Grok Computer Security

Missing Russian Ship

noreply@blogger.com (Michael) — Thu, 13 Aug 2009 13:59:00 +0000

Right out of a Tom Clancy novel, a 4,000 tonne cargo ship is missing. Reportedly, this ship had nothing worth hijacking. There are not a lot of facts about this available but there are some interesting bits:

10 armed men boarded the ship about a week before it disappeared. They left 12 hours later.
The ship spent two weeks in Kaliningrad before beginning its voyage.
The Russians are searching for the ship with all available resources.

As reported here, the Russians have battlefield nuclear weapons in Kaliningrad.

I wish the Russians good luck in their search and I hope the NATO forces provide all available resources to assist.

Data Protection for Virtualized Servers

noreply@blogger.com (Michael) — Fri, 24 Apr 2009 03:45:00 +0000

I am recording a webcast live next Wednesday. It's free and only requires a short pre-registration.

Data Protection for Virtualized Servers

How many manhole covers are in San Jose, CA?

noreply@blogger.com (Michael) — Fri, 10 Apr 2009 14:05:00 +0000

From the Mercury News:

John Britton, a spokesman for AT&T, said it appears somebody opened a manhole in South San Jose, climbed down eight to 10 feet and cut four or five fiber-optic cables. Britton also said there was a report of underground cables being cut in San Carlos.
AT&T's contract with the Communication Workers of America expired at 11:59 p.m. Saturday, but Britton said "we have a really good relationship with the union" and that negotiations continue between the two sides.

It's my understanding that a single cut in one location would not cause the outage we recently experienced. There would need to be two or more cuts at strategic locations to cause an outage to cell phone, land line, and emergency services.

Knowing which manhole covers to open would require very specific knowledge of the Bay Area fiber infrastructure.

Securing the Dynamic Data Center

noreply@blogger.com (Michael) — Tue, 31 Mar 2009 19:56:00 +0000

I am recording a webcast live today. It's free and only requires a short pre-registration.

Securing the Dynamic Data Center

Conficker and April 1

noreply@blogger.com (Michael) — Tue, 31 Mar 2009 04:13:00 +0000

Well, here’s the Wikipedia entries that got me thinking:

As a countermeasure, ICANN and several TLD registrars began in February 2009 a coordinated barring of transfers and registrations for these domains”

Variant C contains code to sidestep these countermeasures by generating an expanded daily list of 50000 domains across 110 TLDs. This new pull mechanism, however, is disabled until April 1

I’ve also been following the work at SRI regarding this threat.

Even 1 million Variant C infections results in potentially 50 billion whois queries.

I think Wednesday is going to be a slow day on the Internet.

Heartland Breach

noreply@blogger.com (Michael) — Wed, 04 Feb 2009 04:37:00 +0000

Summary:

Level 1 credit card processor fails to prevent data loss effecting hundreds of millions of transactions.
Attacker installed tools on Heartland server, inside the PCI trust path network
Tools “sniffed” transactions and sent data to system(s) outside North America

“Heartland has said intruders broke into its systems sometime last year and planted malware that they used to steal the card data. The number of compromised cards still isn't known. But Heartland processes more than 100 million transactions per month.”
- Banks, customers feel the fallout of the Heartland breach. 2/2/2009. Jalkumar Vijayan, Computer World, Security.

Breach analysis:
Root cause includes but is not limited to the following:

Failure of host based intrusion prevention system (HIPS)
Failure of network based intrusion prevention systems (IDP)
Failure of configuration management, to detect changes to host and network configuration
Failure of separation of duties and detection of abuse or escalation of privilege
Failure to segment the processor network and enforce a zone of trust

In summary, Heartland failed to properly implement and enforce defense-in-depth, network segmentation and separation of duties. Remember, Heartland is a level 1 PCI processor and was required by regulation to get this right. This means Heartland's auditors failed.

Solution:
Catbird directly addresses all of the above, except for HIPS. HIPS requires an agent on every end-point, this is not a component of our architecture, which is agent-less by design. Our customers are able to implement and enforce defense-in-depth using Catbird TrustZones™ security policies, virtual infrastructure configuration management and virtual machine tracking technologies. These technologies include but are not limited to:

Policy and detection templates for IDP, to monitor and control network flows between zones and intra-machine flows inside a trust zone
Policy based configuration monitoring and enforcement using session blocking and quarantine, including quarantine of virtual machines
Monitoring of virtual administrator activities and enforcement of dual controls for virtual machine connection to network zones
Catbird TrustZones monitor and enforce network segmentation within and between machines on any network, VLAN or port group

In summary, proper deployment of Catbird TrustZones technology would have detected and prevented a data breach like the one that occurred at Heartland.

Guardians? What Guardians?

noreply@blogger.com (Michael) — Fri, 12 Dec 2008 19:09:00 +0000

Yesterday, the New York Times covered the recent arrest of Bernard L. Madoff.

Madoff, a prominent Wall Street Hedge fund manager, has admitted to running a $50 Billion Ponzi scheme.

While law enforcement has been quick to react, the revelation came when Mr. Madoff confessed to an associate. While rival Hedge fund managers had been suspicious that Madoff's results were too good to be true, THE REGULATORS HAD NO CLUE.

Years ago, there were many warnings on and off the Hill. Regulators, economists and many others sounded the alarm that allowing an entire financial industry to exist without regulations was a bad idea. However, the standard responses were: regulations are bad, the market will police itself, we can trust our Hedge fund managers. Well, look at what has happened. AIG failed to accurately assess and hedge their risks. Dozens of financial institutions have gone under and hundreds more are at risk. Hedge fund managers have admitted to running a crooked game.

The lesson is clear, systems and the people who work within them are not self-policing. Shocker. I am sure Machiavelli and Juvenalis are laughing at the continuing naivete of the human race.

Now, right now, we have a very similar pattern emerging in information technology. Institutions around the world are virtualizing like crazy. IT is deploying the vast majority of these virtual infrastructures without any of the protections I recommend here. PCI, HIPAA, SOX, you name it, these IT Groups are putting sensitive data about you and me, valuable data worth billions of dollars is at risk.

Where are the Guardians?

The Guardians are out to lunch, they missed the memo, they drank the Kool-aid from the platform vendors.

People like myself, Chris Hoff, Greg Ness, Ian Pratt, Brandon Baker and many others are sounding the alarm.

It's time for the Guardians to get to work. It's time for the IT security team to get off their butts and start addressing this issue.

Michael

Registrar's are still a weak link

noreply@blogger.com (Michael) — Tue, 09 Dec 2008 18:16:00 +0000

Very nice article on the hack against Check Free here.

Current theories center on the likelihood that a Check Free employee got suckered by a phishing or straight-up social engineering attack.

I'm going to hazard a guess that this was a spear-phish or more targeted form of attack. A quick search of Linkedin, Facebook and other social networking applications finds a treasure trove of CheckFree/Fiserv employees.

It's a small step to go from these links to a targeted attack against Fiserv IT staff.

However, as the article notes Fiserv was not the only target in this attack and Financial Institutions (FI) are dangerously reliant on a single registrar.

My recommendations:

FI's and others must monitor and protect themselves from domain hijack -- I recommend Pharming Shield.
Get social networking applications out of the data center, IT personnel must not use corporate resources (including email) to access these sites
The Financial Industry is at risk from a single-point of failure at Network Solutions. This must be addressed through community efforts and directly by the platform providers.

Happy Holidays!

Virtual Security and Compliance Webcast

noreply@blogger.com (Michael) — Wed, 12 Nov 2008 19:41:00 +0000

Recorded last week, go here to register and listen (sorry, the sound is ahead of the slides, I am trying to get that fixed).

Shout out to Tarry and everyone else who participated.

Risk mitigation for virtual infrastructures

noreply@blogger.com (Michael) — Tue, 11 Nov 2008 05:06:00 +0000

Virtualization in the Data Center introduces the following: (skip down below)

	EFFECT	RISK
1.	Flattens infrastructure and networks	Unauthorized network access or communication
2.	Adds new operating system and infrastructure layers	Denial of service and data security breach due to software defects
3.	Collapses roles and increases privilege of administrators	Escalation of privilege, abuse of privilege
4.	Increases transience, mobility and frequency of change within the data center	Misconfiguration, server sprawl and data security breach

Virtual machine (VM) hosts, clusters and data centers reduce the logical and physical segmentation of systems and networks. This flattening exacerbates the risk of unauthorized access due to reduced visibility of events on the virtualized network.

Mitigation: implement increased monitoring and access controls for each virtualized access layer and network. Monitoring must correlate virtual infrastructure management, network traffic, security events and validation of intra-VM access control policies.

The Hypervisor is a new operating system, which along with hypervisor and virtual infrastructure management tools increases the defect, vulnerability and attack threat surface of the data center.

Mitigation: incorporate all new software and management layers into your vulnerability management system (VMS). The VMS must be mandatory and integrated with automated discovery and validation of virtualized infrastructures.

Like the introduction of DBAs for SQL databases and Domain Administrators for Window’s systems, Virtual Administrators have privileges that allow them to bypass existing controls and effectively access underlying systems and data at the hardware layer.

Mitigation: implement compensating controls to log and audit all Virtual Administrator activities. Introduce dual controls and separation of duties for critical functions. You must deploy tools to perform continuous validation of these secondary controls to detect and prevent abuse of privilege. This will also reduce the risk from virtual machine breakout and hyperjacking.

Servers are now files. Virtual machine mobility, snapshots, roll-backs and other features of virtualization have magnified the rate of change within the data center. This increase in operational velocity leads to increased risk of configuration error, capacity failures and for a security breach due to incorrect configuration or a lapse of controls.

Mitigation: extend configuration and life-cycle management processes to track virtual machines. These processes must be effective regardless of the mobility and non-linear attributes of virtual machines. Configuration management tools must enforce mandatory controls and support correlation of virtual and physical infrastructure configuration attributes – extending from virtual machine internals to external network access layers. Monitor and audit direct access to virtual machines files at the operating system and storage access layers.

A few Podcasts with Dane Deutch

noreply@blogger.com (Michael) — Fri, 31 Oct 2008 17:22:00 +0000

These were done with a Catbird partner DCS NetLink.

7 Years Later

noreply@blogger.com (Michael) — Thu, 11 Sep 2008 20:11:00 +0000

Public release of PSA's WMD REPORT CARD
Focusing on efforts since 2005, our Report Card gives the government a "C".

"Moving from a D to a C in three years is progress, but not really acceptable progress," Hamilton said.

"What we need now is for the next Administration to commit itself to unwavering dedication to ensure that we capitalize on the progress we've made and push forward to improve and solidify our efforts on all fronts," Gorton said. "Now is the time to turn our resolve into action."

PDF for full report card here.

I've spent the last couple of weeks re-reading the full commission report, and I am struck by how few of their direct recommendations have been implemented. It's possible that the current administration has done more than I know, but here is the focus of the recommendations:

Chapter 13: HOW TO DO IT? A DIFFERENT WAY OF ORGANIZING THE GOVERNMENT

This chapter emphasizes 13 (see below) of the 41 recommendations made by the commission.
Of these 13, two may have been implemented, two others partially implemented, the remaining 9 are incomplete.

Failing on 9 out of 13, I give them an F!

---------------------------

1. Recommendation: We recommend the establishment of a National Counterterrorism Center (NCTC), built on the foundation of the existing Terrorist Threat Integration Center (TTIC). Breaking the older mold of national government organization, this NCTC should be a center for joint operational planning and joint intelligence, staffed by personnel from the various agencies. The head of the NCTC should have authority to evaluate the performance of the people assigned to the Center.

NCTC was established in 2004. Does the head of the NCTC have the authority to evaluate the performance of their personnel?

2. Recommendation: The current position of Director of Central Intelligence should be replaced by a National Intelligence Director with two main areas of responsibility: (1) to oversee national intelligence centers on specific subjects of interest across the U.S. government and (2) to manage the national intelligence program and oversee the agencies that contribute to it.

ODNI established in 2005. Current report card indicates incomplete, why?

3. Recommendation: The CIA Director should emphasize (a) rebuilding the CIA's analytic capabilities; (b) transforming the clandestine service by building its human intelligence capabilities; (c) developing a stronger language program, with high standards and sufficient financial incentives; (d) renewing emphasis on recruiting diversity among operations officers so they can blend more easily in foreign cities; (e) ensuring a seamless relationship between human source collection and signals collection at the operational level; and (f) stressing a better balance between unilateral and liaison operations.

The President issued a memorandum on November 23, 2004. This report from October 2005, reported "some progress." Is there anything more current?

4. Recommendation: Lead responsibility for directing and executing paramilitary operations, whether clandestine or covert, should shift to the Defense Department. There it should be consolidated with the capabilities for training, direction, and execution of such operations already being developed in the Special Operations Command.

Incomplete, this consolidation has not occurred.
5. Recommendation: Finally, to combat the secrecy and complexity we have described, the overall amounts of money being appropriated for national intelligence and to its component agencies should no longer be kept secret. Congress should pass a separate appropriations act for intelligence, defending the broad allocation of how these tens of billions of dollars have been assigned among the varieties of intelligence work.
House Appropriations Select Intelligence Oversight Panel established January 9, 2007.

6. Recommendation: Information procedures should provide incentives for sharing, to restore a better balance between security and shared knowledge.

This is addressed by H.R. 6575, Over-Classification Reduction Act, adopted on September 9, 2008. Currently incomplete pending passage by the Senate and signature of the President.

7. Recommendation: The president should lead the government-wide effort to bring the major national security institutions into the information revolution. He should coordinate the resolution of the legal, policy, and technical issues across agencies to create a "trusted information network."

Incomplete, no indication of implementation beyond studies. Ironically, the Center for Strategic and International Studies may have done this for themselves without the participation of classified networks.
8. Recommendation: Congressional oversight for intelligence-and counterterrorism-is now dysfunctional. Congress should address this problem. We have considered various alternatives: A joint committee on the old model of the Joint Committee on Atomic Energy is one. A single committee in each house of Congress, combining authorizing and appropriating authorities, is another.

Incomplete, no Joint committee comprising members of both House and Senate.

9. Recommendation: Congress should create a single, principal point of oversight and review for homeland security. Congressional leaders are best able to judge what committee should have jurisdiction over this department and its duties. But we believe that Congress does have the obligation to choose one in the House and one in the Senate, and that this committee should be a permanent standing committee with a nonpartisan staff.

Incomplete, DHS still overburdened with too much oversight. This lack of focus wastes resources and probably still leaves oversight gaps.

10. Recommendation: Since a catastrophic attack could occur with little or no notice, we should minimize as much as possible the disruption of national security policymaking during the change of administrations by accelerating the process for national security appointments. We think the process could be improved significantly so transitions can work more effectively and allow new officials to assume their new responsibilities as quickly as possible.

Incomplete, no sign that these procedural recommendations have been implemented.

11. Recommendation: A specialized and integrated national security workforce should be established at the FBI consisting of agents, analysts, linguists, and surveillance specialists who are recruited, trained, rewarded, and retained to ensure the development of an institutional culture imbued with a deep expertise in intelligence and national security.

The President issued a memorandum on November 23, 2004. Has it been implemented?

12. Recommendation: The Department of Defense and its oversight committees should regularly assess the adequacy of Northern Command's strategies and planning to defend the United States against military threats to the homeland.

Incomplete, as of April, 2008 the "GAO making several recommendations to DOD to direct NORTHCOM to take actions to address the challenges it faces in its planning and interagency coordination efforts."

13. Recommendation: The Department of Homeland Security and its oversight committees should regularly assess the types of threats the country faces to determine (a) the adequacy of the government's plans-and the progress against those plans-to protect America's critical infrastructure and (b) the readiness of the government to respond to the threats that the United States might face.

Incomplete, as stated above too many committees is more likely to lead to a failure of oversight and assessment rather than to a successful assessment and response.

Flash parties, flash crowds, now we have "flash dump"

noreply@blogger.com (Michael) — Tue, 09 Sep 2008 20:44:00 +0000

Panic ensued, as they say, and United Airlines stock price plummeted 75 percent (down from $12.30 to $3 a share) before someone realized it was an old news story and things righted themselves. The stock rebounded to $10.92 a share by Monday's closing. But not before United Airlines contacted the Sun Sentinel and demanded the newspaper retract its (6-year-old) story.

I wonder how long before we see the Google spider being intentionally manipulated?

With web 2.0 there wouldn't even be a human brain in the publishing loop.

PCI compliant but still hacked

noreply@blogger.com (Michael) — Fri, 13 Jun 2008 22:46:00 +0000

The malware on the store servers stored up records of these purchases in batches, then transmitted them to an unnamed offshore Internet service provider, the letter states. Foreign crime rings have been blamed in a number of other payment card fraud cases.

Hannaford said in its letter that it was certified a year ago as meeting card security standards and was recertified on Feb. 27. Eleazer said that was the day Visa first notified Hannaford of unusual card activity and began its investigation. That the standards did not stop the thieves, she said, "speaks to the increasing sophistication of the criminal element that propagates these attacks," she said.

It looks to me like Hannaford made the mistake of allowing "multi-level access" in a "single level" network. Servers that handle payment card data must be prevented from access to an unauthorized network or end-point.

These servers and the processors they communicate with should have been in a "PCI trust zone." All other systems would have been in an "untrusted zone." Then it would be a simple matter for IDP/NAC appliance to detect and prevent this type of breach.

Virtualization Security Getting Some Attention

noreply@blogger.com (Michael) — Tue, 27 May 2008 16:32:00 +0000

My response to "Who Owns Virtualization Security" blog:

Virtualization absolutely presents us with the possibility of avoiding past mistakes and making virtual infrastructure (VI) more secure than the physical infrastructure it replaces.

Why?

Virtual security appliances and hypervisor APIs have made it possible for us to build security into the VI fabric at all layers.
The virtualization platforms give us the tools to automate deployment of primary controls, secondary controls and separation of duties throughout the virtual data center.
Virtualization means we can simplify security management and make true defense-in-depth affordable for everyone.
Secure hypervisors, their APIs and the right application of security smarts means we can build agent-less security that protects against rootkits, spyware and almost all forms of malware.
Virtual security appliances allow us not only to write good security policy but also to automatically enforce policy and provide continuous compliance auditing for the VI.
All of the above means, we can create tools for secure life-cycle, trust zones, trusted data paths and secure management in ways never possible with physical infrastructure.

We (as vendors) have a responsibility to educate the IT community to the myths and realities of VI security. The platform OEMs must recognize that simply saying virtual is more secure than physical – is a disservice to all of their customers. Then, when the manufacturers provide the security community the tools and support we need _and_ intelligently inform the market about real risks, then, and only then can we make virtual more secure than physical.

(more to come)

French bank details $7.2 billion loss

noreply@blogger.com (Michael) — Mon, 28 Jan 2008 02:52:00 +0000

This sort of thing makes me think that in some cases it is more than greed. It must also be the "thrill" of beating the system.

Being smarter -- thinking you can out-smart everyone else?

Michael
---------------------------

French bank Societe Generale described Sunday how one of its traders allegedly carried out a $7.2 billion (€4.9 billion) fraud, how the loss came to light and what it is doing to ensure such a case does not recur.
The 31-year-old trader, Jerome Kerviel, started working at the bank in 2000 and spent his first five years there overseeing traders, the bank said in a five-page summary of events.

"Consequently, he had a very good understanding of all of Societe Generale's processing and control procedures," it said.

Kerviel apparently put that knowledge to use after he became a trader for the bank involved in arbitrage -- the practice of buying a portfolio of financial instruments in one market and selling a similar offsetting portfolio at the same time that had a slightly different value. The idea is that, in such trades, the risk of major loss would be minimized.

In fact, Kerviel's first portfolio of financial instruments -- in his case futures -- included genuine operations -- but the offsetting portfolio proved to be "fictitious," the bank said.

"As a result, the trader was able to hide a very sizable speculative position, which was neither consistent with nor related to his normal business activity for the bank," Societe Generale said.

French police questioned Kerviel on Friday and searched his apartment in a Paris suburb Friday night. Efforts to reach his attorneys for comment have been unsuccessful.

Finance Minister Christine Lagarde said Friday that she would meet with banking regulators Monday to establish a timeline of events that led to the massive trading loss.

According to Societe Generale, Kerviel used his early banking experience "to successfully circumvent all the controls which allow the bank to check the characteristics of the operations carried out by its traders, and consequently their real existence," it said.

For example, it said, Kerviel chose operations that had no cash movements or margin call and that did not require immediate confirmation and he canceled certain operations by using access codes assigned to other bank employees.

In addition, it said, he falsified documents and made sure that his fictitious operations involved different instruments from the ones he had just canceled, thereby reducing his chances of being controlled.

But about mid-January, bank officials detected "abnormal counterparty risk," and Kerviel's explanations led to additional controls being placed on his activities, the bank said.

Then, on Friday, January 18, Kerviel's bosses were informed and an investigation had begun.

The next day, after a large bank told Societe Generale that it did not recognize an operation, the trader "acknowledges committing unauthorized acts and, in particular, creating fictitious operations," his employer said.

By early afternoon on Sunday, January 20, the bank's fraudulent position had been calculated at approximately 50 billion euros ($73.6 billion), and "the unwinding of the fraudulent position begins in particularly unfavorable market conditions."

In fact, the timing was terrible. On Jan. 18, European markets had swooned and two days later, the Asian markets tumbled, too. By January 23, "the unwinding" was completed and the total loss calculated at 4.9 billion euros ($7.2 billion).
Since then, the bank said, it has tightened its controls to ensure such an operation cannot recur.

Virtualised desktops will end laptop management

noreply@blogger.com (Michael) — Wed, 03 Oct 2007 18:30:00 +0000

With virtual desktop infrastructure (VDI) there are at least three modes of operation:

IT controls VDI completely, desktop is "thin" only IT approved virtual machines are allowed
IT does not completely control the desktop, options get complicated fast:
a) user virtual machines are allowed
b) user controls the host

Looking at option 2a, we could have rogue guests, infected guests, any kind of guest ... telling them apart and acting accordingly will be fun!

Looking at option 2b, I can buy a Macintosh or linux or windoze and as long as I can run the IT approved virtual machine, then IT is happy. But what if my Macintosh is owned by the Uzebek barbarian horde? Have I just given the Horde access to my corporate network?

Lot's of interesting questions arise. We have our own use case right here at Catbird. The "approved" IT image is Windows XP with Microsoft Office.
We allow a VDI where an employee can use a Macintosh to run Windows in a vm. We're happy until there is a mac worm!

For example, an organization using Active Directory to lock down their desktops ... Active Directory does nothing to lock down a Macintosh.

How is a windows savvy IT team going to cope with users running Ubuntu, Fedora, Macintosh ... VDI is going to lead to an explosion of host operating system diversity. This will be very exciting for those of us running Windows under duress.

Their will be a huge value in giving IT the tools to manage and secure a highly diverse and constantly changing environment.

Another one from SANS newsbites

noreply@blogger.com (Michael) — Sat, 22 Sep 2007 16:07:00 +0000

A vulnerability scan would have warned them that their Cerberus implementation was open to attack. Either they were not validating their security compliance, or they were not following an effective process for curing their vulnerabilities.

--Layered Technologies Customer Data Stolen (September 19 & 20, 2007) An attack on a helpdesk application in Layered Technologies' support database has compromised the security of personally identifiable data of as many as 6,000 of the server hosting company's customers. The data include names, addresses, phone numbers and server login details.
Layered Technologies is asking all its customers to change their login credentials. The attack occurred on the evening of September 17, 2007.
http://www.theregister.co.uk/2007/09/19/layered_technologies_breach_disclosure/print.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9038040&source=rss_topic17

Highlights from a recent SANS News bites

noreply@blogger.com (Michael) — Wed, 19 Sep 2007 14:14:00 +0000

From SANS ... note that bank account details are now worth $400/per account.

TOP OF THE NEWS

--Ameritrade May Have Been Aware of Breach for a Year (September 14, 15 & 17, 2007) Online brokerage TD Ameritrade Holding has acknowledged that a data security breach has compromised more than 6.3 million accounts. The database contains customer names, addresses, account numbers, Social Security numbers (SSNs) and birth dates. The attackers gained access to the database through a backdoor program they had installed on the TD Ameritrade network. TD Ameritrade says it has removed the rogue code from its systems. The intrusion was discovered in the course of an investigation into stock-related spam that had been reported by the company's customers. An attorney representing plaintiffs in a planned class action lawsuit against the online broker alleges that the company knew of the data security problem for a year before customers were notified. Furthermore, the suit alleges that the company kept entering customer data into the vulnerable database during an internal investigation.
http://www.theregister.co.uk/2007/09/15/ameritrade_database_burgled/print.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036639&source=rss_topic17
http://www.amtd.com/newsroom/releasedetail.cfm?ReleaseID=264044
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201807006

--Symantec Report: Malware Moves Toward Commercialism (September 17 & 18, 2007) Cyber attackers aiming to damage computers or inconvenience users are giving way to more financially motivated criminals. According to Symantec's most recent Internet Security Threat Report, cyber criminals are turning to good business practices to ply their trade. Some malware purveyors are offering guarantees about the performance of their products as well as updates to keep the products current. The report also notes that phishers are scouring social networking sites to gather personal information, which they then use to create targeted emails that lure recipients to phony sites where they can harvest valuable data.
Stolen bank account details are being sold online for as much as US $400 apiece. In addition, levels of pump-and-dump schemes and image-based spam have decreased.
http://www.technewsworld.com/story/59374.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036819&source=NLT_SEC&nlid=38
http://www.itnews.com.au/News/61398,fraudsters-go-all-out-for-social-networkers.aspx

The Game Is Not Over -- Security for your web site

noreply@blogger.com (Michael) — Thu, 09 Aug 2007 23:33:00 +0000

Man-in-the-middle (MITM) attack against SSL plus Sitekey/Passmark – The Stop-Phishing Research Group at Indiana University demonstrates that if you are not very careful about the URL and the SSL certificate, and most people are not, the attacker will be successful
Sniffing a connection to steal session cookies to bypass user authentication – Robert Graham of ErrataSec, has demonstrated why you need a security barrier for your laptop at Starbucks (If his name for this attack sticks "side-jacking" then we might as well all give up and start referring to SSL as a condom for your browser)
If you think you don’t have to worry about these exploit techniques, then you better have the Security Excuse bingo card (found on Schneier on Security),

It looks pretty bad. SSL can be bypassed, authentication cookies can be stolen. If you follow the blogosphere’s impression of the recent Blackhat/Defcon events, it's all useless and there is nothing we can do to stop the crooks. To top it all off, there isn’t just one Hackistan (great Yak snacks by the way) there are many Hackistan’s and no web site is to small or broad-band connected PC to innocent for them to exploit.

Truth is, if a malicious hacker with the capabilities of a Grossman, Skoudis or Moore is after your site, then you will get hacked. Lucky for you these guys are busy™.

Solutions? Focus on your business needs and take some precautionary steps:

Run traditional vulnerability scans (because Skoudis and Moore teach us that the old problems are new again)
Run a web application scanner and use a secure coding inspection tool, Grossman and Zorkul are better, but it’s foolish not to automate everything you can
Use SSL from start to finish on your web-site, you have an obligation to protect the integrity and security of all the data exchanged between your site and your customer’s browser – otherwise your giving it away to any crook with a copycat access point or a promiscuous wireless card
Don’t ignore MITM because you think it is hard, it gets easier to do every day – Lucky for all of us, it’s also getting easier to protect against and detect MITM, Pharming, Highjack and Malware Injection, I know someone who can help
Last but not least, plan on getting hacked, have an incident response plan and be prepared, playing security excuse bingo is a losing strategy

Get started today!

Disregard any pop-up security windows you receive

noreply@blogger.com (Michael) — Thu, 09 Aug 2007 16:54:00 +0000

I received this in my mail today:

Dear Electronic Crimes Task Force Member,

CSO magazine is conducting a survey in cooperation with the U.S. Secret Service and CERT Coordination Center, the 2007 eCrime Watch. The purpose of this project is to uncover electronic crime trends.

CSO magazine’s sister company, IDG Research Services, has been commissioned to help us collect your feedback. Please click on the following URL to begin the survey or copy and paste the URL into your browser:

https://url-hidden

Disregard any pop-up security windows you receive. (Emphasis mine)

Please be assured that any information you provide is confidential and your responses will be used only in combination with those of other survey respondents. This survey should take no more than 10 minutes of your time. If you have any questions about this survey please contact IDG Research Services at ------@idg.com or ATSAIC ----------, USSS, San Francisco Field Office 415/-------.

Thank you in advance for your help.

Of course my first thought, was that this was a phishing attack. I couldn't imagine CSO and the ECTF telling me to "Disregard any pop-up security windows you receive."

Imagine my surprise and relief, when I went to the site and there were no warnings. So, they got it right, the SSL certificate was correct and unexpired ... but everyone is so accustomed to that not being the case, that as a matter of course they included the disregard pop-ups message. Is our infrastructure broken or what?

Virtually Secure

noreply@blogger.com (Michael) — Wed, 08 Aug 2007 16:52:00 +0000

Christofer Hoff has a good post here. In particular,

Combine that with NAC agents on the hosts and...whether or not it actually works is neither here nor there. They told they story and here it is. It's good to be king.

His point being that Cisco doesn't have to worry about when they are going to deliver a product or even how will it will work when they do ...

Meanwhile, back in your virtualized data center, you can be warm and happy knowing that Cisco's virtually shipping product has you virtually secure already. Nice, huh?

What about Real Security -- Real Security for Virtualized Infrastructures? You've deployed half a dozen quad-core systems and thrown out 150 obsolete boxes. Maybe you had IPS and NAC in your datacenter already, but do you have it now? If your virtual windows 2000 server get's infected and starts attacking the other systems on the host, how will you know?

Maybe you will know when the infection begins to spread to other hosts and their virtual servers, but by then you will have a real mess on your hands.

The right answer involves doing something today, not waiting for a vendor to implement a solution next year. Here is the pragmatic prescription for today, virtual servers are servers, period.

If there reliability and security are important to your business then you have to secure them with same mature IT processes that you use for everything else:

Specify the appropriate security requirements at the start
Determine and implement secure baselines that meet your business and security requirements
Validate/test that the performance and security of your systems meets the stated requirements before you put them in production
After deployment, test them again -- virtualization really helps you here
Use change control and segregation of duties -- (ITIL and ISO 17799 driven) processes and controls to keep working systems, working
Patch management and vulnerability management are a continuous process -- don't treat these problems with a calender ... not unless you like emergencies
Continuously monitor your network and systems, use the protection appropriate to the value of the data or business operations, such as:
- Gateway: firewall, anti-spam, anti-malware, content filtering, vpn ...
- Network: vulnerability monitoring, IDS/IPS, NAC, Policy management and compliance ...
- Endpoint: Anti-malware, AAA, log analysis, patching, encryption ...
Disaster/Business continuity planning, incident response and training have to include your virtual infrastructure -- DR/BP might be a big driver behind your virtualization effort, but nothing substitutes for a good test.

Do all of the above, appropriately to the level you need, don't wait to become the next security breach. It's more about the process than the tools.

I hate Passwords #10

noreply@blogger.com (Michael) — Mon, 06 Aug 2007 15:23:00 +0000

From IP: link here

What I think needs to be done is that the public needs to be educated about these sites, and the security risk they pose.

The "public" is already being educated. We tell them over and over that they should not share their password with anyone. The problem is that the public gives up their password all too easily. We can keep blaming the public, and we will, but we should also try to understand why someone will give up their Yahoo (or other service) password easily, while the same person would never share their ATM PIN.

I think the public is pretty smart, but they learn best when they experience immediate consequences from their actions. Right now, I know that identity theft and losses from this behavior are at a tolerable level because most of the public are still willing to give their password away -- where the same public will never forgot to lock their car door at the shopping mall parking lot.

If the consequences (or at least people's awareness of these consequences) get a lot worse, we will either see a change in behavior or the deployment of technologies to eliminate reliance on passwords (tokens, client-side certificates ...).

Voting Software Security

noreply@blogger.com (Michael) — Sat, 04 Aug 2007 00:07:00 +0000

Matt Blaze's group reviewed the Sequoia system's code. From his blog:

We found significant, deeply-rooted security weaknesses in all three vendors' software.
The problems we found in the code were far more pervasive, and much more easily exploitable, than I had ever imagined they would be.
Deliberate backdoors in these systems, if any existed, would be largely superfluous

My humble opinion: this is a great opportunity for the open source community to get together with the private sector (hello Fortify) to solve this problem.

Computer Market will keep growing

noreply@blogger.com (Michael) — Fri, 03 Aug 2007 19:11:00 +0000

I learned a long time ago that no market grows fast forever....

Toni Sacconaghi, an analyst with Sanford C. Bernstein & Co., has chipped in on the gloom and doom scenario as well in a new research report.

"As the use of server virtualization rises, a negative impact on x86 server demand appears all but inevitable," he wrote. "While we still forecast positive x86 server unit growth in 2007 and 2008, our forecast calls for shipments to contract in 2009 and for growth to be about zero between 2007 and 2012, compared with historical double-digit gains."

This analysis varies from wrong, to really really wrong.

I agree with Ashlee Vance in the Register, virtualization is going to drive the demand for huge well-integrated multi-core systems, but there will still be plenty of need for ever more horsepower on the desktop and for dedicated blade or 1U system in the data center to feed specific CPU intensive applications.

I think we will eventually see desktop virtualization follow in the server virtualization footsteps, but when I look down the hall and see dedicated 4 core systems on people's desks, I find it hard to believe that we're going to see a sharp reduction in the growth of this market.