An amusing image from Adam Shostack's blog to help you understand when to use pie charts, i.e. never. The yellow = the pie not eaten, the silver = the pie that's been eaten.
CNet News reported yesterday afternoon that:
The U.S. Federal Trade Commission has notified nearly 100 organizations that data from their networks has been found on peer-to-peer file-sharing networks, the agency said on Monday.
The FTC notices went to private and public entities, including schools and local government agencies and organizations with as few as eight employees to as many as tens of thousands, the FTC said in a statement. The sensitive information about customers and employees that was leaked could be used to commit identity fraud, conduct corporate espionage, and for other crimes.
Unfortunately file sharing based on peer-to-peer technology is only a part of the problem. Some firewalls and most intrusion prevention systems (IPSs) can block peer-to-peer file sharing. However, the problem is actually much worse - the growth of browser-based file sharing applications designed to bypass most firewalls and IPSs.
Palo Alto Networks, a next-generation (as defined by Gartner) firewall vendor, recognizes and can control or block 88 different file sharing sharing applications. Of these, 40 use peer-to-peer technology, 39 are browser-based, and 9 are client-server. Therefore if your network security infrastructure can control or block peer-to-peer file sharing, you are solving less than half the problem.
For more information about the hundreds of applications that ought to be controlled or blocked, go to Palo Alto Network's Applipedia.
An amusing image from Adam Shostack's blog to help you understand when to use pie charts, i.e. never. The yellow = the pie not eaten, the silver = the pie that's been eaten.
Mitre, via its Common Weakness Enumeration effort, in conjunction with SANS, just published the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors. Heading the list are:
For each weakness this report provides a Description, Prevention and Mitigation techniques, and links to more reference material. This is well worth reading.
While the term, Advanced Persistent Threat (APT) is not a new term, it is being used much more often since the breach announcement Google made in January. I wrote about it here and here.
Mandiant, a security consulting firm, defines the APT "as a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. government and commercial computer networks for years. The vast majority of APT activity observed by MANDIANT has been linked to China." You can read more about what they have to say here.
Mandiant did a webinar on February 18 called Malware Behaving Badly, in which they compared Mass Malware Threats to Advanced Persistent Threats. As of today, Feb 20, Mandiant has not posted the webinar on its site.
Richard Bejtlich defined APT in this January 16, 2010 blog post:
Bejtlich goes on to itemize APT objectives, which interestingly does not include stealing money:
Mike Cloppert, a security engineer at Lockheed Martin, wrote about APTs in mid-2009 in his Security Intelligence series of blog posts. In Security Intelligence: Introduction (pt 1), he defines APT as "any sophisticated adversary engaged in information warfare in support of long-term strategic goals." Note his focus on the adversary and goals rather than just the techniques.
In summary then, APTs do represent techniques that are more difficult to detect because the adversary, when faced with an above average defense, does not move on to a weaker target. The adversary is persistent and will escalate tactics. Second the focus is on stealing intellectual property rather than money to advance the adversary's strategic technical, economic, political, and military goals.
Trustwave's recently published 2010 Global Security Report shows that the top two attack vectors, by far, resulting in breaches are Remote Access Applications and Third Party Connections. Here is the list of the top five:
> 95% Remote Access Application
> 90% Third Party Connection
> 15% SQL Injection
> 10% Exposed Services
< 5% Remote File Inclusion
Clearly for each breach they investigated, there was more than one attack vector. It's also important to note that 98% of their investigations were on Payment Card Data breaches. No surprise since Trustwave is focused primarily on PCI compliance. The report does not indicate what percentage of the breaches occurred at organizations for which Trustwave was the QSA.
Regardless of these caveats, I believe it is worthwhile to note the total dominance of Remote Access Application and Third Party Connections.
It is imperative that organizations upgrade their firewalls to provide network segmentation (zoning) and to be able to recognize and control the use of most major application categories including Remote Access Applications.
Unfortunately you will have to register here to get the full report.
IEEE Spectrum published an article about three techniques for hiding information in VoIP calls, thus showing again that bits are bits.
Hiding secret messages in MP3 or video files has been done for many years. From the bad guys perspective, there is the problem that copies of these files are left on many servers when they are transmitted by email for example, and therefore can be investigated after the actual transmission is completed.
Hiding information in the VoIP protocol itself leaves nothing behind to be investigated.
DarkReading published a good article about breaches caused by malicious insiders who get direct access to databases because account provisioning is poor and there is little or no database activity monitoring.
There are lots of choices out there for database activity monitoring but only three methods, which I wrote about here. I wrote about why database security lags behind network and end-point security here.
The February 2010 issue of Information Security magazine has a face-off between Bruce Schneier, the realist, and Marcus Ranum, the dreamer, on the topic of anonymity on the Internet.
Schneier says attempting to eliminate anonymity cannot work. More importantly, he goes on to say:
"Mandating universal identity and attribution is the wrong goal. Accept that there will always be anonymous speech on the Internet. Accept that you'll never truly know where a packet came from. Work on the problems you can solve: software that's secure in the face of whatever packet it receives, identification systems that are secure enough in the face of the risks. We can do far better at these things than we're doing, and they'll do more to improve security than trying to fix insoluble problems."
Schneier's piece is so good, you must read the whole thing.
American Medical News reported today (Feb 1, 2010) that the first lawsuit has been filed by a state Attorney General for a personal medical information privacy violation under the HITECH Act. The HITECH Act, part of the 2009 stimulus bill, was designed to strengthen HIPAA, which until then had limited penalties for violations.
If the HITECH Act itself was not enough of a wake up call, this lawsuit surely ought to be.
Due to time constraints this week, I'm doing a new type of post. Rather than commenting on the stories I find most interesting, I am posting a list of stories I found interesting but without commenting. For each one, I provide the headline linked to the story and the first paragraph or two of the story so you can decide if it's worth reading in it's entirety.
Monday, January 25, 2010
What's Your DEP and ASLR Status? If you recall, Google says they were attacked by hackers based in China using a zero-day vulnerability in Internet Explorer. That vulnerability affected almost all versions of IE, but the attack was mitigated on some by systemic defenses like DEP and ASLR.
Flaws in the 'Aurora' Attacks The attackers who unleashed the recent wave of
targeted attacks against Google, Adobe, and other companies, making off
with valuable intellectual property and source code, shocking the
private sector into the reality of the potential threat of
state-sponsored cyberespionage -- but they also made a few missteps
along the way that might have prevented far worse damage.
Tuesday, January 26, 2010
'Aurora' code circulated for years on English sites; Where's the China connection? An error-checking algorithm found in software used to attack Google and other large companies circulated for years on English-speakinglanguage books and websites, casting doubt on claims it provided strong evidence that the malware was written by someone inside the People's Republic of China.
Aurora-style attacks swiped oil field data from energy giants; Social networks implicated in planning Google assault At least three US oil giants were hit by cyberattacks aimed at stealing secrets, in the months before the high-profile Operation Aurora attacks against Google, Adobe et al in December.
Targeted attacks against Marathon Oil, ConocoPhillips, and ExxonMobil took place in 2008 and followed the same pattern as the later Aurora assaults. Information harvested by the attacks included "bid data" that gave information on new energy discoveries, according to documents obtained by the Christian Science Monitor.
Wednesday, January 27, 2010
Hydraq (aka Aurora) attack's resiliency uncovered Security researchers continue to peel back the layers on the Trojan.Hydraq aka Operation Aurora attacks first reported publicly earlier this month, and the techniques employed by the threat to stay alive on infected machines were apparently neither cutting-edge, nor particularly sophisticated.
According to researchers with Symantec -- who've published a series of blogs examining various technical elements of the Trojan.Hydraq campaign -- the attack used methods commonly observed in other malware programs to remain alive inside of the organizations it infiltrated, restart after systems restart.
Cost of data breaches increased in 2009; Ponemon Institute research says malicious attacks are the most costly breaches The cost of data breaches continues to rise, and malicious attacks accounted for more of them in 2009 than in previous years, according to a study published today.
In conjunction with study sponsor PGP Corp., Ponemon Institute today released the results of its fifth annual "U.S. Cost of a Data Breach" report. The news isn't good, according to the research firm's founder, Larry Ponemon.
Personal data stolen? Don't count on being told promptly Andrea Rock of Consumer Reports highlights one of the findings of the new Ponemon report: Not only are data breaches from criminal attacks on U.S.-based companies’ financial and customer data on the rise, but your odds of being promptly informed if you’re a breach victim aren’t very high, according to a new data breach report just released by the Ponemon Insitute.
The rise of point-and-click botnets This post highlights a graphic from Team Cymru, a group that monitors studies online attacks and other badness in the underground economy. It suggests an increasing divergence in the way criminals are managing botnets, those large amalgamations of hacked PCs that are used for everything from snarfing up passwords to relaying spam and anonymizing traffic for the bad guys, to knocking the targeted host or Web site offline.
Where art thou conficker? Researchers noted this week that the buzzworthy Trojan.Hydraq campaign that was used to hack Google and some other tech giants employed some of the same techniques used by our dear old pal Conficker to remain resident on infected PCs. Which causes one to ponder, what happened to this attack which a year ago captured the interest of so many people for some particular reason?
Thursday, January 28, 2010
Haiti spam leads to new malware As rescue efforts continue in Haiti, the world waits with bated breath for more good news about survivors. Unfortunately, while most people are thinking of ways to help victims, cybercriminals are using the tragedy to further their own malicious causes. Blackhat search engine optimization (SEO) poisoning attacks related to this tragedy have already led to FAKEAV infections. However, the most recent FAKEAV run appears to be only the start of more Haiti-related malware attacks.
Friday, January 29, 2010
The state of computer security in the UK eSecurity Planet reports: British security consulting firm 7Safe and the University of Bedfordshire have released the UK Security Breach Investigations Report 2010, which looks at the current state of computer security in the UK through an analysis of actual data breaches.
Key findings include the fact that 69 percent of data compromises occurred in the retail sector, 85 percent of cases resulted in stolen payment card information, and SQL injection was used in 60 percent of attacks.
Simmering over a 'Cyber Cold War' New reports released this week on recent, high-profile data breaches make the compelling case that a simmering Cold War-style cyber arms race has emerged between the United States and China.
A study issued Thursday by McAfee and the Center for Strategic and International Studies found that more than half of the 600 executives surveyed worldwide said they had been subject to “stealthy infiltration” by high-level adversaries, and that 59 percent believed representatives of foreign governments had been involved in the attacks.
Here is a link to another story about the above mentioned McAfee survey.
CIA, PayPal under bizarre SSL assault The Central Intelligence Agency, PayPal, and hundreds of other organizations are under an unexplained assault that's bombarding their websites with millions of compute-intensive requests.
The "massive" flood of requests is made over the websites' SSL, or secure-sockets layer, port, causing them to consume more resources than normal connections, according to researchers at Shadowserver Foundation, a volunteer security collective. The torrent started about a week ago and appears to be caused by recent changes made to a botnet known as Pushdo.
Saturday, January 30, 2010
A tad too late, Google begins phase-out of IE6 Not that long after a Google employee running Internet Explorer 6 was hacked, creating an international incident, Google has announced that they will begin withdrawing support for IE6 in their own services.
New security features in Google Chrome Google has announced a number of security enhancements that are being implemented in Chrome. Some have already been implemented in other browsers, including Firefox and IE and in significant add-ons like NoScript.
