<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>Whatever Compliance</title>
	
	<link>http://www.whatevercompliance.com</link>
	<description>Savid Technologies thoughts on technology, information security, and business</description>
	<lastBuildDate>Fri, 12 Mar 2010 05:01:41 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/WhateverCompliance" /><feedburner:info uri="whatevercompliance" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><creativeCommons:license>http://creativecommons.org/licenses/by-nd/3.0/</creativeCommons:license><item>
		<title>7 consecutive errors equals a Security Breach</title>
		<link>http://feedproxy.google.com/~r/WhateverCompliance/~3/pgkYV2PHIVA/</link>
		<comments>http://www.whatevercompliance.com/network-security/7-consecutive-errors-equals-a-security-breach/#comments</comments>
		<pubDate>Fri, 12 Mar 2010 05:01:41 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[Christian Moldes]]></category>
		<category><![CDATA[exploitation]]></category>
		<category><![CDATA[gladwell]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[moldes]]></category>
		<category><![CDATA[plane crashes]]></category>
		<category><![CDATA[privileged account]]></category>
		<category><![CDATA[security breach]]></category>
		<category><![CDATA[security breaches]]></category>
		<category><![CDATA[security program]]></category>
		<category><![CDATA[verizon]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=450</guid>
		<description><![CDATA[Even with many controls in place you cannot always prevent a security breach. This is the exact reason why we recommend that incident response policies and processes (which should be tested the way you test your Disaster Recovery processes!) should be the FIRST THING you implement when building a security program at an organization, followed by detective controls such as logging, so that a breach is detected as soon as possible.]]></description>
			<content:encoded><![CDATA[<p>Christian Moldes of Verizon Business has a great post about <a href="http://securityblog.verizonbusiness.com/2010/03/11/plane-crashes-and-security-breaches">Plane Crashes and Security Breaches</a> and how similar they are. He hits it right on the head! During our engagement wrap-up meetings, where we explain the various scenarios an attacker could use to break into a client’s network, we are always asked to put a specific ranking on a specific risk. I argue that this almost doesn&#8217;t matter, because the big breaches normally do not come from a single vulnerability but from many chained together.</p>
<p>Christian quotes Malcolm Gladwell, who says:</p>
<blockquote><p>The typical [plane] accident involves seven consecutive human errors.</p></blockquote>
<p>When we work with clients we normally see that breaches are caused by a chain of at least three errors: a vulnerability is exploited, then a misconfiguration is used to find a privileged account&#8217;s user name and password, and then data the privileged account has access to is found somewhere on the network where it wasn&#8217;t supposed to be.</p>
<p>Even with many controls in place you cannot always prevent a security breach. This is the exact reason why we recommend that incident response policies and processes (which should be tested the way you test your Disaster Recovery processes!) should be the FIRST THING you implement when building a security program at an organization, followed by detective controls such as logging, so that a breach is detected as soon as possible.</p>



]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/7-consecutive-errors-equals-a-security-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.whatevercompliance.com/network-security/7-consecutive-errors-equals-a-security-breach/</feedburner:origLink></item>
		<item>
		<title>1 thing you have to do if you virtualize</title>
		<link>http://feedproxy.google.com/~r/WhateverCompliance/~3/YhlK064iXas/</link>
		<comments>http://www.whatevercompliance.com/it-consulting/1-thing-you-have-to-do-if-you-virtualize/#comments</comments>
		<pubDate>Thu, 11 Mar 2010 18:54:01 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[IT Consulting]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[green]]></category>
		<category><![CDATA[green computing]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[infrastructure hardware]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[performance management]]></category>
		<category><![CDATA[performance problems]]></category>
		<category><![CDATA[scalable infrastructure]]></category>
		<category><![CDATA[servers]]></category>
		<category><![CDATA[smb]]></category>
		<category><![CDATA[storage]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=377</guid>
		<description><![CDATA[Virtualization saves money and the environment.  But it is not without a potentially major disadvantage.]]></description>
			<content:encoded><![CDATA[<p>When I talk with executives about IT and cost cutting, two topics invariably come up: virtualization and the cloud. Don&#8217;t get me started on the cloud, and the chance of rain, so let&#8217;s talk about virtualization and some items that some may be unfamiliar with (especially those in the SMB space).</p>
<p>By now, most companies have adopted, or at least looked into, overhauling their IT infrastructure with virtualization solutions.  Virtualization is said to reduce costs, simplify management and scalability, and limit the toll computing has on the environment.  Since 2005, virtualization software has quickly changed the landscape of enterprise computing.</p>
<p>For those unfamiliar with the concept, virtualization abstracts computer resources by consolidating several physical systems into virtual machines on one powerful system.  Virtualization consolidates underutilized hardware, such as servers, storage devices, and network resources, partitioning it virtually among multiple machines.</p>
<p>The reason virtualization has become such a favorable trend in IT computing is probably that the advantages are so easy to grasp.  First of all, the physical work of managing hundreds of machines is simplified while still allowing for a scalable infrastructure.  Plugs and cables do not have to be rearranged every time there is a change in hardware.  This reduces the workload of the system administrator.  Virtualization allows hardware resources to be pooled, such as sharing storage or network bandwidth, so hardware does not go underutilized.  Less hardware means lower energy costs, both to run and to cool.  Altogether, these advantages lower the costs for infrastructure, hardware, power, and cooling.</p>
<p>You’ve probably had the green benefits of virtualization stressed to you.   According to VMware, for every server virtualized, you can save about 7,000 kilowatt hours, or four tons of CO2 emissions, every year.  Virtualization can cut the power demand of ten machines down to one and save almost 80 percent on an electricity bill.  VMware even has a <a href="http://www.vmware.com/solutions/green/calculator.html">green calculator</a> on their website which allows you to see your virtualization benefits in terms of energy savings, cost reduction and environmental impact.  A quick calculation shows that virtualizing 200 servers is the equivalent of planting 4,000 trees.</p>
<p>Of course, businesses are more concerned with reducing costs than reducing the size of their carbon footprints.  With this in mind, there are a few disadvantages, or at least pitfalls, that may be created with a switch to virtualization.</p>
<p>But there is a downside: performance degradation is likely when switching to a virtualization infrastructure if the virtual infrastructure was not properly architected (which seems to be the case all too often by the time we get involved).  In most organizations there is a lack of tools and expertise available to monitor and analyze virtual environments and to find and correct issues that affect performance.  A study by Aberdeen shows that enterprises that had an 85% success rate in identifying performance issues in a physical environment now have only a 37% success rate in a virtualized one.  Likewise, improved response time for managing business-critical applications fell from 67% in a physical environment to 39% in a virtual one.</p>
<p>Many enterprises find that there is a tradeoff between decreased staffing and power costs and less than optimal performance.  Sometimes this means that the advantages delivered by virtualization are less than expected, so make sure you have adequately measured the minimum performance requirements for your infrastructure before you run off and virtualize everything.</p>



]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/it-consulting/1-thing-you-have-to-do-if-you-virtualize/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.whatevercompliance.com/it-consulting/1-thing-you-have-to-do-if-you-virtualize/</feedburner:origLink></item>
		<item>
		<title>4 Ways to Social Engineer Face to Face</title>
		<link>http://feedproxy.google.com/~r/WhateverCompliance/~3/Wrf-IkBwxMM/</link>
		<comments>http://www.whatevercompliance.com/it-security/4-ways-to-social-engineer-face-to-face/#comments</comments>
		<pubDate>Wed, 10 Mar 2010 23:47:43 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[abn amro bank]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[humanOS]]></category>
		<category><![CDATA[penetration tests]]></category>
		<category><![CDATA[physical hacking]]></category>
		<category><![CDATA[physical security]]></category>
		<category><![CDATA[receptionist]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social engineer]]></category>
		<category><![CDATA[social engineering]]></category>
		<category><![CDATA[social engineers]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=371</guid>
		<description><![CDATA[While most traditional social engineering is used to exploit the vulnerabilities of the HumanOS over phone or online communications, we can’t rule out the possibility that social engineering can be most successful when it is face-to-face (plus it is a heck of a lot of fun!). Even though it puts the social engineer at direct risk, it offers the most reward for their efforts since it gives them direct access to your company’s office and hardware. Here are the top 4 ways to social engineer some one face-to-face]]></description>
			<content:encoded><![CDATA[<p>While most traditional social engineering is used to exploit the vulnerabilities of the HumanOS over phone or online communications, we can’t rule out the possibility that social engineering can be most successful when it is face-to-face (plus it is a heck of a lot of fun!).  Even though it puts the social engineer at direct risk, it offers the most reward for their efforts since it gives them direct access to your company’s office and hardware.</p>
<p>For years now, forward-thinking companies have been performing their own social engineering penetration tests to discover bugs in the human hardware.  In these cases of face-to-face social engineering at your company office, these techniques can be divided into the following roles:</p>
<p><strong>The Service Technician</strong><br />
The service technician is a social engineer who poses as a person with a legitimate reason to enter your office.  They usually impersonate a service technician or repairman hired to fix some company hardware, but they may also pose as co-workers, police, bankers, tax authorities, or insurance investigators.  This kind of criminal will often take the time to investigate the right thing to say and who to ask for.  In some cases, all they need is an authoritative, earnest tone of voice.  After all, they only need to fool your receptionist.</p>
<p><strong>The Tailgater</strong><br />
The tailgater is someone who bypasses physical security by getting others to use their security cards to let them into an office.  The tailgater may simply grab the door before it closes as an employee enters the office, or they may casually ask an employee to hold the door for them.  Given a nonchalant tone of voice, many employees just assume the person is supposed to be there.</p>
<p><strong>The Aggressor</strong><br />
The aggressor is not really a social engineer, but he does use the social engineer&#8217;s tricks while face-to-face with your employees.  The aggressor simply attacks one of your employees to steal their security card, and then uses it to casually enter the building.  The aggressor will investigate the physical security around an office building to determine where the security cameras are and choose an unseen place to hide.</p>
<p><strong>The Charmer</strong><br />
In 2007, a thief broke into the ABN Amro bank in Antwerp and made off with $21 million in diamonds.  This single thief bypassed one of the most high-tech security systems in the world not with brute force or an Ocean’s 11 level of complexity and organization, but with a stolen passport, a box of chocolates, and personal charm.  The charmer, who was never caught, posed as a successful businessman and visited the bank frequently, befriending the staff and gradually winning their confidence.  He even brought them chocolates.  He ultimately gained VIP access and used his passcard to walk right into the vault he knew contained the uncut diamonds.  If this charmer could successfully bypass a $2 million security system, what chance does your company have?</p>
<p>While it does put the social engineer at direct risk, face-to-face social engineering is obviously one of the easiest and most rewarding scams for criminals. If you are implementing social engineering assessments at your organization, make sure they include some face-to-face social engineering!</p>



]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/it-security/4-ways-to-social-engineer-face-to-face/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.whatevercompliance.com/it-security/4-ways-to-social-engineer-face-to-face/</feedburner:origLink></item>
		<item>
		<title>How to Survive a DDoS Extortion Attack</title>
		<link>http://feedproxy.google.com/~r/WhateverCompliance/~3/-CQI5ynNWJA/</link>
		<comments>http://www.whatevercompliance.com/network-security/how-to-survive-a-ddos-extortion-attack/#comments</comments>
		<pubDate>Wed, 24 Feb 2010 18:58:09 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[ddos attack]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[Denial-of-service attack]]></category>
		<category><![CDATA[extortionist]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[ransomware]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=383</guid>
		<description><![CDATA[Before the DDoS attack, the extortionist will contact the site webmaster and offer to spare them from the attack for a payment.  If the payment is not made by the given date, then the attack begins and the price usually increases.  ]]></description>
			<content:encoded><![CDATA[<p>Although I think DDoS extortion is declining due to the rise of more lucrative ransomware and scareware tactics, DDoS extortion remains interesting to me because of its sheer supervillainy (plus the stories sound cool when you tell them). I was giving the example to a CSO I met today, and after hearing the story he asked, &#8220;How do I survive a DDoS extortion attack?&#8221; So here is how:</p>
<p>Businesses hit with these attacks have almost no means of fighting back, and even have a disincentive to alert the authorities who could work to defend against them.</p>
<p>DDoS (distributed denial of service) extortion occurs when a hacker threatens to use a vast botnet of infected computers to bombard a single target online.  Because the target’s resources are used up accommodating the botnet traffic, legitimate traffic is unable to reach the site, causing a denial of service.  This prevents businesses from using their website, which may be integral to their business operations.</p>
<p>Before the DDoS attack, the extortionist will contact the site webmaster and offer to spare them from the attack for a payment.  If the payment is not made by the given date, then the attack begins and the price usually increases.</p>
<p>Companies have three ways to respond:  pay the attacker, use DDoS protection, or go to the authorities.  Unfortunately, most companies choose to simply pay the attacker, since it is the easiest and least expensive way to fix the problem.  This only emboldens these kinds of attacks, leading to more extortion of other companies.</p>
<p>It is possible to use DDoS protection to block bots, but the extortionist will warn that if such an attempt is made they will only increase the number of bots attacking the website, making it much more expensive to deal with.</p>
<p>Going to the authorities can be so ineffective that extortionists will not even discourage their target from doing so.  Extortion attacks usually come from other countries, usually Eastern Europe, where the FBI has little recourse.  Furthermore, businesses are afraid of reporting the crime because it could damage their brand if it got out that they were helpless against extortionists.  This makes it harder for any countermeasures to be developed, since it is impossible to tell how often extortion occurs, how much money is extorted, and who the targets are.  According to experts, every online gambling site is paying extortion, usually around $40,000.</p>
<p>For these reasons, too often companies will simply remain quiet about the extortion and pay the fee.  The ransom is much less than the costs incurred from a denial of service attack.  Sometimes the extortionist even gives the victim the opportunity to pay for an attack on a competitor.  Why not?  It gives the victim a chance to level the playing field and the extortionist a chance to make even more money.</p>
<p>The best way to combat attacks like these is for businesses to put aside competitive differences and share their information regarding security and cyberattacks with industry peers and law enforcement authorities.  But that’s never going to happen, and businesses are likely to continue to fight an every-man-for-himself battle.</p>
<p>Until then, it’s up to companies to build up internal protections and beef up their security to protect against botnet attacks. Also, if this ever starts to happen to your business, you can always contact me and I can see how I can help!</p>



]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/how-to-survive-a-ddos-extortion-attack/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.whatevercompliance.com/network-security/how-to-survive-a-ddos-extortion-attack/</feedburner:origLink></item>
		<item>
		<title>Petition Congress to Step Up and Act</title>
		<link>http://feedproxy.google.com/~r/WhateverCompliance/~3/2U7ighyk8_Q/</link>
		<comments>http://www.whatevercompliance.com/network-security/petition-congress-to-step-up-and-act/#comments</comments>
		<pubDate>Tue, 23 Feb 2010 23:39:24 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=434</guid>
		<description><![CDATA[I received an email from John Zurawski at Authentify that I thought was worth posting. I personally am tired of bailing out the banks and continuing to spend tax payer money so I want to ask Congress to Step Up, start using our money for things that matter, and start to protect the end user&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p>I received an email from John Zurawski at Authentify that I thought was worth posting. I personally am tired of bailing out the banks and continuing to spend taxpayer money, so I want to ask Congress to step up, start using our money for things that matter, and start protecting end users by requiring the banks that don&#8217;t properly implement security controls to pay. John asked in his email for me to repost it and ask others for help. Read below, and if you are heading to RSA, stop by the booth and sign the petition if you agree.</p>
<blockquote><p>I’m emailing to ask for your help in something that can make a difference at the RSA Conference.  In recent months it’s become apparent that many smaller banks, credit unions and ultimately small businesses are being victimized by organized cyber criminals.  We at Authentify, along with many others, believe it’s time to stop the bleeding.  The regulatory oversight of the financial services industry has plenty of “guidance”, but few actual requirements to protect their customers from sophisticated online criminals.  The breaking point has come with a bank suing its customer for being a “cyber-victim” and asking the courts to declare its security procedures as “commercially reasonable”.  The technologies exist to prevent most malware inflicted financial losses.  It’s time to get Congress to get involved.  Just as the federal government is making funds available to healthcare to get health records digitized and online, it’s time to use TARP funds or other sources &#8211; to REQUIRE that financial services firms protect their customers.</p>
<p>Authentify will be seeking signatures on a petition to Congress in its booth at the RSA Conference next week.  We have put this effort ahead of our new product introductions and other RSA promotions.   Please stop by Booth #732 on the Expo floor if you believe it’s never commercially reasonable to let a bank’s customers be victimized by malware.</p></blockquote>


]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/petition-congress-to-step-up-and-act/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.whatevercompliance.com/network-security/petition-congress-to-step-up-and-act/</feedburner:origLink></item>
		<item>
		<title>Honeypot Reveals Password Weaknesses</title>
		<link>http://feedproxy.google.com/~r/WhateverCompliance/~3/8Zj8NYN49h0/</link>
		<comments>http://www.whatevercompliance.com/network-security/honeypot-reveals-password-weaknesses/#comments</comments>
		<pubDate>Mon, 22 Feb 2010 16:55:27 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[honeypots]]></category>
		<category><![CDATA[auditing software]]></category>
		<category><![CDATA[password crackers]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=393</guid>
		<description><![CDATA[The honeypot gathered hundreds of user names and tens of thousands of passwords that have been used in automated attacks.  The data told us a few things we already knew, basically that the most common password-guessing attempts resemble the most commonly used passwords.  But the data told us one new thing we did not already know about password cracking: simply having a long password isn’t good enough anymore if it is still dictionary-based.  The honeypot attackers routinely used passwords 8-10 characters in length and would even try passwords 10, 15, or 20 characters long.  Also, hackers are persistent, even when using automated systems.  One tenacious attacker attempted 400,000 passwords against the fake FTP server.
]]></description>
			<content:encoded><![CDATA[<p></p><p>Honeypots are a lot of fun for security professionals.  We get to trick the tricksters who try to trick security systems.  These opportunities give us whitehats a chance to be a little devious for once and get in the heads of those we are protecting against.</p>
<p>So Microsoft conducted a little honeypot of their own to collect data on the kinds of automated password attacks hackers use to break into user accounts.  They set up a fake FTP server and let attackers go to town trying to guess its passwords for about a year, with the server logging every login attempt and the credentials it carried.</p>
<p>The honeypot gathered hundreds of user names and tens of thousands of passwords that have been used in automated attacks.  The data told us a few things we already knew, basically that the most common password-guessing attempts resemble the most commonly used passwords.  But the data told us one new thing we did not already know about password cracking: simply having a long password isn’t good enough anymore if it is still dictionary-based.  The honeypot attackers routinely used passwords 8-10 characters in length and would even try passwords 10, 15, or 20 characters long.  Also, hackers are persistent, even when using automated systems.  One tenacious attacker attempted 400,000 passwords against the fake FTP server.</p>
<p>The emphasis on password strengthening is more relevant than ever with the reemergence of “L0phtCrack”, a password auditing tool.  L0phtCrack recovers passwords from their hashes at high speed by running through a dictionary of words and forming probable guesses from them.  Basically, it does the same thing as the automated crackers the attackers use, but for whitehat purposes.  Of course, critics worry that L0phtCrack is a double-edged sword, since it can be used for that very purpose.</p>
<p>Passwords are actually the easiest security measure to get right.  As long as your password follows the basic strengthening guidelines – length, letters and digits, mixed case, special characters, and above all not being built from dictionary words – it is very unlikely to fall to an automated guessing tool like the ones the honeypot observed.  That is the threat a strong password defeats; it does not help if the same password is reused elsewhere or if the password hash is stolen and attacked offline.</p>
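<p>As an added example (not code from this post, and not Microsoft’s honeypot), here is a small Python analysis of the kind of data such a honeypot produces.  The log format and the sample lines are constructed for illustration, and the short word list stands in for the dictionaries an automated cracker cycles through.  It counts the most-tried passwords and the most persistent sources, and flags guesses that are long but still assembled from dictionary words plus a digit or symbol suffix, which is exactly the weakness the post describes.</p>

```python
import re
from collections import Counter

# Constructed sample of honeypot FTP login attempts (not data from the post).
# The line format is an assumed, simplified one: timestamp, source IP,
# user name, password tried, and result.
SAMPLE_LOG = """\
2010-02-22T10:01:02Z 203.0.113.7 LOGIN user="admin" pass="password" result=FAIL
2010-02-22T10:01:03Z 203.0.113.7 LOGIN user="admin" pass="123456" result=FAIL
2010-02-22T10:01:04Z 203.0.113.7 LOGIN user="admin" pass="passwordpassword" result=FAIL
2010-02-22T10:01:05Z 203.0.113.7 LOGIN user="root" pass="administrator2010" result=FAIL
2010-02-22T10:01:06Z 203.0.113.7 LOGIN user="root" pass="letmeinletmeinletmein" result=FAIL
2010-02-22T10:02:11Z 198.51.100.4 LOGIN user="ftp" pass="password" result=FAIL
2010-02-22T10:02:12Z 198.51.100.4 LOGIN user="ftp" pass="xK9#v2!qLp$7mW" result=FAIL
2010-02-22T10:02:13Z 198.51.100.4 LOGIN user="test" pass="123456" result=FAIL
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) LOGIN user="(?P<user>[^"]*)" '
    r'pass="(?P<password>[^"]*)" result=(?P<result>\w+)$'
)

# Tiny word list standing in for a cracker's dictionary (assumption, not the
# list any real tool ships).
WORDLIST = {"password", "admin", "administrator", "letmein", "welcome",
            "qwerty", "root", "login", "secret", "dragon", "monkey"}


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            attempts.append(m.groupdict())
    return attempts


def top_passwords(attempts, n=3):
    """Most frequently tried passwords, highest count first."""
    return Counter(a["password"] for a in attempts).most_common(n)


def attempts_per_source(attempts):
    """Login attempts per source address."""
    return dict(Counter(a["src"] for a in attempts))


def _segments_into_words(s, words):
    """True if s can be split entirely into dictionary words (dynamic programming)."""
    n = len(s)
    ok = [False] * (n + 1)
    ok[0] = True
    for i in range(1, n + 1):
        for j in range(i):
            if ok[j] and s[j:i] in words:
                ok[i] = True
                break
    return ok[n]


def is_dictionary_derived(password, words=WORDLIST):
    """Long does not mean strong: flag passwords built from dictionary words
    plus the trailing digits/symbols crackers append (e.g. 'administrator2010')."""
    core = re.sub(r"[\d!@#$%^&*._-]+$", "", password.lower())
    return bool(core) and _segments_into_words(core, words)


def summarize(attempts, persistent_threshold=5):
    """Aggregate view an analyst would pull from the honeypot data."""
    per_src = attempts_per_source(attempts)
    return {
        "total": len(attempts),
        "top_passwords": top_passwords(attempts),
        "persistent_sources": sorted(s for s, c in per_src.items()
                                     if c >= persistent_threshold),
        "long_but_dictionary": sorted({a["password"] for a in attempts
                                       if len(a["password"]) >= 12
                                       and is_dictionary_derived(a["password"])}),
    }


if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

<p>On the sample above, the 14-character random string is the only long guess that is not flagged; the three others are 16 to 21 characters and still nothing more than dictionary words glued together, which is why length alone is not a useful measure of strength.</p>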

	Tags: <a href="http://www.whatevercompliance.com/tag/auditing-software/" title="auditing software" rel="tag">auditing software</a>, <a href="http://www.whatevercompliance.com/tag/password-crackers/" title="password crackers" rel="tag">password crackers</a><br />


]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/honeypot-reveals-password-weaknesses/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.whatevercompliance.com/network-security/honeypot-reveals-password-weaknesses/</feedburner:origLink></item>
		<item>
		<title>NASA Security Embarrassment</title>
		<link>http://feedproxy.google.com/~r/WhateverCompliance/~3/YB05L0ImJWo/</link>
		<comments>http://www.whatevercompliance.com/network-security/nasa-security-embarrassment/#comments</comments>
		<pubDate>Sat, 20 Feb 2010 03:51:12 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[FISMA]]></category>
		<category><![CDATA[Government Accountability Office]]></category>
		<category><![CDATA[National Aeronautics and Space Administration]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=373</guid>
		<description><![CDATA[As the report states, “NASA’s high profile and cutting edge technology makes the agency an attractive target for hackers seeking recognition, or for nation-state sponsored cyber spying.”  NASA’s security gaps leave the agency open to data theft by competing space programs or private-sector firms seeking a competitive advantage.  At the same time, terrorist groups may use cyberattacks to disrupt or destroy NASA missions.  Attacks could also come from identity thieves after the sensitive personal information of NASA’s nearly 20,000 employees.
]]></description>
			<content:encoded><![CDATA[<p>We bid for some FISMA work at NASA, so I thought I would share with everyone what NASA hasn&#8217;t been doing properly&#8230; You might think that of all U.S. federal agencies, NASA would rank among the best in cybersecurity defense.  But according to a report issued by the Government Accountability Office, the National Aeronautics and Space Administration was hit with 1,120 security incidents in 2007 and 2008.</p>
<p>It seems that at NASA, malware installations, data breaches, stolen laptops, and botnet infections are commonplace.  Among the stolen information were unencrypted data on a prototype hypersonic jet and plans for a lunar orbiter space telescope.  Some time ago, 82 NASA computers were found to be part of a Ukrainian botnet and 86 computers were infected by the Zoneback Trojan.</p>
<p>Since then, NASA has been told to plug its security holes, but the new GAO report says NASA has not done enough.  Apparently it isn’t difficult for intruders to infiltrate NASA networks and steal, delete, or modify mission-critical information.</p>
<p>As the report states, “NASA’s high profile and cutting edge technology makes the agency an attractive target for hackers seeking recognition, or for nation-state sponsored cyber spying.”  NASA’s security gaps leave the agency open to data theft by competing space programs or private-sector firms seeking a competitive advantage.  At the same time, terrorist groups may use cyberattacks to disrupt or destroy NASA missions.  Attacks could also come from identity thieves after the sensitive personal information of NASA’s nearly 20,000 employees.</p>
<p>I believe the security gaps at NASA put our national interests at risk and weaken the strategic technological advantage of the US.  But the mere existence of these security holes creates an embarrassing situation that may embolden hackers to step up their attacks on other government agencies.  After all, if security is so poor at NASA, how much better can it be at crucial military organizations?</p>

	Tags: <a href="http://www.whatevercompliance.com/tag/fisma/" title="FISMA" rel="tag">FISMA</a>, <a href="http://www.whatevercompliance.com/tag/government-accountability-office/" title="Government Accountability Office" rel="tag">Government Accountability Office</a>, <a href="http://www.whatevercompliance.com/tag/national-aeronautics-and-space-administration/" title="National Aeronautics and Space Administration" rel="tag">National Aeronautics and Space Administration</a><br />


]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/nasa-security-embarrassment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.whatevercompliance.com/network-security/nasa-security-embarrassment/</feedburner:origLink></item>
		<item>
		<title>I realize I am getting old</title>
		<link>http://feedproxy.google.com/~r/WhateverCompliance/~3/CcpBzOEXaM0/</link>
		<comments>http://www.whatevercompliance.com/general/i-realize-i-am-getting-old/#comments</comments>
		<pubDate>Mon, 01 Feb 2010 16:33:26 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=401</guid>
		<description><![CDATA[So I was talking with a client last week and they mentioned that they haven&#8217;t seen any new blog posts from me in a while. I said that was weird because I had just posted yesterday. When I got back to the office, I went online to this site from another PC and, lo and behold, [...]]]></description>
			<content:encoded><![CDATA[<p>So I was talking with a client last week and they mentioned that they haven&#8217;t seen any new blog posts from me in a while. I said that was weird because I had just posted yesterday. When I got back to the office, I went online to this site from another PC and, lo and behold, no blog post.</p>
<p>Apparently, I was logging into and using our beta site because my hosts file was specifically pointed at a different server that hosted our beta site. So&#8230; there are a bunch of blog posts coming that were actually posted months ago!</p>


]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/general/i-realize-i-am-getting-old/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.whatevercompliance.com/general/i-realize-i-am-getting-old/</feedburner:origLink></item>
		<item>
		<title>Cyberwarfare Peacekeeping and Terrorism Prevention Similarities</title>
		<link>http://feedproxy.google.com/~r/WhateverCompliance/~3/rsyNU22IvrE/</link>
		<comments>http://www.whatevercompliance.com/network-security/cyberwarfare-peacekeeping-and-terrorism-prevention-similarities/#comments</comments>
		<pubDate>Mon, 01 Feb 2010 16:29:25 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=397</guid>
		<description><![CDATA[In both struggles, the main problem is the issue of safety versus freedom, or protection versus convenience.  How many airport security measures will people endure in order to improve their safety?  IT security professionals struggle with the idea of promoting safety without impeding the freedoms of the business.  Social networking and file sharing can be very useful tools for businesses, but they also greatly increase the chances of malware infections and cybercrime hacks.  ]]></description>
			<content:encoded><![CDATA[<p></p><p>Since the Christmas Day underpants bomber revitalized our terrorism fears, I have been thinking about the similarities between preventing terrorists from physically attacking us and protecting our digital information from hackers and cyberwarfare groups.</p>
<p>The Department of Homeland Security is reluctant to admit that no amount of security measures can guarantee 100% safety from terrorist attacks at all times.  Security engineers must be aware of the same fact: cyberdefenses can never fully guarantee protection.  What can be done in both cases is to make it as difficult as possible for the enemy to bypass the physical and cyber defenses we do create.  We analyze their current attacks and schemes to make sure that known attacks will not breach our defenses, and we try to understand what future attacks will look like, always trying to stay one step ahead of the enemy.</p>
<p>The enemy in both cases consists of small, agile groups that operate within networks.  Whether it is an Al Qaeda branch or the Ukrainian Fan Club, both organizations are small and nimble enough to organize faster than their adversaries.  Most IT security teams, like the Department of Homeland Security, are large, powerful organizations whose greatest weakness is slow response time due to their size and internal bureaucracy.  As we have seen from the underpants bomber, the DHS has perhaps become too large and slow to connect the disparate pieces of information that would have prevented the bomber from boarding the plane.</p>
<p>In both struggles, the main problem is the issue of safety versus freedom, or protection versus convenience.  How many airport security measures will people endure in order to improve their safety?  IT security professionals struggle with the idea of promoting safety without impeding the freedoms of the business.  Social networking and file sharing can be very useful tools for businesses, but they also greatly increase the chances of malware infections and cybercrime hacks.</p>
<p>It would be unreasonable to eliminate freedom entirely for the sake of safety in either scenario.  After all, if you never take your business online you will never be hacked – just as if you never board a plane you will never be attacked by a terrorist passenger.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/cyberwarfare-peacekeeping-and-terrorism-prevention-similarities/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.whatevercompliance.com/network-security/cyberwarfare-peacekeeping-and-terrorism-prevention-similarities/</feedburner:origLink></item>
		<item>
		<title>Predictions on Cybercrime for 2010</title>
		<link>http://feedproxy.google.com/~r/WhateverCompliance/~3/ImEouZnw4Sk/</link>
		<comments>http://www.whatevercompliance.com/network-security/predictions-on-cybercrime-for-2010/#comments</comments>
		<pubDate>Sun, 20 Dec 2009 16:34:58 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Consulting]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=395</guid>
		<description><![CDATA[The cybercrime underground has evolved into an elaborate economy where, in 2009, cybercriminals have begun to network, collaborate, and pool resources for mutual gain.  Malware infected PCs and botnets are bought and sold like commodities.  I expect this trend will continue in 2010, and it may be the most dangerous prediction.  Combating such cybercrime organizations will require the same organization among security experts. 
]]></description>
			<content:encoded><![CDATA[<p></p><p>With the end of 2009 approaching, cybersecurity engineers as well as cybercriminals are looking to next year to see what the future of internet security holds.  Where will current cybercrime trends go and what new ones will emerge?  Well, here are a few of my predictions on what virtual mines the Internet landscape will have in 2010.</p>
<p><strong>Emboldened Social Engineering </strong>– This should be no surprise to anyone in cybersecurity or who has read this blog before.  In 2009 cybercriminals realized that social engineering is the easiest way to obtain sensitive information from users.  And while social engineering was big this year, it will keep growing rapidly next year.  Expect social engineers to become more organized and bolder in their methods.  There may be more incidents where social engineers visit sites in person to gain trust and information that no software can protect.</p>
<p><strong>Social Networking Sites Will Become a Bigger Target </strong>– Social networking sites like Twitter and Facebook are only gaining popularity and no amount of security warnings are going to keep users away.  Cybercriminals will use these sites to their advantage in two ways.  While I believe the sites themselves will become more proactive in creating security defenses, the third party applications made for these sites will have exploitable vulnerabilities.  Additionally, social networking site users will increasingly become the victims of social engineering.  These sites give social engineers a terrific medium for contacting, communicating with, and taking advantage of users.</p>
<p><strong>Ransomware Will Replace Scareware </strong>– Hijacking a user’s PC and holding it for ransom may seem outrageous, but it is happening now and proving more profitable than the scareware tactics users are growing wise to.  Expect cybercriminals to go where the money is – users would rather pay a small price to regain control of their PCs than go through the trouble of manually removing malware or wiping their machines.</p>
<p><strong>Mobile Devices Will Be Hit Hard</strong> – Mobile phones have enjoyed their short lives mostly free of threats while continuing to propagate.  But now that they have increased in complexity, becoming mini notebook computers, the likelihood of vulnerabilities has also increased.  2009 saw the Sexy Space botnet and the iPhoneOS.Ikee – what awaits our precious smartphones in 2010?</p>
<p><strong>Organized Cybercrime</strong> – The cybercrime underground has evolved into an elaborate economy where, in 2009, cybercriminals have begun to network, collaborate, and pool resources for mutual gain.  Malware infected PCs and botnets are bought and sold like commodities.  I expect this trend will continue in 2010, and it may be the most dangerous prediction.  Combating such cybercrime organizations will require the same organization among security experts.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/predictions-on-cybercrime-for-2010/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.whatevercompliance.com/network-security/predictions-on-cybercrime-for-2010/</feedburner:origLink></item>
	</channel>
</rss>
