07. November 2010 · Securosis Blog | SQL Azure and 3 Pieces of Flair · Categories: blog

Securosis Blog | SQL Azure and 3 Pieces of Flair.

Adrian Lane, the database security analyst at Securosis, points out the rather limited security controls Microsoft provides for SQL Azure.

Firewall, SSL, and user authentication are the totality of the technologies prescribed.

In other words, you are on your own. We recommend Sentrigo, an agent-based database intrusion prevention solution that sits right in the database VM.

07. November 2010 · Schneier on Security: Control Fraud · Categories: blog

Schneier on Security: Control Fraud.

Bruce Schneier highlights “Control Fraud.” While I had never heard the term before, once you read about it, it will sound familiar.

This is an interesting paper about control fraud. It’s by William K. Black, the Executive Director of the Institute for Fraud Prevention. “Individual ‘control frauds’ cause greater losses than all other forms of property crime combined. They are financial super-predators.” Black is talking about control fraud by both heads of corporations and heads of state, so that’s almost certainly a true statement. His main point, though, is that our legal systems don’t do enough to discourage control fraud.

07. November 2010 · HP And The Scary Corporate Fifth Column Concept – Hacked Off – Dark Reading · Categories: blog

HP And The Scary Corporate Fifth Column Concept – Hacked Off – Dark Reading.

Rob Enderle discusses employees leaking proprietary information to competitors. Rob focuses on Oracle’s efforts against HP, speculating that Larry Ellison’s hiring of Mark Hurd is part of a plan to acquire HP.

During a battle–competitive, political, or otherwise–detailed information about the other side’s strategy, weaknesses, and tactics can result in huge benefits for the firm that acquires it. In security, it is our job to plug leaks–which are difficult to find–to identify the potential for them. On the short list would be executives or employees who were passed over for critical promotions, complained about abuse, were identified as surplus but still working, or who were known to be disgruntled and aggressively looking for outside work.

Employees like this should be considered a security risk. Care should be taken to control the information they have access to, specifically looking for indications that information coming into their possession isn’t being passed outside the company.

06. November 2010 · Microsoft responds to Firesheep cookie-jacking tool – The H Security: News and Features · Categories: blog

Microsoft responds to Firesheep cookie-jacking tool – The H Security: News and Features.

It’s hard to believe that Firesheep is only two weeks old. In response to Firesheep, Microsoft said it will convert its Hotmail / Windows Live email service to SSL. Google did this for Gmail some time ago, well before Firesheep.

Facebook says it will also address the issue in the coming months.

So there is no doubt that more and more web traffic will be SSL-encrypted and hidden from corporate monitoring. I wrote about this last week in Easy fix for Firesheep creates a problem for enterprises.

06. November 2010 · Buyer Beware on SSL Certificates – fudsec.com · Categories: blog

Buyer Beware on SSL Certificates – fudsec.com.

If you are purchasing SSL Certificates, and you are not sure what level certificate you need, you ought to read this.

06. November 2010 · (ISC)2 Blog: Do you know Shodan? · Categories: blog

(ISC)2 Blog: Do you know Shodan?.

So here are the basics: SHODAN (Sentient Hyper-Optimized Data Access Network) is a search engine, but instead of indexing web page content, it indexes banner information. It indexes data on HTTP, SSH, FTP, TELNET and SNMP services for almost the whole Internet. You can find it at http://www.shodanhq.com.

In other words, it is a searchable index built from a massive port scan of the Internet, which makes it a quick way to find exposed, potentially vulnerable network devices. Why spend time scanning yourself when all you have to do is query Shodan? The flip side is that anything of yours that presents an identifiable banner is just as easy for an attacker to find.
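As an added example (not code from the (ISC)2 post or from Shodan itself), the following Python script does on a small scale what Shodan's index is built from: it reads the banner a service presents on connect and parses the service and software/version out of it. The banner samples are constructed, and the regular expressions are a deliberately simple take on what a real indexer would use.

```python
"""Banner grabbing and parsing of the kind a service search engine indexes.

Added example, not code from the (ISC)2 post or from Shodan. The banner
samples in main() are constructed; they are not captures of real hosts.
"""
import re
import socket
from typing import Optional

# SSH identification string, e.g. "SSH-2.0-OpenSSH_5.3" (RFC 4253 section 4.2).
SSH_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)")
# FTP greeting: "220 <text>"; daemons conventionally name themselves in <text>.
FTP_RE = re.compile(r"^220[ -](?P<text>.*)")
# HTTP status line and Server header.
HTTP_STATUS_RE = re.compile(r"^HTTP/(?P<version>\d\.\d) (?P<status>\d{3})")
SERVER_RE = re.compile(r"^Server:\s*(?P<server>.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_banner(port: int, banner: str) -> dict:
    """Classify a raw banner and extract the service/software fields.

    Returns a dict with at least {"port", "raw", "service"}; "software" is
    present when the banner exposes a product or version string.
    """
    first_line = banner.split("\n", 1)[0].strip()
    result = {"port": port, "raw": first_line}

    m = SSH_RE.match(first_line)
    if m:
        result.update(service="ssh", proto=m.group("proto"), software=m.group("software"))
        return result

    m = HTTP_STATUS_RE.match(first_line)
    if m:
        result.update(service="http", status=int(m.group("status")))
        s = SERVER_RE.search(banner)
        if s:
            result["software"] = s.group("server")
        return result

    m = FTP_RE.match(first_line)
    if m:
        result["service"] = "ftp"
        # Many FTP daemons put their name in parentheses, e.g. "220 (vsFTPd 2.3.4)".
        paren = re.search(r"\(([^)]+)\)", m.group("text"))
        result["software"] = paren.group(1) if paren else m.group("text").strip()
        return result

    result["service"] = "unknown"
    return result


def grab_banner(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Connect and read whatever the service says first.

    SSH and FTP talk first; HTTP does not, so a minimal request is sent when
    nothing arrives. Only run this against hosts you are authorized to probe.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
            if not data:
                s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                data = s.recv(4096)
            return data.decode("utf-8", errors="replace")
    except OSError:
        return None


def version_exposed(parsed: dict) -> bool:
    """True when the banner leaks a version number that can be matched against
    known vulnerabilities, which is what makes such hosts easy to find by search."""
    return bool(re.search(r"\d+\.\d+", parsed.get("software", "")))


if __name__ == "__main__":
    # Constructed banners, not real hosts.
    samples = [
        (22, "SSH-2.0-OpenSSH_5.3\r\n"),
        (21, "220 (vsFTPd 2.3.4)\r\n"),
        (80, "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\nContent-Type: text/html\r\n\r\n"),
        (23, "\xff\xfd\x18\xff\xfd login: "),
    ]
    for port, raw in samples:
        p = parse_banner(port, raw)
        flag = "version leaked" if version_exposed(p) else ""
        print(port, p["service"], p.get("software", "-"), flag)
```

Run grab_banner(host, port) against a host you are authorized to probe and feed the result to parse_banner; the parse step is what makes a search for a string like "OpenSSH_5.3" possible, and version_exposed is the quick test of whether your own hosts would turn up in such a search.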

06. November 2010 · Boffins devise early-warning bot spotter • The Register · Categories: blog

Boffins devise early-warning bot spotter • The Register.

Researchers at Texas A&M have written a paper proposing a method for Detecting Algorithmically Generated Malicious Domain Names. It focuses on detecting domain fluxing, a technique used by botnets such as Conficker.

The method uses techniques from signal detection theory and statistical learning to detect domain names generated from a variety of algorithms, including those based on pseudo-random strings, dictionary-based words, and words that are pronounceable but not in any dictionary. It has a 100-percent detection rate with no false positives when 500 domains are generated per top-level domain. When 50 domains are mapped to the same TLD, the 100-percent detection rate remains, but false positives jump to 15 percent.
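As an added illustration of the statistical approach (this is not the Texas A&M authors' code, and their paper uses more than one statistic), the Python below groups domains by TLD, builds the character distribution of the second-level labels in each group, and measures its Kullback-Leibler divergence from an approximate English letter-frequency table. The domain lists, the baseline table, the 0.5 nat threshold and the minimum group size of 5 are assumptions chosen for the demonstration.

```python
"""Score groups of domains by how far their character distribution sits from English.

Added example of one statistic a domain-flux detector can use; not the
Texas A&M authors' code. Domain lists, baseline table, threshold and
minimum group size are assumptions made for this demonstration.
"""
import math
from collections import Counter
from typing import Dict, Iterable, List

# Approximate relative frequency (percent) of letters in English text.
ENGLISH_PCT = {
    "a": 8.17, "b": 1.49, "c": 2.78, "d": 4.25, "e": 12.70, "f": 2.23, "g": 2.02,
    "h": 6.09, "i": 6.97, "j": 0.15, "k": 0.77, "l": 4.03, "m": 2.41, "n": 6.75,
    "o": 7.51, "p": 1.93, "q": 0.10, "r": 5.99, "s": 6.33, "t": 9.06, "u": 2.76,
    "v": 0.98, "w": 2.36, "x": 0.15, "y": 1.97, "z": 0.07,
}
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
SMOOTH_PCT = 0.05  # floor for digits and '-', so no baseline symbol has zero mass

# Constructed samples: ordinary-looking labels versus random-looking ones.
BENIGN_DOMAINS = ["google.com", "facebook.com", "youtube.com", "wikipedia.com",
                  "amazon.com", "twitter.com", "microsoft.com", "linkedin.com",
                  "apple.com", "netflix.com"]
DGA_DOMAINS = ["xq7zv9kwpf3j.biz", "mz4tq8yxvb0h.biz", "jk2wfz6qpx9d.biz",
               "v5hqxj7zwn1k.biz", "q9zxk3vwjm8p.biz", "bz1xq6jvw4kf.biz",
               "wj8kqzx2vp7m.biz", "zq3vkx9jw5hn.biz", "kx6jzqw1vp4b.biz",
               "vz0qjx8wkf2z.biz"]


def baseline_distribution() -> Dict[str, float]:
    """Q: probability of each alphabet symbol under the benign (English) model."""
    raw = {c: max(ENGLISH_PCT.get(c, 0.0), SMOOTH_PCT) for c in ALPHABET}
    total = sum(raw.values())
    return {c: v / total for c, v in raw.items()}


def group_by_tld(domains: Iterable[str]) -> Dict[str, List[str]]:
    """Map each TLD to the second-level labels seen under it."""
    groups: Dict[str, List[str]] = {}
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if "." not in d:
            continue
        rest, tld = d.rsplit(".", 1)
        label = rest.rsplit(".", 1)[-1]
        groups.setdefault(tld, []).append(label)
    return groups


def unigram_distribution(labels: Iterable[str]) -> Dict[str, float]:
    """P: empirical character distribution over all labels in a group."""
    counts = Counter(c for label in labels for c in label if c in ALPHABET)
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()} if total else {}


def kl_divergence(p: Dict[str, float], q: Dict[str, float]) -> float:
    """D(P || Q) in nats; q covers all of ALPHABET, so there is no log of zero."""
    return sum(pv * math.log(pv / q[c]) for c, pv in p.items() if pv > 0)


def score_groups(domains: Iterable[str], threshold: float = 0.5,
                 min_size: int = 5) -> Dict[str, dict]:
    """Per-TLD divergence from the baseline; groups above threshold are flagged.
    Small groups are skipped because their distribution is too noisy to trust."""
    q = baseline_distribution()
    out: Dict[str, dict] = {}
    for tld, labels in group_by_tld(domains).items():
        if len(labels) < min_size:
            continue
        d = kl_divergence(unigram_distribution(labels), q)
        out[tld] = {"n": len(labels), "kl": round(d, 3), "suspicious": d > threshold}
    return out


if __name__ == "__main__":
    for tld, r in score_groups(BENIGN_DOMAINS + DGA_DOMAINS).items():
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f".{tld}: n={r['n']} KL={r['kl']:.3f} {verdict}")
```

Unigram divergence separates pseudo-random labels from ordinary ones; the dictionary-word and pronounceable-but-not-in-a-dictionary generators mentioned above need statistics over bigrams or whole words, and the rise in false positives for small groups quoted above is the reason for the minimum group size.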

05. November 2010 · HTML5 Tricks Hijack Browsers To Crack Passwords, Spew Spam – Andy Greenberg – The Firewall – Forbes · Categories: blog

HTML5 Tricks Hijack Browsers To Crack Passwords, Spew Spam – Andy Greenberg – The Firewall – Forbes.

As usual, new technology spawns new threats. HTML5 will be no different.

HTML5 allows a website to run javascript processes that request data from another site, and to launch invisible scripts “in the background” on a user’s machine for long periods of time, says Kuppan. “With HTML4, after twenty seconds the browser would freeze,” he says.

And this:

Once the hacker has control of a user’s browser, it can be used to do all the same sorts of unpleasant things that botnets of malware-hijacked computers generally do: By repeatedly requesting data from another site–Kuppan says javascript can make around 10,000 requests a minute–it can overwhelm a target’s server and knock it offline. Or by creating and filling the sort of entry field typically used on corporate websites for leaving feedback, it can send mass emails to a list of addresses.

And this:

To keep users on a page longer while his scripts run, Kuppan suggests a trick that involves a clever form of “clickjacking.” Using javascript, an invisible link can be inserted wherever a user clicks on a page to open another tab with the desired destination. Since most users leave unused tabs unattended, a script can run on the original tab, potentially for hours, without the user’s knowledge.

We will need a tool that gives users better visibility into what is going on on their workstations and that either acts automatically against anomalous behavior or gives users options to take action themselves.

30. October 2010 · TaoSecurity: What Do You Investigate First? · Categories: blog

TaoSecurity: What Do You Investigate First?.

Richard Bejtlich offers the obvious, but usually difficult to implement, answer to the following question:

Let’s say for example, there is a cesspool of internal suspicious activity from netflow, log and host data. You have a limited number of resources who must have some criteria they use to grab the worst stuff first. What criteria would you use to prioritize your investigation activities?

Bejtlich offers two answers which generally converge into one: focus on assets, i.e. the most critical assets in your organization.

Ideally, the log, flow and event collection and analysis system you are using can discover every network-attached asset and let you group those assets into IT/Business Services. Then you can prioritize your investigations by the criticality of each IT/Business Service.
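As an added example of that approach (not Bejtlich's code or any product's), the Python below maps alert source addresses to IT/Business Services through a subnet inventory, gives each service a criticality tier, and sorts the alert queue so hits on the most critical services come first, with alert severity and the number of signals from the same host as tie-breakers. The inventory, service tiers and alerts are constructed for the demonstration.

```python
"""Rank suspicious-activity alerts by the criticality of the asset involved.

Added example of an asset-first triage queue; not code from TaoSecurity or
any product. SERVICES, INVENTORY and ALERTS are constructed for the demo.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List

# IT/Business Service -> criticality tier (1 = most critical). Assumed tiers.
SERVICES = {"payments": 1, "customer-db": 1, "corp-mail": 2, "dev-lab": 3, "guest-wifi": 4}

# Subnet or host -> service. Asset discovery would populate this; constructed here.
INVENTORY = {
    "10.1.10.0/24": "payments",
    "10.1.20.5/32": "customer-db",
    "10.2.0.0/16": "corp-mail",
    "10.9.0.0/16": "dev-lab",
    "192.168.100.0/24": "guest-wifi",
}
# Longest prefix first, so a /32 host entry wins over an enclosing /16.
_NETS = sorted(((ipaddress.ip_network(n), s) for n, s in INVENTORY.items()),
               key=lambda ns: ns[0].prefixlen, reverse=True)

# Constructed alerts from flow, log and host sources. severity: 1 (low) to 10 (high).
ALERTS = [
    {"src": "192.168.100.23", "rule": "outbound port scan", "severity": 9},
    {"src": "10.9.4.18", "rule": "new local admin account created", "severity": 7},
    {"src": "10.1.10.77", "rule": "periodic beacon to rare domain", "severity": 4},
    {"src": "10.2.3.4", "rule": "SMB lateral movement attempt", "severity": 6},
    {"src": "10.1.10.77", "rule": "netflow: large upload off-hours", "severity": 5},
]


def service_for(ip: str) -> str:
    """Longest-prefix match of an address to a service; "unknown" if not inventoried."""
    addr = ipaddress.ip_address(ip)
    for net, svc in _NETS:
        if addr in net:
            return svc
    return "unknown"


def criticality(service: str) -> int:
    """Unknown assets get a middle tier: neither ignored nor promoted above the crown jewels."""
    return SERVICES.get(service, 3)


def prioritize(alerts: List[dict]) -> List[dict]:
    """Order the queue: asset criticality first, then severity, then how many
    distinct alerts the same host has produced (a noisy host rises)."""
    per_host: Dict[str, int] = defaultdict(int)
    for a in alerts:
        per_host[a["src"]] += 1
    ranked = []
    for a in alerts:
        svc = service_for(a["src"])
        ranked.append({**a, "service": svc, "criticality": criticality(svc),
                       "host_alerts": per_host[a["src"]]})
    ranked.sort(key=lambda a: (a["criticality"], -a["severity"], -a["host_alerts"]))
    return ranked


if __name__ == "__main__":
    for a in prioritize(ALERTS):
        print(f"tier {a['criticality']} {a['service']:<12} {a['src']:<16} "
              f"sev={a['severity']} host_alerts={a['host_alerts']}  {a['rule']}")
```

The ordering deliberately puts a medium-severity beacon from a payments host ahead of a high-severity port scan from guest wifi; that is the point of the answer above, and the tiers are where the security team's judgment about the business goes.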

28. October 2010 · Force-TLS does not force TLS · Categories: Security-Compliance

Robert Graham from Errata Security tested Force-TLS and found that it does not protect against Firesheep.

First of all, the plug-in “Force-TLS” does not protect you, as some have suggested. I proved this with Twitter, where I was able to sidejack the connection with both FireSheep and Hamster. I’m not sure what Force-TLS does, but it doesn’t force a connection to be TLS/SSL. I configured *.twitter.com (the domain and all subdomains), and the URL “http://twitter.com” still appeared in the address bar.

In addition, Firesheep’s ability to sniff other users’ traffic depends on your network adapter and its driver.

FireSheep works only as well as the underlying packet-capture. On a Macintosh, the adapter can be fully promiscuous, capturing everybody’s traffic on the local access-point. On Windows, some adapters (like Broadcom) will see all the traffic, others (like Intel) will only see your own traffic (useful for watching which of your own websites can be sidejacked, but not useful for sidejacking others).

Rob provides extensive details and screenshots of his test methods.
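As an added example tying this post to the Hotmail/Firesheep item above (it is not code from Errata Security, Microsoft or the Force-TLS add-on), the Python below checks the two things sidejacking depends on: whether the browser would attach a session cookie to a plaintext http:// request, and whether that cookie carries the Secure attribute that keeps it off such requests. It also looks for a Strict-Transport-Security header, the server-side way to have the browser upgrade http:// URLs itself instead of relying on an add-on. The response headers and cookie names are constructed; the http://twitter.com URL is the one from Graham's test.

```python
"""Audit whether a site's session cookie could be sidejacked.

Added example, not code from Errata Security, Microsoft or Force-TLS.
EXAMPLE_HEADERS and the cookie names are constructed; only the scheme/Secure
rule of cookie handling is modelled (Domain and Path scoping are ignored).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # lowercased attribute -> value

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie value, e.g. 'sid=abc; Path=/; Secure; HttpOnly'."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if attr:
            k, _, v = attr.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def sent_on_request(cookie: Cookie, url: str) -> bool:
    """Would a browser attach this cookie to a request for url?

    A non-Secure cookie goes out on http:// requests too, which is exactly what
    Graham saw: the address bar still read http://twitter.com, so the cookie
    travelled in the clear whatever the add-on intended."""
    scheme = urlsplit(url).scheme.lower()
    return scheme == "https" or not cookie.secure


SESSION_HINTS = ("sess", "auth", "token", "sid", "login")  # assumed name heuristics


def audit_response(headers: List[Tuple[str, str]], request_url: str) -> List[str]:
    """Findings for a response to request_url; header names compared case-insensitively."""
    findings: List[str] = []
    scheme = urlsplit(request_url).scheme.lower()
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        c = parse_set_cookie(v)
        session_like = any(h in c.name.lower() for h in SESSION_HINTS)
        if not c.secure:
            findings.append(f"{'HIGH' if session_like else 'LOW'}: cookie {c.name} lacks Secure")
            if scheme == "http":
                findings.append(f"HIGH: cookie {c.name} was set over plaintext and will be "
                                "replayed on any http:// request")
        if session_like and not c.httponly:
            findings.append(f"MEDIUM: session cookie {c.name} lacks HttpOnly")
    if scheme == "https" and not has_hsts:
        # Browsers ignore HSTS received over plain HTTP, so only an https response can fix this.
        findings.append("MEDIUM: no Strict-Transport-Security header; the browser will "
                        "still follow http:// links to this host")
    return findings


# Constructed response to a login over plain HTTP (not a capture of any real site).
EXAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "auth_token=2f9c1b7e; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/; Max-Age=31536000"),
]

if __name__ == "__main__":
    for line in audit_response(EXAMPLE_HEADERS, "http://twitter.com/"):
        print(line)
```

Converting a mail service to SSL, as Microsoft and Google did, removes the plaintext request; marking the session cookie Secure removes the cookie from any plaintext request that still happens; Strict-Transport-Security makes the browser rewrite http:// to https:// on its own. A client-side add-on that leaves the URL at http:// achieves none of the three, which is what Graham's test shows.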