31. January 2010 · Comments Off on Top IT Security Risk stories of the week · Categories: Top Stories · Tags: , ,

Due to time constraints this week, I'm doing a new type of post. Rather than commenting on the stories I find most interesting, I am posting a list of stories I found interesting but without commenting. For each one, I provide the headline linked to the story and the first paragraph or two of the story so you can decide if it's worth reading in it's entirety. 

Monday, January 25, 2010

What's Your DEP and ASLR Status? If you recall, Google says they were attacked by hackers based in China using a zero-day vulnerability in Internet Explorer. That vulnerability affected almost all versions of IE, but the attack was mitigated on some by systemic defenses like DEP and ASLR.

Flaws in the 'Aurora' Attacks  The attackers who unleashed the recent wave of
targeted attacks against Google, Adobe, and other companies, making off
with valuable intellectual property and source code, shocking the
private sector into the reality of the potential threat of
state-sponsored cyberespionage — but they also made a few missteps
along the way that might have prevented far worse damage.

Tuesday, January 26, 2010

'Aurora' code circulated for years on English sites; Where's the China connection?  An error-checking algorithm found in software used to attack Google and other large companies circulated for years on English-speakinglanguage
books and websites, casting doubt on claims it provided strong evidence
that the malware was written by someone inside the People's Republic of

Aurora-style attacks swiped oil field data from energy giants; Social networks implicated in planning Google assault   At least three US oil giants were hit by cyberattacks aimed at
stealing secrets, in the months before the high-profile Operation
Aurora attacks against Google, Adobe et al in December.

Targeted attacks against Marathon Oil, ConocoPhillips, and
ExxonMobil took place in 2008 and followed the same pattern as the
later Aurora assaults. Information harvested by the attacks included
"bid data" that gave information on new energy discoveries, according
to documents obtained by the Christian Science Monitor.

Wednesday, January 27, 2010

Hydraq (aka Aurora) attack's resiliency uncovered   Security researchers continue to peel back the layers on the
Trojan.Hydraq aka Operation Aurora attacks first reported publicly
earlier this month, and the techniques employed by the threat to stay
alive on infected machines were apparently neither cutting-edge, nor
particularly sophisticated.

According to researchers with Symantec — who've published a series of blogs examining various technical elements of the Trojan.Hydraq
campaign — the attack used methods commonly observed in other malware
programs to remain alive inside of the organizations it infiltrated,
restart after systems restart.

Cost of data breaches increased in 2009; Ponemon Institute research says malicious attacks are the most costly breaches   The cost of data breaches continues to rise,
and malicious attacks accounted for more of them in 2009 than in
previous years, according to a study published today.

In conjunction with study sponsor PGP Corp., Ponemon Institute
today released the results of its fifth annual "U.S. Cost of a Data
Breach" report. The news isn't good, according to the research firm's
founder, Larry Ponemon.

Personal data stolen? Don't count on being told promptly  Andrea Rock of Consumer Reports highlights one of the findings of the new Ponemon report: Not only are data breaches from criminal attacks on U.S.-based
companies’ financial and customer data on the rise, but your odds of
being promptly informed if you’re a breach victim aren’t very high,
according to a new data breach report just released by the Ponemon

The rise of point-and-click botnets  This post highlights a graphic from Team Cymru, a group that monitors studies online attacks and other badness in the
underground economy. It suggests an increasing divergence in the way
criminals are managing botnets, those large amalgamations of hacked PCs
that are used for everything from snarfing up passwords to relaying
spam and anonymizing traffic for the bad guys, to knocking the targeted
host or Web site offline.

Where art thou conficker?  Researchers noted this week that the buzzworthy Trojan.Hydraq campaign
that was used to hack Google and some other tech giants employed some
of the same techniques used by our dear old pal Conficker to remain
resident on infected PCs. Which causes one to ponder, what happened to this attack which a
year ago captured the interest of so many people for some particular

Thursday, January 28, 2010

Haiti spam leads to new malware  As rescue efforts continue in Haiti, the world
waits with bated breath for more good news about survivors.
Unfortunately, while most people are thinking of ways to help victims,
cybercriminals are using the tragedy to further their own malicious
causes. Blackhat search engine optimization (SEO) poisoning attacks related to this tragedy have already led to FAKEAV infections. However, the most recent FAKEAV run appears to be only the start of more Haiti-related malware attacks.

Friday, January 29, 2010

The state of computer security in the UK  eSecurity Planet reports: British security consulting firm 7Safe and the University of Bedfordshire have released the UK Security Breach Investigations Report 2010, which looks at the current state of computer security in the UK through an analysis of actual data breaches.

Key findings include the fact that 69 percent of data compromises
occurred in the retail sector, 85 percent of cases resulted in stolen
payment card information, and SQL injection was used in 60 percent of

Simmering over a 'Cyber Cold War'  New reports released this week on recent, high-profile data breaches
make the compelling case that a simmering Cold War-style cyber arms
race has emerged between the United States and China.

A study issued Thursday by McAfee and the Center for Strategic and International Studies
found that more than half of the 600 executives surveyed worldwide said
they had been subject to “stealthy infiltration” by high-level
adversaries, and that 59 percent believed representatives of foreign
governments had been involved in the attacks.

Here is a link to another story about the above mentioned McAfee survey.

CIA, PayPal under bizarre SSL assault   The Central Intelligence Agency, PayPal, and hundreds of other
organizations are under an unexplained assault that's bombarding their
websites with millions of compute-intensive requests.

The "massive" flood of requests is made over the websites' SSL, or
secure-sockets layer, port, causing them to consume more resources than
normal connections, according to researchers at Shadowserver
Foundation, a volunteer security collective. The torrent started about
a week ago and appears to be caused by recent changes made to a botnet known as Pushdo.

Saturday, January 30, 2010

A tad too late, Google begins phase-out of IE6  Not that long after a Google employee running Internet Explorer 6 was hacked, creating an international incident, Google has announced that they will begin withdrawing support for IE6 in their own services.

New security features in Google Chrome  Google has announced a number of security enhancements that are being implemented in Chrome. Some have already been implemented in other browsers, including Firefox and IE and in significant add-ons like NoScript.

30. September 2009 · Comments Off on Twitter is dead · Categories: Application Security, Breaches · Tags: , , ,

According to Robert X. Cringeley, long time computer industry pundit, Twitter is dead. Why?

"Twitter is dead because it is now so popular that the spammers and
the scammers have arrived in force. And history tells us that once they
sink their teeth into something, they do not let go. Ever.

Twitter scams aren't new. But I've never seen so many hit in a single week or with such rigorous precision."

Symantec has a nice blog post about one of the underlying problems with Twitter, i.e. since Twitter is limited to 140 characters, people use "URL shorteners" instead of the actual URLs to which they are referring. Therefore you have no idea where you are going when you click on the shortened URL.

Cringely closes with this:

Spam will kill Twitter's usefulness for everyone but relentless
Internet marketers, unless the brainiacs at TwitCentral can figure out
a better way to block it. Smart people have tried and failed everywhere
else, though. I don't hold out much hope.

My view is that just as with any new technology, if there are real benefits people will tolerate the risks for some period of time and third parties will develop solutions to mitigate the risks. This is the history of the whole IT security industry.

Take email for example. Email has been so valuable that people tolerated spam for some time. Then third parties developed anti-spam solutions for which enterprises were willing to pay and consumers got as a feature of either their email client or anti-malware product.

On the other hand, there is still a huge amount of email spam, which means that email spamming is still profitable. Therefore there are tons of people who either are not availing themselves of anti-spam filters or for some reason still fall for spam scams.

Yet with all that spam, there is no sign of email dying due its immense value.

07. September 2009 · Comments Off on Court allows bank customer to sue bank for “negligent” security practices · Categories: Authentication, Breaches, Funds Transfer Fraud, Legal, Risk Management, Security Management, Vendor Liability · Tags: , , , ,

Computerworld reported last week that a judge in Illinois ruled that a couple who lost $26,500 when their bank account was breached can sue the bank for negligence for not implementing "state-of-the-art" security measures which would have prevented the breach.

While bank credit card issuers have been suing credit card processors and retailers regularly to recoup losses due to breaches, this is the first time that I am aware of that a judge has ruled that a customer can sue the bank for negligence.

The more detailed blog post by attorney David Johnson, upon which the Computerworld article is based, discusses some really interesting details of this case.

The plaintiffs sued Citizens Financial Bank for negligence because it had not implemented multifactor authentication. The timeline is important here. The Federal Financial Institutions Examination Council (FFIEC) issued multifactor authentication guidelines in 2005. By 2007, when the plaintiffs' breach occurred, the bank had still not implemented multifactor authentication. The judge, Rebecca Pallmeyer of the District Court of Northern Illinois, found this two year delay unacceptable. 

Two interesting complications – (1) The account from which the money was stolen was from a home equity line of credit account, not a deposit or consumer asset account. (2) This credit account was linked to the plaintiffs' business checking account. I discussed the differences between consumer and business account liability here. Fortunately for the plaintiffs, the judge brushed these issues aside and focused on the lack of multifactor authentication.

One issue that was not addressed – where was Fiserv in all of this?
They are the provider of the online banking software used by Citizens
Financial Bank. Were they offering some type of multifactor
authentication? I would assume yes, although I have not been able to
confirm this.

In conclusion, attorney David Johnson makes clear that this ruling increases the risk to banks (and possibly other organizations responsible for protecting money and/or other assets of value) if they do not implement state-of-the-art security measures.

The Washington Post reported yesterday that there is an increase in "funds transfer fraud" being perpetrated by organized crime groups from Eastern Europe against small and medium U.S. businesses. 

It's hard to know the extent of this type of crime because there is no breach notification requirement since no customer information is disclosed. However, many companies are reporting these crimes to the FBI and of course to their banks.

The risk of funds transfer fraud to businesses is much higher than to consumers for the following reasons:

  • Dollar amounts are higher.
  • Under the Uniform Commercial Code, businesses only have two days to dispute charges they feel are unauthorized. Consumers have 60 days from the time they receive their statements.
  • Because banks are liable for the consumer losses and less so for the business losses, they invest more resources in protecting consumers.

The complete article in the Washington Post is well worth reading.

In a previous post, I highlighted one of the techniques used by cyber criminals where they surreptitiously install the Clampi trojan on a PC in order to get the login credentials needed for online banking.

Recommended actions:

  • Install anti-virus/anti-malware agents on all workstations and keep them up-to-date
  • Use an end-point configuration management system to discover all workstations, to assure the above mentioned agents are installed and up-to-date, and to assure that unauthorized software is not installed
  • Implement firewall policies to (1) assure that only authorized people (i.e. people in authorized roles) using only authorized workstations can connect to financial institutions to perform funds transfer transactions, (2) assure that people not authorized cannot connect to financial institutions, (3) generate alerts when there are attempts to violate these policies
  • Implement a process where funds transfer transactions are reviewed on a daily basis by someone other than the person or people who perform the transactions

20. August 2009 · Comments Off on 8 Dirty Secrets of the IT Security Industry – Provocative headline; content not so much · Categories: Application Security, Compliance, Innovation, Risk Management, Security Management · Tags: , , , , ,

CSO Online Magazine has an article about IBM ISS Security Strategist Joshua Corman's concerns with the security industry. While I agree with much of what he says, I disagree with his core premise, expressed in Dirty Secret 1. Here are my comments on each of Josh's eight dirty secrets.

"Dirty Secret 1: Vendors don't need to be ahead of the threat, just the buyer – This is the problem that leads to the seven "dirty secrets" that
follow. In essence, Corman said, the goal of the security market is to
make money, not to ensure the customer's security.

I find it surprising that a representative of one the largest and most profitable enterprises in the world attacks other vendors for wanting to make money, as if making money is bad. Is he serious about attacking capitalism? Is security some special market where profits are bad? From my perspective, making money is the result of solving client problems and helping them meet their objectives.

"Dirty Secret 2: AV certification omissions – While AV tools detect replicating malware like worms, they fail to identify such as [sic] non-replicating malware as Trojans."

Aside from the grammar issue, I agree that some vendors are having difficulty keeping up with the constantly evolving threat landscape. However, this creates opportunities for new vendors. Joseph Schumpeter called this "creative destruction."

"Dirty Secret 3: There is no perimeter – Corman said those who truly believe there's still a network "Perimeter" may as well believe in Santa Claus."

There has never been a perimeter in the sense that if you just protect the edge of your network, you are safe. I do agree that it can be difficult to know where that edge is. However, there is still an important role to be played by a perimeter firewall that understands applications, users, and content. Beyond that, good security has always been about "defense-in-depth."

"Dirty Secret 4: Risk management threatens vendorsRisk
management really helps an organization understand its business and its
highest level of risk, Corman said. But a company's priorities don't
always map to what the vendors are selling."

Again, this allusion to disreputable vendors. At any point in time, there surely are disreputable vendors. But they don't last long. Of course any IT Security control being deployed should be in the context of how risk is being reduced.

"Dirty Secret 5: There is more to risk than weak software – Corman
said the lion's share of the security market is focused on software
vulnerabilities. But software represents only one of the three ways to
be compromised, the other two being weak configurations and people."

No argument here, but not really new. The issues around security awareness training, for example, are much deeper than lack of money being spent on it. Regarding configuration management, has the issue been lack of attention or lack of good products to deal with the issues? It's a hard problem.

"Dirty Secret 6: Compliance threatens security – Compliance with such laws and industry standards as Sarbanes-Oxley and PCI DSS
drives companies to spend far more on security than they might
otherwise. Security vendors have obviously seized upon this fact,
offering products that do everything from offer PCI compliance out of
the box to ultimate cure-alls for healthcare entities coping with the
demands of HIPAA. Of course, this too leads to companies buying security tools that fail to properly address the particular risks they face."

I surely agree that compliance threatens security and there surely are cases where vendors have been successful by focusing on compliance rather than on reducing risk. When an organization "only" focuses on compliance requirements it falls short of what it can and should be doing to protect its assets. In fact, compliance represents a floor or bare minimum level of security.

Put another way, if you only focus on compliance, you will surely not be maximizing the value of your security investment. At the very least, there is no way that regulatory bureaucracies can keep up with the changing threat landscape. 

"Dirty Secret 7: Vendor blind spots allowed for Storm – The Storm botnet, as an archetype, is being copied and improved. The Storm era of botnets is alive and well, nearly two years from when it first appeared, Corman said."

As I said in my comment on Dirty Secret 2, some vendors may not be responding to the changing threat landscape, but there are others who are. If you feel your vendors are not responding, look for new ones. There is a lot of innovation in the IT Security industry.

"Dirty Secret 8: Security has grown well past "do it yourself" – Technology
without strategy is chaos, Corman said. The sheer volume of security
products and the rate of change has super-saturated most organizations
and exceeded their ability to keep up."

Any actions or tactics that are not part of a strategy is obviously chaos. First Corman says that vendors are not keeping up and now he is saying that enterprises cannot keep up (without his help). With all due respect, let's remember that Corman is part of IBM's consulting organization. On the other hand, there is no harm in repeating that technology by itself is not the answer. It's people, process, and technology, as it has always been.

18. August 2009 · Comments Off on Gmail vulnerability shows the value of strong (high entropy) passwords · Categories: Authentication, Malware, Risk Management, Security Management, Security Policy · Tags: , , , , , , , , ,

Weak passwords and other password issues continue to be the bane of every security manager's existence. Becky Waring from Windows Secrets reports on a Gmail vulnerability where an attacker can repeatedly guess your password using Gmail's, "Check for mail using POP3"
capability. This is a service Gmail provides that enables you to use an email client rather than the Gmail browser interface. You can read the details of the vulnerability at Full Disclosure.

The unfortunate reality is that we have reached a point in the evolution of technology that if an attacker is in a position to implement an unimpeded repetitive "guessing" attack on your password, like this Gmail vulnerability, there is no password you can remember that can survive the attack. In other words, if you can remember the password, it's too weak, and it will be cracked.

NIST Special Publication 800-63 rev1 "Electronic Authentication Guideline" Appendix A (Page 86) discusses the concepts of password strength (entropy) in detail.

The only way you can really protect yourself is by using an automated password manager. LifeHacker has a very good review of the top choices available.One of the side benefits of these products, is that you should not have to physically type your passwords, thus reducing the risk associated with keyloggers, which I discussed in previous posts here and here.

Steve Gibson has a site called Perfect Passwords that automatically generates high entropy passwords.

At the very least, follow the advice in Becky Waring's column.