Quote on securing the Internet

Securing the Internet against denial of service attacks is a near impossibility, and punishing those who launch such attacks when the culprits are countries is infeasible. -- Eugene Schultz, member SANS NewsBites Advisory Board
Src: SANS NewsBites

Quote on business culture

Data breaches and thefts are due to a lagging business culture – absent a new eCulture, breaches will, and continue to, increase. -- Reader comments from John Franks
Src: Monster.com Breach May Preface Targeted Attacks - Security Fix | WashingtonPost

Quote on business survival

In the realm of risk, unmanaged possibilities become probabilities. Any business and its survival is dependent on one thing: a managed progression through a world of accelerative change. -- David Scott, author of I. T. Wars: Managing the Business-Technology Weave in the New Millenium
Src: I.T. Wars | The Business Forum Online

Data breach victims may not get directly notified

This article from USAToday.com discusses the various reasons why victims of a data breach (Monster.com and Heartland are the most recent) may not get direct notification of the breach.

With 45 states having distinct data-loss disclosure laws, I believe it's time to level the playing field and establish a preemptive federal data-loss disclosure law that would apply throughout the US.

Src: Data-theft victims in Monster, Heartland cases may not be notified | USATODAY.com

UK's Personal Information Promise

The UK's ICO Commissioner, Richard Thomas, spoke clearly about the need to protect data:
Data protection is good for business [...] Organisations are waking up to the fact that privacy is now so significant that lapses risk reputations and bottom lines [...] Protecting people’s personal details should not be left to chance. I urge all CEOs and their executive teams to take personal responsibility for treating data protection as a corporate governance issue affecting the whole organisation. They have to make sure that safeguarding the personal information of the customers and staff is embedded in their organisational culture.
Src: ICO Press Release
In the UK, the Information Commissioner’s Office (ICO) is "independent authority set up to promote access to official information and to protect personal information." Src: ICO.gov.uk

As of today, over twenty organizations have signed the 10-point Personal Information Promise which states that organizations will:

1. value the personal information entrusted to us and make sure we respect that trust;
2. go further than just the letter of the law when it comes to handling personal information, and adopt good practice standards;
3. consider and address the privacy risks first when we are planning to use or hold personal information in new ways, such as when introducing new systems;
4. be open with individuals about how we use their information and who we give it to;
5. make it easy for individuals to access and correct their personal information;
6. keep personal information to the minimum necessary and delete it when we no longer need it;
7. have effective safeguards in place to make sure personal information is kept securely and does not fall into the wrong hands;
8. provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or don't look after personal information properly;
9. put appropriate financial and human resources into looking after personal information to make sure we can live up to our promises; and
10. regularly check that we are living up to our promises and report on how we are doing.
Src: ThisIsMoney.co.uk

Src: Personal Information Promise | ICO.gov.uk

SSN-based UserID and Password

With the increased awareness of data security, it seems unthinkable that in 2009, a company would be so careless as to setup an internet-accessible website where user id and passwords would be based on social security numbers (SSN).

EideBailly, which bills itself as a top 25 CPA firm in the US, describes its new login procedures where the password is derived from the user id, and both are based on the employee's SSN.
***Please note new login procedures*** [emphasis from source document]

Enter your social security number as the User Name and last four digits of that same number as your PIN. Click on the “Log in” button. A new screen will open to “Set Up Your New Account.” In the User Name and Password field, type in a unique User Name and password. The password is case sensitive and must contain at least six characters, one of which must be a number. Enter an e-mail address to be used if you lose your password. Enter a security question and answer. Click on “Create the User.”
Src: EideBailly Employee Benefits Login Page

Bot software peers at victims' screens

It is no secret that spyware can record all of your keystrokes. Theft of financial data (credit cards, bank accounts, electronic payment accounts) is regularly reported as the primary motive for hackers.

The good news: financial institutions are (slowly) changing the way they authenticate users. ING.com for example presents users with a graphical numeric pad (like a calculator) for part of the authentication data.

The bad news: as was suspected, hackers have also changed their methods and are now reported to also be recording snapshots of the user's screen (or general area around the mouse pointer).

Src1: Bot software peers at victims' screens | SecurityFocus
Src2: Ozdok: Watching the Watchers | SecureWorks

Test your defenses against malicious USB flash drives

Implementing a security solution or process without testing it is like believing security cameras will stop crime; both provide a false sense of security.

The article from Computerworld contains a small snippet of code that you can use to check (yes, "trust but verify" as Reagan would say) that Autorun is properly disabled on your USB devices.

Src: Test your defenses against malicious USB flash drives | Computerworld

Quote on two-factor authentication

"Two factor authentication is not emailing your password to someone else so that they can remind you of it when you forget it." -- Andrew Hay

Src: Twitter / Andrew Hay: two factor authentication ...:

An Inquiry into the Nature and Cause of the Wealth of Internet Miscreants

Academic security researchers have released a paper on the how organized crime profits on the Internet underground economy. They monitored IRC channels for 7 months, and logged over 13 million messages (2.4GB of data).

"The total wealth generated from credit card fraud in the channel is over $37,000,000" and over $93 million dollars when including other forms of financial data.

Src: 'An Inquiry into the Nature and Cause of the Wealth of Internet Miscreants'

McAfee Report - Businesses risk losing over $1 trillion from loss or theft of data and other cybercrime

A report released today (January 29, 2008) and sponsored by McAfee warns of the risks that the global recession pose to intellectual property and security: businesses risk losing over $1 trillion from loss or theft of data and other cybercrime.

Here are highlights of the research, conducted by Purdue University’s Center for Education and Research in Information Assurance and Security (CERIAS):
  • Recession puts intellectual property at risk
  • Commitment to protecting vital information varies
  • Intellectual property is now an international currency
    "Cybercriminals are increasingly targeting executives using sophisticated phishing techniques"
  • Employees steal intellectual property for financial gain and competitive advantage
  • Geographic threats to intellectual property
[Editor's note: the sponsor of this report is McAfee which has a definite stake in cybercrime fighting tools and services]

Src: McAfee

The 7 dirty secrets of the security industry

This article by Network World's Joshua Coman is a must read for anyone who (still) believes that product X, service Y, or compliance certificate Z can bring you information security.

Notable quotes:
Compliance in and of itself does not equal security...

Compliance is supposed to raise the minimum standard of security, but it just gets us to do what we are required to do and nothing else.

Technology without strategy is chaos.
Src: The 7 dirty secrets of the security industry - Network World [Tx to @gattaca]

What the Web knows about you

A long but fascinating read about the amount of personal information that can be found online, including in some cases, Social Security Numbers.

Src: What the Web knows about you | ComputerWorld [Tx @BrianHonan]

New Fake Antivirus - "Total Defender"

PandaLabs just reported seeing a new fake antivirus program over the weekend, called "Total Defender." It seems the program isn't asking its users to purchase the software - which likely means that it will act as a conduit for more nefarious purposes in the future (i.e. a backdoor).

Src: New Rogue: Total Defender - PandaLabs [Tx @lithium]

Innovation in firewalls? You bet!

What do you get when you put 3 giants of security in a room to discuss firewalls and IPS? Watch this presentation from Richard Stiennon, Chief Research Analyst for IT-Harvest as he interviews Martin McKeay, Amrit Williams, and Mike Murray.

Innovation in firewalls? You bet. | ThreatChaos

How to Use Twitter for Informatin Mining

Lenny Zeltser of the SANS Internet Storm Center provides insights and warnings for those using Twitter about the amount of data and connections that can be mined from your Twitter activity.

Src: How to Use Twitter for Informatin Mining - SANS Internet Storm Center

Websense report - State of Internet Security Q3-Q4 2008

Digesting the latest report from Websense reveals a bleak picture for the 2nd half of 2008. Let's review the findings and elaborate:
77 percent of Web sites with malicious code are legitimate sites that have been compromised.
Meaning that instead of primarily registering new sites, attackers are instead choosing to compromise existing ones.
70 percent of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.
Attackers are choosing to compromise the very sites that people use frequently and normally trust (e.g. CNET Networks, BusinessWeek.com, BillOReilly.com, the New York Times, Facebook, Twitter)
sites that allow user-generated content comprise the majority of the top 50 most
active distributors of malicious content.
Web 2.0 allows for rich interactions with other users and content. However, it also provides hackers with powerful means to infect new machines by taking advantage of the dynamic and rich nature of the content that can be served (i.e. scripting).
57 percent of data-stealing attacks are conducted over the Web (a 24% increase)
The web has become the new weapon of choice for hackers, allowing massive theft of data, distributed over numerous law enforcement jurisdictions, making it hard to quickly investigate and prosecute.
The Web Remains the Number-One Attack Vector
The top 10 web attack vectors are not surprisingly centered around browser vulnerabilities, flaws with media software (PDF, Flash, ActiveX, RealPlayer, QuickTime), social engineering, third-party apps, and DNS weaknesses.

Src: State of Internet Security Q3-Q4 2008 | Websense

In the long run, the cops (feds) always win

A fascinating story of intrigue and deception, that of an FBI agent who became a system administrator for one of the top underground markets for "carders" (i.e. sites that transact in credit card and other financial data).

Src: Three years undercover with the identity thieves | InfoWorld.com

Personal Privacy And Frequent Flyer Elite Status

If you ever come to wonder about the amount of information that people are voluntarily flaunting about themselves and what can be done with it, then read this post from fellow Blogger Dave Lewis.

Personal Privacy And Elite Status | Liquidmatrix Security Digest

The AutoRun that won't get disabled

So you thought you disabled AutoRun on your Microsoft Windows operating system. But did you? Depending on the methodology you followed, it might not be fully disabled.

Src: US-CERT Technical Cyber Security Alert TA09-020A -- Microsoft Windows Does Not Disable AutoRun Properly

Risk Measure and Risk Metric

Very insightful post about the difference between a Risk Measure and a Risk Metric. In short, the metric is the human interpretation of what was measured.

Src: Risk Measure and Risk Metric | RiskGlossary.com

McAfee 2009 Threat Predictions

The McAfee 2009 Threat Predictions report just issued paints a grim picture of malware reality as it stands today - "We have seen more malware in the past 12 months than ever before."

In 2008, 1.5 million pieces of malware were identified; that's 171 new pieces of malware detected every hour (2.85 every minute). "Malware is a business, and that business is thriving."

Src: 2009 Threat Predictions | McAfee

Heartland Payment Systems Breached

[Update1: As many as 100 million credit cards may have been compromised Src: WashingtonPost ]

Heartland Payment Systems publicly admitted that they were "the victim of a security breach within its processing system in 2008" and has hired forensic investigators to help. But sometimes you have to read between the lines to extract truth out of public releases.
No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach.
So, this means that the hackers have my credit card number, my name, and the encrypted PIN.

Src: Heartland Payment Systems | 2008breach.com

Why Technology Won't Prevent Identity Theft

In addition to his own blog, Bruce Schneier also writes for outfits like The Wall Street Journal. In this opinion piece, here is what he had to say about balancing security with ease of use:
Security is a trade-off, and any well-designed authentication system balances security with ease of use, customer acceptance, cost, and so on. More authentication isn't always better. Banks make this trade-off when they don't bother authenticating signatures on checks under amounts like $25,000; it's cheaper to deal with fraud after the fact. Web sites make this trade-off when they use simple passwords instead of something more secure, and merchants make this trade-off when they don't bother verifying your signature against your credit card.
Src: Why Technology Won't Prevent Identity Theft - WSJ.com

Choosing a good chart

Ask any technical writer and they will tell you that a good document (or presentation) takes careful planning of both textual and graphical content. The folks at ExtremePresentation (tm) blog have a diagram to help you identify which type of chart to use.

Src: The Extreme Presentation(tm) Method: Choosing a good chart
[ Direct link to PDF ]
[Update1: Another resource (web site) to help you choose your chart]

Time to Take the Theoretical Seriously

Chris Wysopal, CTO of Veracode, has an article on the double-edged sword of vulnerability research and disclosure. Here are a few quotes:
The hope that no one is willing, or no one is able, to implement an attack is not a security strategy.
Yet, the necessity of demonstrating such attacks before the vulnerabilities are fixed is dangerous, both for Internet users and for researchers. By raising the amount of work required for researchers to get their voices heard it makes it all the more likely attackers will build the tools first.
Src: Time to Take the Theoretical Seriously | SecurityFocus [Tx @ioerror]

Malware - catch and do not release

Ever wanted to find out how the good guys (and gals) capture malware and analyze it? This post from the SANS Internet Storm Center shows you just how it is done and just how easy it is for one piece of malware to call home and grab more malware.

Src: SANS Internet Storm Center

Social Media Defined

A fellow Security Professional, Martin McKeay, asked Twitter users to define social media. Here's my perspective on this revolutionary concept:
Social media is the convergence of technology and freedom of expression, allowing instant publishing of one's thoughts and opinions free of editorial control.

Social media tears down the last barrier to communication - distance. Its users enjoy the freedom of expression, the instant delivery of content and feedback, and the ability to connect to countless others, making us one small world in a great sea of humanity.

Dr. Christophe Veltsos, January 19th, 2009

The Social Engineering Pyramid

The handlers of the SANS Internet Storm Center have created a Social Engineering Pyramid that illustrates the differences in mass Internet attacks, spear phishing, and targeted attacks.

Src: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - ISC

Windows7 UAC & desktop dimming

While beta testing Windows7, I was somewhat baffled by the message that greeted me. See for yourselves as to whether this is a bright or dim move...

Mind your hashes

Are MD5 hashes broken? Well, sort of. Not quite broken enough to make them inadmissible in court (as of end of 2008) but broken enough that with the right tools (and time), one can generate two different sets of input files that have the same MD5 hash value.

DidierStevens has lots more details and a proof of concept on his blog. Didier was able to create an evil file that contains the same MD5 hash as a known good file and thus would pass Authenticode verification.

Here is a site where you can find code to create your own MD5 hash collision.

Builders, Breakers, and Malicious Hackers

Software has a dirty secret - it's flawed. Who is going to fix it? The builder, the breaker, or the hacker? Jeremiah Grossman manages to expose and explain the fragile balance between those three entities and why we won't have secure software anytime soon.
Builders build software, which gives breakers something to break. Breakers break software, a defensive sanity checking process, and provide insights into what attacks are theoretically possible... Then at some point malicious hackers hack said software, making what was previously possible probable. - Jeremiah Grossman, CTO of WhiteHat Security
Src: Builders, Breakers, and Malicious Hackers | Jeremiah Grossman Blog

It's time to start issuing PC licenses

Known as the Cyber Cynic of ComputerWorld, Steven J. Vaughan-Nichols, recently wrote an article arguing for the licensing of PC users. Here's what Dr.InfoSec had to say:
A hybrid approach of licensing PC users and providing virtualized desktops may be the best approach.

Imagine a $100 device that would be instantly on, where you could not save anything (including malware taking over) and where the user would be brought to his/her virtual desktop with all of the enterprise-class protections that are considered best practices today.

So where does licensing fit in this picture? If you have a need to use a *real* PC (is there such a thing anymore), you would need to be licensed in safe computing (much like your state or country licenses safe drivers). If you are found to be in violation of safe computing practices, your license may be revoked and you will be brought back to the virtual desktop environments.
Src: It's time to start issuing PC licenses - Computerworld Blogs

Storm Botnet Makes A Comeback

Does malware ever die? It seems that the Storm worm which was all but left for dead is making a comeback as Waledac, with new and improved (read harder to detect and infiltrate) architecture.

Src: Storm Botnet Makes A Comeback - DarkReading

Watch a movie of Malware in action

If you ever wanted to see, from the safety of not actually experiencing it, how malware behaves and tricks users into doing things like installing programs or providing credit card numbers...

Src: Rash of Rogue Security Malware - PandaLabs

IT security standards planetarium

A picture is worth a thousand words - how about if it depicts almost 50 security standards?

Src: IT security standards planetarium

The Bumper List of Windows 7 Secrets

Everything (and more) that you ever wanted to know about fully utilizing the new and improved features of Windows 7 (beta).

Src: Tim Sneath : The Bumper List of Windows 7 Secrets

Laptop stolen from office containing finger prints, names, Social Security numbers, addresses, dates of birth and other information

Could it get any worse than realizing that a stolen laptop happened to contain not only social security numbers but also fingerprint images in addition to names, addresses, etc?

Src: Laptop stolen from office containing finger prints, names, Social Security numbers, addresses, dates of birth and other information | OSF Data Loss Database

USB Encryption Fail

Every once in a while a story surfaces that illustrates just how easily one can fail at security. In this case, an employee of NHS Central Lancashire in the UK managed to lose a USB stick containing sensitive data about Preston Prison patients' health.

While the data was encrypted, the password was apparently "attached to the device" on a memo note when it went missing.

Src: Apology after prisoners' health info goes missing - Lancashire Evening Post

Police hacking laws moving from Germany to the rest of Europe

A fellow blogger over at Security4all has some chilling details about a wave of law-enforcement related changes happening in Europe. Police are being armed with custom-made Trojans and traditionally privacy-leaning laws are being modified in several European countries.

Src: Police hacking laws moving from Germany to the rest of Europe. Do as I say, not as I do. | Security4all

Woman beats immigration biometric system with sticky tape

As pointed out by No Tech Hacking's Johnny Long, it is often possible to beat a complex technological solution with some simple alternatives - case in point:

"...the man had helped many South Koreans enter Japan using the method, in which people put special tape containing imitation fingerprints on their fingers to cheat the fingerprint scanner at immigration."

Src: Woman details immigration scam | The Daily Yomiuri

What is an “effective” Control?

One of the many sources of information security news and advice that I subscribe to is the SecurityMetrics mailing list. Last week, Wade Baker of Verizon Business Security Solutions summarized when security controls can be considered effective, efficient, or optimal.
If it does what it’s supposed to, to the degree it’s supposed to, it’s effective (no matter how much risk, or what % of attacks, etc it reduces). If it does that for a cost that is low relative to its effectiveness, it’s efficient. At the point where the cost of increasing effectiveness exceeds the incremental benefit of doing so, it’s optimal. - Wade Baker, Verizon Business Security Solutions
Src: Verizon Business Security Blog » Blog Archive » What is an “effective” Control?

New phishing ploy exploits secure sessions to hijack data

Are traditional web security controls (HTTPS) useless? A new phishing attack has surfaced that exploits a user's browser if he/she is logged into their bank while also surfing the web (aka "in-session phishing"). So, you might be logged into your bank over a secure session but the attacker uses YOUR browser to piggyback onto your bank session.

Src: New phishing ploy exploits secure sessions to hijack data - SC Magazine US
Src: Move aside e-mail phishing, in-session phishing is in! | Oracle Blog

How to beat Downadup at its own game

[Updated on Jan 16: number of infected machines is now just under 9 million]
[Updated on Jan 14: number of infected machines is now 3,521,230 up 1 million from the previous day]

Downadup is one of those fascinating pieces of malware that connects to various web addresses to download and install a predefined executable - which could allow more malware to be loaded.

Where Downadup is different from other botnets is the way in which it chooses, on a predefined basis, the names of the web addresses it will check on a particular day. Instead of a traditional list of preregistered web domains (e.g. evil1.com, evil2.com, etc), Downadup has a complex algorithm that generates domain names which change daily and use timestamps from other public web sites to come up with things like "qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc, and hcweu .org."

While the good guys can examine the code and thus be able to predict which domain name the worm will use on a given day, they cannot actually take control of the compromised machines which connect to them as it would be considered illegal in many countries. So instead, they patiently waited and counted the number of machines connecting. The tally so far: almost 2.4 million machines infected by the Downadup worm.

Src: How Big is Downadup? Very Big. | F-Secure Weblog
Update1: More than One million new infections | F-Secure Weblog
Update2: Worm infects 1.1M Windows PCs in 24 hours | ComputerWorld
Update3: Latest F-Secure Blog entry

EFF Surveillance Self-Defense Project

The EFF (Electronic Frontier Foundation), a bastion for digital civil rights, has released a beta version of their Surveillance Self-Defense Project (SSD) which aims to "educate the American public about the law and technology of government surveillance in the United States, providing the information and tools necessary to evaluate the threat of surveillance and take appropriate steps to defend against it."

The SSD seeks to answer questions about what the government can do and what you can do to protect yourself against government spying.

Src: The SSD Project | EFF Surveillance Self-Defense Project

Creating a Mac-on-Stick using Mini vMac

The idea behind this item is strange but intriguing: it looks like you can emulate one of the old Macs (up to system 7.5.5) on a USB. If only I had more time...

Src: Creating a Mac-on-Stick using Mini vMac | No Thick Manuals

(Under)mining Privacy in Social Networks

Three Google employees have written a paper about the dangers to your online privacy due to the amount of information available from social networking sites, their activity streams, and the potential for connecting the dots (linkages) which would allow some users (or their connections) to be identified by merging social graphs (i.e. connection patterns).

Here's an excerpt of the paper's introduction:
...we point out three distinct areas where the highly-interlinked world of social networking sites can compromise user privacy. They are
• lack of control over activity streams,
• unwelcome linkage, and
• deanonymization through merging of social graphs
Src: Could your social networks spill your secrets? | New Scientist
Direct link to paper

Contents of Your Transportation Pass Revealed

Researchers at the Université catholique de Louvain have demonstrated that the contact-less (RFID) Belgium transportation card called MOBIB can actually reveal information about birthdate, zipcode, and the last three travels.

I think that 2009 will have many more such revelations about the dangers of proximity-based technology, whether used for transportation or more importantly things like identification (drivers license) and passports.

Src: The Information Security Group, Université catholique de Louvain, Belgium [Tx @DidierStevens]

2008 - The year of malware

According to PandaLabs (Spanish security vendor), in 2008 they saw an average of 35,000 malware samples a day, 22,000 of those being new samples.

Another dire bit of news reported by PandaLabs is the growth of "fake" antivirus which they estimate generates over $13 million a month for hackers.

Src: 22,000 new malware samples created every day in 2008 | Net-Security.org

County Posts Social Security Numbers Online

It is unusual (or maybe insensitive) in 2009 to see someone as bold as Pottawatomie County Clerk Nancy Bryce who said "I don't think that's going to happen." In her view, it is unlikely that someone would use the Social Security numbers listed on county records (home sales and mortgage records) that are accessible on the Internet.

Src: County Posts Social Security Numbers Online KOCO Oklahoma City

First documented case of Spear Phishing for 2009

Lenny Zeltser at the The SANS Internet Storm Center (think of it as the NOAA of cyber storms) has a write-up on a Swedish company that received an executable attachment masquerading as a spreadsheet analyzing the current acquisition market. The phishing email was sent only to executives at that company and the malware is believed to be a first-stage downloader which would then grab (and install) more malware.

Src: SANS Internet Storm Center

Fake CNN malware attack spins Gaza angle

Another round of social engineering attacks has surfaced, this time pretending to be a CNN report about the situation in Gaza. If you didn't ask for it, don't read it, and don't download any software (or updates, which are still software). The attack masquerades as an Adobe update but instead installs banking credential stealing software.

Src: Fake CNN malware attack spins Gaza angle | ComputerWorld

Looking at the Crackpal.com Phishing-For-Hire Scheme

Do you ever wonder what would happen if you clicked on the link that just landed in your inbox? Wes McGrew has a nice bit of investigative reporting, complete with snapshots.

Src: McGrew Security Blog » Blog Archive » Looking at the Crackpal.com Phishing-For-Hire Scheme

No Patch for Human Stupidity

This week's quote comes from Charlie Martin over at PajamasMedia/Edgelings who wrote a nice article about the big security-related events of the week (Md5 collision for SSL certs, Twitter phished, Twitter admin account guessed).
The lesson is that our security problems don’t lie in our technology, but in ourselves. The attacks this week [phishing attack on Twitter users & someone guessing the password for one of the Twitter admins] succeeded because, unfortunately, there is no patch for human stupidity. Charlie Martin
Src: Edgelings.com » No Patch for Human Stupidity

One Hacker's Audacious Plan to Rule the Black Market in Stolen Credit Cards

This is a fascinating article on the rise and fall of Max Butler. Complete with deception, power and intrigue, the story takes you into an underground economy where stolen credit card numbers are traded like a grain of rice.

Src: One Hacker's Audacious Plan to Rule the Black Market in Stolen Credit Cards | Wired

Alex Hutton on Risk Management

Alex Hutton of the RiskAnalys.is blog left a comment on another security blog (Domdingelom's Blog): "Risk management is really the act of correlating exposure to risk to your capability to manage risk"

Src: Domdingelom Blog