Grok Computer Security

I’ll tell you what I want, what I really, really want from a Cloud Provider

2012-01-24T17:06:00.000-08:00

If you want mybusiness, you better make it fast

Self-service: 7x24 add, remove, change resources, workloads, andconnectivity

Elastic: scale up or down automatically within the limits I set

Available: stand up to hurricanes, DDOS, and replication storms.Your mistakes should never be my problem.

If you want my data,you better make it secure

Auditing: network and management

Network – I need to audit and or inspect all the traffic between mysystems. This includes but is not limited to traffic between users, systems,and applications even where they share the same physical host and virtualswitch.

Management – I need to see all management events that may impactthe security or configuration of my systems. This includes but is not limitedto privileged access to my systems or data through the hypervisor or cloudmanagement APIs.

Control: policy and assurance

Policy – I need to express and apply security policies via a methodthat is both human understandable and translatable into a machine-interpretedlanguage.

Assurance – I need to know when an event or incident occurs thatviolates a policy and I need a method for testing that controls exist and areeffective for enforcing my policies.

Metrics: continuous and interoperable

Continuous – Per our agreed standards of measurement I must be ableto quantify the security attributes of my system. This may include but is notlimited to measurements for: vulnerability, configuration, performance,incident detection, incident response, and incident containment.

Interoperable – All security relevant data and events must beavailable in a documented machine-readable format. It should either comply withstandards such as Cyberscope and SCAP or my preferred GR&C system.

If you want my money,you better not ask for much

Value – Not just cheaper than if I do it myself. Your servicesshould give my organization new capabilities to meet our objectives. Thesecapabilities could include user experience, logistic support, and accessibility…

No lock-in – I should be able to easily move my data and workloads backinside my enterprise or to one of your competitors.

Tell me again where these devices are made?

2012-01-19T20:54:00.000-08:00

I’ve been “upgrading” my home infrastructure:

Seagate GoFlex Network Storage
Netgear WNDR3800
(other stuff)

All my toys run linux, so imagine my surprise when this starts showing in my logs:
[LAN access from remote] from 210.51.17.227:40986 to 192.168.35.119:22, Thursday, January 19,2012 16:56:47
[LAN access from remote] from 210.51.17.227:39316 to 192.168.35.119:22, Thursday, January 19,2012 16:56:36
[LAN access from remote] from 210.51.17.227:37023 to 192.168.35.119:22, Thursday, January 19,2012 16:56:32
[LAN access from remote] from 210.51.17.227:34192 to 192.168.35.119:22, Thursday, January 19,2012 16:56:28
[LAN access from remote] from 210.51.17.227:50809 to 192.168.35.119:22, Thursday, January 19,2012 16:56:21
[LAN access from remote] from 210.51.17.227:47558 to 192.168.35.119:22, Thursday, January 19,2012 16:56:16
[LAN access from remote] from 210.51.17.227:44530 to 192.168.35.119:22, Thursday, January 19,2012 16:56:11
[LAN access from remote] from 210.51.17.227:42159 to 192.168.35.119:22, Thursday, January 19,2012 16:56:07
[LAN access from remote] from 210.51.17.227:39236 to 192.168.35.119:22, Thursday, January 19,2012 16:56:02
(repeat about 500 times)

whois 210.51.17.227?
Answer someone inside a /16 registered to Beijing Tongtai IDC of China Netcom.

Turns out my Seagate device was advertising port 22 via upnp and my Netgear was helpfully port mapping it to the Internet.

Go figure.

SQL Injection and Cross-Site Scripting (XSS) are Hot

2011-04-02T08:03:00.000-07:00

Custom and automated attacks against web sites continue as vendors and developers still have not gotten the hang of secure coding techniques.

In one case, an automated attack has infected more than 600,000 sites in about two days.

The other, was a case of a targeted attack against MySQL. Interestingly, the attackers are taking credit for this exploit.

Broad automated attacks like the first are usually driven by botnot groups who are ultimately seeking to compromise a large number of end-user systems.

The second attack is becoming less common. My guess, is that they are seeking to establish credibility for their attack skills and to demonstrate their ability to launch a 0-day hack. This sort of activity ranges from the somewhat benign: the hacker equivalent of resume fodder, or more malignantly: demonstrating value before selling their exploits to the criminal underground.

While defects will always exist, it is clear that web site providers still fail to perform the security basics: vetting code before deployment and monitoring their site for compromise.

(updated)
Current infection counts can be found (for a few of the domains hosting the malicious scripts) with Google:

HyperSentry

2010-09-22T06:34:00.000-07:00

HyperSentry is a technology that uses IPMI to allow an out-of-band method for checking hypervisor integrity.

IPMI is a backdoor to the system, so it is something that has to be managed carefully. When I did pen-testing I often found that it was not secured properly. That said, it is a very interesting idea.

I think the hardware "root-of-trust" technology: that has been developed by AMD and Intel is also interesting

I think we will see availability of tools, including Catbird, where a combination of these technologies is built-in to the system. I do have to point out that IPMI based checks have been possible for years and yet no one has touted them as a solution for detecting conventional rootkits. I've learned that anything with "IBM" in the release has a certain amount of FUD factor and it may be a year or longer before we see a real capability that can be built into a product.

Perhaps the broader implication is that work like this is common on open-source hypervisors and is much harder to perform on proprietary systems.

VA cloud outage

2010-09-02T08:39:00.000-07:00

--Virginia Gov't Agencies Suffer Massive Outage
(August 27 & 30, 2010)
A storage area network (SAN) memory card failure at the Virginia
Information Technologies Agency (VITA) left at least two dozen agencies
without the ability to conduct business. Among the affected agencies
are the Department of Motor Vehicles, which was unable to issue driver's
licenses, and the Department of Social Services, which was unable to
distribute benefits. The data center where the failure occurred is run
by Northrop Grumman.

[Editor's Note (Northcutt): The state of Virginia was an early adopter
of blades and virtualization. The advantages and economics are obvious.
These outages may prove to be a cautionary tale. With virtualization,
you end up with a lot of eggs concentrated in a fairly small basket so
that if your continuity of operations plans fail, you go down pretty
hard.

(Schultz): This is a perfect example of what can go wrong when cloud
services fail. People in general neither recognize the real risk nor
plan for loss of availability in cloud services.]

Wow, they were not running dual HBAs into the SAN? Can't be.

Outage report from VA is here: http://www.vita.virginia.gov/about/default.aspx?id=12596

I am not sure the SANS editor comments are warranted. This may be related to an architectural error in the deployment of the EMC DMX 3 and its backup.

The DMX is an SMP-based HA system with a petabyte of capacity. The comment about too many eggs in one basket is accurate with respect to the State of Virginia's use of a monster SAN, but not so much as per use of virtualization.

The real failure here is whether or not they tested their COOP capability ... ever. Then we have to ask when was the last time they ran a DR test because their time to recover seems a little long as well.

My failure analysis: over reliance on a vendor's claim that their hardware never fails.

Web site reputation

2010-08-28T07:23:00.000-07:00

Recently several companies have developed features or products to make web surfing more secure. One of these technologies uses reputation. Reputation is a measure of trust for a web site or web page. In this case trust is typically measured by how much SPAM, malicious traffic, or attacks a site is known to generate. It turns out that measuring these things is not that hard because a majority of web traffic flows through a relatively small number of gateways and backbone networks.

This is a very good idea. If a web site is known to host malware or send a lot of SPAM, then block or warn users before they visit a site. Of course, cyber-criminals have started to figure out how to bypass these checks. They simply attack sites with good reputations and get them to host the malware. In some cases, it's just a matter of providing an advertisement.

Reputation based security is still a great idea because it forces the crooks to work harder. However, we can't get over confident and rely on this technique to always protect us. This means keep your software patched, don't click on suspicious links, and ignore any offer that is to good to be true.

Alert FOX News!

2010-08-24T06:41:00.000-07:00

So, I got this funny SPAM email, and I thought someone will take this seriously and alert FOX news to yet another massive government intrusion into our lives... ;-)

By the way the SPAM came with a ZIP file that will probably p0wn your computer if you install it...

------ Begin Message
From: Alfreda Robertson
Date: Tue, 24 Aug 2010 16:04:07 +0200
To:
Subject: IRS Notification - For Tax Payer xxx-x-xxxx-x@catbird.com

Dear Tax Payer,

As part of new requirements from the IRS, all U.S. Citizens are required by law to update their computers with new tax software.

To begin the update, install the attached file

After doing so, no further action is required on your part.

Thank you for your cooperation.

Sincerely,
IRS Agent #175
Alfreda Robertson

------ End of Message

Always a good idea to keep your BIOS up to date....

2010-07-02T11:11:00.000-07:00

Looks like Sony has learned from Dell’s leaky capacitor debacle.

Sony says 535,000 laptops at risk of
overheating. More than half a million Sony laptops sold this year contain a software
bug that could lead them to overheat, the company said June 30. Sony has recorded 39
cases of overheating among Vaio F and C series laptops that have been on sale since
January. In some cases, the overheating has led the laptop case to deform. A bug in the
heat-management system of the BIOS software is to blame. Sony is asking users to
either update the software themselves or return their laptops so it can apply the update.
The fault affects 535,000 computers, although Sony is asking a total of 646,000 owners
to update their machines. The additional 111,000 machines are susceptible to several
less serious problems that have also been found in the software, said Sony. BIOS is
present in every PC and runs below the operating system, controlling the most basic
functions of the computer and interaction between major components. It is usually
invisible to users except for a BIOS start-up message that is typically seen when a PC
boots. The problem affects machines sold both in Japan and the rest of the world.
Affected models sold outside Japan are the VPCCW25FG/B, VPCCW25FG/P and
VPCCW25FG/W.

Source: Computerworld

Are Open Source Applications More Secure?

2010-03-17T06:08:00.000-07:00

Full Disclosure: I am a long time Firefox user

Recently, there have been serious security advisories for Chrome, Safari, and Internet Explorer:

http://www.eweek.com/c/a/Security/IE-Attacks-Circulate-as-Microsoft-
Updates-Advisory-766154/
http://www.v3.co.uk/v3/news/2259391/apple-updates-safari-browser

While a patch is now available for Safari (and perhaps Chrome), the community is still waiting on a fix from Microsoft.

Browsers, and Internet Explorer in particular, are the most commonly used application in the world. Additionally, most web users visit one of the top 500 sites at least once a day. This intersection makes for a very attractive target for criminals. At any given moment, the site you are visiting, even the site you are using to read this post, could be attacking you through your browser and trying to seed your system with malware.

Your first line of defense is a secure browser. I can't prove this easily, but I think an open-source browser like Firefox will always be more secure than a proprietary browser.

My advice:

Keep your browser up to date, note ie8 is not exposed by this current vulnerability
Keep your OS up to date
Run some sort of host-based intrusion protection system, if you have one of the consumer security suites you have this
Run at least a basic network firewall
Businesses should run a network intrusion protection system

For the really advanced users out there:

Make use of virtualization software and run a special purpose virtual machine for your banking and financial applications, run another virtual machine for casual web browsing and entertainment. Never ever browse the web using your host system.

One last piece of advice:

Don't forget to wear some green today!

Michael

Imagine a World where passwords were useless

2010-03-16T07:05:00.000-07:00

Recently, in the press:

March 12, The Register – (International) SSD tools crack passwords 100 times
faster. Password-cracking tools optimised to work with SSDs have achieved speeds up to 100 times quicker than previously possible. After optimizing its rainbow tables of password hashes to make use of SSDs Swiss security firm Objectif Securite was able to crack 14-digit WinXP passwords with special characters in just 5.3 seconds. Objectif Securite spokesman told Heise Security that the result was 100 times faster than possible with their old 8GB Rainbow Tables for XP hashes. The exercise illustrated that the speed of hard discs rather than processor speeds was the main bottleneck in password cracking based on password hash lookups. Objectif’s test rig featured an ageing Athlon 64 X2 4400+ with an SSD and optimised tables containing 80GB of password hashes. The system supports a brute force attack of 300 billion passwords per second, and is claimed to be 500 times faster than a password cracker from Russian firm Elcomsoft that takes advantages of the number crunching prowess of a graphics GPU from NVIDIA.

(By the way, SSD stands for Solid-State Drive -- a faster way to store data)

An SSD is much faster than a hard drive but orders of magnitude slower than fast RAM, so if these folks ran the same test with the Rainbow Tables in local RAM they'd be cracking the same passwords in 0.0053 seconds (unless this moved the performance bottleneck to the CPU).

If you want a solution, I recommend something like this.

Sometimes your already in the cloud

2010-02-25T07:44:00.000-08:00

Federal Trade Commission links wide data breach to file sharing

The Federal Trade Commission (FTC) said Monday that it has uncovered widespread data breaches at companies, schools and local governments whose employees are swapping music, software and movie files over the Internet.

http://www.washingtonpost.com/wp-dyn/content/article/2010/02/22/AR2010022204889.html?hpid=sec-tech

Peer-to-Peer (P2P) file sharing was perhaps the second killer app for the Internet (after Mosaic) because of its ease of use and utility for sharing free music and porn.

P2P is very easy to use, after installing the application select the files you want to share, then start browsing and downloading files from other users. P2P networks are comprised of millions
and often tens of millions of users -- making these applications the largest compute and storage networks in the world.

There are two big risks with P2P:

Oversharing -- incorrectly configuring the P2P application to share all of your files
Compromise -- P2P is often leveraged to download malware to unsuspecting users

The FTC warning described in the Post article arises from the problem of oversharing. For business, the problem arises because the more P2P users you have, the more likely that one or more of them are sharing confidential information -- without realizing it.

Assuring the secure configuration of P2P file sharing across more than a handful of users is very, very difficult. For a large enterprise infeasible. In an enterprise of any size, security depends on the detection of P2P and either on blocking all use or limiting use to selected systems that are subject to stringent access and configuration controls.

Don't be fooled into thinking that your firewalls protect you from this threat. Most P2P applications have been designed to bypass firewalls. P2P detection and control requires the deployment of effective Intrusion Detection (IDS) or Intrusion Protection (IPS) systems.

IPS systems will give you the capability of discriminating between types of P2P applications, selecting a response, and protecting your data.

Michael

You Should Use Profiling

2010-02-24T09:58:00.000-08:00

Thanks to Headline T-shirts for this amusing image.

Torn from the headline, "Chinese school linked to Google
attacks also linked to ‘01 attacks on White House site." Comes the thought that only idiots fail to profile threats.

For network security this is a simple matter:

Know your services and
Know your users

The first item requires that you self-check with port scans, vulnerability scans, and traffic analysis to understand your networked application and your potential vulnerabilities. You should always plan that there will be defects you do not know about -- these are called zero-day attacks. Always patch everything you can and what you can't patch will require even more protection. Between zero-day worries and the things you can't patch, you'll need intrusion detection and prevention.

The second item should be incorporated in your site user statistics and operation's processes. This means understanding on a statistical and individual basis who, where, and how your users access your network applications. Once you have a grasp of these behaviors it becomes very simple to develop two key profiles: one that describes how authorized users behave, and second, the converse -- how unauthorized users behave. For example, an Austin Texas based music store will typically have many local customers and a few other customers from around Texas or perhaps more remote places like Nashville, New York, or Los Angeles. Once you have the geographic profile of your customers it becomes very useful to think about places you don't have customers. Places like South Korea, China, Eastern Europe, and Brazil; by extension everywhere except North America. Obviously, the same store in Shanghai will have a different customer profile.

Now comes the important part.

USE THE PROFILE.

If folks from Lilliput never visit your site, treat their traffic with care, blocking it is best, but if you can't bring yourself to block them then at least redirect Lilliputian visitors to an "interest" form, gather some marketing information and put them on a white list. Now, that's for people from Lilliput visiting you, even less likely is authorized traffic from your network going to Lilliput (and really Lilliput is just a place holder for real threat countries: China for example.) IDS and IPS exist for a reason, so do firewalls, make sure you are filtering, blocking, or at least detecting traffic to specific countries and regions of the world you are not doing business with.

The Cloud is Attacking You

2010-01-22T07:20:00.000-08:00

Collected from US-CERT and other sources:

Microsoft has released out-of-band Security Bulletin MS10-002
(http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx) to resolve seven privately reported vulnerabilities and one publicly disclosed vulnerability. This update includes resolution for a recently, reported zero-day vulnerability in Internet Explorer (IE) which is detailed in Microsoft Security Advisory 979352. (http://www.microsoft.com/technet/security/advisory/979352.mspx)

This vulnerability may have been used in the recent attacks on Google and other organizations. Knowledge of this attack is now widely known and the broader criminal community is now leveraging this exploit.

Organizations should review Microsoft Security Bulletin MS10-002 and apply the patches as soon as possible. US-CERT recommends that the patches be tested within your organization enterprise first and then deployed in an expedited manor. In addition to patching, the recommendations below may be leveraged to better position your organization to withstand future serious vulnerabilities.

Enable Data Execution Prevention (DEP) both in software and hardware if supported (see Microsoft KB 912923). This may provide future vulnerability resiliency. (http://support.microsoft.com/kb/912923)

Be proactive by defining internal servers that should generally be trusted that can be placed in Internet Explorer’s "Trusted Sites" list. By doing so, this may ease the impact to your organization should a future reactive measure be required to set the "Internet Zone" to a "High" security setting. (See Microsoft KB 174360 -- http://support.microsoft.com/kb/174360)

PCI compliance in the cloud (Part B)

2009-12-21T10:32:00.000-08:00

First published here on 12/14/2009:

In Part A, I discussed the functional requirements for a virtual firewall. Now let's take a look at the technologies required to make this work.

Traffic segmentation

Firewalls segment traffic. That's obvious, but think about this in the cloud. For this to work, there must be a method to assure that all traffic to/from a tenant is available for inspection and the application of access controls by the firewall. This means the virtualization host must support at least one of the following:

Routing traffic to/from a tenant system through the virtual firewall at the network layer, this is how "bump-in-the-wire" devices work. This is a poor solution in virtual environments.
Routing traffic to/from a tenant system through the virtual firewall at the hypervisor layer. This is a more efficient technique because it reduces latency and the number of CPU cycles needed to inspect packets.
Other novel techniques enabled by virtualization -- Magic. I call this "Magic" because it is now possible to create intelligence around which packets need to be inspected or filtered by the firewall.

Configuration management

Virtual firewalls must include configuration management capabilities. Why? Because it is much easier to reconfigure ports and networks in the virtual environment, or even configure a virtual machine to bridge networks. This is a tricky situation in the cloud because this capability requires visibility and integration into the cloud provider’s management framework.

Dynamic policy enforcement

Virtual machines migrate. This requires policy enforcement capabilities that are independent of location and layer 2 and 3 connectivity. Segmentation and access controls must transparently follow virtual machines as they migrate or are copied between virtualization hosts, data centers, or cloud providers.

Cloud management

Unless cloud providers wish to assume all of the responsibility for correct configuration of their customer's virtual firewalls, the provider must give their customers control of the firewall policies while at the same time preventing one customer from inappropriately blocking traffic to another customer.

Can anyone name a cloud provider who makes this all possible?

Michael

Catbird

PCI compliance in the cloud (Part A)

2009-12-21T10:29:00.000-08:00

First posted here on 12/07/2009:

The new cloud (or if you prefer hosted computing services, or IAAS) rests on top of virtualization. If we’re going to take the cloud seriously, it will have to be compliant. One of the more stringent compliance frameworks is PCI DSS. Let’s look at requirement one and start building a solution for the cloud.

PCI DSS 1.2.1, test procedure 1.1: Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete.

Deploying virtual firewalls is insufficient, as the virtual firewall must share the support structure with the virtual machines, virtual switches, and hypervisor. Technical controls must also be deployed to validate the configuration of a virtual firewall and to detect and alert if tampering occurs.

Physical firewalls are insufficient unless every virtual machine is on a unique VLAN, VLAN hopping is mitigated, and all traffic must flow through the physical firewall. Further, virtual machine mobility must be constrained and virtual machines must be subjected to the same firewall policy regardless of physical location or layer 2 connectivity.

While sufficient, the physical solution may be impractical due to the constraints it places on deployment, consolidation, and high availability.

The optimal solution will be one that allows deployment of a best practice virtualization architecture for security, integrity, and availability, which also maximizes consolidation and the virtualization return on investment.
This requires a virtualized firewall deployment with the following characteristics:

Assurance of integrity for the security management framework
Enforcement of separation of duties for server, network, and security operations
Enforcement of least privilege
Dynamic network segmentation that is independent of location, IP address, or layer 2 connectivity
Integrated auditing and configuration management for virtualization layers

If that sounds like more than a firewall, you’re right.

Michael

Missing Russian Ship

2009-08-13T06:59:00.000-07:00

Right out of a Tom Clancy novel, a 4,000 tonne cargo ship is missing. Reportedly, this ship had nothing worth hijacking. There are not a lot of facts about this available but there are some interesting bits:

10 armed men boarded the ship about a week before it disappeared. They left 12 hours later.
The ship spent two weeks in Kaliningrad before beginning its voyage.
The Russians are searching for the ship with all available resources.

As reported here, the Russians have battlefield nuclear weapons in Kaliningrad.

I wish the Russians good luck in their search and I hope the NATO forces provide all available resources to assist.

Data Protection for Virtualized Servers

2009-04-23T20:45:00.000-07:00

I am recording a webcast live next Wednesday. It's free and only requires a short pre-registration.

Data Protection for Virtualized Servers

How many manhole covers are in San Jose, CA?

2009-04-10T07:05:00.000-07:00

From the Mercury News:

John Britton, a spokesman for AT&T, said it appears somebody opened a manhole in South San Jose, climbed down eight to 10 feet and cut four or five fiber-optic cables. Britton also said there was a report of underground cables being cut in San Carlos.
AT&T's contract with the Communication Workers of America expired at 11:59 p.m. Saturday, but Britton said "we have a really good relationship with the union" and that negotiations continue between the two sides.

It's my understanding that a single cut in one location would not cause the outage we recently experienced. There would need to be two or more cuts at strategic locations to cause an outage to cell phone, land line, and emergency services.

Knowing which manhole covers to open would require very specific knowledge of the Bay Area fiber infrastructure.

Securing the Dynamic Data Center

2009-03-31T12:56:00.000-07:00

I am recording a webcast live today. It's free and only requires a short pre-registration.

Securing the Dynamic Data Center

Conficker and April 1

2009-03-30T21:13:00.000-07:00

Well, here’s the Wikipedia entries that got me thinking:

As a countermeasure, ICANN and several TLD registrars began in February 2009 a coordinated barring of transfers and registrations for these domains”

Variant C contains code to sidestep these countermeasures by generating an expanded daily list of 50000 domains across 110 TLDs. This new pull mechanism, however, is disabled until April 1

I’ve also been following the work at SRI regarding this threat.

Even 1 million Variant C infections results in potentially 50 billion whois queries.

I think Wednesday is going to be a slow day on the Internet.

Heartland Breach

2009-02-03T20:37:00.000-08:00

Summary:

Level 1 credit card processor fails to prevent data loss effecting hundreds of millions of transactions.
Attacker installed tools on Heartland server, inside the PCI trust path network
Tools “sniffed” transactions and sent data to system(s) outside North America

“Heartland has said intruders broke into its systems sometime last year and planted malware that they used to steal the card data. The number of compromised cards still isn't known. But Heartland processes more than 100 million transactions per month.”
- Banks, customers feel the fallout of the Heartland breach. 2/2/2009. Jalkumar Vijayan, Computer World, Security.

Breach analysis:
Root cause includes but is not limited to the following:

Failure of host based intrusion prevention system (HIPS)
Failure of network based intrusion prevention systems (IDP)
Failure of configuration management, to detect changes to host and network configuration
Failure of separation of duties and detection of abuse or escalation of privilege
Failure to segment the processor network and enforce a zone of trust

In summary, Heartland failed to properly implement and enforce defense-in-depth, network segmentation and separation of duties. Remember, Heartland is a level 1 PCI processor and was required by regulation to get this right. This means Heartland's auditors failed.

Solution:
Catbird directly addresses all of the above, except for HIPS. HIPS requires an agent on every end-point, this is not a component of our architecture, which is agent-less by design. Our customers are able to implement and enforce defense-in-depth using Catbird TrustZones™ security policies, virtual infrastructure configuration management and virtual machine tracking technologies. These technologies include but are not limited to:

Policy and detection templates for IDP, to monitor and control network flows between zones and intra-machine flows inside a trust zone
Policy based configuration monitoring and enforcement using session blocking and quarantine, including quarantine of virtual machines
Monitoring of virtual administrator activities and enforcement of dual controls for virtual machine connection to network zones
Catbird TrustZones monitor and enforce network segmentation within and between machines on any network, VLAN or port group

In summary, proper deployment of Catbird TrustZones technology would have detected and prevented a data breach like the one that occurred at Heartland.

Guardians? What Guardians?

2008-12-12T11:09:00.000-08:00

Yesterday, the New York Times covered the recent arrest of Bernard L. Madoff.

Madoff, a prominent Wall Street Hedge fund manager, has admitted to running a $50 Billion Ponzi scheme.

While law enforcement has been quick to react, the revelation came when Mr. Madoff confessed to an associate. While rival Hedge fund managers had been suspicious that Madoff's results were too good to be true, THE REGULATORS HAD NO CLUE.

Years ago, there were many warnings on and off the Hill. Regulators, economists and many others sounded the alarm that allowing an entire financial industry to exist without regulations was a bad idea. However, the standard responses were: regulations are bad, the market will police itself, we can trust our Hedge fund managers. Well, look at what has happened. AIG failed to accurately assess and hedge their risks. Dozens of financial institutions have gone under and hundreds more are at risk. Hedge fund managers have admitted to running a crooked game.

The lesson is clear, systems and the people who work within them are not self-policing. Shocker. I am sure Machiavelli and Juvenalis are laughing at the continuing naivete of the human race.

Now, right now, we have a very similar pattern emerging in information technology. Institutions around the world are virtualizing like crazy. IT is deploying the vast majority of these virtual infrastructures without any of the protections I recommend here. PCI, HIPAA, SOX, you name it, these IT Groups are putting sensitive data about you and me, valuable data worth billions of dollars is at risk.

Where are the Guardians?

The Guardians are out to lunch, they missed the memo, they drank the Kool-aid from the platform vendors.

People like myself, Chris Hoff, Greg Ness, Ian Pratt, Brandon Baker and many others are sounding the alarm.

It's time for the Guardians to get to work. It's time for the IT security team to get off their butts and start addressing this issue.

Michael

Registrar's are still a weak link

2008-12-09T10:16:00.000-08:00

Very nice article on the hack against Check Free here.

Current theories center on the likelihood that a Check Free employee got suckered by a phishing or straight-up social engineering attack.

I'm going to hazard a guess that this was a spear-phish or more targeted form of attack. A quick search of Linkedin, Facebook and other social networking applications finds a treasure trove of CheckFree/Fiserv employees.

It's a small step to go from these links to a targeted attack against Fiserv IT staff.

However, as the article notes Fiserv was not the only target in this attack and Financial Institutions (FI) are dangerously reliant on a single registrar.

My recommendations:

FI's and others must monitor and protect themselves from domain hijack -- I recommend Pharming Shield.
Get social networking applications out of the data center, IT personnel must not use corporate resources (including email) to access these sites
The Financial Industry is at risk from a single-point of failure at Network Solutions. This must be addressed through community efforts and directly by the platform providers.

Happy Holidays!

Virtual Security and Compliance Webcast

2008-11-12T11:41:00.000-08:00

Recorded last week, go here to register and listen (sorry, the sound is ahead of the slides, I am trying to get that fixed).

Shout out to Tarry and everyone else who participated.

Risk mitigation for virtual infrastructures

2008-11-10T21:06:00.000-08:00

Virtualization in the Data Center introduces the following: (skip down below)

	EFFECT	RISK
1.	Flattens infrastructure and networks	Unauthorized network access or communication
2.	Adds new operating system and infrastructure layers	Denial of service and data security breach due to software defects
3.	Collapses roles and increases privilege of administrators	Escalation of privilege, abuse of privilege
4.	Increases transience, mobility and frequency of change within the data center	Misconfiguration, server sprawl and data security breach

Virtual machine (VM) hosts, clusters and data centers reduce the logical and physical segmentation of systems and networks. This flattening exacerbates the risk of unauthorized access due to reduced visibility of events on the virtualized network.

Mitigation: implement increased monitoring and access controls for each virtualized access layer and network. Monitoring must correlate virtual infrastructure management, network traffic, security events and validation of intra-VM access control policies.

The Hypervisor is a new operating system, which along with hypervisor and virtual infrastructure management tools increases the defect, vulnerability and attack threat surface of the data center.

Mitigation: incorporate all new software and management layers into your vulnerability management system (VMS). The VMS must be mandatory and integrated with automated discovery and validation of virtualized infrastructures.

Like the introduction of DBAs for SQL databases and Domain Administrators for Window’s systems, Virtual Administrators have privileges that allow them to bypass existing controls and effectively access underlying systems and data at the hardware layer.

Mitigation: implement compensating controls to log and audit all Virtual Administrator activities. Introduce dual controls and separation of duties for critical functions. You must deploy tools to perform continuous validation of these secondary controls to detect and prevent abuse of privilege. This will also reduce the risk from virtual machine breakout and hyperjacking.

Servers are now files. Virtual machine mobility, snapshots, roll-backs and other features of virtualization have magnified the rate of change within the data center. This increase in operational velocity leads to increased risk of configuration error, capacity failures and for a security breach due to incorrect configuration or a lapse of controls.

Mitigation: extend configuration and life-cycle management processes to track virtual machines. These processes must be effective regardless of the mobility and non-linear attributes of virtual machines. Configuration management tools must enforce mandatory controls and support correlation of virtual and physical infrastructure configuration attributes – extending from virtual machine internals to external network access layers. Monitor and audit direct access to virtual machines files at the operating system and storage access layers.

A few Podcasts with Dane Deutch

2008-10-31T10:22:00.000-07:00

These were done with a Catbird partner DCS NetLink.

7 Years Later

2008-09-11T13:11:00.000-07:00

Public release of PSA's WMD REPORT CARD
Focusing on efforts since 2005, our Report Card gives the government a "C".

"Moving from a D to a C in three years is progress, but not really acceptable progress," Hamilton said.

"What we need now is for the next Administration to commit itself to unwavering dedication to ensure that we capitalize on the progress we've made and push forward to improve and solidify our efforts on all fronts," Gorton said. "Now is the time to turn our resolve into action."

PDF for full report card here.

I've spent the last couple of weeks re-reading the full commission report, and I am struck by how few of their direct recommendations have been implemented. It's possible that the current administration has done more than I know, but here is the focus of the recommendations:

Chapter 13: HOW TO DO IT? A DIFFERENT WAY OF ORGANIZING THE GOVERNMENT

This chapter emphasizes 13 (see below) of the 41 recommendations made by the commission.
Of these 13, two may have been implemented, two others partially implemented, the remaining 9 are incomplete.

Failing on 9 out of 13, I give them an F!

---------------------------

1. Recommendation: We recommend the establishment of a National Counterterrorism Center (NCTC), built on the foundation of the existing Terrorist Threat Integration Center (TTIC). Breaking the older mold of national government organization, this NCTC should be a center for joint operational planning and joint intelligence, staffed by personnel from the various agencies. The head of the NCTC should have authority to evaluate the performance of the people assigned to the Center.

NCTC was established in 2004. Does the head of the NCTC have the authority to evaluate the performance of their personnel?

2. Recommendation: The current position of Director of Central Intelligence should be replaced by a National Intelligence Director with two main areas of responsibility: (1) to oversee national intelligence centers on specific subjects of interest across the U.S. government and (2) to manage the national intelligence program and oversee the agencies that contribute to it.

ODNI established in 2005. Current report card indicates incomplete, why?

3. Recommendation: The CIA Director should emphasize (a) rebuilding the CIA's analytic capabilities; (b) transforming the clandestine service by building its human intelligence capabilities; (c) developing a stronger language program, with high standards and sufficient financial incentives; (d) renewing emphasis on recruiting diversity among operations officers so they can blend more easily in foreign cities; (e) ensuring a seamless relationship between human source collection and signals collection at the operational level; and (f) stressing a better balance between unilateral and liaison operations.

The President issued a memorandum on November 23, 2004. This report from October 2005, reported "some progress." Is there anything more current?

4. Recommendation: Lead responsibility for directing and executing paramilitary operations, whether clandestine or covert, should shift to the Defense Department. There it should be consolidated with the capabilities for training, direction, and execution of such operations already being developed in the Special Operations Command.

Incomplete, this consolidation has not occurred.
5. Recommendation: Finally, to combat the secrecy and complexity we have described, the overall amounts of money being appropriated for national intelligence and to its component agencies should no longer be kept secret. Congress should pass a separate appropriations act for intelligence, defending the broad allocation of how these tens of billions of dollars have been assigned among the varieties of intelligence work.
House Appropriations Select Intelligence Oversight Panel established January 9, 2007.

6. Recommendation: Information procedures should provide incentives for sharing, to restore a better balance between security and shared knowledge.

This is addressed by H.R. 6575, Over-Classification Reduction Act, adopted on September 9, 2008. Currently incomplete pending passage by the Senate and signature of the President.

7. Recommendation: The president should lead the government-wide effort to bring the major national security institutions into the information revolution. He should coordinate the resolution of the legal, policy, and technical issues across agencies to create a "trusted information network."

Incomplete, no indication of implementation beyond studies. Ironically, the Center for Strategic and International Studies may have done this for themselves without the participation of classified networks.
8. Recommendation: Congressional oversight for intelligence-and counterterrorism-is now dysfunctional. Congress should address this problem. We have considered various alternatives: A joint committee on the old model of the Joint Committee on Atomic Energy is one. A single committee in each house of Congress, combining authorizing and appropriating authorities, is another.

Incomplete, no Joint committee comprising members of both House and Senate.

9. Recommendation: Congress should create a single, principal point of oversight and review for homeland security. Congressional leaders are best able to judge what committee should have jurisdiction over this department and its duties. But we believe that Congress does have the obligation to choose one in the House and one in the Senate, and that this committee should be a permanent standing committee with a nonpartisan staff.

Incomplete, DHS still overburdened with too much oversight. This lack of focus wastes resources and probably still leaves oversight gaps.

10. Recommendation: Since a catastrophic attack could occur with little or no notice, we should minimize as much as possible the disruption of national security policymaking during the change of administrations by accelerating the process for national security appointments. We think the process could be improved significantly so transitions can work more effectively and allow new officials to assume their new responsibilities as quickly as possible.

Incomplete, no sign that these procedural recommendations have been implemented.

11. Recommendation: A specialized and integrated national security workforce should be established at the FBI consisting of agents, analysts, linguists, and surveillance specialists who are recruited, trained, rewarded, and retained to ensure the development of an institutional culture imbued with a deep expertise in intelligence and national security.

The President issued a memorandum on November 23, 2004. Has it been implemented?

12. Recommendation: The Department of Defense and its oversight committees should regularly assess the adequacy of Northern Command's strategies and planning to defend the United States against military threats to the homeland.

Incomplete, as of April, 2008 the "GAO making several recommendations to DOD to direct NORTHCOM to take actions to address the challenges it faces in its planning and interagency coordination efforts."

13. Recommendation: The Department of Homeland Security and its oversight committees should regularly assess the types of threats the country faces to determine (a) the adequacy of the government's plans-and the progress against those plans-to protect America's critical infrastructure and (b) the readiness of the government to respond to the threats that the United States might face.

Incomplete, as stated above too many committees is more likely to lead to a failure of oversight and assessment rather than to a successful assessment and response.

Flash parties, flash crowds, now we have "flash dump"

2008-09-09T13:44:00.000-07:00

Panic ensued, as they say, and United Airlines stock price plummeted 75 percent (down from $12.30 to $3 a share) before someone realized it was an old news story and things righted themselves. The stock rebounded to $10.92 a share by Monday's closing. But not before United Airlines contacted the Sun Sentinel and demanded the newspaper retract its (6-year-old) story.

I wonder how long before we see the Google spider being intentionally manipulated?

With web 2.0 there wouldn't even be a human brain in the publishing loop.

PCI compliant but still hacked

2008-06-13T15:46:00.000-07:00

The malware on the store servers stored up records of these purchases in batches, then transmitted them to an unnamed offshore Internet service provider, the letter states. Foreign crime rings have been blamed in a number of other payment card fraud cases.

Hannaford said in its letter that it was certified a year ago as meeting card security standards and was recertified on Feb. 27. Eleazer said that was the day Visa first notified Hannaford of unusual card activity and began its investigation. That the standards did not stop the thieves, she said, "speaks to the increasing sophistication of the criminal element that propagates these attacks," she said.

It looks to me like Hannaford made the mistake of allowing "multi-level access" in a "single level" network. Servers that handle payment card data must be prevented from access to an unauthorized network or end-point.

These servers and the processors they communicate with should have been in a "PCI trust zone." All other systems would have been in an "untrusted zone." Then it would be a simple matter for IDP/NAC appliance to detect and prevent this type of breach.

Virtualization Security Getting Some Attention

2008-05-27T09:32:00.000-07:00

My response to "Who Owns Virtualization Security" blog:

Virtualization absolutely presents us with the possibility of avoiding past mistakes and making virtual infrastructure (VI) more secure than the physical infrastructure it replaces.

Why?

Virtual security appliances and hypervisor APIs have made it possible for us to build security into the VI fabric at all layers.
The virtualization platforms give us the tools to automate deployment of primary controls, secondary controls and separation of duties throughout the virtual data center.
Virtualization means we can simplify security management and make true defense-in-depth affordable for everyone.
Secure hypervisors, their APIs and the right application of security smarts means we can build agent-less security that protects against rootkits, spyware and almost all forms of malware.
Virtual security appliances allow us not only to write good security policy but also to automatically enforce policy and provide continuous compliance auditing for the VI.
All of the above means, we can create tools for secure life-cycle, trust zones, trusted data paths and secure management in ways never possible with physical infrastructure.

We (as vendors) have a responsibility to educate the IT community to the myths and realities of VI security. The platform OEMs must recognize that simply saying virtual is more secure than physical – is a disservice to all of their customers. Then, when the manufacturers provide the security community the tools and support we need _and_ intelligently inform the market about real risks, then, and only then can we make virtual more secure than physical.

(more to come)

French bank details $7.2 billion loss

2008-01-27T18:52:00.000-08:00

This sort of thing makes me think that in some cases it is more than greed. It must also be the "thrill" of beating the system.

Being smarter -- thinking you can out-smart everyone else?

Michael
---------------------------

French bank Societe Generale described Sunday how one of its traders allegedly carried out a $7.2 billion (€4.9 billion) fraud, how the loss came to light and what it is doing to ensure such a case does not recur.
The 31-year-old trader, Jerome Kerviel, started working at the bank in 2000 and spent his first five years there overseeing traders, the bank said in a five-page summary of events.

"Consequently, he had a very good understanding of all of Societe Generale's processing and control procedures," it said.

Kerviel apparently put that knowledge to use after he became a trader for the bank involved in arbitrage -- the practice of buying a portfolio of financial instruments in one market and selling a similar offsetting portfolio at the same time that had a slightly different value. The idea is that, in such trades, the risk of major loss would be minimized.

In fact, Kerviel's first portfolio of financial instruments -- in his case futures -- included genuine operations -- but the offsetting portfolio proved to be "fictitious," the bank said.

"As a result, the trader was able to hide a very sizable speculative position, which was neither consistent with nor related to his normal business activity for the bank," Societe Generale said.

French police questioned Kerviel on Friday and searched his apartment in a Paris suburb Friday night. Efforts to reach his attorneys for comment have been unsuccessful.

Finance Minister Christine Lagarde said Friday that she would meet with banking regulators Monday to establish a timeline of events that led to the massive trading loss.

According to Societe Generale, Kerviel used his early banking experience "to successfully circumvent all the controls which allow the bank to check the characteristics of the operations carried out by its traders, and consequently their real existence," it said.

For example, it said, Kerviel chose operations that had no cash movements or margin call and that did not require immediate confirmation and he canceled certain operations by using access codes assigned to other bank employees.

In addition, it said, he falsified documents and made sure that his fictitious operations involved different instruments from the ones he had just canceled, thereby reducing his chances of being controlled.

But about mid-January, bank officials detected "abnormal counterparty risk," and Kerviel's explanations led to additional controls being placed on his activities, the bank said.

Then, on Friday, January 18, Kerviel's bosses were informed and an investigation had begun.

The next day, after a large bank told Societe Generale that it did not recognize an operation, the trader "acknowledges committing unauthorized acts and, in particular, creating fictitious operations," his employer said.

By early afternoon on Sunday, January 20, the bank's fraudulent position had been calculated at approximately 50 billion euros ($73.6 billion), and "the unwinding of the fraudulent position begins in particularly unfavorable market conditions."

In fact, the timing was terrible. On Jan. 18, European markets had swooned and two days later, the Asian markets tumbled, too. By January 23, "the unwinding" was completed and the total loss calculated at 4.9 billion euros ($7.2 billion).
Since then, the bank said, it has tightened its controls to ensure such an operation cannot recur.

Virtualised desktops will end laptop management

2007-10-03T11:30:00.000-07:00

With virtual desktop infrastructure (VDI) there are at least three modes of operation:

IT controls VDI completely, desktop is "thin" only IT approved virtual machines are allowed
IT does not completely control the desktop, options get complicated fast:
a) user virtual machines are allowed
b) user controls the host

Looking at option 2a, we could have rogue guests, infected guests, any kind of guest ... telling them apart and acting accordingly will be fun!

Looking at option 2b, I can buy a Macintosh or linux or windoze and as long as I can run the IT approved virtual machine, then IT is happy. But what if my Macintosh is owned by the Uzebek barbarian horde? Have I just given the Horde access to my corporate network?

Lot's of interesting questions arise. We have our own use case right here at Catbird. The "approved" IT image is Windows XP with Microsoft Office.
We allow a VDI where an employee can use a Macintosh to run Windows in a vm. We're happy until there is a mac worm!

For example, an organization using Active Directory to lock down their desktops ... Active Directory does nothing to lock down a Macintosh.

How is a windows savvy IT team going to cope with users running Ubuntu, Fedora, Macintosh ... VDI is going to lead to an explosion of host operating system diversity. This will be very exciting for those of us running Windows under duress.

Their will be a huge value in giving IT the tools to manage and secure a highly diverse and constantly changing environment.

Another one from SANS newsbites

2007-09-22T09:07:00.000-07:00

A vulnerability scan would have warned them that their Cerberus implementation was open to attack. Either they were not validating their security compliance, or they were not following an effective process for curing their vulnerabilities.

--Layered Technologies Customer Data Stolen (September 19 & 20, 2007) An attack on a helpdesk application in Layered Technologies' support database has compromised the security of personally identifiable data of as many as 6,000 of the server hosting company's customers. The data include names, addresses, phone numbers and server login details.
Layered Technologies is asking all its customers to change their login credentials. The attack occurred on the evening of September 17, 2007.
http://www.theregister.co.uk/2007/09/19/layered_technologies_breach_disclosure/print.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9038040&source=rss_topic17

Highlights from a recent SANS News bites

2007-09-19T07:14:00.000-07:00

From SANS ... note that bank account details are now worth $400/per account.

TOP OF THE NEWS

--Ameritrade May Have Been Aware of Breach for a Year (September 14, 15 & 17, 2007) Online brokerage TD Ameritrade Holding has acknowledged that a data security breach has compromised more than 6.3 million accounts. The database contains customer names, addresses, account numbers, Social Security numbers (SSNs) and birth dates. The attackers gained access to the database through a backdoor program they had installed on the TD Ameritrade network. TD Ameritrade says it has removed the rogue code from its systems. The intrusion was discovered in the course of an investigation into stock-related spam that had been reported by the company's customers. An attorney representing plaintiffs in a planned class action lawsuit against the online broker alleges that the company knew of the data security problem for a year before customers were notified. Furthermore, the suit alleges that the company kept entering customer data into the vulnerable database during an internal investigation.
http://www.theregister.co.uk/2007/09/15/ameritrade_database_burgled/print.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036639&source=rss_topic17
http://www.amtd.com/newsroom/releasedetail.cfm?ReleaseID=264044
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201807006

--Symantec Report: Malware Moves Toward Commercialism (September 17 & 18, 2007) Cyber attackers aiming to damage computers or inconvenience users are giving way to more financially motivated criminals. According to Symantec's most recent Internet Security Threat Report, cyber criminals are turning to good business practices to ply their trade. Some malware purveyors are offering guarantees about the performance of their products as well as updates to keep the products current. The report also notes that phishers are scouring social networking sites to gather personal information, which they then use to create targeted emails that lure recipients to phony sites where they can harvest valuable data.
Stolen bank account details are being sold online for as much as US $400 apiece. In addition, levels of pump-and-dump schemes and image-based spam have decreased.
http://www.technewsworld.com/story/59374.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036819&source=NLT_SEC&nlid=38
http://www.itnews.com.au/News/61398,fraudsters-go-all-out-for-social-networkers.aspx

The Game Is Not Over -- Security for your web site

2007-08-09T16:33:00.000-07:00

Man-in-the-middle (MITM) attack against SSL plus Sitekey/Passmark – The Stop-Phishing Research Group at Indiana University demonstrates that if you are not very careful about the URL and the SSL certificate, and most people are not, the attacker will be successful
Sniffing a connection to steal session cookies to bypass user authentication – Robert Graham of ErrataSec, has demonstrated why you need a security barrier for your laptop at Starbucks (If his name for this attack sticks "side-jacking" then we might as well all give up and start referring to SSL as a condom for your browser)
If you think you don’t have to worry about these exploit techniques, then you better have the Security Excuse bingo card (found on Schneier on Security),

It looks pretty bad. SSL can be bypassed, authentication cookies can be stolen. If you follow the blogosphere’s impression of the recent Blackhat/Defcon events, it's all useless and there is nothing we can do to stop the crooks. To top it all off, there isn’t just one Hackistan (great Yak snacks by the way) there are many Hackistan’s and no web site is to small or broad-band connected PC to innocent for them to exploit.

Truth is, if a malicious hacker with the capabilities of a Grossman, Skoudis or Moore is after your site, then you will get hacked. Lucky for you these guys are busy™.

Solutions? Focus on your business needs and take some precautionary steps:

Run traditional vulnerability scans (because Skoudis and Moore teach us that the old problems are new again)
Run a web application scanner and use a secure coding inspection tool, Grossman and Zorkul are better, but it’s foolish not to automate everything you can
Use SSL from start to finish on your web-site, you have an obligation to protect the integrity and security of all the data exchanged between your site and your customer’s browser – otherwise your giving it away to any crook with a copycat access point or a promiscuous wireless card
Don’t ignore MITM because you think it is hard, it gets easier to do every day – Lucky for all of us, it’s also getting easier to protect against and detect MITM, Pharming, Highjack and Malware Injection, I know someone who can help
Last but not least, plan on getting hacked, have an incident response plan and be prepared, playing security excuse bingo is a losing strategy

Get started today!

Disregard any pop-up security windows you receive

2007-08-09T09:54:00.000-07:00

I received this in my mail today:

Dear Electronic Crimes Task Force Member,

CSO magazine is conducting a survey in cooperation with the U.S. Secret Service and CERT Coordination Center, the 2007 eCrime Watch. The purpose of this project is to uncover electronic crime trends.

CSO magazine’s sister company, IDG Research Services, has been commissioned to help us collect your feedback. Please click on the following URL to begin the survey or copy and paste the URL into your browser:

https://url-hidden

Disregard any pop-up security windows you receive. (Emphasis mine)

Please be assured that any information you provide is confidential and your responses will be used only in combination with those of other survey respondents. This survey should take no more than 10 minutes of your time. If you have any questions about this survey please contact IDG Research Services at ------@idg.com or ATSAIC ----------, USSS, San Francisco Field Office 415/-------.

Thank you in advance for your help.

Of course my first thought, was that this was a phishing attack. I couldn't imagine CSO and the ECTF telling me to "Disregard any pop-up security windows you receive."

Imagine my surprise and relief, when I went to the site and there were no warnings. So, they got it right, the SSL certificate was correct and unexpired ... but everyone is so accustomed to that not being the case, that as a matter of course they included the disregard pop-ups message. Is our infrastructure broken or what?

Virtually Secure

2007-08-08T09:52:00.000-07:00

Christofer Hoff has a good post here. In particular,

Combine that with NAC agents on the hosts and...whether or not it actually works is neither here nor there. They told they story and here it is. It's good to be king.

His point being that Cisco doesn't have to worry about when they are going to deliver a product or even how will it will work when they do ...

Meanwhile, back in your virtualized data center, you can be warm and happy knowing that Cisco's virtually shipping product has you virtually secure already. Nice, huh?

What about Real Security -- Real Security for Virtualized Infrastructures? You've deployed half a dozen quad-core systems and thrown out 150 obsolete boxes. Maybe you had IPS and NAC in your datacenter already, but do you have it now? If your virtual windows 2000 server get's infected and starts attacking the other systems on the host, how will you know?

Maybe you will know when the infection begins to spread to other hosts and their virtual servers, but by then you will have a real mess on your hands.

The right answer involves doing something today, not waiting for a vendor to implement a solution next year. Here is the pragmatic prescription for today, virtual servers are servers, period.

If there reliability and security are important to your business then you have to secure them with same mature IT processes that you use for everything else:

Specify the appropriate security requirements at the start
Determine and implement secure baselines that meet your business and security requirements
Validate/test that the performance and security of your systems meets the stated requirements before you put them in production
After deployment, test them again -- virtualization really helps you here
Use change control and segregation of duties -- (ITIL and ISO 17799 driven) processes and controls to keep working systems, working
Patch management and vulnerability management are a continuous process -- don't treat these problems with a calender ... not unless you like emergencies
Continuously monitor your network and systems, use the protection appropriate to the value of the data or business operations, such as:
- Gateway: firewall, anti-spam, anti-malware, content filtering, vpn ...
- Network: vulnerability monitoring, IDS/IPS, NAC, Policy management and compliance ...
- Endpoint: Anti-malware, AAA, log analysis, patching, encryption ...
Disaster/Business continuity planning, incident response and training have to include your virtual infrastructure -- DR/BP might be a big driver behind your virtualization effort, but nothing substitutes for a good test.

Do all of the above, appropriately to the level you need, don't wait to become the next security breach. It's more about the process than the tools.

I hate Passwords #10

2007-08-06T08:23:00.000-07:00

From IP: link here

What I think needs to be done is that the public needs to be educated about these sites, and the security risk they pose.

The "public" is already being educated. We tell them over and over that they should not share their password with anyone. The problem is that the public gives up their password all too easily. We can keep blaming the public, and we will, but we should also try to understand why someone will give up their Yahoo (or other service) password easily, while the same person would never share their ATM PIN.

I think the public is pretty smart, but they learn best when they experience immediate consequences from their actions. Right now, I know that identity theft and losses from this behavior are at a tolerable level because most of the public are still willing to give their password away -- where the same public will never forgot to lock their car door at the shopping mall parking lot.

If the consequences (or at least people's awareness of these consequences) get a lot worse, we will either see a change in behavior or the deployment of technologies to eliminate reliance on passwords (tokens, client-side certificates ...).

Voting Software Security

2007-08-03T17:07:00.000-07:00

Matt Blaze's group reviewed the Sequoia system's code. From his blog:

We found significant, deeply-rooted security weaknesses in all three vendors' software.
The problems we found in the code were far more pervasive, and much more easily exploitable, than I had ever imagined they would be.
Deliberate backdoors in these systems, if any existed, would be largely superfluous

My humble opinion: this is a great opportunity for the open source community to get together with the private sector (hello Fortify) to solve this problem.

Computer Market will keep growing

2007-08-03T12:11:00.000-07:00

I learned a long time ago that no market grows fast forever....

Toni Sacconaghi, an analyst with Sanford C. Bernstein & Co., has chipped in on the gloom and doom scenario as well in a new research report.

"As the use of server virtualization rises, a negative impact on x86 server demand appears all but inevitable," he wrote. "While we still forecast positive x86 server unit growth in 2007 and 2008, our forecast calls for shipments to contract in 2009 and for growth to be about zero between 2007 and 2012, compared with historical double-digit gains."

This analysis varies from wrong, to really really wrong.

I agree with Ashlee Vance in the Register, virtualization is going to drive the demand for huge well-integrated multi-core systems, but there will still be plenty of need for ever more horsepower on the desktop and for dedicated blade or 1U system in the data center to feed specific CPU intensive applications.

I think we will eventually see desktop virtualization follow in the server virtualization footsteps, but when I look down the hall and see dedicated 4 core systems on people's desks, I find it hard to believe that we're going to see a sharp reduction in the growth of this market.

Bad Things

2007-07-10T14:38:00.000-07:00

Bad thing #1: Don't take bribes in China.

Bad thing #2: Don't install today's MS Update without backing up!

My woes began early this AM when I installed the patch and rebooted. During start-up Data Execution Prevention (DEP) killed the Malicious Software Removal UI, then svchost, outlook and other applications began giving the choice between terminate and debug. I'd estimate that I have sent dear MS about 100 debug messages in the last four hours. Sweet.

I'm back up now, but I had to relax the settings on DEP before I could get a clean start-up. My intuition is that this is related to the core-duo microcode patch.

Three words: Network Attached Storage.

Without a good backup I'd a been toast. Even with the backup and uninstalling the patches I made a semi-permanent change to DEP's behavior that I have not been able to undo. Ouch.

SSL Security the Verisign Way

2007-07-09T08:00:00.001-07:00

My analysis of Verisign's FAQ at http://www.verisign.com/ssl/ssl-information-center/faq/extended-validation-ssl-certificates.html#a1

Indicates that with the EV certificate "advanced" browsers will paint the URL bar green.

Since user's have been trained to ignore the color of the URL bar and phishers can probably paint the URL bar any color they want -- this is useless.

Quoting from their FAQ:

With the EV certificate the CA will: Provide a reasonable assurance to the user of an Internet browser that the website the user is accessing is controlled by a specific legal entity identified in the EV Certificate by name, address of Place of Business, Jurisdiction of Incorporation, and Registration Number

In the US this amounts to something like a credit check or D&B report to verify that the applicant for an EV certificate has provided the correct name and address for their entity. Given the 55 million user ids floating around since the TJ Max breach this is not very useful.

Outside the US, Europe and Japan this is pointless. I imagine that if I wanted to form a company named "Cisco LTD" in the Bahamas and register the domain "ciscoltd.com" I could have my copy cat site with an EV cert sometime later this week. I could do this in the States too, I'd just take the precaution of paying cash for a PO box at Mailboxes Etc. first.

Here is the best part from Verisign's EV Cert procedure, here's what they promise that they will not do:

EV Certificates focus only on the identity of the Subject named in the Certificate, and not on the behavior of the Subject. As such, an EV Certificate is not intended to provide any assurances, or otherwise represent or warrant:
That the Subject named in the EV Certificate is actively engaged in doing business;
That the Subject named in the EV Certificate complies with applicable laws;
That the Subject named in the EV Certificate is trustworthy, honest, or reputable in its business dealings; or
That it is “safe” to do business with the Subject named in the EV Certificate.

Let's read that carefully. The EV Certificate is not intended to provide any assurances that is "safe" to do business with the Subject named in the EV Certificate.

Tell me again why the EV certificate is good for consumers?

Making our mark

2007-06-22T19:16:00.000-07:00

It was time to go. We’d succeeded in breaking into their primary systems and had installed our backdoor. We hung the company shirt and other marketing tchotchke around the room.

Now we had to get out quietly. We waited until we could mix with a shift change and left unnoticed in the crowd.

At the front entrance, we asked to see the security chief. The guards were confused. They didn’t believe us when we said that their boss was in his office. Our mission was complete. The news was not good.

We’ve turned south now. The Aleutians are falling behind us. I can see the first hint of dawn, and home is six hours away.

The end, (part 7 of 7) (go back to part 1)

TriCipher Responds

2007-06-22T18:41:00.000-07:00

After I published TriCipher USB key, Tim Renshaw, VP Field Solutions at TriCipher responded with the following confirmations and clarifications:

Yes, we use two authentication "stores". In the TriCipher solution (our name aludes to our 3-key technology) set, we use public key crypto, but instead of having a single private key and public key, each user has 2 private keys and a public key. A private key the user controls and a second private key kept on the TriCipher ID Vault appliance. Of course, then there is a 3rd key, the public key.

For our "USB key" feature, the USB device serves as the 2nd "what you have" factor and of course works in conjunction with the user's password. These two components are used to recreate what is best to think of as the "user's key". Note that loss or theft of the USB key provides an attacker no attack vector to guess or work backward to the password. Same with theft of the password. Whether phished, pharmed, keylogged or social engineered in any way, possession of the password alone is useless without the USB key.

The "user's key" is used in conjunction with the other private key for that user kept on the ID Vault (ID Vault key). To properly authenticate both the user's key and the ID Vault key are used to co-sign, if you will, and consequently create a standard, x.509 certificate based, verifiable signature for any client-SSL enabled relying party site.

Important points:
Relying party needs no TriCipher code to accomplish this standards-based function.
The two private keys for each user are never recombined anywhere to be compromisable in a single location.
The user's private key is never stored anywhere, ever.

No, we do not get in the middle between authenticating sites and users. We utilize the true two-way, mutual authentication SSL mechanism built into both the server and client ends. All our "magic sauce" briefly described above is done between the client and the TriCipher ID Vault directly. It is pretty accurate to think of the connection between the client and the ID Vault as forming a secure, virtual smart card. Certainly as far as all the client code is concerned, the signature is performed by a local, smart card as we again use the existing standards for signing procedures, CAPI and PKCS11.

I still have to wonder about the compromised computer kiosk. If I insert my USB key into an 0wned system, can that system rip the token from the key and log my password?

TriCipher USB key

2007-06-15T09:09:00.000-07:00

From the marketing glossy it would seem they use public key crypto, with two authentications stores. One is on the key and the second is on the Web.

The key is used to authenticate you to the TriCipher key vault on the web. TriCipher then authenticates you to the financial web site. My guess is that you establish an SSL tunnel to TriCipher using a certificate on the key. You then authenticate yourself to TriCipher using something you know. Then TriCipher somehow authenticates you to the bank and establishes an SSL session between you and the bank that is already authenticated.

My guess is that TriCipher starts as a man-in-the-middle and then somehow hands off the session, maybe a reverse tunnel is established from the bank back to you?

Since you're running software off of the key and your authentication to TriCipher involves a cert and something you know, it's possible to evade key loggers. One method would be for TriCypher to display a captcha image back to the user which the user combines with their pass-phrase to create a one-time key for the session.

But this is all guess work from a marketing glossy. Might be fun to try it out.

Phishing and Pharming

2007-06-14T14:26:00.000-07:00

I work at a startup. It should come as no surprise that I think we do some very cool things. About a year ago, our Marketing VP realized that we had the ability to offer protection against a certain type of attack.

She created this product.

We’re still often asked, “What are Phishing and Pharming?" Here is my response:

Phishing and Pharming are common attack methodologies designed to harvest authentication credentials and personally identifying information (PII). Criminals use these attack methods to gain unauthorized access to financial, e-commerce, health care or other institutions. The attackers then sell, trade, or use these stolen identities to commit further compromises. Over 90% of these attacks target financial institutions.[1] Ultimately, these identity thefts result in billions in damages from these institutions. [2]

Phishing attacks begin with an email or instant message, the “lure” which tricks the victim into giving up their identity. Common Phishing attacks succeed 3-5% of the time, more advanced techniques like Spear-Phishing achieve 15% success rates.[3] A study at the Indiana University indicated that Phishing attacks that utilize social networks might achieve success rates as high as 70%. [4]

Pharming attacks do not require a lure or any voluntary action from a user. With Pharming, the attacker compromises the network infrastructure of the victim web site. Pharming attacks are typically not detectable by the victim and may go unnoticed for hours or even days. The bank customer almost never detects these attacks and once they are detected, the victim financial institutions are notorious for not disclosing their costs. With clever construction a Pharming attack can achieve more than an 80% success rate.

Pharming is a collection of several old and new attack techniques including: DNS or domain hijack, DNS cache poisoning, Man-in-the-Middle (MITM), script injection, malware seeding and related site attacks involving cross-site scripting (XSS), frames, pop-ups and numerous other exploits of the user’s browser. In March of 2005, one Pharming attack diverted 1,304 domains and harvested over 7,000 victims in only a few hours.[5] More recently a sophisticated Pharming attack targeted 50 financial institutions -- this attack affected at least 1,000 systems per day.[6]

Protecting against these attacks[7]
Phishing is a form of social engineering, preventing these attacks requires a combination of user education and implementation of technologies to make it easier for potential victims to recognize fraudulent sites.

Pharming attacks start with an exploit against the network and application infrastructure of a web site. Financial institutions should perform the following actions to protect against Pharming:

Protect your entire site with SSL; educate users to look for the padlock
Monitor your domain and DNS infrastructure for cache poisoning, hijack and spoofing
Monitor your web servers and DMZ systems for vulnerabilities; implement a continuous security process for vulnerability and patch management of these critical systems
Monitor web content for script injection and unauthorized modifications; extend this monitoring to partner sites which include content via frames or cross-site scripting
Implement a secure web “watermark” that validates the security of your web site; educate your users to look for and verify the watermark is correct
Develop a security response plan with your service providers to react quickly and cooperate to take down a malicious site targeting your institution

For both Phishing and Pharming, provide simple mechanisms for your customers to report abuse or suspect web sites. The prevalence of these attacks will continue to rise with the swell of e-commerce. Responsible institutions must increase the difficulty (and the resulting cost) of making a copycat web website and they must implement continuous monitoring and response processes to respond in the event of an attack.

Citations

APWG Activity Report. (2007 April). Published by the Anti-Phishing Working Group. Retrieved June 14, 2007 from http://www.antiphishing.org/reports/apwg_report_april_2007.pdf
Phishing and Pharming (2006 January). Published by McAfee. Retrieved June 14, 2007 from http://www.mcafee.com/us/local_content/white_papers/wp_phishing_pharming.pdf
'Spear Phishing' Tests Educate People About Online Scams. (2006 August). Written by David Bank of the Wall Street Journal. Retrieved June 14, 2007 from http://online.wsj.com/public/article/SB112424042313615131-z_8jLB2WkfcVtgdAWf6LRh733sg_20060817.html?mod=blogs
Social Phishing. (2005, December 12). Written by Tom Jagatic, Nathaniel Johnson, Markus Jakobsson, and Filippo Menczer School of Informatics Indiana University, Bloomington. Retrieved June 14, 2007 from http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf
SANS ISC Diary. (2005 March). From Sans Internet Storm Center. Retrieved June 14, 2007 from http://isc.sans.org/diary.html?date=2005-03-31
Elaborate ‘pharming’ attack targeted 50 banks. (2007, February 22). Written by Jeremy Kirk of the IDG News Service. Retrieved June 14, 2007 from http://www.infoworld.com/article/07/02/22/HNpharmingattackonbanks_1.html
Protection recommendations from numerous sources including: Microsoft, Symantec, SANS, RSA, CSO Online, Network World and others:

http://www.consumerfraudreporting.org/pharming.php
http://www.csoonline.com/fundamentals/quicklists_pharming.html
http://www.networkworld.com/research/2005/071805-pharming.html?
http://www.verisign.com/static/030910.pdf
http://www.microsoft.com/athome/security/privacy/pharming.mspx
http://www.apani.com/net-news/0606/82
http://www.wired.com/news/infostructure/0,1377,66853,00.html
http://www.cs.indiana.edu/pub/techreports/TR641.pdf,
http://www.infoworld.com/article/07/02/23/HNsecondgoogledesktopattack_1.html
http://reviews.cnet.com/4520-3513_7-5670780-1.html
http://www.securityfocus.com/columnists/429

Nigerian Scam Emails Just Keep Coming

2007-06-11T07:26:00.000-07:00

This scam is older than the Internet, I think it started when the first FAX machine was installed in Nigeria. I used to feel sorry for people who fell for this.

Got this message (how many millions have we all spent on SPAM filters and these still come through) on IP today:

Hello My Good friend, But you don't know my name do you?

How are you today? Hope all is well with you and your family?, Good, thanks for asking. You may not understand why this mail came to you. Oh, I understand, you send this to millions of people because it still works! But if you do not remember me, you might have receive an email from me in the past regarding a multi-million-dollar business proposal which we never concluded. US Law Enforcement gets HUNDREDS of complaints per day about the 419 scam ...

I am using this opportunity to inform you that the multi-million-dollar business has been concluded with the assistance of another partner from India who financed the transaction to a logical conclusion. Probably some poor fool who doesn't know he has been scammed.

Presently, I am in London for investment projects with my own share of the total sum. Nigerian fraudsters make so much money, it is the number 1 scam on the US Government's export page. Meanwhile, I didn't forget your past efforts and attempts to assist me in transferring those funds despite that it failed us some how.

Now contact my Personal Assistant in Abuja, Nigeria and ask him to send you the CERTIFIED CASHIER CHEQUE Look at that! British spelling, maybe he really is in London... of US$1.2M which I wrote in your name in appreciation of your past effort in helping me.

Below is his contact informations:

Name: Mr. Allusine Sakoh
Email: allusinesakoh55@hotmail.com

Who would have thought that "Allusine Sakoh" would be such a popular hotmail address. I imagine they stopped using Yahoo after they reached allusinesakoh666.

Tel: +234-803-537-6903 234 is the Nigerian country code, I wonder if they accept collect calls?

Feel free and get in touched with him for the sending of the draft to any address where you would prefer the draft to be mailed. Please do let me know immediately
you receive the CASHIER DRAFT.

Yes, but will you need to pay a

Clearance fee, paid before the check can be sent?
Commission paid to your Nigerian friend for sending the check?
Some new wrinkle?
Over one million hits on Google for "Nigerian scam"
A greedy fool and his money are soon parted ...

At the moment, I am very busy here in London because of the investment projects which I, and the new partner are having at hand but would appreciate your update once the cheque is deliverred Hey! Another typo, doesn't happen much with these guys. to you thru my email:

Finally, accept my goodwill my dear friend.

Thank you once again and may God bless you.

Mr.Aku Ubah.

This county treasurer got 14 years... More information from the Nigerian Consulate in Atlanta, Georgia.

When you see this email, press delete.

Fourth time is a charm

2007-06-04T08:13:00.000-07:00

It was 23:30 local time. We’d just adjusted our tools for another try. Lights had switched off as the last few employees had left. We knew it was time to move.

The “finger” pressed the button, the lock released. Now, on to the prize: we entered the room into the camera’s blind spot. We were behind the server farm. The safety lighting gave us a clear view past the racks. Our targets (the file servers, databases and external firewall) were all in this room. We knew that we had to move fast, capture the data, and, if possible, backdoor the firewall so that we could re-enter from the Internet — this was our goal.

We had arranged our priorities. If we could capture next year’s product design, our client would be chagrined. If we could capture the design for two years hence, they would be appalled. If we could backdoor the firewall and demonstrate the ability to pillage at will… It’s an interesting job; we were earning our payday by emulating our client’s worst enemy or most ruthless competitor.

Part 6 of 7, (to be continued)

Phishing email

2007-05-29T08:29:00.000-07:00

I recently received a phishing message that looked like this:

Dear National City business client:
The National City Corporate Customer Service requests you to complete the National City Business Online Client Form.

This procedure is obligatory for all business and corporate clients of National City.

Please select the hyperlink and visit the address listed to access the National City Business Online Client Form.

http://session-9681849.nationalcity.com/corporate/
onlineservices/TreasuryMgmt/

Again, thank you for choosing National City for your business needs. We look forward to working with you.

***** Please do not respond to this email *****

This mail is generated by an automated service.
Replies to this mail are not read by National City Corporate Customer Service or technical support.

--------------------------------------------------------------

Of course, the actual link points to http://session-9681849.nationalcity.com.userpro.tw/corporate/
onlineservices/TreasuryMgmt/
The site 'userpro.tw' is being used for malicious purposes. The other hidden component of this message was below the dashed line, "hidden" by setting the font to white: (or near white -- FFFFF3, FFFFF6 and FFFFFF were used)

interface: 0x36, 0x1, 0x63, 0x6256, 0x988, 0x2572, 0x80, 0x7637, 0x57264282 end, SGK, include, B870, K8H, WV5O, UK5, create. 0x6, 0x8549, 0x119, 0x8820, 0x402, 0x81, 0x31 8XU: 0x873, 0x5224, 0x2, 0x2, 0x9, 0x8, 0x080, 0x515, 0x43, 0x96767749, 0x88, 0x340, 0x25 0x2, 0x49725777, 0x56099999, 0x29944557, 0x7245, 0x725 M06D: 0x02484306, 0x7392, 0x33, 0x538, 0x525, 0x67920133, 0x3282 XLM: 0x4 2PEU: 0x014, 0x48384334, 0x1, 0x1, 0x11505955, 0x9691, 0x63, 0x189, 0x85388483, 0x113, 0x81125589, 0x0528 0x081PZ: 0x10, 0x7513, 0x410, 0x0375, 0x134, 0x5 CRA: 0x16, 0x58937392, 0x181, 0x27551688, 0x026, 0x5300, 0x45, 0x427, 0x41491833, 0x43275927, 0x9, 0x2, 0x7, 0x462 0x33, 0x0589, 0x771, 0x69, 0x3, 0x96524563, 0x588, 0x8388, 0x3, 0x17, 0x8769, 0x137, 0x4, 0x2211, 0x30 engine KMY9 engine stack: 0x0016 tmp: 0x43286114, 0x88, 0x04, 0x2, 0x095, 0x65, 0x79461383, 0x18078378, 0x65882286, 0x1, 0x6, 0x06 CHA start: 0x3520, 0x1064, 0x69, 0x047, 0x214, 0x062, 0x678, 0x227 0x91708961, 0x0625, 0x2, 0x0, 0x278, 0x2, 0x0, 0x7, 0x09339745 2TWO: 0x14, 0x1, 0x90402223, 0x572, 0x1980, 0x4, 0x9, 0x6377, 0x6914, 0x43462100, 0x848, 0x26 Q8BE: 0x37865183, 0x11, 0x06, 0x2, 0x2132, 0x3, 0x70656885, 0x3758 HKU: 0x1114, 0x1914, 0x2, 0x45, 0x263 0x4, 0x3930, 0x3, 0x4, 0x3, 0x4, 0x0, 0x79365666, 0x4856, 0x57, 0x0, 0x77, 0x4, 0x10401843, 0x6317 0x11658786, 0x0, 0x5 YTIZ, Z5JV, WOJ, api, create0x14424486, 0x17907803, 0x590, 0x13855537 0x591, 0x6, 0x22, 0x2126, 0x81675440, 0x67351277, 0x6, 0x1 serv: 0x36026386, 0x6, 0x7, 0x772, 0x64, 0x8180, 0x9701, 0x50750989, 0x7, 0x9, 0x87, 0x3058, 0x5, 0x263, 0x23 7Z1 common KXLL hex 0x0071, 0x63

I'm curious about the code: do you think the hex was used to defeat Bayesian SPAM filters, a programming mistake by the Phisher or something else?

Pain relief for SOX audits

2007-05-24T15:27:00.000-07:00

Got this note from a colleague today:

THERE IS HOPE :).. Here is what we turned up.... reading through the details to see what it REALLY means!:

The PCAOB's proposed changes could do just that. The governing body is proposing to allow companies to conduct a risk assessment, which will help them identify the most likely avenues for financial fraud. Auditors might then require more stringent compliance in those areas -- such as sophisticated forensics that allow auditors to find out who made changes to the general ledger and when -- while allowing less likely fraud avenues, such as backup tampering, to come under less scrutiny.

and

And the PCAOB is considering adopting more detailed guidelines for how SOX audits are conducted, Davis observes. "There have been some concerns because there's no real accreditation for SOX auditors, as there are for [Payment Card Industry] standards," he says. "This would help set some common standards for what a SOX audit entails and what qualifications an auditor has to have."

Looks like the PCAOB has also done extensive work to allow the auditors more latitude to scale the their work to match the size and complexity of an organizations -- Great news for smaller public companies.

Hello and a Question for Michael

2007-05-24T06:57:00.001-07:00

My beautiful espousa forwarded this message to me from a friend:

Something came up today and I have a quick question for Michael: In a nutshell, someone online accessed my checking account (with Washington Mutual) and drew out 500.00 from USAA (the bank with which I have a savings account, a credit card and renters' insurance.)

I recently did an online electronic transaction from USAA, telling them to remove funds from my Washington Mutual account (like I do every month) to pay off an insurance premium.

Between last night and this morning, a transaction took place whereby 500.00 was transferred via a "USAA Internet Chk" from my WaMu account to an alleged USAA accont somewhere, or probably, just through USAA and out a back door. I have both USAA and Washington Mutual investigating it, but boy, it's a rude way to start someone's morning!

Anyway Michael, if you have a view of what may have happened, I'd love to hear it. The only thing differently I've done recently is to reset my DNS server numbers in my wireless router to those of openDNS.com, a free service that supposedly prevents phishing, etc. I've since reset the router to just get DNS numbers automatically (I'm with Verizon).

Sorry to bother you with this, but you're probably much savvier than any of these folks and might have some insight. As it is, I'm grateful that ------y keeps her money with a separate bank, though we do have other WaMu Joint accounts... Makes us gunshy to use the internet for banking transactions (emphasis is mine) - or at least to maybe designate just one, and then to feed it funds for electronic fund transfers at the time bills come due...

All the best,
N------

This sort of thing is very uncommon, but we always jump to the conclusion that we've been hacked by a criminal. This is the email I sent back to my friend last night:

Hello N------,
Go to a friends house or a system at work and change all of your passwords! Don't use your computer, it may have been compromised.

Never re-use a financial site password with any other site.

Change the password on your router and other network equipment.

Have an expert look at your computer, if it has been compromised you'll need a professional to get it fixed. If it were me, I would back up my data and reinstall from secure media.
If you were not phished then your bank may have been pharmed.

It is very unlikely that an outsider directly compromised the the bank. If you used a unique id and password, a random hacker would not gained access by guessing your password.

There are many possible explanations for your problem.
Someone you know compromised your access:
They knew enough about you to access your account. If this is true the bank will be able to follow the money to them.

Some stranger compromised your access:
If you used your bank password at a secondary web site the secondary web site might have been compromised, leading to a compromise of your bank account.
Your system may have been compromised through an attack launched by a web site that you have visited. These days criminals compromise you via the web and install a program to record the web sites and passwords you use (keystroke logger). Once they captured your bank password they would have set up a transfer to withdraw money from your account.
You may have been phished or pharmed. I doubt you were phished, but pharming is very hard to detect. In a pharming attack the criminals impersonate your bank web site by hijacking the infrastructure the site relies on. You think you're visiting WAMU or USAA but in reality you have been redirected to a fraud site.

An employee at one of your banks has exploited a flaw in the bank's security:
Banks have several layers of protection to prevent this, but criminals are very creative at exploiting loopholes or flaws in network or web application security.

Either USAA or WAMU has made a transaction error:
This doesn't happen often, but it does happen. Personally, I have had my bank process duplicate transactions on more than one occasion. The situation you describe is very suspicious but it may turn out to just be a simple mistake.

Take care and feel free to contact me directly.

So what do you think, did I give my friend good advice?

Top 10 Reasons Why You Might be a Domestic Terrorist

2007-05-22T07:15:00.000-07:00

You believe the Constitution is the highest law of the land.
You believe that absolute power corrupts absolutely.
You believe that all governments regardless of their construction are subject to corruption and abuse of power.
You believe everyone has the right to bear arms.
You believe that everyone has basic rights that may not be infringed.
You believe all persons have equal protection under the law.
You believe the State can not unfairly confiscate your property.
You believe that the State shall not force people to testify against their will.
You believe that you have the right to publicly complain about the government and its policies.

And the number one reason why you might be a home-grown domestic terrorist:

1. You might disapprove of what I have to say, but you will defend my right to say it.

My thanks and appreciation to the Founders, Locke, Hobbes and to the many others who contributed to this list.

Edited to add:
Another Enemy of the People?

Pen testing

2007-05-04T09:05:00.000-07:00

Hi Michael,

I was wondering if I could get a little pen testing advice. What were the primary factors in determining the cost for a penetration test? In general, what is a ball park range that is reasonable to charge for say, 5 external IPs/servers?

Thanks,

(name withheld)

Well, like everything, that will depend on several factors.

Is this an external attack only, or internal, external and wireless?
Is social engineering involved, will a physical penetration be attempted?
Will you be dumpster diving?

My guess from your question is that you are performing a remote network penetration test without social engineering.

The scope of work then depends on the level of adversary you are imitating:

Motivated attacker, a user with inside knowledge or an attack by a professional seeking monetary gain
Robot master, someone looking for bots to add to their army
Opportunist, a script-kiddie or other non-professional attempting to crack systems because it's a rush

Level 3 is a little above what you can do with a flat Nessus scan. I'd certainly add a little MetaSploit work and some light web application inspection, looking for obvious input flaws.

Level 2 will run several well-known exploits and perhaps a 0day. You need to take a very careful look at the attack surface, validate all web applications for input checking (multiple encodings) and prevention of script or SQL injection.

Level 1 will do all of the above, plus deep research on the target and target employees, this level is beyond the capability of a small-business IT defense.

For a client with only five external IP, simulating either a level 2 or level 3 attack is your best bet.

You should be able to perform a Level 3 with automated tools and a little manual work involving the more interesting targets, three hours per IP address is probably a reasonable guess, but you won't actually spread your time that evenly.

Level 2 is tougher; a true attacker of this type hits you and moves on. However, since we can't predict the exact exploits that this attacker would use, a pen-tester has to perform a far more thorough review of the attack surface. This attack simulation will start at a few minutes per IP address, but you should expect to spend 5-10 hours (each) inspecting specific web application services and web server code for flaws. You will need to run exploit and possible denial-of-service attacks. Economically, you can’t bid this at more than 5-10 hours per IP address, but you could easily double that amount of time if you run into an interesting web application.

My estimates include, the time for testing, data gathering and report writing -- never under-estimate the time you will spend on the report. The report is the most lasting and visible product of your efforts.

Most small clients can bite-off a blend of these two attack scenarios. Cover all of the systems with an automated scan and a little manual follow-up, but spend a day or two taking a hard look at their primary web server and/or back-end.

Sample Stay out of Trouble Language

2007-04-08T09:21:00.000-07:00

This posting is provided "AS IS" with no warranties.

The question of safe penetration testing or security research comes up time an again. Good guys get prosecuted too. [1] [2]

So, to follow-up my comment on RSnake's recent post, here is something that I have used to stay out of trouble.

DISCLAIMER: I am not a lawyer. If in doubt, ALWAYS, ALWAYS, ALWAYS get professional advice from an attorney. I hope this document puts the reader on the right track and helps keep them out of trouble.

CompanyName (“COMPANY”) hereby accepts the services and the related terms and conditions set forth in the attached Statement of Work (the “SOW”) of SecurityResearcher (“HACKER”).

COMPANY expressly acknowledges that the performance of these services will require HACKER to gain access to COMPANY confidential and proprietary network and information assets, and authorizes this access for the purposes described in the SOW, subject, however, to the Mutual Nondisclosure Agreement, dated ____________________, between COMPANY and HACKER (the “NDA”).

Due to the nature of the services contemplated by the SOW, COMPANY acknowledges that no representation or warranty can be made by HACKER with respect to such services or the efficacy thereof. In particular, COMPANY acknowledges that damage to COMPANY systems or information could result from the performance of such services, and that, following completion of such services, there can be no assurance that the COMPANY network will be secure or that unauthorized access thereof will not occur.

WITHOUT LIMITING THE FOREGOING, HACKER MAKES NO EXPRESS OR IMPLIED REPRESENTATIONS WITH RESPECT TO ITS PERFORMANCE OF THE SERVICES HEREUNDER OR ANY DELIVERABLES CONTEMPLATED HEREBY, INCLUDING WITHOUT LIMITATION ANY REPRESENTATION OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

In order to induce HACKER to perform its services COMPANY is accepting the terms and conditions and making the representations set forth herein, and COMPANY irrevocably waives and releases, and shall be stopped from asserting, any claims for damages or otherwise arising out of or in connection with the services, except as expressly contemplated by the NDA.

COMPANY represents and warrants that the COMPANY information systems to be accessed by HACKER do not contain confidential or proprietary information or other property belonging to any person other than COMPANY, or any classified information. By accepting HACKER’s services, COMPANY assumes any and all liability for any disclosure of any third-party confidential or proprietary information assets, or any classified information, arising out of or resulting from such services, and agrees to indemnify, defend and hold harmless HACKER from and against any claim, loss or liability asserted by any person arising out of or relating to any such disclosure, subject, however, to the NDA.

COMPANY expressly authorizes HACKER to gain access, including without limitation external network access and without regard to the COMPANY Information Security Policy, to all COMPANY computer networks and information systems which is reasonable and necessary, in HACKER’s sole judgment, for the purposes described in the SOW, and COMPANY acknowledges that such access shall be obtained by HACKER with the express permission of COMPANY and that such access is not a violation of any federal, state or local laws, rules or regulations, including without limitation the Computer Crime Act of 1986, as amended, or the Economic Espionage Act of 1996, as amended. Execution of this SOW by the representative of COMPANY shall constitute a representation and warranty by COMPANY that such representative is duly authorized to do so and has received all requisite governmental consents and approvals which may be necessary or appropriate to execute this SOW and to carry out the terms hereof, including without limitation the preceding sentence.

Accepted and approved by:

Name Title

Signature Date

Remote Microsoft Outlook and Vista Exploit

2007-03-31T08:54:00.000-07:00

A new vulnerability is being exploited against Microsoft Outlook and all Microsoft Windows Operating Systems: Windows 2000 SP4 through Vista.

The exploit allows remote attackers to execute programs on your system or create a denial of service. There is no patch available for this exploit.

This is the first remote exploit against Vista and the security community is concerned that this vulnerability may be converted into a wide-spread attack worm.

The Community recommends:

All users make sure their Anti-virus software and detection files are up to date.
Spread of this exploit by email may be prevented by blocking all .ani, .cur, .ico and .jpg files at your email gateway.

Additional information about this vulnerability may be found at these links:

UPDATE: 4/2/2007, Microsoft plans early patch update to address this flaw:
Microsoft Response Center Update
UPDATE: 4/3/2007, Microsoft has released a patch.
MS07-017

I will update this blog post as more information becomes available.

Request to exit

2007-03-13T21:16:00.000-07:00

The industry calls it a Request-To-Exit (RTE). Some are motion sensitive, others require the push of a button, and a very few require another wave of the badge. We’d examined the client’s public areas. Some of their RTEs were motion sensitive, and some used a button. What about the data center? We knew that the RTE could be a weak spot. The security system might log the RTE, but even here at the data center, it would probably not trigger an alarm. The motion sensitive types unlock at any close approach, and pressing a button is a normal event. If we could trigger an RTE and avoid forcing the door, we would have more time to work.

Our view was limited. We had a four-by-eight-inch view above the door handle. We could see another camera, a blank stretch of wall and a small corner of a lit room. We watched for shadows and assembled our tools.

We knew the probable height and position of the button. Could we reach it? The door was not the automatic-opening type. The dead bolt was open, but the electromagnetic lock was closed. We’d taken our MacGyver shopping list to a local hardware store, our $40 worth of spare parts versus a multi-million dollar data center. We made the viewing scope from 1/2 inch narrow pipe, carpet tape, and a convex mirror. We bent the pipe and squeezed the mirror below and past the door. The data center was on a raised floor, and we had a three-fourth-inch clearance. We had our window. In the three-inch mirror, there was the button! We quickly assembled the “finger.” The mirror became a problem because we needed to have both of our devices in view, as we squeezed down next to the door. Two pairs of hands blindly working, while a third pair of eyes directed, and a fourth kept watch. You know what they say about convex mirrors: “Objects in mirror are closer than they appear.”

Part 5 of 7, (to be continued)

ICANN Factsheet: Root server attack on 6 February 2007

2007-03-09T20:39:00.000-08:00

I'm reading through the the ICANN factsheet (08mar07.pdf) and this paragraph jumps out at me.

A third category is the huge increase in individual Internet users installing routers in their homes, usually to provide wireless access or to link up several computers in the house. These consumer products usually come with the same password and a large percentage of home users never change this default password, making it easy for hackers to seize control of them for their own ends. If consumers were encouraged to change the default password or if router manufacturers were persuaded to provide each unit with a different password, then future attacks against the Net’s infrastructure could be tackled at (the) source.
(my emphasis)

I know there has already been quite a bit said about this topic here, here and here. However, this particular paragraph is written by the people who make sure that the wheels stay on the Internet's bus. This is really a very important issue and it's time the router vendors solve this problem.

The factsheet is well written and introduces a lot of information regarding the attack. Now that is has been published I can speak a little about it here. (Full disclosure: Catbird performs DNS monitoring for some of the root service providers.)

After the attack I reviewed our aggregate DNS and web performance data. Catbird gathers over one million data samples each day so I had more than enough to choose from. I chose a random samples of our monitors and developed the two charts included in this post.

The Feb 6 attack occurs around the midpoint of each chart. The attack hit two of the thirteen root servers very hard, but as you can see from these graphs the downstream DNS providers and the web sites they serve were not affected.

I make this point because I do not believe the attackers intended to bring down the Internet. I think that this was the performance test of an attack botnet. This attack combines good advertising with a live product demo. I will not be surprised to hear about a rise in DDOS attacks and extortion demands made against high-value commerce web sites.

I recommend that we all brush up on our understanding of anycast, GeoDNS and related defenses against DDOS.

Airline Security Since 9/11

2007-03-08T15:14:00.000-08:00

Over on Schneier's blog, there is a lively discussion about an article link Bruce posted. I posted a comment, but have more to say below.

What real security improvements have been made?

Stronger cockpit doors
Air Marshals
Passengers (and crew) who know that resisting the hijacker may be the best course of action

Regarding number three, it is not always necessary to fight the hijacker. In 2004, Eritrean hijackers seeking political asylum, diverted a plane to the Sudan.

However, in the continuing to fight the last war department, we have multi-million dollar projects to build a hijack-proof plane.

SAFEE coordinator Daniel Gaultier said: "You never reach zero level of threat, no risk, but if you equip planes with on-board electronics, it will make them very difficult to hijack."

<sarcasm>Sure, electronics will make it better. Just like the on-board electronics in RFID equipped passports. Electronics always make you safer.</sarcasm>

It is important that we address known threats and act to make people feel safer on airplanes but what are we doing about the next threat?

We could be loading baggage into blast-proof cargo containers, but as I pointed out in my comment, this is being fought by the airlines themselves. The airlines must believe it is much cheaper to just pay-off the relatives or sue Libya.

What else? Protecting our ports of entry? You could ship an entire tank division through one of our ports, let alone a chemical, biological or nuclear weapon. Meanwhile people think building a 2000-mile fence to keep out our gardeners, housekeepers and building contractors is a good idea. Hello, New Orleans, sorry all those folks actually helping you rebuild the city... Please send them back to Mexico. If I were Bin Laden, I would be driving a taxi in New York, availing myself of our excellent hemodialysis care, while personally selecting the next target.

Does anyone really think that a terrorist will risk dying of thirst crossing the Mexican border, when they can just as easily enter the country on a Princess Cruise? Am I the only person who saw Speed 2?

The latest craze with liquids on airplanes, is an example of the hype involved here. These activities do not make us safer and will most likely lead us to ignore the real warning signs. After all, smokers are (warning: may be inappropriate for some viewers) still finding ways around the system.

If individual safety is more important than lobbyist dollars or inconvenience, then we should be building safer planes, blast-proof cargo containers, banning most carry-ons and getting rid of those awful snacks. We also need a homeland security organization that consults with people like the Tofflers, Vinges and Harlan Ellison.

Popular Blog Software Cracked

2007-03-04T12:02:00.000-08:00

A successful attack was made on the WordPress 2.1.1 download. The attacker modified the files theme.php and feed.php. These modifications created a backdoor which would allow a user to gain privileged access to any server running WordPress 2.1.1.

All users have been requested to update immediately to WordPress 2.1.2. Users who access updates through the Subversion repository were not compromised.

Important Update to Super Bowl web site hack

2007-02-28T21:31:00.000-08:00

Super Bowl Infection - Analysis of One Break-in

One of the victims has provided their analysis of the attack and their lessons learned. Important reading for any web site developer.

My thanks to the Internet Storm Center for providing a channel for this information.

I blogged on this earlier.

Hidden in wait

2007-02-27T23:51:00.000-08:00

As we waited, we had time to think and review the plan. To us, the world’s greatest hackers are an unknown. No one knew their names and no one would know their faces. The celebrities in the paper are not the best. For tonight, we had to be the best. Otherwise, our faces would be on tape, and we would just be more bad boys who’d been caught.

We arrived at the target floor. We knew there were cameras everywhere. If they saw us in this area, we’d only have a few minutes before guards arrived. Our next stop was the fire suppression closet.

Now the challenge: we had to build our device. We worked by light reflected through a four-by-eight-inch window. As people left for home, they passed our closet, but we remained undetected.

We’d examined the company’s card key system and checked it on the Web. Card key systems are everywhere and they almost all use the same operating methods.

Part 4 of 7, (to be continued)

Outsmarting the motion detectors

2007-02-27T09:15:00.000-08:00

We waited until the building was mostly empty. We knew this business, this client. Their operations were 24/7. We arrived in the early evening and had already examined the ground and the building plans in detail. We knew our route. The weather had been perfect: rain with wind. This would mask the infrared, mess with the ultrasound. Still, we knew we had to be quick, and our timing had to be good.

We waited 40 yards from a garage exit. We could see the guard shack, but the patrol was out of sight. We waited until a distraction caused the guards to look the other way. We dashed for the ramp. We couldn’t avoid the sensors, but hoped that after a night of false alarms ours would be ignored. We had to get inside the Garage quickly. A car came down the ramp as we dashed up. This might fool the guards on the motion camera; they’d see the car, but not us. Did the driver see us? We were past him in a blink on the blind side, but one look in the mirror would be all it took.

Up the ramp and into the garage. There was another camera straight ahead. Two seconds to pass the camera, we would show for a few frames on a bank of sixteen monitors. Then into the fire escape. The team climbed past the public areas quickly and silently, before the guards could reach the stairwell. We listened for the sound of pursuit while our hearts pounded – tough work for computer jocks.

Part 3 of 7, (to be continued)

Get out of jail free cards

2007-02-23T11:07:00.000-08:00

In the hotel, we met with our client. He gave us two “pass” cards. We joked that the cards said, “Let these guys go, but scare them first.” We knew the procedure. The guards would call the police before calling their boss. The police had guns.

The security chief would wait in his office hoping to hear the good news. He wrote on our passes that they were good for one night only. Trust is carefully measured.

Catching us would be good news. It would inform our client that his system beat us. However, our job was to deliver an honest assessment of his security risks. Idiots are caught every day.

Part 2 of 7, (to be continued)

Penetration Testing

2007-02-21T23:41:00.000-08:00

It’s Friday, for the second time.

We left Asia yesterday and are a few hours past the International dateline, traveling parallel to the Aleutian Islands. Sunrise is ahead of us. Our moonlit challenge is behind us.

We had been a team off and on for the last ten years -- C programmers, UNIX kernel engineers, and now a tiger team paid to sneak into secure data centers.

As trained security consultants, our clients paid us to break in -- with the full knowledge of our employer, the company’s security chief -- but without the knowledge of site security.

We’re going to turn south soon. Home is ahead. We have been away for two weeks, carefully planning and arranging to perform the task that took less time from start to finish than the remainder of our flight.

During that time, we analyzed the building and planned the technical part of our attack. We determined the systems that needed our backdoor. We carefully arranged our timing with the security chief; he knew we were coming, but his staff did not. This was a test. Were they as good as they thought they were?

The motion sensors, cameras and guards were on one side. Our skill, technical experience and creativity were on the other. Our job was to determine if the physical security and technical safeguards would be enough to keep us from breaching the physical security of their data center and creating a backdoor to the Internet.

Part 1 of 7, (to be continued)

I Hate Passwords #12

2007-02-18T20:55:00.000-08:00

There are three basic types of authentication, often called “factors.”

Something you know
Something you have
Something you are

Passwords, ATM cards and fingerprints are examples of these factors. There are many good techniques for putting these authentication methods into practice. Probably the most familiar two-factor method is the ATM card with PIN.

'Drive-by Pharming' Attacks Potential Threat to Broadband Users

Many users, however, do not change their default password issued by the router manufacturer, Ramzan said. According to a separate informal study conducted by Indiana University, up to 50 percent of home broadband users are susceptible to this attack.

Examples like this are reason #12 for why I hate passwords. Vendors, including ATM machine vendors, continue to ship all of their devices with the exact same administrator password. The problem is not that the device has a default password. The problem is that every device (e.g. Linksys router) has the same default password. When you are building devices that dispense cash or connect to the Internet, this practice is unacceptable. Where I differ from Ramzan, is that I believe the responsibility lies with the router manufacturers not the users. The manufactures must stop this practice of using default passwords.

Security research has analyzed this area for ages. The manufacturers have no excuse for continuing to ship products that are insecure from the start. Here are a few of the available solutions:

Use the device serial number, or the last four digits of the serial number as the initial password. This works for home or SOHO routers (only visible to the owner) and ATM machines (located behind a locked panel)
Prompt the owner for a new administrator password. Make it easy, any four digits (PIN) will suffice as long as the device resists password cracking.
Add another factor. Ship ATM machines with a “manager” ATM card (chain it to a holder behind that locked panel). Network devices could include a soft token with their installation software. This soft token would also simplify setting up wireless devices with WPA-2 security.
Use challenge response questions instead of a password. Ask the user three questions out of a pool of thirty, then select one question each time the user needs administrative access. While this will not work for the ATM machine, it is fine for network access.

I hope that someone out there at Netgear or Linksys is watching, because they are responsible for this problem. If finding out that your broadband router is an open door to your home network is not bad enough, I’ll leave you all with this very educational video on door locks, which shows that your front door is wide open too.

MySpace (in)Security

2007-02-14T14:00:00.000-08:00

I'm in Chicago, listening to United's hold music (95 minutes and counting), catching up on my DarkReading.

A prime example of this problem is MySpace, which has been hit by the same vulnerability six times because it has not properly stopped attackers from entering malicious text through stripping. In providing a consumer benefit, MySpace has made its site far more dangerous to those very same consumers.

Attackers at MySpace are using the MySpace tools to introduce exploit code into a MySpace web page. MySpace is responding by attempting to delete the offending code from the content.

As RSnake notes, this has led to an oscillating conflict between the MySpace web coders and the attackers. It looks something like this:

Attacker

Submit(Post_html) where Post_html equals:
>html start ... [embedded exploit] ... html end<

Defender (server side of submit function)

Clean(Post_html) {
    If Found_Exploit(Post_html)
        Post_html = Strip_Exploit(Post_html)
    Post-to-Web(Post_html)
}

This conflict oscillates because after each improvement the Defender makes to the “Strip_Exploit” logic, the Attacker adapts her efforts to defeat the system. To get out of this situation, the defender needs to change the rules.

There are many ways to solve this problem. I’ll delve into two examples: with “stripping” the Defender could iterate over the data until clean; another solution is to use Substitution instead of Strip.

Example 1: Defender using strip

Clean(Post_html) {
    If Found_Exploit(Post_html)
        Clean( Strip_Exploit(Post_html) )
    Else
        Post-to-Web(Post_html)
}

Recursion prevents the attacker from passing a nested embed attack through the Strip function. As an alternative to recursion, the defender could iterate through a loop until the exploit code is gone:

While Found_Exploit(Post_html)
    Set Post_html to Strip_Exploit(Post_html)
Repeat
Post-to-Web(Post_html)

Another solution is to replace the exploit code with a safe substitution. For example, if the offending code is “Crake” then replace each instance of Crake with “Oryx.” It is vital that the replacement text is the same length or less than the length of the exploit text – otherwise, the attacker may discover a method to overflow the buffer you are using to contain Post_html.

Example 2: Defender using substitution

While Found_Exploit(Post_html)
    Set Post_html to Replace_Exploit(Post_html)
Repeat
Post-to-Web(Post_html)

Meanwhile, I recommend you disable scripting when you browse a page at MySpace.

Securing the Corporate Network When There is No Perimeter

2007-02-12T16:35:00.000-08:00

Do not try and bend the spoon. That’s impossible. Instead, only try to realize the truth … There is no spoon – Spoon Boy, The Matrix

Early computer security thinking taught that computer security followed the patterns of Physical Security. The object was to create a secure perimeter and then strictly control ingress/egress through a few gateways. Early pen-testing often-included attempts to gain physical access to a facility or specific system because everyone “knew” that physical access always trumped computer or network security.

Following those principals, every reasonable security architect specified firewalls, locked doors and CCTV to safeguard their systems. These elements became part of the “building code” for any secure facility.

Dear Readers, it’s time we updated our building code. We’ve had our digital Earthquakes and Hurricanes. This architecture of hardened perimeter and gateway firewall is obsolete. Today’s mobile devices carry threats and bad behavior directly onto your core network. Wireless and p2p are everywhere and the botnets, malware and Trojans ride in on port 80 and masquerade as harmless web surfing.

Today’s security architect must design and implement processes across their network comprehensively and with proper attention to every server, desktop, laptop, dormant virtual machine and wireless enabled device. Use automation to protect against flash-threats and Warhol worms. Use malware and behavioral analysis to detect Spear Phishing, targeted Trojans and command-and-control networks.

The new building code for networks requires endpoint security. The building specification for endpoint security includes but is not limited to:

Continuous vulnerability and patch management
Malware protection and host integrity
Policy enforcement and compliance validation
Policy and behavior based Pre and Post network admission control
Continuous performance and security monitoring

There are many products in this space. I recommend being wary of complexity and forklift upgrades. Look for products that simplify operations and solve real IT problems along with improving security.

Microsoft Security Response Center Blog

2007-02-09T15:35:00.000-08:00

I did want to note that this month, the Thursday before the Second Tuesday is actually the second Thursday of the month. That will be the case for March as well.

We sometimes get people who associate the Advance Notification with the first Thursday of the month, so I wanted to remind folks that it’s actually tied to the second Tuesday, the release day. So, if you have any reminders for today’s notification for March tied to the first Thursday of March, you’ll want to update them to March 8 2007: which is when we’ll make the next Advance Notification.

If that isn’t perfectly clear to you, I recommend further reading.

One item is clear, this will be an important patch event for most Microsoft users. There are a fair number of Critical and Important patches for core operating system and application elements. It would be nice to know which CVE are being addressed .

Turning Your Typo into Profit

2007-02-09T00:11:00.000-08:00

Have you noticed what happens when you mistype the name of your favorite web site? As reported by Daniel Wesemann at the Internet Storm Center this is not an accident, this is a profit center.

A few sites like www.gogle.com go where intended – www.google.com. Type in www.googe.com and you end up at Go Daddy. Just a little while ago, my browser would have shown me, “Cannot find server or DNS error.” Now on my Dell system, most of my mistakes take me to a customized Dell/Google results page. Being redirected to a search engine might seem innocuous, but this is actually a real bad thing™.

As Daniel points out in his blog entry these redirect sites create an opportunity for the pharmers and phishers
Some SSL/VPN software relies on the standard DNS behavior to redirect you to your companies internal servers
Getting redirected to an unexpected site can be very embarrassing, in this instance Bell South users were redirected to porn sites and who can forget when www.whitehouse.com was an explicit porn site?

These are all a form of hijacking. How bad is this? Just last year a Phisher was targeting Wells Fargo customers with a “welsfargo” URL. Wells Fargo has registered the domain “welsfargo.com” but has not redirected the domain as Google did with Gogle. The folks at Wells Fargo need to correct this lack.

If you have an e-commerce or popular web site then you need to protect yourself and protect your customers:

1. Register the confusingly similar domain names and configure their DNS records to point to the correct site

2. Monitor all of your domain records and DNS servers for failure or compromise

3. Deter the pharmers with protection against defacement, cross-site scripting and man-in-the-middle attacks

Another Attack on DNS Root Server Infrastructure

2007-02-07T16:05:00.000-08:00

Hackers overwhelm key Web computers

For those of you who need more information, Wikipedia has a good article on why DNS root servers are important to everybody.

Every time you type a URL, or click on a link in your web browser a DNS server directs your computer’s browser to the right server on the Internet. For performance reasons, you usually use the DNS server on your local network or one provided by your ISP. Your local DNS server relies in-turn, on other DNS servers in a tree-like hierarchy. Ultimately, all DNS servers rely on the smooth functioning of the thirteen DNS root servers.

An attack on the root servers is an attack on the fundamental structure of the Internet. It’s the DDOS equivalent of a doomsday device. This the sort of thing a villain like Ernest Blofeld would attempt; it could be the action of a sociopath, the prelude to a grand attempt at extortion, the test of an info-weapon or an act of war.

Fortunately, as noted by John Crain, this type of attack has become much harder to pull-off. However, Harder ≠ Impossible. The current infrastructure can handle an enormous load, but there are limits. The picture below shows the situation at 11:00 AM PST:

Picture 1: dnsmon.ripe.net (2/6 17:00 UTC - 19:00 UTC)

As you can see in this reporting period, two of the thirteen servers are still experiencing significant load. The following picture shows the effect of the attack from its beginning:

Picture 2: dnsmon.ripe.net (2/6 08:00 UTC - 2/7 08:00 UTC)

As you can see, the attack hit server ‘’G’’ and ‘’L’’ the hardest. The red spikes indicate an average probe failure rate exceeding 90%.

Most likely, this attack will not affect you directly. It is a lot like a solar flare’s effect on radio communications – there’s a lot more noise in the system today and don’t be surprised if you notice a slightly different “feel” to the Internet today.

The lesson here?

Performance monitoring is often a leading indicator to an attack on your computer infrastructure. It is important to understand your baseline performance and monitor the systems you rely on for any significant deviation from baseline.

For the Internet, we can thank the very good folks at RIPE .

Web Site Security Affects You

2007-02-05T15:40:00.000-08:00

1987 - Mitnick invades system at Santa Cruz Operation. Santa Cruz police travel to Los Angeles to search apartment where call coming into SCO originates. ( …) Mitnick's representation bargains felony charge down to misdemeanor. Sentence: three years probation.

At SCO, Mitnick found his way in via “war-dialing” onto a UNIX system. Did he crack root? No, root on this system had no password at all… Kevin wasn’t after SCO, he wanted UNIX source so he could get even deeper into Ma Bell’s computers.

20 years later, another hacker discovers a system they can access, only this guy isn’t after big business, he was after YOU.

Last week, Websense discovered that several Super Bowl related web sites had been hacked. According to news reports, these systems were compromised on or before January 26, but engineers at the affected sites were not alerted until February 2^nd. For a period of a week, a malware package installed on the victim web server attacked every visitor to the site.

You might not discover “Hackistan” but Hackistan wants to discover you. I intend no offense to my friends from South East Asia, but I like this idea of Hackistan (more on this later).

The crooks are making the Internet their own. Gone are the days when Kids broke into systems to prove their l33t skill, the game is all about money now. And the money is getting very very big.

We can only guess how many systems this attack affected. Enough however, that it appears that the malware server in China was failing under load. Get the irony? The bad guy’s computer was crashing because he had too many victims phoning home.

This hacker was not after fame. No vandalism or political messages, the web sites continued to operate as normal. By the way, I don’t consider people like this to be hackers… this person is a crook, a perpetrator after your login, passwords, credit card info – anything and everything he could get, so he could sell your identity or rip you off directly.

Solution? Simple:

If you have a computer, keep it patched and use a personal firewall.
If you have a web site, monitor the hell out of it.Find someone who will watch your web site and the entire infrastructure it relies on. Don’t settle for a once a quarter/month scan. Find someone who looks at your web site the way the hackers do. Pay them to check it now and check it every day, 365 days a year. This is not a choice any more.

Michael