Wednesday, October 3, 2007

Virtualised desktops will end laptop management

With virtual desktop infrastructure (VDI) there are at least three modes of operation:

  1. IT controls VDI completely, desktop is "thin" only IT approved virtual machines are allowed
  2. IT does not completely control the desktop, options get complicated fast:
    a) user virtual machines are allowed
    b) user controls the host
Looking at option 2a, we could have rogue guests, infected guests, any kind of guest ... telling them apart and acting accordingly will be fun!

Looking at option 2b, I can buy a Macintosh or linux or windoze and as long as I can run the IT approved virtual machine, then IT is happy. But what if my Macintosh is owned by the Uzebek barbarian horde? Have I just given the Horde access to my corporate network?

Lot's of interesting questions arise. We have our own use case right here at Catbird. The "approved" IT image is Windows XP with Microsoft Office.
We allow a VDI where an employee can use a Macintosh to run Windows in a vm. We're happy until there is a mac worm!

For example, an organization using Active Directory to lock down their desktops ... Active Directory does nothing to lock down a Macintosh.

How is a windows savvy IT team going to cope with users running Ubuntu, Fedora, Macintosh ... VDI is going to lead to an explosion of host operating system diversity. This will be very exciting for those of us running Windows under duress.

Their will be a huge value in giving IT the tools to manage and secure a highly diverse and constantly changing environment.
Posted by No comments:
Labels:

Saturday, September 22, 2007

Another one from SANS newsbites

A vulnerability scan would have warned them that their Cerberus implementation was open to attack. Either they were not validating their security compliance, or they were not following an effective process for curing their vulnerabilities.
--Layered Technologies Customer Data Stolen (September 19 & 20, 2007) An attack on a helpdesk application in Layered Technologies' support database has compromised the security of personally identifiable data of as many as 6,000 of the server hosting company's customers. The data include names, addresses, phone numbers and server login details.
Layered Technologies is asking all its customers to change their login credentials. The attack occurred on the evening of September 17, 2007.
http://www.theregister.co.uk/2007/09/19/layered_technologies_breach_disclosure/print.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9038040&source=rss_topic17
Posted by No comments:

Wednesday, September 19, 2007

Highlights from a recent SANS News bites

From SANS ... note that bank account details are now worth $400/per account.

TOP OF THE NEWS

--Ameritrade May Have Been Aware of Breach for a Year (September 14, 15 & 17, 2007) Online brokerage TD Ameritrade Holding has acknowledged that a data security breach has compromised more than 6.3 million accounts. The database contains customer names, addresses, account numbers, Social Security numbers (SSNs) and birth dates. The attackers gained access to the database through a backdoor program they had installed on the TD Ameritrade network. TD Ameritrade says it has removed the rogue code from its systems. The intrusion was discovered in the course of an investigation into stock-related spam that had been reported by the company's customers. An attorney representing plaintiffs in a planned class action lawsuit against the online broker alleges that the company knew of the data security problem for a year before customers were notified. Furthermore, the suit alleges that the company kept entering customer data into the vulnerable database during an internal investigation.
http://www.theregister.co.uk/2007/09/15/ameritrade_database_burgled/print.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036639&source=rss_topic17
http://www.amtd.com/newsroom/releasedetail.cfm?ReleaseID=264044
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201807006

--Symantec Report: Malware Moves Toward Commercialism (September 17 & 18, 2007) Cyber attackers aiming to damage computers or inconvenience users are giving way to more financially motivated criminals. According to Symantec's most recent Internet Security Threat Report, cyber criminals are turning to good business practices to ply their trade. Some malware purveyors are offering guarantees about the performance of their products as well as updates to keep the products current. The report also notes that phishers are scouring social networking sites to gather personal information, which they then use to create targeted emails that lure recipients to phony sites where they can harvest valuable data.
Stolen bank account details are being sold online for as much as US $400 apiece. In addition, levels of pump-and-dump schemes and image-based spam have decreased.
http://www.technewsworld.com/story/59374.html
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036819&source=NLT_SEC&nlid=38
http://www.itnews.com.au/News/61398,fraudsters-go-all-out-for-social-networkers.aspx
Posted by No comments:
Labels:

Thursday, August 9, 2007

The Game Is Not Over -- Security for your web site

  1. Man-in-the-middle (MITM) attack against SSL plus Sitekey/Passmark – The Stop-Phishing Research Group at Indiana University demonstrates that if you are not very careful about the URL and the SSL certificate, and most people are not, the attacker will be successful
  2. Sniffing a connection to steal session cookies to bypass user authentication – Robert Graham of ErrataSec, has demonstrated why you need a security barrier for your laptop at Starbucks (If his name for this attack sticks "side-jacking" then we might as well all give up and start referring to SSL as a condom for your browser)
  3. If you think you don’t have to worry about these exploit techniques, then you better have the Security Excuse bingo card (found on Schneier on Security),

It looks pretty bad. SSL can be bypassed, authentication cookies can be stolen. If you follow the blogosphere’s impression of the recent Blackhat/Defcon events, it's all useless and there is nothing we can do to stop the crooks. To top it all off, there isn’t just one Hackistan (great Yak snacks by the way) there are many Hackistan’s and no web site is to small or broad-band connected PC to innocent for them to exploit.

Truth is, if a malicious hacker with the capabilities of a Grossman, Skoudis or Moore is after your site, then you will get hacked. Lucky for you these guys are busy™.

Solutions? Focus on your business needs and take some precautionary steps:

  • Run traditional vulnerability scans (because Skoudis and Moore teach us that the old problems are new again)

  • Run a web application scanner and use a secure coding inspection tool, Grossman and Zorkul are better, but it’s foolish not to automate everything you can

  • Use SSL from start to finish on your web-site, you have an obligation to protect the integrity and security of all the data exchanged between your site and your customer’s browser – otherwise your giving it away to any crook with a copycat access point or a promiscuous wireless card

  • Don’t ignore MITM because you think it is hard, it gets easier to do every day – Lucky for all of us, it’s also getting easier to protect against and detect MITM, Pharming, Highjack and Malware Injection, I know someone who can help

  • Last but not least, plan on getting hacked, have an incident response plan and be prepared, playing security excuse bingo is a losing strategy

Get started today!
Posted by No comments:
Labels:

Disregard any pop-up security windows you receive

I received this in my mail today:

Dear Electronic Crimes Task Force Member,

CSO magazine is conducting a survey in cooperation with the U.S. Secret Service and CERT Coordination Center, the 2007 eCrime Watch. The purpose of this project is to uncover electronic crime trends.

CSO magazine’s sister company, IDG Research Services, has been commissioned to help us collect your feedback. Please click on the following URL to begin the survey or copy and paste the URL into your browser:

https://url-hidden

Disregard any pop-up security windows you receive. (Emphasis mine)

Please be assured that any information you provide is confidential and your responses will be used only in combination with those of other survey respondents. This survey should take no more than 10 minutes of your time. If you have any questions about this survey please contact IDG Research Services at ------@idg.com or ATSAIC ----------, USSS, San Francisco Field Office 415/-------.

Thank you in advance for your help.
Of course my first thought, was that this was a phishing attack. I couldn't imagine CSO and the ECTF telling me to "Disregard any pop-up security windows you receive."

Imagine my surprise and relief, when I went to the site and there were no warnings. So, they got it right, the SSL certificate was correct and unexpired ... but everyone is so accustomed to that not being the case, that as a matter of course they included the disregard pop-ups message. Is our infrastructure broken or what?
Posted by No comments:
Labels:

Wednesday, August 8, 2007

Virtually Secure

Christofer Hoff has a good post here. In particular,
Combine that with NAC agents on the hosts and...whether or not it actually works is neither here nor there. They told they story and here it is. It's good to be king.
His point being that Cisco doesn't have to worry about when they are going to deliver a product or even how will it will work when they do ...

Meanwhile, back in your virtualized data center, you can be warm and happy knowing that Cisco's virtually shipping product has you virtually secure already. Nice, huh?

What about Real Security -- Real Security for Virtualized Infrastructures? You've deployed half a dozen quad-core systems and thrown out 150 obsolete boxes. Maybe you had IPS and NAC in your datacenter already, but do you have it now? If your virtual windows 2000 server get's infected and starts attacking the other systems on the host, how will you know?

Maybe you will know when the infection begins to spread to other hosts and their virtual servers, but by then you will have a real mess on your hands.

The right answer involves doing something today, not waiting for a vendor to implement a solution next year. Here is the pragmatic prescription for today, virtual servers are servers, period.

If there reliability and security are important to your business then you have to secure them with same mature IT processes that you use for everything else:
  1. Specify the appropriate security requirements at the start
  2. Determine and implement secure baselines that meet your business and security requirements
  3. Validate/test that the performance and security of your systems meets the stated requirements before you put them in production
  4. After deployment, test them again -- virtualization really helps you here
  5. Use change control and segregation of duties -- (ITIL and ISO 17799 driven) processes and controls to keep working systems, working
  6. Patch management and vulnerability management are a continuous process -- don't treat these problems with a calender ... not unless you like emergencies
  7. Continuously monitor your network and systems, use the protection appropriate to the value of the data or business operations, such as:
    • Gateway: firewall, anti-spam, anti-malware, content filtering, vpn ...
    • Network: vulnerability monitoring, IDS/IPS, NAC, Policy management and compliance ...
    • Endpoint: Anti-malware, AAA, log analysis, patching, encryption ...

  8. Disaster/Business continuity planning, incident response and training have to include your virtual infrastructure -- DR/BP might be a big driver behind your virtualization effort, but nothing substitutes for a good test.
Do all of the above, appropriately to the level you need, don't wait to become the next security breach. It's more about the process than the tools.
Posted by No comments:
Labels:

Monday, August 6, 2007

I hate Passwords #10

From IP: link here
What I think needs to be done is that the public needs to be educated about these sites, and the security risk they pose.
The "public" is already being educated. We tell them over and over that they should not share their password with anyone. The problem is that the public gives up their password all too easily. We can keep blaming the public, and we will, but we should also try to understand why someone will give up their Yahoo (or other service) password easily, while the same person would never share their ATM PIN.

I think the public is pretty smart, but they learn best when they experience immediate consequences from their actions. Right now, I know that identity theft and losses from this behavior are at a tolerable level because most of the public are still willing to give their password away -- where the same public will never forgot to lock their car door at the shopping mall parking lot.

If the consequences (or at least people's awareness of these consequences) get a lot worse, we will either see a change in behavior or the deployment of technologies to eliminate reliance on passwords (tokens, client-side certificates ...).
Posted by No comments:
Labels:
Subscribe to: Posts (Atom)