<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-1578398477465556415</id><updated>2011-11-27T19:21:49.397-05:00</updated><title type='text'>Vulnerability Assessments and Penetration Testing</title><subtitle type='html'>Penetration testing services can give you a quick and detailed analysis of your current external exposure to breaches that threaten critical information and assets. This is an essential first step for governments and businesses worldwide in determining the necessary next steps for maintaining the security levels mandated by common standards such as ISO 17799/BS 7799, Sarbanes-Oxley, HIPAA and the Payment Card Industry Data Security Standard.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>35</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-3656655989785817832</id><published>2011-10-19T13:12:00.002-04:00</published><updated>2011-10-19T13:17:17.935-04:00</updated><title type='text'>Stuxnet 2.0?</title><content type='html'>&lt;span class="Apple-style-span" style="color: rgb(255, 255, 255); font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 18px; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; background-color: rgb(255, 255, 255);font-family:Verdana, sans-serif;font-size:12px;"  &gt;&lt;h1 class="h s-1"    style="margin: 0px 0px 8px; padding: 0px; border-width: 0px; font-style: inherit; vertical-align: baseline; line-height: 1.08em; display: block; font-weight: bold;font-family:Georgia, serif;font-size:3.33em;color:initial;"&gt;&lt;span style="font-size:100%;"&gt;Stuxnet 2.0? 
Researchers find new 'cyber-surveillance' malware threat&lt;/span&gt;&lt;/h1&gt;&lt;p class="meta s-10"   style="margin: 0px 0px 10px; padding: 0px; border-width: 0px; font-weight: inherit; font-style: inherit; vertical-align: baseline;font-family:inherit;font-size:0.92em;"&gt;&lt;span style="font-size:100%;"&gt;By Ryan Naraine | October 18, 2011, 12:14pm PDT&lt;/span&gt;&lt;/p&gt;&lt;p class="space-2 content fancy s-7"    style="margin-top: 0px; margin-right: 0px; margin-bottom: 20px !important; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: italic;   vertical-align: baseline; font-family:Georgia, serif;font-size:1.17em;color:initial;"&gt;&lt;span class="c-1 heavy" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: bold; font-style: inherit;   vertical-align: baseline; color: rgb(150, 21, 21); font-family:inherit;font-size:100%;"  &gt;Summary:&lt;span class="Apple-converted-space"&gt; &lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;Symantec warns of a new high-end Trojan that’s “nearly identical to Stuxnet” but notes that the malware has a completely different goal.&lt;/span&gt;&lt;/p&gt;&lt;div class="content-1 entry space-1 clear"    style="margin-top: 0px; margin-right: 0px; margin-bottom: 10px !important; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   
vertical-align: baseline; display: block; overflow-x: hidden; overflow-y: hidden; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a href="http://blogs.zdnet.com/security/?p=9647" style="margin: 0px; padding: 0px; border-width: 0px; font-weight: inherit; font-style: inherit; font-size: 12px; font-family: inherit; vertical-align: baseline; cursor: pointer; text-decoration: none;"&gt;&lt;img class="alignnone size-full wp-image-9648" title="similarities_stuxnet_duzu" src="http://i.zdnet.com/blogs/similarities_stuxnet_duzu.png" alt="" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; font-weight: inherit; font-style: inherit; font-size: 12px; font-family: inherit; vertical-align: baseline; border-top-style: none; border-right-style: none; border-bottom-style: none; border-left-style: none; border-width: initial; border-color: initial; " height="332" width="475" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; 
font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="font-size:100%;"&gt;[&lt;/span&gt;&lt;span class="Apple-converted-space"  style="font-size:100%;"&gt; &lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;strong&gt;UPDATE:&lt;/strong&gt;&lt;/span&gt;&lt;span class="Apple-converted-space"  style="font-size:100%;"&gt; &lt;/span&gt;&lt;span style="font-size:100%;"&gt;McAfee&lt;a href="http://blogs.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-%E2%80%93-further-tales-of-the-stuxnet-files" style="margin: 0px; padding: 0px; border-width: 0px; font-weight: inherit; font-style: inherit; font-size: 12px; font-family: inherit; vertical-align: baseline; cursor: pointer; text-decoration: none;"&gt;&lt;span class="Apple-converted-space"&gt; &lt;/span&gt;says&lt;/a&gt;&lt;/span&gt;&lt;span class="Apple-converted-space"  style="font-size:100%;"&gt; &lt;/span&gt;&lt;span style="font-size:100%;"&gt;DuQu's main objective is espionage and targeted attacks against sites such as Certificate Authorities (CAs). 
]&lt;/span&gt;&lt;/p&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="font-size:100%;"&gt;Researchers at Symantec have sounded an alarm for a new piece of malware with “striking similarities” to&lt;/span&gt;&lt;span class="Apple-converted-space"  style="font-size:100%;"&gt; &lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;a href="http://www.zdnet.com/blog/security/inside-stuxnet-researcher-drops-new-clues-about-origin-of-worm/7409" style="margin: 0px; padding: 0px; border-width: 0px; font-weight: inherit; font-style: inherit; font-size: 12px; font-family: inherit; vertical-align: baseline; cursor: pointer; text-decoration: none;"&gt;Stuxnet&lt;/a&gt;, the mysterious computer worm that targeted nuclear facilities in Iran.&lt;/span&gt;&lt;/p&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="font-size:100%;"&gt;The new malware, identified as Duqu, is a highly specialized Trojan capable of gathering intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.&lt;/span&gt;&lt;/p&gt;&lt;h3    style="margin-top: 0px; margin-right: 0px; margin-bottom: 8px; margin-left: 0px; padding-top: 0px; 
padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: normal; font-style: inherit;   vertical-align: baseline; line-height: 1.17em; display: block; font-family:Georgia, serif;font-size:1.83em;color:initial;"&gt;&lt;span style="font-size:100%;"&gt;[ &lt;a href="http://www.zdnet.com/blog/security/inside-stuxnet-researcher-drops-new-clues-about-origin-of-worm/7409" style="margin: 0px; padding: 0px; border-width: 0px; font-weight: inherit; font-style: inherit; font-size: 22px; font-family: inherit; vertical-align: baseline; cursor: pointer; text-decoration: none;"&gt;Inside Stuxnet: Researcher drops new clues about origin of worm&lt;/a&gt;&lt;/span&gt;&lt;span class="Apple-converted-space"  style="font-size:100%;"&gt; &lt;/span&gt;&lt;span style="font-size:100%;"&gt;]&lt;/span&gt;&lt;/h3&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="font-size:100%;"&gt;“The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility,” according to Symantec’s security response team.&lt;/span&gt;&lt;/p&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; 
font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="font-size:100%;"&gt;Symantec said it got a copy of the in-the-wild malware from an unnamed research lab with strong international connections.&lt;/span&gt;&lt;/p&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="font-size:100%;"&gt;The company found that parts of Duqu are “nearly identical to Stuxnet” but noted that the malware has a completely different goal.&lt;/span&gt;&lt;/p&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 30px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="font-size:100%;"&gt;Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created after the last recovered Stuxnet file. Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. 
The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.&lt;/span&gt;&lt;/p&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="font-size:100%;"&gt;The company said Stuxnet and Duqu shared the same modular structure, injection mechanisms, and a driver that is digitally signed with a compromised key.&lt;/span&gt;&lt;/p&gt;&lt;h3    style="margin-top: 0px; margin-right: 0px; margin-bottom: 8px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: normal; font-style: inherit;   vertical-align: baseline; line-height: 1.17em; display: block; font-family:Georgia, serif;font-size:1.83em;color:initial;"&gt;&lt;span style="font-size:100%;"&gt;[ &lt;a class="l" href="http://www.zdnet.com/blog/security/stuxnet-a-possible-attack-scenario/7420" style="margin: 0px; padding: 0px; border-width: 0px; font-weight: inherit; font-style: inherit; font-size: 22px; font-family: inherit; vertical-align: baseline; cursor: pointer; text-decoration: none;"&gt;&lt;span class="Apple-converted-space"&gt; &lt;/span&gt;Stuxnet: A possible attack scenario&lt;/a&gt;&lt;/span&gt;&lt;span class="Apple-converted-space"  style="font-size:100%;"&gt; &lt;/span&gt;&lt;span style="font-size:100%;"&gt;]&lt;/span&gt;&lt;/h3&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; 
padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="font-size:100%;"&gt;Unlike Stuxnet, Symantec said the new malware does not contain any code related to industrial control systems. It was built to be a remote access Trojan (RAT) that does not self-replicate.&lt;/span&gt;&lt;/p&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="font-size:100%;"&gt;“The threat was highly targeted toward a limited number of organizations for their specific assets. 
However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants,” the company warned.&lt;/span&gt;&lt;/p&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 30px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: normal; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:100%;"  &gt;The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information. The attackers were searching for assets that could be used in a future attack. In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available in all cases. Two variants were recovered and, in reviewing our archive of submissions, the first recording of one of the binaries was on September 1, 2011. 
However, based on file compile times, attacks using these variants may have been conducted as early as December 2010.&lt;/span&gt;&lt;/p&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="font-size:100%;"&gt;One of the variant’s driver files was signed with a valid digital certificate expiring August 2, 2012. The digital certificate belongs to C-Media Electronics Incorporation, a company headquartered in Taipei, Taiwan. The certificate was revoked on October 14, 2011.&lt;/span&gt;&lt;/p&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: normal; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:100%;"  &gt;Symantec noted that Duqu uses HTTP and HTTPS to communicate with a command and control server that is currently operational.&lt;/span&gt;&lt;/p&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; 
padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a href="http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet" style="margin: 0px; padding: 0px; border-width: 0px; font-weight: inherit; font-style: inherit; font-size: 12px; font-family: inherit; vertical-align: baseline; cursor: pointer; text-decoration: none;"&gt;Some more details on Duqu&lt;/a&gt;:&lt;/span&gt;&lt;/p&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 30px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: normal; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:100%;"  &gt;Through the command and control server the attackers were able to download additional executables, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information. 
The information is logged to a lightly encrypted and compressed local file, which then must be exfiltrated out.&lt;/span&gt;&lt;/p&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 30px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: normal; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:100%;"  &gt;The threat uses a custom command and control protocol, primarily downloading or uploading what appear to be JPG files. 
However, in addition to transferring dummy JPG files, additional data for exfiltration is encrypted and sent, and likewise received.&lt;/span&gt;&lt;/p&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 30px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: normal; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:100%;"  &gt;Finally, the threat is configured to run for 36 days. 
After 36 days, the threat will automatically remove itself from the system.&lt;/span&gt;&lt;/p&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: normal; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:100%;"  &gt;Symantec’s researchers believe that the creators of Duqu had access to the source code of Stuxnet.&lt;/span&gt;&lt;/p&gt;&lt;p    style="margin-top: 0px; margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border- font-weight: inherit; font-style: inherit;   vertical-align: baseline; font-family:inherit;font-size:12px;color:initial;"&gt;&lt;span style="font-size:100%;"&gt;A technical paper describing the similarities between Stuxnet and Duqu&lt;/span&gt;&lt;span class="Apple-converted-space"  style="font-size:100%;"&gt; &lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" style="margin: 0px; padding: 0px; border-width: 0px; font-weight: inherit; font-style: inherit; font-size: 12px; font-family: inherit; 
vertical-align: baseline; cursor: pointer; text-decoration: none;"&gt;can be found here&lt;/a&gt;&lt;/span&gt;&lt;span class="Apple-converted-space"  style="font-size:100%;"&gt; &lt;/span&gt;&lt;span style="font-size:100%;"&gt;[PDF].&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-3656655989785817832?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.zdnet.com/blog/security/stuxnet-20-researchers-find-new-cyber-surveillance-malware-threat/9647?tag=nl.e589' title='Stuxnet 2.0?'/><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/3656655989785817832/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=3656655989785817832' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/3656655989785817832'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/3656655989785817832'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2011/10/stuxnet-20.html' title='Stuxnet 2.0?'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-6614917024853508055</id><published>2011-09-09T18:45:00.001-04:00</published><updated>2011-09-09T18:45:56.760-04:00</updated><title type='text'>Cybercrime claimed 431 million adult victims last year and cost $114 billion</title><content type='html'>&lt;div class="yom-mod yom-art-content"&gt;&lt;div class="bd"&gt;&lt;p&gt;Cybercrime claimed 431 million adult victims last year and cost $114 billion, according to a report published 
Wednesday.&lt;/p&gt; &lt;p&gt;The Norton Cybercrime Report 2011 said over 74 million people in the  United States were cybercrime victims last year, suffering $32 billion  in direct financial losses.&lt;/p&gt; &lt;p&gt;Cybercrime cost China around $25 billion, Brazil $15 billion and  India $4 billion in the past 12 months, said the report from computer  security firm Symantec, maker of the Norton anti-virus software.&lt;/p&gt; &lt;p&gt;According to the report, more than two-thirds of online adults -- 69  percent -- have been victims of cybercrime at some point in their lives,  resulting in more than one million cybercrime victims a day.&lt;/p&gt; &lt;p&gt;Cybercrime rates were even higher in China and South Africa.  Eighty-five percent of Chinese respondents to the Norton survey and 84  percent of South Africans said they have been victims of cybercrime.&lt;/p&gt; &lt;p&gt;The report found a growing threat from cybercrime on mobile phones.&lt;/p&gt; &lt;p&gt;Ten percent of adults online have experienced cybercrime on their  mobile phones and the number of reported new mobile operating system  vulnerabilities increased from 115 in 2009 to 163 in 2010.&lt;/p&gt; &lt;p&gt;"There is a serious disconnect in how people view the threat of  cybercrime," said Adam Palmer, Norton lead cybersecurity advisor.  
"Cybercrime is much more prevalent than people realize.&lt;/p&gt; &lt;p&gt;"Over the past 12 months, three times as many adults surveyed have  suffered from online crime versus offline crime, yet less than a third  of respondents think they are more likely to become a victim of  cybercrime than physical world crime in the next year," Palmer said.&lt;/p&gt; &lt;p&gt;For the survey, interviews were conducted with nearly 20,000 people in 24 countries, Symantec said.&lt;/p&gt;  &lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-6614917024853508055?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/6614917024853508055/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=6614917024853508055' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/6614917024853508055'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/6614917024853508055'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2011/09/cybercrime-claimed-431-million-adult.html' title='Cybercrime claimed 431 million adult victims last year and cost $114 billion'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' 
src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-3644671601264700244</id><published>2011-07-06T10:00:00.001-04:00</published><updated>2011-07-06T10:02:20.108-04:00</updated><title type='text'>Spear Phishing</title><content type='html'>By now most everyone has heard the term “phishing”.    &lt;p class="MsoNormal"&gt;Wikipedia defines phishing as an attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. &lt;/p&gt;  &lt;p class="MsoNormal"&gt;Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. &lt;/p&gt;    &lt;p class="MsoNormal"&gt;Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. &lt;/p&gt;    &lt;p class="MsoNormal"&gt;Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. 
&lt;/p&gt;    &lt;p class="MsoNormal"&gt;IDP recently carried out an authorized phishing attack for one of its customers and found that over 50% of the staff gave up their email passwords in response to an email that, if examined closely, was obviously bogus.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;So what is spear phishing?&lt;/p&gt;    &lt;p class="MsoNormal"&gt;The difference between phishing and spear phishing is that while the former floods thousands or even millions of inboxes, the latter targets a small group of previously identified people, sometimes only a handful who work at the same company or in the same organization.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;With the increased popularity of social networking sites (Facebook, Twitter, etc.), the bad guys are now able to select specific individuals (and businesses) and direct their malicious activity in a very granular fashion, just as you’d spear a fish.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;"Today's spear phishing is not only more prevalent but also much more technically proficient," says Dave Jevans, chairman of the Anti-Phishing Working Group (APWG), an industry association dedicated to fighting online identity theft. &lt;/p&gt;    &lt;p class="MsoNormal"&gt;"They're not going for a password, anymore, they're getting people to install crimeware on their computers," said Jevans.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Like the more common phishing, spear phishing attacks are launched as emails that try to con the recipient into clicking a link that leads to a malicious Web site. 
Those sites can take almost infinite forms, from fake account log-in screens to ones that tout an upgrade to widely used software, such as Adobe Flash.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Once the malicious link or email is clicked, the attacker is able to install a program that infects the computer, giving criminals access to that machine -- and through it, others -- or to confidential information, like account passwords obtained by secretly monitoring the PC's keystrokes.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;According to reports by the likes of Bloomberg, the recent IMF spear-phishing attack targeted one of its workers and planted malware on a machine, which was then presumably used to scout the network for data to steal.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;But the IMF incident is only the most recent in a series of specialized attacks this year aimed at targets from the Oak Ridge National Laboratory and the French foreign ministry to Google's Gmail.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;All have one thing in common: They relied on spear phishing to fool users into installing malware or revealing account information.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;So what can individuals do?&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Well, very simply, maintain awareness, think before you click, keep your antivirus and antimalware software up to date and remember that anyone can be an unwitting target.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;What about businesses?&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Educating staff is first and foremost. Make sure there are policies, processes and procedures in place that everyone follows – but more importantly, that they understand.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;From a technical perspective, ensure that your perimeter defenses (stateful firewalls, IDS / IPS, VPNs, blacklists, access control, etc.) 
are current, properly configured, monitored and regularly tested.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;In summary, maintaining a defensive posture is not rocket science. Common sense, diligence and thoughtfulness are 90% of the game.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/3644671601264700244/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=3644671601264700244' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/3644671601264700244'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/3644671601264700244'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2011/07/spear-phishing.html' title='Spear Phishing'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-453514117699363817</id><published>2011-07-01T10:12:00.002-04:00</published><updated>2011-07-01T10:15:09.236-04:00</updated><title type='text'>Defending Against Insider Threats To Reduce Your Risk</title><content type='html'>&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  
&lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:latentstyles deflockedstate="false" defunhidewhenused="true" defsemihidden="true" defqformat="false" defpriority="99" latentstylecount="267"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" 
unhidewhenused="false" name="Light Grid Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="64" 
semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 6"&gt;   &lt;w:lsdexception 
locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="19" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="21" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="31" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Reference"&gt;   &lt;w:lsdexception locked="false" priority="32" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Reference"&gt;   &lt;w:lsdexception locked="false" priority="33" semihidden="false" unhidewhenused="false" qformat="true" name="Book Title"&gt;   &lt;w:lsdexception locked="false" priority="37" name="Bibliography"&gt;   &lt;w:lsdexception locked="false" priority="39" qformat="true" name="TOC Heading"&gt;  &lt;/w:LatentStyles&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 10]&gt; &lt;style&gt;  /* Style Definitions */  table.MsoNormalTable  {mso-style-name:"Table Normal";  
mso-tstyle-rowband-size:0;} &lt;/style&gt; &lt;![endif]--&gt;Insider threats are often overlooked when it comes to information security, but in fact they account for the large majority of information theft and compromised systems. Who better to leverage their access and knowledge than those who oftentimes have the keys to the kingdom?    &lt;p class="MsoNormal"&gt;I read a good white paper this morning by CA Technologies (ca.com) entitled Defending Against Insider Threats To Reduce Your Risk. You can read an excerpt here:&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;a href="http://www.idpnow.net/documents/Defending_Against_Insider_Threats.pdf"&gt;http://www.idpnow.net/documents/Defending_Against_Insider_Threats.pdf&lt;/a&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;The focus of the article is that insider threats are increasing. The 2009 e-Crime Watch surveyed 523 organizations and found that 51% of these organizations had experienced an insider attack, up from only 39% of organizations three years earlier. That number is probably much higher, since insider attacks often go unreported. The point is that businesses must be vigilant in looking at insider risk the same way they do external risk – perhaps even more.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;The white paper goes on to talk about how insider risks manifest themselves and how these attacks are carried out, but the recommendations to reduce these risks are the important takeaway. 
If businesses ensure these relatively simple “best practices” are in place, the odds of an insider attack being successful are greatly diminished.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Develop and enforce comprehensive written acceptable use policies. All organizations should have detailed acceptable use policies for all employees and should make employees review and sign the policy annually. This is a basic step but one that organizations often overlook. Having a written security policy will not necessarily prevent insider attacks, but it can still be useful for providing the entire organization with a baseline of what is acceptable usage and the proper methods for handling sensitive data.&lt;/p&gt;    &lt;ul&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;Ineffective management of privileged users&lt;/span&gt;. All IT environments have privileged users (admin, root) that have total access to key systems, applications, and information. This is not only a security risk, but it can also make compliance much more difficult. Sharing administrator passwords is another common problem which could lead to inappropriate access to your systems and information and an inability to identify specifically who performed which action on each system.&lt;/li&gt;&lt;/ul&gt;  &lt;ul&gt;&lt;li&gt; &lt;span style="font-style: italic;"&gt;Inappropriate role and entitlement assignment. &lt;/span&gt;The management of user roles and entitlements is one of the biggest challenges that many IT organizations face. Overlapping roles and duplicated or inconsistent entitlements are all common problems that can lead to improper access to, and use of, sensitive information. 
In addition, the lack of automated de-provisioning can lead to excessive entitlements or orphan accounts, both of which provide openings through which disgruntled insiders can launch an attack.&lt;/li&gt;&lt;/ul&gt;  &lt;ul&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;Poor information classification and policy enforcement&lt;/span&gt;. Effective protection against improper access or use of information requires strong control over user identities, access, and information use. Most organizations have some controls in these areas, but do not have a unified and robust approach to truly protect their information assets.&lt;/li&gt;&lt;/ul&gt;  &lt;ul&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;Weak user authentication&lt;/span&gt;. Access to highly sensitive information often only requires simple password authentication, and does not take into account other contextual information (e.g., the user's location) that might raise the risk of breach.&lt;/li&gt;&lt;/ul&gt;  &lt;ul&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;Poor overall identity governance&lt;/span&gt;. Effective protection against improper access or use of information requires strong control over user identities, access, and information use. Most organizations have some controls in these areas, but do not have a unified and robust approach to truly protect their information assets.&lt;/li&gt;&lt;/ul&gt;  &lt;ul&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;Inadequate auditing and analytics&lt;/span&gt;. Many companies have no way to continuously audit access to help ensure that only properly authorized individuals are gaining access, and that their use of information complies with established policy. 
Even if they have auditing tools in place, the sheer volume of log data generated makes it very difficult for organizations to sift through the data and identify breaches or threats.&lt;/li&gt;&lt;/ul&gt;</content><link rel='related' href='http://www.idpnow.net/documents/Defending_Against_Insider_Threats.pdf' title='Defending Against Insider Threats To Reduce Your Risk'/><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/453514117699363817/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=453514117699363817' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/453514117699363817'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/453514117699363817'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2011/07/defending-against-insider-threats-to.html' title='Defending Against Insider Threats To Reduce Your Risk'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-5045440873606357669</id><published>2011-06-28T13:14:00.002-04:00</published><updated>2011-06-28T13:16:42.682-04:00</updated><title type='text'>Cyber-Security Breaches Hit 90 Percent of Businesses</title><content type='html'>Saw this article this 
morning and decided it was too important not to repost:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.channelinsider.com/c/a/Security/Cyber-Security-Breaches-Hit-90-Percent-of-Businesses-Report-410815/"&gt;http://www.channelinsider.com/c/a/Security/Cyber-Security-Breaches-Hit-90-Percent-of-Businesses-Report-410815/&lt;/a&gt;</content><link rel='related' href='http://www.channelinsider.com/c/a/Security/Cyber-Security-Breaches-Hit-90-Percent-of-Businesses-Report-410815/' title='Cyber-Security Breaches Hit 90 Percent of Businesses'/><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/5045440873606357669/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=5045440873606357669' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/5045440873606357669'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/5045440873606357669'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2011/06/cyber-security-breaches-hit-90-percent.html' title='Cyber-Security Breaches Hit 90 Percent of Businesses'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' 
src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-5255877305224143867</id><published>2011-06-27T11:34:00.004-04:00</published><updated>2011-06-27T11:42:00.709-04:00</updated><title type='text'>Hackers want your passwords</title><content type='html'>&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:latentstyles deflockedstate="false" defunhidewhenused="true" defsemihidden="true" defqformat="false" defpriority="99" latentstylecount="267"&gt;   &lt;w:lsdexception 
locked="false" priority="32" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Reference"&gt;   &lt;w:lsdexception locked="false" priority="33" semihidden="false" unhidewhenused="false" qformat="true" name="Book Title"&gt;   &lt;w:lsdexception locked="false" priority="37" name="Bibliography"&gt;   &lt;w:lsdexception locked="false" priority="39" qformat="true" name="TOC Heading"&gt;  &lt;/w:LatentStyles&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 10]&gt; &lt;style&gt;  /* Style Definitions */  table.MsoNormalTable  {mso-style-name:"Table Normal";  mso-tstyle-rowband-size:0;  mso-tstyle-colband-size:0;  mso-style-noshow:yes;  mso-style-priority:99;  mso-style-parent:"";  mso-padding-alt:0in 5.4pt 0in 5.4pt;  mso-para-margin:0in;  mso-para-margin-bottom:.0001pt;  mso-pagination:widow-orphan;  font-size:10.0pt;  font-family:"Times New Roman","serif";} &lt;/style&gt; &lt;![endif]--&gt;  &lt;p class="MsoNormal"&gt;Password exploitation is the hacker’s most common objective when it comes to compromising a system or stealing information. Why then don’t we pay more attention to securing this critical piece of information?&lt;/p&gt;  &lt;p&gt;We are forever being told that we should use complex and difficult (to remember) passwords. This is not the best advice, because you can actually make usable, easy to remember and highly secure passwords. In fact, usable passwords are often far better than complex ones. &lt;/p&gt;  &lt;h2&gt;&lt;span style="mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;How to hack a password&lt;/span&gt;&lt;/h2&gt;  &lt;p&gt;The work involved in hacking passwords is very simple. 
There are five proven ways to do so:&lt;/p&gt;  &lt;ol start="1" type="1"&gt;&lt;li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;      mso-list:l0 level1 lfo1;tab-stops:list .5in"&gt;&lt;strong&gt;&lt;span style="mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;Asking&lt;/span&gt;&lt;/strong&gt;&lt;span style="mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;: Amazingly, the most      common way to gain access to someone's password is simply to ask for it. As      social engineering becomes more pervasive, users are often tricked into      providing their passwords by various means, but at the end of the day, the      hacker’s modus operandi is simply to ask for it. My experience from social      engineering engagements says that as many as 50% of users in a business      will willingly give up their password if the request is made in an      innocent context. Not only that, but people often tell their passwords to      colleagues, friends and family. Having a complex password policy isn't      going to change this.&lt;/span&gt;&lt;/li&gt;&lt;li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;      mso-list:l0 level1 lfo1;tab-stops:list .5in"&gt;&lt;strong&gt;&lt;span style="mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;Guessing&lt;/span&gt;&lt;/strong&gt;&lt;span style="mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;: This is the second      most common method to access a person's account. It turns out that most      people choose a password that is easy to remember, and the easiest ones      are those that are related to you as a person. Passwords like: your last      name, your wife's name, the name of your cat, the date of birth, your      favorite flower etc. are all pretty common. This problem can only be      solved by choosing a password with no relation to you as a person. 
&lt;/span&gt;&lt;/li&gt;&lt;li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;      mso-list:l0 level1 lfo1;tab-stops:list .5in"&gt;&lt;strong&gt;&lt;span style="mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;Brute force attack&lt;/span&gt;&lt;/strong&gt;&lt;span style="mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;: Very simple to do. A      hacker simply attempts to sign-in using different passwords one at the      time. The plethora of free automated brute force attack tools make this      method as easy for the hacker as sitting back and letting his computer do      the work. The only thing that stops a brute force attack is higher      complexity and longer passwords (which is why IT people want you to use      just them). &lt;/span&gt;&lt;/li&gt;&lt;li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;      mso-list:l0 level1 lfo1;tab-stops:list .5in"&gt;&lt;strong&gt;&lt;span style="mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;Common word attacks&lt;/span&gt;&lt;/strong&gt;&lt;span style="mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;: A simple form of      brute-force attack is where the hacker attempts to sign-in using a list of      common words. Instead of trying a different combination of letters, the      hacker tries different words. Numerous lists of these “common” passwords      exist on the Internet for easy download.&lt;/span&gt;&lt;/li&gt;&lt;li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;      mso-list:l0 level1 lfo1;tab-stops:list .5in"&gt;&lt;strong&gt;&lt;span style="mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;Dictionary attacks&lt;/span&gt;&lt;/strong&gt;&lt;span style="mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;: Same concept as common      word attacks - the only difference is that the hacker now uses the full      dictionary of words. 
Again, there are hundreds of dictionaries available for free download from the Internet. Many of these dictionaries have been specifically constructed for the sole purpose of hacking passwords.&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;  &lt;h2&gt;&lt;span style="mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;When is a password secure?&lt;/span&gt;&lt;/h2&gt;  &lt;p&gt;The single most important thing you can do when creating a password, aside from not telling it to anyone, is to create it knowing how passwords are hacked, so that it makes the hacking process take longer; i.e. days, months or years. Knowing that a hacker will most likely be using an automated tool or script, you want to make the script take longer to run in the hope that the hacker will give up and move on to a more attractive target.&lt;/p&gt;  &lt;p&gt;The measure of a secure password depends on how many password guesses or requests can be made against it each second. The number varies, but most web applications cannot handle more than 100 sign-in requests per second. In other situations, especially if the hacker has gained access to a local network, literally thousands of requests can be generated each second.&lt;/p&gt;  &lt;p&gt;There are 94 printable ASCII characters on the keyboard (the printable characters are the upper and lower case letters, digits, punctuation marks, and miscellaneous symbols). 
That means each character in a password can have one of 94 possible values.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;So, in an 8-character password, there are 94&lt;sup&gt;8&lt;/sup&gt; ≈ 6.09568939 × 10&lt;sup&gt;15&lt;/sup&gt; possible combinations.&lt;/p&gt;  &lt;p&gt;Regardless of how many computers are used or how powerful they are, a password with that many possible combinations will be hard to break.&lt;/p&gt;  &lt;h2&gt;&lt;span style="mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;Making usable and secure passwords&lt;/span&gt;&lt;/h2&gt;  &lt;p&gt;Common guidelines for choosing good passwords are designed to make passwords less easily discovered by intelligent guessing:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;Password length should be around 12 to 14 characters if permitted, but in no case fewer than 8 characters&lt;/span&gt;.&lt;/li&gt;&lt;/ul&gt;  &lt;ul&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;Avoid any password based on repetition, dictionary words, names of any sort, letter or number sequences, usernames, or dates&lt;/span&gt;.&lt;/li&gt;&lt;/ul&gt;  &lt;ul style="font-style: italic;"&gt;&lt;li&gt;Include numbers and symbols in passwords.&lt;/li&gt;&lt;/ul&gt;  &lt;ul style="font-style: italic;"&gt;&lt;li&gt;Use capital and lower-case letters.&lt;/li&gt;&lt;/ul&gt;  &lt;ul&gt;&lt;li&gt;&lt;span style="font-style: italic;"&gt;Avoid using the same password for multiple sites or purposes&lt;/span&gt;. For example:&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;Construct a base password from some random pattern known only to you, then prepend the second letter of the website or application and append the first letter of the website or application. 
This way all you have to remember is the base 6-character password – but it becomes unique for each website or application by using a characteristic from the website or application.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-5255877305224143867?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/5255877305224143867/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=5255877305224143867' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/5255877305224143867'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/5255877305224143867'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2011/06/hackers-want-your-passwords.html' title='Hackers want your passwords'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-2305243961986719920</id><published>2011-06-22T09:43:00.004-04:00</published><updated>2011-06-22T09:50:19.029-04:00</updated><title type='text'>Cybercrime is generational</title><content type='html'>&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;o:officedocumentsettings&gt;   &lt;o:allowpng/&gt;  &lt;/o:OfficeDocumentSettings&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:worddocument&gt;   
&lt;w:view&gt;Normal&lt;/w:View&gt;   &lt;w:zoom&gt;0&lt;/w:Zoom&gt;   &lt;w:trackmoves/&gt;   &lt;w:trackformatting/&gt;   &lt;w:donotshowcomments/&gt;   &lt;w:donotshowpropertychanges/&gt;   &lt;w:punctuationkerning/&gt;   &lt;w:validateagainstschemas/&gt;   &lt;w:saveifxmlinvalid&gt;false&lt;/w:SaveIfXMLInvalid&gt;   &lt;w:ignoremixedcontent&gt;false&lt;/w:IgnoreMixedContent&gt;   &lt;w:alwaysshowplaceholdertext&gt;false&lt;/w:AlwaysShowPlaceholderText&gt;   &lt;w:donotpromoteqf/&gt;   &lt;w:lidthemeother&gt;EN-US&lt;/w:LidThemeOther&gt;   &lt;w:lidthemeasian&gt;X-NONE&lt;/w:LidThemeAsian&gt;   &lt;w:lidthemecomplexscript&gt;X-NONE&lt;/w:LidThemeComplexScript&gt;   &lt;w:compatibility&gt;    &lt;w:breakwrappedtables/&gt;    &lt;w:snaptogridincell/&gt;    &lt;w:wraptextwithpunct/&gt;    &lt;w:useasianbreakrules/&gt;    &lt;w:dontgrowautofit/&gt;    &lt;w:splitpgbreakandparamark/&gt;    &lt;w:enableopentypekerning/&gt;    &lt;w:dontflipmirrorindents/&gt;    &lt;w:overridetablestylehps/&gt;   &lt;/w:Compatibility&gt;   &lt;m:mathpr&gt;    &lt;m:mathfont val="Cambria Math"&gt;    &lt;m:brkbin val="before"&gt;    &lt;m:brkbinsub val="&amp;#45;-"&gt;    &lt;m:smallfrac val="off"&gt;    &lt;m:dispdef/&gt;    &lt;m:lmargin val="0"&gt;    &lt;m:rmargin val="0"&gt;    &lt;m:defjc val="centerGroup"&gt;    &lt;m:wrapindent val="1440"&gt;    &lt;m:intlim val="subSup"&gt;    &lt;m:narylim val="undOvr"&gt;   &lt;/m:mathPr&gt;&lt;/w:WordDocument&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:latentstyles deflockedstate="false" defunhidewhenused="true" defsemihidden="true" defqformat="false" defpriority="99" latentstylecount="267"&gt;   &lt;w:lsdexception locked="false" priority="0" semihidden="false" unhidewhenused="false" qformat="true" name="Normal"&gt;   &lt;w:lsdexception locked="false" priority="9" semihidden="false" unhidewhenused="false" qformat="true" name="heading 1"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" 
name="heading 2"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 3"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 4"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 5"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 6"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 7"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 8"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 9"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 1"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 2"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 3"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 4"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 5"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 6"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 7"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 8"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 9"&gt;   &lt;w:lsdexception locked="false" priority="35" qformat="true" name="caption"&gt;   &lt;w:lsdexception locked="false" priority="10" semihidden="false" unhidewhenused="false" qformat="true" name="Title"&gt;   &lt;w:lsdexception locked="false" priority="1" name="Default Paragraph Font"&gt;   &lt;w:lsdexception locked="false" priority="11" semihidden="false" unhidewhenused="false" qformat="true" name="Subtitle"&gt;   &lt;w:lsdexception locked="false" priority="22" semihidden="false" unhidewhenused="false" qformat="true" name="Strong"&gt;   &lt;w:lsdexception locked="false" priority="20" semihidden="false" unhidewhenused="false" qformat="true" name="Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="59" semihidden="false" unhidewhenused="false" name="Table 
Grid"&gt;   &lt;w:lsdexception locked="false" unhidewhenused="false" name="Placeholder Text"&gt;   &lt;w:lsdexception locked="false" priority="1" semihidden="false" unhidewhenused="false" qformat="true" name="No Spacing"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 1"&gt;   
&lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 1"&gt;   &lt;w:lsdexception locked="false" unhidewhenused="false" name="Revision"&gt;   &lt;w:lsdexception locked="false" priority="34" semihidden="false" unhidewhenused="false" qformat="true" name="List Paragraph"&gt;   &lt;w:lsdexception locked="false" priority="29" semihidden="false" unhidewhenused="false" qformat="true" name="Quote"&gt;   &lt;w:lsdexception locked="false" priority="30" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Quote"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 1"&gt;   &lt;w:lsdexception 
locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 3"&gt;   
&lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 
4"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" 
name="Medium Shading 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" 
unhidewhenused="false" name="Medium List 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="19" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="21" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="31" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Reference"&gt;   &lt;w:lsdexception locked="false" priority="32" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Reference"&gt;   &lt;w:lsdexception locked="false" priority="33" semihidden="false" unhidewhenused="false" qformat="true" name="Book Title"&gt;   &lt;w:lsdexception locked="false" priority="37" name="Bibliography"&gt;   &lt;w:lsdexception locked="false" priority="39" qformat="true" name="TOC Heading"&gt;  &lt;/w:LatentStyles&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 10]&gt; &lt;style&gt;  /* Style Definitions */  table.MsoNormalTable  {mso-style-name:"Table Normal";  mso-tstyle-rowband-size:0;  
mso-tstyle-colband-size:0;  mso-style-noshow:yes;  mso-style-priority:99;  mso-style-parent:"";  mso-padding-alt:0in 5.4pt 0in 5.4pt;  mso-para-margin:0in;  mso-para-margin-bottom:.0001pt;  mso-pagination:widow-orphan;  font-size:10.0pt;  font-family:"Arial","sans-serif";  mso-bidi-font-family:"Times New Roman";} &lt;/style&gt; &lt;![endif]--&gt;  &lt;p class="MsoNormal"&gt;The motivation behind cybercrime is ever evolving and has become generational. That means businesses must remain proactive in knowing their enemy. If you understand the methods and motivation of your enemy, you are more likely to mount a viable defense.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;The first generation&lt;/b&gt; of cybercriminals (early to late 1990’s) had a common theme: “I did it to prove that I could”. Notoriety and ego were the primary motivators. They also tended to be younger – often students.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;First generation cybercriminals focused on being disruptive and making their presence known by causing indiscriminate damage to any vulnerable computer on the Internet. Their first priority was to get noticed.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;The second generation&lt;/b&gt; of cybercriminals (early 200x’s) turned their attention to money, as in “Show me the money!” The focus, motivation and priority became profit. &lt;/p&gt;    &lt;p class="MsoNormal"&gt;Botnets (large networks of infected computers) became the preferred attack vector, allowing cybercriminals to generate millions of spam emails and execute distributed denial of service (DDoS) attacks. 
Interestingly, these cybercriminals did little to cover their tracks and evade detection.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;The third generation&lt;/b&gt; of cybercriminals (mid 200x’s) was marked by a higher level of sophistication, as the attackers became more organized and discreet. &lt;/p&gt;    &lt;p class="MsoNormal"&gt;Hacker groups evolved and began to operate like more traditional organized criminal enterprises. Similar to the previous generation, they had one motive: profit. The technology became secondary. For these criminals, cybercrime was just a means to an end – an easier way to extort and conduct fraud.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;This generation looked to target businesses handling large sums of money, particularly in the financial sector. &lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;The fourth generation&lt;/b&gt; of cybercriminals (late 200x’s to present) is marked by the development and sale of exploit kits and other hacking software. The rise of criminal-to-criminal activity distinguishes the fourth generation of cybercriminals. &lt;/p&gt;    &lt;p class="MsoNormal"&gt;As is characteristic of “organized crime”, cybercrime evolved into a robust and efficient underground, providing the opportunity for cybercriminals to buy and sell goods and services to each other. As vulnerabilities in software and networks were discovered, cybercriminals developed malware to exploit those vulnerabilities – often selling malware to others or taking their “cut” – even going so far as to “license” their malware.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Malware distribution services, such as IFRAMES.BIZ, evolved that were capable of pushing malware out to infect thousands of hosts. 
The sophistication of the malware enabled cybercriminals to quickly infect large numbers of computers, send spam, host illegitimate sites, steal sensitive information, execute DDoS attacks and conduct many other criminal activities.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Fourth generation cybercriminals are also characterized by identity theft; they brought the buying and selling of stolen identity data to a new level.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Social networks for cybercriminals also emerged, with sites providing reputational rankings of buyers, sellers and partners in the cybercrime marketplace. &lt;/p&gt;  &lt;p class="MsoNormal"&gt;As the cybercrime economy has matured, it has brought cybercriminals the benefits of specialization and distributed risk. Cybercriminals talented in finding new vulnerabilities and writing exploits can specialize in that area and easily support themselves by selling their exploits. &lt;/p&gt;    &lt;p class="MsoNormal"&gt;The same dynamic applies to malware authors, distributors, botnet owners and others in the cybercrime supply chain. Because of this specialization, the sophistication of cyber-attacks increased across the board. This specialization and distribution also enable cybercriminals to spread the risk of being caught.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;The current generation&lt;/b&gt; of cybercriminals continues to leverage the “power” of malware. &lt;/p&gt;  &lt;p class="MsoNormal"&gt;Cybercriminals are continuing to refine and fine-tune each element of the cybercrime supply chain. Today’s cybercriminals are more entrepreneurial and business-savvy than past generations. 
As a result, attacks continue to grow in sophistication and frequency.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Other evolving current generation threats include:&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;u&gt;Pay-Per-Install (PPI)&lt;/u&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;In these scams, a single PPI site may partner with thousands of “affiliates” who then distribute the malware. The affiliates are paid based on the number of malware installs they can generate – often thousands each month. The exponential factor can result in millions of infected systems every month.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;u&gt;APT: Advanced Persistent Threats&lt;/u&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;I blogged about APT recently: &lt;a style="color: rgb(102, 51, 255);" href="http://idpnow.blogspot.com/2011/06/apt-advanced-persistent-threat-what-is.html"&gt;http://idpnow.blogspot.com/2011/06/apt-advanced-persistent-threat-what-is.html&lt;/a&gt;. This focus has become much more prominent beginning in 2010 as a name or “label” for targeted attacks on specific organizations by determined, well-coordinated cybercriminals. &lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;u&gt;Productivity In Cyber Crime&lt;/u&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Automation is the name of the game. Just like legitimate businesses, cybercriminals look to do more with less. Automation enables cybercriminals to be more productive using malware authoring tools and scripting techniques. &lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;u&gt;Malware Tech Support&lt;/u&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;The trend in licensed malware has resulted in the commercialization of malware to the extent that some malware authors even offer technical support under the guise that what they do is for “research only.”&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Unfortunately, the legal consequences for selling malware are fuzzy. 
It is generally not illegal as long as the malware author does not use the malware himself to compromise another computer. Further, many of these malware authors operate from countries that effectively shield them from civil actions.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;What Can Businesses Do?&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;It goes without saying that the only constant is change. Cybercriminals will continue to change and evolve – both in their motivations and in the increasingly sophisticated techniques they use.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Businesses can best defend themselves by:&lt;/p&gt;    &lt;ul&gt;&lt;li&gt;Conducting ongoing, comprehensive information security risk assessments. Risk awareness, risk assessment and risk mitigation should form the basis from which businesses develop their cyber defenses. IDP has experience and proven methodologies to assist businesses with this important first step.&lt;/li&gt;&lt;/ul&gt;  &lt;ul&gt;&lt;li&gt;Investing in security products based on how well they support the risk-based information security policy. Simply throwing hardware and software at the problem is not the answer. Investments in this area need to be strategically and thoughtfully deployed. 
Security investments need to be based on policy, with organizational (upper management – board level) acceptance.&lt;/li&gt;&lt;/ul&gt;  &lt;ul&gt;&lt;li&gt;Engaging an in-house or strategic security partner. This is essential to staying ahead of the cybercriminals’ curve.&lt;/li&gt;&lt;/ul&gt;  &lt;ul&gt;&lt;li&gt;Deploying real-time monitoring and threat detection / prevention capabilities. This can be accomplished in-house or through a trusted third party who specializes in this area.&lt;/li&gt;&lt;/ul&gt;  &lt;ul&gt;&lt;li&gt;Establishing a threat intelligence capability to monitor existing trends and emerging threats that could impact your business. 
Many businesses participate with or establish relationships with peers, industry groups, government agencies and vendors as trusted sources.&lt;/li&gt;&lt;/ul&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/2305243961986719920/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=2305243961986719920' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/2305243961986719920'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/2305243961986719920'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2011/06/cybercrime-is-generational.html' title='Cybercrime is generational'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-5203518176026918417</id><published>2011-06-17T09:04:00.011-04:00</published><updated>2011-06-17T09:17:40.364-04:00</updated><title type='text'>Privacy Rights Clearinghouse - See how pervasive cyber attacks really are.</title><content type='html'>&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:worddocument&gt;   
&lt;/w:WordDocument&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 10]&gt; &lt;style&gt;  /* Style Definitions */  table.MsoNormalTable  {mso-style-name:"Table Normal";  mso-tstyle-rowband-size:0;  
mso-tstyle-colband-size:0;  mso-style-noshow:yes;  mso-style-priority:99;  mso-style-parent:"";  mso-padding-alt:0in 5.4pt 0in 5.4pt;  mso-para-margin:0in;  mso-para-margin-bottom:.0001pt;  mso-pagination:widow-orphan;  font-size:10.0pt;  font-family:"Arial","sans-serif";  mso-bidi-font-family:"Times New Roman";} &lt;/style&gt; &lt;![endif]--&gt;  &lt;p class="MsoNormal"&gt;Lately, it seems like every day there is a new disclosure by a well-known company that has had its network compromised – and client data stolen. Just yesterday, the WSJ had an article about ADP being the latest victim. Add their name to Citigroup, Sony, RSA, the CIA and Lockheed Martin and you get the sense that this is just the tip of the iceberg. How many other successful exploits have taken place that were not publicized or occurred below the radar?&lt;/p&gt;  &lt;p class="MsoNormal"&gt;I found an interesting site that is worth looking at: Privacy Rights Clearinghouse. 
Specifically, &lt;a style="color: rgb(51, 102, 255);" href="http://www.privacyrights.org/data-breach/new"&gt;http://www.privacyrights.org/data-breach/new&lt;/a&gt; provides a great menu-based approach to seeing just how many exploits have actually taken place, and you can slice and dice the information in a variety of ways:&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-kJFv-tXNv-0/TftRoTaJj9I/AAAAAAAAcC0/tlgASxkx-nI/s1600/ScreenHunter_2.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 266px;" src="http://4.bp.blogspot.com/-kJFv-tXNv-0/TftRoTaJj9I/AAAAAAAAcC0/tlgASxkx-nI/s400/ScreenHunter_2.gif" alt="" id="BLOGGER_PHOTO_ID_5619174712921395154" border="0" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p class="MsoNormal"&gt;Selecting all the boxes resulted in a 531-page report that looks like this:&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-2nm_Plwc_1M/TftR3UE6_sI/AAAAAAAAcC8/s-Q95pdkNaI/s1600/ScreenHunter_3.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 137px;" src="http://1.bp.blogspot.com/-2nm_Plwc_1M/TftR3UE6_sI/AAAAAAAAcC8/s-Q95pdkNaI/s400/ScreenHunter_3.gif" alt="" id="BLOGGER_PHOTO_ID_5619174970798833346" border="0" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p class="MsoNormal"&gt;As you can see, malicious attacks are pervasive and their frequency, sophistication and success just keep growing as businesses of all sizes try to defend their digital assets. &lt;/p&gt;  &lt;p class="MsoNormal"&gt;It all starts with governance, best practices, awareness and training. 
If  businesses would focus on these areas, fully 80% of what the bad guys  are doing could be stopped. The time is now.&lt;/p&gt;</content><link rel='related' href='http://www.privacyrights.org/data-breach/new' title='Privacy Rights Clearinghouse - See how pervasive cyber attacks really are.'/><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/5203518176026918417/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=5203518176026918417' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/5203518176026918417'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/5203518176026918417'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2011/06/privacy-rights-clearinghouse-see-how.html' title='Privacy Rights Clearinghouse - See how pervasive cyber attacks really are.'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-kJFv-tXNv-0/TftRoTaJj9I/AAAAAAAAcC0/tlgASxkx-nI/s72-c/ScreenHunter_2.gif' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-4495908498296550216</id><published>2011-06-16T09:46:00.003-04:00</published><updated>2011-06-16T09:48:35.987-04:00</updated><title type='text'>Citi says 360,000 accounts hacked in May cyber attack</title><content type='html'>I had no sooner posted the previous blog than I saw this. Citigroup has some serious issues.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://news.yahoo.com/s/nm/20110616/bs_nm/us_citigroup_hacking"&gt;http://news.yahoo.com/s/nm/20110616/bs_nm/us_citigroup_hacking&lt;/a&gt;</content><link rel='related' href='http://news.yahoo.com/s/nm/20110616/bs_nm/us_citigroup_hacking' title='Citi says 360,000 accounts hacked in May cyber attack'/><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/4495908498296550216/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=4495908498296550216' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/4495908498296550216'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/4495908498296550216'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2011/06/citi-says-360000-accounts-hacked-in-may.html' title='Citi says 360,000 accounts hacked in May cyber attack'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' 
src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-5614100762434651687</id><published>2011-06-16T09:19:00.001-04:00</published><updated>2011-06-16T09:21:08.915-04:00</updated><title type='text'>Citigroup Left The Barn Door Open</title><content type='html'>A data breach at Citigroup may have compromised the personal information of more than 200,000 of the bank's credit card customers.    &lt;p class="MsoNormal"&gt;"During routine monitoring, we recently discovered unauthorized access to Citi’s Account Online," a company spokesman, Sean Kevelighan, explained in a statement on June 9.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Citi is no stranger to embarrassing disclosures of its customers' personal information. In February, it mailed about 600,000 of its customers' tax documents with their social security numbers printed on the outside of the envelope.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Last week I blogged about the “80 / 20” rule and how 80 percent of cyber intrusions and exploits can be prevented by "best practices". &lt;/p&gt;    &lt;p class="MsoNormal"&gt;The recent Citigroup attack seems to fall into the 80% category. News reports have said that Citigroup was exploited by "sophisticated" attacks. 
But security experts say that at least by today's standards, most of these attacks were far from advanced, except perhaps in their simplicity.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;To begin with, statistically speaking, very few attacks pass the sophistication threshold. According to the 2011 Data Breach Investigations Report from Verizon, "only 8% of data breaches represented a 'high' attack difficulty," said Rob Rachwald, director of security strategy for Imperva, in a blog post.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Citigroup seems to have fallen victim to basic URL hacking – which is far from sophisticated. &lt;/p&gt;  &lt;p class="MsoNormal"&gt;Attackers "leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser's address bar," an unnamed security expert told The New York Times.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;In other words, attackers took advantage of the fact that the Citi Card website failed to hide actual account numbers in the URL string. "It would have been hard to prepare for this type of vulnerability," said the security expert, who's familiar with the investigation. &lt;/p&gt;    &lt;p class="MsoNormal"&gt;In fact, it would have been easy to prepare for this type of vulnerability, known as "Insecure Direct Object References," which is so widespread that it ranks as the fourth most dangerous vulnerability on the Open Web Application Security Project top 10 list of Web application vulnerabilities.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Perhaps Citigroup's developers and automated code-scanning tools failed to spot the use of real account-related information in URL strings. 
But that's where penetration testing is supposed to fill in, and it's obvious from numerous recent breaches, involving Citigroup, Sony, and others, that "pen testing" wasn't employed.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;"When you look at how the breaches are occurring, it's like penetration testing 101. Ethical hackers are taught to test computer security on the good guy side," Alex Cox, principal research analyst at NetWitness, said in an interview last month.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;"So, a lot of times people aren't applying the idea of, let's hire someone to break in and see if he can do something realistically. But if you've got a good pen-test team, that's a really good way to understand where your vulnerabilities are," he said.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Or, to reverse Cox's advice, by not conducting penetration testing on their Web applications, businesses won't know where all of their vulnerabilities are, and thus won't be prepared to repel attackers. Which, like recent attacks, doesn't seem very sophisticated.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;In summary, an analogy seems appropriate.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Tom: How’s your health?&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Henry: Fine.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Tom: How do you know? &lt;/p&gt;  &lt;p class="MsoNormal"&gt;Henry: Because I feel fine and I don’t think I have any issues.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Tom: Have you been to a doctor recently for a checkup?&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Henry: No.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Tom: Then how can you really be sure how healthy you are?&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Well, the same goes for Citigroup. 
They might have thought their online system was healthy, but without having made the effort to get it checked they really didn’t know – and in this case they weren’t very healthy.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/5614100762434651687/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=5614100762434651687' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/5614100762434651687'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/5614100762434651687'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2011/06/citigroup-left-barn-door-open.html' title='Citigroup Left The Barn Door Open'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-2968383622519736995</id><published>2011-06-14T12:21:00.002-04:00</published><updated>2011-06-14T13:22:21.524-04:00</updated><title type='text'>APT - Advanced Persistent Threat - What is it?</title><content type='html'>&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:latentstyles deflockedstate="false" defunhidewhenused="true" defsemihidden="true" defqformat="false" defpriority="99" latentstylecount="267"&gt;   &lt;w:lsdexception 
locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 3"&gt;   
&lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 
4"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" 
name="Medium Shading 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" 
unhidewhenused="false" name="Medium List 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="19" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="21" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="31" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Reference"&gt;   &lt;w:lsdexception locked="false" priority="32" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Reference"&gt;   &lt;w:lsdexception locked="false" priority="33" semihidden="false" unhidewhenused="false" qformat="true" name="Book Title"&gt;   &lt;w:lsdexception locked="false" priority="37" name="Bibliography"&gt;   &lt;w:lsdexception locked="false" priority="39" qformat="true" name="TOC Heading"&gt;  &lt;/w:LatentStyles&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 10]&gt; &lt;style&gt;  /* Style Definitions */  table.MsoNormalTable  {mso-style-name:"Table Normal";  mso-tstyle-rowband-size:0;  
mso-tstyle-colband-size:0;  mso-style-noshow:yes;  mso-style-priority:99;  mso-style-parent:"";  mso-padding-alt:0in 5.4pt 0in 5.4pt;  mso-para-margin:0in;  mso-para-margin-bottom:.0001pt;  mso-pagination:widow-orphan;  font-size:10.0pt;  font-family:"Arial","sans-serif";  mso-bidi-font-family:"Times New Roman";} &lt;/style&gt; &lt;![endif]--&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;a name="_GoBack"&gt;&lt;/a&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt;APT - Advanced Persistent Threat - What is it?&lt;/span&gt;&lt;/b&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt;The term was actually coined by the US Air Force in 2006 as a way to communicate with counterparts in the unclassified public world. If the USAF wanted to talk about a certain intrusion or attack with uncleared personnel, they could not use the classified threat name, so they choose APT as a common moniker that could apply to all such situations.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt;What is important when referring to an APT is that is references a specific threat from specific sources. 
It is not meant as a catchall description for some vague or unknown cyber-attack.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt;Heretofore, APT was most frequently applied to specific groups operating in the Asia-Pacific region, but there is considerable discussion as to whether adversaries in Eastern Europe who use the same tools, tactics, and procedures as traditional APT should also have the APT label.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt;In the commercial sector, an IT security professional usually does not make the distinction or really care where the threat originates; he or she will take the same defensive actions regardless of the source or nationality of the adversary.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt;APT entered the common lexicon in early 2010 when Google announced its intellectual property had been the victim of a targeted attack originating from China. Although Google was far from the only victim, the company’s visibility and its high-profile public disclosure put a new face on these types of attacks and the lengths to which attackers would go to gain access to proprietary corporate and military information. 
&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt;As for a definition, APT means:&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span style="font-size:12.0pt;font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;Advanced&lt;/span&gt;&lt;/b&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt; means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target’s posture. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span style="font-size:12.0pt;font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;Persistent&lt;/span&gt;&lt;/b&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt; means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit, they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. 
Rather, they maintain the level of interaction needed to execute their objectives. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span style="font-size:12.0pt;font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;Threat&lt;/span&gt;&lt;/b&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt; means the adversary is not a piece of mindless code. The opposition is a threat because it is organized, funded and motivated. Some people speak of multiple “groups” consisting of dedicated “crews” with various missions. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt;In brief, APT is an adversary who conducts offensive digital operations (called computer network operations or perhaps computer network exploitation) to support various state-related objectives. &lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt;APT is characterized by devotion to maintaining some degree of control of a target’s computer infrastructure, acting persistently to preserve or regain control and access. 
Unclassified briefings by counter-intelligence and military analysts use the term “aggressive” to emphasize the degree to which APT pursues these objectives against a variety of government, military, and private targets.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt;IS APT NEW?&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt;When the Google attack entered the public arena, many people wondered if APT was something new. The answer to this question depends on one’s perspective and an understanding of some history. As mentioned earlier, the term APT is approximately 4 years old.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto; mso-layout-grid-align:none;text-autospace:none"&gt;&lt;i&gt;&lt;span style="font-size:12.0pt; mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;;mso-bidi-font-family:Arial"&gt;Richard Bejtlich,&lt;/span&gt;&lt;/i&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt; founder of TaoSecurity and director of incident response for General Electric, describes APT activity in terms of offender, defender, means, motive, and opportunity.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New 
Roman&amp;quot;"&gt;He breaks APT targets into four phases:&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;"&gt;1) late 1990s — military victims;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;"&gt;2) 2000-2004 — non-military government victims;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;"&gt;3) 2005-2009 — defense industrial base;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;"&gt;4) 2009-present — intellectual property-rich targets and software companies.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt;He points out that analysts currently assess APT activities as supporting four main goals.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:Symbol;mso-fareast-font-family:Symbol"&gt;·&lt;/span&gt;&lt;span style="font-size:7.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: Symbol"&gt; &lt;/span&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;Political objectives such as maintaining internal stability.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span 
style="font-size:12.0pt;font-family:Symbol;mso-fareast-font-family:Symbol"&gt;·&lt;/span&gt;&lt;span style="font-size:7.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: Symbol"&gt; &lt;/span&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;Economic objectives that rely on stealing intellectual property from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:Symbol;mso-fareast-font-family:Symbol"&gt;·&lt;/span&gt;&lt;span style="font-size:7.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: Symbol"&gt; &lt;/span&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them. 
Most worrying is the thought that intruders could make changes to improve their position and weaken the victim.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:Symbol;mso-fareast-font-family:Symbol"&gt;·&lt;/span&gt;&lt;span style="font-size:7.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: Symbol"&gt; &lt;/span&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family:&amp;quot;Times New Roman&amp;quot;"&gt;Military objectives that include identifying weaknesses that allow inferior military forces to defeat superior military forces.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt;WHAT SHOULD DEFENDERS DO TO COUNTER APT?&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt;The most effective counter-APT weapon is a trained and knowledgeable information security analyst. 
Tools are always helpful, but the best advice is to educate business leaders about the threat so that they support organizational security programs conducted by competent and informed staff.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"&gt;&lt;span style="font-size:12.0pt;font-family:&amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;mso-fareast-font-family: &amp;quot;Times New Roman&amp;quot;"&gt;On a technical level, building visibility into one’s organization will provide the situational awareness needed to have a chance of discovering, and hopefully frustrating, APT activities. &lt;/span&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/2968383622519736995/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=2968383622519736995' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/2968383622519736995'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/2968383622519736995'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2011/06/apt-advanced-persistent-threat-what-is.html' title='APT - Advanced Persistent Threat - What is it?'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' 
src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-3773494331183576705</id><published>2011-06-13T10:44:00.002-04:00</published><updated>2011-06-13T11:03:49.390-04:00</updated><title type='text'>The Disconnect Between Security &amp; The Business</title><content type='html'>&lt;p class="MsoNormal"&gt; Saw an interesting item this morning and decided to re-tweet it as well as include it in my blog. (&lt;a href="http://jadedsecurity.net/2011/06/07/the-disconnect-between-security-the-business/"&gt;http://jadedsecurity.net/2011/06/07/the-disconnect-between-security-the-business/&lt;/a&gt;) Yes, there is a disconnect between security and “the business” and I believe it is the primary driver for so many successful exploitations. What many businesses don’t yet fully grasp is that security is a business mandate, not an IT function. Security needs to be driven from the top down and not delegated to the “guys down in IT”. As the article says, “The new buzzword of the times is GRC (Governance, Risk, Compliance)…..”. Certainly, IT has an important role, but IT is not the driver. Governance, risk and compliance starts at the top. 
If businesses really want to reduce information security risk, they need to have processes and procedures in place that are driven by governance mandates where risk is assessed and ultimately mitigated by compliance with the processes and procedures. It’s not inexpensive, but it is surely less expensive than a breach and all the associated costs. &lt;/p&gt;</content><link rel='related' href='http://jadedsecurity.net/2011/06/07/the-disconnect-between-security-the-business/' title='The Disconnect Between Security &amp; The Business'/><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/3773494331183576705/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=3773494331183576705' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/3773494331183576705'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/3773494331183576705'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2011/06/disconnect-between-security-business.html' title='The Disconnect Between Security &amp; The Business'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' 
src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-502944428380322303</id><published>2011-06-10T09:45:00.002-04:00</published><updated>2011-06-10T09:54:41.420-04:00</updated><title type='text'>The Old 80 - 20 Rule</title><content type='html'>Attended the ISSA-Baltimore chapter's second InfoSec Summit yesterday in Laurel, Md. The keynote speaker was Dr. Ron Ross, computer scientist at the National Institute of Standards and Technology (NIST). He had an interesting observation that 80 percent of cyber intrusions and exploits can be prevented by "best practices". Best practices might be defined differently depending on who you ask, but at the end of the day it’s the simple stuff - firewalls, good authentication, adherence to processes and policies, patch management, training, etc. Would your business pass the 80 – 20 test? In my experience most don’t, but I can show you how.</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/502944428380322303/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=502944428380322303' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/502944428380322303'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/502944428380322303'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2011/06/old-80-20-rule.html' title='The Old 80 - 20 Rule'/><author><name>Jerry 
Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-3583773743844974276</id><published>2010-02-16T11:03:00.003-05:00</published><updated>2010-02-16T11:15:25.898-05:00</updated><title type='text'></title><content type='html'>&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:latentstyles deflockedstate="false" defunhidewhenused="true" defsemihidden="true" defqformat="false" defpriority="99" latentstylecount="267"&gt;   &lt;w:lsdexception locked="false" priority="73" 
semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 6"&gt;   &lt;w:lsdexception 
locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="19" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="21" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="31" semihidden="false" unhidewhenused="false" qformat="true" 
name="Subtle Reference"&gt;   &lt;w:lsdexception locked="false" priority="32" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Reference"&gt;   &lt;w:lsdexception locked="false" priority="33" semihidden="false" unhidewhenused="false" qformat="true" name="Book Title"&gt;   &lt;w:lsdexception locked="false" priority="37" name="Bibliography"&gt;   &lt;w:lsdexception locked="false" priority="39" qformat="true" name="TOC Heading"&gt;  &lt;/w:LatentStyles&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;style&gt; &lt;!--  /* Font Definitions */  @font-face  {font-family:"Cambria Math";  panose-1:2 4 5 3 5 4 6 3 2 4;  mso-font-charset:0;  mso-generic-font-family:roman;  mso-font-pitch:variable;  mso-font-signature:-1610611985 1107304683 0 0 415 0;} @font-face  {font-family:Georgia;  panose-1:2 4 5 2 5 4 5 2 3 3;  mso-font-charset:0;  mso-generic-font-family:roman;  mso-font-pitch:variable;  mso-font-signature:647 0 0 0 159 0;}  /* Style Definitions */  p.MsoNormal, li.MsoNormal, div.MsoNormal  {mso-style-unhide:no;  mso-style-qformat:yes;  mso-style-parent:"";  margin:0in;  margin-bottom:.0001pt;  mso-pagination:none;  mso-line-break-override:restrictions;  font-size:12.0pt;  font-family:"Times New Roman","serif";  mso-fareast-font-family:"Times New Roman";  mso-fareast-theme-font:minor-fareast;} a:link, span.MsoHyperlink  {mso-style-priority:99;  color:blue;  mso-themecolor:hyperlink;  text-decoration:underline;  text-underline:single;} a:visited, span.MsoHyperlinkFollowed  {mso-style-noshow:yes;  mso-style-priority:99;  color:purple;  mso-themecolor:followedhyperlink;  text-decoration:underline;  text-underline:single;} p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph  {mso-style-priority:34;  mso-style-unhide:no;  mso-style-qformat:yes;  margin-top:0in;  margin-right:0in;  margin-bottom:0in;  margin-left:.5in;  margin-bottom:.0001pt;  mso-add-space:auto;  mso-pagination:none;  mso-line-break-override:restrictions;  font-size:12.0pt;  
font-family:"Times New Roman","serif";  mso-fareast-font-family:"Times New Roman";  mso-fareast-theme-font:minor-fareast;} p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst  {mso-style-priority:34;  mso-style-unhide:no;  mso-style-qformat:yes;  mso-style-type:export-only;  margin-top:0in;  margin-right:0in;  margin-bottom:0in;  margin-left:.5in;  margin-bottom:.0001pt;  mso-add-space:auto;  mso-pagination:none;  mso-line-break-override:restrictions;  font-size:12.0pt;  font-family:"Times New Roman","serif";  mso-fareast-font-family:"Times New Roman";  mso-fareast-theme-font:minor-fareast;} p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle  {mso-style-priority:34;  mso-style-unhide:no;  mso-style-qformat:yes;  mso-style-type:export-only;  margin-top:0in;  margin-right:0in;  margin-bottom:0in;  margin-left:.5in;  margin-bottom:.0001pt;  mso-add-space:auto;  mso-pagination:none;  mso-line-break-override:restrictions;  font-size:12.0pt;  font-family:"Times New Roman","serif";  mso-fareast-font-family:"Times New Roman";  mso-fareast-theme-font:minor-fareast;} p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast  {mso-style-priority:34;  mso-style-unhide:no;  mso-style-qformat:yes;  mso-style-type:export-only;  margin-top:0in;  margin-right:0in;  margin-bottom:0in;  margin-left:.5in;  margin-bottom:.0001pt;  mso-add-space:auto;  mso-pagination:none;  mso-line-break-override:restrictions;  font-size:12.0pt;  font-family:"Times New Roman","serif";  mso-fareast-font-family:"Times New Roman";  mso-fareast-theme-font:minor-fareast;} .MsoChpDefault  {mso-style-type:export-only;  mso-default-props:yes;  mso-ascii-font-family:Calibri;  mso-ascii-theme-font:minor-latin;  mso-fareast-font-family:"Times New Roman";  mso-fareast-theme-font:minor-fareast;  mso-hansi-font-family:Calibri;  mso-hansi-theme-font:minor-latin;  mso-bidi-font-family:"Times New Roman";  
mso-bidi-theme-font:minor-bidi;} .MsoPapDefault  {mso-style-type:export-only;  margin-bottom:10.0pt;  line-height:115%;} @page Section1  {size:8.5in 11.0in;  margin:16.05pt 50.5pt 4.25pt 53.5pt;  mso-header-margin:1.4pt;  mso-footer-margin:0in;  mso-paper-source:0;} div.Section1  {page:Section1;} @page Section2  {size:8.5in 11.0in;  margin:16.05pt 51.5pt 4.25pt 52.5pt;  mso-header-margin:1.4pt;  mso-footer-margin:0in;  mso-paper-source:0;} div.Section2  {page:Section2;}  /* List Definitions */  @list l0  {mso-list-id:491457367;  mso-list-type:hybrid;  mso-list-template-ids:2129587694 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;} @list l0:level1  {mso-level-tab-stop:none;  mso-level-number-position:left;  text-indent:-.25in;} @list l1  {mso-list-id:1126432915;  mso-list-type:hybrid;  mso-list-template-ids:-843387442 1580257964 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;} @list l1:level1  {mso-level-tab-stop:none;  mso-level-number-position:left;  margin-left:.65in;  text-indent:-.25in;} @list l1:level2  {mso-level-number-format:alpha-lower;  mso-level-tab-stop:none;  mso-level-number-position:left;  margin-left:1.15in;  text-indent:-.25in;} ol  {margin-bottom:0in;} ul  {margin-bottom:0in;} --&gt; &lt;/style&gt;&lt;!--[if gte mso 10]&gt; &lt;style&gt;  /* Style Definitions */  table.MsoNormalTable  {mso-style-name:"Table Normal";  mso-tstyle-rowband-size:0;  mso-tstyle-colband-size:0;  mso-style-noshow:yes;  mso-style-priority:99;  mso-style-qformat:yes;  mso-style-parent:"";  mso-padding-alt:0in 5.4pt 0in 5.4pt;  mso-para-margin-top:0in;  mso-para-margin-right:0in;  mso-para-margin-bottom:10.0pt;  mso-para-margin-left:0in;  line-height:115%;  mso-pagination:widow-orphan;  font-size:11.0pt;  font-family:"Calibri","sans-serif";  mso-ascii-font-family:Calibri;  mso-ascii-theme-font:minor-latin;  mso-hansi-font-family:Calibri;  mso-hansi-theme-font:minor-latin;  mso-bidi-font-family:"Times New Roman";  
mso-bidi-theme-font:minor-bidi;} &lt;/style&gt; &lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;o:shapedefaults ext="edit" spidmax="2049"&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;o:shapelayout ext="edit"&gt;   &lt;o:idmap ext="edit" data="1"&gt;  &lt;/o:shapelayout&gt;&lt;/xml&gt;&lt;![endif]--&gt;  &lt;div class="Section1"&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;span style="font-size: 24pt; font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;;"&gt;Chip and PIN: The technology is no&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-bottom: 9pt;"&gt;&lt;b&gt;&lt;span style="font-size: 24pt; font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;;"&gt;longer secure&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;Date&lt;/span&gt;&lt;/b&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;: February 16th, 2010&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="line-height: 86%;"&gt;&lt;b&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;Author&lt;/span&gt;&lt;/b&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;: Michael Kassner&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal" style="line-height: 86%;"&gt;&lt;br /&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="line-height: 86%;"&gt;&lt;!--[if gte vml 1]&gt;&lt;v:line id="_x0000_s1026" style="'position:absolute;z-index:251659264;mso-wrap-distance-left:0;" from="53.8pt,115.5pt" 
to="423.7pt,115.5pt" allowincell="f" strokeweight=".95pt"&gt;  &lt;v:stroke dashstyle="3 1"&gt;  &lt;w:wrap type="square" anchorx="page" anchory="page"&gt; &lt;/v:line&gt;&lt;![endif]--&gt;&lt;!--[if !vml]--&gt;&lt;img src="file:///d:/Temp/msohtmlclip1/01/clip_image001.gif" shapes="_x0000_s1026" align="left" height="2" width="495" /&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-right: 0.4in;"&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.5pt;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;&lt;p class="MsoNormal" style="margin-right: 0.4in;"&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.5pt;"&gt;Chip and PIN transaction systems were thought to be secure. The only way to bypass the &lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;technology required a stolen card and knowing the PIN. 
That is no longer the case.&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;&lt;p class="MsoNormal" style="margin-right: 0.4in;"&gt;&lt;br /&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-right: 0.4in;"&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-right: 0.4in;"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.5pt;"&gt;I first learned about Chip and PIN Security when writing a piece about &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.35pt;"&gt;counterfeit credit/debit cards. The point of the article was to shed light on how cybercriminals &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.45pt;"&gt;steal financial information and ultimately our money. I presented a technology called &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.5pt;"&gt;MagnePrint as one possible solution. 
Several TechRepublic members mentioned another &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;technology that they thought was better, called &lt;i&gt;chip and PIN&lt;/i&gt;.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-right: 0.4in;"&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;b&gt;&lt;span style="font-size: 18pt; font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;Chip and PIN Security&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 12.6pt 0.05in 0.0001pt 0in;"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.5pt;"&gt;Chip and PIN systems were created to prevent skimming. Replacing the magnetic stripe with an &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.35pt;"&gt;embedded microchip supposedly eliminates that possibility. In fact, many consider chip and &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.4pt;"&gt;PIN security a strong form of two-factor authentication. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-right: 0.05in;"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.45pt;"&gt;Several members also mentioned that chip and PIN technology is prevalent in Europe, which is why &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;cybercriminals are more focused on stealing credit/debit card information in the United States. &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.1pt;"&gt;This article goes so far as to say that adoption of Chip and PIN technology in the United &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;States is inevitable for that very reason.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-top: 0.15in; line-height: 87%;"&gt;&lt;b&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;;"&gt;How it works&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-top: 0.15in;"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;Customers do not see much difference when using a chipped card. 
It works like this:&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style=""&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpFirst" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;&lt;span style=""&gt;1.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;       &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.15pt;"&gt;At the checkout counter, a customer places his or her card in a PIN &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;Entry Device (PED).&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;&lt;span style=""&gt;2.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;      &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;The PED accesses the chip on the card.&lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;&lt;span style=""&gt;3.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;      &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: 
&amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.35pt;"&gt;The card is then verified by the financial institution providing the card.&lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;&lt;span style=""&gt;4.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;      &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;Once the card is proven authentic, the customer enters the PIN.&lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;&lt;span style=""&gt;5.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;      &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;The PED verifies that the entered PIN matches the PIN cached on the chip.&lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpLast" style="text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: 
-0.3pt;"&gt;&lt;span style=""&gt;6.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;      &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;If it is a match, the transaction goes through.&lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-left: 0.4in;"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-top: 9pt;"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;So, what’s the problem? Quite simply, it’s the cost. The article mentions that:&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-top: 12.6pt; text-align: justify;"&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.15pt;"&gt;“The card issuers cite the enormous cost of rolling out chip and PIN technology, estimated to &lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;be around $5.5 billion, and they rest safe in the knowledge that it is the merchants in the U.S., &lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;and not the card issuers, who are responsible for the financial costs of credit card fraud.”&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-top: 12.6pt;"&gt;&lt;b&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: 
-0.2pt;"&gt;Not quite perfect&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 0.15in 0.1in 0.0001pt 0in;"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.15pt;"&gt;I have been studying chip and PIN technology for a while now. It obviously makes it more &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;difficult to obtain a person’s financial information. But it’s not perfect. My first inkling of this &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;came from watching the BBC news report Chip and PIN ‘security risk’.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 12.6pt 0.3in 0.0001pt 0in;"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;Basically, the PED hardware is compromised, allowing the criminal to obtain the card’s &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;financial information and PIN digitally. For whatever reason, the transaction traffic to and &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.35pt;"&gt;from the PED was not encrypted. 
Still, the PED has to be physically altered for this attack to &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;work, making it a risky endeavor.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-top: 0.2in; line-height: 86%;"&gt;&lt;b&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;;"&gt;New flaw&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 0.15in 0.1in 0.0001pt 0in;"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;The same University of Cambridge research team that uncovered the PED hardware flaw &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.45pt;"&gt;recently discovered a new problem with chip and PIN technology. Professor Ross Anderson, a &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;member of the team, points out the seriousness:&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-top: 12.6pt;"&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;“We think this is one of the biggest flaws that we’ve uncovered - that has ever been uncovered - against payment systems, and I’ve been in this business for 25 years.”&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 9pt 0.1in 0.0001pt 0in;"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.35pt;"&gt;Susan Watts of the BBC presented a documentary (&lt;a 
href="http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html"&gt;http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html&lt;/a&gt;) about the research called New flaws in chip and PIN systems revealed. Unbelievably, a transaction can be completed without knowing the &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;PIN. To explain, let’s step through the attack process:&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style=""&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpFirst" style="margin-left: 0.65in; text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;&lt;span style=""&gt;1.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;       &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;The attacker obtains a stolen credit/debit card.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="margin-left: 0.65in; text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;&lt;span style=""&gt;2.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;      &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.4pt;"&gt;Next, the stolen card is inserted into the attacker’s card reader which is connected to a &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;;"&gt;notebook.&lt;span style="letter-spacing: 
-0.2pt;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="margin-left: 1.15in; text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;&lt;span style=""&gt;a.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;      &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.35pt;"&gt;Also connected to the notebook is some hardware that interfaces with a fake card via a &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;;"&gt;cable.&lt;span style="letter-spacing: -0.2pt;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="margin-left: 0.65in; text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;&lt;span style=""&gt;3.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;      &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;The criminal starts the payment process by inserting the fake card into the store’s PED.&lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="margin-left: 0.65in; text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;&lt;span style=""&gt;4.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;      
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;The PED accesses the chip to verify the card’s authenticity.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="margin-left: 0.65in; text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;&lt;span style=""&gt;5.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;      &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;Next, the PED asks the attacker for the PIN via the display screen.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpMiddle" style="margin-left: 0.65in; text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;&lt;span style=""&gt;6.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;      &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;The criminal enters any 4 numbers; it doesn’t matter which.&lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoListParagraphCxSpLast" style="margin-left: 0.65in; text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;&lt;span style=""&gt;7.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;      
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.45pt;"&gt;The software/hardware developed by the researchers then somehow fools the PED into &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;believing the correct PIN was entered and a signature authorized the purchase.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 0in 0.25in 0.0001pt 0.4in;"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;;"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 9pt 0.1in 0.0001pt 0in;"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;If you get a chance, watch the video in the documentary. It shows a simulated transaction, and &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.05pt;"&gt;the Cambridge researchers explain how they accomplished the attack. 
The following &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.35pt;"&gt;illustration and picture depict the equipment used to implement the attack (courtesy of the &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;University of Cambridge research team): &lt;a href="http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html"&gt;http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html&lt;/a&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-right: 0.3in;"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.45pt;"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-right: 0.3in;"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.45pt;"&gt;If I understand correctly, the PIN exchange only involves the card’s chip and the PEN. That &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;information was leveraged by the researchers to create a Man-in-the-Middle attack. 
The &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;research team’s paper Chip and PIN is broken (pdf) mentions:&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-top: 9pt;"&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;“A man-in-the-middle device, which can intercept and modify the communications between &lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.45pt;"&gt;card and terminal (PEN), can trick the terminal into believing that PIN verification succeeded &lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;without actually sending the PIN to the card.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 12.6pt 0.1in 0.0001pt 0in;"&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;A dummy PIN must be entered, but the attack allows anyone to be accepted. The card will then believe that the terminal did not support PIN verification, and has either skipped &lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;cardholder verification or used a signature instead. 
Because the dummy PIN is never sent to &lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;the card, the PIN retry counter is not altered.”&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-top: 12.6pt; line-height: 88%;"&gt;&lt;b&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;;"&gt;What’s next&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 0.15in 0.15in 0.0001pt 0in;"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;One of the reasons I have been following chip and PIN technology, is to see if and when it will be adopted in the United States. I asked Professor Anderson about this and his response was:&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;/div&gt;  &lt;span style="font-size: 12pt; font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;"&gt;&lt;/span&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;&lt;br /&gt;“I’ll be talking about EMV (chip and PIN standard) at the Federal Reserve Bank’s conference in New York on April 1st. 
I’ll be arguing the Fed should insist that the EMV specification be &lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;fixed before they allow its introduction in the United States.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/i&gt;  &lt;p class="MsoNormal" style="margin: 0.15in 0.25in 0.0001pt 0in;"&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;The vendors are keen enough to sell the technology in the USA, where the card payment &lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.35pt;"&gt;market is worth billions. If the result is a much improved EMV 5.0, then it will presumably &lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;come here to Europe in due course.”&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-top: 12.6pt;"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;One other area of concern that I found interesting is the transition credit/debit card. If the chip &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;and PIN system gains traction, not every merchant will have the correct PED immediately. 
According to the research team’s report, this opens another attack avenue.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-top: 12.6pt; text-align: justify;"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;If the chip and PIN card includes a magnetic stripe as a fallback method for making purchases, &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.4pt;"&gt;the card can still be cloned and the information may remain valid when that person obtains the &lt;/span&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;official chip and PIN card.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-top: 0.15in;"&gt;&lt;b&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;;"&gt;Final thoughts&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-top: 12.6pt;"&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;I am not sure where I read this, but it has a lot of “street cred”:&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin: 0.15in 0.15in 0.5in 0in;"&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;“The whole purpose behind security is to make it more difficult so thieves will go somewhere else as well as eliminating amateurs. 
Still no matter what you develop, there’s going to be &lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.2pt;"&gt;someone who’s going to find a way around it.”&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-right: 16.2pt;"&gt;&lt;b&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.5pt;"&gt;Michael Kassner&lt;/span&gt;&lt;/i&gt;&lt;/b&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.5pt;"&gt; has been involved with IT for over 30 years. Currently a &lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.3pt;"&gt;systems administrator for an international corporation and security consultant &lt;/span&gt;&lt;/i&gt;&lt;i&gt;&lt;span style="font-family: &amp;quot;Georgia&amp;quot;,&amp;quot;serif&amp;quot;; letter-spacing: -0.25pt;"&gt;with MKassner Net. 
Read his profile or Twitter at MKassnerNet.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-bottom: 20.6pt; line-height: 1pt;"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-3583773743844974276?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/3583773743844974276/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=3583773743844974276' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/3583773743844974276'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/3583773743844974276'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2010/02/normal-0-false-false-false-en-us-x-none.html' title=''/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-5100848579757867448</id><published>2009-09-09T16:56:00.002-04:00</published><updated>2009-09-09T17:01:26.493-04:00</updated><title type='text'>How secure is your credit card info?</title><content type='html'>&lt;b&gt;In light of the biggest identity theft case ever prosecuted in America, the spotlight is being turned on just how secure is our credit and debit card information?&lt;br /&gt;&lt;br /&gt;&lt;/b&gt;........Espousing a completely 
different view is &lt;span class="hl"&gt;Jerry Tabeling&lt;/span&gt; who is the president of &lt;span class="hl"&gt;IDP&lt;/span&gt;, a company that carries out vulnerability assessments of networks and online business applications. "Our information is a lot more secure after all the publicity we have had about attacks," &lt;span class="hl"&gt;he&lt;/span&gt; said. "But yes there are still problems that still exist though it is getting safer." These, &lt;span class="hl"&gt;Mr Tabeling&lt;/span&gt; told the &lt;span class="hl"&gt;BBC&lt;/span&gt;, tend to centre around a retailer not doing a good enough job securing its network.&lt;br /&gt;...&lt;br /&gt;Meanwhile &lt;span class="hl"&gt;Mr Tabeling&lt;/span&gt;, an IT security specialist, suggested that all consumers need to play a more proactive part in policing their own transactions and their credit information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-5100848579757867448?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://news.bbc.co.uk/2/hi/technology/7544313.stm' title='How secure is your credit card info?'/><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/5100848579757867448/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=5100848579757867448' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/5100848579757867448'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/5100848579757867448'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2009/09/how-secure-is-your-credit-card-info.html' title='How secure is your credit card info?'/><author><name>Jerry 
Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-437772333081365614</id><published>2008-12-30T14:46:00.000-05:00</published><updated>2008-12-30T14:48:32.095-05:00</updated><title type='text'>Creating a rogue CA certificate</title><content type='html'>&lt;div id="content"&gt;    &lt;p&gt;by Alexander Sotirov&lt;/p&gt;&lt;p&gt;We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.&lt;/p&gt;  &lt;p&gt;Our attack takes advantage of a weakness in the MD5 cryptographic hash function that allows the construction of different messages with the same MD5 hash. This is known as an MD5 "collision". Previous work on MD5 collisions between 2004 and 2007 showed that the use of this hash function in digital signatures can lead to theoretical attack scenarios. Our current work proves that at least one attack scenario can be exploited in practice, thus exposing the security infrastructure of the web to realistic threats.&lt;/p&gt;  &lt;p&gt;This successful proof of concept shows that the certificate validation performed by browsers can be subverted and malicious attackers might be able to monitor or tamper with data sent to secure websites. 
Banking and e-commerce sites are particularly at risk because of the high value of the information secured with HTTPS on those sites. With a rogue CA certificate, attackers would be able to execute practically undetectable phishing attacks against such sites.&lt;/p&gt;  &lt;p&gt;The infrastructure of Certification Authorities is meant to prevent exactly this type of attack. Our work shows that known weaknesses in the MD5 hash function can be exploited in realistic attack, due to the fact that even after years of warnings about the lack of security of MD5, some root CAs are still using this broken hash function.&lt;/p&gt;  &lt;p&gt;Co-authored by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger&lt;/p&gt;  &lt;p&gt;Further details:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;&lt;a href="http://www.win.tue.nl/hashclash/rogue-ca/"&gt;Detailed explanation&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt"&gt;Slides from the 25c3 presentation&lt;/a&gt;&lt;/li&gt;&lt;li&gt; &lt;a href="https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/"&gt;Demo site&lt;/a&gt; (set your system date to August 2004 before clicking)&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;Colliding certificates:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;&lt;a href="http://www.win.tue.nl/hashclash/rogue-ca/real.cert.pem"&gt;Real certificate&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.win.tue.nl/hashclash/rogue-ca/rogue_ca.cert.pem"&gt;Rogue CA certificate&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;This work was &lt;a href="http://events.ccc.de/congress/2008/Fahrplan/track/Hacking/3023.en.html"&gt;presented&lt;/a&gt; at the 25th Chaos Communication Congress in Berlin on December 30, 2008.&lt;/p&gt;  &lt;p&gt;For press or general inquiries, please contact the team at &lt;a href="mailto:md5-collisions@phreedom.org"&gt;md5-collisions@phreedom.org&lt;/a&gt;&lt;/p&gt;  &lt;/div&gt;&lt;div 
class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-437772333081365614?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/437772333081365614/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=437772333081365614' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/437772333081365614'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/437772333081365614'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/12/creating-rogue-ca-certificate.html' title='Creating a rogue CA certificate'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-119281252032134896</id><published>2008-09-26T13:55:00.009-04:00</published><updated>2008-09-30T08:02:40.048-04:00</updated><title type='text'>The Definition Of Security</title><content type='html'>&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;There is much debate about how to define security - as in digital or IT security.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;All too often IT security is spoken of as a "cost to the business". On a broader level I believe IT security is a responsibility management has to its stakeholders. 
That's not a definition of IT security, simply &lt;span style="font-style: italic;"&gt;what it is&lt;/span&gt;.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Keeping with the concept of what IT security is - well it is not a cost to the business; rather, it is an investment by the business. It only becomes a cost to the business AFTER an exploit has taken place and digital information has been compromised or stolen.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Another fallacy I hear in my travels is that an investment in IT security is nothing more than an insurance policy; i.e. insurance that the digital information will remain safe if the proper investment is made to protect it.  &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;A business's investment in IT security is not an insurance policy. An insurance policy pays the insured to compensate for a covered loss. Certainly, there are various types of business insurance a company can buy for data loss, but that is missing the point, because we're talking about IT security, not insurance.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:arial;font-size:130%;"  &gt;So what then is the definition of IT security?&lt;/span&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;/span&gt;By Daniel Miessler on September 3rd, 2008&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-weight: bold;font-family:arial;" &gt;&lt;br /&gt;The &lt;span style="font-style: italic;"&gt;process&lt;/span&gt; of maintaining an &lt;span style="font-style: italic;"&gt;acceptable&lt;/span&gt; level of &lt;span style="font-style: italic;"&gt;perceived&lt;/span&gt; &lt;span style="font-style: italic;"&gt;risk&lt;/span&gt;.&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;There are a few things to like about this definition.&lt;/span&gt;&lt;/span&gt;&lt;span 
style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Process&lt;/span&gt;. i.e. it doesn't end. &lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Acceptable&lt;/span&gt;. This alludes to the fact that the organization's upper management decides-based on the entity's goals as a whole-how much risk to take on. The crucial piece here is that this isn't for security professionals to decide. &lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Perceived&lt;/span&gt;. In short, "you don't know what you don't know". And this is where security professionals come in. Their entire job is to ensure that management is making informed decisions. &lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Risk&lt;/span&gt;. &lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;As we all know, it's not a good idea to use words with disputed definitions as part of another definition. And since risk is one such word, I'll clarify briefly how I define risk. 
In general, I prefer NIST's description from &lt;a href="http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf"&gt;NIST Publication SP 800-30:&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.&lt;br /&gt;&lt;br /&gt;This reveals a few primary components: likelihood, threat-source, vulnerability, and impact. The word "function" used in the definition is pivotal; it reveals that if any of the values increase or decrease, the total risk does as well. I also prefer to add asset value to the equation, and this is a popular choice.&lt;br /&gt;&lt;br /&gt;Ultimately, however, the definition of risk can be reduced to a much more usable, less academic form, and this is the way you are going to be most successful communicating it with those who are not security professionals.&lt;br /&gt;&lt;br /&gt;A risk is a chance of something bad happening.&lt;br /&gt;&lt;br /&gt;Too simple? Not really. It's instantly understandable to virtually everyone, but at the same time it does not contradict the more complex definitions.&lt;br /&gt;&lt;br /&gt;So when should you use one definition vs. the other?&lt;br /&gt;&lt;br /&gt;In general, use the simple version. Getting entangled in the infinite number of ways risk can be calculated is something to avoid. It drains time and rarely accomplishes anything when broken down much farther than is described above.&lt;br /&gt;&lt;br /&gt;So, written out (i.e. 
without the word "risk") we arrive at:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Security is the process of maintaining, based on what we know, an acceptable level of likelihood that something bad will happen to the organization.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;…and once again, in its more succinct and elegant form:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Security is the process of maintaining an acceptable level of perceived risk.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-119281252032134896?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/119281252032134896/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=119281252032134896' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/119281252032134896'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/119281252032134896'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/09/definition-of-security.html' title='The Definition Of Security'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' 
src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-2894510760482068725</id><published>2008-09-17T07:43:00.000-04:00</published><updated>2008-09-17T07:44:58.319-04:00</updated><title type='text'>Hackers defaced collider site, say reports</title><content type='html'>&lt;span style="font-size:130%;"&gt;&lt;span style="font-family: arial;" class="headline"&gt;Hackers defaced collider site, say reports&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: arial;" class="date"&gt;Published: 2008-09-12&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-size:130%;"&gt;&lt;span style="font-family: arial;" class="body"&gt; &lt;p&gt;UPDATED: A group of online vandals compromised the security of a server at  the Large Hadron Collider (LHC) this week, putting up a Web page mocking the  site's security but not the experiment, according to reports in two U.K.  
newspapers.&lt;/p&gt; &lt;p&gt;The attacks, which appear to have compromised a server at the &lt;a href="http://public.web.cern.ch/public/" target="_blank"&gt;European Organization for  Nuclear Research (CERN)&lt;/a&gt;, which runs the LHC, resulted in a server portal for  one of the science teams being defaced by a group calling itself the Greek  Security Team, according to &lt;a href="http://www.telegraph.co.uk/earth/main.jhtml?xml=/earth/2008/09/12/scicern212.xml" target="_blank"&gt;an article in the U.K.-based &lt;cite&gt;Daily Telegraph&lt;/cite&gt;&lt;/a&gt;. The  defaced page mocked the security of the site, calling the IT staff "school  kids," according to &lt;a href="http://www.timesonline.co.uk/tol/news/uk/science/article4744329.ece" target="_blank"&gt;an article in the &lt;cite&gt;Times Online&lt;/cite&gt;&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;"We don’t know who they were but there seems to be no harm done," James  Gillies, a spokesman for CERN, told the &lt;cite&gt;Times&lt;/cite&gt;. "It appears to be  people who want to make a point that CERN was hack-able."&lt;/p&gt; &lt;p&gt;CERN, the largest particle collider in the world, made history this week when  the giant $8-billion machine was activated and its first beam of particles  completed the 27-kilometer circuit underground. The two test beams created so  far have been dumped, as the technical teams calibrate and check the  performance of the large experiment. Eventually, the collider will &lt;a href="http://www.guardian.co.uk/science/interactive/2008/jun/30/cernproject" target="_blank"&gt;smash two beams of particles&lt;/a&gt; into each other in an attempt to  detect elementary particles not present since the Big Bang and gain insight into  the nature of gravity.&lt;/p&gt; &lt;p&gt;The hackers targeted a server hosting the portal for the science team  responsible for the Compact Muon Solenoid Experiment (CMS) at CERN. 
The  organization's press office did not immediately return an e-mailed request for  comment.&lt;/p&gt; &lt;p&gt;&lt;i&gt;UPDATE: Two readers who have translated the Greek Web site have disagreed  with the newspaper reports of the incident. The defaced Web page does not  belittle the LHC's security, but appears to make fun of other hackers in the  Greek Internet underground scene, the readers maintain. More can be found on  this &lt;a href="http://grayhatforensics.secbible.org/index.php/2008/09/13/greek-hackers-deface-cerns-lhc-related-website/" target="_blank"&gt;security researcher's blog&lt;/a&gt;.&lt;/i&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;If you have tips or insights on this topic, please &lt;a href="mailto:news-editor@securityfocus.com"&gt;contact SecurityFocus&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-2894510760482068725?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/2894510760482068725/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=2894510760482068725' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/2894510760482068725'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/2894510760482068725'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/09/hackers-defaced-collider-site-say.html' title='Hackers defaced collider site, say reports'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' 
height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-1637880342986772483</id><published>2008-08-06T07:57:00.002-04:00</published><updated>2008-08-06T08:01:47.393-04:00</updated><title type='text'>Jerry Tabeling quoted in recent BBC News article</title><content type='html'>&lt;span style="font-size:130%;"&gt;&lt;span style="font-family: arial;"&gt;In light of the biggest identity theft case ever prosecuted in America, the spotlight is being turned on just how secure our credit and debit card information is.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;Mr. Tabeling was interviewed by the BBC for his thoughts.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;Read about it here: &lt;/span&gt;&lt;a style="font-family: arial;" href="http://news.bbc.co.uk/2/hi/technology/7544313.stm"&gt;http://news.bbc.co.uk/2/hi/technology/7544313.stm&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-1637880342986772483?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://news.bbc.co.uk/2/hi/technology/7544313.stm' title='Jerry Tabeling quoted in recent BBC News article'/><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/1637880342986772483/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=1637880342986772483' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/1637880342986772483'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1578398477465556415/posts/default/1637880342986772483'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/08/jerry-tabeling-quoted-in-recent-bbc.html' title='Jerry Tabeling quoted in recent BBC News article'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-489977639892367744</id><published>2008-08-05T15:49:00.005-04:00</published><updated>2008-08-05T16:04:14.753-04:00</updated><title type='text'>Final Word on DNS Chatter</title><content type='html'>&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;Unless something of significant interest occurs, this will be my last post on the DNS flaw that everyone has been talking about for the past several weeks.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Before I leave the subject I'd like to throw out two valuable links.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;1) Determine if your ISP has installed the proper patches - &lt;/span&gt;&lt;a style="font-family: arial;" href="http://www.doxpara.com/"&gt;http://www.doxpara.com/&lt;/a&gt;&lt;span style="font-family:arial;"&gt; (click the "Check My DNS" button)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;2) IntoDNS - &lt;/span&gt;&lt;a style="font-family: arial;" href="http://www.intodns.com/"&gt;http://www.intodns.com&lt;/a&gt;&lt;span style="font-family:arial;"&gt; This site provides a very nice snapshot of your ISP's DNS configuration. 
Just enter your domain name and click on the report tab.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-489977639892367744?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/489977639892367744/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=489977639892367744' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/489977639892367744'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/489977639892367744'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/08/final-word-on-dns-chatter.html' title='Final Word on DNS Chatter'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-8075129642234769919</id><published>2008-08-02T12:32:00.000-04:00</published><updated>2008-08-02T12:33:19.514-04:00</updated><title type='text'>Most Security Breaches Go Unreported</title><content type='html'>&lt;!-- End SiteCatalyst code version: G.7. 
--&gt; &lt;p&gt; &lt;table class="elfixo" border="0" cellpadding="0" cellspacing="0" width="100%"&gt; &lt;tbody&gt;&lt;tr valign="bottom"&gt;&lt;td&gt; &lt;a href="http://www.informationweek.com/"&gt;&lt;img src="http://i.cmpnet.com/infoweek/new/informationweek_logo-LD.gif" alt="InformationWeek" border="0" width="237" height="58" /&gt;&lt;/a&gt; &lt;/td&gt; &lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt; &lt;/p&gt;&lt;p style="font-family: arial;"&gt; &lt;span style="font-size:180%;"&gt;Most Security Breaches Go Unreported&lt;/span&gt; &lt;/p&gt;&lt;p style="font-family: arial;"&gt; &lt;span style="font-size:130%;"&gt;An RSA survey found 
the e-mail-borne malware and phishing that affected 69% of respondents' companies may not have led to serious consequences in every instance.&lt;/span&gt;&lt;br /&gt;&lt;/p&gt;&lt;p style="font-family: arial;"&gt; &lt;span style="font-size:85%;"&gt;By Thomas Claburn, &lt;a href="http://www.informationweek.com/;jsessionid=DV3HXUY3EWGJYQSNDLPSKH0CJUNN2JVN" target="_blank"&gt; InformationWeek &lt;/a&gt;&lt;br /&gt; Aug. 1, 2008&lt;br /&gt;URL: &lt;a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=209901208"&gt; http://www.informationweek.com/story/showArticle.jhtml?articleID=209901208 &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt; &lt;/p&gt;&lt;p style="font-family: arial;"&gt; &lt;span style="font-size:130%;"&gt;More than 89% of security incidents went unreported in 2007, according to a survey of about 300 attendees at this year's &lt;a href="http://www.rsaconference.com/"&gt;RSA Conference&lt;/a&gt;. &lt;/span&gt;&lt;/p&gt;&lt;p style="font-family: arial;"&gt;&lt;span style="font-size:130%;"&gt; Security incidents, as defined by the study, represent "an unexpected activity that brought sudden risk to the organization and took one or more security personnel to address." &lt;/span&gt;&lt;/p&gt;&lt;p style="font-family: arial;"&gt;&lt;span style="font-size:130%;"&gt; Some of the security incidents, such as the e-mail-borne &lt;a href="http://www.techweb.com/encyclopedia/defineterm.jhtml?term=malware&amp;amp;x=&amp;amp;y="&gt;malware&lt;/a&gt; and &lt;a href="http://www.techweb.com/encyclopedia/defineterm.jhtml?term=phishing&amp;amp;x=&amp;amp;y="&gt;phishing&lt;/a&gt; that affected 69% of respondents' companies, may not have led to serious consequences in every instance. 
But 29% of those answering the survey said their organizations experienced customer or employee data leakage. Twenty-eight percent reported insider threats or theft and 16% reported intellectual property theft. &lt;/span&gt;&lt;/p&gt;&lt;p style="font-family: arial;"&gt;&lt;span style="font-size:130%;"&gt;"With 29% of respondents stating that they experienced the leakage of employee or customer data in 2007, it is alarming to see that only 11% of those types of incidents went reported," said Tim Mather, chief security strategist for &lt;a href="http://www.techweb.com/encyclopedia/defineterm.jhtml?term=RSA&amp;amp;x=&amp;amp;y="&gt;RSA&lt;/a&gt; Conference, in a statement. "Security professionals need to remain cognizant of the regulations that their organizations must comply with and ensure they are taking steps to properly report the security incidents that are required by law -- whatever they may be." &lt;/span&gt;&lt;/p&gt;&lt;p style="font-family: arial;"&gt;&lt;span style="font-size:130%;"&gt; Such findings echo &lt;a href="http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=208403240"&gt;a recent study of over 500 data breach forensic investigations&lt;/a&gt; conducted by Verizon Business Security Solutions. According to Bryan Sartin, VP of investigative response at Verizon, the publicly reported breaches are "just the tip of iceberg." He said that less than 5% of the more than 500 cases covered in the Verizon study involved some form of disclosure. &lt;/span&gt;&lt;/p&gt;&lt;p style="font-family: arial;"&gt;&lt;span style="font-size:130%;"&gt;In short, companies appear to be far more insecure than they acknowledge. The RSA survey indicates that 46% of companies experienced no security incidents in 2007, 19% experienced 1 to 2, 14% experienced 3 to 5, 7% experienced 6 to 10, 3% experienced 11 to 20, and 13% experienced more than 20 security incidents. 
&lt;/span&gt;&lt;/p&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family: arial;"&gt;The top security challenge, according to respondents, is lost or stolen devices (49%), followed by non-malicious employee error and employee education (tied at 47%), budgetary constraints (44%), external &lt;/span&gt;&lt;a style="font-family: arial;" href="http://www.techweb.com/encyclopedia/defineterm.jhtml?term=hacking&amp;amp;x=&amp;amp;y="&gt;hacking&lt;/a&gt;&lt;span style="font-family: arial;"&gt; threats (38%), executive buy-in (26%), and malicious insider threats (22%). &lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-8075129642234769919?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=209901208' title='Most Security Breaches Go Unreported'/><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/8075129642234769919/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=8075129642234769919' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/8075129642234769919'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/8075129642234769919'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/08/most-security-breaches-go-unreported.html' title='Most Security Breaches Go Unreported'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' 
src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-9008169545769007929</id><published>2008-07-30T16:42:00.002-04:00</published><updated>2008-07-30T16:44:50.451-04:00</updated><title type='text'>The Impact of Dan’s DNS Debacle on Internet Risk</title><content type='html'>&lt;div style="font-family: arial;" class="entry-body"&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Blogger: Pete Lindstrom&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;On July 8th, Dan Kaminsky of IOActive announced a major DNS “vulnerability”  in conjunction with a number of major DNS vendors. The announcement was off the  charts in fanfare and attention, but what was the real impact on risk?&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;First, it is worth noting that this “bug” is more properly classified as a  new attack technique invented by Dan. It combines two vulnerabilities that have  been well-known for some time – the ability to guess non-random transaction IDs  and the use of Additional RRs to insert new entries into the DNS cache. A fix  against either of these vulnerabilities also negates the attack itself.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;The fundamental question that determines the risk impact revolves around  whether it is reasonable to expect fewer or more incidents that use this  technique when comparing the period prior to disclosure -- or, more properly,  before the date of Dan’s invention of the technique (this also assumes prior  art) – with the period after invention/disclosure and into the future. 
If the  disclosure reduces the number of those incidents, then risk is reduced; if the  disclosure increases the number of those incidents, then risk is increased.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;With that litmus test as our guideline, it is useful to break down the  functional elements of risk and look at the impact on threats, vulnerabilities,  and consequences (we will cover consequences, then vulnerabilities, and finally  threat).&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;Consequences&lt;/strong&gt;&lt;br /&gt;Though the consequences are the same before  and after disclosure, it is worth discussing the impact here, given that the  implication was that the “entire web” could be taken down. The nature of the  attack requires the following:&lt;/span&gt;&lt;/p&gt; &lt;ol&gt;&lt;li&gt;&lt;span style="font-size:130%;"&gt;An attacker must convince/trick a user into making a DNS request for a  domain that doesn’t already exist in their DNS server’s cache. The expectation  here is that s/he can be easily tricked into doing this.  &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:130%;"&gt;Then, the attacker must simultaneously attack the DNS server by guessing the  transaction ID. According to Kaminsky, the request/attack phase can be done  reliably in about 10 seconds.  &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:130%;"&gt;The attack is DNS server-specific. Only users on the same DNS server are  affected.  
&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:130%;"&gt;Propagation: once the cache is poisoned, anyone requesting that domain will be routed to a malicious server.&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Without combining this attack with other attack techniques, there can be three results:&lt;/span&gt;&lt;/p&gt; &lt;ol&gt;&lt;li&gt;&lt;span style="font-size:130%;"&gt;Spoofing of a single website for multiple, perhaps many, users using the same DNS server. Presumably, this would be followed by more traditional phishing and malware attacks.  &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:130%;"&gt;Denial-of-service by rerouting traffic from a legitimate site thereby taking potential customers or “eyeballs” away.  &lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:130%;"&gt;Denial-of-service by rerouting traffic from a legitimate high volume site to a legitimate low-volume site thereby overloading the servers on the low-volume site.&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Because of the point-to-point (user-to-website) nature of the attack, to do something that constitutes “taking over the entire web” is infeasible by a longshot.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;The bottom line analysis for the effect on risk due to a change in consequences from pre-invention to post-invention: no change, and therefore no impact.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;Vulnerabilities&lt;/strong&gt;&lt;br /&gt;These vulnerabilities have existed for years, and there have been workarounds for years. Along with this announcement, new patches were introduced in all major DNS server solutions. 
It is reasonable to assume that many DNS server implementations have been patched, though public accounts have suggested that number is in the 66%-75% range.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Bottom line analysis: the vulnerability level has been reduced, probably significantly, and the effect is positive for risk reduction. If 100% of DNS servers were patched, then overall risk would be reduced for this attack (assuming that there were actual attacks using this technique in the past.)&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;Threats&lt;/strong&gt;&lt;br /&gt;The real question regarding risk impact comes in the arena of the less-controllable manipulation of threat. The general threat equation revolves around an attacker’s willingness to attack, based on his/her own cost/benefit analysis that compares the cost to attack to the expected benefits, tempered by the potential for being caught and penalized.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Cost to attack – prior to disclosing the invention, there were likely few, if any, attackers with “prior art” that mirrored this technique. It is anybody’s guess how many potential attackers might have figured it out eventually, but they would have had to come from the pool of folks with enough expertise to do so – I am going to guess 500,000 people.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;After the disclosure, the hints provided in the press release, the podcast, the sorted stories, and the blog entries made it much easier to figure out.  Let’s guess that 5 million people could execute the attack. With automated tools, that number goes up to 50 million.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;These numbers are estimates that illustrate the nature of the exercise. 
You  are welcome to fill in your own estimates and come to your own conclusions.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Bottom line analysis: a significant increase in threat and corresponding  risk.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;Net Effect&lt;/strong&gt;&lt;br /&gt;The risk manager's challenge is to weigh the  decrease in vulnerable systems compared with the corresponding increase in  threat, within the context of number of incidents and anticipated future  incidents. Given the sheer size differential, it is difficult to conceive of a  situation where risk is not increased. &lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Sometimes it "feels" like someone is taking action for the greater good, when  that action actually creates a negative impact for all. For example, it is  common for people to believe that raising prices of scarce resources during   times of trouble (e.g. gasoline in the hurricane Katrina aftermath) is  unconscionable even though a majority of economists recognize that raising  prices actually provides for the greater public good. 
Vulnerability discovery  and disclosure, and attack inventions, might feel like the right thing to do,  but the net result is almost always a negative impact.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;a href="http://sharethis.com/"&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-9008169545769007929?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://srmsblog.burtongroup.com/2008/07/the-impact-of-d.html' title='The Impact of Dan’s DNS Debacle on Internet Risk'/><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/9008169545769007929/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=9008169545769007929' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/9008169545769007929'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/9008169545769007929'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/07/impact-of-dans-dns-debacle-on-internet.html' title='The Impact of Dan’s DNS Debacle on Internet Risk'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-7762081858844162070</id><published>2008-07-29T11:43:00.002-04:00</published><updated>2008-07-30T16:48:48.435-04:00</updated><title type='text'>IDP Announces The Release Of Its Latest Internet Security Offering</title><content 
type='html'>&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt;Baltimore, MD (07-29-08) - IDP, LLC, a local Internet security consulting firm, has announced the release of its latest vulnerability assessment and penetration testing offering.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;Built with commercial, open source and custom developed software modules; this comprehensive enterprise offering is ideally suited for every business who wants to ensure there are no external or internal vulnerabilities in their networks that could be exploited by malicious attackers. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;Hackers and malicious insiders are an undeniable threat to your organization's network. They have sophisticated tools and backdoor programs at their disposal with which to steal information, perform unlawful or unauthorized activities, and cover their tracks. Security professionals charged with protecting their organizations can become overwhelmed in developing specialty applications to combat these threats. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;The unfortunate reality is that all networks are constantly being probed and scanned for "open doors", poorly configured perimeter and internal hosts, weak passwords and authentication, software bugs and application design flaws. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;"Every day businesses who believe they are not attractive targets or who think they are secure are spending untold amounts of money remediating previously unidentified vulnerabilities", says Jerry Tabeling, President of IDP. The investment to identify and correct problems before they are exploited is just a fraction of the monetary, good will and business losses an attacker can bring about. 
&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;IDP is currently offering a no cost, no obligation consultation to help businesses quantify their risk tolerance and develop an ROI for the company's stakeholders. For more information contact Jerry Tabeling or visit &lt;a class="linkification-ext" href="http://www.idpnow.net" title="Linkification: http://www.idpnow.net"&gt;http://www.idpnow.net&lt;/a&gt;.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;About IDP:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;IDP specializes in helping businesses assess vulnerabilities in their networks, identify intrusions and implement remediation solutions to prevent intrusions in the future.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Contact:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Jerry Tabeling, President&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;IDP, LLC&lt;/span&gt;&lt;br /&gt;&lt;a href="http://www.idpnow.net/"&gt;&lt;span style="font-family:arial;"&gt;http://www.idpnow.net&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://idpnow.blogspot.com/"&gt;&lt;span style="font-family:arial;"&gt;http://idpnow.blogspot.com&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-7762081858844162070?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.prweb.com/releases/2008/7/prweb1157494.htm' title='IDP Announces The Release Of Its Latest Internet Security Offering'/><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/7762081858844162070/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=7762081858844162070' title='0 Comments'/><link 
rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/7762081858844162070'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/7762081858844162070'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/07/idp-announces-release-of-its-latest.html' title='IDP Announces The Release Of Its Latest Internet Security Offering'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-8236310566530382650</id><published>2008-07-23T15:13:00.001-04:00</published><updated>2008-07-23T15:15:53.463-04:00</updated><title type='text'>Kaminsky on How He Discovered DNS Flaw and More</title><content type='html'>&lt;div style="font-family: arial;" class="entry" id="entry-53089656"&gt; &lt;div id="article"&gt; &lt;div id="article_body"&gt;  &lt;div class="date_time"&gt;&lt;span style="margin-right: 20px;font-size:130%;" &gt;&lt;span class="c cs" id="contributor"&gt;By Kim Zetter-Wired Blog Network&lt;/span&gt;&lt;/span&gt;&lt;span style="margin-right: 20px;font-size:130%;" &gt;July 22, 2008 | 8:49:55 PM&lt;/span&gt;   &lt;/div&gt;&lt;/div&gt;&lt;/div&gt; &lt;div class="entry-content"&gt; &lt;div id="article"&gt; &lt;div id="article_body"&gt; &lt;div id="article_text"&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;a onclick="window.open(this.href, '_blank', 'width=333,height=500,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false" 
href="http://blog.wired.com/.shared/image.html?/photos/uncategorized/2008/07/22/kaminsky_by_quinn.jpg"&gt;&lt;img title="Kaminsky_by_quinn" style="margin: 0px 0px 5px 5px; float: right;" alt="Kaminsky_by_quinn" src="http://blog.wired.com/27bstroke6/images/2008/07/22/kaminsky_by_quinn.jpg" border="0" width="166" height="250" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Dan Kaminsky is understandably swamped today, given the unexpected &lt;a href="http://blog.wired.com/27bstroke6/2008/07/details-of-dns.html"&gt;early  release of information&lt;/a&gt; about the critical DNS flaw he discovered that  potentially affects the security of every website on the internet.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;But he found some time to speak with Threat Level about how he discovered the  vulnerability that has system administrators scrambling to patch before an  exploit -- which is expected to go public by the end of today -- is widely  available.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Kaminsky discovered the bug by chance about six months ago, which he promptly  disclosed to people in the DNS community. At the end of March, an emergency  summit was convened at Microsoft's headquarters, gathering 16 people from around  the world to discuss how to address the problem.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;On July 8, Kaminsky held a press conference announcing a multi-vendor patch  and urging DNS server owners to upgrade their software with the patch  immediately. But he declined to disclose details of the bug until next month,  when he plans to deliver a talk about the flaw at the Black Hat Hacker  Conference. 
Until then, Kaminsky asked researchers not to speculate about the  bug, to avoid giving hackers information that could help them exploit it.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Thirteen days after that press conference, however, the security firm  Matasano inadvertently released details about the bug on a blog post that the  company quickly removed, but has been &lt;a href="http://beezari.livejournal.com/141796.html"&gt;re-posted elsewhere&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;I spoke with Kaminsky about that disclosure, among other issues.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;Threat Level:&lt;/strong&gt; So how pissed off are you?&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;Dan Kaminsky:&lt;/strong&gt; (Laughs) I am not the important part here. The  important thing is that people patch.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;I have to be blunt. The drama is fun and interesting and cool, but it's a  distraction. (The important thing is that) it's a really bad bug that really  impacts every website you use and your readers use. It impacts whether or not  readers are even going to see the article you're about to write. Now I could get  into a big fight with lots of people ... and that might happen at some point!  But it's a distraction from right now, which is, you know, we did good. We got  13 days of a patch being out without the bug being public. That's unprecedented.  I'm pretty proud of at least 13 days. I would have liked 30, but I got 13 ...  But the circumstances of how it went public are not what's important today.  There will be a time for that, just not now. 
What is important now is people  need to patch.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;TL:&lt;/strong&gt; There were a lot of people who balked at patching  because they didn't know the details of the bug.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;DK:&lt;/strong&gt; Well you know, there were people who said, 'Dan, I wish  I could patch but I don't know the bug and I can't get the resources I need to  patch it.' Well you know the bug now.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;You know, Verizon Business has a blog entry where they say that the greatest  short-term risk from patching DNS was from the patch itself, from changing such  a core and essential element to their systems. I know this. I was a network  engineer before I was a security engineer. So that's why we took such  extraordinary lengths to try to get people as much time as possible (to patch  their systems). There's just a lot of complexity in doing something on this  scale. This is something I think a lot of people don’t realize. It was difficult  to get the patches even written, let alone get them all released on a single  day.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;But let me tell you, the complete lack of whining from the (DNS software)  vendors ... if I could have gotten as little whining from the security  (professionals) ... no I'm not going to say that. It's so tempting! I'm simply  going to say this in positive terms. I wish everybody could be as cooperative  and understanding and as helpful as Microsoft and ISC (the Internet Systems  Consortium) and Cisco and everyone else was who worked so hard to get customers  what they needed to protect our networks.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;TL:&lt;/strong&gt; How did you come across the bug? 
You said in the press  conference on July 8 that you hadn't even been looking for this. So what were  you doing when you found the bug?&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;DK:&lt;/strong&gt; If you look at the history of my talks ... one year I  had done some stuff on triangular routing. It's where you have multiple hosts  that are all trying to host the same data and you want the fastest one to host  it.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;So I'm working at this, and I'm wondering if I can, like, use DNS races to  figure out the fastest name servers to provide data. I started thinking about  this trick I had done (before) with &lt;a href="http://www.webopedia.com/TERM/C/CNAME.html"&gt;CNAMES&lt;/a&gt; -- they're an alias  in DNS.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;I realized I could look up a random name, and then whichever random name won  would override the record for &lt;a class="linkification-ext" href="http://www.mywebsite.com" title="Linkification: http://www.mywebsite.com"&gt;www.mywebsite.com&lt;/a&gt;. Essentially, I was looking for  a faster way to host data on the internet and I remembered I have ways of  overwriting which record the name server uses for 'www' by looking up something  else and having it overwrite. And then I thought about that for a second. Wait,  it's going to overwrite whatever is &lt;a class="linkification-ext" href="http://www.mywebsite.com" title="Linkification: http://www.mywebsite.com"&gt;www.mywebsite.com&lt;/a&gt;! This kind of has  security implications! Because if it works you can get around all of our DNS  cache-poisoning protections. Then it worked!&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;I first tried it about six months ago. It took a couple of days to get  working. I wrote it in Python to begin with and it was pretty slow. Then I  rewrote it in C and it wasn’t slow anymore. 
It was a couple of seconds. That's  when I realized I had a problem.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt; &lt;div id="article_text"&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;TL:&lt;/strong&gt; Then what did you do?&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;DK:&lt;/strong&gt; I looked at it for a while, talked to a couple of  really, really trusted people about it. Eventually I went to &lt;a href="http://www.isc.org/index.pl?/about/mgmt/vixie.php"&gt;Paul Vixie&lt;/a&gt; (of  ISC).&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;I've been ... looking at other issues with DNS for some time and I had  already been working with Vixie on some of the fallout from last year's talk,  when I was talking about &lt;a href="http://radar.oreilly.com/2007/08/your-browser-is-a-tcpip-relay.html"&gt;DNS  re-binding attacks&lt;/a&gt;. So I go to Paul and I say, Listen, we've got a bigger  problem. And I send him the code and the packets and the details. And then  there's that moment of, Yeah, we &lt;em&gt;do&lt;/em&gt; have a problem.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;Paul's an institution in the DNS realm and he basically goes ahead and  contacts everybody and brings in &lt;a href="http://www.bfk.de/en_index.html"&gt;Florian Weimer&lt;/a&gt; from Germany and  brings in representatives from Cisco, Open DNS ... And we start talking on (an  e-mail) thread for a couple of weeks about what the implications of this are. A  couple of weeks in we realized we should probably have a summit and we should  probably have it soon. So I asked Microsoft if they'd provide hosting and they  absolutely agreed. On February 20 I had mailed Paul Vixie. And on March 31, 16  people from around the world were in Microsoft headquarters.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;When I say there was no b.s. from the vendors, there was just no b.s. from  the vendors. 
They got it. They understood they were in trouble. We skipped past  the entire "Is it really a bug?" phase, that's still continuing in public  (discussions).&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;TL:&lt;/strong&gt; But you’ve got to understand why people said that. You  acknowledged that in not disclosing the details, you opened yourself up to  people being skeptical about the bug.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;DK:&lt;/strong&gt; People are allowed to be very, very skeptical. But, you  know, don't be so skeptical that you're telling people to not patch.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;This is a really bad bug. And for everyone who (says), Oh, I knew about this  years ago . . . no, you didn't. Stop pretending you did. Because every time you  say it, another network doesn't patch (their system).&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;This (attack takes) ten seconds to hijack the net. . . . Unless you like  other people reading your e-mail, go patch. If you want to actually see Google  and Yahoo and MySpace and Facebook and the entire web, if you actually want to  see the correct web sites, go patch. The debate about whether this bug is new or  old is ultimately useless. In ten seconds, the ISP DNS servers are taken  over.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;TL:&lt;/strong&gt; It was kind of pie-in-the-sky to think that everyone was  going to sit on their hands for 30 days and not post information about what they  thought the bug was wasn't it?&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;DK:&lt;/strong&gt; You know, a lot of people did. The guys who were  actually smart enough to find the bug (didn't disclose it). 
The people who have  been complaining have been people who couldn’t figure it out.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;The people who could figure it out e-mailed me privately. And that says a  lot. . . . The people who were good enough to figure out the bug by themselves I  am incredibly gracious and appreciative of them for mailing me and helping me  get the thirteen days that I got.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;TL:&lt;/strong&gt; How quickly did you get the first response from someone  who discovered what the bug was?&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;DK:&lt;/strong&gt; It was a couple of days.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;TL:&lt;/strong&gt; How far along are people in patching the DNS servers? Do  you know how many have been patched?&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;DK:&lt;/strong&gt; Way more than I ever would have hoped, (but) less than I  would have liked. We were in the high double digits (in terms of percentages).  We were getting some pretty good pickup on this patch. The last time I looked at  people who were testing against my site it was somewhere in 30 to 40 percent . .  . people who were going to my site to test their name servers.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:130%;"&gt;There are a couple million name servers on the internet. There are many  million more that are not physically on the internet but are behind firewalls.  Ultimately any name server that is not patched is vulnerable and will probably  eventually be attacked. The attack is just too good and too easy. My grandma's  going to be in the audience (at Black Hat). 
My grandma's going to understand the  bug.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-8236310566530382650?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/8236310566530382650/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=8236310566530382650' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/8236310566530382650'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/8236310566530382650'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/07/kaminsky-on-how-he-discovered-dns-flaw.html' title='Kaminsky on How He Discovered DNS Flaw and More'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-6630861055911291557</id><published>2008-07-23T09:21:00.005-04:00</published><updated>2008-07-23T09:46:52.479-04:00</updated><title type='text'>Security Risk Analysis Basics For Solution Providers</title><content type='html'>&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;I saw an interesting article this morning by Steve Bigelow from &lt;a href="http://searchsecuritychannel.com/"&gt;searchsecuritychannel.com&lt;/a&gt;. 
Although his article is entitled Security Risk Analysis Basics for Solution Providers, it does a good job articulating why it is important for the client to understand the reality of threats, both from inside and outside the organization.&lt;br /&gt;&lt;br /&gt;Steve does a good job pointing out the differences between a risk and a threat, and why they need to be evaluated independently in the context of a company's overall security strategy.&lt;br /&gt;&lt;br /&gt;The first and last paragraphs really say it all - "No matter how much effort and resources go into securing IT infrastructures, businesses still face a wide range of risks as a result of threats and vulnerabilities like configuration errors, intrusions, viruses and even employees themselves. Corporations are rarely skilled or objective enough to perform thorough evaluations of their own security strategies, so solution providers can step in to perform a security risk analysis -- a detailed investigation that examines every aspect of the client's security posture, identifying weaknesses and recommending corrective actions."&lt;br /&gt;&lt;br /&gt;"Security risk analyses are rarely one-time endeavors. 
The results of periodic analysis can often be used as waypoints that help an organization maintain a proper security posture in the face of changing threats, technologies and corporate cultures......."&lt;br /&gt;&lt;br /&gt;Click on the title to see the full article.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;
&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-6630861055911291557?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.idpnow.net/Documents/Security%20Risk%20Analysis%20Basics%20For%20Solution%20Providers.pdf' title='Security Risk Analysis Basics For Solution Providers'/><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/6630861055911291557/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=6630861055911291557' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/6630861055911291557'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/6630861055911291557'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/07/security-risk-analysis-basics-for.html' title='Security Risk Analysis Basics For Solution Providers'/><author><name>Jerry 
Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-702333849566710915</id><published>2008-07-22T18:41:00.003-04:00</published><updated>2008-07-22T19:22:12.903-04:00</updated><title type='text'>Black Market For Stolen Data Is Thriving</title><content type='html'>&lt;dl  class="byline" style="font-family:arial;"&gt;&lt;span style="font-size:130%;"&gt;&lt;span class="byline"&gt;Vulnerability assessments have never been more important!&lt;br /&gt;&lt;br /&gt;Did you know that malicious attackers are selling your digital assets to the highest bidder?&lt;br /&gt;&lt;br /&gt;Whether it's a customer list, a pricing matrix, harvested email addresses, credit card numbers, social security numbers, passwords or confidential strategic plans, your digital assets are being offered to the highest bidder on black market online auctions. What's more, most of the time you are not even aware the information has been compromised.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/dl&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;Security firm &lt;/span&gt;&lt;a style="font-family: arial;" href="http://www.baltimoresun.com/topic/economy-business-finance/symantec-corporation-ORCRP014775.topic" title="Symantec Corporation" class="taxInlineTagLink" id="ORCRP014775"&gt;Symantec Corp.&lt;/a&gt;&lt;span style="font-family:arial;"&gt; reports a significant rise in the amount of data theft and data loss to the online black market. 
Dean Turner, director of Symantec's Global Intelligence Network, says, "If I had to guess, I'd say the losses could reach multimillions, if not billions, of dollars worldwide."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Steve Sakamoto-Wengel, the Maryland attorney general's consumer protection counsel for regulation, legislation and policy, agreed and said, "Remember the &lt;/span&gt;&lt;a style="font-family: arial;" href="http://www.baltimoresun.com/topic/economy-business-finance/tjx-companies-incorporated-ORCRP015331.topic" title="TJX Companies Incorporated" class="taxInlineTagLink" id="ORCRP015331"&gt;TJX Companies&lt;/a&gt;&lt;span style="font-family:arial;"&gt; data breach last year? That was 47 million credit card numbers, maybe more, obtained by hackers just for those purposes."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;"A lot of these chat rooms and Web sites are international, based in other countries," Sakamoto-Wengel said. "It's hard to track who is behind them."&lt;br /&gt;&lt;br /&gt;Businesses need to continue to invest in digital security. Executives who say "it won't happen to me" or "who would want our information" are doing a disservice to their stakeholders.&lt;br /&gt;&lt;br /&gt;Understanding where the "open doors" are and what vulnerabilities exist in your systems are the first steps in keeping malicious attackers at bay. Arms-length vulnerability assessments by certified security professionals should be a line item in every IT budget. 
Don't be penny wise and pound foolish!&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;a href="mailto:dan.thanh.dang@baltsun.com"&gt;&lt;br /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-702333849566710915?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/702333849566710915/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=702333849566710915' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/702333849566710915'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/702333849566710915'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/07/black-market-for-stolen-data-is.html' title='Black Market For Stolen Data Is Thriving'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-3576813404495012426</id><published>2008-07-18T12:28:00.005-04:00</published><updated>2008-07-18T12:34:50.337-04:00</updated><title type='text'>DNSstuff Freeware Detects Vulnerable DNS Servers</title><content type='html'>&lt;span style="font-size:130%;"&gt;&lt;span class="authorsource" itxtvisited="1"  style="font-family:arial;"&gt;By&lt;/span&gt;&lt;span style="font-family:arial;"&gt; &lt;/span&gt;&lt;span class="authorsource" itxtvisited="1"  
style="font-family:arial;"&gt;&lt;a href="http://www.eweek.com/cp/bio/Brian-Prince/" rel="nofollow" s_oc="null"&gt;Brian Prince&lt;/a&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt; (eweek.com)&lt;/span&gt;&lt;br /&gt;&lt;span class="Article_Date" itxtvisited="1"  style="font-family:arial;"&gt;2008-07-17&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong style="font-weight: normal; font-family: arial;" itxtvisited="1"&gt;DNSstuff has released a new tool to help organizations  detect if their DNS servers are vulnerable to the DNS protocol flaw revealed  last week.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt; &lt;p itxtvisited="1"  style="font-family:arial;"&gt;&lt;span style="font-size:130%;"&gt;DNSstuff.com is offering a free tool for organizations  looking to test the susceptibility of their domain name&lt;span style="text-decoration: underline;"&gt;&lt;/span&gt; servers to a fundamental flaw in  the Domain Name System protocol revealed publicly last week.&lt;/span&gt;&lt;/p&gt; &lt;p itxtvisited="1"  style="font-family:arial;"&gt;&lt;span style="font-size:130%;"&gt;A provider of on-demand DNS and network analysis tools,  DNSstuff made the freeware, which company officials have dubbed &lt;a href="http://member.dnsstuff.com/includes/ToolHandler.php?ToolFormName=vu800113" rel="nofollow" s_oc="null"&gt;DNS Vulnerability  Check&lt;/a&gt;, available on its site Wednesday. 
The tool is meant to test for the&lt;span style="text-decoration: underline;"&gt;&lt;/span&gt; &lt;a href="http://idpnow.blogspot.com/2008/07/fundemental-dns-flaw.html"&gt;vulnerability reported&lt;/a&gt; by Dan Kaminsky, director of penetration  testing for IOActive.&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-3576813404495012426?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/3576813404495012426/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=3576813404495012426' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/3576813404495012426'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/3576813404495012426'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/07/dnsstuff-freeware-detects-vulnerable.html' title='DNSstuff Freeware Detects Vulnerable DNS Servers'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-1217843747718566446</id><published>2008-07-17T17:13:00.006-04:00</published><updated>2008-07-17T17:23:37.792-04:00</updated><title type='text'>Hacking Online Banking and Credit Card Transactions – And How to Prevent It</title><content type='html'>By Daniel V. 
Hoffman, CISSP, CWNA, CEH &lt;h4&gt;The Scenario&lt;/h4&gt; &lt;p&gt; You go to a coffee shop for a cup of coffee and to utilize the shop’s Wi-Fi HotSpot to surf the web. You connect to the hotspot network and decide to perform some online banking or to purchase something online. By the way, this could happen to you at home, as well. As an end-user, you &lt;em&gt;feel&lt;/em&gt; quite secure, as you see the lock in the bottom corner of your Internet browser, symbolizing that the online banking or online credit card transaction is safe from prying eyes. Your data, including username, password, credit card info, etc. will be encrypted with 128-bit encryption. &lt;em&gt;&lt;strong&gt;So it's secure, right?&lt;/strong&gt;&lt;/em&gt;  &lt;/p&gt; &lt;p&gt; It is not uncommon to perform banking and to purchase products online 
with your credit card. It is also commonly assumed that doing so is secure, because it is done over SSL. For the most part, this is true and the sessions are secure. Discover Card, for example, posts the following statement on their website: &lt;/p&gt; &lt;div style="text-align: left;"&gt; &lt;img src="http://www.ethicalhacker.net/images/stories/columns/hoffman/feb06/1.jpg" width="580" border="0" height="302" /&gt;&lt;br /&gt;&lt;/div&gt;&lt;p align="center"&gt;&lt;strong&gt;Figure 1&lt;/strong&gt;  &lt;/p&gt; &lt;p&gt; The problem is that it is not “virtually impossible” for someone else to see your data, such as login information or credit card numbers. It can actually be relatively easy, as you’ll see, if you as an end-user do not know how you can be exploited or how to recognize the signs that this is occurring. &lt;/p&gt; &lt;p align="center"&gt; &lt;strong&gt;&lt;img src="http://www.ethicalhacker.net/images/stories/columns/hoffman/feb06/2.jpg" width="187" border="0" height="86" /&gt;&lt;br /&gt;Figure 2 &lt;/strong&gt;(Indicates a Secure SSL Session)  &lt;/p&gt; &lt;p&gt; Continuing with the scenario, what you didn’t realize is that a hacker has intercepted your Online Banking login credentials and credit card information and can now log into your Online Banking Website or purchase items with your credit card. How is this possible, since SSL was used and is hard to break? The answer is that you made a fatal mistake that subjected you to an SSL Man-in-the-Middle (MITM) attack. &lt;/p&gt; &lt;h4&gt;The Attack&lt;/h4&gt; &lt;p&gt; The fatal flaw that allows the sensitive information to be stolen arises when an end-user is not properly educated about an easy-to-perform, well-known SSL exploit: SSL MITM. &lt;/p&gt; &lt;p&gt; &lt;strong&gt;Here’s how it’s done:&lt;/strong&gt;  &lt;/p&gt; &lt;p&gt; The hacker goes to the coffee shop and connects to the same Wi-Fi network you are connected to. 
He runs a series of utilities to redirect other users’ data through his machine. He runs a number of other utilities to sniff the data, act as an SSL Certificate Server and be the Man-in-the-Middle. The following diagram shows a very simplified graphic of how your SSL Banking session should work under normal conditions, then how it would work during an attack: &lt;/p&gt; &lt;div style="text-align: left;"&gt; &lt;strong&gt;&lt;img style="width: 372px; height: 263px;" src="http://www.ethicalhacker.net/images/stories/columns/hoffman/feb06/3.gif" border="0" /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/div&gt;&lt;p align="center"&gt;&lt;strong&gt;Figure 3&lt;/strong&gt;  &lt;/p&gt; &lt;div style="text-align: left;"&gt; &lt;strong&gt;&lt;img style="width: 362px; height: 200px;" src="http://www.ethicalhacker.net/images/stories/columns/hoffman/feb06/4.gif" border="0" /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;strong&gt;Figure 4&lt;/strong&gt;&lt;/div&gt;&lt;p align="center"&gt;  &lt;/p&gt; &lt;p&gt; An important concept to grasp here is that a certificate is used to establish the secure SSL connection. This is a good thing, if you have a good certificate and are connecting directly to the website you intended to use. Then all your data is encrypted from your browser to the SSL website, where the bank’s website will use the information from the certificate it gave you to decrypt your data/credentials. If that is &lt;em&gt;truly&lt;/em&gt; the case, then it is pretty darn hard for a hacker to decrypt the data/credentials being transmitted, even if he is able to sniff your data. &lt;/p&gt; &lt;p&gt; This is a bad thing if you have a “Fake” certificate being sent from the hacker, and you are actually connecting to his machine, not directly to the bank’s website. In this case, your credentials are being transmitted between your browser and the hacker’s machine. 
The hacker is able to grab that traffic, and, because he gave you the certificate to encrypt the data/credentials, he can use that same certificate to decrypt your data/credentials. &lt;/p&gt; &lt;p&gt; &lt;strong&gt;Here are the exact steps a hacker could use to perform this attack:&lt;/strong&gt;  &lt;/p&gt; &lt;p&gt; The first thing he would do is turn on &lt;strong&gt;Fragrouter&lt;/strong&gt;, so that his machine can perform IP forwarding  &lt;/p&gt; &lt;div style="text-align: left;"&gt; &lt;strong&gt;&lt;img src="http://www.ethicalhacker.net/images/stories/columns/hoffman/feb06/5.jpg" width="607" border="0" height="377" /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/div&gt;&lt;p align="center"&gt;&lt;strong&gt;Figure 5&lt;/strong&gt;  &lt;/p&gt; &lt;p&gt; After that, he’ll want to direct your Wi-Fi network traffic to his machine instead of your data traffic going directly to the Internet. This enables him to be the “Man-in-the-Middle” between your machine and the Internet. 
Using &lt;strong&gt;Arpspoof&lt;/strong&gt;, a really easy way to do this, he determines your IP address is 192.168.1.15 and the Default Gateway of the Wi-Fi network is 192.168.1.1: &lt;/p&gt; &lt;div style="text-align: left;"&gt; &lt;strong&gt;&lt;img src="http://www.ethicalhacker.net/images/stories/columns/hoffman/feb06/6.jpg" width="607" border="0" height="377" /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/div&gt;&lt;p align="center"&gt;&lt;strong&gt;Figure 6&lt;/strong&gt;  &lt;/p&gt; &lt;p&gt; The next step is to enable DNS Spoofing via &lt;strong&gt;DNSSpoof&lt;/strong&gt;:  &lt;/p&gt; &lt;div style="text-align: left;"&gt; &lt;strong&gt;&lt;img src="http://www.ethicalhacker.net/images/stories/columns/hoffman/feb06/7.jpg" width="607" border="0" height="377" /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/div&gt;&lt;p align="center"&gt;&lt;strong&gt;Figure 7&lt;/strong&gt;  &lt;/p&gt; &lt;p&gt; Since he will be replacing the Bank's or Online Store’s valid certificate with his own fake one, he will need to turn on the utility to enable his system to be the Man-in-the-Middle for web sessions and to handle certificates. This is done via &lt;strong&gt;webmitm&lt;/strong&gt;:  &lt;/p&gt; &lt;div style="text-align: left;"&gt; &lt;strong&gt;&lt;img src="http://www.ethicalhacker.net/images/stories/columns/hoffman/feb06/8.jpg" width="607" border="0" height="377" /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/div&gt;&lt;p align="center"&gt;&lt;strong&gt;Figure 8&lt;/strong&gt;  &lt;/p&gt; &lt;p&gt; At this point, he is set up and ready to go. He now needs to begin actively sniffing your data passing through his machine, including your login information and credit card info.
He opts to do this with &lt;strong&gt;Ethereal&lt;/strong&gt;, then saves his capture:  &lt;/p&gt; &lt;div style="text-align: left;"&gt; &lt;strong&gt;&lt;img style="width: 382px; height: 315px;" src="http://www.ethicalhacker.net/images/stories/columns/hoffman/feb06/9.gif" border="0" /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/div&gt;&lt;p align="center"&gt;&lt;strong&gt;Figure 9&lt;/strong&gt;  &lt;/p&gt; &lt;p&gt; He now has the data, but it is still encrypted with 128-bit SSL. No problem, since he has the key. All he needs to do now is decrypt the data using the certificate that he gave you. He does this with &lt;strong&gt;SSL Dump&lt;/strong&gt;:  &lt;/p&gt; &lt;div style="text-align: left;"&gt; &lt;strong&gt;&lt;img src="http://www.ethicalhacker.net/images/stories/columns/hoffman/feb06/10.gif" width="607" border="0" height="377" /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/div&gt;&lt;p align="center"&gt;&lt;strong&gt;Figure 10&lt;/strong&gt;  &lt;/p&gt; &lt;p&gt; The data is now decrypted and he runs a Cat command to view the now decrypted SSL information. Note that the username is “Bankusername” and the password is “BankPassword”. Conveniently, this dump also shows the Banking site as National City. FYI, the better, more secure banking and online store websites will have you first connect to another, preceding page via SSL, prior to connecting to the page where you enter the sensitive information such as bank login credentials or credit card numbers. The reason for this is to stop the MITM-type attack. The way this helps is that if you accessed this preceding page with a "fake" certificate and then proceeded to the next page, the page where you would enter the sensitive information would not display.
That is because the page gathering the sensitive information would be expecting a valid certificate, which it would not receive because of the Man-in-the-Middle. While some online banks and stores do implement this extra step/page for security reasons, the real flaw in this attack is the uneducated end-user, as you'll soon see: &lt;/p&gt; &lt;div style="text-align: left;"&gt;&lt;div style="text-align: left;"&gt; &lt;strong&gt;&lt;img src="http://www.ethicalhacker.net/images/stories/columns/hoffman/feb06/11.jpg" width="641" border="0" height="398" /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;/div&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Figure 11&lt;/strong&gt;  &lt;/p&gt; &lt;p&gt; With this information, he can now log into your Online Banking Account with the same access and privileges as you. He could transfer money, view account data, etc. &lt;/p&gt; &lt;p&gt; Below is an example of a sniffed SSL credit card purchase/transaction. You can see that Elvis Presley was attempting to make a purchase with his credit card 5440123412341234 with an expiration date of 5/06 and the billing address of Graceland in Memphis, TN (He is alive!). If this was your information, the hacker could easily make online purchases with your card. &lt;/p&gt; &lt;div style="text-align: left;"&gt; &lt;strong&gt;&lt;img src="http://www.ethicalhacker.net/images/stories/columns/hoffman/feb06/12.jpg" width="607" border="0" height="377" /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/div&gt;&lt;p align="center"&gt;&lt;strong&gt;Figure 12&lt;/strong&gt;  &lt;/p&gt; &lt;h4&gt;Also Real Bad News for SSL VPN Admins&lt;/h4&gt; &lt;p&gt; This type of attack could be particularly bad for corporations. The reason for this is that Corporate SSL VPN solutions are also vulnerable to this type of attack. Corporate SSL VPN solutions will often authenticate against Active Directory, the NT Domain, LDAP or some other centralized credentials data store. 
Sniffing the SSL VPN login then gives an attacker valid credentials to the corporate network and other systems. &lt;/p&gt; &lt;h4&gt;What an End-User Needs To Know&lt;/h4&gt; &lt;p&gt; There’s a big step an end-user can take to prevent this from taking place. When the MITM Hacker uses the “bad” certificate instead of the “good”, valid certificate, the end-user is actually alerted to this. The problem is that most end-users don’t understand what this means and will unknowingly agree to use the fake certificate. Below is an example of the Security Alert an end-user would receive. Most uneducated end-users would simply click “Yes”… and this is the fatal flaw: &lt;/p&gt; &lt;div style="text-align: left;"&gt; &lt;strong&gt;&lt;img src="http://www.ethicalhacker.net/images/stories/columns/hoffman/feb06/13.jpg" width="382" border="0" height="300" /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/div&gt;&lt;p align="center"&gt;&lt;strong&gt;Figure 13&lt;/strong&gt;  &lt;/p&gt; &lt;p&gt; By clicking “Yes”, they have set themselves up to be hacked. By clicking the “View Certificate” button, the end-user would easily see that there is a problem.
Below are examples of the various certificate views/tabs that show a good certificate compared to the bad certificate: &lt;/p&gt; &lt;div style="text-align: left;"&gt; &lt;strong&gt;&lt;img style="width: 378px; height: 218px;" src="http://www.ethicalhacker.net/images/stories/columns/hoffman/feb06/14.jpg" border="0" /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/div&gt;&lt;p align="center"&gt;&lt;strong&gt;Figure 14&lt;/strong&gt;&lt;br /&gt;(Good Certificate)                                                (Bad Certificate)  &lt;/p&gt; &lt;div style="text-align: left;"&gt; &lt;strong&gt;&lt;img style="width: 384px; height: 226px;" src="http://www.ethicalhacker.net/images/stories/columns/hoffman/feb06/15.jpg" border="0" /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/div&gt;&lt;p align="center"&gt;&lt;strong&gt;Figure 15&lt;/strong&gt;&lt;br /&gt;(Good Certificate)                                                (Bad Certificate)  &lt;/p&gt; &lt;div style="text-align: left;"&gt; &lt;strong&gt;&lt;img style="width: 393px; height: 229px;" src="http://www.ethicalhacker.net/images/stories/columns/hoffman/feb06/16.jpg" align="middle" border="0" /&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/div&gt;&lt;p align="center"&gt;&lt;strong&gt;Figure 16&lt;/strong&gt;&lt;br /&gt;(Good Certificate)                                                (Bad Certificate)  &lt;/p&gt; &lt;h4&gt;How an End-User Can Prevent This&lt;/h4&gt; &lt;ul&gt;&lt;li&gt;  &lt;p&gt;  Again, the simple act of viewing the certificate and clicking “No” would have prevented this from happening.   &lt;/p&gt;  &lt;/li&gt;&lt;li&gt;  &lt;p&gt; Education is the key for an end-user. If you see this message, take the time to view the certificate. As you can see from the examples above, you can tell when something doesn’t look right. If you can’t tell, err on the side of caution and call your Online Bank or the Online store. 
&lt;/p&gt;  &lt;/li&gt;&lt;li&gt;  &lt;p&gt;  Take the time to read and understand all security messages you receive. Don’t just randomly click yes out of convenience.   &lt;/p&gt;  &lt;/li&gt;&lt;/ul&gt; &lt;h4&gt;How a Corporation Can Prevent This&lt;/h4&gt; &lt;ul&gt;&lt;li&gt;  &lt;p&gt;  Educate the end-user on the Security Alert and how to react to it.   &lt;/p&gt;  &lt;/li&gt;&lt;li&gt;  &lt;p&gt;  Utilize One Time Passwords, such as RSA Tokens, to prevent the reuse of sniffed credentials.   &lt;/p&gt;  &lt;/li&gt;&lt;li&gt;  &lt;p&gt; When using SSL VPN, utilize mature products with advanced features, such as Juniper’s Secure Application Manager or Network Connect functionality. &lt;/p&gt;  &lt;/li&gt;&lt;/ul&gt; &lt;h4&gt;Conclusion&lt;/h4&gt; &lt;p&gt; This type of attack is relatively easy to do in a public Wi-Fi hotspot environment. It could also easily happen on a home Wi-Fi network, if that Wi-Fi network isn’t properly configured and allows a hacker to connect to that home network. An educated end-user and sound security practices by corporations can protect your valuable data. 
&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/1217843747718566446/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=1217843747718566446' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/1217843747718566446'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/1217843747718566446'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/07/hacking-online-banking-and-credit-card.html' title='Hacking Online Banking and Credit Card Transactions – And How to Prevent It'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-3285362666468740219</id><published>2008-07-14T12:26:00.008-04:00</published><updated>2008-07-14T14:59:50.920-04:00</updated><title type='text'>Cross Site Scripting (XSS) Poses Significant Risk</title><content type='html'>&lt;span style="font-size:130%;"&gt;&lt;span style="font-family:arial;"&gt;"In general, cross-site scripting refers to that hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content from an end-user and collect some type of data from the victim."
(acunetix.com).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;"Websites today are more complex than ever, containing a lot of dynamic content making the experience for the user more enjoyable. Dynamic content is achieved through the use of web applications which can deliver different output to a user depending on their settings and needs. Dynamic websites suffer from a threat that static websites don't, called "Cross Site Scripting" (or XSS dubbed by other security professionals)." (cgisecurity.com)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Cross site scripting holes have been found in many well known websites including FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired, and Newsbytes.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;"A web page contains both text and HTML markup that is generated by the server and interpreted by the client browser. Web sites that generate only static pages are able to have full control over how the browser interprets these pages. Web sites that generate dynamic pages do not have complete control over how their outputs are interpreted by the client. The heart of the issue is that if mistrusted content can be introduced into a dynamic page, neither the web site nor the client has enough information to recognize that this has happened and take protective actions." (CERT Coordination Center).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;"Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. 
The data is usually formatted as a hyperlink containing malicious content and which is distributed over any possible means on the internet. " (acunetix.com).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;As a software developer, the way to protect against XSS is simple: never trust user input and always filter metacharacters. This will eliminate the majority of XSS attacks. For example, converting (ignore the brackets - they are just here for formatting purposes) [&lt;] to [&amp;amp;lt;] and [&gt;] to [&amp;amp;gt;] is suggested when it comes to script output, as is translating [(] to [&amp;amp;#40;] and [)] to [&amp;amp;#41;], ["] to [&amp;amp;#34;], ['] to [&amp;amp;#39;], [#] to [&amp;amp;#35;] and [&amp;amp;] to [&amp;amp;#38;]. Even after making these sorts of changes, it is best to always have an independent third party scan your website for XSS vulnerabilities.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;From the user's perspective, only follow links from websites you trust. As an example, and although somewhat cumbersome, if you visit a website and it links to CNN, instead of clicking on that link, go directly to CNN's main site and use its search engine to find the content. This will probably eliminate ninety percent of the problem. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Another way to protect yourself is to turn off JavaScript in your browser settings and, in IE, adjust your security settings to high to prevent cookie theft. This may impede navigation in some websites, but it will make web surfing safer.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Lastly, don't be fooled by websites that use SSL (https).
You are no more protected on them than on websites that are not encrypted, because the web applications work the same way in either case. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Additional reading can be found at:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;a style="font-family: arial;" href="http://www.sitepoint.com/blogs/2005/07/18/cross-site-scripting-could-make-you-lose-your-cookies/"&gt;http://www.sitepoint.com/blogs/2005/07/18/cross-site-scripting-could-make-you-lose-your-cookies/&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a style="font-family: arial;" href="http://www.cert.org/advisories/CA-2000-02.html"&gt;http://www.cert.org/advisories/CA-2000-02.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a style="font-family: arial;" href="http://msdn.microsoft.com/en-us/library/ms533046.aspx"&gt;http://msdn.microsoft.com/en-us/library/ms533046.aspx&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a style="font-family: arial;" href="http://en.wikipedia.org/wiki/Cross-site_scripting"&gt;http://en.wikipedia.org/wiki/Cross-site_scripting&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a style="font-family: arial;" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947"&gt;http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.cgisecurity.com/articles/xss-faq.shtml"&gt;http://www.cgisecurity.com/articles/xss-faq.shtml&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/3285362666468740219/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=3285362666468740219' title='0 Comments'/><link 
rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/3285362666468740219'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/3285362666468740219'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/07/cross-site-scripting-xss-poses.html' title='Cross Site Scripting (XSS) Poses Significant Risk'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-2589440980967235431</id><published>2008-07-11T17:18:00.003-04:00</published><updated>2008-07-11T17:39:04.457-04:00</updated><title type='text'>800 Vulnerabilities in Anti-Virus Products</title><content type='html'>&lt;span style="font-family: arial;font-size:130%;" &gt;OBERURSEL, Germany--(&lt;a href="http://www.businesswire.com/"&gt;BUSINESS WIRE&lt;/a&gt;)--&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family: arial;"&gt;&lt;br /&gt;“During the past few months, specialists from the n.runs AG, along with other  security experts, have discovered approximately 800 vulnerabilities in anti-virus  products.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;The conclusion: contrary to their actual function, the products open  the door to attackers, enable them to penetrate company networks and infect them  with destructive code. 
The positioning of anti-virus software in central areas of the company now poses an accordingly high security risk.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;The tests performed by the consulting company and solutions developer n.runs have indicated that every virus scanner currently on the market immediately revealed up to several highly critical vulnerabilities. These then pave the way for Denial of Service (DoS) attacks and enable the infiltration of destructive code – past the security solution into the network. With that, anti-virus solutions actually allow the very thing they should instead prevent.”&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;a style="font-family: arial;" href="http://3.bp.blogspot.com/_GGOoA1hdnEA/SHfP6OtJ34I/AAAAAAAAAAk/wlJ5KJTXu5c/s1600-h/av-vulns.bmp"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://3.bp.blogspot.com/_GGOoA1hdnEA/SHfP6OtJ34I/AAAAAAAAAAk/wlJ5KJTXu5c/s320/av-vulns.bmp" alt="" id="BLOGGER_PHOTO_ID_5221870892246228866" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;AV-Vulnerabilities Q1/2008 - &lt;em&gt;Source : University of Michigan&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;More information:&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;a href="http://blogs.zdnet.com/security/?p=1445&amp;amp;tag=nl.e540"&gt;http://blogs.zdnet.com/security/?p=1445&amp;amp;tag=nl.e540&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-2589440980967235431?l=idpnow.blogspot.com' alt=''
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/2589440980967235431/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=2589440980967235431' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/2589440980967235431'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/2589440980967235431'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/07/800-vulnerabilities-in-anti-virus.html' title='800 Vulnerabilities in Anti-Virus Products'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_GGOoA1hdnEA/SHfP6OtJ34I/AAAAAAAAAAk/wlJ5KJTXu5c/s72-c/av-vulns.bmp' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-1855096088847232493</id><published>2008-07-09T10:30:00.002-04:00</published><updated>2008-07-09T10:56:02.059-04:00</updated><title type='text'>Fundamental DNS Flaw</title><content type='html'>&lt;p style="font-family: arial;"&gt;&lt;span style="font-size:130%;"&gt;Yesterday, Dan Kaminsky, a security researcher, disclosed a fundamental flaw in the Domain Name System (DNS), the mechanism that translates URLs into IP addresses and vice versa. This flaw makes it possible to guess values in advance and assert a malicious server as the authoritative DNS server for any site, including bank and e-commerce sites.
&lt;/span&gt;&lt;/p&gt; &lt;p style="font-family: arial;"&gt;&lt;span style="font-size:130%;"&gt;Dan Kaminsky, director of penetration testing services for IO Active, found  the DNS flaw earlier this year. Dan proactively worked with the affected parties prior to his public announcement. Although he did not disclose any technical details, he  said, "the severity is shown by the number of people who've gotten onboard with  this patch." &lt;/span&gt;&lt;/p&gt;  &lt;p style="font-family: arial;"&gt;&lt;span style="font-size:130%;"&gt;Back in March, Kaminsky said 16 researchers gathered at Microsoft to see  whether they understood what was going on, as well as what would be a fix to  affect the greatest number of people worldwide, and when they would issue this  fix. &lt;/span&gt;&lt;/p&gt; &lt;p style="font-family: arial;"&gt;&lt;span style="font-size:130%;"&gt;In a unified response to address the flaw, Kaminsky said the researchers all decided to  conduct a synchronized, multivendor release. Accordingly, Microsoft in its  July Patch Tuesday released &lt;a class="external-link" href="http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx"&gt;MS08-037&lt;/a&gt;.  Cisco Systems, Sun Microsystems, and BIND were expected to roll out patches  on Tuesday as well.  &lt;/span&gt;&lt;/p&gt; &lt;p style="font-family: arial;"&gt;&lt;span style="font-size:130%;"&gt;The coordinated release covers a wide variety of vendors with DNS  servers and DNS clients. Not all of the DNS client vendors have announced  patches. Most systems will be patched automatically. Those that require a manual patch will have 30 days to patch their systems before additional details are made public.  &lt;/span&gt;&lt;/p&gt; &lt;p style="font-family: arial;"&gt;&lt;span style="font-size:130%;"&gt;This issue also affects Internet service providers used by home users, but hardware  routers used by home users should not be affected. 
&lt;/span&gt;&lt;/p&gt; &lt;p style="font-family: arial;"&gt;&lt;span style="font-size:130%;"&gt;Kaminsky intends to release details before &lt;a class="external-link" href="http://www.blackhat.com/"&gt;Black Hat 2008&lt;/a&gt;, on August 7 and 8 in Las  Vegas. &lt;/span&gt;&lt;/p&gt;&lt;p style="font-family: arial;"&gt;&lt;span style="font-size:130%;"&gt;Not a day goes by without a new revelation of how malicious attackers can compromise your systems. Although this most recent security alert is far reaching and could potentially affect huge numbers of users, there are hundreds of other known vulnerabilities lurking in business systems. This is just more reinforcement to invest in ongoing vulnerability assessments.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family: arial;"&gt;To check to see if your system is vulnerable, Kaminsky has provided a &lt;/span&gt;&lt;/span&gt;&lt;a class="external-link" href="http://www.doxpara.com/"&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-family: arial;"&gt;DNS checker&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-1855096088847232493?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/1855096088847232493/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=1855096088847232493' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/1855096088847232493'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/1855096088847232493'/><link rel='alternate' type='text/html' 
href='http://idpnow.blogspot.com/2008/07/fundemental-dns-flaw.html' title='Fundamental DNS Flaw'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-4739082836069262723</id><published>2008-07-08T10:18:00.005-04:00</published><updated>2008-07-08T10:42:39.875-04:00</updated><title type='text'>Quantifying Risk &amp; ROI In Vulnerability Assessments</title><content type='html'>&lt;span style="font-weight: bold;font-family:arial;font-size:130%;"  &gt;Question:&lt;/span&gt;&lt;span style="font-family:arial;font-size:130%;"&gt; What is the course for the budget-strapped executive, who assumes that the current security systems are good enough, robust enough, and up-to-date enough to stop the next wave? How does he prove due diligence, and assure all stakeholders that their confidence in the systems under his control is well placed? A difficult, costly and often intimidating process!&lt;/span&gt;&lt;span style="font-weight: bold;font-family:arial;font-size:130%;"  &gt;&lt;br /&gt;&lt;br /&gt;Answer:&lt;/span&gt;&lt;span style="font-family:arial;font-size:130%;"&gt; Clearly, the only solution is to monitor and assess the exact vulnerability state of every component of the infrastructure constantly and consistently. Outsourced security operations will offer many advantages and excellent services in this regard, which can greatly enhance the overall security level of the enterprise.
Costs, however, are often difficult to justify in real terms, and for most security spends a true ROI is difficult.&lt;/span&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;&lt;br /&gt;&lt;br /&gt;Where the risks are clear, the solution is often seen as a necessary evil rather than an investment, but where vulnerability assessments are concerned, determining an accurate ROI can be a highly involved process, and is practically impossible to achieve in isolation.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;The real return on investment for vulnerability assessment technology and technical audit services cannot be determined simply as a factor of risk mitigation, but MUST also incorporate the improvement effect that these systems have on ROI calculations for more specific security architecture, such as firewalls, IDS, biometrics and the like.&lt;/span&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;font-family:arial;font-size:130%;"  &gt;&lt;br /&gt;To illustrate this concept:&lt;/span&gt;&lt;span style="font-family:arial;font-size:130%;"&gt; the necessity of a firewall is clear for any Internet-connected concern, and its worth can be clearly demonstrated in pure risk mitigation and network protection terms. The continual stringent maintenance and accurate configuration of that firewall, however, directly impacts its effectiveness and therefore its worth, and hence ROI. 
&lt;/span&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Regular assessment of its configuration, and timeliness of patching newly discovered problems, maintains or increases the effectiveness, and therefore the worth of that firewall.&lt;/span&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;&lt;br /&gt;True ROI calculations for vulnerability assessment must include the real threat that a compromise of these assets poses to the security of other, linked and/or underlying systems, data, and processes.&lt;/span&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold; font-style: italic;font-family:arial;font-size:130%;"  &gt;&lt;br /&gt;Assumptions:&lt;/span&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;The value of information is often considered to be at least as important as the value of a company's physical assets. 
&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Protecting the confidentiality, integrity, accuracy and accessibility of company information is important to a firm's ability to function in today's business environment.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;A breach of a company's information systems could result in the disclosure not only of its information, but also its trading partners' sensitive data.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Biggest threat is unauthorized users - including insiders, hackers, corporate raiders / intelligence gathering companies (they use and sell this information to other companies), professional criminals.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Most E&amp;amp;O, liability, business continuation and property insurance policies require a proactive security policy - and vulnerability assessments go a long way in satisfying that requirement&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Statistically, the average percentage of a firm's information technology budget that is spent on information security is between 1-2% of average revenues &lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold; font-style: italic;font-family:arial;font-size:130%;"  &gt;Three drivers in decision to proceed:&lt;/span&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;What is the loss resulting from a breach occurring&lt;/span&gt;?&lt;/span&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span 
style="font-family:arial;font-size:130%;"&gt;Downtime&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Compromised / damaged / stolen data&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Monetary cost&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Legal costs&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Costs related to loss of system / data availability&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Lost business&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Internal / external services to correct / remediate situation&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Costs related to loss of information integrity / confidentiality&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-style: italic;font-family:arial;font-size:130%;"  &gt;What is the probability of a threat occurring?&lt;/span&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Challenge, status or thrill&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Every day, your network is being scanned and probed by a variety of automated tools and people seeking nothing more than "breaking in". This occurs whether you know it or not - guaranteed, so the threat is indeed real - it's happening today.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Most first time exploits go undetected. 
You usually don't know about it until it is too late and the damage has been done.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Damage to electronic assets, data, reputation or ability to conduct business. &lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Can occur purposefully, by accident or by random "luck of the draw"&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Loss of customer trust&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Ability to win future business&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-style: italic;font-family:arial;font-size:130%;"  &gt;What is the probability that a threat would be successful?&lt;/span&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Probability of an asset being compromised can be estimated based on the availability and ease of performing the exploit and the attractiveness of the target. 
&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;This probability of compromise is then combined with the possible loss or cost resulting from a security breach to determine a risk value for the asset.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Until an assessment is performed you don't know how available or easy it is for a vulnerability to be identified and exploited.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;What you don't know, CAN hurt you.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Unknown vulnerabilities make a target very attractive and without regard to the company or what it does, once vulnerabilities are identified they are posted on various Internet sites for all to see - and take advantage of.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-family:arial;font-size:130%;"&gt;Firewalls are not enough.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;font-family:arial;font-size:130%;"  &gt;Your investment is small relative to the cost of a vulnerability being exploited!&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-4739082836069262723?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/4739082836069262723/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=4739082836069262723' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/4739082836069262723'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/4739082836069262723'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/07/question-what-is-course-for-budget.html' title='Quantifying Risk &amp; ROI In Vulnerability Assessments'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-2616005298758408309</id><published>2008-07-04T11:42:00.001-04:00</published><updated>2008-07-04T11:42:07.143-04:00</updated><title type='text'>Hacking - What, When, And How?</title><content type='html'>&lt;a href="http://www.y2hack.com/hacking/hacking-what-when-and-how/"&gt;Hacking - What, When, And How?&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Posted using &lt;a href="http://sharethis.com"&gt;ShareThis&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-2616005298758408309?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/2616005298758408309/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=2616005298758408309' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/2616005298758408309'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/2616005298758408309'/><link rel='alternate' type='text/html' 
href='http://idpnow.blogspot.com/2008/07/hacking-what-when-and-how.html' title='Hacking - What, When, And How?'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-1532880914201431855</id><published>2008-07-03T08:17:00.001-04:00</published><updated>2008-07-03T08:45:24.683-04:00</updated><title type='text'>Small Businesses Are Not Immune From Attack</title><content type='html'>&lt;p class="MsoNormal" style="margin-left: 0in;"&gt;Large businesses have long known that they are targets for 
malicious attackers and have taken proactive steps to prevent intrusions.&lt;/p&gt;&lt;p class="MsoNormal" style="margin-left: 0in;"&gt;&lt;br /&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-left: 0in;"&gt;A common misperception among small businesses(*) is that they are safe from attack. Statements like “who would want to attack us” or “we don’t store information anyone would be interested in” are often what the owners and managers of small businesses think to themselves when it comes to Internet security. They assume they are safe because “we have a firewall in place and our IT guys said we were ok”. Nothing could be further from the truth.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-left: 0in;"&gt;The reality is that random IP scans go on all day long, with the attackers looking for nothing more than an easy target. Aside from purposeful, targeted attacks perpetrated by criminals, random trolling for unsuspecting targets makes up the greatest percentage of attacks. It’s not so much that businesses fail to take Internet security seriously, but that they don’t really have a handle on where their vulnerabilities lie. Additionally, IT staff (if there are any) are too busy putting out the daily fires to really take the time to fully understand and appreciate where they are vulnerable.&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-left: 0in;"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="MsoNormal" style="margin-left: 0in;"&gt;The solution is simple. Engage a qualified, certified third party to conduct a vulnerability assessment and penetration test. 
Using a combination of open source, commercial and self-developed tools, these security professionals will assess your environment and make specific recommendations to “close the doors” and ultimately provide a disincentive for malicious attackers from choosing you as a target.&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-left: 0in;"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/p&gt;  &lt;span style=";font-family:&amp;quot;;font-size:100%;"  &gt;&lt;br /&gt;(*) Businesses with revenues under $50m.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1578398477465556415-1532880914201431855?l=idpnow.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/1532880914201431855/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=1532880914201431855' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/1532880914201431855'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/1532880914201431855'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/07/small-businesses-are-not-immune-from.html' title='Small Businesses Are Not Immune From Attack'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' 
src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1578398477465556415.post-502397713078318657</id><published>2008-07-02T12:34:00.001-04:00</published><updated>2008-08-20T10:23:30.617-04:00</updated><title type='text'>Hackers are here. Where are you?</title><content type='html'>&lt;span style="font-family:arial;"&gt;&lt;span style="font-size:130%;"&gt;Hackers and malicious insiders are an undeniable threat to your organization's network. They have sophisticated tools and backdoor programs at their disposal with which to steal information, perform unlawful or unauthorized activities, and cover their tracks. Security professionals charged with protecting their organizations can become overwhelmed in developing specialty applications to combat these threats.&lt;br /&gt;&lt;br /&gt;This is my first posting to what I anticipate will be an ongoing effort to promote the importance of "closing those open doors" and keeping your digital assets protected. 
Going forward, I look forward to including snippets of useful information, pertinent articles, my experiences in the field and tips to keep malicious attackers at bay.&lt;br /&gt;&lt;br /&gt;All feedback is welcome and I'll do my best to respond as appropriate.&lt;br /&gt;&lt;br /&gt;Thanks for visiting my blog and I hope you return soon.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://idpnow.blogspot.com/feeds/502397713078318657/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1578398477465556415&amp;postID=502397713078318657' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/502397713078318657'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1578398477465556415/posts/default/502397713078318657'/><link rel='alternate' type='text/html' href='http://idpnow.blogspot.com/2008/07/hackers-are-here-where-are-you.html' title='Hackers are here. Where are you?'/><author><name>Jerry Tabeling</name><uri>http://www.blogger.com/profile/00719192612891524820</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='19' height='32' src='http://2.bp.blogspot.com/_GGOoA1hdnEA/S0n8MvBI6mI/AAAAAAAAAFk/alwAvPVCvro/S220/jerry5.jpg'/></author><thr:total>0</thr:total></entry></feed>
