Those interested in learning a bit more about national cyber warfare and vulnerabilities that the US has in this regard should watch the CBS program, 60 Minutes, where they discussed this. Most of their sources are very credible and I heard very little that wasn’t a current reality.
North Korea is probably not to blame for the DDOS attacks in 2009
July 13, 2010
Many of you might remember the distributed denial of service (DDOS) attacks that hampered several US websites about a year ago. The source of the attacks appeared to be North Korea. Now the US says there is no conclusive evidence that the attacks came from North Korea at all. This is very common. A good hacker will attack a system from a non-friendly nation state. In other words, if you want to attack the U.S., use a North Korean computer to do it, because there is little if any cooperation in working to identify the culprit. Of course the computer in North Korea would be controlled by one in the U.K., which would be controlled by one in Iran, etc. These are the standard tactics experienced hackers use to keep from getting caught. In this particular DDOS attack case, they say it is very unlikely that the culprit will ever be found.
Apple isn’t more or less secure than other operating systems
July 9, 2010
I am not saying that Apple is any more or less secure than another operating system. But I do run across those who feel Apple can do no wrong and that the Apple operating system and other software Apple creates is nearly bug free and vulnerability free. All software has bugs and vulnerabilities, and Apple is no different. For example, a couple of weeks ago Apple issued an updated version of its Safari web browser that fixes AT LEAST 48 security flaws. All software has vulnerabilities and all software needs to be patched. Don’t get in the mindset that you are using something that is exempt.
Malicious websites continue to be hackers’ weapon of choice
July 7, 2010
For a couple of years now I have been explaining how the weapon of choice for hackers is malicious websites. It is exponentially easier for them to exploit systems this way, and these methods completely bypass traditional network firewalls and intrusion detection and prevention systems. Take, for example, the series of attacks that were reported June 9, 2010. Tens of thousands of webpages were found to be infected with malware. The hackers discovered a vulnerability in Microsoft IIS that they could exploit in an automated way. They then infected the websites to redirect visitors to malicious servers where malware is installed on the user’s desktop. A redirection is very easy to do and takes only a single line of code. More than 100,000 web pages were compromised in this attack alone. These aren’t just unknown sites either; they include The Wall Street Journal and many other sites that your users access every day. Organizations need to think beyond the network-based intrusion detection system if they really want to protect their networks.
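The post describes injected one-line redirects on otherwise legitimate pages. As an added example (not from the original post or from any of the vendors it mentions), the script below scans HTML the way a site owner might check their own pages after a compromise: it flags hidden or off-site iframes, meta refreshes and script-driven location changes that point to hosts outside an assumed allow-list. The trusted hostnames, the sample pages and the malicious-looking hostnames are all constructed for the example.

```python
"""Detect injected off-site redirects in HTML (added example, not from the post)."""
import re
from urllib.parse import urlparse

# Assumed: the site's own hostnames. Any other host counts as "off-site".
TRUSTED_HOSTS = {"example-news.test", "cdn.example-news.test"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
META_RE = re.compile(r"<meta\b[^>]*>", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
REFRESH_RE = re.compile(r"http-equiv\s*=\s*['\"]?refresh", re.I)
REFRESH_URL_RE = re.compile(r"url\s*=\s*([^'\"\s;]+)", re.I)
# window.location = "...", location.href = "...", location.replace("...")
LOCATION_RE = re.compile(
    r"\blocation(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|\blocation\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]", re.I)
# Zero-size or invisible frames are the classic drive-by pattern.
HIDDEN_RE = re.compile(
    r"\b(?:width|height)\s*=\s*['\"]?0(?:px)?\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def is_offsite(url):
    """True when the URL names a host that is not one of ours (relative URLs are on-site)."""
    host = urlparse(url).hostname
    return host is not None and host.lower() not in TRUSTED_HOSTS


def scan_html(html):
    """Return a list of (kind, target) findings for off-site redirects in one page."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        if src and is_offsite(src.group(1)):
            kind = "hidden-iframe" if HIDDEN_RE.search(tag) else "offsite-iframe"
            findings.append((kind, src.group(1)))
    for m in META_RE.finditer(html):
        tag = m.group(0)
        if REFRESH_RE.search(tag):
            url = REFRESH_URL_RE.search(tag)
            if url and is_offsite(url.group(1)):
                findings.append(("meta-refresh", url.group(1)))
    for m in LOCATION_RE.finditer(html):
        target = m.group(1) or m.group(2)
        if is_offsite(target):
            findings.append(("script-redirect", target))
    return findings


def scan_site(pages):
    """Map page path -> findings, keeping only pages that have something to report."""
    return {path: f for path, f in ((p, scan_html(h)) for p, h in pages.items()) if f}


# Constructed sample pages: a clean page (its relative meta refresh is benign),
# one with an injected hidden iframe, and one with an injected script redirect.
CLEAN_PAGE = """<html><head><title>Markets</title>
<meta http-equiv="refresh" content="300; url=/markets">
<script src="https://cdn.example-news.test/app.js"></script></head>
<body><a href="/markets">Markets</a></body></html>"""
INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://malware-host.test/in.php" width=0 height=0></iframe></body>')
SCRIPT_PAGE = CLEAN_PAGE.replace(
    "</head>", '<script>window.location.href="http://drop.badhost.test/x";</script></head>')
SAMPLE_PAGES = {"/markets": CLEAN_PAGE, "/story-1": INFECTED_PAGE, "/story-2": SCRIPT_PAGE}

if __name__ == "__main__":
    for path, findings in scan_site(SAMPLE_PAGES).items():
        print(path, findings)
```

Running this over a crawl of your own site (or over stored copies of pages) gives a cheap content-level check that a network IDS watching encrypted or legitimate-looking traffic cannot provide; pair it with file-integrity monitoring on the web root so an injection is caught at write time rather than at the next crawl.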
Guide to Malware and Attack Methods
June 30, 2010
Many of you will remember the whitepaper I wrote just before 2010 was ushered in called the “Top 10 Information Security Threats of 2010.” I have done this for several years: Top 9 in 2009, Top 8 in 2008 and so forth. This year, the top threat I felt organizations were going to have to deal with was malware, and it sure looks like that is coming to pass. As I look back on my blog posts for this month alone, more than half of them deal with the issue of malware. A few months ago I wrote an article on malware. It is somewhat of a beginner’s guide, but it has gotten some good reviews because I break down the methods that cyber criminals use to spread malware. I know some organizations have used it for internal training. If you didn’t get a chance to see it, I would suggest taking a look. I hope it helps keep your organizations a bit safer. Click here to view the guide.
Identifying security vulnerabilities is only the first step
June 29, 2010
Most information security experts talk about vulnerability management quite a bit. This includes using external vulnerability assessments and penetration testing to determine your level of exposure to outside hackers and the like. Unfortunately, that is where vulnerability management ends for many organizations, and by itself it offers little threat mitigation. Identifying the vulnerabilities is step 1, but there are several other steps if you want this information to improve your security posture. Determining the legitimacy and reality of identified vulnerabilities for your organization is another step. Prioritizing patching and other mitigation strategies is another. And finally, implementing the fixes where needed is the final step. Most organizations don’t do these additional steps, which at a minimum means the assessment does nothing to improve their security and could in fact increase their liability if a data breach occurs (knowing the vulnerability existed and doing nothing about it). This issue gets more complicated for organizations that need to comply with various regulations or requirements. For example, those that must adhere to the PCI DSS are required to do quarterly vulnerability assessments. All too often the emphasis is placed on doing whatever it takes to pass an audit as opposed to what it takes to be the most secure. I thought this article from Dark Reading was good at highlighting the issues.
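The post lists the steps after identification: validate each finding, prioritize, then fix. As an added example (not from the original post), the script below turns a set of scanner findings into a tracked remediation plan: verified false positives and already-mitigated items drop out, the rest are scored from severity, exposure and asset criticality, each gets a due date from an SLA table, and anything past its due date is reported, which is exactly the "knew and did nothing" exposure the post warns about. The field names, the scoring weights, the SLA windows and the sample findings are assumptions constructed for illustration.

```python
"""Vulnerability triage after the scan (added example, not from the post)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Finding:
    finding_id: str
    asset: str
    title: str
    cvss: float             # scanner base score, 0-10
    internet_facing: bool   # exposure: reachable from outside?
    exploit_public: bool    # is exploit code known to be available?
    asset_criticality: int  # 1 (low) .. 3 (mission-critical), from the asset inventory
    verified: str = "unknown"  # "confirmed", "false_positive", "mitigated" or "unknown"


# Assumed remediation windows per bucket, in days.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def risk_score(f):
    """Severity scaled by what the asset is worth and how reachable it is (assumed weights)."""
    score = f.cvss * f.asset_criticality
    if f.internet_facing:
        score *= 1.5
    if f.exploit_public:
        score *= 1.5
    return score


def bucket(score):
    """Map a score (max 67.5 with the weights above) onto an SLA bucket."""
    if score >= 40:
        return "critical"
    if score >= 20:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def triage(findings, today):
    """Drop validated non-issues, score and sort the rest, attach due dates."""
    plan = []
    for f in findings:
        if f.verified in ("false_positive", "mitigated"):
            continue
        score = risk_score(f)
        b = bucket(score)
        plan.append({
            "finding_id": f.finding_id, "asset": f.asset, "title": f.title,
            "score": round(score, 1), "bucket": b,
            "needs_validation": f.verified == "unknown",  # still step 2 work to do
            "due": today + timedelta(days=SLA_DAYS[b]),
        })
    plan.sort(key=lambda p: p["score"], reverse=True)
    return plan


def overdue(plan, today):
    """Finding ids whose remediation window has already passed."""
    return [p["finding_id"] for p in plan if p["due"] < today]


# Constructed sample findings (asset names and titles are placeholders).
SAMPLE_FINDINGS = [
    Finding("A", "web-01", "Remote code execution in web server module", 9.8, True, True, 3, "confirmed"),
    Finding("B", "db-02", "Privilege escalation in database service", 7.5, False, False, 3, "confirmed"),
    Finding("C", "kiosk-07", "Outdated media player", 5.0, False, False, 1),
    Finding("D", "web-01", "Directory listing enabled", 6.5, True, False, 3, "false_positive"),
]

if __name__ == "__main__":
    today = date(2010, 6, 29)
    for item in triage(SAMPLE_FINDINGS, today):
        print(item)
    print("overdue on 2010-07-20:", overdue(triage(SAMPLE_FINDINGS, today), date(2010, 7, 20)))
```

The point of keeping `needs_validation` on the record is that an unverified finding still gets a due date: validation is itself a step with a deadline, not a reason to let the item sit. For a PCI DSS quarterly cycle, the `overdue` list at the end of each quarter is the evidence an auditor (and your own management) should be asking for, not just the scan report.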
Cyber Security Risks for SEC Filings
June 25, 2010
If you belong to a public company, you are familiar with the SEC filing requirements to disclose risks to the stock and bottom line. Many public companies have now started including cyber security risks as part of those SEC filings. This includes Google after hackers compromised internal systems. The Google SEC filing states “because the techniques used [by hackers]…change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures.” If you are part of a public company, you may want to consider something similar.
Subscribers information wasn’t the only thing captured in the Apple data breach
June 22, 2010
Goatse, the hacking firm that discovered the vulnerability on AT&T’s website that exposed 144,000 iPad subscribers’ information, including name, account number and email address, does not like how AT&T has portrayed them. They wrote an explicit response to that letter here. I still think Goatse could have done things a bit differently. According to them, they notified a third party, who Goatse claims was a journalist, and then promptly destroyed the data. In other reports that I read, there were several third parties that were notified. I don’t have any idea if they were all journalists or not. The proper way to handle situations like this (if you aren’t trying to get free publicity and are truly just trying to do the right thing) is to contact AT&T directly and work with them until the vulnerability is fixed. Then you can disclose what happened. This is of course much easier said than done, but I still don’t think that Goatse followed the right steps. That doesn’t put them in the wrong either. They could have done much worse with the vulnerability they discovered and the information they gathered.
All that being said, I found something very interesting in the Goatse response that I hadn’t thought of before. One of the pieces of information they captured (or rather systematically guessed and then verified through data extraction) is the ICC-IDs. This is the unique identifier on the iPad’s SIM. Using the ICC-IDs, someone could potentially identify the location of any particular iPad owner and track everywhere the user goes. This could have very serious security ramifications, especially when you consider who was among that list of 144,000. If this were really possible (which no one has shown that it is yet), it is certainly a privacy issue but would border on a national security problem. Imagine if a foreign government knew exactly where all the top military leaders and the secretary of state were at all times. There are a lot of scary scenarios we could talk about if this were really possible. But I didn’t think of the risk the ICC-IDs could potentially pose when I wrote my initial blog post.
Patch for zero-day Adobe flaws will be available on June 29
June 18, 2010
There are still many people who do not believe malware can be installed on their computer unless they perform some action that enables it. For example, they think they have to click on a link or open a file attachment before they are infected. This simply isn’t the case anymore. Take, for example, the recent Adobe Flash vulnerability. A specially crafted PDF document can trigger malware being installed on your system just by visiting a website. This vulnerability is so critical that Adobe had to accelerate its scheduled quarterly update to reduce the risk, since this exploit is being actively seen in the wild. The fix for Flash was available June 10, and the fixes for Reader and Acrobat will be available on June 29.
Insurer claims non-liability in $3.3M data breach in Utah
June 17, 2010
My wife’s personal information was among the 1.7 million records in the data breach of a local hospital in Utah. In this case, backup tapes were stolen and later recovered, and they appeared not to have been used. The hospital made a claim against the third-party provider, Perpetual Storage, whose mistake allowed the tapes to be stolen. The claim is for $3.3 million, which the hospital said it had to pay in breach notification, credit monitoring, and other fees and costs associated with the breach. Perpetual Storage had an insurance policy with Colorado Casualty Insurance Co. for information security breaches. Colorado Casualty Insurance is saying that it is not liable and doesn’t have to pay. This is actually more common than you would think. Just because you have an insurance provider doesn’t mean it is a good risk mitigation strategy. Research these companies carefully. Find out what policies they have paid out on and which ones they haven’t. Read the fine print. You could be paying for a policy that doesn’t help you when you really need it.
Malware Found in Windows Mobile-based Smartphone Applications
June 16, 2010
I have talked several times about users downloading software from the Internet that contains malware. What I have told people is that hackers will download the legitimate versions of these programs, repackage them with malware and then post them back to the Internet where people will download them. This happened recently with Windows Mobile-based smartphone applications: scammers copied and repackaged the applications with malware and posted them on at least nine legitimate download sites. In this case, the malware was designed to make calls to premium rate numbers around the world. So if your phone is infected, you would be hit with what could be a very large phone bill.
Security Alert for Windows XP and Server 2003 Users
June 15, 2010
Perimeter E-Security customers should be aware of a Microsoft Windows XP and Server 2003 exploit. Exploit code has been posted online that shows attackers exactly how to compromise Windows XP and Server 2003 operating systems remotely. This is possible due to a newly discovered security flaw in the way Windows Help and Support Center processes links. These systems are supposed to work based on a fixed “whitelist” (a list of approved and authorized URLs); however, a security researcher at Google has shown how cyber criminals can add URLs to that whitelist. As a result, an attacker could trick a user into following a link that could download any file the hacker would like. The link and downloaded files run with the same permissions as the system’s current user. Many systems are configured by default with the user having administrative privileges.
Microsoft said, “Given the public disclosure of the details of the vulnerability, and how to exploit it, customers should be aware that broad attacks are likely.” This includes worms and a host of other malware that can automatically exploit this flaw through a variety of methods.
This is worse than most vulnerabilities we see. Most vulnerabilities allow the system to be compromised in a specific way that may allow limited access or flexibility to the hacker. This vulnerability makes it very easy for the cyber criminal to install any software they want as if they are the system administrator.
The solution?
- There is no automated fix from Microsoft at this time. However, there is a manual “workaround.”
The manual workaround involves editing the Registry. Note: only experienced system administrators should manually edit the registry. One wrong move can cause major stability and bootup problems. The details for the registry edit can be found in the Microsoft Security Advisory (2219475).
Beware that Microsoft says that this may break links that you are trying to use in the Help and Support Center. Microsoft has also posted a knowledge base article with a “fixit” here.
- Stay tuned for more details from Microsoft
Microsoft is working on a patch. The Google researcher who discovered the flaw has released a fix; however, Microsoft says that this fix is easily bypassed and that users should not rely on the Google fix to resolve the problem.
While Microsoft is working on a patch, Perimeter E-Security continues to encourage users (especially those using XP) to create a limited user account for everyday computing. Read more on this here. This will go a long way to protect systems from this exploit as well as many others we have seen in the past and will likely see in the future.
Contact us today at 800.234.2175 to talk with a security expert if you have further questions.
Tags: Windows XP exploit, Server 2003 exploit, vulnerability assessment tools, IT security, application penetration testing, managed service providers, intrusion detection system, security penetration testing
Critical Zero-Day Vulnerability in Adobe Reader and Flash Player
June 15, 2010
There is a critical zero-day flaw in Adobe Reader and Adobe Flash Player that can allow attackers to take full control of vulnerable computers. Of course, because nearly everyone has Adobe Reader and Flash Player, and because it is a 0-day exploit, that means nearly everyone is vulnerable. Well, that isn’t entirely true, because it affects only particular versions, but it will still affect a lot of people. There are some reports that say the vulnerability is being exploited “in the wild.” The scary thing about application vulnerabilities is that they often affect more than just one operating system. This one is a good example: the flaw exists on Windows, Mac, Linux and Solaris.
Federal Court Absolves a Firm That Exposed Social Security Numbers
June 15, 2010
I was really glad to see this article: http://www.theregister.co.uk/2010/06/04/privacy_suit_absolution/
Lawsuits as a result of data breaches were out of control. Sure, if a company has a breach that results in fraud or identity theft, I can understand why someone would want to sue the company. I believe that if a breach occurs, and it is at all possible that identity theft or fraud might occur as a result, the company should offer credit monitoring services to the people affected. But what I have never agreed with are those suits filed by individuals or groups where no identity theft has occurred, no fraud has occurred, and there is little or no chance of that happening, and still the company gets sued. The Ninth US Circuit Court of Appeals has ruled that a man whose personal information, including his social security number, was exposed has no legal standing to seek damages BECAUSE HE DID NOT SUFFER MATERIALLY AS A RESULT OF THE BREACH. This is how it should be. I remember the class-action lawsuit against Veterans Affairs where they had to pay $20 million and no identity theft or fraud had occurred. There were 26.5 million records exposed, so was everyone going to get $0.50 after the attorneys were paid? These lawsuits have been ambulance-chasing lawyers’ dreams for some time. I am glad it is moving in another direction…
iPad Owners Exposed – AT&T and Apple Security Breach
June 11, 2010
Read about it here. Here is what I think about it.
Poor website security practices by AT&T led to the breach, but like many breaches, AT&T is just the third party. So when everyone references this breach in the future it will be Apple’s name, not AT&T’s. That being said, this is somewhat symbolic because emails by themselves usually don’t constitute a data breach. It is unclear what other information, if any, was also captured. This is an interesting case because at no other time would anyone care about email addresses being exposed. This isn’t about a data breach; it is about a group being able to capture an exclusive list of America’s most influential people and their private email addresses. A list like this simply doesn’t exist. But Goatse (the security consulting group) was able to write a script that systematically harvested these addresses from the AT&T website for any iPad owners who signed up for the 3G service. While they say 114,000 emails were compromised, it is likely that many others were compromised as well. Personally, this is where I think Goatse stepped over the line. They detected and exploited the vulnerability. They told AT&T about it. They wanted press and they have it. But they said that they gave the vulnerability exploit and script to others. Who are these others? What did they do with this information? It is always a slippery slope when a rogue security firm does this type of thing in the first place. But if you are going to do this and already be in a “grey area,” you really shouldn’t give the script out to others to use. That is what makes it go from grey to black very quickly. Let’s all remember it is just email addresses (as far as we know). It isn’t like someone hacked into the government, took over the president’s “red phone” and called in a nuclear strike. But due to the high profile nature of those compromised (you can’t get much higher profile), AT&T and Apple will take a lot of heat for this.
Malware on USB Drives
June 8, 2010
Who doesn’t want a free USB drive? It is one of the most popular “swag” items at conferences. At a recent show, IBM handed out USB drives without knowing there was a present loaded on them. The USB sticks were infected with malware. This is one of a thousand ways your remote employees, travelers, etc. can bring infections and compromised computers back into your network environment where they can spread. Who would ever question a USB drive being handed out by IBM? This emphasizes the need for endpoint security solutions, especially those that can detect malware on portable media.
Network-Based IDS/IPS and Their Value and Challenges in the Current Market
June 3, 2010
I was recently asked to answer some questions for a magazine article about network-based IDS/IPS and their value and challenges in the current market and environment. These were some of my responses:
What are the greatest challenges now?
- Attacks are becoming so sophisticated that hackers have developed methods to bypass or subvert traditional IDS/IPS systems.
- Additionally, more and more hackers are using malware to do their dirty work for them rather than traditional inbound attacks, where IDS/IPS systems are most effective. If the hacker can get malware on the internal system, it renders IDS/IPS systems useless. This is why methods to install and spread malware have absolutely exploded, especially malware websites (although this is just one of several methods). Once malware is installed on the local system, the bad guys can create encrypted tunnels back to their command and control networks. IDS/IPS systems cannot read encrypted packets, so essentially this all happens “under the radar” of traditional security solutions.
Which industries are most/least vulnerable?
- Any industry that houses valuable data is always a greater target. These include anything that can assist in identity theft or fraud for the hackers. Usually this means companies that house financial data or personally-identifying data. So, banks and healthcare providers are at the top of the list.
What are myths and realities about some of the current strategies and solutions?
- Unfortunately, people still think that edge-based security solutions are enough to keep the bad guys out. A firewall, network-based IDS/IPS and other technologies that are in the network or “cloud” are still necessary but are far from enough to keep the hackers at bay.
What are the key points you want to make in this interview?
- See the answer above on myths and realities again…then…the only effective way to secure sensitive data and mission-critical systems is through a next generation HOST-BASED intrusion prevention system. Rather than network-based systems that can be bypassed or subverted, HIPS can be installed directly on the system you are trying to protect. It can protect it at a much higher level than traditional network-based solutions. It combines signature matching capabilities with behavioral techniques. When combined with 24×7 management and monitoring, it offers the greatest protection for these targeted industries. And don’t feel like you have to install HIPS everywhere…you only need it on those “mission-critical” systems that, if they were compromised by a hacker or were unavailable for a period of time, would be problematic for your organization.
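The interview answers above make the point that a network IDS cannot read the encrypted tunnel malware opens back to its command and control network. One thing a defender can still see on the wire is timing: a compromised host tends to check in at a regular interval, while a user's browsing to the same port is bursty. As an added example (not from the original post, and not the HIPS product the author recommends), the script below groups constructed flow records by source, destination and port and flags groups whose inter-connection gaps are too regular, without ever needing the payload. The flow-record format, the thresholds and all addresses are constructed assumptions.

```python
"""Flag beacon-like connection timing in flow metadata (added example, not from the post)."""
from collections import defaultdict
from statistics import mean, pstdev


def parse_flow(line):
    """Assumed record format: '<epoch_seconds> <src_ip> <dst_ip> <dst_port> <bytes>'."""
    ts, src, dst, dport, nbytes = line.split()
    return int(ts), src, dst, int(dport), int(nbytes)


def find_beacons(lines, min_flows=6, max_cv=0.2):
    """Return (src, dst, port) groups whose connection gaps are suspiciously regular.

    The coefficient of variation (stdev / mean) of the gaps is low for a timer-driven
    check-in and high for human-driven traffic; thresholds are assumptions to tune.
    """
    groups = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, nbytes = parse_flow(line)
        groups[(src, dst, dport)].append((ts, nbytes))

    beacons = []
    for (src, dst, dport), flows in groups.items():
        if len(flows) < min_flows:
            continue  # too few connections to judge regularity
        flows.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(flows, flows[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if cv <= max_cv:
            beacons.append({
                "src": src, "dst": dst, "port": dport, "flows": len(flows),
                "mean_gap_s": round(avg), "jitter_cv": round(cv, 3),
                "mean_bytes": round(mean(n for _, n in flows)),
            })
    return beacons


# Constructed sample: one host talking over 443 to two destinations. The first
# conversation is a ~60 s timer with slight jitter and near-constant size (a
# check-in); the second is irregular browsing to a busy site.
BASE = 1276560000
BEACON_JITTER = [0, 1, -1, 2, 0, -2, 1, 0, -1, 1]
BROWSE_OFFSETS = [0, 3, 45, 50, 400, 401, 900, 1500]
SAMPLE_FLOWS = (
    [f"{BASE + 60 * i + j} 10.0.0.23 203.0.113.5 443 {1024 + 8 * (i % 3)}"
     for i, j in enumerate(BEACON_JITTER)]
    + [f"{BASE + o} 10.0.0.23 198.51.100.10 443 {5000 + 700 * k}"
       for k, o in enumerate(BROWSE_OFFSETS)]
)

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_FLOWS):
        print(b)
```

This is a complement to, not a substitute for, the host-based controls discussed above: timing analysis gives a lead to investigate on the host, where the process making the connection can actually be identified. Real traffic needs a longer window and an allow-list for legitimate periodic clients (update checks, monitoring agents), which is why the thresholds are parameters rather than constants.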
Google Collects Street View Wi-Fi data
June 2, 2010
As if it weren’t scary enough to log in to Google Street View and see your home or place of work online (for everyone else to see as well), what Google wasn’t telling us was that it had also been collecting Wi-Fi data as its collection vehicles were driving around everywhere. Originally they said they were only collecting the SSIDs and MAC addresses from wireless networks, but as it turns out, they collected a lot more data than that, including payload data. Certainly (in my opinion) I don’t think Google needed to capture any more than just the basic Wi-Fi info, but my guess is that this has already changed so much it doesn’t matter much. But again it shows that people who want to live in a world without a “big brother” need to get on the next spaceship.
U.S. House Has Drafted New Data Privacy Legislation
May 27, 2010
Those who believe we already have enough legislation around data privacy may be shocked to find out that the U.S. House has drafted some new data privacy legislation. It is getting quite a bit of resistance from both sides: some say it doesn’t go far enough and others say it goes too far. It essentially creates a distinction between covered information (which is opt-out) and sensitive information (which is opt-in). Covered information includes things like name, address, phone numbers, email and government issued identification such as a social security number. Sensitive information includes medical records, race, sexual orientation, financial records, etc. It is getting a lot of press right now, and my guess is that this version of the bill won’t make it, but I think something similar will pass at some point.