Wednesday, February 25, 2009

Cloud Computing Privacy

As organizations and individuals make the move to cloud computing service such as storage, video, financial, social networks, the question of how to retain privacy becomes more important. Each site or system has a different privacy policy, different security architecture, and different potential risks. These can vary widely, and individuals and organizations each have concerns about how their data is stored, used, and made available.

The World Privacy Forum, has both an in depth report (PDF) and brief tips for consumers and business organizations. If your organization is considering using cloud based services, this is a great starter document to review, with details on the Electronic Communications Privacy Act, the PATRIOT act, HIPAA, the Fair Credit Reporting Act, and many other related laws, policies, and requirements that may affect your data and disclosure. It also discusses subpoenas, ownership, and even venue, making it the most complete cloud computing privacy overview that I've seen.

They suggest simple behaviors such as reading the terms of service, limiting what data you make available, and how the provider will use your information. With the recent outcry about Facebook's
Terms of Service change - and their subsequent change and clarifications, this is very much a current topic.

Wednesday, February 18, 2009

netForensics Acquires High Tower Assets

netForensics announced their acquisition of the assets of High Tower today. Note that they are acquiring the assets, rather than the company itself - an interesting difference. Per the email sent to customers and partners:

"netForensics is proud to announce our agreement to acquire the assets of High Tower Software. I would like to take this opportunity to pledge our continued commitment to the success of your business and welcome you to the netForensics family."
netForensics goes on to explain that High Tower products will be available as standalone solutions and as extensions to the netForensics nFX One product line. netForensics has typically been seen as a standout in the log management and data mining arena - this acquisition will likely expand their portfolio nicely.

Customers can call +1 732-393-6060 with questions - the first of which will likely be what the change in support means for existing High Tower customers. In addition, readers may also want to review our previous posts on High Tower's demise, as the comments thread has further detail about High Tower's fall.

Tuesday, February 17, 2009

LinkedIn to Malware

ITNews reports that hundreds of fake LinkedIn profiles promising nude celebrity pictures are, as might be expected, lures to malware sites. Unlike other social sites, LinkedIn is likely not as easy of a target as other sites might be - limitations on profile visibility and the more closed networking circles that the site is based on will limit the spread, as will the content, which is not typical of a professional social networking site.

Targeting LinkedIn users wouldn't be very difficult - I wouldn't be surprised to see more advanced tactics in the future.

The Case For Full Disk Encryption: Military Gear On the Open Market

Military.com's recent article "US Gear Ending up in Pakistan Markets" offers a great example of why organization wide full disk encryption is a good idea. One of the items that author Shahan Mufti found for sale was a Maintenance Support Device (a ruggedized laptop), which contained "documents and photographs inside the computer" that indicated that "the assigned user of the laptop likely belonged to the U.S. Army's 864th Engineer Combat Battalion". In addition, "the computer also contained dozens of manuals on how to operate, assemble and trouble shoot U.S. Army equipment".

It is not at all surprising that the paper versions of these support documents are also available. What is surprising is that a military laptop does not have protections preventing unauthorized users from accessing it. While combat systems may need to be operated at short notice by other members of a team, laptops and desktop computers would benefit from having at least data partitions encrypted.

For most companies, encrypting portable devices is a good first step, and full disk encryption is easily available in a variety of price ranges and support models. From a risk management perspective, being able to confidently state that a stolen device which contained sensitive data was encrypted and inaccessible when stolen is a huge benefit - one which many current laws recognize as a means of avoiding their disclosure notification clauses.

We've discussed using TrueCrypt 6.0 for Windows as a free solution in the past, but many vendors offer enterprise ready products as well.

Monday, February 16, 2009

Heartland Payment Systems Breach - First Arrests Made

StorefrontBacktalk has further detail about the Heartland Payment Systems data breach, including the fact that the malware hid in the slack space on the disk, and that it was detected with temp files. The current suspects are Eastern European, but three arrests have been made in Tallahassee after suspects used cards with data stolen in the breach. Interestingly, the suspects were using gift cards, rather than credit cards, and according to the article Wal-Mart was a favorite location.

Heartland's next step according to StorefrontBacktalk is to investigate end to end encryption, noting that PCI is not sufficient. The article points out that card data is unencrypted, requiring connections to be encrypted, rather than the data that travels over them. This process of pushing encryption to the endpoints would require a significant infrastructure change - every endpoint card might well require an encryption key and a PIN. The good news is an approach with endpoint encryption and in-transit encrypted data means that your vulnerable points are decreased to points owned by the issuing bank, and that PCI compliance would become much simpler. The comments are well worth a read for the technically inclined.

Friday, February 13, 2009

When CAPTCHAs fail - phpBB Drug Spam


As many forum owners quickly discover, there is a reason that most popular forum software allows CAPTCHAs as a requirement for user creation. The image above shows what appears to be an automated tool seeing heavier use recently that posts to phpBB forums. A quick Google search for coreod offers examples of the spam - but the gotcha here is that at least some of the forums that these were posted to use CAPTCHAs, and that many usernames are used.

There are a number of tricks that can help:

  1. Ask the bot additional questions: "Are you a bot?" or "How did you find out about this forum?" often net responses using the userID that the bot fills forms in with.
  2. You might also add a hidden form field in the new user form - bots will fill it, users won't.
  3. Delete users who do not respond to verification email within a reasonable timeframe.
  4. Use an RBL (Realtime Block List)
  5. Use user limitation plugins - Russel John's blog has an older post with some good starting ideas. The phpBB support site requires registration, but has a number of posts on the same topic.
If you're a forum admin, you'll have to commit to some time spent cleaning up your user list. You may also want to use a Google Alert to help monitor for spam on your site.

Thursday, February 12, 2009

Security Humor: Password Character Requirements

NotAlwaysRight, a site that posts stories of customers causing woe has a great password reset story today:

Customer: “Are their any requirements for the password?”

Me: “The only requirement is that the password has to be at least 6 characters in length - numbers, letters or both.”

The punchline isn't what you'd expect - but should bring a smile to the face of any helpdesk or security staffer who reads it.

Tuesday, February 10, 2009

Helix Going Commercial

Many computer forensics and incident response staffers have used Helix as their preferred bootable liveCD environment. The folks at e-fense are taking Helix to a commercial format, with a $14.95 per month e-fense forum membership.

A number of alternatives are still available, but many are out of date:

For our readers: where do you turn for a LiveCD these days, and why?

Monday, February 9, 2009

Grossman's Unanswered Questions

Jeremiah Grossman, one of my favorite web application security bloggers, recently posed a few of his unanswered questions - here's my take on a few of them, but be sure to read the comments thread. Anton Chuvakin's note that "firewall + website = web application firewall" in the minds of some rings true after my own experiences with compliance efforts.

1. Do people trust QSAs who consider PCI-DSS 6.6 met if their organization only uses a network vulnerability scanner with a few web application security checks?
For those not in the know, a QSA is a "Qualified Security Assessor" - a PCI approved assessor. PCI-DSS 6.6 (updated detail) says that you can use any of the following:
1. Manual review of application source code
2. Proper use of automated application source code analyzer (scanning) tools
3. Manual web application security vulnerability assessment
4. Proper use of automated web application security vulnerability assessment (scanning) tools
The problem that Grossman points to here is that some vendors will use a vulnerability scanner that doesn't provide deep software analysis capabilities - using Nessus instead of WebInspect, for example. My answer here is a firm "No". The capabilities found in full featured application vulnerability scanning tools are far more advanced than those found in most standard host vulnerability scanners. Vendors like Qualys are expanding their capabilities here, and other vendors are or have already. My answer will likely change as these features become increasingly more capable, but for now unless the QSA explicitly explains it, this doesn't appear to be the right solution.

Does this mean that organizations without internal technical expertise won't take a QSA's analysis at face value? Not at all. One of the major reasons that QSAs exist is because organizations need or want 3rd party assessments, and they trust those assessors to help them meet their PCI requirements.
3. As a result of economic downturn, what notable security projects are being cut from last years budget?
Training is being slowed down, and colleagues at other organizations note that they are cutting major initiatives - SIM/SEM technology, new IDS/IPS deployments, and other major hardware and software purchases are being delayed or are being re-scoped to highly critical areas. They're also getting more push to build internally.

The number of vendor calls, and the aggressiveness of those vendors is also increasing. I'm fielding more cold calls, and we're seeing things like the quick Google AdWord snap-ups following High Tower's demise.

I'm looking at the pullbacks as an opportunity - the frenetic pace of security device and technology deployment over the past few years has resulted in a wealth of existing information that frequently isn't as well leveraged as it could be.
5. Will secure code purchasing standards lead to secure code?
Sadly, no. I've seen some efforts along these lines, but I think that we'll see more success by putting testing tools into the hands of developers, as well as greater organizational maturity - secure code re-use for example.

As penalties for security issues become a more frequent topic of contractual negotations, this may begin to change. I've been advocating such a change in my own organization for a while.

Friday, February 6, 2009

Fun With Vundo: Checking Your Java Version

I've been receiving an increasing number of calls about Vundo infected systems. Vundo is an adware trojan, with a nasty habit of infecting machines with downlevel Java versions. As is often the case, many users either ignore the Java auto-updater, or are unaware that Java needs to be updated.

A quick and easy way to check is to visit the Java Tester at http://www.javatester.org/version.html. Your users need to be running a version higher than 1.5.0.7 (also known as version 5.0 release 7) .

Java versions can also be checked from the Control Panel by opening the Java panel.

Finally, users can also check each browser individually by manually checking their plugins.

  • Firefox can be checked by going to Tools -> Add-ons -> Plugins.
  • Internet Explorer is uglier - Tools -> Manage Add-Ons will leave you with a list that may include multiple Java versions.
Vundo has made its way into various ad networks, and users who normally browse relatively safely have been infected via their out of date Java versions. A typical infection includes:
  • Popup ads
  • Desktop background changes
  • Screensaver changes
  • Windows updates may be disabled
  • Anti-malware and other security programs may be deleted or disable
Removal can typically be handled by a combination of Malwarebytes and bootable AV such as AVST's BART CD.

Parking Tickets and Social Engineering


(not the actual ticket - Creative Commons attribution licensed image courtesy singsing_sky)

Lenny Zeltser of the ISC reports that he recently investigated malware that was spread after victims visited a URL that was included on a parking violation flyer on their car. The BBC picked up the story, meaning copycats are far more likely as this hits major news media. Make sure you check out Lenny's article, as his malware analysis is always worth a read.

The bigger question is if we'll see more of this - I suspect yes. We've seen penetration testers use "lost" thumbdrives in parking lots to get into secure networks and the US military has banned thumb drives on some of their networks due to possible threats.. Now we've gone to the next level and rely on users typing in a URL to compromise their own machines. This would be particularly easy on college campuses or other venues during game days or other events, when many people receive parking tickets because they are unfamiliar with the parking rules, or may have parked in the wrong location.

The best technical fix for organizations is likely a combination of border URL filtering (or DNS blackholing), a good centrally managed AV solution, and strong host level anti-malware software. I've seen a lot of good results with Malwarebytes recently, particularly when removing trojans that the major AV companies miss or are unable to properly clean, and that's what I will be recommending to end users.

Wednesday, February 4, 2009

An Analysis of Firewall Rulebase (Mis)Management Practices

Mike Chapple, John D'Arcy, and Aaron Striegel, all from the University of Notre Dame recently published an article titled "An Analysis of Firewall Rulebase (Mis)Management Practices" (edit: link updated) in the ISSA Journal - described as the first widespread analysis of firewall management practices through a survey of firewall administrators and their supervisors.

According to the article, the survey was based on a series of open and closed ended questions which assessed the state of an organization's firewalls, their management practices, and the issues that were encountered with them. With 101 valid results, and 148 total respondents, this is a sizable survey of firewall administrators. In addition, they surveyed supervisors of firewall managers. In both cases, the distribution reached across industry.

Their findings are interesting -

  • An average ruleset size double what it was in 2000.
  • A high correlation between platform and ruleset size.
  • A high turnover or churn rate for firewall changes.
Error rates were also a key part of the study - they found that 91% of administrators believed that least one error was introduced into their ruleset in the average month, and half of those administrators believe they go unfixed.

The article suggests that appropriate staffing levels and skillsets, as well as automated error detection are the best routes to fixing these issues. I would suggest a third step as well - a clear initial design and well defined rules for how rules are written, their syntax, and how they are tracked over time.

Overall, an interesting read for firewall administrators and supervisors or management of organizations with firewalls.

Tuesday, February 3, 2009

RFID and Passport Cloning in the Register

Edit: Paget's presentation is available at: http://video.google.com/videoplay?docid=-282861825889939203, and he notes that he is working with the Passport Cart, the Enhanced Technology Driver's License, and the other WHTI components - a different RFID technology than the US passport.

The Register took a trip with Chris Paget in San Francisco, and captured and cloned RFID tags - but it sounds like the cloning may have been limited to the tag ID, and not the content. As Paget notes, "It's mainly to defeat the argument that you can't do it in the real world, that there's no real-world attack here, that it's all theoretical."

As I've discussed previously, the US RFID enabled passport requires key data about individual users to release the actual content of the passport. I do not currently know of any implementation that trusts the RFID tag ID alone as an authenticator or identifier - but that doesn't meant that it might not be used that way, much as we've seen the SSN used widely.

The Register says that "Because the technology employs no encryption and can be read from distances of more than a mile, the tags are highly susceptible (PDF) to cloning and tracking, researchers have concluded". This isn't the case with the US passport RFID tags. Other RFID standards can allow reads from a longer distance, however the greatest distance that has been popularly announced for reading the 13.56 Mhz tags used in US passports is approximately 30 feet with specialized gear.

It is worth noting that in my own testing, the tag ID was often accessible from greater distances than the tag data was - and that at longer distances, I often got incorrect tag ID readings.

The Register points out that the card ID is a unique identifier, and could be used for tracking. Again, with a closed RFID blocking shield and highly limited range, this tracking would be difficult at best.The data contained in the passport is not highly sensitive - it includes birthdate, picture, and other details, but is not data beyond the scope of that which can be accessed in common online databases.

The ability to uniquely identify American passports is perhaps the greater danger, but again the limited range limits the threat to a 30 foot range with most practical readers.

In the end, Paget's work serves at yet another reminder that the technology, as implemented, has flaws that could be fixed. Passport tags should have a unique certificate to prevent cloning, and use of RFID should be carefully examined - in many cases it may not be the best technology available, or the design and usage models should be carefully considered.

Monday, February 2, 2009

XKCD: Security

XKCD fans have probably already seen this, but for those who haven't...


A wrench may or may not be an RFC compliant method of escrowed key retrieval.


Sony and Biometrics? Mofira

Engadget reports that Sony announced a finger vein biometric system that it calls "mofira". The Akihibaranews post about it describes it as a "The user-friendly technology offers quick response and high accuracy and comes in a compact size for mounting on mobile devices such as a personal computer or mobile phone.". The technology's claimed .1% false rejection rate, and .0001% false acceptance rate places it closer to an iris reader under ideal conditions, and far beyond most normal face, fingerprint, or hand geometry scanners.

The most interesting part isn't the capability of the technology though - what should catch our attention is that Sony is a major manufacturer of commodity consumer devices, including a wide range of cell phones and laptops, meaning that we might see it used in a variety of places. While Lenovo has used fingerprint scanners for some time on their corporate laptops, biometric authentication has not been widely adopted elsewhere. A low false rejection rate technology from a major consumer products company could change that.