March 2008 - Posts
In a recent security breach, 4.2 million credit and debit card numbers were exposed and exploited from a grocery chain that was compliant with the PCI security standard:
"The latest exposure of millions of credit and debit card numbers by Hannaford Bros., a grocery chain with 271 locations in New England and Florida, raises new questions about the value of the credit card industry's controversial security rules, known as PCI. The Payment Card Industry Data Security Standard was put in place by major card brands, including Visa and MasterCard, to ensure that retailers take sufficient steps to protect customers' financial data. More than 3,600 U.S. retailers comply with--or are working to come into compliance with--the PCI program.
But retailers and security vendors know that PCI compliance is a slippery concept in terms of determining who is, and is not, up to par. And the Hannaford breach--in which 4.2 million credit and debit card numbers were exposed even as the company's Web site states that it "has been certified as compliant" with PCI--demonstrates to the rest of the world just how fluid this concept really is..."
I've had a chance to visit a grocery chain in the US with 600 locations and was surprised to see the awareness of security issues. However, being compliant with PCI was their number one goal.
Without picking on a specific industry, I believe security standards (such as PCI) must define more concrete rules and list the technologies that are required, supportive or optional to meet them. More important, however, is to define how to use those tools (it is not enough to collect logs when you have no one to inspect them in a timely manner).
Hannaford will need to sell lots of lettuce to mop up this mess:
- 4.2 Million - Account numbers exposed
- 1,800 - Fraud cases connected with breach ... so far
- $197 - Average per-record cost of a breach in 2007
The following list was posted by my favorite blogger regarding the state of enterprise security.
- Permanent compromise is the norm, so accept it. I used to think digital defense was a cycle involving resist -> detect -> respond -> recover. Between recover and the next attack there would be a period where the enterprise could be considered "clean." I've learned now that all enterprises remain "dirty" to some degree, unless massive and cost-prohibitive resources are directed at the problem.
--> This implies that security operations are not like helpdesk calls or server management, where the goal is to resolve everything.
- We cannot stop intruders, only raise their costs. Enterprises stay dirty because we cannot stop intruders, but we can make their lives more difficult. I've heard of some organizations trying to raise the $ per MB that the adversary must spend in order to exfiltrate/degrade/deny information.
--> Indeed. Similar to the basic jungle rule: you need to run faster than just one other zebra, and the lion will do the rest.
- Anyone of sufficient size and asset value is being targeted. If you are sufficiently "interesting" but you don't think you are being attacked and compromised, you're not looking closely enough.
--> However, with wide-spreading worms such as Storm, you might be targeted just because you are there.
- Less Enterprise Protection, more Enterprise Defense. We need to think less in terms of raising our arms to block our face while digitally boxing, and more in terms of side-stepping, ducking and weaving, counter-punching, and other dynamic defenses.
--> Amen. Any practical methods we can use?
- Less Prevention, more Detection, Response, Disruption. One of my laws from my books is Prevention eventually fails. Your best bet is to identify intrusions and rapidly contain and frustrate the intruder. You have to balance information gathering against active responses, but most organizations cannot justify what are essentially intel gathering operations against the adversary.
--> Just like in any other battlefield, the best defense is offense.
- Less Vulnerability Management, more System Integrity Analysis. Vulnerability management is still important, but it's an input metric. We need more output metrics, like SIA. Are all the defenses we institute doing anything useful? SIA can provide some answers.
--> Wait until you see Forefront Stirling. You will find some nice surprises there.
- Less Totality, more Sampling. In security, something is better than nothing. Instead of worrying about determining the trustworthiness of every machine in production, devise statistically valid sample sizes and conduct SIA, tactical traffic assessment, and other evaluation techniques and extrapolate to the general population.
--> Just show me how to pass an audit with this approach.
- Less Blacklisting, more Whitelisting. Organizations are waking up to the fact that there is no way to enumerate bad and allow everything else, but it is possible to enumerate good and deny everything else.
--> Indeed. This is a new approach adopted even by Microsoft Forefront.
- Use Infrequency/Rarity to our advantage. If your organization adopts something like the FDCC on your PCs and whitelists applications, the environment will be fairly homogenous. Many organizations are deciding to make the trade-off between diversity/survivability and homogeneity/susceptibility in favor of homogeneity. If you're going down that path, why not spend extra attention on anything that deviates from your core load? Chances are it's unauthorized and potentially malicious.
- Use Blue and Red Teams to measure and validate. I've written about this a lot in my blog but I'm seeing other organizations adopt the same stance.
--> I always wanted to be on the red team.
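As an added illustration of the whitelisting and rarity items above (example code written for this page, not part of the quoted list or this blog), here is a small Python triage that flags every executable outside a hypothetical core load and ranks the deviations rarest first across a constructed five-host inventory:

```python
"""Whitelist-plus-rarity triage over a per-host software inventory.

Constructed example: a homogeneous fleet built from one standard image
(the "core load") where every executable is whitelisted; anything that
deviates is flagged, and the rarest deviations are reviewed first.
"""
from collections import Counter, defaultdict

# Constructed sample data, not a real fleet; the executable names are
# illustrative only (a hypothetical lookalike "svch0st.exe" stands in
# for the kind of oddity the rarity rule is meant to surface).
CORE_LOAD = {"explorer.exe", "outlook.exe", "winword.exe", "av-agent.exe"}
INVENTORY = {
    "ws-01": {"explorer.exe", "outlook.exe", "winword.exe", "av-agent.exe"},
    "ws-02": {"explorer.exe", "outlook.exe", "winword.exe", "av-agent.exe", "putty.exe"},
    "ws-03": {"explorer.exe", "outlook.exe", "av-agent.exe", "putty.exe"},
    "ws-04": {"explorer.exe", "outlook.exe", "winword.exe", "av-agent.exe", "svch0st.exe"},
    "ws-05": {"explorer.exe", "outlook.exe", "winword.exe", "av-agent.exe"},
}


def deviations(inventory, core_load):
    """Return {executable: sorted hosts} for everything not on the whitelist."""
    seen = defaultdict(set)
    for host, execs in inventory.items():
        for exe in execs - core_load:   # enumerate-good, flag the rest
            seen[exe].add(host)
    return {exe: sorted(hosts) for exe, hosts in seen.items()}


def prevalence(inventory):
    """Fraction of hosts on which each executable was seen (the rarity metric)."""
    counts = Counter(exe for execs in inventory.values() for exe in execs)
    n = len(inventory)
    return {exe: c / n for exe, c in counts.items()}


def triage(inventory, core_load):
    """Rank non-whitelisted executables rarest first as (exe, prevalence, hosts)."""
    prev = prevalence(inventory)
    dev = deviations(inventory, core_load)
    return sorted(
        ((exe, prev[exe], hosts) for exe, hosts in dev.items()),
        key=lambda row: (row[1], row[0]),
    )


if __name__ == "__main__":
    for exe, p, hosts in triage(INVENTORY, CORE_LOAD):
        print(f"{exe:14s} on {p:.0%} of hosts -> review {', '.join(hosts)}")
```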
This post is taken from USA Today, a newspaper I personally get to read only while staying at hotels across the US. I always thought USA Today was the newspaper for the average American who is more focused on the NFL, NHL and NBA rather than on world politics, technology and science (although all those topics have their place in the paper).
" SEATTLE — Two days after actor Heath Ledger died, e-mails began moving across the Internet purportedly carrying a link to a detailed police report divulging "the real reason" behind the actor's death. Ledger had been summarily drafted into the service of a botnet.
Bots are compromised computers controlled by profit-minded crooks. Those e-mails were spread by a network of thousands of bots, called a botnet. Anyone who clicked on the link got instantly absorbed into the fast-spreading Mega-D botnet, says security firm Marshal. Mega-D enriches its operators, mainly by distributing spam for male-enhancement pills.
Largely unnoticed by the public, botnets have come to inundate the Internet. On a typical day, 40% of the 800 million computers connected to the Internet are bots engaged in distributing e-mail spam, stealing sensitive data typed at banking and shopping websites, bombarding websites as part of extortionist denial-of-service attacks, and spreading fresh infections...
The botnet problem shows no sign of easing. Security firm Damballa pinpointed 7.3 million unique instances of bots carrying out nefarious activities on an average day in January — an astronomical leap from a daily average of 333,000 in August 2006. That included botnet-delivered spam, which accounted for 91% of all e-mails in early March, up from 64% last June ... "
The rest of the article describes Storm (a combination of bot, worm and rootkit), to which I plan to dedicate several posts soon. Stay tuned :-)
A mail thread you can find only in a highly dedicated security team.
(some changes were made to keep privacy and IP)
From: SR
Sent: Sunday, March 16, 2008 8:47 AM
Subject: did you take my chair
Look, it is not a nice feeling to come to work and notice that someone took your chair.
Before I start with a full blown investigation, including the involvement of law enforcement, please bring it back asap.
Thank you
SR
From: EZ
Sent: Sunday, March 16, 2008 8:55 AM
You should use a “honey-pot” chair and catch the malicious user
Thanks,
From: BB
Sent: Sunday, March 16, 2008 12:55 PM
We should also do User Mapping on chairs, I mean I can steal his and replace it with someone else’s unmarked chair and take that someone’s chair…
From: ZR
Sent: Sunday, March 16, 2008 1:13 PM
Investigation was not part of the POR (Plan Of Record) for beta1.
You should wait for Beta2 …
From: GM
Sent: Sunday, March 16, 2008 1:23 PM
I agree
There is also a simple workaround for Beta1, sit on the floor.
From: ZR
Sent: Sunday, March 16, 2008 4:43 PM
BTW, did you run an e2e (end to end) test on SR sitting on the floor?
From: GM
Sent: Sunday, March 16, 2008 4:49 PM
Until you define the E2E scenario, I can’t test it…
I am blocked on spec.
From: AH
Sent: Sunday, March 16, 2008 5:28 PM
But, of course, if you haven’t documented this yet, then it may as well not have been tested.
And, if possible, then the screen cap would be really helpful to our users.
I admit to finding this item on Maariv first, but this is crazy any way you turn it around:
" To the long list of objects vulnerable to attack by computer hackers, add the human heart.
The threat seems largely theoretical. But a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker.
They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal — if the device had been in a person. In this case, the researchers were hacking into a device in a laboratory.
The researchers said they had also been able to glean personal patient data by eavesdropping on signals from the tiny wireless radio that Medtronic, the device’s maker, had embedded in the implant as a way to let doctors monitor and adjust it without surgery. "
The full report is published at: www.secure-medicine.org
Bruce Schneier, one of my favorite bloggers, has recently posted this:
"We know what we don't like about buying consolidated product suites: one great product and a bunch of mediocre ones. And we know what we don't like about buying best-of-breed: multiple vendors, multiple interfaces, and multiple products that don't work well together. The security industry has gone back and forth between the two...
The real problem is that neither solution really works, and we continually fool ourselves into believing whatever we don't have is better than what we have at the time. And the real solution is to buy results, not products...
Honestly, no one wants to buy IT security. People want to buy whatever they want -- connectivity, a Web presence, email, networked applications, whatever -- and they want it to be secure. That they're forced to spend money on IT security is an artifact of the youth of the computer industry. And sooner or later the need to buy security will disappear.
It will disappear because IT vendors are starting to realize they have to provide security as part of whatever they're selling. It will disappear because organizations are starting to buy services instead of products, and demanding security as part of those services. It will disappear because the security industry will disappear as a consumer category, and will instead market to the IT industry.
The critical driver here is outsourcing. Outsourcing is the ultimate consolidator, because the customer no longer cares about the details. If I buy my network services from a large IT infrastructure company, I don't care if it secures things by installing the hot new intrusion prevention systems, by configuring the routers and servers as to obviate the need for network-based security, or if it uses magic security dust given to it by elven kings. I just want a contract that specifies a level and quality of service, and my vendor can figure it out. "
While I agree that this is a desirable future, I don’t see it happening soon:
1. When evaluating and selecting products or services, customers are looking at the TCO ($$) rather than at how secure the offering is.
2. Attackers look at the organization as a whole and plan their moves accordingly; each step elevates the access achieved by the previous step. Hence a cross-technology security system is required.
3. I believe companies realize by now the threats in outsourcing elements like security. Technologies and procedures are simply not mature enough to be outsourced as easily as other IT operations.
4. Unlike other areas of outsourcing, we have attackers sitting and (actively) looking for new security faults.
"The CULT OF THE DEAD COW (cDc), the world's most attractive hacker group, announced the release of Goolag Scanner, a web auditing tool. Goolag Scanner enables everyone to audit his or her own web site via Google. The scanner technology is based on 'Google hacking'" (Feb 20th)
And of course, the first big discovery was released after just two weeks:
"Lubbock, TX - March 4th, 2008 - CULT OF THE DEAD COW (cDc), the world's most attractive hacker group, announced today that it has discovered terabytes of pornographic content on Chinese government Web servers. The sexually explicit images were exposed with Goolag Scanner, a Web auditing tool that uses Google search to reveal Web site vulnerabilities. Goolag Scanner was released on February 20th by the cDc and has one hundred thousand downloads to date."
March 6, 2008 (Computerworld) Badly written, insecure software products are hurting people and costing businesses and individuals billions of dollars every year, says David Rice, in his new book Geekonomics: The Real Cost of Insecure Software (Addison-Wesley Professional, 2007). Yet far from being penalized for it, software vendors have been rewarded with greater market share and profits because of the lack of accountability in the software industry.
Is this the beginning of a new phase in security software evolution (called extinction)?
A recent Internet Security Outlook Report issued by CA warns that social networks and Web 2.0 are among the top potential targets for online attacks in 2008.
Here are the top 3 predicted trends:
1. Bots will dominate 2008: The number of computers infected by botnets will increase sharply in 2008.
2. Smarter malware: There are new levels of sophistication in malware. Malware will target virtualized computers and increasingly use obfuscation techniques to hide in plain sight.
3. Social networking sites in the crosshairs: Social networking sites will become increasingly popular and, as a result, more vulnerable. The large number of aggregated potential victims and relatively small concern for computer security make these sites a windfall for cyber thieves.
Some comments and observations:
- Bots are probably the killer web application. However, a good bot (like Storm) is one whose size you have no way of knowing (unless you buy a service provided by its operators).
- The interesting trend in malware development is the introduction of virtualized computers as targets. Companies deploying virtual computers need to look for ways to secure their infrastructure (the host) as well as the guests. I wonder whether any of you, my readers, are aware of technologies that help secure such infrastructures (like VMware, Xen or Virtual Server).
- Social networking is a mystery to me. People are willing to share private information about themselves but don't understand how they fall victim to identity theft or phishing attacks.
Case 1 (March 3rd): "..The world has been reminded that the era of the teen hacker is far from dead, with the arrest of a fresh-faced 18 year-old for allegedly masterminding a botnetting operation...
The New-Zealand-based accused, Owen Thorn Walker, is said to have been the leader of a group of programmers that set up a botnet that infected 1.3 million computers with the purpose of stealing credit cards and manipulating stock trades. ..."
Case 2 (Feb 14th): "..A teenager identified by U.S. law enforcement officials only as "B.D.H." pleaded guilty this week to charges that he used botnets to illegally install adware on hundreds of thousands of computers in the U.S., including some belonging to the military. .."
While we tend to think of the cybercrime economy as driven by organized crime (who said mafia?) and cyber terrorists, it is refreshing to read that the days of the script kiddies are not over. They just got smarter.
As some of you already know, I work at Microsoft on the Microsoft security suite codenamed "Stirling".
Working on a V1 product is an exciting experience; we get to think, argue, decide and design many new features (often in this order) that we hope will better protect our customers.
The team in Haifa is in charge of several key features of the product. One of the key features is nicely described on the product information page as:
"..In addition to protection provided by individual technologies, “Stirling” technologies act as a distributed system by sharing information with each other, allowing for correlation of security information to identify complex threats. Protection technologies included in “Stirling” can be set to dynamically respond to these threats through a variety of remediation techniques, making it easier for the IT administrator to address new threats. .."
Stay tuned, more to come soon.