Infosec Island
McAfee Report: No Immunity from Targeted Attacks
6 hours 7 min ago
Security provider McAfee unveiled the Threats Report: Fourth Quarter 2011 assessment, which provides a summary of the threat landscape from data collected in the latter part of 2011.
The report covers a variety of security issues, including data breach reports, the prevalence of spam operations, internet threats and malware-related data, which the report indicates saw levels beyond the company's previous estimate of 75 million unique variants.
The report also noted that targeted attacks present a problem that no organization can expect to be immune to regardless of the level of effort and resources dedicated to securing critical systems, a refreshingly honest admission from a security vendor.
“The threat landscape continued to evolve in 2011, and we saw a significant shift in motivation for cyber attacks. Increasingly, we’ve seen that no organization, platform or device is immune to the increasingly sophisticated and targeted threats," said Vincent Weafer, senior vice president of McAfee Labs.
Of continued concern is the rapid pace of malware targeting mobile devices, according to the report. The proliferation of smartphones and tablets as a primary interface for individuals, government, and the private sector has made them a focal point for the development of malicious agents.
"On a global basis, we are conducting more of our personal and business transactions through mobile devices, and this is creating new security risks and challenges in how we safeguard our commercial and personal data,” Weafer said.
The following is a summary of the McAfee report's content as provided by the company:
Malware
The overall growth of PC-based malware actually declined throughout Q4 2011, and is significantly lower than Q4 2010. The cumulative number of unique malware samples in the collection still exceeds the 75 million mark. In total, both 2011 and the fourth quarter were by far the busiest periods for mobile malware that McAfee has seen yet, with Android firmly fixed as the largest target for writers of mobile malware.
Contributing to the rise in malware were rootkits, or stealth malware. Though rootkits are some of the most sophisticated classifications of malware, designed to evade detection and “live” on a system for a prolonged period, they showed a slight decline in Q4. Fake AV dropped considerably from Q3, while AutoRun and password-stealing Trojan malware show modest declines. In a sharp contrast to Q2 2011, Mac OS malware has remained at very low levels the last two quarters.
Web Threats
In the third quarter McAfee Labs recorded an average of 6,500 new bad sites per day; this figure shot up to 9,300 sites in Q4. Approximately one in every 400 URLs were malicious on average, and at their highest levels, approximately one in every 200 URLs were malicious. This brings the total of active malicious URLs to more than 700,000.
The vast majority of new malicious sites are located in the United States, followed by the Netherlands, Canada, South Korea and Germany. Overall, North America housed the largest amount of servers hosting malicious content, at more than 73 percent, followed by Europe-Middle East at more than 17 percent and Asia Pacific at 7 percent.
Spam
At the end of 2011, global spam reached its lowest point in years, especially in areas such as the United Kingdom, Brazil, Argentina and South Korea. Despite the drop in global levels, McAfee Labs found that current spearphishing and spam campaigns are highly sophisticated.
Overall botnet growth rebounded in November and December after falling since August, with Brazil, Colombia, India, Spain and the United States all seeing significant increases. Germany, Indonesia and Russia declined. Of the botnets, Cutwail continues to reign supreme, while Lethic has been on a steady decline since last quarter. Grum made a significant comeback after a long decline, surpassing Bobax and Lethic by the end of Q4.
Data Breaches
The number of reports of data breaches via hacking, malware, fraud and insiders more than doubled since 2009, according to privacyrights.org, with more than 40 breaches publicly reported this quarter alone. The leading network threat this quarter came via vulnerabilities in Microsoft Windows remote procedure calls. This was followed closely by SQL injection and cross-site scripting attacks. These remote attacks can be launched at selected targets around the globe.
Copyright 2010 Respective Author at Infosec Island
Categories: Spam and Incident Response Blogs
A Security Resolution for Developers
6 hours 57 min ago
Article by Maureen Robinson
People often believe that if a developer is capable of creating clean, functional code, then they will by default be writing secure code.
Unfortunately, this is not always the case.
Security vulnerabilities can result from poor code, and functional bugs can be security bugs too, but the trickiest security issues result from code that does more than you expect.
The application may pass all of its functional tests but in addition have unintended functionality that results in a vulnerability. For instance, a web site with a SQL Injection vulnerability could work perfectly well for a normal user and then work a little too well for a malicious user.
It's important to think of abuse cases, not just use cases. Consider: what are the threats to this application? How would an attacker visualize (and subsequently attack) it? How do I code defensively against these threats?
Although there are many skills and abilities that may be on your personal development wish-list, if you want to write secure code, consider adding the following skills to your repertoire:
- Ability to create a mental threat model
  - Should include all assets worth protecting and possible threats
- Sound knowledge of secure coding standards (known good patterns that work)
  - Ideally this takes the form of both a repository of best practices and a library of secure routines you can call into
- Understand and map input paths and trust boundaries
  - Enables you to make decisions on how much to trust the data your code is processing
- Know (or have a reference of) patterns of bad code and checklists to check against
  - These are useful to keep in mind while coding as well as to check during a review. In pair programming the second developer can keep these in mind while the first developer is writing code.
- Know how your application functions and interacts with its environment
  - You can't understand how it would be attacked if you don't know how it works. Applications ultimately transmit data and operate on hardware, in a network, etc. So you need to understand protocols, dependencies, communications (encryption), etc.
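The SQL injection case mentioned above, as an added example that is not part of the article: the lookup built by string formatting beside its parameterized form, plus the kind of abuse-case test the article recommends. The table, rows and abuse input are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example: a tiny in-memory user table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_email_vulnerable(conn, username):
    """Lookup whose input is pasted into the SQL text.

    For a normal username this returns one row and every functional test
    passes; for crafted input the WHERE clause changes meaning and the
    query 'works a little too well', returning rows it was never meant to.
    """
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, username):
    """Same lookup with a bound parameter: the input is only ever compared
    as a value, never interpreted as part of the statement."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def abuse_case_passes(lookup):
    """Abuse-case test alongside the use case.

    Use case: the known user resolves to exactly her address.
    Abuse case: a single input must never match more than one row,
    whatever characters it contains. Returns True only if both hold.
    """
    conn = make_db()
    hostile = "nobody' OR '1'='1"  # constructed abuse input
    use_case_ok = lookup(conn, "alice") == ["alice@example.com"]
    abuse_case_ok = len(lookup(conn, hostile)) <= 1
    return use_case_ok and abuse_case_ok


if __name__ == "__main__":
    print("vulnerable passes abuse case:", abuse_case_passes(lookup_email_vulnerable))
    print("parameterized passes abuse case:", abuse_case_passes(lookup_email_safe))
```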
Cross-posted from CIOZone
IPv6 Protocol Implementation is Not a Security Panacea
7 hours 28 min ago
The advent of the IPv6 protocol has produced some enthusiastic hopes for bolstering internet security over the past few years, and while it does offer a significant improvement in many respects over the languishing IPv4 protocol, many of the current problems will likely persist.
"One of the frequent rallying points for IPv6 was that it was more secure than IPv4. One network security group within a large US government organization went so far as to declare that since IPv6 is more secure, that the group decided to disband because they alleged that the next generation Internet protocol’s inherent security capabilities would address their security concerns," writes Arbor Networks' Bill Cerveny.
That may have been too optimistic of an assessment.
A report issued by researchers at Arbor Networks has revealed the first documented cases of distributed denial of service (DDoS) attacks over IPv6. DDoS is a favorite among hacktivist groups: a large amount of traffic is sent to a web server at such high frequency that it overwhelms the processing capacity or causes the system to shut down.
"For the first time, respondents to Arbor Networks 7th annual Worldwide Infrastructure Security Report indicated they had observed IPv6 DDoS attacks on their networks. This marks a significant milestone in the arms race between attackers and defenders," said Cerveny.
Another aspect of DDoS vulnerabilities where IPv6 is concerned is the vastly increased number of IP addresses attackers will have at their disposal for conducting the disruptive operations, which makes mitigation by blocking the offending sources more difficult.
The full implementation of IPv6 will undoubtedly be accompanied by an increased level of attacks, which should not be surprising to most given the innovative nature of assailants.
"The same thing that has made the IPv6-enabled Internet 'valuable' has also made it an increasingly valuable venue for attacks. While the frequency of attacks is relatively modest on IPv6 today, we expect that accelerated adoption will be followed in-kind by an accelerated pace of attacks," Cerveny said.
Other researchers have similarly been finding vulnerabilities in IPv6. Last year a group produced a proof of concept that demonstrated how new features in the Microsoft Windows operating system which enable IPv6 network access could potentially be exploited by a man-in-the-middle (MITM) attack.
The researchers found that default settings in the OS protocol would allow attackers to redirect information in an exploit utilizing the Stateless Address Auto Configuration (SLAAC) standard to reroute data through networks controlled by the attackers, exposing potentially sensitive data.
The one saving grace was that in order to carry out the exploit attackers would need to successfully install some hardware into the target network, making such an event highly improbable, though not impossible.
While IPv6 will not be the all-encompassing remedy to many security problems as some had hoped early on, it will for the most part represent an improvement over its predecessor.
"Much of the early thinking around IPv6 security being better than IPv4 security was based on the RFC requirement that IPv6 stacks include IPsec support, but that is clearly too simplistic a view (and that strict requirement has been removed in recently-released RFC 6434). Even though IPv6 shares many security vulnerabilities with IPv4, and has some vulnerabilities unique to IPv6, secure network-centric service provisioning is about much more than protection for data in-flight. As always, employing a team of trained security specialists, knowledgeable about IPv6, applying proven best-practices and working methodically to counter evolving threats, is the key to protecting service availability and integrity," said John Spence of Nephos6.
Source: http://ddos.arbornetworks.com/2012/02/a-milestone-in-ipv6-deployment/
The CISO as a Capable Catalyst
8 hours 26 min ago
The last post opened up the idea that Gene Kim started me on while we recorded Episode 10 of the "Down the Rabbithole" podcast (released 2/6/12 here), which is: how does a CISO become a catalyst for change, with not only responsibility but also capability?
Today's post seeks to provide clues and hints (there aren't really any answers) on how a CISO can gain capability (or earn it) by becoming a catalyst for positive change in his or her organization.
This is a difficult topic because it often involves a lot of 'you should' and 'you could' types of ideas, but rest assured the things I'm talking about here I've either tried myself or have had others tell me they work.
This post also draws upon the collective ideas from the LinkedIn "SecBiz" group, which has become a favorite place for many to discuss this, and I encourage you to join and participate in that group as well.
First up is trying to understand whether capability should be something that a CISO is expected to have walking in the door. More often than not, even in the age of Anonymous and non-stop cyber threats to every business, the answer is still no. Jared Bird's[1] take is that:
"Capability will always have to be achieved (earned). If a CISO initially receives any capability when starting the position, that was capability that was left over from their predecessor. It is now the CISO's responsibility to earn more capability and solidify what may already exist."
In a way I completely agree. You never quite know what you're walking into, and it makes sense to make your own way.
Let me take a step back and define what I mean by capability for you first... it's the ability to catalyze positive change in the area of security and risk management in your organization (as a CISO or equivalent).
Should the CISO have the ability to catalyze positive change walking in the door? Sure, in a perfect world. But look around you, this is far from a perfect world and that is far from a reasonable expectation even in today's risk climate.
What a CISO can expect is that he or she will have to make their business value felt... that's about the only thing I think you can count on. As a CISO you should expect that you'll be challenged to not only provide better risk abatement for the organization but also improve the overall business' ability to achieve goals. Let's start from that premise.
Uncovering Ground Zero
Walking in (or starting fresh) in a new organization as the CISO or security leader means that you have a chance to, hopefully, define what it is you'll want to accomplish. Most of the time, however, the organization that hired you already has some pre-conceived notions either based on the previous person in that role or other industry definitions (or *gasp* an executive head-hunter).
Your first and only goal should be to uncover what your role really is. If you think you're there to keep the organization free of malware, keep the security appliances humming, and keep the company 'secure' you're probably not going to last very long.
Start your digging by meeting people who probably ordinarily sit on the opposing side of the table from you. We'll call these the delegates. Every effective leader must always win over the delegates of his constituency... you're no different. Find out what they care about.
My guess is that the VP of Applications (maybe called the CTO?) probably cares about release cycles, downtime, failure rates, and streamlining effort with over-worked resources.
Note that down. Next go to the key stake-holders of the business. Maybe the board of directors isn't a great place to start ...but the other C-levels definitely are.
If you don't hold a C-level title, this tells you something immediately because if they call you the "security leader" then you have a slightly different task ahead of you, and a more monumental march to capability. Your colleagues will be able to tell you what the organization cares to accomplish, and what its goals are.
You'll hear things like cost reduction, productivity (remember this?), agility and other terms you should familiarize yourself with. Here's the thing, you should probably be taking near-perfect notes right now in these meetings because you'll absolutely need this shortly.
Mapping Your Success
Once you've uncovered why you've really been hired ... and it doesn't hurt to know why the previous CISO left, or maybe that there was never one to begin with! ...it's now time to start thinking about how your security skills match up against the needs of the business. What I recommend is taking some time to do a mapping exercise. The mapping should (and here I base this on personal experience) have three levels of goals.
The first level should be the business objectives, the second level should be the management objectives, and the final level should be your level, the SRM (security and risk management) objectives. I've done a sample for you based on the highlighted terms from above, right here in Figure A.
[Figure A: mapping of business objectives, management objectives and SRM objectives]
Mapping like this is a forcing function which makes you mentally justify your activities, or your proposed activities, against the goals of the business. If you find yourself filling in this grid right to left you're doing it wrong.
You should absolutely fill this grid starting in the left-most boxes at the business objectives level and moving right. This is a many : many : many type of mapping... and sometimes if you have a mind-mapping tool like FreeMind, or Mind Manager it's even easier than spreadsheets.
Looking at the overall business goals on the left column forces you to understand the high-level goals you're trying to help the organization meet. They're high-level, and probably fairly easy to "fit" things into, which is why the middle level exists. The middle management objectives level exists to help you understand the goals of those around you.
Each manager, executive has their own objectives that will get them promoted and help them meet their commitments to the organization. Why do you care? Because if your activities can positively map to their goals it's simple to show how you're helping them, not fighting them. You've just taken a positive step in the direction of keeping a healthy relationship with the rest of your colleagues in the organization. This is much better than the adversarial relationships security leaders normally have.
See, this type of mapping has many great benefits. You can build better personal relationships, understand the organization better, and on and on... so how does this give you the capability you need to be a catalyst for positive risk management change?
Elementary my good Watson... once you've got a good understanding of your organization, its goals and have a solid helpful relationship with your colleagues the capability comes almost naturally. You're no longer doing things for the sake of security, but for the sake of business productivity, cost reduction, or agility - and you're someone people respect rather than fear.
Jared Bird says that one of the most important things a CISO can do to earn capability in an organization is "helping the other executives recognize the value of security" and that the big requirement is to "keep things simple."
Folks, this isn't magic, but great advice I've picked up from fantastic mentors. I pass it on, freely to anyone who wants to listen, because we need less 'security says' and more 'the business needs' discussions in the security circles if we're ever going to get our heads above water.
Good luck, I hope this helps!
[1] Jared Bird currently works as a consultant with the technology risk advisory services group at McGladrey. He specializes in network security assessments and security reviews. Jared has over 10 years of experience in information technology with positions ranging from network administration to information security management roles.
Cross-posted from Following the White Rabbit
NIST Pursues Health Record System Usability Testing
8 hours 27 min ago
The National Institute of Standards and Technology (NIST) seeks manufacturers of electronic health record (EHR) systems to participate in a research effort to develop methods for assessing the usability of health information systems.
Usability is broadly defined by information technology professionals as a measure of how well a system can be applied by its intended users to achieve specified goals with effectiveness, efficiency and satisfaction.
All software systems developers strive for usability, but it is particularly important in health information systems. The usability of a health IT system can be the difference between a good and bad outcome for the patient.
The Healthcare Information and Management Systems Society (HIMSS)* has argued that usability may be the single biggest obstacle to widespread adoption and use of electronic health records in clinical settings. EHR systems must present and record often complex medical information, in a wide variety of formats, so that it can be easily accessed and used by clinicians and other users.
Accurately assessing usability involves more than simple surveys of user satisfaction. NIST is working to develop a basic framework for assessing the usability of health information technology systems and ultimately recommending performance-oriented user interface design guidelines for EHRs.
As part of this effort, NIST seeks system manufacturers willing to provide EHR systems for use in lab-based usability testing. NIST will provide a secure computing environment to safeguard the software and equipment during the course of the research, and the EHR software and equipment will be removed from all computers on which it is installed and returned to the manufacturer at the end of the testing period.
The results of the usability testing of each EHR system will be reported to its manufacturer and used to support NIST research. Individual systems will not be identified and linked to test results in any NIST reports. The systems are for research purposes only; no actual patient data will be used or accepted.
NIST anticipates that it will take approximately one year to conduct all necessary research.
Full details of intellectual property protections for the research program are in the formal Letters of Understanding that NIST will execute with participating manufacturers. To participate in the program, manufacturers must submit a request and an executed Letter of Understanding by 5 p.m. Eastern time on March 15, 2012.
Interested parties should consult the Feb. 14, 2012, Federal Register notice, “Evaluating the Usability of Electronic Health Record (EHR) Systems” (Docket No.: 120123059-2058-01) available at www.gpo.gov/fdsys/pkg/FR-2012-02-14/pdf/2012-3415.pdf for details of the program and the required Letter of Understanding.
* See, for example, the Healthcare Information and Management Systems Society (HIMSS) 2009 report, Defining and Testing EMR Usability: Principles and Proposed Methods of EMR Usability Evaluation and Rating at www.himss.org/content/files/HIMSS_DefiningandTestingEMRUsability.pdf.
The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce.
Anonymous, NSA, Power Grids and False Flags
9 hours 58 min ago
So… Anonymous Is Going To Attack The Grid Huh?
Ok so Anonymous, or those claiming to be “Anonymous” have put out the word that they plan on attacking the internet’s root DNS servers.
This unqualified threat left on Pastebin somehow has translated in the minds at NSA (Gen. Keith Alexander) that Anonymous will eventually attack the power grid (America’s in this instance) and drop the power for “limited” areas of the country…
Maybe… Someday… BOOGA BOOGA BOOGA! You scared yet?… Cuz this works great at the kids birthday parties. *peers with slit eyes while making magic hands*
Seriously, Anonymous has never officially made a statement (as if they really could given their model of operation) about attacking the power infrastructure at all. Sure, there were some drops of IP addresses in the recent past that they claimed were SCADA systems (they were, but they were really only HVAC systems in various places across the country).
So where is the NSA getting this all from? Surely they are projecting a little bit here huh? Such an imagination on these guys! Wait... What’s that? There was a movie about something like this? Oh yeah… “Live Free Or Die Hard” THAT’s where they saw this! They think Anonymous is gonna have a big FIRE SALE!
Well, it’s a logical conclusion I guess... That is until you let logic actually cloud your thinking and decide that it would not be in their best interest to do such things as a group.
Damn, there goes the screenplay I was thinking of!
FUD MUCH?
Down to brass tacks here... Dear NSA… Really? How about this, how about instead of worrying about it, you maybe force the PLC makers and their interface third party contractors into actually securing their shit?
Maybe re-design and re-tool everything a bit and re-mediate the issues in the first place so there won’t be this great ability to attack such systems as they sit on the internet?
This whole line of dialog that the Anon's are gonna attack the grid is a bit premature and really does a disservice to us all. This is especially the case when you talk to journalists hungry for a cutline that will make the wires buzz and get their byline in big print. This is plainly just FUD of the worst kind, Keith, and you should be ashamed of yourself.
First off, you are gonna tell me that Anonymous or for that matter Antisec is going to be stupid enough to attempt such a thing. This would be a death blow to the group. I mean, if they did this kind of action, then they would be the most hunted of all the problem children online.
Secondly, you are giving them WAAAAAAAAY too much credit in the technical skill department here. Look at the attacks these guys have been pulling off! They have all been quick hits at low hanging SQLi fruit and you seem to think this implies great skill?
Keith, do you even know how to run a computer? Do you have a working knowledge of hacking? Cuz, I am telling you right here and now, I don't think you know what you think you know... If you know what I mean.
To date, the hacks that the skiddies have pulled off have been embarrassing and surely a pain in the ass, but they have not been 3l337 as they say in the biz, nor have they really shown any cohesive ability to plan larger and more complex operations at all. In short, and I know you have heard the term I am about to use...
Anonymous is not synonymous with APT. Please do listen to what Bejtlich said in the WSJ piece (finally he and I agree on something.. Shouldn’t the forces of gravity and magnetism stop now and implode?) This is not an issue now and I really doubt that it will be an issue later.
Unless you take into account that Anonymous may in fact not be the ones that do it… They just use the convenience of the name and their poor operational model…
Say, Is That A FALSE FLAG In Your Pocket Or Are You Just Glad To See Me?
So, this brings me to a conversation I had earlier about all of this on Twitter. I spoke of this very thing at DEFCON last summer and I would hasten you all to consider what I am saying again.
IF Anonymous does in fact attack the grid, I would put to you that it is not in fact "Anonymous", whatever that may be, but instead those nation states using the nom de plume of the collective as a cover for their actions against a sovereign nation. This is called a "False Flag" operation and it would be used to attack while having the perfect cover (thanks anonymous!) for the operation to be pinned on others.
Say China (the usual suspect) wants to test our ability to deflect such an attack and decides maybe to hit a small power grid in podunk Iowa. They could just as easily post a Pastebin saying AH HA! ANONYMOUS IS GONNA HIT THIS FACILITY! and then just do it.
Alternatively, they could claim it after the fact as Anonymous and no matter how much the Anon core would say “WE DIDN’T DO IT” no one would really believe them would they? Especially now that Keith is out of the NSA closet here huh? This is a win/win for the nation states and a lose/lose for the Anon’s really.
I warned you…. So, now the stage is set and we anxiously await the curtain to drop… *pops popcorn*
Satire Aside…
Anyway, I just wanted to re-iterate that once again we have the media running with a story that seems to have legs, and even if you read into it “This won’t happen now, but soon” it still does the trick for the government.
After all, I am sure many out there are now worried that Anonymous is after their power systems. That one day their lights will go off and a large shadow of a Guy Fawkes mask will hang in the air like some plot device from a James Bond film..
Or... wait... Like the capitol blowing up in that last Die Hard film… So, which one of you Anon’s is Thomas Jane? Sabu? Meh.
Look, see through this WSJ story as either one of two things depending on your bent and jaded nature.
1) NSA is really worried about this and not so much Anonymous but nation states using their name… (this I can get behind)
2) NSA/Keith et al. Are using this as a means to an end to get what they want… They want complicity on the part of the people to enact more laws and oversight on their part of the internet… And by proxy control over all our privacy.
Up to you guys what you think…
Either way though, I would say that Anonymous has let the genie out and they did not account for this... You all could be in some deep shit here.. Let the games begin!
K.
Cross-posted from Krypt3ia
US and Netherlands Expand Cybersecurity Coordination
10 hours 10 min ago
Secretary Napolitano and Dutch Minister of Security and Justice Ivo Opstelten Sign Letter of Intent on Cybersecurity Cooperation
Secretary of Homeland Security Janet Napolitano and Dutch Minister of Security and Justice Ivo Opstelten signed a Letter of Intent to build upon cooperative cybersecurity initiatives to promote a safe, secure and resilient cyber environment.
“The United States is strongly committed to working with international partners to combat threats to security and economic stability. This Letter will help us strengthen collaboration and cooperation in the area of cybersecurity with the Dutch government to better protect the citizens of both nations,” said Secretary Napolitano.
“Cybersecurity has become a priority on the international agenda. In January, the Netherlands opened the National Cybersecurity Center, a partnership between the public, private and academic sectors. Bilateral security cooperation between the Netherlands and the United States is already strong and this Letter of Intent will further enhance our collaboration in cybersecurity,” said Minister Ivo Opstelten.
The Letter of Intent recognizes expanded coordination between the United States and the Netherlands, and outlines several areas to further collaborate on cybersecurity including incident management and response activities, control systems security, and cybersecurity exercises.
During the meeting, Secretary Napolitano and Minister Opstelten also discussed the importance of international security partnerships as well as collaborative efforts to combat terrorism and transnational crime, and ensure a stronger, safer, and more resilient global supply chain.
Secretary Napolitano traveled to the Netherlands last June to meet with her counterparts as part of the Department’s ongoing commitment to securing the global supply chain and international transportation systems.
Source: http://www.dhs.gov/ynews/releases/20120222-napolitano-opstelten-cybersecurity-cooperation.shtm
Algorithms: When is Random Really Random?
Wed, 02/22/2012 - 15:03
A surprising amount of what we do in computer security relies upon the use of random numbers and yet not many of us actually take the time to think about how these numbers are being generated.
We blithely assume that our computer, when required, can generate a truly random number.
But wait! How can a machine that works in a deterministic manner generate something that is truly random? The simple answer is that it can't. The best we can do is to generate a number that is pseudorandom.
The fact that we rely upon pseudorandom numbers is a potential problem for IT security. After all, if a machine is using a known algorithm to generate a number that your system then treats as random, what is to stop an attacker from calculating that same number if he knows your algorithm?
It is a fundamental truth of any strong computer security that you must assume that an attacker knows the algorithms that you have used. So, perhaps one should spend a little more time understanding how pseudorandom numbers are generated in order that they are not relied upon inappropriately.
The measure of randomness in a number is known as entropy: not entropy as physicists use it, but entropy as cryptographers use it. Entropy is, in essence, how uncertain you are about a number. This means that the entropy is not necessarily related to the number of bits in a number but to the number of possible values that number could have taken.
Imagine being able to discard the bits in a number about which you were certain. The bits that remain are the bits of entropy. Suppose, for example, a 100-bit number could take on only two possible values; then you need only one bit to differentiate those two values.
Hence such a number would be described as having 1 bit of entropy. Obviously this is an extreme case, and I have not complicated the issue by factoring in different probability distributions.
Most mathematicians define the entropy of a random variable X as:
H(X) := − Σₓ P(X=x) log₂ P(X=x)
where the sum runs over every value x that X can take, and P(X=x) is the probability of X taking the value x.
So, how do you generate a number that has the greatest possible entropy? There has been much research on using activities such as mouse movements or keystrokes to generate a number that can be considered random.
But so far it appears that the activities picked to generate the numbers have proved to be not quite as random as first thought: some typists are remarkably accurate and consistent! Other work has focused on incorporating some form of physical device into a computer that can generate truly random numbers based upon provably chaotic behaviour.
This has two drawbacks: generating large random numbers can take an unacceptably long time, and the device might fail, rendering the numbers predictable without your knowing.
Which brings us back to the generation of pseudorandom numbers. Most accept that this is the best method of generating numbers with sufficient entropy, whilst making the mechanism efficient and accessible enough for widespread use in computing.
There are many algorithms in the literature, but I would recommend an approach such as that described in Fortuna, which was an improvement by Ferguson, Schneier and Kohno on a previous method called Yarrow. Fortuna, like most approaches, relies upon a seed, which is a relatively small but truly random number.
But it allows for the use of modern encryption techniques such as AES, which means that although the algorithm is known, it is highly unlikely that the resulting pseudorandom sequence can be reproduced without the secret key.
What Fortuna shows is that, rather than relying on standard libraries on their own, you construct a routine that does use standard libraries but recognises the potential attacks against them and seeks to minimise the threat by incorporating elements such as AES and SHA. This reserves some secret information to the local machine, decreasing the chances that a third party could reproduce your number(s).
So, in short, the best way to use random numbers is to generate pseudorandom numbers in such a way that "unreliable" sources of randomness are replaced by your own store of entropy, upon which you can draw, while keeping the means by which that store is generated secret by virtue of a secret key.
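As an added example (not the article's own code, and not the Fortuna reference implementation), here is the entropy formula from the text carried through on a few distributions, followed by a stripped-down Fortuna-style generator in Go: AES-256 in counter mode under a secret key, reseeded through SHA-256 and rekeyed after every request. It assumes a single SHA-256 reseed where Fortuna double-hashes, omits Fortuna's 32 entropy accumulator pools, and uses a constructed seed string rather than real OS entropy.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"fmt"
	"math"
)

// Entropy returns the Shannon entropy H(X) in bits for a distribution given
// as a slice of probabilities (which should sum to 1). Outcomes with zero
// probability contribute nothing, following the convention 0*log2(0) = 0.
func Entropy(probs []float64) float64 {
	h := 0.0
	for _, p := range probs {
		if p > 0 {
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Generator is a simplified Fortuna-style generator: a secret key drives
// AES-256 in counter mode. The algorithm is public; the key is what an
// attacker lacks, and it never leaves the machine.
type Generator struct {
	key     [32]byte // AES-256 key
	counter [16]byte // 128-bit block counter, little-endian
	seeded  bool
}

// Reseed folds fresh entropy into the key: K' = SHA-256(K || seed).
// (Fortuna uses a double SHA-256 here; single hash kept for brevity.)
func (g *Generator) Reseed(seed []byte) {
	g.key = sha256.Sum256(append(g.key[:], seed...))
	g.seeded = true
	g.incCounter()
}

// incCounter adds one to the 128-bit counter with carry.
func (g *Generator) incCounter() {
	for i := 0; i < len(g.counter); i++ {
		g.counter[i]++
		if g.counter[i] != 0 {
			break
		}
	}
}

// generateBlocks returns n*16 bytes of keystream: AES_K(counter), counter+1, ...
func (g *Generator) generateBlocks(n int) []byte {
	block, err := aes.NewCipher(g.key[:])
	if err != nil {
		panic(err) // cannot happen for a 32-byte key
	}
	out := make([]byte, 0, n*aes.BlockSize)
	var buf [aes.BlockSize]byte
	for i := 0; i < n; i++ {
		block.Encrypt(buf[:], g.counter[:])
		out = append(out, buf[:]...)
		g.incCounter()
	}
	return out
}

// Random returns nBytes of pseudorandom output (Fortuna caps one request at
// 2^20 bytes). After each request the key is replaced by two fresh output
// blocks, so a later key compromise does not reveal earlier output.
func (g *Generator) Random(nBytes int) ([]byte, error) {
	if !g.seeded {
		return nil, fmt.Errorf("generator not seeded")
	}
	if nBytes < 0 || nBytes > 1<<20 {
		return nil, fmt.Errorf("request size %d out of range", nBytes)
	}
	blocks := (nBytes + aes.BlockSize - 1) / aes.BlockSize
	out := g.generateBlocks(blocks)[:nBytes]
	copy(g.key[:], g.generateBlocks(2)) // rekey
	return out, nil
}

func main() {
	// The article's case: a 100-bit number with two equally likely values
	// carries 1 bit of entropy, not 100.
	fmt.Printf("two values:   H = %.2f bits\n", Entropy([]float64{0.5, 0.5}))
	uniform := make([]float64, 256) // every byte value equally likely
	for i := range uniform {
		uniform[i] = 1.0 / 256
	}
	fmt.Printf("uniform byte: H = %.2f bits\n", Entropy(uniform))

	var g Generator
	g.Reseed([]byte("constructed seed: use real OS entropy in practice"))
	a, _ := g.Random(16)
	b, _ := g.Random(16)
	fmt.Printf("%x\n%x\n", a, b) // differ: the key was replaced between calls
}
```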
For a superb, free book that goes into great depth about random number generation, see Luc Devroye's book here (originally published with Springer-Verlag, New York, 1986).
Cross-posted from Professor Alan Woodward
Is ICS-CERT Focused on the Right Issues?
Wed, 02/22/2012 - 15:02
How valuable is the ICS-CERT? Is it focused on the right issues?
A control system is generally composed of a human-machine interface (HMI) that is often a Windows-based system and field controllers.
The HMI is essentially an IT system with IT vulnerabilities. The field controllers generally use proprietary real time operating systems or embedded processors. Field controllers generally have minimal cyber security and minimal cyber logging and forensic capabilities.
Bob Radvanovsky has been working on a private project to correlate and analyze data from recent DHS ICS-CERT advisories, alerts, bulletins and notices. What he found should not surprise anyone, nor is there much information other than what he is revealing from the public-facing U.S. CERT (ICS-CERT page) web site.
Bob will be providing a more detailed, more comprehensive report reflecting specific statistical information at a future date (undisclosed and TBD).
Results:
There are 203 reports that have been publicly made available; the first report was made available on 11-Mar-2010 (ICSA-10-070-01 - Rockwell Automation RSLINX Classic EDS Hardware Installation Buffer Overflow) on the U.S. CERT website.
Of the 203 reports that are currently publicly available (including all reports from 11-Mar-2010 up to and including the 3 recent update reports from 14-Feb-2012), the breakdown is as follows:
Category                                                  Reports   Share
GPS-related                                               2         0.99%
Malware-related                                           12        5.91%
Miscellaneous (cannot accurately put into a category)     7         3.45%
Network-related                                           1         0.49%
Software-related                                          2         0.99%
SCADA/HMI console-related                                 155       76.55%
Control systems-related (includes PLC, DCS, RTU)          24        11.82%
When I analyze the results of my control system cyber incident database, the most significant U.S. incidents from an impact perspective were control system-related.
These include the four control system cyber incidents that killed people, two major-cyber related electric outages, two nuclear plant shutdowns, etc.
The SCADA/HMI console-related incidents were generally of low impact, other than the 2003 Northeast Outage (which did not damage equipment).
It appears that ICS-CERT is focusing on the less important issues.
Cross-posted from ControlGlobal.com's Unfettered Blog - copyright 2012 and ff by Putman Media Inc. All rights reserved.
Is Information Online Legally Fair Game to Use for Marketing?
Wed, 02/22/2012 - 15:01
Social media sites are booming. The amount of personal information folks are choosing to post to them, such as photos, videos, original stories, thoughts, gossip, and so on, is exploding.
Marketers are drooling at the prospect of using all that “free” information. Well, it’s really not free, folks.
This is a topic of growing concern, more so than I had realized until I received two separate questions in the past two weeks from two different sources (one from a group of students and another from a marketing professional at a large corporation) about the legal requirements related to using information from social media sites for marketing.
I wrote about the topic of using information from social media sites in 2010 in my blog post, “3 Privacy Mistakes For Social Media And Marketing”. Those thoughts still apply. Now let’s consider some of the legal issues related to activities that harvest information from social media sites to use for marketing purposes.
Here are just a few of the legal issues that marketers, and the organizations that they work for, need to know about:
Section 5 of the Federal Trade Commission Act (FTC Act). Your posted privacy policy is a legally binding document. Have your marketers read it? Do they understand it? Are they following it? If they are using information in ways that violate your posted privacy policy, then they are putting your entire organization at risk of civil action, sanctions under the FTC Act, or any of a wide number of other legal problems. Not to mention bad publicity.
CAN-SPAM Act. Many marketers are gleaning email addresses from social marketing sites. I’ve even heard marketers brag about the large number of email addresses they’ve pulled from Facebook alone.
Using such information to send unsolicited marketing messages could be violating the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act). Organizations and individuals have received multi-million dollar fines for CAN-SPAM Act violations.
COPPA. Many marketers are interacting with everyone they can get the attention of on social networking sites, and then snagging things such as their names, home addresses, email addresses, and phone numbers if they happen to find them on their sites.
They could be violating the Children’s Online Privacy Protection Act (COPPA) of 1998 which established the requirements by which organizations can obtain and use such personal information from children under 13 years old.
The FTC has applied numerous multi-million dollar fines for such activities. Are your marketers aware of this regulation, or are they exposing your business to some hefty penalties by grabbing and using personal information of minors?
Video Privacy Protection Act (VPPA). Even though this is a comparatively older regulation enacted in 1988 largely as a result of the release of Supreme Court Judge Robert Bork’s video rental records during his controversial Supreme Court nomination process, it is still applicable today to the ways in which videos, and similar media, are streamed over the Internet.
Marketing folks love to know the viewing habits of the public, and many have viewed social networks as a goldmine of potential information about consumer viewing habits, and of potential follow-up with those who fit their target customer profile. If your marketers are using social media information of individuals for these types of activities without the consent of the applicable individuals, they and/or your organization could be hit with significant sanctions under the VPPA.
Consider all the other international, federal, state and local laws and industry regulations that could be added to this list, and the need to consider such legal issues when doing marketing using “found” social network information; the potential for legal nightmares should become clear and compelling.
As a final thought consider this: if you found a billfold full of credit cards and a social security card on the street, would you be able to just pick it up and start using the cards for your own personal gain, or more directly comparable, for any number of your business purposes?
Crooks and those without a moral or ethical compass probably would, but others should know that such found information was not free for the taking and using. The same concept should be used for information “found” online as well.
The students who wrote to me asked whether or not marketing invades privacy. The answer is, of course it can! That is why you need to be aware of what personal information is, and know that privacy goes beyond just knowing the specific legal restrictions for using personal information (although you certainly need to know this as well).
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
Cross-posted from Privacy Professor
NSA Wary of Potential Hacktivist Threat to Power Grid
Wed, 02/22/2012 - 04:41
The Wall Street Journal is reporting that National Security Agency chief Gen. Keith Alexander has briefed the White House on potential threats to the nation's power grid network by hacktivist groups such as Anonymous.
The Journal states that "the group has never listed a power blackout as a goal, but some federal officials believe Anonymous is headed in a more disruptive direction. An attack on a network would be consistent with recent public claims and threats by the group."
One of the main challenges in protecting these networks is the fact that these systems were not necessarily designed with cybersecurity in mind. Rather, the security solutions have been layered on in a piecemeal fashion after the networks were operational, leaving ample room for attackers to compromise their functionality.
In the fall of 2011, Pike Research released a report examining the state of utility cyber security. The report concluded that although a great deal of attention has shifted to protecting systems that govern infrastructure, utilities have a long way to go in protecting critical networks.
"Utility cyber security is in a state of near chaos. After years of vendors selling point solutions, utilities investing in compliance minimums rather than full security, and attackers having nearly free rein, the attackers clearly have the upper hand. Many attacks simply cannot be defended," the researchers stated.
However, the Journal goes on to report that utility officials believe the threat of a catastrophic event is highly unlikely, and that current security precautions are effective in defeating attacks on a daily basis.
"Grid officials said their systems face regular attacks, and they devote tremendous resources to repelling invaders, whether from Anonymous or some other source. 'The industry is engaged and stepping up widely to respond to emerging cyber threats,' said one electric-industry official. 'There is a recognition that there are groups out there like Anonymous, and we are concerned, as are other sectors.' Another industry official noted that the electric grid has a number of backup systems that allow utilities to restore power quickly if it is taken out by a cyberattack or other event."
While widespread vulnerabilities may persist in systems governing critical infrastructure, the government maintains that actual threat levels are not as pronounced as some would lead the public to believe.
"Intelligence officials believe that, for now, the cyber threat to the power grid is relatively limited. The countries that could most quickly develop and use cyber means to destroy part of the grid — such as China and Russia — have little incentive to do it. Those who might have more incentive, like Iran or North Korea, don't have the capability," the Journal reported.
Stealth Code for New Mutation of PHP Bot Infector
Wed, 02/22/2012 - 03:39
Recently, I found another new mutation of a PHP bot infector, with zero percent detection by anti-virus software. Anti-security tool code was included as well.
For those interested, you can view this link to see that the total number of anti-virus detections was 0.
However, when I decoded the PHP backdoor, I got 17 anti-virus hits on it. It seems they locked onto the c99 backdoor code remnants; c99 is a pretty old PHP backdoor trojan.
This leads to the question about evasion techniques and how effective anti-virus applications are at doing code de-obfuscation.
For example, if you want a currently effective AV evasion technique in PHP, it comes down to this simple line of code:
- (gzinflate(str_rot13(base64_decode($code))));
There’s the cash money key in terms of evading most, if not all, current anti-virus tools.
However, if you have a process that runs grep against your files looking for base64_decode and alerts you to new ones, you'll get visibility into it and many, many others like it. Base64 encoding is still quite a popular call in PHP attack and compromise tools.
Here are some examples of this specific trivial control — here, and here. Now you have a real-life example of how it pays off. So simple, yet so effective at detecting these slippery backdoors.
Finding specific nuanced controls that pay off against specific threats to your assets is a key way to better security. It's a win, all around!
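The grep-based control described above, as an added example in Go (not the author's tooling): it scans a set of PHP sources for base64_decode and the gzinflate/str_rot13 wrappers from the one-liner, then compares each hit against a baseline of previously reviewed hits so that only new ones are reported. The file names, contents and baseline are constructed for illustration; a real deployment would read the web root from disk and persist the baseline between runs.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Calls the article singles out: base64_decode plus the decoder chain wrapped
// around it. PHP function names are case-insensitive, so the match is too.
var suspectCall = regexp.MustCompile(`(?i)\b(base64_decode|gzinflate|str_rot13)\s*\(`)

// Hit is one matching source line.
type Hit struct {
	File string
	Line int
	Text string
}

// Key identifies a hit by path plus a digest of the line text, so a reviewed
// line stays quiet but an edited payload on the same line alerts again.
func (h Hit) Key() string {
	sum := sha256.Sum256([]byte(h.Text))
	return h.File + ":" + hex.EncodeToString(sum[:8])
}

// Scan runs the check over path -> content and returns every matching line,
// sorted by path then line number so output is stable across runs.
func Scan(files map[string]string) []Hit {
	var hits []Hit
	for path, content := range files {
		for i, line := range strings.Split(content, "\n") {
			if suspectCall.MatchString(line) {
				hits = append(hits, Hit{File: path, Line: i + 1, Text: strings.TrimSpace(line)})
			}
		}
	}
	sort.Slice(hits, func(a, b int) bool {
		if hits[a].File != hits[b].File {
			return hits[a].File < hits[b].File
		}
		return hits[a].Line < hits[b].Line
	})
	return hits
}

// NewHits keeps only hits absent from the baseline: the ones worth an alert.
func NewHits(hits []Hit, baseline map[string]bool) []Hit {
	var fresh []Hit
	for _, h := range hits {
		if !baseline[h.Key()] {
			fresh = append(fresh, h)
		}
	}
	return fresh
}

// Constructed sample web root: one reviewed, legitimate use of base64_decode
// and one dropped file carrying the obfuscated decoder chain from the article.
var sampleFiles = map[string]string{
	"www/lib/image.php":  "<?php\n$raw = base64_decode($_POST['img']); // reviewed: inline image upload\n",
	"www/cache/.tmp.php": "<?php $x = gzinflate(str_rot13(base64_decode($code))); ?>\n",
	"www/index.php":      "<?php echo 'hello'; ?>\n",
}

func main() {
	// Stand-in for the stored result of an earlier, reviewed run: only the
	// image helper was known at that time.
	baseline := map[string]bool{}
	for _, h := range Scan(sampleFiles) {
		if h.File == "www/lib/image.php" {
			baseline[h.Key()] = true
		}
	}
	for _, h := range NewHits(Scan(sampleFiles), baseline) {
		fmt.Printf("NEW %s:%d  %s\n", h.File, h.Line, h.Text)
	}
}
```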
Cross-posted from State of Security
FTC Removed Security Protocols from Website Contract
Wed, 02/22/2012 - 03:22
Reports have surfaced that the Federal Trade Commission failed to maintain security-related language in service contracts awarded to a public relations firm responsible for the agency's websites.
The lack of proper security precautions governing the agency's websites may have been a contributing factor to the January 24 hack of the FTC's OnGuardOnline.gov site where attackers exploited vulnerabilities in the application software employed.
In addition, the PR firm subsequently failed to take action to mitigate FTC website vulnerabilities after the initial attack, allowing for the successful defacement of the agency's Consumer.ftc.gov website.
"The initial language of the FTC's solicitation for the $1.49 million contract that created the sites that were hacked on January 24 and February 17 set out very specific language about the security requirements for the site. But by the time the contract for a set of consumer and business education websites and social media was awarded to public relations firm Fleishman-Hilliard in August of 2011, those requirements were dropped from the statement of work," Arstechnica reports.
The lack of due diligence has prompted the hosting service Media Temple to ask Fleishman-Hilliard to take down any remaining websites subject to federal security guidelines.
"We have actually asked Fleishman-Hilliard to remove any [remaining] .gov sites... We aren't a FISMA-certified hosting service," said Media Temple's Kim Brubeck.
The events leading up to the security gaffe provide a prime example of the risks government agencies face when outsourcing operations. In the midst of dealing with multiple contractors, security precautions seem to have simply fallen by the wayside.
"In part, the security requirements were dropped because the FTC planned to host the sites with someone other than the winner of the contract. But Fleishman-Hilliard ended up setting up the servers for the sites themselves—on Media Temple's unmanaged server-in-the-cloud service that was never intended for .gov sites. And it appears the FTC signed off on the move. As a result, the servers provisioned for a number of FTC sites, including a site providing recommendations for business and consumer information security, were configured with an outdated version of the Drupal content management system that offered up a tempting target to Anonymous "antisec" hackers looking to embarrass the government."
The events appear to be a comedy of errors, where during the long process involved in setting up and awarding federal contracts, due diligence was not maintained and critical security requirements were not enforced.
As the federal government races to outsource services to the cloud in an effort to cut costs, the risk of oversights of this nature unfortunately becomes more probable.
Social Media Monitoring: A Rubric for Control
Wed, 02/22/2012 - 02:30
Monitoring Social Media: Open Communications vs. Secret Operations and Big Brother
It seems that things are coming to a head in the strange world of government surveillance for “our” protection.
Of course I see the expeditious rise in this kind of activity due to the likes of Anonymous and Lulzsec/Antisec coming to the scene and forcing the hands of those in charge.
This is not to say that the legislation and skulduggery would not have happened without the Anons, but it may have been more of a frog-in-a-pot-of-water scenario as opposed to getting zapped in a flash.
So, in a way, you can thank Anonymous for speeding up the process as well as perhaps creating the environment for really poor ideas to be floated in a hurry to “protect” us all from the bad people.
Dealer's choice there I suppose…
All this aside though, we now are faced with DHS wanting to be in charge (or at least pay General Dynamics to do the work) of monitoring “Social Media” on the internet. First off, let me assure you all that DHS monitoring Social Media is akin to a severely autistic individual being assigned as a babysitter for an infant. This is one of the worst ideas I could ever conceive of as these types of things go.
Even with GD doing all of the grunt work, the actual evaluation of any product would be carried out by analysts from DHS, and boy, they are so ill-equipped to handle this. Remember, these are the same bunch of folks that brought you that classic fiasco of “Russia is hacking our water system in Illinois!”
Suffice to say, that I do not think this will go well and that the idea in and of itself, to monitor Facebook and Twitter will only lead to more of the same old false reports of doom and attacks that the Bush administration brought out every few weeks with the terror color coded chart.
In short, FEAR FEAR FEAR! All the while, they will only target people who happen to say things in a tweet that will be overblown and have them tossed out of the country (i.e. blowing up America by the Brit recently). FUD.
Just Who Will Be Monitored Really?
Aside from the lowest of low-level jihadis or Anonymous, just who will really be monitored by this program do you suppose? Why, you and I of course! I mean, it's really just open source isn't it? The real targets are the stupid and the public here really, and one must face this fact and accept it.
This is no program that will actually end up with real terrorists being caught and cells disrupted you know. See it for what it is, a means to an end to have a simulacrum of control over the internet and the people using it.
"But Krypt3ia... They are doing this to catch the bad men," you say?
Sure, you can believe that if you want to, and there may be factions within the community that think this is the case, but overall you have to look at the pool being harvested from here. Since the advent of the Patriot Act, we have seen the FBI and others over-use and subvert the law to effect warrantless searches for domestic cases much more than terrorism, the thing that the Patriot Act was created for.
What this really is, is a drift-net approach to law enforcement, because technically the government and the LEOs are not capable of keeping up with the crime, never mind the terrorism really. So, they fall back to the idea of "we can monitor everything and after the fact go back and look at data for 'anyone' to make a case."
Easy as pie…
I am not inclined to believe that these measures are to be proactive either. Predictive maybe to an extent, but in prediction, we get another whiff of control do we not? After all, the predictive nature of this type of monitoring is what the CIA and other countries do to assess when there may be an outbreak of civil disobedience or perhaps insurrection might be a word for it?
Either way, this is a means of control as well as a means to detect and perhaps deter, depending on the use its owner makes of it.
It's a tool, and it is up to the user what they will do with it. In the case of other states such as Syria, well, you can see how the technology is being used. Here in the US, I am not saying that this will be 1984 all over again, but, do you really believe that you, the citizen, in the current environment will be able to know what is going on? Will you be able to FOIA the results of the testing and the monitoring to tell if it's being misused?
If you think that this will be in fact the case, I think you will be sorely surprised when you find that it’s all been classified and out of reach when you have questions. Frankly, I just see this as the next iteration of “Total Information Awareness“... You know, John Poindexter’s baby? Yeah, fun fact, it never really went away, it just went into the black budgets and or changed names.
In the end, if you have a Twitter account, Facebook, MySpace, blog, etc... you will be monitored... Especially if you speak your mind or use key words that trigger an analyst's attention.
Kinda like the NARUS STA’s in the MAE’s out there siphoning data too.
Oh, Don’t You Worry, No Matter What They Say, YOU Will Be Monitored
In the interim though, Congress has had a meeting over the privacy concerns about this little project by DHS. The congress-critters got all up in DHS's face about the issue and said they are not comfortable with the program/laws around this. Now that Congress has acted on this, one might think that it would stop the program... I am not so sure it will in fact do so.
I think that the case will be made and assurances given that only those who are evildoers will be audited and that no privacy will be breached by such measures... "We're here to protect you."
It's an old argument really, but in today's digital world, the issue is that instead of, say, a black chamber opening mail by hand in a secret building, you instead have machines collecting everyone's data and sifting through it all for key words, phrases, memes and other data. This then spits out the alerts, and an analyst then looks at it to see if it warrants being passed along to others in the food chain.
What also may occur here is that even if it’s not terrorism, they may in fact pass data on to others who may start investigations on those hits, even out of context, as you might be an agitator or show a tendency that they feel uncomfortable about.
Today, if you buy a coffee at a Starbucks with cash AND you use WIFI AND you use encryption, YOU might be marked as suspect due to the fliers recently put out by the DOJ and the FBI on how to tell if one is a terrorist. God forbid you have a missing finger(s) as well... Then SURELY you are a jihadi or a militant. *snicker*
Oh well, fear not gentle reader... Because all of what I have said above about this one program, means nothing really. Why? Because this one program is only “one” of many out there being used by the government(s) out there to trawl the internet for data. I have mentioned a few others above and you can go look up the terms and see for yourselves.
Post 9/11, we have truly become a watched commodity via the internet and all other means of communication we can buy. All of these programs have been put together with the veneer of being in place to protect us from another 9/11 and perhaps some of them were made with the best of intentions, but this idea of monitoring social media, well, it’s a little half baked really I think.
In the end, only the stupid will be caught. I mean really, look at what lengths OBL went to with cell phones and runners with messages, do you really think that much of the global jihad is being carried out over open communications lines like Twitter and Facebook?
Sure, maybe people congregate there and THAT is useful information, but, to monitor the traffic of everyone to get targeted data on “some” users is just useless if your goal is only to go after the terrorists.
Remember... Above all it’s just a drift net to make it easy…
Making Your Own Privacy Because You Soon Will Have NONE
I guess what this whole rant is boiling down to is this, and it's something I have said before on many occasions: "You alone can make the privacy that you need to prevent such monitoring." Encryption is the key to all of this.
Whether that crypto be something along the lines of PGP or Vigenere is up to you but what counts is that you are taking the pains to protect the communication that will pass over the wire. You can’t trust the owner of the wire and you certainly cannot trust that the government or, hackers for that matter, aren’t watching or monitoring you either. So, it’s up to you to make the privacy happen.
With the onset of all of this, this week we also saw the first (I assume of many) solutions for encrypted tweets come along. I for one, would love to see this solution work and be used by many on Twitter to protect their privacy, but, then again, this is kind of an oxymoron huh?
As I said earlier in the post here, who would use open lines to commit crime? So, once again, we are back to the level of what privacy can one expect as well as if one wants to be private, use a means to protect that communication. *shakes head*
After that little turn, it really becomes clear that the monitoring of twitter and the like really comes down to a privacy violation by the government to feel as though they are in control. The smart people will not be talking on twitter about blowing things up and everyone else who may say such things are doing it in jest, but will end up being investigated for their poor choice of words (140 characters at a time).
It’s a sad world we live in. I hope that congress denies the DHS their wish, but, I am also certain that if they do, DHS will only hire out again to the likes of GD to do it anyway off the books so to speak…
In the interim, I will continue to encrypt love notes to DHS and others in hopes of making their day..
OOH LOOK ENCRYPTED MESSAGES! TERRORIST! WATCH EM!
K.
Sources:
Cross-posted from Krypt3ia
The Need for a Special Forces Offensive Cyber Group
Wed, 02/22/2012 - 02:09
Cyber Cold War and The Need for an Offensive Cyber Special Forces Group
I was speaking to a veteran the other day who has about 20 years of service and has been in more countries than I can remember.
As we talked about the war in Afghanistan, possible future war with Iran and other current military affairs, he told me, “Things are changing. They are after military websites, online accounts and even Facebook pages of active duty troops. It is a Cyber Cold War now.”
International websites are under siege by everyone from political hacktivists to cyber-crime organizations, to Nation State backed hackers. But what is the real threat?
- Political Hacktivists – The recent Anonymous leak of the intercepted FBI call concerning Anonymous told me everything I needed to know about how seriously political hacktivism is taken as a threat. During the call, FBI agents and British agents joke around and laugh up to the point where a senior agent joins the conference call. Then it was all business. Denial of service threats and the releasing of credit card info are a nuisance, but not really a threat, especially when compared to the other heavy crime that the FBI is used to dealing with.
- Cyber Crime – This is a lot more serious than political hacktivism. International cyber-crime is booming, and recently more money was stolen through cyber-crime than was made in the illicit drug trade. But this really is an extension of organized crime and not cyber war.
- Nation State Hackers – This is where the threat really lies. It ranges from the release of counterfeit network equipment that could be backdoored, to industrial sabotage, to military espionage. This is where our military-level cyber forces should be focused.
In essence we are in a Cyber Cold War. Nation State hackers are very active in attacking and compromising military, government and defense contractor sites. Terrorists are using social media sites to recruit, train and spread their poison. It is very representative of the espionage, politics and spread of communism during the Cold War.
Is our current military cyber force capable of dealing with this threat?
I think when our cyber command was created, it had in mind the threats they were facing and had the desire to be both offensive and defensive - blocking the threats and counter-attacking in the cyber realm. But before cyber command even got off the ground, it was hamstrung by the legal and political ramifications of offensive operations.
What then is needed? We need a Cyber Special Forces group.
After the failed Bay of Pigs invasion, President John F. Kennedy realized that the US was facing a new battle with the spread of communism. He made it a priority to get Special Forces groups created and active to face this threat.
Troops were selected that were intelligent, capable and willing to learn. They were put through intense training that allowed them to move undetected in enemy territory and engage the enemy on their own terms.
As Special Forces groups evolved, their peacetime missions became twofold. They were sent into countries to train allied or somewhat friendly forces, but at the same time to gather intelligence about countries that at some point in the future might not be aligned with US intentions.
Right now, our Cyber Command seems more defensively oriented. Instead of just monitoring and detecting threats, a capable offensive unit is needed: one that can not only counter-hack, assess potential targets, train friendly nations and stop electronic threats, but also put boots on the ground and physically shut down terror cells and any other physical threats that arise from the intelligence gained.
Cross-posted from Cyber Arms
Copyright 2010 Respective Author at Infosec Island
ICS-CERT: 7Technologies TERMIS DLL Hijacking
Wed, 02/22/2012 - 01:49
ICS-CERT originally released Advisory ICSA-12-025-02P on the US-CERT secure portal on January 25, 2012. This web page release was delayed to allow users time to download and install the update.
Researcher Kuang-Chun Hung of the Security Research and Service Institute−Information and Communication Security Technology Center (ICST) identified an uncontrolled search path element vulnerability, commonly referred to as DLL Hijacking, in the 7-Technologies (7T) TERMIS software.
ICS-CERT has coordinated this report with 7T, and 7T has created a patch that resolves this vulnerability. ICST has confirmed this patch fully resolves the reported vulnerability.
AFFECTED PRODUCTS
The following products and versions are affected:
• TERMIS V2.10 dated November 30, 2011, and any previous version.
IMPACT
A successful exploit of this vulnerability could lead to arbitrary code execution.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
BACKGROUND
7T, based in Denmark, creates monitoring and control systems that are primarily used in the United States, Europe, and South Asia. 7T TERMIS software is used for district energy network management.
VULNERABILITY OVERVIEW
The 7T TERMIS software is vulnerable to DLL hijacking: it loads a library by name rather than by fully qualified path, so Windows resolves the name through its DLL search order. An attacker who places a malicious DLL of the same name in a directory the loader consults before it reaches the legitimate copy (or for a library name that is not present on the host at all) gets that DLL loaded, and its code run, inside the TERMIS process. The attacker must be able to write a file somewhere the host's loader will look. If exploited, this vulnerability may allow execution of arbitrary code. CVE-2012-0224 has been assigned to this vulnerability.
EXPLOITABILITY: This vulnerability may be exploitable from a remote machine. "Remote" here does not mean over the network without user involvement: the usual vector for this class of bug is a planted DLL placed next to a document on a network share or removable media, so that opening the document makes a location the attacker controls the process's working directory.
EXISTENCE OF EXPLOIT: No known public exploits specifically target this vulnerability.
DIFFICULTY: An attacker requires a moderate skill level to exploit this vulnerability.
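The following is an added example, not code from 7T, ICST or ICS-CERT, and it models nothing about TERMIS internals. It replays the Windows DLL search order against a constructed filesystem snapshot to show why an unqualified library load is hijackable when a name is not found in the application or system directories, and why restricting the search order (or loading by full path) closes the hole. The application directory, share path, DLL name and PATH contents are all assumptions.

```python
"""Where will LoadLibrary("name.dll") pick the DLL up from?

Added example for the advisory above; not vendor or ICS-CERT code. It walks
the Windows DLL search order against a constructed filesystem snapshot and
reports whether an attacker-writable directory gets consulted before the
loader finds the legitimate copy. All directory names are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


def _norm(p: str) -> str:
    # Windows paths are case-insensitive; compare them in one case.
    return p.rstrip("\\").lower()


def default_search_order(app_dir: str, cwd: str, path_entries: Iterable[str],
                         windir: str = r"C:\Windows") -> List[str]:
    """Search order for an unqualified DLL name with SafeDllSearchMode on
    (the Windows default): application directory, System32, the 16-bit
    System directory, the Windows directory, the current working directory,
    then each PATH entry. Known DLLs and modules already in the process
    short-circuit this list; they are ignored here."""
    return [_norm(d) for d in (app_dir, windir + r"\System32",
                                windir + r"\System", windir, cwd, *path_entries)]


def hardened_search_order(app_dir: str, windir: str = r"C:\Windows") -> List[str]:
    """Order after SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS):
    application directory and System32 only; CWD and PATH are never consulted.
    Loading by fully qualified path removes the search entirely."""
    return [_norm(app_dir), _norm(windir + r"\System32")]


@dataclass
class Resolution:
    dll: str
    loaded_from: Optional[str]  # None: the loader finds no copy at all
    hijackable: bool            # an attacker-writable directory is consulted first


def resolve(dll: str, order: List[str], present_in: Set[str],
            attacker_writable: Set[str]) -> Resolution:
    """The first directory in the order holding a DLL of that name wins. If an
    attacker-writable directory comes before (or instead of) the legitimate
    copy, a planted DLL of the same name is what gets loaded."""
    present = {_norm(d) for d in present_in}
    writable = {_norm(d) for d in attacker_writable}
    for d in order:
        if d in writable:
            return Resolution(dll, d, True)
        if d in present:
            return Resolution(dll, d, False)
    return Resolution(dll, None, False)


# Constructed scenario (assumptions, not from the advisory): the user opens a
# project file from a share the attacker can write to, so that share becomes
# the process's current working directory.
APP_DIR = r"C:\Program Files\Vendor\App"
SHARE = r"\\fileserver\projects"
ATTACKER_DIRS = {SHARE}
PATH = [r"C:\Windows\System32", r"C:\Windows"]


def missing_dll_case() -> Resolution:
    """Library the application probes for but which is absent on this host:
    the loader reaches the CWD, and the planted copy wins."""
    order = default_search_order(APP_DIR, cwd=SHARE, path_entries=PATH)
    return resolve("optional.dll", order, present_in=set(), attacker_writable=ATTACKER_DIRS)


def system_dll_case() -> Resolution:
    """Library that lives in System32: found before the CWD is consulted."""
    order = default_search_order(APP_DIR, cwd=SHARE, path_entries=PATH)
    return resolve("helper.dll", order, {r"C:\Windows\System32"}, ATTACKER_DIRS)


def hardened_case() -> Resolution:
    """Same missing library under the restricted search order: the load
    fails, as it did before the attacker showed up, instead of succeeding."""
    order = hardened_search_order(APP_DIR)
    return resolve("optional.dll", order, present_in=set(), attacker_writable=ATTACKER_DIRS)


if __name__ == "__main__":
    for case in (missing_dll_case, system_dll_case, hardened_case):
        print(f"{case.__name__:18s} -> {case()}")
```

The check to run against a real install is the same walk with real data: list the DLL names the process tries and fails to load (Process Monitor's NAME NOT FOUND results are the usual source), then look at which of the directories in the order above a non-administrator can write to.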
MITIGATION
7T has developed a patch to address this vulnerability, which can be accessed here:
Users may need to uninstall an earlier version of the application before installing this update.
The full ICS-CERT advisory can be found here:
Source: http://www.us-cert.gov/control_systems/pdf/ICSA-12-025-02.pdf
Data Loss Prevention Step 7: Actionable Intelligence
Tue, 02/21/2012 - 15:03
I'm writing a series of posts to follow up on my blog post titled "Data Loss Prevention - Without the New Blinky Boxes" which addressed some of the silliness that comes with believing that DLP comes in a box, or is a product you can buy to solve your DLP needs. Welcome to part 7 (part 1 here) (part 2 here) (part 3 here) (part 4 here) (part 5 here) (part 6 here)...
In this post I'm going to bring up one of the most interesting topics (at least to me) which is gathering actionable intelligence from all of your existing investments. Since you probably have at least 100 devices across your network generating security log information - not to mention other types of useful bits - it's imperative that as you think about doing DLP you utilize this wealth of existing information available to you... or is it?
Remember - mountains of information being generated by security devices is only useful if you can transform it into actions which can increase the security posture of your organization.
What's a SIRM?
SIRM stands for Security Information and Risk Management, and it's typically served up as a platform of technologies that can be consumed as an in-house product or as a service. SIRM is the continuing evolution of the SIM platform, which many years ago started as a log aggregator, which of course did no one any good because no one I know had any time to actually do anything with it.
Why the new term SIRM? Simple: the industry needs to evolve into risk management beyond just the traditional security event management. In short, there is more to your organization than what the firewall and IPS generate. Lots of events may mean an influx of attacks, or simply noise; either way, they do not adequately express or correlate business risk.
You see, today's security dashboards and consoles focus on exactly that - security - and security tends to have a very myopic view of the enterprise. Security tends to care about bad things happening, and for good reason too! If the security team were to start looking at the totality of organizational "events", it is a sure bet they would be overwhelmed in seconds.
So here we have the crux of the issue with data loss prevention - too much information to process in a meaningful way without advanced insider knowledge of your specific organization. DLP is a Catch-22, because you never know what you're looking for (or in what format) in order to tell the systems you have in place to look for it.
If you knew what you were looking for, you wouldn't need the big fancy systems to look for it... so this gets complicated and SIRM technologies combined with some good 'ol fashioned brain power can actually rescue you from drowning.
Finding a needle in a stack of needles
The difficulty in DLP is that you're looking for patterns that range from obvious to downright 007-style sneaky. What I mean by this is that sometimes you're looking for the accidental email that sends out a boat-load of social security numbers, while other times it's a trickle of events that alone don't raise suspicion but are exfiltrating data from your organization.
There are really three main questions (what, how and when) when you're thinking about the mountains of information you have at your fingertips for the purposes of avoiding leaking data from your organization. Often, when I've seen security teams simply "dive in" to a DLP effort, it turns into an exercise of trying to find the one needle they're looking for not in a haystack, but in a haystack of needles.
Information can be our biggest asset, and our greatest adversary when we're looking at preventing data loss. On one hand you have information being generated (in the form of events) on every single piece of hardware and software in your organization. Starting at the badge readers at the front door, to the access terminals (PC, laptop, mobile device or terminal), to the software - every kind of software - there are billions upon billions of events being generated every day. This mountain of information is a fantastic asset - that is until you start to think about how you're going to process those events and figure out what they mean in real-time.
You see, with the way that business moves these days, you don't get the luxury of running a log analysis engine overnight to figure out that you've had information stolen yesterday - you need to be able to do this in real-time (or very nearly real time).
The challenge of course is that if you turn the logging knob to maximum and point it at your log aggregator (or SIRM, if you've got a copy of ArcSight [or some other SIRM platform] sitting around humming) things tend to go ka-boom quickly. So on one end you have this wealth of information and on the other those few events which, when strung together, tell you something is going wrong right now.
So here we go, let's take a look at how you can find the right needle, in that haystack of needles...
What (to log & monitor)
The simpleton answer to the what question is "everything". This doesn't scale, of course, nor does it necessarily make sense. I would tell you that it's intelligent to err on the side of caution though, and feed your intelligence platform as much as it can take. Let me offer some practical advice that has worked for me and for others I have first-hand knowledge of over the years. First, don't limit yourself to security information.
A good intelligence platform (like a SIRM) will look at everything from a badge-swipe into your data closet to the outbound access violations your firewall is generating and everything in between. Applications are a wealth of knowledge when it comes to logging. Sometimes developers restrict themselves artificially when it comes to logging "security events" so let the intelligence platform decide what's important while you feed it (nearly) everything.
Everything from successful logins to your application, to things like how long a person stays on a specific area of your application, to the database queries performed is important and can be that one key piece of information that may find the bad guys. So my main advice - don't limit yourself to 'security events' pre-defined by the application or device.
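The two detections below are an added example, not the post's code and not any SIRM product's rules. They act on the "needle in a stack of needles" point above (a trickle of uploads that individually raise no suspicion) and on the advice to feed in non-security events: badge-reader records are correlated with VPN logins. Every event, user name, host, IP address and threshold is constructed for the example.

```python
"""Two DLP detections over a constructed event stream.

Added example for the post above; not the author's code. It stands in for
what a SIRM rule set would do with badge, VPN and proxy records:
  1. low-and-slow exfiltration: a user's outbound bytes over a sliding
     window exceed a budget although no single upload crosses the
     per-event alert threshold;
  2. a successful VPN login for a user whose last badge event says they
     are inside the building (one identity in two places at once).
All events, names, hosts and thresholds are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

PER_EVENT_ALERT = 5_000_000   # a single 5 MB upload alerts on its own (assumed)
WINDOW = timedelta(hours=24)  # the budget is evaluated over this sliding window
WINDOW_BUDGET = 4_000_000     # > 4 MB out of one user in 24 h is worth a look (assumed)

# (timestamp, source, user, detail): constructed, already-normalised records
EVENTS = [
    ("2012-02-21T08:02:11", "badge", "alice", {"door": "lobby", "dir": "in"}),
    ("2012-02-21T08:05:40", "vpn",   "alice", {"src_ip": "203.0.113.7", "result": "success"}),
    ("2012-02-21T08:10:00", "badge", "dave",  {"door": "lobby", "dir": "in"}),
    ("2012-02-21T09:00:00", "proxy", "bob",   {"dst": "files.example.net", "bytes_out": 900_000}),
    ("2012-02-21T10:30:00", "proxy", "bob",   {"dst": "files.example.net", "bytes_out": 950_000}),
    ("2012-02-21T11:00:00", "proxy", "carol", {"dst": "cdn.example.org", "bytes_out": 3_000_000}),
    ("2012-02-21T12:15:00", "proxy", "bob",   {"dst": "files.example.net", "bytes_out": 980_000}),
    ("2012-02-21T14:40:00", "proxy", "bob",   {"dst": "files.example.net", "bytes_out": 870_000}),
    ("2012-02-21T16:05:00", "proxy", "bob",   {"dst": "files.example.net", "bytes_out": 920_000}),
    ("2012-02-21T17:30:00", "badge", "dave",  {"door": "lobby", "dir": "out"}),
    ("2012-02-21T19:00:00", "vpn",   "dave",  {"src_ip": "198.51.100.9", "result": "success"}),
]


def parse(events):
    """Turn the ISO timestamps into datetimes and order the stream by time."""
    parsed = [(datetime.fromisoformat(ts), src, user, d) for ts, src, user, d in events]
    return sorted(parsed, key=lambda e: e[0])


def low_and_slow(events) -> List[Tuple[str, datetime, int, int]]:
    """Return (user, time, bytes_in_window, uploads_in_window) at the first
    moment a user's windowed total crosses WINDOW_BUDGET while every upload
    in the window is individually below PER_EVENT_ALERT."""
    per_user: Dict[str, deque] = defaultdict(deque)
    alerts, flagged = [], set()
    for t, src, user, d in parse(events):
        if src != "proxy" or d.get("bytes_out", 0) >= PER_EVENT_ALERT:
            continue  # big single uploads are the simple per-event rule's job
        q = per_user[user]
        q.append((t, d["bytes_out"]))
        while q and q[0][0] < t - WINDOW:
            q.popleft()  # drop uploads that fell out of the window
        total = sum(b for _, b in q)
        if total > WINDOW_BUDGET and user not in flagged:
            flagged.add(user)
            alerts.append((user, t, total, len(q)))
    return alerts


def badge_vs_vpn(events) -> List[Tuple[str, datetime, str]]:
    """Flag a successful VPN login while the user's most recent badge event
    says they have not left the building."""
    inside: Dict[str, bool] = {}
    hits = []
    for t, src, user, d in parse(events):
        if src == "badge":
            inside[user] = d["dir"] == "in"
        elif src == "vpn" and d["result"] == "success" and inside.get(user):
            hits.append((user, t, d["src_ip"]))
    return hits


if __name__ == "__main__":
    for user, t, total, n in low_and_slow(EVENTS):
        print(f"low-and-slow: {user} sent {total} bytes in {n} uploads by {t}")
    for user, t, ip in badge_vs_vpn(EVENTS):
        print(f"badge/VPN conflict: {user} inside the building but VPN login from {ip} at {t}")
```

The point of the second rule is the one the post makes: neither the badge reader nor the VPN concentrator emits a "security event" for this on its own; the signal only exists once both feeds land in the same platform.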
How (to analyze)
The how is part of the magic that makes one platform simply more effective than another. Let's be clear: more effective actually means effective, and less effective actually means inadequate. It's crazy how often some people complain about their logging and intelligence platforms.
Analysts complain that you have to maintain and constantly tune the platform because it doesn't just run by itself, when this is actually one of the most valuable pieces of a SIRM or intelligence platform. You can't just set it and forget it, otherwise your intelligence engine is only as effective as the last tune-up you gave it... how many months ago?
The analysis is purely mechanical, and it has to be at the scale we're talking about here, but the rules and analytics must at least be shared with a human. Humans interpret events better than machines or software and are therefore required, and critical, when complex analysis is needed.
Until the Autonomy IDOL platform can effectively learn human patterns to detect malice (think Minority Report) we'll still need humans to tell the machines to connect two dots which seem unrelated. I tell you what though, those PhD's over in our Autonomy group have some serious intelligence in that platform that you have to see to believe! In the end, the key is having a well-oiled machine which can perform advanced analytics which is constantly fine-tuned by humans.
When (to respond)
Response is key. No matter how good the logging facility is on some platform you've heard of, no matter how well it shows you events relevant to your situation, the most important thing your logging facility can ever tell you is when to respond.
Knowing you were compromised by SQL injection yesterday is nice from a forensic standpoint, but it doesn't actually help you stop the intrusion. Whether it's automatic or requires human action, the only relevant question at the end of the day is: did you stop the threat?
I can name at least a dozen times over the past couple of years when, given the right information at the right time, massive data breaches could have been minor. I realize with attack vectors like SQL injection it's pretty much always "too late" to react, but wouldn't it be better to tell the SEC or your investors that one table from your database was stolen rather than your entire database?
These are very realistic response issues. Having actionable intelligence giving you the ability to stop an attack either before it starts (optimally) or as it's happening (next best thing) is the "Holy Grail" of information security teams.
Now you're reading this wondering - how you can possibly implement this type of system without buying one of those "solutions" that comes in 4 rack-mountable 2U boxes right? Odds are you've got a SIM or SIEM or maybe if you're lucky one of the more advanced SIRM platforms already in-house.
Leveraging those platforms, and building out capability is more important than probably anything else you'll do, and brings together everything else we've talked about so far. Knowing where your critical assets are, how they traverse your business platforms, and how your users use them is the key to plugging the holes in the boat before it sinks.
You can do this... just don't buy into the hype around DLP and understand it's like anything else - baby steps until you have a working system.
Good luck!
Cross-posted from Following the White Rabbit
Why The Push For EMV Adoption In The United States?
Tue, 02/21/2012 - 15:02
Have you noticed all of the press lately regarding the Europay, MasterCard and Visa (EMV) card coming out of Visa? It has been very hard to miss. As a result, I started wondering about the purpose of this full court press for EMV.
Before getting into my post, I need to be clear that EMV only refers to the chip in the EMV card. In the past I have gotten a lot of feedback from Visa when I referred to EMV as “chip and PIN” even though the world almost universally refers to EMV as “chip and PIN.”
With that disclaimer, since last August, Visa USA has been making a concerted effort to get merchants to adopt EMV. Just a week or so ago, there was another push by Visa USA to entice merchants to support EMV. So what is the driver behind this push? That is the $64,000 question and the more you talk to processors and merchants, the more confusing it gets.
Merchants are just as puzzled as I am regarding Visa USA’s EMV push. In the case of a number of large merchants I have spoken with, they do not get it as they refreshed their card terminals and POS equipment over the last three years and there is no way they are going to swap all of that new gear for EMV-capable equipment. These merchants are not even looking at contactless terminals. Such an equipment swap this soon would not be cost effective.
But merchants question what EMV would do for them. EMV was developed in response to the fall of the Iron Curtain when fraud ran rampant in Europe. Credit cards were being cloned at an obscene rate and card present fraud was huge.
When EMV was fully implemented, card present fraud in Europe went to levels close to or a little lower than in the United States and EMV card present fraud has remained around those rates since.
Given where card present fraud rates are currently in the United States, introducing EMV would have a limited effect on card present fraud and that would not be enough to offset the costs of implementing EMV or contactless terminals.
So if it is not card present fraud, it must be card not present fraud that Visa USA wants to address right? Card not present fraud, particularly on eCommerce Web sites is running almost out of control. I would like to say that this increasing fraud rate that is the reason for Visa USA’s push.
However, EMV does nothing to address the rapidly rising rates of card not present fraud. The reason is that in order for EMV to address card not present fraud, there would have to be some sort of interface written that would produce codes, single use transaction numbers or similar that could be used by the consumer online. But no such solution exists, so card not present fraud cannot be the driver either.
Back in August Visa USA announced that merchants using EMV or contactless could avoid filing a PCI Report On Compliance (ROC) with Visa USA, so that must be the reason for the push. At this year’s PCI Community Meeting in Phoenix, Arizona, PCI SSC General Manager Bob Russo made it very clear that regardless of what Visa USA was saying about filing a ROC; all merchants were still required to prove that they are in compliance with the PCI DSS.
Other card brands also reinforced this statement by reaffirming that they still required the merchant’s ROC and/or AOC as proof of compliance. As a result, merchants save themselves very little by not having to file a ROC/AOC with only Visa USA.
What about EMV being more secure? While that is typically true for small and mid-sized merchants, large merchants that switch their own credit card transactions would still likely have card data in their switch systems if not elsewhere in their computer systems. So claims by some, including at times Visa USA, that PCI compliance is easier with EMV are not totally true. Large merchants in Europe will back this up.
So after 15 years of EMV, what is Visa USA trying to prove with this push of EMV? Apparently only Visa USA can tell us because, for the rest of us, there are no business cases we can construct to justify the switch to EMV. Obviously, Visa USA knows something that the rest of us do not. Or do they? I have consistently said that without any card not present fraud solution, EMV is just a solution looking for a problem.
But wait, maybe there is something here that we have been missing. Is it possible that Google Wallet and similar current and future applications make Visa USA feel threatened? There may be some factual basis in that statement.
At the PCI Community Meeting last fall, I spoke with a number of processors that seemed to have an idea of why Visa USA was finally pushing EMV. These processors indicated that the EMV push was being driven by Visa USA to get EMV into the United States market before Google Wallet and similar applications could take the advantages of EMV away.
After all, the United States is the largest credit card transaction market in the world and if EMV was not in the United States, there is no driver to get worldwide adoption pushed.
When I quizzed these processors about the supposed “advantages” of EMV, they said that was the real problem. With the advent of smartphones and applications such as Google Wallet, EMV has no advantages. As a result, merchants and banks have no incentive to implement EMV with these new technologies just on the horizon.
When I went back and talked to a couple of key merchants, they all said that they are waiting out the technology race to see what wins from a smartphone perspective. If Google Wallet and the contactless approach win, then that is where they will head.
However, a lot of merchants are betting on one-time use transaction codes displayed as bar codes to win out, as they do not typically require any technology changes at their POS. American Express went down the one-time use transaction code route (a 15-digit number that looks like a credit card number) around five years ago, but only had limited success with it for online transactions. However, maybe the time has come for another try.
In the end, it is the consensus of merchants and processors that Visa USA has missed the window for EMV in the United States. Most organizations believe that if Visa USA wanted EMV in the United States, they should have pushed it long ago.
Cross-posted from PCI Guru
Choosing Secure Data Storage - A Difficult Dance
Tue, 02/21/2012 - 15:01
IT has come a long way in the past 15 years, and definitely has advanced into the realm of commodity service.
But there are still complexities under the hood of this commodity service. One of the most underestimated in complexity is data storage - it is taken for granted by everyone.
For example, I frequently talk to a high ranking manager in a software company and he constantly states that all that is needed is another disk.
At the end of the day, data storage is very far from simple. Every organization needs to provide storage service for its requirements.
But storage is not only capacity, and one must be careful when choosing the appropriate solution for storage.
There are three basic options at the moment:
- Cloud storage services
- Open Source based storage systems
- Commercial enterprise storage systems
We will evaluate each option against the following key parameters of a storage system:
Capacity
The first (and usually only) thing we think about when we talk about storage - and the easiest to achieve. Regardless of option for data storage, capacity is upgradeable. In open source storage systems which are based on commodity hardware, upgrades are limited to the abilities of the host server/box.
The enterprise systems are much more upgradeable, but at high cost. For a cloud storage provider, capacity upgrade is nearly infinite (at least on paper). It is wise to plan ahead and consider whether the upgrade path will support your future requirements.
Input/Output Operations per Second (IOPS)
The usually forgotten and very difficult to assess parameter, but nonetheless very important. IOPS is the number of operations the system can perform on the storage per second.
But a single number hides a lot: operations differ (sequential or random, read or write), and with RAID there is a difference between the front-end IOPS the host sees and the back-end IOPS the disks must deliver, since every logical write costs several physical operations.
Cloud storage services do not publish IOPS, Enterprise manufacturers always publish the IOPS number that is most beneficial to them and the open source solution mostly leaves the IOPS to the builder of the system. In any case the end result is, DO NOT TRUST THE NUMBERS.
There are some nice estimation calculators online, like wmarow's iops calculator, but use them only for reference. The smart solution is to test the storage service in a configuration as close to the one you wish to use, and assess whether performance is acceptable.
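As an added example (not the post's code and not any vendor's calculator), the arithmetic behind those estimation calculators: each logical write costs a RAID-level-dependent number of physical I/Os, which is what separates front-end from back-end IOPS. The per-disk IOPS figures in the table are the usual rule-of-thumb values and are assumptions for the example, not measurements; the post's advice stands, so measure the real system rather than trusting these numbers either.

```python
"""Front-end vs back-end IOPS with the RAID write penalty.

Added example for the IOPS section above; not the post's code. Per-disk
IOPS values are rule-of-thumb assumptions, not vendor measurements.
"""
import math

# Physical I/Os each logical write costs: mirrored writes for RAID 1/10,
# the parity read-modify-write for RAID 5 (two reads, two writes) and
# RAID 6 (three reads, three writes). Reads cost one I/O at every level.
RAID_WRITE_PENALTY = {"raid0": 1, "raid1": 2, "raid10": 2, "raid5": 4, "raid6": 6}

# Random-I/O IOPS per spindle. Assumptions for the example only.
DISK_IOPS = {"7.2k_sata": 75, "10k_sas": 125, "15k_sas": 175}


def backend_iops(frontend_iops: float, write_fraction: float, raid: str) -> float:
    """Application-visible IOPS -> IOPS the disks actually have to deliver."""
    if not 0.0 <= write_fraction <= 1.0:
        raise ValueError("write_fraction must be between 0 and 1")
    reads = frontend_iops * (1.0 - write_fraction)
    writes = frontend_iops * write_fraction
    return reads + writes * RAID_WRITE_PENALTY[raid]


def disks_required(frontend_iops: float, write_fraction: float,
                   raid: str, disk_type: str) -> int:
    """Spindles needed for the workload, ignoring cache. A vendor's published
    figure usually includes cache hits, which is what makes it optimistic."""
    return math.ceil(backend_iops(frontend_iops, write_fraction, raid) / DISK_IOPS[disk_type])


def frontend_capacity(n_disks: int, write_fraction: float,
                      raid: str, disk_type: str) -> float:
    """Inverse: application IOPS an array of n_disks can sustain at this mix."""
    raw = n_disks * DISK_IOPS[disk_type]
    return raw / ((1.0 - write_fraction) + write_fraction * RAID_WRITE_PENALTY[raid])


if __name__ == "__main__":
    # Same workload, three RAID levels: 1000 front-end IOPS, 30% writes.
    for raid in ("raid10", "raid5", "raid6"):
        n = disks_required(1000, 0.3, raid, "10k_sas")
        print(f"{raid:6s}: back end {backend_iops(1000, 0.3, raid):.0f} IOPS, "
              f"{n} x 10k SAS spindles")
```

Run it and the write penalty does the talking: the same 1000 IOPS at 30% writes needs 11 spindles on RAID 10, 16 on RAID 5 and 20 on RAID 6 at the assumed per-disk rate, which is why a quoted IOPS figure without the read/write mix and RAID level attached tells you very little.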
Access Bandwidth
This is not disk bandwidth, which is calculated via the IOPS. The access bandwidth is the bandwidth between the server and the storage itself. Naturally, you want this to be as high as possible. For enterprise storage systems, discussing access bandwidth is moot, since such storage is mostly connecting through Fibre Channel which has multiple links of 2, 4 or 8 Gbps.
For open source storage systems, which are mostly iSCSI based, the access bandwidth starts at 1 Gbps, minus Ethernet and TCP/IP overhead. For cloud storage services, access bandwidth is a significant factor - cloud services are accessed through WAN links, where access bandwidth is limited and may be prone to congestion. When choosing a storage system, test your application with the bandwidth you are planning on using.
Redundancy and high availability
What kinds of failures and incidents can a storage system survive? Cloud services claim that they can survive a lot - short of a cataclysmic event or a nuclear bombing - but such claims should be tested. Enterprise storage systems are designed to survive nearly any hardware issue within them, and provide the ability to replicate to other systems tens of kilometres away (naturally, at a very high price).
Open source storage systems' redundancy depends on the actual hardware redundancy of the box the customer built; they provide some technologies for replication, which vary in maturity. Always consider placing the data based on its importance to the company - can you survive without it?
Actual hardware
Storage systems are comprised of well known components - hard drives, controllers, interfaces, power supplies. For both enterprise storage systems and for cloud service the customer does not need to bother too much with the hardware - the provider constructs and combines the required hardware.
On the other hand, when preparing an open source storage, the customer usually builds the hardware which means finding appropriate hard drives, RAID controllers, redundancy in power supplies, caching mechanisms, LAN and FC interfaces.
Building a system from scratch is a great experience, but commodity devices may be prone to far more failures than purpose-built hardware. Testing is not very useful here, but think ahead about the very real risk of failure of commodity components.
Reporting
Once the storage system starts working, reporting becomes an immediate issue. The customer will want to know the load on the system, on individual hard drives and logical devices, response times, utilization trends etc.
Again, enterprise storage systems shine in this area with an excellent portfolio of reporting tools, albeit usually at exorbitant prices. Cloud storage services may provide some reporting, but not very in-depth, and the open source systems are usually weak here, since the open source project is focused on functionality, not reporting.
When choosing any storage system, always ask to look at the live reports from the service/system you are planning on using.
Support
Again, once the storage system starts working, there will be problems. And I guarantee you the problems will not be simple "either it works or it doesn't" cases. There will be all kinds of complicated and seemingly impossible combinations of issues. And this is exactly where the customer will need support.
But there is no clear-cut answer to which type of storage system has the best support. One must tread carefully here, because good support is about having trained support personnel, but also having very dedicated support personnel. By definition, enterprise storage systems have a great advantage in this area, but this advantage can easily be ruined by a support team that juggles many projects, is used as presales or is simply not dedicated to supporting a customer.
Cloud services fall in much the same category, but it can be difficult to discuss storage issues with a cloud storage service: the engineers are impossible to reach, there is insufficient data to support an issue (reports, analysis) and the cloud service provider has usually a well crafted SLA to protect themselves from most issues.
The open source systems are an issue of support in a different way - since the systems are built with software which is written by many, there are rarely any real experts to support such a system, unless you pay someone - and even then it may be a risk.
Vendor lock-in
Cloud storage services are the strongest player in this area - if the customer chooses a cloud storage system as an important part of its infrastructure, it will adjust its operation to the cloud system and create a 'symbiotic' bond, thus making migration very costly.
Enterprise systems are much easier to migrate from, since they are basically just huge hard drives. If all else fails, an operating system level copy command will provide a very crude but always successful migration. Open source storage systems have no lock-in: simple hard drives, where migration is a copy-paste operation.
Conclusions
There are multiple pros and cons across our storage systems parameters, but at first glance, the enterprise storage systems have the upper hand. Bear in mind though, such systems always come with exorbitant pricing, especially on any upgrades after the initial purchase.
Therefore, such systems may be well suited for the mission critical applications, but are too price prohibitive to be used for every and any use within a company.
The cloud services are extremely flexible in expansion capacity and redundancy (at least on paper). But quality of service and support may be lacking, as well as issues in speed of access.
So cloud based storage may only be logical if you rent the full package - server plus storage in the cloud - to guarantee an overall service level. The remaining issue is lock-in: once you start using a cloud provider, leaving it may be a challenge, since you have adjusted your operation to its service and it may be costly to shift providers.
The open source systems are an interesting project, and can provide a very cheap solution for lower-tier functions. But actively using such a system means dedicating an employee or a team of homegrown experts on the open source storage system to properly support it. Also, redundancy and high availability can become an issue in such systems.
In summary, do not choose only one storage solution: the enterprise system is well suited for business support systems, but it is huge overkill for test or proof of concept systems. Cloud storage services are a good choice for a cloud based infrastructure, but the lock-in issue requires a careful strategic approach before lock-in occurs.
So use everything, and always evaluate any solution for at least 3 months before committing to it.
Cross-posted from Information Security Short Takes
Researchers Demonstrate Cell Phone Tracking Vulnerability
Tue, 02/21/2012 - 06:07
Researchers at the University of Minnesota’s College of Science and Engineering have revealed a technique that could allow an unauthorized third-party to track the location of a cell phone using data available from cellular networks.
The vulnerability and technique for tracking was discussed in a paper titled “Location Leaks on the GSM Air Interface” presented at the 19th Annual Network & Distributed System Security Symposium.
“Cell phone towers have to track cell phone subscribers to provide service efficiently. For example, an incoming voice call requires the network to locate that device so it can allocate the appropriate resources to handle the call. Your cell phone network has to at least loosely track your phone within large regions in order to make it easy to find it,” researcher and PhD student Foo Kune said.
"The result is that the tower will broadcast a page to your phone, waiting for your phone to respond when you get a call, Foo Kune said. This communication is not unlike a CB radio. Further, it is possible for a hacker to force those messages to go out and hang up before the victim is able to hear their phone ring," a University of Minnesota press release explained.
The researchers warned that the information has the potential to be accessed by hackers or other third-parties with relatively inexpensive off the shelf hardware and know-how to access the Global System for Mobile Communications (GSM) network.
“It has a low entry barrier. Being attainable through open source projects running on commodity software,” Foo Kune said.
The researchers demonstrated the ability to track a target to within a ten-block radius in a proof of concept field test. The vulnerability represents a hazard on multiple levels, the researchers believe.
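The following simulation is an added example, not code from the paper or the press release, and it involves no radio hardware. It follows the attacker model in the text: the attacker dials the target and hangs up before the phone rings, the network still broadcasts a page, and a receiver on the paging channel in a candidate area records which identifiers get paged. How the target is picked out of the background paging traffic is this example's assumption, namely intersecting the identifiers paged shortly after each probe call. Every paging record, identifier, timestamp and the attribution window are constructed.

```python
"""Simulation of the paging-channel correlation described above.

Added example, not the researchers' code. The attacker places probe calls
and hangs up; each call makes the network page the target. A receiver in a
candidate area logs the identifiers paged. This example's assumption is that
the target's identifier is the one paged after every probe call. All records,
identifiers and times are constructed.
"""
from datetime import datetime, timedelta
from typing import List, Set, Tuple

# How long after a probe call a page is attributed to it (assumption).
WINDOW = timedelta(seconds=5)

# Constructed paging capture from one area: (time, paged identifier). The
# identifier stands in for the temporary identity the network pages; "T42"
# is the target and the rest is unrelated background paging.
PAGES: List[Tuple[datetime, str]] = [(datetime.fromisoformat(t), i) for t, i in [
    ("2012-02-21T11:59:58", "A1"),
    ("2012-02-21T12:00:01", "T42"),
    ("2012-02-21T12:00:02", "B7"),
    ("2012-02-21T12:00:03", "C3"),
    ("2012-02-21T12:04:30", "D9"),
    ("2012-02-21T12:10:01", "T42"),
    ("2012-02-21T12:10:02", "B7"),
    ("2012-02-21T12:10:04", "E5"),
    ("2012-02-21T12:15:00", "A1"),
    ("2012-02-21T12:20:02", "T42"),
    ("2012-02-21T12:20:03", "C3"),
    ("2012-02-21T12:20:04", "F8"),
    ("2012-02-21T12:21:00", "B7"),
]]

# Constructed times at which the attacker dialled the target and hung up.
PROBE_CALLS = [datetime.fromisoformat(t) for t in
               ("2012-02-21T12:00:00", "2012-02-21T12:10:00", "2012-02-21T12:20:00")]


def paged_after(pages, t: datetime, window: timedelta = WINDOW) -> Set[str]:
    """Identifiers paged in the window right after time t."""
    return {ident for pt, ident in pages if t <= pt <= t + window}


def candidate_identifiers(pages, calls, window: timedelta = WINDOW) -> Set[str]:
    """Intersect the identifiers paged after each probe call. Background
    pages rarely recur in every window, so the candidate set shrinks toward
    the target with each additional call."""
    sets = [paged_after(pages, c, window) for c in calls]
    return set.intersection(*sets) if sets else set()


def present_in_area(pages, calls, target: str, window: timedelta = WINDOW) -> bool:
    """Once the identifier is known: is it paged in this area after every
    probe call? The receiver's coverage bounds how precise the answer is."""
    return all(target in paged_after(pages, c, window) for c in calls)


if __name__ == "__main__":
    for n in range(1, len(PROBE_CALLS) + 1):
        print(f"after {n} probe call(s): {sorted(candidate_identifiers(PAGES, PROBE_CALLS[:n]))}")
    print("T42 present in this area:", present_in_area(PAGES, PROBE_CALLS, "T42"))
```

Two caveats a practitioner would add: the paged identifier is a temporary one the network can reassign, so the correlation step has to be repeated whenever it changes, and the presence test only says whether the phone is reachable through the area the receiver hears, which is what bounds the estimate to a neighbourhood rather than a street address.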
“Agents from an oppressive regime may no longer require cooperation from reluctant service providers to determine if dissidents are at a protest location. Another example could be thieves testing if a user’s cell phone is absent from a specific area and therefore deduce the risk level associated with a physical break-in of the victim’s residence,” the researchers asserted.
The research team has indicated they are in contact with several mobile service providers and are working on disclosures for customers as well as a potential mitigation effort.
Source: http://www1.umn.edu/news/news-releases/2012/UR_CONTENT_374462.html
