Tuesday, December 28, 2010

Predictions for 2011

Here are a few predictions for 2011:
  • Cybercrime will continue to grow and more Zeus-like malware will continue to flood the black market.
  • Data loss prevention systems and DDoS protection will be on everyone's mind after the Wikileaks debacle.
  • The perimeter will continue to fade as mobile devices (tablets, phones, etc.) are attached to the network. How to secure the data on these devices and the network needs to be reviewed.
  • A rise in malware-based apps for smartphones, especially on the Android platform since it's open. This is the next big risk that's just waiting to happen.
  • Cloud-based providers will be breached and we'll start seeing some of the potential dangers of blind trust in a service provider.
  • Social media will continue to be a sore spot for information security, and it will be interesting to see how companies deal with the growing need for these sites while securing data.
  • The media will pay more attention to cyber attacks.
  • Security vendors will continue to merge until we're left with three major players that do everything.
If you have any more, let me know.

Thursday, December 23, 2010

People Are The Weakest Link

In today's modern day network, companies are spending millions protecting their perimeter and keeping the bad guys at bay. They invest in firewalls, web filtering, intrusion prevention systems (IPS), SSL encryption, VPNs, spam filters, etc., to stop the malicious no-gooders from gaining access to their precious data. But what if the bad guys were already in your network? That's today's dilemma.

Targeted attacks by persistent individuals will entail days if not weeks of physical reconnaissance on the organization they're looking to infiltrate. This will include watching when employees enter the building and what their habits are around the workplace; trying to get close enough to get a picture of their company badges in order to replicate one and gain access; going through their trash at night, or "dumpster diving", attempting to find information about the company that might not be public; dressing in a stolen or replica uniform that could allow hackers to walk through the front door without being stopped; and much more. (Have you ever held the door for the FedEx delivery man while he walked up to the building holding a large box? Are you sure that was a FedEx delivery, or did you just give some hacker access to your building?)

Another area that doesn't really get looked at enough is the complete and almost blind trust that people place in their cleaning crews. Many if not most cleaning crews are hired as a third party and are normally given keys to almost every office and room in the organization. What if a janitor making minimum wage was given $1000 to put a hardware keylogger on the CEO's workstation for a week and then send it back via mail to a P.O. box? Better yet, what if he was given multiple hardware keyloggers and asked to place them on the IT staff's desktops for a day, collecting as many high-level logins as possible? For around $1,500 the hacker could have almost every admin login to the network and systems without even using a computer.

Another way that hackers gain access to an organization is through phishing and social engineering. They use these techniques to con people into giving them the information they need. This is normally done over the phone and through an e-mail campaign directed at a company, made to look like legitimate correspondence. Examples of these would be e-mails coming from someone claiming to be from IT asking you to enter your username and password into a new system as a test (this is a textbook example of a phishing e-mail, collecting the credentials that you just gave up willingly to a hacker). Or someone calling as the company's Helpdesk explaining to you that there's been an issue on the system and you need to change your password right away, oh and by the way, here's a secure password for you to use.

So as companies continue to tighten their network perimeter, the hackers are going to continue going after the low-hanging fruit: the employees. You can have a $50 million IT security budget blown away by the receptionist being tricked into giving away her password over the phone.

Now that the perimeter is relatively secured, it's time to start looking inward and securing the new target area; except here you can't buy hardware to stop the attacks. You need to educate people on how to act and what to look for, which is easier said than done.

Tuesday, December 21, 2010

How secure is "The Cloud"?

I don't trust Google at all, and whatever happened to their mantra of "Don't be evil"?! That being said, if this was some startup offering this service instead of Google, would you feel the same way?

Where does the data reside? Who has access to it? Is it backed up? If so, where do the backups reside? etc... It's not about having data off site; it's about not having the guarantee and control of the data after it's off site. I'm satisfied with the technology of having it delivered securely to where the data silos reside; it's after the data's at rest where the security issue comes into play.

This being said, some data is more confidential than other data, and some companies might benefit from this model. If you think about it, this is really nothing new; customers have been pushing their data to MSPs or hosting their data in co-locations for years.
You need to look at the confidentiality, integrity, and availability of the data to make a wise decision. Do you really know what's going on with your data at all times? Are you sure people aren't making copies of your backup tapes (confidentiality) or changing the data after it was at their site (integrity), and are you guaranteed you'll be able to get to your data when needed (availability)? Etc, etc, etc...

You also take this risk with internal employees and data, but you have the control to make adjustments and take action quicker when the data resides in-house.

I think this is all based on risk. If you can afford the risk it might be a good idea. That's the major reason customers of MSPs actually went down this road to begin with: the risk and price of doing business that way were acceptable compared to doing business without it.

So I guess it depends on the company and the data being stored, but if possible it wouldn't be my first choice. 

Wednesday, December 8, 2010

4CHAN/Wikileaks "Operation: Payback" & "Operation: Avenge Assange"

The 4CHAN (aka Internet pranksters) "Anonymous" group has taken down multiple sites in retribution for the way Wikileaks has been treated by the media and affiliated organizations. They're calling their attacks "Operation: Payback" & "Operation: Avenge Assange". The following companies and people have had their websites knocked off-line:

  • Mastercard
  • Visa
  • Paypal
  • Joe Lieberman's website
  • Sarah Palin's website
  • Julian Assange's Swedish prosecutor
  • PostFinance

These sites have been taken down by the group "Anonymous" by distributing a DDoS tool called Low Orbit Ion Cannon that allows the downloading computer to participate in a voluntary botnet aimed at these sites. In response, the "Anonymous" site has been hit with a counter DDoS attack knocking their site off-line.

A DDoS (Distributed Denial of Service) attack uses multiple machines sending network traffic to a particular service or device in order to overwhelm it with requests, hence making the service unavailable to the public.

A botnet is a group of machines running particular software under the control of the originator (aka Bot herder), who can have the machines in the botnet perform certain commands on a very large scale. The average botnet has around 20,000 computers under the control of the Bot herder.
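The defining feature of the attack described above is that the load is spread over many machines, so a per-client rate limit never fires even though the service is being overwhelmed. The following is an added example, not code from the original post or from any of the groups or tools it names: a small log analyser that buckets web-server requests into fixed windows and distinguishes a flood coming from many sources from a burst coming from one. The log lines, client addresses (documentation ranges) and thresholds are all constructed for the example.

```python
"""Spotting a distributed flood in combined-format web-server logs.

Added example, not from the original post. It parses Apache/nginx-style
combined log lines (constructed sample data below), buckets requests into
fixed time windows, and reports windows whose aggregate request count is
far above normal. For each such window it records whether any single
source would have tripped a per-client limit on its own; when none does,
the volume is coming from many clients, which is the DDoS pattern.
"""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Combined log format: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, aware datetime) for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def find_flood_windows(lines, window_seconds=10, total_limit=50, per_source_limit=20):
    """Bucket requests into fixed windows and report the ones that exceed total_limit.

    Each finding carries the window start (epoch seconds), request count,
    number of distinct sources, the busiest source's count, and a
    'distributed' flag that is True when no single source exceeds
    per_source_limit, i.e. the load is spread across many clients.
    Thresholds are illustrative assumptions, not tuned values.
    """
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of failing on them
        ip, ts = parsed
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[bucket][ip] += 1

    findings = []
    for start in sorted(buckets):
        per_ip = buckets[start]
        total = sum(per_ip.values())
        if total <= total_limit:
            continue
        busiest = max(per_ip.values())
        findings.append({
            "window_start": start,
            "requests": total,
            "sources": len(per_ip),
            "top_source_requests": busiest,
            "distributed": busiest <= per_source_limit,
        })
    return findings


def sample_log():
    """Constructed sample traffic, not real data: a quiet window, a flood
    spread over 30 clients, then a burst from one client, plus one junk line."""
    def line(ip, second):
        return (f'{ip} - - [08/Dec/2010:10:00:{second:02d} +0000] '
                f'"GET / HTTP/1.1" 200 512')

    lines = []
    # 10:00:00-10:00:09: five requests from three clients, normal browsing.
    for i, ip in enumerate(["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.1", "192.0.2.2"]):
        lines.append(line(ip, i))
    # 10:00:10-10:00:19: sixty requests from thirty clients, two each.
    for n in range(30):
        ip = f"192.0.2.{n + 1}"
        lines.append(line(ip, 10 + n % 10))
        lines.append(line(ip, 10 + (n + 5) % 10))
    # 10:00:20-10:00:29: fifty-five requests from a single client.
    for i in range(55):
        lines.append(line("198.51.100.7", 20 + i % 10))
    lines.append("this line is deliberately malformed")
    return lines


if __name__ == "__main__":
    for f in find_flood_windows(sample_log()):
        kind = "distributed flood" if f["distributed"] else "single-source burst"
        print(f"window {f['window_start']}: {f['requests']} requests from "
              f"{f['sources']} sources, busiest {f['top_source_requests']} -> {kind}")
```

Run against the constructed log, the second window (60 requests, 30 sources, none above 2) is reported as a distributed flood while the third (55 requests from one address) is reported as a single-source burst; only the second case needs upstream or ISP-side mitigation, since a per-client block handles the third.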

The DDoS method has continually been used as a successful way to attack a site without the ability to trace it back to a particular person or group. This also gives attackers a relatively easy way to knock out a web presence without fear of legal action or responsibility. It would be great to start seeing ISPs take a more proactive stance against DDoS attacks.

DDoS attacks haven't gone away and are still a constant threat from attackers. The 4CHAN group's DDoS is a great example of hacktivism, or hacking or breaking into computer systems for political or socially motivated purposes (right or wrong). This is also interesting because these attacks aren't directed towards a particular political group, but rather against private companies that are affiliated with the political group. This is an interesting way of attacking an organization: by attacking the services they use to do business.

Saturday, December 4, 2010

Wikileaks Cablegate: An Information Security Case Study

The Wikileaks Cablegate fiasco will be used as an information security case study and eye opener to everyone in the security community. Despite how you feel about the leaks one thing is for sure, the protection of data has to increase.

Here are a few topics from Cablegate that should be thoroughly reviewed and studied from an InfoSec insight:

How did 250,000 classified records make their way out of the secure DoD SIPRNet and NIPRNet networks and onto Wikileaks for public disclosure? How can the DoD go through all the work of creating a secured network and then not establish a secured data leakage protection program? According to one report there were too many users on these networks with promiscuous permissions that allowed DoD classified computers to use removable media, such as USB drives with write capability. I'm sure we'll see DLP solutions being marketed heavily by vendors within the next year, all the while using Cablegate as a major marketing push.

The website has sustained an incredible amount of DDoS attacks against its domain before and after publishing the Cablegate records. They were being hit with a steady 10Gbps of network traffic, forcing them to host their domain on Amazon's web servers. This was an interesting choice because they used the cloud to mitigate the DDoS traffic. They were then dropped shortly after by Amazon and their DNS provider, who stated that they were dropping the domain due to the amount of traffic that was destined to it. They supposedly dropped the domain because it was causing outages for other clients that were utilizing their services.

The real reason is most likely pressure from United States Senators lobbying to have this site removed, and they were successful in doing just that. Having nowhere to go, they brought up the site which is a Swiss domain that is being hosted out of Sweden. I find this particularly interesting in two ways: (1) Both of these countries are neutral and are in the mindset to "stay out" of other countries' affairs, giving Wikileaks more of a chance to stay on-line by having these countries fight their political battles. (2) Now that they aren't affiliated with any American company, it's going to be harder for the United States to pursue legal action against them. It seems that America might have accidentally protected Wikileaks by forcing it out of its jurisdiction.

Only time will tell.

Tuesday, November 30, 2010

How Much Do You Think Your Identity Is Worth??

Let's start off by thinking about how much we assume our identity is worth in dollars. Think about it for a minute.

Okay, now that everybody has their assumed "identity worth" in their head, let me show you how much you're actually worth on the black market.
  1. The average stolen credit card with corresponding security code goes for about $1.
  2. Freshly stolen credit cards go for about $2.
  3. If you specify which bank you want the credit card from, it's about $4.
  4. Searches for the mother's maiden name of a potential victim cost around $10.
  5. Lookups for a Social Security number are around $4.
Each one of these can be purchased on multiple underground websites dedicated to selling your compromised identity at a very low cost. If we think about this strictly from a supply and demand mindset, the volume of stolen information is incredible.

Good luck!!

Sunday, November 28, 2010

Department of Homeland Security is Seizing Domain Names (ICE)

Immigration and Customs Enforcement (ICE), one of the legs of the Department of Homeland Security, has seized over 70 domain names in the past few days. Right now they're looking for sites that sell illegal goods, copyrighted music, etc., and are replacing the site with the image on your left.

I actually don't have a problem with the government stepping in and seizing these domains IF the site was actually serving illegal content. I do feel slightly uncomfortable about the owners not being contacted before their domain names were seized. I also believe that the owners of these domains have the right to defend themselves and their actions in a court of law. Or, in most cases, they'll probably disappear and create a new site.

If these sites were selling or performing illegal actions that were against the law, I'm proud of the DHS for taking a step towards cleaning up the internet. I don't think it's going to be very successful since they'll just switch domain names, but it's the thought that counts, right?

Now when ICE starts taking down sites that they deem "inappropriate", we have an issue. It's always a fine line giving the government any type of power. They normally end up abusing it.

Let's see if ICE can show some self-restraint, because we all know its little brother the TSA obviously cannot.

Saturday, November 27, 2010

Hackers Take Advantage of the Holiday Season

As the Christmas season is now officially upon us, hackers are poised to take advantage of our good cheer and generosity. Unbeknownst to the average consumer, hackers are using SEO (Search Engine Optimization) in order to have their malicious sites pushed towards the top of search engine results.

The hackers have sites created with search terms like "Cyber Monday", "Black Friday", "Walmart Sales", etc. in order to have their polluted sites brought up when consumers are searching for deals on the Internet.

These sites will normally attempt to install malware through vulnerabilities in the unsuspecting victim's browser. The type of malware being installed could be anything, but it's always financially motivated. This could be anything from fake antivirus to trojan-based code stealing credentials. Either way it's bad news.

So if you're shopping on the Internet this holiday season, stick to the sites you know are secure and valid. Don't go poking around for deals on the Internet this season, because if it's too good to be true, it most likely is.

Friday, November 26, 2010

Network card based rootkits (The Rootkit Game Changer)

Guillaume Delugré, a security engineer for a French security firm, has been able to create a working hardware-based rootkit within the firmware of a NIC using only publicly available documentation on the internet.

Read the article here:

This will give "The Bad Guys" an entry way onto a device that doesn't have code living on the operating system itself. This completely renders any anti-malware/rootkit software utterly useless, since this software only looks at the operating system itself. You can format the machine as much as you like, but this rootkit's here to stay.

Speaking with a well known Information Security expert 2 weeks ago on this very subject he seemed very unconcerned with the possibility that hardware based rootkits would become a threat in the near future. I wonder if he's changed his mind after seeing this news.

Since the majority of all hardware is made overseas in countries like Taiwan, what's to stop someone or some organization from implanting code into this hardware that will essentially give them complete control over the hardware they sell?

Albeit it's probably not good for business if this was to be found out (Google "SONY Rootkit"), but what about a rogue group working within one of these companies? We've already seen digital signatures stolen out of Taiwan to be used in Stuxnet.

This is not out of the realm of possibility.

TSA (The Squeezing Administration)

For all of us that will be traveling during the holiday season, be prepared to get more than you bargained for!!

The TSA is taking more than just your privacy from you; they're taking away your rights. When a TSA agent can't tell the difference between a shy 3 year old and a terrorist, America has a fundamental problem and needs to get back to basics. How are you supposed to tell your kids that strangers aren't allowed to touch them unless they're wearing a shiny TSA badge? It's warped.

For the TSA employee saying that we "gave up our rights when we bought an airline ticket": we never gave them up, they were taken from us by force and now they're being abused.

This, in the words of Bruce Schneier, is only accomplishing one thing: "Security Theater". This is a knee-jerk reaction that's only trying to intimidate people into compliance at the expense of our personal freedoms.

What's next? Freedom-Pats for trains, buses, taxi cabs, and car pools?

Thursday, November 25, 2010

Stuxnet a Wake-Up Call

With all the hullabaloo created by Stuxnet and the Iranian centrifuges in recent weeks, it's hard not to think about possible doomsday scenarios. According to one inside report, the Stuxnet worm has caused the following damage to the Iranian centrifuges, causing them to shut down until further notice. (This is all hearsay):

The worm "specifically controls frequency converter drives" that normally run between 807 Hertz and 1210 Hertz, researcher Eric Chien of the computer security company Symantec said in an e-mail to the AP. "These are subsequently changed to run at 1410Hz, then 2Hz, and then 1064Hz."

Iran nuclear expert David Albright said it was impossible to say what would cause a disruption strong enough to idle the centrifuges but "Stuxnet would do just that. It would send (centrifuge) speeds up and then suddenly drop them," said Albright of the Washington-based Institute for Science and International Security, which has tracked Iran for signs of covert proliferation.

Albright and a colleague, Andrea Stricker, last week released a study applying Chien's finding to centrifuges. He said the worm appeared capable of pushing centrifuge speeds above their normal speeds, up to 1,410 Hertz, or cycles per second, and then suddenly dropping speeds to 2 cycles per second, disrupting their operations and destroying some in the process.

Read the entire article here:

So if this is true, the designers of the worm seem to have created it in a way that it would only disrupt and destroy the equipment capable of bringing Iran into the "Nuclear Club". With all the focus on the who and the why of Stuxnet, we're not looking into the future at what I'm calling "Stuxnet's Revenge".
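The numbers quoted above suggest the kind of check that protects critical infrastructure regardless of who wrote the malware: an independent monitor that knows the process envelope and flags any commanded drive frequency outside it, or any change too abrupt to be legitimate. The following is an added example, not part of the original post and not Stuxnet, Symantec or Siemens code. The 807 Hz to 1210 Hz band and the 1410 Hz, 2 Hz, 1064 Hz sequence come from the article quoted above; the step limit (MAX_STEP_HZ) and the "normal ramp" command stream are assumptions constructed for the example.

```python
"""Plausibility guard for a frequency-converter setpoint stream.

Added example, not from the original post. The quoted report says the
centrifuge drives normally run between 807 Hz and 1210 Hz and that the
worm commanded 1410 Hz, then 2 Hz, then 1064 Hz. A monitor that sits
outside the controller and checks every commanded setpoint against the
known operating band and a maximum rate of change flags that sequence
even though the controller itself reports nothing wrong.
"""
from dataclasses import dataclass

BAND_LOW_HZ = 807.0    # lower edge of the normal band in the quoted report
BAND_HIGH_HZ = 1210.0  # upper edge of the normal band in the quoted report
MAX_STEP_HZ = 50.0     # assumed largest legitimate change between commands


@dataclass
class Alert:
    index: int          # position of the offending command in the stream
    setpoint_hz: float  # the commanded frequency that raised the alert
    reason: str         # human-readable explanation


def check_setpoints(setpoints, band=(BAND_LOW_HZ, BAND_HIGH_HZ), max_step=MAX_STEP_HZ):
    """Return one Alert per violation: a setpoint outside the band, and/or a
    jump from the previous setpoint larger than max_step. A single command
    can raise both alerts."""
    low, high = band
    alerts = []
    prev = None
    for i, hz in enumerate(setpoints):
        if hz < low:
            alerts.append(Alert(i, hz, f"below band ({low:.0f} Hz)"))
        elif hz > high:
            alerts.append(Alert(i, hz, f"above band ({high:.0f} Hz)"))
        if prev is not None and abs(hz - prev) > max_step:
            alerts.append(Alert(i, hz, f"step of {abs(hz - prev):.0f} Hz exceeds {max_step:.0f} Hz"))
        prev = hz
    return alerts


def stream_is_sane(setpoints):
    """True when no setpoint in the stream violates the band or step limits."""
    return not check_setpoints(setpoints)


# Constructed command streams (assumptions, not recorded plant data): a slow
# ramp inside the band, and the same ramp followed by the sequence the
# article attributes to the worm.
NORMAL_RAMP = [1000.0, 1020.0, 1040.0, 1060.0, 1064.0]
ATTACK_SEQUENCE = NORMAL_RAMP + [1410.0, 2.0, 1064.0]


if __name__ == "__main__":
    print("normal ramp sane:", stream_is_sane(NORMAL_RAMP))
    for a in check_setpoints(ATTACK_SEQUENCE):
        print(f"command #{a.index} = {a.setpoint_hz:.0f} Hz: {a.reason}")
```

The last command in the attack sequence, 1064 Hz, is inside the band and would pass a band check alone; it is caught only by the rate-of-change rule, because the drive was at 2 Hz one command earlier. That is why the guard needs both checks, and why it has to run on a path the controller cannot silence.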

What if the designers didn't want to just stop the machinery from working? What if they wanted mass casualty of life? With global terror roaring through the world, I see this as only a matter of time. When will we wake up and start protecting our critical infrastructure? We can't wait for a "Cyber 9/11" before we start taking action. At that point it's just too late.