Sunday, October 19, 2008

USA Today: Hackers got into 18 computer servers at World Bank

Did you see the USA Today article on the World Bank intrusions?

Cyberintruders used the Internet to crack into at least 18 computer servers at the World Bank Group last July.

One bank memo lists the breached servers and makes this assessment: "As of 9/9/08 we have determined that 5 of the compromised servers contain sensitive data, and care must be taken to determine the amount of information that may have been transmitted outside of the World Bank Group."

Wow, sounds like old school system penetrations. And here we thought all the hacking nowadays was through browser and email exploits.

Banks, indeed, are not the only targets. Corporate intrusions in general are on the rise, says Phil Neray, vice president at database security firm Guardium. Cybercrooks seek out PCs used by privileged insiders so they can access sensitive databases and other PCs. "Many organizations don't have any real-time monitoring or alerting mechanisms in place to identify unauthorized activities," Neray says.

Hopefully the state of information security in private industry is a lot better these days but somehow I doubt it. The risk needs to be palpable enough for CEOs to give a crap. As for real-time monitoring, that should really be the last line of defense: the detective control that catches whatever the preventive controls miss.

To me this type of article underscores the need to look at security in breadth across the enterprise as well as in depth. It's like securing a house. You don't put an iron door on a tin shed. Hackers are looking for the one way in. So make all the ways in a little bit harder.

Friday, September 05, 2008

Infosec Fortune Cookie Friday

Mitigating a risk with a stringent security control can create its own risk: that of business interruption.

Thursday, September 04, 2008

Replacing Passwords

NY Times has an article on authentication without using passwords.

The solution urged by the experts is to abandon passwords — and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties’ authenticity, using digital keys that we, as users, have no need to see.
As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code.
“Users on shared systems can easily set up a simple PIN code to protect any card from use by other users,” Mr. Cameron said.
While I don't deny that passwords have their problems, I want to think this solution over a little. Meanwhile, if anyone out there is awake, I'm curious to hear your thoughts.

Friday, August 08, 2008


All I can say to this is, 'bout time:

IT directors will play a dramatically reduced role in working with security professionals, says the Information Security Forum, which has issued a report that outlines how businesses' view of security is evolving. Chief risk officers, chief security officers and chief operation officers will be more involved in security strategy, according to the ISF. The change is fueled by Enterprise Risk Management and companies' increasing vision of merging physical security with information security, reports the ISF. Network World (07/31)
The downside of the above is that information security requires highly technical solutions and so either security talent has to migrate and disperse into IT organizations (not a bad thing) or strong ties between infosec talent and IT have to remain, or perhaps both. Otherwise infosec becomes all high level strategy with extremely poor execution. The Network World article goes on to say:
fewer than 3 out of 10 information security professionals believe they are focused on delivering solutions to the business.
When you hear people talking about information security enabling the business, this is what they are talking about. The goal isn't simply to prevent or reduce risk. It's to enable the business to move forward with opportunities but with a tolerable level of risk. To do that you have to come up with creative solutions-- finding ways to say yes instead of no.
Davies points out that there is currently a large increase in information security professionals reporting to chief risk officers (CRO), chief security officers (CSO) and chief operation officers.
Infosec stepping away from IT makes it more difficult to build trust and alliances at the worker level which is crucial in building a security culture where IT personnel help the security group rather than avoiding them. Appointing infosec point of contact within various IT organizations can help.

The upside of this move outside of IT is that the struggle between the sometimes opposing goals of IT and Infosec can happen at a higher management level, where it often belongs. Infosec can gain a bit more authority, to be wielded very carefully, of course. This arrangement also gives the proper business focus to security groups and provides better visibility of security issues to upper management.

Friday, August 01, 2008


So, how about that DNS vulnerability, huh?

Brings back memories of the days gone by when vulnerabilities and attacks regularly threatened the entire internet rather than being as targeted as they are now. Well, I guess this time there's a pretty ubiquitous hole that can be used for targeted attacks until folks patch. If they haven't they're nuts.

Meanwhile... Dan K suggests using OpenDNS since they were fixed before many ISPs. Having one place provide DNS to a lot of people kind of paints a giant target on their backs, but then again that's no different than any major ISP's DNS servers. OpenDNS beat a lot of ISPs to the punch in patching, so maybe that is an indication of the kind of shop they run. Plus they offer content filtering, typo fixing, and phishing protection features. Nice.

But, you probably knew all that, right?

So why didn't you tell me? :)

Infosec Fortune Cookie Friday

It is written: One who swings the great bat of authority cannot spare a helping hand.

Friday, July 11, 2008

Infosec Fortune Cookie Friday

It is written, one who only says "no" with arms folded and lips pursed builds only adversaries, not security. And should be slapped. Hard.

One who seeks a way to say "yes" shall find many allies to help him along the long and twisting road to a secure organization... unless the CEO drives him nuts first...

One who says "no" should not merely explain why afterwards, but beforehand, too...

One who writes fortune cookie sayings about security really needs a vacation...

Tuesday, June 10, 2008

Missing Backup Tapes

C|Net News article: Bank of New York Mellon says customer data exposed

The Bank of New York Mellon says sensitive data of more than 4 million people owning shares in public companies was exposed after a box of back-up data storage tapes went missing in February. The data included names, addresses, and Social Security numbers.
Where the hell do these tapes go, anyway? When I read these tapes-gone-missing articles I always picture armed robbers running the tape truck off the road, à la some kind of armored car heist. But no, they just go missing; they're not proven to be stolen. It must be the work of Chinese hackers taking a break from planting rogue trees to disable the nation's power infrastructure.

I've been out of the loop on backups for awhile. Does backup software make it easy (if not the default) to encrypt data? If not, it's definitely time.

Friday, May 30, 2008

Hacker Safe

Does McAfee's Hacker Safe badge (aka ScanAlert) really suggest a consumer is safer shopping at a site displaying this badge? By now you've probably heard the answer is no.

Russ McRee's blog post and video show that "Hacker Safe" should not be taken too literally: the websites displaying this badge are not necessarily safe from hacking. Many are explicitly vulnerable.

Rather than adding to the emotion and arm waving, I thought it might be helpful to look at a couple of specific points.

Assuming "Hacker Safe" is intending to suggest the site is safe from hackers; nevertheless, security professionals know, as should the general public, that perfect security and perfect safety are not possible in an imperfect world populated with error prone people.

Scanning a site and finding no known vulnerabilities has never meant the site was safe, and it never really showed a completely accurate view of risk. Although five or ten years ago this type of scan offered more assurance than it does today. Why? The growth of criminal hacking activity, 0-day attacks, targeted attacks, and the increase in browser- and malware-based attacks means the other attack vectors and unknown attacks are more likely to be used now than they used to be.

So what gives an accurate picture, other certifications like TRUSTe? Maybe. Any certification, whether of a website's security, a security professional's skills and experience, or a Jeep's off-road capability, is a shortcut to highly detailed, long term, careful, knowledgeable evaluation of real world performance. Certifications are, in a sense, a mechanism for transferring trust (or, call it confidence) in the subject under scrutiny from the certifier to the individual evaluating the subject. If the individual trusts (has confidence in) the certification, then they can transfer their trust (confidence) to the certified subject.

The key question is how much trust you have in the certification. The hacker doesn't care if you're certified, she just finds a vulnerability and uses it. A person can have an alphabet soup after their name but what matters is whether they can do a good job as a security pro. The rocks that you hang up your Jeep on probably knocked the Trail Rated badge off already.

But if the certification is objective, considers enough factors, and tests thoroughly enough, then the certification more closely approaches a measure of real world performance without taking the time necessary for each person to evaluate the subject in depth. All we have to do is evaluate the evaluation.

Some type of certification is usually better than nothing at all, but in the case of "Hacker Safe" it appears to be more focused on marketing than on a useful, objective evaluation. Combined with the name of the program itself, trust in this certification probably should be fairly low. Perhaps McAfee will improve on ScanAlert's version by looking for XSS and denying use of the banner to sites that don't pass the tests.

Meanwhile we continue to rely on personal methods for risk mitigation: watching our bank and credit card statements, checking credit ratings periodically, etc.

Saturday, May 24, 2008

Targeting Restaurants

Just in case we forgot that modern computer criminals are intelligent, motivated human beings, likely to select whatever target works best to meet their goals, here's an article on several who decided to put the crosshairs on Dave & Busters restaurants for financial info and came away with thousands of credit cards. As internet crime becomes more of a widespread daily threat to the average Joe, I guess we all need to get better at personal risk mitigation.

Wednesday, May 21, 2008

You Know about KnujOn?

Who loves spam? Anyone? Well, some boneheads out there actually send money to attempt to buy stuff listed in spam. Grr. The rest of us hate it and want it gone.

There's a guy out there who decided to fight back and formed KnujOn (spell it backwards). Anyway, he's been really successful in shutting down sites and turns out most of the spam is concentrated among a small number of registrars, some in China and one, Dynamic Dolphin, not far from my home here in Colorado if one is to believe the address information.

Here's his article on the top 10 worst offenders. Want to help? Have a look at his website and start reporting your spam to him per the directions.

Thursday, May 01, 2008

The Insider Threat

How many times have you heard it? Insider threat makes up 75% of cyber attacks. Or, is it 80% ? Or 85%?

Enough already! I can't take it any more!

I first heard this 10 years ago as a fledgling infosec geek from a company called Trident Data Systems who quoted a government study pegging the number at 80%. Since then I've heard this type of statistic quoted at anywhere from 50% to 90%. Studies and surveys seem to post lower, but similarly diverse, numbers.

So, I'm getting a wee bit weary of hearing people quoting this apocryphal statistic, passing it around. So much so that now I have to coin a new term: "urban statistic."

...On the other hand, being able to play the FUD card at any time is kind of handy. Why analyze threats and risk and apply appropriate controls? That's too hard. It's so much more fun to just scare people. F-U-D -- that spells "security"!

And besides, everyone knows 90% of all statistics can be made to say anything....

50% of the time.

Friday, April 18, 2008

Google Street View Becomes Driveway

This article on SecurityProNews describes a situation where a Google Street View camera car enters and films someone's driveway.

When The Smoking Gun tipped off Janet McKee as to Google's impromptu visit, she said it was "a little bit creepy to think of someone filming our home without me knowing about it."
The Google camera car left public property (prohibited by Google) and drove up the couple's winding driveway. The reaction would have probably been different had the images not found themselves at the fingertips of billions.

This is dumb, but I admit it does creep me out a little bit that my own house is viewable by the planet. But why? Instead of people having to physically be present to ogle my abode -- so I can see them by peeking out the window -- they can anonymously view it at any time, entirely unknown to me.

Whereas I rely on the obscurity afforded by the physical world's limitations, when those limitations go away, what is the impact to my privacy, confidentiality?

Should I throw a tarp over the Jeep lest someone stumble across my street view and find themselves a cheap source for parts?

Should I worry that criminals now have an easier time casing my house?

For now, the world's internet users still have to click their way to our houses. But as more information comes online about each of us, we'll have to rethink some basic assumptions about our security and privacy.

Tuesday, April 15, 2008

Targeting Oddball Platforms

Another article on targeted attacks. Larry Seltzer makes an interesting point towards the end of the article about the use of oddball operating systems and applications.

Some experts might recommend that you use alternative platforms like the Mac or OpenOffice, but these really don't help at all with targeted attacks. If someone's rolling out a new vulnerability for a targeted attack, it's just as easy for them to do it on OpenOffice and the Mac, which have numerous vulnerabilities, as for Windows. In fact, it's easier and cheaper for them to do it on the alternatives, where the price for a new, unpatched vulnerability is probably much cheaper than for Windows.

I'd think oddball platforms probably help with mass attacks. Those attacks are more likely to target Windows and more likely to be a bigger issue for home users. So, switching over to an alternative platform could make more sense for the home user; the cost/benefit analysis probably looks different than it would to an enterprise.

Wednesday, April 02, 2008

Advance Auto Parts Store Data Breach

From The Register:

Advance Auto Parts, the US motoring parts retailer, is the latest firm to give up customer credit card data to hackers.

The bad guys gleaned financial information on up to 56,000 customers, through an attack affecting 14 stores nationwide...

The Advance Auto Parts website provides more information. So this only affects a handful of stores. Interesting. Methods and perps unknown.

I'm a big fan of companies being held accountable to standards of due care in the form of PCI standards and legal obligations. Significant penalties encourage companies to do the right thing.

Having worked at companies whose execs and upper management didn't give a rip about data security, due care, or anything that didn't involve raking in money, and having heard from more than a few infosec peers that this is the rule, not the exception, the only way my data and yours is going to stay protected is through penalties.

Penalties that significantly affect the bottom line --- or better, penalties that personally affect CEOs: in the form of wearing orange jumpsuits. The only reason SOX got any traction in companies is the threat of jail time for management. HIPAA has been largely ignored by a surprising number of healthcare companies. Bigger fines and jail time for execs would fix that fast.

And remember, we wouldn't even be hearing about these breaches in the first place if it weren't for California's SB1386 and all the copycat state laws that states created thereafter. The effect of these laws should be obvious to anyone following infosec news before and after 2003. Companies were hardly voluntarily disclosing data breaches --- until they were required to by law.

Even then, I'll bet cash money there are still companies ignoring this requirement. I've already posted about delayed notifications. Penalties and laws don't fix everyone and everything, but they do help to counter temptation and encourage honesty.

Tuesday, April 01, 2008

Radio Tracking for Backup Tapes

Fujifilm bugs backup tapes with LoJack device

Looks like it runs $150/mo to track your tapes and reduce the likelihood of tapes going missing as has happened to quite a number of organizations over the last few years.

Is this really the best solution? How often do tapes go missing and how much damage does it cause? What level of risk mitigation does this technology afford? How does encryption of the data on the tapes compare in cost? Those are the questions I'd be asking myself if I were in a position of managing this risk.

I think I'd rather know my lost tapes were unreadable than to possibly know where my readable lost tapes were. Y'know?

I say "possibly" because I am guessing the lojack thingy is probably not 100% tamper resistant.


Friday, March 28, 2008

Laptop theft exposes patients' medical data

Laptop theft exposes patients' medical data (C|Net News)

The computer was stolen in February ... but officials did not notify the patients of the theft until Thursday, saying they didn't want to spread unnecessary alarm, according to The Washington Post.
Pure infosec brilliance.

Targeted Malware Used in Hannaford Credit Card Heist

Targeted Malware Used in Hannaford Credit Card Heist (eWeek)

Saturday, March 15, 2008

CanSecWest hacking contest here. OS X Leopard vs. Vista vs. Linux. Entertaining, but I hope no one actually thinks the results will be conclusive. You certainly wouldn't make risk based decisions on the results... would you?
These days, with true 0-days becoming more and more commonplace, even though your risk may be lowered a bit by using an OS that seems to have fewer vulnerabilities discovered per year, it's still not worth comparing until the reliability factor goes way, way up. Until that number reaches one remotely exploitable vulnerability every 5 or 10 years (like OpenBSD, say?), you still need to "worry" and stack up your defense in depth security controls.

We're still at a point in OS software reliability where it's like comparing a 70's Italian roadster to a 70's British roadster. One may drive an extra day or two longer before breaking down but who cares? They both spend more time in the shop than on the road.

Saturday, February 16, 2008

Espionage and China

This article by the Washington Post makes an interesting read regarding the threat of economic espionage from China and Chinese nationals.

I wonder how much current concern about this topic is grounded in reality versus hysteria. It'd be worth finding out how many cases of corporate espionage involve countries other than China, and how many are perpetrated by U.S. citizens or by non-Chinese foreign nationals. Maybe it seems like there's an epidemic of Chinese espionage simply because those are the stories that sell best.

Thursday, February 14, 2008

Infrastructure Attacks

I'm not big on arm waving, notions of cyber terrorism, or blowing things out of proportion. Still, this PC World article is kind of interesting. It reports on internet-based infrastructure attacks on cities in an undisclosed location (outside the U.S.). While the reality of these specific attacks is news, the possibility of such attacks is surely no huge surprise to anyone in IT security.

As long as one doesn't jump to conclusions or fall into the trap of overestimating the risk because of its recency or other factors, such a report is a good reminder that infosec professionals need to methodically analyze and address a wide array of threats and risks. Of course, not all infosec pros have to deal with this sort of issue.

Another reminder is the (count them) five undersea cable cuts in the Middle East. Whether from anchors, sharks, terrorists, intelligence agencies, or just normal failures that the media hypes into a story ("Cable cuts happen on average once every three days"), there are lots of risks that maybe we don't think about, and occasionally the unlikely does occur. Thinking carefully about such rarities, we may choose to accept the risk even if our ill adapted brains scream that we need to prepare immediately right after reading the news article.

Back to the infrastructure attacks. The motivation in this instance was extortion. When doing risk analysis at different levels (individual facility, city, county, state, country) I could see that motivation would change the nature of the threat and risk. I wouldn't expect extortion to be extremely widespread, or coordinated geographically or in time. The impact of such an attack might be more limited. If instead the motivation of the threat source was some sort of military action, terrorist action, etc., that would change matters, and the scope of impact would be greater if the attack were successful.

Let's hope the infrastructure security folks are on top of this. It makes me a little nervous to read "The U.S. is taking steps to lock down the computers that manage its power systems, however." Shouldn't we have already done that years ago?

Thursday, January 24, 2008

Article in The Register:

A security researcher says he has observed criminals using a new form of attack that causes victims to visit spoofed banking pages by secretly making changes to their high-speed home routers.

Talk about a targeted attack... Thing is, broadband users don't all have the same router, so that lowers the usefulness of this attack for the big money criminal operations, I would think, even if the attack can be carried out over the internet versus from a car across the street. Homogeneity in the digital gene pool does pay off for attackers, I think.

Seems this would be more on the level of neighborhood crime. Perhaps in the future when people are more tech savvy overall, this type of crime will make stealing radios and CDs out of cars obsolete. Meanwhile I suppose this attack could be interesting if the target of the attack is, let's say, a financial planner...

While the likelihood is probably on the low side, impact is high. But really, who cares? Changing your router password is not that tough. A near zero risk mitigation cost is a no-brainer no matter what the risk.

Although it's One More Thing that the average home user has to fix. Wouldn't it be neat if manufacturers could set the router password to be unique per box, or at least chosen from a reasonably sized set? DIP switches? Programmed Logic Array? A batch of different EEPROMs? If they can print unique serial numbers, can't they give routers unique passwords?
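One way to notice the router tampering described in the article, as an added example that is not part of the original post or the article: a hijacked router hands out attacker-controlled DNS servers, so comparing the resolvers a host actually received against the ones the router and ISP are expected to hand out flags the change. The allowlist and the dhclient-style lease text below are constructed for illustration; real addresses and ISP resolver ranges would differ.

```python
"""Added example (not from the original post): flag DNS servers handed out by a
possibly tampered home router. The expected list and the lease text are constructed."""

import ipaddress
import re

# Assumed allowlist: the router's own LAN address (it usually proxies DNS for the
# LAN) and a block standing in for the ISP's resolvers. Adjust for your network.
EXPECTED_DNS = ["192.168.1.1", "203.0.113.0/24"]

# Constructed lease file in dhclient's format. The first lease is what a healthy
# router hands out; the second shows an off-net resolver a tampered router pushed
# alongside the expected one, which is what the spoofed-bank-page attack needs.
SAMPLE_LEASE = """lease {
  interface "eth0";
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1, 203.0.113.53;
}
lease {
  interface "eth0";
  option routers 192.168.1.1;
  option domain-name-servers 198.51.100.7, 203.0.113.53;
}
"""


def parse_dns_servers(lease_text):
    """Collect every domain-name-servers entry from a dhclient lease file."""
    servers = []
    for match in re.finditer(r"option domain-name-servers ([^;]+);", lease_text):
        servers.extend(s.strip() for s in match.group(1).split(","))
    return servers


def unexpected_dns(servers, expected=EXPECTED_DNS):
    """Return the servers that fall outside the expected addresses/networks.

    Unparseable entries are flagged too: a resolver that is not an IP address
    at all is at least as suspicious as an off-net one."""
    allowed = [ipaddress.ip_network(e, strict=False) for e in expected]
    flagged = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)
            continue
        if not any(addr in net for net in allowed):
            flagged.append(server)
    return flagged


if __name__ == "__main__":
    suspicious = unexpected_dns(parse_dns_servers(SAMPLE_LEASE))
    print("unexpected DNS servers:", suspicious or "none")
```

On a real host you would feed the current lease file (or the router's own status page) into `parse_dns_servers` and raise an alert when `unexpected_dns` returns anything. The check is only as good as the allowlist, so it catches a changed resolver but not a compromised one inside the allowed range.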

Tuesday, January 22, 2008

Backwaters Internet

My parents are still on dialup. It's like some kind of backwater, third world, armpit of the internet ruled by evil war lords. You're standing buck naked in the middle of a town square during a firefight between warring factions and if you want body armor or a helmet, you have to mail order it from China.

I was trying to get Mom's computer updated. Symantec A-V hadn't been updated since December. Mostly it went ok on a 56k modem. Until it bombed. It couldn't install the latest LiveUpdate software. So I went to a free internet hotspot and even that took me 2 hours to work through. I can't see a home user being this patient. And we wonder why there are bot networks?

This is to say nothing of the giant patches that have to be installed every month (assuming auto update is enabled). And then there's 3rd party patches. Good luck with that. This constant deluge of patching and signature updates and software updates is maddening. Microsoft seems to be getting it together when comparing patch volumes for Win2k, XP, 2003, and Vista (so far).

Even so, most systems are just too hard to keep secure. They require constant attention and vigilance, tinkering, and time. It's almost as tough as trying to keep my Jeep running...

Sunday, January 13, 2008

When do we fix the problem?

So, with the increase in internet crime we seem to keep hearing about over, and over, and over again in security news publications, the attackers have really ramped up their sophistication. The information security game has radically changed and it sounds like the good guys are losing. This article in PC World talks about new malware techniques for evading detection.

The bad guys are testing their code against anti-virus engines to ensure they aren't detectable. This technique is mentioned along with numerous other depressing techniques used by the cybercrime underground in this report by Peter Gutmann.

For years we've been patching to address shoddy programming, installing anti-virus updates and then anti-spyware, we've used firewalls to hide gobs of insecure servers, and so on. Not that any of this works all that well for the average user (or we wouldn't have so many botnet members falling in home user IP space). It burns up a lot of time in the corporate world.

I don't think we can keep ignoring the underlying, fundamental problems in computer security for much longer. We need something for the disease not the symptoms. At some point the pain will get large enough to pass it on to the software vendors. Perhaps there will actually come a time that users would rather be secure than get the next greatest feature. Or am I being too optimistic again?

Saturday, January 12, 2008

Helpdesk Social Engineering

This article discusses attacks on Xbox Live accounts. The key point is that of social engineering of helpdesk/support employees. Call up the helpdesk of the target, pretend to be the account owner, request password reset, et voila.

Same thing in IT security of course. Fundamentally it's an authentication issue. Or lack of one. You want to use a something-you-have, or more commonly, a something-you-know (and-others-don't) aka a secret.

I've set an optional password on bank accounts where they ask it before they can make any changes over the phone or even in person. Simple. Effective. We've all run into the common "please verify your mailing address for me" verification, usually following entry of an account number. If attackers know your name there's that little detail of online white pages to get them the info. In a previous incarnation, the company I worked for would verify you by your SecurID using a website. That's solid. But kind of a pain.

Once again it's a balance. Don't forget when looking at the risk of social engineering that there is also the risk of time lost to a cumbersome password reset process. You want optimal security, not ultimate security.

If your company's helpdesk isn't doing some reasonable authentication before doing password resets, then it's probably about time to work with 'em to develop a new, simple process. With a priority based on risk analysis, obviously... but with this being an easy, common attack, I bet the risk ranks fairly high on the list.

You do have a risk list, don't you?
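The "something you know that others don't" gate described above, as an added example that is not part of the original post: the caller must present a pre-registered reset passphrase before the helpdesk issues a temporary password, with a lockout so the passphrase can't be guessed over repeated calls. The storage layout, the attempt limit and the PBKDF2 parameters are assumptions for illustration, not a description of any particular helpdesk system.

```python
"""Added example (not from the original post): a password-reset gate that requires
a pre-enrolled reset passphrase. Storage and limits are assumed for illustration."""

import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3       # assumed lockout threshold before a human has to intervene
ITERATIONS = 100_000   # assumed PBKDF2 work factor


def _hash_passphrase(passphrase, salt):
    """Salted PBKDF2 so a leaked record doesn't hand out everyone's reset secret."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS)


class ResetDesk:
    """In-memory stand-in for the helpdesk's record store."""

    def __init__(self):
        self._records = {}   # account -> dict(salt, hash, failures, locked)

    def enroll(self, account, passphrase):
        """Account owner registers a reset passphrase ahead of time."""
        salt = secrets.token_bytes(16)
        self._records[account] = {
            "salt": salt,
            "hash": _hash_passphrase(passphrase, salt),
            "failures": 0,
            "locked": False,
        }

    def is_locked(self, account):
        rec = self._records.get(account)
        return bool(rec and rec["locked"])

    def request_reset(self, account, passphrase):
        """Return a temporary password only if the caller knows the passphrase.

        Returns None for a wrong passphrase, an unknown account or a locked
        account, with the same response for all three so a caller can't learn
        which accounts exist. Locks the account after MAX_ATTEMPTS failures."""
        rec = self._records.get(account)
        if rec is None or rec["locked"]:
            return None
        candidate = _hash_passphrase(passphrase, rec["salt"])
        if not hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] += 1
            if rec["failures"] >= MAX_ATTEMPTS:
                rec["locked"] = True
            return None
        rec["failures"] = 0
        # Temporary password; the real system would force a change on first login.
        return secrets.token_urlsafe(12)


if __name__ == "__main__":
    desk = ResetDesk()
    desk.enroll("alice", "correct horse battery")
    print("wrong passphrase:", desk.request_reset("alice", "guess"))
    print("right passphrase:", desk.request_reset("alice", "correct horse battery"))
```

The constant-time comparison and the identical failure response are the parts worth copying; the lockout threshold is where the post's "optimal, not ultimate" trade-off lives, since a tighter limit raises the cost of the attack and also the cost of a forgetful legitimate caller.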

Saturday, January 05, 2008

Privacy or Security Engineering

Sears has a portal that lets you lookup past purchases. It also allows you to lookup purchases of others if you know their name and phone number. In violation of their own privacy policy. Oops.

The article makes a lot of noise about privacy issues, but to me this is primarily another example of poor (or no) security engineering.

By analyzing the data sensitivity, existing requirements (like that privacy policy), and the data flow for the portal, it should've been obvious that stronger authentication and authorization controls were needed.
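The flaw described above in code, as an added example that is not part of the original post and not Sears' actual implementation: a lookup keyed on name and phone number beside a version that requires a logged-in session and checks that the requested record belongs to the caller. The data and names below are constructed for illustration.

```python
"""Added example (not from the original post): purchase lookup keyed on public
identifiers, beside a version with real authentication and authorization.
All data here is constructed."""

from dataclasses import dataclass

# Constructed purchase history keyed by an internal customer id.
PURCHASES = {
    "cust-1001": [{"item": "socket set", "total": 49.99}],
    "cust-1002": [{"item": "treadmill", "total": 899.00}],
}

# Constructed directory: (name, phone) -> customer id. This is what the
# vulnerable lookup keys on; neither value is a secret.
CUSTOMERS = {
    ("Alice Example", "303-555-0101"): "cust-1001",
    ("Bob Example", "303-555-0102"): "cust-1002",
}


class AuthorizationError(Exception):
    pass


def lookup_purchases_vulnerable(name, phone):
    """Anyone who knows a name and phone number gets that person's history.

    A name and phone number identify a customer but prove nothing about who is
    asking, so this performs neither authentication nor authorization."""
    customer_id = CUSTOMERS.get((name, phone))
    if customer_id is None:
        return []
    return PURCHASES[customer_id]


@dataclass
class Session:
    """Stands in for a session created only after a real login."""
    customer_id: str


def lookup_purchases_hardened(session, customer_id):
    """Require a logged-in session and check the record belongs to the caller.

    Name and phone are no longer accepted as proof of anything; the identity
    comes from the session, and the requested record must match it."""
    if session is None:
        raise AuthorizationError("login required")
    if session.customer_id != customer_id:
        # Fail closed with a generic message so the response doesn't confirm
        # whether the other customer's record exists.
        raise AuthorizationError("not permitted")
    return PURCHASES.get(customer_id, [])


if __name__ == "__main__":
    print("vulnerable:", lookup_purchases_vulnerable("Bob Example", "303-555-0102"))
    print("hardened, own record:", lookup_purchases_hardened(Session("cust-1002"), "cust-1002"))
    try:
        lookup_purchases_hardened(Session("cust-1001"), "cust-1002")
    except AuthorizationError as err:
        print("hardened, someone else's record:", err)
```

The hardened version is what falls out of the analysis the paragraph above describes: once the data is classified as sensitive and the privacy policy is treated as a requirement, "who is asking" becomes an input the handler must verify rather than infer from a phone book.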

Banning Hacking Tools

Here's another tale of government trying to stop crime by banning general purpose tools that are used in crime, as well as to protect against it. Security, network, and system administrators should regularly use tools to detect vulnerabilities. These tools are used by hackers (and so would be illegal). But this is precisely why they should be available to everyone. To level the playing field. Fortunately the law's guidance improves the situation slightly, but the overarching approach is fundamentally flawed.

As a deterrent it is almost wholly ineffective. If someone is already breaking into computers they are already disregarding the law. Another law prohibiting the use/distribution of the tools used in committing crime is only a deterrent in that it slightly increases the risk to the perpetrator by increasing the penalties if caught (like armed robbery vs. plain old robbery, although in this case, simple social engineering is probably as much or more effective than some of these tools). If the criminal already is willing to take the risk of jail time, then what's a little more added on?

It also is an attempt to simplify catching cyber criminals, I suppose. Tracking them through cyberspace is hard. Much easier if all you have to do is find people with "Evil" tools. Except for that niggling problem of justice. People not breaking into computers will have the tools, so how do you tell the two apart? Intent, it turns out. I'm sure that's nice and crisply defined.

Perhaps the law was intended to keep these tools out of the hands of the bad guys in the first place? Even if you somehow banned the transfer of these tools into the UK, since it's the Internet, trying to stop the distribution of, well, anything, isn't exactly a cake walk. And if legit folks get to use the tools, then this law can do nothing to control the flow of these tools.

IT and security professionals need the tools to protect themselves. The criminals will have the tools whether you ban them or not. (They aren't going to give up their life of crime and take up professional knitting). They'll have other techniques like phishing (let's ban email!) and social engineering (cursed evil telephones!). So with laws that ban dual purpose tools, all you're really doing is tipping the balance in favor of criminals. Brilliant.