Thursday, January 24, 2008

Article in The Register:

A security researcher says he has observed criminals using a new form of attack that causes victims to visit spoofed banking pages by secretly making changes to their high-speed home routers.

Talk about a targeted attack... Thing is, broadband users don't all have the same router, so that lowers the usefulness of this attack for the big-money criminal operations, I would think, even if the attack can be carried out over the internet versus from a car across the street. Homogeneity in the digital gene pool does pay off, I think.

Seems this would be more on the level of neighborhood crime. Perhaps in the future when people are more tech savvy overall, this type of crime will make stealing radios and CDs out of cars obsolete. Meanwhile I suppose this attack could be interesting if the target of the attack is, let's say, a financial planner...

While the likelihood is probably on the low side, the impact is high. But really, who cares? Changing your router password is not that tough. A near-zero mitigation cost is a no-brainer no matter what the risk.

Although it's One More Thing that the average home user has to fix. Wouldn't it be neat if manufacturers could set the router password to be unique per box, or at least chosen from a reasonably sized set? DIP switches? Programmable logic array? A batch of different EEPROMs? If they can print unique serial numbers, can't they give routers unique passwords?
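To put a number on "unique per box" versus "chosen from a reasonably sized set", here is an added example (mine, not anything from the article or any router vendor). It generates a per-unit password from the OS CSPRNG at provisioning time and compares its entropy with the alternatives the paragraph floats: a password picked from a fixed set (DIP switches, a handful of EEPROM images) or one computed from the serial number. The alphabet, length, serial format and the `provision` record are assumptions for illustration.

```python
import hashlib
import math
import secrets

# Alphabet without look-alike glyphs (0/O, 1/I/l) so the sticker is readable.
LABEL_ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"   # 32 symbols = 5 bits each
PASSWORD_LEN = 10                                      # 10 * 5 = 50 bits


def random_string_entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def set_entropy_bits(set_size):
    """Entropy when the password is one of a fixed set (a DIP-switch setting,
    one of a few EEPROM images, or any value computed from a sequential
    serial): log2(set size), no matter how long the resulting string looks."""
    return math.log2(set_size)


def factory_password():
    """Per-unit admin password from the OS CSPRNG; generated once at burn-in,
    written to the unit's config and printed next to the serial on the label."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(PASSWORD_LEN))


def serial_derived_password(serial):
    """Anti-pattern: a password that is a pure function of the serial number.
    It looks unique per box, but anyone who learns the serial (it is on the
    same label, and a vendor may also expose it via the MAC address or default
    SSID) can recompute it, so its strength is only that of the serial space."""
    return hashlib.sha256(serial.encode()).hexdigest()[:PASSWORD_LEN].upper()


def provision(serial):
    """Constructed manufacturing record for one unit (hypothetical format,
    not any real vendor's process)."""
    return {"serial": serial, "admin_password": factory_password()}


if __name__ == "__main__":
    print("random label password:", random_string_entropy_bits(len(LABEL_ALPHABET), PASSWORD_LEN), "bits")
    print("8 DIP switches:       ", set_entropy_bits(2 ** 8), "bits")
    print("100k sequential serials, hashed:", round(set_entropy_bits(100_000), 1), "bits")
    print(provision("SN000123"))
```

The point of `set_entropy_bits` is that the guessing cost is set by the size of the set the password is drawn from, not by how long the printed string is; eight DIP switches give an attacker 256 candidates, and a hash of a sequential serial gives them as many candidates as there are units in the batch.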

Tuesday, January 22, 2008

Backwaters Internet

My parents are still on dialup. It's like some kind of backwater, third world, armpit of the internet ruled by evil war lords. You're standing buck naked in the middle of a town square during a firefight between warring factions and if you want body armor or a helmet, you have to mail order it from China.

I was trying to get Mom's computer updated. Symantec A-V hadn't been updated since December. Mostly it went ok on a 56k modem. Until it bombed. It couldn't install the latest LiveUpdate software. So I went to a free internet hotspot, and even that took me 2 hours to work through. I can't see a home user being this patient. And we wonder why there are bot networks?

This is to say nothing of the giant patches that have to be installed every month (assuming auto update is enabled). And then there are 3rd-party patches. Good luck with that. This constant deluge of patching and signature updates and software updates is maddening. Microsoft seems to be getting it together when you compare patch volumes for Win2k, XP, 2003, and Vista (so far).

Even so, most systems are just too hard to keep secure. They require constant attention and vigilance, tinkering, and time. It's almost as tough as trying to keep my Jeep running...

Sunday, January 13, 2008

When do we fix the problem?

So, with the increase in internet crime we seem to keep hearing about over, and over, and over again in security news publications, the attackers have really ramped up their sophistication. The information security game has radically changed and it sounds like the good guys are losing. This article in PC World talks about new malware techniques for evading detection.

The bad guys are testing their code against anti-virus engines to ensure they aren't detectable. This technique is mentioned along with numerous other depressing techniques used by the cybercrime underground in this report by Peter Gutmann.

For years we've been patching to address shoddy programming, installing anti-virus updates and then anti-spyware, we've used firewalls to hide gobs of insecure servers, and so on. Not that any of this works all that well for the average user (or we wouldn't have so many botnet members falling in home-user IP space). It burns up a lot of time in the corporate world.

I don't think we can keep ignoring the underlying, fundamental problems in computer security for much longer. We need something for the disease not the symptoms. At some point the pain will get large enough to pass it on to the software vendors. Perhaps there will actually come a time that users would rather be secure than get the next greatest feature. Or am I being too optimistic again?

Saturday, January 12, 2008

Helpdesk Social Engineering

This article discusses attacks on Xbox Live accounts. The key point is the social engineering of helpdesk/support employees. Call up the helpdesk of the target, pretend to be the account owner, request a password reset, et voilà.

Same thing in IT security, of course. Fundamentally it's an authentication issue. Or the lack of one. You want to use a something-you-have, or more commonly, a something-you-know (and-others-don't), a.k.a. a secret.

I've set an optional password on bank accounts, where they ask for it before they can make any changes over the phone or even in person. Simple. Effective. We've all run into the common "please verify your mailing address for me" verification, usually following entry of an account number. If attackers know your name, there's that little detail of online white pages to get them that info. In a previous incarnation, the company I worked for would verify you by your SecurID using a website. That's solid. But kind of a pain.

Once again it's a balance. Don't forget when looking at the risk of social engineering that there is also the risk of time lost to a cumbersome password reset process. You want optimal security, not ultimate security.

If your company's helpdesk isn't doing some reasonable authentication before doing password resets, then it's probably about time to work with 'em to develop a new, simple process. With a priority based on risk analysis, obviously... but with this being an easy, common attack, I bet the risk ranks fairly high on the list.

You do have a risk list, don't you?
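Here is what "reasonable authentication before a password reset" can look like in code. This is an added example of mine, not from the article, the Xbox Live support process, or any bank: the caller must present a secret the white pages can't supply (a phone passphrase stored as a salted, stretched hash and compared in constant time), and, where the account has a token, a current RFC 6238 TOTP code standing in for the SecurID-style something-you-have. The `Account` layout, the failure limit, the PBKDF2 work factor and the sample accounts are assumptions; the TOTP test key is the one from the RFC's own test vectors.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 100_000   # assumption: work factor picked for this example
MAX_FAILURES = 5          # assumption: lock the phone channel after this many bad guesses
TOTP_STEP = 30            # seconds per RFC 6238 time step


def hash_secret(secret, salt=None):
    """Salt and stretch the caller's verification phrase; store only the digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def totp(key, unix_time, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the software equivalent of a hardware token."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Constructed account record for the example; no real directory behind it."""
    def __init__(self, name, mailing_address, phone_secret, totp_key=None):
        self.name = name
        self.mailing_address = mailing_address   # public (white pages): never a factor
        self.salt, self.secret_hash = hash_secret(phone_secret)
        self.totp_key = totp_key                 # None if the account has no token
        self.failures = 0
        self.locked = False


def verify_caller(acct, claimed_secret, totp_code=None, now=None):
    """Return True only if the caller proves something the public can't look up:
    the phone secret, plus a current token code when the account has one."""
    if acct.locked:
        return False
    _, candidate = hash_secret(claimed_secret, acct.salt)
    ok = hmac.compare_digest(candidate, acct.secret_hash)   # constant-time compare
    if ok and acct.totp_key is not None:
        now = int(time.time()) if now is None else now
        supplied = (totp_code or "").encode()
        # accept one time step either side to tolerate clock drift
        ok = any(hmac.compare_digest(totp(acct.totp_key, now + d * TOTP_STEP).encode(), supplied)
                 for d in (-1, 0, 1))
    if ok:
        acct.failures = 0
        return True
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True   # push the caller to an out-of-band process instead of more guessing
    return False


if __name__ == "__main__":
    pat = Account("Pat Doe", "1 Main St", "maple syrup")
    print("address as 'secret':", verify_caller(pat, "1 Main St"))   # False
    print("phone passphrase:   ", verify_caller(pat, "maple syrup"))  # True
```

Two design notes: the mailing address is stored but deliberately never consulted by `verify_caller`, which is the whole point of the post; and the lockout exists because a helpdesk phone line is an online oracle, so a caller who keeps failing should be routed to a slower, out-of-band process rather than allowed to keep guessing.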

Saturday, January 05, 2008

Privacy or Security Engineering

Sears has a portal that lets you look up past purchases. It also allows you to look up the purchases of others if you know their name and phone number. In violation of their own privacy policy. Oops.

The article makes a lot of noise about privacy issues, but to me this is primarily another example of poor (or no) security engineering.

By analyzing the data sensitivity, existing requirements (like that privacy policy), and the data flow for the portal, it should've been obvious that stronger authentication and authorization controls were needed.
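The flaw as described, next to the control that the data-flow analysis should have called for, as an added example (mine, with constructed sample data; it is not the portal's code and says nothing about how the real site was built). The vulnerable function uses name and phone number as both identifier and credential; the hardened one requires an authenticated session and checks, for every record, that the record's owner is the session principal. The `Session` class and the customer records are assumptions.

```python
from collections import namedtuple

Purchase = namedtuple("Purchase", "customer_id item")

# Constructed sample data standing in for the portal's backend.
CUSTOMERS = {
    "c1": {"name": "Pat Doe", "phone": "555-0101"},
    "c2": {"name": "Sam Roe", "phone": "555-0102"},
}
PURCHASES = [
    Purchase("c1", "lawn mower"),
    Purchase("c2", "dishwasher"),
    Purchase("c2", "drill"),
]


def purchases_by_identity(name, phone):
    """The flaw: name + phone act as both identification and authorization.
    Both are in the white pages, so anyone can read anyone's history."""
    for cid, c in CUSTOMERS.items():
        if c["name"] == name and c["phone"] == phone:
            return [p.item for p in PURCHASES if p.customer_id == cid]
    return []


class Session:
    """An authenticated session (assumed; how login happened is out of scope)."""
    def __init__(self, customer_id):
        self.customer_id = customer_id


class Forbidden(Exception):
    pass


def purchases_for(session, customer_id):
    """Hardened form: the caller must be logged in, and the requested records
    must belong to the session principal (authorization checked per object,
    not just 'is someone logged in')."""
    if session is None:
        raise Forbidden("authentication required")
    if session.customer_id != customer_id:
        raise Forbidden("not your purchase history")
    return [p.item for p in PURCHASES if p.customer_id == customer_id]


if __name__ == "__main__":
    print("white-pages lookup of a stranger:", purchases_by_identity("Sam Roe", "555-0102"))
    print("own history, logged in:          ", purchases_for(Session("c2"), "c2"))
    try:
        purchases_for(Session("c1"), "c2")
    except Forbidden as e:
        print("stranger's history, logged in:   ", e)
```

Note that the privacy policy is an input to the design: it is the requirement that tells you "purchase history" is sensitive, which is what turns "who can call this lookup?" into a question that needs an answer other than "anyone with a phone book".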

Banning Hacking Tools

Here's another tale of government trying to stop crime by banning general purpose tools that are used in crime, as well as to protect against it. Security, network, and system administrators should regularly use tools to detect vulnerabilities. These tools are used by hackers (and so would be illegal). But this is precisely why they should be available to everyone. To level the playing field. Fortunately the law's guidance improves the situation slightly, but the overarching approach is fundamentally flawed.

As a deterrent it is almost wholly ineffective. If someone is already breaking into computers, they are already disregarding the law. Another law prohibiting the use/distribution of the tools used in committing crime is only a deterrent in that it slightly increases the risk to the perpetrator by increasing the penalties if caught (like armed robbery vs. plain old robbery, although in this case simple social engineering is probably as effective as or more effective than some of these tools). If the criminal is already willing to take the risk of jail time, then what's a little more added on?

It also is an attempt to simplify catching cyber criminals, I suppose. Tracking them through cyberspace is hard. Much easier if all you have to do is find people with "Evil" tools. Except for that niggling problem of justice. People not breaking into computers will have the tools, so how do you tell the two apart? Intent, it turns out. I'm sure that's nice and crisply defined.

Perhaps the law was intended to keep these tools out of the hands of the bad guys in the first place? Even if you somehow banned the transfer of these tools into the UK, since it's the Internet, trying to stop the distribution of, well, anything, isn't exactly a cakewalk. And if legit folks get to use the tools, then this law can do nothing to control the flow of these tools.

IT and security professionals need the tools to protect themselves. The criminals will have the tools whether you ban them or not. (They aren't going to give up their life of crime and take up professional knitting). They'll have other techniques like phishing (let's ban email!) and social engineering (cursed evil telephones!). So with laws that ban dual purpose tools, all you're really doing is tipping the balance in favor of criminals. Brilliant.