Security Bloggers Network

All the security news fit to print
Updated: 29 min 52 sec ago

Kid Hacking – Learning to Program

7 hours 38 min ago

The successes of several HacKid conferences and the first ever DefCon Kids last year got me thinking about starting to teach my kid a little bit more about computers than he probably learns in school. Programming seemed like the obvious choice to me as that is where I started years ago. Yeah, it was only Basic but at least I learned the concepts.

With a little bit of Googling the top choice seemed to be a language called Scratch hosted over at MIT. At this point I didn’t really know much about it so I put a call out to the Twitterverse since I know many of us have elementary-aged kids.

grecs: Introducing kid to programming with a free tool called Scratch. Anyone out there tried it? Thoughts?

@danphilpott got back to me suggesting Logo but then later retracted that answer as it was “good for its time but [he] think[s] there have been better educational languages developed.” He then referenced Wikipedia’s Educational Programming Language page. Wow, what a great reference! It had a nice overview on Scratch.

Scratch is a visual programming language based on and implemented in Squeak. It has the goal of teaching programming concepts to children and letting them create games, videos, and music. In Scratch, all the interactive objects, graphics, and sounds can be easily imported to a new program and combined in new ways. That way, beginners can get quick results and be motivated to try further. …

This language looked like the perfect fit for me as it focuses on elementary-aged kids, is open source, and runs on a Mac. And then there was @danphilpott‘s Logo suggestion…

Logo is a language that was specifically designed to introduce children to programming. The first part of learning Logo deals with “turtle graphics” (derived from turtle robots used as early as 1969 with proto-Logo). In modern implementations, an abstract drawing device, called the turtle, is used to make programming for children very attractive by concentrating on doing turtle graphics. …

Back on Twitter @mahmoudhossam also suggested Greenfoot and pointed me to an article about it written by James Gosling. The Educational Programming Language wiki describes it as:

Greenfoot is an interactive Java development environment developed primarily for educational purposes. It allows easy development of two-dimensional graphical applications, such as simulations and interactive games. It is mainly aimed at programming education (object-oriented programming with Java) at high school and early university level.

Although Greenfoot is a great suggestion, it looks like it’ll be a few years before the kiddos are ready for that level of complexity.

The other nice thing about the Educational Programming Language wiki page was at the bottom, there was a matrix that matched grade levels to programming languages. So for someone pre-school through 2nd grade it recommended:

For grades 2 through 4, it listed:

From the Logo Foundation site (also hosted by the good folks over at MIT) I even learned Scratch is an implementation of Logo. Since Scratch is a derivative of Logo, I felt even more confident that my original selection of Scratch was a great way to start out.

Be sure to check out Scratch’s Support page with a getting started guide, video tutorials, and tours. I also noticed an offshoot of Scratch called BYOB (Build Your Own Blocks) that I’ll probably check out. Hosted by Berkeley, it comes with a complete course called “CS 10 – The Beauty and Joy of Computing using BYOB.”

#####

The good news about all this was that after I installed Scratch and showed the kiddo a few things, he seemed to pick it up fairly quickly. Today’s post image is from Bricks Bots & Beyond. See ya!


Category: Security

Problems at metacafe.com?

7 hours 55 min ago

Cite: http://www.google.com/safebrowsing/diagnostic?site=metacafe.com

“Of the 15199 pages we tested on the site over the past 90 days, 5944 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-05-18, and the last time suspicious content was found on this site was on 2012-05-17.”

openx-master.info
ICANN Registrar: DomainContext Inc
Created 17 May 2012

*****

metaafe.info (It’s worrying that a malicious incident on metacafe.com involved a domain so similarly named; that points to a human-managed attack, not just random scanning for and automated abuse of vulnerable OpenX installs.)


ICANN Registrar: DomainContext Inc
Created 17 May 2012

*****

openxmasters.info
ICANN Registrar: DomainContext Inc
Created 17 May 2012

Some other recently reported bad domains have been:

ptsector.com
ICANN Registrar: Register.com, Inc
Created 8 May 2012

Registrant: Jacob Hayes, hiltonparis390@yahoo.com

*****

MULTIPLEXTENT.COM (http://www.google.com/safebrowsing/diagnostic?site=multiplextent.com)
ICANN Registrar: Register.com, Inc
Created 15 May 2012

Registrant: Jacob Hayes, hiltonparis390@yahoo.com

*****

WEBEXPERTEST.COM (http://www.google.com/safebrowsing/diagnostic?site=WEBEXPERTEST.COM)
ICANN Registrar: Register.com, Inc
Created 15 May 2012

Registrant: Jacob Hayes, hiltonparis390@yahoo.com
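The two signals this post leans on, a domain one edit away from the brand and a registration date on the day of the incident, are easy to automate across a domain list. The following is an added example in Python, not part of the original post: it scores the domains quoted above against edit distance to a brand name and against registration recency. The brand list (metacafe and openx) and the thresholds (2 edits, 7 days) are assumptions made for the illustration.

```python
"""Flag look-alike domains and fresh registrations, as in the metacafe.com case.

Added illustration, not part of the original post. The domains, their WHOIS
creation dates and the incident date are the ones quoted in the post; the
brand list and the scoring thresholds are assumptions chosen for the example.
"""
from datetime import date
from typing import Dict, List, Optional, Tuple

# Domains and WHOIS creation dates quoted in the post.
OBSERVED: Dict[str, date] = {
    "openx-master.info": date(2012, 5, 17),
    "metaafe.info": date(2012, 5, 17),
    "openxmasters.info": date(2012, 5, 17),
    "ptsector.com": date(2012, 5, 8),
    "multiplextent.com": date(2012, 5, 15),
    "webexpertest.com": date(2012, 5, 15),
}
INCIDENT_DATE = date(2012, 5, 17)   # last suspicious content seen, per Safe Browsing
BRANDS = ["metacafe", "openx"]       # assumption: names an attacker wants to blend in with


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'metaafe' from 'metaafe.info'.
    Assumes a one-label public suffix; a real tool would consult the PSL."""
    return domain.lower().rstrip(".").split(".")[-2]


def lookalike_of(domain: str, brands=BRANDS, max_distance: int = 2) -> Optional[str]:
    """Return the brand this domain imitates, or None.

    A match is either the brand string embedded in the label (openx-master)
    or a label within `max_distance` edits of the brand (metaafe ~ metacafe).
    """
    label = registrable_label(domain)
    for brand in brands:
        if brand in label or levenshtein(label, brand) <= max_distance:
            return brand
    return None


def triage(observed=OBSERVED, incident=INCIDENT_DATE, fresh_days: int = 7) -> List[Tuple[str, str]]:
    """Pair each domain with a comma-joined list of reasons it looks suspicious:
    'fresh' = registered within `fresh_days` before the incident,
    'lookalike:<brand>' = imitates a brand. An empty string means no signal."""
    out = []
    for domain, created in sorted(observed.items()):
        reasons = []
        age = (incident - created).days
        if 0 <= age <= fresh_days:
            reasons.append("fresh")
        brand = lookalike_of(domain)
        if brand:
            reasons.append(f"lookalike:{brand}")
        out.append((domain, ",".join(reasons)))
    return out


if __name__ == "__main__":
    for domain, reasons in triage():
        print(f"{domain:22} {reasons or '-'}")
```

Edit distance alone misses homoglyph and keyboard-adjacency tricks and needs the real Public Suffix List to extract the registrable label correctly; in practice this is a first-pass filter that sends candidates for manual review, the kind of review that separated metaafe.info from the random OpenX scanners in the post.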


Category: Security

adultfriendfinder.com spam

9 hours 21 min ago

Subject: “FWD: ALERT: You have an E-Card from your Secret Admirer.”

Clicking on the URL leads you here – just so we’re all clear, nobody actually has a crush on you (sorry):

Click on “My Profile and Pics” and you end up at adultfriendfinders.com:

The Privacy Policy hyperlink and Terms of Use hyperlink are both adultfriendfinder.com URLs:


Category: Security

InfoSec Daily Podcast Episode 671

9 hours 36 min ago
Episode 671 - Judge Knows Code, Mobile Malware, No paycheck for Flashback, and Faceboom PM Malware.


Category: Security

Weekly Roundup: May 18, 2012 – Smartphone Security, Cyber Threat Trends and the Importance of Secure Development

Fri, 05/18/2012 - 23:36
Trending Security News

Security news stories this week focused on smartphone security and GPS tracking; our Security Development Conference in DC; and a report on security technology trends, with a few stories also covering malware stats and cyber-attacks... (read more)


Category: Security

Book Review: “Security De-Engineering: Solving the Problems in Information Risk Management” by Ian Tibble

Fri, 05/18/2012 - 22:44
This book is probably the most thought-provoking book on security I have read in the last 5-7 years! While I'm somewhat known for my proclivity to exaggerate, I assure you this is not an exaggeration. As I was reading it, I felt like I connected to deep layers of the subconscious of the security industry.
In fact, the influence this book has already had on me is palpable: I found myself using some of its terms (such as the author’s favorites, “intellectual capital” and “CASE”) and concepts the day after I started reading it.

As a brief summary, the book investigates the evolution of the way we do information security from the “hacker-led” late 1990s to the “compliance-heavy” late 2000s and today. The author also highlights dramatic problems with today's approach to security and suggests some solutions in the way people think and operate around security.

In fact, it might be one of the most influential books ever written in the history of the security industry, one that appeared at the best possible time, when it is most needed. Along the same line, I have grown worried about the ranks of security professionals who are not hands-on with technology and who have never secured production systems. Like the author, I've grown frustrated with the ranks of idiots who equate compliance with security. Even the author’s rant about ethics is something I've been thinking about for years.

The author slaughters a few sacred cows of the security industry: that “executives are clueless” and that we “must have reliable actuarial data on incidents to stay relevant.” He also highlights a few categories of security products that are notorious for not delivering value and explains the reasons for that. Most of his points are backed up by specific cases from his experience, going back to the end of the 1990s when the security industry was born.

And, of course, as with any thought-provoking writing, I cannot say I agree with every word I read. For example, I am much less negative on vulnerability assessment technology than the author (I don't think it gives you 50% “false negatives” on common platforms today). Furthermore, I abhor the use (misuse, really) of “ROI” for justifying security spending. Style-wise, the author is a little too fond of repetition for my taste. However, having a summary after each chapter is a great idea.

Finally, despite the unreasonably high price, I feel that every member of the security community MUST read this book. Literally every chapter has insights that will make you a better security professional today.

All book reviews. About me: http://www.chuvakin.org



Category: Security

SecuraBit Episode 104: Cackalacky Goodness!

Fri, 05/18/2012 - 22:13

Hosts


Guests

  • Dr. Tran
  • Emwave
  • Professor Farnsworth


News Items


Use Our Discount Codes

  • Use code SecuraBit_Connect to get $150.00 off of ANY training course. The discount code is good for all SANS courses in all formats.
  • FREE exam attempt with corresponding course purchase for SANSFIRE 2012 with code SecuraBit_SFGIAC
  • Use code 36449 for 20% off your Syngress order!


Upcoming events


Links


Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast – http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available – http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8



Category: Security

Social Engineering: Facebook Photo

Fri, 05/18/2012 - 20:58
Please welcome a guest-blogger, Sarah Turner, who authored today's report. Sarah is a malware analyst in the UAB Computer Forensics Research Laboratory and is the editor of our daily "Emerging Threats By Email" report. I asked her to put together an article about a prevalent spam campaign that has been running wild for about a month now. While the HISTORICAL malware described below is fairly well detected, each morning when a new version has come out the detection has been low, with improvement over the next 24-48 hours. If you see a message like this, RESIST TEMPTATION! DO NOT CLICK!

_-_
gar

Social Engineering: Facebook Photo

Guest blogger: Sarah Turner

This campaign uses social engineering: subject lines that insinuate a photo is attached, obtained from a social media site or the public domain, depicting the recipient or the recipient's ex-girlfriend in a scandalous or otherwise embarrassing predicament.

The campaign uses only 8 subjects, shown below.

  • FW:Check the attachment you have to react somehow to this picture
  • FW:They killed your privacy man your photo is all over facebook! NAKED!
  • FW:Why did you put this photo online?
  • FW:You HAVE to check this photo in attachment man
  • RE:Check the attachment you have to react somehow to this picture
  • RE:They killed your privacy man your photo is all over facebook! NAKED!
  • RE:Why did you put this photo online?
  • RE:You HAVE to check this photo in attachment man

The email body can vary between the 3 samples shown below:

Hey,
I have a question-have you seen this picture of yours in attachment?? Three facebook friends sent it to me today...why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than I thought about you man :))))

Hate to bother you,
But I really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter...The question is is it really you???.

I'm sorry,
I got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that due??.

all of which encourage the recipient to open the attachment and see the image to which they refer. Typically the attachment is a .ZIP containing an executable; however, the attachments received on May 16, 17, and 18 were not .ZIP files but executables with the double extension “.jpg.exe”, so that the file passes for an image at a glance.

The first few times this malware was received (April 20 – 23), once downloaded and run, it posed as antivirus software (a fake AV).

After that, the malware received was identified as Cutwail delivering Zeus. When the executable was run there was no recordable network traffic, but multiple changes were made to the Registry and a new file named svchost.exe was added to the computer. The executable received today had a detection of XXXX on VirusTotal.

UAB has 11 prominent MD5s associated with this campaign (and a couple of malformed files):

count   md5_hex                           VirusTotal detections
24998   b42cf3d2cc829aba1e771f9517b2b97d  38 of 41
21754   57f40166fd7cafe84ef51fe5f7776c51  21 of 41
21011   77e7fc1b2addc8ee5ea74e3592d4ab89  14 of 41
14918   76e144a572b4c52e3ddb8bd860dfbdd9  36 of 41
 9562   5dea03a160543724d7cf4adda93a28ae  36 of 41
 9138   061f96cf8f7713d17e580900ba20c6b4  31 of 42
 8286   9badf88e346bd0530d4e5248d2bb2f35  37 of 42
 6362   d60bfa876dc382908fbcde1c96d5b95f  36 of 42
 5604   bf7b30a96dc8be8bbfb826158afb2379  34 of 42
 4742   8cc36756d15560335ed53c47bd7cbc5e  36 of 42
 2538   d6f05da06a26d9d731273a0fa26dd7e1  12 of 42
This campaign was seen for the first time on 4/20/12 and was the top campaign seen today. Below is the full list of days and receipt counts prior to this week (a date appears twice when two distinct samples were received that day).

receiving_date   count
--------------   ------
2012-04-20        6372
2012-04-21       20819
2012-04-22        3182
2012-04-23        5739
2012-04-29       14918
2012-05-03        9252
2012-05-04         308
2012-05-06           2
2012-05-07        9138
2012-05-08        8286
2012-05-08          13
2012-05-11        1279
2012-05-12        4325
2012-05-16        7260
2012-05-17       17053
2012-05-17       13751
2012-05-18        4701
2012-05-18        2538

We have seen at least 6,757 unique IP addresses used to send us copies of this email with one of these malware attachments. When the malware is fresh, as it is each morning in the Emerging Threats By Email report, the detection rates are much lower. For example, here is the status from the May 17th Emerging Threats By Email report:

So, yesterday morning when the report was written, that version of the malware had 7 detects, although as of this writing it has 14.
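The subject list, the double-extension trick and the MD5 table above are exactly what a mail gateway rule would key on. The following is an added example in Python, not UAB's code: it normalizes FW:/RE: prefixes before matching the subject, flags “.jpg.exe” style double extensions, opens ZIP attachments in memory to look for executable members, and matches attachment hashes against the list from the post. The sample messages are constructed, with one attachment deliberately tagged with a hash from the table to exercise the IOC match; the executable and image extension sets are assumptions.

```python
"""Gateway-style triage for the "Facebook photo" malspam campaign described above.

Added example; it is not UAB's code. The subject lines and MD5s are the
indicators listed in the post. The sample messages are constructed for the
demonstration: their attachment bytes are placeholders, and one sample is given
a hash from the post's list on purpose so the hash match fires.
"""
import hashlib
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List

# The eight subjects in the post collapse to four once the FW:/RE: prefix is removed.
CAMPAIGN_SUBJECTS = {
    "check the attachment you have to react somehow to this picture",
    "they killed your privacy man your photo is all over facebook! naked!",
    "why did you put this photo online?",
    "you have to check this photo in attachment man",
}

# MD5s associated with the campaign, per the post.
KNOWN_BAD_MD5 = {
    "b42cf3d2cc829aba1e771f9517b2b97d", "57f40166fd7cafe84ef51fe5f7776c51",
    "77e7fc1b2addc8ee5ea74e3592d4ab89", "76e144a572b4c52e3ddb8bd860dfbdd9",
    "5dea03a160543724d7cf4adda93a28ae", "061f96cf8f7713d17e580900ba20c6b4",
    "9badf88e346bd0530d4e5248d2bb2f35", "d60bfa876dc382908fbcde1c96d5b95f",
    "bf7b30a96dc8be8bbfb826158afb2379", "8cc36756d15560335ed53c47bd7cbc5e",
    "d6f05da06a26d9d731273a0fa26dd7e1",
}

# Assumption: extensions Windows runs on double-click, and the image extensions
# an attacker pairs them with (".jpg.exe" is the one seen in the post).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}
PREFIX_RE = re.compile(r"^(?:\s*(?:fw|fwd|re)\s*:\s*)+", re.IGNORECASE)


@dataclass
class Attachment:
    name: str
    data: bytes
    md5: str = ""  # hex digest; computed from data unless supplied by an upstream scanner

    def __post_init__(self):
        if not self.md5:
            self.md5 = hashlib.md5(self.data).hexdigest()


@dataclass
class Message:
    subject: str
    attachments: List[Attachment] = field(default_factory=list)


def normalize_subject(subject: str) -> str:
    """Strip any run of FW:/FWD:/RE: prefixes, then lower-case for matching."""
    return PREFIX_RE.sub("", subject).strip().lower()


def is_disguised_executable(filename: str) -> bool:
    """photo.jpg.exe -> True; photo.jpg -> False; setup.exe -> False (not disguised)."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in IMAGE_EXTS


def zip_contains_executable(data: bytes) -> bool:
    """True if the bytes are a ZIP whose member list has an executable (the campaign's usual form)."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return False
    with zipfile.ZipFile(buf) as zf:
        return any(n.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS for n in zf.namelist())


def triage(msg: Message) -> List[str]:
    """Return the indicator names that fire for a message; an empty list means no match."""
    hits = []
    if normalize_subject(msg.subject) in CAMPAIGN_SUBJECTS:
        hits.append("campaign-subject")
    for att in msg.attachments:
        if att.md5 in KNOWN_BAD_MD5:
            hits.append(f"known-md5:{att.name}")
        if is_disguised_executable(att.name):
            hits.append(f"double-extension:{att.name}")
        if zip_contains_executable(att.data):
            hits.append(f"zip-with-executable:{att.name}")
    return hits


def _zip_with(member: str, payload: bytes) -> bytes:
    """Build an in-memory ZIP for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


# Constructed samples, not real captures. The second attachment carries a hash
# from the post's table to show the IOC match; its bytes are a placeholder.
SAMPLES = [
    Message("RE:Why did you put this photo online?",
            [Attachment("photo.zip", _zip_with("photo.exe", b"MZ placeholder"))]),
    Message("FW:You HAVE to check this photo in attachment man",
            [Attachment("DSC_0142.jpg.exe", b"MZ placeholder",
                        md5="b42cf3d2cc829aba1e771f9517b2b97d")]),
    Message("Re: lunch tomorrow?", [Attachment("agenda.pdf", b"%PDF-1.4 placeholder")]),
]


def triage_samples() -> List[List[str]]:
    return [triage(m) for m in SAMPLES]
```

Note the ordering of confidence: the hash match only catches samples already known, which is the low-detection-on-day-one problem the post describes, while the subject and attachment-shape rules also catch the next morning's repack.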


Category: Security

Resilient is the new secure – the evolution of business-relevant thinking

Fri, 05/18/2012 - 20:57

Resilient: "re·sil·ient" /riˈzilyənt/ - Able to withstand or recover quickly from difficult conditions.

Is your enterprise resilient ...or are you still trying to push security?  What's the difference?


Category: Security

Continuous Delivery of Secure Software

Fri, 05/18/2012 - 20:42

When you start down the path of formalizing a secure software development program, one of the first things you are normally asked to do is to identify "gates" in your SDLC to ensure that code does not go out into the wild without first going through a security assessment. These gates are normally policed in some way by an application security team, which is frequently centralized and sits outside the core development organization. One unintended consequence of this approach is that at the enterprise level it can create yet another organizational silo, or to put it another way, another instance of "them" and "us".

Perhaps the most disruptive aspect of adopting agile development practices is that over time it puts pressure on these silos and starts to break them down. The most obvious example of this is the traditional relationship between "developers" and "testers", but recently this trend has spread to engineering and operations. In particular, the practice of continuous delivery, which aims to reduce the risk of releasing software by enabling more frequent releases, has put the traditional software security approach under some strain: how do you enforce a security gate when you are releasing software weekly, if not daily? Given this scenario there are two approaches: you can "park" these incremental releases into bigger ones and release the software to the public in bigger chunks less frequently, or you can integrate security tightly into the development process so that the risk of releasing insecure software is reduced to a tolerable level.

The foundational practice of continuous delivery is the establishment of a deployment pipeline. The goal of the pipeline is to put small code changes through a series of defined stages, each with its own feedback mechanism, before declaring them releasable. Deployment pipelines come in all shapes and sizes, but they essentially follow a pattern of unit, integration, acceptance and system tests, with the understanding that a certain quality threshold must be met before a change is promoted to the next stage. When these stages are linked together they form a pull system that builds confidence in any change the further it progresses down the pipeline.

The challenge from an application security perspective is to work out how to introduce appropriate security checks into the pipeline so that our confidence in the security consequences of any change builds as new code makes its way through the pipeline. At the first stage of a pipeline, when you are concerned with the correctness of code, you can run static analysis tools to look for secure coding errors and fail the build if they are detected. Open source tools like Sonar can help you run static analysis tools like FindBugs and FxCop on check-ins. Commercial tools like Coverity and Fortify also have plugins that integrate with popular build tools like Jenkins. Once you move into acceptance testing, behavior-driven development frameworks like Cucumber and EasyB allow you to automate "abuse cases" into regression test suites, and once again builds can be configured to fail if the test results indicate there is a problem. Vulnerability scans can be run as part of system tests, although the output from those scans will typically need some form of manual review. Last, but not least, comes the release step; by now the code has been through something of a gauntlet and hopefully there is a fair amount of confidence in the proposed changes.

However, from a security perspective, we are interested in more than just the code. Versions of components like web servers and their configuration are just as important in reducing risk as detecting SQL injection opportunities. Luckily, configuration management is as much a part of continuous delivery as software development. Configuration is treated on an equal basis with source code and changes are put through the same pipeline. Tools like Puppet can take those changes and apply them in production using the same mechanism that was used during development. Once deployed, servers can be monitored for configuration drift and action can be taken as necessary.

Continuous delivery techniques do not remove the need for an application security team, but as agile practices mature and become widely adopted in the enterprise, we want to make sure that our application security responsibilities do not become an obstacle to the business as it becomes leaner. Given the trend to release software on a more frequent basis, it may be that the long-term home for your application security team is in your release engineering group, where they can interact with development and operations in a more integrated fashion.
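The stages described above can be made concrete. The following is an added example in Python, not code from the post or from any of the tools it names: a small pipeline in which a static-analysis gate fails the build when a severity bucket exceeds its allowance, an abuse-case stage runs hostile inputs against a redirect-target validator as a regression suite, and the pipeline stops at the first stage that reports failures. The findings report, its field names and the severity thresholds are constructed for the example and do not follow any real tool's export format.

```python
"""Security gates in a deployment pipeline, as an added example (not code from
the original post). Each stage returns a list of failures and the pipeline
promotes a change only while that list stays empty. The static-analysis report
is a constructed sample in an assumed shape, not any tool's real export.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# --- Stage 1: static analysis gate (fail the build on disallowed findings) ---
STATIC_REPORT = [  # constructed sample; the field names are an assumption
    {"rule": "SQL_INJECTION", "severity": "HIGH", "file": "dao/UserDao.java", "line": 42},
    {"rule": "HARDCODED_PASSWORD", "severity": "HIGH", "file": "cfg/Db.java", "line": 7},
    {"rule": "UNUSED_IMPORT", "severity": "LOW", "file": "web/Home.java", "line": 3},
]
DEFAULT_POLICY = {"HIGH": 0, "MEDIUM": 5, "LOW": 50}  # assumed allowance per severity


def static_analysis_gate(report: List[dict], policy: Dict[str, int]) -> List[str]:
    """One failure line per severity bucket that exceeds its allowance."""
    counts: Dict[str, int] = {}
    for finding in report:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return [f"{sev}: {n} finding(s), allowed {policy.get(sev, 0)}"
            for sev, n in sorted(counts.items()) if n > policy.get(sev, 0)]


# --- Stage 2: abuse cases kept as regression tests ---
def safe_redirect_target(target: str, allowed_hosts=("app.example.com",)) -> bool:
    """Component under test: accept only local paths or https URLs on allow-listed hosts."""
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # relative path, but refuse the protocol-relative form "//host/..."
        return target.startswith("/") and not target.startswith("//")
    return parts.scheme == "https" and parts.netloc.lower() in allowed_hosts


ABUSE_CASES = [  # (description, input, expected acceptance)
    ("plain relative path", "/account", True),
    ("allow-listed host", "https://app.example.com/home", True),
    ("protocol-relative escape", "//evil.example/", False),
    ("foreign host", "https://evil.example/", False),
    ("javascript scheme", "javascript:alert(1)", False),
    ("userinfo trick", "https://app.example.com@evil.example/", False),
]


def abuse_case_gate(cases, validator: Callable[[str], bool]) -> List[str]:
    """Each abuse case whose outcome differs from expectation is a failure."""
    return [f"{desc}: {inp!r} should give accept={expected}"
            for desc, inp, expected in cases if validator(inp) != expected]


# --- The pipeline: a pull system that stops at the first failed stage ---
@dataclass
class Stage:
    name: str
    run: Callable[[], List[str]]


def run_pipeline(stages: List[Stage]) -> Tuple[Optional[str], List[str]]:
    """Return (name of the failed stage or None, its failure lines)."""
    for stage in stages:
        failures = stage.run()
        if failures:
            return stage.name, failures
    return None, []


def build_pipeline(report=None, policy=None, validator=safe_redirect_target) -> List[Stage]:
    report = STATIC_REPORT if report is None else report
    policy = DEFAULT_POLICY if policy is None else policy
    return [
        Stage("static-analysis", lambda: static_analysis_gate(report, policy)),
        Stage("abuse-cases", lambda: abuse_case_gate(ABUSE_CASES, validator)),
    ]


if __name__ == "__main__":
    failed, failures = run_pipeline(build_pipeline())
    print("promoted" if failed is None else f"stopped at {failed}: {failures}")
```

On the constructed report the pipeline stops at static-analysis with two HIGH findings against an allowance of zero; on a clean report it proceeds to the abuse cases, which pass for the validator as written. A validator that accepted everything would fail four of the six cases, which is the point of keeping abuse cases in the regression suite rather than in a one-time review.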


Category: Security

Elementary Information Security

Fri, 05/18/2012 - 20:34

When I first got a copy of Elementary Information Security, based on its title, weight and page length, I assumed it was filled with mindless screenshots of elementary information security topics, written in a large font in order to jack up the page count.  Such an approach is typical of far too many security books.  With that, if there was ever a misnomer of a title, Elementary Information Security is it.

For anyone looking for a comprehensive information security reference guide, Elementary Information Security is it. While the title may say elementary, the reader who spends the time and effort to complete the book will come out with a complete overview of every significant information security topic.

The book is in fact a textbook meant to introduce the reader to the topic of information security.  But it has enough content to be of value to everyone, security novice or experienced professional.

Author Richard Smith notes that if you want to get a solid understanding of information security technology, you have to look closely at the underlying strengths and weaknesses of information technology itself, which requires a background in computer architecture, operating systems and computer networking.

With that, Elementary Information Security is a tour de force that covers every information security topic, large and small. The book also provides a relevant overview of the peripheral topics that are embedded in information security.

In 17 chapters covering over 800 pages, the book is well organized and progressively gets more complex.  Two large chapters of the book are freely available online, with chapter 3 here and chapter 9 here.

The following are the chapters in the book, which show a comprehensive overview of all of the core areas of information security:

  1. Security From the Ground Up
  2. Controlling a Computer
  3. Controlling Files
  4. Sharing Files
  5. Storing Files
  6. Authenticating People
  7. Encrypting Files
  8. Secret and Public Keys
  9. Encrypting Volumes
  10. Connecting Computers
  11. Networks of Networks
  12. End-to-End Networking
  13. Enterprise Computing
  14. Network Encryption
  15. Internet Services and Email
  16. The World Wide Web
  17. Governments and Secrecy

The early chapters focus on the fundamentals of computers and networking, and the core aspects of information security.  The chapters progress in complexity and deal with distributed systems and more complex security topics.  The mid-chapters deal with cryptography, starting with an introduction to the topic and moving into more complex topics and scenarios.  One is hard-pressed to find an information security topic not covered in the book.

Chapter 1 is on Security from the Ground Up and lays the groundwork for what security is.  Various topics around risk are detailed, such as identifying, prioritizing and assessing risks.

Chapter 2 is on Controlling a Computer and reviews the underlying architecture of computers.

For some people, much of their learning about information security is based on rote memorization.  In the book, Smith eschews this: each chapter closes with a glossary of topics and penetrating questions.  There are also problem definitions which detail practical situations, with the hope that the reader can create an adequate security solution.  The reader who spends extra time reviewing the questions will find that it significantly helps in mastering the myriad topics.

The goal of the questions and exercises is to make the knowledge real. Some of the exercises include watching movies with computer security related topics such as The Falcon and the Snowman, Crimson Tide, and others.  For example, for The Falcon and the Snowman, the author asks the reader to identify two types of security measures that would have helped prevent the theft of the crypto keys.  For Crimson Tide, it asks the reader to consider the missile launch procedures portrayed in the film and whether it is possible for a single person to launch a nuclear missile.  Another scenario asks under what circumstances a recipient should accept an unauthenticated message, and for an example of a circumstance in which accepting an unauthenticated message would yield the wrong result.

The book is not meant as a For Dummies guide to the topic, and it assumes a college-level comprehension of relevant mathematical concepts.  Note though that the requisite math is detailed in the sections on encryption and cryptography.

The book is also the first textbook certified by the NSA to comply with the NSTISSI 4011 standard, which is the federal training standard for information security professionals.  The author notes on his blog that in order to gain that certification, he had to map each topic required by the standard to the information as it appears in the textbook.

Given the value of the book, (ISC)² should consider using this title as a reference for their CISSP certification.   With all of the CISSP preparation guides available, even the Official (ISC)² Guide to the CISSP CBK, one is hard pressed to find a comprehensive, all-embracing security reference such as this.  Some may even want to simply use this book as their definitive CISSP study guide.

For those looking for a single encyclopedic reference on information security, they should look no further than Elementary Information Security.   Richard Smith has written a magnum opus on the topic, which will be of value for years to come.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.


Category: Security

Sniper Forensics: Reloaded – Part 1

Fri, 05/18/2012 - 20:23

Introduction

Since it was first released in 2009, Sniper Forensics has provided digital forensic investigators something that has (in my opinion, for many years) been missing from their arsenal...a sound, repeatable methodology.

By integrating the Sniper Forensics methodology into their daily case work, investigators the world over have blogged, tweeted, texted, and emailed me that their cases have been solved faster and with greater accuracy than ever before.  The methodology just plain works, each and every time.  However, to date, the world of digital forensics has been the only beneficiary of this deadly accurate methodology.  Post incident...find out what happened.

Well get ready...That's all about to change.

Sniper Forensics: Reloaded takes aim at the world of Incident Response and proves that this methodology is just as sound here as it is in digital forensic investigations.  Why?  Because the focus remains on the mind of the responder, not on a specific tool (or suite of tools).  The weapon is still a strong, steady, and repeatable methodology, the scope (cross hairs) is still deductive reasoning, and the trigger squeeze is still logic.  While the target shifts slightly, the means by which you identify how the bad guys got in, what they did once they got there, and how they made their get-away remains the same.

The Breach Triad

In digital forensics investigation, one of the key components to understand is The Breach Triad.  To review, the three components of the triad are, Infiltration, Aggregation, and Exfiltration.  In short, the bad guys have to find a way into the target network, the bad guys have to do something bad (like steal data), and the bad guys still need to make their getaway.  This same framework can be applied to incident response with the same residual benefit to the responder...a clear picture of the likely target.

Infiltration

When responding to an incident, you are (or at least I am) responding to something that is currently happening.  This is one of the key differences between post mortem forensic investigations and incident response, although not exclusively (I have worked plenty of investigations in which the attackers still had access to the target system(s)).  In one, you are being asked to determine what happened, while in the other, you are being asked to determine what's happening.  That being the case, a logical conclusion can be made that somebody did something that provided them with access to the target network.  As in post mortem forensics, the bad guys have to first gain access before they can do the really bad stuff.

Obviously this can take on any number of different shapes, albeit generally with a bit more complexity than our standard post mortem forensics case.  The main reason for this, honestly, is sheer numbers.  There are a lot of people that work for most companies.  Small companies may have several dozen employees (or fewer in some cases), while large companies may have tens or hundreds of thousands of employees, so a would-be intruder has a pretty large attack surface.  And unfortunately we all know that humans are the weakest point in any defense in depth strategy.  People click on phishing emails, people visit infected non-business related websites, people have crummy passwords, people plug in infected USB drives (etc, etc, etc), and most people almost never consider security to be part of their daily work.

To adequately defend their network, security professionals have to identify and mitigate every potential attack vector.  ALSO, they need to stay abreast of emerging trends and threats and respond to them (hopefully) before they become a problem.  If this sounds like a daunting job...that's because it is.  It's an incredible amount of work just dealing with the technical specifics of such an undertaking, not to mention what we affectionately have dubbed "the eighth layer of the OSI model", office politics.  Taking ALL of that into consideration, if just one mistake is made...just one misconfiguration, or bad password, or end user error...it can be game over.  You see, while the defenders have to prepare for every potential scenario, the attackers only have to find a single weakness.

Once an attacker gains access to the target network (a beachhead), it's only a matter of time before they identify additional hosts, infiltrate those and expand the systems they can access.  I wrote a blog post a while back on my personal blog, "TheDigitalStandard.blogspot.com", titled "The Mole Hole".  In it, I talked about a penetration test I had recently conducted in which this exact scenario played out in front of me.

The network seemed to be shored up pretty well.  No unnecessary services running, no arbitrary ports open, no outdated applications running...the usual.  So while I was running an ARP spoofing attack and sniffing network traffic I came across a user ID named "test".  "Surely not", I remember thinking to myself.  These folks have a pretty good network and really decent security...it can't be that easy.  So, I checked my pcap in NetworkMiner to see which system that user ID was being passed to and I tried it, along with the password "test".

(SIDE NOTE...in my former life, I was a Unix admin with a pretty large company.  When we would roll out new server builds, we had a test account called "test" that had the password "test".  Once we had completed the build, we would remove the test account and roll the server from QA into production.  Apparently my team was not the first to think of this...)

So, I used the "test" account with the password, "test" and lo and behold...BAM...I was in.  From there, I was able to use that system to scan a separate network segment, and dump NTLM hashes...several of which belonged to domain accounts...and one of which was in the domain admins group.  At that point it was game over...I was domain admin and could come and go as I pleased, and it was time to set up a conference call with the customer and tell them that they were p0wn3d.

The whole point in my sharing that example is that it illustrates quite nicely how an entire network can be compromised by a single user ID with a bad password.  Once that happens, the attackers have free rein in your corporate infrastructure to do as they please.

OK Chris, we are adequately scared, but really, so what? So the bad guys get in. Big deal. What are they going to do? I mean really, what's the worst that can happen? Well, I will cover that in my next post in this series, called "Aggregation". In the interim, why don't you run a couple of Google searches on the terms "data breach 2011" and "hackers steal data". Jot down some notes and keep them handy...we'll talk again next month!


Categories: Security

which tool to pick?

Fri, 05/18/2012 - 20:05

A friend of mine sent me an e-mail asking for my opinion on some tools for a DRP (Disaster Recovery Planning) project. It’s a subject that I haven’t touched for a long time, but in the end the thought process around his question ended up being so interesting from a security planning perspective that I thought it could be good material for a post.

He asked me about two specific tools, LDRPS and Archer. We had a good experience with LDRPS when we worked together on a BCP/DRP project a few years ago, and someone suggested Archer to him. As I said above, it's been a long time since I worked with BCP processes, but I spent a few minutes researching the current state of those tools in order to give him a decent opinion.

The interesting aspect of his question is that it replicates a very common dilemma we face when developing tool roadmaps and architectures: the best-of-breed versus generic solution.

I haven’t put my hands on those tools for BCP, but I’m certain that LDRPS is better than Archer on a simple feature-by-feature comparison. LDRPS was developed by Strohl, later acquired by SunGard, two companies specialized in availability services. It’s used by a lot of Fortune 500 companies and it’s been evolving for literally decades.

Archer, on the other hand, is a GRC tool that happens to have a BCP module. It’s a tool to solve a broader variety of problems than LDRPS, and I bet that it won’t have all the bells and whistles LDRPS has for developing and testing disaster and business continuity plans. But (and there is always a but)…

The wider scope of Archer can be the source of its weakness in this case, but it’s also its major strength. There are a lot of common steps and similarities between the BCP/DRP processes and the processes supported by other Archer modules, such as Risk Management, Compliance Management and Vendor Management. For all these processes it’s necessary to identify data, assets, locations and other components of the organization, and to establish ownership, value/impact and interdependencies. And that’s what could make Archer the best pick for my friend. Depending on the organization’s strategy for those other processes, they might be able to leverage work already done, or re-use the data gathered for the BCP project in those other processes. They may end up with a tool that is not the best available for developing Business Continuity and Disaster Recovery plans, but they might get more value by leveraging the data obtained during that project on other fronts.

Integration and data sharing are among the key aspects of a successful security strategy. Good security architects and managers will always consider that when choosing the tools to implement that strategy.



Categories: Security

Has Cabinet Office given up on trying to dictate ID solutions ?

Fri, 05/18/2012 - 19:47
I am told that the Cabinet Office ID team are going to Washington to look at the Open Identity Exchange. I assume this is linked to the Open Identity Foundation, although I see some subtle, and some not so subtle, differences in the backers.

I welcome the change of heart.

However, if HMG is indeed planning to respond to market forces, I do remind them that there is, as yet, little overlap between the OpenID operations and those used by the banks and transaction and payment clearing services, or by fixed and mobile telcos, ISPs and pay TV operators. The main reason is that they are technology solutions to what is a problem of trust in people and processes.

Will DWP really use Open ID solutions?

Would anyone in financial services trust an ID issued by Government any more than they trust the passport and utility bill they are required by law to use for the worthless "know your customer" rituals that get in the way of customer service?

It is interesting to note that most of the headline industry names in the OpenID consortia commonly check the context against the footprint for that ID before authorising any transaction that puts them at significant risk of fraud.

Where does that put them under the planned European Data Protection Regulation, if they base operations inside the EU?

The issues of inter-operability across the different families of ID systems, both within and across national boundaries, are among the reasons why so much on-line trade within the EU is routed via the United States. 
 
But is HMG content to rely on ID operations based outside the EU, let alone the UK?

Meanwhile, at least 20% of the population, including most of us for our last decade on this planet, are incapable of reliably using anything that requires us to remember a password or use a keypad. Given that elderly voters may actually outnumber those of the Facebook generation who have bothered to register, that presents a political problem.

Sooner or later we will need an exercise to reconnect the debate over ID policy with human as well as electronic reality.


Categories: Security

SMSmishing (SMS Text Phishing) – how to spot and avoid scams

Fri, 05/18/2012 - 18:28

If the smartphones of ESET bloggers are any indication, scams executed via SMS text, known as smishing or SMS phishing, are on the rise. I don't do a lot of texting, which makes a smish easy to spot on my phone, but I just read an amazing statistic from a Pew report: users aged 18 to 24 send or receive an average of 109.5 SMS texts per day. With this flurry of micro-sized messages, it’s easy to understand why users might not check closely before clicking on a convincing-sounding link in a text that looks like it might have come from a friend or a legitimate company. When you do, your troubles may just be beginning.

Sending messages designed to trick the recipients into clicking on a deceptive link was once reserved for fake but real-looking scam emails trying to fool users into visiting malicious sites on their PC, but scammers have realized there are (on average) far fewer protections on smartphones, and no small number of potential victims.

It had to happen: just a few years back you only used your mobile phone to make calls, but now it’s become much more. For everything from surfing the web to sending emails, viewing videos and listening to music, your mobile device is more like a computer that just happens to make phone calls. It also happens to contain a lot of your personal information, all of it readily available to whoever controls the device.

If a scammer can trick you into visiting a malicious site that tries to get you to install snooping or premium-rate SMS apps, which may be wrapped around legitimate apps, that may be just the beginning of your trouble. Many users wouldn’t notice an app silently sending premium-rate SMS texts to some far-flung country until they got the bill. And things can get dicey when you try to convince your cell provider to reverse the charges. The app you downloaded may look and function the same as the legitimate app of the same name, so you’d be none the wiser, at least at first.

In our example above you can see that the domain name looks legitimate, until you realize that the end of the hostname, the part that actually determines who owns the site, belongs to a website very different from Wal-Mart. But if you’re in a hurry, would you spot this?

Of course, one thing we should note in this example: it’s extremely unlikely that Wal-Mart has suddenly decided to dole out $1000 gift cards to a lucky few. This one even creates a false sense of urgency by claiming you’d better act before the remaining 161 are claimed. Sounds fishy (pun intended), but hey, these things propagate because similar SMSishing campaigns have worked, and the numbers seem to be growing. With falling rates for sending SMS texts these days, and an increasing number of target smartphones, there is an attractive, target-rich environment for cyber-scammers.
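The check described above, which domain a link really belongs to, is easy to get wrong by eye and easy to do in code. The following is an added example, not part of the ESET post: it pulls links out of a message, works out the registrable domain (the rightmost labels the owner actually registered, so `walmart.com.prize-claims.info` belongs to `prize-claims.info`), and flags links that mention the brand but are not on a domain the brand owns. The public-suffix table is a tiny hard-coded stand-in for the Public Suffix List, the sample message and URLs are constructed, and `walmart.com` being the brand's only domain is an assumption for the example.

```python
"""Triage links in an SMS for brand look-alike domains.

Added example, not part of the original ESET post. Assumptions: the
public-suffix table below is a minimal stand-in for the Mozilla Public
Suffix List (use the real list in production), and the sample SMS is
constructed.
"""
import re
from typing import List, Set, Tuple
from urllib.parse import urlsplit

# Assumption: a minimal stand-in for the Public Suffix List.
PUBLIC_SUFFIXES: Set[str] = {"com", "net", "org", "info", "co.uk", "com.au"}

# Digits commonly swapped for letters in look-alike names (wa1mart, g00gle).
_LOOKALIKES = str.maketrans("10", "lo")

# Links in SMS usually carry a scheme or start with "www.".
_URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def registrable_domain(url: str) -> str:
    """Return the domain the link's owner actually registered.

    'http://www.walmart.com/x'             -> 'walmart.com'
    'http://walmart.com.prize-claims.info' -> 'prize-claims.info'
    'http://walmart.com@198.51.100.7/x'    -> '198.51.100.7' (userinfo dropped)
    """
    if "://" not in url:
        url = "http://" + url              # bare hostnames are common in SMS
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Longest public suffix first, so 'example.co.uk' is not cut to 'co.uk'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host                            # IP literal or unknown suffix


def classify(url: str, brand: str, legit_domains: Set[str]) -> str:
    """'ok' if the registrable domain belongs to the brand, 'spoof' if the
    brand name appears anywhere in the link but the domain does not belong
    to it (subdomain trick, userinfo trick, digit look-alike), and
    'unrelated' otherwise."""
    if registrable_domain(url) in legit_domains:
        return "ok"
    if brand.lower() in url.lower().translate(_LOOKALIKES):
        return "spoof"
    return "unrelated"


def triage_sms(text: str, brand: str, legit_domains: Set[str]) -> List[Tuple[str, str]]:
    """Return (url, verdict) for every link found in the message."""
    results = []
    for raw in _URL_RE.findall(text):
        url = raw.rstrip(".,;:)")          # trailing punctuation is not part of the link
        results.append((url, classify(url, brand, legit_domains)))
    return results


# Constructed sample message modelled on the gift-card lure described above.
SAMPLE_SMS = (
    "Congratulations! You have been chosen for a $1000 Walmart gift card. "
    "Only 161 left, claim now: http://walmart.com.prize-claims.info/card"
)

if __name__ == "__main__":
    for url, verdict in triage_sms(SAMPLE_SMS, "walmart", {"walmart.com"}):
        print(f"{verdict:9s} {url}  (owner: {registrable_domain(url)})")
```

The rule of thumb the code encodes is the one to teach users: read the hostname from the right, not from the left, and treat anything before an `@` as decoration. A real deployment should swap the hard-coded suffix table for the Public Suffix List and extend the look-alike map (homoglyphs such as Cyrillic letters are not covered here).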

Defending Against Smish

So what can you do to protect yourself? The first thing I suggest is restricting your mobile app downloads to the official marketplace for your device, not some third-party website. The official marketplace portals, such as Google Play for Android, increasingly have scanners in place to detect and remove malicious or scam apps, giving you a margin of safety.

Also, in the same way that it’s not a good idea to click on email links without thinking, you should think twice before clicking on links in SMS texts. It’s easy enough to open your mobile browser and navigate directly to the website in question, without following the link.

You might also want to lock down your device using its security settings, or even install security software that can spot scams before you fall for them. Beefing up the security on the device will reduce the access potential scammers have to your personal information and make you a tougher target to exploit, via SMSishing or any of the variety of other scams targeting mobile devices.

FYI: ESET Mobile Security for Android is now available through the Google Play store.


Categories: Security

PCI Compliance — More Than Just a Tick Box Exercise?

Fri, 05/18/2012 - 18:24
“Compliance” is sometimes considered a dirty word in the information security world, particularly when companies take a “tick box” or “check box” approach to achieving it before an audit instead of treating continuous compliance as a part of business as usual. Infosec expert and ‘cynic’ Javvad Malik interviews Neira Jones (@NeiraJones on Twitter), Head of [...]


Categories: Security

HULK vs. THOR – Application DoS Smackdown

Fri, 05/18/2012 - 17:59

SpiderLabs Research Team Contributions from:

@jgrunzweig

@ethackal

@claudijd

There was a new web server DoS tool released yesterday called HULK (Http Unbearable Load King).  Here is a snippet from the blog page:

In my line of work, I get to see tons of different nifty hacking tools, and traffic generation tools that are meant to either break and steal information off a system, or exhaust its resource pool, rendering the service dead and putting the system under a denial of service.

For a while now, I have been playing with some of the more exotic tools, finding that their main problem is always the same… they create repeatable patterns. Too easy to predict the next request that is coming, and therefore mitigate. Some, although elegant, lack the horsepower to really put a system on its knees.

For research purposes, I decided to take some of the lessons I’ve learned over time and practice what I preach.

Enforcing Python’s engines, I wrote a script that generates some nicely crafted unique Http requests, one after the other, generating a fair load on a webserver, eventually exhausting it of resources. This can be optimized much much further, but as a proof of concept and generic guidance it does its job.

HULK Profile

HULK is a python script that will use various techniques to make the requests dynamic and thus more difficult to detect with defensive signatures.  For instance, HULK will rotate both User-Agent and Referer fields as shown below:

Here is the section of code where the request is being built:


When HULK is run against my local Apache web server, I get requests similar to this -

GET /?CFEGD=MBDPVA HTTP/1.1
Accept-Encoding: identity
Host: 192.168.1.103
Keep-Alive: 116
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://engadget.search.aol.com/search?q=ALXUW
Cache-Control: no-cache
GET /?ASH=REHRKP HTTP/1.1
Accept-Encoding: identity
Host: 192.168.1.103
Keep-Alive: 110
User-Agent: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://www.google.com/?q=VUCWJE
Cache-Control: no-cache
GET /?UALK=USXGPJD HTTP/1.1
Accept-Encoding: identity
Host: 192.168.1.103
Keep-Alive: 110
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://engadget.search.aol.com/search?q=ZNWFXTOD
Cache-Control: no-cache

Notice that the query string, the User-Agent and the Referer are indeed dynamic and change with each request.  Also note, however, that the python urllib2 library is overwriting the "Connection: keep-alive" request header set via the request.add_header() function and instead sending "Connection: close".  So much for trying to optimize that part of the attack...

THOR (ModSecurity Rules) Profile

Since the attack tool takes its name from a Marvel Comics superhero, we thought we would also pay homage to The Avengers movie that is currently out and call our ModSecurity defense rules THOR (Thumping Http Obvious Requests).

While the HULK tool does achieve its goal of randomizing the payloads of various headers, it is still quite easily identifiable by the ordering of its request headers, which is always:

  • Accept-Encoding
  • Host
  • Keep-Alive
  • User-Agent
  • Accept-Charset
  • Connection
  • Referer
  • Cache-Control

Even though HULK adds request headers in a certain order using the request.add_header() function, the actual order of the headers at run time is dictated by the dictionary key ordering of the Python implementation, because urllib2 stores the added headers in a plain dict.

This ordering is a unique fingerprint for this tool, as no common legitimate web client sends this header ordering.  Therefore, I created the following ModSecurity rule to identify HULK traffic:

SecRule REQUEST_HEADERS_NAMES ".*" "id:'11',chain,phase:1,t:none,log,drop,msg:'Request Header Ordering Alert: Potential Attack Tool - HULK DoS.',setvar:'tx.header_order=%{tx.header_order}, %{matched_var}'"
SecRule TX:HEADER_ORDER "@streq , Accept-Encoding, Host, Keep-Alive, User-Agent, Accept-Charset, Connection, Referer, Cache-Control"

This chained rule builds a transaction variable holding the request header names in the order they arrived (the first rule matches every header name and appends it, which is why the accumulated string starts with ", "). The second rule then checks whether that string matches our HULK profile.  If so, the drop action terminates the connection immediately.  
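The same fingerprint can be checked outside the web server, for example over requests carved from a pcap or a reverse-proxy log. The following is an added example, not code from the SpiderLabs post or from HULK: it extracts header names in wire order, ignores the values (which HULK randomizes), compares against a table of known tool orderings, and also builds the exact `tx.header_order` string the THOR rule accumulates so the two can be cross-checked. The HULK request is one of the captures shown above; the "legitimate" request and its Firefox-style header order are constructed and assumed, not captured. It also goes one step further than the rule by comparing header names case-insensitively, since a client can send `accept-encoding` and still be HULK.

```python
"""Header-order fingerprinting of HULK.

Added example, not code from the SpiderLabs post or from HULK itself.
Samples are constructed: the HULK request mirrors a capture in the post,
the browser request assumes a Firefox-like header order.
"""
from typing import Dict, Optional, Tuple

# Header-name order HULK emits, taken from the captures above.
HULK_ORDER: Tuple[str, ...] = (
    "Accept-Encoding", "Host", "Keep-Alive", "User-Agent",
    "Accept-Charset", "Connection", "Referer", "Cache-Control",
)

# Known tool fingerprints, stored case-folded: header names are
# case-insensitive on the wire, so the comparison must be too.
KNOWN_TOOLS: Dict[Tuple[str, ...], str] = {
    tuple(h.lower() for h in HULK_ORDER): "HULK DoS",
}


def header_order(raw_request: str) -> Tuple[str, ...]:
    """Return the header names of a raw HTTP/1.1 request in wire order.

    Values are deliberately discarded. Folded continuation lines (leading
    whitespace) belong to the previous header and contribute no name.
    """
    head = raw_request.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    names = []
    for line in head.split("\n")[1:]:          # [0] is the request line
        if not line:
            break
        if line[0] in " \t":                   # obs-fold continuation
            continue
        name, sep, _value = line.partition(":")
        if sep:
            names.append(name.strip())
    return tuple(names)


def modsec_header_order(raw_request: str) -> str:
    """Build the string the THOR rule accumulates in tx.header_order.

    setvar appends ", %{matched_var}" once per header, so the result has a
    leading ", ", which is why the @streq pattern in the rule starts with a
    comma.
    """
    return "".join(", " + name for name in header_order(raw_request))


def detect_tool(raw_request: str) -> Optional[str]:
    """Name the tool whose header ordering matches this request, else None."""
    key = tuple(name.lower() for name in header_order(raw_request))
    return KNOWN_TOOLS.get(key)


def lowercase_names(raw_request: str) -> str:
    """Rewrite header names in lower case: a trivial evasion of a
    case-sensitive match that detect_tool() must still catch."""
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    out = [lines[0]]
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        out.append(name.lower() + sep + value)
    return "\r\n".join(out) + "\r\n\r\n" + body


# Constructed samples ----------------------------------------------------

# One of the HULK requests captured above (values are random per request).
HULK_REQUEST = (
    "GET /?CFEGD=MBDPVA HTTP/1.1\r\n"
    "Accept-Encoding: identity\r\n"
    "Host: 192.168.1.103\r\n"
    "Keep-Alive: 116\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)\r\n"
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
    "Connection: close\r\n"
    "Referer: http://engadget.search.aol.com/search?q=ALXUW\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Assumed Firefox-style order for a legitimate client (not a capture).
BROWSER_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 192.168.1.103\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0\r\n"
    "Accept: text/html,application/xhtml+xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-us,en;q=0.5\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("hulk", HULK_REQUEST),
                       ("hulk-lc", lowercase_names(HULK_REQUEST)),
                       ("browser", BROWSER_REQUEST)):
        print(f"{label:8s} {detect_tool(req)!s:10s} {modsec_header_order(req)}")
```

Treat this as a tripwire for the stock tool rather than a durable DoS defense: anyone who edits HULK to emit headers from an ordered list, or who uses a different tool, will not match, so pair it with rate-based rules that do not depend on any one client's quirks.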

HULK vs. THOR

Let's now pit these two superheroes against each other!  These are some sample entries showing how it looks when HULK is run against a ModSecurity/THOR site:

[Fri May 18 12:04:29 2012] [error] [client 192.168.1.103] ModSecurity: Access denied with connection close (phase 1). String match ", Accept-Encoding, Host, Keep-Alive, User-Agent, Accept-Charset, Connection, Referer, Cache-Control" at TX:header_order. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "1"] [id "11"] [msg "Request Header Ordering Alert: Potential Attack Tool - HULK DoS."] [hostname "192.168.1.103"] [uri "/"] [unique_id "T7ZzDcCoAWcAAV8cETwAAAAB"]
[Fri May 18 12:04:29 2012] [info] [client 192.168.1.103] (9)Bad file descriptor: core_output_filter: writing data to the network
[Fri May 18 12:04:30 2012] [error] [client 192.168.1.103] ModSecurity: Access denied with connection close (phase 1). String match ", Accept-Encoding, Host, Keep-Alive, User-Agent, Accept-Charset, Connection, Referer, Cache-Control" at TX:header_order. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "1"] [id "11"] [msg "Request Header Ordering Alert: Potential Attack Tool - HULK DoS."] [hostname "192.168.1.103"] [uri "/"] [unique_id "T7ZzDsCoAWcAAV8fEYIAAAAE"]
[Fri May 18 12:04:30 2012] [info] [client 192.168.1.103] (9)Bad file descriptor: core_output_filter: writing data to the network
[Fri May 18 12:04:30 2012] [error] [client 192.168.1.103] ModSecurity: Access denied with connection close (phase 1). String match ", Accept-Encoding, Host, Keep-Alive, User-Agent, Accept-Charset, Connection, Referer, Cache-Control" at TX:header_order. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "1"] [id "11"] [msg "Request Header Ordering Alert: Potential Attack Tool - HULK DoS."] [hostname "192.168.1.103"] [uri "/"] [unique_id "T7ZzDsCoAWcAAV8bEUsAAAAA"]
[Fri May 18 12:04:30 2012] [info] [client 192.168.1.103] (9)Bad file descriptor: core_output_filter: writing data to the network
[Fri May 18 12:04:30 2012] [error] [client 192.168.1.103] ModSecurity: Access denied with connection close (phase 1). String match ", Accept-Encoding, Host, Keep-Alive, User-Agent, Accept-Charset, Connection, Referer, Cache-Control" at TX:header_order. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "1"] [id "11"] [msg "Request Header Ordering Alert: Potential Attack Tool - HULK DoS."] [hostname "192.168.1.103"] [uri "/"] [unique_id "T7ZzDsCoAWcAAV8eEYQAAAAD"]
[Fri May 18 12:04:30 2012] [info] [client 192.168.1.103] (9)Bad file descriptor: core_output_filter: writing data to the network
[Fri May 18 12:04:30 2012] [error] [client 192.168.1.103] ModSecurity: Access denied with connection close (phase 1). String match ", Accept-Encoding, Host, Keep-Alive, User-Agent, Accept-Charset, Connection, Referer, Cache-Control" at TX:header_order. [file "/usr/local/apache/conf/crs/base_rules/modsecurity_crs_15_custom.conf"] [line "1"] [id "11"] [msg "Request Header Ordering Alert: Potential Attack Tool - HULK DoS."] [hostname "192.168.1.103"] [uri "/"] [unique_id "T7ZzDsCoAWcAAV8dEUQAAAAC"]
[Fri May 18 12:04:30 2012] [info] [client 192.168.1.103] (9)Bad file descriptor: core_output_filter: writing data to the network

As an added benefit, using the ModSecurity drop action (which issues a TCP FIN packet to forcefully close the connection) seems to cause HULK to freeze.  :)  After sending the initial 10 requests and receiving the drop, HULK sits idle and does not send any more requests.  Apparently HULK only deals well with cleanly terminated HTTP responses.

Round 1 goes to THOR!


Cover to The Mighty Thor #272 (June 1978).

Art by John Buscema.


Categories: Security

Safe Social Media in 3 Steps

Fri, 05/18/2012 - 17:53

Social media introduces risk, no doubt about it. As security pros, our first inclination is of course to ban its use on our networks altogether, because that is the safest approach. But it’s also the wrong one.

Like it or not, social media has forever changed the way we do business, for the better. According to Pew Research Center’s Internet & American Life Project, two-thirds of adult internet users today are social networking site users. And they’re not lurkers – over half of internet users share photos, 37 percent contribute rankings and ratings, about a third create content tags and share personal creations, and 26 percent regularly post comments on sites and blogs.

As mobility trends seep into popular culture, devices like smartphones and tablets only accelerate these social adoption trends. At the moment, nearly a third of mobile users visit social networking sites from their devices and that number is growing. As Pew Internet puts it, “mobile is the needle and social is the thread in how information today is woven into our lives.”

And if you need more evidence that prohibiting social media use is a bad idea, how about this? Many employees openly state that a total ban on the technology would mean finding a work-around that is inevitably in violation of IT policies. This leaves the network even more vulnerable than a scenario in which reasonable limitations are put in place and the right tools are used to monitor and protect corporate assets.

Of course, there is no denying social media is a significant threat to our networks. Clickjacking and malicious codecs are two common threats thanks to sites like Facebook. Spear phishing is much more persuasive because of the wealth of personal information so many of us eagerly share with people we’ve never met. So where does that leave us? Security teams are in a difficult spot for sure, but all is not lost.

To dial up your social media safety, rely on these three approaches:

1. Create Policy. Social media policies will vary wildly from organization to organization. But there is one universal must of a social media policy: you need one. Write it, disseminate it and enforce it. Even better, don’t make it shelfware and don’t write it in legalese; make it something anyone from the mailroom to the boardroom can understand and follow.
2. Educate Your Users. While developing policy is key, so too is educating all your employees, contractors, and anyone else with access to your network about the risks. Policies mean nothing if no one knows anything about them. User education should be engaging and made up of the information they need to know.
3. Implement Layered Security. It doesn’t take imagination to practice good security hygiene, it takes discipline. And it’s the meat-and-potatoes fundamentals that will get us out of this jam, including strong endpoint management, network segmentation, user monitoring and DLP.
For more on safe social media, download the new eBook, A 3 Step Guide to Safe Social Media. In it, you’ll find more tips on how to protect your network and a mini-informational guide your users will find eye-opening.


Categories: Security