Mar 17

One of the most distressing things about being a security professional in today’s IT environment is what seems like a lax attitude towards securing customer information. All that could change if a ruling by the FTC against ValueClick, a spammer, stands up in court. In addition to settling with ValueClick regarding violations of the CAN-SPAM act, the FTC claims that ValueClick is also liable for not following their own advertised security policies.

“In the past, companies that failed to protect customer data have argued that they are immune from prosecution unless consumers can directly prove that they suffered harm from the breach of their personal information,” Kamber explains. “Given that hackers are generally pretty good at covering their tracks, this argument — if accepted — would mean that few companies would have to account for their negligence.”

So quotes an article at Dark Reading. Kamber is Scott Kamber, a partner at Kamber Edelson LLC, a legal firm that specializes in cyber security law.

This would be a novel first, and a good one as well. To date, companies and other organizations that disclose their customers’ confidential information have been in for not much more than credit counseling and fraud monitoring on these customers’ behalf. This, frankly, is a slap on the wrist. Until organizations are held liable, in a significant way, for disclosing sensitive information, they will see little incentive for taking preventative measures.

For some context, in the last few years, hundreds of millions of people have had their confidential information disclosed to unauthorized parties. While it might prove burdensome for businesses to have to pay any sort of real damages when they fail to take adequate measures to protect confidential information, I believe that’s the only way to see that the necessary measures are actually taken, since it’s clear that the market can’t police itself.

Mar 13

The expanding use of RFID chips, and their ever-decreasing size, has led to what sounds like science fiction to me. A company called Nox Defense has created RFID tags so small that they are calling it “RFID dust”, and saying these tags can be scattered on the ground and then, per the original article on HelpNet:

People pick up the ID-Dust on their shoes, which covert RFID readers track, triggering video surveillance and alerting security personnel on hand-held devices. The Nox software creates a complete history of exactly where the person travels and when, and combines a facility map with real-time video surveillance.

It’s pretty incredible to me that we can now make these chips so small that they are 1) unnoticeable and 2) small enough to stick to your shoes, yet still have the ability to transmit radio signals any significant distance. Add to that doing so with any sort of encryption, which they also claim. I’d say it sounds like witchcraft, but the world moves on, and perhaps it’s true.

Years ago, Xerox developed active badges that would track your presence at PARC as you moved around. Doors would unlock for you as you approached if you had access. The phones were also hooked into the system: if the phone rang, it was for someone in the room at the time.

So what’s the point of that story? The employees at Xerox were aware that they were being tracked, and being the type of people who worked at PARC, they had in some sense signed up for that sort of treatment. But even Xerox didn’t track you in the bathroom.

The creation of RFID tags that are now embedded in passports, computer equipment, and now even small enough to be scattered on the ground is enabling a culture of surveillance that’s deeply troubling to me. I don’t have enough faith left to believe that people won’t abuse that power, and the continuing abuse of National Surveillance Letters doesn’t do much to convince me that I’m being overly suspicious.

I don’t dispute that employers should be able to protect their equipment, or that they shouldn’t have to put up with employees stealing from them. This leaves me conflicted: I don’t support theft, but I don’t support a culture of surveillance either. There has to be a way to balance these things out, but it’s gonna take someone smarter than me.

Feb 28

Six botnets are responsible for generating 85% of all spam emails, according to an article at Dark Reading today. I’ve known for a while that botnets are a serious threat; their arsenal of naughty tricks includes spam, vulnerability scanning, infecting other computers, stealing information from their host computers (you don’t keep your credit card numbers in Quicken, do you?) and distributed denial of service attacks. It was a shock to find that so few botnets send all that spam that clutters up inboxes.

Researchers with Marshal’s TRACE team have identified six botnets that together are currently responsible for distributing 85 percent of all spam, Dark Reading has learned.

This article came at an opportune time. I’ve been thinking lately that in addition to all these current problems, which involve fairly visible (and traceable) activities, botnets could be very useful in cyberwarfare. I’m thinking here of true cyberwarfare, where a foreign power decides to take out the information infrastructure of a rival country or group.

Such a militarily-oriented botnet would not need to draw attention to itself by sending out spam messages or participating in a DDOS attack, at least not until it was directed to spring into action. It would need minimal direction, and so much like a mole in an espionage novel, such a botnet could exist for years, dormant, waiting only for the command to attack the military, government or civilian IT infrastructure of the rival country.

Alternatively, you wouldn’t even really need to attack anyone. Can you imagine the economic damage to the US if every computer infected by a large botnet (these can number in the millions of computers) was suddenly directed to reformat its hard drive?

Feb 27

Newly discovered flaws in VMWare allow malware applications running in VMWare to escape the sandbox. These applications can view and modify files in the underlying host operating system, according to this article on Computerworld, although to be fair it’s popping up on a number of sites.

As of Sunday, there was no patch available for the flaw, which affects VMware’s Windows client virtualization programs, including Workstation, Player and ACE. The company’s virtual machine software for Windows servers and for Mac- and Linux-based hosts are not at risk.

“Why should we care?” you might ask. Over the past couple of years, there’s been a movement towards virtualized infrastructure in larger IT shops, and even some smaller ones. This allows companies to provide “part” of a server to an individual user, application, or team, but host that partial server on another, larger server, or even a cluster or grid computer. These virtual servers can be scaled and reconfigured more easily than a real, physical server as well. This makes more efficient use of the computing infrastructure, plus makes it very easy to set up and tear down new virtual servers. It’s a win-win situation.

The discovery of this flaw that allows applications to “see” the underlying host OS could be a significant problem for the budding trend towards virtualization if it’s not addressed soon. VMWare isn’t currently telling us when a patch will be available, but they provide a work-around in the meantime:

“On Windows hosts, if you have configured a VMware host-to-guest shared folder, it is possible for a program running in the guest to gain access to the host’s complete file system and create or modify executable files in sensitive locations,” confirmed VMware.

VMware has not posted a fix, but it instead told users to disable shared folders.

So until a fix is available, if you’re running VMWare in Windows, disable those shared folders, folks.

Feb 20

Botnets, those pernicious threats to internet life, liberty and the pursuit of happiness, may have a new enemy. Researchers at Georgia Tech are using traffic analysis of IRC and HTTP to try to identify botnets in the wild. The theory is that botnets need to communicate with their command and control infrastructure, and that when they do so they tend to look like, well, botnets rather than people.

While my description above is a bit tongue-in-cheek, botnets are really a serious threat. There are estimates that they contribute up to 80% of spam email, and they’re regularly used in denial of service attacks like the one we see ongoing right now with WordPress.com blogs. They’re particularly difficult to identify, track, and combat, and there are documented instances of hundreds of thousands and over a million botnet zombie computers under the control of a single individual.

While it’s too early to tell if this new approach will help significantly in the fight, any means we have to help combat botnets are welcome at the party.

[Georgia Tech via Ars Technica]
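To make the “look like botnets rather than people” idea concrete, here is an added example (my own illustration, not code from the Georgia Tech researchers or the article) that scores constructed connection-log lines for machine-like regularity: a bot checking in with its command and control server does so on a fixed timer, and several hosts sharing one such destination is a stronger signal than any one of them alone. The log format, addresses and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not real traffic): "epoch_seconds src dst proto".
# Three internal hosts contact the same IRC server about every 60 s;
# one host browses a web server at irregular, human-looking intervals.
SAMPLE_LOG = """
1000 10.0.0.5 203.0.113.7 irc
1060 10.0.0.5 203.0.113.7 irc
1121 10.0.0.5 203.0.113.7 irc
1180 10.0.0.5 203.0.113.7 irc
1240 10.0.0.5 203.0.113.7 irc
1003 10.0.0.8 203.0.113.7 irc
1063 10.0.0.8 203.0.113.7 irc
1123 10.0.0.8 203.0.113.7 irc
1183 10.0.0.8 203.0.113.7 irc
1243 10.0.0.8 203.0.113.7 irc
1010 10.0.0.9 203.0.113.7 irc
1070 10.0.0.9 203.0.113.7 irc
1131 10.0.0.9 203.0.113.7 irc
1190 10.0.0.9 203.0.113.7 irc
1250 10.0.0.9 203.0.113.7 irc
1005 10.0.0.20 198.51.100.3 http
1009 10.0.0.20 198.51.100.3 http
1140 10.0.0.20 198.51.100.3 http
1141 10.0.0.20 198.51.100.3 http
1390 10.0.0.20 198.51.100.3 http
"""

def parse_log(text):
    """Group connection timestamps by (src, dst, proto)."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst, proto = line.split()
        flows[(src, dst, proto)].append(int(ts))
    return flows

def beacon_score(timestamps):
    """Return (mean gap, jitter) where jitter = stddev/mean of the gaps
    between successive connections; timers give low jitter, people do not.
    Needs at least four connections to say anything."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))

def find_c2_candidates(text, max_jitter=0.1, min_hosts=2):
    """Destinations that several hosts beacon to on a regular timer."""
    beaconers = defaultdict(set)  # (dst, proto) -> regular-beaconing sources
    for (src, dst, proto), ts in parse_log(text).items():
        score = beacon_score(ts)
        if score and score[1] <= max_jitter:
            beaconers[(dst, proto)].add(src)
    return {k: sorted(v) for k, v in beaconers.items() if len(v) >= min_hosts}
```

Run against the sample, only the IRC server with three clock-driven clients is reported; the browsing host is ignored because its gaps are all over the place.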

Feb 20

A California District Court judge has ordered WikiLeaks to be taken off line in response to a complaint from Swiss bank Julius Baer, according to CSO magazine. This answers why WikiLeaks disappeared off the internets earlier this week.

The order in the U.S. came after a Swiss bank, Julius Baer, earlier this month filed a complaint against the site and San Mateo, California-based Dynadot, Wikileaks’ domain-name registry, for posting several hundred of the bank’s documents.

Some of those documents allegedly reveal that Julius Baer was involved in offshore money laundering and tax evasion in the Cayman Islands for customers in several countries, including the U.S.

WikiLeaks serves an interesting and controversial role, providing a way for leakers to anonymously post information that they believe should be in the public eye. It’s difficult to argue that the site couldn’t be abused by someone posting confidential company information that really has no business in the public eye. Conversely, with the rampant secrecy shown by the government, even to the extent of refusing to allow citizens to know who is informing public policy (remember the Vice President’s energy policy meetings?) tools like WikiLeaks are essential if we are not to become a police state.

It would be disappointing if the service were to go away for the long term. WikiLeaks sites in other countries are still on line as of this writing.

Feb 18

I did a security audit a few years ago for a healthcare provider’s IT department. One of the things I pointed out was that while I was asked when I signed in to their facilities for my name and car license plate, nobody asked for picture ID. Additionally, I noted that on several occasions when entering the building, the receptionist had a sign on the desk: “if you need assistance, pick up the phone and dial x…”. When I asked, I was told this person was part-time. Clearly, these folks didn’t feel they needed very good physical security.

You’d think, on the other hand, that the federal government, in particular people like the Treasury and the Nuclear Regulatory Commission, would be more sensitive to the needs of physical security, which is why this article in the Washington City Paper is such an amazing story. This 19-year-old mother of two bluffed and blustered her way into very secure facilities doing little more than acting like she belonged there.

Witnesses who later realized they’d seen the thief said she passed muster at the time. The fact that she didn’t have an escort, one secretary reasoned, proved that she belonged in the building. Another employee described the potential suspect as dressing and acting like a typical secretary at the NRC. Those who stopped and questioned her gave up on their suspicions as soon as she started talking.

Her excuses were flimsy inventions. But people don’t like confrontations. They feel they’ve done enough if they ask a question and get an answer.

When I first started out from college, I held a job at a defense contractor, and we were very specifically told that if we found people wandering around who we didn’t recognize, that we should challenge them. We were also told what to do in the event we didn’t get answers that were satisfactory: walk the person to security. I had an occasion once where I encountered a group of visitors in a secured area, and they were without an escort. I knew that one of the VPs had visitors in, so I very cordially asked them whom they were visiting, and escorted them to the VPs office, remarking when I arrived that I had found them without an escort. I didn’t stay long enough to find out if the VP was at all interested in that, or to give him my name.

I’ve seen what it takes to combat this sort of problem, and it’s really only a couple of things:

Following up on that last point, having a single person in charge of an area can be a big help as well. Psychology research shows that people look at others around them to help make a decision. They ask themselves “well, what is Bob doing? He’s not challenging the stranger, so I shouldn’t either.” Unfortunately, Bob is looking around as well, with the same question in mind.

Having a person who is in charge does two things: it means that the person in charge should not be looking at others to decide if they should challenge, and it gives others a person to whom they can address their concerns if they’re uncomfortable challenging by themselves.

Feb 15

Securing WordPress

February 15, 2008

Found online today was this helpful article at Web Design Goldmine on securing WordPress. If you’re a fan of WP (as I obviously am) it’s a good read.

Feb 14

Spreading Fixes by Worm

February 14, 2008

Microsoft is researching ways to spread computer fixes by making them more like worms, per this interesting article in The New Scientist.

Milan Vojnović and colleagues from Microsoft Research in Cambridge, UK, want to make useful pieces of information such as software updates behave more like computer worms: spreading between computers instead of being downloaded from central servers.

I’m unsure how I feel about this, but I think it’s mostly negative, and that disappoints me. On the positive side, I think that it’s a cool idea that you’ve got autonomous pieces of software that are making their way around the net, and trying to install themselves on machines. It offloads servers, eliminates the need to go off hunting for fixes, all in all, noble goals.

I think where my concern comes from is that these types of worms are going to make use of the very same types of mechanisms used by the eeeevil worms to spread, or if not, then the eeeevil worms will soon start to masquerade or abuse the new mechanisms provided for the good ones. How do you tell the good guys from the bad guys?

In such an environment, I’d be inclined to disable the services such “white-hat” worms use to access my systems until I had a good deal more opportunity to study how they really work in the wild. What do you think?

Feb 14

Corporate IT departments are incorporating a new way of meeting corporate IT needs, called Software as a Service (SaaS). SaaS promises outsourced application management, reduced infrastructure costs, and easily terminated services if needs change. Whether SaaS delivers on these promises is the subject of another post, but it’s certain that SaaS presents some compelling reasons, to both the providers and consumers of services, to adopt cross-domain single-sign on (SSO).
