Wired put together an incredible article on Stuxnet, one of the most sophisticated pieces of malware in history. The level of complexity that was built in is incredible:
- Multiple zero-day payloads built in to propagate through an organization’s weakest systems;
- Skipping over targets that are irrelevant, have no value, or are marked as friendly territory;
- Focused on finding a very unique system with a unique configuration;
- Self reporting and auto-updating through centralized C&C servers;
- Stolen security certificates to bypass detection; and
- A whole lot more…
This gets me excited for several reasons:
1) The intelligence gathering that was required to design this attack had to have been very complex – knowledge, or guesstimates, of what the target IT environment may look like, bets made on the payloads reaching their destination, attack entry-points, and the list goes on.
2) The technological advances that were made to build this are incredible but very scary. This is a blueprint…a road-map for the future of security vulnerabilities – intelligent malware. A key takeaway is that the security world is about to be turned on its head. I do not believe the industry is prepared to detect and prevent these types of threats. The existence of this type of code means that it is possible to keep improving attack vectors for penetrating organizations, just as phishing evolved into spear-phishing and then whaling. As history continuously repeats itself, we should see more of these viruses detected in corporate environments over the next several years, built to steal highly confidential data. An organized group with significant resources was able to design a framework for delivering this type of attack. Other, less resourceful, groups are most likely in the process of working out how to adapt this framework.
3) Being able to continuously release a new variant without significant detection, yet adapting after learning more about the environment, is incredible – an intelligence exercise that learned from its mistakes. Here’s a visual graphic of the clusters of infections taken from the Symantec Dossier on Stuxnet:
Here’s a link to the story and a link to the technical dossier.
I’ve been meaning to write about this topic for a while but haven’t had the opportunity to do so. Being the last man standing for the evening in my new office, I figured I would take the time and explore this topic. This topic fascinates me because it affects each and every single person using the internet every day.
I tried to log on to my PlayStation Network account this weekend so I could play some Call of Duty and was very disappointed – the Sony network was down.
Sony is warning its millions of PlayStation Network users to watch out for identity-theft scams after hackers breached its security and plundered the user names, passwords, addresses, birth dates, and other information used to register accounts. Sony’s stunning admission came six days after the PlayStation Network was taken down following what the company described as an “external intrusion”.
[...]
Sony’s advisory means that the company was likely storing passwords, credit card numbers, expiration dates, and other sensitive information unencrypted on its servers. Sony didn’t say if its website complied with data-security standards established by the Payment Card Industry.
http://cyberinsecure.com/sony-playstation-network-breached-77-million-users-private-data-stolen/
I didn’t get a warning. Sony, what the hell? My PlayStation Network log-on credentials may have been stolen and you don’t tell me about it? This means that my username and password are out there in some master list next to 77 million other individuals. To top it off, the way Sony built their authentication, the username for the account is your e-mail address. This has profound implications that are greater than just my personal security. If you use the same password on your e-mail account and your Sony PlayStation Network account, then the owner of the list can log on to your e-mail account without you knowing about it. Here’s the moment of truth, dear reader: how many of you use the same password for your banking, discount broker, 401(k) accounts, social networking applications, online shopping, and your corporate e-mail (the list goes on)?
(Yes, I’m ignoring two-factor authentication in my analysis for now. For those advocating that two-factor authentication is meant to prevent this risk, I say: one of the factors has now been broken and your security can still be compromised.)
This has profound implications to the general population.
First:
By having access to your e-mail, your personal identity may be stolen and misrepresented. There are plenty of documented cases of money-transfer scams. The scammer logs-on to your e-mail, rotates your password, and starts e-mailing your contacts. The e-mails usually say that you are stuck in a country for vacation and your money was stolen. Can they (your friends) transfer money to them?
This leads me to the core of my argument – you must must must follow the following three guidelines when using passwords:
1. Follow the standard best practices for password selection (e.g. use of uppercase/lowercase/special characters, a minimum number of characters, etc.).
2. Never use one password that is the same across your e-mail, bank, and social network applications. This includes all those other sites that you don’t particularly realize you are using (e.g. YouTube, Dropbox, etc.). Once that password is leaked, it has been compromised everywhere it is reused. Instead, I recommend thinking of password security as a layered onion. The assets closest to you (e.g. your banking / financial applications) should get the most complex passwords, different from your e-mail account. Passwords to your social networking applications should differ from both your e-mail account and your bank account, and from the passwords you use on general, low-value sites. And so on. This is a basic concept called defense in depth.
3. Be prepared to ditch a password at any time you feel it’s compromised, and don’t look back. Compromise could be anything from someone seeing it over your shoulder as you type it in, to detecting a key-logger on a machine, to being subject to a man-in-the-middle attack.
Second:
By having a list of names, e-mail accounts, and passwords – attacks on your organization may occur. By targeting personnel they know work for your organization, the same personnel that may have had a PlayStation Network account, they are able to circumvent a layer of security. There’s more on this particular topic that I’ll save for another time.
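How a defender can spot the scenario above, where a leaked username/password list is replayed against an organization’s login page, as an added example that is not part of the original post: the script below parses constructed authentication log lines and flags any source address that tries many distinct accounts within a short window with mostly failures. The log format, the thresholds and the sample addresses are all assumptions.

```python
"""Detect credential-stuffing patterns in authentication logs.

Added example (not from the original post). Assumes a simple constructed
log format: "<iso-timestamp> <src_ip> <username> <FAIL|SUCCESS>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source walks through a list of e-mail
# addresses (one of them succeeds); a normal user mistypes twice, then logs in.
SAMPLE_LOG = """\
2011-04-27T10:00:01 203.0.113.7 alice@example.com FAIL
2011-04-27T10:00:02 203.0.113.7 bob@example.com FAIL
2011-04-27T10:00:03 203.0.113.7 carol@example.com FAIL
2011-04-27T10:00:04 203.0.113.7 dave@example.com SUCCESS
2011-04-27T10:00:05 203.0.113.7 erin@example.com FAIL
2011-04-27T10:00:06 203.0.113.7 frank@example.com FAIL
2011-04-27T10:01:00 198.51.100.20 grace@example.com FAIL
2011-04-27T10:01:05 198.51.100.20 grace@example.com FAIL
2011-04-27T10:01:09 198.51.100.20 grace@example.com SUCCESS
"""


def parse_log(text):
    """Turn log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result == "SUCCESS"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_distinct_users=5, max_success_ratio=0.5):
    """Return {ip: summary} for sources that hit many distinct accounts
    inside `window` with a low success rate (assumed thresholds)."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best_users, best_chunk = set(), []
        start = 0
        # Sliding window over this source's attempts, keeping the window
        # that covers the largest number of distinct usernames.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            if len(users) > len(best_users):
                best_users, best_chunk = users, chunk
        if not best_chunk:
            continue
        successes = sum(1 for _, _, ok in best_chunk if ok)
        if len(best_users) >= min_distinct_users and successes / len(best_chunk) <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(best_users),
                "attempts": len(best_chunk),
                "successes": successes,
                # accounts whose reused password worked: these need a forced reset
                "compromised_accounts": sorted(u for _, u, ok in best_chunk if ok),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The successful logins inside a flagged window are the actionable output: those are the accounts whose owners reused a leaked password and need a forced reset, not just the source address to block.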
Shame on you Sony for not encrypting our personal information. The truly scary part isn’t that Sony got hacked…it is that most companies do not take precaution to encrypt this data. The ROI on doing the encryption just isn’t there.
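What storing credentials properly looks like, as an added example that is neither Sony’s code nor the post’s own: salted, iterated PBKDF2 hashing with constant-time verification, plus a login routine that upgrades a legacy plaintext record the first time its owner authenticates. The record format, the iteration count and the sample accounts are assumptions.

```python
"""Salted, iterated password hashing with hashlib.pbkdf2_hmac.

Added example (not from the original post). A leaked table of these
records gives an attacker per-guess work, not the passwords themselves.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; raise it as hardware allows


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a record of the form 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'."""
    if salt is None:
        salt = os.urandom(16)  # unique per account, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$", 3)
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(digest.hex(), hash_hex)


def authenticate(store, username, password):
    """Check a login against `store` (dict username -> record) and
    transparently upgrade legacy 'plain$' records on a successful login."""
    record = store.get(username)
    if record is None:
        hash_password(password)  # spend the same time as a real check
        return False
    if record.startswith("plain$"):
        ok = hmac.compare_digest(record[len("plain$"):].encode("utf-8"),
                                 password.encode("utf-8"))
        if ok:
            store[username] = hash_password(password)  # legacy record replaced
        return ok
    return verify_password(password, record)


def build_sample_store():
    """Constructed user table: one legacy plaintext record, one hashed record."""
    return {
        "joe@example.com": "plain$hunter2",
        "ann@example.com": hash_password("s3cret"),
    }


if __name__ == "__main__":
    store = build_sample_store()
    print(authenticate(store, "joe@example.com", "hunter2"), store["joe@example.com"][:20])
```

The upgrade-on-login path is how a site that already holds plaintext passwords gets out of that position without forcing every user to reset at once; records that never get a successful login stay legacy and should be expired separately.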
Mass State Privacy Regulations – MA 201 CMR 17.00
0 Comments | Posted by Ilya in Compliance and Regulations, General Security
Presented a webinar recently on the Mass State Privacy laws that went into effect on March 1, 2010. Check it out at:
http://www.appsecinc.com/solutions/mass201/index.shtml
Costs of Data Breaches (but only in the US…)
0 Comments | Posted by Ilya in General Security
I recently had a chance to peruse a study published by the Ponemon Institute – The US Costs of Data Breaches. Some interesting points I was (not-so) surprised by:
- The cost of the data breaches in 2008 is $202 per lost record! Out of that, $152 goes to indirect costs (loss of future business, reputation, and good-will impacts) and the remaining $50 go to direct costs of managing the incident. That’s a significant amount. In addition to that, indirect costs are visibly going up (from $88 in 2005 to $152 in 2008).
- The healthcare industry is the most significant industry affected by indirect costs – 6.5% of “abnormal churn rates” (meaning loss of customers), closely followed by the financial sector (5.5%), and the services industry (5.0%).
- Forty-four percent of all breaches involved outsourced third parties.
- While malicious acts (i.e. hacking, stealing data) were responsible for 12% of all incidents, a stunning 88% of incidents were due to insider negligence!
- Finally, out of the potential preventive measures, the most important measure that organizations implemented was conducting “training and awareness programs” (53%), followed by “additional manual procedures and controls” (49%), closely followed by an expanded use of encryption and identity and access management solutions.
While I’m not surprised at the cost of the breach, it’s important to note that over the last several years, the cost growth has leveled off. This means organizations are getting better at handling and responding to incidents (maturity in the industry, great!). The bad news is that these incidents do have a direct correlation to customer retention (between 0%-9% of your customer base may be impacted – see squiggly graph on page 5 of the report).
I was also not surprised that 44% of all incidents involved third parties. Data security controls do not necessarily apply to an environment outside of the organization. It is important to ensure that the vendors and partners that handle your data take adequate precautions.
What I was surprised about was the latter two points. 88% of all incidents are because of negligence? Only 53% of organizations conduct training and awareness programs right after the incident? If employee awareness were heightened, then the 88% number should quickly drop. This means organizations are not doing enough follow-up (there seems to be a 25% gap).
Key Take Aways:
- Ensure your organization checks the security of your data at your vendors. Just because they say it’s all great, does not mean that it is. Implement audits (AUPs, SAS 70s, etc..) to ensure that adequate security controls are applied throughout your vendor’s organization.
- Conduct preventive training and awareness programs on security for your employees. With 88% of all cases being due to negligence and at $202 cost per lost record, I can’t imagine that the ROI of spending some money on training is not worth the potential impact of an event.
You never know what one may find around your organization’s fax machine. I recently heard a story that I’d like to share with my readers. It’s a story about personal security awareness. It’s a story about trust. It’s…a short story.
One day, a busy office bee was going about their daily business, running back and forth faxing items. For any bee that’s ever faxed anything, they know that some fax machines are slow. This bee was sending a particularly large fax through. Waiting for the fax to complete, the bee looked for a fax confirmation from the previous day. One particular confirmation caught this bee’s eye….
Why did it stand out?
You see, this fax machine was of a particular nature. Aside from the success/failure confirmation, it printed the first page that was sent. Lo and behold, one fax caught the bee’s eye:
Joe Shoe
Personal Address
City, State Zip
Date
Ameritrade Investments
Attn: Account Representative
To Whom It May Concern:
Please transfer $500,000 from my account (XLB1231411) to the account of my brother, Jimmy Shoe (XLB1141321). If you have any questions, please call me at (212) 555-5555 or email me at Joe.Shoe@ivyleagueschool.edu.
Sincerely,
<signature>
Joe Shoe
What caught the bee’s eye? Look over the letter and think about it before reading further.
Well – what didn’t catch their eye? This bee was holding the keys to Joe Shoe’s life!
- Joe’s account numbers were revealed.
- Joe’s brother’s account (and name) were revealed.
- Joe’s personal address and personal phone number were revealed.
- Joe’s school was revealed (an ivy too..)
- Not only that, this person had a ton of cash in their account!
- In addition to that, the signature was there too!
A quick search on Google for Joe Shoe revealed that they were a prominent lawyer in the region. Security is all about awareness. Being aware of your environment and protecting your assets is key to security. This fax machine was located in a high traffic area (we’re talking about 100 people on the floor). Not only that, but the fax date just happened to have been two months before today’s date. That means this piece of paper was there for two months. Who knows who else saw this paper? Who knows who’s now living life in the shoes of Joe Shoe…
Organizational Lesson Learned: I’ve been asked a lot of times – what is fax security? It’s protecting the data that’s being sent to / from your organization in an unconventional manner. Enabling fax confirmation shows that a message went through. Disabling the printing of the document with the confirmation may be a good idea. If you can’t, then education and awareness is critical. Teach your employees to use cover letters when sending faxes. Use Joe Shoe as the model example to teach why it’s important to always be alert.
Personal Lesson Learned: If your organization doesn’t disable printing of pages on faxes, make sure you grab your confirmation! Some fax machines have the ability to store jobs. If you’re really concerned – use cover sheets!
