[SecurityRatty] tag: comment

Feds Start Moving on Net Security Hole

Wed, 08 Oct 2008 20:05:00 +0000

Following a massive security hole that opened this summer, the U.S. government is now asking the public for comment on who should control and sign the net's most important document. Security experts say it's about time.

Sarah Palin's E-Mail

Wed, 24 Sep 2008 12:01:58 +0000

People have been asking me to comment about Sarah Palin's Yahoo e-mail account being hacked. I've already written about the security problems with "secret questions" back in 2005:

The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It's a great idea from a customer service perspective -- a user is less likely to forget his first pet's name than some random password -- but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public. (I'll bet the name of my family's first pet is in some database somewhere.) And even worse, everybody seems to use the same series of secret questions.
The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.

Interview with Lenny Heymann, Interop General Manager

Tue, 23 Sep 2008 16:47:39 +0000

Interop General Manager Lenny Heymann, took some time out of his very busy show schedule to talk with us at Interop New York this year.

We chatted about the growth of the show and how much that growth reflects the industry itself. Since the bust earlier in the decade both Interop Las Vegas and New York shows have grown year over year – not just in attendees and exhibitors but in topics covered in the conference tracks. As any of us who are in the space know, it’s a rapidly changing market and Interop strives not just to cover the latest trends but also to get ahead of them while still making sure that they are relevant.

The show’s mission overall has expanded beyond “just” networking to cover performance and new trends like virtualization, cloud computing and SAAS that all affect network performance. It is a mirror for the demands on the network (and network admins) and the convergence we see going on that make managing the network so complex today.

Responding to criticisms about the lack of interoperability at the show, Lenny says, “Our special sauce is interoperability.” And in fact the expanded mission of the show ensures that there are more interoperability issues to deal with and he invites the community to comment and share feedback on this core mission.

Last, we talked about InteropNet. We’ve loved our participation in it this year for a variety of reasons – from the opportunity to work with other cool vendors in an intensive and real-life/real-time environment to the true sense of camaraderie and “getting it done” that everyone shares on the InteropNet team to the wonderful atmosphere of hard work AND hard play that you have to experience to believe.

We talked with Lenny about how he measures InteropNet “success” and the answer was illuminating. They’ve got high expectations at Interop; they expect the network to just work, so the focus is actually not on uptime and SLAs – that’s a given. “Nothing less than perfection works here.” (Let me tell you, after my horrible experience with the super slow and inaccessible network at the VMworld conference, that is definitely not always the case. Maybe InteropNet should sell its services…hmmmm…) Rather, it’s about being able to showcase technologies and strategies for networking and interoperability – or as we’re interpreting that, basically “walking the walk – which in the end is what InteropNet is all about.

See the full video here.

What to watch for - the Rest of the Fortune 500 Gets Their Software Security

Thu, 18 Sep 2008 11:06:51 +0000

The financial industry drives a lot of what happens in security. They ~~have~~ had a lot of money, and lots of people try to steal from ~~them~~ their customers. They did drive some good stuff, but only from one vertical's perspective. I have advocated for awhile that software security look to other verticals to understand their security needs. Now that we're watching these behemoth financial firms vanish before our eyes, we will see the needs of insurance, manufacturing, healthcare and other verticals take on more precedence. If you want some ideas on what is important, start here. FWIW, here are some key themes that i think will emerge.

Standard Support

Mark O'Neill posted this comment to an earlier blog and it bears repeating

Take a difference I've noticed between financial services and government. I have encountered situations where a financial services customer may say "what if we just forget about using all those standards and make all these messages simpler", as they have optimization hard-wired as a goal. A government customer is (in my experience) more likely to focus on standards support for interoperability, and also to support directives that certain standards are used (e.g. XACML, let's say).

If the vendor was to build their product based solely on either customers needs, they would assume, as you say, that "the client just doesn't get it". It would be either "These government people are crazy, the people back at the bank told us those standards were not important", or else "these financial services people are crazy, we show them all the complex support for standards we have and they do not seem to care at all, they just want us to strip all that out".
In that case, the trick would be to build something down the middle, with the standards support and the optimization. But, just focusing on one sector is bad.

The financial people have been optimizing for so long and they had so much money they didn't need to worry about standards, they were the standard. But you don't need standards for standards' sake, you need...

Interoperability

The financial people didn't worry about this, the pot of gold was so big people would pay to play and build their own adapters. Architects at other companies need to figure out how to cost effectively knit things together and get authN, authZ, and audit too.

Fuzzy Edges

Take something hideous like the FIX protocol. Everyone knows its broken but they just built stuff all around in terms of accountability and other controls. they could do this because there was a living breathing audit log of transactions - a hard edge. So the financial industry drove lots of poor plumbing and compensated with hard edges. It worked well enough I suppose, but as any protocol plumber knows, you need to fix the pipes eventually. Especially if you want to...

Scale

Need to scale across domains, locations, geographies. Its not one little closed trading floor loop. Its wheels within wheels. You might say its federated autonomous nodes.

its not just technical run time scale. Its people scale. You can't assume that your tool is supported by several security people per project. The tools have to scale for one security person and a hundred developer type ratios. Better automation, better reporting, faster integration. Raise the floor one inch, but raise the whole floor.

Smaller Overall Security Budget

I saved the best for last. When the financial people wanted software security, they kept spending on network security and they added dollars to support software security tools and processes. The rest of the F500 can't or wont be able to, this means that for the software security vendors, they will need to take market share. Its not just competing against each other, its making the business case for software security over other types of security that have ossified technically but still command a rosy price, like *cough* network firewalls.

Side note, I know three financial firms that did excellent work in software security. really dug and invested time and money to make sure they are world class in that space. Strangely enough with all these firms melting down, the three I am thinking of that took a conservative approach, addressing software security in a root and branch mode,have not been named as a target for the next meltdown. Coincidence? We report, you decide.

Linksys WRT610N Review

Tue, 16 Sep 2008 05:27:41 +0000

My review of the Linksys WRT610N at Macworld: The router works quite well at handling Wi-Fi and other functions, but is terrible at working with Mac OS X, one of the advertised features of the product. The WRT610N is a revised design of the previous simultaneous dual-band (2.4/5 GHz) Draft N WRT600N model which had far worse problems.

Linksys addressed many of my concerns with that previous device. The 610N can mount a drive and share it via SMB and FTP, have two full-speed connections running over both bands without skipping a beat, and supports several methods of getting the one-click WPS (Wi-Fi Protected Setup) to work. Read the review for all the details, but I can't recommend this router to Mac users with any needs beyond basic networking; I'm perfectly happy to give it a full thumbs-up for Windows XP and Vista users, however.

WPS is a particular mess, by the way. Linksys has four somewhat distinct methods of using WPS to enable a password-free encrypted connection between a client and a base station: a button on the front that, when pressed, turns on WPS; and three modes (one of them similar to that button) accessible via their Web configuration software. One option is to get the base station to create a short PIN that's then entered on the client system as an out-of-band confirmation that there's no man in the middle.

Apple, by contrast, has a single way of joining a WPS-offering base station: it displays the network's name in bold. Select the network, and Mac OS X displays a key code that needs to be entered on the base station. But the WRT610N can't handle that option. If you put the WRT610N into a mode in which Apple can spot the device as offering a WPS handshake, you can't enter the code into the Linksys router!

This shows that there's still rough edges in the WPS protocol that two of the highest-selling makers of Wi-Fi gear can manage to not mesh up their respective options. (Apple declined to comment for my Macworld story; Linksys confirmed the lack of compatibility, but put the burden on Apple's doorstep.)

Craig Balding to Speak at World Summit of Cloud Computing

Mon, 15 Sep 2008 16:59:25 +0000

I’ve been sitting on this for a while and I’m glad I can now finally say it…

I’m delighted to announce that I have been invited to present at the World Summit of Cloud Computing, to be held in Israel on 1-2 December 2008.

The event is organised by Avner Algom from the IGT (Israeli Association of Grid Technologies). Putting my invitation to one side, I have to say its a stunning lineup of speakers. Its a who’s who of Cloud players. Avner has clearly done his homework!

Obviously I’ll be talking about the security aspects of Cloud Computing, delving into some of the areas I’ve written about here and some new material that I’m currently working on.

If you work for a company that is consdering future plans and Cloud Computing, you might want to take a look over the agenda. Compared to some other conferences, the ticket prices seem very reasonable to me.

Registration is now open.

If you have any questions, feel free to leave a comment below. I’ll do my best to get them answered. Also, if you know anyone that might benefit from 2 days in a beautiful part of Israel getting up to speed on Cloud Computing, feel free to send them this link.

Who is "dodacrazy" and what is a "montize buddy"?

Thu, 11 Sep 2008 18:53:55 +0000

Check this out:

http://blogs.technet.com/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3122377

Hey Steve you and your montize buddy Scott will soon have your hands full after the federal officers come down on your data scams and as for your educational acts i'm not buying it and if others are willing to trade your data for their profits guess there are fools born everyday tunnels oh I see drug dealers right Stevo

Normally I delete spam from my comments, and have occasionally deleted mindless ranting criticism (I encourage vigorous discussion of ideas, but won't allow personal attacks). However, this guy's comment is just...weird.

What's a "montize buddy Scott"? I know lots of Scotts, and once even admired a particular "Montgomery Scot." But "montize"? Maybe it's a new kind of malt.
I don't believe I'm perpetuating any data scams, none that I know of, anyway. If any of you, my readers, feel that I'm scamming your data, I guess I haven't concealed that fact well enough. Oops, sorry! We'll have to add another item to the constantly-growing list of data breaches.
While it's true that some of my conference appearances aren't free, no one is certainly forced to buy any of my "educational acts." A lot of my presentations you can download for free!
I never look in tunnels for my supplies, they're too dark and you can never be totally certain of what you're getting.

Thanks, dodacrazy, for a good Thursday morning laugh!

Summarizing August's Threatscape

Wed, 10 Sep 2008 02:57:32 +0000

Following the previous summaries of June's and July's threatscape based on all the research published during the month, it's time to summarize August's threatscape.

August's threatscape was dominated by a huge increase of rogue security software domains made possible due to the easily obtainable templates for the sites, several malware campaigns targeting popular social networking sites, Russian's organized cyberattack against Georgia with evidence on who's behind it pointing to "everyone" and a few botnets dedicated to the attack making the whole process easy to outsource and turn responsibility into an "open topic", several new web based botnet management kits and tools found in the wild, evidence that the 76service may in fact be going mainstream since the concept of cybercrime as a service is already emerging, and, of course, a peek at India's CAPTCHA solving economy, where the best comment I've received so far is that every site should embrace reCAPTCHA, so that while solving CAPTCHAs and participating in the abuse of these services in question, they would be also digitizing books. As usual, August was a pretty dynamic month for the middle of summer, with everyone excelling in their own malicious field.

01. McAfee's Site Advisor Blocking n.runs AG - "for starters"
False positives are rather common, especially when you're aiming to protect the end user from himself and not let him gain access to "hacking tools", but you're flagging security tools as badware and missing over half the SQL injected domains currently in the wild due to the fact that SiteAdvisor's community still haven't reviewed them - that's not good

02. The Twitter Malware Campaign Wants to Bank With You
Twitter, just like every Web 2.0 application, isn't and shouldn't be treated as a unique platform for dissemination of malware, since it's dissemination of malware "as usual". This particular malware campaign was not just executed by a lone gunman, but also, was taking advantage of a flaw allowing the author to add new followers potentially exposing them to the malicious links serving banker malware. For the the time being, MySpace, Facebook and Twitter accounts are the very last thing a malicious attacker is interesting in puchasing accounting data for, but how come? It's all due to the oversupply of automatically registered accounts at other popular services, whose ecosystem of Internet properties empower cybercriminals with the ability to launch, host and distribute malware in between abusing the very same company's services for the blackhat SEO campaign and redirection services. Theoretically, a distributed network build upon the services provided by a single company is faily easy to accomplish due to the single login authentication applied everywhere. A singly bogus Gmail account results in a blackhat SEO hosting blogspot account, flash based redirector hosted at Picasa, and a couple of thousands of spam emails sent automatically sent through Gmail in order to abuse it's trusted email reputation

03. Compromised Web Servers Serving Fake Flash Players
If aggressiveness matter, this campaign consisting of remotely injected redirection scripts at legitimate sites next to on purposely introduced malware oriented domains, was perhaps the most aggressive one during the month. Fake flash players, fake windows media players and fake youtube players are prone to increase as a social engineering tactic of choice due to the template-ization of malware serving sites for the sake of efficiency

04. Pinch Vulnerable to Remotely Exploitable Flaw
With Zeus vulnerable to a remotely exploitable flaw allowing cybercriminals to hijack other cybercriminal's Zeus botnet, private exploits targeting the still rather popular at least in respect to usefulness Pinch malware are leaking, allowing everyone including security researchers to take a peek at a particular campaign running unpatched Pinch gateway

05. Phishers Backdooring Phishing Pages to Scam One Another
Backdooring phishing pages is perhaps the most minimalistic approach a cybercriminal wanting to scam another cybercriminal is going to take. The far more beneficial approach that I've encountered on a couple of occassions so far, would be to backdoor a proprietary web malware exploitation kit, release it in the wild, let them put the time and efforts into launching the campaigns, then hijack their botnet. In fact, the possibilities for backdooring copycat web malware exploitation kits in order to take advantage of the momentum while introducing a non-existent kit has always been there at the disposal of malicious attackers. One thing's for sure - there's no such thing as a free web malware exploitation kit, just like there isn't such thing as a free phishing page

06. Email Hacking Going Commercial - Part Two
In between the scammers promising the Moon and asking for anything between $20 to $250 to hack into an email account, there are "legitimate" services taking advantage of web email hacking kits consisting of each and every known XSS vulnerability for a particular service in an attempt to increase the chances of the attacker. And given that the majority of these have been patched a long time ago, social engineering comes into play. Do these services have a future? Definitely as more and more people are in fact looking for and requesting such services, in fact, they're willing to pay a bonus considering how exotic it is for them to have any email that they provide hacked into and the accounting data sent back to them

07. The Russia vs Georgia Cyber Attack
Event of the month? Could be, but just like every "event of the moth" everyone seems to be once again restating their "selective retention" preferences. What is selective retention anyway? Selective retention is basically a situation where once Russian is attacking another country's infrastructure, you would automatically conclude that it's Russian FSB behind the attacks and consciously and subconsciously ignore all the research and articles telling you otherwise, namely that the FSB wouldn't even bother acknowledging Georgia's online presence, at least not directly. Moreover, talking about the FSB as the agency behind the cyberattacks indicates "selective retention", talking about FAPSI indicates better understanding of the subject.

In times when cybercrime is getting ever easier to outsource, anyone following the news could basically orchestrate a large scale DDoS attack against a particular country in order to forward the responsibility to any country that they want to. In Russia vs Georgia, you have a combination of a collectivist society that's possessing the capabilities to launch DDoS attacks, knows where and how to order them, and that in times when your country is engaged in a war conflict drinking beer instead of DDoS-sing the major government sites of the adversary is not an option.

Selective retention when combined with a typical mainstream media's mentality to "slice the threat on pieces" instead of turning the page as soon as possible, is perhaps the worst possible combination. Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizen's distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web" limiting the possibilities for open source intelligence using a data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives

08. 76Service - Cybercrime as a Service Going Mainstream
The reappearance of the 76Service allowing everyone to log into a web based interface and collect all the accounting and financial data coming from malware infected hosts across the globe for the period of time for which they've bought access, indicates that what used to be proprietary services which were supposedly no longer available, are now being operated in a do-it-yourself fashion. Goods and products mature into services, so from a cost-benefit analysis perspective, outsourcing is naturally most beneficial even when it comes to cybercrime

09. Who's Behind the Georgia Cyber Attacks?
If it's the botnets used in the attacks, they are known, if it's about who's providing the hosting for the command and control, it's the "usual suspects", but just like previous discussion of the Russian Business Network, it remains questionable on whether or not they work on a revenue-sharing basis, are simply providing the anti-abuse hosting, or are the shady conspirators that every newly born RBN expert is positioning them to be.

Cheap conversation regarding the RBN ultimately serves the RBN, and just for the record, there's a RBN alternative in every country, but the only thing that remains the same are the customers, tracking the customers means exposing the RBN and the international franchises of their services, making it harder to identify their international operations. And given that the "tip of the iceberg", namely RBN's U.S operations remain in tact, talking about taking actions against their international operations in countries where cybercrime law is still pending, is yet another quality research into the topic building up the pile of research into the very same segments of the very same ISPs.

Just for the record - these "very same ISPs" are regular readers of my blog, and if you analyze their activities, they're definitely reading yours too, ironically, surfing through gateways residing within their netblock that are so heavily blacklisted due to the guestbook and forum spamming activities that their bad reputation usually ends up in another massive blackhat SEO campaign exposed.

10. Guerilla Marketing for a Conspiracy Site
Conspiracy theorists may in fact have a new wallpaper to show off with

11. Banker Malware Targeting Brazilian Banks in the Wild
When misinformed and not knowing anything about a particular underground segment, a potential cybercriminal would stick to using such primitive compared to the sophisticated banker malware kits currently in the wild. These sophisticated banker malware kits are often coming in a customer-tailored proposition, with their price increasing or decreasing based on the specific module to be included or excluded. For instance, a module targeting all the U.S banks that has been put in a "learning mode" long before it was made available to the customers can be requested and is often available with the business model build around the customer's wants

12. Compromised Cpanel Accounts For Sale
Despite the massive SQL injection attacks, accounting data for Cpanel accounts coming from malware infected hosts seems to be once again coming into play, which isn't surprising given the filtering capabilities and log parsing tools today's botnet masters are empowered with. These very same compromised Cpanel accounts and the associated domains often end up so heavility abused that it's tactics like these that are driving the underground multitasking mentality, namely, abusing a single compromised account for each and every malicious online activity you can think of - even hosting banners for their blackhat SEO services

13. A Diverse Portfolio of Fake Security Software - Part Two
In August we saw a peek of fake security software, neatly typosquatted domains whose authors earn revenue each and every time someone installs the software. The vendors behind this software are forwarding the entire process of driving traffic to those excelling in aggregating traffic and abusing it. As anticipated, underground multitasking started taking place within the fake security software domains, with the people behind them introducing client-side exploits in order to improve the monetization of the traffic coming to the sites

14. DIY Botnet Kit Promising Eternal Updates
There's no such thing as a (quality) free botnet kit. What's for free is often the leftovers from a single feature of a more sophisticated proprietary botnet kit. This one in particular is however trying to demonstrate that even a plain simple GUI botnet command and control software can achieve the results desired by an average script kiddie, and not necessarily satisfy the needs of the experienced botnet master

15. A Diverse Portfolio of Fake Security Software - Part Three
As far as trends and fads are concerned, the majority of the domains are currently parked at up to four different IPs, with most of them going into a stand by mode once they get detected and reappear back couple of weeks later

16. Fake Celebrity Video Sites Serving Malware - Part Two
Due to the template-ization of fake celebrity video sites, and simple traffic management tools combined with blackhat SEO tactics, these sites are also prone to increase in the next couple of months

17. Web Based Botnet Command and Control Kit 2.0
It's releases like these that remind us of the amount of time, efforts and personal touch that a malicious attacker would put into such a management kit, currently acting as a personal benchmark as far as complexity and features indicating the coder's experience with botnets is concerned. What's he's failing to anticipate is that this kit is sooner or later going to turn into the "MPack of botnet management"

18. A Diverse Portfolio of Fake Security Software - Part Four
Keep it coming, we'll keep it exposing until we end up getting down to the "fake software vendor" itself

19. Automatic Email Harvesting 2.0
Email harvesting is slowly maturing into a vertically integrated service provided by vendors of managed spamming services. This email harvesting module is aiming to close the page on text obfuscation in respect to fighting spam, and is successfully recognizing and collecting such publicly available emails. From a psychological perspective though, the end users who bothered to obfuscate their emails are less likely to fall victims into phishing scams, with the obfuscation speaking for a relatively decent situational awareness on how they emails end up in a spammer's campaign

20. Fake Porn Sites Serving Malware - Part Three
As a firm believer in sampling in order to draw conclusions on the big picture, an approach that has proven highly accurate in modeling historical and upcoming tactics and behavior, a single fake porn site serving malware campaign usually exposes a dozen of misconfigured redirectors, which thanks to their misconfiguration despite the evasive features available within the kits, expose another dozen of malware campaigns

21. Facebook Malware Campaigns Rotating Tactics
With no particular flaw exploited other than the social engineering tactic of using already compromised Facebook accounts who would automatically spam all their friends with links to flash files hosted at legitimate services, the more persistent the campaign is, the higher the chance that it will scale enough. This campaign in particular is mainly relying on rotation of tactics, namely different messages, different services and file extensions used in order to trick someone's friend into visiting the URL. With the number of users increasing, the most popular social networking sites are naturally going to be permanently under attacks from cybercriminals

22. Fake Security Software Domains Serving Exploits
Despite that it's a single brand, namely the International Virus Research Lab that's introducing client-side exploits within it's portfolio of domains, the opportunity for abuse may be noticed by the rest of the brands pretty fast

23. Exposing India’s CAPTCHA Solving Economy
Taking into consideration the mentality surrounding a particular country's cybercriminals, how they think, how they operate, what do they define as an opportunity, and how much personal efforts are they willing to put into their campaigns, I wouldn't be surpised if a Russian vendor offering 100,000 bogus Gmail accounts for sale has in fact outsourcing the account registration process to Indian workers, paid them pocket change and is then reselling them ten to twenty times higher than the price he originally paid for them.

The text based CAPTCHAs used at the major Internet portals and services, are so efficiently abused by this approach that continuing to use is directly undermining the trust these email providers and services often come with as granted

Want Free Passes to Interop NY Conference Sessions?

Tue, 09 Sep 2008 16:30:57 +0000

Are you attending Interop NY? We have two FREE conference passes to attend ALL of the great educational sessions.

To put yourself in the running, please respond via comment to the following question: Why do you attend Interop? What does interoperability mean to you?

The first two to comment on the blog with a response will receive the code to register FREE for conference sessions at Interop. Make sure you leave your e-mail address with your comment to collect the code!

BT, Phorm, and Me

Mon, 08 Sep 2008 02:23:54 +0000

Over the past year I have gotten many requests, both public and private, to comment on the BT and Phorm incident.

I was not involved with BT and Phorm, then or now. Everything I know about Phorm and BT's relationship with Phorm came from the same news articles you read. I have not gotten involved as an employee of BT. But anything I say is -- by definition -- said by a BT executive. That's not good.

So I'm sorry that I can't write about Phorm. But -- honestly -- lots of others have been giving their views on the issue.