[SecurityRatty] tag: crashes

The "A"

Mon, 01 Dec 2008 10:57:00 +0000

Information Security sits in a strange area somewhere between Business and IT in a little space that really hasn't been properly defined. It is exciting here.

Generally, most people in Information Security today did not start out as pure Information Security people, they evolved. And where they evolved from gives one a clue as to their mindset and how they see themselves.

Some come from an Audit background and you'll recognise these guys from their love of lists and frameworks - they dream of Cobit controls and little boxes that are waiting for ticks. Somehow they have tons of documentation and they know it all and can find it all. They generally drive Volvo's and like order.

But most InfoSec guys come from an IT background and it shows. I guess that, having said that, most hackers come from an IT background too. And it shows.

Now, lets consider the C-I-A triangle thingum. Quick lesson for those who don't know it - there are three aspects of information that Information Security wishes to preserve - the Confidentiality, the Integrity and the Availability. From my experience, most IT people are governed by Availability - the "A". In fact, when an IT contract is drawn up - there is no SLI or SLC but there will always be an SLA. With very specific terms, measurements and penalties.

If the Firewall crashes and has to be rebuilt. What will the IT manager be most interested in? The A - how fast can you get the traffic moving again?

So we have tools to measure uptime in 99.999999999999999s and such and anything that can cause network downtime (or if the network is up and the services such as mail are down - same difference) is taken care of. Spam, worms, viruses etc.

I guess that hackers (those that define what we do) are also IT background people. They seem to be more concerned with big-bang, widely deployed DoS attacks and stealing IT resources. At least, they used to be, until they discovered that they could make money from stealing information. Actually, I may be naive but I don't believe that the hackers we have today are the same as those we had in the past... I believe that we have a new generation of hackers - criminals who merely use the Internet to steal money because that it where the money is easiest to steal.

The problem is that we were lucky in a way that our old tools worked against the threats that we had - firewalls, antiviruses, etc etc. They don't work against people breaking into our networks and stealing information. For that we need a new generation of Information Security people (or the old generation to update their game)...

Here is a quick poll to see which generation you are in:

1. What is the one piece of information on your network that your competitors would love to see?
2. What is the percentage of mails coming into your network that are spam?
3. What mail is going to competitors?
4. What is the process for someone to order a pencil?
5. What is a blog?
6. Who in your organisation uses facebook for business?
7. How many of your PCs have up-to-date antivirus?
8. What is the worst virus out at the moment?
9. Do you believe that your Firewall is configured correctly?

The answers are as follows:
1. This is ESSENTIAL to know if you want to be in the next generation. And you can't guess this. You may think that it is something financial but most financial information can be guessed by your competitors anyhow. You may think it is a recipe or special way of doing something but any established company has had their recipe ripped off anyhow and can beat any new competitor by competitive pricing. It may be new product information. It may be staff information. It may be the CEO's contact list. Don't guess - find out.

2. Who cares? Certainly not the CEO. Maybe the CIO. "We are saving you x amount of bandwidth and your users x amount of time" is nice but won't save the business from closing down due to data loss. Operationalise this and get on with your job.

3. Good to know. I'm sure that if you told your CEO/CIO "Last week we detected 5 large emails going to our competitors from inside our R&D department" you'd have his full attention.

4. Good to know. Who does the ordering? Who does the okaying? Who does the paying? If you know all of this then you know how business works. And when things go wrong - you'll be able to help.

5. And do you want your staff to use them? And if they do, what can they put on them? What are they puting on them?

6. This is an interesting question because Facebook is usually an issue of "The A" (productivity). But it can be an issue of C and I.

7. Who cares? Again, this is an operational issue. Viruses that jump onto your radar are usually ones that attack "the A" but its the ones that are pushing information out of your organisation that are sneaky enough not to have sgnatures and not to be discovered. You will have PCs without up-to-date antivirus and you will have viruses. The trick is not to let your information be stolen by viruses. Also, keep backups so if a PC does get wiped out - you can get the information back again (but this is an operational issue again).

8. Trick question - the answer is - the one you don't know about. Old generation InfoSec guys can rattle off names of viruses that are all in the top 10 at the moment.. New generation viruses are targetted and usually do their worst before a pattern is out.

9. Old generation answer - yes. New generation answer - who cares? Information flows all over including in and out of the Firewall. Firewalls also usually rely on port security but most everything runs on port 80 anyhow so the Firewall should be configured but it doesn't kep us safe - more work needs to be done for that.

I find that it is not very easy to move from old generation to new generation InfoSec. The main difference is that old generation was very technical and appealed to the technical nature of computer geeks. The new generation is business oriented and requires more interaction with people, more meetings, more time with people. Ouch.

There will always be a place for technical people in Information Security but as the tools mature and "just work" there is less demand. And a background in technology is very useful when the technical guys try to "BS" you.

And "the A" is very important too. Protecting your network from being brought down. Protecting information from disappearing. Stopping viruses. Etc. But the new generation will need to consider "the I" and "the C" as well because the attacks against these and the importance of protecting information against disclosure or manipulation will increase.

This post was done to add my voice to what Rich says so quickly and concisely in the securosis blog.

Credit Cards Failing Open

Thu, 30 Oct 2008 16:35:34 +0000

Most consumers are aware that when you close a credit card account, it’s not really closed. For “convenience” reasons, recurring subscription charges such as your cable bill will continue to be approved. You can kind of see where the credit card companies are coming from, but it’s a pretty weak argument. The cable company just needs to notify me that the credit card on file is no longer valid, and I’ll update my information. Problem solved.

But that credit card weirdness is nothing compared to the one I’m about to describe.

Before we do that, let’s take a moment to discuss the design principle of failing securely. The general idea is that if a security mechanism fails, it should fail closed. If your firewall crashes, it should block all traffic, not allow all the packets through. If the power source to your card key system is interrupted, it shouldn’t unlock all the doors. If the connection between your application server and your LDAP directory is severed, subsequent authentication requests should be rejected, not approved. This is not rocket science.

So back to credit cards. I had a conversation last night with an old friend who related a bizarre situation they had encountered during the QA process for one of their web applications. One of their tests involved repeatedly attempting a credit card transaction using a canceled/expired American Express card. Here’s what they saw in their logs, paraphrased by me:

Attempt 1: Denied
Attempt 2: Denied
Attempt 3: Denied
 .
 .
 .
Attempt 49: Denied
Attempt 50: Denied
Attempt 51: Approved

What the…? Approved? That can’t be right. So they ran the test again. Every time, after multiple consecutive rejected attempts, the transaction would inexplicably go through. The threshold wasn’t always 50, but the general pattern was consistent — keep trying and eventually it’ll work. Clearly, this had to be a bug in the code, but a deep-dive into the guts of the application turned up nothing. The application security group got American Express on the phone to see if they had any insight on this odd behavior. The answer? They didn’t concede the failure was on their end, despite log data showing the successful authorization codes.

My gut instinct would be that the application requesting the transactions wasn’t failing securely (e.g. network connection to AmEx timed out, so just approve the transaction). But that explanation wouldn’t account for authorization codes coming back.

So what in the world is going on here? Why would the system behave this way? Is it by design? I can’t think of a single legitimate use case for failing open like this. If this is actually a design decision by the credit card companies, I have no doubt that someone in our audience knows the rest of the story.

Summarizing Zero Day's Posts for September

Tue, 07 Oct 2008 06:54:00 +0000

As usual, here's September's summary of all of my posts at Zero Day. You may also want to catch up and go through August's and July's summaries, next to adding my personal RSS feed or Zero Day's main feed to your RSS reader.

Notable article for September - Spamming vendor launches managed spamming service.

01. DoS vulnerability hits Google's Chrome, crashes with all tabs
02. Malware and spam attacks exploiting Picasa and ImageShack
03. Spamming vendor launches managed spamming service
04. Facebook introducing new security warning feature
05. Google downplays Chrome's carpet-bombing flaw
06. Targeted malware attack against U.S schools intercepted
07. The most "dangerous" celebrities to search for in 2008
08. Norwegian BitTorrent tracker under DDoS attack
09. Attacker: Hacking Sarah Palin's email was easy
10. Bill O'Reilly's web site hacked, attackers release personal details of users
11. India's government: At last, we've cracked Blackberry's encryption
12. Memory exhaustion DoS vulnerability hits Google's Chrome
13. 44% of second hand mobile devices still contain sensitive data
14. Spammers attacking Microsoft's CAPTCHA -- again

Movie Plot Threats in The Guardian

Thu, 04 Sep 2008 01:56:57 +0000

We spend far more effort defending our countries against specific movie-plot threats, rather than the real, broad threats. In the US during the months after the 9/11 attacks, we feared terrorists with scuba gear, terrorists with crop dusters and terrorists contaminating our milk supply. Both the UK and the US fear terrorists with small bottles of liquid. Our imaginations run wild with vivid specific threats. Before long, we're envisioning an entire movie plot, without Bruce Willis saving the day. And we're scared.

It's not just terrorism; it's any rare risk in the news. The big fear in Canada right now, following a particularly gruesome incident, is random decapitations on intercity buses. In the US, fears of school shootings are much greater than the actual risks. In the UK, it's child predators. And people all over the world mistakenly fear flying more than driving. But the very definition of news is something that hardly ever happens. If an incident is in the news, we shouldn't worry about it. It's when something is so common that its no longer news - car crashes, domestic violence - that we should worry. But that's not the way people think.

Psychologically, this makes sense. We are a species of storytellers. We have good imaginations and we respond more emotionally to stories than to data. We also judge the probability of something by how easy it is to imagine, so stories that are in the news feel more probable - and ominous - than stories that are not. As a result, we overreact to the rare risks we hear stories about, and fear specific plots more than general threats.

The problem with building security around specific targets and tactics is that its only effective if we happen to guess the plot correctly. If we spend billions defending the Underground and terrorists bomb a school instead, we've wasted our money. If we focus on the World Cup and terrorists attack Wimbledon, we've wasted our money.

It's this fetish-like focus on tactics that results in the security follies at airports. We ban guns and knives, and terrorists use box-cutters. We take away box-cutters and corkscrews, so they put explosives in their shoes. We screen shoes, so they use liquids. We take away liquids, and they're going to do something else. Or they'll ignore airplanes entirely and attack a school, church, theatre, stadium, shopping mall, airport terminal outside the security area, or any of the other places where people pack together tightly.

These are stupid games, so let's stop playing. Some high-profile targets deserve special attention and some tactics are worse than others. Airplanes are particularly important targets because they are national symbols and because a small bomb can kill everyone aboard. Seats of government are also symbolic, and therefore attractive, targets. But targets and tactics are interchangeable.

The following three things are true about terrorism. One, the number of potential terrorist targets is infinite. Two, the odds of the terrorists going after any one target is zero. And three, the cost to the terrorist of switching targets is zero.

We need to defend against the broad threat of terrorism, not against specific movie plots. Security is most effective when it doesn't require us to guess. We need to focus resources on intelligence and investigation: identifying terrorists, cutting off their funding and stopping them regardless of what their plans are. We need to focus resources on emergency response: lessening the impact of a terrorist attack, regardless of what it is. And we need to face the geopolitical consequences of our foreign policy.

In 2006, UK police arrested the liquid bombers not through diligent airport security, but through intelligence and investigation. It didn't matter what the bombers' target was. It didn't matter what their tactic was. They would have been arrested regardless. That's smart security. Now we confiscate liquids at airports, just in case another group happens to attack the exact same target in exactly the same way. That's just illogical.

This essay originally appeared in The Guardian. Nothing I haven't already said elsewhere.

Red Light Cameras Don't Work

Mon, 25 Aug 2008 08:19:23 +0000

Interesting: the solution to one problem causes another.

"The rigorous studies clearly show red-light cameras don't work," said lead author Barbara Langland-Orban, professor and chair of health policy and management at the USF College of Public Health. "Instead, they increase crashes and injuries as drivers attempt to abruptly stop at camera intersections."
Comprehensive studies from North Carolina, Virginia, and Ontario have all reported cameras are associated with increases in crashes. The study by the Virginia Transportation Research Council also found that cameras were linked to increased crash costs. The only studies that conclude cameras reduced crashes or injuries contained "major research design flaws," such as incomplete data or inadequate analyses, and were always conducted by researchers with links to the Insurance Institute for Highway Safety. The IIHS, funded by automobile insurance companies, is the leading advocate for red-light cameras since insurance companies can profit from red-light cameras by way of higher premiums due to increased crashes and citations.

And, of course, the agenda of the government is to increase revenue due to fines:

A 2001 paper by the Office of the Majority Leader of the U.S. House of Representatives reported that red-light cameras are "a hidden tax levied on motorists." The report came to the same conclusions that all of the other valid studies have, that red-light cameras are associated with increased crashes and that the timings at yellow lights are often set too short to increase tickets for red-light running. That's right, the state actually tampers with the yellow light settings to make them shorter, and more likely to turn red as you're driving through them.
In fact, six U.S. cities have been found guilty of shortening the yellow light cycles below what is allowed by law on intersections equipped with cameras meant to catch red-light runners. Those local governments have completely ignored the safety benefit of increasing the yellow light time and decided to install red-light cameras, shorten the yellow light duration, and collect the profits instead.

The cities in question include Union City, CA, Dallas and Lubbock, TX, Nashville and Chattanooga, TN, and Springfield, MO, according to Motorists.org, which collected information from reports from around the country.

Impersonating StopBadware.org to Serve Fake Security Warnings

Sun, 20 Jul 2008 23:30:51 +0000

Malware is known to have been hijacking search results, take for instance the rogue Antivirus XP 2008 as a recent example, but it's even more interesting to see other rogue security software impersonating Stopbadware.org in order to server fake security warnings that ultimately lead to fake security software.

stopbadware2008 .com (58.65.238.171) is one of these examples, where stopbadware2008 .com/antivirus.php redirects to infectionscanner .com and attempts to trick the user into installing download.infectionscanner.com /AntvrsInstall.exe. The message used :

"Reported Insecure Browsing: Navigation blocked. Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes. Also insecure Internet activity can result in revealing your personal information. To get full advanced real-time protection for PC and Internet activity, register Antivirus 2008. We recommend you to protect your PC now and continue safe Internet browsing."

There's in fact even more rogue software using the same IP (58.65.238.171), courtesy of HostFresh :
virus-scanner-online .com
security-scanner-online .com
viruses-scanonline .com
virus-scanonline .com
antivirus-scanonline .com
download.antivirus-scanonline .com
topantivirus-scan .com
topvirusscan .com
virusbestscan .com
virus-detection-scanner .com
antivirus-scanner .com
infectionscanner .com
virusbestscanner .com
internet-security-antivirus .com

It would be interested to monitor whether or not the template for the fake security warning would start getting used on a large scale.

Related posts:
A Portfolio of Fake Video Codecs
Fake PestPatrol Security Software
Got Your XPShield up and Running?
Localized Fake Security Software
A Diverse Portfolio of Fake Security Software
RBN's Fake Security Software

Video: Stealth Bomber Crashes

Fri, 06 Jun 2008 09:22:00 +0000

You don't see this often: Here is just-released video of a Stealth bomber crash that occurred last February in Guam.

Is Back-Up A Part of Security?

Tue, 06 May 2008 16:17:23 +0000

I’ve come up against this question many times when talking to vendors. It seems like if a vendor is selling some sort of backup and archiving product, then they say it is an important part of security — if they don’t have a backup/archive product as part of their portfolio, they shrug it off and say it is NOT part of security but rather just another aspect of network administration. This is where genuine security concerns border on marketing and hype.

But there are some cases where exploits can cause data loss and hard drive crashes, so that’s where the issue definitely falls under the security umbrella. A new study however has discovered that this is actually pretty rare:

A new university study suggests that hard-drive-killing attacks launched by hackers are actually pretty rare — but when they do occur, they can be more costly than most companies think.

The study, published last quarter by professors at the University of Pepperdine and commissioned by data recovery vendor Deepspar Technologies, looks at the causes of hard drive failure and offers insights on just how “fatal” a fatal drive error can be.

Aside from physical theft, hard drive failure is the most common cause of data loss on PCs, the study says, accounting for 38 percent of data loss incidents. In about 30 percent of these cases, the loss of access is the result of drive problems, where corruption of the media makes the data unreadable.

Apparently they have estimated the average hard drive loss costs about $2900 in lost data and productivity, assuming some data is recoverable. Read the full story at DarkReading.

OnStar Offers a Model for IT Security

Fri, 07 Mar 2008 08:08:35 +0000

At the recent Gartner Mobile and Wireless Conference, Sanjay Khunger, the chief technologist of GM's OnStar unit, gave a presentation on the history of OnStar's satellite-based remote safety, security and diagnostic service. GM looks at auto safety as being in three distinct phases: before the crash, during the crash and after the crash. Another way to look at this is preventing/avoiding the crash, surviving the crash and recovering after the crash. GM designs features into cars in each of those phases (anti-lock brakes to avoid crashes, chassis design and airbags that reduce injury during the crash, and so on). I always thought of OnStar as a "push the button to call for help" service, but Khunger explained how it was an integrated part of GM's overall safety strategy.

Beyond the obvious capabilities to call for help after a crash, OnStar has features that also apply to the first two phases. Hands- and eyes-free navigation and cell phone capabilities minimize driver distraction and reduce accidents. Remote proactive diagnostics and remote door unlock services reduce the time a driver spends standing next to a dead car on the side of the road. Multiple sensors in the vehicle provide information on the type of crash and the number of occupants so that emergency personnel have more information to ensure that EMTs have the right equipment to best save lives at the crash scene.

This isn't meant to be a commercial for OnStar - if you watch sports on TV, you've already seen plenty of those. However, GM's placement of a security-related service in the larger context of customer safety really hits home on a larger point: Security and, just as importantly, safety need to be worked into all the critical business and IT processes at your business. The biggest bang for the buck comes from avoiding incidents - minimizing vulnerabilities in applications, not just by having secure development life cycles but by thinking about user safety. What are the abuse cases where a user or customer might accidentally put themselves in danger? What features are built into your business applications to avoid those situations?

Financially, OnStar makes more money by helping its customers avoid accidents. But stuff happens, and building in instrumentation, response and recovery features to minimize damage during an incident and speed to ensure swift resumption of business after an incident is important, as well. This applies as much to car crashes as it does to identity theft incidents, insider attacks and every other IT security "crash." Build security into your critical business processes, and keep your customers safe.

Pentagon Unveils Rogue Spy Sat Shootdown Plan

Thu, 14 Feb 2008 16:00:00 +0000

In the next week or so, the U.S. military is going to try to take out a malfunctioning spy satellite before it crashes to Earth -- and maybe releases a toxic gas in the process.