[SecurityRatty] tag: emerge

What should we expect from the Obama Administration and the 111th Congress on Cyber Security?

Thu, 13 Nov 2008 21:00:00 +0000

Given the seriousness of the financial crisis, growing job losses and the continued meltdown of global stock markets, it’s hard to imagine that the incoming Obama Administration or new U.S. Congress will be able to focus on much else during the first several months of 2009. When they do tackle other issues, healthcare reform, tax policy and energy policy are likely to emerge at the top along with national security priorities. Not to mention that many FY2009 spending bills still need to be approved by Congress and signed by the President as well, although that is expected to happen by March 2009 at the latest.

So where does this leave cyber security issues?

A Diverse Portfolio of Fake Security Software - Part Twelve

Mon, 03 Nov 2008 13:11:25 +0000

These very latest rogue security software domains have been in circulation -- blackhat SEO, SQL injections, traffic redirection scripts -- since Friday and remain active :

premium-pc-scan .com (78.159.118.217; 89.149.253.215; 91.203.92.47)
antivirus-pc-scan .com (208.72.169.100)
securityfullscan .com (84.243.197.184)
antivirus-live-scan .com (84.243.196.136; 89.149.227.196)
windefender-2009 .com - (200.63.45.55)
windefender2009 .com

What these domains have in common, excluding the last two WinDefender ones, is the domain registrant, the DNS servers used, and that despite the fact that it has already been featured in several malicious doorways, meaning these are receiving traffic already, they forgot to upload the binaries on all of the active domains :

"Not Found. The requested URL /2009/download/trial/A9installer_.exe was not found on this server."

Registrant:
Vladimir Polilov
Email: gpdomains@yahoo.com
Organization: Private person
Address: ul. Bauma 13-76
City: Moskva
State: Moskovskaya oblast
ZIP: 112621
Country: RU
Phone: +7.9031609536

DNS servers used - ns1.freefastdns.com; ns2.freefastdns.com

Moreover, the following domains are also parked at the same IPs, but are currently in stand-by mode, yet they're also using the same DNS servers with the only difference in the registrant who seems to have been running a very extensive portfolio of bogus domains, potentially making hundreds of thousands in the process :

save-my-pc-now .com
real-antivirus .com
liveantivirustest .com
antiviruspctest .com
premium-live-scan .com
liveantivirustest .com
antiviruspersonaltest .com
mysecuritysupport .com
updateyourprotection .com
antivirus-premiumscan .com
securitylivescan .com
security-full-scan .com
secured-liveupdate .com
livepcupdate .com
protection-update .com
antivirus-scan-online .com
xpsoftupgrade .com
live-virus-defence .com

Enhanced Domain Protection Services Emerge

Wed, 24 Sep 2008 04:23:16 +0000

Registrars are beginning to offer new services to protect against domain name loss. Are they worth it? Well, they're worth something, but maybe not all the money being charged. Yesterday, Domain Name Wire revealed that GoDaddy has filed for a patent for "Domain Name Hijack Protection." The basic idea of the service is that domain name transfer-out requests are automatically ignored. The customer gets a notice that the request was received and ignored. The user then has the option of turning off the service, and must supply photo ID in order to do it. Comments on the Domain Name Wire article say it's an intentionally cumbersome process, which certainly works out well for GoDaddy, but I'm not so sure I'd call this innovative. This application may be related to GoDaddy's Protected Registration service, which similarly protects against casual transfers, a service they call Deadbolt Transfer Protection. In order to perform a transfer, more thorough verification procedures are required, probably involving genuine human beings. GoDaddy also claims to protect the domain in case of billing problems, such as "credit card expiration, failed billing or outdated contact information." If your domain expires and cannot be renewed because the credit card expired or some other such reason the domain will be placed in "invalid, protected status" for up to one year. In other words, it will be taken off-line, but not made available for anyone else to register. If you've parked it you may not notice, but if you're using the domain you will, because it won't work anymore. At this point you can go back to GoDaddy and make things right. All this costs $24.99 a year, which is a lot of money compared to the base registration. You'd be much better off with a standard domain lock and just being responsible about your domains and reading the e-mail GoDaddy sends you. And thanks to DomainNameNews for reporting that Moniker, a registrar aimed at higher-volume domain name owners, has launched their DomainMaxLock service. DomainMaxLock, like GoDaddy's Deadbolt, makes you provide more stringent identification for transfers. According to the company you must:

Provide a government I.D. number for verification of your identity.
Set up custom security questions and answers, further safeguarding your domain assets.
Provide special verification instructions and artifacts to ensure that your unique business or ownership interests are protected.
When you request that your domains be unlocked, our security team works directly with you to verify all of the above off-line - further eliminating risks of doing business in an online world!

It's essentially an admission of the failure of automated services with respect to security. The idea is we can trust humans in person, not software. The service costs $34.95 per domain per year for a limited time, but the cost will increase later to $59.99. These verification services are similar in many ways to those performed by CAs (certificate authorities). Since GoDaddy is also one of those, it's likely they can get better utilization out of that staff by offering such services.

What to watch for - the Rest of the Fortune 500 Gets Their Software Security

Thu, 18 Sep 2008 11:06:51 +0000

The financial industry drives a lot of what happens in security. They ~~have~~ had a lot of money, and lots of people try to steal from ~~them~~ their customers. They did drive some good stuff, but only from one vertical's perspective. I have advocated for awhile that software security look to other verticals to understand their security needs. Now that we're watching these behemoth financial firms vanish before our eyes, we will see the needs of insurance, manufacturing, healthcare and other verticals take on more precedence. If you want some ideas on what is important, start here. FWIW, here are some key themes that i think will emerge.

Standard Support

Mark O'Neill posted this comment to an earlier blog and it bears repeating

Take a difference I've noticed between financial services and government. I have encountered situations where a financial services customer may say "what if we just forget about using all those standards and make all these messages simpler", as they have optimization hard-wired as a goal. A government customer is (in my experience) more likely to focus on standards support for interoperability, and also to support directives that certain standards are used (e.g. XACML, let's say).

If the vendor was to build their product based solely on either customers needs, they would assume, as you say, that "the client just doesn't get it". It would be either "These government people are crazy, the people back at the bank told us those standards were not important", or else "these financial services people are crazy, we show them all the complex support for standards we have and they do not seem to care at all, they just want us to strip all that out".
In that case, the trick would be to build something down the middle, with the standards support and the optimization. But, just focusing on one sector is bad.

The financial people have been optimizing for so long and they had so much money they didn't need to worry about standards, they were the standard. But you don't need standards for standards' sake, you need...

Interoperability

The financial people didn't worry about this, the pot of gold was so big people would pay to play and build their own adapters. Architects at other companies need to figure out how to cost effectively knit things together and get authN, authZ, and audit too.

Fuzzy Edges

Take something hideous like the FIX protocol. Everyone knows its broken but they just built stuff all around in terms of accountability and other controls. they could do this because there was a living breathing audit log of transactions - a hard edge. So the financial industry drove lots of poor plumbing and compensated with hard edges. It worked well enough I suppose, but as any protocol plumber knows, you need to fix the pipes eventually. Especially if you want to...

Scale

Need to scale across domains, locations, geographies. Its not one little closed trading floor loop. Its wheels within wheels. You might say its federated autonomous nodes.

its not just technical run time scale. Its people scale. You can't assume that your tool is supported by several security people per project. The tools have to scale for one security person and a hundred developer type ratios. Better automation, better reporting, faster integration. Raise the floor one inch, but raise the whole floor.

Smaller Overall Security Budget

I saved the best for last. When the financial people wanted software security, they kept spending on network security and they added dollars to support software security tools and processes. The rest of the F500 can't or wont be able to, this means that for the software security vendors, they will need to take market share. Its not just competing against each other, its making the business case for software security over other types of security that have ossified technically but still command a rosy price, like *cough* network firewalls.

Side note, I know three financial firms that did excellent work in software security. really dug and invested time and money to make sure they are world class in that space. Strangely enough with all these firms melting down, the three I am thinking of that took a conservative approach, addressing software security in a root and branch mode,have not been named as a target for the next meltdown. Coincidence? We report, you decide.

UK Police Seize War on Terror Board Game

Fri, 15 Aug 2008 02:50:02 +0000

They said -- and it's almost to stupid to believe -- that:

the balaclava "could be used to conceal someone's identity or could be used in the course of a criminal act".

Don't they realize that balaclavas are for sale everywhere in the UK? Or that scarves, hoods, handkerchiefs, and dark glasses could also be used to conceal someone's identity?

The game sounds like it could be fun, though:

Each player starts as an empire filled with good intentions and a determination to liberate the world from terrorists and from each other.
Then the reality of world politics kicks and terrorist states emerge.

Andrew said: "The terrorists can win and quite often do and it's global anarchy. It sums up the randomness of geo-politics pretty well."

In their cardboard version of realpolitik George Bush's "Axis of Evil" is reduced to a spinner in the middle of the board, which determines which player is designated a terrorist state.

That person then has to wear a balaclava (included in the box set) with the word "Evil" stitched on to it.

Buy yours here; I first blogged about it in 2006.

Pinch Vulnerable to Remotely Exploitable Flaw

Thu, 07 Aug 2008 06:22:01 +0000

In the very same way a cybercrime analyst is reverse engineering and sandboxing a particular piece of malware in order to get a better understanding of who's being it, and how successful the campaign is once access to the command and control interface is obtained, cybercriminals themselves are actively reverse engineering the most popular crimeware kits, looking, and actually finding remotely exploitable vulnerabilities allowing them to competely hijack someone's command and control, and consequently, their botnet. The Zeus crimeware kit, which I've been discussing and analyzing for a while, is the perfect example of how once a popular underground kit start acting as the default crimeware kit, cybercriminals themselves start looking for vulnerabilities that they could take advantage of. And those who look, usually end up finding.

A remotely exploitable flaw allowing cybercriminals to remotely inject a web shell within another cybercriminal's web command and control interface of the popular Pinch crimeware that's been around VIP underground forums since June, 2007, is starting to receive the necessary attention from script kiddies catching up with the possibility of hijacking someone's malware campaign due to misconfigured command and control servers.

With the exploit now in the wild, retro cybercriminals still taking advantege of the ubiqutous command and control interface that could be easily used by other malware rathar than Pinch, "cybercriminals are advised" to randomize the default file name of the gate, and apply the appropriate directory permissions.

Monocultural insecurities are ironically started to emerge in the IT underground with the increasing commoditization of what used to be a proprietary web exploitation malware kit or a banker malware kit, allowing easy entry into the malware industry through the unregulated use of what some would refer to as an "advanced technology" that only a few cybercriminals used to have access to an year ago. Just like legitimate software vendors, authors of crimeware kits are also trying to enforce their software licenses and forbidding any reverse engineering of their kits in order to enjoy the false feeling of security provided by the security through obscurity. The result? Cybercrime groups filing for bankruptcy unable to achieve a positive return on investment due to their intellectual property getting pirated and their inability to enforce the licenses that they issue to their customers.

We're definitely going to see more trivial, but then again, remotely exploitable vulnerabilities within popular crimeware kits, which can assist both the cybercrime analysts and naturally the cybercriminals themselves. For the time being, even the most sophisticated malware campaigns aren't fully taking advantage of the evasive and stealth tactics that the kits, or their common sense allows them to - let's see for how long.

Related posts:
Russia's FSB vs Cybercrime
Crimeware in the Middle - Zeus
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Coding Spyware and Malware for Hire

Ideal Tool to Solve Real Problems ... of the Near Future? - II

Mon, 04 Aug 2008 17:30:00 +0000

I would like to continue the discussion I started in my previous post called "Ideal Tool to Solve Real Problems ... of the Near Future?" Specifically, upon outlining some problems with logging, I will now forecast what will happen with them in 18-24 months.

Which problems will be solved and forgotten?
Which ones will simply go away?
Which ones will persist and in fact increase?
Finally, which new ones might emerge?

First, let me bet my ass that "Not knowing what to log" problem will be licked in 18-24 months; at least as far as major regulations go, people will have a pretty good idea a) what the auditors want them to log (and review!) b) what they need to log for solving their problems. Now, for esoteric log sources (and custom applications) might still present a challenge from that point of view, but for basic "staples" (firewall, network gear, major OS) the mystery will be over (again, see "Tell me EXACTLY what to log for PCI?" for reference)

Next, the problem of "Log volume" will definitely get worse, much worse. One might think that 100,000 each second is a lot of log - but there WILL BE more at many companies! Big application log explosion is coming, fueled by the need to address logging in areas where such motivation was lacking before (basically, custom and vertical applications) as well as harness the power of "uncommon" logs for such tasks as fraud analysis or SOA monitoring. Keep in mind that even though in some areas logging is NOT a preferred way of monitoring and auditing activities (see this discussion on database logs here), application logging will still explode on us...

The problem of "Log diversity" (the fact that most logs all look different in format and meaning) will get worse before it will get better - and better it WILL (!!!) get since standards are being developed. We will see people struggling with all sorts bizarro log data in the coming years. Virtualization, web services and SOA, various ERP applications and even cloud services will increase the diversity of logging in the coming years.

Similar to the above, a problem of "Bad logs" (ones that are subjective, miss key information, require groping for a crystal ball to understand, turn log analysis into dark voodooistic experience or are useless in some other way) will also follow the pattern of the above log diversity problems - it will get worse before it gets better (via the CEE standard effort that now covers the OpenXDAS effort as well!) I noticed that people started asked me questions about "how to do application logging right?" and "what to tell application developers about logging?" which almost never happened in the past. BTW, watch my blog for some uber-fun info on that!

"Getting the logs" has gotten much easier in recent years; agentless collectors like Project Lasso (which, BTW, just got updated) and grabbing files remotely via secure protocols made application log collection easier (syslog-NG with TCP transfer and buffering also helped). Next, Windows 2008 will make it MUCH easier for the whole Windows kingdom due to their use of web services (thanks Eric!). However, in the future it might resurface as we try to collect logs from "weird" places, again, clouds come to mind as well as virtual environments (e.g. how do you get logs off a dormant VM?). What's the next frontier in this area? Log discovery - automatic finding and identifying log files on systems in order to analyze and retain them (Yo, my t-shirt-making colleagues... :-))

All this, however, pales in comparison with my favorite "uber-challenge", "Making sense of logs in an automated fashion" - this baby is definitely not going away in 2-3 years. Much more research is needed to make that "log->conclusion" jump automatically without head-scratching, invoking ancient deities and cursing under ones's breath. Only then we can attempt to reliable handle "proactive logging" (i.e. analyzing various failure or compromise precursors in logs and then predicting the future based on them), another Holy Grail of logging domain.

Anything new will emerge? Yes, I think awareness of the "Logging Gap" problem will grow. "Logging gap" happens when you combine "a need to log" with utter "inability to do so." For example, this will happen when people will know that they HAVE TO log, say, for compliance, but will have no way of doing it due to application or platform limitations. This will become one of the challenges and special "logging add-ons" will appear to close the logging gap and create additional logs where activity audit is desperately needed, but native logging is not helping to achieve it.

Also, I think people will finally wake up to "Log security" challenges - i.e. producing for use as evidence, compliance attestations, etc. Log security is not getting the attention it deserves, but I think this challenge will finally emerge in full force in the next 2-3 years. My next poll will address that :-)

Anything else I missed? Share away!

Related posts:

Very few details are available for Missouri National Guard breach

Tue, 15 Jul 2008 10:15:48 +0000

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
National Guard Bureau

Contractor/Consultant/Branch:
Missouri National Guard ("MOGUARD")

Victims:
"Citizen-Soldier and employee"s

Number Affected:
"approximately 2,000"

Types of Data:
"some personal information"

Breach Description:
"The Missouri National Guard learned on Monday, July 14, 2008, that some personal information was compromised. Details of how this information was compromised are being withheld at this time, so as not to interfere with the ongoing law enforcement investigation."

Reference URL:
Missouri National Guard Press Release
St. Louis Post-Dispatch

Report Credit:
Missouri National Guard

Response:
From the online sources cited above:

The Missouri National Guard learned on Monday, July 14, 2008, that some personal information was compromised.

Details of how this information was compromised are being withheld at this time, so as not to interfere with the ongoing law enforcement investigation.
[Evan] Sounds like a good excuse to not reveal details.

It is important to note that we have no reason to believe that the information that was compromised was for the purpose of gaining Citizen-Soldier or employee information or that the information has been or will be used inappropriately.
[Evan] It's nice that MOGUARD can make this judgment call on behalf of the victims. Its too bad the victims are not allowed to make a determination themselves based on the facts surrounding this breach.

The Missouri National Guard has a list of those Citizen-Soldiers or employees whose information was compromised.
[Evan] Keyword is "was", and not the phrase "may have been".

Letters are being sent to these individuals and/or their Families.

The list includes approximately 2,000 individuals.

At this time we have no confirmation of misuse of Citizen-Soldier or employee information resulting from the loss.

"I am distressed that sensitive information has been compromised," Major General King Sidwell
[Evan] I am impressed when a leader of an organization steps forward and speaks about a breach. In my opinion it demonstrates strong leadership and the understanding that the "buck" ultimately stops with him.

"I am especially concerned about the problems and inconveniences this may cause for our Missouri National Guard Citizen-Soldiers and their families," King said.

Because Social Security Numbers may have been contained within the missing information, we advise individuals to monitor financial accounts continuously for suspicious activity as a matter of good practice.
[Evan] This statement provide a clue as to what "some personal information" may be.

The Missouri National Guard has safeguards in place to protect private information.

We provide ongoing privacy training to all employees.

The Missouri National Guard has taken action to rectify this unfortunate situation, and is working to insure our Citizen-Soldier’s or employee’s information receives the highest standard of security and privacy protection.

Any soldier or family member with questions should call a hotline number at 1-888-526-6664 extension 7888.

If the soldier is deployed overseas, the soldier may use the Defense Switching Network and call 312-555-9500 extension. 7888.

Commentary:
We have no idea as to what the cause of this breach may have been. Anyone want to guess? If so, post a comment.

It’s a little ironic. I was just typing an email response to an information security friend of mine about military breaches and the way the military has a completely different way of disclosing details (if any). This breach is proof positive. We'll have to see if further details emerge over time.

I sincerely hope that the owners of the "personal information" (the victims) get all of the answers that they require in order to evaluate risk themselves and make educated decisions on how they will proceed.

Past Breaches:
Unknown

Monthly Blog Round-Up - June 2008

Tue, 01 Jul 2008 07:10:00 +0000

I saw this idea of a monthly blog round-up and I liked it. In general, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. This is what is driving an idiotic campaign of such "news" as "hackers increase hacking", "compliance is hard/easy/matters/doesn't" or "awareness of virtualization/SaaS/hacking/compliance grows."

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts and topics.

Again this month, my logging polls took the #1 spot! Poll #8 that covered context data for log analysis is analyzed here. Other popular polls include a controversial Windows Log Collection Poll (which is a poll #7) and poll #6 about logs that people actually look and poll #5 about logging challenges. Next poll is coming soon.
Not entirely surprising, my post/rant called "You Are "A Security Idiot" If ..." takes the #2 spot after being live for only a few days. Yes, we all like to point out other people's problems, especially when they are epically huge :-)
Also not surprisingly, my post "11 Signs That Your SIEM Is A Dog or "Raffy, You Killed SIM!"" is on the Top list. It is both humorous and sadly true (and backed up by other sources)
A curious subject of DLP or "data leak prevention" (specifically, the post called "So, CAN We Have DLP?") also tops the charts. My previous post on data leak 'prevention' ("In Passing on DLP") is popular as well.
Again and again, people googling for "open source SIEM" have pushed this post (this tiny old pathetic blurb) to top5. This ancient post from years ago explains why an open source SIEM will NOT emerge soon, if ever.

See you in July!

Possibly related posts / past monthly popular blog round-ups:

Technorati tags: blog, security, loggings, monthly

ICANN and IANA's Domain Names Hijacked by the NetDevilz Hacking Group

Thu, 26 Jun 2008 16:00:32 +0000

The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority were hijacked earlier today, by the NetDevilz Turkish hacking group which also hijacked Photobucket’s domain on the 18th of June. Zone-H mirrored the defacements, some of which still remain active for the time being.

Read more here - "ICANN and IANA’s domains hijacked by Turkish hacking group". A single email appears to have been used in the updated DNS records of all domains, logically courtesy of the NetDevilz team - foricann1230@gmail.com

More details will be posted as soon as they emerge.