[SecurityRatty] tag: lazy

Summertime security: No letup for IT

Thu, 26 Jun 2008 20:00:00 +0000

What ever happened to the lazy days of summer? For IT and security managers in businesses, hospitals and universities across the country, summer is just another season to get things done. Here's a roundup of IT security projects we're hearing about.

Opinion: Where are those infosec jobs?

Thu, 22 May 2008 09:00:00 +0000

Those news reports of vastly increased information security spending just around the corner may sound awfully cheerful, but Jon Espenschied detects some lazy -- or is it wishful? -- thinking.

SQL Server PerfMon counters for access methods and buffer manager

Tue, 29 Apr 2008 09:18:07 +0000

In this episode of the screencast series "PerfMon Counters for the SQL Server DBA," SQL Server MVP Kevin Kline focuses specifically on SQL Server counters. Kline shares best practices for using access method counters to watch for IO intensive operations, such as full table or clustered index scans and page splits. You'll also learn why it's important to monitor the buffer manager in SQL Server, that is, keep an eye on lazy writer, page utilization and how quickly pages age out of the buffer.

Fidel Castro exports his criminals, but we give guns to ours.

Wed, 23 Apr 2008 11:03:00 +0000

I was shocked to hear the news on CBS yesterday that the Army and Marine Corps are allowing convicted Felons to join their ranks. Are recruiters that desperate or just plain lazy?

The newscaster said that the Army and Marine Corps are going to open their doors to Felons who have been convicted of Robbery, Burglary, sex offenses and making terroristc threats. What can they be thinking? Have the lunatics started running the assylum?

These are some of the worst offenses on the books. I could somewhat understand if they said: "we are going to make allowances for those who have been convicted of multiple DUI/DWIs and as a result, have been declared felons". This new policy sounds like a plot taken straight out of Hollywood...."The Dirty Dozen" springs to mind.

One would think that the military upper echelon have enough on their plate everytime a story breaks about a young girl being raped in Iraq or Japan by U.S. military personnel. One can only imagine the future problems that will arise when they willingly open their doors to convicted child molesters, rapists, robbers, burglars and terrorist sympathisers/radicals.

The Navy and Airforce should be conrgratulated on failing to stoop so low. I hope they resit the temptation to put the same uniforms that have been worn so proudly in the past by decent human beings on those who should be wearing prison jump suits.

Maybe if the Government paid soldiers a decent salary, which is to say, much more than the $3,000 per month that they now get to put their lives in harm's way instead of giving it to Government contracting companies who charge the Government as much as $250,000 per year per contractor AND many times overcharge and over-bill the very same Government who are willing to pay a king's ransom in the first place.

Romanian Script Kiddies and the Screensavers Botnet

Mon, 07 Apr 2008 23:48:40 +0000

Shall we turn into zombies, and peek into the modest botnet courtesy of Romanian script kiddies, that are currently spamming postcard.scr greeting cards? Meet the script kiddies. This botnet is going nowhere mostly because knowing how to compile an IRC bot doesn't necessarily mean you posses a certain know-how, a know-how that experienced botnet masters have been outsourcing for years. Malware is obtained through links pointing to :

xhost.ro/filehost/phrame.php?action=saveDownload&fileId=15735
xhost.ro/filehost/phrame.php?action=editDownload&fileId=12923
xhost.ro/filehost/phrame.php?action=saveDownload&fileId=3656
xhost.ro/filehost/phrame.php?action=editDownload&fileId=10936

Scanners result : Result: 22/32 (68.75%)
Trojan.Zapchas.F; IRC/BackDoor.Flood; Backdoor.IRC.Zapchast
File size: 735139 bytes
MD5...: 015e5826084f2302b4b2c3237a62e244
SHA1..: 7d05949f6dfffdc58033c9d8b86210a9bd34897c

Sample traffic output :
"NICK Mq2kC01
USER las "" "pic.kauko.lt" :Px7aW6
USER las "" "Helsinki.FI.EU.Undernet.org" :Px7aW6
USERHOST Mq2kC01
NICK :Rk1zK50
AWAY :Eu te scuip in cap si'n gura, tu ma pupi in cur si'n pula =))!
MODE Mq2kC01 +i
ISON loverboy loveru SirDulce
JOIN #madarfakar
USER kzg "" "Helsinki.FI.EU.Undernet.org" :Ho5xI1
NICK :Vm3uF52
MODE Mq2kC01 +wx"

And in next couple of hours, the most interesting domain that joined the IRC channel was :

Ny2fW15 is fwuser@mails.legislature.maine.gov * Kg1jT7
Ny2fW15 on #madarfakar
Ny2fW15 using Noteam.Vs.undernet.org I'm too lazy to edit ircd.conf
Ny2fW15 is away: Eu te scuip in cap si'n gura, tu ma pupi in cur si'n pula =))!
Ny2fW15 has been idle 1min 31secs, signed on Fri Apr 04 12:05:17
Ny2fW15 End of /WHOIS list.

This botnet's futile attempt to scale is a great example of the growing importance of knowlege and experience empowered botnet masters, as a key success factor for sustainability, and also, basic understanding of economic forces, namely, when they're not making an investment there cannot be a return on investment on their efforts at the first place. Take a peek at the efficiency level of remote file inclusion achieved by another botnet, and at alternative botnet C&C channels courtesy of botnet masters realizing that diversity is vital.

Another mortgage company out of business leads to more documents in the dumpster

Wed, 19 Mar 2008 11:57:40 +0000

Technorati Tag: Security Breach

Date Reported:
3/19/08

Organization:
Affordable Realty

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
"hundreds"

Types of Data:
"Social Security numbers and financial records"

Breach Description:
"Social Security numbers and financial records of customers of a Flint-based realty mortgage company have been found in a dumpster. "

Reference URL:
WJRT ABC Channel 12 News

Report Credit:
Dawn Jones, ABC12 News Team

Response:
From the online source cited above:

The personal information of hundreds of local residents is now out in public view.

Social Security numbers and financial records of customers of a Flint-based realty mortgage company have been found in a dumpster.

Affordable Realty occupied office space inside the Ben Agree building on Dort Highway for years.

The company was evicted and all of its sensitive customer information ended up outside in a dumpster or on the ground nearby.
[Evan] Maybe the company figured that they had nothing to lose and just vacated the property. There is liability however. The leader(s) of the company is/are morally, ethically, and probably legally responsible for proper document destruction. There really is no excuse.

Included in the papers are bankruptcy statements, financial records, Social Security numbers and addresses of clients who once did business with Affordable Realty.

Witnesses say the business had recently been evicted and they report seeing Genesee County Sheriff's Deputies clearing the office space a few days ago.
[Evan] So am I safe to assume that the Genesee County Sheriff's Deputies actually had a hand in the poor handling of sensitive documents? Perhaps they could have been more careful and taken the time to identify sensitive documents before throwing them in the dumpster.

Since that time, at least one person claims to have seen people rummaging through the dumpster, picking up papers, going through them very carefully and walking away with some.

We talked to Genesee County Sheriff Robert Pickell about how this type of personal information should be handled.

"What the process server should have done is get the stuff, call the landlord and say 'I'm packing this up, I'm putting it into my truck, I'm taking it to my warehouse. You're gonna have to pay for the storage,'" Pickell told ABC12's Dawn Jones.
[Evan] And what the Sheriff's Deputies should have done is taken more care before throwing the documents in the dumpster.

The sheriff talks more about identity theft and how to protect your identity coming up later today on ABC12 News.

Commentary:
This isn't the first time we have read about personal information being discarded/disclosed in a public dumpster after a company has gone out of business. Last month included Union Mortgage Services of Cleveland, Inc. and First Magnus Financial Corporation. Throwing large amounts of documentation containing personal information in the trash is completely in-excusable and lazy. The good thing is that the companies are now out of business; the bad thing is that they may have taken some good people along with them.

I am concerned and uneasy about the fact that the Genesee County Sheriff's Deputies did not notice or take the time to investigate what the documents contained.

Past Breaches:
Unknown

Stolen University Health Care laptop requires notification of 4800

Fri, 14 Mar 2008 07:39:01 +0000

Technorati Tag: Security Breach

Date Reported:
3/13/08

Organization:
University of Utah

Contractor/Consultant/Branch:
University Health Care

Victims:
patients

Number Affected:
4,800

Types of Data:
"names, social security numbers and personal health information"

Breach Description:
"Possibly 4,800 patient’s information could be compromised, when a laptop with names, social security numbers and personal health information was stolen from University Healthcare"

Reference URL:
KUTV Channel 2 News

Report Credit:
KUTV Channel 2

Response:
From the online source cited above:

Possibly 4,800 patient’s information could be compromised, when a laptop with names, social security numbers and personal health information was stolen from University Healthcare over two weeks ago.

The hospital says that someone broke into a locked office and took a lap top and a flash drive.

The hospital does not believe that whoever stole the laptop was searching for the patient’s information.
[Evan] What leads the hospital to believe this? There's no money in selling or using compromised confidential information, right? WRONG!

The hospital also says that the laptop is password protected and it is confident that the person who stole the laptop will not be able to access the information.
[Evan] Seriously, remarks like this demonstrate complete information security incompetence.

The information on the laptop is varies for patients. Not all patients have social security numbers listed with the hospital.

University Healthcare began mailing out letters to people affected by the theft this week

The University Healthcare is trying to figure out which patients had information on that computer and what the information was. The hospital says that this process caused the notification delay.
[Evan] Not knowing what confidential information is where is a very common problem in today's organizations.

University Healthcare is providing the 4800 patients with a year of free credit monitoring and is making changes in their policy.
[Evan] I feel like doing some math. The cost for full disk laptop encryption, maybe $100 - 150. The cost for investigation of the breach (say 20 hours @ $100/hr.), reconstruction (say 20 hours @ $100/hr.), notification ($300 to draft letter and maybe $2,400 to address and mail), and credit monitoring ($15/mo. x 12 months x 4800 customers) might cost $870,000. Maybe the hospital didn't believe they would ever lose a laptop or have one stolen that contained sensitive information. Risk management anyone?!

Employees will no longer be allowed to download sensitive information onto laptops, even if they're password protected.
[Evan] This is not the root of the problem. We have an information security governance and management problem. No easy fix.

University Healthcare apologizes for the problem and the notification delay.

Commentary:
It's Friday! I have some time on my hands, and I am getting tired of poor security of personal information. I go through phases.

One thing that is worth mentioning, we (meaning information security personnel) must go through the arduous task of data inventory and classification if we are to be effective. We should know what confidential information we create, collect, store, transfer, and/or destroy. We need to know where confidential information is throughout the lifecycle. We need to know what the threats are. We need to know what the vulnerabilities are. We need to know what the risks are. We need to know the costs of compromise (hard and soft dollars) when possible. We need to know the costs of protection. Maybe most importantly, we need to measure all of our efforts against the organizational goals and objectives. The list goes on and on and on.

If you are charged with securing your company's information assets, you need to understand that this is a serious business and not for the faint of heart. We don't just password protect and install firewalls for a living. We solve complex technical and political problems every day. If you need additional training (we all do) then get it. Don't look for shortcuts, because there aren't any. The dichotomy is that most effective solutions are simple and not complex. Simple sometimes gets confused with shortcut, but a shortcut is lazy. The money is good, but the challenges are GREAT.

OK, I've rambled enough. I'm stepping down from the podium now. Thanks for reading!

Past Breaches:
Unknown

Loads.cc's DDoS for Hire Service

Tue, 11 Mar 2008 18:35:53 +0000

Snakes never whisper in one another's ear - it's supposed to tickle. In a blog post yesterday, Sunbelt Labs pointed out on the re-emergence of the Botnet on Demand Service that I covered last year. It's great to see we're on the same page, or wiki article as we can always expand the discussion. In need of more such fancy snakes admin panels courtesy of a web based malware C&C? Here are four more related :

legendarypornmovies.net/ts (88.85.81.211)

slutl.com/ts (88.85.78.7)

cwazo.net/ts (83.222.14.218)

oin.ru/ts (194.135.105.203)

Now the juicy details regarding loads.cc. During the time of posting this, the malicious domain is starting to redirect to a very descriptive one, which basically says "given up on ddos-ing", and a featured ad in between loads.cc's old interface is pitching the new service - contextual advertising consultations, as you can see in the attached screenshot. Apparently, a little more in-depth research acts as public pressure, especially when they're lazy enough to have a great deal of malware variants "phone back home" to their promotional domain. However, the current one responding to 67.228.69.191 is hosted by SoftLayer, and is using ns1.4wap.org as DNS server provided by Layered Technologies again confirming the Russian Business Network connection since, both, Layered Technologies and SoftLayer are known to have been and continue providing services to the RBN, knowingly or unknowingly. Moreover, the malware infected counter at the stats section continues reporting new additions.

Being one of the most venerable examples of DDoS for hire services, it's worth reposting its FAQ in an automatically translated fashion, so that a better perspective to the dynamics of offering such services is provided to the readers. Here's the FAQ on using the service, which is relatively easy to understand :

- All that is pure downloads nothing is loaded simultaneously

- The "mix" is not Buro countries on specified individual prices

- Loaded only those countries which are specified in the problem

- The country is determined to maxmind geoip

- When it ALL loaded all countries and the price of downloads is calculated separately for each country that is DE for the download you pay for a $ 0.2 PE 0.03

- Prices for downloads can sometimes vary slightly this watch themselves

- As such, the concept of mix does not exist, each country has its own price, and if the country is not clearly specified in the price is $ 30 price / 1k

- The money is withdrawn from the account in accordance with the facts and running leaps ekze by car users

- In the balance on deposit $ 5 or less stopped loading

- No minimum, it is possible to load even though 3 pc 10k limit pointing in the problem

- The claims, made by ALREADY download will not be accepted, DICOM small parties or do the test to check quality

- Following the establishment of tasks it must be activated by clicking on the link in the status, the same method could be suspended

- Pole challenge "received" shows how many bots believed assignment, it is usually little more than a "loaded" on the fabric sur somehow prichnam some boats were not able to download and run your ekze dolzhili or not yet know

Undercover DDoS in between contextual advertising, or "giving up on DDoS" entirely? Let's wait and see, without being naive enough to forget that this among the hundreds of other DDoS for hire services currently available in the wild.

Is Risk Management a People Problem?

Mon, 10 Mar 2008 12:45:47 +0000

In today’s post, I’m going to link you to a blog post by someone who used the phrase “Security is a People Problem”. I hesitate to do so, because some people might think that I’m going to write an “aha, you’re wrong and I’m smart” article here. That’s not my intention. It’s just that the author used the phrase in a sense that I agree with but it made me think more about a subject I’ve been working on - and I thought I’d use this forum as a means to “think aloud” with you (because you folks tend to be smarter than the average bear).

As we’re prone to do here at RMI, I’ve been thinking hard about security, risk and how organizations can become more effective. We’ve been thinking very hard about metrics and measurement and governance and compliance and assurance and so on and so forth. And one thing hit me funny today within that context, it’s the mention of the axiom “Security is a People Problem”.

In his article, “What can CISOs learn from the Societe Generale debacle” Khalid Kark writes:

Security is first and foremost a people problem: Societe Generale probably had good set of security products and technologies in place, but all the security technology in the world won’t necessarily help if an employee is in a position to figure out the processes and has the ability to disable the alarms. It does drive home the point that the insider threat may not be the most popular form of attack, but it usually is the most damaging.

When most people use the phrase, they mean it in this context - it is an association Deming’s second obstacle; “Relying on technology to solve problems” with the practice of Risk Management. Arthur of Emergent Chaos was kind enough to offer his opinion when I briefly chatted him about the subject. When asked, “What do you think people mean they say ’security is a people problem’, he replied:

Mostly, I think it means that people are inherently trusting and also lazy, so things like phishing and soc. engineering tend to work even on trained people. It could also mean that security that doesnt’ take into account useability is doomed to fail if it’s going to make people jump through hoops.

SECURITY IS LOTS OF PROBLEMS

Now I think both quotes are correct. And as I’ve thought about the subj. this AM, I’ve come back to the concept that any individual security “issue” is really related to some human actor (even a natural disaster as a cause impacts people and quality of service). But what does that mean for Risk Mangement? If individual issues are at the whim of the individual actors involved, does that mean Risk Management is a “people problem”? May I answer “Yes”, but with a caveat?

RISK MANAGEMENT IS AN ORGANIZATIONAL BEHAVIOR PROBLEM

So if the specific act of “secure” is mainly in the hands of people (in ability to attack and/or defend), then, in my mind, Risk Management becomes an Organizational Behaviour problem. An organization, though made up of people, almost always acts differently than the whim of any one member. Let me offer that IRM is an Org. Behaviour issue because:

The risk tolerance of an organization is (should be?) set by the board and by senior management (a group or groups).
This risk tolerance is expressed by Policy. It is organizational communication from the group in 1 to individuals who are now all individually accountable in the same manner (they are treated as a group or organization).
The effectiveness of matching “security” to risk tolerance is a function of the security department, audit, external stakeholders like consultants or government actors, and senior management (in their willingness to allocate resources to an operational expense vs. some other “bucket”). Again, groups (or organizations) of people working under the same premise.

In fact, if you read the Forrester blog post through the lense of Org. Behaviour, you’ll find that many of the lessons to be learned mentioned there aren’t so much people lessons as they are organizational lessons - because what enabled the security at Soc. Gen. was a break down not in technology, not in control, but in the absense of controls, and therefore is a Risk Management issue at it’s heart.

I say Soc. Gen. was a Risk Management issue because Sr. Mgmt. there should have been aware of the risk. It’s not like this hasn’t happened before (in fact, I recently read a good breakdown of freuqency of such incidents from Protiviti in which they show that these sorts of things happen every 18 months or so). So either Sr. Mgmt. was aware of the risk and did not act upon it by changing the behaviour of the organization (my point two, above), or they were not aware of the risk - an ignorance that could only be the result of a non-chalant view of Operational Risk by Sr. Mgmt (point one).

AM I SPLITTING HAIRS?

If you accused me of being to particular here, I’d probably plea “guilty” (after all, people *do* make up organizations). But if we’re going to actually apply fields of study to the problems in our industry, we can not ignore the differences between affecting individual actors, and affecting the organization as a whole, and the key to understanding how to influence an organization is to understand Organizational Behaviour.

Obstacles For Information Security & Risk Management

Thu, 06 Mar 2008 10:51:34 +0000

Some final cursory thoughts on Deming today, although if it’s ok with you I’ll reserve the right to blog about him again as I study the man more. I’m excited about today’s topic, as what he says here were some of the things that attracted me to Deming in the first place.

In addition to his 14 points and 7 deadly diseases, he has 4 “Lesser Category of Obstacles” that organizations must overcome if they are going to reach a decent solution to the problems they face. However, whereas Deming wrote these for individual businesses, I think of these in context of our general industry. My comments are generalizations, to be sure, but I think these characterizations are not without merit.

In no small way, we do collectively operate as an ad-hoc organization. We’re not unionized or otherwise federated, but there is a certain brotherhood even among the disparate personality types in our industry (despite how snarkily we deal with each other at times). If we can allow ourselves to think with a federal vision for the industry - acknowledging that the answers we seek are neither simple nor apparent - then I believe the Lesser Category of Obstacles can serve as guidelines from which to operate as we move forward.

DEMING’S LESSER CATEGORY OF OBSTACLES:

1. Neglecting long-range planning.

Despite the best efforts of many very smart people in our industry (Read or Listen to Ranum on the future of the industry), this is an issue that those with the power and ability to shape the direction and future of InfoSec (i.e. standards bodies and governments) seem to need address. The balance between prescriptive ISMS and flexible governance is a grey area that needs more separation of hue, more direct study of how and why Governance, Risk and Compliance can and should work together to protect not just consumer data, but the interests of the data owners.

2. Relying on technology to solve problems.

I don’t think I need to write a ton about this one. If you’re confused and think that technology will solve your InfoSec issues - I’ll refer you to Richard Bejtlich on the subject.

3. Seeking examples to follow rather than developing solutions.

Too many professionals seem to suggest we take the lazy way out. “Just give me a prescriptive ISMS and allow me to transfer my risk to the checklist. Whatever you do, don’t make me think about the best way to secure my data because the uncertainty involved makes my stomach all knot up.”

Let me offer that this mode of thinking is not only an offense against Deming proverb #3 here, it’s also a sin against #1, 2, and 4.

4. Excuses, such as “Our problems are different.”

*ding*ding*ding*ding*ding*

We *have* to get over ourselves. I would offer that we must humbly view ourselves as just are another area of operational risk, without pretense for our perceived intelligence. They say a little knowledge can be a dangerous thing. I would offer that just because we’ve lost our innocence concerning the level of sophistication needed to utterly destroy a corporate body using “cyber-warfare” doesn’t mean we’ve got any claim to intellectual superiority concerning risk and the decisions our organizations make (despite our recommendations to the contrary).

Once we realize that, fundamentally, we’re not as unique as we think we are - we can stop pretending we’re an island and start looking to what other disciplines do and learn from them.