[SecurityRatty] tag: owns

Three Plead Guilty in $2 Million Citibank ATM Caper

Wed, 05 Nov 2008 22:00:00 +0000

Three Ukrainian immigrants admit plundering Citibank customers using account numbers and PINs stolen from 7-Eleven cash machines. But Cardtronics, the company that owns the ATMs, hasn't been so forthcoming.

Links List 10.17.08

Fri, 17 Oct 2008 23:26:41 +0000

Novell announced this week its intent to purchase Managed Objects. We really didn’t see this coming. Novell? Can’t quite figure out the master plan here. I mean, they said they’d acquire PlateSpin back in February which made a lot of sense for bridging the gap of physical to virtual and building out a management portfolio beyond ZENworks Orchestrator. But Managed Objects? CMDBs? In this economy? We have to think back to the survey [link to survey post] we just did at Interop NY and the low scores – on importance and actual deployments – that CMDBs got. When it comes to tightening the belt, CMDBs kinda fell off the list. We’ll be looking forward to future announcements to see how this plays out.

Martin MC Brown at ComputerWorld has a great post on capacity planning and cloud computing. He discusses a new book “The Art of Capacity Planning”. The problem with the current model of data center management is that often a large number of machines may sit relatively idle while waiting for the traffic spike that causes them to be used. This is a problem because it’s simply a waste of time and resources on a whole number of levels. Enter the cloud – or at least the “hope of cloud computing”.

Numbers – what do they really mean? IDC released a statement with a whole bunch of them from their “Worldwide Quarterly Server Virtualization Tracker”. The most interesting stat: x86 Virtualization License Market Standings. VMware owns 44% of the market, but Microsoft, in its first quarter of general availability for Microsoft Hyper-V (plus Virtual Server 2005), has 23% of the market of new shipments.

U.S. Olympic Committee Trying to Take Chicago2016.com Away from Grad Student

Fri, 19 Sep 2008 15:03:00 +0000

In 2004 graduate student Stephen Frayne Jr. bought the domain name Chicago2016.com. Now the U.S. Olympic committee and the Chicago group organizing an Olympic bid for that year want it from him. They have filed through arbitration processes to have the domain turned over. The committee is currently using chicago2016.org as its domain, but that's not good enough. "We certainly see Chicago2016.com as the logical default domain for our site, and we believe having someone else control it is misleading for people seeking information about Chicago's bid," said Patrick Sandusky, a spokesperson for Chicago 2016. The Chicago Tribune article on this story describes "Chicago 2016" as "a moniker protected by trademark." I did a trademark search and there are several with that string in it, none of which were filed before 2006. Frayne launched the site to be, he claims, a forum for public discussion of Chicago's bid. He also owns Tokyo2016, another city bidding for that Olympiad, and is also being pursued for that domain. My own opinion: There are no trademarks in "Chicago 2016" that the committee can reasonably claim ownership of. Obviously it just hasn't offered Frayne enough money for the domain yet. Hat tip to DomainNameNews.

Assets Good Until Reached For

Mon, 15 Sep 2008 05:41:43 +0000

A few months back Minyanville wondered whether this subprime mess would end up as a cancer or a car crash. Guess we know the answer now. The question is - should we be at all surprised? Some smart folks have been warning for a long time. Warren Buffett famously called derivatives financial weapons of mass destruction.

Charlie Munger, as he is wont to do, went a bit further (from 2004):

I think a good litmus test of the mental and moral quality at any large institution [with significant derivatives exposure] would be to ask them, "Do you really understand your derivatives book?" Anyone who says yes is either crazy or lying.

They have many other statements in the same direction, based on their own experience from buying companies that used deriviatives where they were unable to to unwind the books and figure out who owed who. At the last Berkshire Hathaway annual meeting someone asked Charlie Munger what we could learn from past blow ups about the present crisis

It was a particularly foolish mess. We talked about an idiot in the credit delivery grocery business, Webvan. Internet based delivery service for groceries -- that was smarter than what happened in mortgage business. I wish we had those Webvan people back.

What can we learn from all this?

Well Dan Geer launched a revolution with his famous speech about risk management. He got the big picture part right on the security industry evolving into more risk management practices, however the examples we assumed that were right at the time, the financial industry are proving wrong. For one thing you can't manage a risk if you don't know the assets (back to Charlie Munger, emphasis added):

It is crazy to allow things to get too big to fail, run with knavery. As an industry, there is a crazy culture of greed and overreaching and overconfidence trading algorithms. It is demented to allow derivative trading such that clearance risks are embedded in system. Assets are all “good until reached for” on balance sheets. We had $400m of that at general re, “good until reached for”. In drug business you must prove it is good. It is a crazy culture, and to some extent an evil culture. Accounting people really failed us. Accounting standards ought to be dealt with like engineering standards.

So, yes it is about risk management, but if you build too many abstractions on top of your assets through derivative accounting and such you may find you don't have any assets when you need them. Don't fall in love with your abstractions, manage your assets.

There are some clear lessons for us in Information Security, err I mean Information Risk Management.

Margin of safety Its our job to manage risk, but this doesn't mean that we have to build layers and layer of abstraction on top of it. It also means that we help to design, build, deploy, and operate systems with margins of safety. Understanding the failure modes and accounting for this in design. Developers (because they are supposed to) and architects (because they haven't been properly trained) focus on functional requirements, building features, but on security not so much. There are many ways to improve security in a system and they are all inadequate by themselves, but we can help find cost effective improvements.

Don't fall in love with abstractions

If you have a 100,000 dekstops or 100,000 servers it hard to manage. You will need to automate and to do that you need to abstract, but you should also realize that its a drawing on a whiteboard not reality. You need abstraction assurance.

Ian Grigg commented on an earlier post

There are distinct parallels between phishing / retail payments, and the bigger investment mess. In both cases, banks would argue these are core business. In both cases, they have applied risk-based security models, and accepted some loss. In both cases, they have the ability to apply substantial experience to the monitoring, allocating and absorbing risks and losses.

In both cases, they watched and did nothing as the risks started from low, and migrated upwards. Are we at the point where regulation has killed the ability of banks to apply their (arguable) one core skill, to whit, risk-based analysis? Are banks that far out of banking that they no longer have it?

So you have to remember that top down and bottom up need to be combined.

Design for failure

Dan Geer has also told the story that he sat in a large bank's risk management training, and the trainer said "you may wonder why this works so well. it works because there is zero ambiguity over who owns what risk." Dan's thought was - "in my field we have nothing but ambiguity." Turns out the second part was right, we have nothing but ambiguity over who owns what risk; unfortunately the financial people have much more ambiguity than they thought! So we do have a lesson here after all, and it this - when the thing you thought was true isn't, the failure mode is very ugly. Design for failure - add layers of protection.

Keep it simple.

They have some smart engineers at Google to be sure, but even they had incredibly basic errors in their SSO. I have seen other obvious fails like people signing WS-Security messages, and the recipient checks for a signature but not if they trust the signer! There are so many ways to shoot yourself in the foot in a loosely coupled systems, and we have so many abstractions layered on top of each other, part of the mantra of protecting assets has to be keeping it simple.

So that is my list, to do all these things it requires that Infosec get in the game, understand the use cases, understand the business value (it should be abundantly clear that you can't simply rely on "business people" to be "business experts"), and that you not lose sight of the asset amidst all the abstraction. Finally, the systems we build security on are very primitive, a firewall and SSL are fine, a seatbelt was fine in 1935 and its still fine today, but there are lots of other safety controls in cars. ABS, airbags, traction control, they all protect the assets far better than in 1935, that's what we need to build.

Anyone can make bad assumptions (assume you know who owns what risk) and its easy to make bad abstractions (the firewall protects the information system), but when you combine bad assumptions with bad abstractions you'll get assets that are good until reached for sooner or later

Gemba & The Journey

Thu, 28 Aug 2008 13:27:40 +0000

Couple of things first before we get to the next post in the Hansei series. First, Jon Robinson was thinking about reputation damage and stock price and wrote a very lucid and smart post on the subject:

Companies think they own their reputation, but in reality they don’t. A reputation is the aggregate of the popular opinion about you. Opinions, or thoughts, belong to an individual, true or not, and a company doesn’t own a person’s thoughts, therefore a company doesn’t own its reputation. QED.

Yes. Absolutely. In fact, there are already changes in the works to the FAIR model that reflect this line of thinking that will allow us to approach reputation damage in a much more rational manner that anything else I’ve seen to date.

Second, RE: Hansei & Kaizen, Richard left the following comment.

I don’t agree with your view on Gemba even if we live in a virtual world. Look into any company’s wiring closet and you’ll immediately see a reflection in its maturity from the state of the equipment, the labeling / documentation and overall neatness. “Man with messy wiring closet, will have messy virtual servers.”

However, the true benefit in Gemba is not in the actual visual inspection. It is in in the journey from your desk to the data center / wiring closet.

I agree that the benefit is in the journey. I can’t see the wiring closet as the main destination (I just don’t see it as a useful prior). Maybe I wasn’t clear, or was taking for granted that you guys have been reading the blog for the past 2 years, but the journey needs to be to the LOB that owns the application. The example most given when describing Gemba is going to the production line to look at the issue that causes a problem in the ability to create and sell a car. The “security” journey is not to the wiring closet, but to the system itself and the logs that we have for the system and whatever network-based controls might be applicable. And we, as an industry, are just starting to understand that this “security” is only part of the picture. The whole picture is represented by the factors that create risk.

And for our “risk journey” that security journey is only a one of serveral useful pieces of prior information for use in analysis. For risk we have to also journey back to the “production line”, or, in our case, to the application/LOB owner. It may also be to corporate counsel, to marketing, to all sorts of other places in the enterprise because probable losses (a necessary measurement we need in order to understand risk) may come from many different sources in the organization. For those with FAIR knowledge, think of the six forms of loss to get an idea of what sorts of journeys we need to make.

This is why tomorrow’s post is designed to look at what should we be reflecting about, and what is needed for reflection.

Hint: our models for risk & risk management can give us an idea of how to create structure around Hansei for the IRM program.

Log Management - Day 1

Mon, 28 Jul 2008 07:03:00 +0000

Inspired by this and this here (and this too). It started from Jeremiah saying this:

“You’re hired on at a new company placed in charge of securing their online business (websites). You know next to nothing about the technical details of the infrastructure other than they have no existing web/software security program and a significant portion of the organizations revenues are generated through their websites.

What is the very first thing do on day 1?”

At about the same time, I saw a message posted to one of the mailing lists where the poster wondered: "I’ve been asked to look into finding a replacement to our current log management/auditing system. This is a field I haven’t even come close to touching before, and really don’t know the ideal things to look for (or ignore), etc. I’ve been searching through SANS site as well as googling, and I’m not coming up with a lot of great starter information. " And then he asks "Where should I start?"

This is indeed a really good question! Let's rephrase the above for the case of logging:

"You’re hired on at a new company placed in charge of TAKING CONTROL OVER THE LOGS. You know next to nothing about the technical details of the infrastructure other than they have no existing LOG MANAGEMENT process and tools... What is the very first thing do on day 1?”

So the "Day 1" of log management project. What's up?!

The very first thought that should cross you mind before you even do whatever first thing you wanted to do is "WHY?" (don't people hate those 'Why?" questions - focusing on "What?" or "How?" is soooooooo much easier....)

"Log management" is a solution, not a problem. What is your problem that you now have a mandate to solve?

Logs don't just drop on people :-) Well, not often.

What is it that motivated your boss (or his boss, or whoever) to decide to "address this", to "take control over logs?" Was it a new compliance mandate, PCI perhaps? Was it a recent incident where investigation hit the wall due to utter lack of logs? Was it a new corporation-wide IT efficiency improvement project? Was it a lawsuit where an e-discovery request was not satisfied and thus fine was levied? Was it a hot IT project that is impossible to complete without having a tool to analyze logs?

This "need" is very important since logging is a huge realm and not focusing on the need is akin to starting a journey into a hostile wilderness without a map - in other words, it might be fun for a while, but it can end badly :-)

Next, what do you actually do first? Figure out what logs are needed for this effort and what systems produce them (and who "owns" them!) Analyzing SAP logs for J-SOX is a VERY different effort from analyzing Cisco ASA logs for network troubleshooting.

Only at this point you can start thinking about "tools:" parsers, logs, databases, reports, alerts, indexing and other technical thingies as well as capacity planning, scalability, etc. This is the stage where you learn the lingo and learn to cut through marketing messaging to get to the actual tool capabilities.

So, remember: given mandate to "tame the logging monster", think "WHY?" first!

Click Fraud, Botnets and Parked Domains - All Inclusive

Mon, 28 Jul 2008 03:58:08 +0000

It gets very ugly when someone owns both, the botnet, and the portfolio of parked domains actively participating in PPC (pay per click) advertising programs, where the junk content, or the typosquatted domain names is aiming to attract high value and expensive keywords in order for the scammer to year higher on per click percentage. This is among the very latest tactics applied by those engaging in click fraud. Hypothetically, the cost to rent the botnet and commit click fraud would be cheaper than sharing revenue on per click basis with "human clickers" who earn money based on how many ads they click given a set of scammer's owned sites, where the customer supports represents a DIY proxy switching application changing their IP on the fly.

Click Forensics's recent Q2 2008 report indicates that botnets were responsible for over 25% of all click fraud activity they were monitoring during Q2. Not surprising, given that botnets have long been observed to commit blick fraud, using a common traffic exchange scheme. What's new is the use and abuse of parked domains :

"Despite indication that some of the clicks from parked domains were invalid, Google failed to disclose to the plaintiff specific domain names in which these ads were clicked on, making detection of invalid clicks difficult and even worse concealing any evidence of invalid clicks," the lawsuit alleges. RK West eventually went through its server logs and discovered the source of the clicks, said Alfredo Torrijos, one of the company's attorneys."

Will cybersquat security vendors for improving the chances of attracting high-valued keywords to later on click fraud? The trend has been pretty evident for a while, with cybersquatting increasing on an yearly basis according to multiple sources :

"Rise in pay-per-click advertising where cybersquatters link the domain name they have registered with a website containing ads promoting a variety of competing brands. The cybersquatter receives money every time internet users access this website and click on one of the ads."

However, the "internet users who are supposed to click on one of the ads on the parked domains owned by the scammers" will get clicked by a botnet owned or cost-effectively rented by the scammer. Here's a sample of currently parked domains attracting Symantec ads :

symentec .com
symantek .com
symanteck .com
symantac .com
symantaec .com
symantic .com
symmantec .com
symanntec .com
ssymantec .com
symanthec .com
symanzec .com
symanttec .com
sjmantec .com
saimantec .com
seymantec .com
symanrec .com
symantrc .com
symantwc .com
aymantec .com
dymantec .com
sxmantec .com
symantex .com
symantev .com
symabtec .com
symamtec .com
synantec .com
stmantec .com
symanyec .com
sumantec .com
symant3c .com
syman5ec .com
wwwsymantec .com
symanteccom .com
ymantec .com
syantec .com
symntec .com
symanec .com
symantc .com
symante .com
symattec .com
symantcc .com
syman-tec .com
syymantec .com
symaantec .com
symanteec .com
symantecc .com
ysmantec .com
syamntec .com
symnatec .com
symatnec .com
symanetc .com
symantce .com

As well as recent sample brandjacking Kaspersky :

kespersky .com
kasparsky .com
kaspaersky .com
kaspasky .com
kasperscky .com
gaspersky .com
kasbersky .com
kasppersky .com
kasperrsky .com
kasperssky .com
kasperskj .com
kasperskey .com
kaapersky .com
kasperaky .com
kasperdky .com
laspersky .com
kaspersly .com
kasperskt .com
kaspersku .com
kasp3rsky .com
kaspe4sky .com
kas0ersky .com
wwwkasperskycom .com
wwwkaspersky .com
kasperskycom .com
aspersky .com
kspersky .com
kasersky .com
kaspesky .com
kaspersy .com
kaspersk .com
kappersky .com
kaspessky .com
kas-persky .com
kasp-ersky .com
kasper-sky .com
kasperskyy .com
akspersky .com
ksapersky .com
kapsersky .com
kaseprsky .com
kaspesrky .com
kaspersyk .com
kaspersky24 .com
kasperskyonline .com
kaspersky-online .com

What's most disturbing is that instead of having cybersquatting taken care take of a long time, and scammers emphasizing on the junk content in order to attract the relevant ads on the bogus domains, the still trendy cybersquatting still does the magic by including the targeted word in the domain name itself.

Related posts:
Cybersquatting Security Vendors for Fraudulent Purposes
Cybersquatting Symantec's Norton AntiVirus
The State of Typosquatting - 2007

On Doomsaying (Terry Childs case)

Thu, 24 Jul 2008 08:48:00 +0000

Maybe I should call it "on stupidity" and add it to my "Nobody Is That Dumb... Oh Wait" series?

Really, when I've heard about it first, I was like "ah, come on, I am sure the journalists are just mis-reporting it; nobody is that dumb in their approach to system security."

Well, they really were that dumb.

Honestly, from the "blatant disregard of common sense", this is very, very high on the list (many in security agree, some in IT disagree). This is where the words "a huge data security risk" really sound like a mild understatement.

But you know what is the most scary about this case? The fact that there are MANY organizations who manage their networks the same way: one admin with ALL the access and NONE of the monitoring.

One person + ALL access + NO accountability = you are screwed!

Also, in light of this, do you still think that "insider attacks" is some kinda security vendor propaganda? Well, go tell Terry Childs that :-) Even though some people still think that he is a good guy (more on that on Slashdot)

What also caught my attention is that some retard called his bail ($5m) "ridiculously high." Well, if he was an outside hacker, say a Romanian script kiddie, jailed for hacking SF network, would they release him for $5m? Maybe not! Now, do you get that this case is actually MUCH WORSE! Hacker might have gained access to many assets; this guy did have access.

So, think, think, think: CAN YOUR SYSADMINS "0WN" YOUR BUSINESS? (BTW, some people think that IT "owns" you already!)

Are you OK with it?

If not, do something - start logging and monitoring (and then controlling) their actions! If you think you cannot control them, then just monitor; if you think you can neither control nor monitor, then at least log them so they will know that there will be enough good evidence to let them rot in jail for many years ... Or, if you prefer an easier alternative, stop calling your business YOUR business.

Possibly related posts:

"Protecting logs from admins"

ATM-Owner Cardtronics Issues Non-Denial Denial in Citibank Breach

Mon, 07 Jul 2008 20:30:00 +0000

The company that owns the 7-Eleven ATMs implicated in a massive leak of PIN codes issues a statement announcing that it doesn't anticipate issuing any statements.

A thin line between blog theft and promotion - another opinion

Thu, 03 Jul 2008 18:24:36 +0000

Rich Mogull has been writing a bit about his disagreement with a the SecurityRatty site posting his content (original posts here and here). These posts have set off a rash of comments and other articles on both sides of this issue. Finally Rich wrote his defining post on this topic here. Rich's position is that he owns his words. Ratty took them without his permission, ads nothing to the conversation or commentary at all and actually hosts the content rather than just linking to it. Now for those who don't know, SecurityRatty is a site allegedly owned and operated by some Russian CISSP dude. Basically, they claim they are an RSS aggregator and they just republish blog posts in their entirety. A couple of things to note though:

1. SecurityRatty does not usually add any content of their own or edit the posts in any way
2. They link back to the blogs or articles which are aggregated
3. They do appear to sell some advertising on the site
4. You can search their aggregated content on their site
5. At least recently they are removing content and feeds from their site if you request it.
6. They did not ask anyones permission that I know of before posting content

OK, now that the groundwork is laid, let me give my Shimel view on this. I disagree with Rich. Hey it is a big world and I think there is room for a dissenting opinion here. The reasons I disagree with Rich are:

1. Though Ratty plainly posts up others content, he does not hold it out as his own. He plainly gives credit to those who actually created the words and in fact links back to their sites.
2. Rich is publishing his data under a creative commons license, I am not sure if the meager ad on Ratty would qualify this as a commercial site.
3. Rich distinguishes what Ratty does from Google and other search engines (who clearly profit from Rich's content) by the fact that they just point to it. Not all together true. They also keep a cached copy of the content that you can go to as well.
4. The fact is that I have a tough time seeing any harm to Rich here. In fact if Ratty were not pointing back to Rich's site, if he did not make it as easy to see that it is just an aggregate feed or if Ratty were adding his own comments and not clearly delineating his from Rich's, I would feel differently. Some of this is directly in contrast to Rich who says that if Ratty did add his own views to Rich's, that would make it right by him.
5. Finally, I would go even further than Rich not being harmed by Ratty. I think Rich actually benefits from Ratty. It is yet another outlet for Rich's content and though not everyone reading it at Ratty may go back to Rich's site, they do know it is him and can go back easily. In fact if Rich did advertise at his site, I could understand him losing hits at his site. Otherwise if Ratty just pointed back, one could say the more hits Ratty generates, it could cost Rich more money. Much like people who link to graphics hosted elsewhere.

So, Rich I see that Ratty has stopped aggregating your content so that should be enough of a victory for you. In the long run though I think it is a Pyrrhic victory and you would have been better off with Ratty publicizing your words.