[SecurityRatty] tag: party

Data Breach At Benefits Company Affects Google Employees

Fri, 04 Jul 2008 00:53:03 +0000

Google employees hired before 2006 have been warned to watch out for possible attempts to steal their identities. InformationWeek reports that in a letter last month, Google attorney Lewis A. Segall alerted New Hampshire Attorney General Kelly A. Ayotte that computers had been stolen from Colt Express Outsourcing Services, a third-party employee benefits administrator for Google [...]

Third-party Exchange Server 2007 backup and restore tools

Thu, 03 Jul 2008 06:12:29 +0000

Streaming and brick-level backups take too long in Exchange Server 2007. Learn about two third-party tools to quickly back up and restore Exchange 2007 data.

Gartner: Seven cloud-computing security risks

Tue, 01 Jul 2008 20:00:00 +0000

Cloud computing is fraught with security risks, according to analyst firm Gartner. Smart customers will ask tough questions, and consider getting a security assessment from a neutral third party before committing to a cloud vendor, Gartner says in a June report titled “Assessing the Security Risks of Cloud Computing.”

Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities

Tue, 01 Jul 2008 07:51:54 +0000

For anyone who doesn't speak NASL, network security expert Mike Chapple has a firm handle on the Nessus Attack Scripting Language. In this brand-new addition to our Nessus 3 Tutorial, Chapple provides examples of NASL scripts that can find known vulnerabilities in your customized or third-party applications.

Summarizing June's Threatscape

Tue, 01 Jul 2008 03:05:01 +0000

June's threatscape that I'll summarize in this post based on all the research conducted during the month, was a very vibrant one. With the return of GPcode, a remotely exploitable flaw in the Zeus crimeware kit allowing both, researchers and malicious parties to assess the severity of a particular banker malware campaign, the increasing use of malicious doorways next to ICANN and IANA's DNS hijacking, all speak for themselves and how diverse the threats and, of course, the abilities to maintain a decent situatiational awareness about what's going on have become.

01. U.K's Crime Reduction Portal Hosting Phishing Pages - nothing new here since vulnerable sites are to be "remotely file included" and SQL injected to locally host anything on behalf of a malicious party. Risk and responsibility forwarding is one thing, but having a crime reduction portal hosting phishing pages is entirely another. The phishing pages was shut down in less than 12 hours upon notification

02. Price Discrimination in the Market for Stolen Credit Cards - Tracking down "yet another stolen credit cards for sale" service in the wild, the price discremination that they applied greatly reflects the current lack of transpararency for a potential buyer of stolen credit cards, and how higher profit margins are driving the entire business model. With script kiddies running their own botnets and undermining the sophisticated botnet master's high profit margin business model by undercutting their prices, stolen credit cards are not what they used to be - an exclussive good. Nowadays, they are a commodity good and often a bargain

03. Blackhat SEO Redirects to Malware and Rogue Software - Sampling an active blackhat SEO campaign out of the hundreds of thousands currently active online, releaved a large portfolio of domains serving Zlob variants by pitching them as fake codecs that the end user should download if they are to view the non existent adult content at the sites. Where's the OSINT mean? It's in the fact that the codecs and the fake security software phone back to UkrTeleGroup Ltd's network

04. Using Market Forces to Disrupt Botnets - With the current oversupply of malware infected hosts, and botnet masters embracing the services model for anything malicious, in this post I discussed the radical security approach of puchasing already infected malware hosts on a per country basis, disinfecting them and forcing them to update all the software on the infected PCs. Of course, on an opt-in basis. The possibility to directly provide incentives for botnet hunters to shut down whatever they come across to on a daily basis, and that's a lot of botnets, is also there

05. Who's Behind the GPcode Ransomware? - The title speaks for itself, the research with enough actionable intelligence gathered in the shortest timeframe possible is already proving accurate and highly valuable. How come? Stay tuned for more developments

06. ImageShack Typosquatted to Serve Malware - In a rare instance of a creative attack combining typosquatting in order to impersonate ImageShack and serve malware by redirecting users to an image file that is actually forwarding to the binary, I was recently tipped by the folks at TrendMicro who are also following this that the site is up and running again. Not for long

07. Fake YouTube Site Serving Flash Exploits - Next to using the usual set of exploits courtesy of a commodity web malware exploitation kit, this campaign was also using flash exploits. Even more interesting is the fact that the password stealer obtained was attempting to phone back to a misconfigured malware command and control interface, basically allowing you to assess the campaign from the eyes of the "campaigner"

08. Monetizing Web Site Defacements - Web site defacements are getting monetized just like SQL injections are in order to locally host a blackhat search engine optimization campaign on a vulnerable site with a high page rank. In this post I've assessed such monetization courtesy of a web site defacer at The Africa Middle Market Fund

09. Malicious Doorways Redirecting to Malware - Yet another large domains portfolio exposed though a malicious doorway redirecting to fake porn and video sites serving Zlob variants, tracking down the initial spamming of the malicious doorways across multiple vulnerable forums and guestbooks

10. The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw - When cyber criminals get advised to patch their vulnerable versons of the Zeus Crimeware Kit, you know there's a monoculture in the crimeware market. This flaw released publicly in May, 2008, not just allows others to hijack someone's ebanking botnet, but also, vendors and researchers to better assess a vulnerable Zeus command and control location

11. Fake Celebrity Video Sites Serving Malware - When templates for fake video and adult sites are just as available as they are now, anyone can take advantage of this cheap social engineering track that seems to work just fine. Compared to relying on blackhat search optimization to acquire traffic, some of the campaigns were SQL injected at vulnerable sites in order to drive traffic to them, next to several other tactics which when combined can result in a lot of people unknowingly visiting the sites

12. Phishing Campaign Spreading Across Facebook - An internal phishing campaign was circulating across Facebook, which got taken care of thanks to coordinated efforts with Facebook's security folks. There's also an indicating tha they are currently typosquatting other social networking sites like Hi5 for instance

13. Underground Multitasking in Action - As a firm believed in taking a random sample for a particular threat segment, this was once of these cases confirming the confidence I've built into anticipating upcoming tactics and strategies to be used

14. An Update to Photobucket's DNS Hijacking - Despite that Photobucket didn't oficially acknowledge the DNS hijacking, the hosting provider the NetDevilz hacking team used issued a statement. Ironically, the Turkish hacking group used the same provider weeks later to redirect ICANN and IANA's domains to Atspace.com

15. Fake Porn Sites Serving Malware - Among the largest domains portfolio of malware serving porn sites I've exposed in a while, all of them naturally remain active since they are hosted on a partition of RBN's diverse network. Visualizing a malicious doorway or the entire ecosystem provides a better understanding at how structured the ecosystems are

16. Backdoording Cyber Jihadist Ebooks for Surveillance Purposes - Despite that in this case we have a cyber jihadist backdoording his own released books, the international intelligence community next to law enforcement are known to have expressed interest in backdooring suspect's PCs, so why not SQL inject the cyber jihadist forums themselves?
17. Right Wing Israeli Hackers Deface Hamas's Site - When you read that Hamas's site is hacked, you ask yourself the following, do they even have a web site that's up the running? The answer to which would be the fact that even Hezbollah has been maintaining an Internet infrastructure since 1998
18. ICANN and IANA's Domain Names Hijacked by the NetDevilz Hacking Group - A fact is a fact, no comment here, go through all the technical details of the hijacking, including some actionable intelligence on who's behind the hijacking
19. The Malicious ISPs You Rarely See in Any Report - Who's tolerating malicious activities on their network, and how is the RBN related to all this? Well, when combined, the tiny parts of these ISPs represent a tiny part of the Russian Business Network itself

Third-party software vendors and the new IBM z10 technology

Mon, 30 Jun 2008 10:31:55 +0000

Above-the-operating-system infrastructure software products are now making their way onto the IBM z10. TCO/ROI studies indicate they can bring significant benefits to z/OS shops. The mainstay vendors are upping the ante with increased support packages that make these products more useful. From Web-enabling database interfaces, management and governance, to application modernization, the vendors are doing what they can to meet today's needs of z10 users.

Third-party software vendors and the new IBM z10 technology

Mon, 30 Jun 2008 10:31:55 +0000

Civilians Ask Whats With All the Privacy Act Kerfluffle?

Thu, 26 Jun 2008 17:51:41 +0000

And by “kerfluffle”, I mean these articles:

GAO Privacy Report
Technology Liberation Front
Center for Democracy and Technology
And how about an analysis of the Privacy Act from DOJ for background reasons?

Well, let’s talk about how privacy and the Government works with Uncle Rybolov (please hold the references to Old Weird Uncle Harold until we’re through with today’s lesson please).

We have a law, the Privacy Act of 1974. Think about it, what significant privacy-wrenching activities happened just a couple of years prior? Can we say “Watergate Scandal“? Can we say “Church Committee“? Suffice it to say, the early 1970s was an era filled with privacy issues and is where most of our privacy policy and law comes from. Remember this for later: this was the 1970’s!

Each of the various sections of the Privacy Act deals with a particular data type. For instance, Title 13 refers to data collected by the Census Bureau when they’ll go count everybody in 2010.

The Privacy Act talks about the stuff that everybody in the Government needs to know about: how you’re going to jail if you disclose this information to a third party. For those of you who have ever been in the military or had to fill out a government form that required your social security number, the light in the back of your head should be going off right now because they all have the warnings about disclosure.

Remember to respect the privacy of the beach huts and chairs photo by Joe Shlabotnik

When it comes to IT security, the Privacy Act works like this:

You realize a need to collect PII on individuals.
You do a privacy impact assessment to determine if you can legally collect this data and what the implications of collecting the data are.
You build rules about what you can do normally with the data once you have collected it. This is called the “routine use”.
You write a report on how, why, and about whom you’re collecting this information. This is known as the “System of Record Notice”.
You file this report with the Federal Register to notify the public.
This IT system becomes the authoritative source of that information.

IE, no secret dossiers on the public. We’ll suspend our disbelief in FISA for a minute, this conversation is about non-intelligence data collection.

Now the problem with all this is that if you stop and think about it, I was 1 year old when the Privacy Act was signed. Our technology for information sharing has gone above and beyond that. We can exchange data much much much more quickly than the Privacy Act originally intended. As a result, we have PII everywhere. Most of the PII is needed to provide services to the citizens, except that it’s a royal PITA to protect it all, and that’s the lesson of the past 2 years in Government data breaches.

Problems with the Privacy Act:

The SORN is hard to read and is not easy to find.
Privacy Act data given to contractors or “business partners” (aka, state and local government or NGOs) does not have the same amount of oversight as it does in the Government.
Data given to the Government by a third-party is not susceptible to the Privacy Act because the Government did not collect it. Wow, lots of room for abuse–waterboarding-esque abuse.
Privacy Act procedures were written for mainframes. Mainframes have been replaced with clusters of servers. It’s easy to add a new server to this setup. Yes, this is a feature.
If you build a new system with the same data types and routine uses as an already existing SORN, you can “piggyback” on that existing SORN.
It’s very easy to use the data in a way that isn’t on your “routine use” statement, thus breaking the entire privacy system.

Obviously, at this point, you should have gotten the hint that maybe we need to revise the Privacy Act. I think GAO and OMB would agree with you here.

So, what alternatives do we have to the existing system?

Make blanket data types and do a PIA and SORN on them regardless of where that data lies.
Bend the Paperwork Reduction act and OMB guidance so that we don’t collect as much information.
Make the Privacy Act more specific on what should be in SORN, PIA, and routine use statements.

To be honest, it seems like most of this is already in place, it just needs to get tuned a little bit so we’re doing the right things. Once again, the scale of the Government’s IT infrastructure is keeping us from doing the right thing: there isn’t enough time in the day to do PIAs on a per-server basis or to keep track of every little bit of data. You have to automate our privacy efforts in some fashion.

And this is why, dear readers, I think the Government needs DLP solutions more than the private sector does. Too bad the DLP vendors are stuck on credit cards and social security numbers.

Bookmark to:

Needed: Agency CSOs

Thu, 26 Jun 2008 08:49:33 +0000

Check out this article by Andy Boots on the Tech Insiders blog.

It brings up an interesting point: Agencies do not typically have a CSO-level manager. According to FISMA, each agency has to have a CISO whose primary responsibility is information security.

But typically these CISOs do not have any authority over physical security or personnel security: in reality, they work for the CIO and only have scope over what the CIO manages: data centers, networks, servers, desktops, applications, and databases.

Except for one thing: we’re giving today’s Government CISO a catalog of controls that contain physical and personnel security. The “party line” that I’ve gotten from NIST is that the CISOs need to work through the CIO to effect change with the areas that are out of their control. I personally think it’s a bunch of bull and that we’ve given CISOs all of the responsibility and none of the authority that they need to get the job done. In my world, I call that a “scapegoat”.

To be honest, I think we’re doing a disservice to our CISOs, but the only way to fix it is to either move our existing CISOs out of the CIOs staff and make them true CxOs or write a law creating an agency CSO position just like Clinger-Cohen created the CIO and FISMA created the CISO.

Bookmark to:

A Question of Integrity: To MD5 or Not to MD5

Wed, 25 Jun 2008 15:50:57 +0000

Cloud Storage offers pay per drink off-site storage. Data to be saved is shuffled from the customer to the Cloud Storage Provider by the network. This all works wonderfully most of the time, what you upload is what you get back later. But what happens where the gremlins strike and what you send is not what is received?

This happened recently to some Amazon S3 customers. There were complaints in the AWS forums about ‘S3 Corruption’. The first post in the forum was recorded at Jun 22, 2008 5:05 PM PDT (although in subsequent posts some people reported emailing Amazon prior to this):

we are having some serious S3 issues.

all data we store on S3 has gone through the same code path for months. starting a couple days ago a small percentage of the objects we are retrieving are not checksumming to the correct values. we hash and store objects by checksum and rehash the objects when we retrieve to ensure there is no data corruption. all the objects we’re having issues with were uploaded at approximately the same time period a few days ago.

we’ve stored 10’s of millions of objects in S3 and never encountered such problems. please let me know ASAP if you have any idea what could be going on here. thanks.

Amazon responded 6 minutes later (!) and started investigating. To troubleshoot they asked customers to email aws@amazon.com with the ‘Bucket-Name and few keys that you believe are having issues’.

Others weighed in reporting similar problems. Amazon provided status updates and on Monday Jun 23rd at 6:10pm PDT, provided the following explanation:

We’ve isolated this issue to a single load balancer that was brought into service at 10:55pm PDT on Friday, 6/20. It was taken out of service at 11am PDT Sunday, 6/22. While it was in service it handled a small fraction of Amazon S3’s total requests in the US. Intermittently, under load, it was corrupting single bytes in the byte stream. When the requests reached Amazon S3, if the Content-MD5 header was specified, Amazon S3 returned an error indicating the object did not match the MD5 supplied. When no MD5 is specified, we are unable to determine if transmission errors occurred, and Amazon S3 must assume that the object has been correctly transmitted. Based on our investigation with both internal and external customers, the small amount of traffic received by this particular load balancer, and the intermittent nature of the above issue on this one load balancer, this appears to have impacted a very small portion of PUTs during this time frame.

What are some of the takeaways?

If you are directly using the AWS S3 API, make sure to calculate and send MD5 checksums along with actual data. Check status return codes - an HTTP 400 error code means ’something went wrong’ - respond appropriately.
If you are relying on 3rd party tools to access S3, be sure to check with your software vendor that they are following the advice from Amazon to use MD5. If they are not then your data can get silently corrupted…
Downloads, aka HTTP GETs, can also be affected. The thread in the forum continues and questions are asked as to whether the corruption caused by the loadbalancer was affecting both incoming and outgoing traffic. The conclusion was yes. If you are hosting media on S3, and the browser is using partial GET requests (to download in chunks) then the corruption will not be automatically detectable.
If your business relies on Cloud Storage, are you prepared to wait a 36 hours for a resolution? This isn’t a swipe at Amazon, this is true for any provider. Check your SLA’s, check the trouble ticket resolution times, ask about availability of experts for troubleshooting etc.
Cloud Providers will increasingly need to instrument their services such that they can ‘early detect’ negative operational events. In this case, Amazon has stated plans to use better logging and analysis to automate detection of unusual error patterns (i.e. anomoly detection).
This incident - caused by an Amazon malfunctioning loadbalancer - did not make it onto the AWS status page at http://status.aws.amazon.com/. Taking Amazon at face value, this incident only affected a small number of transfers, relative to the total number of S3 transfers. But this begs the question, what level of outage or service problem needs to happen before Amazon will flag the issue on their status page? On a sidenote, based on the timestamps, 31 hours passed between the loadbalancer being taken out of service and Amazon providing the explanation on the forum.
When Amazon update their S3 API documentation, it would be useful to have entries in the S3 API index for ‘checksum’, ‘MD5′, ‘integrity’ and ‘corruption’.
Stepping back, will customers hold Cloud Service Providers to a higher standard than their own internal IT teams?

I’m sure there are more takeaways I didn’t cover. What say you?

###

Kudos for the heads-up on the S3 issue goes to my friend and colleague Jason Harper - network supremo and crypto-head. Thanks Jason!