[SecurityRatty] tag: previous

Government Can Determine Location of Cell Phones without Telco Help

Wed, 26 Nov 2008 03:06:43 +0000

Triggerfish, also known as cell-site simulators or digital analyzers, are nothing new: the technology was used in the 1990s to hunt down renowned hacker Kevin Mitnick. By posing as a cell tower, triggerfish trick nearby cell phones into transmitting their serial numbers, phone numbers, and other data to law enforcement. Most previous descriptions of the technology, however, suggested that because of range limitations, triggerfish were only useful for zeroing in on a phone's precise location once cooperative cell providers had given a general location.
This summer, however, the American Civil Liberties Union and Electronic Frontier Foundation sued the Justice Department, seeking documents related to the FBI's cell-phone tracking practices. Since August, they've received a stream of documents—the most recent batch on November 6—that were posted on the Internet last week. In a post on the progressive blog Daily Kos, ACLU spokesperson Rachel Myers drew attention to language in several of those documents implying that triggerfish have broader application than previously believed.

Blogging from DeepSec 2008 in Vienna

Sun, 16 Nov 2008 19:24:00 +0000

I am already back stateside from DeepSec and I am now flying to CSI 35th in DC; finally I had time to prepare my DeepSec blog post.

First, I enjoyed DeepSec conference and I am grateful for the invitation to speak there. I love European conferences – and not only for having infinitely (with that being an under-statement of the year) superior coffee during breaks :-) In particular, I liked the audience for my presentation (slides will be posted here soon) and I think the audience liked my material and myself too :-)

What also impressed me a lot was Ivan Ristic speech, which was the second day keynote. He started by simply stating that ‘security industry has failed’ and that ‘a desktop is lost.’ His proof was in typical numbers like “75% of corporate systems are infected with at least 1 malware piece per system”, “1 million of malware types” and “25,000 unique malware samples a day seen.” However, he then broadened the subject and talked about how not only “a trusted desktop” is gone, but the entire world of “trust everything [on a system], all the time” is gone (his ideas were similar to what I planned to present in my HITB 2008 presentation about “the 0wned world”)

I also like how he positioned all those “security user prompts” (in Vista and even before) as a proof that security technologies have failed and now we have to rely on the user to make security decisions (which will obviously fail as well since users are now fully conditioned to “see a chunk of technical mumbo-jumbo, then click OK”)

It was also interesting how he connected a lot of security failures to his “#1 reason: all programs run with all privileges of the user that runs them.” In fact, he illustrated it by reminding the audience that “everybody runs untrusted code every day today [web browser + Javascript, etc] while nobody did this 30 years ago.” He also beat up blackisting as an approach to security (but then again, everybody does it today :-)) - what was interesting that he opined that “we will spend the next 10 years proving that whitelisting will fail just as we spent previous 10 years proving that blacklisting fail.” His main point was that global “onslaught” of whitelisting and code signing will kill all sorts of useful things AND provide little security.

He then called for everybody to think about solving the hard, possibly non-sexy problems. This is the part where I could have used more details :-)

So, a fun speech (even though my telling of it is a bit jumbled… check out his slides whenever they are posted) – and a fun conference overall. Worth a 12 hour flight :-)

Do you know who your employees are?

Sat, 15 Nov 2008 15:18:00 +0000

Do you really?

The Financial Times in London ran an article which illustrates the risks posed by disgruntled IT professionals. According to a recent survey, 88% of redundant IT administrators claimed they would steal valuable and sensitive information from their company if they were ever fired.

A real-life example of this is the systems administrator with the Dept. of Technology who earlier this year created a password which locked officials out of the network because he feared he was losing his job.

While it is very difficult to know if an employee is thinking this way, proper background checking and screening would likely discover if they ever did anything like this to a previous employer.

When a termination is imminent, employers should close all of the employee's accounts and recover devices such as Blackberries, laptops, elctronic key cards and I.D. When we are called in to assist with terminations, we always advise emloyers and supervisors of the need to do this.

Surprisingly, many employers are not in a rush to get back laptops and other devices as they fear "upsetting" the termianted employee. If this is the case, turn over the responsibility to a professional outsourced security consultant who can take care of these duties and the company does not have to worry about being right in the "middle" of the process.

Once again, worrisome financial news prevails

Thu, 13 Nov 2008 21:00:00 +0000

Start to finish, the week was full of news related to the sorry state of the global economy, with Sun capping things off by announcing it will cut thousands of jobs. Casting a little hopeful light on yet another week of dismal news was optimism from IT professionals who say that, unlike with previous downturns, they aren't being ordered to make drastic cuts.

Hacking arrests doubled in Japan in 2007

Sun, 09 Nov 2008 21:00:00 +0000

Arrests associated with unauthorized access to computers more than doubled in Japan in 2007 compared to the previous year, according to figures released by Japan's Ministry of Justice.

Summarizing Zero Day's Posts for October

Tue, 04 Nov 2008 05:28:07 +0000

Here's a brief summary of all of my posts at Zero Day for October. You can also go through previous summaries for September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles for October - Scammers introduce ATM skimmers with built-in SMS notification; Inside an affiliate spam program for pharmaceuticals; CardCops: Stolen credit card details getting cheaper.

01. Cybercriminals syndicating Google Trends keywords to serve malware
02. Scammers introduce ATM skimmers with built-in SMS notification
03. Atrivo/Intercage's disconnection briefly disrupts spam levels
04. Adobe posts workaround for clickjacking flaw, NoScript releases ClearClick
05. Asus ships Eee Box PCs with malware
06. Fake Microsoft Patch Tuesday malware campaign spreading
07. Secunia: popular security suites failing to block exploits
08. Survey: 88% of Mumbai's wireless networks easy to compromise
09. Adobe's Serious Magic site SQL Injected by Asprox botnet
10. Inside an affiliate spam program for pharmaceuticals
11. Google to introduce warnings for potentially hackable sites
12. Lack of phishing attacks data sharing puts $300M at stake annually
13. CardCops: Stolen credit card details getting cheaper
14. Cybercrime friendly EstDomains loses ICANN registrar accreditation
15. Phishers apply quality assurance, start validating credit card numbers
16. Spammers targeting Bebo, generate thousands of bogus accounts

Undetectable Sinowal/Torpig Trojan Steals More Than 300,000 Bank Accounts

Fri, 31 Oct 2008 17:12:57 +0000

Security researchers at RSA’s FraudAction Research Lab have uncovered how a banking Trojan may have stolen the login credentials of as many as 300,000 online bank accounts. The Sinowal (AKA Torpig or Mebroot) trojan has also stole email and FTP account login details. Previous attempts to track the source of the Trojan were unsuccessful. The haul [...]

Making Security Vendor Review a Continuous Process

Thu, 16 Oct 2008 11:23:23 +0000

The IT security market is moving faster than almost any area of technology. The churn of new companies popping up and existing companies getting acquired or disappearing can be seen by comparing a Magic Quadrant with the previous year's version. The ever-changing threat is the major driver for this hyperactivity.

Every security professional needs a list of the vendors used, including open-source projects. Don't just do due diligence with new vendors. Do a vendor check when you are renewing support or upgrading a product, and ensure that you check the status of all your vendors at a regular frequency. Have any vendors been acquired? Are they suddenly cool? Having problems with product vulnerabilities? Talking to their other customers about end of life for a product before there's a formal announcement?

We can help you with this - don't hesitate to call or e-mail us on the status of any IT security vendor before making a purchase or renewing a big-ticket support agreement. At a minimum, you may want to do this before your annual internal budget setting.

Non-cooperation in the fight against phishing

Thu, 16 Oct 2008 09:32:24 +0000

Tyler Moore and I are presenting another one of our academic phishing papers today at the Anti-Phishing Working Group’s Third eCrime Researchers Summit here in Atlanta, Georgia. The paper “The consequence of non-cooperation in the fight against phishing” (pre-proceedings version here) goes some way to explaining anomalies we found in our previous analysis of phishing website lifetimes. The “take-down” companies reckon to get phishing websites removed within a few hours, whereas our measurements show that the average lifetimes are a few days.

These “take-down” companies are generally specialist offshoots of more general “brand protection” companies, and are hired by banks to handle removal of fake phishing websites.

When we examined our data more carefully we found that we were receiving “feeds” of phishing website URLs from several different sources — and the “take-down” companies that were passing the data to us were not passing the data to each other.

So it often occurs that take-down company A knows about a phishing website targeting a particular bank, but take-down company B is ignorant of its existence. If it is company B that has the contract for removing sites for that bank then, since they don’t know the website exists, they take no action and the site stays up.

Since we were receiving data feeds from both company A and company B, we knew the site existed and we measured its lifetime — which is much extended. In fact, it’s somewhat of a mystery why it is removed at all! Our best guess is that reports made directly to ISPs trigger removal.

The paper contains all the details, and gives all the figures to show that website lifetimes are extended by about 5 days when the take-down company is completely unaware of the site. On other occasions the company learns about the site some time after it is first detected by someone else; and this extends the lifetimes by an average of 2 days.

Since extended lifetimes equate to more unsuspecting visitors handing over their credentials and having their bank accounts cleaned out, these delays can also be expressed in monetary terms. Using the rough and ready model we developed last year, we estimate that an extra $326 million per annum is currently being put at risk by the lack of data sharing. This figure is from our analysis of just two companies’ feeds, and there are several more such companies in this business.

Not surprisingly, our paper suggests that the take-down companies should be sharing their data, so that when they learn about websites attacking banks they don’t have contracts with, they pass the details on to another company who can start to get the site removed.

We analyse the incentives to make this change (and the incentives the companies have not to do so) and contrast the current arrangements with the anti-virus/malware industry — where sample suspect code has been shared since the early 1990s.

In particular, we note that it is the banks who would benefit most from data sharing — and since they are paying the bills, we think that they may well be in a position to force through changes in policy. To best protect the public, we must hope that this happens soon.

Comments, administrivia, and the future of the infosec professional

Wed, 15 Oct 2008 18:29:13 +0000

Back when the spam was spiraling out of control, I configured my blog to close comments after 90 days. I’ve removed the limitation now, for two reasons: the spam is under control, and I wanted to reply to a comment made to my post on IPsec/IPv6 direct connect.

On 13 August, jcorey asked about how to deal with those who firmly believe that the only answer to any security problem is to inspect everything at the edge. This is an important question, and I wanted to give Joe an answer. (You might have to scroll down when you click the previous link, it seems that linking to individual comments is broken.)

Today, 15 October, I wrote a little thesis as an answer to his question. I’m calling it out in a separate post because I want to make sure those of you with aggregators that don’t update when posts receive new comments still have a chance to reply with your thoughts. I’ll also repost it here:

jcorey-- You've nailed the biggest obstacle to deploying something like direct connect. Many security professionals have been taught that there simply is, and never will be, a process or technology that allows you to trust anything that originates from outside your corpnet. These professionals cling to this belief, and have been the cause that allowed the whole “detection” market to bloom.

Let me be clear: this total lack of trustworthiness is no longer absolutely true. Of course there will be times when unknown machines will be used by known and unknown people to access your information. But what about one particular subset -- known humans, with known portable computers -- can't we do something better than treat them as toxic invaders?

Indeed we can. And that's what I'm proposing with direct connect. The technology -- managed, of course, with the right processes -- exists so that you can extend the trust to known computers even though you don't trust the network they're connected to. This is because you have mechanisms that:

1. Allow you to configure the machine according to your requirements (domain join, group policy)

2. Dictate computer and user authentication requirements (IPsec policies, smart cards)

3. Limit what the users of these machines can do (UAC, non-admin, Forefront Client Security, Windows Firewall, even software restriction policies)

4. Validate the health of machines initiating incoming connections and remediate if necessary (NAP, System Center Configuration Manager)

5. Limit the threat of attacks against stolen computers (domain logon, smart cards, BitLocker with TPM)

With the robust authentication, validation, configuration, and control mechanisms available to you, I simply don't see that there's any need to fall back to “detection” now. Detection technologies were -- and remain -- necessary for the times when we have no clue about the health of client computers and when we had no way to gauge the intent of the users. But it is truly reflective of a head-in-the-sand mentality to assume that this is a complete description of what's capable today.

You know, someone once asked me what it takes to be a security professional. I answered that there are two primary elements: become a networking/packet wonk, and be willing to change your opinions when the right evidence comes along. Indeed, I suspect that many security folk have forgotten the need to keep their wonikness updated, which in turn makes them resist new ideas regardless of the strength of the evidence. I'm not very proud of what I just wrote, because I loathe generalities, but I'm not sure what else to think here. Sigh.

Joe’s question is important and strikes at the foundation of what it means to be a security professional today. I’m eager to continue this conversation, because it’s reflective of what I sense to be a radical shift in our jobs—we are, or should be, no longer the wolf-crying propeller-head who sits in the basement and twiddles with the firewall. Instead, our job should be defined as one who’s charged with protecting the organization’s information from attack, while maximizing its utility to authorized users, according to the principles of least privilege. Your thoughts?