[SecurityRatty] tag: real-time

The Good Get Conned-When Trust is Biological

Mon, 01 Dec 2008 11:00:35 +0000

Bruce Schnier linked to an interesting article a while back, discussing how brain chemistry causes you to trust people when demonstrate that they trust you, especially when they’re relying on you and may be vulnerable…interesting stuff:

THOMAS is a powerful brain circuit that releases the neurochemical oxytocin when we are trusted and induces a desire to reciprocate the trust we have been shown–even with strangers. The key to a con is not that you trust the conman, but that he shows he trusts you. Conmen ply their trade by appearing fragile or needing help, by seeming vulnerable. Because of THOMAS, the human brain makes us feel good when we help others–this is the basis for attachment to family and friends and cooperation with strangers

So my question: if real-life cons can easily scam people by appearing to depend on them, how does this affect the scams we see on the Net? Clearly some online cons rely on this method — the Nigerian bank scam being a prime example. It seems like social engineering scams particularly rely on this method — but not all scams. And of course many other vulnerabilities just seem to rely on people’s habits to just click links willy-nilly online, which is an impersonal event. If the net were a more personal place, we might see many more of those kinds of scams.

FBI Stoking Fear

Thu, 27 Nov 2008 09:27:35 +0000

Another unsubstantiated terrorist plot:

An internal memo obtained by The Associated Press says the FBI has received a "plausible but unsubstantiated" report that al-Qaida terrorists in late September may have discussed attacking the subway system.
[...]

The internal bulletin says al-Qaida terrorists "in late September may have discussed targeting transit systems in and around New York City. These discussions reportedly involved the use of suicide bombers or explosives placed on subway/passenger rail systems," according to the document.

"We have no specific details to confirm that this plot has developed beyond aspirational planning, but we are issuing this warning out of concern that such an attack could possibly be conducted during the forthcoming holiday season," according to the warning dated Tuesday.

[...]

Rep. Peter King, the top Republican on the House Homeland Security Committee, said authorities "have very real specifics as to who it is and where the conversation took place and who conducted it."

"It certainly involves suicide bombing attacks on the mass transit system in and around New York and it's plausible, but there's no evidence yet that it's in the process of being carried out," King said.

Knocke, the DHS spokesman, said the warning was issued "out of an abundance of caution going into this holiday season."

Got that: "plausible but unsubstantiated," "may have discussed attacking the subway system," "specific details to confirm that this plot has developed beyond aspirational planning," "attack could possibly be conducted," "it's plausible, but there's no evidence yet that it's in the process of being carried out."

I have no specific details, but I want to warn everybody today that fiery rain might fall from the sky. Terrorists may have discussed this sort of tactic, and while there is no evidence yet that it's in the process of being carried out, I want to be extra-cautious this holiday season. Ho ho ho.

Is That a Coffee Table or a Munition?

Tue, 25 Nov 2008 09:40:20 +0000

One of the standard software security prescriptions for the SDLC is to data classification and enforce least privilege. From a security perspective this sounds fantastic, especially on a whiteboard. When the rubber meets the real world road, things often turn out slightly different.

It turns out that it is hard to conduct business with excessive granularity.

Here is an article from The Economist on the challenges of space technology, commercialization and information sharing. This is widely applicable to corporate information security policies:

Gravity is not the main obstacle for America’s space business. Government is
IN THE spring of 2006 Robert Bigelow needed to take a stand on a trip to Russia to keep a satellite off the floor. The stand was made of aluminium. It had a circular base and legs. It was, says the entrepreneur and head of Bigelow Aerospace in Nevada, “indistinguishable from a common coffee table”. Nonetheless, the American authorities told Mr Bigelow that this coffee table was part of a satellite assembly and so counted as a munition. During the trip it would have to be guarded by two security officers at all times.

Exporting technology has always presented a dilemma for America. The country leads the world in most technologies and some of these give it a military advantage. If export rules are too lax, foreign powers will be able to put American technology in their systems, or copy it. But if the rules are too tight, then it will stifle the industries that depend upon sales to create the next generation of technology.

It is a difficult balance to strike and critics charge that America has erred on the side of stifling. They claim that overly strict export controls have so damaged the space industry that America’s national security is now threatened by its dwindling leadership in space technology. The system, they complain, fails to distinguish between militarily sensitive hardware that should be controlled and widely available commercial technologies, such as lithium-ion batteries and solar cells. The zealous application of the export rules is the American space industry’s biggest handicap.

Read the whole thing its fascinating. So what started off as well intentioned asset protection eventually compromised the most important asset of all - strategic advantage.

So what's a better model? I am partial to think about these sorts of problems as free trade agreements. Each integration point should have a set of policies, and enforcement mechanisms that also include compensating transactions.

For example, did you know that in the US you can buy companies that trade on other exchanges through ADRs? You buy the ADR of say a French Telco which trades on a European exchange only you buy the ADR on the NYSE or Nasdaq. Then the French Telco issues you a dividend because you are a shareholder, but the French government withholds the dividend for foreign owners. Yet because there is a free trade agreement between the two countries, the US lets you write off the unreceived portion of the dividend on your taxes. (this may or may not be the case in US-France just an example). Anyway, its not a silver bullet but its an interesting strategy.

Schoolteacher Julie Amero Released, Felony Charges Dropped

Mon, 24 Nov 2008 10:35:14 +0000

One of the real danger of technology, the reason for so much IT-Insecurity, is that many people don’t understand it well.

Case in point is the jury trial of Julie Amero, a schoolteacher who was charged with felony for allegedly showing porn to her class–when in fact the porn sites were popups caused by malware on the classroom computers that popped up while she was teaching:

a series of incompetent computer experts and overzealous prosecutors tried to claim that the pornography that appeared on the school computer browser was deliberately viewed. In reality the computer was infected with a browser hijack or other form of malware nastiness that launched a flood of porn pop-ups. There was an outpouring of support and some technical folks like Alex Eckleberry, who led an effort to prove that Julie was innocent of the charges

After a long trial, Amero has finally been vindicated. But she has still lost those years of her life spent on the case, her teaching credential, and is being charged a $100 fine. While her trial might be over, her personal troubles aren’t.

Links for 2008-11-20 [del.icio.us]

Thu, 20 Nov 2008 21:00:00 +0000

Got SIEM? - Part IV « eIQviews
Customers tend to use SIEM technologies for more reactive efforts, such as post-event forensics, rather than as a true correlation solution to determine unusual behavior or policy violations before they have a chance to affect systems and data.
SIEM Blog » Unrestricted Data Collection for Maximum Compliance and Forensic Visibility
Beast Or Buddha » Blog Archive » So we own your client database and everything important to you…
Web Developer: “Just because you can do that doesn’t mean we have a major problem like you say it is. It’s just you that did it!” SG dude: “Well more than likely, others have….we didn’t do anything fancy…”. Web Developer: “Well nothing has ever happened so it’s just you guys!” SG dude: “You have no logging”. Web Developer: “We’ve never been hacked!”
On Data Loss Prevention (DLP) » My Wife Finally Knows What I Do
The Two Kinds Of Security Threats, And How They Affect Your Life | securosis.com
We get money for noisy threats, and get called paranoid freaks for trying to prevent quiet threats (which can still lose our organizations a boatload of money, but don’t interfere with the married CEO’s ability to flirt with the new girl in marketing over email).
Marcus Ranum on Network Security - CSO Online - Security and Risk
The real best practices have been the same since the 1970s: know where your data is, who has access to what, read your logs, guard your perimeter, minimize complexity, reduce access to "need only" and segment your networks.

Mamma.com: Insider trading and XSS

Tue, 18 Nov 2008 06:55:00 +0000

Mamma.com's got issues other than Mark Cuban's insider trading allegations. As a point of reference for this conversation, Mamma.com is ranked 4064 on Alexa as of today.
I won't profess to following Mr. Cuban's public life and the occasional antics. Obviously, he's a colorful and popular figure; certainly in Dallas, if not nationally.
What follows is not a judgment of Mr. Cuban or his pending legal challenges. I'm sure the process will play itself out accordingly.
A quick summary and some reference material:
The SEC has filed insider trading charges against Mr. Cuban. "According to the SEC, Cuban dumped 600,000 shares, or all of his 6.3% stake, in the search engine Mamma.com (The Mother of All Search Engines), in June 2004 after learning about private financing that the company was proposing. By selling, he avoided losing $750,000, the SEC alleges."
The whole issue for Mr. Cuban was PIPE financing because it's "dilutive to existing shareholders’ stakes."
That's the long and the short of the current issue, and again, not my real interest here, with the exception of the bet I made with myself regarding the probable web application security posture of mamma.com.
All this talk about a popular site immediately sets off the little bell in my head (I hear it a lot).
"What's wrong with the site?" is always the first question I ask myself.

I was not disappointed.

Mamma.com exhibits the following issues:
1) XSS vulnerability in the utfout variable.

2) XSS vulnerability in the qtype variable.

3) XSS vulnerability in their Mammajobs site at the pid variable. This one's weirder still; if you drop an IFRAME in, it simply redirects to any URL you include in the IFRAME string.

4) The prospect of CSRF (rather pointless here given that its just a search engine, but but still defies best practices) appears likely given that mamma.com blindly accepts updates via GET and POST with no sign of a formkey (canary) in sight.

I figured it best to stop there, and have submitted all these to Copernic (the Momma parent company).
I am however truly disappointed that an enterprise as ambitious and motivated as Momma/Copernic seems to have thrown the baby out with the bath water when it comes to web application security.
With regard to Mark Cuban dumping his shares: maybe he was afraid of getting pwned. ;-) All kidding aside, it's a shame that the whimsical and pessimistic thoughts regarding web site security that bounce around in my head inevitably bear themselves out.

del.icio.us | digg | Submit to Slashdot

Links List 11.17.08

Mon, 17 Nov 2008 19:35:52 +0000

Wow. I think we all know that we can take or leave surveys – numbers don’t mean a lot without context. In this case the “context” is the current economic meltdown. The Society for Information Management (SIM) released the results of their 2008 IT Trends Survey – predicting an “upbeat” forecast for IT jobs; the HUGE caveat here is that the study was conducted before all the recent economic woes. Apparently organizations are using IT to drive efficiencies, streamline operations, and cut costs rather than just slashing the IT budget to save money during the downturn. What would be a nice follow-up: a quick second survey comparing responses before and after. Regardless Jerry Luftman, SIM vice president of academic affairs, still says the survey results demonstrate “that the overall state of IT remains very strong.”

The sky is falling! Trip Chowdhry, the analyst with Global Equities Research who claimed Red Hat was ‘rubbish and the entire LAMP stack is potty, too’ published some eye-opening predictions, predominantly negative, about tech business in Silicon Valley. Now Chowdhry claims that “almost every VC funded open-source company is struggling and will run out of money within the next six months.” (Probably not the most unbiased guy about open source) Matt Asay argues that organizations in general are struggling, but open-source companies are not that high on the list. (But are they high on the VC “axe” list??) He notes Alfresco, Pentaho and JasperSoft are some of the players with ‘millions in the bank and growing revenue.’ Asay also says Chowdhry has a responsibility to do real due diligence and not create myths. Take that, Chicken Little! (img from Disney-Clipart)

We’re not as far behind as we thought we were. Google presented the results of a study they conducted about how IPv6- capable “ordinary users” are at the RIPE meeting in Dubai a few weeks ago. Turns out Apple Macs drive IPv6 penetration in the US. Fifty-two percent of all IPv6 users in the U.S. own a Mac and use 6to4 (creating IPv6 addresses from an IPv4 address and tunneling packets) – making the US fifth in the list of countries using IPv6. Russia and France took first and second place with .76 and .65 percent IPv6-enabled traffic . The US is at .45 percent. Worldwide, 0.238 percent of Google users’ systems are IPv6-enabled and prefer to use IPv6 over IPv4.

Obama’s win = Google’s win? Apparently Google CEO Eric Schmidt and President-Elect Obama are very good buddies and “this terrifies Microsoft”. Now competitors are more on guard against Google’s growing empire and popularity. Although Schmidt was mentioned as a possible candidate for the country’s new national CTO position, he said he would not accept the post if asked. I guess that’s one less thing Microsoft has to worry about.

Do you know who your employees are?

Sat, 15 Nov 2008 15:18:00 +0000

Do you really?

The Financial Times in London ran an article which illustrates the risks posed by disgruntled IT professionals. According to a recent survey, 88% of redundant IT administrators claimed they would steal valuable and sensitive information from their company if they were ever fired.

A real-life example of this is the systems administrator with the Dept. of Technology who earlier this year created a password which locked officials out of the network because he feared he was losing his job.

While it is very difficult to know if an employee is thinking this way, proper background checking and screening would likely discover if they ever did anything like this to a previous employer.

When a termination is imminent, employers should close all of the employee's accounts and recover devices such as Blackberries, laptops, elctronic key cards and I.D. When we are called in to assist with terminations, we always advise emloyers and supervisors of the need to do this.

Surprisingly, many employers are not in a rush to get back laptops and other devices as they fear "upsetting" the termianted employee. If this is the case, turn over the responsibility to a professional outsourced security consultant who can take care of these duties and the company does not have to worry about being right in the "middle" of the process.

Pentagon Clears Flying Car Project for Take-Off

Thu, 13 Nov 2008 11:12:00 +0000

Pentagon mad science division Darpa is helping build thought-controlled robotic limbs, artificial pack mules, real-life laser guns, and "kill-proof" soldiers. So it comes as no surprise, really, that the agency is now getting into the flying car business, too.

Hosting Meets the Cloud Debate Part II

Wed, 12 Nov 2008 18:35:55 +0000

I have to say that Part II of this session was much anticipated after the lively interaction yesterday. It turned out to be less of a debate and more like a fireside chat. (image from pro.corbis.com)

The analysts paired up today:
Antonio Piraino (Tier1 Research)
William Fellows (The 451 Group)

My usual disclaimers on live-blogging: doesn’t include everything covered (just what was most interesting to me) and had to paraphrase some answers because I simply cannot type that fast.

Quick definition of Cloud Computing
WF: The cloud is a continuum of grid, virtualization and utility done right. It is about provisioning services instead of servers; flexible computing instead of fixed assets. Done right, the cloud abstracts users from the complexity of grid. Cloud computing is IT as a service. Cloud computing is the Third Way – not entirely in-house or outsourced, but an optimized hybridized version of both. In light of the Goldman Sachs report out resetting IT spending forecast from up 6% to down 1%, don’t underestimate the ability for enterprises to move from capex to opex by buying cloud computing instead of building it themselves.

The 451 Group conducted a survey on cloud computing in March, and then revisited it a month ago. Some interesting results:

84% have no plans to develop an internal cloud. 5% had no answer to this question. And for the 10% who did answer – the uses for a private/internal cloud were the same as those for a public cloud.
Top 6 vendors they look to help them develop an internal cloud: Microsoft, IBM, Cisco, HP, Oracle, VMware

Is it all “upside” when it comes to cloud computing?

WF: Watch out for the Trojan horse, the red flag. What about the software needed to manage all this stuff? Any management software needs to take a holistic approach to solve the problem.

AP: Increased management requirements and capability – this is actually a great story for managed hosters who can hold your hand while getting you up into the cloud. Hosters alleviate the pain points, and this is why we’re going to see continued growth and focus in the managed hosting sector.

WF: I would argue that they’re too expensive. Look at Amazon – 10 cents a hit adds up.

AP: It’s almost impossible to do an apples-to-apples comparison between cloud providers. One reason is that they charge differently. I’d say that when you’re talking about the big cloud providers, you are right – that they are expensive over the long-term, but for use in the short-term, they can be optimal.

WF: The cloud is setting big expectations. Can IT deliver? It’s nice to talk about “shared resources for the greater good” but in any organization, you will still run into issues of power and control! Plus it’s still early days for resolution of regulatory issues and compliance around the cloud.

Final Thoughts

AP: Think of the opportunities of using cloud computing resources in the areas of testing and pre-production – short-term use/environment (quick up/quick down), inexpensive, opex not capex. We’re already seeing the cloud fostering much innovation.

WF: “It’s okay to fall in love with the term.” It is real but keep the expectations lower and realistic.

AP: I agree with you. The reality is that the cloud is driving a very fundamental underlying platform change. This is not just a term or something that will fall out of fashion. There’s a real need to build trust in the cloud and leveraging shared resources in this way – so use the cloud computing term cautiously; don’t abuse it and make the cloud seem like IT’s new toy.