[SecurityRatty] tag: region

Southeast Asia: Perspectives on Compliance

Tue, 02 Sep 2008 20:00:00 +0000

This past weekend, I left Southeast Asia after a week-long trip to Bangkok, Singapore and Manila. The week was spent in back-to-back meetings with customers and our local sales teams, and the majority of our discussions centered on PCI DSS and compliance in general. One clear takeaway: Compliance is one of THE growing areas of concern for businesses in the region.

I found the degree to which customers in the region were concerned about compliance to be a bit of a surprise. I say 'surprise' because I often hear that compliance isn't as much of an issue outside of the U.S. From what we're seeing, though, the regulatory environment in non-U.S. geos, including Southeast Asia, is becoming more complicated...

Serializable XmlDocument

Mon, 18 Aug 2008 22:58:00 +0000

It's surprising that XmlDocument isn't marked [Serializable], because it's very natural to serialize one into a stream. I wanted to put an object into ASP.NET ViewState the other day, and quickly ran into this roadblock, because part of the object included an XmlDocument, which is not serializable. A quick search revealed that most people deal with this problem by storing a string instead. Indeed, that was where I started, but I quickly realized that there are multiple places in my code where I want to do this sort of thing, and I don't want to have to mess with it in each data structure that contains an XmlDocument.

So I put together a simple class that holds an XmlDocument and implements ISerializable and called it SerializableXmlDocument. I'm sharing the source code here in the hopes that

a) somebody will find it useful, and

b) somebody smarter than I am will point out how I screwed it up and help me make it better.

SerializableXmlDocument includes implicit conversion operators to make it easy to convert to/from an XmlDocument. It holds the actual document in a property called Value. This "isomorph" pattern is one that I picked up from Craig.

While writing this code, I also wrote a helpful extension method for getting a byte array out of a MemoryStream that is exactly the length of the data written to the stream so far (CopyUpToSeekPointer). So don't go looking in the docs for MemoryStream for this method :) This is obviously not the most efficient way to consume bytes written to a MemoryStream since it copies the data into a new byte array, but it's very convenient in many scenarios.

Here is SerializableXmlDocument.cs:

using System;
using System.Runtime.Serialization;
using System.Xml;
using System.IO;

namespace Pluralsight.Samples
{
    [Serializable]
    public class SerializableXmlDocument : ISerializable
    {
        public SerializableXmlDocument() { }
        public SerializableXmlDocument(XmlDocument value)
        {
            this.Value = value;
        }

        public XmlDocument Value { get; set; }

        #region ISerializable implementation
        public SerializableXmlDocument(SerializationInfo info,
                                       StreamingContext context)
        {
            byte[] serializedData = (byte[])info.GetValue("doc",
                typeof(byte[]));
            if (null != serializedData)
                this.Value = Deserialize(serializedData);
        }

        public void GetObjectData(SerializationInfo info,
                                  StreamingContext context)
        {
            byte[] serializedData = null;
            if (null != Value)
                serializedData = Serialize(Value);
            info.AddValue("doc", serializedData);
        }
        #endregion

        #region implicit conversion to/from XmlDocument
        public static implicit operator SerializableXmlDocument(
            XmlDocument doc)
        {
            return new SerializableXmlDocument(doc);
        }
        public static implicit operator XmlDocument(
            SerializableXmlDocument sdoc)
        {
            return sdoc.Value;
        }
        #endregion

        #region Xml serialization helper methods
        private static byte[] Serialize(XmlDocument doc)
        {
            MemoryStream stream = new MemoryStream();
            doc.Save(stream);
            return stream.CopyUpToSeekPointer();
        }
        private static XmlDocument Deserialize(byte[] serializedData)
        {
            XmlDocument doc = new XmlDocument();
            doc.Load(new MemoryStream(serializedData, false));
            return doc;
        }
        #endregion
    }
}

...and here's the CopyUpToSeekPointer extension method for MemoryStream:

using System;
using System.IO;

namespace Pluralsight.Samples
{
    public static class MemoryStreamExtensionMethods
    {
        public static byte[] CopyUpToSeekPointer(
            this MemoryStream stream)
        {
            // copy only the part of the buffer
            // that contains the serialized document
            long length = stream.Position;
            byte[] buffer = stream.GetBuffer();
            byte[] result = new byte[length];
            for (int i = 0; i < length; ++i)
                result[i] = buffer[i];
            return result;
        }
    }
}

...and here's a sample object that uses SerializableXmlDocument:

using System;

namespace Pluralsight.Samples
{
    [Serializable]
    public class Item
    {
        public string Name { get; set; }
        public SerializableXmlDocument Data { get; set; }

        public void Print()
        {
            Console.WriteLine("Name: {0}", Name);
            Console.WriteLine(Data.Value.OuterXml);
        }
    }
}

...and here's a sample program that creates an instance of Item, serializes it, then deserializes it, printing diagnostics along the way to show that it's working properly.

using System;
using System.Xml;
using System.Runtime.Serialization.Formatters.Binary;
using System.IO;
using Pluralsight.Samples;

class DemoProgram
{
    static void Main(string[] args)
    {
        XmlDocument doc = new XmlDocument();
        doc.LoadXml("text");

        Item item = new Item
        {
            Name = "Testing 123",
            Data = doc,
        };

        // print object before serialization
        item.Print();

        BinaryFormatter formatter = new BinaryFormatter();
        MemoryStream stream = new MemoryStream();
        formatter.Serialize(stream, item);

        byte[] serializedItem = stream.CopyUpToSeekPointer();

        Console.WriteLine("Serialized data (base64): {0}",
            Convert.ToBase64String(serializedItem));

        item = (Item)formatter.Deserialize(
            new MemoryStream(serializedItem, false));

        // print object after deserialization
        item.Print();
    }
}

Here's the output of the previous sample program:

Flame away!

Corporate Identity Theft

Sat, 16 Aug 2008 05:58:30 +0000

I remember a talk by the value investor Mason Hawkins (Longleaf Funds) where someone asked him about investing overseas. He answered that he does, but mainly in places where the British flag flew at some point, where there is a rule of law. Here is one example of what he is worried about and why investing in places where your assets have no legal protection does not give the investor a margin of safety.

Hermitage Fund was until recently the largest fund in Russia. From the Business Week story "Hijacking the Hermitage Fund"

Corruption, intimidation, robbery, violent assault, forgery, large-scale fraud. No, not the subject of the latest John Grisham novel, but sensational allegations, made public Apr. 4 by Hermitage Capital Management -- until recently the largest foreign portfolio investor in Russia. In a detailed and damning report, titled Criminal Justice -- Russian-Style, Hermitage alleges the fund's Russian subsidiaries have fallen victim to an elaborate con designed to defraud the fund of hundreds of millions of dollars.

The most sensational part of Hermitage's allegations is that the attempted larceny was carried out with the direct connivance of officials in the Russian police. Hermitage alleges the police seized documents and equipment that were instrumental to the attempted fraud, which involved bogus court cases based on forged documents, the aim of which was to sue Hermitage subsidiaries for hundreds of millions of dollars. "The most shocking thing is not that there are corporate raiders in Russia who attempt to steal your shares," says Jamison Firestone, managing partner of Firestone Duncan, Hermitage's law firm. "The shocking thing is that the police worked hand-in-hand with them, and actually performed the theft of the documents so that the corporate raiders could then do their work."

From the most recent Hermitage Fund letter, here is the current state:

So the two-pronged scam worked in one area and failed in another. The perpetrators weren’t able to steal the assets from us based on the fake court claims, but they were able to steal $230 million from the Russian government by filing amended tax returns on behalf of our stolen companies. What makes this story even more shocking is that we filed six 255-page criminal complaints with the Russian authorities in December last year, one month before the tax fraud took place, and they did nothing to stop it. Two complaints were sent to the Russian General Prosecutor, two to the Russian State Investigative Committee and two to the Internal Affairs Department of the Interior Ministry. There was enough information to prevent the fraud and indict a number of people behind it if the government had acted.
Instead of doing anything to save the Russian state from this highly sophisticated and organized looting, two of our complaints were thrown out immediately; two were returned to the same Interior Ministry official we were complaining about (essentially, he was being asked to “investigate himself”); and one was thrown out for “lack of any crime committed.” Only one complaint was taken seriously. It was taken up by the Russian State Investigative Committee in early February, but before it could get any traction, the case was lowered to the South region of the Moscow district of the State Investigative Committee (the lowest level of the Committee) and by June, another senior Interior Ministry official whom we had named in our complaint had joined the “investigation” team (again, to “investigate himself”). To this day there has been no serious response by the Russian authorities to this massive fraud against the Russian state.
As we described in our April letter, the problem of corporate “raiding” is now so endemic in Russia that President Medvedev speaks about it as one of the biggest problems faced by Russian businesses. In this case, raiders have taken this problem to a new and absurd extreme by “raiding” the Russian state itself and so far getting away with it. Together with HSBC, we will shortly be filing new criminal complaints with the Russian General Prosecutor and Russian State Investigative Committee as well as with many law enforcement authorities outside of Russia. It is hard to predict what will happen next in this unfolding and unbelievable saga, but as always we will keep you updated on any further developments as they arise.

Of course we see individual identity theft on a regular basis (actually as Ross Anderson points out its not really identity theft but poor controls on the bank's parts using SSNs as secrets and so on), but you dont see a major corporation stolen every day.

Coordinated Cyber Attacks Hit Websites Due To Russian-Georgian Conflict

Tue, 12 Aug 2008 11:05:04 +0000

Conflict between Georgia and Russia on the ground has been accompanied by the relaunch of cyber-attacks against Georgian government websites. The Georgian presidential (www.president.gov.ge) and other government websites (such as www.parliament.ge) were left inaccessible by assaults over the weekend, in a repeat of attacks in late July before tensions over the breakaway region of South [...]

Automated Spim on Microblogging Site Via MSN Messenger

Thu, 07 Aug 2008 17:12:09 +0000

There's been a fair amount of Twitter coverage recently, but it's worth noting that other countries have their own versions of Twittering and some of them have seem to be a little easier to use in conjunction with Instant Messaging, whereas Twitter still seems to have a need for third party services, add-ins and other tools to get the job done if the service used is something other than Google Talk, Livejournal Chat or Jabber (if it's now more straightforward for other clients too, please let me know!)

Either way, the below illustrates why adding Instant Messaging features to services such as Twitter can cause problems in the long run and needs to be considered carefully.

We were alerted to the fact that a large amount of Spam seemed to be coming out of China in the last day or two (indeed, one contact mentioned to me that this particular message had been sent to their Honeypot around 29,000+ times, which is a lot of spamming for one URL however you look at it). The spam in question seemed to have been sent via a Spambot, and the only mentions of this URL so far in search engines seems to be related to China - shall we take a look?

The URL in question (with part of it redacted) is

http: //5834******/ ;)

You'll notice the spam is short, snappy and also includes a little smiley-face thing at the end. In fact, it looks a little bit like the kind of link people send to their contacts on Twitter, doesn't it?

Well, let's see - a quick search and we find this:

Click to Enlarge

A page from Fanfou.com, which I believe is a Chinese site "inspired" by Twitter with much of the same features and functionality. In fact, it has one feature working straight off the bat that Twitter users previously had to rely on plugins for - the ability to send messages to their page via MSN Messenger updates.

http: //5834****** doesn't actually resolve anywhere - however, a quick Ping to that address and we have an IP:

Click to Enlarge

Type the IP address into the browser, and via some geolocational technology, you'll see a region specific version of the following dating website:

Click to Enlarge

Go back to the page on Fanfou.com, scroll down and select any of the clickable links and surprise - the same page appears. This particular account on Fanfou has something like 30+ pages devoted to endless Spim links via MSN. They link to placeholder pages, sites that look as though they've been suspended and / or deleted with no way to determine what content was there previously - all interspersed with "Twitter" style messages throughout such as this:

Again, note everything is coming via MSN. By this point, you're probably wondering exactly how they allow you to send messages to their Twitter-style pages. Well, the solution is quite clever - check out the IM page. You enter your MSN address, and when you login to your MSN account, you'll suddenly find you have a new IM buddy who wants to be a contact:

Add it, and whenever you want to put a message on your page, send it an instant message and, lo and behold, your Tweet-style message has appeared on your page:

Click to Enlarge

In conclusion, the steps here appear to be

1) Create a Spambot that infects users via MSN Messenger
2) Tailor the messages it sends to be short and sweet, just like a Twitter-style message
3) Set up an account on a service such as Fanfou.com that makes it easy to send messages to your page via MSN Messenger (or other IM services affected by your bot)
4) Infect the PC running your MSN Messenger account then watch as it spams the userpage with whatever messages you want it to send.

Of course, the links can be anything from dating sites and ringtone adverts to infection files and exploits - all made so much more easier (and far less time consuming than manually typing in URLs to your userpage) by the functionality built into the site you happen to be using. It's also worth noting that the accounts sending the Spim don't have to be set up by the spammer - they could be compromised accounts that had been hijacked when clicking a rogue IM link, which is a great way of filling out the spamming ranks very quickly.

This is definitely something Twitter - and any other site out there involved in microblogging - need to keep an eye out for, and consider carefully when thinking of adding integration with popular Instant Messaging clients.

We detect the file sending the weblinks via MSN as Foubot.

Research and Writeup: Christopher Boyd, Director of Malware Research
Additional Research: Chris Mannon, Senior Threat Researcher

A New Generation of Tech in DC

Fri, 18 Jul 2008 17:24:20 +0000

Perception is often a form of reality. When I look back at the first Dotcom revolution, the first thing I think of is the massive rise of technology and creative energy in Silicon Valley. But I soon start thinking about the atmosphere that fostered that spirit and energy, a fun and easy-going vibe that allowed individuals to act like, well individuals! The fun laid-back atmosphere had many stories and tales of crazy parties to celebrate the success that was happening. Indeed those mavericks lived a “Play Hard, Work Harder” lifestyle.

I recently spoke with a friend who left the DC region for a position in Silicon Valley. When I asked what he thought of the move he said, “Well, you have the same giant buildings with technology company names on the outside rising out of nowhere. You have the same high quality of engineer, but it seems that the difference is in DC, everyone wears a suit or a tie and looks down upon you if you grab a drink at lunch, or unwind like a younger person would.”

I thought long and hard about his comment and decided that I would have to find out for myself. Is the DC area high tech community really that stuffy? Do people really not enjoy a good stiff drink after a long day?

Last night, I attended the Twin Tech party, a sponsored happy hour with the worthy goal of “mixing up our vast, and somewhat fragmented technology culture here in the greater DC region”. I can officially say, the DC tech scene is changing and it’s changing fast.

Let’s start with the venue, instead of holding this event in the suburbs (McCormick & Schmicks anyone?) or at a large hotel bar, they chose to have the event at a trendy up-and-coming part of town in what can be best described as one of DC’s hottest bars, Local 16. Not only that, because of the overwhelming response to attend, they had to rent out the bar next to it as well.

I expected that I would arrive and find the place mostly empty and have a few suits there chatting over a drink or 2. Instead I found myself at the overflow bar with a number of young up and comers in the space. It was impossible to get into the original venue, and the second venue was packed as well! Amongst all the people I found a friendly, happy, open vibe that allowed for great conversation, and interesting discussion about new technologies and the ideas people had about using and building the future.

It was the best of both worlds for a young technologist. I was able to discuss the topics and issues that were most facilitating and relevant (Social Networking from a corporate perspective, new blogging ideas, how new media is helping old media, etc), while still having a great time, and allowing myself to be properly refreshed for a hot DC summer night.

ShareThis

Fort Lewis soldiers exposed by laptop theft

Fri, 11 Jul 2008 09:44:02 +0000

Technorati Tag: Security Breach

Date Reported:
7/9/08 (UPDATED 7/11/08 - Laptop with information about soldier found; Lacey teen arrested)

Organization:
United States Army

Contractor/Consultant/Branch:
Fort Lewis*

*The principal Fort Lewis maneuver units are the 1st Brigade, 25th Infantry Division and the 3d Brigade, 2nd Infantry Division. It is also home to the 593d Corps Support Group, the 555th Engineer Group, the 1st MP Brigade (Provisional), the I Corps NCO Academy, Headquarters, Fourth ROTC Region, the 1st Personnel Support Group, 1st Special Forces Group (Airborne), 2d Battalion (Ranger), 75th Infantry, and Headquarters, 5th Army (West). Fort Lewis has more than 25,000 soldiers and civilian workers, source: About Fort Lewis

Victims:
Soldiers

Number Affected:
~800 - 900

Types of Data:
"personal information"

Breach Description:
"A laptop computer that was reported stolen from an Army employee’s truck last week contained personal information on about 800 to 900 Fort Lewis soldiers, said military and Lacey police officials."

Reference URL:
KING Channel 5 News
Tacoma News

Report Credit:
Elisa Hahn, KING Channel 5 News

Response:
From the online sources cited above:

A laptop computer that was reported stolen from an Army employee’s truck last week contained personal information on about 800 to 900 Fort Lewis soldiers, said military and Lacey police officials.

In this case, an Army employee told Lacey police he left the laptop and a 500-gigabyte removable hard drive on the seat of his Dodge truck, parked unlocked in front of his house overnight July 3
[Evan] Storing personal information on removable devices such as laptops, external hard drives and flash drives without encryption, strike one. Moving the mobile device outside of a controlled area is strike two. Leaving the mobile device overnight in an unlocked vehicle in plain sight of passers-by is an emphatic strike three.

He reported them stolen about 10 a.m. on July 4.
[Evan] A soldier's personal information stolen on the day our country celebrates our independence is insulting.

A post spokeswoman said officials were notifying the involved soldiers out of concern that the case might put them at risk for identity theft.

the Army began no later than Wednesday notifying the affected soldiers through e-mail and phone calls. They’ll get follow-up letters.

Officials said the employee, a civilian military personnel specialist, appears to have violated Army standards and policies for protecting personal information and government property.

Army laptops and removable storage devices containing personal information are generally restricted to on-post workplaces but can be signed out with a supervisor’s permission.

They’re also supposed to be password-protected and personal information is supposed to be encrypted

The Army is assisting Lacey police with the theft investigation and conducting its own review, said Catherine Caruso, a Fort Lewis spokeswoman.

"We’re not releasing anything more about what information was inappropriately compromised or about the soldiers whose information was involved," Caruso said.

"Clearly it was personal information regarding 800 to 900 soldiers from Fort Lewis. Beyond that, we’d rather not specify."

there was no classified, secret or top-secret information on the laptop and the hard drive.

Caruso said the employee was working on a project regarding a particular unit at a location other than his office.

She said "it would be inappropriate to speculate" about what potential disciplinary action the worker might face if he is found to have broken security rules.
[Evan] It is probably inappropriate to speculate, but you know we will anyway. My guess is that there is another person looking for a job in the Olympia, Washington area.

Since the theft, post officials have set new training requirements for military personnel staff and prepared a memo for each employee to sign outlining the safeguarding and reporting requirements

Commentary:
When someone's poor judgment creates unnecessary risk to military personnel it carries a little more weight for me. These men and women give everything to protect us. Without them I wouldn't be able to write this, and without them you wouldn't be able to read it.

Past Breaches:
United States Army:
June, 2008 - Walter Reed Army Medical Center breach through P2P
April, 2008 - Excel Spreadsheet on the web exposes Army officers and civilians

CBAC & Medical Identity Theft

Thu, 10 Jul 2008 06:09:41 +0000

Good story to keep in mind for those of you working on CBAC. Claims neeed protection and verification. Why steal an identity when you can capture a claim? (hattip: askelizabeth)

The Sopranokovs

The Russian mob comes to town with a new scam—medical identity theft.

When FBI special agent Ted Price peered through the window of a dingy brick storefront on Southwest Morrison Street in March, it was what he didn’t see that caught his attention.

The business, called UnimedCorner, claimed to provide ailing seniors with orthotics—braces and other devices to correct foot, joint and back problems.

Price and other federal investigators were skeptical.

On Unimed’s showroom floor, Price saw wheelchairs, motorized scooters, a variety of canes and, on the walls, a selection of amateurish paintings and framed photographs. There was no evidence, however, of the kinds of equipment for which Unimed had billed Medicare nearly $2 million in the previous couple of months.

“I observed wheelchairs and canes through the window but did not see any orthotics in the store,” Price later wrote in a search-warrant affidavit. “It is a sign of fraud that the store is not stocking the items [for which] it is billing.”

By the time Price arrived on the scene, the company’s owner, a shadowy Russian immigrant named Alexandr Shcherbakov, was long gone.

Today, Shcherbakov’s store sits undisturbed. The message light on the phone blinks, dead potted plants droop and a stuffed toy monkey slumps in a glass display case.

And behind the cash register hangs a framed poster of television’s best-known mobsters, the Sopranos.

From interviews and information presented in federal affidavits, it is clear Shcherbakov moved to Oregon to commit a crime elegant and lucrative enough to make Tony Soprano envious: medical identity theft.

...

“Medical identity theft is the new frontier for organized crime,” says Alex Johnson, a former FBI agent who investigates fraud for Regence BlueShield. “Pretty much anybody can set up a mom-and-pop operation and start cranking out claims.” Someday, most Americans will need a cane, wheelchair, home hospital bed or another of the items healthcare professionals call “durable medical equipment,” or DME.

For those over 64 and without private insurance, there’s a good chance federally funded Medicare will pick up the tab for that equipment. Last year, according to federal statistics, Medicare spent $8.6 billion on DME.

Here’s the way the system is supposed to work: A doctor prescribes a device such as a wheelchair for a patient, who presents his prescription to a DME supplier. The supplier provides the equipment and bills Medicare, which typically pays 80 percent of the cost. Unlike pharmacists, who fill prescriptions under strict scrutiny of state and federal watchdogs, DME suppliers are lightly regulated. “DME is very vulnerable to fraud,” says Consuelo Woodhead, the chief healthcare fraud prosecutor for the U.S. Attorney’s Office in Los Angeles. “It doesn’t require any background in medicine, any kind of professional licensure or appreciable capital.

There are barriers of entry in other medical fields, but not in DME.” To operate, DME suppliers simply need a place of business, a business license and liability insurance. Unlike pharmacists, DME suppliers operate under an honor system: The feds count on them to supply the equipment they claim to provide to the beneficiaries who need it.

That honor system is not working.

The epicenter of DME fraud, according to the federal Department of Health and Human Services, is South Florida, where Medicare billing for DME quadrupled from 2002 to 2006 to $1.7 billion. Investigators found much of that increase was due to fraud. In 2006, federal inspectors revoked the licenses of 634 DME suppliers in South Florida, nearly half the DME dealers in the region.

Later the same year, raids in Southern California yielded similar results: The feds shut down 95 DME suppliers. Many of the DME suppliers shut down around Los Angeles were run by immigrants from the former Soviet Union. It’s probably no coincidence that when the feds raided Los Angeles DME suppliers, some Angelenos fled to cities where there was less scrutiny—such as Portland.

Why I welcome the Hannigan Report

Thu, 03 Jul 2008 14:00:00 +0000

As an RSA 'Evangelist' with pan-EMEA responsibilities, I obviously take a special interest in what's happening in the information security world that pertains to this region. Last week saw the publication in the UK of the long-awaited Hannigan Report -- detailing the steps that UK Government departments have taken -- and are expected to take -- to mitigate recent data leakage events which have occurred, most notably in the instance of HMRC.

It's a cracking read and one I'd recommend to all insomniacs with an penchant for such topics, but I have to say, I'm actually pretty encouraged by what I read...

If you are headed to Pakistan - watch your back

Thu, 26 Jun 2008 23:20:00 +0000

So much goes on in the murky world of Polictics that we often do not know what is afoot until long after the fact. Take a look at today's bombshell for instance.

Everyone seemed to be shocked to hear that North Korea came clean about their nuclear weapons capability and were rewarded by the lifting of some sanctions. This is a total "180" from their behavior not that long ago when they were flexing their nutrition-deprived muscles and thumbing their noses at the rest of the world.

This in turn is making me wonder about the threats from Afghanistan's President Karzai to Pakistan. President Karzai has been very vocal regarding Pakistan's involvement in his country's border area and his warnings suggesting Afghanistan's intent to attack their neighbor seems to be starting to agitate the Paskistani authorities. Which makes me wonder....is Karzai's theatrics a way to open the door for his U.S. protectors to launch an attack on the Pakistani border?

If this is the case, than Americans travelling to Pakistan should really consider if they need to be there and if they do, they should give serious consideration to their safety while there. We were recently contacted by a U.S. company who had business in Pakistan and rightfully so, they were worried for their safety. There are no doubt, many sympathizers in Pakistan, especially near the Afghan border who have little love for America or it's citizens. Further strikes (no matter how justifeid they may be), will only heighten this dislike/distrust.

If you are headed to that region, be well aware of what might lay ahead and plan accordingly.