[SecurityRatty] tag: regulation

Data privacy, security laws have far-reaching impact

Thu, 06 Nov 2008 21:00:00 +0000

Massachusetts has enacted data privacy and data security regulations that will make it eke out California for the most wide ranging state privacy and security laws--laws that are likely to impact the policies, practices, procedures, contracts and training used by companies nationwide. The Massachusetts Office of Consumer Affairs and Business Regulation determined that there was a significant need for set of comprehensive standards that ensure businesses are taking practical steps to safeguard personal information. While many of these practices are probably adopted by most companies in some way, shape or form--now a laundry list of minimum standards will be required. And, since it may be impractical for a company to treat information collected from Massachusetts residents differently than others--many companies across the country will

AF083-022: Visualization for Command and Control of Cyberspace Operations

Fri, 17 Oct 2008 20:01:42 +0000

AF083-022 TITLE: Visualization for Command and Control of Cyberspace Operations

TECHNOLOGY AREAS: Air Platform, Information Systems, Space Platforms, Human Systems

The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), which controls the export and import of defense-related material and services. Offerors must disclose any proposed use of foreign nationals, their country of origin, and what tasks each would accomplish in the statement of work in accordance with section 3.5.b.(7) of the solicitation.

OBJECTIVE: Develop visualization techniques for planning and execution of Cyberspace operations.

DESCRIPTION: Fulfilling the Air Force mission “… to fly and fight in Air, Space, and Cyberspace” requires effective C2 tools for the observation, planning and execution of cyberspace operations. Conventional battlespace visualization tools were developed for the physical world (i.e., geospatially oriented), where the battlespace, weapons and effects are concrete, often observable entities. Cyberspace and its critical electronic infrastructures are an artificial world that must be created, modified and sustained by the warfighter. This artificial world of cyberspace has concrete links back to the physical world that shape the information landscape, affect the decision-making process, and control the communication channels crucial to C2.

Standard, geospatially oriented C2 tools are not suitable for providing cyber combatants with comparable situation awareness to understand events, evaluate options, and make decisions in the electromagnetic domain. The combatants in the cyber domain needs to be able to quickly see and understand not just the physical relationships of the traditional battlespace, but also the logical relationships and information dependencies in the abstract landscape of cyberspace. Cyber C2 visualizations need to provide information for strategy, tactics and execution of effects that may, or may not, have physical correlates. Examples of these cyber events include network attack detection, attack identification, damage assessment, denial of service (DOS) warnings, and information warfare or cyber-attack operations.

For example, a commander may be planning to intentionally disrupt a portion of his network to investigate a cyber-attack. He will need to understand what ripple effects will occur across the functionally diverse and geographically distributed network. These ripple effects will have both a cyber component (e.g., locations that will lose connectivity or suffer degraded performance characteristics) and a real-world component (e.g., information about enemy forces may be unavailable or delayed, reducing blue force effectiveness) that must be visualized, explored and tasked from within his C2 tools.

Decision makers will greatly benefit from innovative visualization tools that can improve their understanding of all aspects of the Cyber domain. These aspects include 1) the current state of the information environment, the physical and virtual battlespace and enemy and friendly capabilities and vulnerabilities; 2) the scope and scale of courses of action that affect information or information networks; 3) the primary effects and ripple effects of an operation in both the physical and cyber battlespaces, and 4) the risks for collateral damage associated with cyber warfare activities.

PHASE I: Identify cyberspace characteristics relevant to C2 visualization. Identify correlation methods and visualization techniques to understand battlespace, operations, and effects. Define metrics to evaluate efficacy. Document results in a written report, including mockups of proposed visualizations.

PHASE II: Construct a working prototype to demonstrate integrated visualization of cyber data showing 1) the status of information environment, 2) its effect on the conventional battlespace, and 3) the status of information operations. Evaluate effectiveness using metrics defined in Phase I.

PHASE III / DUAL USE: Military application: Additional military applications include command and control environments, like the Air Operations Centers (AOCs). Commercial application: Monitoring and defending infrastructures (e.g., financial and energy) against cyber-attacks. Visualization cyberspace is beneficial for security of commercial communication and information networks.

REFERENCES:

1. ‘Air Force leaders to discuss new ‘Cyber Command’

2. Laura S. Tinnel, O. Sami Saydjari, and Joshua W. Haines, An Integrated Cyber Panel System, IEEE Computer Society,

3. Anita D’Amico and Stephen Salas, Visualization as an Aid for Assessing the Mission Impact of Information Security Breaches, IEEE 2003.

4. Tim Bass, “Cyberspace Situational Awareness Demands Mimic Traditional Command Requirements,” AFCEA Signal Magazine, February 2000.

KEYWORDS: visualization, cyber, human factors, planning, situation awareness, command and control, HCI

Reference. SITIS Topic Details, Visualization for Command and Control of Cyberspace Operations

Are Business Risk and Technical Security Part of a Natural Fourier Series?

Wed, 08 Oct 2008 06:25:03 +0000

Decade after decade politics moves from regulated economies to de-regulated economies. Changes are usually are triggered by “unpredictable events” (in political speak). We are almost certainly about to go onto a period of heavy government regulation of the financial services industry where “unpredictable events” or “failure” in plain English is blamed on inadequate of regulation. [...]

Cross-Border Data Flows and Increased Enforcement

Wed, 08 Oct 2008 00:42:07 +0000

As information flows become more international, the regulation of those data flows is enforced more frequently at the national or local level. The challenge for companies is that consistent rules among regulators are unlikely while penalties and audits increase.

Massachusetts issues new rules for businesses to protect personally identifiable information, Congress considers FISMA reform

Wed, 24 Sep 2008 20:00:00 +0000

As reported in the Boston Globe on September 23rd, the Massachusetts Office of Consumer Affairs and Business Regulation issued regulations earlier this week that will place new requirements on businesses to safeguard personally-identifiable information (PII)...

In-Flight VoIP Ban: Against FCC Rules? Highly Desirable?

Tue, 16 Sep 2008 05:50:22 +0000

Think-tank wonders whether banning in-flight VoIP constitutes a violation of FCC rules about blocking services: The Progress and Freedom Foundation's Barbara Espin uses the ban on in-flight VoIP by American Airlines (facilitated by provider Aircell) to make a broader argument about what she calls the FCC's "ad hoc approach to broadband network management issues." It's clever. American discloses that calling isn't allowed, and VoIP isn't even technically within the FAA or FCC's purview, as far as I can determine. The FAA could choose to regulate it as a safety issue. PFF generally tilts anti-regulation, and has as what it calls its "supporters" a broad area of multiple system cable operators and telecom firms, including Comcast, which was singled out and fined by the FCC for its undisclosed network disruption of P2P connections.

Espin references Joe Sharkey's excellent column on in-flight calling in Sunday's New York Times: Sharkey, a veteran travel writer, who survived a mid-air collision over the Brazilian Amazon a few years ago, looks at varying attitudes about calls made during flights. He quotes Aircell's Jack Blumenstein saying what I've telling folks for months: Aircell has a lot of techniques to block VoIP calls already, and "as we identify new ways that people are trying to do voice calls on the airplane, we just kind of zero in and knock those off." Many geeks have assumed Aircell is a bunch of unsavvy folks who wouldn't be able to figure out how to disrupt their clever workarounds for making VoIP. (I keep noting that introducing jitter for suspicious data connections wouldn't disrupt legitimate applications, but would destroy VoIP call quality.)

Assets Good Until Reached For

Mon, 15 Sep 2008 05:41:43 +0000

A few months back Minyanville wondered whether this subprime mess would end up as a cancer or a car crash. Guess we know the answer now. The question is - should we be at all surprised? Some smart folks have been warning for a long time. Warren Buffett famously called derivatives financial weapons of mass destruction.

Charlie Munger, as he is wont to do, went a bit further (from 2004):

I think a good litmus test of the mental and moral quality at any large institution [with significant derivatives exposure] would be to ask them, "Do you really understand your derivatives book?" Anyone who says yes is either crazy or lying.

They have many other statements in the same direction, based on their own experience from buying companies that used deriviatives where they were unable to to unwind the books and figure out who owed who. At the last Berkshire Hathaway annual meeting someone asked Charlie Munger what we could learn from past blow ups about the present crisis

It was a particularly foolish mess. We talked about an idiot in the credit delivery grocery business, Webvan. Internet based delivery service for groceries -- that was smarter than what happened in mortgage business. I wish we had those Webvan people back.

What can we learn from all this?

Well Dan Geer launched a revolution with his famous speech about risk management. He got the big picture part right on the security industry evolving into more risk management practices, however the examples we assumed that were right at the time, the financial industry are proving wrong. For one thing you can't manage a risk if you don't know the assets (back to Charlie Munger, emphasis added):

It is crazy to allow things to get too big to fail, run with knavery. As an industry, there is a crazy culture of greed and overreaching and overconfidence trading algorithms. It is demented to allow derivative trading such that clearance risks are embedded in system. Assets are all “good until reached for” on balance sheets. We had $400m of that at general re, “good until reached for”. In drug business you must prove it is good. It is a crazy culture, and to some extent an evil culture. Accounting people really failed us. Accounting standards ought to be dealt with like engineering standards.

So, yes it is about risk management, but if you build too many abstractions on top of your assets through derivative accounting and such you may find you don't have any assets when you need them. Don't fall in love with your abstractions, manage your assets.

There are some clear lessons for us in Information Security, err I mean Information Risk Management.

Margin of safety Its our job to manage risk, but this doesn't mean that we have to build layers and layer of abstraction on top of it. It also means that we help to design, build, deploy, and operate systems with margins of safety. Understanding the failure modes and accounting for this in design. Developers (because they are supposed to) and architects (because they haven't been properly trained) focus on functional requirements, building features, but on security not so much. There are many ways to improve security in a system and they are all inadequate by themselves, but we can help find cost effective improvements.

Don't fall in love with abstractions

If you have a 100,000 dekstops or 100,000 servers it hard to manage. You will need to automate and to do that you need to abstract, but you should also realize that its a drawing on a whiteboard not reality. You need abstraction assurance.

Ian Grigg commented on an earlier post

There are distinct parallels between phishing / retail payments, and the bigger investment mess. In both cases, banks would argue these are core business. In both cases, they have applied risk-based security models, and accepted some loss. In both cases, they have the ability to apply substantial experience to the monitoring, allocating and absorbing risks and losses.

In both cases, they watched and did nothing as the risks started from low, and migrated upwards. Are we at the point where regulation has killed the ability of banks to apply their (arguable) one core skill, to whit, risk-based analysis? Are banks that far out of banking that they no longer have it?

So you have to remember that top down and bottom up need to be combined.

Design for failure

Dan Geer has also told the story that he sat in a large bank's risk management training, and the trainer said "you may wonder why this works so well. it works because there is zero ambiguity over who owns what risk." Dan's thought was - "in my field we have nothing but ambiguity." Turns out the second part was right, we have nothing but ambiguity over who owns what risk; unfortunately the financial people have much more ambiguity than they thought! So we do have a lesson here after all, and it this - when the thing you thought was true isn't, the failure mode is very ugly. Design for failure - add layers of protection.

Keep it simple.

They have some smart engineers at Google to be sure, but even they had incredibly basic errors in their SSO. I have seen other obvious fails like people signing WS-Security messages, and the recipient checks for a signature but not if they trust the signer! There are so many ways to shoot yourself in the foot in a loosely coupled systems, and we have so many abstractions layered on top of each other, part of the mantra of protecting assets has to be keeping it simple.

So that is my list, to do all these things it requires that Infosec get in the game, understand the use cases, understand the business value (it should be abundantly clear that you can't simply rely on "business people" to be "business experts"), and that you not lose sight of the asset amidst all the abstraction. Finally, the systems we build security on are very primitive, a firewall and SSL are fine, a seatbelt was fine in 1935 and its still fine today, but there are lots of other safety controls in cars. ABS, airbags, traction control, they all protect the assets far better than in 1935, that's what we need to build.

Anyone can make bad assumptions (assume you know who owns what risk) and its easy to make bad abstractions (the firewall protects the information system), but when you combine bad assumptions with bad abstractions you'll get assets that are good until reached for sooner or later

76Service - Cybercrime as a Service Going Mainstream

Wed, 13 Aug 2008 04:08:43 +0000

Disintermediating the intermediaries in the cybercrime ecosystem, ultimately results in more profitable operations. Controversial to the concept of outsourcing, some cybercriminals are in fact so self-sufficient, that the stereotype of a mysterious 76service server offered for rent could in fact easily cease to exist in an ecosystem so vibrant that literally everyone can partion their botnet and start offering access to it on a multi-user basis. Evil? Obviously. Extending the lifecycle of a proprietary malware tool? Definitely.

The infamous 76service, a cybercrime as a service web interface where customers basically collect the final output out of the banking malware botnet during the specific period of time for which they've purchases access to the service, is going mainstream, with 76Service's Spring Edition apparently leaking out, and cybercriminals enjoying its interoperability potential by introducing different banking trojans in their campaigns.

In this post, I'll discuss the 76service's spring.edition that has been combined with a Metaphisher banking malware, an a popular web malware exploitation kit, with two campaigns currently hosting 5.51GB of stolen banking data based on over 1 million compromised hosts 59% of which are based in Russia. Screenshots courtesy of an egocentric underground show-off.

Some general info on the 76service :

"Subscribers could log in with their assigned user name and password any time during the 30-day project. They’d be met with a screen that told them which of their bots was currently active, and a side bar of management options. For example, they could pull down the latest drops—data deposits that the Gozi-infected machines they subscribed to sent to the servers, like the 3.3 GB one Jackson had found. A project was like an investment portfolio. Individual Gozi-infected machines were like stocks and subscribers bought a group of them, betting they could gain enough personal information from their portfolio of infected machines to make a profit, mostly by turning around and selling credentials on the black market. (In some cases, subscribers would use a few of the credentials themselves). Some machines, like some stocks, would under perform and provide little private information. But others would land the subscriber a windfall of private data. The point was to subscribe to several infected machines to balance that risk, the way Wall Street fund managers invest in many stocks to offset losses in one company with gains in another."

The 76service empowers everyone who is either not willing to spend time and resources for building and maintaining a botnet, launching campaigns, and SQL injecting hundreds of thousands of sites in order to take advantage of the long tail of malware infected sites that theoretically can outpace the traffic that could come from a SQL injected high-profile site.

Next to the spring.edition, the winter edition's price starts from $1000 and goes to $2000, which is all a matter of who you're buying it from, unless of course you haven't come across leaked copies :

"Assuming that the dealer offering what he claimed was the 76service kit was correct, the profit is not only in the kit, but in selling value added services like exploitation, compromised servers/accounts, database configuration, and customization of the interface. Prices start between $1000 to $2000 and go up based on added services. The underground payment methods generally involve hard-to-track virtual currencies, whose central authority is in a jurisdiction where regulation is liberal to non-existent, and feature non-reversible transactions. The individual or group called "76service" was easy to track down on the Web, but not in person."

It's interesting to monitor how services aiming to provide specific malicious services are vertically integrating by expanding their portfolio of related services -- taka a spamming vendor that will offer the segmented email databases, the advanced metrics, and the localization of the spam messages to different languages -- or letting the buyer have full control of anything that comes out of a particular botnet for a specific period of time in which he has bought access to it. For instance, DDoS for hire matured into botnet for hire, which evolved into today's "What type of stolen data do you want?" for hire mentality I'm starting to see emerging, next to the usual interest in improving the metrics and thereby the probability for a more succesful campaign.

Ironically, this cybercrime model is so efficient that the people behind it cannot seem to be able to process all of the stolen data, which like a great deal of underground assets loses its value if not sold as fast as possible. The result of this oversupply of stolen data are the increasing number of services selling raw logs segmented based on a particular country for a specific period of time.

Time for a remotely exploitable vulnerability in yet another malware kit about to go mainstream? Definitely, unless of course backdooring it and releasing it doesn't achieve the obvious results of controlling someone else's cybercrime ecosystem.

Related posts:
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Malware as a Web Service
Coding Spyware and Malware for Hire
Are Stolen Credit Card Details Getting Cheaper?
Neosploit Team Leaving the IT Underground
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Pinch Vulnerable to Remotely Exploitable Flaw
Dissecting a Managed Spamming Service
Managed "Spamming Appliances" - The Future of Spam

Speaking of Security Podcast #117

Sun, 10 Aug 2008 20:00:00 +0000

Click to Download/Listen (07:47)

In a recent RSA Web Seminar focused on the new FACTA Identify Red Flags provisions, industry analyst, Ken Herbert, with Frost & Sullivan, explained what financial institutions or creditors need to know about the upcoming November 1 FACTA deadline and provided some key recommendations for complying with the regulation. In this week's podcast, we'll share some of the questions and answers from this online event. To learn more, watch the entire webcast replay.

Customer Privacy, Malware & Government Regulation

Thu, 07 Aug 2008 13:37:29 +0000

Free Webcast New breeds of malware – spyware, adware, Trojans, and viruses – are rapidly infecting networks and exposing businesses and their customers to unprecedented security risks. T...