[SecurityRatty] tag: scary

I was right!

Fri, 21 Nov 2008 06:15:00 +0000

Allen does the dance-of-I-was-right...

*ahem*

In my blog in July, I predicted that we would be seeing a perfect storm as cyber criminals start to see diminshing returns on PII (credit card info, mothers maiden names and the kind of things they have been going after up until now) and thus start looking at the business information that they have been ignoring.

According to usatoday, internet thieves are making big money stealing corporate info.

"Elite cybergangs can no longer make great money stealing and selling personal identity data. Thousands of small-time, copycat data thieves have oversaturated the market, driving prices to commodity levels. Credit card account numbers that once fetched $100 or more, for instance, can be had for $10 or less, says Gunter Ollmann, chief security strategist at IBM ISS, IBM's tech security division."

As I said in my original article - the only problem with this is the establishment of a market. The cyber-criminals have established a very viable underground trading system but they now need businessed to want to dip their toes in something that is highly illegal. It seems this is happening.

The scary thing is how much information is actually being pulled out of the organisation. The criminals are literally dumping everyone's My Documents directory with no real aim to a storage facility outside of the organisation and yet the companies are not aware of this.

My advice? Take measures now while the enemy are just getting established. How you manage to protect your employees' and customers' PII will determine how well you survive the next part of the battle - your company secrets.

Also, don't be tempted to get information on your competitors from shady people. They may just be doing the same thing to you.

PS1: (PII = personally identifiable information - anything that can be linked to a person and is usually stuff you don't want the public to know like your credit card details, address, salary, health, etc)

PS2: Thank you to TaoSecurity for the story. Read Richard Bejtlich's post for more information. His take on the story is that it is all to do with money. Of course it is, if you think information security is about antivirus and firewalls then you are truely wrong.

Worm Risk Spurs Critical Microsoft Patch

Wed, 12 Nov 2008 21:00:00 +0000

A scary security flaw that would allow malicious worms to infect one PC and then automatically jump to others prompted Microsoft to release a rare out-of-cycle patch in October. The glitch is critical for both 32-bit and 64-bit versions of Windows XP and Windows Server 2003, and for Windows Server 2000. Microsoft says that targeted attacks exploited the hole prior to the patch's release, and that "detailed exploit code" is currently available online.

Scary criminal activity and data theft

Wed, 12 Nov 2008 12:28:00 +0000

Even though one knows that criminals are increasingly behind some of the larger data breaches, it not until we get hit on the head do we pay attention. I just read this recent article from USA Today about the latest attacks on corporate intellectual property - I tell you, this is serious stuff.
Any organization not taking this very seriously is doing a disservice to its stakeholders and shareholders.

The problem seems intractable - for every hole you think you have blocked two open up to allow these criminals to grab data. What does any organization do?

I think the answer lies in the data itself - one cannot go about protecting the periphery to protect the asset. One has to protect the asset itself - in this case the data. If the data itself is always encrypted, at rest as well as in motion (even when it is grabbed of the computer by malware), we might have a shot at preventing this.

Else we are putting our collective heads in the sand thinking that encrypting the laptop drive or USB device is enough...

Great advice form the Trend Micro site

Sun, 09 Nov 2008 12:19:03 +0000

Clickjacking is a very real threat and I believe it will become more pronounced in the future.
It would be well for you to educate yourselves in its dangers.

clipped from newsletters.trendmicro.com

Threat and Cybercrime Trends: Click or Treat

Halloween may be over, but unfortunately, every click includes a trick when you get clickjacked. Clickjacking is a scary, new security threat similar to cross-site scripting—an attack that dates back to the 1990s?. The threat occurs when hackers and scammers hide malicious content under the guise of legitimate Web pages—in essence stealing your mouse click. Hackers can use iFRAMES or malicious JavaScript to load this content from a third-party site using any browser. And clickjacking uses any type of link—from image links in the form of buttons to text links. Unfortunately, you do not even know when you land on a hijacked page.

Links List 10.31.08

Fri, 31 Oct 2008 18:10:53 +0000

Happy Halloween!

What an interesting time to hold a technology conference. The DLA Piper Global Technology Leaders Summit last week brought together CXOs from Amazon, Walmart.com, Stanford, Safeway, Microsoft, Sun, Cisco and others to discuss the state of IT in general and how the economy is impacting it. Some highlights:

“Cloud computing for large enterprises is a dead duck, in the opinion of several venture capital firms.”

“The current slowdown in the U.S. macroeconomy is definitely going to hurt the IT industry, as it will most of the nation’s businesses, for at least the next year and most likely into the next two years.”

NetApp cancelled its first user conference slated for 2009 citing economy-driven restrictions on business travel.

We recently wrote about the possible upside for MSPs in this economic downtown. A survey from EquaTerra of more than 200 outsourcing service suppliers announced that “more than 40 percent of those polled had seen increased demand levels, despite the economic downturn.” The survey suggests that outsourcing projects are changing, with a strong focus on quick return on investment replacing longer-term initiatives to improve end-to-end business processes, according to InfoWorld. So as we saw during our own surveys this year, it looks like IT will spend time and money against the practical projects that should and could get done and not taking on ITIL and CMDB projects.

Jonathan Schwartz as a puppet talking about open source and his ponytail. The driest Sesame Street take-off you’ll ever see. Check out the video here. For those of you playing a drinking game at home, “ponytail”.

Denise Dubie posted a follow up to her article Novell’s Managed Objects buy, and shared insights from different commenters, including yours truly.

One of our favorites, the IT Skeptic was featured on John Willis’ blog this week, answering some questions about CMDB, ITSMF and more. He also provided his insight into IBM Tivoli, although he “tries to stay non-partisan”.

Inexplicable. HP posted Halloween-themed videos about datacenters on YouTube this week. Unlike the great IBM videos about the mainframe, these videos speak techno-babble without tempering the lingo with being funny or tongue-in-cheek. Various frightening creatures share information on service management processes and discuss virtualization techniques to help consolidate hardware. Scary.

Malware installed? Thats scary!

Fri, 24 Oct 2008 11:46:40 +0000

Malware products are waiting for you out there kiddies!
Be careful when you visit sites you dont normally go to.

clipped from www.securecomputing.net.au

Compromised Halloween websites passing along rogue software

An internet search using the keywords “halloween costumes”?may turn up?a number of legitimate sites that have been compromised, and users might end up with rogue anti-virus software on their machine.

Trick or Treat

Wed, 08 Oct 2008 20:00:00 +0000

October's here, and you can't escape the coming onslaught of Halloween. Children (and quite a few adults) dressed up as vampires, ghosts, goblins and other scary creatures, going around asking people for treats and threatening them with tricks if they don't provide them. A cynical person might boil it down to a a combination of scare tactics and extortion. So what does this have to do with IT security and compliance? Unfortunately, the way security and compliance professionals have traditonally gone about obtaining funds and resources for tools and projects necessary to do their jobs all too closely parallels what happens on Halloween. We frequently use scare tactics such as new threats (the trick) to get management to cough up the funding and resources (the treats) we need to accomplish what we view as our jobs...

Companies own up to virtual security blind spot

Tue, 30 Sep 2008 20:00:00 +0000

The vast majority of companies have little or no security in place for their virtual systems. That is a scary statistic revealed in a survey of attendees at the recent VMWorld 2008 conference in Las Vegas.

Twelve billion dollars!

Wed, 13 Aug 2008 10:37:00 +0000

Sounds like a Dr. Evil sound bite :). In fact this could be the potential impact of the 41 million cards stolen - according to security company Jefferson Wells. The amount is a result of simple multiplication - 41 million x $300 for each card lost. On the higher end, no doubt.

While I don't think the real cost is anywhere close to that (even by an order of magnitude), it is still a large number. Even at street price of $2 per card, someone must be making 41 million x $2 = $82M!

More scary to imagine, is where this stolen data is going, what kind of money they are making and what illegal stuff is being done with it.

SANS Webcast: Security for Web Services and SOA

Mon, 04 Aug 2008 07:29:54 +0000

Last week I did a SANS webcast with Jacob West from Fortify on Web Services and SOA Security issues. I also did another SANS Webcast on Web services security way back in 2005. I went back and looked at the 2005 slides and its really scary how the issues are still there. Again we see developers making hellacious progress and security treading water (in a moving stream). From 2005:

Many (most?) classic Information Security mechanisms are not as relevant in securing Web Services:

Firewalls:SSL

SSL

Session based access control

Policies & mechanism domains are blurred by integration and decoupling

Lack of end to end visibility

I realize that security is a system level issue and it takes a long time to change things at that level, but what's more concerning to me is that the typical infosec mindset remains the same. Should we be surprised by rampant phishing and fraud? I am frankly surprised the numbers are so low given the opportunities that the attackers have via the glacial pace of security improvements. Its been three years since that list and I could write the same exact one today for SOAP, REST, SOA, Web 2.0 whatever. Maybe the main reason, beyond failure of imagination, why infosec is so far behind developers is that infosec lacks tools. Developers automate everything possible. Security doesn't. The most promising thing about static analysis is not the ability to find everything, its the ability to find many important things in an automated way. Infosec needs to stop giving people fish and teaching people to fish. Look at Fortify's vulncat site which has a Taxonomy of Coding Errors. Fortify's Seven (plus one) pernicious kingdoms are:

Input Validation and Representation
API Abuse
Security Features
Time and State
Errors
Code Quality
Encapsulation
*. Environment

These vulns are then integrated to find security bugs in a variety of frameworks - Axis, Axis2, Websphere and .Net. The tools give security people a richer understanding about the actual state of security in their web services, the ability to communicate and debate design improvement tradeoffs with developers, and cogent advice on how to address the issues.

It would be fantastic if the list of security issues in 2011 is different from the one 2005 that we are still stuck with.