[SecurityRatty] tag: urged

Feds urged to provide cybersecurity incentives

Wed, 19 Nov 2008 02:00:00 +0000

President-elect Barack Obama needs to take a new approach to cybersecurity, with government providing incentives for private businesses to adopt security measures, the Internet Security Alliance, a cybersecurity group, said today.

Presented By:

Expedition Week Continues Tonight

Seven nights of one great discovery after another continues tonight at 9P e/p only on National Geographic Channel. From the ancient pyramids to the ocean depths, from lost cities to outer space, travel with the latest generation of intrepid explorers as they make one great discovery after another. Expedition Week, only on National Geographic Channel.
www.natgeotv.com/expedition

Ads by Pheedo

Hackers launch PDF attacks, exploit just-patched Reader bug

Thu, 06 Nov 2008 21:00:00 +0000

Attackers are exploiting one of the vulnerabilities in Adobe Reader that was patched earlier this week, a security researcher warned Friday as he urged users to update as soon as possible.

What's Happiness Got to Do With It?

Wed, 29 Oct 2008 07:00:44 +0000

Gartner's own John Pescatore has issued a 12 world post:

The best security program is at the business with the happiest customers.

Happiness? Really? That's the measure of program effectiveness? I would see those 12 words and raise them one word (13 if you're scoring at home):

There's a fine line between happy customers and playing piano in a bordello.

I mean the people running hedge funds and derivative books at AIG, Lehman and friends had lots of happy customers for the last decade!

To me the happy customer is a classic IT copout "we just did what the "business" asked". Like we're just a bystander or something. Its our job to create business value and be business like. We should seek to empower out customers, not make them happy.

Please understand I am not that guy who says IT security has to be the "bad cops" who deny everything the business wants to do. Just saying it is our job to raise the bar where we can. Raising the bar does not always create super happy customers in the short run, but it does empower companies.

Unfortunately, playing piano in the bordello is what a lot of security groups do and even big analyst firms. The path of least resistance ain't always the way. Here is an example. I was at a client many years ago, they wanted to build a big Identity Management solution, so of course they wrote a big RFI got responses from Sun, IBM, Oracle and friends. The bids were in the $3-5 million range. Pretty big projects for an Infosec team. So what do you do? Call up a big analyst firm and get some advice, right?

A week goes by and we get an audience with the "guru" from the Big Analyst Firm. The client has pretty detailed requirements, what systems they want to connect to, what use cases they are looking to solve for, and so on. We anxiously await the knowledge the analyst is about to transfer to us. His response was as follows - "what kind of shop are you? IBM shop? Oracle shop?" "Ummm...we are a huge company we have everything." "Well if you are more of a IBM shop you should go with them. If you are more of a Oracle shop you should go with them." That was the extent of a 30 minute conversation. True story.

Of course, the one value proposition of the Big Analyst Firms is that they supposedly can tell you what everyone else is supposedly doing. There is some value in this I grant you. And it does make for happy customers because even when you force your customers to change, you can say "Well geez, I know its hard but the Big Analyst Firm says that everyone is doing it." But is this security improvement?

Back in 2004, I went to a great security conference, it was Information Security Decisions (they are back in Chicago next week). It was in Chicago, downtown on the river. Tom Davern even took us all out on a boat for lunch one day. Anyway, there was one truly great talk there. It wasn't Fred Cohen debating Gary McGraw on application security which was outstanding (in which Fred uttered the memorable line "I agree with Gary everywhere he agrees with me." (Gary won the debate, his best line - "We know how to win the software security war, but we don't know how to manage the peace" still the problem today actually)) It wasn't Pete Lindstrom showing his security metrics framework (which is still a great starting point). it wasn't Dan Geer's fireside chat.

The truly great talk, though, was by the now departed Robert Garigue. It was called "Its the End of the CISO as I Know It, (And I Feel Fine)." The whole end to end talk was wonderful, there are several things in there that I still use every single day like the separate security models for Infostructure and Infrastructure but the point I want to talk about is the CISO role.

Garigue talked about the two most prevalent CISO models - the jester and the bad cop. The jester CISO

Sees a lot
Can tell the king he has no clothes
Can tell the king he really is ugly
Does not get killed by the king
Nice to have around but…how much security improvement comes from this ?

The jester has happy customers! At least for awhile.

Again I grant you bad cop is not the way to go either (and while this already long post could read harsh on John Pescatore's pithy summary, I give him a lot of points for saying that security needs to be customer conscious).

We have all seen bad cop CISOs who

Changes happened faster that he was able to move
Did not read the signs
Good intentions went unfulfilled
A brutal way to ending a promising career
Sad to have around but…how much security improvement comes from this ?

Obviously these models of CISOs are not solving our information security problems. Instead Dr. Garigue points us to Charlemagne as a better model

King of the Franks and Holy Roman Emperor; conqueror of the Lombards and Saxons (742-814) - reunited much of Europe after the Dark Ages.
He set up other schools, opening them to peasant boys as well as nobles. Charlemagne never stopped studying. He brought an English monk, Alcuin, and other scholars to his court - encouraging the development of a standard script.
He set up money standards to encourage commerce, tried to build a Rhine-Danube canal, and urged better farming methods. He especially worked to spread education and Christianity in every class of people.
He relied on Counts, Margraves and Missi Domini to help him.
Margraves - Guard the frontier districts of the empire. Margraves retained, within their own jurisdictions, the authority of dukes in the feudal arm of the empire.
Missi Domini - Messengers of the King.

This is the way forward! Find software security champions in the architecture and development groups,help them understand the real security issues. They will find solutions you have not thought of. Same for DBAs, same for business analysts even. Its all about beating the bushes, education, and decentralizing security services. Specifically, he points out this important mandate for IT security

Knowledge of risky things is of strategic value

How to know today tomorrow’s unknown ?
How to structure information security processes in an organization so as to identify and address the NEXT categories of risks ?

To me this is our mandate and measure of effectiveness. Empower our customers, educate, and create business value. If I am a CISO I don't want 20 people reporting to me who do firewall ruleset changes. I want one champion in 20 different groups - development teams, architects, DBAs, business analysts.

A concrete example, infosec can continue to go along with the herd and follow the "what everyone else is doing architecture" meanwhile developers are connecting every single thing in your business to the Web. I have been doing integration and new technology projects for a long time, and let me tell you - Change does not always create happy customers in the short run. But the chart below shows that information security is maybe more concerned with not causing waves rather than adapting.

How long can developers evolve, connect everything and security people not change anything? Herb Stein said, "things that can't go on forever, don't. "At some point these chickens are coming home to roost, there is a yawning gap between rapidly evolution connecting the enterprise and the 13 year old and counting security architecture that "Everyone else is using" and when those chicken come home to roost you may not have happy customers then. Here is my 12 words:

The best security program is at the business with sustainable competitive advantage.

EC praises Google's data-retention move, asks for more

Wed, 10 Sep 2008 20:00:00 +0000

The European Commission welcomed Google's reduction in data retention times for people's search data but it urged the company and its rivals to go even further in order to safeguard European citizens' privacy, the regulator said Thursday.

Improve Security with "A Layer of Hurt"

Thu, 31 Jul 2008 15:13:00 +0000

Hello, Michael here.

I got a lot of interesting comments from my TechEd 2008 presentation entitled, "How To Review Your Code And Test For Security Bugs," but the most comments and questions were reserved for fuzz testing; I was blown away by the number of people who thought fuzz testing was hard, or that you only left fuzz testing to ‘leet hackers.

During the presentation I mentioned in some depth how to perform fuzz testing, and what parts of an application should be fuzz testing targets. I also introduced an idea (that's not new) to help people who have never performed fuzz testing begin fuzz testing with very little cost and friction. The idea is to add a small layer of code to an application to automatically mutate untrusted data as it comes into an application; I called that code layer "a layer of hurt."

Before I continue, I want to point out that fuzzing is an SDL requirement, but the idea in this blog post is not an SDL requirement, it's just another way to help meet SDL fuzzing requirements.

Adding a layer of hurt, as shown in the picture below, is pretty simple as it involves adding code to an application to tweak data as it comes into an application. You can work out where to place the fuzzing code by looking at your threat models to see where data crosses trust boundaries. You could also simply grep the code looking for APIs that read data, for example:

Read from files: fread, ReadFile
Reading from sockets: recv, recvfrom
For .NET code, any stream.Read

You get the picture.

The fuzzing code should appear right after the API that reads that data.

For example, C or C++ code that reads from a UDP socket and then fuzzes the data before it's consumed by the rest of the application might look like this:

char RecvBuf[1024];
int BufLen = sizeof(RecvBuf);

int result = recvfrom(
   RecvSocket,
   RecvBuf,
   BufLen,
   0,
   (SOCKADDR *)&SenderAddr,
   &SenderAddrSize);

#ifdef _FUZZ
Fuzz(RecvBuf,&BufLen);
#endif

Or, in C#, code that reads from an untrusted file:

FileStream fileStream = new FileStream(filename, FileMode.Open, FileAccess.Read);
uint len = (uint)(fileStream.Length);
byte[] fileData = new byte[fileStream.Length];
fileStream.Read(fileData, 0, (int)len);
fileStream.Close();

#if _FUZZ_
Malform pain = new Malform();
fileData = pain.Fuzz(fileData);
#endif

In both code examples, Fuzz() mutates the incoming data. In the C++ case, the fuzzing code looks like this:

void Fuzz(_Inout_bytecap_(*pcbBuf) char *pBuf,
_Inout_ size_t *pcbBuf) {

if (!pcbBuf || !pBuf || !*pcbBuff || *pBuf) return;
if ((rand() % 100) > 5) return; // fuzz about 5% of Buffers

size_t cLoop = 1 + (rand() % 4);

for (size_t j = 0; j < cLoop; j++) {

    size_t i=0,
      iLow = rand() % *pcbBuf,
      iHigh = 1+rand() % *pcbBuf,
      iIter = 1+rand() % 8;

    if (iLow > iHigh)
      {size_t t=iHigh; iHigh=iLow; iLow=t;}

char ch=0;
switch(rand() % 9) {

      case 0 : // reset upper bits
        for (i=iLow; i < iHigh; i++)
          pBuf[i] &= 0x7F;
        break;

      case 1 : // set upper bits
        for (i=iLow; i < iHigh; i++)
          pBuf[i] |= 0x80;
        break;

      case 2 : // toggle all bits
        for (i=iLow; i < iHigh; i++)
          pBuf[i] ^= 0xFF;
        break;

      case 3 : // set to random chars
        for (i=iLow; i < iHigh; i++)
          pBuf[i] = (char)(rand() % 256);
        break;

      case 4 : // set NULL chars to (possibly) non-NULL
        for (i=iLow; i < iHigh; i++)
          if (!pBuf[i])
            pBuf[i] = (char)(rand() % 256);
        break;

      case 5 : // swap adjacent bytes
        for (i=iLow; i < __max(iHigh-1,iLow); i+= iIter)
          {char t=pBuf[i]; pBuf[i] = pBuf[i+1]; pBuf[i+1]=t;}
        break;

      case 6 : // set to random chars every n-bytes
        for (i=iLow; i < __max(iHigh-1,iLow); i+= iIter)
          pBuf[i] = (char)(rand()%256);
        break;

      case 7 : // set bytes to one random char
        ch=(char)(rand() % 256);
          for (i=iLow; i < iHigh; i++)
            pBuf[i] = ch;
        break;

      default: // truncate stream
        *pcbBuf = iHigh;
        break;
     }
   }
}

The sample C# and C++ fuzzing code is available as a ZIP file at the end of this post.

This code is an example of dumb-fuzzing, which is fuzzing with little or no regard for the data structure being manipulated. If you've never performed any kind of fuzz testing in the past, then you will probably find bugs with this simple fuzzing technique. Once you have weeded out the low-hanging bugs, you may need to turn your attention to smarter fuzzers. For example, in theory, this code would find few if any bugs in a PNG parser, because PNG files have a built in check-sum, so if you fuzz a PNG file, you'd have to recalculate the checksum to get decent code coverage.

When I showed this code during my presentation, I urged people to add it to their applications today if they currently don't do fuzz testing, and simply run their applications through their normal testing processes. Within three days of my presentation I received emails from people saying they had found bugs. I have no doubt others did too.

One of the comments I made during the session was,"If you can't spend the time on great fuzzing, fuzz anyway" and adding a "layer of hurt" is a reasonable start.

Please feel free to sound off if you have ideas to help improve the code and let us know what you think, either through email or comments to this post.

Airlines Warn Customers Of Ticket Invoices Spam With Infected Attachments

Mon, 28 Jul 2008 15:44:16 +0000

Several airlines have warned customers that bogus e-mails posing as ticket invoices contain malware and urged them to immediately delete the messages. Airlines that issued warnings include Delta Air Lines Inc., Northwest Airlines Corp., Sun Country Airlines and Midwest Airlines Inc. Sun Country also reported these e-mails to Yahoo, Hotmail and the United States Computer [...]

Airlines warn customers of infected ticket invoices

Sun, 27 Jul 2008 20:00:00 +0000

Several airlines, including Delta and Northwest, have warned customers that bogus e-mails posing as ticket invoices contain malware and urged them to immediately delete the messages.

Security Briefing: June 23rd

Mon, 23 Jun 2008 06:39:10 +0000

Not bad. I actually managed to get a good night sleep.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

Google and Wildcard Domains | GNUCITIZEN
Trojan plays anti-China games for hacking | The Economic Times
Villains Getting Smarter: Are We, Too? | Korea Times
Agency Sees Theft Risk for ID Card in Medicare | NY Times
Universities urged to tighten computer security | The Arizona Daily Star
Organised e-crime targets students for recruitment | ZDNet UK
Time to dismount the hamster security wheel of pain | The Regsiter
New security awareness posters aid the battle | Cambridge Network

Tags: News, Daily Links, Security Blog, Information Security, Security News

University of Florida student information online for years

Thu, 12 Jun 2008 06:41:30 +0000

Technorati Tag: Security Breach

Date Reported:
6/11/08

Organization:
University of Florida

Contractor/Consultant/Branch:
Office for Academic Support and Institutional Services

Victims:
Students

Number Affected:
"more than 11,300"

Types of Data:
"names, addresses and Social Security numbers"

Breach Description:
"GAINESVILLE, Fla. - University of Florida officials today mailed letters of notification to more than 11,300 current and former students regarding a privacy breach that resulted in names, addresses and Social Security numbers being posted online that may have been accessible to the public."

Reference URL:
University of Florida
Miami Herald
Inside UF
United Press International

Report Credit:
University of Florida

Response:
From the online sources cited above:

GAINESVILLE, Fla. - University of Florida officials today mailed letters of notification to more than 11,300 current and former students regarding a privacy breach that resulted in names, addresses and Social Security numbers being posted online that may have been accessible to the public.
[Evan] Not "may have been". The information was accessible to the public and was not even protected by a password.

The student information was actively used from 2003 through 2005 and remained posted until it was recently discovered during a routine audit of UF systems.
[Evan] If I am reading this right, this means that some of the personal information was available publicly for ~5 years!

School officials emphasized that the site would not have been easy to find and they do not believe it was accessed by anyone outside the school.
[Evan] There is no security through obscurity.

"The risk of someone outside actually finding this information and using it inappropriately is very low," - Steve Orlando, UF Spokesman
[Evan] I wonder how Mr. Orlando came to the conclusion that the risk of disclosure and misuse is "very low". As I understand, the server was publicly accessible, presumably via the internet. If so, was the site indexed by search engines like Google, Yahoo, and Microsoft? It is much easier to find information through a search index because folder structure is much less relevant. The fact that this information was available for 3-5 years adds to the risk too. I only know what I read and based on this and experience, I wouldn't classify this as a "very low" risk situation. Either way, the risk was increased due to poor information security practice and was not necessary.

"We've done computer forensics, and we don't have any evidence that anybody accessed this information," he added.
[Evan] This indicates poor logging and monitoring which are both essential detective controls (in most situations). Information security personnel (or admins) should be empowered to reconstruct events.

"But because we can't say that with absolute certainty, we're going through with the notification out of an abundance of caution," Orlando said.
[Evan] I am NOT a fan of the "abundance of caution" claims that seem more popular in breach notifications lately. Organizations would be best advised to use an "abundance of caution" in the prevention and early detection of breaches by applying sound information security principles.

Since 2005, the site has been "dormant but accessible," said university spokesman Steve Orlando. "It was just sitting there."

The information has been removed and is no longer available online or elsewhere in the UF systems.

The breach occurred when former student employees of the Office for Academic Support and Institutional Service, or OASIS, program created online records of students participating in the program.

The student employees posted the information online so that they could work with it from remote locations, but they did not install security measures to keep others from accessing it as well
[Evan] I have so many questions and arguments. Were the students aware of the risks? If not, then there is probably an information security training and awareness problem. Why was it necessary to include Social Security numbers in the records? Why were the seemingly untrained students allowed to post the information without being stopped or detected? I have many more questions, but I am starting to confuse myself now.

The university sent letters of notification to about 11,300 students whose information is believed to have been potentially compromised.
[Evan] Here's my take on the word "compromised". If an organization cannot provide reasonable assurance that the information has not been subject to unauthorized disclosure, modification, or destruction, then the information has been "compromised".

University officials were unable to find contact information for about 570, so they are asking students who were enrolled in CLAS from 2003 to 2005 and did not receive a letter but who believe their information may have been compromised to call UF’s Privacy Office Hotline at 866-876-HIPA and provide the requested information.

Anyone who thinks he or she may be one of the 570 people who were not notified is urged to go to privacy.ufl.edu and read the information posted there before calling the privacy hotline.

"This would certainly appear to be the largest privacy breach we've had," Orlando said.

We're in the process of strengthening some of those policies regarding what information can be posted and what security measures should be in place
[Evan] Good start.

Victim Reaction:
"Why would it be necessary to use a Social Security number instead of something else?" asked Reixach, pointing out that students were given ID numbers. "It's just silly".

"It's negligence on their part, especially if anyone has been affected with identity theft,"

Johann Arias, a spring CLAS graduate, had not heard about the breach Wednesday and said UF should be doing more to notify those affected.

"They always make information very prominent when you have a hold or owe them money," Arias said.

Commentary:
This is a case where poorly trained students are granted access or obtained access to confidential information and posted the information to an unsecured location which went undetected for years. Bad all around.

Past Breaches:
May, 2008 - University of Florida doctor loses job over breach
November, 2007 - University of Florida student info online

Presenting Security Ideas or Driving Agendas?

Sat, 24 May 2008 07:39:04 +0000

I opened the OWASP Europe Conference this week with a slide (below) about vendor neutrality. In essence I urged attendees to consider the motivations of those presenting various ideas at the conference; including myself of course. During the conference it was pointed out that the moderator of a panel “The PCI 6.6 Dogfight - [...]