[SecurityRatty] tag: yesterday

Relentless Reflection - What it Means in Risk Management

Tue, 26 Aug 2008 13:55:40 +0000

Picking up from yesterday, Today I’d like to talk about:

HANSEI - WHAT IS “RELENTLESS REFLECTION?” - And why we’re talking about it in the context of Risk Analysis.

Recall from yesterday’s post about how I got to thinking about the concept of Hansei-Kaizen, “relentless reflection” and “continuous improvement” and how we might apply that to risk management. It’s a concept born of Toyota and is, in some way, the foundation for “Lean” production.

Call me biased, but I think that Hansei - the act of ‘relentless reflection’ made structured is the analytical function. And I hate to debate (post-mortem) the father of Toyota quality success when he says that Hansei is the “check” in Plan/Do/Check/Act, but I think that Hansei also applies to the “Plan” of the P/D/C/A or Deming cycle.

You’ll recall the P/D/C/A cycle can be thought of even as an implementation of Scientific Method, in that it is Observation & Hypothesis Creation (P), Experiment (D), Analysis (Check), and Act (Revise/New Hypothesis, etc…). Well then as such, the Hypothesis creation involves creating a model or creating an expected outcome for data using the currently accepted model.

So in our industry there is an opportunity for Relentless Reflection in both the Observation and Hypothesis (Plan) creation steps, and the Check step. We create an estimate for control strength, or probable losses in the context of risk- then we go to Experiment step. That hypothesis can be put it into production, have an audit, have a penetration test, whatever, in the context of the Do step. BTW - using Hansei/Analytics in Plan is one way that strong analytical functions can really make penetration testing more useful - as a means to test the estimates and inputs into a model. It’s Penetration Testing 2.0! (<- tongue fully in cheek, yes)

Those who are versed in the reasons to merge Six Sigma and Lean together are probably already seeing where I’m going with this today. But before you think that a simple DMAIC function is all that is needed to create proper “Hansei”, let me encourage you to keep reading.

Now if the analytical function can said to be “reflection”, why must it be relentless?

One word. Change. There are essentially four separate “landscapes” or sources of change that we face (more on those tomorrow). But anyone who has tried to manage system compliance, log management or policy exceptions knows that change is possibly the most difficult thing we security professionals must manage. And when you think about it, there aren’t too many other business functions like information security where significant visibility and insight about the environment is needed for “complete” information (get bullish on Log Management is my recommendation).

HANSEI STEPS ADAPTED TO INFORMATION SECURITY

This is one of those quality control concepts that we can mangle adopt. At Toyota, Hansei-Kaizen includes the following basic steps:

1. Initial problem perception
2. Clarify the problem
3. Locate area/point of cause
4. Investigate root cause (using an ask why 5 times approach)
5. Countermeasure
6. Evaluate
7. Standardize

Now it’s important to note that part of this includes the concept of Go See For Yourself, called “Gemba“. Gemba can be translated as “the actual place” or “the place where virtue or truth is found.” At Toyota this might mean going to the shop floor to see the issue at hand in the production line. But for us, that’s a problem because we live in the virtual world. There’s usually not much use in hanging out in the wiring closets to try to see the problems.

But if you combine the concept of Gemba with the concept of “Nemawashi” –the process of discussing problems and potential solutions with all those affected- we can forge a similar concept using risk analysis. That is discussing the issue and the risk associated with an issue (what some people would call “risk management”) with the business/LOB/data owner and let them accept authority and the risk decision. We, the risk analyst, our goal is simply to perform items 1-5 (presenting countermeasure options that include transferring or accepting risk). By going to the line of business and involving them, responsibility is shared. Also, if you structure organizational behavior right, personal risk is transferred!

This sort of approach is also in harmony with concepts like “mutual ownership of problems,” or “genchi genbutsu,” (solving problems at the source instead of behind desks), and the “kaizen mind,” (an unending sense of crisis behind the company’s constant drive to improve).

One of the criticisms I have with the way most people try to implement DMAIC into “Lean”

REQUIREMENTS

Now to get this done, I really see three significant requirements.

1.) A change in political structure.

2.) Models that provide consistent, defensible analysis.

3.) A Quantitative approach. This means using actual units of measurement (not just amorphous percents, ordinal scales, etc.) for risk and it’s subsequent factors. Sure there are times when Q&D qualitative approaches are acceptable, but policy should be to have quantitative analysis whenever and wherever possible.

That last item - the quantitative approach - is really quite important. And the reasons why will be discussed further in tomorrow’s post:

“What should we be reflecting about? & What is needed for reflection?”

P.S. Your comments and suggestions, as always, are welcome.

P.P.S Those who may be familiar with Lean/SixSigma/Kaizen sorts of mashups may be thinking - “hey, an Analytical step is built into SixSigma”. Well, yes there is some prevision for analytical functions based on statistics, but I find SixSigma geared towards creating a State of Knowledge about operational processes, not towards creating a State of Wisdom for CISO’s around security & risks “big questions”. In otherwords, the analytical function in DMAIC is in the context of Kaizen, and a different step than “reflective” analytics.

Facebook Worm Still Going Strong

Mon, 25 Aug 2008 05:57:04 +0000

A colleague of mine had a private message sent to them on Facebook yesterday from the account of a friend. The message is related (of course) to the recent Facebook worm:

Click the link, and you'll see something like this:

Click to Enlarge

Yes, it's Ye Olde Fake Codec installer, hosted on what appears to be a hacked website. As always, pay close attention to what you're being sent from your friends. If it doesn't seem like something they'd send you, that's probably because they didn't...

Microsoft admits posting flawed update

Thu, 21 Aug 2008 20:00:00 +0000

Microsoft re-released one of its Aug. 11 security updates yesterday, explaining that it had posted an incomplete version to its own download center last week.

American Launches In-Flight Broadband Pilot

Wed, 20 Aug 2008 04:33:21 +0000

Welcome back, mile-high Wi-Fi: American Airlines has turned on Internet service in its fleet of 15 767-200s today. These aircraft ply routes between New York's JFK and three cities: San Francisco, Los Angeles, and Miami. Service is $13 per flight, and bandwidth is expected to be 1.5 Mbps (uncompressed) upstream and downstream, although the service provider, Aircell, claims some advantages above that.

This is a big day for Aircell, which spent tens of millions to acquire the exclusive spectrum license that allows them to shoot Mbps to and from planes. My big question will be whether coverage remains seamless across an entire flight--how often one has to reconnect their VPN would be a big issue. If Aircell has architected the network correctly, passengers should never be reassigned an IP address, and connections shouldn't be dropped even if there's a hiccup in air-to-ground communication.

I've covered in-flight broadband for several years, and I've been wondering lately whether we'd be waiting until 2009 to see real production service. American is calling this a 3-to-6 month pilot to see what their passengers think. Just yesterday, I wrote up veteran travel writer Joe Brancatelli's frustration with the lack of information and some misinformation about in-flight broadband.

You can read more background on American's plans and Aircell's technology in a post I wrote for BoingBoing on 24-June-2008.

The web browser is sick but wheres the cure?

Thu, 14 Aug 2008 07:11:14 +0000

Blogger: Ramon Krikken

The web browser is one of those peculiar pieces of software, having to accept input from arbitrary sources and then parse and render the data that is sent to it. Part of this it does by itself, and other parts are taken care of by handlers and plug-ins. In doing so, it displays hypertext, images, videos, and even runs active content like Flash, JavaScript, and ActiveX.

But however much we love the browser, we’ve also come to hate the myriad of vulnerabilities that affect it. Everything from cross-site scripting to remote code execution via maliciously formed animated cursor files and Flash content can make browsing a hazardous activity. The browser is sick, and that’s not desirable for a platform we use for important business and personal transactions.

Worsening the browser’s diagnosis is the recent paper from Mark Dowd and Alexander Sotirov, sub-titled “Setting back browser security by 10 years,” which discusses how to bypass Microsoft Vista’s memory protection capabilities with some added effort for the exploit designers. It’s not that all of the techniques are necessarily new, but the browser appears to be particularly vulnerable to easy exploitation.

Surprising? Not exactly, when we take into account that the browser is suffering from the same disease as the general purpose operating system: bloat and compatibility. We expect the browser to do ever more, but everything we used it for before still needs to work as if it were yesterday. It feels a bit like people insisting on using a cardboard box as a safe, and wondering why their money keeps getting stolen.

It’s not like we haven’t been working on the browser’s cure, though. There have been some improvements in the browsers themselves, the operating systems have also implemented compensating controls, but most of all, there has been an enormous push for securing the web applications that deliver the data in the first place. Unfortunately, the latter two won’t help secure the browser in the long run.

The first issue is that not all content will come from ‘nice’ servers, the second that the server can only make an educated guess on how a browser will parse and render a given set of data, and the third that operating system controls have their own limitations, whether by design or implementation (for example needing to re-compile existing code to enable certain protections.) The browser, in the end, has to be mostly responsible for keeping itself safe; the operating system must assist it in doing so.

So we’re in a pickle. The browser is sick (and the operating system is too), but it’s hard to cure it without a redesign that will undoubtedly impact compatibility, the ever-so-desired multi-functionality, or its ease of use. We can layer defenses by using web filtering in the enterprise environment, but in the end – for the consumer market in particular – we need to fix the browser itself. I can think of a few things I think might help:

Some kind of site security policy to restrict where the browser loads auxiliary content from, and which data it can ‘trust’, when loading a web page (I’d prefer mandatory enforcement, and adding an HTML tag to be able to indicate blocks of untrustworthy data.)
Restricted compartments for plug-ins to run in, ensuring that their bugs cannot easily affect the whole browser.
Better software development practices for the plug-ins and content parsers themselves, so that they’re less vulnerable, and compiled with the latest protection measures to begin with.

All of this means more work, and some of it means a lot of unhappy reactions when things stop working. Even then we will of course still have to deal with additional vulnerabilities, such as those that may be present in hardware, but we will at least have taken prudent steps to ‘find a cure.’

Military trolling at Black Hat

Tue, 12 Aug 2008 13:35:23 +0000

Forgot to post this yesterday. I was in the military and I came out OK.

clipped from www.internetnews.com

Hackers: Uncle Sam Wants You

UPDATED: At Black Hat, agencies including the FBI, US-CERT, and the military make the pitch for assisting in the U.S.’s fight against cybercrime and cyberwar.

Email Hacking Going Commercial - Part Two

Fri, 08 Aug 2008 10:31:54 +0000

Malware authors seeking financial gains from releasing their trojans often promote them as Remote Access Tools, which if we exclude the built-in anti-sandboxing and antivirus software killing capabilities, could pass for a RAT. In a similar deceptive fashion, email hacking services are pitched as email password recovery services.

Hacking as a Service sites seems to be popping out like mushrooms these days, thanks primarily due to the fact that yesterday's script kiddies are today's entrepreneurs trying to even monetize the process of bruteforcing. Here's their pitch :

"Well.. There is nothing different in our services. Like other group, we simply crack email addresses , and provide you the current password used by the victim to you for a suitable price. Nothing unique that we can brag about.... We don't hack NASA or CIA , we cannot hack a bank and steal a million dollars.. We just crack email password .. AND WE DO A HECK OF A JOB IN IT !! We cannot be as presentable as the other groups, trying to look as formal and corporate, as if they are running a Major Corporate Office. However they present it...password retrieval, online investigation.. access recovery...blah blah blah.. the most simplest way to put it is.. : Email Password Cracking: !! And since everyone else is busy faking it, or trying to be more presentable, we utilize our skills to get you what you want.. i.e. THE EMAIL PASSWORD. No buttering up, no marketing skills.. plain hardcore hacking !! So, since you now know what we do , and want us to do the job for you, please proceed to the order page for your relevant TARGET EMAIL and submit your request. All said and done, we will get the elusive password & send you a couple of proofs. You decide upon the authenticity of the proofs, and let us know if you are comfortable going ahead with the payment. PAY US, AND YOU GET THE PASSWORD !And as they say......."

How much are they charging for the bruteforcing? $150 for starters, which is prone to increase due to their bla bla bla about how sophisticated it was to obtain the password - given they actually manage to deliver the goods :

"Many groups charge a fixed price for an email cracking. We undertake more kinds of projects than anyone else. Frankly, each email is a different project in itself. We cannot charge you $100, for something which we can do for $50. Subsequently, we cannot charge you $100, for something which should be priced at $200. But we charge a minimum of $150 USD so that we end up taking orders from ONLY those who really need it. It is a small amount for the level of satisfaction, facts/truth and relief that you would ultimately achieve from this.It depends upon the nature of the job, the accessibility factor. and many other reasons likes:-

1- The email service provider
2- The target itself. How net-savvy he/she is.
3- Complexity of the password
4- Urgency of job and many other things collectively.

We will let you know our charges once we have the desired results only. Be assured, we wont charge you the moon. We charge only what we deserve, and is acceptable by you. Trust us !!"

Some of their answers to the frequently asked questions :

" - Who are you? Where are you from?
We are Hire2Hack Group. Member of our group are students in information technology, at some university in England, France, Italy, Japan, Australia, Canada, Brasilia and at United States of America.

- What services do you provide?
We can hack ANY EMAIL password for you very fast, reliable, secure and worldwide for a suitable price.

- Can you really hack password or just a making a shit scam?
Well, lot of people, lot of groups, companies do this service, but not guaranteed. This is only you can choose which group you want to Order. Be careful with these people. You can believe only on them who claims to provide proof before you really pay them.

- Is there any tool available to crack password?
Yes there is. And we are not giving it to you.

- How long does it takes to crack a password?
Each account is different and hacking time vary. On average, it might take about 1 to 3 days, but it may take anywhere from 24 hours to 30 days or more depending on how difficult is the hacking of each account.

- How can I believe you, that you got password?
We will provide you some good proofs before requesting you to pay us. The proof can be anything, you can decide what kind proof you need.

- Is there person will know that his/her email id has been cracked?
No, we provide you only the original password. That mean the current active password. Your victim/target will not realized that she/he has been hacked. NEVER, we said !

- How I will pay you, I do not have credit card or I do not want to give my credit card number on net?
Well, you can use international money transfer service such as Western Union (www.westernunion.com) or Money Gram (www.moneygram.com). These services immediate transfer money on same day or same hour. You can locate their agents in yours area from their website.

- Do I have to give you my password?
No. Any service which requires your password is simply trying to scam you out of access to your account.

- How will I know you really have the password?
We will show you the proofs.. which are mostly convincing.

- Since you have the password anyway, will you give it to me?
NO. Do not waste your time or ours. We will not release the password until full payment is made - no exceptions. We have had people request our service and once we recover the password, they reset the subject account then ask us for the original password so they can reset it back - the answer will be no. We have also had people ask if they could have the password since we've already recovered it and they cannot pay - the answer will be no. No password will be released until payment has been made in full - no exceptions.

- Will you recover more than one password? Can I request more than one email account?
Yes, but a separate request must be filled out for each one as you will only be billed for each successful recovery. If we have previously recovered a password for you and you have not paid, we will not begin any new request for you until your previous request is paid in full with exceptions for our established clientele. We charge at minimum US $100 for each account hacked.

- Do you reset or change the current password?
No. We do not try to guess the current password or the secret question's answer, we do not change their password. We give you only the Original password, which the victim is currently using.

- Is this confidential? Do you share my information with anyone else?
No, Not at all, Not in any case, its a trust between you and us. Your information will be respected as long as you abide by our Terms and Conditions and Privacy policy. We keep your personal records and requests confidential in our database but we respect your right to privacy and will not rent, share, sell, or trade any personal information unless required by law. But, if you engage in any spamming or fraudulent actives, Your information will be given to the appropriate authorities."

So you've got script kiddies cracking email addresses and probably engaging in the rest of the usual cybercrime activities, who are spam sensitive, and would expose their customers if they start spamming from the cracked emails? Now that's socially responsible, isn't it.

Targeted attacks are sexy, but bruteforcing email accounts no matter the number of proxies and wordlists that they have access to is so irrelevant, that social engineering a potential victim into infecting herself with malware through a live exploit URL seems to be the method of choice, next to a plain simple phishing email of course. In this case, what they're asking for in respect to the victim's details is the victim's country and victim's language, so that a localized social engineering or phishing attack can take place. However, this particular group seems to be using a standard bruteforcing tool.

One thing's for sure - cybercrime is getting easier to outsource, and with potential customers starting to have access to services they didn't a couple of years ago, fake scammers are also emerging in between the real ones.

The Four Horsemen of CLeopatra's Barge

Thu, 07 Aug 2008 16:36:03 +0000

One of the more interesting session I went to yesterday was a talk by Chris Hoff called "The Four Horsemen of the Virtualization Apocalypse." (If you've never read Hoff's blog, you should check it out at http://rationalsecurity.typepad.com/.)

I thought I was keeping a close eye on security and virtualization issues, but this talk illustrated how wide and varied the topic really is. This was not about Blue Pill and it wasn't about having security monitors in the hypervisor - instead he focused on how virtualizing physical devices (e.g. switches, systems) will cause lots of problems for security architects and administrators.

Briefly, here are the four horsemen:

Conquest - Translating your physical capacity planning implementation to virtual devices probably won't work.
Death - Virtualized networks lack several physical attributes assumed by security applications and high-availability devices today - you'll probably have to re-architect it all to get the same functionality, which might not even be possible in your new virtual world
War - Adding security VAs takes away precious resources that could have been used to dynamically add VMs. It is a war of resources.
Famine - With all of the redesigning and accommodation happening, security costs are going to eat into any savings you make on server consolidation.

Now, if you want to read the much more thorough version, see Hoff's original post here.

Okay, how does this all relate to the title of my post? Not much. However, much later on day one, things really started rolling.

After being crowded out of the Shadow Bar, a bunch of us ended up over at Casa Fuente (A cigar bar in Caesars forum). Five minutes after arriving, someone spilled a drink in my lap, big fun! It turns out that it was Stepto's birthday, and Hoff makes sure everyone has a drink and we all sing happy birthday to Stepto. Check out part of it, courtesy of Jack Daniel:

Immediately after the toast, Jennifer Jabbusch knocks over a table, falls to the floor and begins having a seizure. Stepto rushes over, trying to help, and just about that time, she flips over and starts laughing - total fakeout! Everybody bursts out laughing.

Shortly after that, they closed for the night and kicked us out and we all headed over to Cleopatra's Barge. There weren't enough seats or tables for us, but I noticed that the "reserved" barge seating was empty. Drawing upon a clever technique (i.e. sometimes called "asking") I social engineered a waitress into letting us have the reserved area. Within mere minutes, several security geeks are on the dance floor, doing us proud.

This leads me to the Four Horsemen of Cleopatra's Barge. (Though I was out there too, I am excluding myself since simply because I can.)

JJ, for leadership
Hoff, who owned the dance floor.
Ryan Naraine, for getting low, low, low
David, for letting his hair down.

Though our collective dancing does not signal the end of the world, it certainly capped an excellent day

Phishers Backdooring Phishing Pages to Scam One Another

Thu, 07 Aug 2008 11:01:50 +0000

There seems to be no such thing as a free phishing page these days, with phishers scamming one another at an alarming rate according to a recently published research entitled "There is No Free Phish:An Analysis of “Free” and Live Phishing Kits".

Cybercriminals attempting to scam other cybercriminals has been happening for years, with old school cases where backdoored malware tools such as crypters and binders are offered for free, or a newly released RAT whose client is in fact infected with a third-party malware. Realizing and definitely not enjoying the fact that the lowered entry barriers into cybercrime are empowering yesterday's script kiddies will malware kits that used to be utilized by a set of people who invested time and money into the process several years ago, this unethical competitive practice is only going to get more common. Backdooring phishing pages is one thing, backdooring entire web malware exploitation kits, next to the possibility to remotely exploit a competitor's command and control server is entirely another :

"Taking a more strategic approach, a cybercriminal wanting to scam another cybercriminal would backdoor a highly expensive web malware exploitation kit, then start distributing it for free, and in fact, there have been numerous cases when such kits have been distributed in such a fraudulent manner. The result is a total outsourcing of the process of coming up with ways to infect hundreds of thousands of users though client side exploits embedded or SQL injected at legitimate sites, and basically collecting the final output - the stolen E-banking data and the botnet itself."

What's to come in the long term? Why just backdoor the phishing page, when you can embedd it with a live exploit URL in an attempt to both, infect the cybercriminal about to use and obtain all of the already stolen virtual assets has has already stolen, and also, have a third-party maintain a blended attack campaign without even knowing it.

Related posts:
Phishing Campaign Spreading Across Facebook
Phishing Pages for Every Bank are a Commodity
RBN's Phishing Activities
Inside a Botnet's Phishing Activities
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles
DIY Phishing Kits
DIY Phishing Kit Goes 2.0
PayPal and Ebay Phishing Domains
Average Online Time for Phishing Sites
The Phishing Ecosystem
Assessing a Rock Phish Campaign
Taking Down Phishing Sites - A Business Model?
Take this Malicious Site Down - Processing Order..
209 Host Locked
209.1 Host Locked
66.1 Host Locked
Confirm Your Gullibility
Phishers, Spammers and Malware Authors Clearly Consolidating
The Economics of Phishing

Indictments Against Largest ID Theft Ring Ever

Thu, 07 Aug 2008 08:45:29 +0000

It was really big news yesterday, but I don't think it's that much of a big deal. These crimes are still easy to commit and it's still too hard to catch the criminals. Catching one gang, even a large one, isn't going to make us any safer.

If we want to mitigate identity theft, we have to make it harder for people to get credit, make transactions, and generally do financial business remotely:

The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. This is what's been in the news recently: ChoicePoint, LexisNexis, Bank of America, and so on. But data privacy is more than just fraud. Whether it is the books we take out of the library, the websites we visit, or the contents of our text messages, most of us have personal data on third-party computers that we don't want made public. The posting of Paris Hilton's phone book on the Internet is a celebrity example of this.
The second issue is the ease with which a criminal can use personal data to commit fraud. It doesn't take much personal information to apply for a credit card in someone else's name. It doesn't take much to submit fraudulent bank transactions in someone else's name. It's surprisingly easy to get an identification card in someone else's name. Our current culture, where identity is verified simply and sloppily, makes it easier for a criminal to impersonate his victim.

Proposed fixes tend to concentrate on the first issue -- making personal data harder to steal -- whereas the real problem is the second. If we're ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.

I am, however, impressed that we managed to pull together the police forces from several countries to prosecute this case.