While reading through the blog post that discusses how Sony’s Playstation network was breached, was I the only one that noticed that playstation network usernames AND passwords were stolen. Perhaps they left out the specifics but, why were the passwords stored using encryption thereby increasing the amount of time and effort required to decrypt the passwords?

Nevertheless, this breach is rather interesting in that the blog post states “While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.” One point of doing proper log management and risk assessments is to be able to see how far the rabbit hole goes when a breach occurs. The ability to know that only a portion of records were affected during a breach can save thousands of even hundreds of thousands of dollars.

Related articles

• PlayStation Network Hack Leaves Credit Card Info at Risk (wired.com)
• Playstation Network Breach: It’s Really, Really Bad (technologizer.com)

Image via Wikipedia

You don’t need a 6th sense to detect when a fellow IT security pro is engaged in a hot project, like implementing a defense in depth strategy, DLP tool or a PenTest project, when for 10 hours a day they can role play as a nefarious, ethical hacker. They spring out of bed without an alarm, their ipod rocks as they think of their project on the way to work, and usually work while others sleep. And as they sense the success of their project is in reach, there is a gleam in their eye like Melvin Purvis knowing Dillinger will be at the Biograph theatre that night. Yes, that’s you. The details are different, but you act with the same focused purpose when you are engaged with a hot project.

Unfortunately, “productive you” has been dulled by the recession. You look at the clock. It’s 9:03- Your hot project lost budget. 9:07- You start to feel like you’re just hanging out at the office, daydreaming about the receptionist or what you’re going to do this weekend. 9:13- “Will I be the next budget cut?” Or maybe you’re forced into endless, mindless, maintenance and you begin to feel like the same worthless, infinite loop that “victim you” is attempting to debug. Maybe you’ve become a cash cow and you’ve lost touch with the leading edge you once steered like a snowboard. If you resent, but resemble this description, STOP. It’s time to wake up the “pro-active you”.

Learn and Grow. It even sounds healthy and positive, like water and sunlight to a plant. I’m not going to try and talk you out of investing in night school, but you don’t need money, homework and someone else’s schedule to learn. There’s a lot of negativity about our current economy. Want a silver lining? There has never been a time when you and I could take advantage of the plethora of free information for educational purposes as we can today. Think about it. “How would you like your free industry knowledge, miss? For here (seminar)? To go (white paper)? or delivered into cyberspace (webinar)?”

Complimentary subject matter expertise and contributing back to the community are key foundational components of the Savid Technologies business model. In my Security Practice Manager role, I am deep into developing an immense library of IT security and compliance literature. It’s already pretty solid. Savid’s Marketing team, in conjunction with our Web Development team, has created an easy and efficient self service system for your convenience. Just check it out at www.savidtech.com. Look for new, relevant and insightful information every month on technology, methodology and industry metrics. On our website, you can also view the upcoming complimentary, educational events, or download our informative whitepapers. If what you are looking for is not there yet, just contact Kelly or Angela in Marketing (877-307-0444). They’ll hook you up with free industry knowledge, for here, to go, or delivered into cyberspace. I will also make time to discuss IT security with you. If I don’t know it, I will connect you with the right resources.

One last note. Consider attending our monthly Chicago IT Security Meetup. Next meeting’s topic and registration can be found at: http://www.meetup.com/The-IT-Security-Group-of-Chicago/. I gotta go now and finish my week’s work; I’ve got a long list of research topics for Saturday morning.

Image via CrunchBase

I attended the RSA conference this year, as I always do, and spent most of the time talking with attendees and clients about what they were learning and trends they were seeing.  Here is a summary of what we discussed.

Mobile Security

Although mobile security concerns seems to be a theme, I tried to dig deeper, and it seems that more than a few people are concerned about the upcoming changes to Facebook’s currency model. Facebook plans to force all users to use “Facebook Credits”. The worry is that since Facebook is on virtually every smartphone in the world, the digital wallet may come to the consumer faster than expected via facebook. The Facebook credits system is similar to PayPal or Google Checkout; however, since mobile phones don’t normally contain identity information they haven’t really been targeted. Once faceobok account can store credits, like a bank account, having a mobile virus or Trojan that steals your facebook login/password will be akin to stealing your bank account username and password. I think we have heard this story before…

Cloud

The cloud is always a hot topic but it seems as if nothing has changed. It is all about cost savings and whatever cost to security. As Dave, CSO from eBay put it. Vivek Kundra, whitehouse CIO, plans to save over 20billion by moving to the cloud and when you are saving 20 billion, who lets security get in the way?

Other people were more realistic and have conceded that the cloud will happen and they need to have data classification and risk management processes in place to ensure the *right* date moves to the cloud. A couple cloud vendors mentioned that they will need to educate their customers on how to do risk management and data management so that their customers can securely move to the cloud. This is a departure from the “We don’t talk or tell you about our security processes” stance the cloud vendors had last year.

Also, Symantec is making a big splash with their .cloud initative which is a marketing rebranding of all their cloud offerings including cloud based endpoint protection, cloud email encryption and filter, and cloud based web filtering. While the moniker may be funny and many have laughed at it, it is simple and effective. AV.cloud sounds much better than “cloud based anti-virus”. Marketing changes aside, not much has changed in terms of the technology behind the solution but Symantec is committed to heavily investing into .cloud and becoming the premier cloud security services provider in the world.

As I met with attendees and vendors, I asked if CIOs were adding cloud security services into their ROI analysis when moving their data to the cloud, almost everyone said no. Is this an indicator that cloud services don’t apply to the enterprise or perhaps the security CIOs want is ”real security controls” on the platforms, operating systems, and databases in the cloud rather than just moving their security tools from on-premise to the cloud? It seems to me the only people looking at cloud security services is the SMB.

I just released a report for Dark Reading on how to build a multi-enterprise vulnerability management program. If you are dealing with outsourced vendors, or an outsourced supply chain, you should definitely give the article a read.

To summarize the article:

1. Get your legal contracts in order. So many firms don’t put what they need from their partners into a contract. How do you expect to get what you need then?
2. Establish Communication channels that work for everyone. If you don’t get the right people on the “phone”, nothing will get done – including your security processes
3. Find the person with authority at your partner and ensure they are involved, otherwise your efforts will be useless.

I offer many more details and tips within the article but step #1 is so critical that an entire article should be dedicated to just that!

According to the Wall Street Journal:

A 24-year-old living with his mother in France was arrested for ‘hacking’ into Obama’s twitter accounts in April 2009. Apparently he guesses the answer to a question related to password recovery in order to break into the accounts of famous people; he has no computer science training or financial motive. He posted screenshots to a few online forums and twitter found out within a few hours, either from a tip or from noticing when someone from France logs onto twitter as the President of the United States. (He did not actually tweet as POTUS, but just wanted to show he could break into the account.)

Now, this is news in and of itself but the interesting part is that the following academic paper, released about three weeks ago, told how easy this hack really is to implement. In this paper, Joseph Bonneau of the University of Cambridge and two colleagues from the University of Edinburgh show how hackers stand a 1 in 80 chance of guessing common security questions such as someone’s mother’s maiden name or their first school within three attempts.

According to the blog post announcing the paper’s release, Joseph Bonneau states:

There’s finally been a surge of academic research into the area in the last five years. It’s been shown, for example, that these questions are easy to look up online, often found in public records, and easy for friends and acquaintances to guess.

This is probably what happened to President Obama’s account. It would be interesting to know what the answer was to Obama’s secret question is, but it is very difficult to find the screenshots referenced in the WSJ article. The academic paper continues:

It turns out the majority of personal knowledge questions ask for proper names of people, pets, and places, and the rest are trivially insecure (eg “What is my favourite day of the week?”).

Which is why your system should never ask for things like that. Companies are starting to try and solve this problem. At RSA there was a new company, RavenWhite, which seemed to have a unique new approach which you can learn about at http://www.ravenwhite.com/iforgotmypassword.html

People really need to rethink the way they implement security to the end user. There is no way any automated technology could have prevented Obama’s account from being attacked simply because they were using the system in the perfectly intended way. It is what the user did afterword that differentiated the attacker from an actual twitter user.

Verizon Business Christian Moldes as a great post about Plane Crashes and Security Breaches and how they are very similar. He hits it right on the head! During our engagement wrap-up meetings where we explain the various potential scenarios an attacker can use to break into a client’s network we are always asked to put a specific ranking on a specific risk. I argue that that almost doesn’t matter because normally the big breaches are not from a single vulnerability but many chained together.

Christian quotes Malcom Gladwell, and says:

The typical [plane] accident involves seven consecutive human errors.

When we work with clients we normally see that breaches are caused by a chaining of at least three errors: exploitation of a vulnerability, then a mis-configuration is used to find a privileged account user name and password, and then data is found on the network somewhere it wasn’t supposed to be that the privileged account has access too.

Even with many controls in place you cannot always prevent a security breach. This is the exact reason why we recommend that incident response policies and processes (Which should be tested like you test your Disaster Recovery processes!) should be the FIRST THING you implement when building a security program at an organization followed by detective controls such as logging to detect a breach as soon as possible.

Although I think DDoS extortion is declining due to the rising lucrative ransomware and scareware tactics, DDoS extortion remains interesting to me due to its sheer supervillainary. (plus the stories sound cool when you tell them). I was giving the example to a CSO I met today and after telling the story he asked, “How do I survive a DDoS Extortion Attack”, so here is how:

Businesses hit with these attacks have almost no reprisal to fight back and even have a disincentive to alert authorities who could work to defend against them.

DDoS, distributed denial of service, extortion occurs when a hacker threatens to utilize a vast botnet of many infected computers to bombard a single target online. By using up the target’s resources to accommodate the botnet traffic, legitimate traffic is unable to access the site, causing a denial of service. This prevents businesses from using their website, which may be integral to their business operations.

Before the DDoS attack, the extortionist will contact the site webmaster and offer to spare them from the attack for a payment. If the payment is not made by the given date, then the attack begins and the price usually increases.

Companies have three ways to retaliate: pay the attacker, use DDoS protection, or go to the authorities. Unfortunately, most companies choose to simply pay the attacker since it is the easiest and least expensive way to fix the problem. This only emboldens these kinds of attacks, causing more extortion on other companies.

It is possible to use DDoS protection to block bots, but in the extortionist will warn that if such an attempt is made then they will only increase the number of bots attacking the website, making it much more expensive to deal with.

Going to the authorities can be so ineffective that extortionists will not even discourage their target from doing so. Extortion attacks usually come from other countries, usually Eastern Europe, where the FBI has little recourse. Furthermore, businesses are afraid of reporting the crime because it could damage their brand if it got out that they were helpless against extortionists. This makes it harder for any countermeasures to be developed since it is impossible to tell how often extortion occurs, how much money is extorted, and who are the targets of extortionists. According to experts, every online gambling site is paying an extortion, usually around $40,000.

For these, reasons too often companies will simply remain quiet about the extortion and pay their fee. The ransom is much less than the costs incurred from a denial of service attack. Sometimes, the extortionist even gives their victim the opportunity to pay for an attack on a competitor. Why not? It gives the victim a chance to level the playing field and the extortionist a chance to make even more money.

The best way to combat attacks like these is for businesses to put aside competitive differences and share their information regarding security and cyberattacks with industry peers and law enforcement authorities. But that’s never going to happen and businesses are likely to continue to fight an every-man-for-themselves battle.

Until then, it’s up to companies to build up internal protections and beef up their security to protect against botnet attacks. Also, if this ever starts to happen to your business you can always contact me and I can see how I can help!

I received an email from John Zurawski at Authentify that I thought was worth posting. I personally am tired of bailing out the banks and continuing to spend tax payer money so I want to ask Congress to Step Up, start using our money for things that matter, and start to protect the end user’s by requiring the banks that don’t properly implement security controls to pay. John asked in his email for me to repost his email and ask others for help. Read below and if you are heading to RSA stop by the booth and sign the petition if you agree.

I’m emailing to ask for your help in something that can make a difference at the RSA Conference.  In recent months it’s become apparent that many smaller banks, credit unions and ultimately small businesses are being victimized by organized cyber criminals.  We at Authentify, along with many others, believe it’s time to stop the bleeding.  The regulatory oversight of the financial services industry has plenty of “guidance”, but few actual requirements to protect their customers from sophisticated online criminals.  The breaking point has come with a bank suing it’s customer for being a “cyber-victim” and asking the courts to declare its security procedures as “commercially reasonable”.  The technologies exist to prevent most malware inflicted financial losses.  It’s time to get Congress to get involved.  Just as the federal government is making funds available to healthcare to get health records digitized and online, it’s time to use TARP funds or other sources – to REQUIRE that financial services firms protect their customers.

Authentify will be seeking signatures on a petition to Congress in its booth at the RSA Conference next week.  We have put this effort ahead of our new product introductions and other RSA promotions.   Please stop by Booth #732 on the Expo floor if you believe it’s never commercially reasonable to let a bank’s customer’s be victimized by malware.

Honeypots are a lot of fun for security professionals. We get to trick the tricksters who try to trick security systems. These opportunities give us whitehats a chance to be a little devious for once and get in the heads of those we are protecting against.

So Microsoft conducted a little honeypot of their own to collect some data on the kinds of automated password attacks hackers are using to break into user accounts. They created a fake FTP server and allowed hackers to go to town trying to crack the password for about a year. The FTP logged and processed the information gathered by login attempts.

The honeypot gathered hundreds of user names and tens of thousands of password that have been used in automated attacks. The data told us a few things we already knew, basically that the most common password hack attempts resemble the most commonly used passwords. But the data told us one new thing that we did not already know about password cracking. That is, simply having a long password isn’t good enough anymore if it is still dictionary-based. The honeypot attackers routinely used passwords 8-10 characters in length and would even try passwords 10, 15, or 20 characters long. Also, hackers are persistent, even for using automated systems. One tenacious attacker attempted 400,000 passwords to crack the fake FTP.

The emphasis on password strengthening is now more relevant than ever with the reemergence of “L0phtCrack” – a password auditing software. L0phtCrack attempts to crack passwords at swift speeds by scanning through a dictionary of words and forming probable password guesses. Basically, it does the exact same thing as the automated password crackers the hackers use, but for whitehat purposes. Of course, critics are worried that L0phtCrack is a double-edged sword since it could be used for that very purpose.

Passwords are actually the easiest security measure to ensure protection. As long as your password follows the basic password strengthening guidelines – length, alphanumerical, case variance, special characters, etc – it should never be cracked. At least, not by an automated tool.

We bid for some FISMA work at NASA so I thought I would share with everyone what NASA hasn’t been doing properly….You might think that out of all U.S. federal agencies, NASA would be among the top ranking in cybersecurity defense. But according to a report issued by the Government Accountability Office, the National Aeronautics and Space Administration has been hit with 1,120 security incidents in 2007 and 2008.

It seems at NASA, malware installations, data breaches, stolen laptops, and botnet infections are commonplace. Among the stolen information were unencrypted data on a prototype hypersonic jet and plans for a lunar orbiter space telescope. Some time ago, 82 NASA computers were found to be part of a Ukranian botnet and 86 computers were infected by the Zoneback Trojan.

Since then, NASA was told to plug up its security holes, but the new report by the GAO says NASA has not done enough. Apparently, it isn’t difficult for intruders to infiltrate NASA networks and steal, delete, or modify mission critical information.

As the report states, “NASA’s high profile and cutting edge technology makes the agency an attractive target for hackers seeking recognition, or for nation-state sponsored cyber spying.” NASA’s security gaps make the administration susceptible to stolen data by competing space programs or private sector networks who wish to gain a competitive advantage. At the same time, terrorist groups may use cyber attacks to disrupt or destroy NASA missions. Still, attacks could come from identity thieves who could access sensitive employee information on NASA’s nearly 20,000 employees.

I believe the security gaps at NASA put our national interests at risk and weaken the strategic technological advantage of the US. But, simply the existence of these security holes creates an embarrassing situation which may embolden hackers to increase their attacks on other government agencies. After all, if security is so poor at NASA then how much better could it be at crucial military organizations?