I’m often astounded by how frequently company networks with otherwise good security practices completely neglect their network printers. Usually, they are simply installed and, as long as they work, nobody pays any attention to them until it’s time to reload the paper or replace the toner cartridge. But most of these printers are sitting ducks, open to a simple attack by even the most novice hacker.
Gone are the days of just toner and paper; printers now take on computer-like characteristics with internal storage, FTP uploading, SNMP, etc. Heck, some printers are loaded with vulnerable applications. Some have embedded Windows systems that interface with the network. Yet almost no risk management or oversight is applied to protect the printers from attacks. At the very least, hackers can access confidential information sent to the printer. At worst, printers can be turned into remote-controlled bots and used as a launching pad for further attacks.
Why am I bringing this up? We broke into a client’s external network through a printer. Yes, full network access because of a single printer.
I’ve seen printers used to catch passwords, change passwords, capture valuable documents, and grab print jobs. I once heard of college students who rerouted an exam print job to their dorm room printer so they could get an advance copy of the exam. (Why didn’t I think of that!)
Conferences are showing examples of how easy it is to bypass authentication, inject commands at the root level, and write shellcode to take over printers. By exploiting the printer’s Internet connection, hackers can use it as a proxy to attack other targets while concealing their own location. Printers were among the devices the Blaster worm used to disable systems at multiple offices of McCormick and Co. in a matter of hours.
Printers have hard drives that store extremely sensitive data about print jobs and who is issuing them, so think about your printers the way you think about laptops. These hard drives are vulnerable to theft or can be read during a repair. The usual recommendation is to wipe hard drives weekly or at least monthly, but that is much too frequent for printers. The best route to defend against printer attacks is to create an image/standard configuration for printers just as you do for servers, workstations, and laptops. Try not to buy the cheapest printer available; go with a business class or enterprise printer that has more security features, such as proper domain authentication. Lastly, LOG all prints. Yes, use a real print server, such as one running Linux or Windows, and log when print jobs are submitted.
Updating passwords, wiping hard drives, and checking network configurations are among the considerations that should be clearly identified in a security policy, and that applies to your printers too!
As I contemplate purchasing a netbook (the HP Mini 2140 looks awesome), I saw a Computerworld.com article named “Laptop Losers Hall of Shame” (http://www.computerworld.com.au/article/222142/laptop_losers_hall_shame) detailing the enormous security breaches that ensued when notebook computers were lost by, or stolen from, employees of corporations, government agencies, or colleges. The hall of shame is both hilarious and frightening.
Smartphones are becoming the new laptops. ABI Research expects annual worldwide shipments of smartphones to exceed 334 million units by 2010, up from just more than 42 million units in 2005. With so many millions of devices carrying sensitive company data, it’s not hard to imagine what keeps security analysts up at night.
Mobile phones have evolved to a point where they equal the functionality of older notebook computers. I know that I can do pretty much every daily task I need to from my smartphone, including RDPing or SSHing into servers. Like me and probably you, we use these smartphones to house critical information, such as notes, emails, and business contacts. If notebooks became such a huge security risk because they are portable, then smartphones are much worse. Brimming with unprotected information, we carry these mobile devices with us at all times. For most of us, losing a mobile phone isn’t a possibility, it’s an inevitability. I have lost 2 phones, one stolen in Vegas and the other sucked into the ether somewhere.
Other than having more portability and ubiquity than notebooks, smartphones are also harder to control and manage because they are purchased by individual users and do double duty for work and personal use. Notebooks can be issued and centrally managed by the enterprise, but the enterprise cannot do the same for the mobile phones of every employee.
How can IT security professionals create a sound infrastructure to compensate for remote workers who are likely to be the unwitting bearers of major security threats?
As always, include the usage of mobile devices with company data in your security policy and create expectations for your company employees to follow.
One of my favorite activities we perform for clients is Social Engineering, so I thought that a recent trend, disinformation, would be an interesting topic to discuss:
In 1943, British Intelligence dressed up a corpse, equipped it with fake operation plans, and floated it out to sea where Axis troops would eventually recover it. The ruse was designed to make the Germans believe that the Allies planned to invade Greece and Sardinia, instead of Sicily, their actual target.
“Operation Mincemeat” was a successful disinformation campaign. Also called “Black Propaganda,” Disinformation is the intentional spreading of false or inaccurate information to damage an opponent or gain an upper hand against them. While it was often used in wartime throughout history, the new battleground for disinformation is cyberspace, where hackers spread disinformation about a company through the company’s own systems.
According to a study on hacking incidents and trends for the first quarter of 2009, “Disinformation” is now the second most common outcome of hacking attacks (losing to “Information Leakage” by only 3%). This is a major jump, since Disinformation was not even on the list in the previous study, falling somewhere below Phishing (3%). Defacement, which can be distinguished from Disinformation because it spreads obviously false information, is third on this list.
And if you don’t think Disinformation can cost your company money, just ask Steve Jobs who recently shared sentiments with Mark Twain – “reports of my death have been greatly exaggerated.”
A hacker broke into the live Mac Rumors feed to announce, in all capital letters, “STEVE JOBS JUST DIED.” It took three minutes before a retraction was given: “Steve did not die.” In another incident, someone uploaded photos to Wired magazine’s website with a detailed story describing Steve Jobs having a cardiac arrest. In this case, it wasn’t even a code flaw that allowed the disinformation to be publicized, but an obvious application design flaw: Wired’s public image viewing utility allows anyone to upload whatever images they wish, which are then viewable on their public website.
Harmless pranks? The disinformation campaign caused Apple stock to plummet. Considering that Steve’s recent health problems made the disinformation so plausible, and that the same disinformation was used on multiple occasions, you can’t help but wonder if the culprit has a vested interest in seeing Apple stock drop.
Disinformation isn’t going away. Consider the rise of social network trends like Twitter. Social networks are very susceptible to hacking in the first place. Twitter allows news to be sent directly to thousands of users. This makes it a very powerful platform for information or disinformation.
When HIPAA was passed and made federal law by the Clinton administration in 1996, the fear of fines and even jail time sent the medical industry scrambling to beef up their patient data security by the 2003 deadline. However, for years afterwards, HIPAA remained a toothless tiger. Occasionally it growled, and violators were told to clean up their act. But it usually did not bite, as prosecutions were rare and usually mild.
Since no serious prosecutions have taken place since HIPAA went into effect in 2003, the medical industry and I have wondered if HIPAA is just a made-up boogeyman meant to frighten them into compliance.
All this changed on February 18 when the U.S. Department of Health and Human Services and the Federal Trade Commission issued a press release stating CVS had to pay $2.25 million to the U.S. government for HIPAA violations.
The HHS Office for Civil Rights (OCR) and the Federal Trade Commission caught the pharmacy chain red-handed disposing of empty pill bottles that contained patient data into dumpsters and trash containers outside select stores. Among other issues, CVS “failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; and failed to adequately train employees on how to dispose of such information properly.”
In addition to its fine, CVS Caremark Corp., the parent company of the 6,000 store pharmacy chain, must implement a robust corrective action plan that requires Privacy Rule compliant policies and procedures for safeguarding patient information. CVS must also submit to a biennial audit by a third party to show its compliance.
Is HHS trying to set an example with the steep penalty? Is CVS the sacrificial lamb intended to inspire other delinquent HIPAA violators to clean up their act?
While many medical industry companies may have been gambling with HIPAA violations, at least CVS learned it isn’t worth the risk. Besides the possible penalties, compromising personal patient data is a strike against the reputation of a company, and this can be more costly than any fine by the HHS.
This recession has shown many companies just how unprepared they are for internal attacks. Companies are cutting their budgets and laying off employees to save money. But such layoffs can turn faithful, loyal employees into vengeful, ticking time bombs. And as layoffs increase, the problem is only going to get worse.
I’ve seen many companies fret about the big-name external viruses promoted in the media while their internal systems are ripe for internal attack. Remember, 80% of attacks occur inside the network on average. But I’m sure that number is above normal at the moment due to the current economic climate.
Acting out of desperation or anger, employees use their inside access or knowledge of your systems to deface or delete valuable information, or to leak it. Like the thief stealing a loaf of bread to feed his starving family, desperate ex-employees facing mortgages or medical bills may embezzle funds or sell trade secrets to competitors.
The key is controlling access. I have seen too many companies without adequate policies and procedures in place to ensure swift and thorough security practices during employee termination. Often, I’ve found login access still active for ex-employees who have not been with the company for years.
You wouldn’t let an employee leave their job without taking away their keys to the company building – your company network shouldn’t be any different. As cruel as it sounds, I suggest disabling access before handing out the pink slip, just to be safe. Coordination is key. It can take only minutes for an employee with high privileges to cause staggering losses.
What’s worse is cutting loose employees who designed or installed your systems because they know exactly how to dismantle them. IT workers can create logic bombs set to detonate and wipe out your systems long after the ex-employee has fled the scene. Employees in finance know where the money is, and can redistribute or embezzle funds.
You have a responsibility to protect your other employees from the potential damage an ex-employee can cause. Security awareness, with a focus on building employees who detect problems, can help dramatically. And always have a security policy in place with specific procedures to follow when terminating employees.
If your company is concerned about saving money, then understand that letting go of employees can cost you much more than it can save if they decide to take revenge. I always profess that IT security breeds process automation, and this is a good example where an investment in IT security will save you money in the long run.
Time Magazine should know better than to use a website poll to have users determine the most influential person of 2009. Polls are often susceptible to a number of automated attacks or simply a swarm of pranksters with too much time on their hands.
In this case, the poll padding came from the massive imageboard website, 4chan.org. Notorious for generating internet memes and fueling internet subculture, this is not the first internet attack to originate from the unmonitored site.
The voting link to Time’s most influential person poll was a simple URL that was redistributed by 4chan users through legitimate sites and content spamming. Through cross-site request forgery, unwitting and trusting website users cast a vote just by clicking the link. At the same time, the attackers were able to vote down other entries because the poll did not check whether the submitted rating value was valid.
Time fought back by adding a salted and hashed key that ensured votes were submitted from its own poll form. But 4chan found that the authentication key was exposed on the client side by the poll’s Flash application, and bypassed this protection.
The poll also had anti-automation protection that made a user from the same IP address wait 13 seconds between votes. 4chan created auto-voting bots that voted for moot every 13 seconds and voted down competing entries during the 12 seconds in between.
All this allowed for “moot” to skyrocket to the top of the poll. But not content to merely take the top place, 4chan hackers continued to manipulate the poll rankings. They reordered the rankings so that the first letter of each name would spell out the acrostic “Marblecake Also the Game.”
If you did not already know, “moot” is supposedly the identity of the mysterious creator of 4chan. However, because of the intentional disorganization on the site, it is impossible to determine any truthful information about the user.
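To show how the three failures above (a forgeable voting link, an authentication key shipped to the client, and unchecked rating values) are closed on the server side, here is an added example; it is not Time’s code, and the poll id, candidate names, 1..10 rating range and session ids are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example values. The key stays on the server; in the Time poll the
# equivalent key shipped inside the Flash client, which is where 4chan read it.
SERVER_SECRET = secrets.token_bytes(32)
MIN_SECONDS_BETWEEN_VOTES = 13   # the per-IP interval the article describes
MIN_RATING, MAX_RATING = 1, 10   # hypothetical: the only rating values the form offers


def issue_vote_token(session_id: str, poll_id: str) -> str:
    """Token bound to this visitor's session and this poll.

    A link planted on another site (the CSRF vector in the article) cannot
    produce it, because the secret never reaches the browser.
    """
    msg = f"{session_id}:{poll_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


class Poll:
    def __init__(self, poll_id: str, candidates):
        self.poll_id = poll_id
        self.ratings = {c: [] for c in candidates}   # accepted ratings, per candidate
        self.last_vote_by_ip = {}

    def cast_vote(self, session_id, token, client_ip, candidate, rating, now=None):
        """Validate one vote; every check must pass before anything is recorded."""
        now = time.time() if now is None else now
        expected = issue_vote_token(session_id, self.poll_id)
        if not hmac.compare_digest(expected, token):
            return "rejected: bad token"
        if candidate not in self.ratings:
            return "rejected: unknown candidate"
        # The original poll skipped this check, so out-of-range values could sink rivals.
        if not isinstance(rating, int) or not MIN_RATING <= rating <= MAX_RATING:
            return "rejected: rating out of range"
        last = self.last_vote_by_ip.get(client_ip)
        if last is not None and now - last < MIN_SECONDS_BETWEEN_VOTES:
            return "rejected: rate limited"
        self.last_vote_by_ip[client_ip] = now
        self.ratings[candidate].append(rating)
        return "accepted"

    def average(self, candidate) -> float:
        votes = self.ratings[candidate]
        return sum(votes) / len(votes) if votes else 0.0
```

The per-IP delay only slows a bot that already paces itself at 13 seconds, as 4chan’s did; the token and range checks are what hold, because they are enforced where the attacker cannot edit them.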
Sprint had their data leaked by an employee. From the letter:
“It appears this employee may have provided customer information to a third party in violation of Sprint policy and state law. We have terminated this employee. The information that may have been compromised includes your name, address, wireless phone number, Sprint account number, the answer to your security question, and the name of the authorized point of contact on your account.”
My question is, why did the employee even have access to the security question answer? Why can’t a representative type in what the caller says and, as with password verification, have the system report only whether it matches? This would limit the people this information could be used against to only those the employee actually spoke to.
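The password-style verification suggested above, as an added example rather than anything from Sprint: the answer is salted and hashed at enrollment, the support desk gets only a match/no-match verdict, and a few failures lock the account. The normalization rule, iteration count and three-attempt limit are assumptions.

```python
import hashlib
import hmac
import os

# Constructed example, not Sprint's system. Only (salt, digest, iterations) is stored;
# the plaintext answer is discarded at enrollment, so neither a leaked record nor a
# representative looking at the account screen reveals it.
PBKDF2_ITERATIONS = 100_000


def normalize(answer: str) -> str:
    """Callers say "Fluffy" and " fluffy "; treat those as the same answer."""
    return " ".join(answer.casefold().split())


def enroll_answer(answer: str) -> tuple:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest, PBKDF2_ITERATIONS


def verify_answer(record: tuple, candidate: str) -> bool:
    """What the support desk calls: it gets a yes/no, never the stored answer."""
    salt, digest, iterations = record
    attempt = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(), salt, iterations)
    return hmac.compare_digest(digest, attempt)   # constant-time comparison


class SupportDesk:
    """Representative-facing flow: type what the caller says, get a verdict, with lockout."""
    MAX_ATTEMPTS = 3   # hypothetical limit before the call is escalated

    def __init__(self, record: tuple):
        self.record = record
        self.failures = 0

    def check_caller(self, spoken_answer: str) -> str:
        if self.failures >= self.MAX_ATTEMPTS:
            return "locked: escalate to identity verification"
        if verify_answer(self.record, spoken_answer):
            self.failures = 0
            return "verified"
        self.failures += 1
        return "no match"
```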
We presented a webinar (it will be online shortly) a couple of weeks ago on Secure Software Development Lifecycle practices, and we talked about OWASP, the Open Web Application Security Project. An attendee asked where they could find the OWASP Top Ten, and I thought it would be useful to let everyone know about the OWASP Top Ten.
OWASP has released a draft of their top 10 web application security risks for 2010. (NOTE: large PDF)
OWASP will take public comment on this draft and release a final version by the end of the first quarter of 2010.
As you know, web applications are usually the most vulnerable components of a website, so OWASP is doing a great service by including these attacks, their risks, and the prevention methods. Two new security risks replace Malicious File Execution and Information Leakage and Improper Error Handling from the previous 2007 list. These new security risks are Security Misconfiguration and Unvalidated Redirects and Forwards. The inclusion of Security Misconfiguration demonstrates how OWASP is now focusing on a risk view instead of just software development.
But what enterprises will most appreciate about this new list is that it seems to be accessible by not just security professionals but by the company decision-makers. Rather than just discuss the security exploits, the document goes on to explain the technical impacts and business ramifications. OWASP takes on a risk assessment approach with this list, which is a mature viewpoint in terms of providing security.
The 2007 list ranked entries by the frequency of each weakness, but the new list ranks each item by risk. In this way, the list is about the top risks rather than simply the most common weaknesses.
Each risk is broken down into attack vector exploitability, security weakness prevalence and detectability, and technical and business impacts. Each part of the risk is rated red, orange, or yellow to show the severity.
Attack vectors shown in red are those which are easily exploited by an attacker. For example, Injection attacks are easily exploitable because they only require a simple text-based attack. The prevalence risk shows how often these vulnerabilities occur and the detectability risk shows how easy the vulnerabilities are to detect. Finally, the technical and business impacts discuss how much damage an attacker could cause from the weakness.
This risk assessment approach to security is a very wise step for OWASP and something we have been doing for clients since 2004. It is neither possible nor economically feasible to guarantee 100% security, so security issues must instead be budgeted based on risk. The list allows companies to consider which risks to worry about by considering their frequency, prevention costs, and impact.
Interesting report from Verizon that a friend sent me.
Verizon Business Data Breach Investigations Report – The 2008 Data Breach Investigations Report offers an objective view of data breaches directly from the casebooks of their Investigative Response team. More than 230 million records compromised over the four year period are represented – including about a quarter of publicly disclosed data breaches.
Verizon analyzed thousands of data points from over 500 investigations worldwide – including many never publicly reported. Here are just a few of their findings:
* 87% of cases could have been avoided with basic security measures.
* 66% of cases involved a system that the organization did not even know contained sensitive data.
* 39% of the breaches involved business partners.
* Breaches involving partners increased five-fold from 2004.
Data Breaches
* 73% resulted from external sources
* 18% were caused by insiders
* 39% implicated business partners
* 30% involved multiple parties
How the breaches occurred
* 62% were attributed to a significant error
* 59% resulted from hacking and intrusions
* 31% incorporated malicious code
* 22% exploited a vulnerability
* 15% were due to physical threats
What commonalities exist?
* 66% involved data the victim did not know was on the system
* 75% of breaches were not discovered by the victim
* 83% of attacks were not highly difficult
* 85% of breaches were the result of opportunistic attacks
* 87% were considered avoidable through reasonable controls
“2004 through 2007, 90% of the vulnerabilities exploited (leading to a breach) had patches available for at least 6 months prior to the incident”
I will be speaking on the professional development trends in malware at the annual NetSecure conference put on by IIT. Hopefully some of the readers can make it out. It is a great event. The info is below:
IT Security and Forensics Conference and Expo
http://www.cpd.iit.edu/netsecure08
Wednesday, March 26, 2008
Illinois Institute of Technology in Wheaton, Illinois
Join us for NETSECURE’08: The 6th Annual IT Security and Forensics Conference and Expo. This multi-track technical conference is attended by 200+ IT professionals and will promote the open exchange of IT security and forensics information. Register now at http://www.cpd.iit.edu/netsecure08
Current Conference Presentations Include:
* “Annual CompTIA security research: Trends and strategies for information security” Carol Balkcom – CompTIA
* “Cellular Wireless Key Management” Alec Brusilovsky – Alcatel-Lucent
* “Microsoft Security – Growing up and Enterprise Ready” Cordell Crane – Microsoft
* “Microsoft Security – Hands on approach with tools for Threat Modeling, Code Review and Discovery” Ken Anderson – Microsoft
* “Professional Development Trends within Malware” Michael Davis – Savid Technologies
* “Network Security: What You and Your Skills Are Worth” Bob Fanelli – Robert Half Technology
* “Securing Windows – A Monumental Task?” Mike Fekety – Performance Technologies
* “Building a Secure Storage Internet” Chris Gladwin – CleverSafe
* “Do the Work Once: Harmonizing Compliance and Security Objectives” Bonnie Goins
* “The Role of Penetration Testing in Security Audits” Jeff Groman – Akibia
* “Penetration Testing: Let me probe your ports” David Kennedy – SecureState
* “Combating Insider Threats on Databases” Carl Kettler – Application Security, Inc.
* “Computer Security at Fermilab” Frank Nagy and Tim Rupp – Fermi Lab
* “Building a Linux Custom Firewall” Venkat Nandam
* “Security and Control Issues within Relational Databases” David Ogbolumani – SunGard
* “Data: How much is there, and where is it at?” John Pascoe – FBI Regional Computer Forensics Laboratory
* “Best security practices for Voice Wireless LANs” John Poust – IEEE ComSoc
* “Virtualization Security and Best Practices” Rob Randell – VMware
* “Out-Of-Band authentication using a real-time, multi-factor service model” Andy Rolfe – Authentify
* “Fighting Spam: Tools, Tips, and Techniques” Brian Sebby – Argonne National Laboratory
* “SSH” Hemant Shah
* “Multi-Factor Authentication Solutions: An Overview of Regulations, Vulnerabilities, and the Latest and Best Authentication Options” Bob Thompson – Catalyst
* “A New Model for Business Contingency Operations” Raymond Trygstad – Illinois Institute of Technology
* “Identity and Access Management” Kevin Wang – Crowe
Details:
Date – Wednesday, March 26, 2008
Attend – $95 (includes breakfast, lunch, cocktail party, and conference tote bag and materials)
Exhibit – $325 (includes 2 free attendees)
Sponsor – $300-750 (includes 1-2 free attendees)
Register – www.cpd.iit.edu/netsecure08
Location – Illinois Institute of Technology’s Rice Campus in Wheaton, Illinois
Sponsors Include:
High Tech Crime Network (HTCN), Authentify, Inc., Microsoft, onShore Networks / Fortinet, SunGard Availability Services, IBM Rational, Project Leadership Associates, Robert Half Technology, Other World Computing, SecureState, CTH Technologies, Inc., Security Services & Technologies, Catalyst Technology Group, Inc., Equivus, W.W. Grainger, Inc., CIMCO Communications, CIMCOR, Inc., Hegemony Consulting, Neohapsis, Inc., X-Ways Forensics, CompTIA Security+ Certification Program, Savid Technologies, Inc., ChicagoCon / The Ethical Hacker Network, UniForum, IEEE, and CPD.