Image via CrunchBase
As the clouds continues to roll in, (Sorry, I had to…), we are learning of more attacks being successful against organizations such as Google, Facebook, and others. The latest is from a security researcher, Christian Heinrich, located in Australia. He reverse engineered the algorithm Facebook uses to access your personal photos. Since Facebook is a massively distributed application, items such as photos and larger files are placed into a content distribution network (CDN) such as that provided by Amazon, Akamai, and others in order to reduce the load on Facebook’s servers. The thing is, the CDNs don’t integrate into Facebook’s authentication framework since the CDN just stores files and serves them to anyone that requests the proper filename. Guess the filename of the private photos for a person on Facebook, send the request to the CDN, and you get the photo in return.
And that is what led to an arrest and charges for a privacy breach. During his presentation, Heinrich demonstrated this vulnerability at Flickr, Facebook, and MySpace. He demonstrated how we could access the private photos of his fellow researcher, Chris Gatford’s, wife. One example showed a picture of Chris Gatford’s wife and child. The Queensland Police responded to a complaint, although we don’t know who filed the complaint, about Heinrich’s breach of Chris Gatford’s wife’s privacy caused by the demonstration. The Police responded by arresting a reporter for the Sidney Morning Herald, who had interviewed Heinrich about his presentation, and seized the reporter’s iPad.
Is this really Facebook’s or Flickr’s problem or the CDN’s? It most definitely is the content producer’s problem. The CDN network could provide authentication and more advanced security controls but that lowers performance by 30% or more for each transaction.
Ah, the old security versus performance argument. That age old argument is why this little and perhaps unknown arrest in Australia affects your organization whether you are using a CDN or not. When the performance versus security argument comes up during your career, the focus must be on the data type being discussed. Usually, the data type(s) being discussed including different types of data that need to be enhanced for performance to increase. It is likely that as you dive in deeper, many of pieces of data will not be private or confidential, but if they are you must stick to your security guns and only allow authenticated and authorized access to that data. The other data you can push out and optimize all the organization wants.
Your argument back to IT or development about the perceived performance gains they believe they can achieve by optimizing the data is one of analysis. You must ask to analyze the estimated increase in performance of only allowing the non-confidential data to be accessed without security controls. Meeting them halfway by only optimizing the non-confidential data results in them having to accept a 15% or 20% increase in performance, which may be less than what they were estimating, but it is better than no increase at all.
I just released a report for Dark Reading on how to build a multi-enterprise vulnerability management program. If you are dealing with outsourced vendors, or an outsourced supply chain, you should definitely give the article a read.
To summarize the article:
I offer many more details and tips within the article but step #1 is so critical that an entire article should be dedicated to just that!
While most traditional social engineering is used to exploit the vulnerabilities of the HumanOS over phone or online communications, we can’t rule out the possibility that social engineering can be most successful when it is face-to-face (plus it is a heck of a lot of fun!). Even though it puts the social engineer at direct risk, it offers the most reward for their efforts since it gives them direct access to your company’s office and hardware.
For years now, forward-thinking companies have been performing their own social engineering penetration tests to discover bugs in the human hardware. In these cases of face-to-face social engineering at your company office, these techniques can be divided into the following roles:
The Service Technician
The service technician is a social engineer who poses as person with a legitimate reason to enter your office. They usually impersonate a service technician or repairman who has been hired to fix some company hardware, but they may also pose as co-workers, police, bankers, tax authorities, or insurance investigators. This kind of criminal will often take their time to investigate the right thing to say and who to ask for. In some cases, all they need is an authoritative, earnest tone of voice. After all, they only need to be able to fool your receptionist.
The Tailgater
The tailgater is someone who bypasses physical security by allowing others to use their security cards to let them in an office. The tailgater may simply grab the door before it closes as an employee enters the office, or they may casually ask for an employee to hold the door for them. With a nonchalant tone of voice, many employees just assume that they are supposed to be there.
The Aggressor
The aggressor is not really a social engineer, but he does use his tricks while face-to-face with your employees. The aggressor simply attacks one of your employees to steal their security card, and then uses it to casually enter the building. The aggressor will investigate the physical security around an office building to determine where the security cameras are and chose an unseen place to hide.
The Charmer
In 2007, a thief broke into the ABN Amro bank in Antwerp and made off with $21 million in diamonds. This single thief bypassed one of the most hi-tech security systems in the world not with brute force or an Ocean’s 11 level of complexity and organization, but with a stolen passport, a box of chocolates, and personal charm. The charmer, who was never caught, posed as a successful businessman and visited the bank frequently, befriending the staff and gradually winning their confidence. He even brought them chocolates. He ultimately gained VIP access and used his passcard to walk right into the vault he knew contained the uncut diamonds. If this charmer can successfully bypass a $2 million security system, what chance does your company have?
While it does put the social engineer in direct risk, face-to-face social engineering is obviously one of the easiest and most rewarding scams for criminals. If you are implementing social engineering assessments at your organization, make sure they do some face-to-face social engineering!
After seven years of distressing over the issue of P2P leaks of sensitive information, it seems the government is finally gearing up to introduce new legislation to ban P2P file sharing software from government and government contractor computers.
Leading the witch hunt is Representative Edolphus Towns (D-NY), who wants to burn file-sharing programs, like LimeWire, BitTorrent, and Morpheus, at the stake for being “unwilling or unable to ensure user safety.” Adding, “As far as I am concerned, the days of self-regulation should be over for the file-sharing industry.”
Towns is planning to introducing a bill, and he may have the support of his constituency behind him. Sensitive information leaks in the past have included, data on the President’s helicopter Marine One being leaked to Iran, details on the President’s motorcade route, and the locations of the First Family’s safe houses, just to name a few.
Thomas Sydnor, a director at the Progress & Freedom Foundation, demonstrated the dangers of P2P at the hearing by installing the latest version of LimeWire5 on a computer. The program’s default settings very quickly put all 16,798 files in the My Documents folder up for sharing. However, LimeWire Group Chair Mark Gorton, contended that LimeWire does not share user-originated files or Word Documents, pdfs, Excel spreadsheets, and other such presentation documents in its default settings.
Many companies have already taken this step and banned P2P use by their employees. Businesses have their own sensitive data that they must secure, including customer credit card numbers, private emails, etc. By intentionally allowing file sharing, P2P essentially undoes everything IT security is trying to do.
This isn’t the first time the issue was brought before Congress, the House oversight committee has raised concerns about the risks associated with data leaks from the use of P2P software in two previous hearings. However, on this occasion Towns is now stating his intention to introduce a bill, and it’s likely he will follow through.
While I agree with Towns that P2P software obviously presents a risk of leaking sensitive or classified information, I’m not sure I agree with using government regulation to simply ban P2P. As P2P continues to develop it may eventually overcome its security flaws, but with an antiquated law banning their use, we would be unable to utilize the advantages of the software.
I would prefer to see P2P software developers take a stronger approach to securing their products. This push for banning P2P may be the incentive they need to make the necessary changes. But it may be too late.
If you’re unhappy with the current Payment Card Industry Data Security Standard (PCI DSS) then now is your chance to complain. The PCI SSC Council has announced a feedback period where you can have the opportunity to “provide detailed and actionable feedback in an effort to revise future editions of the Council’s standards to improve payment data security.”
You may air your grievances during the phase two of the lifecycle process, between July 1 and November 1. The SSC Council is looking to hear from merchants, processors, financial institutions, and other key stakeholders – and I’m sure they are in for an earful. (Like how the only thing you need to be a QSA in North America is 30k, a Highschool education, and 4 days of training)
Many are unsatisfied with the “checklist” format of PCI compliance. They commonly point out how this switches the goal from overall security and risk management to simply compliance. Some of these standards don’t seem to help security at all, such as configuration management. PCI compliance should not be the goal, but it ought to serve as a jumping off point towards promoting better security practices. But too many organizations either have a purely audit-based mentality while others regard the compliance as a frustrating burden.
Does the recent data breach of Heartland Payment Systems prove PCI is useless? Maybe not, but it isn’t 100% effective either. Of course we know nothing can be in security. But does it even provide reasonable security and assurance?
There are some who call PCI DSS “security theatre.” (Like me!) It makes organizations put on a show of security that makes them feel safe, but doesn’t actually do anything. Many organizations even perform their own self-assessments and there is no incentive for them to report anything less than fully compliant.
If you’ve got a bone to pick with the PCI SSC Council over these issues, then you can use their online feedback tool to “proactively propose and discuss revisions to the next iteration of the Council’s standards.” But if you want to complain in person, you can attend their “Community Meetings” in Las Vegas or Prague.
Not long ago, I reported on the hacking incident at web service provider VAServ. The breach, which was attributed to vulnerabilities in LxLabs’ virtualization administration software, resulted in data loss for more than 100,000 customers and possibly one suicide at LxLabs. Now, it appears as though the breach was not caused by LxLabs’ software at all, but by frequent password reuse – if you believe the comments on “The Inquisitr” that were left by the actual hackers.
After “The Inquisitr” posted the story, an anonymous comment linked to a message presumably left by the hackers. The message denied they exploited vulnerabilities in LxLabs’ Kloxo software, “Z3r0 day in hypervm?? plz u give us too much credit,” and instead put the blame on Rus Foster, director of VAServ.com – “If you really really wanna know how you got wtfpwned bitch it was ur own stupidity and excessive passwd reuse.”
The hackers told Foster that repeated use of the same four passwords made it easy to infiltrate the VPS “thanks to ur mad passwds” – one of which they claim was “f0ster.”
Foster denies that poor password and configuration management led to the hack. He says the hacker comments must be made up since he “doesn’t recognize” any of the passwords revealed in the post.
The assumed hackers said their motive was boredom, “We got bored so we decided to initiate operation rmfication and hypervm was a great t00l to do that since it spared us the time of sshing into all ur 200 boxen just to issue rm -rf.”
Since the catastrophe that deleted the websites of thousands of small businesses, Foster announced VAServ was being taken over by a larger hosting provider known as BlueSquare. Although customers who used managed accounts would have their data recovered since it features an autosave backup.
The hacker message is vague enough that it could have been written by someone who is simply skilled in hacker parlance:
“BTW Rus we still have ur billing system wtfpwned and baqdoored we got ****load of CCz from ur retarded customers thanks a lot buddy. Telling you this cuz we got bored of this ****, it’s just too easy and monotonous so patch ur crap, if your too dumb to secure a simple web server my rate is $100/hour or one night with ur sister hauhaiahiaha.”
I am back from my week of trips, and ready to get back into the blogging routine. While travelling and talking with clients about security audits some thoughts came to me.
If all your security audits are involuntarily performed by external entities and you are simply struggling to survive them for fear of punitive recourse, then you probably don’t have the best attitude when it comes to security. A security audit should help your organization improve and grow – it is not something to be scared of.
I was reminded of the saying that no security is actually better than poor security. This is because with no security, at least you know how secure you are and won’t act in such a way that would put your data at risk. But with poor security, you might be fooled into a false sense of security that can put you in position for staggering losses when a breach does occur.
This is why security audits are so important; they inform you on the current level of your security. This knowledge empowers you to make informed decisions regarding data risk analysis. You should conduct your own security audits often and after implementing new security defenses.
Now I’m often asked if it’s better to conduct internal audits yourself or pay for outside security consultants to conduct external audits. Personally, I feel there are a few more advantages to outsourcing the audit.
1) Security consultants make security audits a core function of their business. They probably have more experience and a wider knowledge base to find more gaps than an internal audit.
2) Internal audits tend to be lax when it comes to identifying gaps. The focus shifts to checking check boxes rather than actively trying to break the system.
3) If something is missed in the security audit and a breach occurs – at least you have someone else to blame. You may even be able to hold your security consultant company accountable depending on the contract.
4) There is no reason you cannot perform an internal audit and then have an external one which you compare for accuracy and team skill set building.
I hope to see more security audits met with welcoming arms than with dread and uncertainty. Just remember, that security is never final and the audit is just a part in the continuous effort to improve your defenses.
I have been following this developing story about VAServ, a small UK hosting company that was infiltrated by hackers who proceeded to delete data on over 100,000 hosted websites. This included thousands of small businesses who spent years developing their websites.
Naturally, VAServ had to deal with more than a few angry phone calls from users. One comment read, “Yeah thanks for ruining my life for the last 2 years i had built up my site spending alot of money and giving up my job for nothing………what am i going to tell the wife?” But VAServ is just a small company using the internet to look big; there were only three employees to deal with the crisis that affected tens of thousands.
The hack is thought to be caused by unpatched vulnerabilities in a virtual machine management software program called Kloxo that VAServ used. Days before the hack, an amazing 24 high risk vulnerabilities in Kloxo were posted on milw0rm. The anonymous poster said that they decided to make the vulnerabilities public after Lxlabs, the creators of Kloxo, did not fix the software after two weeks after the initial notification. He concluded that the ‘vendor appears uninterested’ in the vulnerabilities.
This is the common procedure of a lot of white (or grey) hat hackers. If the software developers or website refuse to acknowledge and correct the vulnerabilities, then they publicize the exploits to inform the users of the danger and put pressure on the developers to take action. Forcing developers to patch their vulnerabilities is sometimes the only way to save software or website users who may be exploited by black hats.
However, in this case, publicizing the vulnerabilities in Kloxo may have had the side effect of tipping off black hats who hacked into VAServ and deleted customer websites.
After the incident, Lxlabs founder and owner, K T Ligesh, was found hung in his apartment in Bangalore. But no one can be sure whether or not this incident was the primary cause of the suicide since Ligesh seemed to have other issues disturbing him.
I think this incident might rekindle discussions about the way some hackers publicize exploits for the good of the users. Was the anonymous milw0rm poster too hasty to post the exploits? I’m interested to hear your thoughts.
You may have heard about the embarrassing security breach a while ago where a file containing the blueprints and avionics package for Marine One(President Obama‘s Helicopter) was found on a computer in Iran. Since then, Congress has surmised that the details regarding President Obama’s helicopter were compromised by a government contractor that was using a peer-to-peer file sharing program.
But just two days earlier, the “Today Show” reported that more than 150,000 tax returns, 25,800 student loan applications and 626,000 credit reports became publicly available due to a similar incident with a file sharing program.
P2P file sharing doesn’t just tie up bandwidth. It’s still a major threat to the security of any commercial, educational, or government enterprise. And thanks to some inadvertent clumsiness it is now a threat to national security. It isn’t just a danger to your home or office computer, entire corporate networks are susceptible to many attacks via P2P.
It’s hard to defend the use of P2P when it goes against the basic principles we advocate about securing a computer. In order to share and access files on a P2P network, you must open a TCP port through the firewall for the P2P software to communicate. This essentially eliminates your defenses against malicious traffic coming through it.
When you willingly share the contents of your computer with an anonymous and unknown user, then all the firewalls and antivirus software in the world can’t help you. Likewise, if you willingly download, install, and run any program of cryptic origin, then there is no telling what you are actually doing to your computer.
Although previously thought to be a safe version of P2P, BitTorrent was used as a vehicle for a massive spyware distribution campaign in 2005. Before that, the only danger found in BitTorrent was just occasional random executables. But now it can evidently be harnessed for money-making campaigns complete with affiliates, distributors, and some big names in adware.
I could list a dozen reasons to ban P2P in the workplace, but I think the argument has enough power. Unless there is a legitimate reason to use P2P they usually just tie up bandwidth, distract employees, and make your computers and network vulnerable.
The reality of the situation is that there is no such thing as a 100% secure place on Earth. IT security professionals can only do what they can to make things as secure as possible. There is no computer security defense that will succeed every time, forever, or as I say when presenting at conferences “You cannot buy your security at the local best Buy”. (NOTE: If you have an indepth udnerstanding of heypots, you can skip this post)
Because of my interaction and association with the Honeynet Project I am frequently asked what benefits honeynets can provide to the normal everyday IT security engineer. Simply put, honeypots provide us with early warning so we can be vigilant and prepare our defenses accordingly.
Additionally, honeypot data is a great way to loosen the purse strings of corporate managers who are hesitant to dip into the company budget. You can make a case for a larger IT security budget by showing them the attack data on the honey pot – who is attacking, how they are attacking, how often, and, most importantly, what damage they could potentially do to the enterprise if the proper defenses are not built. Actual data speaks louder than any verbal argument.
Here’s an analogy to help you understand the importance of honeypots.
Imagine you are tasked with defending your king’s castle from an impending enemy attack. But you don’t know who the enemy is, where they are coming from, how many there are, or what kind of attacks they will use. They may use spears, rifles, or just sharp rocks. They may attack on horseback, with catapults, or maybe with tanks.
So what kind of defenses should you build? A 30 foot tall wall surrounding the castle or a moat? Should you put archers in the towers or build turrets? Maybe you should just pile up a few sandbags and hope for the best. Maybe the real problem is the village idiot on the inside… =)
Without knowing anything about the impending attack, you do not know what an appropriate defense would be. You may dig a futile trench around your castle while the enemy attacks with stealth bombers. Or you may encapsulate your entire castle in an impenetrable crystalline dome while your five attackers sling rocks at it. The latter defense may work, but your king might not be too happy with you for wasting his whole treasury on an unnecessarily robust defense.
A Honeypot is perhaps like a decoy paper version of your castle set up a mile before your actual king’s castle. The paper castle has no value, but you can see what attacks your enemy uses when they attack it, and thus prepare accordingly.
Honeypots allow you to understand what kind of attacks you can expect. With this knowledge you can allocate resources to defenses appropriately, without under or overspending. Now, with all that said not everyone can run out and install a honeypot and solve their problems. Honeypots require a lot of maintenance, watching, and i fnot properly installed you can actually decrease the security of your network.
If you don’t want to take the chance of hurting your own security posture, there are services that will configure and run honeypots for you and provide you with their data. Symantec and McAfee offer such services.
