I’ve worked at various companies for many years now where the notion of “test, detect and quarantine” is a reality. During my time at StillSecure we had a NAC product that would do just that. You didn’t have to quarantine an infected or out of policy machine, but you definitely could. My job before that, Visionael Corporation, we had a vulnerability assessment tool that was headed in the direction of a NAC product and we spoke to many potential NAC customers that loved the idea of quarantine.
Scott Charney, Microsoft’s Corporate VP for Trustworthy Computing, gave a speech last week at the 2010 RSA conference and talked about the possibility of quarantining infected machines on the ISP’s side in order to stop these infections from spreading. He compared it to rules the EPA has put in place regarding smoking in public places. Charney said “Then, of course, the EPA comes out with secondhand smoke. Suddenly, smoking is banned everywhere. You have a right to infect and give yourself illness, you don’t have the right to infect your neighbor. Well, the computers are the same way.”
Now I agree with him to some degree. My neighbor that’s on the same ISP as me, or the guy sitting next to me at Starbucks while we’re both on the wireless doesn’t have the right to infect me, but is quarantining really the answer?
I’ve met with hundreds of customers while at StillSecure that were quarantining people or wanted to in the near future. I personally think it’s a great concept, but in my mind it’s not much more than a concept at this point. What’s my issue with quarantining, you may ask? Well, what do you do with machines once they’re quarantined? That’s my problem.
Look at the average user that would be quarantined. It’s most likely not many of us reading this blog, but maybe our parents or friends who aren’t as computer and security savvy. It’s the people that click “ok” when asked to download the latest “Microsoft Security Patch” which links them to www.youjustgotscrewed.com. So given the fact that these people aren’t exactly technology experts, what do we expect to do with them when presented with remediation instructions? I’ve seen some fairly good automated remediation before, but a lot of it still requires turning off a service, installing patches in a certain order, knowing which software you have installed on your machine already, on and on and on. That’s just not a realistic option in my view. The most likely outcome would just generate thousands of support calls when people can’t get to the website they were originally trying to go to.
So what’s the answer? Is there a play here for a product company that focuses on “ISP level remediation while in quarantine” or maybe a service company that focuses on “ISP level remediation support”? Maybe, but until then, let’s just allow everyone to continue spreading their technical diseases to everyone else.
…josh
Josh Karp
<risque>You’ve been warned – Rating PG</risque>
There’s nothing worse than meeting a nice girl at a club and discovering she’s a Fembot! Sure, we’re savvy, mighty warrior men on the prowl… We won’t be deceived by the common transvestite or guy masquerading as a woman! But this is going too far – I mean, what if the chick has no appendage, if you get my meaning?
As technology experts and mighty cyberninjas (my apologies to the pirates), we’re used to checking for malware on our smartphones. We won’t get fooled by that phishing e-mail. Evil Twin hotspots? No problem, we set up a proxy SSL tunnel and could care less who’s eavesdropping.
But a new security threat for mobile networks is on the horizon – the rogue femtocell. (I like the sound of that word for some reason… I spent all my $1 bills at the femtocell last night!) According to Dr. Björn Rupp, Managing Director of Gesellschaft für Sichere Mobile Kommunikation (GSMK) CryptoPhone mbH, (God bless you, do you need a tissue?) advances in technology have enabled criminal gangs to deploy low-cost tools to create rogue cell phone systems to conduct industrial espionage, identity theft, etc. Where it once took $50,000 in hardware, now a Linux workstation can run software to emulate the GSM cells. Decrypting GSM encryption algorithms by exploiting the latest cryptographic advances, while not trivial, is possible using a code book. This exploit was first published in December by Karsten Nohl at the Chaos Communication Congress in Berlin. In addition, research published from Rutgers University demonstrates how to turn devices into “remotely-activated bugging or tracking systems.”
The good news is that GSM is an older technology (2G networks) and most femtocells today are 3G, which require two-way authentication between the handset and the network. 2G networks only authenticate in one direction – the SIM sends the ID to the network, real or fake. So are hacked cellular codes really something to worry about? My guess is probably not…
But your phone has WiFi, right? And you automatically connect at your carrier’s hot spot? Most phones do this automatically to help you cut down on cellular minutes or other costs. You may not even know you’re on a WiFi network. Get your Twitter feed updates automatically? How about that Facebook photo you just uploaded? If these automatic WiFi connections are unencrypted, your passwords are being shot through the airwaves and anyone with Kismet or another tool can sniff the airwaves. Like most people, you probably use the same password in multiple locations and could be putting more than just your online accounts at risk. This isn’t hypothetical. I’ve had friends who have had this happen to them.
As smartphones transition from being phones to full-fledged mobile computers, the compromise vectors will continue to grow. And the Fear, Uncertainty and Doubt (FUD) will continue to be splashed about by the media. I wish the media would focus on the real threats and not the sensational ones.
In the meantime, you can find me hanging out at the local femtocell, with wads of $1 bills in my pocket, ready to tuck into a Fembot’s g-string.
Moonraker069
As any longtime blogger will tell you, sometimes you write articles and wonder “is there anyone besides my Mom who is reading this?” If what you write is geeky about security, you even doubt that your Mom will read it. So it is refreshing when what you do is noticed and appreciated by your friends and peers. This is even more important when you decide to dive in and start blogging. A little pat on the back and encouragement goes a long way. For that reason I was really happy for all of my CISO Group partners who are starting to get noticed by the security blogosphere.
First, last week it was Josh Karp, whom Mike Rothman mentioned as inspiration in one of his incites on “What is your Plan B”. This week we welcomed our CISO Group partner, Bobby Dominguez, to the blogging fold. Bobby wrote a few articles that appeared both here on Security.exe and on Bobby’s own personal security blog, DrekkinVorn.
In the Friday Summary that Adrian Lane does on the Securosis blog every week, besides talking about each of the Securosis team members’ favorite Securosis posts, they also point out favorite outside posts and top news stories. Rich Mogull picked Bobby’s post about the Google/Italy fiasco as his favorite outside post this week. Then Bobby’s exposé on the inherent conflict in being a consultant and auditor at the same time was chosen as a top news of the week story.
That is just hitting it out of the park in your first at bat as far as I am concerned. Great work Bobby! An interesting note on the consultant as auditor story is that Parker Yates, another one of my partners at The CISO Group, actually wrote a similar story on this a few weeks ago asking, “Are QSA’s going to suffer the same fate as Arthur Andersen?”. Parker and I go back a long ways and we remember what happens when the auditors also start consulting. It is only a matter of time before history repeats itself here, I am afraid.
On a similar note, and not to blow my own horn too much, my comment on the great RSA guide the Securosis team put out was chosen as the comment of the week. Had I known it was going to be the comment of the week, I would have taken the time to clean up the grammar and make sure I didn’t leave a word out here or there.
As comment of the week, the Securosis team makes a 25 dollar contribution to Hackers For Charity on my behalf. The CISO Group has made a matching contribution to Hackers For Charity in recognition as well. Thanks to the Securosis team for showing us that at least someone besides our loved ones is reading!
When we first started putting The CISO Group together I told people that I was going out and trying to find the smartest people I knew to work with, but still make sure we had fun. It is refreshing and rewarding to see that the rest of the world is recognizing what a great bunch of folks we are putting together here. Congrats to all of my partners at The CISO Group!
alan
I just read a press release from Trustwave where they announced their newest offering: a data loss prevention application that scans and discovers content risk for data at rest. I have used Trustwave since they were first Ambiron as a QSA for PCI DSS since about 2004. Today they are arguably the leading QSA for PCI DSS and provide a pretty good service.
Looking at their web site, I see that they offer a variety of complementary compliance and consulting services. But I have to ask… When do auditing and consulting services become a conflict of interest? Sure, they offer services that would be great to help you manage your compliance needs – from discovery tools to the latest “DLP” tool. (Aside: I think the term DLP is used way too much to describe a variety of technologies.)
Discovery tools seem to be in line with Trustwave’s mission. But technologies that actually secure the environment, such as encryption, log management, intrusion detection and prevention, and unified threat management seem to cross that line. These are technologies that should be audited for their effectiveness in accordance with the standard. If you’re providing those services, you should not be auditing them!
To be fair, Trustwave is not the only company doing this. PWC, KPMG, and others are also guilty. I wonder if it will take another Enron-like incident for the PCI Council to jump in and draw the line between the consultants and the auditors. And I wonder which of these big companies will be the next Arthur Andersen?
Moonraker069
What ever happened to common sense?
The blogosphere is buzzing about the conviction of three Google executives on privacy violations. A judge in Milan convicted 3 of the 4 defendants for failure to comply with the Italian privacy code. All 4 were found not guilty of criminal defamation. The outrage is that this ruling means that employees of sites that host web content are criminally responsible for the content that users upload. The story begins in 2006 when students at a school in Turin, Italy filmed and uploaded a video to Google Video that showed them bullying a schoolmate with Down’s syndrome. The offensive video was removed within a few hours after Google was notified by the Italian police, and they cooperated with the investigation and helped identify the person responsible for the upload. The girl who uploaded it and the other classmates involved were sentenced to 10 months community service and expelled from their school.
You’d think that the guilty were punished and the story ends. However, a prosecutor decided to indict the 4 Google employees even though they had nothing to do with the video – they didn’t appear in it, film it, upload it, review it or know the people involved. They were not even aware of the video’s existence until after it was removed.
Prosecutors argued that Google broke Italian privacy law by not seeking the consent of all the parties involved before allowing it to go online. The public prosecutor, Alfredo Robledo said, “A company’s rights cannot prevail over a person’s dignity.” He claimed that the executives did not do enough to keep the offensive video off its site. Say what? They cooperated to have the video removed as soon as they were informed! They did not post the video! Those that made it and posted it were convicted. Does every C-level executive need to sit in front of a monitor and scan the content that they host?
Having personally been involved with a company (where I was a major stock holder and co-owner) that faced a similar situation, I fail to see how a content or service provider, and especially the executives, are responsible for the actions of others. The responsible parties were caught and convicted. If the prosecutor was compelled to go after other culpable individuals, why not prosecute the parents of the kids who did this? Why not go after the phone company or ISP that carried the signal to make the connection to Google Video? They carried the content, didn’t they?
Since the WWW began, there has been a debate over who is responsible for content posted to the Internet. If you take this decision to the absurd point to where attorneys will probably take it, there is unlimited liability not only to any company that hosts content, but to its employees also. Taking this to the next level, why wouldn’t the phone company be liable for prank calls (especially those you hear on the radio all of the time) that offend someone on the other end? Why isn’t the post office held responsible for the anthrax envelopes that killed innocents back in 2001? The Postmaster General should have been opening every letter and inspecting it for content! And what about spam? Shouldn’t my ISP stop that? And why is AT&T or British Telecom (or whatever carrier) not held responsible for allowing a virus or a botnet to propagate on their networks? (That makes me wonder if I should get my company to sue their carrier for damages the next time we get a malware breakout!)
I won’t get on a soap box about the absurd privacy laws in the European Union and especially in Italy. (Did you know that your IP address is considered private information there?) But I will suggest that a successful criminal prosecution is a great stage for a civil case that could involve millions of Euros in a settlement. I am not saying that the “victims” in this case are doing any such thing or that they even had anything to do with encouraging this prosecution. But it *is* something to consider. This case has done nothing to validate the efficacy of privacy laws. Instead, it has just shown how broadly they can be applied and abused.
The simple fact is that no company can police every piece of content in real time. The cost would be prohibitive. The most you can hope for is prompt removal once notified. EU privacy laws specifically give hosting providers a safe harbor from liability so long as they remove illegal content once they are notified of its existence. So what to do…? What to do? Should Google fight back and stop offering services to anyone in Italy? Will that teach them? Probably not.
I can only hope that somewhere in the system, common sense will prevail. Google will appeal and the ruling will probably be overturned. If not, the whole concept of the Internet is at risk.
NB: I don’t endorse the reprehensible behavior of the students who did this. I also do not condone the posting of illegal content. And I sure as hell don’t support heavy handed government intervention.
Moonraker069
It never ceases to amaze me how naïve people can be when it comes to the Internet and their privacy. On February 17, 2010, the group For The Hack, a self-proclaimed “concept and idea factory,” published their first “hack” called Please Rob Me. The concept is simple… They scan social networking sites for people who indicate that they are not home and they post a link to the blog or twit – pun intended. While they do not directly have or publish the actual location of these potential victims’ homes, with a little bit of investigative work, it is possible to track them down. I personally like this concept. I am not sure that it will do much to modify behavior in such a way as to get people to think about their privacy and protect their personal information.
Let’s face it, we live in a world where technology outpaces social behavior. But in that same vein, it shapes it too. The “older” generation is cautious about the web, yet they find themselves requiring computers to function in today’s society. (For instance, some banks and credit card companies will charge you extra now to receive a paper monthly statement rather than opting in for a “green” e-statement.) This generation, that would never think of publishing intimate details of their private life in any public forum, gets online to conduct their business and they end up with their identity stolen because the free anti-virus subscription that came with their PC expired. They’ve never been trained to secure their computer. Sure they see the media hype and commercials about online protection, but they simply do not understand how to apply it for themselves. The technology for protection is there, but they do not understand what they need or how to employ it.
I know, because I am my family’s IT department. I am frequently at my parents’ home, patching Adobe or Office or some other vulnerable component. I am answering phone calls about the frequent pop-ups from Zone Alarm. And if I cannot answer right away, they’ll just click “Allow” and go about their business. (They used to click “Deny,” but that just made things not work anymore.)
The “younger” generation seems to understand the technology. That is, they can download songs, keep their iPod and iPhone updated, and play movies on their laptop that is hooked up on a wireless network. They grew up with technology and are accustomed to it. They also see the warnings about what happens to people who put too much information on social networking sites, yet they don’t think that saying, “I’m heading off to Starbucks now…” is a potential security or privacy issue. Taken as an isolated statement, there is little risk. But when you combine this with the other information out there that they have posted, or that the government has posted as part of the freedom of information, you can build a pretty elaborate profile on social habits and personal data.
Part of the solution is building awareness and you see that today with warnings and news stories. The problem is that while people may be aware of the issues, they may not understand how it impacts them. They do not personalize the risks. And more importantly, they do not know exactly how to turn that awareness into actions which result in their protection. The government can’t mandate awareness (although they try with all of these breach notification laws). And we cannot expect people to learn how to protect themselves from the technology like an IT security expert. Nor should we.
Another part of the solution is the technology itself. As it shapes our society, so too should our society shape how it is used and how it evolves to properly protect its users. This is a natural progression that has happened with other technologies. Automobiles have become much safer than they ever were in the early 1900s. They evolved into the seat-belted, air-bagged, and radar-controlled anti-collision braking systems that we have today.
I don’t believe there is a simple solution. Awareness, improved technology, and more government mandates (ugh!) and industry self-regulation are parts of the answer. Ultimately, the simple truth is that all technologies bring risks. The Internet is not now and never will be a place where there should be an expectation of privacy. The government is not going to protect you! They talk the talk, but violate privacy rights in the name of “security for the general good.” Industry is not going to protect you! They walk the compliance walk, but violate privacy rights in the name of a better product and better profits. If you’re going to use the Internet or the interconnected technologies of today, expect this ethereal right to privacy to continue to be a fading reality. Get over it, deal with it. <irony>Now, excuse me while I go Twitter about my upcoming trip to the RSA security conference.</irony>
Moonraker069
I know most of us have become numb to the almost constant barrage of news reports about credit card data breaches. The latest one comes from Helsinki, Finland, where an unnamed merchant decided it was OK to store “several years” worth of credit card data on a poorly secured server. Of course thieves found a way into the machine and made off with 100,000-plus accounts’ information. The “good news” is only about 10,000 contained all of the card data and so far only a few of the card numbers have actually been used. Well thank God for good news like that!
Obviously, the fact that the police are saying the information was kept on a poorly secured server and full card information was stored would lead one to believe that the merchant was not PCI compliant. But whether or not they were PCI compliant is more than an exercise in good security practices. It is about liability and the liability here could extend beyond the merchant.
You see, in many cases now the card brands have put the burden of ensuring PCI compliance on the merchant processors. They in turn have put the burden on the merchant services companies. Now when a merchant is not PCI compliant and an incident such as this happens, it is bad news all around.
For the consumer/card holder it is a big inconvenience. They might have to have new cards issued, credit watch put in effect and fraudulent charges reversed. But at the end of the day their financial responsibility is limited. For the merchant and now their merchant services provider that is not the case.
If the merchant was not PCI compliant, had not even filled out their self-assessment questionnaire, they can bear the brunt of the financial losses here. If the merchant services company had the obligation of making sure the merchant was in compliance, they could share in this liability as well. And let’s be clear here. The liability in a case like this could be substantial. Even 10,000 cards with full data could equal millions of dollars worth of fraudulent purchases. It could easily bankrupt this merchant as well as merchant services and processors up the line.
So the message is clear. Do not become comfortably numb in hearing about all of the credit card breaches. If you are a merchant or involved in the merchant services industry the burden is being moved to you to make sure that at the very minimum the PCI DSS regulations are followed with every single merchant.
alan
One of the most popular retorts we hear from customers goes something like this: “I don’t understand how that could have gotten on my computer. I always update my AV and don’t visit any porn or other dangerous sites.” Well, you would be surprised how easy it actually is to get your machine infected.
One of the most popular vectors used today is Phishing. More social engineering than hacking, phishers lure users to fake, often look-a-like web sites to enter their confidential, personal information. We have all probably seen these kind of emails before. Your bank is going to shut your account if you don’t verify your information and stuff like that.
Recently, with more people on guard about phishing emails, the bad guys have taken it up a notch. Now they will use social media to lure you in. You may receive a Twitter or Facebook message purporting to be from a friend with a link to something that “you won’t believe” or is “so funny”. Sometimes the URL is obscured by one of the URL shrinkers like bit.ly or ow.ly. You click on the innocuous looking link and bang! You’re hooked. Pretty darn easy. In fact too easy.
This type of phish does not get you to enter your personal information. They deliver the payload via the website link. Once you click the link with some of these phishes you don’t have to do anything else. The malware will load in without you doing anything else. Other times it will tell you that your software needs to be updated. In any event, the average person doesn’t even know that his computer is now pwned. On top of this, adding insult to injury, the bad guys will now use your computer to reach others on your network and your friends.
So the lesson is that even if the message is coming from a trusted source, you should not just click on links if you do not know the site they go to. That brings up another twist on the phish. I call it SE-ishing, for search engine phishing. I wrote about SE-ishing on my own personal blog back in December. Using SEO (search engine optimization) techniques the bad guys are using Google, Bing and other search engines against you. They seed web sites that will rank high in certain key words. You do a Google search, click on one of the suggested sites and again you are the victim!
This came up again just the other day. Patrick Walsh covered it over on the Infosecurity-us.com site. Hotmail was down for a while much to the dismay of the many Hotmail users. When one did a Google search about Hotmail being down 8 out of the top 10 results returned dangerous URLs. Either they were sites that deliver a malware payload onto your machine or ask for your credit card information to download the free Hotmail program.
What was amazing to me is that within just minutes of the Hotmail outage the trap was already laid. This kind of stuff makes SE-ishing more like catching fish in a barrel! So next time you think you don’t do anything that would expose you to malware or other bad things, think again. Don’t leave your common sense at the door to the Internet.
alan
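A defender-side screen for the kind of links the post describes, as an added example that is not part of the original post: it pulls URLs out of a social-media message, flags the shorteners named above (bit.ly, ow.ly) whose visible link says nothing about the destination, and flags look-alike domains that imitate a trusted site by character swaps or by burying the real brand in a subdomain. The trusted list, the hypothetical bank domain and the sample message are constructed for illustration.

```python
"""Screen links in a social-media message before anyone clicks them.

Added example, not from the original post. SHORTENERS comes from the post;
TRUSTED, the hypothetical example-bank.com and SAMPLE_MESSAGE are constructed.
"""
import re
from urllib.parse import urlparse

# The visible link tells you nothing about where a shortened URL really goes.
SHORTENERS = {"bit.ly", "ow.ly"}

# Registered domains the reader actually trusts (constructed list).
TRUSTED = {"example-bank.com", "facebook.com", "twitter.com"}

# Character swaps commonly used in look-alike registrations (illustrative).
HOMOGLYPHS = [("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed message of the "you won't believe this" variety.
SAMPLE_MESSAGE = ("omg you won't believe this http://bit.ly/PLACEHOLDER lol, "
                  "also verify your account at https://examp1e-bank.com/login!")


def registered_domain(host):
    """Reduce a hostname to its last two labels (naive: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize(label):
    """Undo the usual digit/letter substitutions so look-alikes compare equal."""
    for bad, good in HOMOGLYPHS:
        label = label.replace(bad, good)
    return label


def edit_distance(a, b):
    """Levenshtein distance; one-character typos of a brand are suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return 'trusted', 'shortened', 'lookalike' or 'unknown' for one URL."""
    host = urlparse(url).hostname or ""
    dom = registered_domain(host)
    if dom in TRUSTED:
        return "trusted"
    if dom in SHORTENERS:
        return "shortened"
    base = normalize(dom.rsplit(".", 1)[0])
    for trusted in TRUSTED:
        brand = normalize(trusted.rsplit(".", 1)[0])
        # examp1e-bank.com or exanple-bank.com: a swapped or mistyped brand
        if base == brand or edit_distance(base, brand) <= 1:
            return "lookalike"
        # example-bank.com.login-verify.net: the real brand as a subdomain
        if trusted in host and dom != trusted:
            return "lookalike"
    return "unknown"


def screen_message(text):
    """Extract every URL from a message and pair it with its verdict."""
    urls = [u.rstrip(".,!?)") for u in URL_RE.findall(text)]
    return [(u, classify_url(u)) for u in urls]


if __name__ == "__main__":
    for url, verdict in screen_message(SAMPLE_MESSAGE):
        print(f"{verdict:<10} {url}")
```

A shortened link is not malicious in itself; the point is to expand it (or ask the sender) before treating the destination as known.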
February 18th, 2010 in malware, phishing
For almost the last 10 years now, I’ve worked for companies that sell Vulnerability Assessment and Management products as part of their portfolio. I’m very familiar with most of the VM products out there and what their capabilities are.
SC Magazine recently did reviews on most of the major VM products. This got me thinking about VM and its place in the customer’s network. Is there really value in VM? Is one VM product better than another? Should security administrators be using VM? My answer is yes to all of the above, but with certain conditions.
I remember about 5 or 6 years ago I got a call from a very well known book and music retailer, someone that most of you have probably used before. They were interested in evaluating our VM product up against a few competitors. I worked with this customer for the next 4 months learning about their network and current state of security, why they wanted a VM product, what they wanted out of a VM product, etc. After an evaluation period, the customer chose our product for purchase. This was going to be a huge rollout costing them quite a bit of money, therefore I was asked to take a meeting with some of the higher-level people in this company to explain the benefits and costs of using our VM product. I had been in plenty of these meetings before so I was expecting more of the same. What was about to happen shocked me.
I had my laptop connected to the projector and started off by introducing myself and the company I worked for, giving a little background on the work we had done over the past several months and what the goals of the meeting were. That took about 5 minutes. The next slide I had prepared was a graphical representation of the company’s external customer network and the critical level vulnerabilities we had found on it. That slide was on the screen for about 1.8 seconds before the CTO literally reached over and yanked the projector cord from my laptop. Everyone just looked at him in shock. He jumped up and said “If we’re made aware of all of these issues on our customer network, we’re now responsible for fixing them!” His lead security guy said “Ummm, yeah. That’s why I was given this project in the first place, to make our customer network more secure.” The CTO stuck to his guns and told everyone else that they wouldn’t be spending ANY money on a product that exposed their liabilities and vulnerabilities. At this point he not so kindly asked me to leave.
Vulnerability Management is a tricky space to sell into and an even trickier product for a customer to get use out of. I can’t tell you how many times I’ve seen a phonebook sized vulnerability report printed out and sitting on some security admin’s desk collecting dust. You can run all the vulnerability scans you want, print out as many reports as possible, create nice executive level reports with tons of pretty graphics and charts, but unless you actually DO something with these results, they’re not helping you much. VM vendors have made pretty good strides in making results more actionable and readable, but they’re still pretty overwhelming for most short staffed companies.
So what is the best way to get value out of a VM product?
Prioritizing vulnerabilities and systems to be scanned is a great start. Don’t scan every system for every vulnerability known to man.
Task different people or groups with different vulnerability groups. For example, break up your scans into categories like “databases”, “web servers”, “desktops”, “network devices”, then assign those scans and results to the corresponding owners.
Tie your results into a ticketing system in order to track results. If you have an existing ticketing system, make sure the VM products you’re looking at can feed in and out of those systems. If you don’t have a ticketing system, make sure the products you’re looking at include one.
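The three steps above, carried through on a constructed scan export as an added example (not code from the original post or from any VM vendor): findings below a severity floor are dropped, the rest are grouped by asset category and assigned to the owning team, findings of the same plugin across hosts collapse into one ticket, and the tickets come out ordered by severity and asset criticality ready to feed a ticketing system. The CSV layout, the owner mapping and the PLACEHOLDER plugin ids are assumptions.

```python
"""Triage a vulnerability scan export into owner-assigned, prioritized tickets.

Added example, not from the original post: the CSV format, owner mapping and
sample findings are constructed for illustration, not any vendor's format.
"""
import csv
import io
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# The post's suggested split of scans by asset type; owners are made up.
CATEGORY_OWNER = {
    "database": "dba-team",
    "web server": "web-ops",
    "desktop": "helpdesk",
    "network device": "netops",
}

# Assets tagged 'critical' (e.g. the customer-facing network) get fixed first.
ASSET_CRITICALITY = {"critical": 2, "standard": 1}

# Constructed scan export, one row per finding (not real data).
SAMPLE_SCAN_CSV = """host,category,criticality,plugin_id,title,severity
10.0.1.5,database,critical,PLACEHOLDER-001,Unpatched database listener,critical
10.0.1.5,database,critical,PLACEHOLDER-002,Weak TLS cipher suites,low
10.0.2.10,web server,critical,PLACEHOLDER-003,Outdated web framework,high
10.0.3.40,desktop,standard,PLACEHOLDER-004,Missing OS patches,high
10.0.3.41,desktop,standard,PLACEHOLDER-004,Missing OS patches,high
10.0.9.1,network device,standard,PLACEHOLDER-005,Default SNMP community,critical
"""


def parse_scan(text):
    """Parse the CSV export into a list of finding dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def priority(finding):
    """Score a finding: severity dominates, asset criticality breaks ties."""
    sev = SEVERITY_RANK.get(finding["severity"].lower(), 0)
    crit = ASSET_CRITICALITY.get(finding["criticality"].lower(), 1)
    return sev * 10 + crit


def triage(findings, min_severity="medium"):
    """Drop noise below min_severity, group by (category, plugin), rank.

    Returns ticket dicts, highest priority first. The same plugin across
    several hosts in one category becomes one ticket ('patch these N hosts')
    instead of N entries, which is what keeps the report off the dusty pile.
    """
    floor = SEVERITY_RANK[min_severity]
    groups = defaultdict(list)
    for f in findings:
        if SEVERITY_RANK.get(f["severity"].lower(), 0) < floor:
            continue  # below the floor: not scanned for / not ticketed this cycle
        groups[(f["category"], f["plugin_id"])].append(f)

    tickets = []
    for (category, plugin_id), items in groups.items():
        top = max(items, key=priority)
        tickets.append({
            "owner": CATEGORY_OWNER.get(category, "security-team"),
            "category": category,
            "plugin_id": plugin_id,
            "title": top["title"],
            "severity": top["severity"],
            "hosts": sorted({i["host"] for i in items}),
            "priority": priority(top),
        })
    tickets.sort(key=lambda t: (-t["priority"], t["owner"], t["plugin_id"]))
    return tickets


def tickets_by_owner(tickets):
    """Open-ticket count per owning group, the number each team must work."""
    counts = defaultdict(int)
    for t in tickets:
        counts[t["owner"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for t in triage(parse_scan(SAMPLE_SCAN_CSV)):
        print(f'[{t["priority"]:>2}] {t["owner"]:<12} {t["severity"]:<8} '
              f'{t["title"]} ({len(t["hosts"])} host(s))')
```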
The bottom line is that VM has its place in most networks and can add huge value; you just need to learn its place in your network.
…josh
Josh Karp
Ah, the wonders of our legal system. Two recent lawsuits highlight that even though banks can have two-factor authentication and take what seem like reasonable steps to prevent fraud, they can still be sued if their customers are duped. According to bankinfosecurity.com, a Michigan based company is suing Comerica Bank to recover the 550k in monies stolen out of their account. Comerica claims that its systems were not breached and it had more than reasonable policies and processes in place to stop fraud. They should not be responsible for the naivety (or is it just plain stupidity) of the plaintiff.
It seems for years Comerica would send out a once a year reminder to their online banking customers to update their information and have a new certificate issued. A few years back the bank upgraded security to use tokens in addition to user names and passwords. But phishers sent out an email asking the company to update their records. The link took them to a look-alike site to Comerica. The company entered all of their information into the bogus site. That gave the bad guys everything they needed. Using the credentials and information the unsuspecting company employee supplied, the bad guys pilfered the account in a matter of hours.
The bank says that the bad guys had all the required information, even the token numbers. How can they reasonably know that it was fraudulent activity? Should they be responsible for the actions of their customer? I would think not, absent some other activity or action that should have set off some sort of fraud alarms.
In another similar case reported on bankinfosecurity.com, a bank is preemptively suing a customer, asking the court to declare that it followed reasonable procedures and should not be responsible for the customer falling for another phishing scam. In that case it looks like, using the information obtained by phishing, the bad guys set up a contact email address for the bank account and once that was done, basically had their own way with things. The bank says that the email address was confirmed and they were following reasonable process. Not to mention that all of the illegal activity was international and the company in question never did any business internationally. The court has not ruled on that one yet.
But the bigger question is: should your bank be responsible? We have all gotten used to the idea of a stolen credit card or debit card; VISA and MasterCard come in and absolve the card holder of any liability save 50 dollars or so. But that is not the case in bank transfers. The banks are not going to eat it! All the more reason to be extra vigilant whenever dealing with your confidential banking information.
So who does pay the money that VISA and MasterCard absorb in fraud? Someone has to. Usually it is a combination of the processing banks, issuing banks and sometimes even the merchants. But ultimately we all pay for the fraud with higher prices and processing rates.
This is why PCI and similar regulations are important, and not just for compliance’s sake alone. Making every link in the chain more secure makes us all more secure.
alan