Nov 28

Interesting post from security and cyberwarfare blog Digital Dao on how changes in Russian law will make it more difficult for foreign firms and investigators to track down the owners of .ru domains used for nefarious purposes.  Not a positive development.

Oct 14

Here is a textbook description of what companies should NOT do when someone privately reports a security vulnerability in their publicly available web site which is chock full of PII…

SC Magazine:
Security Researcher Threatened with Vulnerability Repair Bill

A couple of observations about the article…

The guy who found and reported the vulnerability was a customer of the firm in question and seems to have done everything in an above board manner.

It sounds like the vulnerability involved changing a single parameter in a URL in order to access another customer’s account, which is the textbook insecure direct object reference: the application trusted the account identifier in the request instead of checking that it belonged to the logged-in user.  Whoever designed/wrote that application needs some serious re-edumacation at the very least.  Maybe these are the folks who should be paying to fix the vulnerability.

I’m not sure why they are demanding the researcher’s computer.  The nature of the vulnerability would make it extremely easy to make sure he did not access additional PII by simply reading the web server logs.
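Since the article gives no code, here is the pattern in miniature as an added example (not the firm’s application): a handler with the parameter-tampering flaw described above, the same handler with the ownership check it was missing, and the log audit that answers “which accounts did this user actually fetch?” from ordinary web server logs. Account data, usernames, paths and log lines are constructed for illustration.

```python
"""Added example, not the application from the article: a handler with the
parameter-tampering flaw the post describes, the same handler with an ownership
check, and a log audit that answers "which accounts did this user actually
fetch?" from web server logs. Account data, usernames and log lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed account store: account id -> owner and a PII field
ACCOUNTS = {
    "1001": {"owner": "alice", "ssn_last4": "1234"},
    "1002": {"owner": "bob", "ssn_last4": "5678"},
}


class Forbidden(Exception):
    pass


def view_account_vulnerable(session_user, account_id):
    """The flaw: the id from the URL is used as-is, so any authenticated user
    can read any customer's record by editing one parameter."""
    return ACCOUNTS[account_id]


def view_account_fixed(session_user, account_id):
    """The fix: the record must belong to the authenticated session. 'Not yours'
    and 'does not exist' get the same response so the parameter cannot be used
    to enumerate valid account ids either."""
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("no such account")
    return record


# Constructed access-log lines in Apache common log format, with the
# authenticated user in the third field (as %u records it).
ACCESS_LOG = """\
203.0.113.5 - alice [14/Oct/2011:09:12:03 +0000] "GET /account?id=1001 HTTP/1.1" 200 2311
203.0.113.5 - alice [14/Oct/2011:09:12:41 +0000] "GET /account?id=1002 HTTP/1.1" 200 2298
203.0.113.5 - alice [14/Oct/2011:09:13:05 +0000] "GET /account?id=1001 HTTP/1.1" 200 2311
203.0.113.5 - alice [14/Oct/2011:09:13:30 +0000] "GET /account?id=9999 HTTP/1.1" 404 512
198.51.100.23 - bob [14/Oct/2011:10:02:17 +0000] "GET /account?id=1002 HTTP/1.1" 200 2298
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


def foreign_account_reads(log_text, accounts):
    """Return (user, account_id, timestamp) for every successful read of an
    account the user does not own. Only 200 responses count: a 403/404 returned
    no PII."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        url = urlsplit(m["url"])
        if url.path != "/account":
            continue
        for account_id in parse_qs(url.query).get("id", []):
            owner = accounts.get(account_id, {}).get("owner")
            if owner != m["user"]:
                hits.append((m["user"], account_id, m["ts"]))
    return hits


def foreign_accounts_per_user(log_text, accounts):
    """How many distinct other customers' records each user pulled; the figure
    that settles whether a reporter looked at one record or many."""
    counts = {}
    for user, account_id, _ in foreign_account_reads(log_text, accounts):
        counts.setdefault(user, set()).add(account_id)
    return {user: len(ids) for user, ids in counts.items()}
```

Run against the constructed log, the audit reports exactly one foreign read by `alice` (account 1002, the one she reported), which is the kind of answer a log review gives in minutes and a seized laptop does not.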

I’ll bet that plenty of people at this organization are wishing that this incident never hit the news.  Had they simply thanked the researcher and fixed the bug, their customers and business would have been protected and they would not have gotten such a public flogging.  If I were a customer of theirs, I’d be wondering about the rest of their information security right about now.

So, to sum things up… WTF!

Oct 11

Heeeeeere's malware!

The latest edition of Microsoft’s Security Intelligence Report provides some interesting analysis as to how computers get infected with malware. Microsoft’s dataset is pretty large, comprising some 600 million computers equipped with Microsoft’s Malicious Software Removal Tool (MSRT) which reports details of malware infections back to the mother ship in Redmond. The numbers hold some important lessons for security professionals.

Don’t get your knickers in a twist about zero day exploits. While the press loves a good zero day story, only 0.12% of the infections seen by Microsoft used unpatched vulnerabilities. Zero day vulnerabilities are valuable commodities which attackers will not waste on run of the mill cyberattacks. Don’t center your anti malware program on the latest zero day vulnerability of the week.

Vulnerabilities are sooo last year – your users are the weakest link.  Only about 6% of malware infections seen by Microsoft were the result of vulnerability exploitation.  In contrast, almost half of all malware infections in the study required the user to take an action (clicking a link, running a program, opening an attachment, etc.) in order for the infection to be successful.   In most cases, no vulnerability was used – the user simply gave the malware permission to run.  Spending some time and effort edumacating your users to be skeptical and think before they click that link or open that attachment has the potential to significantly reduce your malware attack surface.

You still need to keep software up to date.  Testing and installing patches from Microsoft and other vendors will protect your systems from the roughly 6% of infections which use exploits to worm their way in (get it?) to your systems.  This is a small portion of the malware threat, but once you get patching and updating to be part of your normal automated business processes, it is a low touch, low cost addition to your malware defenses.

Filtering and monitoring your outbound web traffic is a must – if malware is unable to download code, connect to command and control servers or exfiltrate data, the threat it poses is greatly reduced.  Keep your filter lists up to date with the latest known malware URLs – the subscription fees are a small price to pay for preventing access to the malweb in the first place.

Monitoring your network traffic, proxy logs, and changes to the services running on your hosts for strange patterns can pay off big time.  Since we can’t count on signatures to find every type of malware you may encounter, look for strange behavior for the early warning signs.
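Here is what “look for strange behavior” can mean in practice, as an added example that is not from Microsoft’s report or any product: three simple checks over outbound proxy logs that key on behaviour rather than signatures (denylist hits, direct-to-IP requests, and regular beaconing to one destination). The log format, hosts, addresses and denylist are constructed for illustration (TEST-NET addresses and `.invalid` names).

```python
"""Added example (not from Microsoft's report or any product): three simple checks
over outbound proxy logs that catch behaviour rather than signatures: denylist
hits, direct-to-IP requests and regular beaconing. The log format, hosts and
addresses are constructed for illustration (TEST-NET addresses, .invalid names)."""
import re
import statistics
from collections import defaultdict

# Constructed proxy log: unix_time client destination status bytes "user-agent"
PROXY_LOG = """\
1318300000 10.0.0.5 www.example.com 200 5120 "Mozilla/5.0 (Windows NT 6.1)"
1318300047 10.0.0.5 news.example.org 200 18233 "Mozilla/5.0 (Windows NT 6.1)"
1318300112 10.0.0.5 www.example.com 200 640 "Mozilla/5.0 (Windows NT 6.1)"
1318300300 10.0.0.5 cdn.example.net 200 90211 "Mozilla/5.0 (Windows NT 6.1)"
1318300000 10.0.0.7 198.51.100.7 200 312 "-"
1318300060 10.0.0.7 198.51.100.7 200 312 "-"
1318300120 10.0.0.7 198.51.100.7 200 312 "-"
1318300180 10.0.0.7 198.51.100.7 200 312 "-"
1318300240 10.0.0.7 198.51.100.7 200 312 "-"
1318300300 10.0.0.7 198.51.100.7 200 312 "-"
1318300090 10.0.0.7 www.example.com 200 5120 "Mozilla/5.0 (Windows NT 6.1)"
1318300033 10.0.0.9 dl.malweb.invalid 403 0 "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

# Constructed denylist; in practice this is the subscription feed the post mentions
DENYLIST = {"malweb.invalid"}

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\d{3}) (\d+) "([^"]*)"$')
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, dst, status, nbytes, ua = m.groups()
            records.append({"ts": int(ts), "client": client, "dst": dst,
                            "status": int(status), "bytes": int(nbytes), "ua": ua})
    return records


def find_denylisted(records, denylist):
    """Destination equals a listed domain or is a subdomain of one."""
    hits = set()
    for r in records:
        if any(r["dst"] == d or r["dst"].endswith("." + d) for d in denylist):
            hits.add((r["client"], r["dst"]))
    return sorted(hits)


def find_direct_ip(records):
    """Browsers almost always fetch by hostname; malware often does not."""
    return sorted({(r["client"], r["dst"]) for r in records if IPV4_RE.match(r["dst"])})


def find_beacons(records, min_hits=5, max_jitter=0.1):
    """Flag (client, destination) pairs contacted at near-constant intervals.
    Returns (client, dst, period_seconds); jitter is stdev/mean of the gaps."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["dst"])].append(r["ts"])
    beacons = []
    for (client, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons.append((client, dst, float(mean)))
    return sorted(beacons)
```

On the sample data the denylist catches the host that was already known bad, while the beacon and direct-to-IP checks surface 10.0.0.7 calling home every 60 seconds to a bare address that no list had yet; the two approaches are complementary, and the thresholds (`min_hits`, `max_jitter`) need tuning against your own baseline before they go into a production alert.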

I found Microsoft’s analysis of the malware problem to be pretty interesting and I am looking forward to reviewing the rest of the Security Intelligence Report for nuggets of wisdom – I’ll post more soon!

Aug 15

The latest in anti censorship tech

When I read about Telex, a research project aimed at making it easier to get past Internet censorship, my “split personality” (lover of freedom and justice versus corporate security guy) kicked in right away.  You see, if widely implemented, Telex would make it much easier and safer for people living under repressive regimes to get past said regimes’ censorship of the Internets.  Built on client software, a cryptographic tag hidden in the TLS handshake (in the client’s random nonce, where only a station holding the matching private key can recognize it) and stations run by friendly ISPs on the path to ordinary, unblocked web sites, Telex would turn the idea of a proxy server inside out, effectively making the entire Internet (it’s a series of tubes, you know) one big proxy.
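To make the tagging idea concrete, here is a toy version as an added example (this is not the Telex project’s code): the client hides, inside a 32-byte value standing in for the TLS ClientHello random, a tag that only the station holding the private key can recognize, while a filter without that key just sees 32 bytes it cannot tell from a normal nonce. The group (a toy 127-bit prime), byte layout and function names are assumptions; Telex itself uses an elliptic-curve construction and additional work to make the tags uniformly random.

```python
"""Added example, not the Telex project's code: a toy version of the tagging
idea described above. The client hides, inside a 32-byte value standing in for
the TLS ClientHello random, a tag that only the station holding the private key
can recognise. The group (a toy 127-bit prime), byte layout and names are
assumptions; Telex itself uses an elliptic-curve construction and extra work to
make tags uniformly random."""
import hashlib
import hmac
import secrets

P = 2**127 - 1          # toy modulus (a Mersenne prime); far too small for real use
G = 5                   # toy generator
CTX = b"telex-toy-tag"  # domain separation for the tag hash
NONCE_LEN = 32          # TLS client random is 32 bytes


def station_keygen():
    """Station's long-term key pair; only the public half ships with clients."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _tag_for(shared):
    return hashlib.sha256(CTX + shared.to_bytes(16, "big")).digest()[:16]


def tagged_client_random(station_pub):
    """Client side: first 16 bytes carry g^r, last 16 bytes carry a hash of the
    Diffie-Hellman value pub^r that only the station can recompute."""
    r = secrets.randbelow(P - 2) + 1
    ephemeral = pow(G, r, P)
    shared = pow(station_pub, r, P)
    return ephemeral.to_bytes(16, "big") + _tag_for(shared)


def station_recognises(client_random, station_priv):
    """Station side: derive the same shared value with the private key and
    compare in constant time. A random nonce matches with probability 2^-128."""
    if len(client_random) != NONCE_LEN:
        return False
    ephemeral = int.from_bytes(client_random[:16], "big")
    if not 1 < ephemeral < P:
        return False
    shared = pow(ephemeral, station_priv, P)
    return hmac.compare_digest(_tag_for(shared), client_random[16:])
```

The corporate-filter consequence follows directly from the check: everything the station verifies depends on `station_priv`, so a proxy or IDS that only sees the handshake has nothing to match on, and blocking would have to target the client software itself rather than the traffic.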

This would be really great – I would love to see the US government as well as non profit organizations host Telex servers to allow people in China, the middle east, and other places where freedom of expression is curtailed… however, Telex would also make my job as a security professional that much more difficult.  By installing a Telex client, the users on my corporate network might be able to bypass the web filtering we have put in place.  While some of that filtering is aimed at keeping people away from “non work appropriate sites,” there are other reasons to filter Internet access in the workplace as well.  For example, we block access to sites known to host malware.  We block access to sites which would put us in violation of various legal and regulatory mandates.  These are all legitimate things to do in a corporate environment, and our employees have unfettered access to the Internet outside of the office.  Employees using a system like Telex would put our company at risk.

Telex is still in the proof of concept stage and there needs to be a lot more software and infrastructure development done before it can be a reality on a large scale. As I said, I am 1000% pro Telex as a tool for people to bypass repressive regimes’ Internet censorship.  But I think that corporate Internet censorship (hate that word) is another kettle of fish altogether and we security professionals need to keep an eye on Telex and similar technologies.  I feel like I should be dressing like these guys after writing this…

Aug 13

Over the past few days, a lot of folks at work have been sending me links to this really excellent XKCD cartoon about passwords.

I think this really hits the password problem on the head.  With the advent of inexpensive GPU assisted password cracking, as well as more intelligence on the part of the (human) password crackers, the old school password rules of “must have a capital letter, a small letter, a number, and (maybe) a special character” are becoming woefully outdated.  And yes, they are hard to remember.  And most importantly, they make users hate the InfoSec people.  Do they ever bring us home baked brownies as a reward for our password rules?  Nope.

As I tend to always take advice from comic strips when making important decisions, I really like the four dictionary word idea.  The math seems to work and it certainly seems to be easier on the user.  However, the infrastructure for implementing such a scheme in the systems where it would count (primarily Microsoft Active Directory) would have to exist in order for this to be workable.  I hope that Microsoft and others who did better than me in math take a long hard look at this as a potential solution to password problems.
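For those who want to check the math themselves, here is the arithmetic carried through as an added example (not from the cartoon or this post), plus a generator that does the one thing the scheme depends on: picking the words at random rather than letting the user choose them. The 2048-word list size, the 1,000 guesses/s “online” rate and the 10^10 guesses/s “offline GPU against a fast hash” rate are assumptions for the calculation, and the word list is a constructed stand-in.

```python
"""Added example, not from the cartoon or the post: the passphrase arithmetic
carried through, plus a generator that picks the words with a CSPRNG. The
2048-word list size and the guess rates are assumptions for the calculation;
the word list is a constructed stand-in."""
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in; a real list has thousands of common, distinct words
TOY_WORDLIST = ["correct", "horse", "battery", "staple", "river", "cloud",
                "pencil", "window", "garden", "silver", "rocket", "island"]


def passphrase_entropy_bits(list_size, n_words):
    """Entropy of n words drawn uniformly (with replacement) from the list."""
    return n_words * math.log2(list_size)


def random_password_entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random character password. People do not choose
    uniformly, so policy-compliant human passwords sit well below this figure."""
    return length * math.log2(alphabet_size)


def worst_case_crack_seconds(bits, guesses_per_second):
    """Time to exhaust the whole space; the expected time is half of this."""
    return 2 ** bits / guesses_per_second


def crack_years_table(bits, rates=(1e3, 1e10)):
    """Years to exhaust 'bits' of entropy at each guess rate (assumed rates:
    1e3/s for an online attack, 1e10/s for an offline GPU attack on a fast hash)."""
    return {rate: worst_case_crack_seconds(bits, rate) / SECONDS_PER_YEAR
            for rate in rates}


def generate_passphrase(wordlist, n_words=4, sep=" "):
    """Words must come from a CSPRNG; a user 'thinking of four words' picks
    from a far smaller, guessable set, and the entropy figure no longer holds."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))
```

Four words from a 2048-word list give 44 bits, which at 1,000 guesses per second takes on the order of 550 years to exhaust. The caveat the GPU remark above points at: at 10^10 guesses per second against a fast, unsalted hash the same 44 bits fall in about half an hour, so the passphrase scheme only pays off when the stored hashes are slow (bcrypt, scrypt or similar) and the rate stays closer to the online figure.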

Jul 01

It’s not often that I disagree with Bruce Schneier, one of the leading lights of the security world… however, I do have a teensy weensy bone to pick with him regarding one of his recent blog postings.  A recent test conducted by the Department of Homeland Security on its employees found (to no one’s surprise) that people are prone to pick up unidentified USB drives and pop them into their computers with abandon, providing nefarious personages the ability to infect their systems with malware.  Schneier took issue with the following quote from a security expert regarding the study:

Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp., told Bloomberg: “There’s no device known to mankind that will prevent people from being idiots.”

In Schneier’s view, the idiocy really rests with operating system manufacturers who allow their products to access untrusted USB devices without providing the user with any protection, and the users are simply doing the best that they can under the circumstances.  This is where I disagree.

While OS manufacturers should be doing a better job of securing their products against unknown USB devices, in the current situation users need to exercise extreme caution in what they stick into their computers’ USB ports.  Until we have better tools to mitigate this risk, users have to play an active role in protecting themselves and their organizations from USB borne threats.  There has been a lot of news coverage (and at least at my organization, security awareness training) to let people know about the risks of USB devices of uncertain provenance.  I happen to think that the people in my organization are smart (and good looking) enough to remember a few very basic security messages and behaviors needed to protect our systems and networks:

  • Don’t open links or files from strangers
  • Don’t open unexpected/strange links or files (that seem to be) from friends
  • Don’t take USB candy from strangers

Yes, I know that application of these rules will not provide 100% protection from malware, but following them will definitely mitigate the risks involved, which is really the best we can hope for at this time.

So, Bruce, you are still my hero, but I think we need to hold our colleagues to a slightly higher standard in terms of their role in protecting our computers and networks.

Oh, and as for Mr. Rasch’s “idiot” comment, I think he was a bit rough on users in terms of his choice of language.  I would have said “boneheaded” or “Homer Simpson-like” instead.  This is why I am beloved at my workplace.

May 25

…at least according to this interesting blog post from OpenDNS’ Allison Rhodes.   It makes sense to me… in the AM, we are all going through our emails, getting ready for the day to come and in a hurry to get caught up with the latest news.  I saw this post as a result of being on OpenDNS’ site from here at the Agahozo Shalom Youth Village, where we are using OpenDNS to provide web filtering to keep the students away from some of the, um, racier sites on the Net.  OpenDNS seems to be a really good, easy to use solution for web filtering in the cloud.  If you have young web surfers at home, you might want to check it out.

May 14

Sharing is for weenies. (This is why it is good that I have no kids)

From the department of things that should be common sense, but are not… it is not safe to put confidential data on cloud based file sharing sites like RapidShare, FileFactory and Easyshare.  Some researchers in Belgium did some poking around on these sites and the results are yet another reminder that security through obscurity just doesn’t cut it.

May 09

The National Security Agency isn’t all about listening in on other people’s conversations or being the object of insanely paranoid fantasies.  The NSA also has an Information Assurance mission, protecting guvmint computers from hackers, spies, and this guy.  Now taxpayers can take advantage of the billions of dollars they have paid in to keep the NSA running… the agency has released a pretty good guide to securing home computers (PDF file) with information for Windows and Mac users.  Unfortunately, it is a little bit on the techie side – you can’t just email it grandma and assume she’s good to go, but it does provide a great checklist to help you (and your colleagues) batten down those cyber-hatches.  Worth a read.

May 02

Cloud storage provider DropBox provides a great example of some of the security issues that individuals and companies face when entrusting sensitive data to the cloud.  Over the past few weeks,  DropBox has made the news twice regarding its security and we all know that making the news is generally not a good thing when it comes to security.

Dropbox’s first issue came up in early April, when a security researcher named Derek Newton discovered a significant weakness in the service’s authentication mechanism.  One of the primary benefits of DropBox is that it allows the user to set up synchronized file systems across multiple devices.   When files are added to, modified on or deleted from any DropBox enabled computer, iPhone, iPad or other device, the changes are automatically replicated to all of the other devices associated with the user’s account.  This is a really useful feature for many people.  In order for this file synchronization to work properly, you need to install a piece of software on each device used to access your account.  Newton found that the Windows DropBox client stores the information needed to access the DropBox server in a configuration file which contains a “host ID” used to authenticate to DropBox.  That host ID is all the server checks; it is not tied to the machine it was issued to, so simply by copying this file to another computer with the DropBox software installed on it, an attacker would have full read/write access to the files in the DropBox account.

This opens up a whole range of possibilities for attackers.  For instance, it would be possible to write malware which specifically looks for the DropBox configuration file and sends it back to the attacker.  Once an attacker has the configuration file, they would have continued access to the compromised DropBox account even after the malware was removed from the user’s computer.  The user would have to remove their own computer from the list of devices allowed to access their DropBox account and reinstall the software to close the door on the attacker.

As of today, the vulnerability still exists… DropBox plans to rollout a software update which would make the configuration file useless on a second machine, but has not provided a timeline for remediation.  I would recommend not using DropBox until such a fix is made.
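To show the difference between a static secret in a config file and a design that at least notices when that secret has been copied, here is a toy sync service as an added example (this is not Dropbox’s code, and it is not the fix Dropbox shipped): a legacy scheme where whoever holds the host ID holds the account, beside a scheme with per-device, single-use refresh tokens, where a copied token being used alongside the original is detected and the device is revoked. Class and method names, token formats and the file list are assumptions.

```python
"""Added example, not Dropbox's code: a toy sync service showing why a copied
configuration secret is an account credential (the legacy scheme), and one way
to limit the damage: per-device credentials that rotate on every use, so that a
copy being used in parallel with the original is detected and the device is cut
off. Class and method names, token formats and the file list are assumptions."""
import secrets

SAMPLE_FILES = ["notes.txt", "tax-return.pdf"]  # constructed account contents


class LegacySyncServer:
    """Static host id read from the client's config file. Whoever holds a copy
    has the account until the user notices and unlinks the device."""

    def __init__(self):
        self.host_ids = {}  # host_id -> user

    def link_device(self, user):
        host_id = secrets.token_hex(16)
        self.host_ids[host_id] = user
        return host_id

    def read_files(self, host_id):
        if host_id not in self.host_ids:
            raise PermissionError("unknown host id")
        return list(SAMPLE_FILES)

    def unlink_device(self, host_id):
        self.host_ids.pop(host_id, None)


class RotatingSyncServer:
    """Each device holds a single-use refresh token. Every exchange invalidates
    the previous one; a superseded token being presented again means two
    parties hold the same credential, so the device is revoked on the spot."""

    def __init__(self):
        self.devices = {}   # device_id -> {"user":..., "active":..., "gen":...}
        self.refresh = {}   # refresh_token -> (device_id, generation)
        self.access = {}    # access_token -> device_id

    def link_device(self, user):
        device_id = secrets.token_hex(8)
        self.devices[device_id] = {"user": user, "active": True, "gen": 0}
        return device_id, self._issue_refresh(device_id, 0)

    def _issue_refresh(self, device_id, gen):
        token = secrets.token_urlsafe(32)
        self.refresh[token] = (device_id, gen)
        return token

    def rotate(self, refresh_token):
        """Trade a refresh token for (access_token, new_refresh_token)."""
        device_id, gen = self.refresh.get(refresh_token, (None, None))
        if device_id is None:
            raise PermissionError("unknown refresh token")
        dev = self.devices[device_id]
        if not dev["active"]:
            raise PermissionError("device revoked")
        if gen != dev["gen"]:
            dev["active"] = False   # reuse detected: revoke the whole device
            raise PermissionError("refresh token reuse detected; device revoked")
        dev["gen"] = gen + 1
        access = secrets.token_urlsafe(32)
        self.access[access] = device_id
        return access, self._issue_refresh(device_id, gen + 1)

    def read_files(self, access_token):
        device_id = self.access.get(access_token)
        if device_id is None or not self.devices[device_id]["active"]:
            raise PermissionError("invalid or revoked access token")
        return list(SAMPLE_FILES)

    def unlink_device(self, device_id):
        self.devices[device_id]["active"] = False


def stolen_config_scenario():
    """Victim links a laptop; malware copies its refresh token; the attacker uses
    the copy first, then the victim's own client tries to refresh. Returns what
    each party can do afterwards."""
    srv = RotatingSyncServer()
    device_id, victim_refresh = srv.link_device("alice")
    stolen_refresh = victim_refresh                   # the copied config file
    attacker_access, _ = srv.rotate(stolen_refresh)   # works once: token was fresh
    attacker_saw_files = srv.read_files(attacker_access) == SAMPLE_FILES
    try:
        srv.rotate(victim_refresh)                    # victim's client refreshes
        victim_refresh_ok = True
    except PermissionError:
        victim_refresh_ok = False
    try:
        srv.read_files(attacker_access)
        attacker_still_in = True
    except PermissionError:
        attacker_still_in = False
    return {"attacker_initial_access": attacker_saw_files,
            "victim_refresh_ok": victim_refresh_ok,
            "attacker_still_in": attacker_still_in,
            "device_active": srv.devices[device_id]["active"]}
```

Two caveats a practitioner would want: the attacker still gets in until the victim’s client next refreshes, so rotation narrows the window rather than closing it, and the real win is that “silent continued access” turns into a revoked device the user is forced to notice. The stored secret should also live in OS-protected storage (DPAPI, Keychain) rather than a plain file, which raises the bar for the malware the post describes from “copy one file” to “run as that user on that machine.”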

DropBox also made the news for a change in their terms of service.  The original terms of service assured users that since their files were stored in encrypted form on the DropBox servers, DropBox employees could not peek into their data.  Well, it turns out that this is not exactly the case.  A “limited number” of DropBox employees do, in fact, have the ability to decrypt user files in order to comply with law enforcement requests for data in connection with an investigation.  Now, I understand that DropBox wants to be a good corporate citizen, but there is a significant distinction between “our employees can’t read your data” and “only some of our employees can read your data.”  I applaud DropBox for making their terms of service clearer (and more accurate), but this incident (and the reaction from DropBox users) is an example of one of the major problems facing users and organizations when they make the decision to move their data to the cloud.

The problem is twofold… customers don’t know the right questions to ask and vendors just don’t seem to understand that users require security for their cloud data, even if they cannot exactly describe what security measures they are looking for.  A recent Ponemon survey on cloud computing providers’ views of the security of their services showed that among survey respondents (who we can assume are amongst the more security aware providers), vendors had the least confidence regarding some important security features of their services, such as

  • Their ability to authenticate users before granting access
  • Their ability to prevent or curtail external attacks
  • Their ability to encrypt sensitive or confidential information assets whenever feasible
  • Their ability to determine the root cause of cyber attacks

It is clear to me that many individuals and businesses are rushing in to take advantage of the cost advantages and convenience of cloud computing without knowing how safe or unsafe their information is while it rests in the cloud.  The efforts of organizations like the Cloud Security Alliance to develop baseline language, best practices and assessment tools are a step in the right direction, but the road to cloud security is still foggy and treacherous.
