Jul 14
Sometimes, the best place to hide things is in plain sight...

One of the revelations from the recent capture of a number of deep cover Russian spies here in the US was that they used steganography (the concealment of data within innocuous-looking files) in order to hide and transmit secret documents and messages to their handlers.  Steganography is one of those techniques which gets talked about a lot at security conferences, but has not seemed to play a major role in news of security breaches.  This seems a bit odd to me – stego seems like a great way to exfiltrate information in plain sight.  By embedding ill-gotten data in vacation pictures posted to Flickr or Facebook, spies (corporate or otherwise) can create very low risk electronic dead drops with a few mouse clicks.  Unlike encryption, stego does not leave suspicious encrypted files to exfiltrate, just innocent-looking pictures or songs.  The software needed to create stego-protected files is available on the Net.  So why (other than some articles about Al Qaeda reportedly using stego to embed secret information in internet images) do we not hear more about this technique?  I have a couple of hypotheses here:

Attackers are using stego, but they are not getting caught. Detection of files with steganographically hidden content is very difficult, requiring very specialized knowledge and tools which most enterprises and forensic examiners don’t have access to.

Attackers don’t use stego because they don’t need to. There are so many organizations out there who do not have a handle on what information is leaving their networks that attackers don’t feel the need to go to the trouble of hiding the information they are swiping.  Or they are using really low tech methods to get the data out of the organization, like printing, or fax, or this.

Is stego a real threat to the enterprise?  I am not sure.  But the availability of stego underlines the need to build a security culture in your organization and use both technology and non-tech means to detect potential problems.  Stego seems to be a tool which insiders would be predisposed to use – detecting insider threats takes both technology and plain old vigilance.  There is some excellent information on detecting insider threats available from the CERT team – this should be on your reading list.
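The first hypothesis above says detection is hard and needs specialized tools. The classic statistical check is actually small: if a tool has written an encrypted or compressed payload into the least-significant bits of an image, the histogram counts of each value pair (2k, 2k+1) get pushed towards equality, which natural images rarely show. The following is an added example (not code from the post, and not a real-image measurement): a pairs-of-values chi-square steganalysis check run over a constructed 8-bit greyscale sample. The cover model (even values three times as common as odd ones), the LSB-randomization model of an embedded image, and the 1.5 cut-off are all assumptions made for the example.

```python
import random
from collections import Counter


def make_cover(n_pixels, seed=1):
    """Constructed stand-in for a clean 8-bit greyscale image (no real image is used).

    Natural images rarely have equal counts of the values 2k and 2k+1 in their
    histogram; that unevenness is modelled here by making even values three
    times as likely as odd ones. This is an assumption for the example only.
    """
    rng = random.Random(seed)
    weights = [3 if v % 2 == 0 else 1 for v in range(256)]
    return rng.choices(range(256), weights=weights, k=n_pixels)


def randomize_lsbs(pixels, seed=2):
    """Model of what a full payload of encrypted/compressed data does to an image:
    every least-significant bit becomes an independent coin flip. This is the
    steganalyst's statistical model of an embedded image, not an embedding tool.
    """
    rng = random.Random(seed)
    return [(p & ~1) | rng.getrandbits(1) for p in pixels]


def pairs_of_values_chi_square(pixels):
    """Pairs-of-values chi-square statistic over the histogram.

    If the LSBs carry random data, the values 2k and 2k+1 should occur about
    equally often, so the expected count for each of the two is half the pair
    total. Returns (chi2, degrees_of_freedom): one degree of freedom per
    non-empty pair, because each pair's total is fixed by the image.
    """
    hist = Counter(pixels)
    chi2, df = 0.0, 0
    for k in range(128):
        even, odd = hist.get(2 * k, 0), hist.get(2 * k + 1, 0)
        expected = (even + odd) / 2
        if expected == 0:
            continue  # value pair absent from the image: no evidence either way
        chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        df += 1
    return chi2, max(df, 1)


def lsb_suspicion(pixels, max_ratio=1.5):
    """Return (chi2/df, suspicious).

    Under the 'random payload' hypothesis chi2/df sits near 1; a clean histogram
    drives it far above 1. The 1.5 cut-off is a constructed heuristic for this
    example, not a calibrated detector threshold.
    """
    chi2, df = pairs_of_values_chi_square(pixels)
    ratio = chi2 / df
    return ratio, ratio <= max_ratio


if __name__ == "__main__":
    cover = make_cover(20000)
    for label, img in (("clean cover", cover), ("LSBs randomized", randomize_lsbs(cover))):
        ratio, suspicious = lsb_suspicion(img)
        print(f"{label}: chi2/df = {ratio:.2f}, suspicious = {suspicious}")
```

Two caveats a practitioner would want: the test only catches sequential, near-full LSB embedding (sparse or scattered embedding flattens fewer pairs), and a heavily post-processed or already-noisy image can look "flat" without carrying anything, so a flagged file is a lead for a forensic examiner, not a conviction.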

This post was inspired by Kai Axford’s (Accretive Solutions) great presentation at today’s New York Metro InfraGard meeting.

Jul 11

Is Microsoft a cyber-Benedict Arnold?

OK, call me a cold war relic, but I find the recent revelation that Microsoft has provided the source code for Windows, SQL Server, and Office to the Russian FSB (the spies formerly known as the KGB) as well as to the Chinese government quite disturbing. As recent events prove, Russia is still actively engaged in espionage against the US public and private sectors.  We know that the Chinese People’s Liberation Army is actively building an offensive cyber capability and that they use technology to suppress free expression in their country.  Microsoft’s disclosures have been going on since 2002, as part of a program under which Microsoft has supplied source code for its products to a number of countries as well as NATO.

It does not take too much imagination to conjure up visions of Russian or Chinese government security researchers finding zero-day exploits to allow their paymasters to craft undetectable malware which is then placed on US government and private sector computers.  Such an attack would be a cost effective, low risk way to gather more information in a day than the recently unmasked spy ring was able to collect over a decade.  It takes even less imagination to envision the Chinese government using their access to Windows source code to build more efficient tools to monitor and muzzle those who dare to speak out against the Communist Party.

This incident raises a number of interesting questions.

Is Microsoft (a company born in America, whose success was built on the US market, and which benefits from tax breaks funded by US taxpayers) right to provide access to source code of products which are the underpinnings of all sorts of critical infrastructure to nations which are actively engaged in espionage against the US and whom we may meet on the cyber battlefield of the future?  It seems to me that this is sort of like hiring a company to build a fort and then allowing them to sell the plans to your adversaries.

Should Microsoft’s products have some sort of special status which recognizes them as part of the US critical infrastructure?  After all, Microsoft has been allowed to gain what is basically a monopoly in the US market for operating systems and other key software.  Does this engender a responsibility on their part to act in accordance with US national interests?   I think it does.

Microsoft hasn’t done anything illegal here.  It would be nice if they felt a need to protect the critical infrastructure of their country, but as a private entity with no laws or regulations to prevent their actions, they made the logical business decision to share the source code in order to gain better access to the Russian and Chinese markets.   However, their choice is a bum deal for the rest of us, who will have to deal with the repercussions of this decision while Microsoft reaps the profits.  We need to tell our legislators that it is time to take a fresh look at what we ask of companies like Microsoft and Cisco, whom we have allowed to develop monopolies on key parts of the nation’s critical infrastructure.  In the conflicts yet to come, cyberspace will play a key role – and Microsoft has sold the plans for the fort to potential adversaries.

Jul 10

something new for the po-po to listen to?

Here’s an interesting story that bears some watching… security researcher Sean O’Neill claims to have reverse engineered the proprietary encryption which Skype uses to protect voice, video and IM communications on its network.  This work, while impressive, does not mean that Skype’s encryption has been broken, since knowing the details of an encryption algorithm does not allow you to decrypt data unless you can also derive the keys used to encrypt the data.  However, there are some reports that O’Neill’s code has been used to launch spam attacks on Skype users.  I am sure that intelligence and law enforcement agencies all over the world are quite interested in how this all turns out, as they have complained in the past that Skype provides criminals, terrorists and other ne’er-do-wells with un-wiretap-able communications.  O’Neill plans to provide more information on his work at the Chaos Computer Congress in December.

In the meantime, I plan to continue using Skype without too much worry.  Of course, I’ll think twice about using it for coordinating the global tentacles of my evil plan for world domination, but I see no reason to avoid Skype for personal and business communications right now.  Stay tuned.

Jul 08

Wanna be friends?

You can never have too many friends – or CAN you?  (Hint: you can.)  A recent social engineering experiment conducted by Thomas Martin of Provide Security showed the dangers of blindly accepting connection requests from people on social networks.  Martin set up multiple social network profiles for a fictitious person named Robin Sage who supposedly worked in US military intelligence circles.  “Robin” then sent connection requests to a variety of people in the security and intel communities (people who should know better, in other words).  The result?  In an interview with CSO Magazine, he stated that:

By the end of the 28-day experiment, Robin finished the month having accumulated hundreds of connections through various social networking sites. Contacts included executives at government entities such as the NSA, DOD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences, said Ryan.

More alarmingly, according to an article from DarkReading,

Robin actually duped an Army Ranger into friending her. The Ranger then inadvertently exposed information about his coordinates in Afghanistan to Robin with his uploaded photos from the field that contained GeoIP data from the camera.

Can you spell “bad operational security?”

Martin will be revealing all of his findings from the Robin Sage experiment in a talk at Black Hat later this month – should be quite entertaining for most and deeply embarrassing for a few.

There are some lessons to be learned from this incident for those of us who are not part of the military:

  • If you get a friend/connection request from someone you don’t know, don’t blindly accept it. When you bring someone into your online network, you are also granting them access to information about you (contact information, status updates, photos, etc.) as well as about your organization (in the case of professional networking sites like LinkedIn).

  • Just because a “new friend” is already connected to some of your current friends does not mean that you should connect to them. All it takes is one careless connection to start an “avalanche of (misplaced) trust” and give an evildoer lots of information about yourself and your organization.  Trust me – I have seen this happen.  You know who you are.

  • Review the privacy settings for your social networking accounts and be sure that you are aware of and comfortable with the information that is shared with the public at large and with your “friends.” The privacy settings in Facebook and LinkedIn are rather complex.  I recommend using a privacy scanner tool to keep an eye on who can see what on your profiles… I really like one called Privacy Defender for Facebook, which allows you to easily see and modify who can and cannot see your info.  For LinkedIn, it seems like the only way to manage your privacy is manually via the Settings menu; it is sort of a pain, but the explanations provided by the site are pretty good.

And Robin Sage ain’t your friend.

PS – “Robin Sage” is the code name for the last training exercise that Army Rangers must complete before they are truly “Green Berets” – and none of the military folks (including at least one Ranger) caught on.  Sigh…

Jul 05

Did they have it all wrong?

A few weeks back, I blogged about some research on the economics and potential malware risks posed by Internet pornography.  Well, a *new* study from Avast Software finds that non-pornographic sites serving up malware outnumber pornographic sites serving malware by a factor of almost 100 to one.  Furthermore, Avast contends that there are more malware-infected domains containing the word “London” than there are containing the word “sex.”  Not sure what this says about London.  I guess the morals of the story are: for every study claiming fact x, there will be one claiming fact y, and the internet is as dangerous a place for the virtuous as it is for the naughty.  Have you updated your antivirus and plugins lately?

Jun 28

Lotsa slices = a big salami

According to an interesting story at Wired’s Danger Room blog, the FTC has filed a lawsuit against a number of “John Doe” defendants who stole more than $10 million from 1.3 million credit card holders since 2006.  Using a variety of shell companies and money mules recruited via online advertising for work-at-home jobs, the unidentified defendants made small (20-cent to 10-dollar) charges to victims’ credit cards.  Each card was charged only once, but at 1.3 million cards, we’re talking some serious coin here.  In addition to being evil, this scheme was pretty smart – since the charges were so small, most people (90% in this case) never bothered to dispute them – after all, how much time are you willing to spend disputing a charge for a couple of bucks?  While the FTC has identified some of the mules, the ringleaders remain unknown.

In the old days, this type of scam was called “salami slicing” – stealing just a little bit (one slice of salami) from a lot of people adds up to a big salami.  Mmmmmm…. salami….

This is a really hard type of fraud to fight… since so few of the charges were contested, it took 4 years for credit card issuers and the feds to find a pattern.  In the meantime, all of the victims suffered very small losses.  The ringleaders got their millions and are still on the lam (eating salami and caviar sandwiches, I assume).
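The reason this took years is that disputes, the usual trigger, almost never fire on a two-dollar charge. What does stand out is the aggregate shape of a merchant’s activity: a very large number of distinct cards, each charged exactly once, for tiny amounts. The following is an added example (not the FTC’s or any issuer’s code) of a merchant-level screen for that pattern, run over constructed transaction records; the merchant names, card tokens and thresholds are all made up for the example.

```python
import random
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Charge:
    merchant: str
    card: str        # card identifier (constructed token, not a real card number)
    amount: float    # dollars
    disputed: bool


def merchant_profiles(charges):
    """Aggregate the per-merchant features that characterise salami slicing:
    many distinct cards, each hit exactly once, for small amounts."""
    by_merchant = defaultdict(list)
    for c in charges:
        by_merchant[c.merchant].append(c)
    profiles = {}
    for merchant, cs in by_merchant.items():
        per_card = Counter(c.card for c in cs)
        profiles[merchant] = {
            "charges": len(cs),
            "distinct_cards": len(per_card),
            "single_charge_share": sum(1 for n in per_card.values() if n == 1) / len(per_card),
            "median_amount": median(c.amount for c in cs),
            # low by design in this scheme, so it is reported but not used as a trigger
            "dispute_rate": sum(1 for c in cs if c.disputed) / len(cs),
        }
    return profiles


def flag_salami_merchants(charges, min_cards=100, max_median_amount=10.0,
                          min_single_charge_share=0.9):
    """Flag merchants that hit at least min_cards distinct cards, with a median
    charge at or below max_median_amount, and nearly every card charged exactly
    once. The thresholds are constructed for the example, not tuned on real data."""
    flagged = []
    for merchant, p in merchant_profiles(charges).items():
        if (p["distinct_cards"] >= min_cards
                and p["median_amount"] <= max_median_amount
                and p["single_charge_share"] >= min_single_charge_share):
            flagged.append(merchant)
    return sorted(flagged)


def build_sample_charges(seed=7):
    """Constructed transaction data; merchant names are hypothetical."""
    rng = random.Random(seed)
    charges = []
    # Shell company: 300 cards, one tiny charge each, roughly 10% disputed
    for i in range(300):
        charges.append(Charge("ACME BILLING SVC", f"card-{i:05d}",
                              round(rng.uniform(0.20, 9.99), 2), rng.random() < 0.10))
    # Coffee shop: small amounts too, but regulars get charged again and again
    for i in range(150):
        for _ in range(rng.randint(1, 6)):
            charges.append(Charge("CORNER COFFEE", f"card-{10000 + i:05d}",
                                  round(rng.uniform(2.00, 8.00), 2), False))
    # Retailer: one charge per card, but for normal-sized amounts
    for i in range(250):
        charges.append(Charge("BIG BOX STORE", f"card-{20000 + i:05d}",
                              round(rng.uniform(25.00, 180.00), 2), rng.random() < 0.02))
    return charges


if __name__ == "__main__":
    sample = build_sample_charges()
    for name, profile in merchant_profiles(sample).items():
        print(name, profile)
    print("flagged:", flag_salami_merchants(sample))
```

The coffee shop shares the small-amount feature and the retailer shares the one-charge-per-card feature; only the shell company has both at scale, which is why the screen combines them rather than alerting on either alone. In practice the same profile would be built across the shell companies’ many merchant accounts, since the scheme spreads charges over several of them precisely to stay under per-merchant thresholds.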

Jun 13

As we all know, the Internet is a series of tubes invented by Al Gore to allow us to exchange cute cat pictures and pornography. This past week, a paper presented at the Ninth Workshop on the Economics of Information Security provided some really interesting insight into both the economics of the Internet pornography industry and more importantly, how those economics translate into security considerations.

The research in question was conducted by a team of researchers from the Technical University of Vienna, Institute Eurecom, and UC Santa Barbara.  A brief digression here… if I had been informed that conducting studies of Internet porn was an option, I definitely would have finished college and gone into academia.  We should let kids know about this so that they stay in school!


May 31

Your browser is a dirty stinkin rat.  There… I said it.  According to research conducted by the Electronic Frontier Foundation (EFF), most browsers have telltale fingerprints which can be used by web site owners to uniquely identify visitors to their sites even if cookies are disabled, or the visitor is coming from behind a NATting firewall.

The Panopticlick software developed by the EFF researchers looks at a wide variety of information which a web site can gather from any visiting client.  By combining a number of these seemingly innocuous pieces of information, a client fingerprint can be calculated:

  • Browser and plugin versions
  • Configuration options
  • ACCEPT headers
  • Screen resolution
  • Fonts
  • Time zones
  • MIME types

The EFF collected its data via a website which it set up and publicized, so we can assume that the data they collected came from people who are interested in their privacy.  Despite this self-selected sample, the findings do not bode well for privacy on the Internet:

  • Overall, the browsers of 83.6% of all visitors to the test site had unique fingerprints.

  • If a browser had Adobe Flash or the Java Virtual Machine enabled, there was a 94.2% chance that its fingerprint was unique.

  • Since the fingerprints are based on browser configuration settings, they can change rapidly.  However, the researchers were able to detect changed fingerprints and tie them back to the original fingerprint in 99.1% of cases via an algorithm.

  • Some good news for mobile device users – iPhone and Android based browsers had more uniform fingerprints and were harder to differentiate from one another due to the lack of plugins and options available.  However, as mobile browsers become more sophisticated, this technique may become applicable to these browsers on the go.  Also, it is important to note that the mobile browsers do not have good ways to control cookies, leaving them open to cookie based fingerprinting.
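Why plugins push the uniqueness figure from 83.6% to 94.2% becomes obvious once you measure how many bits of identifying information each attribute carries and how the combination behaves. The following is an added example (not the EFF’s Panopticlick code) that does that measurement over a constructed set of visitor records: it computes the Shannon entropy of each attribute and the share of visitors whose combined fingerprint is unique, with and without the plugin list. The attribute categories come from the list above; every value, weight and the 2000-visitor sample size are assumptions for the example.

```python
import math
import random
from collections import Counter

ALL = ["user_agent", "screen", "timezone", "fonts", "plugins"]


def build_sample_visitors(n=2000, seed=3):
    """Constructed visitor records; no real traffic data is used. Only the
    attribute categories come from the post; the values and weights are made up."""
    rng = random.Random(seed)
    agents = ["Firefox/3.6", "Firefox/3.5", "IE/8.0", "Chrome/5.0", "Safari/5.0"]
    screens = ["1280x800x24", "1024x768x24", "1920x1080x24", "1440x900x32"]
    zones = ["-300", "-240", "0", "60", "120", "540"]
    font_sets = ["fonts-A", "fonts-B", "fonts-C", "fonts-D"]
    plugin_names = ["Flash", "Java", "QuickTime", "Silverlight",
                    "PDF", "WMP", "Shockwave", "RealPlayer"]
    visitors = []
    for _ in range(n):
        # plugin list: a random subset, with a version string attached to Flash,
        # which is what makes this attribute so much richer than the others
        plugins = [p for p in plugin_names if rng.random() < 0.5]
        if "Flash" in plugins:
            plugins[plugins.index("Flash")] = "Flash " + rng.choice(["10.0.45", "10.1.53", "9.0.280"])
        visitors.append({
            "user_agent": rng.choices(agents, weights=[5, 2, 4, 2, 1])[0],
            "screen": rng.choices(screens, weights=[4, 3, 2, 1])[0],
            "timezone": rng.choice(zones),
            "fonts": rng.choice(font_sets),
            "plugins": ",".join(plugins),
        })
    return visitors


def entropy_bits(values):
    """Shannon entropy (bits) of one attribute's distribution in the sample: the
    average amount of identifying information that attribute contributes."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def fingerprint(visitor, attributes):
    return tuple(visitor[a] for a in attributes)


def unique_fraction(visitors, attributes):
    """Share of visitors whose combined fingerprint occurs exactly once in the sample."""
    counts = Counter(fingerprint(v, attributes) for v in visitors)
    return sum(1 for v in visitors if counts[fingerprint(v, attributes)] == 1) / len(visitors)


if __name__ == "__main__":
    visitors = build_sample_visitors()
    for attr in ALL:
        print(f"{attr:11s} {entropy_bits(v[attr] for v in visitors):5.2f} bits")
    print("unique fingerprints without plugins:", round(unique_fraction(visitors, ALL[:-1]), 3))
    print("unique fingerprints with plugins:   ", round(unique_fraction(visitors, ALL), 3))
```

The point the numbers make is the one the post makes: user agent, screen and time zone each carry only a couple of bits, so on their own they leave most visitors in a crowd, while a plugin list with version strings carries on the order of eight or more bits and pushes the combined fingerprint into the "almost everyone is unique" regime. It is also why disabling JavaScript and plugins, as suggested further down, removes most of the identifying surface.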

In related work, researchers from an Australian university have found that they were able to identify by name many users of Xing, a social networking site in Germany.  The researchers first collected information on 6500 groups and their 1.8 million members.  By simply analyzing the overlaps in group memberships, they were able to discern the identities of 42% of the users.  They next created a web site which, when visited, examined the browser history of the visitor.  Of the 26 test subjects they enlisted, the identities of 15% were revealed simply by visiting the site.  Xing has updated their software to protect against these types of attacks, but other sites may still be vulnerable.

So… what does this all mean?  Well, first of all, marketers and site owners have a new tool to track visitors, including those who have disabled cookies (in order to avoid such tracking).  Second, these techniques provide scammers and malware authors with a way to track their victims’ web activity without leaving telltale traces.  On the bright side, these fingerprinting techniques could also be used for good purposes, such as providing an additional level of authentication for banking and other sensitive web sites (and there is evidence that this is already being done, although mostly using cookies).  Law enforcement could use these techniques during investigations, although given the politics of many nations, this could be a really bad thing as well.  The EFF wants policymakers to expand their definition of personally identifiable information to include fingerprintable records – I think that this is a topic worthy of discussion.  I also think that browser designers need to work on this problem from a technical point of view.

Want to cover your tracks?  Well, you could block JavaScript – this provides pretty good protection against the techniques EFF used, but at a cost in terms of web site usability and functionality.  You could start using TorButton to route your web traffic via anonymizing proxies.  You could use your iPhone or Android phone to do all your web surfing.  None of these solutions is ideal.

So… another nail in the coffin of privacy…

May 30

Satellites get all the glamor with their showy rocket liftoffs and space shuttle missions, but in reality, over 99% of intercontinental data traffic travels via undersea cables which crisscross the planet’s briny depths.  These vital telephone and Internet links are exposed to a number of dangers ranging from seismic activity to misplaced ships’ anchors and fishing gear, to pirates and cable thieves, and when one of these links is broken, the effects can span countries or continents.  Upping the risk level is the fact that a large number of cables converge at a small number of geographic choke points such as the Suez Canal and the Malacca and Luzon Straits.  When cables in these areas are damaged, there is a domino effect as traffic has to be rerouted to avoid the break.

In April of this year, the SeaMeWe-4 cable, which carries 89% of the traffic between the Middle East and Europe, was cut, severely impacting Internet and telephone communications between the two areas.  In 2008, a series of cable cuts in the Middle East disrupted network access and spawned a number of conspiracy theories due to the fact that neither Iraq nor Israel was affected.  Back in 2006, a major earthquake cut the APCN2 cable connecting China, Hong Kong and other Asian countries, bringing online commerce to a halt for days and resulting in network performance disruptions for months.

The good news is that notice is being taken – the IEEE held a “Global Summit on the Reliability of Global Underseas Communication Cable Infrastructure” (ROGUCCI for those in the know) in Dubai in October 2009, where experts came from all over the world to discuss how to keep our undersea cables safe and secure.  I took a look at the report from this conference and learned some other interesting facts about undersea cables:

  • Undersea cables are one of the rare places here on Earth that we get to see the effects of the speed of light.  As data or voice traffic takes its journey through cables, there can be a delay of up to a tenth of a second, which can be heard by humans and interfere with time sensitive data communications.  Satellite latency is even larger – this is one reason why all that intercontinental traffic can’t be rerouted via the heavens.

  • Every second, the planet’s undersea cables carry 30 terabytes of information from continent to continent – and more data is added to this torrent every day.  (I think that 28T of that traffic is porn…)

  • When there is a cable failure, traffic must be rerouted by other cables, making the path taken by the data much longer, increasing latency and adding traffic to links which may already be congested.  There is no Plan B for the undersea cable network.

  • Cable ships and their crews are a shared resource – the number of simultaneous repairs that can be performed is limited.  Time to repair is also extended due to some countries’ bureaucratic permit processes which the repair ships must complete before entering their territorial waters to get to work.  Cable ships are also a potential target for pirates – cable operators worry that pirates could take over a cable ship and demand a hefty ransom for its release, delaying repairs further.  Pirates have already caused problems for cable laying off the coast of Africa.

Undersea cable security needs to be on all of our agendas… the Internet links that allow me to post this blog entry from my hotel room in London are also the ones which major financial institutions use for moving money around the world and which an increasing amount of commerce depends on.  Governments need to safeguard cables and cable repair ships and, most importantly, build the redundant links which will allow our planetary nervous system to recover from damage.

May 20

Now that Facebook has made their privacy settings just a bit less complex than, say, the US Tax Code or particle physics, this would be a really good time to check your privacy settings and make sure that you are not sharing more personal information with the world (or at least with the Internet-connected portion thereof) than you intended to.

The new settings default to sharing quite a bit of information – you may be (unpleasantly) surprised about what Facebook is telling the world about you.

This website provides a browser bookmarklet which will scan your privacy settings and let you know what you might want to change.   Take five minutes to protect your online privacy…
