Jul 14
Sometimes, the best place to hide things is in plain sight...

One of the revelations from the recent capture of a number of deep cover Russian spies here in the US was that they used steganography (the concealment of data within innocuous looking files) in order to hide and transmit secret documents and messages to their handlers.  Steganography is one of those techniques which gets talked about a lot at security conferences, but has not seemed to play a major role in news of security breaches.  This seems a bit odd to me – stego seems like a great way to exfiltrate information in plain sight.  By embedding ill-gotten data in vacation pictures posted to Flickr or Facebook, spies (corporate or otherwise) can create very low risk electronic dead drops with a few mouse clicks.  Unlike encryption, stego does not leave suspicious encrypted files to exfiltrate, just innocent looking pictures or songs.  The software needed to create stego protected files is available on the Net.  So why (other than some articles about Al Qaeda reportedly using stego to embed secret information in internet images) do we not hear more about this technique?  I have a couple of hypotheses here:

Attackers are using stego, but they are not getting caught. Detection of files with steganographically hidden content is very difficult, requiring very specialized knowledge and tools which most enterprises and forensic examiners don’t have access to.

Attackers don’t use stego because they don’t need to. There are so many organizations out there who do not have a handle on what information is leaving their networks that attackers don’t feel the need to go to the trouble of hiding the information they are swiping.  Or they are using really low tech methods to get the data out of the organization, like printing, or fax, or this.

Is stego a real threat to the enterprise?  I am not sure.  But the availability of stego underlines the need to build a security culture in your organization and use both technology and non-tech means to detect potential problems.  Stego seems to be a tool which insiders would be predisposed to use – detecting insider threats takes both technology and plain old vigilance.  There is some excellent information on detecting insider threats available from the CERT team – this should be on your reading list.

This post was inspired by Kai Axford’s (Accretive Solutions) great presentation at today’s New York Metro InfraGard meeting.

Jul 11

Is Microsoft a cyber-Benedict Arnold?

OK, call me a cold war relic, but I find the recent revelation that Microsoft has provided the source code for Windows, SQL Server, and Office to the Russian FSB (the spies formerly known as the KGB) as well as to the Chinese government quite disturbing. As recent events prove, Russia is still actively engaged in espionage against the US public and private sectors.  We know that the Chinese People’s Liberation Army is actively building an offensive cyber capability and that they use technology to suppress free expression in their country.  Microsoft’s disclosures have been going on since 2002, as part of a program under which Microsoft has supplied source code for its products to a number of countries as well as NATO.

It does not take too much imagination to conjure up visions of Russian or Chinese government security researchers finding zero-day exploits to allow their paymasters to craft undetectable malware which is then placed on US government and private sector computers.  Such an attack would be a cost-effective, low risk way to gather more information in a day than the recently unmasked spy ring was able to collect over a decade.  It takes even less imagination to envision the Chinese government using their access to Windows source code to build more efficient tools to monitor and muzzle those who dare to speak out against the Communist Party.

This incident raises a number of  interesting questions.

Is Microsoft (a company born in America, whose success was built on the US market, and which benefits from tax breaks funded by US taxpayers) right to provide access to the source code of products which are the underpinnings of all sorts of critical infrastructure to nations which are actively engaged in espionage against the US and whom we may meet on the cyber battlefield of the future?  It seems to me that this is sort of like hiring a company to build a fort and then allowing them to sell the plans to your adversaries.

Should Microsoft’s products have some sort of special status which recognizes them as part of the US critical infrastructure?  After all, Microsoft has been allowed to gain what is basically a monopoly in the US market for operating systems and other key software.  Does this engender a responsibility on their part to act in accordance with US national interests?   I think it does.

Microsoft hasn’t done anything illegal here.  It would be nice if they felt a need to protect the critical infrastructure of their country, but as a private entity with no laws or regulations to prevent their actions, they made the logical business decision to share the source code in order to gain better access to the Russian and Chinese markets.   However, their choice is a bum deal for the rest of us, who will have to deal with the repercussions of this decision while Microsoft reaps the profits.  We need to tell our legislators that it is time to take a fresh look at what we ask of companies like Microsoft and Cisco, whom we have allowed to develop monopolies on key parts of the nation’s critical infrastructure.  In the conflicts yet to come, cyberspace will play a key role – and Microsoft has sold the plans for the fort to potential adversaries.

Jul 10

lock up those bits!

Interested in Enterprise Rights Management?  In the New York City metro area?  Free on July 14th?   New York Metro InfraGard is putting on an ERM seminar which looks really worthwhile.  I think that ERM is going to be a key tool for security professionals over the next year or two as new mobile devices, as well as devices owned by employees and business partners become more and more integrated with our businesses.  I’m planning to be there and look forward to meeting some readers!

Jul 10

something new for the po-po to listen to?

Here’s an interesting story that bears some watching… security researcher Sean O’Neill claims to have reverse engineered the proprietary encryption which Skype uses to protect voice, video and IM communications on its network.  This work, while impressive, does not mean that Skype’s encryption has been broken, since knowing the details of an encryption algorithm does not allow you to decrypt data unless you can also derive the keys used to encrypt the data.  However, there are some reports that O’Neill’s code has been used to launch spam attacks on Skype users.  I am sure that intelligence and law enforcement agencies all over the world are quite interested in how this all turns out, as they have complained in the past that Skype provides criminals, terrorists and other ne’er-do-wells with un-wiretap-able communications.  O’Neill plans to provide more information on his work at the Chaos Computer Congress in December.

In the meantime, I plan to continue using Skype without too much worry.  Of course, I’ll think twice about using it for coordinating the global tentacles of my evil plan for world domination, but I see no reason to avoid Skype for personal and business communications right now.  Stay tuned.

Jul 10

Friday’s Wall Street Journal featured a page 1 article (unfortunately behind a subscription paywall – less detailed but free coverage here, but you can get the full WSJ article by searching Google News for “HSBC data theft”) on a massive theft of private banking client data from HSBC.  The thief was… wait for it… an HSBC infosec employee whose job it was to improve the security of the systems and databases holding that data.  Said employee then shopped the data around to a number of European tax authorities as well as to competing banks.  When the French police raided his parents’ home in France as part of the investigation into the theft, the data was turned over to the French tax people, resulting in collection of 1 billion euros from les tax evadeurs.  Now the French tax people are sharing this treasure trove of data with their colleagues in other countries, who also expect to collect lots of back taxes.

Of course, the guy at the center of this claims he was not in it for the money – he wanted to point out flaws in HSBC security or help catch tax evaders or was working for intelligence services.  (He can’t seem to decide on which story to go with…) In any event, he denies any illegal activity and stated that he copied the data to his personal computers and offsite servers as part of his normal work.  HSBC states that it is against company policy to copy such data to non HSBC computers.

The story is quite interesting and raises a number of questions for security pros, organizations and law enforcement (as well as folks who like to stash their cash out of sight of the tax man).

Is France’s use of the ill-gotten data and its further distribution of what is in effect stolen property a legitimate tool for government authorities? While there is a social good in collecting these taxes from the rich tax evaders, is this benefit outweighed by the message it sends vis-à-vis the rule of law?

Why was this very sensitive data not protected by some sort of DLP solution or even just old fashioned auditing and log review on the database server? Someone looking at a log and seeing this guy perform SELECT * on a sensitive database was all that would have been needed to detect this crime.
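The kind of log review the paragraph above describes, as an added example that is not from the original post and not HSBC’s tooling: it parses constructed database audit lines in a made-up format and flags full-table reads of sensitive tables, unfiltered reads, and any read by an account whose role should not see client data at all. The log format, table names, users and roles are all assumptions.

```python
import re
from dataclasses import dataclass

# Assumptions (not from the post): tables that hold client data, and the roles
# entitled to read them. A security admin changes schemas and privileges;
# that job does not require bulk reads of client rows.
SENSITIVE_TABLES = {"clients", "accounts"}
READ_ENTITLED_ROLES = {"app_service"}
ROLE_OF_USER = {"app_service": "app_service", "secadmin": "security", "jdoe": "analyst"}

# Constructed audit-log format: timestamp, user, database, quoted statement.
LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) stmt="(?P<stmt>[^"]*)"$')
SELECT_RE = re.compile(r'^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>[A-Za-z_][\w.]*)(?P<rest>.*)$',
                       re.IGNORECASE | re.DOTALL)

@dataclass
class Alert:
    ts: str
    user: str
    table: str
    reason: str

def parse_line(line):
    """Return the audit record as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def check_record(rec):
    """Apply the review rules to one record; return an Alert or None."""
    m = SELECT_RE.match(rec["stmt"])
    if not m:
        return None  # DDL, GRANTs etc. are not data reads (heuristic, not a SQL parser)
    table = m.group("table").split(".")[-1].lower()
    if table not in SENSITIVE_TABLES:
        return None
    reasons = []
    if m.group("cols").strip() == "*":
        reasons.append("SELECT * on sensitive table")
    if not re.search(r"\bWHERE\b", m.group("rest"), re.IGNORECASE):
        reasons.append("unfiltered read (no WHERE clause)")
    role = ROLE_OF_USER.get(rec["user"], "unknown")
    if role not in READ_ENTITLED_ROLES:
        reasons.append(f"role '{role}' is not entitled to read client data")
    return Alert(rec["ts"], rec["user"], table, "; ".join(reasons)) if reasons else None

def review_log(lines):
    """Run every line through the rules and collect the alerts in log order."""
    records = (parse_line(ln) for ln in lines)
    return [a for a in (check_record(r) for r in records if r) if a]

# Constructed sample log: a keyed lookup by the application account, a keyed
# read by an analyst, a bulk dump by the security admin, a schema change, junk.
SAMPLE_LOG = [
    '2010-07-02T09:14:05Z user=app_service db=private_banking stmt="SELECT client_id, balance FROM accounts WHERE client_id = 1234"',
    '2010-07-02T10:02:44Z user=jdoe db=private_banking stmt="SELECT name FROM clients WHERE client_id = 42"',
    '2010-07-02T22:41:10Z user=secadmin db=private_banking stmt="SELECT * FROM clients"',
    '2010-07-02T22:45:31Z user=secadmin db=private_banking stmt="ALTER TABLE clients ADD COLUMN last_login timestamp"',
    'garbage line that the parser should skip',
]

for alert in review_log(SAMPLE_LOG):
    print(f"{alert.ts} {alert.user} {alert.table}: {alert.reason}")
```

The role rule is the one that matters for the case in the post: the security admin’s schema change passes untouched, while the same account reading client rows is flagged even before the bulk-read heuristics are considered.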

Why did this employee even have access to this data? I can’t see how his job function (in a properly designed technical and procedural environment) required the ability to view and copy database information.  Changes and testing of security for that database should have been done in a separate QA environment using test data and then staged to production by another party.

My final question is one for the security community… Where does our fiduciary duty to our employers end and our responsibility as citizens start? In this case, I think that the HSBC employee was clearly in the wrong.  HSBC was offering a service to its clients which is perfectly legal under Swiss law.  The users of the service had a responsibility to report their income to their taxation authorities under the current regime.  If the employee had a problem with the world of private banking, he should have gotten into a new line of work rather than resorting to theft.  As for his claimed pure motives, I would have a lot less trouble believing him had he not shopped the data to competing banks.  I’d also point out that it would have been reasonable for him to expect some sort of remuneration from the tax authorities for his “aid” in collecting lost revenue.  His stories just don’t seem to add up.

It is important to note that this is not a problem unique to HSBC – the lapses that led to this data theft are extremely common across all industries.  Heck, even the US military has data stolen through loopholes in data protection policies (and Lady Gaga).

This case is a great learning opportunity for security and risk professionals – organizations need to remember that security personnel are human and need to have appropriate controls placed on their systems access as well.  In most organizations, the Internal Audit group can provide this oversight.  Smaller organizations may need to resort to periodic reviews of internal security by an external consultant.  In any case, make sure someone is watching the watchers!

Update 2010-07-10 – Just noticed that US tax authorities are “ramping up” their investigation into whether HSBC marketed tax evasion services to US clients.  Now, if they did engage in this activity, shame on them.  However, even if the allegations are found to be true, that does not change the nature of a data theft by a person in a position of trust.  Had the employee involved simply contacted the authorities with his concerns, the authorities could have obtained the data themselves.  And his shopping the data to competitors still sticks in my craw.

Jul 08

Wanna be friends?

You can never have too many friends – or CAN you?  (Hint: you can).   A recent social engineering experiment conducted by Thomas Martin of Provide Security showed the dangers of blindly accepting connection requests from people on social networks.  Martin set up multiple social network profiles for a fictitious person named Robin Sage who supposedly worked in US military intelligence circles.  “Robin” then sent connection requests to a variety of people in the security and intel communities (people who should know better, in other words).  The result?  In an interview with CSO Magazine, he stated that:

By the end of the 28-day experiment, Robin finished the month having accumulated hundreds of connections through various social networking sites. Contacts included executives at government entities such as the NSA, DOD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences, said Ryan.

More alarmingly, according to an article from DarkReading,

Robin actually duped an Army Ranger into friending her. The Ranger then inadvertently exposed information about his coordinates in Afghanistan to Robin with his uploaded photos from the field that contained GeoIP data from the camera.

Can you spell “bad operational security?”

Martin will be revealing all of his findings from the Robin Sage experiment in a talk at Black Hat later this month – should be quite entertaining for most and deeply embarrassing for a few.

There are some lessons to be learned from this incident for those of us who are not part of the military:

If you get a friend/connection request from someone you don’t know, don’t blindly accept it. When you bring someone into your online network, you are also granting them access to information about you (contact information, status updates, photos, etc.) as well as your organization (in the case of professional networking sites like LinkedIn).

Just because a “new friend” is already connected to some of your current friends does not mean that you should connect to them. All it takes is one careless connection to start an “avalanche of (misplaced) trust” and give an evildoer lots of information about yourself and your organization.  Trust me – I have seen this happen.  You know who you are.

Review the privacy settings for your social networking accounts and be sure that you are aware of and comfortable with the information that is shared with the public at large and with your “friends.” The privacy settings in Facebook and Linked In are rather complex.  I recommend using a privacy scanner tool to keep an eye on who can see what on your profiles… I really like one called Privacy Defender for Facebook, which allows you to easily see and modify who can and cannot see your info.  For LinkedIn, it seems like the only way to manage your privacy is manually via the Settings menu; it is sort of a pain, but the explanations provided by the site are pretty good.

And Robin Sage ain’t your friend.

PS – “Robin Sage” is the code name for the last training exercise that Army Rangers must complete before they are truly “Green Berets” – and none of the military folks (including at least one Ranger) caught on.  Sigh…

Jul 05

Did they have it all wrong?

A few weeks back, I blogged about some research on the economics and potential malware risks posed by Internet pornography.  Well, a *new* study from Avast Software finds that non-pornographic sites serving up malware outnumber pornographic sites serving malware by a factor of almost 100 to one.  Furthermore, Avast contends that there are more malware infected domains containing the word “London” than there are containing the word “sex.”  Not sure what this says about London.  I guess the morals of the story are: for every study claiming fact x, there will be one claiming fact y, and the internet is as dangerous a place for the virtuous as it is for the naughty.  Have you updated your antivirus and plugins lately?

Jul 05

Watch where you stick your thumb (drive)

From Risky.Biz… Customers at some convenience stores got a bit more than they bargained for when they used photo printing kiosks.  It seems that some kiosks at “Big W” stores run Windows.  And they don’t run antivirus.  And everyone and their brother brings their USB sticks (some infected with virii) to the stores to print.  You can see where this is going… the infected Fuji kiosks have been dispensing viruses to the USB sticks of customers.  The company is aware of the issue and is “currently testing” installing antivirus on the kiosks.  Hel-lo – the 1980s called and asked for their security policy back!

If you are partaking of the photo printing goodness of any of such kiosks, or sticking your USB drive into strange ports (I don’t judge…), make sure that you are running the very latest anti malware software on any of your own computers where you use said storage peripheral.

Jun 30

Daniel Dantas did...

Looks like open source disk encryption software TrueCrypt has shown its mettle in a cybercrime case out of Brazil.   The Brazilian police seized 500 TrueCrypt protected drives from the apartment of Daniel Dantas, a Rio banker accused of financial crimes.  In Brazil, there is no law compelling defendants to reveal passwords to encrypted evidence, so the Brazilian crime lab attempted to break the encryption for five months with no success.  They then turned to the US FBI, who ran dictionary attacks against the encryption for another year.  No joy.  As a result of the banker’s good password practices, the 500 drives with potential evidence were reduced to really ugly paperweights.

While this was a loss for the good guys, it does provide security professionals with some valuable information.  First, choosing a strong password (long, not a dictionary word, with special characters, numbers and the like) is still an integral part of good basic meat and potatoes security practice.  Second, if the FBI is unable to crack a TrueCrypt protected drive when the user has not chosen a boneheaded password, it seems like the program is a good and cost effective choice for protecting personal data as well as in small business environments.  The only thing missing for bigger business is some sort of key management and recovery scheme… sounds like an opportunity for an entrepreneurial crypto programmer.

Jun 29

Got my nose? Well give it back, punk!

Anyone who knows me knows that I am not a “kid person.”  To me, all babies (except for YOURS, of course) look like the offspring of Winston Churchill and a lizard.  And they all (except YOURS) seem to emit a plethora of unpleasant sounds, odors, and substances.  My wife reminds me every once in a while that I, too, entered the world as a baby, but I am becoming more and more convinced of the impossibility of this.

Well, it seems that my antipathy towards babies has been vindicated, folks – it turns out that today’s babies could grow up to be the next generation of terrorists!  According to Rep. Louie Gohmert (R, TX), those wily terrorists have been sending women to the US in order to have babies, which are then whisked back to Al Qaeda run Gymborees (complete with US citizenship) where they would be trained to wreak terroristic havoc on their (legal) return to the US in, oh, 20 years and destroy our way of life.  I knew it!  I’m glad that there are courageous Americans like Rep. Gohmert who understand where the real threat to our nation lies – in cribs!
