A different view of Stuxnet

Over at Forbes.com Jeffrey Carr has an interesting article on the now-infamous Stuxnet worm that takes a contrary view to the more common USA/Israel angle on the likely culprits.

The original whitepaper is here [pdf]

Now you know...

[xkcd comic: "Incident"]

(courtesy of xkcd)

'Twas the CISO Before Christmas

Originally from the Imperva Security blog here

Twas the night before Christmas, when all through the Net
Every hacker was stirring, engaging in cyber threat.
SQL statements were injected with care,
In hopes that credit card numbers soon would appear.

Security auditors were nestled all snug in their beds,
While visions of audit logs danced in their heads.
And the CISO in his ‘kerchief, and I in my cap,
Had just settled our brains for a cross site scripting attack.

When out from the cubicles there arose an Insider,
I sprang from the computer to see what was the matter.
Away to the database I flew like a flash,
Tore open the log files worried about lost corporate cash.

The dim office lights shined on a new iPad
Giving access to sensitive data, turning a good employee bad.
Then, before my eyes, data began to disappear,
Instantly killing holiday cheer.

With access to a file server—a breach!
I knew in a moment no trip to the beach.
The Insider downloading files faster than a bunch of geeks,
We’d be front page New York Times and featured on Wikileaks.

"Now Auditor! Now, CISO! Now, DBA and Network Security Team!
Get on, fast! It’s a Christmas Data theft. I wanted to scream!
To the database! To the IT room at the end of the hall!
Now audit away! Audit away! Audit away all!"

As dry leaves that before the wild hurricane fly,
When they meet with an obstacle, mount to the sky.
So up to the house-top the sensitive files flew,
In an iPad full of files heading to Julian Assange—we’re so screwed.

And then I heard something, I thought it was a goof
Prancing and pawing, perhaps it came from the roof?
But no, as I drew in my head, and was turning around,
Down the hall the CISO came with a bound.

Dressed for cyber defense, from head to foot,
His clothes were all sweaty, but he stayed put.
A bundle of security tricks he had flung on his back,
He looked like a soldier, ready to counter attack.

His eyes-how they twinkled! His pocket protector, how merry!
His cheeks were like roses, his nose like a cherry!
His droll little mouth was drawn up like a bow,
His face showed he had that data security mojo.

A cell phone he held tight in his fist,
Ready to call the CEO who was going to be pissed.
He had chubby face and a little round belly,
That shook at every cross site request forgery!

He was stout and plump, a right jolly old security pro,
And I trembled when I saw him, feeling like Homer, “Doh”!
A wink of his eye and a twist of his head,
I realized I had nothing to dread.

He spoke not a word, but went straight to his work,
He pulled a plug and blocked access to the network.
And laying his finger aside of his nose,
Way way way up the corporate ladder he rose.

He sprang to his office, to his team gave a whistle,
And away he flew down the hall like a missile.
But I heard him exclaim, before he turned out the light,
"Merry Christmas to all, and to all a secure-night!"

CISM

Well the CISM exam is now done, just need to wait for the results!

For anyone wondering what the exam is like compared to the CISSP, I'd say it was less broad in its focus, but deeper in the knowledge requirements.

The CISM is heavily focused on developing and maintaining an Information Security program within an organization, so is much more specific in its content than the more general CISSP.

Storm clouds

The great Wikileaks scandal that is currently occupying the media's attention has brought to light some interesting food for thought beyond the actual leaked documents and the ultimate insider threat scenario.

Wikileaks has been under denial of service attack for a number of days now, allegedly caused by a 'hacktivist' called 'th3j35t3r' (The Jester). The attack has ramped up from the 2-4Gbps that forced the site from its original host to the Amazon EC2 Cloud Service, where it intensified to a 10Gbps+ attack. Amazon then subsequently dropped hosting of the site, succumbing to political pressure along with the ongoing DDoS attack.

Does this add an extra wrinkle to the 'put it all in the cloud' future promoted by some organizations or individuals? It does bring up concerns about how a cloud provider would react if your organization came under sustained denial of service attack. The allegations that the attacks were the actions of a single hacker using new software called XerXes, which requires no zombie network or botnet to be effective, are also extremely concerning.

Howling at the Moon

Just a quick plug for a friend's new blog focused on Desktop Management, Microsoft Operating Systems and all things System Center.

Check it out!

Hardening VMware

Foundstone (who produce a bunch of great free tools) have released VDigger, a new VMware hardening tool. I haven't had a chance to check it out yet.

Tripwire also have a free product called ConfigCheck that has been out for quite a while now, which I have used and can recommend.

I previously mentioned the VMware hardening guide here.

Home grown hacker

An Aussie hacker who was arrested back in July for infecting around 2,500 computers with a virus to steal banking and credit card information has pleaded guilty but asked for a reduced sentence as his actions were 'youthful curiosity' and he 'was interested in becoming an internet security consultant'.

Are there any hackers who got arrested who didn't pledge to go straight and become an IT Security consultant? Now there's not a lot of detail in the news articles about exactly what he did (did he write his own code, is he a script kiddie running something like Zeus, etc), but regardless, asking for a more lenient sentence after you committed a crime so you can become a security consultant - is that not something like being arrested for stealing cars because you want to be a mechanic or robbing a bank because you wanted to be a security guard?

I know there is a great precedent of those who were on the wrong side of the law, who reformed and have become security consultants or security celebrities (eg: Kevin Mitnick, Kevin Poulsen), and it is a subject that has been well debated before. Would you hire a 'reformed' blackhat? Does it always "take a thief to catch a thief"? I'm not so sure...

The interesting thing about this case from an Australian point of view is that:

"The judge was told there had been no similar cases across Australia to guide him when imposing a penalty."
It will be worth watching closely to see what kind of sentence is handed out, and to compare it against other parts of the world where these types of prosecutions have been more common.

Once more unto the Breach...

I attended the AISA national seminar day earlier this week (which was a great day), and one of the panel discussions touched on whether there was a need for greater regulation or government intervention in IT Security. The prevailing view was that over-regulation would stifle innovation and government mandated minimum requirements would lead to businesses doing the bare minimum and no more.

I don't disagree with those points, but I do believe that Australia is still behind the US/Europe in understanding Information Risk in the boardroom, and one of the ways to make sure it gets on the radar and stays there is mandatory breach notification.

My view was somewhat echoed in a recent itnews story that made the good point that individual data breaches may be too small for authorities to really investigate, but the implementation of an IC3-style centralized reporting body could assist in aggregating many small breaches into a large one and show a pattern of behaviour or negligence by an organization.

On a similar note I (re)discovered a link to a useful document that I had used in a Uni assignment last year that compares Data Breach Notification Laws around the world [pdf]. Although a little out-of-date (2009), it's still a great little summary.

On data breaches, there is of course Wikileaks. Wow. Infosec Island has a nice piece on how the forthcoming "megaleak" from a major US bank will be 'Enron-esque' in the fallout (if you haven't seen it, I recommend Enron: The Smartest Guys in the Room).

If it is as big as promised, it will be interesting to see the effect on corporate security (and is probably a great time to be a salesman with a good DLP solution...)

The future of storage?

Now this [pdf] is cool. Data encoded into DNA in bacteria by a team from Hong Kong University - according to their slides they could encode 900TB of data in 1 gram (wet weight) of E. coli bacteria! It even proposes an encryption scheme by shuffling DNA (a genetic Caesar cipher?).

Doomed!

The ACMA are warning us that 30,000 Australian PCs are infected every day. I wonder, are they unique infections? If so then if 78% of households have a computer and there are 7,600,000 households (roughly - 2006 figure) then every household should have one infected PC by 5th August 2011! (oops forgot to minus the 80,000 pre-infected machines, so that would actually be 2nd August 2011).

Are we really all that doomed?

Securi-crats

This is interesting. While I can understand the US Government feels the need to 'do something' (a feeling common to politicians of all nationalities and sides), I'm not sure if a Government-mandated set of compliance rules is the best solution. Companies that have spent millions on SOX and PCI-DSS compliance have proven far from invulnerable to cyberattack or data breach. It's not like the DHS can keep their own house in order as it is (although they have apparently been improving).

They could always ask the EPA for help!

Of course if this does pass into law in the US, it will only be a matter of time before it being discussed here in Australia...

WarGames: The Dead Code

Did you know they made a sequel to the all-time hacking classic WarGames?
Neither did I! Having recently watched this straight-to-DVD 2008 sequel, there's a good reason you haven't heard of it...

In brief, the Government has developed a supercomputer called 'RIPLEY' that...wait for it...runs an online game that is designed to identify terrorists, as only terrorists would be good at a game where slaughtering people in a city with biological weapons is the goal. Hijinks ensue when the main character (a mom's-basement-dwelling hacking whizkid who commits credit card fraud for fun and can penetrate the US Government's most top secret network from any wireless access point) plays the game and is mistaken for a terrorist. In a shocking twist, RIPLEY goes haywire and decides to nuke Philadelphia, but only the intervention of the reactivated WOPR - who teaches RIPLEY 'tic-tac-toe' and the concept of 'Mutually Assured Destruction' - can save the day. Or something. My attention was really fading by that point...

In one amazing show of skill, the whizkid hacker plays (the now cancelled) Stargate Worlds MMO. The ability to play unfinished cancelled games? Now that's some super-hacking! (I'd insert a Duke Nukem Forever gag here but, you know)

The classic WarGames quote: "A strange game. The only winning move is not to play" (re-used in this film) could be rephrased "A strange film. The only winning move is not to watch".

I really hope the new TRON sequel is a lot better...

SANS Sydney 2010

I attended the SANS 504 Hacker Techniques, Exploits & Incident Handling course here in Sydney last week. It was the first time I have attended a SANS/GIAC course, and I must say I was very impressed by both the course content and the skill of the presenter Bryce Galbraith, who was assisted by Chris Mohan.

I found the course to be a terrific eye-opener and introduction to the ethical hacking/penetration test side of the industry, with a focus on the countermeasures that can be implemented and incident investigation. The 'capture the flag' on the final day was also a lot of fun and really helped tie together some of the techniques and thinking we had learned during the first 5 days.

I'm looking forward to playing with the tools and getting a better understanding of the techniques over the Christmas break and hope to sit the GIAC GCIH exam in January (but for now the focus remains on the looming CISM exam that is quickly approaching!)

If you are considering doing a SANS course, I'd have to recommend it. While there is a lot to learn in a small amount of time, the hands-on nature and expertise of the presenter make it well worthwhile (and far superior to the 'instructor reading the textbook to you' style training I have suffered in the past).

Google Hacking

Remember Johnny Long's Google Hacking database?

Well it's back!

The team at Exploit Database have recently resurrected the GHDB to help you harness the power of Google to do reconnaissance or just be nosy. Use it to check out your webservers, your network and your users before the bad guys do!

Sadness...is a lost laptop

Oh dear. This is just depressing...

If the UK MoD can't get something this basic right, is there any hope for those of us tasked with educating uninterested corporate users?

The Toshiba Satellite A30 is an older laptop so was probably running XP rather than the BitLocker-capable Vista or Windows 7, but still...

I hope the Taliban/Al Qaeda/Threat of the Month don't use eBay!

"The Great Cyberheist"

The New York Times have an interesting article up on Albert Gonzalez, the hacker-turned-informer-turned-double-agent who was a key part of the ShadowCrew that committed (amongst other things) the intrusions at Heartland Payments / TJ Maxx that netted over 94,000,000 credit cards.

Although it doesn't go into technical details, it is worth a read for an interesting insider view.

Fashion sense?

A friend passed along a link to the must-have accessory for the aspiring data smuggler this year: USB Flashdrive cufflinks!

Of course hidden USB drives are nothing new, from USB drive Barbie, a chap stick, chewing gum or cigarette lighter to the 'hiding in plain sight' USB bowling ball drive!

I hope it holds more than 64MB!

If they're all too big you can go for a MicroSD card hidden inside a coin instead (just don't spend it by accident!).

The point of bringing up these amusing and imaginative storage devices is that it's trivially easy to transfer large quantities of data in a non-obvious fashion (well, except that bowling ball...). The best way to protect against them all is to have your defences on the data, and if you allow the use of unfettered USB storage and are protecting portable confidential information, have some kind of host-based DLP strategy.

As for the USB cufflinks, I don't claim to know much about fashion, but they're ugly enough that a strictly enforced dress code might protect you...

The stealth cloud

IT World have an interesting article on what they're calling the 'stealth cloud'. It's not exactly a new concept - mostly bigger companies have had to deal with the 'shadow IT' problem for some time now.

How to spot a Shadow IT user...

However the recent proliferation of cloud service providers has the potential to greatly exacerbate the problem. As organizations already struggle with governance and meeting requirements such as SOX, PCI-DSS, Privacy Laws and industry regulation; having business units run out and sign up to external SaaS/Cloud services to fast track projects sounds like a disaster (if not a lawsuit or breach fine) waiting to happen...

Many of these services are pitched at consumers, who use them and enjoy the benefits of the likes of cloud file storage or a personal online knowledge base and these same consumers come to the office and want the same services at work.

So how do you combat the problem? There's no easy answer (like just about everything in Security!), but a combination of education/communication - ensuring the managers of the business units understand why storing confidential corporate documents via Dropbox is risky - and being prepared to formally evaluate the security and risks of the SaaS/Cloud providers, so that the resulting decision is made out in the open, may go a long way to easing the headache.

It's been said before but is worth saying again: most business computer users have no understanding of security. In a recent conversation an office worker was somewhat shocked to hear that email was not 'secure' or even particularly 'private'. Education and communication are the keys and probably the best way to combat those pesky Shadow IT ninja or Stealth Cloud Shinobi! (since they won't let me bring a katana to work...)

The OS that would not die!

Halloween is not a big deal down under. Certainly when I was a kid, nobody celebrated Halloween, but these days it is starting to pop up more and more. What does Halloween have to do with security, you ask? Well it seemed quite apt that on Halloween night I saw this article from Computerworld on how 48% of surveyed companies plan to run XP post Microsoft end-of-support in 2014.

Now if that isn't scary I don't know what is! While I can understand the pain in the need to test applications, run a pilot group, train users in a new interface and finally roll out a new desktop OS, I suspect it pales in comparison to getting your desktop fleet pwned by the first never-to-be-patched-in-your-OS vulnerability on April 9th 2014.

Don't get me wrong. I liked XP. It did what was needed and was a solid OS. It was rock solid enough to make its successor, Vista, look like crap. I still have it running on one machine at home. But Windows 7 is no Vista. IMO it's worth the switch. Anyway by 2014 I doubt I'll even still be using Windows 7 (with plans for Windows 8 in 2012), let alone a 13 year old OS!

I don't care how much you 'like it', continuing to use WinXP post April 2014 for your desktops is just asking for trouble. Think about it.... a 13 year old OS. That's akin to using Windows 95 in 2008. Or continuing to use Windows 98 until next year.

Now that's scary!

Unisys Security Index

Unisys have released their latest security index reports, which also have a break-out section for Australia. While this report covers far more than InfoSec (it includes items such as terrorism/national defence, health and financial security) there are sections on Internet Security, shopping & banking online and computer security (viruses and spam).

From their summary:

  • Six out of 10 (58%) Australians never secure their mobiles, PDAs or smartphones by using, and regularly changing, a password or PIN. Only 18% say they always secure their mobile device
  • Young Australians are protecting their identities online by limiting the information they post on social networking sites, with 70% of 18-34 year olds saying they do it always, compared with only 44% of those aged 50+
  • The top two areas of concern for Australians are ID theft related: Unauthorised access to/misuse of personal information (56%) and other people obtaining/using credit card/debit card details (55%)

Australians are ending the year more relaxed than they started. The overall level of concern on key security issues, tracked by the Unisys Security Index, stands at 115 out of 300, down 8 points compared to April 2010. This reflects a drop in concern for all four areas of security, with the biggest fall recorded for national security, which has an index of 110, down 11 points since April.

What's interesting is the state-by-state comparison, with people in WA, NSW and VIC more worried (+7%) about internet security than those in SA and QLD.

Those over in WA seemed to be the most worried overall, topping the lists for all four sections: national security, financial security, internet security and personal security.

Still here!

Things have been quiet here at the Circus, as work and Uni have been in high gear alongside preparing for the CISM exam.

I will hopefully be back on a regular blogging schedule soon. In the meantime here is a gem from reddit.com:

Oh dear.

"Scary Internet Stuff"

Symantec Education have posted some pretty good videos to help explain internet nasties to non-technical people:

#1 Phishing
#2 Botnets
#3 Cybercrime Underground
#4 Drive-By Downloads
#5 Misleading Applications
#6 Denial of Service Attacks
#7 Pests on your PC
#8 Losing your Data
#9 Net Threats

They're quick and easy to watch without being too heavy on the marketing.

Password Reuse

Richard pointed out that the ever-amusing xkcd has a cartoon today that relates to the point I was making in an earlier post (except the bit about google turning evil...didn't that happen already?)

Hack is Whack is hacked yo!

Oh the irony...

HackisWhack...hacked!

'nuff said.

Hack is Whack yo!

It's been a busy time under the Security Circus Big Top of late which has led to a distinct lack of blogging.

But what a busy time it has been in the InfoSec world! What with Intel buying McAfee for almost $8 billion and Snoop Dogg declaring "Hack is Whack!" (which is how the cool kids, in this case Symantec Norton and Snoop, say "please don't commit cybercrimes").

It's been a tumultuous time here down under, with a deadlocked parliament after a recent Federal Election meaning we're in Governmental limbo, which must somehow be the cause of the recent week of system outages amongst financial institutions such as the Commonwealth Bank, ANZ Bank and, not to be outdone, Westpac. I can only assume the National Australia Bank (or 'NAB' as they prefer to be called these days) will have an outage tomorrow, as the 'big four' banks like to do everything together*. Not to be left out, the Australian Tax Office (ATO) also had a minor outage today. Whatever happened to testing patches? Hmmm.

Time fo' me to bounce off to my crib with my homeys and bust some phat cyphers to win that grand prize and meet Snoop!

Waitaminute.... "2 tickets to Snoop concert, meet his mgmt/agent, Toshiba Laptop"

Meet his mgmt/agent?

Weak? fo'shizzle!

*for the non-Australians, these four major banks have been accused of interest rate collusion in the past...

Pizza, passwords and octopus!

I've been meaning to post this for a little while, ever since I read about the data breach that occurred 'across the ditch' at the popular 'Hell Pizza'.

The cause of the breach was some spectacularly bad development work that had the Flash front-end making effectively unrestricted SQL calls to the back-end database. The database contained customer name and address details, their order history and their unencrypted password for the site.

But it's only a pizza website? Who cares!

The problem is that many people use the same password (or a variation thereof) on a wide variety of websites, pizza websites included. When the pizza website gets hacked for usernames, email addresses and passwords, you can bet that someone will try to use those same credentials (or a variation) against other sites, such as webmail, social networking and internet banking. That 'lowly' pizza website and its abysmal security may have just trumped your higher security internet banking or webmail site.

It's the same old problem we always have with passwords, that people simply have to remember too many passwords. A Microsoft study [pdf] from back in 2007 found that: "the average user has 6.5 passwords, each of which is shared across 3.9 different sites. Each user has about 25 accounts that require passwords, and types an average of 8 passwords per day".
From informal discussions I've had with friends and family, I'm surprised the number is 6.5 passwords as the feedback I've received is that the number is closer to 3-4 different passwords.

Unfortunately password-based authentication isn't going anywhere anytime soon, so the advice I give to non-IT people (on top of using complex, non-dictionary, unrelated passwords) is to set themselves up with some different 'levels' of passwords.

The bottom level is a 'throwaway' password that you can use for anything that really doesn't matter - your pizza website, one-off registrations to download documents or software, or other sites you rarely ever frequent or suspect of low security standards (like internet forums).

The next level of password is for your more frequently used sites with generally better security, like social networking or webmail sites. (While I'd advise keeping social networking and webmail passwords separate, I'm working on the 3-4 password theory...).

The next level of password is your 'online shopping' password, for sites such as Amazon or eBay. This is for the types of sites where a password breach could run up a serious bill on your credit cards.

Finally the last password level is your 'high security' password, solely used for internet banking. The important part about the high security password is not only that it is strong, but that it is not used anywhere else.

While I admit the above is far from perfect, neither are passwords or people! At least by following that advice your average internet user might be somewhat better protected than using the same password everywhere...
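As an added example (not from the original post), here is a PowerShell check that applies the password 'levels' above to a list of accounts: it flags the banking password turning up on any other account, and any password shared between two different levels. The account records, site names and passwords are constructed placeholders.

```powershell
# Added example: audit a list of accounts against the tiered-password advice.
# Levels ranked from least to most sensitive, as described in the post.
$TierRank = @{ throwaway = 0; social = 1; shopping = 2; banking = 3 }

function Test-PasswordTiers {
    param([Parameter(Mandatory)][object[]]$Accounts)

    $findings = @()
    # Group accounts by password so any reuse becomes visible in one place
    foreach ($group in ($Accounts | Group-Object -Property Password)) {
        $tiers   = @($group.Group.Tier | Select-Object -Unique)
        $highest = $tiers | Sort-Object { $TierRank[$_] } -Descending | Select-Object -First 1

        # Rule 1: the banking password is used for banking and nothing else
        if ($highest -eq 'banking' -and $group.Count -gt 1) {
            $findings += [pscustomobject]@{
                Severity = 'High'
                Rule     = 'BankingPasswordReused'
                Sites    = ($group.Group.Site -join ', ')
            }
        }
        # Rule 2: one password must not straddle two different levels
        elseif ($tiers.Count -gt 1) {
            $findings += [pscustomobject]@{
                Severity = 'Medium'
                Rule     = 'CrossTierReuse'
                Sites    = ($group.Group.Site -join ', ')
            }
        }
    }
    return $findings
}

# Constructed sample data: the passwords are placeholders, not real credentials
$sample = @(
    [pscustomobject]@{ Site = 'pizza.example';   Tier = 'throwaway'; Password = 'pw-throwaway' },
    [pscustomobject]@{ Site = 'forum.example';   Tier = 'throwaway'; Password = 'pw-throwaway' },
    [pscustomobject]@{ Site = 'webmail.example'; Tier = 'social';    Password = 'pw-social' },
    [pscustomobject]@{ Site = 'shop.example';    Tier = 'shopping';  Password = 'pw-social' },    # straddles levels
    [pscustomobject]@{ Site = 'bank.example';    Tier = 'banking';   Password = 'pw-bank' },
    [pscustomobject]@{ Site = 'coupons.example'; Tier = 'throwaway'; Password = 'pw-bank' }       # banking reuse
)

# Two findings expected for the sample: one High (bank + coupons), one Medium (webmail + shop)
Test-PasswordTiers -Accounts $sample | Format-Table -AutoSize
```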

Onto another tasty subject, octopus! (in fact octopi! Or is it octopuses?)

Octopus #1:
A hacker in Japan has been arrested for releasing a virus that overwrites files on your PC with manga pictures of Octopuses and Squid. The funny part? It's the second time he's been arrested for this. Two years ago he was arrested for the same thing and charged with copyright infringement as he used copyrighted manga images. To show that Mrs Nakatsuji raised no fool, this time he used images he drew himself so he couldn't be charged with copyright infringement again! While I hope Japan has revised their computer crime laws since his first arrest, you have to admire his logic!

Octopus #2: The Octopus card is a common smart payment card in use in Hong Kong that is used in the MTR subway, convenience stores and fast food restaurants like McDonald's. Everyone I know in Hong Kong has one, and as a frequent visitor over there I have one in my wallet right now. Well it seems that the card issuer had sold the personal data of nearly 2 million customers to six business partners for HK$44 million over the past four years, the exposure of which has led to the resignation of their Chief Executive. For all the good work we security people may do in protecting our corporate data from the 'bad guys', it is all for nought if the bad guys are in the boardroom....

Now all this talk of Octopus and pizza has made me hungry! I wonder if Hell Pizza deliver to Australia?

Social Engineering CTF

Social engineering is back! Did it go away? Not really, but it's back in the mainstream news. One of the competitions at DefCon this year has been a 'social engineering contest', where contestants were given a list of information they had to obtain and a target company that they had to obtain it from.
They were given a limited amount of time to get as much of the information as they could. And the result? Not good.
We've touched upon social engineering before, and unless (or even if) you're a super-secret organization with highly trained personnel it is something that is damn near impossible to stop. I would imagine it is easier to do against larger companies (such as those targeted in the contest; the likes of Apple, Microsoft, Cisco, Ford, Coke and BP), especially those with areas that routinely deal with the public and whose staff are encouraged and trained to be helpful and friendly.

Only 3 out of the 50+ employees contacted by the competitors were skeptical enough to hang up without providing information (and all three were women....so much for the skeptical male stereotype!). Apparently:

"People went as far as opening up their e-mail clients, Adobe Reader, versions of Microsoft Word, and clicking on 'Help/About' and giving the exact version numbers of their software," said Aharoni. "For an attacker, the exact version number would provide a much higher level of success," allowing an attack to be tailored to exploit a vulnerability in that exact program.

The contest was sponsored by social-engineer.org who seek to "Exploit the HumanOS".

While I can see the validity of the contest, I hope the details of those called are not released, to avoid any punishment or ridicule from their employers or fellow workers. The urge to be helpful is part of human nature and it is a sad fact that there are those who will exploit and manipulate that nature for their own ends.

Time to go and review your Security Awareness training...

Cloudy Weather

The Cloud. These days it seems all-encompassing and inescapable. Perhaps we should have called it 'fog computing', as it seems to have the ability to bamboozle and confuse non-techie types with promises of milk and honey for little or no effort. While it certainly has its merits, a lack of true definition and standards shows its immaturity at present.

But even in a world of magical clouds there's a dark side, for with greater availability of cheap computing power comes the opportunity for shady types or, in this case, researchers to use the 'power of the cloud' to crack WPA encryption. WPACracker allows you to run a 285 million word dictionary-based attack to crack WPA-PSK and ZIP file encryption. Purely for research purposes of course!

Using Clouds or 'cloud-like' constructs for crime is nothing new, as shown by the prevalence of botnets such as the massive Conficker botnet (estimated at 10-15 million hosts) or the spam-spewing Cutwail botnet that could blast out 74,000,000,000 spam messages a day (that's 51,000,000 a minute!).

While I'm on Cloud matters, I spotted a recent interesting little tidbit about personal cloud storage provider Evernote. It seems for their customers, security is an add-on extra that is only available to premium subscribers....

Apparently 'excellent security' means encrypting authentication information only with the remainder sent in the clear. Are we past the age of better security being basically a good idea or advertised as a lure for customers and it turning into a premium extra charge? I hope not.

(thanks for some of the info in the post above to a Circus contributor who must remain anonymous - you know who you are!)

autopwn

Microsoft have recently released an advisory, "Microsoft Security Advisory (2286198) Vulnerability in Windows Shell Could Allow Remote Code Execution", for a new 0-day that is currently being exploited.

While it can be exploited via network or webdav shares, it is removable drives that are the most likely vector for exploitation. A big part of that is our old friend, autorun, that has been the cause of problems before.

If you haven't yet disabled autorun in your organization, I strongly suggest you look into it. Microsoft have some details on how to accomplish this here:

Also I recently stumbled across this little gem from ex-MS (now Amazon) Security guru Steve Riley:

Well, it turns out that Windows will override this setting if you insert a USB drive that your computer has already seen. I received an email from Susan Bradley that links to an article on Nick Brown's blog, "Memory stick worms." Nick mentions the MountPoints2 registry key, which keeps track of all USB drives your computer has ever seen. I'll admit, I didn't know this existed! I'm glad Nick wrote about it, though.

Nick also includes a little hack that effectively disables all files named "autorun.inf." Interesting, but something in me prefers to make Windows just plain forget about all the drives it's seen. So now I will amend my instructions. In addition to what I wrote earlier, you should also write a small script, and execute it through group policy, that deletes the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

I hadn't seen that registry key mentioned before, but it looks well worth investigating...
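An added example, not Steve Riley's or Nick Brown's own script: a PowerShell logon script that could be deployed through Group Policy to remove the per-user MountPoints2 key quoted above, so Windows forgets the removable drives it has cached for that user, and to write one log line per run. The log file location is an assumption.

```powershell
# Added example: clear the cached removable-drive entries for the current user.
# Path is the key quoted in the post; the log location is an assumed choice.
$MountPoints2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$LogFile      = Join-Path $env:TEMP 'mountpoints2-cleanup.log'

function Remove-MountPoints2 {
    param([string]$Path = $MountPoints2)

    # Nothing to do if the key has not been created yet (or was already removed)
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Removed = 0; Status = 'AlreadyAbsent' }
    }

    # Each subkey is one drive Windows has previously seen for this user
    $seen = @(Get-ChildItem -Path $Path -ErrorAction SilentlyContinue).Count

    try {
        # -Recurse drops the cached drive entries together with the parent key
        Remove-Item -Path $Path -Recurse -Force -ErrorAction Stop
        $status = 'Removed'
    } catch {
        # Leave a trace rather than failing the logon silently
        $status = "Failed: $($_.Exception.Message)"
    }
    return [pscustomobject]@{ Removed = $seen; Status = $status }
}

$result = Remove-MountPoints2
"$(Get-Date -Format o) user=$env:USERNAME removed=$($result.Removed) status=$($result.Status)" |
    Add-Content -Path $LogFile
$result
```

Explorer recreates the key as new drives are seen, so the script needs to run at every logon; it complements the autorun policy setting rather than replacing it.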

Extreme Pentest

I recently came across this blog entry from the SNOsoft research team (aka NetraGard) describing in some detail a rather extensive penetration test for a 'mid-sized' bank.

The pentest was undertaken not to identify all points of risk, but to identify how deeply the pentesters could penetrate. It was the unusual approach and the use of social networking reconnaissance and social engineering that caught my eye:

In addition to FaceBook, we focused on websites like Monster, Dice, Hot Jobs, LinkedIn, etc. We identified a few interesting IT related job openings that disclosed interesting and useful technical information about the bank. That information included but was not limited to what Intrusion Detection technologies had been deployed, what their primary Operating Systems were for Desktops and Servers, and that they were a Cisco shop.

Naturally, we thought that it was also a good idea to apply for the job to see what else we could learn. To do that, we created a fake resume that was designed to be the “perfect fit” for a “Sr. IT Security Position” (one of the opportunities available). Within one day of submission of our fake resume, we had a telephone screening call scheduled.

We started the screening call with the standard meet and greet, and an explanation of why we were interested in the opportunity. Once we felt that the conversation was flowing smoothly, we began to dig in a bit and start asking various technology questions. In doing so, we learned what Anti-Virus technologies were in use and we also learned what the policies were for controlling outbound network traffic.

From there they were able to identify key employees and eventually email a dodgy trojan PDF that evaded the company's AV, ultimately capturing the DCs. Game Over.

I doubt many companies would have an external party go to this extreme to test their defences, even banks. I wonder how many companies would have sufficient defences to resist this type of assault?

They also have an interesting blog post entitled “FaceBook from the hackers perspective” that is worth a read.

Twitter Trouble

While playing with my new iPad, I came across an interesting article on The Last Watchdog about the US Federal Trade Commission's complaint against Twitter.

I'd read about Twitter's security breach in April last year, where an employee's personal email account was hacked and provided admin passwords to the social networking site, but had somehow missed the earlier breach where apparently nothing more complicated than a brute force attack revealed the site's weak, lower case, common dictionary word administrative password!

From the article, some of the major points of the FTC's complaint are that Twitter failed to take steps such as:

  • Requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks
  • Prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts
  • Suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts
  • Providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users
  • Enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days
  • Restricting access to administrative controls to employees whose jobs required it
  • Imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses

Additionally, Twitter are "barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers. The company also must establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years".

Hackers, Fraudsters and Politicians.

The House Standing Committee on Communications have released the results of their findings into Cybercrime in a report entitled Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime.

I haven't had a chance to digest the nearly 300-page document yet, but news.com.au has reported some interesting excerpts from it:

Among its final 34 recommendations were:

— The creation of an around-the-clock cyber crime helpline.

— Changes to the law to make unauthorised installation of software illegal.

— Companies who release IT products with security vulnerabilities should be open to claims for compensation by consumers.

That last point seems to be the most potentially controversial and problematic, but I'll hold judgement until I've had a chance to read the entire report...

BYO Forensic Lab

After recently reading and learning about the requirements for setting up a forensic laboratory, I did a little more research into the subject and came across a fairly recent article on csoonline.com entitled "How to Build Your Own Digital Forensics Lab - for Cheap". While the article is fairly brief and doesn't go into issues such as chain of custody or the capture of volatile data, the author does provide some cool tips on making a USB device read-only and points to some free tools for imaging a suspect's disk.

The article also has a link to the handy little "Secret Service's Best Practices For Seizing Electronic Evidence, Pocket Guide for First Responders" [pdf] which has tips such as photographing the screen before powering off a suspect machine and performing the power-down by yanking the power cord (and where appropriate removing the battery). For servers in a business it recommends not yanking out the power cord, but calling a pro and restricting access to avoid damaging the system, disrupting legitimate business and (of course!) reducing the potential for officer and department liability.

It's a cool little guide and an interesting insight into law enforcement procedures.

Top 10 Hollywood Stupid Hackers

News.com.au has a fun little gallery on the "Top 10 Hollywood Stupid Hackers" covering films from 'the Net' and 'Firewall' to 'Tron' and 'Jurassic Park'.

They did miss 'Swordfish', which showed that hacking was all about how quickly you can mash the keyboard...

Best quote of the lot: "I shouldn't have written all of those tank programs" by Kevin Flynn (Jeff Bridges) in TRON.

Wii Forensics

A recent article on Networkworld.com mentions how difficult it can be to recover information from smartphones and game consoles.

I can imagine smartphones are particularly difficult, given the constantly changing nature of the hardware in use and the proliferation of mobile operating systems such as Windows Mobile 7, Android, iphone OS, WebOS and BlackBerry OS. The modified or custom file systems can also be challenging as I've read that the xbox360 uses FATX and that the PS3 uses a proprietary version of ext2.

However, a particular quote from the article caught my eye: "You can take a Wii onto the Internet and it doesn't save sites or browser history... If you type in a Web address and surf, 10 minutes later there's no record of it." Intrigued by this comment, a bit more digging came up with this paper [pdf] on Wii Forensics.

Dr Turnbull highlights the lack of internal storage (excluding the 256MB flash memory) and proprietary file system as being some of the difficulties in Wii Forensic analysis. The paper makes for interesting reading.

Shout outs

A couple of plugs for blogs of friends:

Fellow AISA member Steven Atcheson has recently started his own Information Security related blog called 'Keeping it Simple'.

Another friend, Tim Davoren of ENSTOR also has a blog largely based around storage, backup and disaster recovery called Dav's Disorder.

CSIRT

ENISA (The European Network and Information Security Agency) have freely released a lot of materials on setting up a CSIRT or CERT.

The step-by-step guide [pdf] seems like a great starting point and they even include exercise materials.

They also have a section on CSIRT-related tools which lists useful tools for every stage of an investigation.

National Cyber Security Awareness Week

It's National Cyber Security Awareness week this week (6–11 June)

From the website:

National Cyber Security Awareness Week is an annual initiative of the Australian Government held in partnership with industry, community and consumer groups and state and territory governments.

It is designed to raise awareness among Australians of cyber security risks and simple steps they can take to protect their personal and financial information online.

National Cyber Security Awareness Week 2010 is from 6 to 11 June. It will promote six easy tips for better online security:

1. Install security software and update it regularly.
2. Turn on automatic updates so that all your software receives the latest fixes.
3. Get a stronger password and change it at least twice a year.
4. Stop and think before you click on links or attachments.
5. Stop and think before you share any personal or financial information about yourself or your friends and family.
6. Know what your children are doing online. Make sure they know to stay safe and encourage them to report anything suspicious.

Forensics & Virtual Machines

I'm a big fan of virtualization, and have seen first-hand how much of a 'game changer' it has been when it comes to infrastructure. With my recent studies of Digital Forensics I wondered how does virtualization 'change the game' when it comes to forensics?

In my so-far brief researching, there seems to have been a bit written about the use of virtualization in forensic analysis. The paper entitled 'Virtual Forensics' [pdf] from ForensicsFocus.com is an interesting start, discussing VMs as a target and the use of VMs to make analysis easier. This presentation from 2005 is boldly titled "Virtual Machines: The Ultimate Tool for Computer Forensics", while this paper [pdf] claimed that "the environment created by VMWare differs considerably from the original computer system, and because of that VMWare by itself is very unlikely to produce court admissible evidence" and suggests that a hybrid approach of using a standard forensic image along with a VM for analysis is the best approach.

There also seem to be plenty of ready to run virtual machine images or appliances to assist the forensics practitioner, but what happens when the target machine is a VM?

This article from cio.com mentions one of the potential problems is that VMFS (VMWare's file system used to store the 'guest' virtual machine images) is not well understood. A virtual machine is simply files on a disk, but when you want to capture a forensic image of a VM do you simply capture the 'disk files' (eg: vmdk file, NVRAM file, etc) or do you need the underlying host storage volume (the VMFS partition) to capture metadata (such as the last accessed time etc)?

The sheer size of the VMFS partition may also cause problems (think multi-terabyte LUNs), along with the fact that vmfs partitions may be shared amongst many guest VMs, which may cause problems if a forensic investigator is only authorized to investigate a single machine.

With continuing explosive growth of server virtualization and now the increase in interest in desktop virtualization it will be interesting to see what changes (if any) will be required for digital forensic investigators in the near future.

Crooks & Crypto

"Criminals are a superstitious cowardly lot" said none other than the caped crusader, Batman. But it seems they're a lazy lot too. The Register has an article on how the 'belief that they won't get caught' and laziness have meant that the feared widespread use of cryptography by criminals has not come about.

It was this fear that led governments (most notably the US) to float the idea of criminalizing the use of encryption software, or of requiring the Government to hold a key in escrow (as with the Clipper chip).

A few years ago the UK passed a law ("RIPA section 49") requiring suspects to hand over encryption keys when requested or face fines and up to two years' jail. They have since charged suspects under it.

A great piece on the controversy of whether encryption is harmful or not is also available here.

Cryptography is a tool and can be used for good or for ill. Personally I don't believe in a system where the Government holds keys in escrow without unprecedented transparency around who is accessing keys (and why!), and I don't believe such a system would ever be workable. Make cryptography illegal? Well, the 'bad guys' are already breaking the law and only law-abiding citizens would be disadvantaged.

Oh, and I'm more than happy for criminals to remain a lazy, overconfident and superstitious cowardly lot!

HDD decryption

Forensics Focus had an article about some software that "Decrypts TrueCrypt Hard Disks in Minutes". A pretty impressive & scary claim! Wondering how it works? I was too, so a quick visit to the manufacturer's website gives some details on how the software works for HDD decryption:

Passware Kit scans the physical memory image file (acquired while the encrypted BitLocker or TrueCrypt disk was mounted, even if the target computer was locked), extracts all the encryption keys, and decrypts the given volume. Such memory images can be acquired using Passware FireWire Memory Imager (included in Passware Kit Forensic), or third-party tools, such as ManTech Physical Memory Dump Utility or win32dd.

Overall Steps

* Acquire a memory image of the seized computer
* Create an encrypted disk image (required for BitLocker only)
* Run Passware Kit to recover the encryption keys and decrypt the hard disk

So there is no gaping hole in the full disk encryption of BitLocker or TrueCrypt: the software extracts the keys from physical memory forensically captured while the encrypted volume was mounted. This just further highlights the importance of being able to perform a live acquisition of physical memory when the use of encryption is suspected...

Hacking a hacker?

While doing some recent reading on Digital Forensics I came across a particularly interesting older case where a Russian hacker was caught by the FBI and charged with computer intrusion and fraud. While this doesn't sound like anything too out of the ordinary, what caught my attention were some of the details.

The FBI alleged that Ivanov and other international hackers gained unauthorized access into computers at CTS Network Services (an ISP) and used them to attack other e-commerce companies, including two credit card processors, where he stole customer financial information and used this information in the usual fraud schemes. Nothing too out of the ordinary so far.

Once the FBI had identified their culprit, in order to make the arrest they lured him and an accomplice to the US on the premise of offering a job as an IT security consultant. When the pair arrived, the FBI had them remotely connect to their machines back in Russia as a demonstration of their skills for the new prospective employer. But not all was as it seemed, as the FBI were keylogging the machines the Russians used in the US and used these captured credentials to connect to the Russian computers and extract the evidence they needed (without a search warrant) to prosecute Ivanov and his accomplice.

Do the ends justify the means? The Russian Federal Security Service, or FSB, didn't think so, and started criminal proceedings against the FBI Agents for unauthorized access to computer information. Meanwhile back in the States, the Agents involved were awarded the director's award for excellence, as the case was the first in the bureau's history to "utilize the technique of extra-territorial seizure."

The assistant US District Attorney commented that he "wouldn't call it hacking" when discussing the Agents' actions, and a federal judge agreed, rejecting motions filed that sought to suppress the evidence obtained from the computers, with Ivanov eventually being sentenced to three years in prison.

Do, in this case, the ends justify the means? Or is it simply the beginning of a slippery slope allowing state-sanctioned hacking in the name of justice?

This case is an older one and was 'pre-9/11', so I wonder what effect the PATRIOT Act has had in the intervening years...

Secure Search

Google have released a beta of their SSL-enabled search page. An interesting concept in that while it protects the end user while performing searches, any SSL protection is lost when the searcher clicks on a link and goes directly to the desired page.

An important point is: "...Google will still maintain search data to improve your search quality and to provide better service. Searching over SSL doesn’t reduce the data sent to Google — it only hides that data from third parties who seek it."

Personally I'd prefer a version of their search engine that didn't maintain my search data, but given some of Google's other recent actions and CEO Eric Schmidt's views on privacy, I'm guessing it isn't coming soon....

On the other hand they are making the recent awesome interactive 'pac man' google logo a permanent feature! (although not everyone thinks it was a good idea...)

Last Accessed Timestamps

I was speaking with Microsoft Tech Support recently about some disk performance issues and an interesting point came up. On large NTFS volumes, the Enhanced Write Filter performance can be sped up by making a registry change to disable the last access date/time stamps. This disables the last access information written to each file as it is accessed, resulting in faster disk read-access:

In the Registry, create HKLM\System\CurrentControlSet\Control\FileSystem\Disablelastaccess and set to 1.

(you can also run an fsutil command in Windows 7/2008: fsutil behavior set disablelastaccess 1)

Microsoft like this idea so much that the default setting in Windows 7 and Windows Server 2008 is to have last access disabled (something I have verified on my Windows 7 laptop and in a Windows Server 2008 Standard VM).

This has interesting repercussions for security and computer forensics personnel. If nothing else, if left with the default settings, it removes a tool from the investigation arsenal.
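The forensic side of this, as an added example (not code from the original post): before relying on last-accessed timestamps from a suspect image, read the setting out of that image's SYSTEM hive. Assumptions: the hive path is a placeholder, the examiner runs elevated (reg.exe load needs it), and the registry value that the post's fsutil command writes is NtfsDisableLastAccessUpdate, which is its documented name.

```powershell
# Added example: report whether NTFS last-access updates were disabled on the
# system a SYSTEM hive came from, so an examiner knows up front whether the
# last-accessed timestamps in the image mean anything.
# Assumptions: elevated session; $HivePath points at a copied-out SYSTEM hive
# (the path in the usage call below is a placeholder).

function Get-LastAccessPolicyFromHive {
    param(
        [Parameter(Mandatory)] [string] $HivePath,
        [string] $MountName = 'EvidenceSYSTEM'   # temporary name under HKLM
    )

    & reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

    try {
        # Select\Current records which ControlSet was in use at last shutdown.
        $current = (Get-ItemProperty -Path "HKLM:\$MountName\Select" -Name Current).Current
        $fsKey   = 'HKLM:\{0}\ControlSet{1:D3}\Control\FileSystem' -f $MountName, $current
        $prop    = Get-ItemProperty -Path $fsKey -Name NtfsDisableLastAccessUpdate -ErrorAction SilentlyContinue

        if ($null -eq $prop) {
            # Value absent: the OS default applies (tracking on for XP/2003,
            # off for Windows 7 / Server 2008 as the post notes).
            return [pscustomobject]@{
                ControlSet = $current; RawValue = $null; Disabled = $null
                Note       = 'value absent; OS default for this Windows version applies'
            }
        }

        # 1 = disabled. Later Windows versions add a "system managed" flag in
        # higher bits, so test the low bit rather than comparing with 1.
        $raw = [int]$prop.NtfsDisableLastAccessUpdate
        return [pscustomobject]@{
            ControlSet = $current; RawValue = $raw
            Disabled   = (($raw -band 1) -eq 1)
            Note       = if (($raw -band 1) -eq 1) { 'last-accessed timestamps are unreliable' } else { 'last-accessed timestamps were being updated' }
        }
    }
    finally {
        # Release any handles PowerShell holds on the hive, then unload it.
        [gc]::Collect()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

# Usage (placeholder path for a hive copied out of an image):
Get-LastAccessPolicyFromHive -HivePath 'X:\evidence\Windows\System32\config\SYSTEM'
```

On a live system the same value can be read directly from HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem without loading a hive.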

Windows Computer Investigation Guide

During my current Digital Forensics study I recently stumbled across a guide from Microsoft entitled the “Fundamental Computer Investigation Guide for Windows" which is a download containing the basic Microsoft guide, a sample Internal Investigation Report, a sample Chain of Custody document and a sample Impact Analysis document.

Although at 55 pages the guide isn't going to make you a forensics guru, as a free starter's guide it hits all the main points we've learnt so far: initially assessing the situation, obtaining authorization, reviewing any policies or legal restrictions, being thorough and methodical in the assessment, acquisition of data, analysis of the data and reporting on the findings. It also contains an applied scenario to tie together all the points previously discussed (set at the Woodgrove Bank, an organization that, along with Tailspin Toys and Contoso, will be all too familiar to those who've done a few Microsoft exams).

The tools referenced in the guide are generally all included in the OS or free sysinternals tools, such as filemon, portmon, process explorer, etc, although EnCase and FTK are mentioned for performing a bit-wise acquisition.

While Microsoft do get bashed about a lot of things (and security in particular), I am always surprised by the sheer amount of material they generate and freely distribute. If you deal with Windows and aren't familiar with the Sysinternals tools, I recommend checking them out.

IBM Distributes Malware

Probably not the best place to go distributing malware.

(hmmm... these posts seem to be getting shorter... maybe tomorrow...)

Facebook Privacy

A lot has been said about Facebook privacy (or lack thereof). A friend passed along this fascinating link that graphically illustrates the evolution of privacy on Facebook (or should that be devolution?)

Social networking contains all kind of dangers, from the typical social engineering and scamming to getting fired for 'chucking a sickie' and things far, far worse.

Of course, Facebook, MySpace or LinkedIn aren't responsible for the crimes that may be committed by users of their service, but sites like Facebook aren't helping matters by proclaiming 'privacy is dead' and purposely making more information public.

It has been said before, but bears repeating: don't put anything on the internet that you wouldn't want everyone to know. While I don't agree with Mark Zuckerberg that 'privacy is dead', I do agree that, for all intents and purposes, 'privacy is dead on the internet'.

And finally, if you are a Facebook user, here are 10 Privacy Settings Every Facebook User Should Know, or if you're tired of the whole social networking thing, how to delete your Facebook profile in 5 minutes (and by the way, apparently you're not alone).

vSphere Hardening Guide

VMWare have recently released their vSphere Hardening guide. The blog post about it is here, and the guide can be downloaded directly from here [pdf].

From an initial run-through, it seems quite comprehensive.

InfoSec Legal Risks II

Back in Feb I mentioned a Book I'd come across: Information Security: Managing the Legal Risks by Nick Gifford.

Recently Nick gave a great presentation at the AISA Risk Management Special Interest Group (RMSIG) in Sydney.

Some of the points that came out of his presentation** that I found rather interesting follow:

  • Most InfoSec-related cases are brought under the tort of negligence
  • Damages cannot be recovered under negligence for pure economic loss
  • No cases have yet been tried in Australia under the tort of negligence for InfoSec breaches ~ although cases have been settled before going to court
  • The highest privacy breach payout in Australia is around $8000 ~ leaving privacy breaches more damaging to reputation than financially (barring lost revenue from reputational damage of course!)
  • The Trade Practices Act Section 52 is the key area to pay attention to for Australian InfoSec professionals when verifying legal liability ~ it has fewer hurdles than proving negligence and can be 'creatively' applied by the courts.
  • The ALRC has recommended a new tort of "serious invasion of privacy" and recommended compulsory disclosure laws in Australia.

Nick also referenced an interesting quote from the FTC paper on Identity Theft [pdf]:

The Rule specifies that what is “reasonable” will depend on the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information at issue. This standard recognizes that there cannot be “perfect” security, and that data breaches can occur despite the maintenance of reasonable precautions to prevent them

The formal acknowledgement from someone outside of IT that "perfect" security cannot exist is interesting to see.

Nick gave a great talk, and I do recommend his book.

**Any errors or omission of information in this post are my fault and not Nick's. I am no lawyer! So go seek your legal advice from someone who is!

Security the Amex way

While there are arguments against the effectiveness of PCI-DSS (Payment Card Industry Data Security Standard) compliance, it's going nowhere soon.

With that in mind, a recent article caught my eye about how one of the big credit card companies handles its own Information Security.

Some gems from the Amex response:

I would like to inform you that our website has a 128 bit encryption. With this base, passwords that comprise only of letters and alphabets create an algorithm that is difficult to crack.

This is one I've encountered before where transport-layer security is confused with authentication security. Their website could have 128,000 bit encryption, it won't help them when I guess your password is 123456.

We discourage the use of special characters because hacking softwares can recognize them very easily.

More easily than non-special characters? Wow.

The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of "most common keys pressed".

Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked.

Would that not mean a single character password was even more secure?

Scary. Although a friend did comment "Well at least they have a password policy!"

COFEE vs DECAF

I'm currently studying Digital Forensics and a recent bit of Google-inspired research led me to one of the big stories of late last year (which I vaguely remembered) where a Microsoft forensic tool designed for use by law enforcement called COFEE (Computer Online Forensic Evidence Extractor) was leaked on the internet.

Given the prevalence of computer-based crime and the level of skill required to perform proper forensic analysis, it makes sense for Microsoft (or someone else) to develop a simple-to-use wrapper for what apparently was a number of common forensic tools available elsewhere on the internet.

The reaction to the leak seems to have been mixed, with Microsoft claiming they weren't bothered by the release of the software, although noting it is licenced for use by Law enforcement only, to someone developing a counter-forensic tool called (of course..) DECAF. What was the thinking in creating this counter to COFEE? One of the developers said:

"We saw Microsoft released COFEE and that it got leaked, and we checked it out," the man said. "And just like any kid's first day at the fair, when you walk up to that cotton-candy machine and it smells so good and you see it, it's all fluffy – just so good. You get up there and you grab it and you bite into it, it's nothing in your mouth.

"That's the same thing we did with COFEE. So, knowing that and knowing that forensics is a pretty important factor, and that a lot of other pretty good forensic tools are getting overlooked, we decided to put a stop to COFEE."

This argument seems fairly disingenuous, as COFEE hardly seems to have been aimed at replacing any existing tools, but simply at making them easier for a less-well-trained law enforcement operator to use in order to gather crucial forensic evidence. The fact the tool was released by Microsoft probably had more to do with the creation of a counter-tool than noble thoughts of 'better tools being overlooked'.

No matter what the task, there is almost always a 'better tool', whose use might not be desirable because of cost, complexity or the expert knowledge required to operate it. Much of the history of software innovation has been about making complex tasks easier so more people can perform them, Windows being the prime example as it took desktop computers from the realm of geeky hobbyists to mainstream use in businesses and in homes. While simplifying (or as some may call it 'dumbing down') tasks may grate on the nerves of some, it is an inevitable and, in many ways, desirable end goal.

Following the Road Rules

It struck me this evening while driving home that there is a nice analogy to be made between information security and road safety. All that maintains our roads in the organised state of chaos that they are in, rather than total anarchy, is a set of conventions that ensure that we drive on the left (in Australia), stop at stop signs and give way to the right at roundabouts.

I would imagine, though I have nothing to back this up with, that a large proportion of car accidents happen in situations where it is unclear what is expected of the driver. As a case in point, as I drive home there is a place where two lanes merge into one, however, there is nothing to indicate which lane is ending. This lack of direction causes the occasional irritated honk of the horn or shake of the fist from drivers who believe they have been wronged and, if it hasn't happened already, at some stage a minor collision is inevitable.

The same applies to information security. Whether browsing the internet, opening an email from an unknown source or disposing of sensitive documents, where a well-known course of action exists the decision is easy; it is when users are presented with the unfamiliar that trouble strikes (scammers are well aware of this and utilise the familiar to make targets feel comfortable). Ensuring that users know the correct course of action requires an ongoing education program coupled with a strong set of policies to guide users on the right course of action.

I have this picture in my head of the users of a network, be it a corporate network or the internet, as drivers in vehicles of all different sorts, some in Abrams tanks, others on mopeds (the ones in the Abrams are likely Mac users blindly driving around opening files without regard to the consequences).

Other parallels exist too, particularly in corporate networks where user activity is much more heavily regulated, particularly the use of incentives both positive and negative to ensure compliance with the rules. When drivers don't comply with the regulations they may be fined and if caught infringing enough times may lose privileges or be compelled to take remedial training. In much the same way users of a corporate network may be more inclined to comply with and contribute to information security endeavours where it is assessed as part of their job performance and tied back to bonuses, pay increases and advancement within the company. A points system similar to that used with Australian drivers licenses may actually work quite well to identify users requiring remedial training. More on incentives in a later post.

Some credit for the ideas in this post has to be given to the paper I am currently reading from the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI).

Photocopier peril

Affinity Health in the US has had to notify around 400,000 customers and staff of a potential data breach. A firm suffering a data breach? "Nothing new there!" you say.

In this case though, the method by which the data was lost is a little more unusual (as was the method of discovery). You see, CBS was investigating the ticking "digital time bomb" of office photocopiers and purchased 4 copiers. Upon removing the hard drives and running a forensic tool over them they found confidential police data on 2 machines, construction plans and payroll data on a third and, on the fourth, patient information from Affinity Health.

A quick search on datalossdb shows a few entries for fax machine breaches (mostly by sending a fax to the wrong number), but only one entry for copiers - the Affinity Health breach.

The CBS article asks, "Has the industry failed... to inform the general public of the potential risks involved with a copier?" to which the President of Sharp Imaging says "yes".

They do point out all the major manufacturers offer 'encryption options' or security packages, but without providing any information on what percentage of buyers are willing to pay the extra dollars.

Here's a thought - include it by default! Make it impossible to buy a digital photocopier without encryption or secure deletion!

I think it was in the Mitnick book "Stealing the Network" (or perhaps it was in "The Art of Intrusion") that a hacker stealthily entered a network and took control of a digital copier.

In the meantime, what does your organization do with its old copiers when the lease ends or they reach end-of-life?

Security Incidents in Australia & New Zealand

One of the difficulties of working in the infosec space in Australia can be the lack of region-specific information available. I blogged recently about a Ponemon Institute study that was Australian-based, and have recently discovered that Chris Gatford of hacklabs.com has started maintaining a record of security incidents in Australia and New Zealand.

This is a nice addition to some of the existing resources available, such as datalossdb.org (which records all different kinds of data loss) and zone-h.org, which keeps a good record of website defacements.

The enemy of my enemy is my.....enemy?

Oh McAfee what have you done? Last week McAfee released an update for their antivirus software that crippled Windows XP SP3 machines. This is not the first time McAfee have had this problem, having crippled machines last year with a bad update as well.

Of course, the 'bad guys' have immediately jumped on the bandwagon as well, flooding Google with links to scareware sites promising to fix the problem.

What to do? Well I'm not here to bash McAfee (they have enough angry customers right now to do that), and all the big vendors make mistakes, but this does expose a serious problem in the quality control of another big AV vendor.

Last year I sat through a presentation by McAfee where they talked about the massive rise in malware and viruses, a comment that was echoed by Symantec in a presentation around the same time. The Sophos 2010 Security Threat Report [pdf] states that "Sophos’s global network of labs received around 50,000 new malware samples every day during 2009".

Combine that with the constant need to beat the competitors to market with the latest protection and it's no wonder a mistake like McAfee's recent one was made. It seems almost inevitable it will happen again.

But what can be done to protect your servers and desktops? Do AV updates need to be treated like patches and be run through a testing regime before deployment? Is this even feasible in an era of daily (or multiple times daily) signature updates?

I'm no developer and not in the AV business, but it would seem to me having a 'whitelist' of known good items (such as critical windows components) might be a way to stop something like this occurring again...
