A different view of Stuxnet

Over at Forbes.com Jeffrey Carr has an interesting article on the now-infamous stuxnet worm that takes a contrary view to the more common USA/Israel angle on the likely culprits.

The original whitepaper is here [pdf]

Now you know...


(courtesy of xkcd)

'Twas the CISO Before Christmas

Originally from the Imperva Security blog here

Twas the night before Christmas, when all through the Net
Every hacker was stirring, engaging in cyber threat.
SQL statements were injected with care,
In hopes that credit card numbers soon would appear.

Security auditors were nestled all snug in their beds,
While visions of audit logs danced in their heads.
And the CISO in his ‘kerchief, and I in my cap,
Had just settled our brains for a cross site scripting attack.

When out from the cubicles there arose an Insider,
I sprang from the computer to see what was the matter.
Away to the database I flew like a flash,
Tore open the log files worried about lost corporate cash.

The dim office lights shined on a new iPad
Giving access to sensitive data, turning a good employee bad.
Then, before my eyes, data began to disappear,
Instantly killing holiday cheer.

With access to a file server—a breach!
I knew in a moment no trip to the beach.
The Insider downloading files faster than a bunch of geeks,
We’d be front page New York Times and featured on Wikileaks.

"Now Auditor! Now, CISO! Now, DBA and Network Security Team!
Get on, fast! It's a Christmas Data theft. I wanted to scream!
To the database! To the IT room at the end of the hall!
Now audit away! Audit away! Audit away all!"

As dry leaves that before the wild hurricane fly,
When they meet with an obstacle, mount to the sky.
So up to the house-top the sensitive files flew,
In an iPad full of files heading to Julian Assange—we’re so screwed.

And then I heard something, I thought it was a goof
Prancing and pawing, perhaps it came from the roof?
But no, as I drew in my head, and was turning around,
Down the hall the CISO came with a bound.

Dressed for cyber defense, from head to foot,
His clothes were all sweaty, but he stayed put.
A bundle of security tricks he had flung on his back,
He looked like a soldier, ready to counter attack.

His eyes-how they twinkled! His pocket protector, how merry!
His cheeks were like roses, his nose like a cherry!
His droll little mouth was drawn up like a bow,
His face showed he had that data security mojo.

A cell phone he held tight in his fist,
Ready to call the CEO who was going to be pissed.
He had a chubby face and a little round belly,
That shook at every cross site request forgery!

He was stout and plump, a right jolly old security pro,
And I trembled when I saw him, feeling like Homer, “Doh”!
A wink of his eye and a twist of his head,
I realized I had nothing to dread.

He spoke not a word, but went straight to his work,
He pulled a plug and blocked access to the network.
And laying his finger aside of his nose,
Way way way up the corporate ladder he rose.

He sprang to his office, to his team gave a whistle,
And away he flew down the hall like a missile.
But I heard him exclaim, before he turned out the light,
"Merry Christmas to all, and to all a secure-night!"


Well the CISM exam is now done, just need to wait for the results!

For anyone wondering what the exam is like compared to the CISSP, I'd say it was less broad in its focus, but deeper in the knowledge requirements.

The CISM is heavily focused on developing and maintaining an Information Security program within an organization, so it is much more specific in its content than the more general CISSP.

Storm clouds

The great Wikileaks scandal that is currently occupying the media's attention has brought to light some interesting food for thought beyond the actual leaked documents and the ultimate insider threat scenario.

Wikileaks has been under denial of service attack for a number of days now, allegedly caused by a 'hacktivist' called 'th3j35t3r' (The Jester). The attack ramped up from the 2-4Gbps that forced the site off its original host to the Amazon EC2 cloud service, where it intensified to a 10Gbps+ attack. Amazon subsequently dropped hosting of the site, succumbing to political pressure along with the ongoing DDoS attack.

Does this add an extra wrinkle to the 'put it all in the cloud' future promoted by some organizations and individuals? It certainly raises the question of how a cloud provider would react if your organization came under sustained denial of service attack: the contract and the provider's acceptable use policy, not your incident response plan, may decide whether you stay online. The allegations that the attacks were the actions of a single hacker using new software called XerXes, which supposedly requires no zombie network or botnet to be effective, are also extremely concerning.

Howling at the Moon

Just a quick plug for a friend's new blog focused on Desktop Management, Microsoft Operating Systems and all things System Center.

Check it out!

Hardening VMware

Foundstone (who produce a bunch of great free tools) have released VDigger, a new VMware hardening tool. I haven't had a chance to check it out yet.

Tripwire also have a free product called ConfigCheck that has been out for quite a while now, which I have used and can recommend.

I previously mentioned the VMware hardening guide here.

Home grown hacker

An Australian hacker who was arrested back in July for infecting around 2,500 computers with a virus to steal banking and credit card information has pleaded guilty but asked for a reduced sentence, as his actions were 'youthful curiosity' and he 'was interested in becoming an internet security consultant'.

Are there any hackers who got arrested who didn't pledge to go straight and become an IT Security consultant? There's not a lot of detail in the news articles about exactly what he did (did he write his own code, or is he a script kiddie running something like Zeus?), but regardless, asking for a more lenient sentence after you committed a crime so you can become a security consultant: is that not something like being arrested for stealing cars because you want to be a mechanic, or robbing a bank because you wanted to be a security guard?

I know there is a great precedent of those who were on the wrong side of the law, who reformed and have become security consultants or security celebrities (eg: Kevin Mitnick, Kevin Poulsen), and it is a subject that has been well debated before. Would you hire a 'reformed' blackhat? Does it always "take a thief to catch a thief"? I'm not so sure...

The interesting thing about this case from an Australian point of view is that:

"The judge was told there had been no similar cases across Australia to guide him when imposing a penalty."
It will be worth watching closely to see what kind of sentence is handed out, and to compare it against other parts of the world where these types of prosecutions have been more common.

Once more unto the Breach...

I attended the AISA national seminar day earlier this week (which was a great day), and one of the panel discussions touched on whether there was a need for greater regulation or government intervention in IT Security. The prevailing view was that over-regulation would stifle innovation and government mandated minimum requirements would lead to businesses doing the bare minimum and no more.

I don't disagree with those points, but I do believe that Australia is still behind the US/Europe in understanding Information Risk in the boardroom, and one of the ways to make sure it gets on the radar and stays there is mandatory breach notification.

My view was somewhat echoed in a recent itnews story that made the good point that individual data breaches may be too small for authorities to really investigate, but the implementation of an IC3-style centralized reporting body could assist in aggregating many small breaches into a large one and show a pattern of behaviour or negligence by an organization.

On a similar note I (re)discovered a link to a useful document that I had used in a Uni assignment last year that compares Data Breach Notification Laws around the world [pdf]. Although a little out-of-date (2009), it's still a great little summary.

On data breaches, there is of course Wikileaks. Wow. Infosec Island has a nice piece on how the forthcoming "megaleak" from a major US bank will be 'Enron-esque' in the fallout (if you haven't seen it, I recommend Enron: The Smartest Guys in the Room).

If it is as big as promised, it will be interesting to see the effect on corporate security (and is probably a great time to be a salesman with a good DLP solution...)
