[SecurityRatty] tag: disconnect

RSA Offers new Insights into Security and Innovation

Tue, 30 Sep 2008 20:00:00 +0000

Today RSA, The Security Division of EMC, released the latest research and insights from IDC and the Security for Business Innovation Council on the relationship – and disconnect – between security and business innovation. The IDC report centers on the fact that 80 percent of organizations worldwide confirm that security fears are indeed responsible for stifling business innovation.

IDC also found that although 80 percent of CEOs believe their security teams are being held formally accountable for their contributions to business growth and innovation, only 44 percent of security leaders believe they are being measured on their contributions to innovation. This finding points to a surprising lack of alignment between the expectations of C-level management and the priorities of security professionals...

Anti-theft Protocols

Wed, 03 Sep 2008 12:18:14 +0000

At last Friday’s Security Group meeting, we talked about security protocols that are intended to deter or reduce the consquences of theft, and how they go wrong.

Examples include:

GSM mobile phones have an identifier for the phone (separate from the identifier for the user) that can be blacklisted when the phone is stolen.
Some car radios will stop working when the battery is disconnected, and only start working again when a numeric code is entered. This is intended to deter theft of the radio.
In Windows Vista, Bitlocker can be used to encrypt files. One of the intended applications for this is that if someone steals your laptop, it will be difficult for them to gain access to your encrypted files.

Ross told a story of what happened when he needed to disconnect the battery on his car: the radio stopped working, and the code he had been given to reactivate it didn’t work - it was the wrong code.
Ross argues that these reactivation codes are unecessary, because other measures taken by the car manufacturers - such as making radios non-standard sizes, and hence not refittable in other car models - have made them redundant.

I described how the motherboard on a laptop had needed to be replaced recently. The motherboard contains the TPM chip, which contains the encryption keys needed to decrypt files protected with Bitlocker. If you replace the motherboard, the files on your hard disk will become unreadable, even if the disk is physically OK. Domain-joined Vista machines can be configured so that a sysadmin somewhere within your organization is able to recover the keys when this happens.

Both of these situations suffer from classic usability problems: the recovery procedures are invoked rarely (so users may not know what they’re supposed to do), and, if your system is configured incorrectly, you only find out when it is too late: you key in the code to your radio and it remains a doorstop; the admin you hoped was escrowing your keys turns out not to have the private key corresponding to the public key you were encrypting under (or, more subtly: the person with the authority to ask for your laptop’s key to be recovered is not you, because the appropriate admin has the wrong name for the laptop’s owner in their database).

I also described what happens when an XBox 360 is stolen. When you buy XBox downloadable content, you buy two licenses: one that’s valid on any XBox, as long as you’re logged in to XBox live; and one that’s valid on just your XBox, regardless of who’s logged in. If a burglar steals your Xbox, and you buy a new one, you need to get another license of the second type (for all the other people in your household who make use of it). The software makes this awkward, because it knows that you already have a license of the first type, and assumes that you couldn’t possibly want to buy it again. The work-around is to get a new email address, a new Microsoft Live Account, and a new Gamer Tag, and use these to repurchase the license. You can’t just change the gamertag, because XBox live doesn’t let the same Microsoft Live account have two gamertags. And yes, I know, your buddies in the MMORPG you were playing know you by your gamertag, so you don’t want to change it.

Government Sent Home with a C on FISMA Report Card

Tue, 05 Aug 2008 09:43:51 +0000

Too bad there is no Kaplan Test Prep equivalent for FISMA.

For the third year in a row, the government’s overall FISMA grade improved. But don’t get too excited; the grade only improved from a C- to a C this year. (And D+ in 2005).

But there’s a lot to hide in an “average grade”. Turns out that the reality is a split between overachievers and underachievers.

The agencies/departments with a grade of A-, A or A+:

Department of Justice
US AID
EPA
NSF
SSA
HUD
OPM (I would hope so)

And, sadly the ones that got an F:

Department of the Interior
Department of Treasury
Nuclear Regulatory Commission
Department of Veterans Affairs
Department of Agriculture

FISMA (Federal Information Security Management Act) became a federal law back in 2002 as part of the E-Government Act. Six years later, there has been improvement, but there’s still clearly a long way to go.

So what’s the disconnect? Speaking from a vendor perspective, we’ve had first-hand experience with the lack of actionable, concrete guidelines around FISMA – for processes, monitoring and check-list assessment items. We even contacted NIST directly to get more guidance on how their very broad guidelines should be translated to actual features and reporting in something like our monitoring solution. The end goal, after all, is to help our government customers not only meet the FISMA requirements but also to be seen/assessed as meeting those requirements. As we do for other compliance/governance requirements like Sarbanes-Oxley, the more that EM7 can automate and report on, the better.

But that leads to the second issue here. How accurate is the FISMA scorecard? SC Magazine writes, “Many have seen organizations get an A when they believe they should have received an F, and vice versa” and some experts “blame this on the lack of a standardized evaluation, as well as censorship among auditors.” There’s talk about language ambiguities and opinions that the scorecard is not “one size fits all” – that small agencies face different IT security challenges than the big guys.

So what’s right about FISMA? We can point to a heightened awareness about the importance of security and the “security picture” in each federal agency. Certainly, from our own survey at FOSE, we saw the difference just from last year to this one:

91% surveyed said FISMA was important (up from 66% last year)
Over 50% had solutions installed to help with FISMA (up from only 14% last year)

Based on these numbers, we’re not surprised to see the FISMA average grade go up, but we expected it to be even higher. So what will it take to get the government on the honor roll? From Rep. Tom Davis, “We need to seriously consider incentives for agency success and funding penalties and personnel reforms for agencies that don’t measure up…We need a bill with teeth, and we need agencies to understand the goal is to keep information safe, not to check a statutory box.”

ShareThis

Easy Google Income

Tue, 29 Jul 2008 13:58:49 +0000

Here's an interesting piece of spam trying to cash in on the Google name that could wind up being quite costly for anyone willing to take a chance and see what it's all about. This was sent to one of my friends:

Click to Enlarge

Is it a good thing or a bad thing that the office is based in the West Indies and to unsubscribe your email goes to Romania? At any rate, they don't seem to want my patronage - unfortunately, I'm not particularly interested in free iPods or a Nintendo Wii so a few clicks later and I'm where I should be:

Click to Enlarge

At the bottom of the page, it says "Google does not sponsor, endorse, and is no way affiliated with Easy Net Income or this promotion."

Well, they could have fooled me what with all the Google material they've splashed across the site. The quote in the box is interesting, too: "Riches range from a few hundred dollars a month to $50,000 or more a year".

Go hunting on USA Today though, and the quote doesn't have anything to do with something called "Easy Google Income" - it's to do with Adsense. Bits missing have been reinserted and bolded:

"Tales of AdSense riches range from a few hundred dollars a month to $50,000 or more a year, though high-dollar paydays are rare. They require a Web site with tons of traffic and the ability to put in 18-hour days working the system.

I think the missing parts are kind of important, don't you? Of course, the CD title clearly makes you think you're going to get some mysterious money magnet, but stops short of telling you whether it would be a program, ebook or magical leprechaun.

In fact, what happens is you apparently sign up for the CD at the cost of subscribing yourself to some kind of "free trial" - at the end of which, you have to pay $39.90 a month for access to training courses to "Internet Wealth University" (I swear I'm not making this up). There's also an "activation fee" charged immediately to the card you subscribe with, though I'm guessing you only enter your details once you've entered your name / address and moved onto the second page (which I'm not about to do, in case you were wondering).

Internet Wealth University must have an awful lot of poor students, going by the problems people are having unsubscribing.

"When you try to call the company, you get an automated answering system that tells you all representatives are busy and then puts you on hold-forever, or they disconnect you after 5 minutes!"

Indeed, there's quite a lot of people wondering what this is all about, including the inevitable concern over billing issues.

Our advice? Steer well clear. There is a lot of money up for grabs here, but it's all being netted by the people running these websites. Their customers don't appear to be so lucky...

E-Discovery's Great 'Urban Myth' - And Why You Shouldn't Believe It

Thu, 01 May 2008 13:59:45 +0000

I'm in the process of reviewing the first 150 court cases using the revised Federal Rules of Civil Procedure (FRCP) for electronic discovery (e-discovery), which went into effect on 1 December 2006. Now, I know what you're thinking - but it's not nearly as glamorous as it sounds. The decisions average 40 single-spaced pages in length, they're painfully detailed, and the writing is as dense as only a lawyer can make it. It takes several cups of strong black coffee just to get through one case, and believe me, it's not something you want to try doing late in the afternoon.

Some of these cases are making serious progress toward closing the gap between the requirements of public policy mandates and the market-driven power of technology. But far too many of them are tangled up in two fundamentally opposed, but equally dangerous, fallacies: 1) the "urban myth" that it's impossible to erase an e-mail or other piece of digital information; and 2) the idea that the only smart practice is to keep nothing.

Where e-discovery and especially e-mail are concerned, most enterprises find themselves at a critical juncture at which public policy is failing to keep pace with the evolution of technology. I call this situation "Star Wars technology with Gutenberg laws." Just how bad is the business/technology/policy disconnect? Well, when I graduated from college in 1975, I got a job with United Press International (UPI), which had just implemented a rudimentary form of computer-based "e-mail" to replace the telex (TWIX) messaging system. The messages we sent were available on the computer for 24 hours, not a second more. If we needed a copy of one, we had no choice but to print it out. That's the way e-mail was originally conceived - as the technological equivalent of a Kleenex tissue - to be used once and thrown away. But that's not the way most enterprises are using e-mail now.

The fact is, for many enterprises, e-mail is now the primary workflow tool, the primary collaboration tool, the personal archive and, in some cases, the institutional archive. If there's any e-mail product that was designed with those uses in mind - and with the robust features and functionality to support them - I'm not aware of it. And that's where the business/technology/policy gap comes from. We have tools deployed that were originally designed for ephemeral communications, which are now expected to be eternal repositories of the truth. And, of course, to compound that problem, the world is full of litigators who are happy to win cases on mechanics, rather than merits - all because somebody didn't get e-discovery exactly right.

The bottom line: Don't accept the urban myth that you'll never be able to erase an e-mail, and don't believe that the only smart practice is to keep nothing at all. The trick is to understand what you need to keep, to know where it is, and to make sure that you can get at it when you need it. It's not simple, and it's not easy, but it is absolutely critical.

Microsoft Has Developed Windows Forensic Analysis Tool for Police

Wed, 30 Apr 2008 09:54:37 +0000

Really :

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB "thumb drive" that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.
The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer.

It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

More news here. Commentary here.

How long before this device is in the hands of the hacker community? Days? Months? They had it before it was released?

EDITED TO ADD (4/30): Seems that these are not Microsoft-developed tools:

COFEE, according to forensic folk who have used it, is simply a suite of 150 bundled off-the-shelf forensic tools that run from a script. None of the tools are new or were created by Microsoft. Microsoft simply combined existing programs into a portable tool that can be used in the field before agents bring a computer back to their forensic lab.
Microsoft wouldn't disclose which tools are in the suite other than that they're all publicly available, but a forensic expert told me that when he tested the product last year it included standard forensic products like Windows Forensic Toolchest (WFT) and RootkitRevealer.

With COFEE, a forensic agent can select, through the interface, which of the 150 investigative tools he wants to run on a targeted machine. COFEE creates a script and copies it to the USB device which is then plugged into the targeted machine. The advantage is that instead of having to run each tool separately, a forensic investigator can run them all through the script much more quickly and can also grab information (such as data temporarily stored in RAM or network connection information) that might otherwise be lost if he had to disconnect a machine and drag it to a forensics lab before he could examine it.

And it's certainly not a back door, as TechDirt claims.

But given that a Federal court has ruled that border guards can search laptop computers without cause, this tool might see wider use than Microsoft anticipated.

Cross Site Printing: Printer Spamming

Wed, 09 Jan 2008 19:16:31 +0000

Many network printers listen on port 9100 for a print job (RAW Printing or Direct IP printing). You can telnet directly to the printer port and enter text. Once you disconnect from the printer it will...

S&K Menswear two-phased attack

Thu, 03 Jan 2008 07:40:36 +0000

Technorati Tag: Security Breach

Date Reported:
12/10/07 (backdated from 1/3/08)

Organization:
S&K Famous Brands (S&K)

Contractor/Consultant/Branch:
None

Victims:
Online customers of www.skmenswear.com

Number Affected:
Unknown*

*25 reported New Hampshire residents

Types of Data:
Names, addresses, email addresses, credit card numbers, and expiration dates.

Breach Description:
According to the breach notification letter sent to the New Hampshire Attorney General, on or about October 24th, 2007 personal information belonging to S&K online customers was accessed without proper authorization. S&K became aware of the unauthorized access after reports of fictitious spear phishing emails began circulating in which the attacker requested the CVV2 codes to match the credit card numbers. It is unknown how many customers were duped by the second phase of the attack.

Reference URL:
New Hampshire Attorney General Breach Notification

Report Credit:
New Hampshire State Attorney General

Response:
From the official breach notification and letter to customers:

This letter is to inform you that S&K Menswear has discovered that you personal information--including your name, address, credit card number, and expiration date--may have been accessed on or about October 24, 2007 without proper authorization.

stored in one of our databases has been retrieved by external sources

S&K was notified of a suspicious e-mail addressed to its customers on Wednesday, October 24th at approximately 3:00 p.m. The e-mail was sent from a fictitious S&K e-mail address. The body of the e-mail appeared to contain an S&K order number and the last four digits of the credit card number used by the customer to whom it was addressed. The e-mail requested that the customer provide a credit card identification number.
[Evan] The "suspicious e-mail" is the second phase of the attack. The credit card number, cardholder name, and expiration date were already obtained in the first phase. This spear phishing attack now aims to get the CVV2 code, which makes this much more valuable to the attacker. I am curious about how many people actually fell for this second phase.

Once notified, S&K immediately assembled a response team to assess the situation.

a decision was made at 3:30 p.m. the same day to disconnect the online store and disable remote access to S&K's network. Further to these actions, S&K:

Notified credit card issuers
Purged or masked credit card data on its servers
Changed all user names and passwords on the system
Hired a leading provider of information security to conduct a full forensic security audit as required by the major credit card issuers
Notified various law enforcement agencies including the FBI and Secret Service

[Evan] These all seem like prudent steps in response to an incident. Timing is critical and the response took ~30 minutes, which is good. The response to customers however was not quite as good. Judging from the date on the sample customer letter, it took 47 days to send notification to customers.

S&K's investigation of this incident is ongoing.

We want to stress, however, that no social security number, CVV2 data or track 2 magnetic stripe data was compromised at all.
[Evan] This isn't true, unless S&K can say with certainty that NONE of the customers fell victim to the second phase of this attack.

We sincerely apologize to you for this situation and want to assure you that protecting the security and privacy of your information remains a top priority. We have made and will continue to make significant investments in security software, systems and procedures, and will remain vigilant about protecting you.

We want to answer any questions and address any concerns that you may have about this matter. For more information, including a list of Frequently Asked Question (FAQs), please go to www.skmenswear.com\security\faq.htm or contact us at 1 (800) 690-4996
[Evan] I think the "\" in the URL is supposed to be "/". The first FAQ in the list of FAQs bugged me a little; "Q: Is this a major breach? A: No, our credit card security manager classifies this as minor."

Commentary:
At the top of the customer letter it states:
You do not need to make any changes to your S&K menswear accounts or to change the way you do business with us.

I am going to guess that S&K would be classified as a VISA Level 3 Merchant. Is it safe to assume that S&K is PCI DSS compliant? It sounds like they don't store prohibited data (CVV2, Full Magnetic Stripe, or PIN / PIN Block), but only 55% of Level 3 Merchants are PCI DSS validated as of 9/30/07. It should be easier for customers to find the status of an organization's compliance and information security practices rather than having to guess. Although now that I think about it, compliance doesn't really ensure security does it?

Anyway, I get the feeling that S&K would have liked to keep this breach quiet and minimize it as much as possible.

Past Breaches:
Unknown