[SecurityRatty] tag: short

KPIs for ISO 27001? Do Such Things Exist?

Tue, 02 Dec 2008 10:48:41 +0000

On Gary Hinson’s excellent ISO 27001 Google Group, the following question was just posed:

Dear Implementers:
What could be the KPIs by which I, being Management Representative,
can show complete picture in a compiled brief/short report? Your
response would be highly awaited.

Which I think is a great question! Talk about no-nonsense. None of this “high-falutin” nonsense about ISO adoption providing ‘piece of mind’ and ‘common language’ or ’strategic currency’. No this is straight from the hip - tell me right now how I can communicate the value of an ISO implementation to non-security management.

I’m not sure I’ve got a good answer. Do you? You guys (loyal, cool, readers) are really bright and many of you CxSO’s in your own organizations. Leave comments and in our next post I’ll publish the best and brightest (as well as some of my own thoughts).

Rock Phish-ing in December

Tue, 02 Dec 2008 04:12:31 +0000

Nothing can warm up the hearth of a security researcher than a batch of currently active Rock Phish domains, fast-fluxing by using U.S based malware infected hosts as infrastructure provider. What is this assessment of currently active Rock Phish campaign aiming to achieve? In short, prove that the people that were Rock Phish-ing at the beginning of the year, are exactly the same people that continue Rock Phish-ing at the end of the year, thereby pointing out that as long as they're not where they're supposed to be, they are not going to stop innovating and working on a higher average online time for their campaigns.

What's particularly interesting about this campaign, is that compared to previous ones targeting multiple brands, the thousands of malware infected hosts and domains are targeting Alliance & Leicester and Abbey National only.

Active Rock Phish Domains in fast-flux :
stgsfw7sr .com
q06ciwt60 .com
jnlyf96v4 .com
neegzlh35 .com
7azwmrsg5 .com
pn3ekq976 .com
2coxi8sb6 .com
d8ri1iz5d .com

ki7wvgauf .com
5nt5r3keh .com
5nt29884j .com
bgoryomek .com
a725jv8ik .com
fke5nnp8m .com
stgsfw7sr .com
10c0ka49t .com
zp304ju3z .com
j0rykafwn .cn
2j1f .net

confirm-updates .com
paypal.confirm-updates .com
user-data-confirmation .com
paypal.user-data-confirmation .com
capitalone.updating-informations .com

Sample sub-domain structure :
mybank.alliance-leicester.co.uk.7azwmrsg5 .com
mybank.alliance-leicester.co.uk.bgoryomek .com
mybank.aliance-leicester.co.uk.stgsfw7sr .com
mybank.alliance-leicester.co.uk.zp304ju3z .com
mybank.alliance-leicester.co.uk.5nt29884j .com
mybank.aliance-leicester.co.uk.bgoryomek .com
mybank.alliance-leicester.co.uk.bgoryomek .com
mybank.aliance-leicester.co.uk.stgsfw7sr .com
mybank.alliance-leicester.co.uk.stgsfw7sr .com
mybank.aliance-leicester.co.uk.zp304ju3z .com
mybank.alliance-leicester.co.uk.zp304ju3z .com
myonlineaccounts2.abbeynational.co.uk.pn3ekq976 .com
myonlineaccounts1.abeynational.com.pn3ekq976 .com

DNS servers for the campaigns :
ns1.thecherrydns .com
ns2.thecherrydns .com
ns3.thecherrydns .com
ns4.thecherrydns .com
ns5.thecherrydns .com
ns6.thecherrydns .com

ns10.realgoodnameserver .com
ns1.realgoodnameserver .com
rens2.realgoodnameserver .com
rns3.realgoodnameserver .com
ns4.realgoodnameserver .com
ns8.realgoodnameserver .com

ns6.myboomdns .com
ns4.myboomdns .com

Domains registrant :
Name : Pan Wei wei
Organization : Pan Wei wei
Address : BaoChun Rd. 27, No. 3, 1F, Apt. 1903
City : Bejing
Province/State : Beijing
Country : CN
Postal Code : 100176
Phone Number : 010-010-58022118-58022118
Fax : 86-010-58022118-58022118
Email : 127@126.com

These well known Rock Phish campaigners, have been naturally multitasking on several different underground fronts throughout the year. For instance, their 2j1f .net is known to have been hosting money mule company's site, and also, it was used in a previously analyzed phishing campaign that was spreading across Facebook in June. Need more evidence on the consolidation that's been ongoing for over an year and half now? An infamous money mule recruiting company (Cash-Transfers Inc.) was also taking advantage of the fast-flux network offered by the ASProx botnet masters in July.

As a firm believer in that "the whole is greater than the sum of its parts", the popular "sitting duck" cybercrime infrastructure hosting model will be either replaced by a cybercrime infrastructure relying entirely on legitimate services, or one where the average malware infected Internet user would be temporarily used as a hosting provider.

If millions were made by using the "sitting duck" hosting model, how many would be made using the others, given that they would inevitably increase the average online time for a malicious campaign?

Related Rock Phish research :
209 Host Locked
209.1 Host Locked
66.1 Host Locked
Confirm Your Gullibility
Assessing a Rock Phish Campaign

Related fast-flux research :
Fast-Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Scam
Storm Worm's Fast Flux Networks
Managed Fast Flux Provider
Managed Fast Flux Provider - Part Two
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Rexam Global CIO Paul Martin discusses packing it up

Mon, 01 Dec 2008 21:00:00 +0000

Paul Martin is talking about his plans to head back home to the US when we meet in London on a bright autumn day at Rexam's very smart offices by the Thames on Millbank, just a short walk to the Palace of Westminster in one direction and the Tate Britain art collection in the other.

BlueHat SDL Sessions Wrap-up

Mon, 01 Dec 2008 14:51:00 +0000

Hi everyone, Bryan here. The debut BlueHat SDL Sessions are over, and they were a resounding success: 96% of attendees completing evaluation surveys reported that they will be able to apply knowledge that they learned in the SDL sessions to make their products more secure. This is a great score and I’d like to thank all of our speakers and the BlueHat planning team for their hard work. As for the other 4% of attendees, we’ll just have to work that much harder next year to bring them actionable guidance for dealing with new vulnerabilities.

As promised, we recorded all of the day’s presentations and we’ve published them on TechNet:

Keynote Address by Scott Charney, Corporate VP, Microsoft Trustworthy Computing

Threat Modeling at EMC and Microsoft by Danny Dhillon of EMC and Adam Shostack of the Microsoft SDL team (of course)

Mitigations Unplugged by Matt Miller, Microsoft Security Science team

Concurrency Attacks on Web Applications by Scott Stender and Alex Vidergar of iSEC Partners

Fuzzed Enough? When it’s OK to Put the Shears Down by Jason Shirk, Dave Weinstein and Lars Opstad, Microsoft Security Science team

Real World Code Review – Using the Right Tools in the Right Place at the Right Time by Vinnie Liu of Stach & Liu

In addition to the presentations, we also recorded some short interviews (about 10 minutes long) with each of the speakers. If you’re just looking for a quick summary of a particular talk, these interviews are the place to start:

Threat Modeling at EMC, Danny Dhillon

Threat Modeling at Microsoft, Adam Shostack

Mitigations Unplugged, Matt Miller

Concurrency Attacks on Web Applications, Scott Stender and Alex Vidergar

Fuzzed Enough? Jason Shirk and Dave Weinstein

Real World Code Review, Vinnie Liu

I hope at least 96% of online readers will be able to directly apply this material to their products, just like the show attendees. Please post back and let us know, either way. And let us know what you’d like to see for next year. We have big plans to build on our success and make SDL Sessions 2.0 even bigger and better than the first.

Celebrity's Bodyguard Caught on Camera

Sun, 23 Nov 2008 18:14:00 +0000

Paparazzi seem to draw bodyguards to their cameras like moths to a light bulb.

This recent grapple caught on video was aired on the Fox News show in the "Kelly's Court" segment. Megyn Kelly acted as the judge while two other lawyers debated whether the photographer had a chance of winning a civil suit

The celebrity, John Meyer, appeared to be exiting a restaurant with a friend when a photographer tried to take a picture. Although the clip was relatively short, it appeared as if Mr. Meyer's E.P. agent went over the top in trying to block the photogapher from taking the picture.

From a professional E.P. point of view, the matter could have been handled with much decorum and expertise. Mr. Meyer should have been closely escorted to his vehicle and placed inside out of harm's way. Since there only appeared to be one E.P. agent (who also doubled up as driver), when he went charging at the photographer, he left his Principal unprotected.

For some reason, many of the people employed to protect celebrities seem more preoccupied with making sure that pictures are not taken rather than ensuring the safety of their Principal. What makes it all the more ironic, is the fact that these celebrities are usually out in the public eye and therefore can not realistically expect total privacy.

If you are a Personal Protection Specialist and you find yourself in this position, remember two things. Firstly, always remember your duty to protect your Principal. If you are doing it alone, who will be looking after them when you are rolling around the floor with a photographer?

Secondly, remember that you can be sued civilly - and do not take that literally, there is nothing civil about it. You may or may not be prosecuted criminally, but if you lose a civil suit, it could mean that you'll be spending the rest of your working life paying that photographer who is claiming neck injuires and all kinds of trauma.

A picture may be worth a thousand words, but it is hardly worth ruining your career and life.

Not Your Father's Data Breach

Thu, 20 Nov 2008 06:37:59 +0000

I am surprised this doesn't happen more often, or become public when it does happen, and I suspect it will:

Corporate custodians of confidential medical data should be closely monitoring events connected to a nightmarish computer security breach in the St. Louis region.

Express Scripts is one of the nation’s largest pharmacy benefits managers. The company, with headquarters in St. Louis County, handles approximately 500 million prescriptions per year for 50 million workers at 1,600 American companies. Early in October, it received an extortion letter, the details of which it released on Nov. 6.

The letter included personal information on about 75 Express Scripts clients — Social Security numbers, dates of birth and, in some cases, information about prescription medications. Whoever sent the letter demanded money from the company — the amount has not been disclosed — and threatened to use the Internet to reveal personal and medical information about millions of people if the demands were not met.

...

Beyond the scale of the problem for Express Scripts — and the potential impact on the company is enormous — the issue extends well beyond the mounting concerns about identity theft, a phenomenon with which most people have become at least somewhat familiar.

The greater problem is the unique nature of personal medical records, the importance of moving to computerization of such records to improve health safety and reduce costs and the irreversibility of the damage people can suffer if confidential medical information becomes public. The stakes are so high that a federal law establishes strict standards for maintaining the privacy of medical information and stiff fines for failing to do so.

Medical records of all kinds — paper and, especially, electronic — must be protected with the most sophisticated kinds of security systems available, including backup protections and automatic alerts of security violations. Yet Express Scripts learned of this breach in the “worst way,” as InformationWeek.com security correspondent George Hulme put it in an online report: “via an extortion letter.”

The Express Scripts breach raises many questions for all elements of the health industry: hospitals, clinics and doctors’ practices, benefits management firms, insurance companies, pharmacies, employers and government agencies:
Are they using the most advanced information security technology possible? Do they minimize the amount of data they collect and keep it only as long as necessary? Do they have strict protocols governing access to personal and medical data — and systems to enforce those protocols? If criminals were to hack into their systems, how would the companies know? How soon? And are the systems capable of instantly cutting off illegal access as soon as a breach is discovered?

Confronted with a grave breach of electronic security, Express Scripts has responded by contacting law enforcement, establishing an informational website, offering a substantial reward and hiring a private consulting firm to help clients who have privacy concerns and investigate situations that “appear to be tied to identity theft” and provide “identity restoration services.” There is no question that the company is taking the situation extremely seriously.
Given the ongoing criminal situation, information about how Express Scripts’ data systems were compromised — and whether it could have been avoided — has yet to be disclosed. But the American people have the right to expect that their sensitive personal and medical information is zealously protected and kept secure — not only by Express Scripts but also by every person or company entrusted with it.

The reason I am surprised this doesn't happen more often is that many Fortune 500 companies have oceans and oceans of personal data. Almost the only companies that have even tried to get to a medium level assurance are financial companies, yet many of the other companies have as much or even more data, with lower assurance. All that was lacking in the mix was an incentive and a bit of creativity and risk taking by the bad guys.

I posted this to the security metrics list and Andy Jaquith quoted it in his great book Security Metrics:

"Customers and customer relationships...have tangible measurable value to businesses, and their value is much easier to communicate to those who fund projects. So in an enterprise risk management scenartio, their vlaue informs the risk management process...[For example, consider] a farmer deciding which crop to grow. A farmer interested in short term profits may grow the same high yield crop every year, but over time this would burn the fields out. The long term focused farmer would rotate the crops and invest in things that build the value of the farm and soil over time. Investing in security on behalf of your customers is like this. The investment made in securing your customer's data build current and future value for them. Measuring the value of the customer and relationships helps to target where to allocate security resources."

Of course this is the opposite of how most organizations do risk management and security architecture, and now, the fields have turned brown.

(Thanks to Chris for pointing me to this story)

Mamma.com: Insider trading and XSS

Tue, 18 Nov 2008 06:55:00 +0000

Mamma.com's got issues other than Mark Cuban's insider trading allegations. As a point of reference for this conversation, Mamma.com is ranked 4064 on Alexa as of today.
I won't profess to following Mr. Cuban's public life and the occasional antics. Obviously, he's a colorful and popular figure; certainly in Dallas, if not nationally.
What follows is not a judgment of Mr. Cuban or his pending legal challenges. I'm sure the process will play itself out accordingly.
A quick summary and some reference material:
The SEC has filed insider trading charges against Mr. Cuban. "According to the SEC, Cuban dumped 600,000 shares, or all of his 6.3% stake, in the search engine Mamma.com (The Mother of All Search Engines), in June 2004 after learning about private financing that the company was proposing. By selling, he avoided losing $750,000, the SEC alleges."
The whole issue for Mr. Cuban was PIPE financing because it's "dilutive to existing shareholders’ stakes."
That's the long and the short of the current issue, and again, not my real interest here, with the exception of the bet I made with myself regarding the probable web application security posture of mamma.com.
All this talk about a popular site immediately sets off the little bell in my head (I hear it a lot).
"What's wrong with the site?" is always the first question I ask myself.

I was not disappointed.

Mamma.com exhibits the following issues:
1) XSS vulnerability in the utfout variable.

2) XSS vulnerability in the qtype variable.

3) XSS vulnerability in their Mammajobs site at the pid variable. This one's weirder still; if you drop an IFRAME in, it simply redirects to any URL you include in the IFRAME string.

4) The prospect of CSRF (rather pointless here given that its just a search engine, but but still defies best practices) appears likely given that mamma.com blindly accepts updates via GET and POST with no sign of a formkey (canary) in sight.

I figured it best to stop there, and have submitted all these to Copernic (the Momma parent company).
I am however truly disappointed that an enterprise as ambitious and motivated as Momma/Copernic seems to have thrown the baby out with the bath water when it comes to web application security.
With regard to Mark Cuban dumping his shares: maybe he was afraid of getting pwned. ;-) All kidding aside, it's a shame that the whimsical and pessimistic thoughts regarding web site security that bounce around in my head inevitably bear themselves out.

del.icio.us | digg | Submit to Slashdot

The Neuroscience of Cons

Tue, 18 Nov 2008 03:32:42 +0000

Fascinating:

The key to a con is not that you trust the conman, but that he shows he trusts you. Conmen ply their trade by appearing fragile or needing help, by seeming vulnerable. Because of THOMAS [The Human Oxytocin Mediated Attachment System], the human brain makes us feel good when we help others--this is the basis for attachment to family and friends and cooperation with strangers. "I need your help" is a potent stimulus for action.

This is interesting. They say that all cons rely on the mark's greed to work. But this short essay implies that greed is only a secondary factor.

A late look at Interop NY 2008

Mon, 17 Nov 2008 18:41:11 +0000

Boy, time flies when you’re having fun. I’ve just gotten my first opportunity to look back at the statistics from Interop NY 2008. Of all the statistics, the ticketing ones have proven to be the most interesting - especially when you compare them to the Las Vegas show earlier in the year. If you look back at the details of that ticketing review the stats clearly showed that most tickets were opened due to user error. In NY, while “user error” dominated the other categories, “facilities” came a close second. The InteropNet Help Desk opened a total of 94 tickets during Interop NY. Of these tickets, 42 turned out to be user error. Coming in second, with 17 tickets were issues with the facilities, with the most common issue being cabling that had gotten damaged between installation and the time the exhibitor was trying to use it. In Las Vegas, despite the show being significantly larger, we only saw 6 tickets of that type. I guess you can chalk that up as yet another reason that doing shows at The Javits Center is so much fun! (Don’t ask Julia about dealing with the Javits Center. She’ll talk your ear off.)

After Interop Las Vegas you may have seen our analysis of the data that we collected and delivered in our NOC view. I thought I’d recreate the same data for NY and do a short comparison.

1) Like in Vegas, uptime for the network 100%. This is no small feat considering that we introduced a new wrinkle in NY, taking down the primary NOC while the education portion of the show was still going on. This was a forced failover to the backup systems, and it went flawlessly. I’d like to give a little credit to EM7 on the 100% uptime as it caught a failover to battery power that allowed AC to be restored before a series of critical equipment would have gone down.

2) Again like Vegas, the average monitored device in the show network didn’t even hit 10% CPU utilization. Still lots of computing overhead availabe in the show network.

3) The NY show network wasn’t nearly as busy as in Las Vegas, sustaining an average of only 27Mbps of usage (versus 56 Mbps) in Vegas.

4) Power consumption for the network and NOC in NY clocked in at 445kwh per day, about 25% less than the Las Vegas show. This wasn’t because the equipment was any more power efficient, but instead because the show was smaller and therefore there was less network gear.

5) Finally, a stat we didn’t track too carefully in Las Vegas, but that I find interesting. During show hours the wireless network average 1,100 users attached. That’s a lot of people and a lot of wireless devices.

The good news is there was nothing too unexpected in the data, overall the smaller show led to a smaller number of tickets and smaller consumption of resources across the board. We hope to have the opportunity to work with the InteropNet team again next year and take a look at this data year-over-year for each show.

Rational Risk Management, Angry Italians, and Irrational Security Analysts

Mon, 17 Nov 2008 13:43:15 +0000

Hope you all had a great weekend. I had meant to point you earlier to a FAIR analysis that Chris Hayes did over at his Blog. But I’ve been a little busy, and before I could mention it, Stuart King put up a kind of angry response on his ComputerWorld blog. Snark aside, there are a couple of other really troubling aspects of Stuart’s reaction to Chris’ analysis that I thought we could talk about this morning.

The problem is that (Chris’ analysis is) completely impractical. I’ll take a recent, and fairly typical situation as an example. I was taking issue with the manner in which remote access was being provisioned for a third party vendor to connect to a system hosted by one of our European business units. To cut a long story short, it was not only a breach of policy but highly insecure. I wanted the access to be disconnected, the business unit director wanted my risk assessment. And he didn’t want to wait for it.

To quote Chris Hayes, spending time on working out the expected effectiveness of controls, over a given timeframe, as measured against a baseline level of force was not going to pacify an angry Italian fearful that my decision was going to cost him money. He wanted my explanation of the risk and more importantly, what I was going to offer as a solution to keep his business functioning

As Chris is someone who actually does this for a living in a large company, and this is typical of his actual day job, I really find Stuart’s “impractical” comment to be, um, misinformed.

Also, I think Stuart mistakes the purpose of a risk analysis. The purpose of the risk analysis is not to force someone to be “secure”, but to provide knowledge for decision making. Using it as a “hammer” to knock in the nail of your personal risk tolerance impairs efficiency and in the long run retards “security” as it creates political resentment. Seriously, who cares if something might violate policy or not in a pre-implementation discussion? Policies are not stone tablets handed down from on high, they are state-in-time codification of the data owners risk tolerance. This risk tolerance changes sometimes, and that’s OK.

To that extent, I appreciate (and I’m sure Chris does, as well) that risk analysis does not create rationality in the data owner. Someone who sees you as a speedbump on the route to progress they may not be ready to appreciate your point of view even if it is stated in the most rational manner possible. But it’s worth noting (and Stuart’s example is indicative of this point) that risk analysis does not create rationality in the analyst, either. If one is being so “security minded” as to ignore the risk tolerance of the business owner - we’re bound to get a reaction similar to that Stuart encountered. In fact, a practical risk analysis like Chris performed on his blog, done in 30 minutes, should identify the critical point of disagreement between Stuart and the data owner (again, Stuart doesn’t own the data, the agitated Italian does).

But let’s stay rational and open to alternatives to what Chris offers. Stuart states his approach to risk analysis as:

When I need to document a risk assessment I use a very simple form: list the threats, state the level of vulnerability, list the associated operational costs and potential revenue hits. High, medium, or low risk? Describe the controls and options. Write up who needs to do what, and how much of their time it’s going to take. Job done.

At first glance, I don’t think what Chris has done is any less efficient, and it provides greater insight (using Frequency and Capability instead of just ‘listing the threats’). But what is key here is that Chris’ approach is consistent and defensible. Less generous risk geeks and CSO’s I know would have no little difficulty with Stuart’s approach. But to particularly answer Stuart’s main objection (impracticality) I would offer that with practice, Chris’ work is probably quicker and easier than Stuart’s described process as it eliminates much of the ambiguity an immature risk analysis creates - reducing the need for further discussion and arguments with data owners (regardless of disposition or nationality).

Finally the irony of Stuart’s post is that the reason he had this confrontation may in fact be because he was incapable of bringing a salient model for risk to the table, one that identified the factors that create risk and developed a defensible belief statement concerning risk. We’ll never know if one would have helped him in this isolated instance, but I can tell you that in organizations like Chris’, good risk models and strong risk anlayses create operational efficiencies, reduce costs, and streamlines intra-departmental communications.