Friday, September 12, 2008

More on SF rogue network admin

The drip-feed of news about the Terry Childs case continues. [Quick recap: Childs held the City Government of San Francisco to ransom by refusing to divulge the city's network admin passwords that were under his sole control.] The Washington Post tells us:
"Childs compromised more than 1,100 devices and created unauthorized network doorways, allowing him unfettered and undetectable access. He collected pages of user names and passwords, including his supervisor's, to use their network log-ons. And he downloaded thousands of gigabytes of city data -- possibly privileged information, such as police reports and e-mails -- to a personal encrypted storage device. Experts still aren't sure what data the device contains."

'Thousands of gigabytes'? That's an impressive capacity for a personal storage device.
The Post also says Childs had a criminal record:
"Childs, as it turns out, carried a list of convictions, including aggravated burglary, aggravated robbery and theft, according to court documents. He also served four years in the Kansas state prison. Childs kept this from his employment application, court documents note. Vinson said San Francisco will probably expand its employee background checks to cross state lines."

Good idea!
Still, I agree with the thrust of the article that SF management's failings extend well beyond checking Childs' references. Childs was a privileged insider placed in a position of great responsibility and trust by management. It appears that management recognized the risk but failed to address it adequately. Dawn Cappelli's comments about the insider threat are very apt. I'd call this a governance failure.

September update: San Francisco city's Department of Telecommunications and Information Services (DTIS) has spent just under $200k already, investigating what Childs has done to the network and hunting for a terminal server providing him a back-door.  The full cost is estimated to be around $1m.

Wednesday, July 23, 2008

SQL as an audit tool

Mike Blakley wrote a fine piece in EDPACS on using SQL queries to interrogate a database system for audit purposes.

Abstract:
"Organizations, both large and small, are increasingly reliant on database systems for their operational support needs. This is due to the adoption of accounting systems ranging from large enterprise resource planning systems, down to departmental or even desktop-based database systems. The traditional audit approach used to account for data stored in databases has relied on information technology or other support staff to extract data for audit, which was then tested by others, often technical specialists. An alternative approach, which also provides greater audit independence, is to increase the knowledge level and skills of audit staff so they can obtain this data directly and perform their audit tests independently. This article may have relevance to other IT system audits."

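To make the article's point concrete, here is an added example (my own, not from Mike's article or the EDPACS issue) of the kind of audit tests an auditor with SQL skills can run directly, without waiting for IT to extract the data. It loads a tiny accounts-payable ledger into an in-memory SQLite database (the rows, table layout, names and the 5,000 approval limit are all constructed for illustration) and runs four classic tests: duplicate payments, self-approved invoices, invoices split to stay under the approval limit, and vendors paid into an employee's bank account.

```python
import sqlite3

# Constructed accounts-payable sample (not from the article): four vendors,
# five employees and seven invoices, seeded with the anomalies the queries
# below are meant to surface.
VENDORS = [
    # id, name, bank_account
    (10, "Acme Supplies", "GB11-0001"),
    (11, "Bolt & Nut Ltd", "GB11-0002"),
    (12, "Cable Co", "GB11-0003"),
    (13, "Dodgy Services", "GB11-0099"),   # same account as employee 'dave'
]
EMPLOYEES = [
    # username, bank_account
    ("alice", "GB11-1001"), ("bob", "GB11-1002"), ("carol", "GB11-1003"),
    ("dave", "GB11-0099"), ("erin", "GB11-1005"),
]
INVOICES = [
    # id, vendor_id, invoice_no, amount, invoice_date, entered_by, approved_by
    (1, 10, "A-100", 4800.00, "2008-06-02", "alice", "bob"),
    (2, 10, "A-100", 4800.00, "2008-06-05", "alice", "bob"),    # paid twice
    (3, 11, "B-7",   3000.00, "2008-06-10", "carol", "carol"),  # self-approved
    (4, 12, "C-1",   4900.00, "2008-06-12", "dave",  "erin"),   # three same-day
    (5, 12, "C-2",   4950.00, "2008-06-12", "dave",  "erin"),   # invoices, each
    (6, 12, "C-3",   4990.00, "2008-06-12", "dave",  "erin"),   # under the limit
    (7, 13, "D-42",  1200.00, "2008-06-20", "alice", "bob"),
]
APPROVAL_LIMIT = 5000.00   # assumed single-signature approval limit


def build_db():
    """Load the constructed sample into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE vendor (id INTEGER PRIMARY KEY, name TEXT, bank_account TEXT);
        CREATE TABLE employee (username TEXT PRIMARY KEY, bank_account TEXT);
        CREATE TABLE invoice (
            id INTEGER PRIMARY KEY, vendor_id INTEGER, invoice_no TEXT,
            amount REAL, invoice_date TEXT, entered_by TEXT, approved_by TEXT);
    """)
    db.executemany("INSERT INTO vendor VALUES (?,?,?)", VENDORS)
    db.executemany("INSERT INTO employee VALUES (?,?)", EMPLOYEES)
    db.executemany("INSERT INTO invoice VALUES (?,?,?,?,?,?,?)", INVOICES)
    return db


# Each test is plain SQL plus its bind parameters. An auditor runs these
# directly against (a read-only copy of) the live database; only the table
# and column names change from one accounting system to the next.
AUDIT_TESTS = {
    # Same vendor, invoice number and amount booked more than once.
    "duplicate_payments": ("""
        SELECT vendor_id, invoice_no, amount, COUNT(*)
        FROM invoice
        GROUP BY vendor_id, invoice_no, amount
        HAVING COUNT(*) > 1""", ()),
    # Segregation of duties: the person who entered the invoice approved it.
    "self_approval": ("""
        SELECT id, entered_by
        FROM invoice
        WHERE entered_by = approved_by""", ()),
    # Several same-day invoices from one vendor, each under the approval
    # limit but totalling more than it: the classic split to dodge sign-off.
    "split_invoices": ("""
        SELECT vendor_id, invoice_date, COUNT(*), SUM(amount)
        FROM invoice
        WHERE amount < ?
        GROUP BY vendor_id, invoice_date
        HAVING COUNT(*) > 1 AND SUM(amount) >= ?""", (APPROVAL_LIMIT, APPROVAL_LIMIT)),
    # Ghost-vendor check: a vendor paid into an employee's bank account.
    "vendor_employee_match": ("""
        SELECT v.id, v.name, e.username
        FROM vendor v JOIN employee e ON v.bank_account = e.bank_account""", ()),
}


def run_audit(db=None):
    """Run every test; returns {test_name: [exception rows]}."""
    if db is None:
        db = build_db()
    return {name: db.execute(sql, params).fetchall()
            for name, (sql, params) in AUDIT_TESTS.items()}


if __name__ == "__main__":
    for test, rows in run_audit().items():
        print(f"{test}: {len(rows)} exception(s)")
        for row in rows:
            print("   ", row)
```

Each exception row is a lead for the auditor to follow up, not a finding in itself; the value of running the queries yourself is that you choose the tests and see the raw rows rather than a summary someone in IT prepared for you. The approval limit is passed as a bind parameter rather than pasted into the query text, which is the same habit that keeps any SQL built from outside input out of trouble.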
In the same issue, Fred Cohen discusses the specification of control requirements for [real-time process] control systems and SCADA, an area that relatively few information security managers and IT auditors have experienced. I have had some exposure to this at power generation and engineering companies but admit I know next to nothing about it. Having seen conference presentations on "exploring" SCADA networks and Building Management Systems, I'm sure these are targets for curious hackers who relish the challenge of understanding obscure comms protocols and exploiting inadequate security controls. Fred's comments about the ever-deepening Internet connectedness of such networks and the historical lack of attention to security ring very true. I often wonder what fun would lie in store for hackers with access to the networks and devices, perhaps exploiting the numerous wireless command and control systems out there. Let's hope they are responsible enough to use their powers for good not evil.

All in all, another excellent issue. [The fact that I'm one of many on the EDPACS editorial board is purely coincidental, of course!]

Tuesday, June 03, 2008

Domain name owners being phished

ICANN's Security and Stability Committee has released a 12-page advisory on 'registrar impersonation phishing attacks' - in other words, phishing attacks targeting domain name owners ("registrants" in ICANN-speak). Owners' contact details are usually published and can be interrogated for free through WHOIS. Putting the target person's contact details together with the fact that they have registered a domain name provides the phishing hook. Owners are invited to 'login and update their contact details', whereupon the phisher steals the login credentials and, presumably, manipulates the DNS entries for their own nefarious purposes.

Friday, February 01, 2008

A modern Doomsday

Middle-Eastern Internet services have been severely disrupted by the failure of an undersea cable linking Egypt to Italy. There are backup connections, of course, including satellite and other cable connections but their capacity is limited, hence Internet traffic in some countries in the region is experiencing delays and probably failed connections due to timeouts.

Thanks to packet switching technology and multiple routes, the Internet as a whole is highly resilient. Undersea cables can often be repaired within days or weeks. But imagine what would happen if the Internet went down, and stayed down. Not 'stayed down for a few minutes' or hours or even days, but for an extended period perhaps indefinitely.

There are various horrific scenarios that could cause this to happen e.g.:
- Widespread technology failure, disrupting the packet switching backbone;
- Deliberate action by one or more nation states in wartime, severing critical connections and/or injecting massive amounts of spurious traffic at multiple points to disrupt;
- Natural events such as solar flares/X-ray emissions from the sun, storms etc. damaging critical equipment and links;
- Cyberterrorist attacks on the Domain Name Systems or other critical elements of the Internet, perhaps combined with conventional terrorist attacks on key nodes, cables and satellite ground stations;
- Worms or other malware, in other words, software agents swamping or damaging the network;
- "Something else" - the classic contingency planning scenario. We don't know exactly what might happen. It could be something completely novel and unanticipated or a chance combination of more than one type of event, known as 'bad luck'. For true contingency planning purposes, the exact cause and nature of the incident is irrelevant: we need to be ready to cope with whatever actually happens.

With a moment's thought, the horrendous consequences of such an incident start to become clear. The developed nations are highly reliant on the Internet and would suffer economic and social consequences very quickly. Developing nations are also actively using the Internet for eCommerce and communications with the rest of the world. The Internet has penetrated even the least developed third-world countries, and disruption to first-world aid programs would have consequences there too.

We're hardly on the same scale as Google, eBay and Amazon but at a local level, our own small business would suffer within days if the Internet went down. We use the Internet for marketing and promotion, sales and delivery, research and communications. There are fallback delivery mechanisms - sending CD-ROMs in the post or direct dial-up access - both of which are limited, wouldn't work very reliably and would increase our costs. We could resort to old-fashioned research methods but would miss the ready, free access to up-to-date information security news from around the globe. Our marketing and sales would suffer the most as conventional print, TV and radio advertising is far more expensive and limited in scope. That, in a nutshell, is our own risk assessment.

Larger e-enabled businesses (such as the entire financial services industry) would suffer immediate problems; others might hardly notice at first, at least until their suppliers, partners and/or customers started to fail. Government departments and utilities would suffer quite quickly, causing knock-on effects as the national infrastructures started to unravel. If petrol companies and airlines were disrupted, well, we'd have to get used to walking or cycling to work, if indeed work existed. Civil disruption could have serious consequences for personal safety and security.

We're just a few paragraphs into this very brief overview but the 'worst case scenario' is shaping up badly. This is starting to sound like one of those science fiction doomsday stories.

On the upside, TV, radio and print media would be severely disrupted too so we might not get to hear too much about the civil disruption outside our barricaded front doors. Some of us will retreat to our caves.

What kind of contingency plans would or could you make for "the Internet is down"? Some of the more obvious things might be to retain or stockpile ordinary modems (assuming that the telephone networks are running ... but, oh dear, they are using VOIP and, no doubt, sharing a lot of the Internet technologies and links) and generally retain (or rather rebuild) the ability for non-electronic commerce and communications.

More resourceful organizations might build their own private networks to run in parallel with the Internet - as the financial services industry, the military and other special-purpose users already do. These are expensive, but the greater concern is to ensure they are genuinely isolated from the Internet in practice. Supposedly private bank ATM networks have been known to crash due to Internet worms, so finding and closing those worm-holes must be a priority. That's definitely something we can do today.

What else would you suggest in the way of contingency measures? Any ideas you'd like to share? Just post a comment ... while your Internet connection is still running, please.

Sunday, October 07, 2007

Security camera security

If your CCTV security camera system uses IP transport to cut costs, don't forget to factor the cost of network and device security into the mix. It has long been known that many IP-enabled CCTV cameras are pumping live video onto the Web with no encryption or access control. It now appears that exploiting security vulnerabilities in the camera controllers may allow hackers (or bank robbers) to manipulate the video stream, for example replacing it with a 'blank scene' while they crack the vault.

Wednesday, September 26, 2007

Credit card numbers posted on eBay forum

Someone appears to have posted a load of personal data including credit card numbers on an eBay discussion forum, paradoxically one on trust and safety. Around 1,200 eBay users' details may have been compromised.

Why anyone would do this remains a mystery. Is it just some sort of publicity stunt, or a hacker's brag?

eBay shut down the forum and pulled the pages about an hour after being informed of the incident. There's more about the incident on an eBay blog.

"eBay spokesperson Nichola Sharpe said Tuesday afternoon that posts made on the Trust & Safety board early this morning contained name and contact information for 1,200 eBay members and called the person posting the information a "malicious fraudster." She said the incident was not the result of a security breach from eBay and could have been obtained as part of an account takeover."

It's possible that a merchant's account was compromised, I guess.

Saturday, August 18, 2007

Security awareness success in the US Army

Details of audits of US Army websites and blogs run by soldiers, disclosed under the Freedom of Information Act, reveal that far more security policy breaches occur on official Department of Defense websites than on soldiers' blogs. The audits were conducted by the Army Web Risk Assessment Cell, a special unit with a remit (evidently) to minimize unauthorized disclosure of sensitive military information via the Web.

It seems to me the Army was absolutely right to highlight the information security risks relating to blogging. I believe the audit results reflect the outcome of a highly successful security awareness program. If this issue had not been addressed so effectively, I'm convinced there would have been far more noncompliance issues, in other words this is a lesson to us all.

In respect of security awareness programs and policy compliance, 'the military' have a significant advantage over most of us in that the workforce is specifically trained to respect authority and follow orders - or at least, that is the classical view. In fact, I understand modern soldiers are increasingly being taught to think for themselves and operate autonomously, albeit within a highly structured (literally 'regimented') operating framework and, when necessary, at gunpoint. The traditional approach to the blogging security issue would presumably have been to send out an order banning blogging. What actually happened was more subtle: Army bloggers were instructed to register their blogs with commanding officers and pre-clear what they publish. 'Blog responsibly' is a rather softer message but the audit results seem to indicate its effectiveness in this situation.

Friday, June 15, 2007

What the white hats are up against

In its usual tongue-in-cheek fashion, The Register describes the Black Hat world through ten features:
1. The Black Hats form a well integrated community that shares knowledge effectively.
2. Becoming a Black Hat is a career option even for those who are not super geeks.
3. There are even specialist virus tools designed to circumvent specific AV products.
4. There are SDKs for the more advanced hackers.
5. There's a market for your data.
6. There are botnets to rent.
7. Some rogue websites are very subtly managed.
8. Good hackers know how to stay safe (they stay abroad).
9. The banking system has its channels.
10. Not all businessmen are entirely averse to the odd hack (on a competitor).

In the sense of "know your enemy", the article presents an interesting perspective.

Monday, June 04, 2007

Net Crimes & Misdemeanors - book review

Read the review
Net Crimes & Misdemeanors - Outmaneuvering Web spammers, stalkers, and con artists explores the dangers of the online world, covering a broad assortment of Internet security issues with useful descriptions and helpful advice for all Web users. This is a good security awareness book for anyone who is relatively new to the net, combining realistic threat descriptions with pragmatic security advice.

Friday, June 01, 2007

Wi-Fi not entirely vulnerable to jammers

A well-written article discussing the potential threat of wideband noise sources to Wi-Fi networks concludes that it is not as easy as some people assume to jam Wi-Fi. The use of frequency-hopping and direct-sequence spread-spectrum techniques (two different approaches, by the way) in the microwave bands makes Wi-Fi substantially less vulnerable (though admittedly not totally immune) to interference than it might appear.

The article systematically dismantles naive claims that a "simple 100W broadband noise generator" would knock out Wi-Fi networks within a couple of miles. The main argument is that the 100W of energy would be spread across 0-2.4GHz if the noise generator were truly simple (i.e. presumably untuned), resulting in a low energy density in the Wi-Fi band/s. In practice, I suspect a jammer would probably design his system to produce most of the 100W in the specific microwave frequencies used by Wi-Fi.

A 'proof of concept' noise generator should not be too difficult to construct, although getting 100W at microwave frequencies is a technical challenge unless you have the $$$ to buy commercial microwave amplifiers ... or the technical nous perhaps to adapt the magnetron from, say, a microwave oven (which runs at 2.45GHz, squarely in the 2.4GHz Wi-Fi band).

Don't try this at home folks. High power microwaves are used in ovens because they cook things - your cornea, retina and brain, for example.

Wednesday, April 25, 2007

Boundary? Wot boundary?

Disappearance of the network boundary is a 28-page ISF Digest (report of a special interest group) from the Information Security Forum about the increasing Internet connectivity of today's typical corporation. As the traditional fortress wall/network perimeter is dissolved, the boundary security controls can expand to somehow incorporate untrusted devices Out There in webInterland or contract to protect devices In Here from all other devices [this is a false dichotomy if changes may take place in both directions at once]. The report recommends gradual evolution of current security controls in the short term and investigation of other options in the longer term.

Friday, April 20, 2007

The lure of VA Tech

Hot on the tail of the shocking massacre at VA Tech comes news of spammers and probably other scamsters using the incident as a lure for their evil deeds. According to a message on SANS Internet Storm Center today, spammers have sent emails inviting recipients to follow a link for video of the shooting ...

By the way, the SANS ISC makes a good default home page if, like us, you want to keep up with infosec news.

UPDATE: Wired has a piece on this too.

More network security links

Tuesday, April 17, 2007

Fortune 1000 companies botnetted

An article in the New York Times on spam and botnets quotes some ballpark figures:
- 11% of the 650 million computers on-line contain botnet code
- 250,000 new systems get botted every day
- 80% of all spam originates from botnets

That little snippet of news came from Support Intelligence, a commercial company that monitors the Internet for spam, botnets etc., analyzes the origins and publishes some of the more interesting details in its blog (as well as selling the data to its clients). Many big-name companies are named and shamed; in other words, spammers have evidently infiltrated major corporate networks, setting up botnets that spew forth spam through the corporate email systems, some of which run mainstream antispam software such as IronPort (perhaps configured only to spam-check inbound email?).

More network security links

Monday, April 16, 2007

Pen testers' confidence boost

Penetration Testing with Confidence: 10 Keys to Success is a SANS webinar on Tuesday, April 17th at 1PM EDT (17:00 UTC). According to the blurb:
"Penetration testing is fast becoming essential for IS professionals seeking to comply with security mandates, assess defensive IT infrastructure, and assure customers of privacy protections. At the same time, a poorly planned or executed penetration test can turn into a costly liability. Whether you're an experienced pen tester or a first-timer, this webcast will give you the insight you need to approach all pen tests with confidence."

More network security links

Sunday, April 08, 2007

NIJ guide to investigating hi-tech crimes

The National Institute of Justice is publishing a series of guides for those engaged in responding to, investigating and presenting evidence in US courts about high-technology crimes. In 137 pages, Investigations Involving the Internet and Computer Networks, the latest publication, covers investigations involving email and websites, instant messaging, chat rooms and IRC, file sharing networks, network intrusion and denial of service, listservs and newsgroups. It provides basic advice on technology and legal issues, with a brief nod to IT forensics. The guide is a little outdated in places but is a useful introduction to the requirements.

More network security resources

Tuesday, April 03, 2007

Microsoft animated cursor fix

A bug in Windows' handling of animated cursor files is being actively exploited by The Dark Side. Those of us on the Light Side are advised to deploy an emergency patch just released by Microsoft ... or consider moving to an alternative, less bug-ridden operating system sharpish, assuming such a beast exists.

More network security resources

Saturday, March 31, 2007

Internet Exploder

Microsoft acknowledges that a recent Internet Explorer security patch fixed IE6 but not the latest IE7. Exploit code is apparently 'in the wild'. Perhaps now is a good time to consider changing to Firefox or one of the other non-M$ browsers?

Another advisory concerns a security flaw in Windows' handling of animated cursor files, which is also being actively exploited 'in the wild'. Time to take a look at Linux, maybe?

More network security links

Thursday, March 29, 2007

Network security awareness module released

Is it a funnel or the business end of a vacuum cleaner?
We've released an updated and extended awareness module on network security for April 2007, incorporating materials on securing wireless networks, Web browsing and a variety of other networking security issues.

See the network security links collection here

Thursday, March 01, 2007

Sun Telnet daemon worm in the wild

Sun Microsystems warns that a worm exploiting a security flaw in its Telnet daemon is 'in the wild', i.e. currently infecting Sun systems. Sun has issued a patch but a better solution is, um, not to use Telnet at all, especially across the Internet. SSH is a straightforward and much more secure replacement in most situations: it authenticates the server and encrypts the whole session using its own transport protocol (not SSL, despite a common misconception). Where Telnet genuinely cannot be retired yet, apply the patch and restrict the service to trusted source addresses in the meantime.

More network security links to follow next month

Monday, February 26, 2007

Book review: Google Hacking

Google Hacking for Penetration Testers by Johnny Long is a terrifying book if you are a slightly paranoid information security professional at a major corporation. You'll soon be avidly turning the pages with a growing look of shock and fear on your face, gripped by the unfolding horror story. Google Hacking puts the spotlight firmly on those dark places that many security managers fear to tread: firewall, IDS and IPS configurations, security patching practices, web application security ... need I say more?

Read this book if you dare.

Wednesday, February 21, 2007

New NIST security standards

NIST SP 800-45 Guidelines on Electronic Mail Security advises on the installation, configuration and maintenance of secure email servers and clients. It presents recommendations to secure mail server operating systems and applications, protect mail servers, administer mail servers securely plus advice on protecting individual emails and securing mailbox access. The email security standard is a revised version of the original 2002 standard. Other newly-released NIST standards cover intrusion detection and prevention (SP 800-94), and securing 802.11i wireless networks (SP 800-97).

More email security, web/network security and wireless network security links

Monday, December 25, 2006

Congressional aide socially engineered

A congressional aide has admitted asking two jokers at Attrition.org to hack into his college's network and adjust his grades. The jokers (whom he evidently believed to be l33t hax0rs, not that he would have had the foggiest idea what those words mean) led him to believe they would do what he wanted and, in the course of the exchange, got him to reveal his Social Security Number and other personal information to make their hacking job easier. The email exchange is very amusing: the victim had no clue that he was being taken for a ride, even providing photographs of a [secret] squirrel at one point to validate his location. Be sure to read the news piece on Network World that revealed the victim's details and printed his admission and apology for making a big mistake ... which led to him being fired ... but his 15 minutes of fame now include a Wikipedia entry.

More social engineering, hacking and accountability resources

Thursday, December 14, 2006

"Client-side attacks" social engineering webcast

Core Security Technologies is offering a webcast on "client-side attacks" at 2pm EDT on December 19th and December 21st. The press release is not entirely clear about what they mean by "client-side attacks" but two examples are quoted: opening a malicious Word, Excel or PowerPoint document sent via e-mail, or browsing malicious web sites that exploit vulnerable client-side code.
According to the PR, "During this 45 minute webcast you learn how:
* to assess how vulnerable your information assets are to spear phishing attacks targeted at end users;
* Outlook, IE and other applications can provide an attacker an easy path into your organizations;
* a social engineering attack can be successfully deployed against your network; and,
* to better protect your organization’s critical assets."
I presume they will promote technical security control measures but I hope they will also promote security awareness to address the human vulnerabilities at the root of such attacks. We'll see.
More social engineering resources
[I have no connection with Core Security Technologies, apart from our common interests in social engineering and information security]

Tuesday, December 12, 2006

Bank robbery, the social engineering way

A classic social engineering attack on a bank, as described by the boss of a penetration testing company, is just as scary as the case studies in Ira Winkler's Spies Among Us. The perpetrator gains access to the bank network simply by posing as a photocopier technician. It's scary because the story rings true. It's a typical Security Manager's nightmare scenario. The customer service ethic of the front line bank staff trumped any security awareness they might have had. The inadequate technical security controls on the bank LAN are entirely credible. [Thanks to my friend Alisdair for sharing this link.]
More social engineering resources

Friday, December 08, 2006

The fallibility of technical controls

A piece apparently due to be published in Computer Weekly next Tuesday outlines a range of network security issues relating to mis-configuration of IT equipment, and then (almost as an afterthought) ends with the following:
"... security needs to be a mix of people, process and technology. The best security comes from having well-trained and motivated staff, who will not click on dodgy e-mail attachments, and will not be lured into spyware-infected websites. And like every other aspect of the security jigsaw, security training and awareness is not a one-off exercise. It needs to be a continuous programme of education, incentive and information."

The fact that IT systems and networks are misconfigured by people surely implies that security awareness programs need to include IT professionals?
More on network security and security awareness

Tuesday, October 17, 2006

When POTS becomes VOIP

The transition from POTS (Plain Old Telephone System) to VOIP (Voice Over IP) is likened in an article by CSO Magazine to Swedes changing the side of the road on which they drive. It's a dramatic analogy but acts as a worthwhile counterpoint to the usual arguments about VOIP simply replicating POTS security issues. In fact, VOIP/IPtel introduces some novel risks:
- Confidentiality: unauthorized disclosure of information by snooping on calls, copying or redirecting them;
- Integrity: change management; authentication of users and security administration;
- Availability: additional complexity caused by implementing new IT/networking equipment to replace tried-and-trusted PABXs; convergence of voice and network technologies potentially creating new unanticipated technical issues;
- Financial: risks relating to the implementation project's business case;
- Operational: changing pattern of use of phone systems may open up novel working practices and business opportunities with unique security/risk implications (e.g. remote Internet teleworking potentially including offshore, wireless phones).
Analysing the risks on another axis gives a different view:
- Threats: accidental misconfiguration or operator errors causing software/system/network failures; man-in-the-middle attacks on voice calls (manipulating voice traffic in real time to change conversations);
- Vulnerabilities: new technology (compared to POTS); all the usual information or IT security vulnerabilities (e.g. bugs); all eggs in one basket;
- Impacts: simultaneous loss of network data and voice capability causing business disruption; disclosure of confidential information; regulatory or legal implications such as retention of calls.
More web and network security links

Friday, October 13, 2006

Pre-incident forensics

Managers seem to expect forensic evidence to appear as if by magic when an employee is caught committing fraud or circulating porn on company IT equipment. The reality is that, while system, network and firewall logs usually record some information, it is unlikely to be sufficient or suitable for forensic purposes unless the logs and controls have been designed and maintained with that potential use in mind. Aristotle has an unusual network usage/content monitoring product that claims to address this kind of controls gap. It is targeted at schools and offices, for example identifying children contemplating suicide or employees stealing corporate data. It retains forensic evidence and provides the reporting tools to make use of it.

More incident management links

Friday, October 06, 2006

Laptop security is a top priority

ZDnet reported "The Sans Institute says the greatest concern for businesses should be the security of their laptops, as more companies replace desktops with notebooks. The mix of sensitive data being taken out of the organisation and a lack of encryption, coupled with incidences of human error that can see such devices lost or stolen, means companies should make this issue a top priority. The Sans report also said the theft of other mobile devices, such as PDAs and smart phones, will increase because of the value of the data they may contain." I would of course agree that loss or theft of data on laptops is important ... along with the introduction of malware on portable devices, the lack of backups and the use of portable (and especially wireless) devices to remove information illicitly from corporate networks. But, sure, loss or theft of data on laptops is an issue.

More portable IT security and wireless networking links

Thursday, September 28, 2006

Being born yesterday

Hackers are so desperate to exploit vulnerabilities such as the VML bug, they are becoming quite incoherent in their excitement. Here's the text of an email I just received:

Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).


Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service


Needless to say, I didn't open the attachment (which had already been quarantined by the antivirus software, in any case). Phew, that was a close one!
More Bugs! and malware links

Wednesday, September 27, 2006

Disabling USB storage

A few organizations that recognize the security issues created by USB thumb drives, hard drives, CD-RWs etc. decide to lock down the USB ports on their systems. The usual way to do this is to buy, test and install additional USB control software. A Microsoft MVP (Most Valuable Professional) has come up with a low cost solution using native Windows functionality - specifically, Group Policy. WindowsDevCenter explains how to define a policy to disable the USB storage driver. A Microsoft Knowledge Base article contains the necessary code. This looks like a viable option if you only want to turn off USB storage devices on your Windows network machines. If you need more fine-grained control, such as the ability to allow read but not write access or to log and report use of the devices, you'll presumably still have to buy, test and install the USB control software though.
More portable IT security links
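The registry approach behind the Knowledge Base article comes down to one value: the Start value of the UsbStor service, where 4 means the driver never loads and 3 is the default on-demand load. Whether you push that through a Group Policy template or a script, you still want to prove it took effect across the fleet. The following is an added example (not the MVP's or Microsoft's code) that reads the text of a `reg export` of that key and reports the status; the .reg contents are constructed for illustration.

```python
import re

USBSTOR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor"
START_DISABLED = 4   # driver never loads, so USB storage devices do not mount
START_MANUAL = 3     # Windows default: driver loads when a storage device is attached

# Constructed .reg exports in the layout `reg export` produces (header, key, values).
REG_LOCKED_DOWN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor]
"Type"=dword:00000001
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,00,00
"DisplayName"="USB Mass Storage Driver"
"""

REG_DEFAULT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"""

REG_UNRELATED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
"Start"=dword:00000000
"""


def parse_reg_export(text: str) -> dict:
    """Parse .reg text into {key path: {value name: raw value string}}.

    Handles comments, the header line and backslash-continued hex values.
    Value names containing '=' are not expected here."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                 # continuation of a multi-line value
            pending += line.rstrip("\\")
            if not line.endswith("\\"):
                name, value = pending.split("=", 1)
                keys[current][name.strip('"')] = value
                pending = None
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        if line.endswith("\\"):
            pending = line.rstrip("\\")
            continue
        name, value = line.split("=", 1)
        keys[current][name.strip('"')] = value
    return keys


def dword(raw: str):
    """Decode a REG_DWORD value such as dword:00000004; None for anything else."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw.strip())
    return int(m.group(1), 16) if m else None


def usb_storage_status(reg_text: str) -> str:
    """'disabled' when UsbStor Start is 4, 'enabled' when 3, otherwise flag it."""
    keys = parse_reg_export(reg_text)
    values = next((v for k, v in keys.items() if k.lower() == USBSTOR_KEY.lower()), None)
    if values is None:
        return "unknown"        # key absent: driver never installed, or wrong export
    start = dword(values.get("Start", ""))
    if start == START_DISABLED:
        return "disabled"
    if start == START_MANUAL:
        return "enabled"
    return "unexpected"


if __name__ == "__main__":
    for name, text in [("locked-down", REG_LOCKED_DOWN), ("default", REG_DEFAULT)]:
        print(f"{name}: USB storage {usb_storage_status(text)}")
```

`reg export` writes UTF-16, so read the file with `encoding="utf-16"` before passing the text in. As the post says, this only answers "is USB storage off or on"; read-only access or usage logging needs a product that hooks the device stack, which a registry check cannot see.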

Wednesday, July 26, 2006

Insider threat case study

"The computer sabotage trial of a systems administrator who was found guilty of attacking the network he had been hired to protect at UBS PaineWebber is sending out a sobering message, and one that can't be stressed enough: No matter what network security you have in place, it may not be enough to protect you from one of your own. It's almost a cliché, but one that many companies still do not take seriously."

[Good insider threat case study here]

"And O'Malley also says executives need to step it up when it comes to keeping an eye on employees who are full of complaints, or are on a bad streak with the company. "Sure it will happen again," he says. "And in all likelihood it will happen because of an insider. They always say, 'Oh, he was a trusted insider.' Bingo! That's the problem. He was a trusted insider.""

More information security management and hacking links

Tuesday, June 20, 2006

System security config guides & tools

A raft of new or updated security checklists and verification tools has been released by NIST covering: access control; application & database security; DNS; Enclave; .NET framework; network infrastructure; SAN/sharing peripherals across the network; UNIX; VoIP; and Windows 2000, XP and 2003 Server. The combination of comprehensive security checklists recommending specific parameter settings and automated tools to check system configurations against the recommendations makes the security manager's job that bit easier.
More IT Ops & system security links

Wednesday, April 12, 2006

Microsoft exec warns: Beware rootkits

If your system gets infiltrated by a rootkit, you might as well just “waste the system entirely,” said a program manager from Microsoft's security solutions group. The point is that rootkits are deliberately constructed to conceal themselves, making it extremely difficult to (a) detect that your system has been rootkitted (compromised with a rootkit), and then (b) remove said rootkit and revert the system to its uninfected state. An active rootkit has full access to your machine. By taking control of the system hardware before the operating system loads, it has the potential to mediate calls to the network and hard drives, and can intercept keyboard and mouse commands. You have no secrets from a rootkit.
More links on keeping secrets and malware

Sunday, February 12, 2006

NSA/CIS Security Configuration Guides

The NSA/CIS SNAC security configuration guides comprise a set of security standards for various operating systems (such as Windows, MacOS, Solaris), applications (such as Oracle, SQL Server, Exchange, Office, SMS, BEA Weblogic, IIS, IE and Netscape), network equipment (routers and switches) and more. If your management has endorsed your high-level information security policies but the supporting technical standards are still ‘work in progress’, then take a look at SNAC.
More IT operations security resources

Friday, February 10, 2006

Yet more Microsoft bugs

Following on from the .WMF Windows Meta File zero-day exploit story at the end of 2005, Network World reports that Microsoft has acknowledged another bug in the .WMF code, plus another unconnected bug, and independent researchers have identified a third. The truth is that software bugs are discovered and fixed all the time - this is presumably only newsworthy because of the connection to .WMF and because all three bugs have security implications.
Microsoft has also published advance details of the clutch of bugs to be patched next Patch Tuesday.
More resources on Bugs!

Thursday, February 09, 2006

Bugs in common Windows programs

According to a research project reported in Network World, "Vendors are making mistakes when they write programs for Windows". Golly.
More resources on Bugs!

Monday, January 30, 2006

Researchers: Rootkits headed for BIOS

A SecurityFocus article picks up on the possibility of rootkits in the computer's BIOS. The same principle applies to rootkits in video BIOS and network card BIOS. The thing about these locations is that a reboot won't clear them, nor will a normal complete system rebuild - not even a new hard drive will clear them ... unless, that is, the code in the BIOS is just a stub, a loader for the main payload on disk. Given that the machine BIOS, by its very nature, gives low level access to the hardware, it is conceivable that a stub could load the remainder from another BIOS store, or from a normally inaccessible area on disk (such as a sector marked bad).
More [anti-]hacking resources

Tuesday, August 30, 2005

Hacker intrigue

Here’s a hacking story with a difference: after investigating a hack perpetrated by a suspected Chinese-government-backed gang of uberhackers, Shawn Carpenter, a network security specialist at Sandia National [nuclear research] Laboratories, got caught up in the FBI investigation. Time Magazine reports that he was dismissed by Sandia when they discovered his out-of-hours hacking, even though Shawn claims to have been encouraged by the FBI to help them track the gang. The FBI has acknowledged their role in the investigation and Shawn subsequently got his security clearance reinstated, so the story seems to hold water.
More [anti-]hacking and cracking resources

Friday, August 12, 2005

NIST SP on patching and vulnerability management

NIST is inviting public comments on a new draft Special Publication SP800-40 on Creating a patch and vulnerability management system (1Mb PDF file). Comments are especially welcome in three areas: (1) patching metrics, (2) required duties of the patch and vulnerability management group and (3) the overall patch and vulnerability management process. The summary earns a big thumbs-up from us with the sentence: “Not all vulnerabilities have related patches; thus, system administrators must not only be aware of applicable and available vulnerabilities and patches, but also other methods of remediation (e.g., device or network configuration changes, employee training) that limit the exposure of systems to vulnerabilities.” Other NIST drafts are also open to comment.
More change management resources
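The sentence the draft gets a thumbs-up for deserves a metric behind it: if "remediated" counts only vendor patches, configuration changes and training never show up in the numbers and the patch and vulnerability management group looks worse than it is. Here is an added example (not NIST's and not the draft's) of a small tracker that measures time-to-remediate against assumed per-severity deadlines and reports how much was closed by non-patch means. The finding ids, hosts, dates and SLA values are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation deadlines in days from discovery, by severity; a local policy value.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Reporting date for the constructed sample below.
REPORT_DATE = date(2005, 8, 12)


@dataclass
class Finding:
    finding_id: str                    # constructed local tracking id, not a CVE number
    host: str
    severity: str
    discovered: date
    method: Optional[str] = None       # "patch", "config", "training", "isolation", ...
    remediated_on: Optional[date] = None

    def is_open(self) -> bool:
        return self.remediated_on is None

    def is_overdue(self, today: date) -> bool:
        return self.is_open() and (today - self.discovered).days > SLA_DAYS[self.severity]


def vuln_metrics(findings, today: date) -> dict:
    """Patching metrics that count any accepted remediation, not only vendor patches."""
    closed = [f for f in findings if not f.is_open()]
    open_ = [f for f in findings if f.is_open()]
    days = [(f.remediated_on - f.discovered).days for f in closed]
    by_method = {}
    for f in closed:
        by_method[f.method] = by_method.get(f.method, 0) + 1
    non_patch = sum(n for m, n in by_method.items() if m != "patch")
    return {
        "total": len(findings),
        "closed": len(closed),
        "open": len(open_),
        "mean_days_to_remediate": round(sum(days) / len(days), 1) if days else None,
        "max_days_to_remediate": max(days) if days else None,
        "overdue": sorted(f.finding_id for f in open_ if f.is_overdue(today)),
        "closed_by_method": by_method,
        "non_patch_share": round(non_patch / len(closed), 2) if closed else None,
    }


def sample_findings() -> list:
    """Constructed tracker contents: three closed (one by patch, one by a configuration
    change, one by awareness training), two still open, one of those past its deadline."""
    return [
        Finding("F-0001", "web01", "critical", date(2005, 7, 1), "patch", date(2005, 7, 4)),
        Finding("F-0002", "db01", "high", date(2005, 7, 1), "config", date(2005, 7, 11)),
        Finding("F-0003", "ws-22", "medium", date(2005, 7, 20)),
        Finding("F-0004", "fw-edge", "critical", date(2005, 7, 25)),
        Finding("F-0005", "ws-05", "low", date(2005, 6, 1), "training", date(2005, 6, 15)),
    ]


def demo() -> dict:
    return vuln_metrics(sample_findings(), REPORT_DATE)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The overdue list is the one line management reads; the non-patch share is the one that shows whether the group is actually doing what the draft's summary asks for.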

Friday, July 22, 2005

London cellphone network resilient under stress

The BBC is reporting that cellphone networks in London are coping adequately with higher-than-normal call volumes arising from the bomb incidents at lunchtime today. Cellphones have become as much a part of the critical national infrastructure as the "Plain Old Telephone System" (POTS). Wireless networks, like their wired ancestors, are designed with resilience in mind, including spare capacity, alternate routing and 'intelligent' real-time switching protocols. This is mostly to cope with the diurnal peaks and troughs of demand, and partly to provide continuity through abnormal periods such as bombings, planned maintenance and unanticipated system failures.
More on crisis management and contingency planning

Sunday, July 17, 2005

Default login info

Next time you install a new device, load an operating system or install an application, don't forget to change the default installation username and password before you connect it to the network. Over 1,700 default logins are published at Virus.Org.
More anti-hacking resources

Thursday, July 07, 2005

Man charged with stealing WiFi signal

A Florida man has been charged with unauthorized access to a WiFi network. The man admitted using a laptop PC in an SUV parked outside the house to 'steal' WiFi access. The case will presumably center on whether the WiFi network was adequately secured - most aren't.
More wireless networking security and anti-hacking resources

Wednesday, July 06, 2005

Decoys for the Pentagon

US Military experts have proposed the use of 'decoys' (commonly known elsewhere by the term 'honeypots') as a defensive move to protect the Pentagon Network from hackers. Now there's an idea.
More anti-hacking resources

Thursday, June 30, 2005

NoticeBored July - The Hacking Threat

This month, our security awareness materials explain how hackers, crackers, phreaks and other assorted geeks go about their business. Hacking is a serious threat to organizations and individuals who depend on their information assets, and especially those of us connected to the Internet. A number of security surveys have shown however that hacking perpetrated by insiders is a threat even if your organization has no external network connections at all.
More (anti-)hacking resources here

Friday, June 03, 2005

Preserving digital evidence

Deb Schinder's Computerworld article Preserving Digital Evidence to Bring Hackers and Attackers to Justice is a brief but useful overview of how to deal with a PC that may contain forensic evidence of a breach. The key elements are: don't switch it off; do disconnect it from the network; don't run any programs on it; don't open files to examine them; do call on forensic experts; do take bit-level disk and memory copies to another machine. "Pull out the network cable" is a good phrase to teach your IT help desk and information security staff, and should perhaps be splashed across the front of the incident response procedure manual, a bit like "Don't panic" across the Hitchhiker's Guide To The Universe.
More on incident management
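"Take bit-level copies" is the step where non-specialists most often go wrong, so here is an added example (mine, not from Schinder's article) of what a minimal sound acquisition looks like: read the source sequentially, hash it as it is read, write the image, hash the written image independently, and record both hashes with the time and the examiner in a custody file beside the image. It runs against a constructed scratch file standing in for a device. Pointed at a real block device it assumes read-only access to the source (a write blocker or a read-only mapping) and does not handle unreadable sectors on damaged media, which a production imager must log and skip.

```python
import hashlib
import json
import os
import random
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads: the source is copied byte for byte, never mounted or parsed


def sha256_of(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image, examiner: str) -> dict:
    """Copy source to image, hashing the source as it is read, then re-hash the
    written image so the custody record shows the copy matches what was read."""
    source, image = Path(source), Path(image)
    src_hash = hashlib.sha256()
    started = datetime.now(timezone.utc).isoformat()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())          # make sure the image is really on disk
    record = {
        "source": str(source),
        "image": str(image),
        "bytes": image.stat().st_size,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_of(image),
        "examiner": examiner,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    # Custody record lives beside the image; keep a second copy somewhere else.
    image.with_name(image.name + ".custody.json").write_text(json.dumps(record, indent=2))
    return record


def make_sample_evidence(path, size: int = 2 * CHUNK + 4096, seed: int = 7):
    """Constructed stand-in for a block device: deterministic pseudo-random bytes."""
    path = Path(path)
    path.write_bytes(random.Random(seed).randbytes(size))
    return path


def demo() -> dict:
    """Image a constructed 'device' in a scratch directory and return the record."""
    workdir = Path(tempfile.mkdtemp(prefix="evidence-"))
    source = make_sample_evidence(workdir / "sdb.raw")
    return acquire_image(source, workdir / "sdb.img", examiner="constructed-examiner")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The reason for hashing twice is that the source hash proves what was read and the image hash proves what was written; a mismatch means the copy, not the evidence, is bad, and you find that out now rather than in court. Memory is acquired with a different tool, but the same record-the-hash discipline applies.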

Wednesday, May 25, 2005

2005 AusCERT security survey

The latest AusCERT computer crime and security survey says "Only 35% of respondent organisations experienced electronic attacks that harmed the confidentiality, integrity or availability of network data or systems (compared to 49% in 2004 and 42% in 2003)." ONLY 35%! Am I the only person who finds it perverse to regard a situation in which MORE THAN A THIRD of those surveyed suffered business impacts as a success? 3.5% maybe but not 35. This is an outrageous indictment of the state of information security.

Saturday, May 21, 2005

Security lessons learned

"Security isn’t only about protecting your network from external threats; it’s also about protecting against threats from within. The first step to security is awareness; therefore, it’s important that all your employees know not only the potential threats but also how to recognize and prevent such threats. Education and awareness empowers each employee with the knowledge of his role in protecting the organization’s network. This, in turn, will go a long way toward mitigating risk." Well said Doug Schweitzer! This week's Processor magazine has several interesting articles on security awareness and policies.
More risk management and security awareness links

Thursday, May 19, 2005

A risk management classic

"The crash of a critical legacy system at Comair is a classic risk management mistake ... the legacy system failed, bringing down the entire airline, canceling or delaying 3,900 flights, and stranding nearly 200,000 passengers. The network crash cost Comair and its parent company, Delta Air Lines, $20 million, damaged the airline's reputation and prompted an investigation by the Department of Transportation." Executives stalled all attempts to replace the old crew scheduling system until eventually it failed in service. Reading between the lines of the story, however, it is not clear whether the proposed replacements would have represented even greater risks.
More risk management links here

Thursday, April 14, 2005

Network security lessons from a Bronze age fort

The latest CSO Mag has a thoughtful article about a 3,000 year old Irish cliff-top fort, drawing various analogies between securing a fort vs. securing a network. Unfortunately, interesting though the analogy might be, a 3,000 year old fort offers minimal protection against modern weapons of war. Increasingly sophisticated adversaries using powerful new technologies remain a serious threat in any age. Oh and don't forget the Peasants' Revolt when the Tower Of London was breached by dint of bribing the gatekeeper. Social engineering has a long history too.

Wednesday, March 30, 2005

Distributed brute-force attacks

The US Secret Service uses a network of 4,000 computers for brute-force attacks on encrypted forensic evidence obtained from target systems, using plaintext snippets and information from the user's browsed websites as cribs or clues to possible passwords. The system is reminiscent of the DES cracker built in 1999 by the Electronic Frontier Foundation, but uses spare cycles on desktop PCs like the SETI@home project.
More confidentiality links here

Thursday, March 24, 2005

Web banking almost entirely safe

This is a brilliant parody by the New Zealand Herald's Willy Trolove of a typical bank's promotion of Internet banking, complete with get-out-of-jail-free clauses. It's a good reminder about the difficulties of balancing the benefits of information security controls against the costs for system users.

More internet security links here

Friday, March 11, 2005

Internet Storm Center report on worms and phish

The SANS Internet Storm Center maintains a watching brief on current network security issues. This is a fairly typical page from the handler's diary discussing a worm targeting PHP bulletin boards, phishing attacks and spyware. Dismiss the thought that these are purely theoretical threats.
More malware links here

GoToMyPC remote control security

GoToMyPC is a system for users to permit full remote access to their systems through the Internet from a standard browser. The system has clearly been designed with security in mind, incorporating numerous security controls as documented in this paper. However, no system is totally idiot-proof. If the additional two-factor authentication controls and other security mechanisms available in the high-end Corporate version are not used properly, a determined idiot can grant full remote access to anyone. Do you monitor or restrict out/inbound HTTP connections to/from GoToMyPC servers on your network? What about other similar systems? [By the way, the paper itself is a model of clarity. If only all system security designs were so thoroughly thought-out and so clearly and comprehensively documented!]
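The question above, whether you monitor HTTP connections to GoToMyPC servers, can be answered from the proxy log. Added example (not from the paper and not the vendor's): a scan over constructed proxy log lines that flags internal clients talking to a watch-list of remote-access domains, matching the apex domain and its subdomains only so that look-alike names are not flagged. The apex domain gotomypc.com is assumed to be the vendor's; the host names, client addresses and log format are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the vendor's apex domain; extend with whatever remote-access services
# your policy covers. Host names in the sample log are constructed.
WATCHLIST = {"gotomypc.com"}

# Constructed proxy log format: time client method target status bytes
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) "
    r"(?P<target>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

SAMPLE_LOG = """\
2005-03-11T09:15:02Z 10.1.2.3 CONNECT poll.gotomypc.com:443 200 1532
2005-03-11T09:15:09Z 10.1.2.9 GET http://www.example.com/index.html 200 8120
2005-03-11T09:16:41Z 10.1.2.3 GET http://www.gotomypc.com/ 200 4301
2005-03-11T09:17:05Z 10.1.2.3 CONNECT poll.gotomypc.com:443 200 980
2005-03-11T09:18:30Z 10.1.2.9 GET http://notgotomypc.com/ 200 512
this line is garbage that should be skipped, not crash the parser
2005-03-11T09:20:00Z 10.1.2.3 GET http://www.example.com/news 200 2210
"""


def target_host(method: str, target: str) -> str:
    """CONNECT targets are host:port with no scheme; everything else is a URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()


def on_watchlist(host: str, domains=WATCHLIST) -> bool:
    # exact apex or a subdomain of it; "notgotomypc.com" must not match
    return any(host == d or host.endswith("." + d) for d in domains)


def find_remote_access_clients(log_text: str, domains=WATCHLIST) -> dict:
    """Per internal client: how often it reached a watch-listed host, which ones, and when."""
    hits = defaultdict(lambda: {"requests": 0, "hosts": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # malformed line: skip, never raise
        host = target_host(m["method"], m["target"])
        if not on_watchlist(host, domains):
            continue
        h = hits[m["client"]]
        h["requests"] += 1
        h["hosts"].add(host)
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
    return {c: {**v, "hosts": sorted(v["hosts"])} for c, v in hits.items()}


if __name__ == "__main__":
    for client, info in find_remote_access_clients(SAMPLE_LOG).items():
        print(client, info)
```

The repeated CONNECT to the same host from one client is the shape a resident remote-access agent leaves in a proxy log, which is why the report keeps first and last times rather than a bare count. Whether the right response is to block the domain at the proxy or just to know who is using it is a policy question; the log gives you the facts either way.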

Friday, March 04, 2005

Bill Cheswick presentation

Bill Cheswick gave a fabulous presentation at the N.I.T.E.S conference in Dublin on March 1st entitled “My dad’s computer”. Ches’s dad’s PC was unprotected against malware and hence was chock-a-block with viruses, Trojans, spam and other digital detritus. Ches made the point that his dad has virtually no interest in or understanding of the technology and security implications, he simply wants to use his system in peace. Bill’s dad is all around us. Ches went on to describe his approach to securing his own systems with a heavy emphasis on hardening them by removing all unnecessary network services - ideally hard enough that firewalls are unnecessary. Thanks Ches!
More malware links here
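Ches's approach, remove every network service you do not need, is only as good as your ability to see what is actually listening. Here is an added example (not Ches's code) that parses /proc/net/tcp, the kernel's socket table on Linux, picks out the listening sockets and sorts them into approved, loopback-only and unexpected against an allow-list of ports. The table contents and the allow-list are constructed; the IPv6 table (/proc/net/tcp6) uses the same layout with longer addresses and is left out.

```python
import socket
import struct

LISTEN = "0A"   # kernel socket state codes: 0A = LISTEN, 01 = ESTABLISHED

# Constructed /proc/net/tcp content (IPv4 only). Addresses are little-endian hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11011 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     4        0 11020 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11031 1 0000000000000000 100 0 0 10 0
   3: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11042 1 0000000000000000 100 0 0 10 0
   4: 0B01A8C0:0016 0C01A8C0:C4A1 01 00000000:00000000 00:00000000 00000000     0        0 11055 1 0000000000000000 20 4 30 10 -1
"""


def hex_addr(field: str):
    """'0100007F:0277' -> ('127.0.0.1', 631): IP is host-order hex, port is big-endian hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_text: str) -> list:
    """Listening sockets only, with the owning uid and inode (to map back to a process)."""
    out = []
    for line in proc_text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 10 or parts[3] != LISTEN:
            continue
        ip, port = hex_addr(parts[1])
        out.append({"ip": ip, "port": port, "uid": int(parts[7]), "inode": int(parts[9])})
    return out


def audit_listeners(proc_text: str, allowed_ports: set) -> dict:
    """Approved ports pass; loopback-only listeners are low exposure; the rest need a reason."""
    report = {"approved": [], "loopback_only": [], "unexpected": []}
    for s in listening_sockets(proc_text):
        label = f"{s['ip']}:{s['port']}"
        if s["port"] in allowed_ports:
            report["approved"].append(label)
        elif s["ip"].startswith("127."):
            report["loopback_only"].append(label)
        else:
            report["unexpected"].append(label)
    return report


if __name__ == "__main__":
    ALLOWED = {22}                                   # constructed allow-list: ssh only
    print("sample:", audit_listeners(SAMPLE_PROC_NET_TCP, ALLOWED))
    try:
        with open("/proc/net/tcp") as f:             # live table on a Linux host
            print("this host:", audit_listeners(f.read(), ALLOWED))
    except OSError:
        pass
```

On the sample, ssh is approved, the printer daemon on 127.0.0.1 is noted as loopback-only, and the web server and portmapper on all interfaces come out as unexpected; the inode is what you join against /proc/*/fd to name the process. A service in the unexpected list is either added to the allow-list with a reason or removed, which is the whole of Ches's hardening loop.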
