Monday, December 19, 2005

Insiders - insights, trends and possible solutions

A recent research of the content monitoring market, and the U.S 2004’s "Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" I've recently read, prompted me to post an updated opinion on this largely unsolved issue.

I have been keeping an eye on the insider problem for quite some time, in fact, I have featured a short article entitled “Insiders at the workplace - trends and practical risk mitigation approaches” in Issue 18 of the monthly security newsletter you can freely subscribe yourself to!

Insider as a definition can be as contradictive as the word “cheater” is :-) Does an individual become an insider even when thinking about it, or turns into such prior to initiating an action defined as insider’s one? The same way, can someone be defined as a “cheater” just for thinking about what’s perceived as cheating, compared to actually doing anything?! :-) When does one become the other, and is this moment of any importance to tackling the problem?

The biggest trade-off as far as the insider’s problem is concerned is between dealing with the problem while ensuring productivity, and that the company’s work environment isn’t damaged -- exactly the opposite. And while productivity is extremely important, the direct, or most often indirect and long-term loss of intellectual property theft is currently resulting in a couple of billion dollar unmaterialized revenues for nations/enterprises across the globe.

Going through 2004's “Annual Report to Congress on Foreign Economic Collection and Industrial Espionage”, a major trend needs to be highlighted as I greatly believe it’s a global one, namely, private enterprises efforts to obtain access to sensitive technologies in unethical way, outpaces a foreign government’s efforts to do the same. Corporations spy more on one another than governments do, but is this truly accurate? I don’t think so! The use of freelancers, among them ex-intelligence officers or experienced detective agencies to conduct national funded economic espionage is a growing trend, and the lines in this area are so blur, we should therefore try to grasp the big picture when it comes to national competitiveness -- both companies and nations directly/indirectly benefit from possible economic/industrial espionage, and you can’t deny it!

Yet another important fact to keep in mind, is the unusually high success of the oldest, and most common sense social engineering attack -- asking!! In certain cases a social engineer will inevitably establish contact with customer-service obsessed personnel taking care of you all your requests! A certain organization’s members may experience troubles differentiating sensitive and secret information, not taking the first one as serious as they should. Even worse -- U.S Secret Service and CERT’s “Insider threat Study : Illicit Cyber Activity in the Banking and Finance sector” reveal that,”83% of the insider threat cases took place physically from within the insider’s organization, and another 70% in all cases, the incidents took place during normal working hours”! No secretaries or CEO’s logging in at 3:00AM, and in this case, the lack of detected security incidents posed by insiders, means they are already happening!

Though, I have always looked at the insider’s issue, from both negative and positive point of view. Can an insider be of any use for the good of a free speech organization or a government? Yes, it can if you take into account the U.S government’s efforts to locate democratically minded individuals living in countries with restrictive regimes, or active Internet censorship efforts.

Now given, you are truly interested in the democratization of this particular region, and not another successful PSYOPS operation, being able to locate, establish, and actually, maintain contact with these individuals will prove crucial in case of a objective picture of what exactly is going on there! Ignoring the local, totally biased news streaming for certain regions, and focusing on locating insiders within rogue states has been a common practice for years.

Is there a market for protecting from intellectual property theft and sensitive information leakage? If so, how does it ensures today’s digital workplace, and road warriors’s flexibility is not sacrificed for the sake of protecting the company’s resources? Mind you, the current solutions scratch only the surface of the issue -- creating digital signatures of data and trying to spot it leaving the network. While a commonly accepted approach, it’s like one way authentication(passwords) when it comes to access control-- the first line of defense, but among the many other!

The insiders’ problem is far more broader one and given the today’s complexity and connectivity, a possible insider’s actions will most often constitute of normal daily activities. But what is the market up to anyway?

Currently, the content monitoring market is steadily growing fueled by the need of ensuring information marked as sensitive, or intellectual property doesn’t leave the company’s premises, or is alerted when someone attempts to transfer it, due to negligance or on purposely!

The main players are : Vontu, Tablus, Reconnex, and Vericept.

Whereas these solutions are a great concept,they all mainly rely on content analysis,and sensitive information signatures,monitoring multiple exit point)(email,web,chats,forums,p2p,ftp, even telnet), namely, reactive protection, while sophisticated insider’s actions may remain hidden due to covert channels or 0day vulnerabilities in the vendor’s product for instance!

Something else to consider, is should a IP(intellectual property) trap be considered as a benchmark for insider tensions?! In other words, should you consider an employee that has been on purposely sent a link containing company information he/she isn’t supposed to have access to, but has clicked to obtain it? Stanford thinks – yes! The University suspended potential candidates for obtaining info on their admission process only by following a link..you are either a one or zero, right?

Honeypots targeting insiders have also been discussed a long time ago by Lance Spitzner, from the Honeynet Project. Another proactive protection would be to look for patterns defined as malicious behavioral based mostly.

From an organization’s point of view, take into consideration the following :
- Clearly communicate the consequences, both individual and career, in case an insider is somehow identified, based on the company’s perception of the problem
- Ensure the momentum of negative attitude towards the organization is minimized to the minimum to ensure the lack of to-be-developed post-effect negative sentiments
- Do no fell victim of the common misunderstanding that technology is the key to the solution. Insiders are the people your technology resources empower to do their daily tasks, technology is as often happens, the faciliator of certain actions
- Does system identification accountability have any actual effect? My point, does as user’s loss of accounting data, resulting in successful attack is anyhow prosecuted/tolerated. If it isn’t, this puts any employee in extremely favorable “it wasn’t my fault” position, where the data could be shared, on purposely exposed, sold, pretended to be stolen etc.
- Building active awareness towards the company’s efforts and commitment to fighting the problem will inevitably discourage the less motivated wannabe insiders, or at least make them try harder!

From a nation’s point of view, the following issues should be taken into consideration :
- In today’s increasingly transparent and based on digital flow of information marketplace, open source intelligence capabilities played a leading role in the development of cost-effective competitive intelligence solutions. Even though, nations or their companies are very interested in exploiting today’s globalized world.
- Ensuring the adequate security level of the private and academic sectors’ infastructure(where research turns into products and services, or exactly the opposite) through legislations, or further incentives, will improve the national competitiveness, while preserving the current R&D innovations, as secret as necessary.
- Outsourcing should be considered as a important factor contributing to information leakage, and the individuals involved, or the company’s screening practices, should be carefully examined.
- A fascinating publication that I recently read is “Quantifying National Information Leakage” describing the implications of the Internet’s distributed nature, namely to what extend, U.S Internet traffick is leaking around the world, where it “passes by”. A nation’s habit or lack of efficient alternative of plain-text communications can prove tricky if successfully exploited. Of course, this doesn’t include conspiracy scenarios of major certificate authorities breached into.

The insiders’ problem will remain an active topic for discussion for years to come given its complexity and severity of implications. Insiders’s metrics are a key indicator for patterns tracking, whereas their creativity shouldn't be underestimated at any cost!

In case you are interested in various recommended reading, statistics, and other people’s point of view, try this research :

Cyberterrorism - don't stereotype and it's there!

I wrote my first article on “Cyberterrorism – an analysis”(in Bulgarian, HiComm Magazine) back in 2003, arguing that Cyberterrorism is a fully realistic scenario, given you don’t picture terrorists melting down nuclear power plants over the Internet, but an organization determined to achieve all of its objectives, and using the digital medium to do so.



My second article "Cyberterrorism and Cyberwars - how real's the threat?"(in Bulgarian, CIO.bg) was greatly extended, and so was my understanding of the concept by the time. I often come across badly structured articles on the topic, even worse, ones starting to discuss the wrong concept -- the biased one! Where terrorists try to attack the critical infrastructure, well, they wouldn’t, they’d rather abuse instead of destroying it!



Merely evaluating a terrorist groups ability to conduct devastating DDoS attacks, or hack into U.S government computers, is the biased wrong concept I just mentioned. If terrorist groups want DDoS power, they wouldn’t rewrite their training manuals, instead, they would simply hire the people to do it, or request on point’n’click interface for their actions. Can this kill a person? If yes, how come, if not, is this Cyberterrorism at all?

Thinking about complex topics always involves dimensional approach, understanding of motives, and implying a little bit of marginal thinking to grasp the big picture. Terrorists killing people over the Internet myth is greatly influenced by the success of any terrorist organization’s “PR” activities – spread fear, and build active propaganda though taking lives, and distributing the freely available media later on. So, if no lives are taken, why call it terrorism? Mainly because, cyberterrorism in my point of view isn’t an entirely new concept as some try to put it, it’s an extension of real life terrorism activities into cyberspace, and its evolution at a later stage.

Starting from the basic premises that terrorists need to communicate with each other, keep themselves up-to-date in today’s OSINT(open-source intelligence world), recruit potential members, and continue their active propaganda taking advantage of Internet’s many joys, in respect to anonymity(given it’s achieved), speed, and a bit of a black humor – interactivity!

Cyberterrorism as a concept from my point of view consists of their need for :

- platform for communication
No other medium can provide better speed, connectivity, and most importantly anonymity, given it’s achieved and understood, and it often is. Plain encryption might seem the obvious answer, but to me it’s steganography, having the potential to fully hide within legitimate (at least looking) data flow. Another possibility is the use secret sharing schemes. A bit of a relevant tool that can be fully utilized by any group of people wanting to ensure their authenticity and perhaps everyone’s pulse, is SSSS - Shamir's Secret Sharing Scheme. And no, I’m not giving tips, just shredding light on the potential in here! The way botnets of malware can use public forums to get commands, in this very same fashion, terrorists could easily hide sensitive communications by mixing it with huge amounts of public data, while still keeping it secret.

- platform for open source intelligence

Undoubtedly, there has never been so much publicly accessible information that could aid in the organizing and plotting terrorist acts. Measure the impact of a certain bombing? – check out the news and figure out what has changed ever since, research and obtain digital photos, even satellite imagery, it’s available. Try to figure out the latest specifications for RFID passports to come, and why it matters to you – keep on reading the specifications..! Transparency is always tricky!

The way a government can successfully identify terrorist sentiments around the Web, even precise sites to be put under close surveillance, terrorists on the other hand keep track of each and every major/minor global change anyhow affecting their goals or ambitions.

- platform for propaganda/recruitment
Now, don’t picture “Outstanding CV, here’s the address of our training camp in Pakistan, please, first introduce the idea to your friends, then share the address. Nuke the planet!” type of conversation :-)

Recruitment over the Internet is a contradictive topic, and many will argue that it’s irrelevant. I can argue too that there are people for all kinds of things, from maintaining mailings lists, to acting as freelancers whenever a resource, like an infected PC for anonymous communication is needed. Believe it or not, terrorists are silently but very actively building a web presence. In fact, these days you could even download execution clips directly from a terrorist’s web site. What’s else to note is the irony of how many terrorists web sites are actually hosted on U.S service provider’s servers, and you keep on looking for them around the world, check your backyard before looking at the neighbors :-)

Another important aspect of recruiting in such a way, is the location of people with obsessive
islamic views, someone actively expressing his/her hate towards the U.S and actually being of any use. For instance, there are cases of terrorist propaganda malware, where the author(a teenager, or sophisticated attacks?!) clearly expresses his/her support towards a “cause”.
This case is like the one I mentioned in my previous post concerning insiders, that is the way U.S government looks for democracy minded individuals in restrictive regime countries(the Win32/Cycle.A.worm), the very same way terrorists could spot similarly minded individuals holding important positions or knowledge on certain topic. Are any of these people screaming for recruitment, and would somebody listen?

- direct attack exploitation possibllities (people eventually die?!)
Is the electronically obtained a major food manufacturer's facility truck schedules of any use to terrorists interested in eventually hijacking and

Someone once mentioned a scenario related to U.S RFID passports, namely a bomb could automatically detonate, given there’re certain number of "broadcasted", note the term, U.S citizens around, that’s scary, but how about the same applies to mobile malware detecting U.S carriers for the same purpose?!

In the last article I wrote on the topic, I made an argument on where’s the line of a 19 year’s old boy shutting down 911 through ingenious technique for the fun of it, and a terrorist organization exploiting vulnerability in the system at a crucial moment in time let’s say?! What if people die out of the teen’s actions, but the terrorists’ attempt is quickly detected? Should cyberterrorism be judged based on the motives, or who’s actually behind it? I think it’s a combination of both!

- indirect attack exploitation possibilities
Should a terrorists’ use of phishing attacks, where the revenues go directly into funding further terrorist activities, both, cyber, real-life actions be considered an option?
Should a terrorist’s actions for hiring a person, directly obtaining certain social numbers, sensitive and detailed financial information, or anything else to assist a successful identity theft, with the idea to impersonate for a real-life terrorist scenario be considered an option? Yes, they both should!
This particular list is endless, the scenarios I can only leave to someone else’s psychological
imagination!

My worst case scenarios,though, consist of terrorists realizing the impact a target/mass directed intellectual property theft, cryptoviral extortion attack targeting the majority of U.S businesses. And as I often say, it’s all a matter of coordination with the idea to increase the impact!

To conclude, Terrorists are not rocket scientists unless we make them feel so!
Consider going through the following research for different point of views, and key facts :

How Modern Terrorism Uses the Internet

Insiders - insights, trends and possible solutions

A recent research of the content monitoring market, and the U.S 2004’s "Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" I've recently read, prompted me to post an updated opinion on this largely unsolved issue.

I have been keeping an eye on the insider problem for quite some time, in fact, I have featured a short article entitled “Insiders at the workplace - trends and practical risk mitigation approaches” in Issue 18 of the monthly security newsletter you can freely subscribe yourself to!

Insider as a definition can be as contradictive as the word “cheater” is :-) Does an individual become an insider even when thinking about it, or turns into such prior to initiating an action defined as insider’s one? The same way, can someone be defined as a “cheater” just for thinking about what’s perceived as cheating, compared to actually doing anything?! :-) When does one become the other, and is this moment of any importance to tackling the problem?

The biggest trade-off as far as the insider’s problem is concerned is between dealing with the problem while ensuring productivity, and that the company’s work environment isn’t damaged -- exactly the opposite. And while productivity is extremely important, the direct, or most often indirect and long-term loss of intellectual property theft is currently resulting in a couple of billion dollar unmaterialized revenues for nations/enterprises across the globe.

Going through 2004's “Annual Report to Congress on Foreign Economic Collection and Industrial Espionage”, a major trend needs to be highlighted as I greatly believe it’s a global one, namely, private enterprises efforts to obtain access to sensitive technologies in unethical way, outpaces a foreign government’s efforts to do the same. Corporations spy more on one another than governments do, but is this truly accurate? I don’t think so! The use of freelancers, among them ex-intelligence officers or experienced detective agencies to conduct national funded economic espionage is a growing trend, and the lines in this area are so blur, we should therefore try to grasp the big picture when it comes to national competitiveness -- both companies and nations directly/indirectly benefit from possible economic/industrial espionage, and you can’t deny it!

Yet another important fact to keep in mind, is the unusually high success of the oldest, and most common sense social engineering attack -- asking!! In certain cases a social engineer will inevitably establish contact with customer-service obsessed personnel taking care of you all your requests! A certain organization’s members may experience troubles differentiating sensitive and secret information, not taking the first one as serious as they should. Even worse -- U.S Secret Service and CERT’s “Insider threat Study : Illicit Cyber Activity in the Banking and Finance sector” reveal that,”83% of the insider threat cases took place physically from within the insider’s organization, and another 70% in all cases, the incidents took place during normal working hours”! No secretaries or CEO’s logging in at 3:00AM, and in this case, the lack of detected security incidents posed by insiders, means they are already happening!

Though, I have always looked at the insider’s issue, from both negative and positive point of view. Can an insider be of any use for the good of a free speech organization or a government? Yes, it can if you take into account the U.S government’s efforts to locate democratically minded individuals living in countries with restrictive regimes, or active Internet censorship efforts.
Now given, you are truly interested in the democratization of this particular region, and not another successful PSYOPS operation, being able to locate, establish, and actually, maintain contact with these individuals will prove crucial in case of a objective picture of what exactly is going on there! Ignoring the local, totally biased news streaming for certain regions, and focusing on locating insiders within rogue states has been a common practice for years.

Is there a market for protecting from intellectual property theft and sensitive information leakage? If so, how does it ensures today’s digital workplace, and road warriors’s flexibility is not sacrificed for the sake of protecting the company’s resources? Mind you, the current solutions scratch only the surface of the issue -- creating digital signatures of data and trying to spot it leaving the network. While a commonly accepted approach, it’s like one way authentication(passwords) when it comes to access control-- the first line of defense, but among the many other!

The insiders’ problem is far more broader one and given the today’s complexity and connectivity, a possible insider’s actions will most often constitute of normal daily activities. But what is the market up to anyway?

Currently, the content monitoring market is steadily growing fueled by the need of ensuring information marked as sensitive, or intellectual property doesn’t leave the company’s premises, or is alerted when someone attempts to transfer it, due to negligance or on purposely!

The main players are : Vontu, Tablus, Reconnex, and Vericept.
Whereas these solutions are a great concept,they all mainly rely on content analysis,and sensitive information signatures,monitoring multiple exit point)(email,web,chats,forums,p2p,ftp, even telnet), namely, reactive protection, while sophisticated insider’s actions may remain hidden due to covert channels or 0day vulnerabilities in the vendor’s product for instance!

Something else to consider, is should a IP(intellectual property) trap be considered as a benchmark for insider tensions?! In other words, should you consider an employee that has been on purposely sent a link containing company information he/she isn’t supposed to have access to, but has clicked to obtain it? Stanford thinks – yes! The University suspended potential candidates for obtaining info on their admission process only by following a link..you are either a one or zero, right?

Honeypots targeting insiders have also been discussed a long time ago by Lance Spitzner, from the Honeynet Project. Another proactive protection would be to look for patterns defined as malicious behavioral based mostly.
From an organization’s point of view, take into consideration the following :
- Clearly communicate the consequences, both individual and career, in case an insider is somehow identified, based on the company’s perception of the problem
- Ensure the momentum of negative attitude towards the organization is minimized to the minimum to ensure the lack of to-be-developed post-effect negative sentiments
- Do no fell victim of the common misunderstanding that technology is the key to the solution. Insiders are the people your technology resources empower to do their daily tasks, technology is as often happens, the faciliator of certain actions
- Does system identification accountability have any actual effect? My point, does as user’s loss of accounting data, resulting in successful attack is anyhow prosecuted/tolerated. If it isn’t, this puts any employee in extremely favorable “it wasn’t my fault” position, where the data could be shared, on purposely exposed, sold, pretended to be stolen etc.
- Building active awareness towards the company’s efforts and commitment to fighting the problem will inevitably discourage the less motivated wannabe insiders, or at least make them try harder!

From a nation’s point of view, the following issues should be taken into consideration :
- In today’s increasingly transparent and based on digital flow of information marketplace, open source intelligence capabilities played a leading role in the development of cost-effective competitive intelligence solutions. Even though, nations or their companies are very interested in exploiting today’s globalized world.
- Ensuring the adequate security level of the private and academic sectors’ infastructure(where research turns into products and services, or exactly the opposite) through legislations, or further incentives, will improve the national competitiveness, while preserving the current R&D innovations, as secret as necessary.
- Outsourcing should be considered as a important factor contributing to information leakage, and the individuals involved, or the company’s screening practices, should be carefully examined.
- A fascinating publication that I recently read is “Quantifying National Information Leakage” describing the implications of the Internet’s distributed nature, namely to what extend, U.S Internet traffick is leaking around the world, where it “passes by”. A nation’s habit or lack of efficient alternative of plain-text communications can prove tricky if successfully exploited. Of course, this doesn’t include conspiracy scenarios of major certificate authorities breached into.

The insiders’ problem will remain an active topic for discussion for years to come given its complexity and severity of implications. Insiders’s metrics are a key indicator for patterns tracking, whereas their creativity shouldn’t be understimated at any cost!

In case you are interested in various recommended reading, statistics, and other people’s point of view, try this research :

Wednesday, December 14, 2005

IP cloaking and competitive intelligence/disinformation

SearchSecurity.com are running a great article entitled "IP cloaking becoming a business necessity", that I simply can't resist to express my opinion on.

Great concept that’s been around since the days of Anonymizer, who were perhaps the first enterprise to start targeting enterprise and government
users looking for ways to hide their online activities, be it unstructured data aggregation, competitive intelligence or simple end users' browsing.

Getting back to SearchSecurity's article, I don’t really consider a company’s SEC fillings or annual reports (found on any corporate web site) a trade secret! In this particular case, I bet it was extraoridinary traffic from known partners that tipped them that there's a sudden interest in the company's business performance. Any organization could easily look for patters on its web server, such as how often certain stakeholders visit it, given they use their associated netblocks, or ones known to be used by them. What to also to note is that, given the stakeholders in this case, employees, stockholders, suppliers, government, the general public or anyone else has a claim on the way the organization operates, it would be hard, pretty much impossible to differentiate intentions of any of these.

Small companies can easily measure their popularity among the big players, again, given these companies use their netblocks, but a large corporation with hundreds of thousands visitors, would have to put extra efforts in measuring, not only what's popular, but who's reading it, and are they on our watchlist.

How to compile these? Even though I'm certain someone out there has taken the time and effort to compile a Fortune 500 IP ranges list the way GovernmentSecurity.org have compiled a Government&Military; IP ranges list. I soon expect to see companies offering segmented service for watchlists like the ones I mentioned, for instance - law firms, financial institutions, non-profit organizations segmented on geographical location, let's say New York or Tokyo based ones. An in-house approach can always be applied by any company, no matter of its size, all you have to do is your homework at RIPE.net for instance :

RSA Security
Symantec
Sophos
Kaspersky
ISS(Internet Security Systems)

An important trend though, is how the transparency that the ICANN wants to build whenever a domain is registered in order to easily prosecure cyber criminals will open up countless opportunities for open source intelligence professionals or wannabe's. A recently released report by the U.S Government Accountability Office, found 2.3M domain names registered with false data, given that's just the result they came up by sampling. Here're also the important findings. Without any doubt, it should be known who's who in the Internet's domain and IP blocks space, but knowing it and complying with this due to regulations, or good will is going to lead to further consequences for your organization.

Let's take anti-virus vendors for instance. I often say that anti virus is a necessary evil - given it's active!! Signatures based defense is futile, windows of opportunities emerge faster, 0day threats contribute, and overall, malware is starting to attack on a segmented based level => less major outbreaks, but the rates of signature updates is still a benchmark the public and some of the vendors like talking about. Email-Worm.Win32.Doombot.b for instance, is a good example of how the malware author is rendering the antivirus software into a useless application, just by blocking it from accessing its(publicly available, easy to find out through sniffin' etc.) update locations.

Even though the author wish he/she could "write" to these locations, that's not necessary, but the temporary advantage of exposing the user/organization to a particular window of opportunity, by making sure access to removal instructions and actual updates is disabled! Doombot's list is short, and a bit of a common sense one compared to others. And as always, the general public, sick of ads, and parasites, have taken the effort to constantly release updated hosts files to tackle their concerns. I wonder when, and how are vendors going to address this important from my point of view issue?

IP cloaking at the corporate level is still in its early stages, but represents a growing market due the following factors, among many others of course :

- governments and intelligence agencies are actively taking advantage of open source intelligence, OSINT, and vendors are already starting to offer relevant services. The Anonymizer among others, has also specially government/enterprise tailored services

- enterprises are getting extremely conscious about what others know of their surfing interests, and what are stakeholders on their watchlist looking at, on any of their extranets or corporate web sites

- citizens from countries with extremely restrictive Internet censorship practices will fuel the market's growth even more

Further reading can be found at :
Protecting Corporations from Internet Counter-Intelligence
Cloaking types

Technorati tags :
,,,

Monday, December 12, 2005

0bay - how realistic is the market for security vulnerabilities?

In Issue 19 (July, 2005) of the Astalavista Security Newsletter that I release on a monthly basis, I wrote an article entitled "Security Researchers and your organization caught in between?" whose aim was to highlight a growing trend, namely the monetization of vulnerability research, who benefits and who doesn't.

A recent, rather significant event at least for me covering and monitoring this issue for quite some time now, was an Ebay listing for a "brand new Microsoft Excel vulnerability". A bit ironical, but I had a chat with Dave Endler, director of security research at TippingPoint, and the issue of their future position as bidders for someone else's research were discussed a week before the Ebay's listing in Issue 23 (November, 2005) of Astalavista's Security Newsletter.


Two of today's most popular, and at least public commercial entities paying hard cash for security vulnerabilities are : iDefense, and the ZeroDayInitiative (TippingPoint).

But what is the need for creating such a market? Who wins and who loses? What are the future global implications for this trends, originally started by iDefense?

In any market, there are sellers and buyers, that's the foundation of trade besides the actual exchange of goods/services and the associated transaction. What happens when buyers increase, is that sellers tend to increase as well, and, of course, exactly the opposite. Going further, every economy, has its black/underground or call it whatever you want variation. And while some will argue a respected researcher will contribute to the the development of even more botnets, who says it has to be respected to come with a vulnerability worth purchasing?! It's a Metasploit world, isn't it?!

Going back to the market's potential. Sellers get smarter, transparency is build given more buyers join seeking to achieve their objectives in this case, provide proactive protection to their clients only, and build an outstanding, hopefully loyal researchers' database. These firms, to which I refer as buyers have happened to envision the fact that there are thousands of skilled vulnerability researchers', who are amazingly capable, but aren't getting a penny out of releasing their vulnerabilities research. Ego is longer important, and getting $ for research on a free will basis is a proven capitalistic approach. What these companies(and I bet many more vendors will open themselves for such a service) didn't take into consideration in my opinion, is that, starting to work with people giving $ as the ultimate incentive will prove tricky in the long-term.

What will happen of the Swiss cheese of software(yet the one that dominates 95% of the OS market today) Microsoft starts bidding for security vulnerabilities in its products? Bankruptcy is not an option, while I doubt they will ever take this into consideration, mainly because it would seriously damage a market sector, the information security one. Imagine, just for a sec. that Microsoft decides to seriously deal with all its vulnerabilities? But today's lack of accountability for software vendors' actions related to vulnerabilities is making it even worse. If MS doesn't get sued for not releasing a patch in any time frame given, why should we, the small compared to MS vendor care?

Howard Schmidt, former White House cybersecurity adviser, once proposed that programmers should be held responsible for releasing vulnerable code. I partly agree with him, you cannot cut costs in order to meet product/marketing deadlines while hiring low skilled programmers who do not take security into consideration, which opens another complex discussion on what should a developer focus on these days - efficiency or security, and where's the trade-off?

I originally commented on this event back then :
The position of Schmidt prompts him to address critical issues and look for very strategic solutions which may not be favored by the majority of the industry as I’m reading through various news comments and blogs. I personally think, he has managed to realize the importance of making a distinction in how to tackle the vulnerabilities problem,who’s involved, and who can be influenced, where the ultimate goal is to achieve less vulnerable and poorly coded software. Software vendors seek profitability, or might actually be in the survival stage of their existence, and as obvious as it may seem, they facts huge costs, and extremely capable coders or employees tend to know their price! 

What’s the mention are the tech industry’s “supposed to be” benchmarks for vulnerabilities management, picture an enterprise with the “IE is the swiss cheese in the software world in terms of vulnerabilities, and yet no one is suing Microsoft over delayed patches” – lack of any incentives, besides moral ones, in case there’re clear signs and knowledge that efficiency is not balanced with security. And that’s still a bit of a gray area in the development world.

Vulnerabilities simply cannot exist, and perhaps the biggest trade-off we should also face is the enormous growth of interactive applications, innovation approaches for disseminating information, with speeds far outpacing the level of attention security gets. Eventually, we all benefit out of it, web application vulnerabilities scanners and consultants get rich, perhaps the (ISC)² should take this into consideration as well :-)

Even though you could still do the following :
- build awareness towards common certifications addressing the issue
- ensure your coders understand the trade-offs between efficiency and security and are able to apply certain marginal thinking, whereas still meet their objectives
- as far as accountability is concerned, do code auditing with security in mind and try figure out who are those that really don’t have a clue about security, train them
- constantly work on improving your patch release practices, or fight the problem from another point of view

But unless, coders, and software vendors aren’t given incentives, or obliged under regulations (that would ultimately result in lack of innovation, or at least a definite slow down), you would again have to live with uncertainly, and outsource the threats posed by this issue. M icrosoft’s “Improving Web Application Security: Threats and Countermeasures” book, still provides a very relevant information.

Slashdot’s discussion


What also bothers me, is how is the virginity of the vulnerability identified? I mean, what if I have already found it, developed an exploit for it, sold it to the underground, and cashed with the industry as well, and no one came across it on his/her :) honeyfarm? The researcher's reputation is a benchmark, but in the long-term, the competitive market that's about to appear, will force the buyers to start working on a mass basis. There's a definitely a lot to happen!

Welcome to the wonderful world of purchasing 0-day security vulnerabilities! Have an enemy, bid for his ownage, have a competitor, own them without having to attract unnecessary attention, I'm just kiddin' of course, although the possibilities are disturbing.

What I really liked about this important moment in vulnerability research, was that it was about time the security researchers wanted to see how valued their research is in terms of the only currency that matters in the process - the hard one. In my point of view, monetizing the vulnerabilities research market wasn't the best strategic approach on fighting 0-day vulnerabilities, in this case, ensure you have the most impressive minds on your side, and that your clients get hold of the latest vulnerabilities before the public does.

So - who's the winner - it's...Symantec who first realized the long-term importance of security vulnerabilities, and where, both researchers and actual vulnerabilities are - Bugtraq/SecurityFocus, by acquiring it for US$75 million in cash, back in 2002, and later one integrating its joys into the DeepSight Analyzer - remarkable. Both from a strategic point of view, and mainly because that, by the time any post on any of the associated mailing lists doesn't get approved, it's Symantec's staff having first look at what's to come for the day of everyone.

SecurityFocus is running a story about the Ebay vulnerability listing, and so is eWeek, Slashdot also picked up the story. It was about time for everyone, given it actually happened during the weekend :-)


 
Technorati tags :

Wednesday, December 07, 2005

How to create better passwords - why bother?!

I have recently came across a practical article on how to create a better passwords, couresy of CSO Magazine. It reminded me of how many times I find myself actually getting into the science of passwords maintenance and creation in order to enforce real-life, cost-effective scenarios, while on the other hand, get myself seriously concerned on how easy it is to have your accounting data abused!

During the years I have written several articles, like this one - Creating and Maintaining Strong Passwords, mainly with the idea to actually provide a pragmatic approach on tackling weak, and prone to be cracked passwords. The result, at least from a sniffing point of view *grin* was that most of my friends lacking security knowledge, were indeed getting concerned by their easy to guess passwords. Later on, they were turning them into entire passphrases with the idea to avoid not having them cracked. That's an example of a "false feeling of security".

And while it was a progress compared to how predictable their passwords really were, strong passwords doesn't address the following issues that I later on covered in another article - Passwords - Common Attacks and Possible Solutions, namely, passwords can be :

- Sniffed
- Recovered
- Unintentionally shared
- Keylogged
- etc.

Recently, both from a CSO's point of view, and the financial industry, two factor authentication, has been gaining a lot of acceptance, in my opinion primary because of its tangibility. It greatly improves the authentication process, given the integrity of the system, and the network itself. And while from an organization's or bank's point of view providing tokens to the entire work force would represent a huge investment, I strongly feel prioritizing in respect to important customers, and executives will play an important role.

On October 12, 2005, the Federal Financial Institutions Examination Council, released its Guidance on Authentication in Internet Banking Environment, thereby enforcing the use of advanced, compared to passwords based only, authentication approaches.

Would it work? I doubt so, but it limits the age-old attacks we are so used to seeing in respect to passwords.

Bruce Schneier has been discussing the dangers of the two factor authenticaion buzz, and as far as online banking is concerned, Candid Wüest has written a very good paper on Today's threats to online banking, namely the techniques discussed fully apply to any type of authentication. Passwords are out of the topic, even two factor authentications has its good and bad sides to it comes to end users' awareness, implementation and configuration.

What are the practical alternatives these days?

Password Safe is a bit unpractical(still works for lots of people out there) in today's interconnected world, namely, a HDD crash for instance would cause a lot of trouble to everyone, let's not mention the "availability" of the data. Just1Key seems to solve this problem to a certain extend. I also recommend you verify the strenght of your passwords by taking advantage of the Password Strenght Meter ComputerWeekly, are also running an article "Security : have passwords had their day?", they sure haven't, at least not on a large scale, the way I've always wanted to see it - One Time Passwords in Everything! Check out RSA's One-Time Password Specifications , the concept in itself has the time frame advantage!

Further reading on the topic can be found at :

Technorati tags :