Friday, March 31, 2006

March's Security Streams

A quick summary of March's Security Streams ( January, February ). It was an unbelievably busy month, and while I'm multitasking and diversifying on a daily basis, I'm certain you've enjoyed this month's streams, thanks for all the feedback you've been sending, it's a small world if you just let yourself realize it!

1. "DVD of the (past) weekend" The Lawnmower man -- God made him simple, Science made him God!

2. "February's Security Streams" a summary of all the posts during February

3. "Anti Phishing toolbars - can you trust them?" Recent phishing trends and the usefulness of anti-phishing toolbars discussed -- at the bottom line the complexity of the relatively simple concepts seems to ruin the whole effect, but wish phishing was that simple!

4. "Data mining, terrorism and security" Commentary on NSA's data mining interests and the still active Total Information Awareness program. Data mining is a very popular trend towards fighting terrorism -- and too ambitious, whereas storage of someone's life in a digital form is getting even cheaper, making sense of it all in a timely fashion still remains the biggest problem

5. "5 things Microsoft can do to secure the Internet, and why it wouldn't?" That's the second most popular post this month, right after "Where's my Oday, please?". Basically, it gives an overview of key points Microsoft can execute in order to secure the insecure by default Internet, and why it wouldn't. The post isn't biased at all, it's just the fact that their QA procedures open up the most easily exploited windows of vulnerability ever -- client side attacks on the IE browser. As a matter of fact, Fortune's latest issue has interviewed Steve Balmer in their QuestionAuthority column -- important fact MS's investors should keep in mind in respect to the future competitiveness of the company is how Balmer's kids are forbidden from using iPods and Google, which is very sad

6. "The Future of Privacy = don't over-empower the watchers!" We sacrifice our privacy, or have it abused on a daily basis in order to function in today's digital society, whereas there's nothing groundbreaking as a future trend besides giving too much power to the Watchers ensuring our "Security vs Privacy or what's left left from it"

7. "Where's my 0day, please?" Introducing the International Exploits Shop and providing relevant comments on the current state of the market for software vulnerabilities -- I wonder are the informediaries already talking/realizing the potential for an 0bay auction model as given the growing number of both sellers and buyers, such a model would sooner or later emerge. If it does not, you will continue comming across or digging for sites offering fresh 0day exploits that have the capacity to keep the media echo for yet another several weeks. CERT is totally out of the question, end users doesn't know what is going on, and everyone is trying to cash for being a vulnerability digger, not a researcher!

8. "DVD of the Weekend - The Immortals" Forget entertainment and enjoy this visionary adaptation of Enki Bilal's Nikopol Trilogy

9. "Security vs Privacy or what's left from it" Sacrifices drive success to a certain extend, whereas Security shouldn't be sacrifices for Privacy, at any cost!

10. "Old physical security threats still working" The old physical security trick of abusing a CD/DVD's autostart feature by installing malware on the PC seems to be fully working even today, which isn't a big suprise at all. Physical security threats have greatly change on the other hand as employers themselves have realized the possibility for insider abuse. And while you might be a little more secure from threats like these, at the end of they day you'll probably have your boss snooping around to find out where's that abnormal P2P traffic coming from :)

11. "Getting paid for getting hacked" Cyber insurance seems very attractive, and it really is, have your company's databases stolen, you'll get premium for it, receive a DDoS extortion letter, get it paid with a smile on the herder's face. Moreover, considering the big picture, I feel you'd rather have a security vendor take care of the consultation process, with the idea that their revenues will be at least spend on R&D security investments compared to an insurance company, or that's how at least I see it

12."Successful" communication" Dilbert rocks my world, my most important point on commercializing vulnerability research is how it's happening in exactly the worst moment ever. The immature concept of reporting vulnerabilities and the economics of the process itself didn't really need money in between. In the eyes of these vendors, which as a matter of fact go through my posts, I am a naysayer, and I'm not. I'm just trying to keep up a constructive discussion, and the results of it will soon be posted in here

13. "Weekend Vibes - Psychedelic/Goa Trance" My music evolution went through Rainbow, Deep Purple, started getting "hard" with Metallica, Off Spring, Guano Apes, to today's mix of alternative, classic rock and psychedelic/goa trance. No matter how your taste changes, don't forget where you've started from

14. "Is a Space Warfare arms race really coming?" Yes, it is and the more awareness is build on this issue, the higher the public discussion and hopefully, transparency of the activities. I find Secrecy a double-edged sword for an intelligence/military agency, as sometimes you just need to hear an average person's opinion on your megalomaniac ambitions. But given you are sincerelly backed up by a couple of billion dollars budget, your purchasing power becomes a bad habit of yours

15. "The Practical Complexities of Adware Advertising" Advertising players simply cannot periodically evaluate the maliciousness of their members as they will lose the scale necessary to keep the revenues growing. The participants on the other hand, are indeed getting ads and paid for displaying them, and of course, questionable content from time to time. Seaching around the IAB's site however, you wouldn't find any info on the idea of spyware/adware in today's booming online advertising market

16."Privacy issues related to mobile and wireless Internet access" Both end users and companies are "going mobile" and thefore the possibilities for privacy violations/physical security location are getting even more relevant

17."DVD of the Weekend - War Games" A little something on the movie and the recent "yet another Microsoft IE 0day" in the wild case

18."Are cyber criminals or bureaucrats the industry's top performer?" Paper tigers have an unprecedented effect on the loss of productivity and a society's progress -- the worst thing is how much they actually enjoy it! A very resourceful post that covers some important issues to keep in mind

19."Visualization in the Security and New Media world" or why a picture is worth a thousand packets?

UPDATE : Here are the unique and returning visitor graphs for the last several months, the outcome? Learn to understand your readers and how to retain them, thank you all for expressing your comments, contacting me, and keeping the discussion going!







Technorati tags :
,

Visualization in the Security and New Media world

Information visualization seems to be a growing trend in today's knowledge driven, and information-overloaded society. The following represents a URL tree graph of the Security Mind Streams blog -- looks resourceful! Want to freely graph your site/blog? Take advantage of Texone's tree, just make sure you don't forget to press the ESC key at a certain point.

In my first post related to "Visialization, intelligence and the Starlight project" I introduced you a fully realistic and feasible solution to filtering important indicators whatever the reason. Moreover, I also came across a great visualization of malware activity in another post summarizing malware trends around February. What I'm truly enjoying, is the research efforts put in the concept by both, security/IT professionals, and new media companies realizing that the current state of the mature text-based Web.

Ever wanted to see how noisy connect() scans actually are? In early stage of its development, people are already experimenting with the idea, find more about while going through "Passive Visual Fingerprinting of Network Attack Tools" paper. Things are getting much more quantitative and in-depth in another recommended reading on the topic "Real-Time Visualization of Network Attacks on High-Speed Links" whose purpose is to "show that malicious traffic flows such as denial-of-service attacks and various scanning activities can be visualized in an intuitive manner. A simple but novel idea of plotting a packet using its source IP address, destination IP address, and the destination port in a 3-dimensional space graphically reveals ongoing attacks. Leveraging this property, combined with the fact that only three header fields per each packet need to be examined, a fast attack detection and classification algorithm can be devised."

Presented at this year's BlackHat con "Malware Cinema, a Picture is Worth a Thousand Packets" will provide with much more fancy visualization concepts related to malware. Originally presented by Gregory Conti, you can also download the associated resources, and keep an eye on the audio in case you didn't attend the con.

As far as new media is concerned, I'm so impatient to witness more developments given how boring I find any of the browsers I've used so far -- and there're a lot of developments going on as always! Virtual worlds have the potential to change the face of the Web, the text/image based one the way we know it.

Remember how the federal agents were chatting face-in-face with the malicious attacker through the innovative and programmed for the masses browser, in NetForce? Hive7 is the alternative in 2006, and if you spend some with it, you'll be impressed by its potential -- say goodbye to the good old IRC?

UPDATE : LinuxSecurity.com picked up the post "Visualization in the Security and New Media world"

More resources can also be found at :

CAIDA Visualization Tools
NAV - Network Analysis Visualization
Digital Genome Mapping - Advanced Binary Malware Analysis
A Visualization Methodology for Characterization of Network Scans
NVisionIP : An Interactive Network Flow Visualization Tool for Security
Exploring Three-dimensional Visualization of Intrusion Detection Alerts and Network Statistics
Attacking Information Visualization System Usability Overloading and Deceiving the Human
Security Event Visualization and Analysis - courtesy of CoreLabs
A Visualization Paradigm for Network Intrusion Detection
FireViz: A Personal Firewall Visualizing Tool - the FireViz project

Technorati tags:
, , , , ,

Monday, March 27, 2006

Are cyber criminals or bureaucrats the industry's top performer?

Last week, I came across a great article at Forbes.com, "Fighting Hackers, Viruses, Bureaucracy", an excerpt :

"Cyber security largely ends up in the backseat," says Kurtz, who prior to lobbying did stints in the State Department, the National Security Council and as an adviser to President George W. Bush on matters relating to computer security. "Our job is to shine a bright light on it, to help people understand it."

Basically, it provides more info on how bureaucracy tends to dominate, and how security often ends up in the "backseat". Moreover, Paul Kurtz executive director of the Cyber Security Industry Alliance and it's multi-billion market capitalization members can indeed become biased on a certain occasions. Still, he provides his viewpoint on important legislative priorities :

- setting national standards for data breach notification

PrivacyRight's "Chronology of Data Breaches Reported Since the ChoicePoint Incident" keeps growing with the recent Fidelity's loss of laptop. Standards for data breach notification are important, and the trends is growing with more states joining this legal obligation to notify customers in case their personal information is breached into -- given they are actually aware of the breach. Moreover, with companies wondering "To report, or not to report?" and let me add "What is worth reporting?", Uncle Sam has a lot of work to do, that will eventually act as a benchmark for a great number of developed/developing countries. Personal data security breaches are inevitable given the unregulated ways of storing and processing the data, or is it just to many attack vectors malicious identity thieves could take advantage of these days? E-banking is still insecure, and protection against phishing seems too complicated for the "average victim". Compliance means expenses as well, so it better be a long-term one, if one exists given today's challenging threatscape.

- a law on spyware

Do your homework and try to bring some sense into who's liable for what. Claria obviously isn't, and it's not just pocket money we're talking about here. Spyware legislations are a very interesting topic, that I also find quite contradictive, laws and legislations change quite often, but given the Internet's disperse international laws, or the lack of such, a spyware/adware's vendor business practices may actually be legal under specific laws, or the simple absence of these.

- and ratification of the Council of Europe's Convention on Cybercrime

That's important, the Convention on Cybercrime I mean, would they go as far as ratifying Europe's well known stricter compared to the U.S privacy laws? Excluding the data retention legislation, and various other privacy issues to keep in mind, there's this tiny sentence in its privacy policy "Google processes personal information on our servers in the United States of America and in other countries. In some cases, we process personal information on a server outside your own country", makes it so virtually easy to bypass a nation's privacy regulations that I wonder why it hasn't received the necessary attention already. On the other hand, we have Interpol acting as a common cybercrime body, that according to a recent article :

"We need an integrated legal framework to exchange data. A lot of legislation doesn't consider a data stream as evidence, because the evidence is hidden behind 0s and 1s. We have to rethink the legislative framework". There is already such and that's the NSP-SEC - a volunteer incident response mailing list, which coordinates the interaction between ISPs and NSPs in near real-time and tracks exploits and compromised systems as well as mitigates the effects of those exploits on ISP networks. Still, The Internet Storm Center remains the most popular Internet Sensor.

No matter how many security policies you develop and hopefully implement, at the bottom line you either need regulations or insightful security czar in charge. And while the majority of industry players profitable provide perimeter based defenses, going through "2004's Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" a decision-maker will hopefully start perceiving the problem under a different angle. While I find plain-text communications a problem, Bluecoat seems to be actively working in exactly the opposite direction. And while I find measuring the real cost of Cybercrime rather hard, applying a little bit of marginal thinking still comes handy. The future of privacy may indeed seem shady to some, and while data mining is definitely not the answer, sacrificing security for privacy shouldn't be accepted at all. Moreover, do not take a survey's results for granted, mainly because "There's always a self-serving aspect to anything a vendor releases," says Keith Crosley, director of market development with messaging security vendor Proofpoint, which does a few surveys per year" - in NetworkWorld's great article "It's raining IT security surveys".

To sum up, I feel in the security world it's the malicious attacker having the time and financial motivation to "spread ambitions" that outperforms, while in the financial world, it's Symantec that is the top performer - (Google Finance, Yahoo! Finance) with its constant acquisitions and trendy business strategy realizing the current shift towards convergence in the industry. Wish they could also diversify and take some market share of WetPlanet Beverage's Jolt Cola drink :)

Illustration by Mark Zug

UPDATE : This post was recently featured at LinuxSecurity.com "Are cyber criminals or bureaucrats the industry's top performer?"

Technorati tags :
, , , , , , ,

DVD of the Weekend - War Games

Hi folks, as it's been a while since I last posted a quality post, I feel it's about time I catch up with some recent events. What I'm currently working on, is gathering a very knowledgaable bunch of dudes in order to open up a discussion on the emerging market for 0day vulnerabilities, and I'm very happy about the guys that have already showed interest in what I plan to do -- more on that around the week, or the beginning of the next week.

As you're all hopefully aware by now, yet another 0day IE vulnerability is in the wild, so either change your browsing habits for a little while(don't or you lose the battle, as secure surfing is still possible to a certain extend), or consider switching to another alternative -- security through obscurity isn't the panacea of fighting the problem in here, instead it's just a temporary precaution. On the other hand I'm desperately trying to promote my RSS compatible feed URL to make it easier for everyone to keep up to date with posts, whereas the majority of readers seem to enjoy reading the blog directly, I appreciate that!

As always, it's disturbing how "quality" always becomes the excuse for security, in respect to MS delaying patches (or is it just patches only?) whereas WebSense is already aware of over 200 web sites disseminating the exploit code, I wonder are they counting the hundreds of thousands of zombie pcs acting as propagation vectors. In one of my previous posts "5 things Microsoft can do to secure the Internet, and why it wouldn't?" I tried to summarize some of my thoughts on the problem, while on the other hand things definitely change pretty fast as always -- for the good I hope! Was the participants' secrecy in place, in order not to get a "shame on you" look from fellow hackers, whatever the reason, I doubt anyone is going to change their hats soon.

UPDATE :
Déjà Vu as Third Parties Ship IE Patches, and the patches themselves, while on the other hand it's great that anti-virus vendors have as well started detecting malicious sites using it.

Going back this weekend's DVD (check out the previous DVDs and vibes as well) War Games has shaped not just imaginations back in 1983, but acted as an important factor for the rise of another generation -- not wardialers, but wannabe hackers obsessed with command'n'control strategies such as Civilization 1 or Dune II, or at least that's how I remember it. Today's War Games have another dimension and it's called Network-Centric Warfare, or military communications and control over IP, and while there's a little chance an AI would malfunction and cause Doom's day, human factor mistakes will always prevail. As always, SFAM seems to have reviewed the majority of cool movies, so check out the review.

Technorati tags :
, ,

Tuesday, March 21, 2006

Privacy issues related to mobile and wireless Internet access

I just came across a research worth checking out by all the wardrivers and mobile/wireless Internet users out there. While it's written in 2004, "Privacy, Control and Internet Mobility", provides relevant info on an important topic - what kind of information is leaking and how can this be reduced. The abstract describes it as :

"This position paper explores privacy issues created by mo-
bile and wireless Internet access. We consider the information about the users identity, location, and the serviced accessed that is necessarily or unnecessarily revealed observers, including the access network, interme- diaries within the Internet, and the peer endpoints. In particular, we are interested in data that can be collected from packet headers and signaling messages and exploited to control the users access to communications resources and online services. We also suggest some solutions to reduce the amount of information that is leaked.
"

A more in-depth overview on the topic can also be found in "A Framework for Location Privacy in Wireless Networks", an excerpt :

"For example, even if an anonymous routing protocol such as ANODR is used, an attacker can track a user's location through each connection, and associate multiple connections with the same user. When the user arrives at home, she will have left a trail of packet crumbs which can be used to determine her identity. In this paper, we explore some of the possible requirements and designs, and present a toolbox of several techniques that can be used to achieve the required level of privacy protection."

Mobile/Wireless location privacy would inevitable emerge as an important issue given the growth of that type of communication, and the obvious abuses of it.

Technorati tags :
, , , ,

The Practical Complexities of Adware Advertising

A report released by the The Center for Democracy and Technology yesterday, "How Advertising Dollars Encourage Nuisance and Harmful Adware and What Can be Done to Reverse the Trend", outlines the practical complexities of Adware Advertising. It gives a great overview of the parties involved, discusses a case study "CDT egages the advertisers", as well as outlines a possible solution, namely Adoption and Enforcement of Advertising Placement Policies. Here's a excerpt from the research findings :

"At this point, CDT has set a low bar by merely asking a small group of companies to contact us to discuss their advertising policies in the context of nuisance and harmful adware. We are working to increase awareness of the complex business models associated with nuisance and harmful adware, and we are pointing advertisers to policies and criteria that already exist as a step towards creating and enforcing their own policies. It is also imperative that advertising networks engage in self-regulation in order to aid in this endeavor. Initiatives such as the TRUSTe Trusted Download Program can help to set certification standards and provide public criteria for evaluating adware makers. Advertisers must demand strict compliance from their affiliates and refuse to work with blind networks and other networks that cannot commit to following stringent advertising policies. Without advertising dollars, there would be no nuisance or harmful adware. CDT is committed to working with advertisers to stem the tide of this nefarious form of software."

Now, if major advertising platforms start measuring the maliciousness of the Web, namely evaluate the participants' condition on a regular basis, they will loose the scale necessary for generating the billions of dollars necessary to, sort of, live with click-fraud. In respect to future online advertising trends, I feel that cost per performance/action model, would sooner or later emerge, given the successful collective bargaining of all the sites participating -- I really hope so!

How it would influence Google's ability to perform financially, contribute to the growth of Web 2.0, being among the few companies born in, is yet another topic to speculate on. As a matter of fact, Google recently launched Google Finance, still I miss what's all the buzz all about as compared to Yahoo's Finance Google still has a lot of job to do, given they actually want to turn and position themselves as Yahoo! 2.0 in respect to turning into a Internet Portal -- which I doubt as they tend to be rather productive while disrupting.

Great report, so consider going through it. And, in case you're interested in learning more about the different spyware/adware legislations, current and future trends, you can also check Ben Edelman's and Eric Goldman's outstanding research on the topic.

The post recently appeared at Net-Security.org - "The practical complexities of adware advertising"

More resources can also be found at :

Spyware/Adware Podcasts
Top 10 Anti Spyware Apps reviewed
Clean and Infected File Sharing Programs

Technorati tags :
, , , ,

Monday, March 20, 2006

Is a Space Warfare arms race really coming?

In one of my previous posts "Who needs nuclear weapons anymore?" I was emphasizing on another, much more assymentric, still dangerous alternative, EMP weapons. I came across to a recent Boston.com article titled "Pentagon eyeing weapons in space" that's gives a relevant overview of the current state of the U.S's ambitions, an excerpt :

"The Pentagon is asking Congress for hundreds of millions of dollars to test weapons in space, marking the biggest step toward creating a space battlefield since President Reagan's long-defunct ''star wars" project during the Cold War, according to federal budget documents."

as well as some of the projects the request is going to be spent on :

-"One $207 million project by the Missile Defense Agency features experiments on micro-satellites, including using one as a target for missiles. This experiment ''is particularly troublesome," according to the joint report, ''as it would be a de-facto antisatellite test." "

-"A project description says the Air Force would test a variety of powerful laser beams ''for applications including antisatellite weapons."

-"The agency also has asked Congress for $220 million for ''Multiple Kill Vehicles," a program that experts say could be proposed as a space-based missile interceptor."

-"Meanwhile, the Air Force wants $33 million for the Hypersonic Technology Vehicle, envisioned as space vehicle capable of delivering a military payload anywhere on earth within an hour, according to an official project description."

Big government contractors(the majority of and past revenues secured bygovernment contracts) such as Northrop Grumman and Lockhead Martin are more than eager to get hold of implementing these projects and launching them into space.

I highly recommend you to read Space Warfare Foolosophy: Should the United States be the First Country to Weaponize Space? if you want to go through a very good point of view -- it's all about politics and who feels like getting superior. An arms race is slowly emerging, and that's the distrurbing part!

As a matter of fact, SFAM from the CyberpunkReview.com has recently featured a review of one of the best X-files episodes "Kill Switch" where the main characters try to escape an AI playing with leftover Star Wars military orbital lasers .

More resources can also be found at :

Orbital Weaponry
Space Based Weapons
Space Warfare Weapons
SpaceWar.com
Militarization and Weaponization of Space
Space and Electronifc Warfare (ELINT) Lexicon
Gyre's Space Warfare section
Directed Energy Warfare -- Space Age Weapons
Secret Orbiter System Revealed
Military Transformation Uplink: March 2006
Anti-Satellite Weapons
Military Space Programs
Space Weapons For Earth Wars
The Revolution in War (227 pages)
A Political Strategy for Antisatellite Weaponry
Space Weapons - Crossing the U.S Rubicon
Preventing the Weaponization of Space
Space Weapons: The Urgent Debate
Satellite Killers and Space Dominance
The Advent of Space Weapons
US Space Command Vision for 2020
China's Space Capabilities and the Strategic Logic of Anti-Satellite Weapons

U.S. Air Force Plans for Future War in Space - 2004
Space Warfare in Perspective - 1982

Technorati tags :
, , , , , ,

Friday, March 17, 2006

"Successful" communication

You know Dilbert, don't you? I find this cartoon a very good representation of what is going on in the emerging market for software vulnerabilities, and of course, its OTC trade practices -- total miscommunication and different needs and opinions. While different opinions and needs provoke quality discussion and I understand the point that everyone is witnessing that something huge is happening, "so why shouldn't I?", but at the bottom line, it's so obvious that there isn't any sort of mission or social welfare goal to be achieved, that everyone is commercializing what used to be the "information wants to be free" attitude.

Weren't software vulnerabilities supposed to turn into a commodity given the number of people capable and actually discovering them, where "windows of opportunities" get the highest priority as a con? That is, compared to commercializing vulnerability research, empowering researchers to the skies, and turning vulnerabilities into an IP, totally decentralizing the current sources of information, and fueling the growth of underground models, as it's obvious that for the time being vulnerabilities and their early acquirement seems to be where the $ is. What do you think?

Technorati tags :
, , , ,

Getting paid for getting hacked

In the middle of February, Time Magazine ran a great article on Cyberinsurance or "Shock Absorbers", and I feel this future trend deserves a couple of comments, from the article :

"As companies grow more dependent on the Internet to conduct business, they have been driving the growing demand for cyber insurance. Written premiums have climbed from $100 million in 2003 to $200 million in 2005, according to Aon Financial Services Group. The need for cyberinsurance has only increased as hacker move away from general mischief to targeted crimes for profit. Insurers offer two basic types of cyber insurance: first-party coverage will help companies pay for recovery after an attack or even to pay the extortion for threatened attacks, while third-party coverage helps pay legal expenses if someone sues after a security breach. Demand for insurance is also driven by laws in over twenty states that require companies to notify consumers if a breach compromises their personal data. However, prevention is still the top priority for most companies, since loss of critical data to competitors would do damage beyond the payout of any policy."

Cyber insurance seems to be an exciting business with a lot of uncertainty compared to other industries with more detailed ROIs, as I feel the information security one is missing a reliable ROSI model. I once blogged about why we cannot measure the real cost of cybercrime, and commented the same issue with the "FBI's 2005 Computer Crime Survey - what's to consider?". Don't get me wrong, these are reliable sources for various market indicators, still the situation is, of course, even worse. But how do you try to value security at the bottom line?

Bargaining with security, and negotiating its cost is projectable and easy to calculate, but whether security is actually in place or somehow improved, seems to be a second priority -- bad bargaining in the long-term, but marketable one in the short one.

Going back to the article, I hope there aren't any botnet herders reading this, especially the first-party coverage point. To a certain extend, that's a very pointless service, as it fuels the growth of DDoS extortion, as now it's the insurer having to pay for it, meaning there're a lot of revenue streams to be taken by the cybergang. While covering the expenses of extortion attempts is very marketable, it clearly highlights how immature the current state of the concept really is. Something else to consider, is that a lot of companies reasonably take advantage of MSSPs with the idea to forward risk/outsource their security to an experienced provider, and most importantly, budget with their security spending. And while the California's SB 1386 is important factor for growth of the service given the 20 states participating, with the number of stolen databases from both, commercial, educational and military organizations, insurers will start earning a lot of revenues that could have been perhaps spent in security R&D -- which I doubt they would spend them on, would they?

UPDATE:
The post has just appeared at Net-Security.org - "Getting paid for getting hacked", as well as LinuxSecurity.com - "Getting paid for getting hacked"

Related resources :

Cyber-Insurance Revisited
Economics and Security Resource Page
WEIS05 WorkShop on Economics and Information Security - papers and presentations
Valuing Security Products and Patches
The New Economics of Information Security
Safety at a Premium
Cyber Insurance and IT Security Investment Impact on Interdependent Risk
Valuing Security Products and Patches
Network Risks, Exposures and Solutions

Technorati tags :
, , ,

Thursday, March 16, 2006

Old physical security threats still working

In "The Complete Windows Trojans Paper" that I released back in 2003 (you can also update yourself with some recent malware trends!) I briefly mentioned on the following possibility as far as physical security and malware was concerned :

"Another way of infecting while having physical access is the Auto-Starting CD function. You've probably noticed that when you place a CD in your CDROM, it automatically starts with some setup interface; here's an example of the Autorun.inf file that is placed on such CD's:
[autorun]open=setup.exeicon=setup.exe So you can imagine that while running the real setup program a trojan could be run VERY easily, and as most of you probably don't know about this CD function they will get infected and won't understand what happened and how it's been done. Yeah, I know it's convenient to have the setup.exe autostart but security is what really matters here, that's why you should turn off the Auto-Start functionality by doing the following: Start Button -> Settings -> Control Panel ->System -> Device Manager -> CDROM -> Properties -> Settings"


and another interesting point :

"I know of another story regarding this problem. It's about a Gaming Magazine that used to include a CD with free demo versions of the latest games in each new edition. The editors made a contest to find new talents and give the people programming games the chance to popularise their productions by sending them to the Editors. An attacker infected his game with a new and private trojan and sent it to the Magazine. In the next edition the "game" appeared on the CD and you can imagine the chaos that set in."

Things have greatly changed for the last three years, while it may seem that global malware outbreaks are the dominant trend, slow worms, 0day malware and any other "beneath the AVs radar" concepts seem to be the next pattern.

It's "great" to find out that age-old CD trick seems to be fully working, whereas I can't reckon someone was saying "Hello World" to WMF's back then! TechWorld wrote a great article two days ago titled "Workers duped by simple CD ruse", an excerpt :

"To office workers trudging to their cubicles, the promotion looked like a chance at sweet relief from the five-day-a-week grind. By simply running a free CD on their computers, they would have a chance to win a vacation. But the beguiling morning giveaway in London's financial district last month was more nefarious than it appeared. When a user ran the disc, the code on it prompted a browser window that opened a Web site, Chapman said. The site then tried to load an image from another Web site, Chapman said."

While we can argue how vulnerable to security theats and end user is these days, compared to physical security ones, there are lots of cases pointing out the targeted nature of attacks, and the simple diversification of attack methods from what is commontly accepted as current trend. My point is that if you believe the majority of threats are online based ones, someone will exploit this attitude of yours and target you physically.

And while I feel the overall state of physical security in respect to end users and their workstations has greatly improved with initiatives such as ensuring the host's integrity and IPSs, what you should consider taking care of is - who is capable of peeping behind your back and what effect may it have on any of your projects? 3M's Privacy Filters are a necessity these days, and an alternative to the obvious C.H.I.M.P. (monitor mirror). Be aware!

UPDATE - this post recently appeared at LinuxSecurity.com - Old physical security threats still working

More resources on physical security can also be found at :

19 Ways to Build Physical Security into a Data Center
Securing Physical Access and Environmental Services for Datacenters
CISSP Physical Security Exam Notes
Physical Security 101
SANS Reading Room's Physical Security section

Technorati tags :
, ,

Wednesday, March 15, 2006

Security vs Privacy or what's left from it

My latest privacy related posts had to do with "The Future of Privacy = don't over-empower the watchers!" and "Data mining, terrorism and security" in respect to the the still active TIA and the hopes for the effectiveness out of data mining. While these are important topics I feel every decent citizen living in the 21st century should be aware of -- many still "think conspiracies" than real-life scenarios. At the bottom line, privacy violations for the sake of your security and civil liberties are a common event these days!

Today, I came across an article "Google must capitulate to DoJ, says judge" in relation to the DoJ's subpoena trying to get access to random sites and searches in order to justify its statement that anti-porn filters do not protect young children online. The NYtimes is also a running a story on this. What I truly liked is US District Judge James Ware's comment that he was reluctant to give the Justice Department everything it wanted because of the "perception by the public that this is subject to government scrutiny" when they type search terms into Google.com, that's right, but you would be also right to conclude that such requests would turn into a habit given Google's data aggregation power. It's s a complex process to run the world's most popular search engine when everyone wants to take a bite from you, at least they have hell of motto to sort of guide them in future situations like this, but is it?

This time it's a misjudged online porn request that gets approved, next time, it would be Google against the terrorists, again, for the sake of your Security, one backed up by a little bit of glue as on the majority of occasions!

Technorati tags :
, ,

Friday, March 10, 2006

DVD of the Weekend - The Immortals

The Lawnmower Man : Beyond Cyberspace was among the several other classic techno thrillers I was watching and mostly remembering pleasant times from the past. I actually got in touch with SFAM from the CyberpunkReview.com, and intend to contribute with another point of view to his initiative I highly recommend you to keep an eye on.

This weekend, I want to recommend you one of the best European film productions ever, namely Enki Bilal's adaptation of his Nikopol Trilogy - The Immortals.

Here's an excerpt from a review, and another one :

"New York City, year 2095. A floating pyramid has emerged in the skies above, inhabited by ancient Egyptian Gods. They have cast judgment down upon Horus, one of their own. Now he must find a human host body to inhabit, and search for a mate to continue his own life. Below, a beautiful young woman with blue hair, blue tears and a power even unknown to her, wanders the city in search of her identity. Reality in this world has a whole new meaning as bodies, voices and memories converge with Gods, mutants, extra-terrestrials and mortals."

The Matrix did shock, and set a new benchmark by combining Hollywood's passion for entertainment, and Japan's culture, still, European productions such as the 5th Element, and The Immortals, are on my hall of fame for effects and the stories themselves. Enjoy it!

Technorati tags :
, , , , , , ,

Tuesday, March 07, 2006

Where's my 0day, please?

A site I was recently monitoring disappeared these days, so I feel it's about time I blog on this case. I have been talking about the emerging market for software vulnerabilities for quite some time, and it's quite a success to come across that the concept has been happening right there in front of us. Check out the screenshots. The International Exploits Shop I came across to looks like this :

It appears to be down now, while it has simply changed its location to somewhere else. Google no longer has it cached, and the the only info on this wisely registered .in domain, can be found at Koffix Blocker's site.

A lot of people underestimate the power of the over-the-counter(OTC), market for 0day security vulnerabilities. Given that there isn't any vulnerabilities auction in place that would provide a researcher with multiple proposals, and the buyers with a much greater choice or even social networking with the idea to possibly attract skilled HR, the seller is making personal propositions with the idea to get higher exposure from the site's visitors. Whoever is buying the exploit and whatever happens with it doesn't seem to bother the seller in this case.

As there's been already emerging competition between different infomediaries that purchase vulnerabilities information and pay the researchers, researchers themselves are getting more and more interested in hearing from "multiple parties". Turning vulnerability research, and its actual findings into an IP, and offering financial incentives is tricky, and no pioneers are needed in here!

There's been a lot of active discussion among friends, and over the Net. I recently came across a great and very recent research entitled "Vulnerability markets - what is the economic value of a zero-day exploit?", by Rainer Boehme, that's worth the read. Basically, it tries to list all the market models and possible participants, such as :

Bug challenges
- Bug challenges are the simplest and oldest form of vulnerability markets, where the producer offers a monetary reward for reported bugs. There are some real-world examples for bug challenges. Most widely known is Donald E. Knuth’s reward of initially 1.28 USD for each bug in his TEX typesetting system, which grows exponentially with the number of years the program is in use. Other examples include the RSA factoring challenge, or the shady SDMI challenge on digital audio watermarking

Bug auctions
-Bug auctions are theoretical framework for essentially the same concept as bug
challenges. Andy Ozment [9] first formulated bug challenges in the terms of auction theory,
in particular as a reverse Dutch auction, or an open first-price ascending auction. This allowed him to draw on a huge body of literature and thus add a number of eciency enhancements to the original concept. However, the existence of this market type still depends on the initiative of the vendor

Vulnerability brokers
-Vulnerability brokers are often referred to as “vulnerability sharing circles”. These clubs are
built around independent organizations (mostly private companies) who oer money for new vulnerability reports, which they circulate within a closed group of subscribers to their security alert service. In the standard model, only good guys are allowed to join the club

-Cyber Insurance
Cyber-insurance is among the oldest proposals for market mechanisms to overcome the security market failure. The logic that cures the market failure goes as follows: end users demand insurance against financial losses from information security breaches and insurance companies sell this kind of coverage after a security audit. The premium is assumed to be adjusted by the individual risk, which depends on the IT systems in use and the security mechanisms in place.

Let's try define the market's participants, their expectations and value added through their actions, if any, of course.

Buyers
-malicious (E-criminals, malware authors, competitors, political organization/fraction etc.)
-third party, end users, private detectives, military, intelligence personnel
-vendors (either through informediary, or directly themselves, which hasn't actually happened so far)

Sellers
-reputable
-newly born
-questionable
-does it matter at the bottom line?

Intermediaries
-iDefense
-ZeroDayInitiative
-Digital Armaments

Society
-Internet
-CERT model - totally out of the game these days?

As iDefense simply had to restore their position in this emerging market developed mainly by them, an offer for $10,000 was made for a critical vulnerability as defined by Microsoft. I mean, I'm sort of missing the point in here. Obviously, they are aware of the level of quality research that could be sold to them. Still I wonder what exactly are they competing with :

- trying to attract the most talented researchers, instead of having them turn to the dark side? I doubt they are that much socially oriented, but still it's an option?

- ensuring the proactive security of its customers through first notifying them, and them and then the general public? That doesn't necessarily secures the Internet, and sort of provides the clientele with a false feeling of security, "what if" a (malicious) vulnerability researcher doesn't cooperate with iDefense, and instead sells an 0day to a competitor? Would the vendor's IPS protect against a threat like that too?

- fighting against the permanent opportunity of another 0day, gaining only a temporary momentum advantage?

- improving the company's clients list through constant collaboration with leading vendors while communication a vulnerability in their software products?

A lot of research publications reasonably argue that the credit for the highest social-welware return goes to a CERT type of a model. And while this is truly, accountability and providing a researcher with the highest, both tangible, and intangible reward for them is what also can make an impact. As a matter of fact, is blackmailing a nasty option that could easily become reality in here, or I'm just being paranoid?

To conclude, this very same shop is definitely among the many other active out there for sure, so, sooner or later we would either witness the introduction of a reputable Auction based vulnerabilities market model, or continue living with windows of opportunities, clumsy vendors, and 0day mom-and-dad shops :) But mind you, turning vuln research into IP and paying for it would provide enough motiviation for an underground 0bay as well, wouldn't it?

14.03.2006

OSVDB's Blog - Where's my 0day, please?
OSVDB's Blog - Vulnerability Markets

11.03.2006

LinuxSecurity.com - Where's my 0day, please?
FIRST - Where's my 0day, please?

10.03.2006 - Sites that picked up the story :

Net-Security.org - Where's my 0day, please?
MalwareHelp.org- The International Exploits Shop: Where's my 0day, please?
Security.nl - Internationale Exploit Shop levert 0days op bestelling
WhiteDust.net - Where's my 0day, please?
Reseaux-Telecoms.net - Danchev sur l'Achat de failles
Informit Network - 0-Days for Sale

09.03.2006 - Two nice articles related to the issue appeared yesterday as well, "Black market thrives on vulnerability trading", from the article :

"Security giant Symantec claims that anonymous collusion between hackers and criminals is creating a thriving black market for vulnerability trading. As criminals have woken up to the massive reach afforded to their activities thanks to the Internet, hackers too are now able to avoid risking prison sentences by simply selling on their findings. Graeme Pinkney, a manager at Symantec for trend analysis, told us: 'People have suddenly realised that there's now a profit margin and a revenue stream in vulnerabilities... There's an element of anonymous co-operation between the hacker and criminal.'"

and "The value of vulnerabilities", a quote :

“ There are no guarantees, and therefore I think it would be pretty naive to believe that the person reporting the issue is the only one aware of its existence. That in itself is pretty frightening if you think about it. "

Technorati tags:
, , , , , , ,

The Future of Privacy = don't over-empower the watchers!

I blog a lot about privacy, anonymity and censorship, mainly because I feel not just concerned, but obliged to build awareness on the big picture the way I see it. Moreover, I find these interrelated and excluding any of these would result in missing the big picture, at least from my point of view. Some posts I did, worth mentioning are : "Anonymity or Privacy on the Internet?", "China - the biggest black spot on the Internet’s map", "2006 = 1984?", "Still worry about your search history and BigBrother?", "The Feds, Google, MSN's reaction, and how you got "bigbrothered?", "Twisted Reality", "Chinese Internet Censorship efforts and the outbreak", and the most recent one, "Data mining, terrorism and security".

Yesterday, I read a very nice essay by Bruce Schneier "The Future of Privacy" and while I feel it has been written for the general public to understand, you can still update yourself on some of the current trends he's highlighting, mostly the digital storage of our life activities, and how possible it really is. Some comments that made me an impression though :

"The typical person uses 500 cell phone minutes a month; that translates to 5 gigabytes a year to save it all. My iPod can store 12 times that data. A "life recorder" you can wear on your lapel that constantly records is still a few generations off: 200 gigabytes/year for audio and 700 gigabytes/year for video." - scary stuff, but so true!

"Today, personal information about you is not yours; it's owned by the collector." - if you were to question the practices of each and every "collector" you wouldn't be able to properly function in the 21st century.

"The city of Baltimore uses aerial photography to surveil every house, looking for building permit violations." - typical Columbian style, still applicable in here.

"In some ways, this tidal wave of data is the pollution problem of the information age. All information processes produce it. If we ignore the problem, it will stay around forever. And the only way to successfully deal with it isto pass laws regulating its generation, use and eventual disposal."

I agree on regulation, given someone follows and it's actually implemented, still, I feel it's all about balancing the powers of the public and the rulling parties. The more a government is empowered to invade privacy in one way or another, the higher the risk of them abusing their power, or even worse, having their communications infrastructure wiretap-ready for third parties.

UPDATE - this post recently appeared at LinuxSecurity.com - The Future of Privacy = don't over-empower the watchers!

Technorati tags :
, ,

Monday, March 06, 2006

5 things Microsoft can do to secure the Internet, and why it wouldn't?

In my previous post on Internet security, I was just scratching the surface of "How to secure the Internet", and emphasized that plain text communications, insecure by design, and our inability to measure the costs of cybercrime, are among the things to keep in mind.

Now, If I were asked about monocultures, "ship it now, patch it later" attitudes or slow reactive approaches, I would quickly ask is it Microsoft you're talking about? It's a common weakness to blame the most popular or richest companies before rethinking the situation, or even worse, waiting for someone else to secure you, instead of you trying to figure out how to achieve the balance. Is Linux, or, OS X more secure than Microsoft's Windows, or they are just not popular enough to achieve the scale of vulnerabilities, even interest in exploiting their weaknesses?

Important questions arise as always :

- Are Microsoft's products insecure by default, or what is insecure in this case?
- Should Microsoft's number of known vulnerabilities act as a benchmark for commitment towards security, quality of the software, or should this be totally excluded given the tempting target Microsoft's products really are?
- Should a vendor be held liable for not releasing a patch in a timely fashion, and what are the acceptable timeframes, given how quickly malware authors take advantage, and "worm the vulnerability"?

These and many other points led me to the idea of brainstorming on what Microsoft could do to secure the Internet as a whole, and contribute to the social welfare of the society(a $100 laptop powered by a hand crank, is so much better than a smartphone, given it's education, and not entertainment you're looking for! ). This is not an anti-microsoft oriented post, they've got enough anti-trust legislations and Vista issues to deal with, yet, it's a summary of my thoughts while going through Slashdot's chat with Mike Nash VP of security, and some Microsoft's comments on today's state of the market for software vulnerabilities.

1. Think twice before reinventing the security industry

What is the first thing that comes across your mind when you picture Microsoft as a security vendor? A worst case scenario for the Internet as a whole? Just kidding, but still, with such a powerful brand, BETA products, and their legal monopoly from my point of view, is quite a good foundation besides constant acquisitions. Microsoft is a software company, software innovation is among their core competencies. Yet, today’s fast growing information security market opens up many more profitable opportunities. Though, I’d rather they stick to their current OEM licensing agreements by the time they actually come up with something truly unique. Acquiring companies indeed improves competitiveness, but is it just me seeing the irony of entering the security industry without first dealing with the idea internally? The introduction of a OS build-in firewall, and bi-directional and fully working with IPSec for Vista would immediately provide Microsoft with a great opportunity to start serving certain market segments, while it would leave them in experimental mode while MS is gaining the experience.

Why it wouldn’t?

Because the information security market is growing so steadily, that if Microsoft doesn’t take a piece of the pie, it would be a totally flawed business logic. And they want to do it as independently, thus more profitably, as possible. The recent FBI’s 2005 Computer Crime Survey indicated that the majority of security dollars are spent on antivirus, antispyware, and perimeter based security solutions, no one would miss that opportunity. While you can acquire competitive advantage, and actually buy yourself an anti virus vendor, you cannot do the same with core competencies, moreover, I once said "less branding, but higher preferences", and you might end up making the right decision for the time being. Moreover, to operate in today’s anti virus market you need a brand name and if you don’t have it, there’s a great chance you wouldn’t be able to gain any market share, of course if you you don’t somehow capitalize on a niche, and introduce innovative competitive features. The rest is all about OEM agreements and licensing technologies or the opportunity to provide a service, still, it's Microsoft's brand and market development practices to worry about. Passport, Trustworthy Computing, InfoCard it's all under Microsoft's Brand umbrella.

2. Become accountable, first, in front of itself, than, in front of the its stakeholders

What is accountability in this case anyway? Releasing a patch given a vulnerability is known within a predefined timeframe? Set, report and improve its own benchmark on a fast response towards a security threat? Overall commitment as a whole? You cannot simply say “hold on” when the entire world is waiting for you to release a patch, any excuse in such a situation should be considered as lack of responsibility. And given that no vendor has been held liable for not releasing a patch in a timely manner, why would they bother to be the benchmark? I think the problem isn’t the lack of resources, but understanding the importance of it. Microsoft is so huge and powerful that’s its clumsiness is in direct proportion with this fact, isn't it. Can Elephants Indeed Dance in this case? Microsoft’s VP of Security Mike Nash, made a lot of comments for a Slashdot interview that made me an impression, such as :

“Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time.” – I can argue that nothing has changed since then, can you?

Why it wouldn’t?

Mainly because of the actual commitment, though I feel Microsoft could evolve if it manages to find the balance between being a software company with ambitions in the security industry. First, the clear benefits should be understood, and they obviously aren’t. I greatly feel that until a customer, or a legal party doesn’t start questioning various practices, this self-regulation is not getting us anywhere. Gratefully, the are independent researchers out there that have a point way faster than the vendor itself. I think exchanging information in a way that satisfies both parties would be the best thing to do. Employees training without successful evaluation of the progress is useless, and while seeking accountability from a programmer has been greatly discussed, I feel that outsourcing the auditing is always an option worth keeping in mind. Would confidentiality of the ultra-secret Microsoft’s code be breached? I doubt so given they implement close activities monitoring and the Manhattan project style operations and cooperation between teams.

Don’t get me wrong, Microsoft’s software will always be blamed for being insecure, but instead I feel its defacto position as an OS turns it into an exciting daily research topic, whereas its anti-trust compliance practices such as sharing technical details so that competitors could – puts them in a very unfavourable $279.83B market capitalization position. Security shouldn’t be something to live with as if it’s normal, instead it should be provoked by means of active testing and proactive solutions. I feel what they are missing is a legal incentive to promptly comply with patch releases, while on the other hand can you picture the outcome of a minor tax deduction in case a milestone in the release of proactive security vulnerabilities is reached, and watch them securing!

3. Reach the proactive level, and avoid the reactive, in respect to software vulnerabilities

Have you even imagined Microsoft releasing proactive patches to fix 0day vulnerabilities it has managed to find out though third-party code auditing practices, or within its internal quality assurance departments? Sounds too good to be true, but reaching the proactive level is an important step, so hold your breath, the did it with Vista already! Still, their practices with dealing with the reactive response are questionable, and as it often happens, the window of opportunity due to their efforts to testing and localizing the patches for all their customers(the entire world) is causing windows of opportunities that I could argue drive the security industry.

Why it wouldn’t?

Resources and commitment, though the first can be successfully outsourced. What I greatly feel the company is missing is a clear strategy towards understanding the benefits, and eventually the commitment to do it. Microsoft isn’t insanely obsessed with the idea to provide bugs free software, but features rich one. And the way MSN is not going to get more allocated budget compared to MS Office, it’s going to take a while by the time they realize the importance and key role they play as being on the majority of PC and servers worldwide. Some comments again :

"I often get asked the question, "who has been fired for shipping insecure code at Microsoft?" My usual answer here is that we are still learning a lot about security at Microsoft and that most of the security issues that we deal with don't come as a result of carelessness or disregard for the process, but rather new vectors of attack that we didn't understand at the time."

4. Introduce an internal security oriented culture, or better utilize its workforce in respect to security

Google’s 70/20/10 rule is an example, and while Microsoft tends to position itself as THE software company, to some it may be competing with other major software vendors, or the Open Source threat, it actually competes on IQ basis. Flame them, talk whatever you want, they are still able to attract the smartest people on Earth to work for them. My point is, that introducing a Google style culture, where engineers and anyone from their employees spend 10% of their time on personal projects, this time towards security, it would inevitable make an impact on finding the balance between usability and security on any of its products. Devoting any percentage of work time towards security related projects and initiatives would

Why it wouldn't?

They pretend they have their own corporate citizenship methods, and moreover, they hate Google with a reason. Or is it about the culture, spending time on security/hacking cons to find out that's driving the industry, or basically stop shipping products with the majority of features turned on by default with the idea to "show off" their features?

5. Rethink its position in the security vulnerabilities market

Would this mean there would be more monopolistic sentiments? I’m just kiddin’ of course though it’s still questionable. Would a Microsoft’s initiative to recruit outstanding vulnerability researchers and actually purchase their research have any effect at all? It would definitely help them I cannot actually imagine Microsoft paying for 0day IE vulnerabilities, but I can literally see them catching up with week delay on the WMF vulnerability. But the usefulness and the potential of this approach are enormous, and the intelligence gathered will provide them with unique business development opportunities, given they actually take advantage of them.

Microsoft has stated numerous time that it doesn’t agree with the practice of buying security vulnerabilities, and while I also don’t agree that commercializing the current state of the process of discovering, exploiting, and patching is the smartest thing to do, picture a $250k bounty for information leading to the arrest of virus writers being spent on secure code auditing, or push/pull software vulnerabilities approach with reputable researchers only – it would make a change for sure.

Why it wouldn't?

Because the biggest problem of a 800 pound gorilla is its EGO with capital letters. We are not interested in pulling intelligence from you, we are interested in pushing you the final results branded with Microsoft’s logo. Is it profitable? It is. Is it realistic in today’s collective intelligence dominated Web? It isn’t, and the whole concept has to go beyond Live.com from my point of view. Until, then, let’s still say a big thanks for playing such a vital role in our society’s progress, but no one seems to tolerate the security trade-offs anymore, that’s a fact.

To conclude, as I’ve said I think it isn’t the lack of resources, but understanding the importance of the issue. What do you think, what else can Microsoft do, and why it wouldn’t? :)

Technorati tags :
,