Thursday, April 27, 2006

A comparison of US and European Privacy Practices

A new study on "US and European Corporate Privacy Practices" was released two days ago, and as I constantly monitor the topic knowing EU's stricter information sharing and privacy violations laws comparing to the U.S, thought you might find this useful. To sum up the findings :

"European companies are much more likely to have privacy practices that restrict or limit the sharing of customer or employees' sensitive personal information and are also more likely to provide employees with choice or consent on how information is used or shared," said David Bender, head of White & Case's Global Privacy practice." still at the "sharing sensitive information is bad" promotional stage, I feel the research reasonable points out the lack of a systematic technical approach, bureaucracy can also be an issue, but with so many CERTs in Europe there's potential for lots of developments I think. Established in 2004, ENISA is the current body overseeing and guiding the Community towards data protection practices -- slowly, but steadily gaining grounds.

"But the research also revealed that US companies are engaging in more security and control-oriented compliance activities than their European counterparts. As a result, US corporations scored higher in five of the eight areas of corporate privacy practice." - structured implementation on a technical level, that is people auditing networks and being accountable in case of not doing so, and privacy policies by default. A little something bringing more insight from the Safe Harbor framework :

"The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of data bases with those agencies, and in some instances prior approval before personal data processing may begin."

Of course there are differences and there should always be as they provoke constructive discussions, but among the many well-developed survey questions, some made me a quick impression :

"Is there a process for communicating the privacy policy to all customers and consumers?" Europe - 33% United States - 69%

"Is privacy training mandatory for key employees (those who handle, manage or control personal information)?" Europe - 22% United States - 62%

"Do you use technologies to prevent unauthorized or illegal movement or transfer of data or documents?" Europe - 17% Unites States - 45%

"Will the company notify individuals when their personal information is lost or stolen?" Europe 33% United States - 62%

Perimer based defenses naturally dominate as a perception of being secure, still, I feel that the growing infosec market and IT infrastructures in both the U.S and Europe would continue to fuel the growth of new technologies and also result in more informed decision makers -- at the bottom line it's always about a common goal and better information sharing.

DIY Marketing Culture

Problem - big name advertising agencies, and self forgotten copywriters easily turn into an obstacle for a newly born startup, the way marketing researchers can easily base your entire service/product development efforts on a single survey's results. Generating content, thinking content is the king, trying to sense and understand your customers' needs or where the market is heading to for the sake of responding with profitable propositions, I think is a self-centered, in-the-box mode of thinking that would cease to exist with customers becoming more informed.

Solution - Don't get too "product-concept" centered, instead solve a problem profitably and retain their satisfaction for as long as possible. Let your customers dictate the rules, and perhaps even generate your entire marketing promotional efforts themselves -- literally. Did you know you could get yourself custom printed MM's? I recently found out I can, and I'm already expecting the packs.

Or how the successfully positioned as a secure alternative to IE, FireFox browser actually invested pennies in spreading the word about it? Moreover, a $5000 bounty can indeed promote creativity, given they are comfortable with the idea, and with the 280 user-generated ads generated at FireFox Flicks I think they did it again, no wait, their users did it. Take your time to go through the flicks, it's worthwhile.

Question the concepts, rethink them, and disrupt with whatever the outcome.

Wednesday, April 26, 2006

In between the lines of personal and sensitive information

In a previous post, "Give it back!" I mentioned the ongoing re-classification of declassified information and featured some publicly known sources for information on government secrecy. Today I came across to a news item relating to the topic in another way, "States Removing Personal Data from Official Web Sites", more from the article :

"At least six states use redaction software, which digitally erases information. It can be tailored to excise nine-digit entries such as SSNs. Chips Shore, circuit court clerk for Florida's Manatee County, removed SSNs and bank account numbers from 3 million public records on the Web site. Another 2.5 million court records were redacted before going online."

That's an interesting way to fight the problem from the top of it, namely personal data security breaches that never stop growing, but I wish they came up with the practice either by default years ago, or understand today's dynamics of the threat. Even if they start implementing this on a wide scale, it doesn't mean identity theft would stop occuring, or that phishing attacks wouldn't trick them into giving the complete details. Having implemented a process for securely storing, accessing and trasfering such sensitive customers' bank data, often results in complexities, but using "redaction software" when you can actually take advantage of a risk management solution, isn't the smartest move here -- yet again that's the effect of today's dynamics and ever-changing attack vectors. What's the point of putting so much efforts into sanitizing the data before going online with it, when an outsourcer, or an employee whose responsibilities include working with it will somehow expose it? Wait, forgot the naive customer who's still taking all the phishing emails received "personally". Don't think SSNs and bank accounts "redaction", but insiders and storage/database security.

In respect to removing sensitive information from the Web, I feel the unability of successfully classifying information and balancing the accountability in front of society to a certain extend, generates contradictive responses. If you try to take down a document that has been somehow listed on the Internet or available in digital format, what you're doing is actually inspiring people to disseminate it, that include news agencies as well, so make sure it doesn't appear there at the first place. Recent cases such as these :

"DOD removes missile defense system report from Web site"
"NORAD orders Web deletion of transcript"
"Air Force One data removed from Web Site revealed details of security measures on president's jets"
"Leaks of Military Files Resume"

bring more insights on the issue. It is well known that the entire Chinese information warfare doctrine is backed up by the NCW visions of U.S's military -- they still have Sun Tzu's legacy though -- and that Al Qaeda's manuals actually quote U.S military's documents. If you know what exactly you're looking for, you will find it one way or another, just make sure information-sharing doesn't end up as an information leakage event.

Going beyond achieving the balance between usability, accountability, and secrecy, I also feel that disinformation and deception are reasonably taking place as well, given the reader is actually identified and consequently influenced.

Tuesday, April 25, 2006

Wild Wild Underground

Where's the real underground these days, behind the shadows of the ShadowCrew, the revenge of the now, for-profit script kiddies, or in the slowly shaping real Mafia's online ambitions? Moreover, is all this activity going on behind the Dark Web, or the WWW itself? Go through this fresh overview, emphasizing on today's script kiddies, 0days as a commodity, malware and DDoS on demand on the WWW itself, and perhaps a little bit of vendors' tolerated FUD.

In a previous post, I mentioned on the existence of the International Exploits Shop, the Xshop, basically a web module where 0days, and service support in terms of videos, PHP-based configuration etc. are provided to anyone willing to get hold of a 0day/zero-day vulnerability -- scary stuff, yet truly realistic concept that's directly bypassing today's infomediaries that purchase vulnerabilities.

I must admit I didn't do homework well enough to figure out that the Hack Shop has been changing quite some places for the last two years and having offered many other vulnerabilities, going beyond what I came across to two months ago -- the Internet offers a much wider set of potential buyers than from the three informediaries for the time being. As a reader gave me a hint, in the future images would protect that type of pages from crawling activities, and it's interesting to note that previous versions of the shop were doing exactly the same, while the last one I got tipped about, was using text on its pages. What's also important to mention is that these are the public propositions, ones placed on the WWW, and not the Dark Web, the one behind closed doors.

Last month, Sophos mentioned on the existence of a multi-exploit kit for an unbelievably cheap price :

"A Russian website is selling a spyware kit for $15. The website promises an easy-to-deploy spyware that only requires users to trick their victims into visiting a malicious website. The website even offers technical support. Carole Theriault, senior security consultant at Sophos, says such websites invite script kiddies and other unskilled would-be hackers into the world of cybercrime for profit."

Rather interesting, WebSense Security Labs looked further, came up with the screenshots from the site itself, cut the last screenshot you can clearly see here (Disable adobe acrobat web capture, Disable opera user, Kill frame, Location lock, Referrer lock) but again spread the rumour of multi-exploit kit for sale at $15, of course for entering the for-profit cyber crime business -- a little bit of FUD, sure, but the sellers aren't still that very desperate I think.

So, I decided to look even further and now can easily conclude -- it depends where you're buying it from, I mean even the official site sells it at a price that way too high for an average script kiddie to get hold of multi-exploits pack -- whether outdated or not can be questioned as well. So, the kit officially goes for $300 and, $25 for updates, I also came across it for $95, but I bet they are a lot of people looking for naive wannabe exploiters out there. As you can see on these screenshots, it has the ability to encrypt HTML pages, parts of the page, and take precautions for curious folks trying to figure out more about the page in question, and it makes me wonder on how well would malicious HTML detection would perform here, if it does?

What's the outcome -- script kiddies with attitude are basically compiling toolsets of old exploits and building all-in-one malware kits. As you can even see, they are lazy enough not to keep an eye on its detection status, a sign of "growing" business for sure, yet the "underground" seems to Ph34r going to the Opera , so take your note.

I recently came across to a great article "The Return of the Web Mob" you can find more details on the topic as well, such as :

"I saw one case where an undetectable Trojan was offered for sale and the buyers were debating whether it was worth the price. They were doing competitive testing to ensure it actually worked as advertised," said Jim Melnick, a member of Dunham's team."

"In November 2005, Mashevsky discovered an attempt to hijack a botnet. [The] network of infected computers changed hands three times in one day. Criminals have realized that it is much simpler to obtain already-infected resources than to maintain their own botnets, or to spend money on buying parts of botnets which are already in use," he said."

"Dunham, who frequently briefs upper levels of federal cyber-security authorities on emerging threats, said there have been cases in Russia where mafia-style physical torture has been used to recruit hackers. If you become a known hacker and you start to cut into their profits, they'll come to your house, take you away and beat you to a pulp until you back off or join them. There have been documented cases of this," Dunham said."

While doing a recent research across the Russian and the Chinese domain, I came to the conclusion that every local scene has it's own underground, and that those that go as publicly as some do at the bottom line, make the headlines. However, Chinese users being collectivists, are still at the heroic stage of cyber dissidents slowly turning into wannabe hackers, and they have a chain of command, so to speak, that I can argue is more powerful than thought to be "well organized" like the ones in Russia, being individualists. There are even marketing campaigns going on in the form of surveys, trying to measure the bargaining point for 0day vulnerabilities I guess. This one says :

How much would you be willing to pay for an exploit?

$100-300
$300-500
$500-1000
over $1000
we write our own exploits :D
I get them for free

and offers trying to even add value to the purchase by offering a SMS flooder for free if you purchase the exploit. I mean, if you start thinking logically, bypassing the current intermediaries and their moody programs compared to one-to-one communication model with a possible buyer -- the entire idea behind disintermediation is the method of choice. Have 0days turned into an uncontrolled commodity that has to be somehow, at least, coordinated?!

In my recent Future trends of malware research, I mentioned how open-source malware would inevitably dominate, and how the concept will put even more pressure on AV vendors to figure out how to protect from unknown malicious code -- proactively. What I came across to was, customer-centric malware propositions, special features increase or decrease the final price, botnet sources for free download/purchase if modifications are made, free advices coming with the purchase, on demand vulnerabilities, spamming or spam harvesting services on demand, price comparison for malware samples, rootkits-enabled pieces of malware indeed show an increase of growth, DDoS on demand services are usually proposed with 30 mins of service "demo". Bot's sources are also annoyingly available at the click of a button, as I verified over 20 working links with archives averaging 75MB. Popular ones :

urxbot, spybot, sdbot, rxbot, rbot, phatbot, litmus, gtbot, forbot, evilbot, darkirc, agobot, jbot, microbot, blueyebot, icebot, q8bot, happybot, htmlinfectbot, gsys, epicbot, darkbot, r00fuz, panicattack

Who's to blame? It's not Russia for sure, and if it was it would mostly have to do with enforcement of current laws, yet the global media tends to stereotype to efficiently meet deadlines, instead of figuring out what is going on at the bottom line. When the U.S sees attacks coming from Chinese networks, it doesn't mean it's Chinese hackers attacking the U.S, but could be that sick North Korean ones are trying to increase tensions by spoofing their identities. Moreover, as I've mentioned it is logical to conclude that there are "undergrounds" on a national level, for instance for the last couple of years there's been a steady growth of defacements and phishing attackers from Brazil, Turkey, and of course China, I rarely come across anything else but "mention Russia and get over it" attitude.

In respect to the Chinese "underground", according a report not to be disclosed, and so I'm not as it's fully loaded with impressive information, the Chinese underground back in 2002 used to aggressively attack U.S government's and military targets while drinking Coke from McDonald's themed Coke glass :) courtesy of the China Eagle Union themselves. Their actions in coordination with the Honker Union of China, for instance, played a crucial role in active hacktivism and continue playing it even today. Like it or not, the average script kiddie, or can we say sophisticated Generation Y teenagers, are well too informed, and obviously sellers of malicious services such as DDoS and malware on demand, than it used to be years ago. I feel it's not their knowledge that's increasing, but the number of connected computers with security illiterate users aiming to put themselves in a "stealth mode" while online in order not to get hacked, or as a friend put it, running in root mode and hiding behind firewalls - ah, the end user.

You can digitally fingerprint a malicious code when you have it, that's normal, but what happens when you don't, can you fight the concepts themselves? Ken Dunham comments on "mafia-style physical torture" are the reflection of people naming their malware MyDoom and begging for botnets if you take your time to go through the quotes from Ancheta's case.

Don't ph34r the teenagers, ph34r their immaturity, and ongoing recruitment practices by the Mafia itself.

Monday, April 24, 2006

25 ways to distinguish yourself -- and be happy?

Totally out of the security world, yet very relevant inspirational tips for all readers feeling down, or looking for more sources of self-esteem. I've always believed that among the most important key factors for leadership is the ability to know yourself, and to understand the time dimensions of failure -- it's just a temporary event whenever it happens to occur. I also often debate on the pros and cons of corporate citizenship with friends, and try to emphasize on the mobility of today's workforce -- at least the way I see it. Is there any use of such an approach these days, and how should an enterprise go when attracting and retaining it's most valuable HR assets? Does the individual really count at the bottom line?

I think assets with attitude are the most valuable ones, given they never stop self-developing themselves. Going back to this very positive "manifesto" "You don't have to motivate me, just stop demotivating me" type of attitude is what you can greatly enjoy in these tips. Extremely well written key points, especially that "being part of the commodity crowd erodes your value", so true. These get updated all the time, so add them to your own unique ways of distinguishing yourself -- and being happy? :)

01. Care as if it's your own
02. Do your daily work with passion
03. Build strong relationships
04. Dream big!
05. Set the right expectations
06. Ask for help
07. Celebrate small victories
08. Set higher standards
09. Know your values
10. Pursue right memberships
11. Help people help themselves
12. Be a reader
13. Plan by outcomes
14. Think long-term
15. Embrace uncertainty with ease
16. Ask the right questions
17. Engage with a coach
18. Re relevant
19. Get back on your feet fast!
20. Lead a volunteer effort
21. Balance innovation and continuous improvement
22. Learn to sell -- your skills, not your soul or at least not on parts
23. Learn systems thinking
24. Walk away from free
25. Influence the influencers

Why's that radar screen not blinking over there?

Two days ago, the Russian News & Information Agency - Novosti, reported on how "Russian bombers flew undetected across Arctic" more from the article :

"Russian military planes flew undetected through the U.S. zone of the Arctic Ocean to Canada during recent military exercises, a senior Air Force commander said Saturday. The commander of the country's long-range strategic bombers, Lieutenant General Igor Khvorov, said the U.S. Air Force is now investigating why its military was unable to detect the Russian bombers. They were unable to detect the planes either with radars or visually," he said."

SpaceWar.com, and several other sites/agencies also picked up the story, still its truthfulness, excluding the lack of coverage, can always be questioned, as "by the end of the year, two more Tu-160s will be commissioned for the long-range strategic bomber fleet, Khorov said." So, while I agree with him on the visual confirmation issue, such an achievement is hell of an incentive for commissioning more planes, isn't it? Moreover, should the what used to be, the world's largest radar - The Over-The-Horizon Backscatter Radar have been scrapped given Iran's (and not only) nuclear ambitions, or the ongoing space warfare doctrine would be the logical successor in here?

Let's for instance assume it actually happened, and take the reverse approach -- it actually happened in Russia too, back in 1987, and it wasn't a senior air force commander that did it, if he did, but 19 years old Mathias Rust who landed on the Red Square itself.

More details will follow for sure, so stay tuned, meanwhile take a look at Google Earth's Community spot link on Mathias's landing.

UPDATE
Nice article on the topic, and a great quote as well "Scanning containers full of sneakers for a 'nuke in a box' is not a really thoughtful thing."

Technorati tags:
, ,

Thursday, April 20, 2006

The anti virus industry's panacea - a virus recovery button

Just when I thought I've seen everything when it comes to malware, I was wrong as a PC vendor is trying to desperately position itself as one offering a feeling of security with the idea to strip its product and lower the customer price. The other day I came across to a fancy ad featuring Lenovo's ThinkVantage Virus Recovery Button, and promoting its usefulness even when there's no AV solution in place :

"Rescue and Recovery is a one button recovery and restore solution that includes a set of self recovery tools to help users diagnose, get help and recover from a virus or other system crashes quickly, even if the primary operating system will not boot and you are remote from your support team."

The video ad is indeed fascinating, and while their Embedded Security Subsystem 2.0 "locks your sensitive data behind hardware-based encryption", you'd better take advantage of their utilities options and try to avoid such a weak positioning in respect to malware. The Virus Recovery Button seems to be directly targeting the masses and totaly removing the complexity issue by introducing a button-based solution to malware -- dangerous as backups and their idea could have proven useful during the first generations of malware.

Anti virus signatures, response time, and various other proactive malware prevention approaches such as, IPS, buffer overflow protection are among today's most widely discussed approaches when dealing with malware, and of course, the principle of least privilege to user accounts. But why the anti virus button when it can be an anti-hacker one? I feel they'd better stick to their OEM agreements and find other ways to achieve competive advantage in pricing than providing a false sense of security.

In my recent "Malware - future trends" research I mentioned on the fully realistic scenario of having your security solution turn into a security problem itself. While this is nothing new, in this case we have a misjudged security proposition, as recovering to a pre-infection state doesn't necessariry mean confidentiality of sensitive personal/financial information wouldn't be breached by the time the user is aware of the infection, if it ever happens of course.

Moreover, Lenovo was recently under scrutiny as "The U.S.-China Economic Security Review Commission (USCC) argues that a foreign intelligence like that of the Communist Party of China (CPC) can use its power to get Lenovo to equip its machines with espionage devices. Lenovo has strongly declined that it is involved in any such activities", and while they eventually reached a consensus on using the machines on unclassified systems only, it doesn't mean they aren't exposed to a wide variety of threats going beyond China backdooring them, such as Zotob over border-screening systems at airports.

As a matter of fact, the rival PC/notebook propositions might still be owned by U.S companies, but are mostly assembled in China these days -- too much hype for nothing.

UPDATE - Sites that picked up the post

LinuxSecurity.com
MalwareHelp.org

Technorati tags:
, , , ,

Digital forensics - efficient data acquisition devices

Digital forensics have always been a hot market segment, whereas the need for a reliable network based forensics model given main Internet's insecurities such as source address spoofing and the lack of commonly accepted security events reporting practices is constantly growing as well. Information acqusition, analysis and interpretation in the most reliable and efficient way is often among the desired outcome -- and of course figure out what has been happenning at a given historical moment in time or in real-time if applicable.

In a previous post related to "Detecting intruders and where to look for" I mentioned lots of resources regarding the topic, and tools to take advantage of, if in need. In respect to cell phones and various related privacy issues, excluding the physical forensic analysis that could be successfully performed, there's a growing discussing on whether a "suspect's" physical location should be revealed though a mobile-phone carrier -- segmented requests are the most efficient and socially-conscious ones I think.

Today I came across to "Logicube CellDEK" a portable handset data extraction kit :

"The portable CellDEK® acquires data from over 160 of the most popular cell phones and PDA's. Built to perform in the field (not just in the lab), investigators can immediately gain acces to vital information. This saves days of waiting for crucial data to come back from a crime lab. The CellDEK software automatically performs forensic extraction of the following data: Handset Time and Date, Serial Numbers (IMEI, IMSI), Dialed Calls, Received Calls, Phonebook (both handset and SIM), SMS (both handset and SIM), Deleted SMS from SIM, Calendar, Memos, To Do Lists, Pictures, Video, and Audio."

Nothing surprising as there are many other freeware applications/ways to do cell phone forensics (full list can be found at Sergio Hernando's blog), but what made me an impression was its usefulness by covering over 160 models, portability due to its size and capabilities, and that up to 40 adapters may be stored in the system’s built-in rack. Some challenges I see to today's forensic investigators are the sophistication of publicly available encryption/steganographic tools, the Internet acting as a online HDD opening opportunities for dead-drop places, and communications that went over covert channels.

On my wislist however, has always been the company's Forensic MD5, as it basically "swallows" data in a timely manner -- a bad toy in the hands of a insider going beyond average types of removable media, and in moments where minutes count. As a matter of fact, a forensic investigator's sophistication and expertise doesn't really count when the Mafia is still catching up on how to encrypt. Still, I'm convinced how some of his "operatives" are into far more sophisticated methods of communication than he is.

Check out some more resources, and case studies on the topic as well :

How to Become a Cyber-Investigator
SANS Reading Room - Forensics
Digital Forensics Tool Testing Images
Computer Forensics for Lawyers
Forensic Analysis of the Windows Registry
Forensic Computing from a Computer Security perspective
Guidelines on PDA Forensics
Forensic Examination of a RIM (BlackBerry) Wireless Device
WebMail Forensics
iPod Forensics
Digital Music Device Forensics
Forensics and the GSM mobile telephone system
List of Printers Which Do or Don't Print Tracking Dots
Metasploit Anti-forensics homepage

UPDATE - Sites that picked up the story

LinuxSecurity.com

Technorati tags:
, , ,

Tuesday, April 18, 2006

Spotting valuable investments in the information security market

Back in January I mentioned the possible acqusition of SiteAdvisor in my "Look who's gonna cash for evaluating the maliciousness of the Web?" post and it seems McAfee have realized the potential of this social-networking powered concept on a wide scale, and recently acquired SiteAdvisor -- this was meant to happen one way or another and with risk of being over-enthusiastic I feel I successfully spotted this one.

Next to SiteAdvisor's pros and cons that I commented on, I also provided a resourceful overview of some of the current malware crawling projects out there, to recently find out that WebRoot finally went public with the Phileas spyware crawler, and that Microsoft's Strider Crawler came up with the Typo-Control project -- great idea as a matter of fact. What are some of the current/future trends in the information security industry? Are the recent flood of acquisitions the result of cheaper hardware and the utilization of open-source software, thus cutting costs to the minimum while the idea still makes it to the market? Have both, entry and exit barriers totally vanished so that anyone could get aspired of becoming a vendor without the brand at the first place? Excluding the big picture, it is amazing how uninformed both, end and corporate users are, yet another lack of incentive for security vendors to reach another level of solutions -- if it ain't broken, don't improve it.

Moreover, what would the effect be of achieving the utopian 100% security on both, the market and the world's economy? On one hand we have "the worst year" of cybercrime, whereas spending and salaries are booming, and they should be as the not knowing how much security is enough, but trying to achieve the most secured state is a driving factor for decades to come. The bottom line is, the more insecurities, the more security spending, the higher the spending, the higher the growth, and with increasing purchasing power, corporate R&D, and government initiatives you have a fully working economic model -- going to war, or seeing terrorists everywhere is today's driving force for military/intelligence spending compared to the "Reds are everywhere" propaganda from both camps of course, back in the Cold War period. Fighting with inspired bureaucrats is always an issue as well.

The Ansoff's Product/Market Matrix often acts as the de-facto standard for developing business opportunities, that is, of course, if you're not lead by a visionary aim, promote an internal "everyday startup" atmosphere to stimulate creativity, or benchmark against competitors. On the majority of occassions a security vendor is looking for ways to diversify its solutions' portfolio, thus taking advantage of re-introduced product life cycles and new sources for revenues. While there should be nothing wrong with that given a vendor is actually providing a reliable solution and support with it, I often argue on how marketable propositions centric business model is not good for the long-term competitiveness of the company in question.

It's the judgement and competitors myopia that I'm talking about. In respect to the current information security market trends, or let's pick up the anti virus solutions segment, that means loosing sight of the big picture with the help of the mainstream media -- cross refferenced malware names, "yet another" malware in the wild, or supposed to be Russian hacker selling his soul for E-gold(cut the stereotypes here and go through the majority of recent statistics to see where all that phishing, spam and malware is coming from), is a common weakness of a possible decision-maker looking for acquisitions. Focusing on both, current trends, and current competitions is the myopia that would prevent you from sensing the emerging ones, the ones that would improve your competitiveness at any time of execution of course.

The way we have been witnessing an overal shift towards a services based world economy in comparisson to a goods based one, in the informaiton security market services or solutions will inevitably profiliate in the upcoming future. When was the last time you heart someone saying "I don't need an anti-virus scanner, but an anti-virus solution, what's yours and how is it differentiated from the others I'm aware of"? Un-informed decisions, quick and cheap way to get away with the "security problem", or being totally brainwashed by a vendor's salesforce would result in enormous long-term TCO(total cost of ownership) problems, given someone actually figures a way to make the connection in here.

Some time ago, I came across a great article at CSOOnline.com "2 Vendor Megatrends and What They Mean to You" giving insight on two trends, namely, consolidation of security providers and convergence -- the interception between IT and physical security. And while it's great in respect to covering these current trends, I feel the article hasn't mentioned the 3rd one - Diversification. An excerpt :

"One trend is consolidation. "We're seeing the bigger players buying out many of the smaller companies. And I think the largest of the security firms are looking to provide a full range of enterprise services," says C. Warren Axelrod, director of global information security at Pershing, a Bank of New York Securities Group company. "The larger firms, like Internet Security Systems, Symantec and Computer Associates, are buying in many areas to complement what they have. They're basically vying for control of the security space." Axelrod is dead on, and consolidation is just as rampant among physical security vendors as it is in the IT world."

I feel consolidation is happening mainly because different market segments are constantly getting crowded and mainly because it's very, very hard to get a name in the information security market these days, so instead of run for your own IPO, compete against market players whose minor modification may ruin your entire idea, you'd better get acquired one way or another. @stake is an example of how skilled HR runs away from the acquirer, at least for me counting the HR as the driving force besides the brand.

More from the article :

"The second trend is convergence—the confluence of IT and physical security systems and vendors—which, in some sense, is another form of consolidation, only it's happening across the line that historically divided those two worlds."

Tangible security is often favored by investors as it targets the masses, and the most visible example besides perimeter based defenses are the hardware appliances themselves. These days, there isn't a single anti virus, anti spam or anti spyware solution provider without a hardware appliance, but what's to note is how their OEM agreements are still working and fully applicable, it's all about greed, or let's avoid the cliche and say profit maximization -- whatever the market requires the vendors deliver!

Very in-depth article, while I can argue that vendors are so desperate to "consolidate bids" on a national level, as they usually try to get as big part of the pie as possible. What's else to note is that the higher the market transparency, the more competitive the environment, thus greater competition which is always useful for the final user. In respect to heterogenity and homogenity of security solutions, and all-in-one propositions, the trade-offs are plain simple, cut total TCO by using a single vendor, get your entire infrastructure breached into by an attacker that would sooner or later find a vulnerability in it -- find the balance and try to avoid the myth that complexity results in insecurities, as it's a unique situation every time.

What we're witnessing acquisition-to-solution turn-around periods of several months in response to an emerging market - the IM one, mobile anti-virus scanners seem to be the "next big thing", whereas it would take quite some time for this segment to develop, still you'd better be among the first to respond to the interest and the fact that there are more mobile phones capable of getting infected with a virus, than PCs out there -- 3G, 4G, mobile banking would fuel the growth even more, and these are just among the few issues to keep in mind. In a previous post, I also mentioned on a creative use of security intelligence information in Sophos's Zombie Alert service, and a product-line extensions, namely McAfee's bot killing system. What no one pictured would happen is emerging these days - vulnerabilities turning into IP and the overal commercialization of the security vulnerabilities market, and getting paid for getting hacked is a growing trend as well -- much more's to come for sure.

The secrets to successful acquisitions?

- retain the HR that came with it, and better put something on the table at the first place
- don't try to cannibalize the culture there, Flickr is the perfect example out of the security market
- go beyond the mainstream media sources, and PR releases, use open source competitive intelligence tools in order not to miss an opportunity
- attend as much cons as possible to keep track of who's who and where's the industry heading to
- cost-effectively keep in touch with researchers, and an eye on their blogs, you never know who would be your early warning system for business development ideas

Try to stay on the top of security, not in line with it.

Technorati tags:
, , , , , , ,

Would somebody please buy this Titan 1 ICBM Missile Base?

I feel that no matter how much you try to bypass the intermediary, it would continue to remain the place for anything auction - 0day vulnerabilities, Enigma encryption machines, and now a Titan 1 ICBM Missile Base, is for sale at Ebay for the N time. Bari Hotchkiss listed the characteristics of the underground fortress as :

- Hardened buildings built to withstand One megaton nuclear blast within three thousand feet
- Wall thicknesses up to fourteen feet
- Thousands of feet of connecting tunnels
- Paved roads. Security fencing

Trying to auction it again, as he seems to own the facility, it beats The Bunker in respect to a wide range of physical/electronic attack based security possibilities, and has the potential to turn into the perfect data center with enough space for war rooms on every level.

As Gene Spafford once put it :

"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts."

and you would probably need a network connection of some kind to make use if it -- that means insecurities posed out of open and hard to control external networks.

I've once mentioned how nuclear weapons aren't the type of central military thinking problem the way they used to be during the Cold War's arms race, as there are many more emerging threats to consider, such as EMP, and Space warfare, but that's hell of an offer for a post-ColdWar underground complex, isn't it?

Some resources worth taking a look at :

19 Ways to Build Physical Security into a Data Center
Data Center : Securing Server Farms - Solution Reference Network Design
Data Center Security Associate Certificate Recommended Reading

Technorati tags:
, , ,

Friday, April 14, 2006

Fighting Internet's email junk through licensing

Just came across this story at Slashdot, interesting approach :

"China has introduced regulations that make it illegal to run an email server without a licence. The new rules, which came into force two weeks ago, mean that most companies running their own email servers in China are now breaking the law. The new email licensing clause is just a small part of a new anti-spam law formulated by China's Ministry of Information Industry (MII)."

While the commitment is a remarkable event given China's booming Internet population -- among the main reasons Google had to somehow enter China's search market and take market share from Baidu.com -- you don't need a mail server to disseminate spam and phishing attacks like it used to be in the old days. You need botnets, namely, going through CME's List, you would see how the majority of today's malware is loaded with build-in SMTP engine, even offline/in-transit/web email harvesting modules.

You can often find China on the top of every recently released spam/phishing/botnet trends summary, which doesn't mean Chinese Internet users are insecure -- just unaware. What you can do is educate the masses to secure the entire population, and stimulate the growth of the local security market that everyone is so desperately trying to tap into. Moreover, I doubt you can regulate the type of Internet users still trying to freely access information, again with the wrong attitude in respect to security :

"..prohibiting use of email to discuss certain vaguely defined subjects related to 'network security' and ' information security', and also reiterate that emails which contain content contrary to existing laws must not be copied or forwarded. Wide-ranging laws of this nature have been used against political and religous dissenters in the past."

It's like legally justifying the country's censorship practices through introducing the law, whereas I feel "network security" and "information security" attacks outside the homeland get favored, compared to internal ones, don't you?

Forbidden fruits turn into dangerous desires on the majority of occasions, and you just can't control that, what's left to censor it.

Technorati tags:
, , , ,

Thursday, April 13, 2006

Distributed cracking of a utopian mystery code

If you have missed the opportunity to buy yourself a portable Enigma encryption machine, or didn't know you could devote some of your CPU power while trying to crack unbroken Nazi Enigma ciphers, now is the time to consider another distributed computing cracking initiative I just came across to - "Assault on the Thirteenth Labour", part of the utopian Perplex City alternate reality game. More on the story itself :

"The story centers on a fictional metropolis known as Perplex City. The Receda Cube, a priceless scientific and spiritual artefact, has been stolen and buried somewhere on Earth, and the game offers a real-life $200,000 reward to whoever can find it."

As a matter of fact, ever heard of Hive7? This is where the future is going, as I think virtual worlds intrigues result in a more quality real life, don't they? Still, it can also result in security problems with stolen virtual goods. The trend, given the popularity of these, will continue to emerge -- people, both rich and poor are putting hard cash into virtual properties and DoS attacks and phishing practices are already gaining popularity as well.

Technorati tags:
, , , , ,

On the Insecurities of the Internet

Among the most popular stereotypes related to Cyberterrorism, is that of terrorists shutting down the Internet, or to put it in another way, denying access to the desperse and decentralized Internet infrastructure by attacking the Internet's root servers the way it happened back in 2002 -- knowing Slashdot's IP in such a situation will come as a handy nerd's habit for sure. Outages like these would eventually result in a butterfly effect, such as direct monetary losses and confidence in the today's E-commerce world.

In my previous "How to secure the Internet" I commented on the U.S's National Strategy to Security Cyberspace, moreover, I pointed out some issues to consider in respect to the monoculture that's affecting the entire population. While today's threatscape is constantly changing, it still points out key points points such as :

- Improve the Security and Resilience of Key Internet Protocols
"The Internet is currently based on Internet Protocol version 4 (IPv4). Some organizations and countries are moving to an updated version of the protocol, version 6 (IPv6). IPv6 offers several advantages over IPv4. In addition to offering a vast amount of addresses, it provides for improved security features, including attribution and native IP security (IPSEC), as well as enabling new applications and capabilities. Some countries are moving aggressively to adopt IPv6. Japan has committed to a fully IPv6 based infrastructure by 2005. The European Union has initiated steps to move to IPv6. China is also considering early adoption of the protocol."

In my previous "The current state of IP Spoofing" post, I mentioned that if you can spoof there's no accoutability, and you can even get DDoSed by gary7.nsa.gov. But until then we would have to live with the current situation, or keep building awareness on the issue of course.

- Secure the Domain Name System
"DNS serves as the central database that helps route information throughout the Internet. The ability to route information can be disrupted when the databases cannot be accessed or updated or when they have been corrupted. Attackers can disrupt the DNS by flooding the system with information or requests or by gaining access to the system and corrupting or destroying the information that it contains."

During March, Randal Vaughn and Gadi Evron released a practical study entitled "DNS Amplification Attacks" pointing out that :

"Our study is based on packet captures and logs from attacks reported to have a volume of 2.8Gbps. We study this data in order to further understand the basics of the reported recursive name server amplification attacks which are also known as DNS amplification or DNS reflector attacks. One of the networks under attack, Sharktech, indicated some attacks have reached as high as 10Gbps and used as many as 140,000 exploited name servers. In addition to the increase in the response packet size, the large UDP packets create IP protocol fragments. Several other responses also contribute to the overall effectiveness of these attacks."

It feels like a deja vu moment compared to Mixter's release of his award-winning "Protecting against the unknown" research and the emergence of DDoS attacks(read the complete story, and keep in mind that it's wasn't iDefense, but PacketStormSecurity offering $10k rewards back in 2000). VeriSign indeed detailed massive denial-of service attack, and Slashdot also picked up the story. Most importantly, the event also attracted the U.S government's attention, but what you should also keep in mind is that :

"In order to create an 8Gbps attack using carefully crafted zones, you need no more than 200 home PCs on basic DSL lines," Joffe said. That math assumes about 200 bots eating up a full 512Kbps connection with lots of 60-byte DNS queries, each of which is amplified 70x into a 4,200-byte reply against the attacker's target. To put that in perspective, Russian hacking crews advertise that they will place the malware of your choice on 1,000 bots for a mere $25, according to the Internet Storm Center."

No 0day necessary, but DDoS on demand/hire, and renting botnets are the practices worth mentioning the way I pointed them out in my Future trends of malware research.

-Border Gateway Protocol
"Of the many routing protocols in use within the Internet, the Border Gateway Protocol (BGP) is at greatest risk of being the target of attacks designed to disrupt or degrade service on a large scale. BGP is used to interconnect the thousands of networks that make up the Internet. It allows routing information to be exchanged between networks that may have separate administrators, administrative policies, or protocols."

Interdomain routing communications are like empowering assembly line workers with the ability to stop the line at anytime, or have a claim on it, a tricky option sometimes. A recently released research(2005) "A Survey of BGP Security" points out the bottom line these days :

"We centrally note that no current solution has yet found an adequate balance between comprehensive security and deployment cost." Still, IETF's Routing Protocol Security Requirements (rpsec) are worth the read.

What I truly hope, is that any of these guidelines wouldn't end up on a paper tiger's desk for years to come, namely they would eventually get implemented and Internet2 would end up dealing with a more advanced set of security problems compared to the current ones. My point is that, while only the paranoid survive, seeing ghosts here and there is like totally missing the big picture -- Richard Clarke for instance once said that "If there's a major devastating cyberspace security attack, the Congress will slam regulation on the industry faster than anything you can imagine. So, it's in the industry's best interest to get the job done right before something happens." But when, and how it would affect the commercial side of the question, that is how visionary are the vendors themselves to anticipate the future in here?

No one would want to shut down the Internet as terrorists are actively using it for propaganda, communication, and open source intelligence. Still, the deceptive PSYOPS initiated by terrorist sympathizers or wannabe such is what will continue to hit the deadlines -- just don't miss the big picture!

UPDATE : The post just appeared at LinuxSecurity.com "On the Insecurities of the Internet"

Technorati tags:
, , , , , , ,

Wednesday, April 12, 2006

Catching up on how to lawfully intercept in the digital era

In one of my previous posts "A top level espionage case in Greece" I blogged about two cases of unlawful interception -- good old espionage practices in modern environment. What's also worth mentioning is the rush for lawful interception in the post 9/11 world, that is free spirits get detained for singing or being nerds, activities you can hardly datamine at the bottom line, and then again, so what?

Last month, Australia extended its phone-tap laws to e-mails and SMS, OMG, good morning Vietnam. An excerpt from the news item :

"Australia has passed new laws that would allow police to intercept phone calls, e-mails, and text messages of people who are just suspected of a crime. Attorney-General Philip Ruddock says the new laws account for challenges posed by technology; in December 2005, Middle Eastern and white supremacist youth used SMS messages to coordinate during race riots. However, civil liberties groups warn that the laws could allow police to target the privileged conversations of lawyers and journalists or to target innocent people for investigation. Australia has been tightening security laws since the September 11, 2001, terrorist attacks in the US."

Whether compliance, or new revenue sources from a telecom/network giant's point of view, lawful interception has always been happening. A single vendor's box can easily monitor over 30,000 DSL connections, and while the problem still remains processing power and decentralized/encrypted communications, steganography as a concept has always been the biggest downsize of any approach from my point of view.

At the bottom line it would eventually provide the ECHELON's community with more information to take hold of, whereas retaining or trying to data mine it still remains an abstract concept whose only justification has been the contradictive Able Danger scenario. It is my opinion that erasing terrabytes of intelligence information on a terrorist group is a pure science-fiction scenario, they way there's a desperate need for a clear ROI in respect to CCTV cameras.

Don't over-empower the watchers for the sake of your Security, or you'll end up with a false feeling of it.

More resources on surveillance and lawful interception worth going through are :

International Campaign Against Mass Surveillance
Development of surveillance technology and risk of abuse of economic information
Legal Analysis of the NSA Domestic Surveillance Program
Wiretapping, FISA, and the NSA
Can the government track your cell phone's location without probable cause?
Attack Detection Methods for All-Optical Networks
2006 = 1984?
Privacy issues related to mobile and wireless Internet access
Lawful Interception of the Internet
Using MAC Addresses in the Lawful Interception of IP Traffic
Open Source Intelligence (OSINT)
Making Intelligence Accountable: Legal Standards and Best Practice for Oversight of Intelligence Agencies
What is Project ECHELON?
Surveillance and Society Journal
Cybercrime in New Network Ecosystem: vulnerabilities and new forensic capabilities
Strategies for Lawful Intercept
Summary - Lawful Interception plugtest
Whistle-Blower Outs NSA Spy Room

Technorati tags:
, , , , ,

"IM me" a strike order

In my previous post "What's the potential of the IM security market? Symantec thinks big" I commented on various IM market security trends, namely Symantec's acquisition of IMLogic. It's also worth mentioning how a market leader security vendor was able to quickly capitalize on the growing IM market, and turn the acquisition into a valuable solution on the giant's portfolio of solutions. What's also worth mentioning is the military interest in instant communications in today's network centric warfare powered battlefield. Today I across an interesting recent development, namely that :

"The US Army, Navy, and Air Force have deployed protected interoperable instant messaging (IM) systems among the threebranches. Army Knowledge Online, Navy Knowledge Online, and theAir Force’s Knowledge Management Portal built the IM systems for 3.5 million users from Bantu's Inter-domain Messaging (IDM)gateway, a policy-driven with role-based access controls. The system will carry messages over sensitive and secret networks, and can populate a user's contact list with appropriate officials in the chain of command. Intelligence agencies will hook into the system to work with the military, and the Department of Homeland Security is also interested in the IM system."

Flexible military communications have always been of great importance, and flexibility here stands for securely communicating over insecure channels -- IP based communications. While you might have not heard of Bantu before, to me their real-time network for interagency communication sounds more like a security through obscurity approach -- temporary gain and possible long term disaster.

Could the instant communication finally solve the Intelligence Community's information sharing troubles? In a relatively recent report I came across, "a survey was hosted on the Secret Internet Protocol Router Network (SIPRNET) so that personnel could respond to the survey from the convenience and privacy of their own workstations." in order to measure the communication requirements of various staff members, some of the findings worth mentioning :

MS Chat was used by at least 50% of all command groups
- 100% of Afloat Staffs, 86% of Carriers, 78% of Cruisers & Destroyers, 50% of Support
XIRCON was used by 28% - 50% of command groups
- 50% of Support, 41% of Carriers, 32% of Cruisers & Destroyers, 28% of Afloat Staffs
Lotus Sametime was used by 0 – 44% of command groups
- 44% of Afloat Staffs, 16% of Cruisers & Destroyers, 10% of Carriers, 0% of Support
mIRC was used by 13 – 33% of command groups
- 33% of Support, 23% of Carriers, 22% of Cruisers & Destroyers, 13% of Afloat Staffs

Lotus Sametime and mIRC seem to be only survirors, still the implications of using the above in respect to the powerful execution of various network centric warfare events, would definitely raise not just my eyebrows for sure. Two years ago, led by IMLogic a consortium on IM threats was established, the IM Threat Center, an indispensable early warning system for anything related to IM malware.

Would age-old IM threats re-introduce themselves on military networks like never before? Whatever the outcome, information overload wouldn't necessarily be solved through instant communications, but in a combination with powerful visualization concepts as well.

The post recently appeared at LinuxSecurity.com "IM me" a strike order"

Technorati tags:
, , , , ,

Wednesday, April 05, 2006

Heading in the opposite direction

Just one day before April 1st 2006 I came across this article :

"German retail banker Postbank will begin using electronic signatures on e-mails to its customers to help protect them from phishing attacks."

Catching up with the phishers seems to be a very worrisome future strategy. Electronic Signatures by themselves are rarely checked by anyone, and many more attack vectors are making the idea of this totally irrelevant. Moreover, a great research "Why phishing works" was recently released and it basically outlines basic facts such as how end users doesn't pay attention to security checks, if there's a definition of such given the attack vectors phishers have started using recently. In some of my previous posts "Security threats to consider when doing E-Banking", and "Anti Phishing toolbars - can you trust them?" I mentioned many other problems related to this bigger than it seems problem, what you should also keep an eye on is the good old ATM scam I hope you are aware of.

Postbank is often targeted by phishers, still, the best protection is the level of security awareness stated in here :

"Phishing attacks have led 80% of Germans to distrust banking related e-mails, according to TNS Infratest." Moreover, "Postbank's electronic signature service isn't possible with web-based e-mail services provided by local Internet service providers such as GMX GmbH and Freenet.de AG, according to Ebert. One exception is Web.de"

Thankfully, but that's when you are going in exactly the opposite direction than your customers are, while trying to estalibish reputable bank2customer relationship over email. Listen your customers first, and follow the trends, and do not try to use the most popular dissemination vector as a future communication one.

Something else in respect to recent phishing statistics is the key summary points of the recently released, AntiPhishingGroup's Report for January, 2006 report :

• Number of unique phishing reports received in January: 17,877
• Number of unique phishing sites received in January: 9715
• Number of brands hijacked by phishing campaigns in January: 101
• Number of brands comprising the top 80% of phishing campaigns in January: 6
• Country hosting the most phishing websites in January: United States
• Contain some form of target name in URL: 45 %
• No hostname just IP address: 30 %
• Percentage of sites not using port 80: 8 %
• Average time online for site: 5.0 days
• Longest time online for site: 31 days


I feel there's a lot more to expect than trying to re-establish the communication over a broken channel, as far as E-banking is concerned.

More resources you might be interested in taking a look at are :
Vulnerability of First-Generation Digital Certificates and Potential for Phishing Attacks
Netcraft: More than 450 Phishing Attacks Used SSL in 2005
SSL's Credibility as Phishing Defense Is Tested
Rootkit Pharming
The future of Phishing
Something is Phishy here...
Phishing Site Using Valid SSL Certificates
Thoughts on Using SSL/TLS Certificates as the Solution to Phishing

Technotati tags:
, , ,

Securing political investments through censorship

I try to extensively blog on various privacy and Internet censorship related issues affecting different parts of the world, or provide comments on the big picture they way I see it.

Spending millions -- 6 million euro here, and I guess you also wouldn't let someone spread the word whether the cover is fancy enough for a vote or not -- on political campaigns to directly or indirectly influence the outcome of an election, is a common practice these days. Whereas, trying to build a wall around a government's practices is like having a tidal wave of comments smashing it. I recently came across the following article : "

"Singapore has reminded its citizens that web users who post commentary on upcoming elections could face prosecution. Election commentary is tightly controlled under Singaporean law; independent bloggers may comment on the election, but must register their site with the Media Development Authority (MDA)."

I'm so not into politics -- and try not to -- but threatening with prosecution on commentary, registering users, while not first "introducing yourself" as "During the November 2001 elections, Singapore's political parties limited their use of the Internet to posting schedules and candidate backgrounds." isn't the smartest long-term political strategy ever, don't you think?

More resources on the state of censorship in Singapore worth checking out are :

Internet Filtering in Singapore in 2004- 2005: A Country Study
EFF "Censorship - Singapore" Archive
Censorship in Singapore
To Net or Not to Net: Singapore’s Regulation of the Internet
Censorship Review Committee 2002/2003
The Internet and Political Control in Singapore

Technorati tags:
,

Insider fined $870

Insiders still remain an unresolved issue, where the biggest trade-off is the loss of productivity and trust in the organizational culture. According to the Sydney Morning Herald :

"A court in Guangzhou, capital of the southern Chinese province of Guangdong, has upheld a lower court's guilty verdict against Yan Yifan for selling stolen passwords and virtual goods related to the online game "Da Xihua Xiyou.The court upheld a $870 US fine, arguing that victimized players had spent time, energy, and money to obtain the digital items Yan sold. Yan stole the players' information while an employee for NetEase.com, the company behind the game."

So, it's not just 0days, Ebay/PayPal accounts, and spyware market entry positions for sale -- but virtual world goods as well.

While it's not a top espionage case, or one compared to the recent arrest of "two men, identified as Lee and Chang, on charges of industrial espionage for downloading advanced mobile phone designs from employer Samsung for sale to a major telecommunications firm in Kazakhstan", insiders still represent a growing trend that according to the most recent FBI's 2005 Computer Crime Survey, cost businesess $6,856,450. Then again, failing to adequatly quantify the costs may either fail to assess the situation, or twist the results based on unmateliazed, but expected sales, as according to the company, "Samsung could have suffered losses of $1.3 billion US had the sale been completed." Trust is vital, and so is the confidence in Samsung's business case.

Technorati tags:
, ,