WebSecure Blog
Pirates target phones

No one can accuse spammers of a lack of innovation!
Check out this entry on the Websense security labs blog (Spam Emails Link to QR Codes) showing how spammers have started using QR codes to get your mobile phone browser to automatically load their spam page.
A QR code is like a fancy (two dimensional) bar code. According to Wikipedia it was developed by a Toyota subsidiary to track cars along their production line: http://en.wikipedia.org/wiki/QR_code. All very nice until somebody takes the automation of it and uses it against you.
Spammers are like the pirates of the 17th Century and it wouldn’t surprise me if a few of them had tacit state protection - just like they did then. They should make laws that allow them to be pursued wherever they reside and taken home for trial and hanging.
Explorer & Chrome Issue

I wanted to inform you of an issue that some of you may experience with regard to the administration of GTA firewalls using Microsoft’s Internet Explorer 8 & 9. Recently Microsoft issued security software updates to IE 8 & 9, which causes problems when attempting to administer a GTA firewall on GB-OS versions less than GB-OS 6.0.3.
GTA engineers are not sure why Microsoft changed the behavior of Internet Explorer to operate in this new manner but it apparently has something to do with their recent security update. A simple description of the problem is: IE sends an initial packet that contains a single byte of data, which to the GB-OS IPS appears to be a “Slowloris” attack.
GTA have updated their logic to both defend against Slowloris and to work with inefficient SSL implementations. This has been implemented in GB-OS 6.0.3, however since we know there are still customers running GB-OS 5.4.x we will be releasing a GB-OS 5.4.3 patch release to address this problem. The GB-OS 5.4.3 release is targeted for 19 Jan 2012.
This same behaviour occurs in Google Chrome V15 and above.
SYMPTOMS:
Firewall login fails and the browser displays “Not Implemented”. This is seen in:
- Google Chrome v15 and above.
- Internet Explorer with Microsoft Update KB2585542 installed.
EXPLANATION:
Internet Explorer and Chrome send incomplete or inefficient commands to the firewall.
RESOLUTION:
1. Upgrade to GB-OS 6.0.3 or GB-OS 5.4.3
2. Use Firefox, Opera or Safari
3. Try removing Microsoft Security Update KB2585542.
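As an added example (not GTA’s GB-OS code), here is a small Python model of the false positive described above: a rule that keys on “first packet carries a single byte” flags a browser whose SSL stack sends a tiny first record and the rest a few milliseconds later, whereas a duration-based rule only flags a sustained trickle that never completes the request headers. The thresholds and traffic samples are assumptions constructed for the demonstration.

```python
"""Slowloris detection that does not misfire on a one-byte first segment.

Added example, not GB-OS or GTA code. It models what the post describes: an
IPS rule that treats "first packet carries a single byte" as a Slowloris
attack will flag a browser whose SSL stack sends a tiny first record and
the rest a few milliseconds later. A real slow-header attack is a sustained
trickle of tiny segments that never completes the request headers, so the
detector below keys on duration and idle gaps, not on the size of one segment.
All traffic samples are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Chunk:
    t: float       # seconds since the connection was opened
    data: bytes    # client-to-server payload carried by this segment


HEADER_END = b"\r\n\r\n"


def naive_is_slowloris(chunks: List[Chunk]) -> bool:
    """The over-eager rule (assumed; the post only says a single-byte initial
    packet 'appears to be a Slowloris attack'): one byte in the first segment
    is treated as the start of a slow-header attack."""
    return bool(chunks) and len(chunks[0].data) == 1


def is_slowloris(chunks: List[Chunk], idle_limit: float = 15.0,
                 min_duration: float = 30.0, max_chunk: int = 32) -> bool:
    """Flag only a sustained trickle.

    A connection is suspect when (a) the request headers have not completed,
    (b) the client has kept the connection open for at least `min_duration`
    seconds, and (c) it has done so with at least two tiny segments that each
    arrived after an idle gap of `idle_limit` seconds or more. A tiny first
    segment that is followed promptly by the rest of the request never
    satisfies (b) or (c), so it is left alone.
    """
    received = b""
    last_t = 0.0
    trickle_segments = 0
    for c in chunks:
        received += c.data
        if HEADER_END in received:
            return False                      # request completed: not an attack
        gap = c.t - last_t
        last_t = c.t
        if len(c.data) <= max_chunk and gap >= idle_limit:
            trickle_segments += 1
    return last_t >= min_duration and trickle_segments >= 2


# Constructed samples -------------------------------------------------------
REQUEST = b"GET /admin HTTP/1.1\r\nHost: firewall.example\r\n\r\n"

# A browser whose SSL stack splits the first record: one byte, then the rest.
BROWSER_SPLIT = [Chunk(0.000, REQUEST[:1]), Chunk(0.012, REQUEST[1:])]

# An ordinary client that sends the whole request in one segment.
NORMAL = [Chunk(0.000, REQUEST)]

# A slow-header attack: a partial header, then a bogus header line every 20 s.
SLOW_HEADERS = [Chunk(0.0, b"GET / HTTP/1.1\r\nHost: firewall.example\r\n")]
SLOW_HEADERS += [Chunk(20.0 * i, b"X-a: b\r\n") for i in range(1, 4)]


if __name__ == "__main__":
    for name, sample in [("browser split", BROWSER_SPLIT),
                         ("normal", NORMAL),
                         ("slow headers", SLOW_HEADERS)]:
        print(f"{name:13s} naive={naive_is_slowloris(sample)!s:5} "
              f"duration-based={is_slowloris(sample)}")
```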
Oh - and happy new year everyone!
Steve Jobs 1955-2011

A great visionary has departed from our industry. We make no mistake and acknowledge today is a landmark and a monument. If WebSecure were a country we would fly our flags at half mast in respect and in admiration of what this man has achieved. It is my belief we live in a time that history will not judge kindly and where people of lasting greatness have been few. A generation whose marks are to love self and money above all else and at the expense of all else.
Some say life is a play we get caught up in, forgetting we are merely players and that with or without us the great story goes on. Others say life is a dance where the only marks we leave are wild and dusty foot marks upon a stage of time and those we touch along the way. I say walking through life is like walking towards an ever setting sun, where each moment draws us nearer to the end and that death is a beacon towards the final reality and in whose critical light we must make our stand.
Steve Jobs said, “Remembering that I’ll be dead soon is the most important tool I’ve ever encountered to help me make the big choices in life. Because almost everything–all external expectations, all pride, all fear of embarrassment or failure–these things just fall away in the face of death, leaving only what is truly important.”
There are those who are willing to lift their eyes to that horizon of time, to meet the gaze of a setting sun and to live their lives in the light of it. The courageous few whom history, time and death call, to a thing we call greatness.
Steve Jobs was one of them.
Our thoughts, prayers and condolences go to his family and those with whom he walked and lived and worked.
Technology, meet psychology

It’s probably the biggest unspoken-about problem in our industry today, its greatest challenge and the most persistent enemy of real security. We’ve all experienced it in some way and, I think, we are struggling to meet the challenge of it.
I’m talking about psychology: the way people think and react, what they see as important, how they come to their perception of the service they receive and how able they are to receive advice, solutions or even discuss the root of issues. Take a simple example of two perceptions of spam management. On the one hand we have a corporate email gateway receiving 27,000 denial of service attacks, 1500 relay attempts and 63,000 spam connection attempts each day, and through that gateway only a few dozen emails are delivered that you could say are unwanted. On the other hand we have a user who received nine emails today, one of which he didn’t want.
Is there a correct way to perceive such a state of affairs?
In mockery of the idea that truth does not exist, cannot be known or can’t be absolute (and therefore true), stands the spam scanner, which did stop, actually and absolutely, exactly what it stopped. Sadly, and regardless of perception, current anti-spam technologies cannot stop 100% of unwanted emails, and attempts to do so simply result in the blocking of legitimate business emails.
Our problems arise from the fact that in one organisation the unwanted email goes uncommented on but in another generates a helpdesk ticket or complaint. Many times this reaction is ignored as just another irrational end user. Irrational, of course, because the reaction lacks what we might call common sense or context. Maybe the end user has no idea how many emails were successfully blocked or why limits exist for current technology. But more disturbing, and equally possible, the complaint came from a place of political power within the organisation and therefore must at least be seen to be taken seriously.
Therein lies the rub.
We arrive at an irrational place I call ‘perception and politics are reality’. If left unchecked perception and politics replace reality and decisions are made on those foundations. In many places we would probably view such a process as either politics or corruption. It’s an easy trap to fall into because we all love our own opinion above reality. In any event the entire process is corrosive to real security.
Here’s a story of an SSL certificate provider that was hacked because they didn’t have strong passwords, or patched servers - or - even anti-virus installed. I wonder how much of their organisation ran on politics and how much was based in reality.
I think the current trend of outsourcing will make this worse in every way. An outsourced problem is an outsourced skill, outsourced skills are outsourced understanding, lack of understanding is loss of context and without context rational thought loses one of its foundations. What is left is a weak defence against force of will, personality and superstition.
That might sound a little extreme, but think of it as rust. It’s a corrosive process that left unchecked eats away at real world security.
Mapping Normal

You can’t fix what you can’t see.
It’s a simple but often overlooked reality driven home to IT support people every day. We ourselves speak to people who describe symptoms of systems that don’t work but do not have enough visibility to work out the reason why.
My favourite customer quote that illustrates this is the customer who, in frustration, says “but nothing has changed”. A technical joke of course, because something major has definitely changed – that’s why they are ringing technical support for help. What they mean to say is they can’t see whatever has changed that’s causing their problem, which is a very valid and frustrating place to be.
This problem of visibility has more than a few faces. Sometimes the log or data exists but it’s hidden in a blizzard of background noise and hard to find or isolate. Other times a system is so hard to use, so poorly designed, that even creating minimum useful logging is a serious challenge in its own right. On top of this an organisation can have problems of its own in retaining and training the skills required to run the complex systems they own or operate.
Although this truth isn’t new, I believe we are travelling towards an inflection point where three trends meet to force change.
1. Increasing technical complexity of systems
I think of this as the slow wave that keeps putting pressure on IT everywhere and in multiple ways. You can argue it’s a major contribution to the recent fashion of outsourcing as organisations attempt to reduce the financial burden or complexity.
2. IP version 6
Whilst we are only starting to see its impact, the sheer size of it is mind boggling. For example, the idea that every single spam email can have a random IP address you can’t track will turn many anti-spam technologies on their head. For attackers of every kind IPv6 is going to provide an enormous smoke screen to hide behind. It is possible this will undermine the current trust models we use and the trust assumptions we make.
3. Mobile devices
Whether we like it or not, mobile devices are going to take over a good part of the IT world. Already Stewart runs around the market place armed with just a smart phone and an iPad. With these two tools he does more than he could ever do with what we euphemistically called a notebook ten years ago.
When I picture the combined impact of these trends I see in my head the poor IT Manager trying to hold in one hand a hundred ends users on leashes as they stream in a dozen different directions, whilst in the other hand trying to hold the lid on a huge boiling pot of technologies that are exploding. IPv6 and complexity are pushing technologies out of the pot faster than the IT Manager can handle and mobile devices are sending end users off in new directions all the time.
On the good news front, in the last few months I have had the pleasure of seeing the seeds of the future on two fronts: technology that is going to allow IT Managers to thrive in this new world because it creates visibility. From that visibility comes new levels of productivity and control.
Number One - NitroSecurity
Collecting logs is hardly a new idea but this product takes it to a whole new level. Collect, correlate and normalise millions of events from everywhere on your network with one easy to use appliance. Windows event logs, router logs, firewall logs, switch logs, IPS logs, syslogs, database logs - any kind of logs. They already have a vast amount of device support that correctly parses the log information and takes all the hard work out of problem spotting.
With a Nitro box grooming your mountain of data all of a sudden logging makes great sense. The more logs you can get into the view and correlate with other logs the more precise the view is and the more accurate as to what’s important right now. 18 million log entries can be quickly reduced to ten things of interest. It’s quite incredible.
Number Two - TrustSphere
I reckon IPv6 is going to destroy IP trust on the internet. The current paradigm of trusting an IP unless it is blacklisted will become completely unworkable. Stepping into this gap is a company called TrustSphere who have developed Google-like algorithms that track every single email transaction you make and create a pattern of trust from it. And it’s a fully automated solution designed to link with your current anti-spam solution. Vendor support isn’t very high yet but I can’t help but think that will come as needed because this is a very smart way of dealing with spam, threats and phishing problems.
What I found most interesting, which is a total spin-off from the technology, is the visual presentation a pattern of organisational email can create. From that pattern alone you can tell what some people do for a living. People who work together closely have strong, thick connecting lines whilst people doing marketing have a flower-shaped pattern from large numbers of single emails to a huge number of addresses.
Not only does the technology remove the slowly growing problem of false positives in spam detection, but with a tool that automatically builds a map of normal business a foundation of trust can be rebuilt. Spammers suddenly stick out as outsiders, and phishing attacks stand out like people who wear fluoro-yellow rain suits in a crowd.
We’re working with both these vendors now and have already sold Nitro products into key accounts. TrustSphere have finished a proof of concept program with us doing integration with MailMarshal and we’re excited about taking the next steps. If you’re interested in the future take a look because it’s quite encouraging.
Just some snippets

It’s been pretty busy lately so I’m just posting a few of the more interesting stories I’ve come across recently.
At the Black Hat conference in Las Vegas on Wednesday, two researchers demonstrated how they were able to send commands via a laptop to unlock the doors of a Subaru Outback – and then, awing the audience, actually start the car. So how far will this go and how long will it take before the whizzy Bluetooth in your car is nothing but a liability?
LINK HERE
What happens when former hackers get the smell of money in their nostrils? Peiter “Mudge” Zatko, famed member of the legendary L0pht hacker group, announced the launch here today of a new program at the Defense Advanced Research Projects Agency (DARPA) aimed at funding hacker spaces and research in cybersecurity. I’m not sure if this is a response to constant attention from China and not sure if it’s a good idea either…
LINK HERE
This is one of my favourite beefs – the German police finally say what everyone knows: full body scanners at airports only catch zips, boots and sweaty armpits! I’d welcome a change of the tide here before we’re all standing around in our undies in the name of security.
LINK HERE
The pussies at Monsanto

Hands up if you like Secunia - ‘cos I love them.
Anyone who helps cut through the blizzard of vulnerabilities we live with every month is tops by me. There is a link to their blog entry here for downloading their half yearly report. What caught my attention in this report is this statement, which I quote from the blog entry:
Security patches are found to be an effective means to escape the arms race, as they remediate the root cause of compromise.
Read that again slowly – there’s wisdom in that.
Look, the bad guys like to weave the story about how they can’t be stopped, the variants morph so fast there is nothing you can do. Or if there is something you can do it’s pointless because they move so fast. You may have read how, for example, the hacking group Anonymous has targeted the biotech giant Monsanto. Now read this, which is taken from the Freedom Hub where Anonymous taunts Monsanto:
Over the last 2 months we have pushed the exposure of hundreds of pages of articles detailing Monsanto’s corrupt, unethical, and downright evil business practices.
We’ve created a nice go-to reference guide on piratepad/anonpad (anonpad.org/opmonsanto, backed up elsewhere), where anyone can read up on and add their own info about MonsantoCo.
We blasted their web infrastructure to shit for 2 days straight, crippling all 3 of their mail servers as well as taking down their main websites world-wide.
We dropped dox on 2500+ employees and associates, including full names, addresses, phone numbers, and exactly where they work ( https://pastee.org/xkg43 ). We are also in the process of setting up a wiki, to try and get all collected information in a more centralized and stable environment. Not bad for 2 months, I’d say.
What’s next? Not sure… it might have something to do with that open 6666 IRC port on their nexus server though ;)
But, of course, it’s at best a half truth. Now listen to this media release from Monsanto that followed.
“Last month, Monsanto experienced a disruption to our Web sites which appeared to be organized by a cyber-group,” Tom Helscher, director of corporate affairs, said in a statement provided to CNET. “In addition, this group also recently published publicly available information on approximately 2,500 individuals involved in the broader global agriculture industry. Contrary to initial media reports, only 10 percent of this publicly available information related to Monsanto’s current and former employees. The list also included contact details for media outlets as well as other agricultural companies.”
That’s the best a ten billion dollar multinational could muster! With all apologies to the IT and security people at Monsanto, because this probably came from some PR schmuck - BUT WHAT PUSSIES!!! Poor poor little Monsanto, such a victim of those big bad internet bullies, how will they ever survive? Quick, somebody call 911.
Secunia nail the other side of the coin in their half yearly report. It’s a shed load harder to take out a fully patched system, more than 50% harder. Now we can all follow Monsanto’s pathetic lead and “cry victim” or we could quit whining like losers and do some hard yards patching our systems.
Drugs in prisons

Prison guard Manu Stanley Jensen pleaded guilty to two charges of corruption after he admitted smuggling cannabis to a prisoner in Tongariro-Rangipo prison in New Zealand’s mid North Island.
“I felt sorry for him. He kept on asking me to bring it in. I would tell him, ‘Nah, nah, I’m not doing it,’ but then I got sick of him so I said, ‘OK, I’ll think about it,’ I struck up a friendship with him, more or less … I was seen as an easy target, I guess.”
The full news story here.
There are some places we as a society put a lot of effort into making secure. Banks, courts of law and airports are good examples and even some malls have security people around full time. The standout is of course prisons because, unlike a bank, mall or airport, people in prisons are mostly deemed and treated as untrustworthy and risk is always part of the equation. Also unlike most places they are purpose designed from the ground up to be secure. We’ve also had long experience of prisons and securing them over centuries; one would think if we could secure anything it would be a prison.
So this sad story says a lot about the limits of security outside brochures, sales promises and politicians. In the real world all the aspects of this story come into play. The weakest link is always going to be the insider. That’s because when we talk about an insider in this context we mean someone who was trusted. An enormous part of security is simply placing the lines of trust correctly: who/what is trusted and who/what is not. This issue of trust is a foundation of all security, and so when what was trusted is proven not to be trustworthy the entire system quickly breaks down, even if it was purpose designed. It shows one of the reasons why security is always a trade-off. At what point does double checking, triple checking, cross checking and checking the checkers for trust become counterproductive in terms of morale and cost?
For me, what makes this story sad isn’t just a man who made a mistake in friendship (his prisoner ‘friend’ was the one who ratted him out), it’s that the guard didn’t do it for money; he did it because he felt sorry for him. A misguided but well intentioned thought of mercy. The root weakness and basic limitation of security is staring at you from the mirror every morning. I defer to G.K. Chesterton, who, when the British daily newspaper The Times invited several eminent authors of the day to answer the question ‘What’s wrong with the world?’ had the self awareness and humility to reply in a letter:
Dear Sirs, I am. Sincerely yours, G.K. Chesterton.
Which of us has never opened a suspect email, ended up at a site or clicked on a link we perhaps shouldn’t have? This guard’s humanity and the limitations of his judgement failed to keep him safe, and that’s the story of security. History is littered with the betrayed, the double-crossed and corruption of every kind, security failures every one. So when someone promises you something will solve your security problems always remember - they can’t even keep drugs out of prisons.
Death of the Howard defence

In the year 2001 we were all still basking in the warm glow of the best Olympics ever and John Howard was prime minister of Australia on the cusp of a federal election. In the early afternoon of October 6th HMAS Adelaide and a Royal Australian P3-C Orion intercepted a wooden hulled vessel some 100 nautical miles north of Christmas Island in international waters and carrying 223 people, including 56 children.
By the time this incident played out shots had been fired, the ship boarded and forced back out of Australian waters, and 14 passengers had jumped overboard and been returned to the vessel. The weather deteriorated and the boat broke down, quite possibly from sabotage by the passengers who did not want to return to Indonesia. Under difficult conditions the boat, under tow from HMAS Adelaide, subsequently sank and a mass rescue of all passengers took place.
In the wake of this John Howard made public allegations that children had been deliberately thrown into the water as a way to secure entry into Australia. The ‘Children overboard’ incident became a major issue of that election.
In 2004 an Australian Senate inquiry concluded no children were in fact thrown overboard.
In the light of the facts what is of interest is the defence used by John Howard, when he claimed a month later he did not know these facts and was therefore misinformed by the defence department. In short, he was only going on what he had been told.
It seemed to me what Howard ushered into Australian life was a kind of selective hearing designed to create plausible deniability. Subtly different from the already established Oliver North defence where one simply stated ‘I have no recollection of that’. But better I always felt because Oliver North always came across as a village idiot who could hardly remember his own name. Under the Howard defence you could still retain an appearance of intelligence because who can be blamed for being misinformed by a third party?
Cut to the Federal Court ruling on Wednesday against the Centro property group. ASIC had alleged the directors of Centro failed to discharge their duty when they approved a set of accounts that, in the cruel light of the facts, had some billion dollar mistakes in them. The Centro directors used the Howard argument of plausible deniability. They argued they had relied on management’s and auditors’ advice; how could they be blamed for being misinformed?
In a death blow to the general spread of the ‘Howard defence’ the court ruled the Directors did have a responsibility to check the facts and make their own informed decisions. In his ruling Justice Middleton said, “A director is an essential part of corporate governance. Each director is placed at the apex of the structure of direction and management of the company. The higher the office that is held by a person, the greater the responsibility that falls upon him or her. The role of a director is significant as their actions may have a profound effect on the community, and not just shareholders, employees and creditors.”
I hope this spells the end of the ‘Howard defence’. It encouraged those in responsibility to seek ways to pass the liability and blame to some other patsy or fall guy. Not that it’s likely, but imagine if the average Australian board was held responsible for their organisational IT decisions!
When is it hacking?

My dictionary is new enough to include this definition of the word hacking: gain unauthorized access to. This is an emotive story where one political party is accusing another of hacking a database of financial donors. Emotive because that seems to be the lot of politics; constructive argument went the way of the dinosaur a long time ago. The main objective on any blog I have seen that has a political flavour is to put words in the opposition’s mouth, wilfully misconstrue any point that is made and attack the person but rarely the ball. The news article can be found on the Dominion Post here whilst the person doing the hacking has a blog that is here. For those interested in such details the blogger posted a video showing how he did it.
One side says he hacked their database, the other side claims he only pointed out how poor the security practices were and how the data was indexed at Google. So who is right?
Sadly for the blogger he probably doesn’t have a legal leg to stand on. For him to be in the clear the law would have to be linked somehow to the quality of someone’s security system, that is to say if someone has woefully poor security it is not a crime to access the system. This would be the equivalent of checking car doors in the street and finding any open ones to be woefully inadequate, thereby giving you the right to point out to the owner how poor their security was by taking something from their car.
From our position as an auditor of various security systems it is our opinion that it is illegal to even shop around people’s data ‘checking’ it for security without written permission from that party. Forget taking stuff out of the car - it is clearly illegal to be even trying the doors to begin with.
There seems a prevalent line of thought amongst technical computer folk that they have some right to snoop and check stuff. Maybe it comes from the tradition of security researchers finding bugs in various software. Or the use of phrases like white hat. Even a sense of community service is in the wings there somewhere. But going onto someone’s web site, downloading their donor listing without authorisation and then providing the explanation that the web site owner is to blame is wrong. This guy is morally confused and breaking the law in New Zealand or Australia.
The noise, the noise

Here is the lamentation of a man mourning the death of the engineer, the one whose profession is built on the truth. A worthy lament, for it’s a principle for all of life, in relationships, in nature and in your own thought life, that only the truth can set you free. A lie never can. Lying about your gambling addiction or your drinking problem will entrap you for as long as you choose to listen to those lies. Those unfortunate enough to know the Alcoholics Anonymous program will know this. Engineering does not escape this principle, for poor engineering is laid bare by the truth. His anger seeks out RSA with their forked words, clever half-said utterances and explanations laid carefully like a trap for animals. An empty wind of no gain. We still have no idea what actually happened at RSA, what was stolen, what risks are afoot as a result and what prudent steps should be taken. Such is the fruit of darkness and lies.
More targets for anger exist today than anger exists, I suggest. Google chooses not to quality check programs loaded into their store, hiding behind signs of buyer beware. Yet another host of programs was removed this week after professor Xuxian Jiang pointed out they were malicious. One had been there for some two months and downloaded 120,000 times, so buyer beware indeed. To rub salt into this wound, the technique used in these malicious programs closely mimics the existing holes created because Google refuses to code sign, an attack vector that was found a year ago. Their response to The Register was that “Code signing … does not guarantee an application cannot run untrusted code …”, the seeming equivalent of saying unless a thing has a 100% cast-iron guarantee it is not worth doing. Maybe if all attack vectors cannot be shut down we should abandon the effort to close any.
These two are far from unusual. We seem blighted with a disease called PR, where truth is simply dough to be massaged into a deceiving shape and the only rule being to get away with it. Financial institutions turned it into an art form and bankrupted themselves as their harvest from it. Our own channel partners hold meetings with us to assure us their goal is to ‘walk shoulder to shoulder into customer accounts’ before they sell our customer database to our competition, sell to those accounts direct and halve our sales margins. Who are these people, this cancer of greedy grasping hands that see no wrong and value not truth?
A century ago such practices were labelled propaganda and much was said in the West during the Cold War about its harmful effects on those in the East. In the twenty-some years since the Berlin Wall came down what was once reprehensible propaganda has become standard corporate practice. Security incidents are no longer engineering challenges, they are media events. The management of them is done by media people through media releases, with carefully posed pictures of the managing director smiling in a reassuring way and spouting warm but empty platitudes.
It’s become the music in our ears and the beat by which we walk. As Mr Cringely so pointedly says, ‘There is no excuse for bad engineering’, but the noise of it is so strong and all around that it’s hard to think. Hard to remember a time when it wasn’t this way and engineers simply stated the truth when things went wrong. I’m sick of that noise. Sick of half truth and lies. Life is short and people who believe lies or deception are foundations worth building on are clowns and fools fit only to be pitied.
Secrecy is not Security

Stupidity dressed up as ‘security’ has been a pet hate of mine for some time. In the name of ‘security’ we are radiated or fondled at international airports. Men of middle eastern extraction standing on Sydney Harbour Bridge with a high visibility vest during business hours was all about ‘security’. The list of URLs the government would like to ban wasn’t published because of ‘security’ concerns. Software vendors oppose publishing vulnerabilities in their engineering because ‘security’ might be compromised. The list goes on. Security seems the rug of choice under which every kind of theatrical hysteria, public liability and blind prejudice are swept.
There is a reason security draws so many to its banner and that magical attraction is secrecy. Many people assume secrecy automatically increases security, as if a thing being secret means it must be secure. On the face of it, it even sounds reasonable.
There are at least two major problems with this view. Firstly, secrecy is a two-edged sword that can either decrease or increase security depending on the circumstances. Secondly, there are many reasons people have secrets, most of them reasons other than security, and the alluring fragrance of secrecy attracts keepers of secrets like flies to rotting meat.
The story of VPN protocols is a good example of how secrecy didn’t increase security. IPSec is a VPN protocol that was developed in the full and open gaze of the public; many different parties from all over the world examined and tested the code and the logic that went into its design. Changes were made because of concerns security experts had with various aspects of it. About the same time Microsoft developed their own VPN protocol called PPTP in secret, away from the gaze of anyone else, hidden away in their own private coding world. After years of real world use PPTP is now thoroughly hacked and its design weaknesses open to public gaze while IPSec marches on. Secrecy didn’t do PPTP any good at all; it simply resulted in poor design, poor execution and a poor engineering solution.
The unfolding story of the RSA hacking shows another use of secrecy in stark relief. Their two factor authentication uses a set of master keys, which for the system to work must be kept secret at all costs. This is an example where secrecy must take place: the engineering can be open to public scrutiny, but the key that is used in the real world must never be known if the system is to remain secure. This highlights a weakness of the secret - once it is known the cat can never be put back in the bag. There is now zero security in the RSA system and that cannot now be reversed; the master keys that were obviously lost in the hacking can never become secret again. From this we learn that the fewer secrets a system has to lose the more secure it is, and the more secrets that can blow a system wide open, the less secure the design of that system is.
The downside of the incorrect use of secrecy is all around us. Secrecy is used to hide poor-quality software engineering and to deny risks that exist. The days of vendors threatening to sue researchers are supposedly gone, yet only last month Siemens managed to have the US Department of Homeland Security pressure an NSS researcher to pull the release of details, citing security concerns. Left in the dark, users of products have no way to accurately assess their own risk and make informed decisions. Fraud is possible because the truth is hidden and cannot be verified independently. Commercial liability is hurriedly buried in secrecy with the convenient excuse that more secrecy is keeping victims safe, while their personal and financial data bleeds onto the internet in monstrous proportions.
Secrecy is a necessary part of security, but they are not the same thing. Contrary to popular opinion, more secrets decrease the security of a system. When I am told secrecy is needed to keep a system secure, I remind myself that if its security would collapse under the slightest critical gaze then it can’t be a very securely designed system, can it?
RSA's worst nightmare

Defense contractor Lockheed Martin is experiencing massive network disruption; see this post from Bob Cringely’s blog.
RSA was hacked not so long ago, and RSA kept very secret exactly what was stolen while downplaying the impact it would have. I moaned about the lack of transparency on this blog right here and suggested the attack looked targeted and sophisticated, which never bodes well. RSA chose the “it’s just a PR incident” road; their open-letter PR spin is still on their web site here: RSA.
It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.
Yeah right, they stole the keys to the encrypted kingdom and the big concern is whether they got a home phone number… Who writes this stuff?
Lockheed had to shut down all remote access and is now re-issuing tokens and resetting passwords for over 100,000 employees. Ouch! To top it off, Lockheed is a huge US government defence contractor, so the question permutations just explode.
What was stolen from Lockheed?
Is Lockheed a back door to defence department networks?
What does RSA think of its PR incident now?
If they can get into a defence contractor what use are RSA tokens to us mortals?
With this level of sophistication can it be anything but a nation state behind it?
Will RSA stop hiding behind its wall of platitudes and secrecy so the security impact can be evaluated in the light of day?
I’m glad I don’t own RSA shares. New York Times article here.
Banks not good enough

At the minor risk of jeopardizing my future financing ability, I am going to criticize Aussie banks. On Thursday Commbank began cancelling credit cards due to what is described as ‘suspicious transactions’, the number of cards said to be about 8000. An update today at the Sydney Morning Herald suggests thousands of cards have also been cancelled by National Australia Bank, Bendigo Bank, Westpac and St George Bank.
That cards are cancelled without warning customers I have no problem with per se. If someone out there is using my credit card I want it cancelled as soon as possible; anything less would seem irresponsible and negligent.
What is distasteful is the lack of transparency when banks make mistakes with your data. Thousands of people have had at least their credit card details stolen; this much is known. Commbank stated they discovered suspicious transactions, which sounds quite minor, but then promptly cancelled 8000 cards, which doesn’t sound quite so minor. At this point we don’t even know exactly what was stolen, or how much personal data was taken aside from a credit card number. How many of these credit cards have been used? How long has the theft been going on? If my card hasn’t been cancelled, does that guarantee it wasn’t stolen and I’m not at risk?
Commonwealth Bank states that in any instance where a customer card has been compromised, the customer will be fully reimbursed and any fees refunded, which is good as far as it goes. What about legitimate transactions that were live on my credit card and not made by thieves, will they be cancelled? What if it was my rent or another important payment; does the bank guarantee to negotiate with my creditors, who are about to get a rude payment reversal?
We don’t know much at all, because banks seem more interested in their legal liability and media image than in their customers. A search of the Commbank web site and press releases this afternoon shows nothing, not even as much as is reported in the Sydney Morning Herald.
We know from the Sony hack that people’s personal details and credit cards are being used in the real world to open Amazon accounts that are then used for hacking. There is real risk to people who are being kept in the dark by banks that seem uninterested in the fraud risk they are exposing their customers to. In Australia I believe banks have an extra duty of care because they operate in a government-controlled banking oligarchy. If you get stiffed by a bank in Australia you can’t start your own; you’re trapped in a closed shop. An Australian banking licence is a licence to print money and should mean a higher level of responsibility.
This wall of secrecy is not in the best interests of the people who are the victims of bank mistakes. Secrecy is darkness, and history shows people do things they ought not to when they think the light will not shine.
The playstation hack

It’s only when the tide goes out that you discover who has been swimming naked. I don’t know who first coined the phrase, but it seems a rather apt observation to make as we look in detail at the trend behind the Sony PlayStation hack. At the moment it’s very cool and sexy to place your data ‘in the cloud’. It would be fair to say it’s a trend that’s in full force across almost every segment of our industry. Only the paranoid and those constrained by legal or regulatory means seem immune to its allure.
A big part of the cloud is data centres and hosting vendors like Amazon’s very popular EC2. The biggest attraction of cloud hosting is the price argument; often the business goal is to save a load of money. It’s always been seductive to promise more for less, and this is no exception. However, price isn’t the only thing EC2 offers; it’s also a very robust design and easy to sign up for. All you need is a name, a password, a phone number, a billing address and credit card information.
What’s interesting in the PlayStation hack is that’s exactly what the hackers did: they rented space at Amazon to hack Sony.
It doesn’t take much imagination to see how this is evolving. Millions of people’s personal details are stolen all the time, so much so that when Epsilon was hacked last month, in what the press described as a ‘massive and growing breach’, security expert Bruce Schneier wrote on his blog:
I have no idea why the Epsilon hack is getting so much press.
Yes, millions of names and e-mail addresses might have been stolen. Yes, other customer information might have been stolen, too. Yes, this personal information could be used to create more personalized and better targeted phishing attacks.
So what? These sorts of breaches happen all the time, and even more personal information is stolen.
A pragmatic view has been that while personal information has value, as long as credit card details or other financial information aren’t in the mix it’s ‘not so bad’. A quick look at the Amazon requirements shows how short-sighted that view is: you need more than a credit card alone to rent a server for hacking. Credit card data might be more immediately saleable, but conversely it is easier to cancel and change. Moving house and changing your legal name seem like extreme and expensive measures in comparison, and falsifying your birth date is probably illegal somehow.
At this point in history various hacking groups must be positively swimming in all kinds of personal data and financial information. It seems inevitable they would use those details to rent space at places like Amazon. Maybe it’s a failover strategy for when their own botnets are taken down. Maybe they like that robust design Amazon has. Or possibly it’s just cheaper and easier, like the advertising suggests. What can Amazon do about it? They have no way of telling who the bad guys are.
It’s an elegant twist of irony that Amazon servers were rented to hack Sony’s PlayStation network, from which credit cards were stolen together with names, birth dates, and physical and email addresses: pretty much everything you need to open an Amazon account.
As hackers of all kinds move into the cloud and nuzzle up to everyone else, even the most blasé of cloud users are going to be exposed. As the tide slowly goes out on the sexy place to put your data, we’ll start to see who has been swimming without their security clothes on.
