Sister CISA CISSP:

June, 2008

Jun 26 2008   1:10AM GMT

Hack My Coffee - Please



Posted by: Arian Eigen Heald
Security, Hardware & InfoSec, Stupid Technology, Tearing My Hair Out, Start Laughing Now

From Craig Wright comes this riveting post:

I have a Jura F90 Coffee maker with the Jura Internet Connection Kit. The idea is to:

“Enable the Jura Impressa F90 to communicate with the Internet, via a PC.
Download parameters to configure your espresso machine to your own personal taste.
If there’s a problem, the engineers can run diagnostic tests and advise on the solution without your machine ever leaving the kitchen.”

Guess what - it can not be patched as far as I can tell ;) It also has a few software vulnerabilities.

Fun things you can do with a Jura coffee maker:
1. Change the preset coffee settings (make weak or strong coffee)
2. Change the amount of water per cup (say 300ml for a short black) and make a puddle
3. Break it by engineering settings that are not compatible (and making it require a service call from the Internet!)

Craig goes on to reverse engineer the software, with predictable results: Coding with no security. The details are painful.

The connectivity kit for the coffee machine installs software that uses the connectivity of the PC it is running on to connect the coffee machine to the Internet. This allows a remote coffee machine “engineer” to diagnose any problems and to remotely do a preliminary coffee service. Be still my heart - a remote coffee machine ENGINEER. (A NEW acronym: RCME)

It seems the software allows the “RCME” (can you say “attacker?”) to gain access to the Windows system it is running on at the level of the user. For most of us, that would be administrator.

Compromise by Coffee.
Whoo HOO. Can’t wait to see this come up in an audit.

And you can buy it for only $1798.00 at Amazon.

What’s surprising is that this thing has been on the market since September 2006, and it seems to have just now hit the press.

And Jura’s response?

“Jura is well aware of these articles which it clearly qualifies as misinformation.”
So Jura says security researchers are wrong. A coffee maker company knows best! OOOKay.

“The internet Connectivity Kit which can optionally be acquired for only one device (IMPRESSA F90/F9)
And this makes insecure software better how?

“…will at no times connect the coffee machine to the world wide web.” Except the software allows a remote coffee machine ENGINEER to access the machine from the web. OOOKay, again, this is secure how?

“Its settings can therefore only be changed by the machine’s rightful owner.” And if a remote coffee machine ENGINEER is allowed to run diagnostics on the machine - is this statement accurate? What else can the remote coffee machine ENGINEER do while he/she is running those diagnostics?

I’m feeling a caffeine buzz already. Is this a high-risk vulnerability? No. Is it a good idea? NO.

Jun 25 2008   11:48PM GMT

Four Year Study - Part II - International CyberCrime is Increasing and WHY



Posted by: Arian Eigen Heald
Security, Identity theft, PCI DSS, Data Breaches

The study from Verizon had some interesting (and scary) information about the growing worldwide market for stolen data. For example, attacks from Asia, particularly from China and Vietnam, often involve application exploits leading to data compromise. Folks over there know about coding and automating attacks, and they have the motive: acquiring confidential information to use.

Defacements frequently originate from the Middle East - no surprise, given the hotheads there.

Internet protocol (IP) addresses from Eastern Europe and Russia are commonly associated with the compromise of point-of-sale systems. (Can you say “Hannaford?”)
Those folks are in it for the money.

One area not overly referenced in the report is the fact that banking hacks often originate from South America - looking for the really BIG money.

Retail, food and beverage industries account for more than 50% of the cases studied. Small and medium-sized businesses are still struggling to keep up with data security, especially for credit card information. Eighty percent of the data stolen was payment card information.

The other source in small companies is theft of employee/client personal information often found in HR/payroll databases and client GL (General Ledger) information. With little or no segregation of duties, providing oversight into who accesses that information is very difficult. The second highest type of data stolen (32%) was PII - personal information.

Which accounts for why so many businesses (70%) had breaches that were discovered by an outside party.

Here are some of Verizon’s recommendations for the Enterprise:

# Align process with policy. In 59 percent of data breaches, the organization had security policies and procedures established for the system, but these measures were never implemented. Implement, implement, implement.

# Create a data retention plan. With 66 percent of all breaches involving data that a company did not even know was on their system, it’s critical that an organization knows where data flows and where it resides. Identify data and prioritize its risk to the organization.

# Control data with transaction zones. Investigators concluded that network segmentation can help prevent, or at least partially mitigate, an attack. In other words, wall off data when and where appropriate.

# Monitor event logs. Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Data logs should be continually and systemically monitored and responded to when events are discovered.


Jun 23 2008   6:17PM GMT

One More Acronym and I am Going to Scream



Posted by: Arian Eigen Heald
Security, Tearing My Hair Out, Start Laughing Now

I know I’m an IT Auditor, and we should eat acronyms for breakfast, but it seems as if the focus on “achieving compliance” has brought out the worst in us. “We’re Compliant!” has become the holy grail of corporate management, and IT has jumped on the bandwagon because they can get funding for security products that way.

Round it off with the security vendors changing their market strategy to mindlessly follow this trend and you have an endlessly generated collection of “marketspeak.” Anton Chuvakin has jumped in to promote “GRC,” Governance, Risk, and Compliance. After that he used “IT GRC,” “Unified GRC,” and who knows what vendor will jump in with another riff off of that.

The latest one? “We have to get DLP.” (Data Leak Prevention) Please. Dr. Chuvakin redeems himself on this one, calling it by its true name: “content monitoring and filtering.”

How about “SaaS?” Cute lettering, isn’t it? Can you say: “Thin client?” along with “cost more?” Sigh. Until we can build enterprise software that incorporates security into the development lifecycle and patch our servers yesterday, getting the next new security product is water over the dam. The real thin client/virtual desktop is something I’ve seen in action, and I think it’s a pretty nifty idea. But SaaS is death by nickels and dimes.

Using the phrase “The Cloud” for the Internet is something else I find annoying. It’s incentivizing me, if you get my drift.

And “Web 2.0.” What the heck was Web 1.0 and why do we need 2.0? We can’t even agree on what “2.0” is.

Or “IPS.” Intrusion “Prevention” that we had to turn off because it was stopping so much legitimate traffic… yup, that was preventing intrusion all right.

I hope I’m not turning into Dvorak (the classic Internet curmudgeon), but I can certainly get cranky with all this nonsense.

Let’s hear YOUR favorites.


Jun 19 2008   1:03PM GMT

Verizon Four Year Study on Data Breaches - Well Worth Reading



Posted by: Arian Eigen Heald
Data Breaches, Security, Compliance, Identity theft

A Boston Globe article caught my eye. Although it’s not news to me (or probably you), here is more than anecdotal evidence that many medium and small businesses are still not making inroads into security issues.

The article reports on a study performed by Verizon Communications analyzing 500 data breaches since 2004, with a total of over 230 million compromised records. Also included are five of the biggest breaches ever reported.

In 63% of cases, at least two months went by before the breach was discovered. In 70 percent of cases, a third party discovered the breach and contacted the organization. That’s seventy percent of hacked businesses that did not know they had been broken into.

It’s a report that is well worth reading, unlike many vendor-based papers, and it provides some deeply interesting points to consider. I’ve added my conclusions after each point, in bold face:

“# Most data breaches investigated were caused by external sources. Thirty-nine percent of breaches were attributed to business partners, a number that rose five-fold during the course of the period studied.”
Segment and monitor your vendor and third-party access points.

“# Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. “
Control and monitor user access rights.

“# Of those breaches caused by hacking, 39 percent were aimed at the application or software layer. Attacks to the application, software and services layer were much more commonplace than operating system platform exploits, which made up 23 percent.”
Ensure the software your company purchases comes from a vendor with a strong security component in its SDLC (Software Development Life Cycle) and a commitment to test and report/fix OS patches in a timely manner.

“# Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, 90 percent of known vulnerabilities exploited had patches available for at least six months prior to the breach.”
(BIG no brainer) Patch your servers, especially those facing the Internet and database servers, quickly.

“# Only 18 percent of breaches were attributed to insiders (although when the culprit was an insider, the consequences of the breach were generally greater, exceeding the size of external breaches by ten to one)… In the case of insider attacks, IT administrators were by far the biggest culprits, accounting for 50 percent of attacks.”
Monitor your users with administrative access. Insiders still carry the highest risk.


Jun 17 2008   1:00PM GMT

Losing My Identity At the Drugstore Instant Photo Machine



Posted by: Arian Eigen Heald
Tearing My Hair Out, Data Breaches, Security, Identity theft, Stupid Technology

A few days ago I went with my partner to the local drugstore (all the big chains have these machines) to print out a jpeg to send with a card for Father’s Day. The picture was on a thumb drive for easy transport, and I was along to provide technical support (I try to at least appear useful).

Imagine my HORROR when, after plugging in the drive as the machine requested, I saw the machine begin reading everything on the thumb drive, including financial spreadsheets, letters, family photos and lots of confidential stuff. Turns out she was using the same thumb drive she backs up all her critical documents with to transport the photo to the drugstore.

Needless to say, it was too late to recall, and my poor partner could only say, “I didn’t know!” at my yelp of despair. We printed the photo and left, with me mumbling under my breath about what a good column THAT was going to make.

So, how long before some poor minimum wage guy working behind the counter and hacking on weekends says, “Hmmm. Look at all that interesting data along with all those dumb pictures.” There is no warning or indicator on the machines that we should think about what we’re giving away on those thumb drives along with pictures of junior and his new fishing rod. Perhaps they’re assuming we know better. (ROTFL)

More likely, it has not occurred to the designers or the drugstore management that those machines should only be reading .jpeg, .tiff, .bmp, .raw and other image files, not ALL files. Although the information was not printed, it was acquired. Even if there is no hard drive (which I highly doubt) the files would remain in memory. Where is all that information sitting? Who has access to it? Am I nervous? You betcha.

I can only wonder how long it will be before we get something in the news about these machines.
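Here is an added example (not code from the post or from any kiosk vendor) of the allowlist the post is asking for: an enumerator that only returns files whose extension is on an image allowlist and whose first bytes match that format’s signature, so a spreadsheet is never opened and a document renamed to .jpg is skipped. The sample “thumb drive” is constructed inside the demo, and treating .raw as extension-only (it has no single signature) is an assumption of this example.

```python
import tempfile
from pathlib import Path

# Image types the post says the kiosk should be limited to, with the header
# bytes that identify each format. RAW is a family of vendor formats with no
# single signature, so (an assumption here) it is accepted by extension alone.
SIGNATURES = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".tif":  (b"II*\x00", b"MM\x00*"),
    ".tiff": (b"II*\x00", b"MM\x00*"),
    ".bmp":  (b"BM",),
}
EXTENSION_ONLY = {".raw"}


def is_image_file(path: Path) -> bool:
    """Accept a file only if its extension is allowlisted and, where the
    format has a known signature, its first bytes match that signature."""
    ext = path.suffix.lower()
    if ext in EXTENSION_ONLY:
        return True
    if ext not in SIGNATURES:
        return False          # spreadsheets, letters etc. are never opened
    with path.open("rb") as f:
        head = f.read(8)
    return any(head.startswith(sig) for sig in SIGNATURES[ext])


def list_printable_images(root) -> list:
    """Return the relative paths of acceptable images under root, sorted."""
    root = Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and is_image_file(p))


def demo() -> list:
    """Build a constructed sample 'thumb drive' (backups mixed in with the
    photo) and return what the kiosk would be allowed to see on it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "dad.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 12)
        (d / "scan.tiff").write_bytes(b"II*\x00" + b"\x00" * 12)
        (d / "backup").mkdir()
        (d / "backup" / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 12)
        (d / "letter.jpg").write_bytes(b"%PDF-1.4 ...")  # document renamed .jpg
        return list_printable_images(d)
```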


Jun 12 2008   7:18PM GMT

SAS 70 Reports - Are They Worthwhile?



Posted by: Arian Eigen Heald
SAS 70, Admins and Auditors, Compliance, IT audit

I noticed a recent post on the boards questioning the value of SAS 70 Reports. Given that I do about 15 a year, I thought I’d venture an answer to that question.

First, it’s important to understand what a SAS 70 is NOT:

It’s not a checklist;

It’s not a certification;

It’s not a security assessment.

In fact, it doesn’t do a thing for your network security, except, perhaps, inadvertently. It does not directly attest to the quality of your network security, either; that’s not its function.

And only a certified public accounting firm can do one, because a certified public accountant must sign off on the report.

So what CAN such a report do for your organization, and why? Are your customers constantly asking for one? Are you losing business because you don’t have one?

That’s next.


Jun 10 2008   12:56AM GMT

Identity Theft and Your Tax Returns



Posted by: Arian Eigen Heald
Security, Identity theft, TCM (Truly Clueless Management)

Thieves continue to get more and more creative with personal information. Computerworld reports that so far 155 medical students from the University of California at Irvine have experienced fraud from identity theft.

The criminals used their personal information to file fraudulent tax returns and then collect the tax refunds.

(Question: Medical students? I can’t think of a poorer group of people. My medical student niece has a great T-shirt with “Massive Debt” on the front.)

The original loss of information came from United Healthcare, the health provider for UCI students, where over 1,000 identities were stolen. UHC was unaware of the breach. The spokesperson seemed to think it was local to UCI - and nothing further bad was happening… Guess it was not happening to HER.

“Local and federal law-enforcement agencies have been called in to help with the investigation, and they have traced the source of the data breach to United Healthcare, the carrier for the school’s graduate student health-insurance program.”

The way this was discovered was by the students attempting to file tax returns. And what about those tax “rebates?” Gotten yours? Maybe not…


Jun 3 2008   3:01PM GMT

Eigen’s 2008 InfoSecurity “Rules of Thumb”



Posted by: Arian Eigen Heald
Security, Eigen's Rules of Thumb, Compliance, IT audit, Tools for Auditing and Security, Steps to an Easy Audit, Tools & Tricks of the Trade

Rule #1 - You can pay now, or you can pay later, but if you choose to pay later, you will pay MORE.

Rule #2 - You can outsource function, but you cannot outsource responsibility.

Rule #3 - A classic, shamelessly plagiarized: “Faster, Better, Cheaper. Pick TWO.”

Rule #4 - Make NICE with your auditors, no matter how dumb they are.

Rule #5 - The volume of company executives screaming about the “cost” of information security is the direct inverse of how little money they’ve put into it in the past.

Rule #6 - Don’t expect the best audit from the cheapest bidder. You get exactly what you pay for. Unless, of course, that’s exactly what you want. See Rule #1.

Rule #7 - Compliance with regulations is a Gentleman’s C.

Rule #8 - If you have “checkbox security,” you will have a box full of checks. Paid to other people.

Rule #9 - The skills of your IT people directly relate to the training they receive. See Rule #1.

Rule #10 - No more acronyms! PCMCIA.