Sister CISA CISSP: January, 2009 archives


Jan 29 2009   7:45PM GMT

WOOT! Zombies in Texas



Posted by: Arian Eigen Heald
TCM (Truly Clueless Management), Start Laughing Now

Sometimes you just have to laugh: hackers edited roadside signs in Texas.

I am willing to bet that the padlock was flimsy and the password even flimsier (IF it had one). Nice of them not to use naughty words and REALLY embarrass the Public Works Department. And when was the last time that password was changed? (Oops, I must remember I’m talking about Texas.)

The head of Public Works got all huffy, but really should have been considering what the sign might have said, and thanking his lucky stars he got off so lightly. Check out the KXAN spoofings of the Zombie alert.

It goes to show you that the low-tech attack on high-tech trumps fancy attack code every time.

Jan 27 2009   5:51PM GMT

More on the Heartland Breach



Posted by: Arian Eigen Heald
Security, Data Breaches

Some interesting information is coming forward about the break in at Heartland Payment Systems. The Secret Service has identified an overseas suspect, according to StoreFront BackTalk.

What’s more interesting (to me, at least) is that the sniffer software installed on Heartland’s systems was deactivated when it was found. This can mean any number of things, including that it was not the malware that actually accompanied the data theft, that it was waiting to be re-activated, or that it was turned off because the thieves knew they had been spotted.

From an audit perspective, this makes me return to the challenge of how we monitor changes to our systems. How do we know when something has been installed or deleted? There are a number of software packages that purport to be able to monitor and report on changes (Tripwire comes to mind), but as an engineer I know that changes happen on a server architecture all the time.

Do we simply monitor traffic to and from the systems? I can’t imagine that this would be feasible with payment systems that have 100 million transactions a month, like Heartland.

Do we look for anomalies in the traffic? Even tougher and more CPU intensive. We can match outbound traffic at the firewall against block lists of known malware servers, but those lists change constantly.

Ideas? Suggestions? I’m shaking my head.
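One partial answer to “how do we know when something has been installed or deleted?” is the approach Tripwire takes: record a hash, size and permission bits for every file, keep that baseline somewhere the server cannot rewrite it, and diff later snapshots against it. The following is an added example, not code from the original post or from Tripwire; the directory layout, file names and the simulated intrusion in demo() are constructed for the demonstration, and the excluded directories (log, tmp) are an assumption standing in for the tuning work that keeps constant server churn out of the report.

```python
"""Added example (not from the original post): a minimal Tripwire-style
file-integrity baseline. Record a digest, size and mode for every regular
file, then diff a later snapshot against the stored baseline to see what
was added, removed or changed. Paths and files in demo() are constructed."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# One record per file: (sha256 hex digest, size in bytes, permission bits).
Record = Tuple[str, int, int]

# Directories whose contents churn constantly are left out of the baseline;
# on a real host this exclusion list is the tuning work that keeps the report usable.
DEFAULT_EXCLUDE = ("log", "tmp")


def _sha256(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str, exclude=DEFAULT_EXCLUDE) -> Dict[str, Record]:
    """Walk root and record every regular file below it (symlinks are skipped)."""
    records: Dict[str, Record] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in exclude]
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records[rel] = (_sha256(full), st.st_size, stat.S_IMODE(st.st_mode))
    return records


def diff(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, List[str]]:
    """Report files that appeared, vanished or changed since the baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "changed": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, data: bytes, mode: int = 0o644) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, then simulate an intrusion."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/payproc", b"#!/bin/sh\necho processing\n", 0o755)
        _write(root, "bin/oldtool", b"#!/bin/sh\nexit 0\n", 0o755)
        _write(root, "etc/app.conf", b"listen=443\n")
        _write(root, "log/app.log", b"start\n")
        baseline = snapshot(root)

        # Simulated attacker activity: a sniffer library is dropped, the config
        # gains an export host, a helper is deleted, a binary is made world-writable.
        _write(root, "lib/sniffd.so", b"\x7fELF constructed sample\n", 0o755)
        _write(root, "etc/app.conf", b"listen=443\nexport=203.0.113.7\n")
        os.remove(os.path.join(root, "bin/oldtool"))
        os.chmod(os.path.join(root, "bin/payproc"), 0o777)
        # Normal churn in an excluded directory must not raise an alert.
        with open(os.path.join(root, "log/app.log"), "ab") as fh:
            fh.write(b"request\n" * 100)

        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is only as trustworthy as its storage: an attacker who can rewrite the baseline file on the same host simply re-baselines after installing the sniffer, which is why Tripwire signs its database and why the comparison should run from, or report to, a system the monitored server cannot write to.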


Jan 22 2009   5:49PM GMT

When a Patch is Not a Fix - We Have the Downadup Worm



Posted by: Arian Eigen Heald
Security, Microsoft Windows, Tearing My Hair Out

If you haven’t heard by now, the “Downadup” worm (given various other names by competing vendors) is propagating itself like crazy across the Internet. Various software vendors have added some artificial hype about how fast it is spreading, but I didn’t get sweaty palms until I read that US-CERT is now saying that the patch/TechNet article Microsoft released to address the issue doesn’t work.

Here’s how it’s going so far: one of the ways the worm spreads is via the “autorun” feature, which is triggered whenever a removable device is connected to a computer. This includes, but is not limited to, inserting a CD or DVD, connecting a USB or FireWire device, or mapping a network drive. That connection can result in code execution without any additional user interaction.

So Microsoft issued an out-of-cycle patch that wasn’t really a patch or a fix, just a workaround. The workaround involves disabling the autorun function through the Windows registry. The instructions in TechNet article 91525 were incorrect and did not fully disable autorun.

So if you’ve done this on your network, and think you are safe…..you’re not.

A newer Microsoft Technet article is available here.

At first I was confused, because the article provides instructions for a way to disable autorun as a “workaround” against the worm propagating itself. The information does not address the vulnerability the worm is actually designed to exploit.

After some more digging, the vulnerability we should actually be concerned about is the one in the Windows “Server” service that the worm attacks, the subject of a Microsoft Security Bulletin in October 2008. The exact details from Security Bulletin MS08-067 are as follows:

“This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. On Microsoft Windows 2000-based, Windows XP-based, and Windows Server 2003-based systems, an attacker could exploit this vulnerability over RPC without authentication and could run arbitrary code. If an exploit attempt fails, this could also lead to a crash in Svchost.exe. If the crash in Svchost.exe occurs, the Server service will be affected. The Server service provides file, print, and named pipe sharing over the network. The vulnerability is caused by the Server service, which does not correctly handle specially crafted RPC requests.”

It seems the only “solution” we are offered from Microsoft for users of anything other than Server 2008 is a manual fix to try and stop propagation.

Where’s the real fix? Not the workaround (which didn’t work). Am I missing something? “Where’s the beef?”
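Since the registry workaround is what most shops actually applied, it is worth being able to audit whether it was applied in full. The following is an added example, not code from the original post or from Microsoft: an audit check over registry snapshots (constructed here; on a live host the same keys come from `reg query` or Python’s winreg module). Two things have to hold for autorun to be off: every drive-type bit in NoDriveTypeAutoRun must be set (0xFF), and the IniFileMapping entry for Autorun.inf must point at a key that does not exist, which is the extra step US-CERT recommended because the policy value alone still let Explorer honour autorun.inf when a drive was double-clicked. The check covers only this propagation workaround; it says nothing about whether the MS08-067 update is installed.

```python
"""Added example (not from the original post): audit whether the Windows
Autorun workaround was applied completely. Registry snapshots are
constructed dicts of the form {key_path: {value_name: data}}, where ""
is a key's (Default) value."""
from typing import Dict, List, Optional

POLICY_VALUE = "NoDriveTypeAutoRun"
HKLM_POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
HKCU_POLICY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
INIMAP_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
INIMAP_EXPECTED = "@SYS:DoesNotExist"

# Bit meanings for NoDriveTypeAutoRun; a set bit disables Autorun for that drive type.
DRIVE_BITS = {
    0x01: "unknown drive",
    0x02: "no root directory",
    0x04: "removable (USB, floppy)",
    0x08: "fixed disk",
    0x10: "network share",
    0x20: "CD/DVD-ROM",
    0x40: "RAM disk",
    0x80: "unknown type (reserved)",
}

Registry = Dict[str, Dict[str, object]]


def _lookup(reg: Registry, key: str, value: str) -> Optional[object]:
    return reg.get(key, {}).get(value)


def audit_autorun(reg: Registry) -> List[str]:
    """Return findings; an empty list means the workaround is complete."""
    findings: List[str] = []

    # Machine policy overrides user policy, so HKLM is authoritative and
    # HKCU only matters when no machine-wide value exists.
    mask = _lookup(reg, HKLM_POLICY, POLICY_VALUE)
    scope = "HKLM"
    if mask is None:
        mask = _lookup(reg, HKCU_POLICY, POLICY_VALUE)
        scope = "HKCU"
    if mask is None:
        findings.append("NoDriveTypeAutoRun not set; Windows default applies")
        mask = 0
    elif not isinstance(mask, int):
        # A REG_SZ containing "0xFF" is a classic mistake: it must be a REG_DWORD.
        findings.append(f"{scope} NoDriveTypeAutoRun is not REG_DWORD: {mask!r}")
        mask = 0
    for bit, label in DRIVE_BITS.items():
        if not mask & bit:
            findings.append(f"Autorun still enabled for {label} (bit 0x{bit:02X} clear, {scope})")

    # Even at 0xFF, autorun.inf is still parsed on double-click unless the INI
    # mapping sends Explorer to a registry key that does not exist.
    if _lookup(reg, INIMAP_KEY, "") != INIMAP_EXPECTED:
        findings.append("IniFileMapping\\Autorun.inf not redirected; autorun.inf is still honoured")
    return findings


def is_fully_disabled(reg: Registry) -> bool:
    return not audit_autorun(reg)


# Constructed snapshots for the three states an auditor actually encounters.
SNAP_DEFAULT_XP: Registry = {HKCU_POLICY: {POLICY_VALUE: 0x95}}       # out of the box
SNAP_OLD_GUIDANCE: Registry = {HKLM_POLICY: {POLICY_VALUE: 0xFF}}     # value set, mapping missing
SNAP_COMPLETE: Registry = {
    HKLM_POLICY: {POLICY_VALUE: 0xFF},
    INIMAP_KEY: {"": INIMAP_EXPECTED},
}

if __name__ == "__main__":
    for name, snap in [("default", SNAP_DEFAULT_XP),
                       ("old guidance", SNAP_OLD_GUIDANCE),
                       ("complete", SNAP_COMPLETE)]:
        print(name, "->", audit_autorun(snap) or ["OK"])
```

The SNAP_OLD_GUIDANCE case is the one the post is about: the policy value looks right in regedit, yet the host still runs autorun.inf from a mounted drive.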


Jan 20 2009   9:03PM GMT

Hannaford Redux - Another Break-in From the Inside



Posted by: Arian Eigen Heald
Security, Data Breaches, PCI DSS

Heartland Payment Systems, the sixth-largest US credit card payment processor, has just acknowledged that its payment systems have been breached. The discovery of malware on the systems by forensic auditors last week led to the announcement.

Credit card payment processors have to meet extensive requirements to keep their systems secure. Their systems and applications must comply with the Payment Card Industry Data Security Standard (PCI DSS), and they must pass an external compliance audit every year.

According to the CFO, the forensic teams found that hackers “were grabbing numbers with sniffer malware as it went over our processing platform.” I immediately thought of Hannaford and the same issue of sniffer capture.

Heartland processes over 100 million credit card transactions a month. That’s far more than the 2 million processed by Hannaford. The FBI and Secret Service are involved. The breach was discovered not by Heartland but by Visa, which noticed a pattern of suspicious activity that traced back to Heartland as the common denominator.

This is really not surprising. There is obviously a group of talented coders who have figured out how to drop this code on critical servers to capture data as it “goes by.”

I’m sure the Payment Card Consortium does not want to have to add “encrypt all your data streams, inside and out, on your network” to the PCI standard, but I believe it’s inevitable. Internal networks are no longer an inviolate zone where sensitive data can travel unencrypted.


Jan 15 2009   9:31PM GMT

Most Dangerous Programming Errors from SANS/MITRE



Posted by: Arian Eigen Heald
Security, programming

Apropos of a previous post on poor software programming practices, a “Top 25 Programming Errors” list was released this week by SANS and MITRE.

The main goal of the Top 25 list is to stop vulnerabilities at the source by educating programmers on how to eliminate all-too-common mistakes before software is even shipped. The list is meant as a tool for education and awareness that helps programmers prevent the kinds of vulnerabilities that plague the software industry. Software consumers can use the same list to ask for more secure software, and software managers and CIOs can use it as a measuring stick of progress in their efforts to secure their software.

In a nutshell:

The Top 25 is organized into three high-level categories that contain multiple CWE entries.
Insecure Interaction Between Components
These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.

* CWE-20: Improper Input Validation
* CWE-116: Improper Encoding or Escaping of Output
* CWE-89: Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
* CWE-79: Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)
* CWE-78: Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)
* CWE-319: Cleartext Transmission of Sensitive Information
* CWE-352: Cross-Site Request Forgery (CSRF)
* CWE-362: Race Condition
* CWE-209: Error Message Information Leak

Risky Resource Management
The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

* CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
* CWE-642: External Control of Critical State Data
* CWE-73: External Control of File Name or Path
* CWE-426: Untrusted Search Path
* CWE-94: Failure to Control Generation of Code (aka ‘Code Injection’)
* CWE-494: Download of Code Without Integrity Check
* CWE-404: Improper Resource Shutdown or Release
* CWE-665: Improper Initialization
* CWE-682: Incorrect Calculation

Porous Defenses
The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.

* CWE-285: Improper Access Control (Authorization)
* CWE-327: Use of a Broken or Risky Cryptographic Algorithm
* CWE-259: Hard-Coded Password
* CWE-732: Insecure Permission Assignment for Critical Resource
* CWE-330: Use of Insufficiently Random Values
* CWE-250: Execution with Unnecessary Privileges
* CWE-602: Client-Side Enforcement of Server-Side Security

You can read the entire document on the SANS website or at MITRE, where related attack patterns have also been correlated with each error. It’s a sobering read, and considering how elemental some of these errors are, it’s dismaying to see them still so high on the list.

I’ve seen at least five of these errors in audit exams this year, and more than once. The most common one I see is CWE-250 - Execution with Unnecessary Privileges.


Jan 13 2009   3:34PM GMT

The Purpose of Audit



Posted by: Arian Eigen Heald
Database security, Data Breaches, IT audit, Admins and Auditors

Bruce Schneier’s latest Crypto-Gram contained a discussion about the purpose of audit. He was commenting on the fact that Barack Obama’s phone records, passport file and aunt’s immigration status were inappropriately accessed by State Department, immigration and Verizon employees.

Because of good audit controls, the State Department’s electronic monitoring alerted supervisors when the information was inappropriately accessed. Verizon fared less well, and Immigration has no idea who accessed the information.

“Audit helps ensure that people don’t abuse positions of trust.” Too bad Countrywide didn’t have such alarms in place to catch the guy siphoning off information to sell. Or the guy who walked out the building with hundreds of thousands of dollars of hardware over the course of 10 years.

With hard statistics this year that insiders, either by ignorance or malfeasance, have been a large source of data breaches, having good audit trails and controls in place makes more and more sense.

With so many large databases out there holding such private information, how can we continue to pretend that it only happens to other businesses? And complaints about the cost of security just aren’t cutting it anymore. The incredible COST of a data breach just keeps rising.

Pointing fingers and saying the other guy should be responsible for security doesn’t work either. Ultimately, responsibility rests with those who have the data to safeguard the data - no matter what form it takes: inside a database, on a backup tape, on a laptop, on a web server.

If we’re going to use personal information to make money for our business, we’d better be prepared to protect that information - from ourselves and other employees.


Jan 8 2009   6:10PM GMT

First GROAN of the New Year



Posted by: Arian Eigen Heald
Security, Tearing My Hair Out

I was doing an audit today (I know, the term “audit” should only be used in connection with a financial exam, but everybody but Public Accountants uses it this way) and examining the users inside a SQL database that holds one heck of a lot. I wish more IT auditors would start looking inside databases.

Every single application ID was “db_owner” in its database. Every single one. All these different application functions, with “db_owner” rights. Why bother to have a dozen IDs? Just to fool the client? Guess so. Yes, the application does respond based on Windows user ID, but the application ID, which accesses the database for the application, has total rights over the database. It makes everything work just hunky-dory (dating myself, I know) but there’s six ways to Sunday to utilize that kind of power inside the database.

Developers do it this way because it’s fast and easy. But combine this with a badly configured web server and you have a break-in waiting to happen. That’s exactly what I’m looking at today, and it really makes me wonder when business is going to wake up and secure their software.
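For anyone who wants to look inside the database the way the post urges, here is an added example, not code from the original post: the SQL Server catalog query that lists which principals hold db_owner (or the other roles that amount to full control), a small function that turns the result into findings, and the T-SQL that replaces db_owner with an execute-only role so a web application can call its stored procedures but cannot read tables directly, alter objects or grant itself rights. The result rows are constructed, and the role and schema names (app_exec, dbo) are assumptions.

```python
"""Added example (not from the original post): audit db_owner membership in a
SQL Server database and generate least-privilege remediation. Result rows and
role/schema names are constructed for the demonstration."""
from typing import Dict, List, Tuple

# Catalog query to run in each application database. Each row is
# (member name, member type, role name) for the fixed roles that amount
# to full control of the database.
AUDIT_QUERY = """
SELECT m.name AS member, m.type_desc AS member_type, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name IN ('db_owner', 'db_securityadmin', 'db_ddladmin')
ORDER BY m.name;
"""

PRIVILEGED_ROLES = {"db_owner", "db_securityadmin", "db_ddladmin"}

Row = Tuple[str, str, str]


def find_overprivileged(rows: List[Row], allowlist=("dbo",)) -> Dict[str, List[str]]:
    """Group privileged role memberships by principal. The database owner
    (dbo) is always in db_owner by definition, so it is excluded; anything
    else, and an application ID in particular, is a finding."""
    findings: Dict[str, List[str]] = {}
    for member, _member_type, role in rows:
        if member in allowlist or role not in PRIVILEGED_ROLES:
            continue
        findings.setdefault(member, []).append(role)
    return {m: sorted(roles) for m, roles in sorted(findings.items())}


def remediation_sql(member: str, role: str = "app_exec", schema: str = "dbo") -> List[str]:
    """T-SQL that moves an application ID from db_owner to an execute-only role.
    sp_addrolemember/sp_droprolemember work on every version from 2005 on;
    ALTER ROLE ... ADD MEMBER is the newer equivalent on 2012 and later."""
    return [
        f"IF DATABASE_PRINCIPAL_ID('{role}') IS NULL CREATE ROLE [{role}];",
        f"GRANT EXECUTE ON SCHEMA::[{schema}] TO [{role}];",
        f"EXEC sp_addrolemember '{role}', '{member}';",
        f"EXEC sp_droprolemember 'db_owner', '{member}';",
    ]


# Constructed result set standing in for what AUDIT_QUERY returned.
SAMPLE_ROWS: List[Row] = [
    ("app_orders", "SQL_USER", "db_owner"),
    ("app_reports", "SQL_USER", "db_owner"),
    ("app_reports", "SQL_USER", "db_ddladmin"),
    ("dbo", "SQL_USER", "db_owner"),
]

if __name__ == "__main__":
    for member, roles in find_overprivileged(SAMPLE_ROWS).items():
        print(f"-- {member} holds {', '.join(roles)}")
        print("\n".join(remediation_sql(member)))
```

Before dropping db_owner, confirm the application really only calls stored procedures; if it issues ad hoc SQL against tables, the execute-only role will break it and the honest fix is a role with SELECT/INSERT/UPDATE on exactly the tables it needs, never the whole database.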

KPMG is saying that breaches are going to increase in 2009, and I can’t help but agree.


Jan 5 2009   2:24PM GMT

Encrypting Company Laptops



Posted by: Arian Eigen Heald
Security

It is amazing to me that businesses are still issuing laptops to employees that do not have encryption. That being said, what do we mean when we say “the laptop is encrypted?”

There are three scenarios for encrypting portable computers:

1. Windows Encrypting File System (EFS)
2. Third-party file, directory encryption software
3. Third-party whole disk encryption software

When you are making a decision on products to use, consider the following:

1. What algorithm and key length does the vendor state? If the documentation says the algorithm is “proprietary,” throw it in the trash.

2. If the laptop is stolen, and there is a public announcement, is it going to sound better to say: “The whole disk was encrypted,” or, “They could get into the laptop because just some files were encrypted.” Consider your reputation risk.

3. If only files are encrypted, and I crack the password and get in as the user, does it automatically decrypt the files for me? Better check.

4. Can the software encrypt other items, like USB drives? Even better, if it does it automatically.

Don’t fall for the argument that disk encryption software is “too expensive.” What’s your reputation worth? Not only that, TrueCrypt is a GREAT free encryption product. For small business environments with 2 or 3 laptops, send them a donation and get going; it’s a great product.


Jan 1 2009   4:40AM GMT

Picture This….with a Free Virus!



Posted by: Arian Eigen Heald
Security, TCM (Truly Clueless Management), Tearing My Hair Out

From Slashdot comes the painfully unsurprising news about digital picture frames: the software installation CD ships with a virus, W32.Sality.AE.

WalMart and Amazon sold these items during the Christmas season this year. Although Mercury and Samsung are the brands listed, all digital frames have left my Christmas list.

A little further digging reveals that a Trojan affecting a wide variety of digital frames has been attached to numerous software installers made in China. Given that 2.26 million digital frames were sold in 2007, according to the Consumer Electronics Association, which expected sales to grow to 3.26 million in 2008, this issue really ought to be getting a lot more press.

The Trojan recognizes over 100 different brands of anti-virus software. I’d be reformatting my disk right about now, because it is very hard to locate and remove.

This was a known issue in February of 2008 - why didn’t Amazon and Walmart vet the software with the frames before selling them this Christmas?