Tearing My Hair Out archives - Sister CISA CISSP


Oct 30 2009   12:53AM GMT

When a “Fix” is Not a Fix - The Fix is In



Posted by: Arian Eigen Heald
Wireless, Stupid Technology, TCM (Truly Clueless Management), Data Breaches, Tearing My Hair Out, Hardware & InfoSec, information security

In my previous post, I discussed the enormous security flaw in the Time Warner/SMC modem.

Lo and behold, I am visited by “Adam Wood,” who left a comment defending SMC and telling me/us what a wonderful job SMC is doing about this issue.

(That’s got to be a really crappy job for a lowly PR flack; surfing the Internet for comments on the SMC modem, and uploading a canned positive comment wherever he can.)

Despite “Mr. Wood’s” comments about how SMC is fixing the problem in an absolutely wonderful way, I admit to some slight cynicism. Especially after reading more from David Chen, the guy who found it in the first place.

According to Mr. Chen, Time-Warner claimed to have pushed out a “temporary fix.” But here is his latest conclusion:

UPDATE: Finally figured out what the “patch” Time Warner deployed was. If a user tries to login with the user/user account, it simply kicks them back to the login page with javascript. All routers are still open to the internet and all still have the same default admin password.

It seems that a fix from Time-Warner or SMC consists almost entirely of PR.

Oct 21 2009   6:52PM GMT

Using Time-Warner as Your Internet Provider? Check Your Modem QUICKLY



Posted by: Arian Eigen Heald
Stupid Technology, Data Breaches, data security, Wireless, information security, Tearing My Hair Out

As of 10/20/09, a software maven has written up a major security hole (one you can drive a TRUCK through) in the wifi/cable modem models issued to customers who don’t want to use their own equipment.

Here’s the link, in all its details, by David Chen, writing up the vulnerability, which HAS been confirmed by Time-Warner. As of this writing, Time-Warner has no plans to change or resolve the vulnerability.

Here’s the quick version:

The modem: SMC8014 series cable modem/wifi router combination

Issue 1 : Time-Warner/SMC has the modem locked down in a default mode which is not accessible to the average user. The default configuration has a default username/password and has locked WEP as the wifi encryption with a standard SSID. (You might as well make the SSID: HACK_ME_I’M_EASY)

Issue 2: Admin access to the modem is hidden by JavaScript in the web interface rather than enforced by the device itself. When David Chen disabled JavaScript in his browser, he could see all the admin features, including something called “Backup Configuration File.”

Issue 3: The backup configuration file comes in a plain text file, which includes the admin ID and password. In plain text.

Issue 4: By default, the web admin interface is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, David Chen easily found dozens of these routers, open to attack.

So you KNOW that since this has been picked up by Wired, every knucklehead out there will be looking for these routers to play with.

The resolution to this mind-boggling issue that Time-Warner says they can’t do anything about?

Replace the modem - ASAP. And, complain, complain, complain.
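Issues 2 through 4 above, and the JavaScript redirect that later passed for a “patch,” share one root cause: the only thing standing between the Internet and the admin password is script running in the attacker’s own browser. The following is an added example (mine, not David Chen’s write-up and not SMC or Time-Warner code) that models the two designs as plain request handlers. The config fields, the LAN range 192.168.100.0/24, the path /backup.cfg and the “hunter2” password are all constructed for the example; the real SMC8014 backup format is not on the page.

```python
import base64
import hashlib
import hmac
import ipaddress
import os

# Constructed device state for the example (not the real SMC8014 format).
ADMIN_USER = "admin"
ADMIN_SALT = os.urandom(16)
# The hardened device keeps a salted hash, never the clear-text password.
ADMIN_HASH = hashlib.pbkdf2_hmac("sha256", b"hunter2", ADMIN_SALT, 100_000)
CONFIG = {
    "ssid": "EXAMPLE-SSID",
    "wep_key": "0123456789",          # constructed; WEP is weak regardless
    "admin_user": ADMIN_USER,
    "admin_pass": "hunter2",          # what the vulnerable export leaks
}
LAN = ipaddress.ip_network("192.168.100.0/24")  # assumed LAN side of the device


def handle_weak(path, src_ip, auth_header=None):
    """The design the post describes: the link to /backup.cfg is merely hidden
    (or redirected) by JavaScript in the browser. The server never looks at the
    source address or credentials, and the export carries the admin password."""
    if path != "/backup.cfg":
        return 404, ""
    return 200, "\n".join(f"{k}={v}" for k, v in CONFIG.items())


def _basic_auth_ok(auth_header):
    """Verify an HTTP Basic credential against the stored salted hash."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), ADMIN_SALT, 100_000)
    return user == ADMIN_USER and hmac.compare_digest(candidate, ADMIN_HASH)


def handle_hardened(path, src_ip, auth_header=None):
    """Same endpoint, with the checks done where they count: on the server.
    1. management interface answers only to LAN addresses;
    2. every admin request needs credentials;
    3. the backup never contains the admin password."""
    if path != "/backup.cfg":
        return 404, ""
    if ipaddress.ip_address(src_ip) not in LAN:
        return 403, "management interface is reachable from the LAN only"
    if not _basic_auth_ok(auth_header):
        return 401, "authentication required"
    exported = {k: v for k, v in CONFIG.items() if k != "admin_pass"}
    return 200, "\n".join(f"{k}={v}" for k, v in exported.items())


def basic(user, password):
    """Build an HTTP Basic Authorization header value for a request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    # Same request from a WAN address against both designs.
    print("weak, from WAN, no auth:", handle_weak("/backup.cfg", "203.0.113.9"))
    print("hardened, from WAN, valid auth:",
          handle_hardened("/backup.cfg", "203.0.113.9", basic("admin", "hunter2")))
    print("hardened, from LAN, valid auth:",
          handle_hardened("/backup.cfg", "192.168.100.20", basic("admin", "hunter2")))
```

Note what the JavaScript “patch” in the later post changes in this model: nothing. A client that ignores the script, or a port scanner that never loads the page, talks to handle_weak exactly as before. Disabling JavaScript is only the simplest way to demonstrate that; any HTTP client will do.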


Apr 29 2009   11:46AM GMT

Encrypt Your Laptops NOW



Posted by: Arian Eigen Heald
Data Breaches, laptop security, Tearing My Hair Out, laptop encryption

SC Magazine has reported that a laptop belonging to the State of Oklahoma was stolen, with 1 million names, Social Security numbers, birth dates and home addresses of Oklahoma’s Human Services’ clients receiving benefits from programs such as Medicaid, child care assistance, nutrition aid and disability benefits.

All this was secured with a password. The State of OK seems to think that is adequate protection - has nobody there heard of a Linux boot disk? It will take (and probably already has taken) a cracker ten minutes or less to gather the SAM database, and probably not much time to crack the password.

No excuses! Get it done. The cost of losing a laptop is now estimated at $50,000, once you add in the cost of corporate security efforts, bad publicity, and lawsuits. No one is too small to get sued.


Mar 17 2009   2:13AM GMT

The Emperor Has No Clothes



Posted by: Arian Eigen Heald
Start Laughing Now, PCI DSS, Tearing My Hair Out, Data Breaches

Visa is in a difficult position: it has said that merchants must be compliant, and the ultimate threat is to pull processing permissions from non-compliant merchants.

But if one of the merchants turns out to be a payment processor that generates huge profits for Visa, do they cut off their nose to spite their face? Evidently not. They just make them non-compliant. Sort of.

According to StorefrontBacktalk.com, Visa has declared that Heartland is no longer on the list of “PCI-compliant” vendors. Rather, Heartland is in a probationary period, with increased oversight, audits, etc.

But wait! In response to this announcement, Heartland declares that it had been compliant in 2008, is undergoing its 2009 assessment, and fully expects to be declared compliant.

(If you go to Heartland’s web site, they have quite a set of web pages on what it “means” to be PCI-compliant. The web page is entitled, “Ensuring You are PCI-Compliant.” They must take this literally, since THEY are not compliant (at least for the moment). Does anyone else besides me find this way too ironic?)

Are you confused yet? I sure am, and I’m the one who is supposed to be the auditor.

In a final expression of revisionist history, Visa is now declaring that “As of today, no compromised entity has been found to be compliant at the time of the breach.” So, temporarily, Heartland is not compliant, so no one who was compliant was…….I’m lost.

When is compliant not compliant? The message is, when Visa says it is. Or not.

PCI - Pay Cash Instead.


Feb 5 2009   6:12PM GMT

I Need a Really Big Stick



Posted by: Arian Eigen Heald
Tearing My Hair Out, TCM (Truly Clueless Management), Data Breaches

The Ponemon Institute (I keep wanting to say Pokemon, don’t you?) is about to release its fourth annual study on data breach activity.

What differentiates this report from the study provided by McAfee? Well, for starters, it’s not a security company telling us we should buy more security products. I have learned to tune out reports from vendors over the years; there’s just a little too much self-interest at play.

The other interesting thing is that the Ponemon study looks at the activities of companies that have admitted a data breach. So their study uses harder data and is based on corporate activity (or lack of it, as it turns out) in response to a breach.

Here are a couple of quotes that rocked me:

More than 84 percent of all cases examined by Ponemon were repeat data breach offenders.

Hello? When did losing data become repeatable? And acceptable? And what about responding to the breach? Here’s the other statement:

Only 49 percent of respondents are creating additional manual procedures and control processes

So the other 51% are doing the same things they did that got them hacked in the first place. No wonder there are repeat offenders.

It is time to acknowledge that these breaches are not isolated incidents that happen by chance, but more likely a pattern of poor controls.

Where’s a really big stick when I need one?


Jan 22 2009   5:49PM GMT

When a Patch is Not a Fix - We Have the Downadup Worm



Posted by: Arian Eigen Heald
Security, Microsoft Windows, Tearing My Hair Out

If you haven’t heard by now, the “downadup” worm (renamed various other things by competing vendors) is propagating itself like crazy across the Internet. Various software vendors have added some artificial hype about how fast it is spreading, but I didn’t get sweaty palms until I read that US-CERT is now saying that the patch/Technote Microsoft released to address the issue doesn’t work.

Here’s how it’s going so far - the worm installs itself via the “autorun” feature that is enabled whenever a removable device is connected to a computer. This includes, but is not limited to, inserting a CD or DVD, connecting a USB or FireWire device, or mapping a network drive. This connection can result in code execution without any additional user interaction.

So Microsoft issued an out-of-cycle patch that wasn’t really a patch or a fix - just a workaround. The patch/fix/workaround involves disabling the autorun function inside the Windows registry. The instructions in the Technet article 91525 were incorrect, and did not disable autorun.

So if you’ve done this on your network, and think you are safe…..you’re not.

A newer Microsoft Technet article is available here.

At first I was confused, because the article provides instructions for a way to disable autorun as a “workaround” against the worm propagating itself. The information does not address the vulnerability the worm is actually designed to exploit.

After some more digging, the actual vulnerability we should be concerned about is that the worm employs an attack against the “Server” service, the one Microsoft addressed in a Security Bulletin in October 2008. The exact details from Security Bulletin MS08-067 are as follows:

“This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. On Microsoft Windows 2000-based, Windows XP-based, and Windows Server 2003-based systems, an attacker could exploit this vulnerability over RPC without authentication and could run arbitrary code. If an exploit attempt fails, this could also lead to a crash in Svchost.exe. If the crash in Svchost.exe occurs, the Server service will be affected. The Server service provides file, print, and named pipe sharing over the network. The vulnerability is caused by the Server service, which does not correctly handle specially crafted RPC requests.”

It seems the only “solution” we are offered from Microsoft for users of anything other than Server 2008 is a manual fix to try and stop propagation.

Where’s the real fix? Not the workaround (which didn’t work). Am I missing something? “Where’s the beef?”
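Since the first set of registry instructions for the autorun workaround turned out not to disable anything, the practical question is how to verify what a machine actually has in place. The following is an added example (mine, not from the post, Microsoft or US-CERT) that evaluates a registry snapshot against the two settings the guidance of the time turned on. The bit layout of NoDriveTypeAutoRun follows the Win32 drive-type codes (bit n = drive type n, 0xFF = all types); the Autorun.inf IniFileMapping override with the value “@SYS:DoesNotExist” is the workaround US-CERT recommended. The two snapshots below are constructed, using the 0x95 value that XP shipped with and a fully hardened set; on Windows the read_live() helper reads the real HKLM values instead.

```python
import sys

# NoDriveTypeAutoRun is a bitmask indexed by the Win32 GetDriveType() codes:
# setting bit n disables Autorun for drive type n. 0xFF disables it everywhere.
DRIVE_TYPES = {
    "unknown": 0, "no_root_dir": 1, "removable": 2, "fixed": 3,
    "remote": 4, "cdrom": 5, "ramdisk": 6,
}
# Types that matter for a worm spreading on USB sticks, CDs and mapped shares.
TYPES_OF_INTEREST = ("removable", "fixed", "remote", "cdrom")

# HKLM paths of the two settings (read_live() below uses them on Windows).
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
INIMAP_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
INIMAP_WORKAROUND = "@SYS:DoesNotExist"   # US-CERT's Autorun.inf override

# Constructed snapshots, not read from any real machine.
XP_DEFAULT = {"NoDriveTypeAutoRun": 0x95}                  # what XP shipped with
HARDENED = {"NoDriveTypeAutoRun": 0xFF, "Autorun.inf": INIMAP_WORKAROUND}


def autorun_blocked(mask, drive_type):
    """True if the policy mask disables Autorun for the given drive type."""
    return bool(mask & (1 << DRIVE_TYPES[drive_type]))


def assess(snapshot):
    """Return a list of findings; an empty list means both controls are in place.
    snapshot maps 'NoDriveTypeAutoRun' -> int and 'Autorun.inf' -> str (missing = unset)."""
    findings = []
    mask = snapshot.get("NoDriveTypeAutoRun")
    if mask is None:
        findings.append("NoDriveTypeAutoRun is not set: the Windows default applies")
    else:
        still_on = [t for t in TYPES_OF_INTEREST if not autorun_blocked(mask, t)]
        if still_on:
            findings.append(
                f"NoDriveTypeAutoRun=0x{mask:02X} leaves Autorun enabled for: "
                + ", ".join(still_on)
            )
    if snapshot.get("Autorun.inf") != INIMAP_WORKAROUND:
        findings.append("Autorun.inf IniFileMapping override is not present")
    return findings


def read_live():
    """Read the real HKLM values on Windows; returns None on other platforms.
    Only HKLM is checked here; a per-user HKCU policy is not considered."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, hence the late import
    snapshot = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            snapshot["NoDriveTypeAutoRun"] = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")[0]
    except OSError:
        pass
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INIMAP_KEY) as key:
            snapshot["Autorun.inf"] = winreg.QueryValueEx(key, "")[0]  # default value
    except OSError:
        pass
    return snapshot


if __name__ == "__main__":
    live = read_live()
    for label, snap in (("XP default", XP_DEFAULT), ("hardened", HARDENED), ("this host", live)):
        if snap is None:
            continue
        print(f"{label}: {assess(snap) or 'OK'}")
```

The mask check is the part that catches the original mistake: a value that looks like “autorun disabled” can still leave fixed and CD-ROM drives enabled, which assess() reports by drive type instead of giving a yes/no answer. None of this addresses the Server service vulnerability the worm exploits; it only verifies the propagation workaround.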


Jan 8 2009   6:10PM GMT

First GROAN of the New Year



Posted by: Arian Eigen Heald
Security, Tearing My Hair Out

I was doing an audit today (I know, the term “audit” should only be used in connection with a financial exam, but everybody but Public Accountants uses it this way) and examining the users inside a SQL database that holds one heck of a lot. I wish more IT Auditors would start looking inside databases.

Every single application ID was “dbowner” (the database owner role) in its database. Every single one. All these different application functions, with “dbowner” rights. Why bother to have a dozen IDs? Just to fool the client? Guess so. Yes, the application does respond based on Windows user ID - but the application ID, which accesses the database for the application, has total rights over the database. It makes everything work just hunky-dory (dating myself, I know) but there are six ways to Sunday to utilize that kind of power inside the database.

Developers do it this way because it’s fast and easy. But combine this with a badly configured web server and you have a break-in waiting to happen. That’s exactly what I’m looking at today, and it really makes me wonder when business is going to wake up and secure their software.
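What “total rights over the database” buys an attacker who gets a query through that badly configured web server is easiest to see side by side. The following is an added example (mine, not from the audit in the post) that runs the same statements under two identities against a constructed schema. SQLite has no roles, so its authorizer hook stands in for the GRANT list an application login would get on a real server instead of database-owner membership; the tables, columns and data are constructed for the example.

```python
import sqlite3

# Constructed schema and data: an order-entry application that legitimately
# needs customer names and the orders table, but has no business reading SSNs.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, amount REAL);
INSERT INTO customers VALUES (1, 'Alice Example', '000-00-0001');
INSERT INTO orders VALUES (1, 1, 42.0);
"""

# What the application ID actually needs, table by table. On a real server this
# is the GRANT list for the application login in place of db_owner membership.
APP_GRANTS = {
    "customers": {"read": {"id", "name"}},                                # no ssn
    "orders": {"read": {"id", "customer_id", "amount"}, "insert": True},
}

# Operations every statement needs: compiling a SELECT, BEGIN/COMMIT, built-ins.
ALWAYS_OK = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_TRANSACTION, sqlite3.SQLITE_FUNCTION}


def app_authorizer(action, arg1, arg2, dbname, trigger):
    """Least-privilege identity: allow only what APP_GRANTS lists."""
    if action in ALWAYS_OK:
        return sqlite3.SQLITE_OK
    grants = APP_GRANTS.get(arg1, {})
    if action == sqlite3.SQLITE_READ:
        # arg2 == "" means the table is referenced without reading a column, e.g. count(*).
        if arg1 in APP_GRANTS and (arg2 == "" or arg2 in grants.get("read", set())):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_INSERT and grants.get("insert"):
        return sqlite3.SQLITE_OK
    # UPDATE, DELETE, DROP, ALTER, CREATE, PRAGMA, ATTACH, ...: never granted.
    return sqlite3.SQLITE_DENY


def owner_authorizer(action, arg1, arg2, dbname, trigger):
    """Database-owner identity: everything is allowed, as with db_owner."""
    return sqlite3.SQLITE_OK


def open_db():
    # cached_statements=0: authorization happens when a statement is compiled,
    # so a statement compiled under one identity must never be reused by another.
    conn = sqlite3.connect(":memory:", isolation_level=None, cached_statements=0)
    conn.executescript(SCHEMA)
    return conn


def run_as(conn, identity, sql):
    """Run sql as 'app' or 'dbowner'; return the rows, or a DENIED string."""
    conn.set_authorizer(app_authorizer if identity == "app" else owner_authorizer)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return f"DENIED ({exc})"


def demo():
    """The statements an attacker would push through the application's ID."""
    conn = open_db()
    return {
        "app_select_needed": run_as(conn, "app", "SELECT id, name FROM customers"),
        "app_insert_order": run_as(conn, "app", "INSERT INTO orders VALUES (2, 1, 7.5)"),
        "app_read_ssn": run_as(conn, "app", "SELECT ssn FROM customers"),
        "app_update_amount": run_as(conn, "app", "UPDATE orders SET amount = 0"),
        "app_drop_table": run_as(conn, "app", "DROP TABLE customers"),
        # The same statement under a db_owner-style ID simply works:
        "dbowner_read_ssn": run_as(conn, "dbowner", "SELECT ssn FROM customers"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The application still works under the restricted identity (the first two results succeed), which is the usual objection answered: least privilege costs the developer a grant list, not functionality. Everything after that is what the web server’s mistakes would otherwise hand over.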

KPMG is saying that breaches are going to increase in 2009, and I can’t help but agree.


Jan 1 2009   4:40AM GMT

Picture This….with a Free Virus!



Posted by: Arian Eigen Heald
Security, TCM (Truly Clueless Management), Tearing My Hair Out

From Slashdot comes the painfully unsurprising news about digital picture frames. The software installation CD comes with a virus, the W32.Sality.AE worm.

WalMart and Amazon sold these items during the Christmas season this year. Although Mercury and Samsung are the brands listed, all digital frames have left my Christmas list.

A little further digging reveals a Trojan affecting a wide variety of digital frames that has been attached to numerous software installation products made in China. Given that 2.26 million digital frames were sold in 2007, according to the Consumer Electronics Association, and it expected sales to grow to 3.26 million in 2008, this issue really ought to be getting a lot more press.

The Trojan recognizes over 100 different brands of anti-virus software. I’d be reformatting my disk right about now, because it is very hard to locate and remove.

This was a known issue in February of 2008 - why didn’t Amazon and Walmart vet the software with the frames before selling them this Christmas?


Dec 24 2008   7:14PM GMT

Getting What You Pay For…..2008



Posted by: Arian Eigen Heald
Security, HIPAA, Compliance, Database security, IT audit, Admins and Auditors, Tearing My Hair Out, SAS 70

In my travels as an auditor this year, I’ve visited 15 states and seen approximately 20 different networks, both LAN and WAN. I’ve audited hospitals, lotteries, racetracks, banks, small businesses, large online retailers, metal fabricators, telco service bureaus and health care service bureaus.

I continue to see networks that are not patched. “It might break our custom code,” is the most common excuse, followed by, “Gee, we just didn’t get around to it.”

Software coding continues to be a security disaster in the making. Developers continue to open up databases by giving too many rights to users and application IDs. I still find individual developer IDs inside production databases.

Management continues to be unwilling to invest the money in a secure architecture. In the last three years, I can count on the fingers of one hand the organizations I’ve seen that follow secure best practices. And not use all the fingers.

I still hear people try to tell me that they don’t need a firewall because they have really good routers. And then they don’t update the IOS on the routers and/or leave the default SNMP strings in place.

If you are paying for these services, and you are getting the above, there is a problem waiting to happen on your network. If you don’t know what’s going on in your databases, time to find out before another Countrywide happens in your back yard.

Have a safe holiday. And remember: who is responsible for good security? You are. I am. Let’s keep trying to do it right.


Dec 20 2008   2:11AM GMT

Thank you, Federal Trade Commission…



Posted by: Arian Eigen Heald
Security, Identity theft, DataManagement, Database security, Data Breaches, Tearing My Hair Out

For saying the blindingly obvious:

“Companies and schools should find new ways to authenticate the identities of customers, employees and students that do not involve social security numbers, a U.S. consumer protection agency said on Wednesday as part of recommendations to fight identity theft.”

Now here is the real challenge: could the FTC, a government agency, please communicate this point to Medicare? You know, the government agency that puts the social security number on the medical benefits card it requires members to carry? The report addresses the use in the “private sector,” but medical use of social security numbers is a huge factor in medical identity theft, synthetic identity theft, and plain ol’ identity theft.

The FTC released the report on December 17, 2008, and you can read it here. All 21 pages of it in double space.

The “Social Security Number” was created in 1936 for the purpose of tracking workers’ earnings for benefits purposes. Not as a universal identifier. Any good DBA will tell you that relying on a single “identifier” carries a high risk of false positives. Newer techniques match on a group of attributes (full name, address, date of birth, place of birth, etc.), which together give a much more accurate positive response (”Yes, this is the right person”).

But this additional data is “out there” as well, along with social security numbers. The genie IS out of the bottle.

The report worries about social security numbers data already being out of control. Given how many databases are out there (public and private) with ALL of the above information in storage, I think it is already way out of control, and the other identifying data along with it. Daily reports from the “Breach Blog” saturate my email box. Reading Pogo Was Right only confirms my opinion.

The FTC report seems to be an exercise in “too little, too late.”