Say this for the unfortunate folks at Her Majesty’s Revenue and Customs: they know how to respond to a data breach. I’m not necessarily talking about the legal response or notification of citizens potentially affected by the HMRC’s loss of two discs containing personally identifiable information for 25 million UK residents. That’s boilerplate at this point. What struck me is the classically British way that the officials involved stepped up and shouldered the blame for the mishap. “This is the biggest privacy disaster by our government,” Jonathan Bamford, assistant information commissioner, told Cnet News. “Clearly on the facts available there appears to be a major contravention of data-protection laws.”
Those are not the kind of statements you see coming from government officials or company executives in the U.S. Here, the company PR operative would have blamed the courier service for losing the discs, then the CEO would have pointed out that they are password protected, so there’s nothing to worry about, and then we’d hear about how it happens to everyone and the criminals are really the ones at fault. Maybe some of the corporate and government CIOs should catch a flight to Heathrow sometime soon to confer with our British cousins on this.
The SANS Institute released its 2007 Top 20 threats list today (They still call it the Top 20, even though there are only 18 items on this year’s list), and the main takeaway is pretty much the same as last year: The bad guys are preying on gullible users and flawed applications such as Web browsers and media players to break into company networks and steal sensitive data.
In the bigger picture, the SANS Institute said it has observed:
— Significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, office software, media players and other desktop applications.
— A continuing trend where users practice careless Web-browsing habits on work machines, increasing a company’s overall risk.
— Web application vulnerabilities in open source as well as custom-built applications that account for almost half the total number of vulnerabilities discovered in the past year.
— Default configurations for many operating systems and services continue to be weak and continue to include default passwords.
— Attackers are finding more creative ways to obtain sensitive data from organizations.
During a conference call with reporters this morning, SANS Research Director Alan Paller and Rohit Dhamankar, director of the SANS Top 20 project and senior security research manager at TippingPoint, said the main lesson this year is that companies need to have more vigorous URL blocking and further restrict what users are allowed to do on company computers.
Looking over the details, I’m reminded of the reaction to the 2006 SANS threat report, when some questioned whether it’s still useful to even have these reports when the takeaway doesn’t change much from one year to the next. And so I reached out to several IT security pros this morning for some reaction.
I invite you to weigh in via the comments section in this blog. For now, here are some comments sent to me by email:
Cris V. Ewell, chief security officer of Seattle-based PEMCO Corp.: “In general, the report represents only the technical aspect of security and deals with the vulnerabilities in the applications and OS. This is not new, and while important, I expect the security engineers to deal with these types of issues on an ongoing basis. We have multiple systems to do vulnerability/threat/intrusion checks monthly, and mitigate the issues long before the Top 20 is published. The report is a good reminder of best practices that should be used in the enterprise, but there is nothing new in the report that would force me to change established practices and goals we have set for the company.”
Susan Bradley, a Microsoft MVP and IT administrator at Tamiyasu, Smith, Horn and Braun Accountancy Corp. in Fresno, Calif.: “What this gives is ammo to the administrator to lock down the browsing.”
Jeff Jarzabek, IT director for Oakbrook Terrace, Ill.-based Matocha Associates: “Do any of these specifically hit home at our company? No. Everything on the list except for the last 2 items is taken care of by educating your users. We have always told our users that if they suspect something is up, to notify a member of the IT staff. I think the SANS reports are now used mostly for raising awareness and as a reminder to some, myself included. I feel there is nothing new or shocking that most IT staffs shouldn’t already be doing considering the impact on the company if security is neglected.”
Gadi Evron, security architect for Afilias global registry services: “I believe this report reflects that indeed, client-side attacks are the danger most of us face today to our corporations being compromised, while agreeing that server-side attacks are once again on the rise by the use of web application vulnerabilities.”
Information Security magazine’s Senior Technology Editor Neil Roiter wrote a story about University of Massachusetts at Amherst researchers who developed a way to generate a unique set of random numbers to secure radio frequency identification technology (RFID) tags.
We’ve heard about security researchers cracking RFID chips. Security researcher Adam Laurie has been warning of RFID weaknesses. Laurie explained in a recent interview why he believes RFID vendors are ignoring RFID security and privacy issues. He has demonstrated how easy it is to copy an RFID tag, including those found in some passports.
Several years ago RFID seemed to have a lot of momentum. Billed to improve supply chain management, retailers, suppliers and manufacturers were lining up to see the benefits. SAP, Oracle and IBM were among the top vendors pushing the benefits and a package of technologies to tag, collect and analyze RFID data. Walmart helped push standards and directed its suppliers to begin tagging. But privacy and security issues, the cost of implementing RFID tagging and the storage requirements for RFID data collection seems to have stalled adoption.
It will be interesting to see if solving the security equation will result in a resurgence of interest in the technology. Stay tuned.
Some security experts are counseling a bit of caution about the recent reports of a potential math error in a commercial microprocessor that could lead to mass compromises. The possible computational error–which is only a theoretical problem at this point–was raised by noted cryptographer Adi Shamir in a note circulated recently in the cryptography community. In short, Shamir, one of the co-authors of the RSA algorithm, posits that there could be an undiscovered mathematical mistake in any one of the microprocessors on the market which could enable skilled attackers to compromise any crypto key on a machine running the flawed processor.
“In this note we show that if some intelligence organization discovers (or secretly plants) even one pair of integers a and b whose product is computed incorrectly (even in a single low order bit) by a popular microprocessor, then ANY key in ANY RSA-based security program running on ANY one of the millions of PC’s that contain this microprocessor can be trivially broken with a single chosen message,” Shamir wrote in his note.
However, as it turns out, many, if not most, of the popular cryptographic libraries in use today already protect against this kind of attack.
“This is a neat extension to an existing attack and a good reason not to implement your own public key crypto, but if you use a mainstream library, you’re already protected,” said Nate Lawson of Root Labs. “It depends on there being a bug in the multiplier section of the CPU and using a poorly implemented crypto library. Luckily all crypto libraries I know of (OpenSSL, crypto++, etc.) guard against this kind of error by checking the signature before outputting it. Also, hardware multipliers are less likely to have bugs than dividers due to the increase in logic complexity for the latter, although I certainly wouldn’t claim they would be bug-free.”
This by no means discounts the seriousness of what Shamir proposed. The fact is, chip designers, like everyone else, make mistakes and those mistakes can lead to major problems. But thankfully, someone else has anticipated those mistakes and taken precautions against them. Shamir makes another point in his note that’s worth mentioning as well. He talks about the increased complexity of the multiplication units in CPUs being the root of these possible attacks. It’s often said that complexity is the enemy of security, and this is yet another example of this maxim.
This news should be unsettling to every family in the UK with kids under 16: The BBC is reporting that two computer discs housing their names, addresses, birth dates, National Insurance numbers and, in some cases, bank details has gone missing.
Chancellor Alistair Darling urged calm, saying there’s no evidence the 25 million affected records are being used for identity fraud. But he did caution people to keep an eye on their bank accounts. He apologized for an “extremely serious failure on the part of HMRC to protect sensitive personal data entrusted to it in breach of its own guidelines.”
The Conservatives decried the disc loss as a “catastrophic” failure.
As serious as this is, it may be a bit on the hyperbolic side to call this a catastrophe. At an (ISC)2 security conference in Quincy, Mass., last week, Seth Berman, managing director and deputy general counsel at Stroz Friedberg LLC, a consulting and technical services firm specializing in such things as computer forensics, cyber-crime response and private investigations, noted how some companies rush to declare a data breach when discs go missing, only to find the discs safe and sound after money has been spent responding to the incident.
In most cases, he said, missing discs stay out of the hands of the bad guys. But he also noted that it’s best for organizations to avoid the appearance of a breach in the first place by making sure all discs are encrypted.
These continue to be risky times for those using Monster.com to search for jobs. You might remember that hackers targeted Monster.com with a massive phishing attack last August, stealing at least 1.6 million bank account records in the process. Now comes word that the bad guys nailed the site with an iframe injection attack Monday.
“It is … not clear how many pages were affected, but it is likely that the attack was the same for all companies on the Web site, which might turn out to be a pretty good set of Fortune 500 [companies],” he wrote, adding that his lab detected the attack as something cooked up using the Neosploit exploit package. “It is fairly well encrypted,” he said.
Fortunately, he said, Monster caught on quickly and yanked the affected pages down.
After writing about the massive security update Apple released for Mac OS X this week, I’ve decided to dive back into the never-ending blog debate over whether the Mac is really more secure than Microsoft Windows, even though I get hate mail whenever I do so.
Critical feedback almost always comes from faithful Mac users clinically unable to acknowledge that their machines are not bulletproof. At the same time, I’ve gotten plenty of emails over time from those who skewer Mac Nation for shouting names at the Windows universe from atop the security high horse.
This week, most of the blog postings I’ve come across tilt toward the latter viewpoint.
Gareth Heyes, a Web application developer who tries to hack his own handiwork in his spare time, writes in the Spanner blog about how he decided to “hack the hell” out of the Safari browser that comes with Mac machines after Apple brushed aside one of his bug warnings. Of course, he writes about finding problems.
“Apple seems to have some sort of security related breakdown because they allow the telnet protocol,” he says. “On top of that they allow it to automatically connect and to any address. Yeah crazy eh?”
To make Safari secure, he says, simply select the Safari icon in applications and drag it to the waste bin.
My view is that as long as Mac Nation lives in a state of security denial, more vulnerability researchers are going to shift from their Windows work in favor of the Apple-oriented hacking Heyes is doing.
That’s not to say Apple doesn’t deserve credit for getting some things right.
One thing I’ve noticed is that the company puts out security updates pretty frequently — more so than Microsoft’s once-a-month patch rollout. The last update fixed some 41 flaws, and that tells me that someone at Apple is taking security seriously. It’s also worth noting that Apple’s security bulletins describe not only the flaw but how it has been fixed. Microsoft only recently started doing so in its security bulletins.
And statistically speaking, no one can argue against the fact that Windows has been attacked a gazillion times while the Mac up to this point has only been targeted with limited malware that hasn’t spread very far.
But those attacks have taught Microsoft to take security more seriously and the software giant has made huge security strides in the last five years.
At the end of the day, it’s futile to debate which operating system is more secure, because no operating system is 100 % immune to attack. Apple may have suffered fewer attacks to date, but that will probably change, especially as hackers set their sights on the iPhone.
Since no operating system is bulletproof, we’re better off keeping the discussion on how users can practice better computing habits and avoid falling for social engineering tricks that so often lead to malware infections and online thievery. We’re also better off assuming that any of us could be hacked someday and that every company needs to hammer out a data breach response plan to mitigate the potential damage.
Two bloggers touch upon these points:
Jim Becker, lead systems engineer at the Urban Institute and a volunteer/director at Encompass U.S., writes in the Encompass U.S. blog that he keeps hearing from people or reading postings where the operating belief seems to be, “I don’t use Windows! I’m invincible!” To that, he says, “Sorry, gang, I don’t buy it.”
No matter which operating system you use, he says, having a securable operating system or application isn’t enough. Careless configuration, poor practices (especially poor change control), indifferent users, and slow incident response can undo any security measures you’ve taken — even if that measure is a switch from Windows to Macs, he says.
“The best way to guarantee you’re not invincible is to think you are,” he concludes.
Phoenix-based security consultant Marcin Wielgoszewski blogs that operating systems are no more secure than than “the idiots using it,” writing, “I’m tired of arguing about the security of Windows vs. Linux vs. OS X. They’re pretty much all the same, and they’re all insecure.”
He says a competent user or sysadmin managing it will limit the number of services running and ports open, install only signed/verified applications, and practice safe browsing. But, he says, this won’t protect you or them from a zero-day.
“Whether your grandma is more secure using one OS over another, again… it’ll only be as secure as she can be,” he concludes. “With more and more vulnerabilities exploiting the browser and targeting the user, no OS is secure.”
They both make sound arguments. Mac Nation would do well to listen.
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at firstname.lastname@example.org.
There’s a really interesting story making the round today about the arrest of Dan Egerstad, a Swedish security consultant who claims to have compromised a private data network used by embassies around the world earlier this year. Swedish police apparently braced Egerstad outside his apartment yesterday, confiscated a bunch of his PCs and other hardware and dragged him in for two hours of questioning. In a story in the Sydney Morning Herald newspaper, Egerstad says that “the police ‘played every trick in the book, good cop, bad cop and crazy mysterious guy in the corner not wanting to tell his name and just staring at me. Well, if they want to try to manipulate, I can play that game too. [I] gave every known body signal there is telling of lies … covered my mouth, scratched my elbow, looked away and so on.'”
What’s really interesting about this is that even though Egerstad’s exploits were widely publicized and he went so far as to post on his web site account information for some of the unsecured email accounts he found, the police let him walk without even charging him. Egerstad has claimed all along that didn’t break any laws and got the account information by installing Tor on a few servers and monitoring the traffic. But the Swedish police apparently weren’t buying that and felt they had enough evidence to impound his computers and subject him to several hours of questioning. It could have been a simple fishing expedition on their part, but Egerstad should probably count himself very lucky that he’s a Swede. Had he been living in Germany or the UK or even the U.S. when he pulled his stunt, he likely would still be sitting in an interrogation room drinking warm Fresca.
The other interesting note here is that Egerstad now says he thinks the people sending the messages from the email accounts he was monitoring were not the accounts’ owners, but hackers who had compromised them and were using Tor to hide their activities. I’m not sure that helps his case at all, but it’s a good indication that these embassies, NGOs and other organizations need to take a look around their networks and see what’s happening.
Secunia has released advisories for security holes in IBM DB2 and HP OpenView. In both cases, the vendors have issues patches.
Secunia advisory SA27667 describes three vulnerabilities in IBM DB2, some of which have unknown impacts, and another that can be exploited by malicious, local users to gain escalated privileges or perform certain actions with escalated privileges. According to IBM’s advisory, the problems affect DB2 for Linux, Unix and Windows. The solution is to apply Fixpak 4.
Secunia advisory SA27635 describes a vulnerability and a security issue in HP OpenView Operations attackers could exploit to bypass certain security restrictions or to cause a denial of service. This affects HP OpenView Operations (OVO) 7.1X and 8.X running on HP-UX B.11.11, B.11.23, B.11.31, and Solaris. Users can go to this HP Web page for patching instructions.
In his StoreFrontBacktalk blog, Evan Schuman offers another historical nugget about how Visa knew as far back as 2005 that TJX’s security posture was not even close to upright.
According to more court documents, he writes, Visa knew of TJX’s security shortcomings but still decided to give the retail giant until Dec. 31, 2008 to get its PCI DSS house in order.
Visa fraud control VP Joseph Majka wrote the following in a letter to Diana Greenshaw, an official with TJX’s credit card processor, Fifth Third Bank: “Visa will suspend fines until Dec. 31, 2008, provided your merchant continues to diligently pursue remediation efforts. This suspension hinges upon Visa’s receipt of an update by June 30, 2006, confirming completion of stated milestones.”
Of course, we now know that Visa was less than satisfied with TJX’s dilligance in pursuing those remediation efforts, since Visa hit Fifth Third bank with $880,000 in fines over the TJX security breach this past summer.