There’s a really interesting story making the rounds today about the arrest of Dan Egerstad, a Swedish security consultant who claims to have compromised a private data network used by embassies around the world earlier this year. Swedish police apparently braced Egerstad outside his apartment yesterday, confiscated a bunch of his PCs and other hardware and dragged him in for two hours of questioning. In a story in the Sydney Morning Herald newspaper, Egerstad says that “the police ‘played every trick in the book, good cop, bad cop and crazy mysterious guy in the corner not wanting to tell his name and just staring at me. Well, if they want to try to manipulate, I can play that game too. [I] gave every known body signal there is telling of lies … covered my mouth, scratched my elbow, looked away and so on.'”
What’s really interesting about this is that even though Egerstad’s exploits were widely publicized and he went so far as to post on his web site account information for some of the unsecured email accounts he found, the police let him walk without even charging him. Egerstad has claimed all along that he didn’t break any laws and got the account information by installing Tor on a few servers and monitoring the traffic. But the Swedish police apparently weren’t buying that and felt they had enough evidence to impound his computers and subject him to several hours of questioning. It could have been a simple fishing expedition on their part, but Egerstad should probably count himself very lucky that he’s a Swede. Had he been living in Germany or the UK or even the U.S. when he pulled his stunt, he likely would still be sitting in an interrogation room drinking warm Fresca.
The other interesting note here is that Egerstad now says he thinks the people sending the messages from the email accounts he was monitoring were not the accounts’ owners, but hackers who had compromised them and were using Tor to hide their activities. I’m not sure that helps his case at all, but it’s a good indication that these embassies, NGOs and other organizations need to take a look around their networks and see what’s happening.
Secunia has released advisories for security holes in IBM DB2 and HP OpenView. In both cases, the vendors have issued patches.
Secunia advisory SA27667 describes three vulnerabilities in IBM DB2: some have unknown impacts, and one can be exploited by malicious local users to gain escalated privileges or perform certain actions with escalated privileges. According to IBM’s advisory, the problems affect DB2 for Linux, Unix and Windows. The solution is to apply Fixpak 4.
Secunia advisory SA27635 describes a vulnerability and a security issue in HP OpenView Operations that attackers could exploit to bypass certain security restrictions or to cause a denial of service. This affects HP OpenView Operations (OVO) 7.1X and 8.X running on HP-UX B.11.11, B.11.23, B.11.31, and Solaris. Users can go to this HP Web page for patching instructions.
In his StoreFrontBacktalk blog, Evan Schuman offers another historical nugget about how Visa knew as far back as 2005 that TJX’s security posture was not even close to upright.
According to more court documents, he writes, Visa knew of TJX’s security shortcomings but still decided to give the retail giant until Dec. 31, 2008 to get its PCI DSS house in order.
Visa fraud control VP Joseph Majka wrote the following in a letter to Diana Greenshaw, an official with TJX’s credit card processor, Fifth Third Bank: “Visa will suspend fines until Dec. 31, 2008, provided your merchant continues to diligently pursue remediation efforts. This suspension hinges upon Visa’s receipt of an update by June 30, 2006, confirming completion of stated milestones.”
Of course, we now know that Visa was less than satisfied with TJX’s diligence in pursuing those remediation efforts, since Visa hit Fifth Third Bank with $880,000 in fines over the TJX security breach this past summer.
A security consultant based in L.A. has pleaded guilty to leading a double life as a bot herder, infecting 250,000 computers and stealing thousands of identities in the process.
John Schiefer pleaded guilty to four counts of fraud and wiretap charges that could saddle him with a $1.75 million fine and 60 years in prison, according to the Los Angeles U.S. Attorney’s office.
Prosecutors accused Schiefer and some unidentified co-conspirators of installing malware that acted as a wiretap on hijacked machines, intercepting messages to Paypal and other Web sites.
According to Reuters, he collected user names and passwords and used them to break into bank accounts.
What’s chilling about all this is that Schiefer worked by day as an information security consultant people trusted to help them secure their systems. The lesson here is that sometimes you can’t even trust the good guys.
By Neil Roiter
Garth Bruen is on a mission–to bring spammers down. His KnujOn project, (“no junk” backwards, pronounced “noo-jon”) hit a milestone this week, claiming 50,000 spam sites put out of business.
“Filtering and blocking tactics are failing,” says Bruen. “It’s actually making the problem worse. Even if 90 percent of the messages are being filtered, the small percentage that aren’t keeps them in business.”
For example, a Consumer Reports survey published in September estimated that 650,000 people had purchased products or services offered via spam in a single month.
KnujOn analyzes messages sent by individual subscribers (for a $25 fee) and works through ISPs and businesses whose sites are being counterfeited to close down the spammers. It takes grunt work that most people aren’t willing to do or don’t have the time for, and most businesses aren’t inclined to be proactive, Bruen says, because they still aren’t sufficiently alarmed at the threat to their brand.
“We fill out lots and lots of paperwork,” Bruen says. “Most of these sites are violating laws and agreements. If you push the right buttons, they’ll take it down.”
Businesses generally see losses from spam-based crime as a cost of doing business, much as they have with more conventional crime, like shoplifting. That will change as the losses mount.
“The amount of money is growing and will affect a company’s bottom line in more serious ways,” he says.
His subscribers see a significant drop in spam, he says, as spammers regard them as problems. “We make so much trouble for the people pushing junk, that they block the clients from their lists.”
He has presented at a number of cybercrime conferences, but spam isn’t a priority for law enforcement. Local officials aren’t in a position to deal with it; the feds are focused on gut issues like child pornography and reluctant to get heavily involved in spam because of concern over privacy issues.
KnujOn, Bruen says, is part of a long-term solution to a long-term problem. Meanwhile, do even 50,000 sites make a dent? Is this another example of playing cyber-Whack-a-Mole? Yes, he says, because spammers need a permanent home in domains that they register and pay for, and they invest a lot in their sites. Besides…
“Well, you know, you can cheat at Whack-a-Mole. If you get down to eye level, you can see them before they pop up.”
Here’s another reason for IT shops to block employees from visiting MySpace pages on company machines:
Roger Thompson, chief technology officer at Exploit Prevention Labs, keeps discovering MySpace pages laced with malicious content.
“We keep finding MySpace pages that have had some sort of image-background link injected, that are reaching out to a different site in China that is both throwing exploits and using social engineering to install rootkits and (probably) DNS-changers,” he writes in the Exploit Prevention Labs blog.
The latest example of malicious behavior is the hacking of the Alicia Keys MySpace page. He says rather than using an iframe for an automatic embed, as the bad guys usually do, they’ve added some sort of image background href, with a large size — 8000 by 1000 pixels — with the effect that a click that slightly misses a control or link on the page ends up going to the exploit site.
“The fact that this site is media-rich, with lots of sound and videos means that the fake Codec trick will be much more effective,” he says. “The click-er is probably expecting to see or hear a song, and is quite likely to think he genuinely needs to install something extra.”
This is the kind of trouble Thompson warned about when I interviewed him a couple of weeks ago.
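The background-link trick Thompson describes can be caught on the defender's side by checking a page for oversized images wrapped in links that lead off the profile's own host. The scanner below is an added example, not code from the post or from Exploit Prevention Labs; the sample page, the host names and the pixel threshold are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# 8000 x 1000 px (the size quoted above) is 8,000,000 px: a picture that big
# exists to catch clicks, not to be looked at. The threshold is an assumption.
SUSPECT_AREA = 2_000_000

def _dimension(attrs, name):
    """Pixel size from a width/height attribute or inline CSS, else None."""
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", attrs.get(name) or "")
    if not m:
        m = re.search(r"\b%s\s*:\s*(\d+)px" % name, attrs.get("style") or "")
    return int(m.group(1)) if m else None

class OversizedLinkScanner(HTMLParser):
    """Flags <img> elements wrapped in <a> tags that lead off the profile's host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []      # (href, width, height) per suspect image
        self._open_links = []   # hrefs of the <a> tags we are currently inside

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._open_links.append(attrs.get("href") or "")
        elif tag == "img" and self._open_links:
            href = self._open_links[-1]
            host = (urlparse(href).hostname or "").lower()
            w, h = _dimension(attrs, "width"), _dimension(attrs, "height")
            if host and host != self.page_host and w and h and w * h >= SUSPECT_AREA:
                self.findings.append((href, w, h))

    def handle_endtag(self, tag):
        if tag == "a" and self._open_links:
            self._open_links.pop()

def scan(html, page_host):
    """Return (href, width, height) for every suspect off-site image link."""
    scanner = OversizedLinkScanner(page_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample profile: a normal photo link, an injected oversized link
# to an off-site host, the same via inline CSS, and a big same-host image.
SAMPLE_PAGE = """<html><body>
<a href="http://profile.example.net/photos"><img src="me.jpg" width="300" height="200"></a>
<a href="http://exploit-site.invalid/codec.php"><img src="bg.gif" width="8000" height="1000"></a>
<a href="http://exploit-site.invalid/x"><img src="bg.gif" style="width:8000px;height:1000px"></a>
<a href="http://profile.example.net/banner"><img src="big.jpg" width="3000" height="1000"></a>
</body></html>"""
```

Calling `scan(SAMPLE_PAGE, "profile.example.net")` reports only the two off-site links; the large same-host banner is left alone.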
On the surface, this doesn’t look like a problem for corporate IT environments. But it is.
Employees are increasingly using their work computers to browse Web pages of personal interest, and MySpace is a prime example. If they’re visiting a rigged MySpace page, chances are that work machine is going to be whacked.
I am just getting back into the swing of things after returning from our Information Security Decisions conference, which was held in Chicago Monday and Tuesday. I’ve always liked this conference more than just about any other on the annual schedule (I even attended it before I worked for TechTarget), mainly because the attendees are all security professionals who deal with the topics we cover every day and it’s a tremendous opportunity to learn from them and see what they’re dealing with at the moment. The speaker lineup was pretty amazing, including Chris Hoff, Dave Dittrich, Joel Snyder, David Litchfield and a dozen others. I also had the privilege of moderating a panel on the future of security that featured Bruce Schneier, Howard Schmidt and Eugene Spafford. As at many conferences, some of the best conversations happen after hours and away from the sessions themselves. Here’s a list of some of the things I learned from those conversations:
- Dave Litchfield is not only one of the top database security experts in the world, he also is an absolute savant when it comes to history. Despite being Scottish, Litchfield knows more about American history than anyone this side of Will Hunting. He quickly settled a barroom disagreement over how many U.S. presidents have been assassinated by not only naming the four unfortunate chief executives, but also the others who had had assassination attempts against them.
- Hoff has more energy than any one man should. In addition to giving a great talk on disruptive technologies in security and running the security show at Unisys, he somehow finds time to write 1,500 words a day on his excellent Rational Security blog.
- The security industry as it stands right now is on the endangered species list. Schneier and Schmidt both said during our panel discussion that a few years down the road, the industry will either be absorbed into the general technology industry and security will be part of the fabric of whatever products we buy (Schneier), or will collapse into a handful of large players (Schmidt).
- The threat of fines for failing to comply with regulations such as HIPAA and PCI DSS is no threat at all. The tiny number and amount of fines levied against violators is not motivating CSOs to comply.
- More and more CSOs and CISOs are moving–either voluntarily or otherwise–out of the IT department and into a variety of other business units, including risk management, legal or compliance.
There was a major development on the PCI DSS front this week, and it’s good news for anyone who has to swipe a credit card at the cashier counter or punch in a credit card number during online purchases. In other words, it’s good news for just about everyone.
To force more security into the payment application development process, the Payment Card Industry Security Standards Council announced Wednesday that it’s adding a new provision to the PCI Data Security Standard (PCI DSS) called the Payment Application Data Security Standard (PA-DSS) — based on Visa’s Payment Application Best Practices (PABP).
The standard is meant to pressure software vendors and others into developing secure payment applications that do not store such prohibited data as the full magnetic stripe, CVV2 and PIN data.
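A quick way to check whether a payment application is storing the prohibited data PA-DSS targets is to search its files and logs for raw track data and labelled card-verification values. The scanner below is an added example, not from the standard, Visa or the post; the log lines are constructed and use the public 4111... and 5555... test card numbers.

```python
import re

# Sensitive authentication data as it appears when a POS application writes a
# raw swipe to disk. Track 1 starts with %B, track 2 with ';'; both carry the
# PAN, the expiry (YYMM) and service/discretionary data up to the '?' sentinel.
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}[^?]*\?")
TRACK2 = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")
# A labelled card-verification value in a log field (cvv2=123, cvc: 9876, ...).
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.I)

def luhn_ok(digits):
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep only the first six and last four digits, as PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_log(lines):
    """Return (line_no, kind, masked_pan) for each prohibited item found."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):     # skip random digit runs
                    findings.append((n, kind, mask_pan(m.group(1))))
        if CVV_FIELD.search(line):
            findings.append((n, "cvv2", None))
    return findings

# Constructed POS application log. Line 1 stores a masked PAN (permitted);
# the other lines store raw track data or a CVV2, which PA-DSS prohibits.
SAMPLE_LOG = [
    "2007-11-14 10:01:02 txn=1001 pan=411111******1111 amt=19.99 approved",
    "2007-11-14 10:01:05 txn=1002 swipe=;4111111111111111=2512101123456789? amt=5.00",
    "2007-11-14 10:01:09 txn=1003 track1=%B5555555555554444^DOE/JANE^2512101? cvv2=123",
    "2007-11-14 10:02:00 txn=1004 pan=4111111111111111 cvc=999 amt=49.00",
]

if __name__ == "__main__":
    for n, kind, pan in scan_log(SAMPLE_LOG):
        print("line %d: %s stored%s" % (n, kind, " (PAN %s)" % pan if pan else ""))
```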
Reaction in the blogosphere is largely positive, with industry practitioners agreeing better application security is a necessity.
Tyler Hannan writes in his Reflections on Emergent Commerce and Technology blog that the news represents a major change in how data is protected when processed via software applications.
“If I read correctly, this means that all applications MUST be PA-DSS compliant in just over two years,” he writes. “As such, the time is now for software companies (and their merchants) to start making decisions about how to improve their application, and associated processes, to meet PA-DSS compliance.”
In his PCI DSS Compliance Demystified blog, Michael Dahn writes that by turning the best practice document into a standard and then enforcing it with hard deadlines for compliance, the industry is delivering a one-two punch to the insecure systems, helping eliminate fraud in the smaller merchant arena.
“It is important to focus on this area as it shows a strong push towards the security of smaller merchants,” he writes. “It is widely known that many small merchants use similar point of sale (POS) technology and that the greatest risk to those merchants is from the compromise of those systems that store sensitive authentication information.”
Everything that’s come from my reporting in recent months tells me these guys are on the mark. There are two factors that make it clear that the council’s move is necessary.
First, point-of-sale technology is one of the weak links in the retail security chain. Many of the systems we use to swipe credit cards at the checkout counter are storing too much transaction data, and that’s what the bad guys are after. Several IT administrators have told me that they’ve had to upgrade their point-of-sale systems as part of their PCI DSS compliance for that very reason.
Second, we’ve seen that business applications in general are in a sorry state because security is at the bottom of the priority list for developers.
The only way to change the situation is to train developers to be more security conscious, and the only way they will get that training is if their bosses are pressured into offering it. The need for more security in the application development process has been a major theme at the Computer Security Institute (CSI) 2007 conference in Arlington, Va., which I attended earlier this week.
That it was a major CSI theme speaks to just how big a security issue payment application security has become.
It’s good to see the PCI Security Standards Council is taking it seriously.
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at email@example.com.
Social networking sites like Facebook and MySpace aren’t very popular in the corporate world, according to a study by Barracuda Networks.
Analyzing data from businesses using its Web filtering appliance, the company found that 44 percent block MySpace while 26 percent block Facebook. More than 50 percent block one of those sites or both.
“It was interesting to us to see such a significant backlash in the corporate environment, with 50 percent blocking the social networking sites. And that number will go higher,” Dean Drako, Barracuda president and CEO, said in an interview. “Customers that weren’t blocking but were monitoring social networking sites … a significant percentage expect they’ll be blocking those sites soon.”
Customers said they were concerned about the sites being a productivity drain, Drako said. They also were worried about offensive content on MySpace.
A separate survey of 228 IT professionals by Barracuda showed that the top reason businesses restrict employee Web surfing overall is to block viruses or spyware. Productivity was the second biggest reason.
It’s been a while since I’ve heard anyone talk about Windows CardSpace, the Microsoft client software Bill Gates has pushed as the best way to do away with passwords. But at the CSI 2007 conference in Arlington, Va., Tuesday, attendees got an in-depth look at what CardSpace is about from none other than Kim Cameron, the software giant’s chief privacy guru.
Windows CardSpace allows users to provide their digital identity to online services in what Microsoft calls a “simple, secure and trusted way” and is what Cameron calls an identity selector.
The Microsoft Web page on CardSpace explains: “When a user needs to authenticate to a Web site or a Web service, CardSpace pops up a special security-hardened UI with a set of ‘information cards’ for the user to choose from, he explained. Each card has some identity data associated with it — though this is not actually stored in the card — that has either been given to the user by an identity provider such as their bank, employer or government or created by the user themselves.”
Cameron offered CSI attendees a very detailed breakdown of the concept and ended by declaring, “We need an ID metasystem that’s open, inclusive and protects the user’s privacy.” CardSpace is the answer, he said.
The crowd seemed receptive to his argument and I’m not surprised. In all my reporting about identity and access management, the common complaint among IT administrators has been that passwords are a very weak link in the security chain.
The CardSpace concept is a solid one, most seem to agree, but those who have to manage the technology have expressed concern over Microsoft’s ultimate execution. My colleague Mike Mimoso captured that concern at the RSA conference back in February, writing that while some security managers accept the notion that, at a high level, Gates’ vision is solid, execution may be another matter.
“We’re seeing the need for everything he talked about, but executing and converting it all to reality; that’s the difficult part,” David Porubovic, security engineer with Marriott International, told Mimoso at the time. “It’s the right direction, provided that it can be implemented, it’s cost effective, transparent to the user and easy to manage. That’s the big headache.”
The pros and cons of CardSpace are something I plan to write more about in the next couple of weeks, and I’m looking for some IT administrators to share their experiences on the matter. Offer some initial thoughts in the comment section of this blog and we can go from there.