Swipe Your Own Card!

Here is an excellent video for inclusion in my Security Awareness materials list.

You want to see how fast and easy it is to have your credit or debit card pwn3d? (stolen)  Check out this Fox news story.

The gas station attendant swipes the card twice, right in front of the victim, and he never even notices.  Think about it.  Swipe your own card, and shield that PIN pad from view of others, and cameras.  Of course, if the PIN pad is rigged with a modern skimmer, you’re fubar anyway since it records the PIN as well as the magstripe data, but ’ems the breaks…

FBI Cyber Division Official Suggests New Internet Needed

YAHOO!  I am NOT the only crackpot out there that thinks that you can Trust No One, and that we should chuck that dirty baby out with the filthy bath water like it was on fire.  According to an article on GCN, Steven Chabinsky, Deputy Assistant Director of the FBI’s Cyber Division, thinks so too.  He suggested that what is needed is an alternate network architecture that provides greater visibility and less privacy.  You go Steve!  I will be controversial with ya.

On systems using sensitive information or controlling physical processes in critical infrastructure, it is MOST important to know exactly who is on the network and to be able to see exactly what they are doing, rather than protect the right to privacy.  You want privacy?  Hang out with those other dirty babies on the public Internet tub.

Then they had to go and talk about how the SCADA systems were protected from the Internet by an air gap.  Good concept.  Bad example.  I believe that gap disappeared the moment Homer got a job at the plant.  Still, so nice to have company out on the edge.  Anyone else care to join me?  Would you support an authenticated Internet if it was offered in parallel to the perceived anonymous one?

VMware Buys Shavlik

VMware has acquired Shavlik Technologies, a provider of IT management solutions for small and midsize businesses (SMBs). Terms of the deal were not disclosed, and it is expected to close later this quarter.  Following this acquisition, VMware will be offering SMBs a full portfolio for managing, monitoring and securing IT environments, including the cloud.  One more nice and timely pairing.

NASA Server Hacked By “WhiteHat”

I have a problem with self-proclaimed “whitehat hackers” penetrating a security perimeter without permission and bragging about their little adventures.  In my humble opinion, these rodeo clowns are not the white hats as they would have us all believe.  If some ID-10-T picked my front door lock, or even pushed it open because I had left it unlocked by stupidity or oversight, he would be greeted by the largest, heaviest or pointiest object that I had on hand at the time.  I would not thank him for pointing out my mistake, or invite him in to help me find my wallet.  I would not give him an ounce of respect if once he made me aware, he went and posted a picture of my address, entry hall, and the methods he used to gain access as evidence of his prowess for all of his colorful hat wearing friends to see either.

TinKode, a Romanian “white hat” hacker, claims to have broken into a NASA FTP server, and published a screenshot of the compromised server on his website.  White hat hackers are “researchers” who break into computer systems.  This pursuit is purportedly for the sake of exposing security flaws, rather than exploiting them for malicious purposes.

In my books, white hat hackers of this ilk are just cowboys.  They project themselves in a silver light, but if you stand real close, you can see where they peed.  They should get permission first, and if they don’t get permission, they don’t hack!  There is nothing “white hat” or heroic at all about gaining unauthorized access to someone else’s network.  We are now supposed to just take the word of an anonymous dude with questionable ethics and no moral compass, that he did nothing to the server, nothing to the data on the server, and nothing to the systems connected to that server?  Yyyyyyeahhhh…  Now where is that wallet…

“I don’t do bad things.  I only find and make public the info.  Afterwards I send an email to them to fix the holes.  It’s like a security audit, but for free,” TinKode said in an interview posted on NetworkWorld.

Breaking into someone else’s property _IS_ a bad thing, mate.  Check your ethics, son.  It is nothing like an audit for free.  It is like a security breach, a black eye, and a shot of reputational damage to wash it all down with.  REAL white hat hacking takes place in a lab, or with permission, by real professionals, with real names.  Results are provided to the owners in these things called reports.  “TinKode” is all hat and no cattle.  I don’t mean that he can’t hack, I mean that he needs to pull his head out of the shady spot, and grow into that hat a little bit.

Just my 2¢, be the first on your block to collect the whole dollar.  Yippee Kiyay, git along little doggie…

Database Security Still Failing

I may have to rename this blog to DarkReading Coles Notes or something.  They’ve got all the good content!

According to an article contributed by Ericka Chickowski, a survey conducted by Unisphere Research on behalf of Application Security Inc, questioned 214 Sybase administrators from the International Sybase User Group (ISUG) about their database security practices.  Most organizations lacked controls to keep database information protected across the enterprise.

“Many DBAs and general IT decision-makers admit they know little about critical database security issues such as change control, patch management, and auditing.”

The survey found that 37% of respondents weren’t sure how long it takes to detect and correct unauthorized changes to a database.  About 35% said that they rarely apply security patches or didn’t know how often they were applied.  Just under two-thirds do not have automated database configuration management or patch management tools.  And yet, well over half of respondents said they don’t think they are likely to experience a breach in the next year.  What The….??  Hello, is this thing on?

The results of this survey echo the findings of previous surveys of Oracle DBAs, and to me are indicative of a major vulnerability just waiting to be exploited.  Oh pardon me, it probably IS being exploited…

In my opinion, I can’t blame the DBAs; accepting risk is an executive decision.  There really is no excuse.  Yes, patching databases is difficult.  Yes, patching may interrupt business for a period of time.  Yes, it may cause some breakage, but come on, if this is truly critical or sensitive information it is being served up by a redundant cluster, and there simply is no acceptable excuse for bringing this much risk into an organization.  I’ll bet the big boss doesn’t know, or doesn’t understand those risks.  Yet.  If he does, well, tsk, tsk, tsk.  He or she will find out soon enough what the impacts of not patching are.

The risk of doing nothing far outweighs the risk of doing the right thing.  PATCH!!!  And if you really can’t patch quickly, PLAN!!!  Otherwise it will only get worse.

Understanding Crimeware’s Installation Life Cycle

Wow.  A good day to be perusing DarkReading again.  Check out this article and paper from Gunter Ollmann, regarding the evolution of “crimeware” and its installation life cycle.  It is true that those involved with the malware fight day in and day out tend to get caught up in the “hypnotic allure of malware dissections and high-profile breaches” and may miss the subtle nuances that can also provide additional indicators to monitor for.

“For a detailed dissection of the threat (as it stands today), I’ve released a new whitepaper — “Behind Today’s Crimeware Installation Lifecycle” — covering how advanced malware morphs to remain stealthy and persistent. Understanding your opponent remains at the heart of a sound defensive strategy. In this case, though, your “opponent” shouldn’t be thought of in a singular sense, but rather an increasingly well-oiled federated cybercrime ecosystem.”

Standardizing System Event Formats

I agree wholeheartedly with the views and ideas expressed by Richard Mackey in his report for DarkReading and InformationWeek.  In most organizations that are capable, event monitoring exists as a set of “disjointed data streams” that the security team is responsible for reviewing.  There is little if any coordination of monitoring activities between departments, platforms or applications, never mind across competing organizations.  This is the polar opposite of the way that the criminals are operating today, and believe me, you and your competitors are in the same boat, facing the same sharks.

As Richard states, the complexity of security itself remains its greatest challenge. Even when companies collect detailed streams of data, there is little correlation of events across systems and platforms, and very little chance that those responsible for detecting attacks will recognize them before, or as, an incident transpires.  The deluge of data is often too great to distill actionable intelligence from in a timely manner.  We need what the bad guys have: a growing, coordinated, intelligence network.

Standardization is required for:

  • The kinds of log information being captured.
  • The mechanisms used to consolidate events.
  • The methods used to analyze and report the output.
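To make the three points above concrete, here is a small added example (my own illustration, not code from Richard Mackey’s report or from DarkReading) of what standardizing the captured fields, consolidating the streams and analyzing them together buys you.  It takes constructed log lines from three “disjointed data streams” (an sshd syslog line, a pipe-delimited Windows-style logon record, and an application’s JSON audit event; the formats and hosts are invented for the example), normalizes each into one common event schema, and then runs a single correlation over the consolidated stream: one user from one source address failing to log in across several different systems inside a short window, and then succeeding.  No single log shows that pattern; the consolidated one does.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events from three sources, each in its own native format.
# These are made-up records for the example, not real logs.
SAMPLE_LOGS = [
    ("syslog", "May 17 2011 08:01:10 web01 sshd[2210]: Failed password for jdoe from 10.0.0.8 port 51022 ssh2"),
    ("windows", "2011-05-17T08:01:14Z|DC01|4625|jdoe|10.0.0.8|Logon failure"),
    ("app", '{"ts": "2011-05-17T08:01:20Z", "host": "erp01", "user": "jdoe", "src": "10.0.0.8", "event": "login", "result": "failure"}'),
    ("syslog", "May 17 2011 08:02:03 web01 sshd[2210]: Accepted password for asmith from 10.0.0.9 port 51100 ssh2"),
    ("app", '{"ts": "2011-05-17T08:02:30Z", "host": "erp01", "user": "jdoe", "src": "10.0.0.8", "event": "login", "result": "success"}'),
]

# Syslog lines normally omit the year; the constructed lines include it to keep the example self-contained.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def _iso(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize(source, line):
    """Map one raw line into the common schema:
    ts (aware datetime), host, user, src, action, outcome ('success'|'failure'), source.
    Returns None for lines the parser does not understand, so unknown noise is dropped, not crashed on."""
    if source == "syslog":
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
                "action": "login",
                "outcome": "failure" if m["outcome"] == "Failed" else "success",
                "source": source}
    if source == "windows":
        # Windows event ID 4625 is a failed logon, 4624 a successful one.
        ts, host, event_id, user, src, _desc = line.split("|")
        return {"ts": _iso(ts), "host": host, "user": user, "src": src, "action": "login",
                "outcome": "failure" if event_id == "4625" else "success", "source": source}
    if source == "app":
        rec = json.loads(line)
        return {"ts": _iso(rec["ts"]), "host": rec["host"], "user": rec["user"], "src": rec["src"],
                "action": rec["event"], "outcome": rec["result"], "source": source}
    return None


def correlate(events, window_seconds=300, min_hosts=2):
    """Flag a (user, source address) pair with login failures on at least `min_hosts`
    distinct hosts inside `window_seconds`, and note whether a success followed.
    This is the kind of cross-system pattern no single log stream can reveal."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["user"], ev["src"])].append(ev)

    alerts = []
    for (user, src), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["outcome"] == "failure"]
        if not failures:
            continue
        span = (failures[-1]["ts"] - failures[0]["ts"]).total_seconds()
        hosts = {e["host"] for e in failures}
        if len(hosts) >= min_hosts and span <= window_seconds:
            later_success = any(e["outcome"] == "success" and e["ts"] > failures[-1]["ts"] for e in evs)
            alerts.append({"user": user, "src": src, "hosts": sorted(hosts),
                           "failures": len(failures), "followed_by_success": later_success})
    return alerts


def run(logs=SAMPLE_LOGS):
    """Consolidate every stream into the common schema, then analyze the whole thing at once."""
    events = [e for e in (normalize(src, line) for src, line in logs) if e]
    return events, correlate(events)


if __name__ == "__main__":
    _, found = run()
    for alert in found:
        print(alert)
```

The point is not the particular rule but the shape of the pipeline: every source answers the same questions (who, from where, on what host, did what, did it work), so the analysis step is written once against that schema instead of once per log format.  Adding a fourth source means adding a parser branch, not a fourth detection.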
