Thursday, June 20, 2013

The Risk from Insiders

There has been a lot of coverage of the role of a system administrator in the recent release of information about the National Security Administration's intelligence gathering methods. Regardless what you think about the methods that were revealed, information security professionals need to take a hard look at the sorts of exposures that exist due to organizational insiders.

Snowden, a system administrator, is just the most recent high-profile insider to betray his employer's trust. His removal of documents on a thumb drive was viewed as unsuspicious precisely because of his job function.

As long as we have an IT infrastructure, the people who manage it will be in a privileged position. IT professionals recognize the risk; four of five professionals in a recent survey list insiders as the greatest source of risk to the environment.

The same methods that are used elsewhere in the security landscape will help to control and mitigate the risk from insiders. At a high level, there are three steps that need to be taken:

  1. Data Classification: Identify the types of data in your environment, and what the confidentiality, integrity and availability requirements are for each type of data. NIST 800-60 can provide some guidance here.
  2. Establish Control Standards: For the different types of data, we need to describe the measures that are taken to protect the data.
  3. Audit: The controls need to be evaluated for effectiveness, and the organization's compliance with the controls must be verified on a regular basis.

Controls

There are several publicly available documents outlining control best practices and standards. Here are a few:

Some common controls include:

  • Physical access controls: Things like security guards, mantraps, proximity card systems, and combination locks on doors control physical access to sensitive areas and systems.
  • Logical access controls: In general, people should only have the level of access required for their jobs. Access controls should be as granular as possible, and high-level access should require extra levels of approval and scrutiny. Two-factor authentication should be in place for access to sensitive facilities.
  • Personnel management: Some common measures include criminal background checks, periodic security awareness training, contractual attestations, and organizational communications.
  • Separation of duties: Where possible, access should be limited to particular functions, and functions should be defined to limit access to sensitive data. In general, developers should not have access to production, system administrators don't need database access, application administrators don't need system-level access, and only the people who manage the hardware and network need physical access to the systems.
  • Network security: The network should be segmented appropriately, and firewall rules should be in place to restrict traffic between different security zones.
  • Workstations and laptops: Hard drives should have robust encryption and strong password policies should be in place. The types of data that are permitted for local storage should be established and monitored. The ability of end users to install applications needs to be restricted. Patches, anti-virus updates, and security workarounds need to be applied regularly.
  • Backups and continuity: Data needs to be protected by a combination of archival backups, long-distance replication, and local disk mirroring/RAID-ing.
  • Logging and auditing: Logs need to be collected to measure the effectiveness of these controls, and the logs need to be reviewed on a regular basis.

Some of these controls deserve particular attention because they directly address insider-led breaches.

It is bad enough that the security training level of such government employees is not monitored by the DHS. (Most parts of the private sector also don't track administrator security training, for that matter). Beyond carelessness or incompetence, employers need to consider the direct risks posed by their most trusted employees.

Wednesday, June 19, 2013

Medical Devices Insecure

A recent ICS Cert alert and FDA Safety communication have highlighted the lax cybersecurity that is frequently used with medical devices.

For a long time, medical devices were protected by an "air gap" which provided protection as long as the devices were physically separated from the data network. But increasing cost pressures and integration of these devices' capabilities have meant that insecure devices are being exposed to the network.

Common vulnerabilities include things like hard-coded, well-known passwords and even passwordless logins, vulnerability to SQL injection attacks, and a general inattention to security patches and secure configuration guidelines.

Security practices in the medical device industry have lagged most other IT installations. Affected devices include several where a malicious intruder (or buggy malware) could cause patient injury or death.

Wednesday, June 12, 2013

The Price of Insecurity

A recent article on the SANS web site investigated the costs associated with a security breach at Idaho State University.

John Pescatore reports that a breach at ISU's Pocatello Family Medicine Clinic is likely to cost the university $1 million over a 2-year period.

By comparison, implementing best practices in the infrastructure is likely to have defeated the attack, and would have cost around $75k. Even an aggressive security posture is estimated by Pescatore to have cost about $500k total.

Many organizations look at the costs of security breaches, but few consider the TCO related to avoiding a major breach.

Tuesday, June 11, 2013

Confirmed Report of Cyberwar Target List

A recent leak provided additional information about the Cyberwar target list maintained by the US government.

The existence of the list had previously been revealed by the administration. They released a high level fact sheet about the policy directive.

Given recent conflict between China and the US over cyber-spying, the release of this information could reduce the moral authority of the US to protest against Chinese attacks.

Sophisticated Android Exploit Spreads

Kaspersky Labs recently reported that it had analyzed a very sophisticated attack against Android devices. Backdoor.AndroidOS.Obad.a, or "Obad" for short, uses previously unpublished vulnerabilities to install itself, remain undetected, and let remote attackers send commands to the device via SMS.

Besides installing itself and allowing remote attackers full access to the device, Obad downloads additional malware to the target device, runs up phone charges by sending SMS messages to premium-rate services, and spreads malicious files to other devices via Wi-Fi or Bluetooth connections.

It appears that the app can only infect devices which have been configured to allow apps to install from third-party sources.

Dan Goodin reports that Google has updated functionality to detect the malware and provide a warning to users when it is downloaded from an app source or browser.

Some security experts have warned of the danger posed by attackers who compromise a trusted developer's credentials and use them to upload malware to trusted download sites.

Fortunately, the attack does not appear to be widespread yet, based on analysis by Kaspersky.

Monday, May 20, 2013

Chinese End Hacking Hiatus

Chinese hackers associated with the PLA (People's Liberation Army) had dialed back their cyberattacks in the wake of US protests. This hiatus appears to have ended.

An embarrassing public exposure of a unit closely associated with the PLA had led to a temporary decrease in attacks. The Chinese government appears to have calculated that the downside of the publicity surrounding the attacks is outweighed by the benefits they are reaping.

This is likely to be an ongoing feature of the online world.

Thursday, May 16, 2013

Data Protection Pointers

eWeek recently posted a slideshow describing several suggestions for planning a data protection policy in a Hadoop framework. The pointers apply to other data environments as well:
  1. Account for data protection in the planning phase of the project. Take compliance and privacy concerns into account in the initial design and architecture.
  2. Identify data elements that need special protection. What compliance or liability concerns apply to those elements?
  3. Does the application need access to the complete, raw data set? Can the data be masked, obfuscated, or desensitized?
  4. What encryption requirements do you have? What encryption solutions are available? Do they interoperate with the authentication methods in the environment?
  5. Establish standards. It will be easier to keep all the data safe if it is kept in standard templates.

CIO Magazine estimates the value of a data breach at $184-$330 million. Given the cost to an organization's reputation, there is a business imperative in placing adequate resources and thought behind protecting the data in our custody.

Tuesday, May 14, 2013

ColdFusion Vulnerability Nets Attackers SSNs and DL Numbers

A ColdFusion vulnerability whose patch was released in January 2013 was used by attackers against the Washington State Administrative Office of the Courts (AOC). The attackers compromised 160,000 Social Security Numbers and about a million drivers' license numbers.

Organizations may need to take a close look at their patch philosophies, since many organizations would have difficulty testing and deploying an application server patch in such a relatively short time window. This compromise highlights the importance of defense in depth, and the importance of protecting data with the enterprise architecture, not just the capabilities of a particular product.

Sunday, May 12, 2013

Happy Mother's Day!

Federal Government to Default to Open Data

A recent executive order by President Obama mandates government agencies to default to a data policy of being open, publicly-available, and machine-readable.

Exceptions are allowed for information involving privacy, security, or confidentiality. There are obvious concerns that a government agency may not be as careful about privacy-related information as we would like.

Legislation to Track Foreign Hack Attacks

Legislation has been introduced in the US Senate to report on the activities of foreign government-sponsored cyber attacks.

A recent Pentagon report showing significant intrusions sponsored by the Chinese government is a key contributor to the renewed interest in this issue. A recent report by Mandiant definitively tracing attacks to the Chinese PLA's doorstep exposed some of the methods used in these attacks. Experts have also noted an increased pace of attacks that may be linked to other actors such as Iran.

One provision of the bill would restrict imports of technology that is identified as having been stolen as a result of these attacks.

While it is always important to bring out the results of cyberattacks, it may be more effective to focus attention on promoting good information security practices. Current regulations and security audits tend to focus more on paperwork than on the actual effectiveness of controls.

Good examples of best practices recommendations include the SANS 20 Critical Controls and the 31 guidelines recently released by US CERT.

Wednesday, May 8, 2013

Honeywords

Researchers have proposed that files containing encrypted passwords should include several false encrypted passwords (known as "honeywords") along with the real encrypted password. These should be indistinguishable to someone who has been able to access the file.

When one of the false passwords is entered, it would alert administrators that an attack is underway.

A similar security measure, using bogus accounts (known as "honeypot accounts"), alerts administrators when someone is trying to log into them.
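The honeyword scheme and the honeypot-account idea from the two paragraphs above, as an added example that is not the researchers' own code: each user's record holds several salted hashes, only one of which is the real password, and a separate "honeychecker" service knows the index of the real one. A match on any other entry, or any login to a bogus account, raises an alarm. The user names, decoy words and iteration count are constructed for the example.

```python
"""Added example, not the researchers' code: a minimal honeyword password file
with a separate honeychecker and honeypot accounts."""
import hashlib
import hmac
import os
import random
import secrets

PBKDF2_ITERATIONS = 100_000  # iteration count chosen for the example


def hash_password(password: str, salt: bytes) -> bytes:
    # The post says "encrypted passwords"; a salted hash is the usual form.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Honeychecker:
    """Separate service that stores only the index of the real password per user.
    Someone who reads the password file alone cannot tell which entry is real."""

    def __init__(self):
        self._real_index = {}
        self.alarms = []  # (user, reason) pairs raised so far

    def set_index(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def check(self, user: str, index: int) -> bool:
        if self._real_index.get(user) == index:
            return True
        self.alarm(user, "honeyword")
        return False

    def alarm(self, user: str, reason: str) -> None:
        self.alarms.append((user, reason))


class PasswordFile:
    """Stores k 'sweetwords' per user: the real password plus k-1 honeywords."""

    def __init__(self, checker: Honeychecker, k: int = 5, rng=None):
        self.checker = checker
        self.k = k
        self.rng = rng or secrets.SystemRandom()
        self.entries = {}       # user -> (salt, [hash0, ..., hash_{k-1}])
        self.honeypots = set()  # bogus accounts nobody should ever log into

    def add_user(self, user: str, password: str, decoys: list) -> None:
        # decoys: k-1 honeywords that should look like plausible passwords for
        # this user; generating good ones is a problem of its own, so they are
        # plain inputs here.
        if len(decoys) != self.k - 1:
            raise ValueError("need exactly k-1 decoys")
        sweetwords = list(decoys)
        real_index = self.rng.randrange(self.k)
        sweetwords.insert(real_index, password)
        salt = os.urandom(16)
        self.entries[user] = (salt, [hash_password(w, salt) for w in sweetwords])
        self.checker.set_index(user, real_index)

    def add_honeypot_account(self, user: str) -> None:
        self.honeypots.add(user)

    def login(self, user: str, candidate: str) -> str:
        """Return 'ok', 'fail', 'honeyword' or 'honeypot'; the last two raise an alarm."""
        if user in self.honeypots:
            self.checker.alarm(user, "honeypot")
            return "honeypot"
        if user not in self.entries:
            return "fail"
        salt, hashes = self.entries[user]
        h = hash_password(candidate, salt)
        for index, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return "ok" if self.checker.check(user, index) else "honeyword"
        return "fail"


def demo() -> dict:
    """Constructed scenario: one real user with three decoys, one honeypot account."""
    checker = Honeychecker()
    pwfile = PasswordFile(checker, k=4, rng=random.Random(7))
    pwfile.add_user("alice", "correct horse",
                    ["correct h0rse", "c0rrect horse", "correct horse1"])
    pwfile.add_honeypot_account("backup-admin")
    return {
        "real": pwfile.login("alice", "correct horse"),
        "decoy": pwfile.login("alice", "c0rrect horse"),
        "wrong": pwfile.login("alice", "password"),
        "honeypot": pwfile.login("backup-admin", "anything"),
        "alarms": list(checker.alarms),
    }


if __name__ == "__main__":
    print(demo())
```

The point of splitting the index out into the honeychecker is that stealing the password file is no longer enough: an attacker who cracks the hashes offline still has to guess which of the k candidates is real, and a wrong guess is what triggers the alert. The honeychecker should live on a separate, minimal host, since it is the only place where the real index is kept.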

Tuesday, May 7, 2013

reputation.com Reputation Tarnished by Security Breach

reputation.com, a company that advertises its ability to help manage customers' online reputations, suffered a security compromise of its own. Information stolen includes customers' physical addresses and employment history, both of which could potentially be useful in an identity attack. Some encrypted passwords were also stolen.

Unfortunately, part of the company's damage control efforts included misinformation about the risk posed by the stolen encrypted passwords. Dictionary-based attacks on encrypted passwords depend only on having enough computing power, especially given the poor quality of most passwords. And in an environment where the Internet is swimming in easily hackable, powerful computers, computing power is not much of a barrier to entry.

(Since many people use a single password across platforms, a stolen encrypted password for one account could allow an intruder to access a broad range of accounts, including bank accounts and accounts at a target's workplace.)

Monday, May 6, 2013

Drone Maker's Secrets Stolen by Chinese PLA

Chinese hackers tied to the PLA (People's Liberation Army) have had access to secret information from QinetiQ, one of the world's foremost designers of military drones. Investigators have discovered that most, if not all, of the secret information in QinetiQ's computer network was compromised as a result of the breach.

Ironically, QinetiQ won a bid to consult with the Department of Defense on cyber-threats.

Denials by the Chinese government have been less than convincing, given the thoroughness of the report released by security firm Mandiant.

State-sponsored cyberattacks have become more common in recent months. These attacks can be particularly difficult for a company to defend against, since the resources of a state sponsor can swamp an individual security department. Even with that, most attacks can be defended against by following basic security principles like the 20 controls recommended by SANS. The US CERT has released 31 guidelines to protect against a broad range of attacks.

In the case of QinetiQ, for example, two-factor authentication would have protected against the most damaging hacks, if it had been implemented.

UPDATE: The Pentagon has directly accused the Chinese government of cyber-spying. The Chinese response:

Although it is common sense that you cannot determine sources of cyber attacks only through IP addresses, some people in the Pentagon still prefer believing they are from China as they always bear a sense of rivalry. It is an allegation based on presupposition.

Department of Labor Hacked

A Department of Labor sub-site appears to have been hacked, and the affected site distributed malware to the computers of people viewing the web pages. The "Site Exposure Matrices" page redirected viewers to pages which gathered information about the computer viewing the site, attempted to disable common AntiVirus packages, then attempted to run malware associated with the Chinese-linked DeepPanda operation.

The malware attempted to install command and control software on PCs that had not been patched against the vulnerability the malware exploited.

The site is used by people who are applying for job-related compensation for workers in the energy field.

UPDATE: People using the IE (Internet Explorer) 8 browser are vulnerable to the exploit on the DOL web site. A module exploiting this bug is available for Metasploit. It is not clear whether this will be patched in the next Microsoft patch round, but a patch is not available as of this writing. IE8 users are urged to update to a current, fully patched version of IE.

UPDATE: The May 13 patch round will include a fix for this vulnerability for IE 8. A temporary work-around has been provided by Microsoft as well.

Wednesday, May 1, 2013

Cybercrooks Target Small Businesses

The Symantec Internet Security Threat Report for 2013 notes that the number of attacks against small businesses has spiked, rising from 18% of attacks in 2011 to 31% in 2012.

While there are fewer rewards for attacks against a smaller business, attackers view smaller businesses as easier targets.

Ships Inadvertently Broadcast Location on Internet

More than 34,000 ships are potentially able to be tracked over the Internet via their Automated Identification System feed.

This system allows ships to share location information in order to help avoid collisions.

Tuesday, April 30, 2013

Apache Attack Invisible to Usual Investigative Methods

A new, widespread attack against the Apache web server appears to have infected a large number of systems. The so-called "CDorked" attack is very difficult to detect because it hides its evidence in shared memory rather than on the file system. The only file-system level evidence is obfuscated within the httpd binary.

Eset has released a Python script to help administrators verify whether the httpd binary has been affected.

The H Security reports that this particular attack can be detected by looking for the string "open_tty" in the Apache program directory, e.g.:

  grep -r open_tty /usr/local/apache/

The immutable bit is also set on the compromised binaries, which can make it more difficult to fix the problem; it has to be cleared before the binary can be replaced, for example:

  chattr -ai /usr/local/apache/bin/httpd

The only real way to defend against/detect attacks like this would be to run file integrity checking software to look for changing checksums when binaries are altered or replaced.
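The file integrity check described above, as an added example that is not ESET's script and not from The H: it records a checksum baseline for a web-server directory, re-verifies it later, and also looks for the "open_tty" string indicator the post mentions. The directory layout and file contents are constructed for the example.

```python
"""Added example, not ESET's verification script: record a checksum baseline for
a web-server directory, re-verify it later, and flag the "open_tty" string
indicator that The H reports for CDorked-modified httpd binaries."""
import hashlib
import tempfile
from pathlib import Path

INDICATOR = b"open_tty"  # string indicator named in the post


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(root) -> dict:
    """Map of relative path -> sha256 for every regular file under root.
    Store the result off-host: an intruder with root can rewrite a local copy."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_baseline(root, baseline: dict) -> dict:
    """Compare the directory with a stored baseline."""
    current = make_baseline(root)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def has_indicator(path, indicator: bytes = INDICATOR) -> bool:
    """Same check as `grep open_tty FILE`, for one file."""
    with open(path, "rb") as f:
        return indicator in f.read()


def scan(root, baseline: dict) -> dict:
    """Run both checks; the checksum comparison catches a replaced binary even
    if a later variant changes the indicator string."""
    result = verify_baseline(root, baseline)
    root = Path(root)
    result["indicator"] = sorted(p.relative_to(root).as_posix()
                                 for p in root.rglob("*")
                                 if p.is_file() and has_indicator(p))
    return result


def demo() -> dict:
    """Constructed scenario in a temporary directory: baseline a clean 'httpd',
    then overwrite it with content carrying the indicator and re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp) / "bin"
        bindir.mkdir()
        httpd = bindir / "httpd"
        httpd.write_bytes(b"clean httpd build (constructed)")
        baseline = make_baseline(tmp)
        before = scan(tmp, baseline)
        httpd.write_bytes(b"modified httpd ... open_tty ... (constructed)")
        after = scan(tmp, baseline)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Two caveats apply on a real system. The baseline is only as good as its source: take it from a known-good installation, or use the package manager's own verification (for example `rpm -V` on RPM-based systems) rather than a baseline recorded after a possible compromise. And this check only sees the on-disk binary; the payload that lives in shared memory leaves no file for it to hash, so a changed httpd checksum should be treated as a reason to rebuild the host, not just to restore one file (after clearing the immutable attribute with chattr, as shown above).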

Sunday, April 28, 2013

Phishing Attack Responsible for Market-Impacting @AP Hack

There was a lot of coverage earlier this week about the bogus tweet from @AP claiming that the White House had been bombed and President Obama injured. What I had not realized was that the account appears to have been hacked because of a phishing attack. ars technica reports:
The bogus tweet was sent from one of at least of two compromised Twitter accounts belonging to the Associated Press. Mike Baker, a reporter with the 167-year-old news organization, said the AP's mobile Twitter account was compromised as well. "The @AP hack came less than an hour after some of us received an impressively disguised phishing email," he wrote in a separate Twitter dispatch. In recent days security personnel with the news cooperative discovered malware had infected some of its computers, officials told the New York Times.

Obviously, even sophisticated users need to be more careful about reacting to phishing emails. In general, never click on anything you are sent in an email. Instead, log into the site in question by typing in the address yourself.

Twitter committed to accelerating its program to roll out two-factor authentication, especially for use by people who tweet from mobile devices such as cell phones.

Tuesday, April 23, 2013

19% of Attacks are State-Sponsored

A recent report by Verizon shows that the frequency of state-sponsored attacks is increasing. Currently, 19% of attacks appear to have been state-sponsored. The profile of these attacks is usually different from those aimed at identity theft or other forms of fraud.

Of the foreign attacks, the largest group of them appear to have come from China.

Verizon also reports that most attacks would be adequately defended by applying the 20 controls recommended by SANS.

UPDATE: The US CERT has released 31 guidelines to protect against a broad range of attacks.

UPDATE: The Pentagon has directly accused the Chinese government of cyber-spying. The Chinese response:

Although it is common sense that you cannot determine sources of cyber attacks only through IP addresses, some people in the Pentagon still prefer believing they are from China as they always bear a sense of rivalry. It is an allegation based on presupposition.

Sunday, April 21, 2013

Vulnerabilities in SOHO Wireless Routers

A recent ISE study reveals that the most widely deployed SOHO wireless routers have serious security vulnerabilities.

You should definitely upgrade the firmware on your router and follow secure configuration guidelines. ISE recommended the following steps:

  • Make sure your firmware is up to date on a regular basis.
  • Make sure remote administration is turned off. (i.e., don't allow wireless connections to manage the router.)
  • Disable all unused network services.
  • Restart your wireless router after performing administrative tasks.
  • Log out from the session and clear cookies from your browser after performing administrative tasks.
  • Select a non-standard LAN IP address range to protect against generic or automated attacks.
  • Verify that https is enabled for administrative functions.
  • Use AES encryption. WEP and TKIP have known vulnerabilities.
  • Use firmware only from the manufacturer's web site.
  • Use a secure administrator password including uppercase/lowercase/numeric/special characters, at least 12 characters in length.
  • If possible, restrict access to the wireless router from the firewall or main router.

Sunday, April 14, 2013

South Korea Hack Attacks Confirmed to be from North Korea

South Korea reports what we all suspected all along, that the recent attacks launched against their financial services infrastructure are coming from North Korea.

Evidently, the hacker accidentally exposed his or her IP address during one of the attacks, allowing authorities to trace the attacks to their source.

Saturday, April 13, 2013

Hacking Airplanes with your Cell Phone: How Not to Think About Security

Hugo Teso recently reported on some pretty serious flaws in the security for airplane flight systems and pilot displays. He reports that using an Android device and some custom-written code, he was able to provoke actions by the flight systems and feed the pilot incorrect information. The Register has a pretty good summary of what Teso discussed.

In an interview with Forbes, Teso reported:

“You can use this system to modify approximately everything related to the navigation of the plane. That includes a lot of nasty things.”

Fortunately, The Register tells us:

Federal Aviation Administration and the European Aviation Safety Administration have both been informed and are working on fixing the issue.

That would seem to be an appropriate response to a flaw like that. You would really hate to think about al Qaeda sending a bunch of wackos with cell phones onto flights. And I don't think the FAA would seriously be able to take away people's cell phones on flights. Dealing with Alec Baldwin alone would stretch the resources of most Federal agencies.

Fortunately, the FAA has taken swift action to alleviate any concerns the flying public might have about some new-found sense of competency in that agency. The FAA reports that there is no real problem because the hack did not work when they tested it against a "flight certified" configuration.

The idea of "defense in depth" appears to have soared right past these people. If there is a problem in a component of an overall system, FIX IT.

Here's hoping that the FAA manages to stumble across a clue in between meetings about whether or not to allow people to bring fully-functioning bananas on planes.

Update

The app that Teso used is only effective against simulators. That does not mean that there is not an issue that needs to be resolved. The H Security reports that:
Teso says that the ACARS communication with a plane can be implemented locally via a software-defined radio system or globally via one of the two major ACARS providers, ARINC and SITA. The researcher added that a vulnerability would need to be found with the providers.

The manufacturer, Honeywell, is investigating to see to what extent the vulnerabilities in the PC product used in simulators are also applicable to hardware-based implementations used on planes.

Other media outlets, like Computerworld, are reporting on the differences between the PC simulator hardware and the hardware-based implementations. My opinion remains the same as it was earlier; problems need to be fixed. Working exploits depend on chaining problems together; a good security posture depends on removing as many links from the chain as possible.

Tuesday, April 9, 2013

Honeypots Reveal Targeted SCADA Attacks

I recently came across an interesting article in SecurityWeek. Researchers set up honeypots to see what types of attacks were being launched against SCADA installations.

It will come as no surprise that the largest proportion of attacks came from China (35%). The next largest set came from the US (19%), followed by Laos (12%).

Several attack vectors were detected, from attempting to access secure areas on the site to attacks on SCADA-specific protocols.

SCADA attacks are particularly dangerous because the impact can be outsized, due to the nature of equipment and environments that are managed by SCADA gear.

One possible attack vector for systems not connected to the public network is to target individuals who work with the equipment. This is the attack vector anticipated for vulnerabilities like the one found in Mitsubishi's MX ActiveX control recently.

Saturday, April 6, 2013

Recent Attacks Appear Linked to Iran

The New York Times reports that recent attacks against US financial institutions may have been state-sponsored attacks from groups linked to Iran.

The current round of attacks is different from most previous attacks in that they are not aimed at either denial of service or fraud, but at causing permanent damage to the systems under attack.

Financial services companies have paid lip service to computer security for a long time, while avoiding the costs associated with any best practices they could rationalize away. It will be interesting to see if the recent attacks will wake up the financial services companies to take information security seriously.

Friday, March 29, 2013

Book Review: Security Engineering by Anderson

Anderson's update to his classic reference book is a worthwhile addition to the bookshelf of any system administrator or enterprise architect.

The length certainly is intimidating, but every page is packed with information. A lot of so-called "security" books are full of fluff and recycled advice that is freely available on the web. Anderson's book is a well-thought-out encyclopedia of information that you will need to design dependable, resilient, secure systems.

As an author, I can tell you that it is easy to tell the difference between a book that someone has rushed to press and one that is a carefully constructed reference. Anderson took the time to do his book right.

Take the time to read the book; don't hurry through it. Then come back to the book again in a year--I can guarantee that you will learn as much the second time through as you did the first.

Tuesday, March 26, 2013

Hijacked Management Server Implicated in South Korea Attack

The Register is reporting that the recent cyber attacks in South Korea may have used the patch server as the attack vector.

This is a good illustration of why defense in depth is important. Sophos reports that the signatures for the malware were well-known and should have been caught by updated malware detection software.

If you missed it, Wired Magazine had a pretty good write-up in the initial aftermath of the attack.