tag:blogger.com,1999:blog-274009744145673640 2024-02-19T05:29:58.383-05:00 Thoughts on Security ScottCromar http://www.blogger.com/profile/02344384388503793470 noreply@blogger.com Blogger42125
tag:blogger.com,1999:blog-274009744145673640.post-1128728676815662275 2014-03-09T00:50:00.000-05:00 2014-03-09T00:50:29.476-05:00
Pre-Installed Phone Malware
Some new Samsung, Motorola, Asus, and LG phones are reported to have <a href="http://www.net-security.org/malware_news.php?id=2724">come with malware installed</a>. <a href="http://www.computerworld.com/s/article/9246764/Pre_installed_malware_found_on_new_Android_phones?taxonomyId=17&pageNumber=2">Samsung reports</a> that the malware, which appears to be an altered version of a Netflix app, was not installed at the factory. The most likely explanation is that the malware was inserted somewhere in the supply chain between the factory and the buyer.
<p>
The malware in question was <a href="http://www.net-security.org/malware_news.php?id=2724">harvesting passwords and financial information</a>, and relaying that information to a server in Russia.
<p>
ScottCromar http://www.blogger.com/profile/02344384388503793470 noreply@blogger.com 0
tag:blogger.com,1999:blog-274009744145673640.post-6231522886151004087 2014-03-01T09:30:00.000-05:00 2014-03-01T09:34:18.134-05:00
Energy Companies Turned Down for Cyber Insurance as Poor Risks
Energy and other physical infrastructure companies have a difficult job to do. The SCADA (Supervisory Control and Data Acquisition) components are <a href="http://en.wikipedia.org/wiki/SCADA#Security_issues">difficult to maintain or secure</a>. They are isolated, often have inadequate support, are frequently <a href="http://bluepillar.com/scada-is-scary-part-1/">highly customized for a particular installation</a>, and may be so old that no reasonable support or patches are available for them.
<p>
Unfortunately, some energy companies appear to <a href="http://www.theregister.co.uk/2014/02/27/energy_sector_refused_cyber_insurance/">view insurance as a replacement for (rather than a supplement to)</a> robust information security. Insurance companies that offer cyber security policies are increasingly <a href="http://www.bbc.com/news/technology-26358042">turning down these potentially lucrative contracts</a> because of the risk of a loss.
<p>
The <a href="http://www.csmonitor.com/World/Security-Watch/2014/0225/Exclusive-New-thesis-on-how-Stuxnet-infiltrated-Iran-nuclear-facility">"Olympic Games" operation</a> involving <a href="http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=view">Stuxnet</a> showed the <a href="http://news.cnet.com/8301-27080_3-20011159-245.html">danger hackers pose to critical infrastructure</a>. Even though Stuxnet was originally targeted at Iran's secretive nuclear program, the <a href="http://www.computerworld.com/s/article/print/9185419/Siemens_Stuxnet_worm_hit_industrial_systems?taxonomyName=Network+Security&taxonomyId=142">worm escaped into the wild</a> and has been found in unrelated and surprising places.
<p>
Hopefully the refusal of cyber insurance will be a wake-up call to energy and other infrastructure companies. Updates need to be applied, <a href="http://www.epiphan.com/solutions_new/?arid=84">security needs to be designed in</a>, and critical components may need to be separated from the network by an air gap.
<p>
ScottCromar http://www.blogger.com/profile/02344384388503793470 noreply@blogger.com 0
tag:blogger.com,1999:blog-274009744145673640.post-7536776647766738834 2014-03-01T09:23:00.001-05:00 2014-03-01T09:23:37.925-05:00
Mt Gox: Criminal or Careless?
In recent days, there have been a lot of contradictory reports about a large theft at the Mt Gox Bitcoin exchange. Its bankruptcy filing reported that about <a href="http://news.yahoo.com/tokyo-bitcoin-exchange-files-bankruptcy-102841684--finance.html?soc_src=mediacontentstory">USD 425 million</a> worth of bitcoins appear to have disappeared. <a href="http://www.marketwatch.com/story/mt-gox-under-investigation-bitcoin-price-rebounds-2014-02-25?mod=wsj_share_tweet">Mt Gox has done nothing to clear up the confusion</a>, which has led to ever more speculation about exactly what happened.
<p>
Much of the information that is being reported has been sourced to <a href="http://two-bit-idiot.tumblr.com/post/77760399932/update-on-mt-gox-this-document-appears-to-be">a document that has been published on the Internet</a>. At this point, Mt Gox has not validated the document, but many reports believe it to be genuine.
<p>
Reports have centered around a <a href="http://www.reuters.com/article/2014/02/28/us-bitcoin-mtgox-insight-idUSBREA1R06C20140228">known weakness in the Bitcoin protocol, known as "transaction malleability."</a> A Bitcoin transaction is identified by a hash of its full contents, and the encoding of its signature could be altered by a third party without invalidating it. In attacks based on malleability, an attacker takes a legitimate withdrawal transaction, rebroadcasts an altered copy that carries a different transaction ID, and <a href="http://www.wired.com/wiredenterprise/2014/02/bitcoins-mt-gox-implodes/">floods the exchange with such altered copies</a>. An exchange that tracks a withdrawal only by the ID it originally broadcast sees that ID never confirm, concludes that the withdrawal failed, and may pay it again; to be safe it has to match confirmed transactions against what each transaction actually spends and pays, not against the ID. <a href="http://money.cnn.com/2014/02/12/technology/security/bitcoin-attack/index.html?iid=EL">Most exchanges have built in safeguards to deal with attacks based on malleability.</a>
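<p>
To make the withdrawal-tracking mistake concrete, here is an added example (not code from the original post, and not real Bitcoin serialisation): a toy transaction model in Python in which, as in Bitcoin at the time, the transaction ID is a hash over the whole transaction including the signature bytes, and a third party can re-encode the signature without invalidating it. The exchange class, the coin names, the digest standing in for a signature and the padding-byte mutation are constructed for the example; the `match_by` policy is the one design decision that separates the naive exchange from the robust one.

```python
import hashlib
from dataclasses import dataclass


def sign(inputs, outputs) -> bytes:
    # Constructed stand-in for an ECDSA signature: a 32-byte digest of what
    # the spender authorises. Only the "covers inputs+outputs" property matters.
    return hashlib.sha256(repr((inputs, outputs)).encode()).digest()


@dataclass(frozen=True)
class Tx:
    inputs: tuple    # references to the coins being spent
    outputs: tuple   # (destination, amount) pairs
    sig: bytes       # signature bytes, possibly with extra encoding padding

    def txid(self) -> str:
        # The transaction ID hashes the signature bytes too, so any change to
        # the signature's encoding changes the ID (the malleability problem).
        body = repr((self.inputs, self.outputs)).encode()
        return hashlib.sha256(body + self.sig).hexdigest()

    def content_key(self) -> str:
        # What the transaction does, independent of how the signature is encoded.
        return hashlib.sha256(repr((self.inputs, self.outputs)).encode()).hexdigest()


def is_valid(tx: Tx) -> bool:
    # Modelled verifier: accepts trailing padding after the 32 signature bytes,
    # the way pre-BIP66 nodes accepted more than one encoding of a signature.
    return tx.sig[:32] == sign(tx.inputs, tx.outputs)


def malleate(tx: Tx) -> Tx:
    """Third-party mutation: same inputs, same outputs, same spender, but a
    re-encoded signature and therefore a different txid."""
    return Tx(tx.inputs, tx.outputs, tx.sig + b"\x00")


class Exchange:
    """Hot wallet that sends withdrawals and later reconciles them against
    confirmed transactions. `match_by` maps a Tx to the key used to decide
    whether a confirmed transaction is one of ours."""

    def __init__(self, coins, match_by):
        self.coins = list(coins)      # constructed: unspent coins we control
        self.match_by = match_by
        self.pending = {}             # key -> Tx awaiting confirmation
        self.sent = []                # every Tx we ever broadcast

    def withdraw(self, dest, amount) -> Tx:
        inputs = (self.coins.pop(0),)
        outputs = ((dest, amount),)
        tx = Tx(inputs, outputs, sign(inputs, outputs))
        self.pending[self.match_by(tx)] = tx
        self.sent.append(tx)
        return tx

    def reconcile(self, confirmed) -> int:
        """Resend any pending withdrawal not found among the confirmed
        transactions; return the total amount paid out so far."""
        seen = {self.match_by(t) for t in confirmed}
        unconfirmed = [t for key, t in self.pending.items() if key not in seen]
        self.pending.clear()
        for t in unconfirmed:
            dest, amount = t.outputs[0]
            self.withdraw(dest, amount)   # "it must have failed, pay again"
        return sum(amount for t in self.sent for _, amount in t.outputs)


def run_scenario(match_by) -> int:
    """One withdrawal; the attacker's malleated copy is what the network
    confirms. Returns the total the exchange ends up paying."""
    ex = Exchange(coins=["coin-1", "coin-2", "coin-3"], match_by=match_by)
    tx = ex.withdraw("customer-address", 10)
    mutated = malleate(tx)                     # rebroadcast by the attacker
    assert is_valid(mutated) and mutated.txid() != tx.txid()
    return ex.reconcile(confirmed=[mutated])   # the copy confirmed, not the original


if __name__ == "__main__":
    print("matching by txid, total paid:", run_scenario(lambda t: t.txid()))
    print("matching by content, total paid:", run_scenario(lambda t: t.content_key()))
```

Run as a script it prints the total paid under each policy: matching by txid pays the same withdrawal twice, because the ID it is waiting for never confirms; matching by what the transaction spends and pays recognises the mutated copy as its own and pays once. The same distinction applies to any system that keys its bookkeeping on a hash that an outsider can perturb.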
<p>
Serious allegations are being raised that fraud within Mt Gox may itself have been responsible for at least some of the loss. In <a href="http://i.cdn.turner.com/money/2014/images/02/25/Transparency_august.pdf?iid=EL">2012, Mt Gox reported about USD 380,000 in revenue</a>. But in 2013, the company had to pay out a <a href="http://money.cnn.com/2014/02/25/technology/security/bitcoin-mtgox/index.html">USD 5 million fine</a>. Financial reporters are not clear on how Mt Gox was able to keep its doors open after this fine, but there are <a href="http://www.reuters.com/article/2014/02/28/us-bitcoin-mtgox-insight-idUSBREA1R06C20140228">several reports of slow payments after the fine was paid</a>. Financial <a href="http://money.cnn.com/2014/02/25/technology/security/bitcoin-mtgox/index.html">reporters have noted</a> that some consider this to be an early warning of a company doing business on a fraudulent basis.
<p>
At the very least, it appears clear that Mt Gox continued to do business even after discovering that it was vulnerable to a hacking attack.
<p>
ScottCromar http://www.blogger.com/profile/02344384388503793470 noreply@blogger.com 0
tag:blogger.com,1999:blog-274009744145673640.post-6177618459292243454 2014-02-28T19:00:00.000-05:00 2014-03-01T08:10:51.020-05:00
WiFi Virus Created
Security researchers have designed a <a href="http://www.forbes.com/sites/bridaineparnell/2014/02/26/new-virus-spreads-like-the-common-cold-via-wifi/">virus that spreads silently through WiFi networks</a>. The <a href="http://www.v3.co.uk/v3-uk/news/2331294/security-researchers-warn-of-airborne-wifi-virus-that-spreads-like-a-cold">"Chameleon" virus replaces the access point's firmware while keeping</a> its existing settings and administrative credentials, so the compromised device looks unchanged from the outside, which <a href="http://jis.eurasipjournals.com/content/2013/1/2">makes it very difficult to detect</a>.
<p>
Fortunately, the <a href="http://www.cnet.com.au/researchers-create-a-virus-that-can-spread-via-wi-fi-339346763.htm">virus can be blocked by following good WiFi security practices</a>. Unfortunately, many WiFi networks are not set up in a secure way.
<p>
The <a href="http://howto.cnet.com/8301-11310_39-57580527-285/home-networking-explained-part-6-keep-your-network-secure/">steps to secure a home WiFi network are not particularly difficult</a>:
<ul>
<li><a href="http://networking.answers.com/wifi/aes-vs-tkip-a-networking-overview">Use AES encryption</a>. WEP and TKIP have <a href="http://www.cs.sjsu.edu/faculty/stamp/CS265/projects/Spr05/ppt/TKIP.ppt">known weaknesses that are easily exploited</a>. (Depending on your router this is labelled WPA2 with AES or CCMP; choose WPA2-only where the router allows it, and avoid "WPA/WPA2 mixed" modes, which keep TKIP enabled.)</li>
<li>Use a passphrase that is hard to break. It <a href="http://wifinetnews.com/archives/2003/11/weakness_in_passphrase_choice_in_wpa_interface.html">should have more than 20 characters</a>, and should mix upper and lower case letters, numbers, special characters, and even spaces. An entire sentence works well, provided it is not a known quotation.</li>
<li>Change the default administrative password and IP address. A <a href="http://www.slate.com/articles/technology/webhead/2004/11/how_to_steal_wifi.html">surprising number of home installations still use the defaults</a>.</li>
<li>Turn off remote administration features, and require administration over a wired connection.</li>
<li>Verify that your <a href="http://krebsonsecurity.com/2014/02/time-to-harden-your-hardware/">firmware is updated</a>. A <a href="http://arstechnica.com/security/2014/02/dear-asus-router-user-youve-been-pwned-thanks-to-easily-exploited-flaw/">number of bugs</a> <a href="http://www.theregister.co.uk/2014/02/20/belkin_on_wemo_bug_get_the_patch/">have been reported</a> against <a href="https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633">WiFi router</a> <a href="http://kb.linksys.com/Linksys/ukp.aspx?pid=80&vw=1&articleid=4030">firmware</a>.</li>
<li>Log out of your administrative sessions when you are done.</li>
</ul>
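<p>
As an added example (mine, not part of the original post and not part of hostapd), the checklist above expressed as a small Python audit of a hostapd.conf, the configuration file used by Linux-based access points and many router firmwares. The two configuration fragments are constructed for the example; the option names (wpa, wpa_pairwise, rsn_pairwise, wpa_passphrase, wep_key*) are hostapd's own. The first fragment has the weaknesses the list warns about (a WPA/WPA2 mixed mode, TKIP still offered, a nine-character passphrase), the second is the corrected form.

```python
# Constructed hostapd.conf fragments for the example.
WEAK_CONF = """\
interface=wlan0
ssid=HomeNet
hw_mode=g
channel=6
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
wpa_passphrase=password1
"""

HARDENED_CONF = """\
interface=wlan0
ssid=HomeNet
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=the quick brown fox jumps over my neighbours fence 47 times
"""


def parse_hostapd(text: str) -> dict:
    """Minimal key=value parser; ignores blank lines and '#' comments.
    The last occurrence of a key wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg: dict) -> list:
    """Return (code, message) findings for the weaknesses in the checklist."""
    findings = []
    wpa = cfg.get("wpa", "0")          # 0 = none/WEP, 1 = WPA, 2 = WPA2, 3 = both
    wep_keys = [k for k in cfg if k.startswith("wep_key")]
    if wep_keys:
        findings.append(("WEP", "WEP keys configured (%s): WEP is broken, remove them"
                         % ", ".join(wep_keys)))
    if wpa == "0" and not wep_keys:
        findings.append(("OPEN", "wpa=0 and no WEP keys: the network is unencrypted"))
    if wpa in ("1", "3"):
        findings.append(("WPA1", "wpa=%s permits WPA version 1; set wpa=2" % wpa))
    # Ciphers actually offered: wpa_pairwise governs WPA, rsn_pairwise governs
    # WPA2 and falls back to wpa_pairwise when unset.
    offered = set()
    if wpa in ("1", "3"):
        offered.update(cfg.get("wpa_pairwise", "").split())
    if wpa in ("2", "3"):
        offered.update(cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", "")).split())
    if wpa != "0":
        if "TKIP" in offered:
            findings.append(("TKIP", "TKIP offered as a pairwise cipher; use CCMP (AES) only"))
        if "CCMP" not in offered:
            findings.append(("NO_CCMP", "no explicit CCMP cipher; set rsn_pairwise=CCMP"))
    psk = cfg.get("wpa_passphrase")
    if wpa != "0" and psk is not None and len(psk) <= 20:
        findings.append(("SHORT_PSK", "passphrase is %d characters; use more than 20"
                         % len(psk)))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_hostapd(conf)) or "no findings")
```

The audit deliberately does not trust defaults: if the cipher is not pinned it asks for rsn_pairwise=CCMP rather than assuming what the firmware's build chose. On a consumer router the same checks map onto the web UI's "security mode" and "cipher" dropdowns.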
<p>
Beyond securing your own routers, you need to keep in mind that public routers may also have been infected. There are some steps you can take to <a href="http://howto.cnet.com/8301-11310_39-20034899-285/6-ways-to-use-public-wi-fi-hot-spots-safely/">protect yourself when connecting to public WiFi routers</a>. Be aware that public networks are by definition insecure, whether WiFi or wired. There is little or nothing to stop a miscreant from trying to snoop your connection.
<ul>
<li>Enable the software firewall built into your operating system, and deny all incoming connections.</li>
<li>Make sure file sharing is turned off.</li>
<li>Be aware that passwords may be captured by keyloggers, pulled from your computer's registry, or simply observed over your shoulder. By using a tool like <a href="http://download.cnet.com/1772-20_4-0.html?query=lastpass&platform=Windows%2CMac%2CiOS%2CAndroid%2CWebware%2CMobile&searchtype=downloads">LastPass</a> or <a href="http://sourceforge.net/projects/passwordsafe/">Password Safe</a>, you can avoid typing passwords while keeping them in an encrypted store.</li>
<li>Use a VPN if possible.</li>
<li>Use HTTPS (HTTP over SSL/TLS) to connect to vendor sites wherever possible, and do not click through certificate warnings on a public network.</li>
</ul>
<p>
ScottCromar http://www.blogger.com/profile/02344384388503793470 noreply@blogger.com 0
tag:blogger.com,1999:blog-274009744145673640.post-6314787006105184271 2014-02-23T20:29:00.001-05:00 2014-02-23T20:32:00.082-05:00
Windows Crash Reports and Intrusion Detection
<a href="http://www.websense.com/content/websense-crash-apt-report.aspx">Websense recently published a whitepaper</a> discussing how to use Windows crash reports to identify intrusions. They took their analysis one extra step past detecting known attack signatures to <a href="http://www.websense.com/content/websense-crash-apt-report.aspx">look for new, unknown attacks.</a>
<p>
While researching the whitepaper, Websense used their methodology to identify a <a href="http://www.websense.com/content/websense-crash-apt-report.aspx">new targeted attack against a mobile network provider and a government agency,</a> and a <a href="http://www.infosecurity-magazine.com/view/37010/using-windows-error-reports-to-detect-unknown-breaches/">new Zeus-based POS (Point of Sale terminal) attack.</a>
<p>
ScottCromar http://www.blogger.com/profile/02344384388503793470 noreply@blogger.com 0
tag:blogger.com,1999:blog-274009744145673640.post-3086986590825070120 2014-02-11T22:00:00.002-05:00 2014-02-11T22:00:45.135-05:00
CryptoLocker, Ransomware, and the Importance of Good Backups
<a href="https://www.us-cert.gov/ncas/alerts/TA13-309A">CryptoLocker attacks</a> have become more frequent and public. <a href="http://www.snopes.com/computer/virus/cryptolocker.asp">CryptoLocker</a> is a type of <a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ransomware-a-growing-menace.pdf">ransomware</a> that stealthily encrypts all available files on the infected computer and on any attached shares or devices. Then the computer user is warned that the files can only be decrypted with a key that must be bought and installed within 100 hours.
<p>
Of course this is extortion. But Symantec estimates that <a href="http://www.snopes.com/computer/virus/cryptolocker.asp">3% of victims</a> pay up, which is enough to <a href="http://www.connectamarillo.com/news/story.aspx?id=1005134#.Uvq4icKYZ2s">net the extortionists millions of dollars per month</a>.
<p>
Recently, a <a href="http://www.computerworlduk.com/news/security/3501150/cryptolocker-scambles-us-law-firms-entire-cache-of-legal-files/">law firm's entire store of legal files</a> was encrypted and could not be decrypted. Consider the implications of being legally responsible for those documents and then being responsible for their destruction through negligence.
<p>
<a href="http://www.pcworld.com/article/243818/how_to_remove_malware_from_your_windows_pc.html?page=0">Removing the infection from the computer</a> is relatively straightforward. There are free tools, such as <a href="http://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx">this tool from Sophos</a>. Alternatively, you can roll your system back using <a href="http://www.pcworld.com/article/221114/how_to_repair_your_windows_pc_with_system_restore.html">Windows System Restore</a>, if you had enabled that feature before you were infected. <a href="http://www.pcworld.com/article/2084002/how-to-rescue-your-pc-from-ransomware.html">Other, more intrusive methods may be needed</a>, if these do not work. These tools can remove the infection, but decrypting the encrypted user files is not likely to be possible.
<p>
If your files have been encrypted, you are going to need to recover from backup. Once your PC has been disinfected, you can attempt to recover earlier versions of files from Volume Shadow Copies (the snapshot mechanism behind <a href="http://www.pcworld.com/article/221114/how_to_repair_your_windows_pc_with_system_restore.html">Windows' System Restore</a> and "Previous Versions"), though some ransomware deletes those too. You are most likely to succeed if you have been backing up to a system that did not allow the infected PC to overwrite or delete your backups.
<p>
ScottCromar http://www.blogger.com/profile/02344384388503793470 noreply@blogger.com 0
tag:blogger.com,1999:blog-274009744145673640.post-4315520583429813280 2014-02-07T19:39:00.001-05:00 2014-02-07T19:43:52.239-05:00
Outsourcing, Lax Authentication, and the Target Hack
It turns out that the hackers who broke into <a href="http://thoughtsonsecurity.blogspot.com/2014/01/details-of-target-hack-revealed.html">Target's POS terminals</a> used <a href="http://www.computerworld.com/s/article/9246074/Target_breach_happened_because_of_a_basic_network_segmentation_error?taxonomyId=17">credentials from Target's HVAC vendor</a>.
<p>
<a href="http://faziomechanical.com/Target-Breach-Statement.pdf">Fazio Mechanical</a>, Target's HVAC vendor, had access to Target's network in order to monitor the temperatures in the stores and the health of the HVAC equipment. It is less clear why access was allowed with <a href="http://en.wikipedia.org/wiki/2-factor_authentication">weak authentication,</a> and why there was <a href="http://www.computerworld.com/s/article/9246074/Target_breach_happened_because_of_a_basic_network_segmentation_error?taxonomyId=17">no network segmentation</a> between the HVAC units and the POS terminals.
<p>
The only really sophisticated part of the attack was the <a href="http://thoughtsonsecurity.blogspot.com/2014/01/scraping-memory.html">memory-scraping software</a> actually used in the POS terminals. The rest appears to have been a <a href="http://arstechnica.com/security/2014/01/point-of-sale-malware-infecting-target-found-hiding-in-plain-sight/">combination of standard attack methods.</a>
<p>
One of the key user accounts used to consolidate and move data around Target's network was the <a href="http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/">"best1_user" account</a>, which is an account name usually associated with the <a href="http://discovery.bmc.com/confluence/display/Configipedia/BMC+Performance+Assurance+Agent">Performance Assurance for Microsoft Servers</a> agent of <a href="http://arstechnica.com/security/2014/01/target-hackers-may-have-exploited-backdoor-in-widely-used-server-software/">BMC Software's Patrol product</a>.
<p>
It appears that a <a href="http://www.informationweek.com/security/attacks-and-breaches/target-hackers-tapped-vendor-credentials/d/d-id/1113641">SQL injection attack</a> was a <a href="http://info.malcovery.com/target-hacker-tools-provide-breach-insight?utm_source=Special+Report%3A+Target&utm_campaign=Special+Report%3A+Target&utm_medium=email">key part of compromising servers</a> to place the malware and recover the stolen data.
<p>
Target has stated that it intends to <a href="http://money.cnn.com/2014/02/06/technology/security/target-breach-hvac/index.html">invest heavily in chip card technology.</a> This would help with "card present" fraud (i.e. purchases made with a cloned physical card), but <a href="http://www.govinfosecurity.com/finger-pointing-at-breach-hearing-a-6468">would not do much for "card not present" fraud</a> (where the purchase is made remotely, online or by phone, using the stolen number).
<p>
ScottCromar http://www.blogger.com/profile/02344384388503793470 noreply@blogger.com 0
tag:blogger.com,1999:blog-274009744145673640.post-1732427790398783709 2014-02-06T23:20:00.002-05:00 2014-02-06T23:20:45.790-05:00
Cybersquatting Takes an Unhealthy Turn
Cybersquatters <a href="http://www.bbc.co.uk/news/technology-26016802">made the news recently,</a> after they noticed typos in URLs on the British National Health Service's (NHS) web site and registered the misspelled domain names. But in this case, they were not looking to extort money from someone wanting to use the names for legitimate purposes. Instead, they used the new <a href="http://www.v3.co.uk/v3-uk/news/2326540/coding-error-on-hundreds-of-nhs-sites-redirects-users-to-dodgy-pages">URLs to host malware</a> to infect the computers of people following the links from the NHS web site.
<p>
The NHS reports that they have fixed the typos.
<p>
ScottCromar http://www.blogger.com/profile/02344384388503793470 noreply@blogger.com 0
tag:blogger.com,1999:blog-274009744145673640.post-2528883323176701526 2014-02-02T23:00:00.000-05:00 2014-02-02T23:00:04.620-05:00
Secure Application Deployment in the Cloud
The cloud provides a great way for a company to push infrastructure costs to an external vendor. But things that are minor for a locally hosted application could become a huge security hole when hosted externally.
<p>
Some key issues to look at when moving an application to the cloud include:
<ul>
<li>Communication channels to services and systems the software relies on.</li>
<li>Communication channels used for necessary communications to clients.</li>
<li>Encryption standards for data at rest.</li>
<li>Logging, log reviews, and monitoring.</li>
<li>Authentication and access control.</li>
<li>Privacy policies.</li>
</ul>
<p>
A lot of the security scrutiny surrounding a cloud migration focuses on the security of the cloud provider's infrastructure itself. This is important, but the weaknesses that the software platform brings along with itself are almost certainly a bigger problem.
<h2>Communication Channel Security</h2>
The key considerations here have to do with the nature of this communication. Certain types of data should not be transmitted unencrypted across an external network. This includes information protected by the privacy policy and relevant regulations, but it may also include information that would tell someone how the application works.
<p>
There is really very little reason not to encrypt all traffic. There is a performance cost, but the only responsible way to avoid it would be to perform a close analysis of every piece of data that would travel unencrypted, and even then you cannot guarantee that the program will not change in a few months (assuming nothing was missed in the analysis). There are a number of options for forcing encrypted traffic, including built-in capabilities in both Java and .NET to require SSL/TLS for web interactions.
<p>
Where programs have incorporated hard-coded IP addresses in code, there is some possibility that traffic would be delivered to entirely the wrong place in a hosted environment. This is especially the case for the standard ranges that are commonly used for internal IP addresses.
<p>
But the use of hostnames can also be problematic, since name lookup infrastructure is usually controlled by the outside vendor. (In any case, references to specific names should be contained within configuration files, not in the actual code source.)
<p>
Where possible, client-side SSL certificates (mutual TLS) add a layer of assurance in both directions: the server's certificate, checked against the expected hostname, confirms that the system we are talking to is the one we intended, and the client certificate confirms to the service that the caller is one of ours rather than anything that happens to be able to reach the endpoint.
<h2>Data Encryption</h2>
Data at rest can be secured using several technologies, some of which overlap. SQL Server and Oracle both provide Transparent Data Encryption (TDE), and DB2 provides similar functionality. Make sure key sizes and algorithms are in line with current best-practice recommendations, and remember that TDE protects the files on disk; it does nothing against a query made through a compromised database login.
<p>
Queries to databases can be encrypted in transit by specifying SSL/TLS in the JDBC connection URL or the .NET connection string. Make sure the client also verifies the server certificate; otherwise the encryption only protects against passive snooping.
<p>
Keep in mind that existing hard-coded encryption tokens, keys, etc may cause problems during application migration to the cloud. And if the same key is re-used in several contexts, the compromise of a single component can result in a broader compromise through the entire application or environment. It is important that encryption keys, tokens, etc be maintained outside of the code base itself, where they can be changed or updated as needed.
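<p>
The three points above (hard-coded addresses, cleartext channels, and keys or tokens living in the code base) are the kind of thing to check mechanically before a migration. As an added example (not code from the original post), here is a small Python scanner run over a constructed source fragment, plus the corrected pattern of taking a database URL from the environment and refusing it unless it asks for TLS. The JDBC parameters it looks for (ssl=true and sslmode= for PostgreSQL, useSSL=true for MySQL, encrypt=true for SQL Server) are the drivers' own; the sample lines and the finding codes are invented for the example.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CLEARTEXT_URL = re.compile(r"\bhttp://", re.IGNORECASE)
JDBC_URL = re.compile(r"jdbc:[^\s\"']+", re.IGNORECASE)
# A quoted literal assigned to a name that usually holds a credential.
SECRET_ASSIGN = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]+)['\"]")
# Driver parameters that request TLS on the database connection.
TLS_PARAMS = ("ssl=true", "usessl=true", "encrypt=true", "sslmode=")


def scan_source(text: str) -> list:
    """Return (line_no, code) findings for things that should live in
    configuration or secret storage rather than in code shipped to a
    hosted environment."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in IPV4.finditer(line):
            try:
                ip = ipaddress.ip_address(m.group(0))
            except ValueError:
                continue                      # not a real address (e.g. 999.1.1.1)
            # RFC 1918 and other reserved ranges mean nothing in a vendor's network.
            findings.append((no, "PRIVATE_IP" if ip.is_private else "HARDCODED_IP"))
        if CLEARTEXT_URL.search(line):
            findings.append((no, "CLEARTEXT_URL"))
        for m in JDBC_URL.finditer(line):
            if not any(p in m.group(0).lower() for p in TLS_PARAMS):
                findings.append((no, "JDBC_NO_TLS"))
        if SECRET_ASSIGN.search(line):
            findings.append((no, "HARDCODED_SECRET"))
    return findings


def jdbc_url_from_env(var: str, environ) -> str:
    """The corrected pattern: the URL comes from configuration, and the
    application refuses to start unless the URL requests TLS."""
    url = environ[var]
    if not any(p in url.lower() for p in TLS_PARAMS):
        raise ValueError("%s must request TLS (e.g. useSSL=true or sslmode=require)" % var)
    return url


# Constructed source fragment: the first four lines are what the migration
# review should catch, the last two are the corrected form.
SAMPLE_SOURCE = '''\
db_url = "jdbc:mysql://10.0.5.12:3306/orders"
inventory = "http://192.168.1.20:8080/inventory"
api_key = "constructed-example-key-123"
password = "hunter2"
inventory_ok = os.environ["INVENTORY_URL"]
db_url_ok = os.environ["ORDERS_DB_URL"]  # e.g. jdbc:mysql://host/orders?useSSL=true
'''

if __name__ == "__main__":
    for line_no, code in scan_source(SAMPLE_SOURCE):
        print("line %d: %s" % (line_no, code))
```

The scanner is a pre-deployment gate, not a proof of absence: it catches the obvious literals so that the remaining review time goes to the communication paths and key handling that a regex cannot see.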
<h2>Logging Considerations</h2>
Logging streams are often forwarded over connectionless, unauthenticated protocols (classic syslog over UDP), so in the cloud they are relatively easy to divert or snoop. Debug-level output can leak how the parts of your application communicate, which is exactly the information an attacker needs. While we need to allow an adequate level of logging, we may also want to restrict who can turn the logging level up, and forward logs over an authenticated, encrypted channel such as syslog over TLS.
<p>
At the same time, it is important that logs be maintained and reviewed, just as they should be on an internal network. Given the potentially greater exposure of the data, log review procedures need a careful review as part of any application cloud deployment.
<p>
ScottCromar http://www.blogger.com/profile/02344384388503793470 noreply@blogger.com 0
tag:blogger.com,1999:blog-274009744145673640.post-4652167348700006084 2014-01-29T04:00:00.000-05:00 2014-01-29T07:10:23.803-05:00
Somebody's Watching You
It turns out that your Internet-enabled baby monitor may not be very secure after all. A <a href="http://foscam.us/forum/mjpeg-54-firmware-bug-user-logon-bypass-t8442.html">recently reported security flaw</a> may allow an intruder to watch your webcam or its recorded videos simply by clicking through a prompt.
<p>
Evidently, the bug is exploitable if <a href="http://www.pcworld.com/article/2091180/authentication-bypass-bug-exposes-foscam-webcams-to-unauthorized-access.html">not all eight user slots are populated</a> with a configured userid and password. The flaw exists even in fairly recent versions of the webcam firmware.
<p>
<a href="http://foscam.us/blog/foscamipcameras/tips-on-securing-your-foscam-camera/">Foscam,</a> the camera vendor, has <a href="http://krebsonsecurity.com/2014/01/bug-exposes-ip-cameras-baby-monitors/">released a new firmware version</a> and has provided <a href="http://foscam.us/blog/foscamipcameras/tips-on-securing-your-foscam-camera/">common sense tips</a> for securing the webcams. Since a reported <a href="http://www.pcworld.com/article/2033821/widely-used-wireless-ip-cameras-open-to-hijacking-over-the-internet-researchers-say.html">20% of these cameras use the default admin password</a>, common sense tips are not out of place.
<p>
ScottCromar http://www.blogger.com/profile/02344384388503793470 noreply@blogger.com 0
tag:blogger.com,1999:blog-274009744145673640.post-3813420197770076132 2014-01-24T22:03:00.001-05:00 2014-01-24T22:03:53.988-05:00
NTP Vulnerability Key in DOS Attacks
A <a href="https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300">misused feature (the "monlist" query) in older versions of the industry-standard NTP</a> (Network Time Protocol) software has resulted in vulnerable systems being used as <a href="http://www.theregister.co.uk/2014/01/21/open_ntp_patching_project/">amplification servers in DoS attacks</a>.
<p>
Because NTP uses UDP as its transport, a request can carry a forged source address, and because certain queries are answered with far more data than the request contains, an amplification attack can multiply the traffic hitting a DoS (Denial of Service) target many times over. TCP-based services require a handshake with the initial sender before replying, and so <a href="http://www.darkreading.com/vulnerability/no-easy-solution-to-stop-amplification-a/240165528">are not easily usable</a> for amplification attacks.
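<p>
As an added example (not from the original post), two checks a practitioner would want here: a detector that runs over constructed flow records and computes the byte amplification factor per (server, peer) pair, and a classifier that reads the NTP mode from the first header byte so that control (mode 6) and private mode 7 queries, the category monlist belongs to, can be dropped at the network edge. The flow records, addresses and byte counts are constructed; the ntp.conf directives quoted in the comments are the ones given in the US-CERT alert.

```python
from collections import defaultdict

# Constructed flow records, reduced to the fields we need:
# (src, sport, dst, dport, packets, bytes).  203.0.113.10 is the NTP server.
FLOWS = [
    # a normal client: one small request, one small reply
    ("198.51.100.5", 40000, "203.0.113.10", 123, 1, 90),
    ("203.0.113.10", 123, "198.51.100.5", 40000, 1, 90),
    # the victim's address forged as the source of a single tiny query ...
    ("192.0.2.7", 50123, "203.0.113.10", 123, 1, 50),
    # ... answered by a long monlist-style burst aimed at the victim
    ("203.0.113.10", 123, "192.0.2.7", 50123, 100, 44000),
]


def amplification_by_peer(flows, port=123, min_ratio=10.0) -> dict:
    """Pair queries to `port` with the replies sent back to the same peer and
    return {(server, peer): bytes_out / bytes_in} where the ratio is at least
    min_ratio. A server that never received a query but sends replies is
    reported with an infinite ratio."""
    bytes_in = defaultdict(int)    # (server, peer) -> query bytes received
    bytes_out = defaultdict(int)   # (server, peer) -> reply bytes sent
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if dport == port:
            bytes_in[(dst, src)] += nbytes
        elif sport == port:
            bytes_out[(src, dst)] += nbytes
    suspicious = {}
    for key, out in bytes_out.items():
        inn = bytes_in.get(key, 0)
        ratio = out / inn if inn else float("inf")
        if ratio >= min_ratio:
            suspicious[key] = ratio
    return suspicious


def ntp_mode(payload: bytes) -> int:
    """The NTP mode is the low three bits of the first header byte
    (LI | VN | Mode): 3 = client request, 4 = server reply, 6 = control,
    7 = the private mode that carries monlist."""
    return payload[0] & 0x07


def should_block_from_internet(payload: bytes) -> bool:
    # Control and private-mode queries have no business arriving from
    # arbitrary Internet hosts. Server side, the US-CERT alert's fix is
    # `disable monitor` and `restrict default kod nomodify notrap nopeer noquery`
    # in ntp.conf (or upgrading to ntpd 4.2.7p26 or later).
    return ntp_mode(payload) in (6, 7)


# Constructed packet heads: a v4 client request and a mode 7 request.
CLIENT_REQUEST = bytes([0x23]) + bytes(47)                  # LI=0, VN=4, mode=3
MODE7_REQUEST = bytes([0x17, 0x00, 0x03, 0x2a]) + bytes(4)  # VN=2, mode=7

if __name__ == "__main__":
    for (server, peer), ratio in amplification_by_peer(FLOWS).items():
        print("%s -> %s amplification x%.0f" % (server, peer, ratio))
    print("client request blocked:", should_block_from_internet(CLIENT_REQUEST))
    print("mode 7 request blocked:", should_block_from_internet(MODE7_REQUEST))
```

In the constructed data the server answers a 50-byte query with 44,000 bytes, an amplification of 880x, which is the property that makes an open monlist responder valuable to an attacker. The flow check is what you would run against NetFlow exports to find your own amplifiers; the mode check is what a border filter would apply inbound.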
<p>
<a href="http://www.us-cert.gov/ncas/alerts/TA14-013A">US CERT has posted</a> resolution steps for admins of systems with this vulnerability. <a href="http://openntpproject.org/">The Open NTP Project</a> also provides a scanner to help identify vulnerable systems.
<p>
<iframe src="http://rcm.amazon.com/e/cm?t=solaristroubl-20&o=1&p=8&l=as1&asins=1430259329&ref=tf_til&fc1=000000&IS2=1<1=_blank&m=amazon&lc1=0000FF&bc1=000000&bg1=FFFFFF&f=ifr" style="width:120px;height:240px;" scrolling="no" marginwidth="0" marginheight="0" frameborder="0"></iframe>
<iframe src="http://rcm.amazon.com/e/cm?t=solaristroubl-20&o=1&p=8&l=as1&asins=1463512414&ref=tf_til&fc1=000000&IS2=1<1=_blank&m=amazon&lc1=0000FF&bc1=000000&bg1=FFFFFF&f=ifr" style="width:120px;height:240px;" scrolling="no" marginwidth="0" marginheight="0" frameborder="0"></iframe>
<h2>Details of Target Hack Revealed</h2>
<i>Scott Cromar, 2014-01-24</i>
<p>
Details of the Target hack are slowly becoming clear. <a href="http://www.computerworld.com/s/article/9245568/Two_coders_closely_tied_to_Target_related_malware?taxonomyId=17&pageNumber=1">Two coders</a> have been associated with the malware. It appears that initial entry to the Target network was made by ordinary means (e.g. weak passwords), and that the real target of the attack was the server that processed card data. From there, the malware was pushed out to the POS terminals.
<p>
The malware itself <a href="http://thoughtsonsecurity.blogspot.com/2014/01/scraping-memory.html">captured card data from memory</a> during the brief window in which the data must be unencrypted so that the transaction can be authorized. The captured data was stored locally and <a href="http://www.wired.com/threatlevel/2014/01/target-malware-identified/">transmitted to a compromised collection server</a> on a schedule.
<p>
<h2>Scraping Memory</h2>
<i>Scott Cromar, 2014-01-14</i>
<p>
Earlier this week, we finally found out <a href="http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/13/this-malware-class-was-reportedly-used-in-the-target-hackings-heres-how-it-works/?wprss=rss_AllWPStoriesandBlogs&Post+generic=%3Ftid%3Dsm_twitter_washingtonpost">what sort of attack</a> resulted in the <a href="http://nakedsecurity.sophos.com/2014/01/13/target-admits-there-was-malware-on-our-point-of-sale-registers/">security breaches at Target</a> and several other retailers. The attackers used a type of software known as a "<a href="http://nakedsecurity.sophos.com/2013/07/16/a-look-at-point-of-sale-ram-scraper-malware-and-how-it-works/">memory scraper</a>," which reads data from live memory. This lets the attacker see the data before it has been encrypted, or after it has been decrypted, so that the computer or PoS (Point of Sale) terminal can process it.
<p>
Several security researchers have commented on how vociferously Target had insisted that the data on its hard drives was protected with strong encryption. Memory scrapers bypass on-disk encryption entirely: they read card data from RAM while it is in plaintext, before disk encryption ever comes into play.
<p>
<a href="http://www.reuters.com/article/2014/01/12/us-target-databreach-retailers-idUSBREA0B01720140112">Reuters reports</a>:
<blockquote>
<a href="http://usa.visa.com/merchants/risk_management/cisp_alerts.html">Visa Inc issued two alerts</a> last year about a surge in cyber attacks on retailers that <a href="http://usa.visa.com/download/merchants/alert-prevent-grocer-malware-attacks-04112013.pdf">specifically warned about the threat from memory parsing malware</a>.
<br>
...
<br>
It was not clear whether Target's security team had implemented the <a href="http://usa.visa.com/download/merchants/Bulletin__Memory_Parser_Update_082013.pdf">measures that Visa had recommended</a> to mitigate the risks of being attacked.
<p>
Yet a law enforcement source familiar with the breach said that even if the retailer had implemented those steps, the efforts may not have succeeded in stopping the attack.
</blockquote>
<p>
Last week, <a href="http://nakedsecurity.sophos.com/2014/01/11/target-data-breach-much-bigger-than-first-thought-now-more-than-100m-records/">Target admitted</a> that its breach compromised on the order of 110 million records, which puts it in the top tier of such breaches.
<p>
While the people responsible for the Target hack have not been identified, <a href="http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/">Krebs identified</a> one person who has been selling credit card numbers that were stolen from Target.
<p>
UPDATE: <a href="http://news.cnet.com/8301-1009_3-57617106-83/target-confirms-malware-used-on-point-of-sale-terminals/">CNET has an interesting article</a> where Target describes the reasons for the delay in notification about a breach that was discovered on Dec 15. It amounts to "we were trying to get ready for the storm."
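<p>
What a scraper of the kind described here, and in the Target post above, actually looks for, as an added example (not the Target malware, not any vendor's tool): it walks a memory buffer for Track 1 and Track 2 patterns and uses the Luhn check digit to throw away the random digit runs that memory is full of. The same scan is what a responder runs over a process dump to learn what a scraper would have found. The buffer is constructed from padding, an HTTP fragment and a widely published test card number so the script runs offline.
```python
"""Scan a memory buffer for magnetic-stripe track data, the way a RAM scraper
does and the way a responder checks what a scraper would have found.

Added example, not the Target malware or any vendor's tool. The buffer is
CONSTRUCTED from padding, an HTTP fragment and a widely published test card
number, so the script runs offline; in practice the input is a process memory
dump from the POS application.
"""
import re

# Track 2: [;]PAN=YYMM service-code discretionary-data [?]
TRACK2_RE = re.compile(rb";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\??")
# Track 1: [%]B PAN ^ NAME ^ YYMM service-code ...
TRACK1_RE = re.compile(rb"%?B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})")


def luhn_ok(digits: bytes) -> bool:
    """Luhn check digit test; filters the random digit runs memory is full of."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """BIN and last four only; never write full PANs into a report or log."""
    return pan[:6].decode() + "*" * (len(pan) - 10) + pan[-4:].decode()


def scan_memory(buf: bytes) -> list:
    """Return Luhn-valid track hits, masked, ordered by offset in the buffer."""
    hits = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan")
            if not luhn_ok(pan):
                continue
            hits.append({"kind": kind, "offset": m.start(),
                         "pan_masked": mask(pan), "expiry": m.group("exp").decode()})
    return sorted(hits, key=lambda h: h["offset"])


TEST_PAN = b"4111111111111111"   # published Visa test number, not a real card
CONSTRUCTED_DUMP = (
    b"\x00" * 64 + b"HTTP/1.1 200 OK\r\n"
    + b"%B" + TEST_PAN + b"^DOE/JANE^" + b"2512" + b"101" + b"0" * 10 + b"?"
    + b"\x00" * 32 + b";" + TEST_PAN + b"=" + b"2512" + b"101" + b"0" * 10 + b"?"
    + b"\x00" * 16 + b";1234567890123456=2512101?"   # looks like track 2, fails Luhn
    + b"\x00" * 64
)

if __name__ == "__main__":
    for h in scan_memory(CONSTRUCTED_DUMP):
        print(h)
```
Real dumps also hold card data in other encodings (UTF-16 strings from Windows components, for instance), which is why scraper families carry several patterns; the Luhn filter is what keeps the hit list readable either way. The defensive point of the post stands: the window only closes when the card reader encrypts the data before it reaches the terminal's general-purpose memory, not when the disk is encrypted.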
<p>
<h2>Windows XP Security Essentials Cancelled</h2>
<i>Scott Cromar, 2014-01-13</i>
<p>
Besides running a lot of last-generation PCs (estimated at <a href="http://www.v3.co.uk/v3-uk/news/2320887/xp-deadline-use-of-ageing-windows-platform-falls-but-not-fast-enough">one third of the global installed base</a>), Windows XP is an important platform for SCADA and other integrated infrastructure systems. Migrating or upgrading those components is likely to be expensive, and many owners of such systems have not planned a replacement or upgrade path.
<p>
Microsoft announced that <a href="http://arstechnica.com/information-technology/2014/01/security-essentials-for-windows-xp-will-die-when-the-os-does/">Microsoft Security Essentials for Windows XP will also not be available</a> after XP is declared "unsupported" in April.
<p>
With <a href="http://www.v3.co.uk/v3-uk/news/2322034/microsoft-deals-new-blow-to-xp-diehards-by-pulling-malware-protection">Security Essentials no longer available</a>, other vendors, anti-virus and other security software vendors among them, are likely to drop their XP product lines as well.
<p>
XP systems that can be upgraded should be upgraded now. Systems that cannot be upgraded need to be isolated behind air gaps and firewall rules, and the services they run should be limited to the functions that cannot be migrated elsewhere.
<p>
Even with these measures, there will be a lot of insecure, poorly managed systems in the global IT environment. Black hats are rubbing their hands in anticipation of the feast.
<p>
<h2>The Promise and Peril of Self-Driving Cars</h2>
<i>Scott Cromar, 2014-01-09</i>
<p>
The <a href="http://bngumassd.org/neatstuff/selfdrive%20cars.pdf">research by Google</a> and <a href="http://www.bbc.co.uk/news/technology-25653253">others</a> into <a href="http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=4475861&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D4475861">self-driving cars</a> has been intriguing. <a href="http://www.sixwise.com/newsletters/05/07/20/the-6-most-common-causes-of-automobile-crashes.htm">The vast majority of traffic accidents are the fault of drivers</a>, and eliminating human error would be a huge win for traffic safety.
<p>
But if computers are driving cars, we have to take a serious look at information security in the context of a self-driving automobile. Unfortunately, most current vehicle automation <a href="http://arstechnica.com/security/2013/07/disabling-a-cars-brakes-and-speed-by-hacking-its-computers-a-new-how-to/">does not have adequate safeguards</a> against malicious inputs.
<p>
In particular, components on a car's internal network do not check that a command actually came from the component entitled to issue it. Security <a href="http://www.today.com/video/today/52609500#52609500">researchers Charlie Miller and Chris Valasek have demonstrated</a> that they could issue commands to a Prius to control steering, braking, acceleration, and dashboard displays, and could disable an Escape's brakes at low speed.
<p>
Ford and Toyota both point out that the researchers were plugged directly into the car's CAN (Controller Area Network) bus, which limits the impact of some of their demonstrations. But keep in mind that <a href="http://www.autosec.org/faq.html">wireless interfaces on on-board systems</a>, such as Bluetooth in the sound system and the cellular telematics unit used for roadside assistance, may provide an entry point into the automobile. Anywhere a wireless connection reaches a component that is attached to a CAN bus is a possible entry point for malicious code.
<p>
The security measures we use for other networked systems would work inside a car as well. Segment the network, with air gaps between components that do not need to talk to each other, and require validation and authentication of commands between the components that do.
<p>
I remember discussions about PC security in the early days of the Internet, when most computer viruses were still spread by injudicious insertion of floppy disks. Way back when, we were told that PCs didn't need to have security programmed in from the ground up. I'm hoping we learn from the history of those poor decisions. A Blue Screen of Death is one thing, but a traffic fatality is another.
<p>
<h2>The Risk from Insiders</h2>
<i>Scott Cromar, 2013-06-20</i>
<p>
There has been a lot of coverage of the <a href="http://livewire.talkingpointsmemo.com/entry/nsa-chief-says-nsa-has-1-000-system">role of a system administrator</a> in the recent release of information about the National Security Agency's intelligence gathering methods. Regardless of what you think about the methods that were revealed, information <a href="http://www.zdnet.com/insider-threats-evolving-still-main-risk-7000003491/">security professionals need to take a hard look</a> at the sorts of <a href="http://www.sei.cmu.edu/reports/06tn041.pdf">exposures that exist</a> due to organizational insiders.
<p>
Snowden is just the most recent high-profile insider to betray his employer's trust. His removal of documents <a href="http://www.wired.com/threatlevel/2013/06/snowden-thumb-drive/">on a thumb drive</a> went unquestioned precisely because his job as a system administrator made such activity look routine.
<p>
As long as we have an IT infrastructure, the people who manage it will be in a privileged position. IT professionals recognize the risk: four out of five respondents to a <a href="http://www.algosec.com/resources/files/Specials/Survey%20files/120404_Survey%20Report.pdf">recent survey</a> list insiders as the greatest source of risk to their environment.
<p>
The same methods that are used elsewhere in the security landscape will help to control and mitigate the risk from insiders. At a high level, there are three steps that need to be taken:<br>
<ol>
<li><b>Data Classification:</b> Identify the types of data in your environment, and what the confidentiality, integrity and availability requirements are for each type of data. <a href="http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf">NIST 800-60</a> can provide some guidance here.</li>
<li><b>Establish Control Standards:</b> For the different types of data, we need to describe the measures that are taken to protect the data.</li>
<li><b>Audit:</b> The controls need to be evaluated for effectiveness, and the organization's compliance with the controls must be verified on a regular basis.</li>
</ol>
<p>
<h3>Controls</h3>
There are several publicly available documents outlining control best practices and standards. Here are a few:<br>
<ul>
<li><a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">NIST 800-53</a></li>
<li><a href="https://www.pcisecuritystandards.org/security_standards/documents.php">PCI Security Standards</a></li>
</ul>
<p>
Some <a href="http://www.sei.cmu.edu/reports/12tr012.pdf">common controls</a> include:<br>
<ul>
<li><b>Physical access controls:</b> Things like security guards, mantraps, proximity card systems, and combination locks on doors control physical access to sensitive areas and systems.</li>
<li><b>Logical access controls:</b> In general, people should only have the level of access required for their jobs. Access controls should be as granular as possible, and high-level access should require extra levels of approval and scrutiny. Two-factor authentication should be in place for access to sensitive facilities.</li>
<li><b>Personnel management:</b> Some common measures include criminal background checks, periodic security awareness training, contractual attestations, and organizational communications.</li>
<li><b>Separation of duties:</b> Where possible, access should be limited to particular functions, and functions should be defined to limit access to sensitive data. In general, developers should not have access to production, system administrators don't need database access, application administrators don't need system-level access, and only the people who manage the hardware and network need physical access to the systems.</li>
<li><b>Network security:</b> The network should be segmented appropriately, and firewall rules should be in place to restrict traffic between different security zones.</li>
<li><b>Workstations and laptops:</b> Hard drives should have robust encryption and strong password policies should be in place. The types of data that are permitted for local storage should be established and monitored. The ability of end users to install applications needs to be restricted. Patches, anti-virus updates, and security workarounds need to be applied regularly.</li>
<li><b>Backups and continuity:</b> Data needs to be protected by a combination of archival backups, long-distance replication, and local disk mirroring/RAID-ing.</li>
<li><b>Logging and auditing:</b> Logs need to be collected to measure the effectiveness of these controls, and the logs need to be reviewed on a regular basis.</li>
</ul>
<p>
Some controls should get <a href="http://www.gideonrasmussen.com/article-13.html">particular attention</a> as directly addressing the issue of <a href="http://www.raytheon.com/capabilities/rtnwcm/groups/iis/documents/content/rtn_iiswhitepaper-insiderrisk.pdf">insider-led breaches</a>.
<p>
It is bad enough that DHS does not monitor the <a href="http://www.oig.dhs.gov/assets/Mgmt/2013/OIG_13-95_Jun13.pdf">security training level</a> of such employees. (Most of the private sector does not track administrator security training either.) Beyond carelessness or incompetence, employers need to consider the <a href="http://www.techrepublic.com/blog/security/manage-insider-threats-knowing-where-the-risks-are/9077">direct risks</a> posed by their most <a href="http://www.cs.ucdavis.edu/~peisert/research/insiderthreat-chapter-final-prepress.pdf">trusted employees</a>.
<p>
<h2>Medical Devices Insecure</h2>
<i>Scott Cromar, 2013-06-19</i>
<p>
A recent <a href="http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01">ICS-CERT alert</a> and <a href="http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm">FDA safety communication</a> have highlighted the lax cybersecurity that is common in medical devices.
<p>
For a long time, medical devices were protected by an "air gap": as long as the devices were physically separated from the data network, their weaknesses were hard to reach. But cost pressures and the desire to integrate these devices' capabilities with other systems mean that insecure devices are now being exposed to the network.
<p>
Common vulnerabilities include hard-coded, well-known passwords and even password-less logins, SQL injection, and a general inattention to security patches and secure configuration guidelines.
<p>
Security practices in the medical device industry <a href="http://arstechnica.com/security/2013/06/vast-array-of-medical-devices-vulnerable-to-serious-hacks-feds-warn/">have lagged behind most other IT</a> installations. <a href="http://www.theregister.co.uk/2013/06/14/medical_device_security_warning/">Affected devices</a> include several where a malicious intruder (or buggy malware) could cause patient injury or death.
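<p>
The SQL injection weakness from the list above, as an added example (not code from any device named in the alerts): a device login query that splices the supplied name and password into the statement, beside the parameterized form that fixes it. The table, accounts and passwords are constructed, and sqlite3 stands in for whatever embedded database the device uses.
```python
"""Device login query: injectable string formatting beside the parameterized fix.

Added example, not code from any device named in the alerts above. The table,
accounts and passwords are CONSTRUCTED; real devices should not store
plaintext passwords either, but the point here is the query.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('service', 'changeme', 'admin')")   # constructed
    conn.execute("INSERT INTO users VALUES ('nurse', 'ward7', 'operator')")      # constructed
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    # User-supplied text is spliced into the statement, so it can change the
    # statement's structure: a quote closes the literal, "--" drops the rest.
    sql = "SELECT name, role FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return conn.execute(sql).fetchone()


def login_hardened(conn: sqlite3.Connection, name: str, password: str):
    # Placeholders keep the statement fixed; the driver passes the values
    # separately and they are never parsed as SQL, whatever they contain.
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


def demo() -> dict:
    conn = make_db()
    bypass = ("service' --", "wrong-password")      # comments out the password test
    return {
        "vuln_good": login_vulnerable(conn, "nurse", "ward7"),
        "vuln_bypass": login_vulnerable(conn, *bypass),
        "hard_good": login_hardened(conn, "nurse", "ward7"),
        "hard_bypass": login_hardened(conn, *bypass),
    }


if __name__ == "__main__":
    print(demo())
```
The bypass lands the attacker in the built-in "service" account, which on a real device is usually the hard-coded one from the first item in the list above; the two weaknesses compound. Input filtering is not a substitute for the parameterized query, because the filter has to anticipate every quoting trick the database accepts while the placeholder never parses the value at all.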
<p>
<h2>The Price of Insecurity</h2>
<i>Scott Cromar, 2013-06-12</i>
<p>
A <a href="http://www.sans.org/security-trends/2013/05/30/analyzing-the-cost-of-a-hipaa-related-breach-through-the-lens-of-the-critical-security-controls">recent article on the SANS web site</a> investigated the costs associated with a security breach at Idaho State University.
<p>
John Pescatore reports that a breach at ISU's Pocatello Family Medicine Clinic is likely to cost the university $1 million over a 2-year period.
<p>
By comparison, implementing best practices in the infrastructure would likely have defeated the attack and would have cost around $75k. Even an aggressive security posture is estimated by Pescatore at about $500k total.
<p>
Many organizations look at the cost of a security breach, but few weigh it against the total cost of ownership of the controls that would have avoided one.
<p>
<h2>Confirmed Report of Cyberwar Target List</h2>
<i>Scott Cromar, 2013-06-11</i>
<p>
<a href="http://www.theatlanticwire.com/politics/2013/06/obamas-cyberwar-target-list-china-xi/66022/#.Ube_Q5ucXCw.blogger">A recent leak</a> provided <a href="http://www.guardian.co.uk/world/interactive/2013/jun/07/obama-cyber-directive-full-text">additional information about the cyberwar target list</a> maintained by the US government.
<p>
The existence of the list had previously been revealed by the administration, which released a <a href="http://epic.org/privacy/cybersecurity/Pres-Policy-Dir-20-FactSheet.pdf">high-level fact sheet</a> about the policy directive.
<p>
Given recent <a href="http://thoughtsonsecurity.blogspot.com/2013/05/chinese-end-hacking-hiatus.html">conflict between China and the US</a> over cyber-spying, the release of this information could reduce the moral authority of the US to protest against <a href="http://thoughtsonsecurity.blogspot.com/2013/05/drone-makers-secrets-stolen-by-chinese.html">Chinese attacks</a>.
<p>
<h2>Sophisticated Android Exploit Spreads</h2>
<i>Scott Cromar, 2013-06-11</i>
<p>
<a href="https://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan">Kaspersky Lab recently reported</a> that it had analyzed a very sophisticated attack against Android devices. Backdoor.AndroidOS.Obad.a, or "Obad" for short, uses <a href="http://arstechnica.com/security/2013/06/behold-the-worlds-most-sophisticated-android-trojan/">previously unpublished vulnerabilities</a> to install itself, evade detection, and let remote attackers send it commands via SMS.
<p>
Besides installing itself and allowing remote attackers full access to the device, Obad <a href="http://www.scmagazine.com/researchers-claim-theyve-discovered-the-most-advanced-android-trojan-yet/article/296703/">downloads additional malware to the target device, runs up phone charges by sending SMS messages to premium-rate services, and spreads malicious files to other devices</a> via Wi-Fi or Bluetooth connections.
<p>
It appears that the app can only infect devices that have been configured to allow <a href="http://arstechnica.com/security/2013/06/behold-the-worlds-most-sophisticated-android-trojan/">installation of apps from third-party sources</a>.
<p>
<a href="http://arstechnica.com/security/2013/06/behold-the-worlds-most-sophisticated-android-trojan/">Dan Goodin reports</a> that Google has updated Android's app-checking functionality to detect the malware and warn users when it is downloaded, whether from an app store or a browser.
<p>
Some <a href="http://www.scmagazine.com/researchers-claim-theyve-discovered-the-most-advanced-android-trojan-yet/article/296703/">security experts have warned</a> of the danger posed by attackers who compromise a trusted developer's credentials and use them to upload malware to trusted download sites.
<p>
Fortunately, the attack does not appear to be widespread yet, <a href="http://www.theregister.co.uk/2013/06/07/android_obad_trojan/">based on analysis by Kaspersky.</a>
<p>
<h2>Chinese End Hacking Hiatus</h2>
<i>Scott Cromar, 2013-05-20</i>
<p>
Chinese hackers associated with the PLA (People's Liberation Army) <a href="http://www.nytimes.com/2013/05/20/world/asia/chinese-hackers-resume-attacks-on-us-targets.html?smid=pl-share">had dialed back their cyberattacks</a> in the wake of <a href="http://thoughtsonsecurity.blogspot.com/2013/05/legislation-to-track-foreign-hack.html">US protests</a>. That hiatus <a href="http://www.theregister.co.uk/2013/05/21/china_restarts_hacking_us/">appears to have ended</a>.
<p>
An <a href="http://intelreport.mandiant.com/">embarrassing public exposure</a> of a unit closely associated with the PLA had led to a temporary decrease in attacks. The Chinese government appears to have calculated that the downside of the <a href="http://thoughtsonsecurity.blogspot.com/2013/05/drone-makers-secrets-stolen-by-chinese.html">publicity surrounding the attacks</a> is outweighed by the benefits the attacks bring in.
<p>
This is likely to be an <a href="http://www.theregister.co.uk/2013/05/21/china_restarts_hacking_us/">ongoing feature</a> of the online world.
<p>
<h2>Data Protection Pointers</h2>
<i>Scott Cromar, 2013-05-16</i>
<p>
<a href="http://soa.li/e3e4FiW">eWeek recently posted</a> a slideshow with several suggestions for planning a data protection policy in a Hadoop environment. The pointers apply to other data environments as well:
<ol>
<li>Account for data protection in the planning phase of the project. Take compliance and privacy concerns into account in the initial design and architecture.</li>
<li>Identify data elements that need special protection. What compliance or liability concerns apply to those elements?</li>
<li>Does the application need access to the complete, raw data set? Can the data be masked, obfuscated, or desensitized?</li>
<li>What encryption requirements do you have? What encryption solutions are available? Do they interoperate with the authentication methods in the environment?</li>
<li>Establish standards. It will be easier to keep all the data safe if it is kept in standard templates.</li>
</ol>
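<p>
Pointers 2 through 4 in practice, as an added example (it is not from the eWeek slideshow; the record layout and the tokenization key are assumed): the sensitive elements are identified up front, the fields the analytics job does not need are masked before loading, and where records still have to be joined on a sensitive field a keyed token replaces the raw value. The keying is the part people get wrong, since an unkeyed hash of a nine-digit SSN is reversed by hashing all of them.
```python
"""Desensitize a record before it is loaded into an analytics cluster.

Added example for pointers 2 to 4 above (identify the sensitive elements, mask
what the application does not need, key the remaining protection properly).
It is not from the eWeek slideshow; the record layout and the tokenization key
are ASSUMED.
"""
import hashlib
import hmac
import re
import secrets

SENSITIVE_FIELDS = ("ssn", "card_number")      # pointer 2: elements needing special protection
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def mask_ssn(ssn: str) -> str:
    """Keep the last four digits, which is all most workflows ever need."""
    if not SSN_RE.match(ssn):
        raise ValueError("unexpected SSN format")
    return "***-**-" + ssn[-4:]


def mask_pan(pan: str) -> str:
    """Keep issuer prefix and last four; blank the middle."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("unexpected PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize(value: str, key: bytes) -> str:
    """Keyed, deterministic token so records can still be joined on the field.
    An unkeyed hash would not do: there are only 10^9 SSNs, so SHA-256 of an SSN
    is reversed by hashing every candidate. With the key held outside the
    cluster, a copy of the data set cannot be mapped back to people."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:32]


def desensitize(record: dict, key: bytes, keep_joinable: bool = True) -> dict:
    """Mask the sensitive fields and, if joins are needed, add keyed tokens."""
    out = {}
    for field, value in record.items():
        if field == "ssn":
            out[field] = mask_ssn(value)
        elif field == "card_number":
            out[field] = mask_pan(value)
        else:
            out[field] = value
        if field in SENSITIVE_FIELDS and keep_joinable:
            out[field + "_token"] = tokenize(value, key)
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # generate once; keep it in a KMS/HSM, not on the cluster
    print(desensitize({"name": "Jane Doe", "ssn": "123-45-6789",
                       "card_number": "4111 1111 1111 1111", "visit": "2013-05-01"}, key))
```
Pointer 4 is what decides where the key lives: the tokens are only as strong as the separation between the key and the cluster, and the masking step has to run before the raw feed is written to distributed storage, not afterwards.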
<p>
<a href="http://soa.li/Cd2IiEI">CIO Magazine estimates</a> the cost of a data breach at $184-$330 million. Given the cost to an organization's reputation, there is a business imperative to put adequate resources and thought behind protecting the data in our custody.
<p>
<h2>ColdFusion Vulnerability Nets Attackers SSNs and DL Numbers</h2>
<i>Scott Cromar, 2013-05-14</i>
<p>
A <a href="http://www.adobe.com/support/security/bulletins/apsb13-03.html">ColdFusion vulnerability</a> whose patch was released in January 2013 was <a href="http://www.scmagazine.com/weakness-in-adobe-coldfusion-allowed-court-hackers-access-to-160k-ssns/article/292906/">used by attackers</a> against the Washington State Administrative Office of the Courts (AOC). The attackers compromised 160,000 Social Security numbers and about a million driver's license numbers.
<p>
Organizations may need to take a close look at their patching philosophy, since many would have difficulty testing and deploying an application-server patch in such a short window. This compromise also highlights the importance of defense in depth: data has to be protected by the enterprise architecture as a whole, not just by the security capabilities of a particular product.
<p>
<h2>Happy Mother's Day!</h2>
<i>Scott Cromar, 2013-05-12</i>
<p>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAfaQqaCbwperAOqwfgaZA0Hr56Kk4b9O86fvmwuJrYBS6BiBym3nxWwUFvLbNSGoG3PKM3fcP7TUGOW6Nj8jGRziMvEawUqp0dAdNPpm6J79f4-oCHo-bgA1S8Xo7vdnsn1lOpDB36WXM/s1600/20130512-MothersDayFlowers.jpg" imageanchor="1" ><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAfaQqaCbwperAOqwfgaZA0Hr56Kk4b9O86fvmwuJrYBS6BiBym3nxWwUFvLbNSGoG3PKM3fcP7TUGOW6Nj8jGRziMvEawUqp0dAdNPpm6J79f4-oCHo-bgA1S8Xo7vdnsn1lOpDB36WXM/s320/20130512-MothersDayFlowers.jpg" /></a>
<p>
<h2>Federal Government to Default to Open Data</h2>
<i>Scott Cromar, 2013-05-12</i>
<p>
A <a href="http://cdn.govexec.com/media/gbc/docs/pdfs_edit/050913jm1.pdf">recent executive order</a> by President Obama requires government agencies to default to a data policy of being <a href="http://www.nextgov.com/big-data/2013/05/white-house-orders-agencies-follow-new-open-data-standards/63068/?oref=ng-HPtopstory">open, publicly available, and machine-readable</a>.
<p>
Exceptions are allowed for information involving privacy, security, or confidentiality. There is an obvious concern that an agency may not be as careful with privacy-related information as we would like.
<p>