3 Quick Thoughts and Updates

As we blogged about earlier in the week, core processing systems continue to be a focus for security teams. This week has seen additional new issues in HP-UX, Oracle problems and issues in various other related applications. Please take a moment and look through your patch levels and ensure your core systems are up to snuff.

In other news, PHP vulnerabilities are continuing to soar. Attackers are very focused on PHP problems, new vulnerabilities and exploiting vulnerable systems. PHP-based systems should be reviewed on an ongoing basis with bleeding edge updated tools to help guard against problems. Security issues with PHP have been identified in thousands of PHP applications, PHP language use and even some of the tenets of the language itself. While groups are working to educate users of PHP and harden the underlying code around the language, PHP is likely a risky undertaking for most businesses to be considering today. It is surely powerful, efficient and easy to use, but many organizations have outlawed it, claiming it is simply too insecure for “prime time” web applications.

As an aside, BT Group has announced an acquisition of Counterpane. Congrats go out to Bruce and team for their hard work. BT has gotten a strong visionary out of the deal, and with the likes of Marcus Ranum and other talented folks on staff, look for some great things from them in the future.

Core Processing Systems under Security Stress

Looks like there are quite a few issues emerging with various systems and components that many banks and such use for their core processing. The last few weeks have seen issues in Oracle, MySQL, AIX, of course Windows and various supporting tools and services.

Given the importance of core processing availability to most financial institutions, many are hesitant to patch their production systems associated with these critical functions. However, just the opposite should be true. These systems should be among the first patched to various vulnerabilities – of course – once a patch has been properly tested and vetted in their backup, lab or QA environment (they all have those, right?).

Certainly, increased pressure on patching these systems is coming from legal compliance and regulatory requirements, but financial organizations should ensure that they have an action plan for maintaining the patching and security of these systems – regardless of, and in light of, their criticality to the life of the organization. Taking a “wait and see” or “it’s working so don’t mess with it” approach could be a severely damaging error on the part of IT and management.

Core processing vulnerabilities are going to continue to emerge and present themselves as critical issues. Getting a process for managing them put into place is an excellent idea, the sooner the better.

Approaches to Application Security Testing

I just wanted to post this pointer to another article of mine that ITWorld is running. This one is an explanation of some ideas of different approaches to doing security testing of applications.

If you are considering app testing, and want to get an overview of pent testing, code review and hybrid processes, this is probably a good start. You can then dig deeper into the mechanisms and such via sites like OWASP, SANS, etc.

You can find the article here.

Risk Assessment Key Ideas

My column at security.itworld.com is now running an article I wrote about the key ideas behind risk assessment, and the top three things that organizations need to know when they are considering risk assessments.

You can find it here.

I especially think that more organizations need to remember point number two, which is that the risk assessment must address the business goals of the organization and provide them with a real vision of how to proceed in the future to reduce their risk. So many “risk assessments” I have seen in the last 18 months seem to be little more than vulnerability assessments with some tiny bits of policy review and analysis wrapped around them.

Organizations need to get a better understanding of existing methodologies for risk assessment in order to make smarter selections in terms of vendor offerings. I think too many organizations are making their selection based on price and many times, as in life, “you get what you pay for.”

Make sure when vendors talk to you about risk assessment that you get to see sample reports, that you feel that the assessment is at a high enough level to give you real vision and value and that the results are not just findings, but real-world strategies and tactics for today and tomorrow. Otherwise, you are likely going to get much less value for your investment, and much less return on what can be an exteremely powerful tool for the future of your organization.

Encrypted Drives and Virtual Machine Images

In this day and age, almost anyone can invade your computer system and steal your data. This makes it all the more essential to ensure that beyond your perimeter network security barrier, you have a line of defense inside your system. That line of defense is encryption. Storing data unencrypted on your hard drive isn’t a mortal sin, but it could come back to bite you some day, so today we’re going to discuss that last line of digital defense.

There are two cryptodrive systems which have the biggest market share today: TrueCrypt and PGPDisk. Each has a number of advantages and disadvantages, but both share the quality of keeping your data secret from prying eyes (except when the drive is mounted). Whether you’re just storing your family photos or your customers’ credit card data, using this highly advanced technology is a must in today’s world.

I think TrueCrypt has 6 advantages over PGPDisk: 1) It’s open-source. 2) It’s free. 3) It’s cross-platform. 4) It can contain two volumes, accessed by different passphrases (or keyfiles), or you can have it only contain one “visible” volume. Anyone analyzing the bits of the unmounted drive/file cannot tell if there are one or two volumes, so 4) there is plausible deniability of the hidden volume (which TrueCrypt stores at the end of the big cryptofile.) 5) You can choose from a bunch of encryption and hash algorithms to suit your personal preferences. 6) There are absolutely positively no back-doors built-in (see #1: open-source). On top of all that, installation and use is mind-numbingly simple, especially on Windows machines. It’s hard to deny that TrueCrypt is an amazing technology.

For added security, you could even store PGP-encrypted files INSIDE of your TrueCrypt drive(s), and keep no plain-text files in there. Your mileage and paranoia may vary, but that sort of dual-encryption scheme will eliminate the problem where a mounted encrypted drive can be accessed just like a normal drive. Just because you want 1 file in the encrypted drive doesn’t mean an attacker should be able to get to all the files in there.

PGPDisk is no slacker either though… Even though it isn’t free and it isn’t open-source, its very fast and builds itself into the Windows shell quite seamlessly. It has great options. You can have it mount your encrypted drives at startup if you want, and auto-unmount automatically after however many minutes or at system standby. It can use any number of your existing PGP keys to access the database, so the drive could be accessed by 20 people if you want, and/or you could just use a passphrase not associated with a PGP key. This is possible because the PGP keys and/or passphrase unlock the master-key, and that master-key actually encrypts and decrypts the disk. So when you type in your PGP passphrase you are actually unlocking another master-key that does the dirty work. PGPDisk is for Windows only, so that is definitely one thing to keep in mind when picking which solution you want to go with. Also, it can’t be proven if PGPDisk has a backdoor or not, since it is closed-source, but crypto experts agree it is safe.

Also, it is best to keep your encrypted drive/file on a (1 gigabyte?) USB flash drive, and keep a backup of it on a CD or DVD. When creating your encrypted drive, 640mb is a good size to select since then you can back it up to a CDROM easily and you won’t have to worry about splitting the file onto 2 CDs.

One of the best reasons to use TrueCrypt is it’s cross-platform capability. You could be running a Microsoft Windows machine, and have Ubuntu running in a VMWare image, and both your VMWare and your real machine would be able to get to the data.

Also, on a bit of a side-note, if you’re using Windows it is a really good idea to do all of your web-surfing in the VM image instead of in Windows itself. Then, if you’re surfing along the net with Firefox in the Ubuntu VM image, and you get hit by a zero-day browser exploit, the effects stay trapped in the VM image. Then, since your real data is in the encrypted drive, and your real system is unaffected, its just a matter of getting a fresh VM image and you’re good to go again.

Information security doesn’t stop at the network perimeter, it stops at the bits of juicy data that the attacker wants to steal. Use encryption, use VM images – they are your friend. The digital future is shaping up to be a very hostile place for novices, so educate yourself and your friends now to avoid getting stung later.

~’>{[\|/.:”;,]}<`?

Say what?? Some special characters are better than others for passwords.

When an attacker gets a password hash, they need to pick which charset to use to crack it. Some people say there are only 4 categories: lower alpha, upper alpha, numbers, and special characters. However brute-force password crackers like Cain, and more advanced cracking tools like rainbowtables, distinguish between types of special characters. They ask if you’d only like to include the weaker special characters which are more commonly used: !@#$%^&*()-_+=

…or would you like to include the far less likely to be chosen set of extended special characters? ~’>{[\|/.:”;,]}<`? Since cracking tools distinguish between these sets, you should too, and you should use characters from all 5 groupings. Even a password like Abc123 is more secure as "A,b,c,1.2.3?" - and how much harder is that to remember? It's easier than you think to bulletproof your password against advanced cracking technologies. You could surround your password in "quotes", or with [square brackets]. You could make it something easily memorable like {$19.95!}Ca||-n0\/\/ or "C:\WinNT\$Y5T3M\" or `Ta~0!!' The possibilities are, of course, endless. But the key is to use all 5 sets. Set 1: ABCDEFGHIJKLMNOPQRSTUVWXYZ Set 2: abcdefghijklmnopqrstuvwxyz Set 3: 0123456789 Set 4: !@#$%^&*()-_+= Set 5: ~'>{[\|/.:”;,]}<`? To further throw attackers off the trail, you could refuse to use commonly used characters, such as !, 1, e, 3, E, o, O, 0, 5, S, s, and some others. Then every time a cracker tries a pw with those chars in it, they will fail every time, and you can take comfort in their wasted CPU cycles.

A Day in the Life of a Home PC on the Internet

The BBC finally validated what security teams around the world have been saying for a couple of years – home user machine security counts too. In a recent test by the BBC news team, they used a honeypot to emulate a home user system with a high-speed connection. What they found is likely not surprising to security folks, but it is likely eye opening to the common user and management.

The BBC team set up the honeypot repeatedly over a 24 hour period. During that time, the PC was attacked 53 times from the Internet! The breakdown of the attacks they identified were as follows:

1 attempted buffer overflow
2 port scans
14 worm attacks
36 RPC-type attempts to Trojan the machine

This goes right along with the effects MSI has observed when we have done the same thing with our honeypots. These are real numbers, and in some cases, may even be low. Our common attacks from exposed honeypot systems often show higher levels of attack than this, and include hundreds of spam email probes, repeated worm assaults against web systems, scans for bad PHP and Horde Framework files and all sorts of other noise.

The reality is that attackers and automated assaults like Bots, Trojans and worms have made even the home user network neighborhoods dangerous places to hang out. Without the proper safeguards and security mechanisms, home user systems are in serious danger. Attackers will plunder them for identity data, leverage them to gain access to corporate environments and turn them into components of ever-increasing Bot-nets. Until home users begin to make better security decisions, vendors begin to integrate deeper security into their computing products and consumers begin to care about security in the way they spend their currency, it is very likely that home systems will remain little more than sitting ducks.

Increasing Credit Union Attacks, But Little Added Consumer Risk

For the last several months, news has been coming from the various security vendors that attacker focus has shifted away from banks and other financial institutions to the credit unions. The attackers probably assume that credit unions are an easier target than the banks. In our experience this is simply not true. Though credit unions do have risks, they do not seem to be larger than banks and other financial organizations.

Primarily, credit unions face three key areas of risk by attackers today, in terms of information security. These risks are discussed below:

1) Network, application or database compromises – This is the most common form of attack when we think of information security in relation to computer data. The fears here are that an attacker could exploit a weakness in our computer systems, networks or applications and steal important member/customer data that they could use for fraud or identity theft. Common attacks include penetration of the Internet exposed network, application security issues like SQL injection or the introduction of malware/spyware into the the user’s systems to gain illicit access. To defend against these attacks credit unions should be performing ongoing security testing, using detection and prevention technologies like firewalls, IDS/IPS, honeypots, etc. They should also have strong security policies, hardy authentication, great anti-virus/malware tools and excellent patching mechanisms. These are the primary steps for protecting the electronic systems of a credit union against compromise.

2) Physical security compromises – These are the often forgotten security issues, but a breech of physical security is often among the most devastating of attacks. Items like unshredded member data, identify information, loan applications, checks or the like making their way into dumpsters is a common cause. Attackers using combinations of physical attacks and social engineering to install hardware devices on the network, gain access to sensitive areas or other forms of attack are also common. Credit unions are used to protecting themselves from outright robbery and theft, but the subtle methods of cyber-attackers leveraging the physical realm is often beyond their existing vision of security. The keys here are to have good processes for managing physical assets in the computing environment, having good employee awareness of security procedures and performing assessments to know where your weak points lie so that you can address them. Awareness is the primary tool here, as employee of the credit union must have good procedures and remain ever vigilant against breeches of these procedures and protocols. They must understand what data is confidential, and how it is to be handled, stored and discarded. Often, a risk assessment is an excellent tool for identifying issues around physical security and document handling. Credit unions would be wise to pursue a risk assessment as soon as possible, as it is has also recently become regulatory requirement.

3) Social engineering compromises – Social engineering attacks are probably the most common form of attack credit unions face. Social engineers often use trickery, deceit and trust to gain access to information that, at the time, may seem small or insignificant, but may lead to compromise on a wide scale. Social engineers may be overt, asking tellers for identify information or using phone calls to ask for passwords, or they may be subtle – like leaving CDs and USB keys in the parking lot that Trojan machines when used. No matter what form of social engineering the attacker chooses, the best defense is employee policies and awareness. Credit unions must make sure that each and every employee is aware of their security policies and the processes used to protect the environment from compromise. They must understand the risks, the current techniques in use by attackers and have a means of comfortably reporting suspicious behaviors. Only then will credit unions be well protected against social engineering.

Credit unions may be getting more scans against their firewalls and IDS/IPS systems now than banks, but the majority of credit unions are fairly well secured against Internet attacks thanks to the years of media attention and regulatory requirements. Obviously, some improvements could be made – but that is true for almost all organizations. Credit unions taking information security seriously should examine their current security posture, ensure that, at a minimum, they are performing the above tasks and then work toward identifying a means to improve. Attackers will follow money, and as such they will remain focused on credit unions, banks and other financial institutions for some time to come.

Overall, though, credit union members have no reason to feel that they are at increased risk just because they belong to a credit union. In our opinion, the risks to the average consumer show little difference between using a bank or a credit union. The average consumer risks far more by shopping using their credit cards or not using a shredder for their home trash than by choosing to do business with either financial institution, be it bank or credit union.

Smart New Use for HoneyPoint Security Server

I just heard from a client, one Mr. BW, we shall call him, that he has a smart new use for HoneyPoint Security Server in his organization. In addition to using it as designed, to capture emerging internal threats, Mr. BW has found a way to make use of HoneyPoint’s emulated web server to catch and capture malware and spyware inside his organization!

He came up with the idea of using HPSS, in conjunction with the Bleeding Snort Rule Set for Malware. He extracted the appropriate black hole DNS records and placed them on his internal DNS server. But this simply black holed the systems, and broke the connections – but did not give him the information of what the malware was seeking, passing or otherwise communicating. Thus, he changed the black hole DNS entries to point to a HoneyPoint emulated web server!

Now, when known malware triggers a bad DNS entry, the malware is redirected to the HoneyPoint. This not only alerts Mr. BW to the presence of the malware and the location of the infected PC – but – it also gives him insight into exactly what the malware is doing, what information is being transmitted and how extensive the damage may be.

Mr. BW says this gives him a unique capability to communicate the overall risks of the malware and a new tool in helping to protect his organization.

Our thanks to Mr. BW for his feedback and insight! Congrats on the forward thinking and on the adaptation of the tool to your needs!