Coming Soon To A State Near You – PCI As Law

We are hearing more and more rumblings these days about making PCI the default standard for infosec, and a lot more legal rumblings of making their standards enforceable as state laws. Already Minnesota has passed the standards into law and Texas seems to be next.

While I see the PCI standards as a step forward for credit card companies, I am not so sure that enforcing it as law is a good thing. Over legislation has done little to secure the Internet thus far (remember the “Can Spam Act”) and in some cases has caused so much legal confusion that small rebellions have broken out (See the DMCA for this one!). I am not sure that organizations will become compliant just because it is law, as opposed to just being a rule from their card processors. After all, does the amount of “large fines and penalties” really matter? Does it really change behavior? I just don’t believe it does.

Nonetheless, PCI has certainly gained momentum and public recognition. Many of our clients who don’t even process credit cards have begun asking about it, citing it as a standard and asking for gap analysis between their processes and the DSS standards. Many of them believe that in the not too distant future, courts may see PCI DSS as the de facto security baseline that helps them determine the difference between liability and negligence for just about all organizations, not just credit card dependent ones. One thing is certain: now would likely be a good time to become familiar with the PCI rules, because your management may be asking you sooner rather than later.

LoansCandy Not So Sweet

Our HoneyPoint sensors have been picking up quite a large number of scans for open proxies lately. As usual, much of this traffic is originating in China, where open proxies are used for a number of reasons from spam to political activity to simple uncensored Internet access.

Interestingly, we are seeing a pretty decent increase in the number of probes for open web proxies using a site called www.loanscandyloans.com as the target. This site, owned by a person in China and hosted in the US, seems to be a front site with the main purpose of simply hosting a set of PHP scripts used to verify open proxies and other connections.

Quick Google searches about LoansCandy reveal a short history of scans, probes and semi-malicious activity. Likely, the site is used simply as a collection point for the data and offers little else in real terms. However, it might be wise for organizations to consider blocking any connections to the site, just in case open relays or proxies might be present in their environment.
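An added example of the kind of check the last paragraph suggests, written for this post rather than taken from HoneyPoint or MSI: a small Python script that reads Apache combined-format access log lines and flags proxy-style requests, meaning CONNECT requests and GET/POST requests whose target is an absolute URL for a host you do not serve. A normal web server should log very few of these; a run of them from one source is a probe for an open proxy. The log lines, the IP addresses and the hostname set for "our own" sites are constructed for the example; the only real name is the one mentioned in the post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" format (not real captures).
# Two of them target the site named in the post, one targets another host.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2007:10:01:22 -0500] "GET http://www.loanscandyloans.com/proxy/check.php?id=1 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Mar/2007:10:01:30 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2007:10:02:05 -0500] "CONNECT www.loanscandyloans.com:80 HTTP/1.1" 405 0 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Mar/2007:10:03:11 -0500] "GET http://www.example.org/ HTTP/1.0" 404 0 "-" "-"
198.51.100.9 - - [12/Mar/2007:10:04:00 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# source, timestamp, then the quoted request line "METHOD TARGET PROTO", then status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the interesting fields of one access log line, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_probe(rec, own_hosts):
    """True when the request asks this server to relay traffic to somewhere else."""
    if rec["method"] == "CONNECT":          # tunnel request: only proxies honour these
        return True
    target = rec["target"]
    if "://" in target:                     # absolute-URI form, as sent to a forward proxy
        host = (urlsplit(target).hostname or "").lower()
        return host not in own_hosts        # our own vhosts are legitimate absolute targets
    return False


def probe_target_host(rec):
    """The host the probe wanted us to reach on its behalf."""
    if rec["method"] == "CONNECT":
        return rec["target"].rsplit(":", 1)[0].lower()
    return (urlsplit(rec["target"]).hostname or "").lower()


def find_proxy_probes(log_text, own_hosts):
    """All proxy-style requests in the log text, given the hostnames we actually serve."""
    own = {h.lower() for h in own_hosts}
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_proxy_probe(rec, own):
            probes.append(rec)
    return probes


def summarize(probes):
    """Counts by probing source and by relay destination, for a quick report."""
    by_source = Counter(p["src"] for p in probes)
    by_host = Counter(probe_target_host(p) for p in probes)
    return by_source, by_host


if __name__ == "__main__":
    found = find_proxy_probes(SAMPLE_LOG, {"www.example.com"})
    by_source, by_host = summarize(found)
    print("proxy probes by source:", dict(by_source))
    print("relay destinations   :", dict(by_host))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents and the set with your own virtual host names. Destinations that show up repeatedly are candidates for the outbound block the post recommends, and sources that send several probes are worth a firewall entry of their own.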

HoneyPoint has been an essential part of MSI’s infosec intelligence program and continues to prove itself an amazing tool for threat analysis on Internet or internal networks. We continually monitor several HoneyPoint deployments around the world for interesting activity and attacker trends. Look for us to share more data from our captures in the future.

Final ITWorld Weekly Column

As I write this, I am sending my final weekly column over to ITWorld.

After more than six years, ITWorld and I decided to make some changes to the column and site and as a part of those changes, I will be moving my writing over to the blog and focusing on it more in the future.

ITWorld and MSI will continue to work together, and I will likely pop in on the security site from time to time with an occasional article, whitepaper or multi-media presentation. We will also continue to work together on other items as well. They are a great team, and we truly enjoy working with them on a regular basis.

Part of these changes are based on a new direction for the ITWorld site, and part of it is to allow me to focus more on new media work, like blogging and creating richer materials and content to further evangelize MSI and HoneyPoint technologies.

Look for more content here on the blog, more coverage and maybe even some site enhancements as I switch my focal point to be more centered on StateOfSecurity.com. In the meantime, thanks for your patience, and if you are just coming over from the traditional column, please let me extend a big WELCOME and to point you to the archives. There are a lot of good topics there, and I can assure you a lot more to come.

As always, thanks for reading, in the past and in all of the days to come! You folks really make all of this possible, so Thank You!!!

Trusting Users

I recently came back across a prank that was pulled some years ago against a local news station. Some college students had found out that the school and business closing tickers you are probably familiar with accepted input directly from the news website. All that was required was to sign up and put in your business, contact, and hours opened/closed. Now one might think that somebody would check these before they go on live TV, but that’s exactly what didn’t happen in this case. The students proceeded to sign up humorous businesses and have them displayed on live TV. This happened numerous times before someone at the station caught on and disabled the feature.

What I’m getting at here is that this could have easily been turned into an attack to harm a company’s reputation. They could have easily posted that Joe Shmoe Inc. was doing something illegal, and potentially caused an HR and legal nightmare for that company. It might even be possible to “Denial of Service” the company! Word spreads that there was no work today, nobody shows up, and no work gets done.

The lesson this shows is that user input should never be trusted. When “user input” is described, usually we think about bad characters in input fields, SQL injections, or cross site scripting. But this example goes to show that those issues are not the only things to be considered.

Social Engineering the Troops

On my way in to work this morning I heard a fairly disturbing news report about criminals using basic social engineering techniques to get family members of US service members deployed to Iraq and Afghanistan to divulge the servicemen and women’s personal information. Here’s how the attack played out:

The criminal obtains a list of members of a specific unit or command and tracks down the phone numbers of family members of those soldiers. The criminal then calls the family member and states that they are calling from the Red Cross and that their son/daughter/spouse has been injured in the course of performing their duties. Then the criminal states that in order for the Red Cross to be able to transport the service member to a military hospital in Germany, the Red Cross needs to verify the Social Security Number and date of birth of the injured soldier. While the family member is upset, they quickly give out the information to ensure that their loved one gets the medical attention they need. At this point, the criminal now has all the information they need to begin the identity theft that we hear so much about.

This type of attack, while completely abhorrent, has worked numerous times. I have not been able to find any conclusive data that speaks to how many people have been affected, nor do I think it is important for the purposes of this blog. What is important, though, is to consider a couple of things.

1.) The Red Cross would never contact a military member’s family directly, without going through military channels.

2.) The Red Cross or military would never need to verify that type of information in order to proceed with medical attention.

3.) No person should ever give out that type of information over the phone, especially if you did not initiate the call.

What really interests me, though, is the creativeness of the attack. It plays on emotion to be successful. Whether you are for the war or against it doesn’t matter; everyone should be able to agree that it is an emotional subject, especially when talking about a loved one. The lesson to learn from this is simple. Guard your personal identity very closely. This example only strengthens the notion that criminals will do very nasty things to get access to your information. This is a business to them…a very profitable business at that.

We know that the average consumer will always choose the metaphorical “Dancing Bear” when confronted with these types of attacks. At MSI, we have refined our services to include rigorous social engineering exercises for our clients. While we have seen improvement in the security posture of our clients’ user base (at least the ones who have taken advantage of the service offerings), there is a part of me that believes that those users aren’t taking the knowledge we are giving them and applying it to their personal lives. For the ones who are, we commend you and hope you continue to interact with the masses in a secure way. We would love to not hear any more of these types of stories. Unfortunately, we truly believe that this current trend of identity theft is only going to continue. At least until “average Joe” begins to understand the threat.

Useless Information, Powerful Lesson

I received an email the other day from a buddy from my former life in the Marine Corps. The email was basically a mass spam letting all of his friends know that he was planning on having a party in the coming months and had created a website with a forum to track reservations and random conversation. Since it’s an 8-hour drive back out there to Virginia, I only get to visit a couple of times a year, and this party sounded like a pretty good excuse to make the trip. So, I went ahead and registered for an account on the website and logged in to make my reservation and see what everyone had to say about the party and what they’ve been up to.

As soon as I logged in, I made my way to the forum links to join the conversations. When I clicked on the very first link, can you guess what I was offered? That’s right, a very juicy error message letting me know that an error had occurred in the application. Now, it’s great that the server informed me that an error had occurred, but I was astonished at all of the information it was giving me…just a normal user. The first thing that I noticed is that the error page showed the average user the complete, full path to the location of the script that had failed. Not only did it give me the full path, it also showed me the exact number of the line in the script that was causing the problem…in addition to 3 lines above and below the faulty line. In those lines I got to see several interesting SQL arguments being passed, complete with tables and fields and object names. If I were specifically attacking this site, this error message would have given me some great information. Since I wasn’t attacking the site, I promptly emailed my buddy and told him about the problem I had just seen and suggested that he customize those error messages so that they don’t give out too much information. Needless to say, he got right to work on identifying the problem and limiting the amount of information that was being divulged.

Now, you might say to me, “why would it matter, it was a fairly useless website with no usable information”. I’d tell you that you are right, in the grand scheme of things. Sure, I probably wouldn’t be able to get my hands on any uber-sensitive information. That’s not what is important. What is important is that my buddy who built the site also creates some fairly powerful custom web applications for the government. If his useless website is configured in such a way, is he making the same mistakes when building applications for the people that want to keep the secrets….well, secret?

By offering up an error message like that, an attacker is able to use the information to refine their attacks. In addition to that, we used to have a saying in the Marine Corps when preparing for a wall locker inspection. “If the presentation of the wall locker is such that the inspector doesn’t want to mess it up to inspect it, you’ll do just fine. If it looks like trash, the inspector is going to start digging into things, ultimately finding more problems.” The same idea holds true for attackers. If you present an application or website that doesn’t give away too much information and appears to be well secured, most attackers will move on to the next site. If simple things like error messages divulging tons of information are found, you can bet that the attacker is going to believe that there are other configuration errors and will begin to dig around. We don’t want them doing that, now do we?

I don’t mean to pick on him about this because he is a very good programmer, security savvy and very smart guy. He and I spent many, many hours in the Marine Corps investigating incidents together and solving problems. I simply wanted to use this real world experience to illustrate how important it can be to make sure that your web applications are configured securely. Even if they appear to be useless websites that no one would be interested in, they can lead to attack escalation and possibly compromise.
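To make the fix concrete, here is an added example (mine, not the forum software from the story, which was probably PHP; this one is Python so it runs anywhere) of the split the post asks for: the full traceback, file path, line numbers and SQL text go to the server log, and the visitor gets a generic page with an opaque reference id they can quote when reporting the problem. The application, its failing path and the SQL string in the exception are constructed for the example.

```python
import logging
import traceback
import uuid
from io import BytesIO

log = logging.getLogger("app.errors")


# Constructed stand-in for the broken forum script: one path raises an
# exception whose message carries the same kind of detail the post saw
# (table and column names from a query).
def forum_app(environ, start_response):
    if environ.get("PATH_INFO") == "/forum/thread":
        raise RuntimeError(
            "query failed: SELECT subject, body FROM forum_posts WHERE thread_id = 1"
        )
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"forum index"]


class SafeErrorMiddleware:
    """WSGI wrapper: log everything server-side, tell the client almost nothing.

    debug=True reproduces the behaviour the post complains about (full
    traceback in the response) so the two can be compared side by side.
    """

    def __init__(self, app, debug=False):
        self.app = app
        self.debug = debug

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            ref = uuid.uuid4().hex[:12]          # opaque id linking page to log entry
            detail = traceback.format_exc()      # path, line numbers, source context
            log.error("ref=%s path=%s\n%s", ref, environ.get("PATH_INFO"), detail)
            if self.debug:
                body = ("Internal error (debug mode)\n" + detail).encode()
            else:
                body = f"Something went wrong. Reference: {ref}".encode()
            start_response(
                "500 Internal Server Error",
                [("Content-Type", "text/plain; charset=utf-8")],
            )
            return [body]


def call(app, path):
    """Invoke a WSGI app in-process and return (status line, body text)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.input": BytesIO(b"")}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for debug in (True, False):
        status, body = call(SafeErrorMiddleware(forum_app, debug=debug), "/forum/thread")
        print(f"--- debug={debug}: {status}\n{body}\n")
```

The debug flag is the single switch that decides whether a visitor sees table names and file paths; in a real deployment it is read from configuration and is off everywhere except a developer's workstation, which is the same discipline as turning off verbose error display in PHP or ASP.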

Some Indicators that you are under a Virus Attack

Probably the best known types of malware that can attack your system are computer viruses. Almost everyone has regularly updated anti-virus software on their computers these days, but did you know that there are viruses that this software will not catch? Anti-virus software relies on regularly updated “virus definitions” to detect a virus on your computer. This means that there are lots of people out there in various organizations that look for new virus types on a constant basis, and if they find one, they write a definition of it and include it on the list. If a virus has never been seen or detected before, and no definitions have been produced and added to the list, then your anti-virus software is pretty much useless. So how else can you detect a virus? What happens with your computer system? How does it act? Well, there is no universal playbook on this, but what follows are some activities you might notice happening that are pretty good indicators that you have a virus operating on your computer!

1. Your system may show signs of sudden and unusual sluggishness, especially at start up

2. You may see a significant, unexplained decrease in the amount of memory or disc space you have available

3. Your workstation or even servers may show deteriorating responsiveness – sluggish and slow running

4. You may experience sudden anti-virus software alarm activity without resolution

5. Macro viruses can cause your saved documents to open as .dot files

6. Workstations may experience “churning”, which is unexplained and sustained workstation activity levels

7. You may experience unscheduled hardware resets or hardware crashes including program aborts

8. You may receive disc error messages and increased “lost cluster” results when performing disc scans

9. You may experience excessive and unexplained network activity

10. You may experience unexplained freezing of software applications or receive unexpected error messages

11. There may be excessive consumption of active resources on the CPU

12. Software applications (or their icons) may suddenly disappear from your screen or the application may not execute when you click on it

Now I’m sure that all of us have experienced some of these things happening on our computers before. Who hasn’t noticed their computers running sluggishly or had an error message pop up unexpectedly? And most of the time, these are not caused by virus activity. Even so, ignoring such symptoms can be dangerous! There really could be a virus running that is causing these problems. So check these symptoms out or report them to your IT section, especially if you are experiencing several of the indicators listed above. When dealing with information security, safer is always better!

Keeping It All Straight – Security Management Tip 101

One of the questions I get from clients is how I stay on top of so much stuff all the time. If you read this blog, you know we track emerging threats, identify new vulnerabilities, develop software, oversee our HoneyPoint deployments and run the whole security services company. That can be a lot of detail to manage, but it is doable with a system of methodologies, careful attention to detail and some good tools.

Today, I wanted to talk about a couple of the most useful tools that I use every day. They are very powerful and common, but they combine to be one of the most useful tools in my security management arsenal. Are you ready for the secret?

The big secret weapons are my cell phone (a Treo 650) and Jott.com!

That’s right. My cell phone is a smart phone that is integrated into my management process. I can use it to send and receive email, keep my schedule and to even write blog entries like this one on the go. Often I use it to do quite a bit of writing, from emails to articles. It is a very powerful tool indeed. But, when you combine it with Jott.com – it makes a world of difference.

For those of you not familiar with Jott.com yet, it is a free service that lets you register a cell phone and obtain a number that you can call. When you call the service, you can “Jott” to yourself, or others if you share your address book with the service. (Hint: Read the Privacy Policy carefully before you share your addresses!) Jotting to yourself or someone else converts your voice message or content to text and then emails both a digital recording of your message AND the associated text to the email you assign to yourself or the member of your shared address book! What makes this so powerful is that the ease of communication and style make it a very useful and rapid way to communicate.

Jotts can be long, short or pretty much anything in between. You can dictate a quick blog post, an email or just an idea to be pursued later. At MSI, we use these tools to quickly write content for WatchDog, the blog and email communications with clients. I use it to rapidly outline agendas for meetings or to establish on-the-fly scope-of-work documents that the technical or sales team can use to do business. Overall, used together, these tools really help me communicate and manage ideas, multiple forms of media and my team in a more rapid and easy fashion. Used carefully (again, read the privacy policy), the tools can be leveraged for some amazing things. Don’t be afraid to give them a try, or to think outside the box for how to apply them to your own tasks.

4899/TCP Probes Still on the Increase

MSI continues to see increasing scans for vulnerabilities associated with port 4899/TCP. These scans are attempting to identify a particular product and gain access to the system through a known exploit.

Please verify that you have eliminated all traffic from the public Internet destined for this port. The original vulnerability has been around a while, but increasing blocks of IP addresses in EMEA are propagating the malicious traffic.
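Once the border rule is in place, the logs of that rule are the way to confirm the block is working and to see whether the probes come from scattered hosts or from whole address blocks, as the post describes. The following is an added example, not MSI's tooling: a Python script that reads netfilter/iptables LOG-target lines, keeps the TCP SYN packets aimed at 4899, and counts distinct probing sources per /24. The log lines, addresses and the "FW-DROP:" log prefix are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed netfilter LOG lines (not real captures). "FW-DROP:" is an
# assumed --log-prefix on the rule that drops inbound 4899/TCP.
SAMPLE_FW_LOG = """\
Mar 12 10:01:22 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TTL=112 ID=1 DF PROTO=TCP SPT=3112 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:01:23 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.8 DST=192.0.2.10 LEN=48 TTL=112 ID=2 DF PROTO=TCP SPT=3113 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:01:25 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 LEN=48 TTL=112 ID=3 DF PROTO=TCP SPT=3114 DPT=4899 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:02:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=48 TTL=54 ID=4 DF PROTO=TCP SPT=40001 DPT=4899 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 12 10:02:30 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=48 TTL=54 ID=5 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value tokens; OUT= has an empty value


def parse_fw_line(line):
    """Split one LOG-target line into its KEY=value fields plus the bare SYN flag."""
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None                         # not a netfilter packet log line
    fields["SYN"] = " SYN " in f" {line} "  # TCP flags are bare tokens, not KEY=value
    return fields


def probes_for_port(log_text, port):
    """Inbound TCP connection attempts (SYN) to the given destination port."""
    probes = []
    for line in log_text.splitlines():
        f = parse_fw_line(line)
        if f and f.get("PROTO") == "TCP" and f["DPT"] == str(port) and f["SYN"]:
            probes.append(f)
    return probes


def summarize_by_block(probes, prefixlen=24):
    """Distinct probing hosts per network block: a block with many hosts is a
    range sweeping the port, which is what the post reports seeing."""
    hosts_per_block = {}
    for p in probes:
        net = ipaddress.ip_network(f"{p['SRC']}/{prefixlen}", strict=False)
        hosts_per_block.setdefault(str(net), set()).add(p["SRC"])
    return {net: len(hosts) for net, hosts in hosts_per_block.items()}


def top_sources(probes, n=5):
    """Most active individual probing addresses."""
    return Counter(p["SRC"] for p in probes).most_common(n)


if __name__ == "__main__":
    hits = probes_for_port(SAMPLE_FW_LOG, 4899)
    print(f"{len(hits)} probes to 4899/TCP")
    print("hosts per /24:", summarize_by_block(hits))
    print("top sources  :", top_sources(hits))
```

If the script finds no lines at all, check that the drop rule actually has a LOG rule ahead of it; a silent drop is a correct block but gives you no evidence of the trend the post is tracking.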

File Cabinet (In)Security

I have been toying with lock bumping since it became a national hot item a few months back. If you have not heard about it yet, check out the basics here.

OK, so a lot of this is overblown and the hype is pretty high to cause Mom and Pop to panic and buy some new locksmith services and products. I get it. I really do.

I also realize that the actual threat has been around a long time, and that criminals have known the technique for a while. I too have read that there has been little significant increase in break-ins since the lock bumping technique made headlines…

That said, I have been focusing on the long beloved friend of accounting folks everywhere – the venerable locking file cabinet. Best practices for securing offices and accounting departments have long held that locking a file cabinet or desk drawer was a pretty decent layer of protection for the contents. Unfortunately, lock bumping very much changes that perspective.

I have attempted to bump quite a few file cabinets and desk drawers over the last few months. I am averaging in the 90th percentile in terms of gaining access. In many cases, it takes just about the same time as using the real key and I easily gain access to the contents to do with as I may.

How serious is this? Well, it makes much of the physical security associated with open cubicle environments suspect. Public access to receptionist desks and the like has proven pretty fruitful – including the usual suspects of phone lists, password lists and other generally attacker friendly items. Not to mention the items available for outright theft – often including just plain money…

The old rules of physical access trumping many security mechanisms still hold. Lock bumping techniques are just the newest way to reinforce the lesson. If you have not taken a good look at your file cabinets, desk drawers and the availability they might have to an intruder with a simple bump key – it might be time to at least think about it. Especially sensitive materials like regulatory data, personnel data and the like may have to be given some other special protections if you’re relying on rows of locked filing cabinets to secure them.