Wednesday, June 22, 2005

Phishing Variants: Popups and Visual Spoofing


Picture credit: http://www.cbc.ca
If you're at all concerned about the rampant epidemic of phishing emails sweeping the Internet, here are a couple of additional approaches to be aware of:

Popup scams: News.com (and the usual security sites) are reporting that most current browsers are susceptible to popup scams. That is, a malicious site uses JavaScript to pop up a window in front of a legitimate web site (say, bankofamerica.com). The popup appears to belong to the legitimate site and challenges the user for credentials (or other sensitive data). A typical user might assume the popup is legit, since it appears over the backdrop of the real site. Rest assured, it's not: it's a scam. Real sites will authenticate you on the secure page itself.

Visual spoofing: Netcraft reported this scam a year or so ago and it's still something to consider. The basic visual spoof uses JavaScript to launch a new browser window without the traditional scroll bars, menus, toolbars, etc. (the classic example of this is a popup ad banner). The spoof then uses images to replace the missing browser chrome, such that the address bar, navigation buttons, "secure page" lock, and so forth all appear exactly as they would on a genuine secure page. Skeptical and want to see an example? Don Park has a good demo of visual spoofing here.

The bad guys are more diabolical than MacGyver on a Starbucks bender. Always be suspicious.
 

The Wikitorial Experiment


Picture credit: http://aphgcaen.free.fr
The LA Times has called a halt to its commendable Wikitorial experiment. The groundbreaking attempt at an interactive, user-edited op-ed piece was defaced repeatedly with obscene photos, according to the New York Times.

Imagine an editorial that anyone can read and modify -- along the lines of the outstanding Wikipedia online encyclopedia -- and you pretty much have the general idea.

Of course, with that sort of openness comes a certain level of risk, as the Times discovered:

...During most of Friday and Saturday, readers thoughtfully altered the editorial. By Friday afternoon, hundreds had weighed in. Some did add profanity but just as quickly a Web master from the paper took it down.

"Nothing bad happened really until after midnight on Saturday," said Michael Newman, deputy editorial page editor...


This is an idea that deserves some refinement and a few more chances. Here are some tactical suggestions for the folks who could back another pass at Wikitorials:

  • Force contributor registration - many newspapers already require that users open a free account. Force Wikitorial editors to open an account. If the user's account ends up abusing the Wikitorial, lock the account out. Since the account registration process takes upwards of a minute or so, editors can make it somewhat painful to deface content. In addition, allow users to rate other users.

  • Ban images - simply don't allow images to be posted or linked. That gets rid of the obscene image issue.

  • Solicit trusted editors - just as Wikipedia relies upon trusted contributors, use the rating system described above to create and nurture a community of trusted editors. Then let the editors worry about cleaning up the content and banning abusive users. It works for Wikipedia... and it can work for Wikitorials.

I commend the Times for their experiment. While I usually disagree (vehemently) with much of their op-ed content, this is an idea with stunning potential. Here's hoping they continue to work out the kinks and allow a new idea to germinate.

    N.Y. Times: Postings of Obscene Photos End Free-Form Editorial Experiment
     

    Tuesday, June 21, 2005

    Largest Security Breach Ever Revealed: 295 million identities stolen!


    Picture credit: http://www.howstuffworks.com
The largest case of identity theft in United States history was reported late yesterday. A conglomerate of large retailers revealed that their wide-ranging consumer databases had been compromised and that all 295,734,134 residents of the United States have had their identities stolen.

    Conglomerate security coordinator Rich Batch stated, "We are still in the process of discovering the nature of the security breach and adding protective measures to prevent this sort of thing from ever occurring again. However, our investigators have discovered that the records of nearly three hundred million U.S. residents have been copied from our systems to external parties."

    Batch went on to describe the fact that social-security numbers, names, addresses, dates-of-birth, credit scores, and a variety of other sensitive fields had been stolen.

    Investigators found that the criminal activities had begun in 2003 and were accidentally discovered when a custodian tripped over a power cord. One of the major bastion servers became unplugged, at which point an unknown person called the data-center. Speaking in a heavy Russian accent, the caller claimed to be the CIO of the organization and demanded that the bastion server "be plugged back into wall, damn you, we are doing much business important work with computer." The custodian became suspicious of the caller and alerted the organization's security staff.

    Reacting swiftly to a swath of fraudulent transactions sweeping the country, the Department of Homeland Security issued the following statement late yesterday:

    Effective September 1, 2005, your old social-security number will be shifted to a randomly selected social-security number (SSN). You will be notified of your new SSN on September 1 and all government systems will be updated on that day to reflect the changes.

    We foresee this becoming an annual anti-fraud effort, given the rampant insecurity of many companies that handle SSNs.


    Continued on page A12

    p.s., This is, quite obviously, satire. But it would be nice to have DHS coordinate a serious attempt to curtail the conventional approaches to identity theft.

    Update: Bruce Schneier weighs in with his take on the CardSystems disclosure. Read the whole thing.

     

    The New James Bond


    Picture credit: http://www.dancewithshadows.com
The classically trained British actor Daniel Craig is reported to have won the coveted role of James Bond, replacing Pierce Brosnan. Do we really need another Bond who weighs a buck fifty and would likely take a butt-whooping from my brown-belt niece?

Photo credit: adorocinema.cidadeinternet.com.br

    I was thinking more along the lines of Christian Bale. He's got the sophisticated, yet hard-edged, look and even the accent, for goodness' sake.

    Plus, from his devastating tour in American Psycho, we know he can handle all of the requisite weaponry: from 9mm handguns to chain-saws and everything in between.

    Daniel Craig to be new James Bond
     

    Which Science Fiction Writer Are You?



I am: Gregory Benford, "A master literary stylist who is also a working scientist."
(Which science fiction writer are you?)



    I took the quiz and ended up with Gregory Benford. I'll have to look him up on Amazon. I was kinda hoping for Robert A. Heinlein. Ah well, dare to dream.
     

    Monday, June 20, 2005

    How SQL Injection Works



It's true that we don't quite know the attack vector that was used to install trojan(s) on the CardSystems network. In my opinion, the three most likely possibilities are:

  • Social engineering: imagine one day you receive an official looking CD from your company's IT department. It's been snail-mailed to you directly, professionally emblazoned with the company logo and a pompous demand that you install the CD to ensure that your machine's security patches are current. This sort of thing may be what happened in the Israeli corporate espionage case.

  • Inside job: an insider, motivated by money, revenge or other factor, intentionally installed a trojan to expedite delivery of sensitive data to criminal parties.

  • SQL injection: a web application (say, a merchant access system) was compromised through SQL injection and a remote command execution hack (e.g., SQL Server's xp_cmdshell command or similar). Remote command execution offers the possibility of loading a malicious executable from an external FTP site... frightening, eh?

If you've ever wondered how SQL injection works... and how best to protect yourself against common web application attacks, this overview from UNIXwiz is one of the best I've seen.

    UNIXwiz: SQL Injection - by Example
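To make the "merchant access system" scenario above concrete, here is an added example (not from the post or from the UNIXwiz overview) using Python's sqlite3 module: a string-concatenated login query next to the parameterised version that closes the hole. The merchant table, logins and card numbers are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for a processor's merchant-access table.
# Logins, passwords and settlement card numbers are invented test values.
MERCHANTS = [
    ("acme-bikes", "s3cret-1", "4111111111111111"),
    ("joes-diner", "hunter2", "5500000000000004"),
    ("zen-garden", "lotus", "340000000000009"),
]


def make_db():
    """Build an in-memory database holding the constructed merchant rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE merchants (login TEXT, password TEXT, settlement_card TEXT)"
    )
    conn.executemany("INSERT INTO merchants VALUES (?, ?, ?)", MERCHANTS)
    return conn


def login_vulnerable(conn, login, password):
    """Concatenates user input into the SQL text, so the input can rewrite the
    WHERE clause: a quote plus OR-tautology in either field makes the predicate
    true for every row and the query hands back the whole table."""
    sql = (
        "SELECT login, settlement_card FROM merchants "
        f"WHERE login = '{login}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, login, password):
    """Parameterised query: the driver binds the values separately from the SQL
    text, so whatever the user types is compared as data, never parsed as SQL."""
    sql = "SELECT login, settlement_card FROM merchants WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchall()


def compare(login, password):
    """Run the same credentials through both versions and report the row counts."""
    conn = make_db()
    return {
        "vulnerable_rows": len(login_vulnerable(conn, login, password)),
        "safe_rows": len(login_safe(conn, login, password)),
    }


if __name__ == "__main__":
    # A legitimate merchant: both versions return exactly one row.
    print(compare("acme-bikes", "s3cret-1"))
    # The classic tautology in the password field: the concatenated query leaks
    # every merchant's settlement card; the parameterised one returns nothing.
    print(compare("anybody", "' OR '1'='1"))
```

The second call prints `{'vulnerable_rows': 3, 'safe_rows': 0}`: no credentials were known, yet the concatenated query returned every row.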
     

    More CardSystems Tidbits Emerge


    Picture credit: http://www.massmenus.com
Interesting information on the CardSystems' security breach... carefully gleaned from multiple reports:

    Item 1: MasterCard announced the breach, which had been detected in May, probably to the consternation of CardSystems. What were the reasons for MasterCard's disclosure? Displeasure with CardSystems in general? A requirement to disclose the breach in a timely fashion, since CardSystems had had over a month? Or was it simply MasterCard demonstrating that it -- not CardSystems -- had discovered the intrusion?

    MasterCard traced the breach to CardSystems based on an unusual pattern of fraudulent transactions...

    "I don't have the detail on what type of fraud it was," Antle said. "It wasn't a large amount of fraud, just an abnormal pattern that triggered our system. ... We have tracking systems in place to find the common point of interaction."

    FBI spokeswoman Deb McCarley would not confirm the intrusion was the result of Internet hacking.


    Sketchy reports indicate that, indeed, a trojan was placed on at least one of CardSystems' computers.

    Item 2: CardSystems said that the FBI asked them not to disclose the breach... but the FBI denies that claim, according to this report. What the... ?

Item 3: According to the New York Times, CardSystems wasn't even supposed to have this data! While CardSystems processes the transactions, it isn't supposed to retain any records, per its agreements with MasterCard and Visa. It appears that CardSystems somehow kept all of the data, perhaps for its own "research purposes":

    The chief of the credit card processing company... acknowledged yesterday that the company should not have been retaining those records... He said the data was in a file being stored for "research purposes" to determine why certain transactions had registered as unauthorized or uncompleted.

    ...Under rules established by Visa and MasterCard, processors are not allowed to retain cardholder information including names, account numbers, expiration dates and security codes after a transaction is handled.

    "CardSystems provides services and is supposed to pass that information on to the banks and not keep it," said Joshua Peirez, a MasterCard senior vice president who has been involved with the investigation. "They were keeping it."

    ...Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard's standards. "They were in violation of our rules," she said.

    It is not clear whether or when MasterCard intervened with the company in the past to insure compliance, but MasterCard said Friday that it had now given CardSystems "a limited amount of time" to do so.

    ...MasterCard said that it had detected atypical levels of fraudulent charges on its cards as early as mid-April and, joined by Visa and an unspecified bank in mid-May, had requested that CardSystems allow its independent forensics team, Ubizen, to investigate. It was not until May 22 that the security specialists identified the rogue computer program as the source, MasterCard said.

    CardSystems said it contacted the F.B.I. offices in Tucson and Atlanta on May 23. The F.B.I. said Friday that its investigation was continuing.


    How did the intruders enter the system? Perhaps a processors' web application for merchants:

"They typically have a Web site where merchants sign on with and then the merchants can look at the daily transactions, the balance in their account," said Edward Lawrence, a managing associate at the Auriemma Consulting Group in Westbury, N.Y., which advises credit card merchants and processors. "My guess is that a hacker would get into the Web site and somehow find their way past a firewall and through the passwords and encroach onto the programming system."

    Mr. Peirez of MasterCard said that the data inappropriately retained by CardSystems was particularly sensitive because it included cardholders' three- and four-digit security codes, making it more attractive to potential thieves because it can double or triple the black-market value of a cardholder's account. Ms. Litan of Gartner said there was no reason for a processor to store security codes... In addition, the data lost in the CardSystems case was apparently not encrypted. "If it was encrypted, the hacker would have gotten data but would not have known how to read it," said Mr. Lawrence...

     

    Security? What Security?


    Picture credit: http://www.regiononline.com
IT-Director's Robin Bloor has some choice commentary on the news that CardSystems may have exposed some forty million accounts to cyber-crooks:

    ...The secret is out "corporate America is inadequately protected against data theft." I think there's a crisis in the making – in fact, there is. The news is not good for you and I, but it is for the IT security vendors, who have clearly not been selling enough of their fine products to stop the rot.

    On Thursday of last week the US FTC (Federal Trade Commission) pronounced judgment on BJ Wholesale a company that had failed to protect customer data from identity theft. Its judgment was that BJ Wholesale should undergo a security audit every 2 years for the next 20 years. This doesn't sound like much of a penalty, but there can be little doubt that BJ Wholesale is going to have to spend heavily on IT security. It will cost them many green dollars, and woe betide BJ if it fails any of these audits...

    [CardSystems' stolen forty million accounts] ...sounds more like a spirited attempt to get into the Guinness Book of Records than a security breach ("What, ChoicePoint only exposed 140,000 identities? We'll show them").

    The press reports suggest that CardSystems was targeted by hackers, which seems highly likely. However, it is all a little confused as some reports claimed that the vulnerability was caused by a virus attack. Right now the full details may not be known. It was MasterCard that uncovered the problem. In investigating fraudulent transactions, it was able to deduce where the data was being stolen. Hats off to MasterCard. Visa and American Express, who also had millions of customers affected, should thank them.

    MasterCard is, however, deeply unimpressed with CardSystems. It says that CardSystems was storing card holder's account numbers and security codes on its computers in violation of MasterCard rules...


    Robin Bloor: Security? What Security?
     

    From the miscellaneous items department...


    Picture credit: NBA
The Spurs' Tim Duncan is one of the smartest and classiest players in the NBA. But a recent interview with his coach, Gregg Popovich, provided some unintended mental imagery:

    "He's exactly the same person that I laid on the sand with down in St. Croix when we drafted him," added Spurs coach Gregg Popovich. "He hasn't changed a lick, very honestly..."


    NBA.com: The Quiet Storm
     

    YubNub: A (social) command-line for the web


Here's a really interesting idea, courtesy of John Battelle's Searchblog. YubNub is a "command-line for the web" with a social-networking spin.

Want to do an image search on Google for Anne Bancroft? Type in gim anne bancroft. How about viewing the Wikipedia entry for Bob Knight? Just type in wp bob knight.

    Want to create your own commands? That's where the social-networking aspect comes into play. You can add your own syntax to YubNub.

    Check it out: YubNub
     

    Saturday, June 18, 2005

    CardSystems' missing 40 million records



Photo: Two consumers enjoying their privacy (CardSystems)

    The details are sketchy, yet ominous. As many as forty million consumer credit-card records may have been stolen from CardSystems, a major payment-processing house.

    The theft was discovered back on May 22nd. And CardSystems seems none too pleased that MasterCard has disclosed the extent of the breach. Publicly, MasterCard indicated that:

    ...an intruder was able to use security vulnerabilities to infiltrate the CardSystems network and access the cardholder data...


    In addition, MasterCard reported that:

    ...CardSystems Solutions was hit by a computer virus that sucked up card numbers and other customer data...


    Who was behind it? Probably organized crime, at least based upon information in this Boston Globe article:

    ...MasterCard said yesterday that criminals used a computer virus to collect vast amounts of financial data moving through the company's computer network and estimated that 13.9 million of its accounts may have been stolen. Thieves also had access to millions of cards issued by Visa and Discover, as well as some American Express cards...

    ...examination of CardSystems computers found that information had been copied from a database containing 40 million account numbers from a variety of credit card brands. It also found that the CardSystems network had been infected sometime late last year, meaning that the data thieves had been able to collect credit card numbers for several months before the breach was detected.

    The investigators found that some of the stolen card numbers have been used illegally. ''We are aware of some fraud from the data that's been taken," said Jessica Antle, spokeswoman for MasterCard International. She added that the thieves had used very few of the stolen account numbers so far...


    Some expressed surprise that a breach of this scale was possible:

    ...Former federal prosecutor Mark Rasch, chief technical counsel for computer security firm Solutionary Inc., was surprised by the scale of the crime. ''It's not surprising that there's a breach," Rasch said. ''It is surprising that there's this large a breach." Rasch said that the data-stealing computer virus should have been quickly detected if CardSystems ran regular virus scans...


    Was it a virus... or something altogether different? The LA Times, via Slate, says:

    ...a "rogue program" planted in the computer network of CardSystems compromised millions of card numbers...


    The FBI is probably hunting down possibilities of an inside job or an Israeli-style social engineering scam (the recent Israeli corporate espionage debacle included trojans that were snail-mailed to victims as software updates from a corporate IT department).

    Ironically, CardSystems' website boasts of its e-Payment Systems offering:

    ...In today's information age, new technologies... increase the risk of fraud as perpetrators find new ways to infiltrate systems. You need payment solutions that help you grow revenue and maximize efficiencies while mitigating fraud...


    Yes, we do. That's their mission statement, eh? Repeat after me: forty... million... records.

    And now CardSystems' livelihood itself may be at stake. Mastercard has reportedly given CardSystems "an undisclosed deadline to demonstrate that its systems are now secure".

    That ought to be quite a demonstration.

    After reports like this one and the Israeli trojan horse scandal, one is left only to speculate how much cyber-criminal activity remains ongoing and completely undetected.
     

    Friday, June 17, 2005

    PayPal's Comical Anti-Phishing Page


    Picture credit: http://microsoft.com
I have a PayPal account, which I use only sporadically. And I just received an email purporting to be from PayPal itself, which addresses anti-phishing techniques. This should be fun. Let's review PayPal's advice for avoiding phishing scams (which they call spoofing). Entitled "Protect Yourself from Fraudulent Emails", it's actually somewhat comical.

    Here's the first "warning sign" of a bogus email, according to PayPal:

    Generic greetings.
    Many spoof emails begin with a general greeting, such as: "Dear PayPal member."


    In other words, the spammers can't address you by name.

    According to the security page, after you recognize a phishing attempt, you are advised to immediately contact their anti-fraud department:

    Forward the entire email - including the header information - or the site's URL to spoof@paypal.com We investigate every spoof reported. Please note that the automatic response you get from us may not address you by name.


    Talk about an enigma wrapped in a riddle... PayPal advises you to report any bogus email purporting to be from their organization. The first way to recognize a fraudulent email is a generic greeting. And when you send in a report of a phishing attempt, PayPal responds with another email that (using their criteria) also appears to be bogus. For the love of...

    And here's warning #3:

    Fake Links.
    The text in a link may attempt to... send you to a spoof address [sic]... be aware that a fake link may even have the word "PayPal" in it.


    Interesting. First problem: the PayPal anti-fraud page uses a domain name of paypalobjects.com, not paypal.com. What the...? Can't anyone here play this game?

    Yet another interesting aspect to the PayPal anti-fraud message is their attempt to get you to download a "helpful toolbar". Here's more from their security page:

    ...If you use Internet Explorer, download the eBay toolbar. Account Guard helps ensure you are on PayPal or eBay. Download the eBay toolbar now...


    This is almost too easy. My prediction is that phishers will create and pitch a fake eBay toolbar using their typical, massive spamming campaigns. For the phishers, this is an even better deal. Users will install a truly malevolent trojan themselves, all under the guise of increased security.

    You heard it here first.

    In my opinion -- and, for at least the three reasons listed above -- the PayPal anti-phishing page leaves a lot to be desired.

    The only realistic way to deal with the phishing scourge is to use digital signatures and intelligent email clients (preferably web-based) to ensure that the guy who says he sent the file really did so. Yahoo has released a proposed standard called DomainKeys that does exactly that.

    I think I'll wait for DomainKeys, thank you.

    PayPal: Protect Yourself from Fraudulent Emails
     

    Thursday, June 16, 2005

    Fraudsters use iPods to steal company information


    Picture credit: http://www.conversionfury.com
There are more options for ripping off sensitive data than there are noodles at Johnny Chan's Take-Out joint. All the more reason to ensure that your company's sensitive data is always encrypted at rest.

    Anti-fraud experts warned yesterday that the machines, along with other music players, that boast hard drives with up to 20Gbytes of memory, could become widely used by employees to fool security officials and breach data security rules.

In one case a recruitment agency found much of its client database had been copied to an iPod's memory and used to defraud the firm.


    Guardian: Fraudsters use iPods to steal company information
     

    Wednesday, June 15, 2005

    The Next Generation of Phishing Tools


    (Picture credit http://www.carrera-uk.com)
The folks at SC Magazine -- or, maybe just Maksym Schipka -- describe the interesting ramifications of program complexity. Windows XP, according to Schipka, consists of a scant 40 million lines of code. A conservative figure of five bugs per KLOC (one thousand lines of code) yields the potential of perhaps 200,000 bugs. Schipka posits that about one-tenth of one percent of that figure will be remote-execution security issues: in other words, about 200 serious remote vulnerabilities.

    Worse, the trend towards blended, polymorphic attacks continues unabated. Recent generations of trojans blatantly scan for vulnerabilities, rip down defensive barriers such as anti-virus protection, and hijack trusted applications and libraries.

    From the phishing perspective, the trend is equally serious:

    ...A recent phishing attack, purporting to be a communication from a major UK bank to its customers, provides a significant pointer to likely future developments in the email banditry arena.

    It works like this: customers receive an email that makes the usual phishing bid to gain personal banking details -- but it also has a more purposeful payload. Before attempting the phish, it first uses an IFRAME exploit to download a trojan installer without the user's knowledge.

    The installer checks a number of parameters on the system -- for example, the versions of Windows and Internet Explorer being used, whether Norton AV updater or McAfee AV updater are running and what version of Java Virtual Machine is in use. Based on the information it collects, the installer chooses one of the four different exploits to perform the trojan executable drop.

    The innovation here is that, not only are different exploits and vulnerabilities used to penetrate the user's computer, but also that a trojan installer is an integral component of the phishing attempt.

    If this new technique proves as successful as its criminal perpetrators surely hope, we can expect to see even greater uses of such convergence in the future. With the prospect of spam messages arriving in your inbox trying to sell you a product while attempting also to obtain your personal banking information -- and planting a trojan on your computer at the same time -- the case for adopting comprehensive email security has surely never been more pressing...


    This conforms pretty much exactly with CounterPane's assessment. Blackhat activities revolve around criminal, not recreational, endeavors. Bruce Schneier:

    Another 2004 trend that we expect to continue in 2005 is crime. Hacking has moved from a hobbyist pursuit with a goal of notoriety to a criminal pursuit with a goal of money. Hackers can sell unknown vulnerabilities -- "zero-day exploits" -- on the black market to criminals who use them to break into computers. Hackers with networks of hacked machines can make money by selling them to spammers or phishers. They can use them to attack networks. We have started seeing criminal extortion over the Internet: hackers with networks of hacked machines threatening to launch DoS attacks against companies. Most of these attacks are against fringe industries -- online gambling, online computer gaming, online pornography -- and against offshore networks. The more these extortions are successful, the more emboldened the criminals will become.

    We expect to see more attacks against financial institutions, as criminals look for new ways to commit fraud. We also expect to see more insider attacks with a criminal profit motive. Already most of the targeted attacks -- as opposed to attacks of opportunity -- originate from inside the attacked organization's network...


    One thing is for certain: endpoint security has never been more critical.

    SC Magazine: The Potential for Bugs
     

    Top Open-Source Security Applications


    Picture credit: http://www.f-secure.de
If open-source security applications suit your taste (and, frankly, they should), NewsFactor reports on the top 'brands' of the OSS security world:

    OpenSSL: Anthony Nadalin, Chief Security Architect for IBM's software group, recommends Bouncy Castle crypto interfaces and OpenSSL -- an open-source implementation of the secure sockets layer (SSL) and transport layer security (TLS) protocols...

    OpenSSH: OpenSSH is another software package that comes highly recommended. This open-source implementation of the Secure SHell (SSH) session technology is designed to let administrators and users open a command shell on a remote host...

    Nessus: When it comes down to it, no matter what security system you use, you'll need to test for security vulnerabilities in your code. Both Jaquith and Moyle rate Nessus as a top-tier open-source vulnerability scanner...

    Nmap: Moyle and Jaquith recommend the Nmap port scanner, which is designed to interrogate remote hosts to see what services they are running. The open-source application usually can detect the operating system correctly as well... "For example, many companies use it to 'sweep' their networks to see what hosts are there, and to see if any of them are running services that would violate policy."

IPtables: IPTables and IPFW are host-based firewalls for Linux and BSD, respectively. Both of them do the same thing: They block access to particular server ports using a flexible rule-based language...

    ClamAV: Barracuda Networks' Levow sees considerable merit in the use of open-source antivirus and antispam tools, and specifically points to ClamAV as the largest and also most widely used open-source antivirus technology...


    NewsFactor: Top Open-Source Security Applications
     

    Frequency Jamming


    Picture credit: http://www.faa.gov
Like handheld lasers pointed at airliners to (presumably) blind pilots, this Washington Times report is somewhat ominous:

    ...Shortly before touching down in Charlotte, the pilot announced to passengers that the landing was being delayed because somebody was "jamming" the plane's communications with the control tower.
    "We have a jamming problem," the lawyer, who asks not to be identified, paraphrased the pilot. "We've gotten word from the tower that our radio frequencies are being jammed."
    Then these words: The problem could "involve national security."

    ..."Unless you find the source, you're not sure if it's inadvertent or on purpose. As you know from reporting on the lasers [being beamed at pilots from the ground], laser incidents go back 10 years. But it wasn't until the September 11th attacks that we have to look at everything through national security lines now."


    Washington Times: Jamming
     

    Now that's a concert


    Picture credit: http://www.espn.com
From the miscellaneous items department:

    Suspended Florida State quarterback Wyatt Sexton was doused by pepper spray and taken to a hospital by police after he was found lying in the street, saying he was God...

    ...Police said Sexton's roommates told them he had been at a Dave Matthews Band concert in Tennessee with them earlier Monday...

    ...However, The Dave Matthews Band played in Noblesville, Ind., on Sunday and Monday.


    Enquirer.com: College Football Notebook
     

    Tuesday, June 14, 2005

    Protecting Data At Rest


    Picture credit: http://www.unixwiz.net
    Over at RedmondMag, Roberta Bragg notes some good starting points for protecting data at rest. Data 'at rest' means data stored statically on some media: hard disk, tape backup, etc. When sensitive data items -- like SSNs -- are stored in the clear, they're literally sitting ducks for hacking attempts.

    Overall her point is, as mine was a few days ago, that data 'at rest' needs a comprehensive set of data protection standards. Roberta provides a good checklist that IT teams can use to vet their standards against best practices.

    However, I believe she's omitted one quite crucial step in protecting data:

    Sensitive data should be encrypted at the application level. That is, even if you have an encrypted file system, don't trust that it alone will be sufficient to keep blackhats at bay. Go the extra mile and ensure that sensitive fields (SSNs, for instance) are encrypted at the application level. Force your application to securely retrieve decryption keys in order to convert the fields into cleartext data.

    Why? What's the risk?

    One with which I'm familiar is the old favorite, SQL injection. SQL injection permits an intruder to craft their own SQL statements and submit them against your databases. Thus, if SSNs are stored in the clear (at the field level), a SQL injection hack could rip the SSNs straight out of your tables. No muss and no fuss for the intruder.

    Thus, I recommend that all sensitive data be encrypted -- at the application level -- in the tables themselves. At least then, if a rogue process compromises your database, the intruder still has to mount a separate attack against the sensitive fields. Force the bad guys to go the extra mile.

    Redmond: Data at Rest Is a Sitting Duck
     

    Monday, June 13, 2005

    A Phishing Primer


    Picture credit: Stern
    I received this email today, related to some earlier blog postings on the epidemic of phishing.

    Not sure what phishing is? Sure you do: it's the plethora of emails you receive asking you to reset your PayPal account information, notifying you that your CitiBank account may have been compromised, and a myriad of variations thereof. All are designed to get you to sign in to a "false store-front" that appears to be a real financial site. But instead of logging on to a real website, your account and password data are sent directly to the crooks running the scam.

    Back to the email I received. In part, it read:

    We are trying to compose a short but clear guide to email to our customers and put on our site to warn our customers what to look out for - what is the customer information email you have seen? Would be great if you have some examples of the good, bad and ugly.


    Here's a simple summary. The following is a typical phishing email, courtesy of Wikipedia:

    From: eBay Billing Department
    To: xxx@yyy.com
    Subject: Important Notification

    We regret to inform you that your eBay account could be suspended if you don't re-update your account information. To resolve this problems please click here and re-enter your account information. If your problems could not be resolved your account will be suspended for a period of 3-4 days, after this period your account will be terminated.

    For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us.

    Due to the suspension of this account, please be advised you are prohibited from using eBay in any way. This includes the registering of a new account. Please note that this suspension does not relieve you of your agreed-upon obligation to pay any fees you may owe to eBay.

    Regards,
    Safeharbor Department
    eBay, Inc

    This is an automatic message. Please do not reply.


    If you ever receive an email purporting to be from a financial website, please follow this simple step:

    Never click on a link in an email to visit a sensitive website. Visit the site directly by using your browser bookmarks or by typing in the address in the browser's address bar.


    That's the easiest way to be a safe surfer in the wonderful world of phishers.
     

    New Scientist on the BlueTooth Vulnerability


    (Picture credit http://www.tomsnetworking.com)
    I wrote a bit last week on the implications of the recently discovered vulnerabilities in the BlueTooth protocol. The weaknesses, combined with hacking innovations such as the BlueSniper rifle, make it easy to sniff or even co-opt BlueTooth networks at distances in excess of a mile. New firmware, anyone?

    The best description of the vulnerability I've yet read is this excerpt from an article in New Scientist:

    During pairing, two Bluetooth devices establish the 128-bit secret “link key” that they then store and use to encrypt all further communication. The first step requires the legitimate users to type the same secret, four-digit PIN into both devices. The two devices then use this PIN in a complex process to arrive at the common link key.

    Whitehouse showed in 2004 that a hacker could arrive at this link key without knowing the PIN using a piece of equipment called a Bluetooth sniffer. This can record the exchanged messages being used to derive the link key and feed the recordings to software that knows the Bluetooth algorithms and can cycle through all 10,000 possibilities of the PIN. Once a hacker knows the link keys, Whitehouse reasoned they could hijack the device.

    But pairing only occurs the first time two devices communicate. Wool and Shaked have managed to force pairing by pretending to be one of the two devices and sending a message to the other claiming to have forgotten the link key. This prompts the other device to discard the link key and the two then begin a new pairing session, which the hacker can then use.

    In order to send a “forget” message, the hacker must simply spoof one of the devices' personal IDs, which can be done because all Bluetooth devices broadcast this automatically to any Bluetooth device within range.

    “Having it done so easily is surprising,” says Schneier. He is also impressed by the fact that Wool and Shaked have actually implemented Whitehouse’s idea in real devices.

    They show that once an attacker has forced two devices to pair, they can work out the link key in just 0.06 seconds on a Pentium IV-enabled computer, and 0.3 seconds on a Pentium-III. “This is not just a theoretical break, it’s practical,” says Schneier.


    New Scientist: New hack cracks 'secure' Bluetooth devices