CounterMeasures - A Security Blog � vulnerability

It’s International Change Your Password Day!

Rik Ferguson — Wed, 01 Feb 2012 14:01:41 +0000

under Creative Commons from Arenamontanus' Flickr

Treat your password like your toothbrush, don’t let anyone else use it and change it every six months. (Clifford Stoll)

What does this mean for you? Well if you’re the type of person who tends to reuse your password across multiple web sites today’s the day to get out there and start changing that password and breaking that habit. Criminals may well already have your email address and common password, they may also have the answers to your security questions, which also tend to get reused.

It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple process to achieving this.

First, what NOT to do

- Do not use a word from a dictionary

- Do not use names, dates of birth, ages, telephone numbers, pet’s names, football teams or anything related to you.

- Do not use the same password for multiple different purposes.

- Do not share you passwords with anyone else, ever.

Brute forcing tools use dictionary attacks and hybrid dictionary attacks (where dictionary words are automatically modified using the common number/special character substitutions). So it is not sufficient to take a dictionary word and just change a few letters to numbers (Password into P455w0rd! for example) these sorts of password can be cracked in a matter of minutes

Here’s how you do it.

1- Think of a phrase you can easily remember, for example:

“Mötley Crüe and Adam and the Ants were the soundtrack of my youth.”

2- Take the initial letter of each of those words:

MCAAATAWTSOMY

This will be the basis of the password, but we now need to make sure we use upper and lower case characters, numbers and “special characters” like !£$&+ for example, let’s change cases first:

MCaAatAwtSomY

Now change some of those letters for numbers, maybe the letter O to a zero

MCaAatAwtS0mY

Now add the special characters, I’ll change the “and” into + and &

MC+A&tAwtS0mY

As a special point of interest, a great character to include in passwords (if you have a UK keyboard) is the £ symbol, as it is overlooked by many of the mainstream password brute forcing tools, so maybe we could end up with:

Mc+A&tAwTs0mY£

Now you have a secure password, you need to devise a way to differentiate it for each site you use. For example you could put the first and last letters of the web site name at the beginning and end of your complex password, making it unique yet easy to remember

As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember!

Guess, I’d better go and change my passwords…

PayPal’s Destructive Dispute Resolution

Rik Ferguson — Wed, 04 Jan 2012 16:31:51 +0000

Destroyed violin image courtesy of Regretsy

While paying a visit to the fantastically disturbing Regretsy site today I couldn’t help but be amazed by the sorry tale that was submitted by a regular visitor to the site.

A lady by the name of Erica relates in her email how she had sold ”an old French violin” (in her words a pre-World War II violin) to a buyer in Canada and accepted payment for the item through PayPal. The payment in question was for the not inconsiderable sum of $2500.

Unfortunately the buyer was not happy with the authenticity of the violin, raising a dispute over the label (the paper sticker inside the violin identifying the luthier that supposedly crafted the instrument). Labels in the violin world are notoriously unreliable and have been faked for centuries, in fact it was a common “marketing” practice in the Victorian era to attach fake Stradivarius labels to contemporary violins because they were “made in the style of”… The consensus of opinion in the murky world of violin sales seems to be that a label is only the starting point for the valuation of an instrument and that for any truly reliable opinion, a specialist instrument valuer should be consulted.

Of course it is the buyer’s prerogative to raise a dispute through the official PayPal process if they feel that they have been deceived into buying counterfeit goods and, not having seen the original advertisement for sale, it would be impossible to form an opinion on that. What really stopped me in my tracks though, were the instructions the buyer received from PayPal in order to qualify for a refund.

Rather than have the violin returned to the seller, PayPal reportedly instructed the buyer that he must destroy the violin and provide evidence of its destruction in order to get his $2500 refunded. This all apparently happened without the involvement of any independent verification and resulted in the photograph you see in this post.

This process is all detailed in the Dispute Resolution terms and conditions on the PayPal site “If you lose a Significantly Not as Described Claim because the item you sold is counterfeit, you will be required to provide a full refund to the buyer and you will not receive the item back (it may be destroyed).” All decisions are at PayPal’s discretion and are final “based on any criteria PayPal deems appropriate“.

One very upset violin seller and a destroyed violin, is only a part of the issue here. PayPal’s dispute resolution process in the format described above leaves itself wide open for abuse. Let’s say I fancy myself a nice designer label watch or handbag (for someone else, you understand) but I can’t afford the real thing, what can I do? Well I could always go and see my friendly street corner counterfeit Rolex or Gucci salesperson and pick one up nice and cheap, then go online and buy the real thing. When it arrives I simply show the counterfeit as proof that I was deceived, provide evidence of its destruction, get my money back and keep my nice shiny new purchase.

When the purchase is only a few pounds, euros or dollars this is of relatively minor importance but when we are talking about antiques or designer goods, the sums involved can rapidly escalate and so can the risk.

With online purchases, it’s not just caveat emptor but caveat venditor as well. If you are selling expensive items online it is advisable to collect as much evidence as you can of the authenticity and condition of the item in question prior to shipment. Make sure you share this evidence with your buyer and keep a record of all communications. On the buyer side, make sure you fully satisfy yourself of the true nature of the item you are purchasing before parting with any cash. Both parties may wish to consider using a reputable escrow service where the cash is held by a trusted third party until both buyer and seller are satisfied.

Obviously the PayPal story as told by Erica is only one side of a two-sided story, there is no mention for example of whether the buyer intially directly asked the seller for a refund, but for PayPal to have chosen to instruct the buyer to destroy the very item that was in dispute seems short-sighted in the extreme and that’s without having to consider the wanton destruction of a beautiful musical instrument.

The best form of defence?

Rik Ferguson — Tue, 03 Jan 2012 16:19:41 +0000

Mutation by woodleywonderworks

A report in the Daily Yomiuri suggests that the Japanese government have commissioned Fujitsu Ltd to create a “defensive virus” and that after 3 years of work and a budget of $2.3 million, the project is nearing completion.

Technical details in the article are necessarily thin on the ground but it appears that the “cyberweapon” is designed to “springboard” from one compromised computer to another, tracing back to the original source of the attack and shutting down malicious processes en route.

Whilst I can see the attractiveness of the principle and have some sympathy for the thinly veiled claims in the article that “everyone else is doing it”, the concept of the “good” computer virus has been the subject of debate for many years and it has never gained widespread support.

Even a “good” virus or worm must execute on a machine without the permission of the owner of that machine. If that “good” virus has the objective of terminating malicious processes and/or patching security holes then, by definition it must modify or delete critical processes, memory content or files. If its design is to spread autonomously then system owners will have no opportunity to test whether its supposedly altruistic activities will have any negative impact on a running system. It will also consume bandwidth, disk space, memory and processor cycles, all adding to the load, just as a malicious worm does effectively creating a Denial of Service condition.

The “good” virus may also be hindered by effective security software, many of the actions it will be carrying out, such as modifying system components and terminating process, will be precisely those which are designed to be recognised and stopped by security programs.

Finally it really wouldn’t take much effort for criminal groups to take these white-hat tools and modify them for more malicious use, blurring the line even more between the “good” and the bad and putting professional grade carrier mechanisms in the hands of criminals.

The Japanese government seem less than coordinated right now on the actual use such a technology would be put to, the article reports them as saying that they are “not considering outside applications for the program as it was developed for more defensive uses, such as identifying which terminal within the Self-Defense Forces was initially targeted in a cyber-attack“. This is hardly surprising, as the creation of malware is currently a violation of Japan’s criminal code.

You have to wonder though, even in that limited scenario, wouldn’t such an automated “sprinkler system” pose a huge risk of destroying valuable forensic evidence in the case of a breach? Wouldn’t effective real-time monitoring of computers and networks, reporting to a centralised SIEM console provide as much intelligence in a less inherently risky way?

Post Script:

In 2004 Cyrus Peikari made a seemingly good case for Fighting Fire with Fire, but I feel that the medical analogy breaks down completely under close examination. In the digital case we are talking about releasing a self-replicating virus into the wild, whereas in the medical case we talk about manual and controlled introduction of an attenuated virus on an individual (and voluntary) basis.

Conficker, Duqu, Stuxnet, Aliens, Confuxnet!

Rik Ferguson — Fri, 02 Dec 2011 14:37:21 +0000

I have just read a Reuters news story where respected “cyber warfare expert” John Bumgarner is reported to claim that Conficker was devised and released to act as a global smokescreen for the surgical attack, using Stuxnet on nuclear facilities in Iran.

Bumgarner claims that initial reconnaissance work was carried out using Duqu in 2007 to identify targets relevant to a later attack by Stuxnet. In November 2008 Conficker was released globally to infect as many machines as possible. When a Conficker infection phoned home, if the victim machine was found to be in a apposite location (Iran) it was flagged as a later target for Stuxnet. He further states that Conficker did no damage to machines outside Iran and that on the infamous April 1st “activation date” (of the third variant from March 2009) it was used to pull down Stuxnet to those machines located in interesting locations in Iran.

Here is the evidence, all of it unsubstantiated as far as I can ascertain, that Bumgarner presents to support his claim:

1- Both Stuxnet and Conficker show evidence of “unprecedented sophistication” leading him to believe that they are related.

2- Both Stuxnet and Conficker use the same vulnerability to infect machines (MS08-67)

3 – Unspecified “key dates” in timestamps of unspecified “different versions” of Conficker and Stuxnet overlap and also “helped him to identify April 1 2009 as the launch date for the attack“.

4 – April 1st 2009 was the 30th anniversary of the declaration of an Islamic Republic in Iran. Other unspecified dates also corresponded with days when “Iranian President Mahmoud Ahmadinejad said his nation would pursue its nuclear program despite international objections, and another with the day that he made a highly controversial appearance at Columbia University in New York“.

As regards the end-game, the eventual infection of machines physically located in the right place inside nuclear facilities, Bumgarner concedes that at this point the malware wasn’t yet “in the target“. So to make that final crucial leap, Stuxnet was designed to infect USB drives, in the hope that someone would later take the same USB drive from a Conficker/Stuxnet infected machine and plug it into a machine located in an air-gapped network in nuclear facility. At that point, Bumgarner states, “it was checkmate“.

Phew, what a ride! You’ll forgive me I hope if I say that this account stretches my credulity to breaking point. Let me list a few reasons why.

1 – If targets outside of Iran were surplus to requirements, why did the first iteration of Conficker only exclude computers based in the Ukraine? Why was that restriction later removed? Why not only infect machines in Iran in the first place? It is also not true to say that machines infected with Conficker were all unharmed, Conficker was used to deliver Fake AV and had a functional relationship with Waledac botnet C&C

2 – The levels of sophistication in Conficker and Stuxnet are in different leagues. The original version of Conficker used a single already patched Windows vulnerability to spread, the second variant added the capability to spread via removable drives and by brute forcing passwords against a list of common password variants, neither method sophisticated. There was a level of sophistication in the scale of pseudo-random domains that were generated by the malware as potential C&C locations, but nothing that wasn’t quickly reverse engineered and understood. In the third variant of Conficker the propagation methods were actually removed, only to reappear again in the fourth significant variant. Stuxnet was a far more sophisticated animal, taking advantage of zero-day vulnerabilities and requiring specialist knowledge of SCADA systems and nuclear facilities.

3 – I would theorise that the creators of Stuxnet chose to also use the MS08-67 vulnerability because its effectiveness is demonstrated by the fact that Conficker is still one of the most prevalent infections in enterprise networks, three years after its initial appearance. Why would you make two pieces of malware that propagate using the same vulnerability and yet rely on one to download the other?

4 – The “activation date” of April 1 was coded into the third variant of Conficker. You don’t need unspecified time-stamps on unspecified files to tell you that.

5 – April 1st is also April Fool’s day in many countries around the world, it’s also the anniversary of the founding of Apple Inc., the founding of the Serious Organised Crime Agency (SOCA) in the UK, the birth of the Republic of Ireland and the land blockade of West Berlin by the East German military. Get my point? As regards President Mahmoud Ahmadinejad saying that his country would continue to pursue it’s nuclear program, well surely, pick a day, pick any day…

Then of course there’s the difficult conclusion, relying on persons unknown to plug a USB device into a Confuxnet infected machine, then unknowingly taking that same USB drive and plugging it into a PLC in a nuclear facility. Given the “unprecedented sophistication” of everything that has gone before, it’s this one just a tiny bit of a shot in the dark? A little bit “hit and hope”?

Sorry Mr. Bumgarner, it could be true, of course it could, and it could be that you have been misreported, but on the evidence you present so far, I just don’t buy it.

If I were a government with this kind of resource at my disposal, wouldn’t it make sense for one of my operatives in the target facility to simply take the USB containing Stuxnet right there for me?

I know, there weren’t any aliens.

Verified by Visa?

Rik Ferguson — Thu, 01 Dec 2011 15:18:43 +0000

used under creative commons from johnsnape's Flickr

In 2001 Visa introduced a security protocol they called 3DS, short for 3 Domain Secure in an attempt to reduce the incidence of credit card fraud in online purchases. 3DS is better known by the names used by the various card issuers when they implement the system “Verified by Visa“, “MasterCard Secure Code“, “J/Secure” (JCB International) and “SafeKey” (American Express). the trouble is that 3DS doesn’t really present any barrier at all, to even the average fraudster, at least in the way that is is implemented by card issuers that I tested.

In the FAQ published by Visa they say “Verified by Visa protects your card against unauthorised transactions, giving you complete confidence when shopping online“. Later in the same FAQ they also state “If you forget your password you can easily reset it” and therein lies the problem. The following relates to implementations by the credit card issuers I was able to test, not necessarily to the entire 3DS system.

The problem stems from a very basic design flaw. If you are making a purchase through a merchant that is subscribed to the program, you will be redirected, during the payment phase, to a 3DS verification page. On this page you confirm the details of the transaction, enter your password and hey presto, the transaction is complete. So far so good, the merchant never sees my password, no transaction with that merchant can be completed without it and I’m protected, but…

What would a criminal do if they access to your card details but not your password? Of course, there’s that handy “I forgot my password” link. Let’s see how well protected that is.

The first step in the password reset procedure is to enter your card number, obviously to ensure you are resetting the password for the correct account. Once that number is entered the system now requires some corroborating data to be sure that you are the legitmate account holder, let’s have a look at that “Identification” phase.

Second step in password reset

Oh noes, this doesn’t look good at all! Three out of four of the items of information used to verify my identity are all contained in the credit card data itself, embossed or printed on the card and contained in the magnetic stripe data. Wouldn’t the criminal already have access to this? So what remains? One piece of information that is not included on the card. Trouble is, it’s information that is not only widely shared on social networks, surveys, sign-up forms and a myriad of other places, but also freely available in public records. We cannot and should not consider our date of birth to be a secret.

Having entered the required information all that remains is to enter a new password of your choosing and your transaction is authorised. Worse still, no email notification is sent to alert the cardholder that their account has been accessed or modified. The cardholder need never know until they check their statements.

So what should be improved? There’s nothing new or amazing here, just some really basic steps that need to be incorporated into the process.

Upon enrolling in the system, cardholders should be requested to set a “Secret question” which will later serve as authentication data for a passsword change.

Instead of simply clicking through to the reset screen, a one time password reset URL should be delivered to a registered email address.

Whever a change to the account details is requested, or is succesful, the registered email address should receive a notification message.

Oh, one more thing, it would be really great if I could use special characters in my password, please.

Security through governmental Obscurity

Rik Ferguson — Mon, 19 Sep 2011 13:08:15 +0000

by permission from dingler1109 Flickr stream

Another object lesson if one is needed that security by obscurity (and fairly transparent obscurity at that) simply doesn’t work.

At the tail end of last week, journalist and historian Bram Talman managed to publish the Dutch National budget for 2012 via Twitter, a document that is not due to go before the Dutch parliament until tomorrow.

While some of the news reports describe the incident as “hacking”, it is nothing complex at all. In Mr. Talman’s own words, he simply made an informed guess at the URL where the document would be hosted, typed it into a browser and there it was in all its glory

“Last year the name of the website was miljoenennota.prinsjesdag2010.nl. I simply replaced 2010 with 2011″

He later tweeted, the following day, that he had uncovered the budget of Utrecht in the same way.

While there are many technologies that can help with securing sensitive data, such as encryption, data leakage prevention, intrusion prevention and web application firewalls just for example; one of the key steps for making sure a confidential document stays that way, would be not_hosting_it_on_a_public_website…

According to the Irish Times, Mr Rutte the Dutch Prime Misister was quoted as saying, “The leak is extremely irritating and unfortunate,” he said. The IT company, Facetbase, said the cause of the embarrassment had been human error, which it very much regretted. Normally, said its head of crisis management, Peter van der Maat, a fake version of the new document would be put online until the real one was ready – but that had not happened.

DigiNotar, Iran, Certificates and YOU

Rik Ferguson — Mon, 05 Sep 2011 11:57:50 +0000

The story that has been slowly breaking over the past few days regarding the compromise at Dutch certificate authority DigiNotar and the subsequent “theft” of many important credentials is one that is of huge importance for internet users, governments and even the trust foundation that underlies the internet in general.

What has happened exactly?

DigiNotar is a trusted authority. That means that they can issue certificates that allow websites offering secure, encrypted communications to prove that they are who they say they are. Think of it as a digital passport. When you browse to your bank, your email provider or any other secure site, in the background these certificates are exchanged before secured communications can begin. Your web browser contains a list of “root authorities” whose certificates can be trusted. If a web site presents a valid certificate then your browser will trust it and begin encrypted communications. When the certificate is valid, this all happens transparently to you, the end user. DigiNotar’s security has been compromised and a large number of fraudulent certificates have been issued. A full list can be found here (CSV file), although it should be stated that this list may yet grow over time.

What is a valid certificate?

A valid certificate is one that matches the name of the site that is using it, that has an expiry date that has not yet been exceeded and critically is signed by a trusted authority. It is this last step that is normally difficult for those with malicious intent to overcome. If I present an faked, expired or otherwise fraufdulent certificate, your browser will alert you and you may well choose not to continue the communication.

So what does this mean?

If I can set up a “man-in-the-middle”, for example a proxy server, between you and your bank it is very simple for me to intercept and read plain old HTTP traffic as it is not encrypted. However HTTPS traffic would be a problem, it is encrypted and I don’t have the keys to decrypt it, the encryption is between you and your bank. If I have a valid certificate that appears to come from your bank I can overcome this problem, my proxy can pretend to be your bank, present the right credentials and I can decrypt and read all your content, before I pass it on to the real final destination.

Who is at risk?

In a normal situation where I am browsing the internet I can connect directly from my computer to my bank I am on a network I trust and I am not at risk. If however all my traffic must pass through a proxy, either at my Internet Service Provider or at state level, which is the case in some more restrictive nations, then I am at risk. The owner of the proxy can make use of fraudulent certificates and act as a man-in-the-middle. There is also a risk on public networks such as wi-fi hotspots, again the hot-spot provider will often make use of a proxy. Under normal circumstances encrypted traffic will simply be passed through untouched, but if I have a shady certificate and malicious intent I can intercept your traffic.

Alternatively I could infect your system with malware that configures your computer to pass all your traffic through a proxy of my choice, wherever you are located. For this to be effective I would need to be able to install code on your system to make these changes. At least one of the fraudulent certificates allows “code signing” meaning it can be used to certify that a program is from a valid publisher so this possibility certainly exists in theory.

Trend Micro’s Feike Hacquebord has uncovered concrete evidence that the fraudulent certificates issued as a result of the DigiNotar compromise have disproportionately and suspiciously affected users based in Iran (link to TrendLabs blog to follow). In Iran, all web traffic must pass through state approved proxies, the perfect man in the middle. In this scenario, the “benefits” of owning fraudulent certificates are clear. All encrypted traffic for affected destinations can now be decrypted at will and the end-user will be entirely unaware. It has been reported that the fraudulent certificates obtained include certs for *.com and *.org, meaning that all traffic for any web site with one of these suffixes can be intercepted.

Is the internet broken?

Does this event undermine the foundations of trusted communication online? Not entirely, although it certainly highlights a weak link in the chain. Authorities that are trusted to certify the identity and validity of web servers have a responsibility to ensure that the security of their systems and networks is second to none; they represent the top of the food chain. Having said that, security should always be designed on the assumption that a breach will occur. The key to successfully responding to such an event lies in the honesty and transparency of an authority that has been the victim of such an attack. Details of any such breach should be made public immediately so that the bad certificates can be revoked and will no longer be accepted by browsers around the world, thus mitigating the effect of such an attack. Unfortunately in the case of DigiNotar the extent of the breach was reported as minimal at the outset and the full details are only now becoming clear, several days later. We now know that 531 bad certificates have been issued, including those for *.*.com and *.*.org, making the certificates for WindowsUpdate look tame by comparison. The compromise at DigiNotar happened in July of this year, at the time of the initial investigation the fraudulent cert for google.com was not discovered, meaning that that one at least was in the wild for over a month.

Trust in all certificates issued by DigiNotar has already been revoked by many browser and operating system manufacturers and the consequences for DigiNotar as a company are likely to be severe, possibly fatal.

5 Security Questions for your SaaS provider

Rik Ferguson — Thu, 04 Aug 2011 12:49:51 +0000

used by permission from ky_olsen's Flickr stream

Software as a Service is seeing sustained growth and sustained adoption in both enterprise and in the home. According to a Gartner release in July 2011, Software as a Service revenue reached $10 billion in 2010 and is still growing. In fact Gartner estimate growth of over 20% 10 $12.1 billion on 2011.

The Gartner definition of Software as a Service is software that is “owned, delivered and managed remotely by one or more providers. The provider delivers an application based on a single set of common code and data definitions, which is consumed in a one-to-many model by all contracted customers anytime on a pay-for-use basis, or as a subscription based on use metrics”. The example that is cited in almost every article and presentation on the subject is Salesforce.com, and while they are a major provider in the SaaS arena it is important to recognise that SaaS comes in many different flavours. Customer Relationship Management, Human Resource Management, Cloud backup, Collaboration platforms, accounting platforms, helpdesk management, managed services and web or email filtering to name but a few.

The economic benefits, to providers and customers alike are relatively obvious to spot, the cost of user provisioning (the SaaS model) when compared to the cost of application acquisition, licensing and rollout (the on-premise model) is extremely attractive. The SaaS provider is able to more quickly and easily update and manage the software and service due to its centralised nature, application improvements are easier to make as a result of the visibility the provider has of customer usage patterns and the scalability and pay-per-use is attractive for both customer and provider. In addition the possibilities for integration and open interfaces are greater, with many SaaS providers already offering social media-like collaboration functions or open interfaces (APIs).

While SaaS may offer a flexible and cost-effective alternative to a traditional application environment, it is not without risk. By moving to a hosted platform, as opposed to in-house, enterprises must necessarily sacrifice a large element of control over parts of their operating environment. With SaaS in particular, almost the only choice you have is whether you upload certain data or not, the rest is largely out of your hands. You do of course retain the legal and regulatory accountability for the security of your data.

The risks in a SaaS environment are many, and largely related to the benefits offered. As I mentioned previously, your provider has access to your usage habits of the platform, normally through some kind of web analytics, they also have the capability of accessing all of your data and this in itself presents the risk of unauthorised access or monitoring by an insider.

The centralised nature of the system and the “one configuration fits many” model of the multi-tenanted environment means that, should a vulnerability affect one customer, there is a strong possibility that other customers will be equally affected. The Epsilon breach is one of the more recent examples and it affected many Fortune 500 companies using the same SaaS provider. The scope for exploits of vulnerabilities is wide. Common protocols and the software stack are used by most SaaS providers (HTTP, XML/SOAP, JSON, CSS and JavaScript) and these are readily and regularly exploited if not correctly engineered, implemented or configured. Additionally, the more scope a platform offers for customisation and external integration (a key selling point for SaaS vendors), the more chance there is that some other customer will introduce a vulnerability from which another may suffer the consequences. Such is the nature of a multi-tenanted environment.

5 Key security questions to ask your SaaS provider:

1 – Penetration testing – How is the environment pen tested, how often and do you have the ability to independently pen test your own part of the environment? Without regular, in-depth pen testing you have no visibility of your current security posture.

2 – Data Security – How is data encrypted in storage and in transit across the shared resources of the SaaS provider data centre? Who has access to the keys? Is separation of duties and separation of keys and data maintained? Can the provider offer you a SAS 70 report?

3 – Multi-tenancy – Is there an option that provides for single tenant hosting? Also explore whether this single tenancy comprises simply the application or also the data storage?

4 –Disaster Recovery – In the event of catastrophic failure, or external intrusion and data loss what backup and recovery procedures are in place? Where is backed up data stored (and encrypted again) and how is it effectively restored?

5 – User Authentication – What is the sign on procedure for the SaaS application? Are multiple factors in use? Is it possible to integrate sign-on with authentication structures already in use by the customer?

What the Hack is going on?

Rik Ferguson — Thu, 16 Jun 2011 14:51:28 +0000

Used under creative commons from brittgow Flickr

With all the recent news stories of successful hacking attacks of some very prominent organisations, this seems like an entirely reasonable question. The litany of victims is impressive including such luminaries as Google, RSA, Visa, MasterCard, Citibank, Epsilon, the US Senate, the UK National Health Service, Fox, Sony (of course) and just last night the CIA website was targeted with what a Distributed Denial of Service Attack. The amount of prime time coverage these various activities are getting is prompting several questions. Is this hacking group stuff something new? Is this cyber-espionage or even cyber warfare? What impact will this have on me and the future of the internet?

The idea of a hacking group is certainly not a new phenomenon, in fact they began to flourish in the early eighties, the early days of home computing, acting as a forum for members to share information, learn and compare skills. Early groups bore names such as Legion of Doom, Cult of the Dead Cow or Masters of Deception and specialised not only in the nascent internet hacking scene and are responsible for the birth of hacktivism, but also in the perhaps dying are of phreaking (abuse of public telecommunications networks). The nineties saw the rise of a different kind of hacking group, L0pht Heavy Industries who operated more as a research organisation, providing software tools for penetration and security testing and issuing advisories. This group also famously testified to the US Congress that they could take down the entire internet in under 30 minutes back in 1998. L0pht later merged with @stake, who were eventually acquired by Symantec.

Now in the noughties we have witnessed the rise of Anonymous, and more recently LulzSec. Anonymous as a collective is something that began on message boards like the infamous 4chan, for the purposes of attacking the Church of Scientology, and has with generous media coverage evolved into a bigger deal. Instead of being a relatively closed group, Anonymous instead actively sought the participation of the general public when they began their actions in support of Wikileaks. Tens of thousands of volunteers are downloading tools which enable them to participate in the global assault on businesses with whom they feel personally aggrieved. The latest versions of this tool includes functionality which means the user can hand of control of their weaponised computer to a central authority (Anonymous) to better direct and control the attacks. Lulz Sec on the other had maintain the tradition of the closed group, and according to their own web site have no motivation but anarchy,

“We’re LulzSec, a small team of lulzy individuals who feel the drabness of the cyber community is a burden on what matters: fun. Considering fun is now restricted to Friday, where we look forward to the weekend, weekend, we have now taken it upon ourselves to spread fun, fun, fun, throughout the entire calendar year“.

Of course similar groups have emerged around the world in places as far flung as Pakistan and India, where there is fierce competition between the groups. In Romania groups such as HackersBlog have hit various companies. In China and Russia, many hackers are believed to act as proxies for their governments.

It’s not all about the hacking for fun and kudos gangs, organised criminal groups have been with us for many years now, and the last 12 months or so has seen a marked increase in the frequency of attacks on online aggregations of information, such as Sony, Epsilon or Citibank for the purposes of theft of information for financial reward. One single attack, if successful can yield such a vast amount of saleable or otherwise abusable personal data, that I’m only surprised the attacks took so long to gather pace.

Another phenomenon that has risen to prominence recently is purported nation-state activity. Again, despite recent press coverage this is also nothing new, the Titan Rain attacks for example date back to 2003 where the finger was firmly pointed at China for the theft of large amounts of information from military and governmental targets, gh0stnet in 2007 was similarly blamed on China, as were the Aurora attacks the following year. This year has already seen similarly motivated attacks on RSA, the European Council, the French Finance Ministry, the Canadian government, Lockheed Martin and of course Stuxnet.

So many technological and cryptographically advances have their roots in the centuries old art of espionage, we should really not be surprised to see national foreign intelligence services making use of cutting edge tools and techniques to further their national or economic interests.

None of this represents a global online meltdown, or the end of the internet economy or national security as we know it. Like everything else in this world we can trace a simple process of evolution at work here. Security companies, individuals and enterprises must evolve to keep pace and just maybe learn some of the lessons that some of these guys have been teaching us for years now. Encrypt your data, develop securely, configure correctly, test your defences effectively, use complex passwords, shield your vulnerabilities and build your systems under the assumption that a breach *will* happen.

70 million customers affected by the Sony breach

Rik Ferguson — Wed, 27 Apr 2011 07:28:18 +0000

The most recent update update from Sony unfortunately confirms the worst fears of many. Between April 17th and 19th an “unauthorised person” gained access to the personal information of Sony’s more than 70 million customers. The information confirmed stolen is as follows:

– Name
– Address
– Email address
– date of birth
– PlayStation Network/QRiocity login name and password and online ID

Information “possibly obtained”:
– Billing address
– Purchase history
– PlayStation Network/Qriocity password security question responses
– all above data for any dependent accounts (your children’s sub-accounts)

Although there is no evidence at this time that payment card information has been accessed, Sony are “unable to rule out this possibility” and are advising their customers accordingly.

What does this mean for you? Well if you’re the type of person who tends to reuse your password across multiple web sites today’s the day to get out there and start changing that password and breaking that habit. Criminals now have your email address and common password, they may also have the answers to your security questions, which also tend to get reused.

It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember there is simple way to acheive this. Create a complex password using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember

As for those security or password reset questions, this is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

Aside from this, given the nature of the warning from Sony keep aeather eye on your bank statements for any unauthorised activity.