January 2009 Archives


On Jan. 23rd NewsFactor.com reported that Heartland Payment Systems Inc. may have had as many as 100 million credit card primary account numbers (PANs) compromised by malicious code planted on its systems. The last public statement from Heartland was that it did not know when the malcode had been put in place.

Back in December I wrote about 21 million German bank account numbers for sale, correlated with other customer information, and at the time I thought that accumulating 21 million bank account numbers tied to personal information was an impressive feat. But after the MS08-067 vulnerability was followed by botnet worms reported to have infected over 8 million PCs, I am beginning to think that harvesting personal information at that scale is very doable.

A few years ago, while monitoring traffic on a German ISP's network for a firewall implementation, I remember being amazed at the number of hits per second coming from other users infected with some sort of malware, right within the same ISP's address range, and at the matter-of-fact attitude that nothing could be done about it. It's the same in the US: if you're infected, it is your own individual problem, and possibly a family issue about how the household's computers and network are used and governed.

I'm not blaming the MS08-067 vulnerability for all this trouble, as this has been going on for a very long time: if it's not Microsoft worms, it's Macintosh worms, then it's Unix worms. It's just that there are a lot of really frightening people out there who realized years ago that connecting billions of people together instantaneously, in a medium whose basic fundamentals they really did not understand, offered the greatest opportunity ever for non-violent crime. Where else could you get a captive audience of billions of people, besides television or radio, which are not interactive?

The bottom line is that it's all software. Whether it is the code that runs the nation's infrastructure, stores your bank account information and your retirement plan, keeps track of how much milk you buy at the grocery store, or manages telephone connections and conversations, there is a commonality running through and below the application and operating system layers. Despite all the ways we come up with to mitigate the risks from exposure of that commonality, we still seem to fail at it. This is a concern not only from the perspective of individual loss but also for governments, for the security and stability of their infrastructure.

As a side note, the disclosure of this breach, the largest of primary account numbers to date, came on Inauguration Day.

People generally don't like risk assessments; they think the assessment is what causes decisions to be made on the basis of dark thoughts.


There is an interesting diary entry published this weekend called How to Suck at Information Security, by Lenny Zeltser (Security Consulting, Savvis, Inc.). It's a high-level list, but it has a lot of relevance. I would recommend reading it and adding a comment or two.

One item refers to deploying IDS/IPS and SIM solutions for the sake of having them, without ever managing them. There is a lot to be said about that. If you are just getting monthly status reports from your SIM and not proactively using it for investigation, correlation and notification, and integrating it with your help desk processes, asset management, network management and monitoring, vulnerability assessment, operating system events, application events and business processes, you may be missing valuable information. Monthly status reports provide some value, but using SIM technology proactively can help you deploy or jump-start an information security program that manages a sustainable environment.
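As an added example of what proactive use looks like (this is not code from the original post or from Lenny Zeltser's diary), the Python below correlates constructed IDS alerts with a constructed asset inventory and vulnerability-scan results, the way a SIM correlation rule would: an MS08-067 exploit attempt against a host the scanner still reports as unpatched becomes a P1 ticket for that asset's owner, the same alert against a patched host is logged only, an alert against a host missing from the inventory flags an asset-management gap, and a source that hits several hosts is surfaced as a likely scanner or worm. All hosts, addresses, names and the log format are made up for the example.

```python
import re

# Constructed sample IDS alerts in a simple key=value syslog style (not real traffic).
IDS_ALERTS = [
    "2009-01-16T03:12:07Z ids1 msg='MS08-067 Server Service exploit attempt' cve=CVE-2008-4250 src=192.0.2.44 dst=10.0.0.5",
    "2009-01-16T03:12:09Z ids1 msg='MS08-067 Server Service exploit attempt' cve=CVE-2008-4250 src=192.0.2.44 dst=10.0.0.9",
    "2009-01-16T03:12:11Z ids1 msg='MS08-067 Server Service exploit attempt' cve=CVE-2008-4250 src=192.0.2.44 dst=10.0.0.77",
    "2009-01-16T03:15:30Z ids1 msg='SSH brute force' cve=- src=198.51.100.7 dst=10.0.0.9",
]

# Constructed asset inventory: what asset management feeds into the SIM.
ASSETS = {
    "10.0.0.5": {"host": "fileserver01", "owner": "finance", "criticality": "high"},
    "10.0.0.9": {"host": "dev-box-03", "owner": "engineering", "criticality": "low"},
}

# Constructed vulnerability-scan results: CVEs still open on each host after the last scan.
OPEN_VULNS = {
    "10.0.0.5": {"CVE-2008-4250"},   # still missing the MS08-067 patch
    "10.0.0.9": set(),               # patched
}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) msg='(?P<msg>[^']*)' "
    r"cve=(?P<cve>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse_alert(line: str) -> dict:
    """Split one alert line into its fields; a line that does not parse is a bug, not noise."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unparsed alert: {line}")
    return m.groupdict()


def prioritize(alert: dict) -> tuple[str, str]:
    """Decide priority from the alert plus asset and vulnerability context."""
    dst = alert["dst"]
    asset = ASSETS.get(dst)
    if asset is None:
        # The SIM knows about a host that asset management does not: a gap worth a ticket on its own.
        return "P2", "target not in asset inventory; unmanaged host"
    if alert["cve"] in OPEN_VULNS.get(dst, set()):
        return "P1", f"{asset['host']} still vulnerable to {alert['cve']}; open ticket to {asset['owner']}"
    if alert["cve"] != "-":
        return "P4", f"{asset['host']} not vulnerable to {alert['cve']}; log only"
    return "P3", f"{asset['host']}: alert without a CVE, review"


def correlate(lines: list[str]) -> list[dict]:
    """Turn raw alert lines into prioritized ticket records."""
    tickets = []
    for line in lines:
        a = parse_alert(line)
        prio, reason = prioritize(a)
        tickets.append({"src": a["src"], "dst": a["dst"], "msg": a["msg"],
                        "priority": prio, "reason": reason})
    return tickets


def noisy_sources(lines: list[str], threshold: int = 3) -> dict[str, int]:
    """Sources that hit `threshold` or more distinct hosts: a scanning or worm signal."""
    targets: dict[str, set[str]] = {}
    for line in lines:
        a = parse_alert(line)
        targets.setdefault(a["src"], set()).add(a["dst"])
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    for t in correlate(IDS_ALERTS):
        print(f"{t['priority']} {t['src']} -> {t['dst']} {t['msg']}: {t['reason']}")
    print("sources sweeping multiple hosts:", noisy_sources(IDS_ALERTS))
```

The point of the example is the join: the same IDS signature produces four different outcomes depending on what the asset and vulnerability feeds say about the target, which is information a monthly alert count can never show.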

Greetz and tip of the hat to e.keighron (eak)

- Bill


Cisco Security recommends changing the default behavior of the IOS CA to use SHA-1 instead of the default MD5 for certificate signatures. Although the ASA CA may not be exposed to the attack the way the IOS CA is, Cisco still recognizes the weakness in MD5 and plans to change the default hash used when generating end-entity certificates. Note that changing the default only affects certificates issued from then on; certificates the CA has already signed with MD5 keep their MD5 signatures until they are reissued.
Cisco Security Response: MD5 Hashes May Allow for Certificate Spoofing

Verisign has stated that it has moved its CAs, including the RapidSSL CA, off MD5. As you can see from the comments on Verisign's blog post on the MD5 attacks, users are concerned about the certificates already in use that were signed with MD5. Existing MD5-signed certificates are not forged by this attack on their own; the risk is a CA that keeps signing new requests with MD5 and with predictable serial numbers and validity periods, which is why the fix has to happen on the CA side.

MD5 considered harmful today is the publication presented in Berlin at 25C3 on Dec. 30th 2008 by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik and Benne de Weger. Their attack takes MD5 collisions, a known weakness in the hash function, out of the theoretical-scenario category: using a chosen-prefix collision, they obtained a legitimately signed end-entity certificate from a commercial CA and built a rogue intermediate CA certificate that carries the very same signature. They recommend the stronger hash functions SHA-1 and SHA-2 to keep such a rogue CA from becoming an authority of trust.

There may be other concerns beyond the browser and the web server, such as code-signing certificates or email certificates.
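As an added illustration (not from the original post, the Cisco response, or the Sotirov et al. paper), the Python below uses the classic 128-byte MD5 colliding pair published by Wang et al. in 2004, embedded inline, to show the two properties a rogue CA attack rests on: two different inputs with the same MD5 digest, and the fact that appending the same suffix to both colliding inputs preserves the collision, so anything the CA signs after the colliding region is shared by both certificates. Sotirov et al. used the harder chosen-prefix variant, in which the two prefixes differ meaningfully; this example shows only the identical-prefix case. The hex constants and the stand-in `suffix` are the only assumed inputs.

```python
import hashlib

# Constructed inline: the 128-byte MD5 colliding pair published by Wang et al. (2004).
# The two messages differ in exactly six bytes yet share one MD5 digest.
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
M2 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def digest(algo: str, data: bytes) -> str:
    """Hex digest of `data` under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list[int]:
    """Byte positions where the two messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collides(algo: str, a: bytes, b: bytes) -> bool:
    """True when two distinct inputs produce the same digest under `algo`."""
    return a != b and digest(algo, a) == digest(algo, b)


def collision_survives_suffix(a: bytes, b: bytes, suffix: bytes) -> bool:
    """Merkle-Damgard property: once the internal state agrees after the
    colliding blocks, any identical continuation keeps the digests equal.
    This is why one CA signature over the shared trailing part of the
    to-be-signed data fits both certificates."""
    return collides("md5", a + suffix, b + suffix)


if __name__ == "__main__":
    # Hypothetical stand-in for the shared remainder of a certificate body.
    suffix = b"-- shared remainder of the to-be-signed certificate --"
    print("differ at byte offsets:", differing_offsets(M1, M2))
    print("md5(M1) =", digest("md5", M1))
    print("md5(M2) =", digest("md5", M2))
    print("MD5 collision:", collides("md5", M1, M2))
    print("collision survives identical suffix:", collision_survives_suffix(M1, M2, suffix))
    print("SHA-1 collision:", collides("sha1", M1, M2))
    print("SHA-256 collision:", collides("sha256", M1, M2))
```

The last two lines of output are the practical argument for the CA-side fix: the same pair that collides under MD5 hashes to different values under SHA-1 and SHA-256, so a CA that signs SHA-family digests is not fooled by this particular pair.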


Last year we wrote about the possibility that the Conficker (a.k.a. Downadup.A) back door worm variants, delivered via botnets, could become an issue if the majority of users avoided updating their Windows operating system. Well, this year things really heated up when these were unleashed, and the variants had extra features added to their arsenal that let them spread faster. Computer World and Symantec reported on Jan. 12th that 3 million users were infected. On January 14th Computer World reported that 1.1 million Windows PCs were infected in 24 hours. Panda Software raised its global threat watch to Orange, and F-Secure is now reporting over 8 million infections today, according to the F-Secure blog.

So despite all the alerts and alarms from Microsoft about this issue, some users thought they might be protected, even though Microsoft warned that the MS08-067 flaw in the Server service can be exploited over the network without any authentication (on Windows 2000, XP and Server 2003) and without any user interaction.

The bad part is that the initial worm spread is only the beginning: it is followed by whatever gets downloaded and installed, and whatever gets uploaded to be analyzed by an attacker. This might cause you some anxiety, as you are fighting one thing after another, and new adventures may be happening now on your other operating systems, through your internal VPNs, and maybe against your partners and suppliers. Whether you have a small business or a large one, this may mean you're already restoring boxes from last week's backups, which may still be infected.

When these massive outbreaks occur, you feel bad not only for the data owners but also for the people who have to put out the fires because they could not get buy-in from the data owners to mitigate the risk.

Sometimes during these outbreaks there is suddenly an immediate need to upgrade. As the system is taken offline at the switch, you can hear the cry from down the hall, "but I just patched my system," and across the cubicles, "and I ran an antivirus! It was clean, I should be ok now." But no. As you get closer and hear the hard drive grinding, and the applications are doing all kinds of nice things by themselves, the antivirus program is probably not the antivirus program any more. We probably can't even count the number of infections on the PC, but judging by the IDS, DLP and firewall logs, it's more than one, I'm sure.

This is when the backup and recovery administrators get a bit testy, or their faces go as white as snow, because they know the task at hand.

Last year everyone was saying that the worms and viruses seemed to have dropped off: "I have the XP SP2 firewall enabled, what could happen?" And then one day you and your co-workers are enjoying a nice wormy day and....!!

To all my friends and family: I hope you're not having a nice wormy day, and that you upgraded weeks ago.

- Bill Le Roy


The United States national threat level is Elevated (National Threat Advisory), and the threat level for the airline industry is now Orange, or High. "There is no credible, specific intelligence suggesting an imminent threat that would affect the 56th Presidential Inaugural on Tuesday, January 20. The Inaugural is designated as a National Special Security Event." I just wanted to note that, just as there are physical attacks against national security, there can be electronic, or cyber, attacks with significant impact on national security and prosperity. Attackers often wait for a significant change that gives them a window of opportunity, whether a change at the high-level internet routers or DNS servers, or simply a large holiday when everyone is celebrating or away.

© 2010 netForensics, Inc