June 2009 Archives


It never ceases to amaze me how security budgets usually get cut in proportion to other organizational budget cuts at a time when more money should be put towards protecting a company's assets and resources. Let's follow the logic:

A down economy usually forces Company A to buy less; less spending by Company A means lower revenue for Company B; lower revenue causes Company B to cut expenses to maintain its fiscal objectives; Company B typically cuts costs by a given percentage across the board, including security. As a result, Company B at best maintains its security defenses, and more often than not that security erodes over time. Attacks that would normally be defended against start to penetrate Company B's defenses, and eventually an attacker gains access to Company B's assets and either steals data critical to Company B's business or disrupts its day-to-day operations. Company B now has to spend additional money to repair the damage, restore customer confidence, pay fines, settle lawsuits, and implement better security controls to prevent those types of attacks in the future. Add to this scenario that in a down economy the number of attacks often increases as people turn to illegal activities to survive, and there you have the paradox.

At a time when organizations should be investing in improved security because of the increasing number and sophistication of threats, they lower security spend. What companies need to do is manage to risk, not simply to budgets. Of course budgets drive most aspects of business life, but making spending decisions without taking into consideration the risk that comes with a budget reduction can have devastating consequences and, in the long run, cost the organization much, much more.



The Spring 2009 issue of 2600: The Hacker Quarterly includes an article by "Sigma" on using JavaScript injection to change the price posted for an item by a department store for
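The technique the article describes is the classic one: the store's checkout form carries the item price in a form field, the shopper rewrites that field in the browser (for example by typing javascript:document.forms[0].price.value="0.01";void(0) into the address bar), and the server charges whatever arrives. Below is an added example, not code from the 2600 article or from any real store, showing the vulnerable totaling logic beside two hardened versions: one that re-prices every line from a server-side catalog and rejects any posted price that differs, and one for the case where a quoted price genuinely has to round-trip through the client, which only accepts prices accompanied by an HMAC token the server minted. CATALOG, SECRET, the order dictionaries and the field names are constructed stand-ins.

```python
"""Client-side price tampering: vulnerable total vs. server-side re-pricing.

Added example, not from the 2600 article. The catalog, order dicts, form
field names and SECRET are constructed stand-ins.
"""
import hashlib
import hmac
from decimal import Decimal

# Constructed server-side catalog: the only price the server should believe.
CATALOG = {"SKU-1001": Decimal("249.99"), "SKU-2002": Decimal("89.50")}
SECRET = b"constructed-secret-rotate-me"  # assumption: a real key comes from config/KMS


class PriceTampering(ValueError):
    """Raised when a submitted price or token does not match the server's own."""


def total_vulnerable(order):
    """Trusts the 'price' field exactly as the browser posted it.
    Editing document.forms[0].price in the page sets the price the shopper pays."""
    return sum(Decimal(item["price"]) * int(item["qty"]) for item in order)


def total_hardened(order):
    """Recomputes every line from CATALOG; a posted price is compared, never used."""
    total = Decimal("0")
    for item in order:
        sku = item["sku"]
        if sku not in CATALOG:
            raise PriceTampering(f"unknown sku {sku!r}")
        qty = int(item["qty"])
        if qty <= 0:
            raise PriceTampering(f"bad quantity {qty} for {sku}")
        # A mismatch means the page was edited: log it, do not silently correct it.
        if "price" in item and Decimal(item["price"]) != CATALOG[sku]:
            raise PriceTampering(f"price mismatch for {sku}: posted {item['price']}")
        total += CATALOG[sku] * qty
    return total


def price_token(sku, price):
    """Signs sku|price so a server-issued quote (e.g. a negotiated price that is not
    in CATALOG) can safely round-trip through the browser."""
    msg = f"{sku}|{price}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def total_signed(order):
    """Accepts only prices whose token verifies for that exact sku and price."""
    total = Decimal("0")
    for item in order:
        expected = price_token(item["sku"], item["price"])
        if not hmac.compare_digest(expected, item.get("token", "")):
            raise PriceTampering(f"bad or missing price token for {item['sku']}")
        total += Decimal(item["price"]) * int(item["qty"])
    return total


if __name__ == "__main__":
    tampered = [{"sku": "SKU-1001", "qty": 1, "price": "0.01"}]
    print("vulnerable charges:", total_vulnerable(tampered))
    try:
        total_hardened(tampered)
    except PriceTampering as exc:
        print("hardened rejects:", exc)
```

The HMAC token binds the price to the SKU, so swapping a cheap item's token onto an expensive one fails just as editing the number does; hmac.compare_digest keeps the comparison constant-time.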



Andreas Wuchner of IT RISK Space writes about the difficulty of adhering to privacy laws while doing business internationally. In it, he gives some general definitions, which I have listed below verbatim:

Personal Data
Means any information relating to an identified or identifiable natural person (name, birthday, etc.) or material information (income etc.) of a natural person

Special Categories of Personal Data (Sensitive Data)
EU: e.g. data concerning health or sex life, ...
US: e.g. Social Security Number or credit card data

Key-coded Data (Pseudonymized Data)
Identify a person indirectly by references to an identification number (e.g. Patient Identifier in clinical trials)

De-identified Data (Anonymized Data) is not covered by privacy laws

Full Article: IT Risk Space



Green Dam is China's initiative to require censorware on every Windows PC sold after July 1st. There have been over 7 million downloads of the software, and schools and universities already have it running on their systems. This extends the national-level filtering system to the endpoint of each system. A blacklist of sites is downloaded to the Green Dam client, and users may add their own banned sites to the application.
Dell, as of June 8th, is determining whether it will include the Green Dam software in its distribution.

Researchers at the University of Michigan published a paper on remotely exploitable vulnerabilities in the Green Dam software. They cited programming errors in SurfGd.dll that lead to a buffer overflow which a malicious web page can trigger from the browser to run arbitrary code, for example to download malware.
China has acknowledged these flaws and a patch is expected.

The Wall Street Journal has reported that Solid Oak Software Inc. said it has found pieces of its "Cybersitter" software embedded in the Green Dam software.

The Chinese Daily reported that Bryan Zhang, General Manager of Jinhui Computer System Engineering Company, the author of Green Dam, said, "It is not responsible to crack somebody's software and publish the details, which are commercial secrets."
He also denied that the software contained any stolen "Cybersitter" code, but said the two did maintain a similar list of blacklisted porn websites.

Every country, including the U.S. and Australia, has been struggling with privacy rights versus internet content filtering. The U.S. has the Children's Internet Protection Act (H.R. 4577), and Australia plans to test the implementation of a nationwide content filter with an opt-out feature.

In the U.S., H.R. 2271, the Global Online Freedom Act of 2009, is a bill in committee that would prevent any U.S. business from cooperating with repressive governments in transforming the Internet into a tool of censorship and surveillance, and promote freedom of expression on the Internet.


Links:

Analysis of the Green Dam Censorware System
OpenNet Initiative on Green Dam

Cybersitter and Green Dam

People's Daily Online

The Sydney Morning Herald - Web Censorship plan heads to dead end


The Malaysian Ministry of Science and Technology announced that within the next few months it will provide an Emergency Assistance Service for Internet users experiencing cybersecurity issues. By next year the service is expected to offer the expertise of 1,500 IT security specialists. The Deputy Minister of Science, Technology and Innovation, Datuk Fadillah Yusof, said, "Businesses cannot merely rely on the use of traditional aspects of security, i.e., firewalls, intrusion detection systems and virus scans, because they are no longer enough to protect an organisation from threats and breaches."

He said the Hacker Halted Asia Pacific 2009 event, to be held from November 10 to 13, will expose the latest flaws in information security that affect the global community.

The Malaysian Insider


According to Microsoft Security Bulletin MS09-021 (Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution), an attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user: install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured with fewer rights on the system are less impacted than those who operate with administrative rights.

The update resolves several vulnerabilities at once because the modifications required to address them are located in related files; instead of installing several nearly identical updates, customers need to install only this one.

Fortinet - "All three vulnerabilities lie in 'excel.exe', which is used when processing an Excel file. A maliciously crafted document may contain a malformed 1) BRAI (0x1051) record or 2) Object (0x5d) record or 3) Formula record (0x06) that, when processed, will result in memory corruption and allow a remote attacker to arbitrarily execute code on the victim's machine."

Telus Security Labs - "A buffer overflow vulnerability exists in Microsoft Office Excel products. The vulnerability is due to improper parsing of an Excel file that includes a malformed set of records. Remote attackers can exploit this vulnerability by enticing target users to open a malicious Excel file, potentially causing arbitrary code to be injected and executed in the security context of the current user."
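The three records Fortinet names are BIFF records: a legacy .xls Workbook stream is a flat sequence of records, each a 2-byte little-endian record type and a 2-byte length followed by that many bytes of data. The walker below is an added example, not code from Microsoft, Fortinet or TELUS and not the patched parsing logic (Microsoft did not publish the exact fault conditions); it walks a BIFF8 stream and flags the structural inconsistencies that memory-corruption bugs in record parsers typically start from: a declared length that runs past the stream or past the BIFF8 maximum, a FORMULA or BRAI record whose token-array count (cce) exceeds the record, and an OBJ sub-record whose length overruns its record. It takes the already-extracted Workbook stream (in practice pulled out of the OLE compound file with a library such as olefile, an assumption here); the two sample streams are constructed and contain one deliberately malformed BRAI record and one truncated OBJ record.

```python
"""Structural triage of a BIFF8 (legacy .xls) record stream.

Added example: not code from Microsoft, Fortinet or TELUS, and not the
conditions of the MS09-021 bugs, which were not published. Input is the raw
Workbook stream (extract it from the OLE container first, e.g. with olefile).
"""
import struct

FORMULA, OBJ, BRAI = 0x0006, 0x005D, 0x1051   # record types named in the Fortinet advisory
BOF, EOF = 0x0809, 0x000A
MAX_RECORD_LEN = 8224       # BIFF8 caps the data portion of any record at 0x2020 bytes
FT_END = 0x0000             # OBJ sub-record type that terminates the sub-record list


def walk_biff(stream: bytes):
    """Yield (offset, record_type, declared_len, payload). A payload shorter than
    declared_len means the record claims more bytes than the stream holds."""
    off = 0
    while off + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, off)
        yield off, rtype, length, stream[off + 4: off + 4 + length]
        off += 4 + length


def triage(stream: bytes):
    """Return [(offset, record_type, reason)] for every structurally inconsistent record."""
    findings = []
    for off, rtype, length, payload in walk_biff(stream):
        if length > MAX_RECORD_LEN:
            findings.append((off, rtype, "declared length exceeds BIFF8 maximum"))
        if len(payload) < length:
            findings.append((off, rtype, "declared length runs past end of stream"))
            break  # nothing after this point can be parsed reliably
        if rtype == FORMULA:
            # cell(6) + value(8) + flags(2) + chn(4) + cce(2) = 22 bytes, then cce token bytes
            if length < 22:
                findings.append((off, rtype, "FORMULA shorter than its fixed header"))
            else:
                (cce,) = struct.unpack_from("<H", payload, 20)
                if 22 + cce > length:
                    findings.append((off, rtype, f"FORMULA token array cce={cce} exceeds record"))
        elif rtype == BRAI:
            # id(1) + rt(1) + flags(2) + ifmt(2) + cce(2) = 8 bytes, then cce token bytes
            if length < 8:
                findings.append((off, rtype, "BRAI shorter than its fixed header"))
            else:
                (cce,) = struct.unpack_from("<H", payload, 6)
                if 8 + cce > length:
                    findings.append((off, rtype, f"BRAI token array cce={cce} exceeds record"))
        elif rtype == OBJ:
            # OBJ is a list of sub-records: ft(2) cb(2) data[cb], terminated by ftEnd
            pos = 0
            while pos + 4 <= length:
                ft, cb = struct.unpack_from("<HH", payload, pos)
                if pos + 4 + cb > length:
                    findings.append((off, rtype, f"OBJ sub-record 0x{ft:04x} cb={cb} overruns record"))
                    break
                pos += 4 + cb
                if ft == FT_END:
                    break
    return findings


def _rec(rtype, payload):
    """Build one record: type, length, data."""
    return struct.pack("<HH", rtype, len(payload)) + payload


# Constructed sample: BOF, a valid FORMULA (=1 via ptgInt), a valid OBJ (ftCmo + ftEnd),
# a BRAI whose cce claims 1024 token bytes but carries only 4, then EOF.
SAMPLE = (
    _rec(BOF, b"\x00" * 16)
    + _rec(FORMULA, struct.pack("<HHH", 0, 0, 15) + b"\x00" * 8 + b"\x00\x00" + b"\x00" * 4
           + struct.pack("<H", 3) + b"\x1e\x01\x00")
    + _rec(OBJ, struct.pack("<HH", 0x0015, 0x0012) + b"\x00" * 0x12 + struct.pack("<HH", FT_END, 0))
    + _rec(BRAI, b"\x00\x00" + struct.pack("<HHH", 0, 0, 0x0400) + b"\x00" * 4)
    + _rec(EOF, b"")
)
# Constructed sample whose last record claims 500 bytes the stream does not contain.
SAMPLE_TRUNCATED = _rec(BOF, b"\x00" * 16) + struct.pack("<HH", OBJ, 500) + b"\x00" * 10

if __name__ == "__main__":
    for off, rtype, reason in triage(SAMPLE) + triage(SAMPLE_TRUNCATED):
        print(f"offset {off:#06x} record {rtype:#06x}: {reason}")
```

A finding here is a reason to detonate the file in a sandbox or block it at the gateway, not proof of exploitation: legitimate but damaged workbooks trip the same checks, and a parser that is fuzzed against these three fields is exactly what the bulletin's "malformed record" wording points at.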

Acknowledgments:

Microsoft thanks the following for working with us to help protect customers:

Bing Liu of Fortinet's FortiGuard Global Security Research Team for reporting the Pointer Corruption Vulnerability (CVE-2009-0549), the Object Record Corruption Vulnerability (CVE-2009-0557), and the Field Sanitization Memory Corruption Vulnerability (CVE-2009-0560).

Carsten H. Eiram of Secunia for reporting the Array Indexing Memory Corruption Vulnerability (CVE-2009-0558) and the Record Integer Overflow Vulnerability (CVE-2009-0561).

Sean Larsson and Joshua Drake of VeriSign iDefense Labs for reporting the Record Integer Overflow Vulnerability (CVE-2009-0561).

TELUS Security Labs Vulnerability Research Team for reporting the String Copy Stack-Based Overrun Vulnerability (CVE-2009-0559).

TippingPoint and the Zero Day Initiative for reporting the Record Pointer Corruption Vulnerability (CVE-2009-1134).


If you're finding that protecting your organization's network and data is becoming increasingly challenging, you may want to consider outsourcing your security. Managed Security Service Providers (MSSPs) can offer a cost-effective alternative to managing security yourself. There are four primary reasons to consider using an MSSP:

1) MSSPs have the security expertise that many companies lack. MSSPs can provide guidance on what types of defenses you need and how those defenses should be deployed. Not only are they security experts, but in many cases they can also provide assistance with any regulatory mandate you may be trying to comply with.

2) MSSPs can be less expensive than trying to bring all your security needs in-house. MSSPs achieve economies of scale that smaller organizations simply cannot reach.

3) MSSPs offer 24/7 monitoring of your network.

4) In the event there is some type of security incident, the MSSP can provide forensic help determining how the attack happened, what was compromised and how to avoid being attacked in the future.

So if your company's security is keeping you up nights, consider using an MSSP and let them be the ones losing sleep. That's what they're good at.


Trend Micro's TrendLabs warns of a new, highly distributable autorun worm.

Stealth techniques used by malware are considered a core characteristic that has been developed, improved, redesigned, and reused. Michael Tants, Threat Researcher at Regional TrendLabs in Europe, has notified us of a worm with a unique way of hiding: on infection, WORM_AUTORUN.JFZ writes a copy of itself into every ZIP-compressed file it finds on a system.

This worm may be downloaded from remote sites by other malware. It may also be downloaded unknowingly by a user when visiting malicious web sites.

It drops various files on the affected system, including a copy of itself. It creates and modifies registry entries as part of its installation routine.

When WORM_AUTORUN.JFZ places a copy of itself in an archive, it uses a double extension, appending .GIF and then .SCR.

The .GIF extension is the social engineering factor. Curious users who still have Windows Explorer's default configuration (which hides the extension of known file types) may have an unpleasant experience once they double-click the purported image file. The .SCR extension, on the other hand, is what makes it an executable file.

Writing into data files is not the only way this worm ensures its persistence on a system. It also uses traditional spreading methods, dropping a copy of itself (kkk.exe) together with an autorun.inf into all available physical, removable, and shared drives.
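The two artifacts described above, an executable hidden inside a ZIP behind a double extension and an autorun.inf that launches a dropped program, are both easy to hunt for. The following is an added example, not Trend Micro's code; it scans an in-memory ZIP for entries whose name ends in a data-file extension followed by an executable one, and independently for entries that carry a PE "MZ" header whatever they are called (the worm's copy is an executable no matter how it is named), and it parses the [autorun] section of an autorun.inf for the keys Windows would act on. The archive and autorun.inf it runs against are constructed stand-ins, not samples of the worm.

```python
"""Hunting for WORM_AUTORUN.JFZ-style artifacts: executables hidden in ZIP archives
behind a double extension, and autorun.inf files that launch a dropped program.

Added example, not Trend Micro code. The archive and autorun.inf below are
constructed stand-ins, not samples of the worm.
"""
import io
import re
import zipfile

# Extensions Windows executes on double-click; Explorer hides the final one by default.
EXEC_EXTS = ("exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js")
# A data-file extension immediately followed by an executable one, e.g. holiday.gif.scr
DOUBLE_EXT = re.compile(r"\.(?:gif|jpe?g|png|bmp|txt|doc|pdf|mp3)\.(?:%s)$" % "|".join(EXEC_EXTS), re.I)


def scan_zip(data: bytes):
    """Return [(entry_name, [reasons])] for suspicious entries in a ZIP held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)   # the first two bytes are enough for the PE check
            reasons = []
            if DOUBLE_EXT.search(info.filename):
                reasons.append("double extension: executable disguised as a data file")
            if head == b"MZ":
                reasons.append("PE header: the entry is a Windows executable whatever its name")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def autorun_launch_targets(inf_text: str):
    """Return the programs an autorun.inf would run from its [autorun] section
    (open=, shellexecute=, and shell\\<verb>\\command= keys)."""
    targets = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value.strip())
    return targets


def build_sample_zip() -> bytes:
    """Constructed archive: one clean text file, one clean JPEG, and one entry shaped
    like the worm's dropped copy (image name, .SCR extension, MZ header)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "quarterly numbers")
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr("holiday.gif.scr", b"MZ" + b"\x90" * 64)   # stand-in bytes, not malware
    return buf.getvalue()


# Constructed autorun.inf in the shape the worm drops beside kkk.exe on every drive.
SAMPLE_AUTORUN = "[autorun]\nopen=kkk.exe\nshellexecute=kkk.exe\nicon=kkk.exe\n"

if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()):
        print(name, "->", "; ".join(reasons))
    print("autorun launches:", autorun_launch_targets(SAMPLE_AUTORUN))
```

The .GIF half of the trick depends on Explorer hiding known extensions, which is the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced; setting it to 0 so that extensions are shown, together with disabling AutoRun on removable drives, removes both legs the worm stands on at the endpoint. Run the scanner over archives on file shares and mail gateways rather than only on suspect hosts, since the worm seeds every ZIP it can reach.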

More Links:
WORM_AUTORUN.JFZ

Autorun-worm-invades-zip

Harry Waldron's Corporate IT Security Blog


The Food and Drug Administration recently announced that the Office of the National Coordinator for Health Information Technology is launching the Sentinel Initiative with the ultimate goal of creating and implementing the Sentinel System - a national, integrated, electronic system for monitoring medical product safety.

The Sentinel System, which will be developed and implemented in stages, will ultimately enable the FDA to access the capabilities of multiple existing data systems (e.g., electronic health record systems, medical claims databases) to augment the agency's current capability.

The goal is an understanding of adverse events resulting from treatment, creating new methods of signal detection, data mining, and analysis that enable researchers to generate hypotheses about, and confirm the existence and causal factors of, safety problems in the populations using the products.

Currently the focus has been on integrating data from various large databases: MedSun (Medical Product Safety Network), KidNet (a postmarket database of pediatric and neonatal ICUs), HeartNet (data gathered from electrophysiology laboratories), LabNet (data collected from hospital laboratories), SightNet (a collection of data from the use of ophthalmic devices), and HomeNet (a collection of data from home-use devices). The FDA has signed agreements with the Veterans Health Administration (VHA) to build tools and infrastructure for evaluating the safety of drugs, biologics, and medical devices, and with the Department of Defense (DoD) for automated signal generation and data mining tools using the DoD's AHLTA electronic medical record system, as well as to identify influenza vaccine safety issues.

At the core of this collaboration is information technology. The Certification Commission for Healthcare Information Technology (CCHIT) provides certification processes that support interoperability of Electronic Health Records (EHR). The Healthcare Information Technology Standards Panel (HITSP) provides interoperability specifications (HITSP C32, C35, C36) for exchanging patient data between Community Health Centers through the Health Information Exchanges (HIEs) they share.

The Nationwide Health Information Network (NHIN) is being developed to provide a national, secure and interoperable network. This network of networks will connect the diverse entities at the state and regional level (HIEs) that need to exchange health care information. The FDA plans to use the existing NHIN framework to give Sentinel access to diverse networks and retrieve data from a number of healthcare resources.

Healthcare IT services now interconnect patient medical devices, both local and remote to the health facility, to Medical Device Data Systems (MDDS) that collect and store status and performance data from medical devices. The MDDS systems interconnect with EHR systems, which connect to the healthcare network (HIE) and to the NHIN "network of networks". The Holland & Hart Healthcare Law Blog article on Internet Medicine points out the challenges of connecting medical devices to electronic health record systems amid the proliferation of internet worms such as Conficker. Robert Nadler's article from RDN Consulting on medical devices provides a diagram showing the protocols used to connect medical devices to the healthcare network.

In another article, Rex Gantenbein, Ph.D., of the University of Wyoming lays out the federated model of the HIE and its advantages.

Monitoring the efficiency and effectiveness of the control environment of HIE connections, as well as the back-end infrastructure of EHR systems, their trust relationships with medical data systems, and their connections to patient medical devices, will require a strong information security program integrated within the medical IT framework and the medical business supply chain. Preventing intrusions and data breaches will be an ongoing lesson as data is liberated from applications, becomes more liquid, and data silos are taken down. Medical data is valuable, and some people's survival depends on it. Imagine botnets able to infiltrate medical devices or turn off medical monitoring equipment.

Links:
Health Information Technology (HealthIT).
Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information
The FDA Sentinel Initiative.
Common Framework for Networked Personal Health Information



Below are select areas I highlighted from the 76-page White House Cyberspace Policy Review. Throughout, the review clearly favors national awareness programs and special consideration for the development of information security and information technology specialists. At the 2007 Gartner Risk Conference, when CISOs and CIOs were asked where they would like to spend additional funding, the primary answer was information security education and awareness programs.

Many specialists in the information security field felt that the recommendation to create a cyberspace official did not go far enough toward resolving the complex problems across the public, private, and government spaces; many had hoped the office would report directly to the President and were disappointed in the recommendations on this point.

The Whitehouse Cyberspace Policy review documents can be found here:
White House Cyber Space Policy Review

Cyber Review Documents

The December 2008 report by the Commission on Cybersecurity for the 44th Presidency states the challenge plainly: "America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration." The President ordered a "clean slate" review to assess U.S. policies and structures for cybersecurity. National Security Presidential Directive 54 / Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23) defines cyberspace as "the interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries."

The report estimates that in 2008 the systemic loss of U.S. economic value due to intellectual property and data theft was nearly 1 trillion dollars.

"The President should consider appointing a cybersecurity policy official.
The cybersecurity policy official should not have operational responsibility or authority, nor the authority to make policy unilaterally."

"Many advisory bodies touch on cybersecurity-related issues, including the National Security and Telecommunications Advisory Committee (NSTAC), the
National Infrastructure Advisory Council (NIAC), the Critical Infrastructure Partnership Advisory Council (CIPAC), and the Information Security and Privacy Advisory Board (ISPAB). The cybersecurity policy official should review the responsibilities of these bodies and propose changes as necessary to optimize advice and eliminate unnecessary duplication."

"The cybersecurity policy official--in consultation with NSC, OMB, NEC, and OSTP--would define the milestones and success criteria and raise the visibility of cybersecurity within all agency budgets."

"The Nation should implement, for high-value activities (e.g., the Smart Grid), an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy. The public and private sectors' interests are intertwined with a shared responsibility for ensuring a secure, reliable infrastructure upon which businesses and government services depend."

"The Federal government, the private sector, and other stakeholders together should define technology-neutral performance and security objectives for future infrastructure, both to meet its own requirements as a consumer as well as in its capacity as a steward of the public interest."

"The Defense Advanced Research Project Agency (DARPA) describes defense of current Internet Protocol-based networks as a losing proposition and calls for an independent examination of alternate architectures."

Reference - DARPA Assurable Global Networking

Reference - Intrinsically Assurable mobile ad-hoc network (IAMANET)

"The Federal government--in collaboration with industry and the civil liberties and privacy communities--should build a cybersecurity-based identity management vision and strategy for the Nation that considers an array of approaches, including privacy-enhancing technologies. The Federal government must interact with citizens through myriad information, services, and benefit programs and thus has an interest in the protection of the public's private information as well. Increased use of on-line transactions involving financial, health, and commerce require a basis for building trust between the parties to a transaction."

Near Term Action Plan:

1. "Appoint a cybersecurity policy official responsible for coordinating the Nation's cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy."

2. "Prepare for the President's approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes."

3. "Designate cybersecurity as one of the President's key management priorities and establish performance metrics."

4. "Designate a privacy and civil liberties official to the NSC cybersecurity directorate."

5. "Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government."

6. "Initiate a national public awareness and education campaign to promote cybersecurity."

7. "Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity."

8. "Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement."

9. "In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions."

10. "Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation."

© 2010 netForensics, Inc.