Recently in Thoughts Category


iPhone Worms


Here's an interesting story about the second worm detected for Apple's iPhone platform. While the worm itself seems rather limited in its target audience (Dutch banking customers with a "jailbroken" iPhone running SSH with the default password), there are two interesting points here:

The first is that this worm enables the infected devices to act as a botnet. PC-based botnets have long been a problem on the Internet, but I am not aware of any other major platform having supported a botnet until now.

The other point is that the popularity of the iPhone is making it a more desirable target for malware. I am not going to use this opportunity to take sides in the quasi-religious debate about the inherent security of Windows vs. Mac vs. Linux, but it does lend some credence to the argument that Windows is not less secure than other operating systems but is simply targeted more because of its ubiquitous deployment.

To what degree does malware follow a platform's popularity? Time will tell.


United States Power Grid


The National Interest online's article by Richard Clarke outlines how difficult it is for countries to protect their economies from disruption of the data processing that manages the controls of the nation's power grid, fuel supply, food supply chains and so on, or that private commerce depends on to do business.

Although the article concentrates on the United States economy, it is a worldwide concern that the electronic infrastructure controlling the physical and logical stability of nations is fragile and vulnerable, and that our systems are complex, perhaps overly so.

There is real concern that, between nations, the ability to disable another nation's capacity to conduct commerce, or to defend the controls on the infrastructure that supplies services to its citizens, is far too great an advantage in times of political or resource conflict. And then there is, as Richard Clarke points out, the "whodunit" piece.

I don't think this is limited to cyber warfare, either: in conventional warfare, groups have used covert activities to blame conflicts on parties who were not involved, in order to escalate hostility between factions already at odds with each other.


Take the denial of service attacks this past July: was it really who we thought it was, or was it someone else trying to make it look that way? It is not always the most recent notification or alert that lets you work through an incident; often it is the ability to perform historical correlation on transactions that were allowed through trusted environments.

The other point, although it is not usually discussed: where are all the electronics made? Who makes all the components inside the equipment?

Richard Clarke -
"The major difference between cyber war and conventional war--one that makes the battlefield more perilous--is what cyber warriors call "the attribution problem." Put more simply, it is a matter of whodunit. In cyberspace, attackers can hide their identity, cover their tracks. Worse, they may be able to mislead, placing blame on others by spoofing the source."

"The "critical infrastructure" of the transportation, finance, energy and communications sectors are owned and operated by nongovernmental entities, corporations that have proven highly resistant to regulation. The Federal Energy Regulatory Commission (FERC) issued new cybersecurity guidelines to U.S. power companies in January 2008, requiring greater separation of the operations systems from the public Internet."

Richard Clarke was special adviser to the president for cybersecurity in the George W. Bush administration. He is now chairman of Good Harbor Consulting. His book Cyber War, coauthored with Robert Knake, will be published by HarperCollins in the spring.


National Interest Article on War from Cyber Space


Punishment of the Innocent


It is amazing and rather disturbing that a US federal judge has recently ordered Google to lock a Gmail user out of his own account despite the fact that he has done nothing wrong.

It seems that a bank accidentally sent this user a file containing sensitive information. The bank asked the user to destroy it without reading it, but received no answer. At that point it sought legal action.

Again, I am left with questions and thoughts:

- How did this happen? Did someone intend to send this sensitive file by email to a different address and simply mistype it? If so, was the sender not aware of the inherent risks in sending unencrypted email?

- Does the bank have a policy on sending unencrypted sensitive information over the Internet using a protocol like plain SMTP, which offers no confidentiality? If so, does it have any tools to enforce that policy?

- How did the bank discover the mistake? Did the sender realize his or her error and inform the compliance / security group, or was some automated detection system in place?

- What legal responsibility does the innocent email recipient have? Sure, the data is sensitive, but it was freely given to him. Can't he do what he pleases with it (short of committing a crime, such as theft)?

- As much as I would like to see information leakage prevented, I am still disturbed by the legal precedent set here. What if they send it to a corporate email system next time? Does the government have similar authority to disrupt the business of a private organization by forcing a shutdown of its Internet connection?

The onus of correcting this problem should fall 100% on the bank. It should have to compensate the affected customers. It should have to compensate the email recipient for any harm it causes him. And most importantly, it should learn its lesson and prevent this type of leak from happening again.
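The enforcement tooling the questions above ask about usually takes the form of an outbound mail gateway check. The following is an added example, not code from the original post or from the bank involved: it parses an outbound message, flags any To/Cc/Bcc address outside the bank's own domain (the domain example-bank.test and the sample message are constructed for the example), scans the body and text attachments for SSN-shaped strings and Luhn-valid card numbers, and blocks the message only when sensitive data is headed to an external address.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption for the example: the bank's own mail domain. Anything else is "external".
INTERNAL_DOMAIN = "example-bank.test"

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits):
    """Luhn checksum; weeds out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return {'ssn': [...], 'card': [...]} with duplicates removed, order preserved."""
    ssns = list(dict.fromkeys(SSN_RE.findall(text)))
    cards = list(dict.fromkeys(c for c in CARD_RE.findall(text) if luhn_ok(c)))
    return {"ssn": ssns, "card": cards}


def external_recipients(msg, internal_domain=INTERNAL_DOMAIN):
    """Every To/Cc/Bcc address whose domain is not the bank's own."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(raw)
            if addr.rsplit("@", 1)[-1].lower() != internal_domain]


def evaluate(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Gateway decision: block when sensitive data is going to an external address.
    Text attachments are scanned as well as the body, since the misdirected file
    in the story was an attachment."""
    msg = message_from_string(raw_message)
    findings = {"ssn": [], "card": []}
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue  # binary attachments would need a file parser; out of scope here
        payload = part.get_payload(decode=True) or b""
        for kind, hits in scan_text(payload.decode("utf-8", "replace")).items():
            findings[kind] += [h for h in hits if h not in findings[kind]]
    ext = external_recipients(msg, internal_domain)
    action = "block" if ext and any(findings.values()) else "allow"
    return {"external_recipients": ext, "findings": findings, "action": action}


# Constructed outbound message; every value in it is made up for the example.
SAMPLE_MESSAGE = """\
From: loans@example-bank.test
To: customer.one@gmail.test, j.doe@gmail.test
Subject: loan batch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please find the batch attached.
--XYZ
Content-Type: text/csv; name="batch.csv"
Content-Disposition: attachment; filename="batch.csv"

name,ssn,card
A Person,123-45-6789,4111111111111111
B Person,987-65-4320,4111111111111112
--XYZ--
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE_MESSAGE))
```

Real DLP engines add document fingerprinting and parsers for Office and PDF attachments; the Luhn filter is there because 16-digit numbers are common in loan data and a bare regex would drown the mail team in false positives.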


Unintended Consequences


Here's an interesting story making the rounds today about an Ohio man who used a commercial spyware program on an (ex?) girlfriend. He sent the installer to her Yahoo! Mail account, expecting it to track her activities on her home computer. Instead she opened it on a work computer and unknowingly installed the software there, so he ended up with an ongoing screenshot feed from a computer in the pediatric cardiac surgery department of the hospital where she works.

Needless to say, instead of getting juicy details of her online activities a la Joey Greco, he ended up with a feed of sensitive data, including PII and ePHI. While this was indeed an unintended result, he is still on the hook for big fines and possible jail time.

There is a lot of blame to spread around here for sure. There are also many questions (some rhetorical) that popped into my head as I read this:

- How did he convince her to run the installer and infect the PC? Obviously he had an advantage over a random malware spreader, since she knew the sender. Still, it must have required at least a small amount of social engineering skill. She didn't even know she had infected the system (or didn't think it wise to tell anyone).

- Does the hospital have a webmail policy? Does it have the tools to enforce it? Blocking access to Yahoo! Mail at the gateway would have nipped this problem in the bud, at least for the hospital.

- Did the PC in question have adequate anti-malware protection? By the looks of things, whatever they were using was insufficient.

- What else could the hospital have done to prevent the leak of ePHI, in accordance with HIPAA regulations? Of course SIM comes to my mind, but a SIM would need to rely on feeds from web gateways, AV servers, DLP systems, firewalls, etc.

- The hospital is actually lucky here in that the person who stole the sensitive information had no nefarious plans for it. It was shown the weakness of its defenses without paying for an audit, paying a ransom or suffering worse consequences. It should view this incident as a gift and use it to improve its security posture.

- The stalker / boyfriend was clearly in the wrong no matter how you slice things. I imagine it's just as illegal to spy on a private citizen this way as it is to do it to a hospital. To borrow from an old saying: Spyware doesn't steal information - people do.


Here's a good reminder that the security of a system is only as good as its weakest link. In this case, a hacker claims to have broken into numerous accounts belonging to Twitter CEO Evan Williams.

As Download Squad's Lee Matthews points out, the fact that the account(s) were initially breached through "password recovery mechanisms" underscores the inherent weakness of using "secret questions" for account security.

If you've created even a few accounts on the Internet, you are familiar with secret-question security. The idea is that if you forget the password for a particular account, you can ask the site to reset it (and/or send it to an email address) if you can correctly answer a secret question. You selected the question when you created the account and provided the answer at that time: "What is my mother's maiden name?", "What is the name of the elementary school I attended?", and so on.

The weakness, of course, is that a hacker might be able to figure out the answer to this question and gain access to your account. This assumes either that the hacker already has access to your email account, or that the reset mechanism doesn't rely on email at all.

But wait, you say: Williams is a public figure. It can be easy to find all kinds of information on public figures and celebrities. Maybe so, but as regular folks like you and me share more of our personal lives on sites like Facebook, LinkedIn, personal blogs and, yes, even Twitter, it becomes a simple matter for a hacker to find the information necessary to gain access to anyone's online accounts.

Consider how long I would have to search to guess your mother's maiden name by looking through your Facebook friends (surely you must have some maternal relatives there). Do we talk about our kids and our pets on our blogs and tweets? Is it that hard to use Classmates.com to find out who went to what elementary school?

The odds of being specifically targeted in an attack like this are definitely higher for celebrity types. Still, we should all mind the private information we make available to other folks on the Internet, even those who claim to be our friends (do you know whether that Facebook friend really is your long-lost BFF from junior high?). And if you must use a secret question to protect an account, try to find one that is harder to research through public records, or make up a fake answer and make sure you remember it!
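To make the "research through public records" threat concrete, here is an added example that is not part of the original post. It models a site that stores a hash of the normalized secret answer (an assumption about the site; the hashing scheme is illustrative), an attacker who tries a list of surnames harvested from a public friends list (the list is constructed), and the defense recommended above: a made-up, random answer that no amount of research can recover.

```python
import hashlib
import hmac
import math
import secrets


def normalize(answer):
    """Sites usually compare answers case- and whitespace-insensitively, which is
    convenient for users and also shrinks the attacker's search space."""
    return " ".join(answer.strip().lower().split())


def store_answer(answer):
    """What a site might keep on file: a hash of the normalized answer (assumption)."""
    return hashlib.sha256(normalize(answer).encode()).hexdigest()


def research_attack(stored_hash, candidates):
    """Try each researched candidate against the stored hash.
    Returns (matching answer, guesses used) or (None, guesses used)."""
    for n, cand in enumerate(candidates, start=1):
        if hmac.compare_digest(store_answer(cand), stored_hash):
            return cand, n
    return None, len(candidates)


def guess_space_bits(n_candidates):
    """Entropy of an answer drawn from a list the attacker can reconstruct."""
    return math.log2(n_candidates)


def random_answer(nbytes=16):
    """A made-up answer with nbytes*8 bits of entropy; keep it in a password manager."""
    return secrets.token_hex(nbytes)


# Constructed data: surnames an attacker could harvest from a victim's public friends list.
HARVESTED_SURNAMES = ["Nguyen", "Smith", "Kowalski", "Patel", "Garcia", "O'Brien",
                      "Kim", "Johansson", "Rossi", "Okafor", "Dubois", "Tanaka"]

if __name__ == "__main__":
    stored = store_answer("Kowalski")  # victim used the real maiden name
    print(research_attack(stored, HARVESTED_SURNAMES))
    print(f"{guess_space_bits(len(HARVESTED_SURNAMES)):.1f} bits of guess space")
    strong = random_answer()
    print(research_attack(store_answer(strong), HARVESTED_SURNAMES))
```

With a dozen harvested surnames the real answer falls on the third guess and the whole question is worth under four bits; a random 16-byte answer is worth 128 bits and the same harvested list never matches it. The hash makes no difference either way: the weakness is the size of the answer space, not how the answer is stored.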


Conficker Fizzles?


Is it too early to declare that nothing has come of the hype around the wildly successful Conficker worm's purported April 1st surprise? So far, press reports like this one seem to indicate a lack of any April Fool's Day fireworks.

Experts are quick to point out, however, that whatever the owner of this enormous botnet has planned doesn't necessarily need to be executed today. While that is true enough, I wonder whose side time is on.

Despite their popularity and longevity as a genre of malware, individual botnets tend to have an expiration date. This is natural. The lifecycle curve generally starts with a big push of initial infections (if the writers are lucky), followed by AV updates and platform patches, and then a gradual slope downward as the worm becomes trivial to block or remove. Malware variants are, of course, a problem, but they vary in how successfully they continue to evade defenses.

So far Conficker has done a great job in its initial phases, but its success may precipitate its downfall. The publicity and awareness, combined with the widespread availability of removal tools and information, are going to gradually reduce the size and value of this particular botnet, perhaps more rapidly than most.

In that case, doesn't it make sense for the botnet owners to strike while the iron is hot? A day or a week won't make much difference, but I think if we don't see the horsemen of the Internet apocalypse in a week or two, we can probably get a good night's sleep; the end is not nigh. Of course, this worm and others like it are still a huge issue and need to be addressed continually, but there's something about this whole 4/1/09 Conficker scare that smacks of Y2K fever.


Botnet on Routers


In what appears to be a security first, a DNS blacklist organization has discovered a botnet that resides on about 100,000 Linux-based routers and DSL modems.

The root of the problem, it seems, comes down to unpatched router firmware and default passwords. Botnets and most malware take advantage of users who fail to keep things up to date. The twist here is that this code isn't targeting users who forgot to turn on Windows Update, but rather users who are not keeping their router firmware updated and those who never changed the default passwords on these devices.

I guess we shouldn't be surprised. Most users don't take basic security measures on their PCs; why should we expect them to give a second thought to their routers? Still, the potential for malicious botnet activity from unsecured routers is probably substantial. Expect to see a lot more of it in the future.
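Both this post and the iPhone worm post above come down to the same thing: password logins to accounts whose credentials never changed. The audit below is an added example, not code from either story. It parses OpenSSH auth-log lines (the sample lines are constructed; the log year and the list of default accounts are assumptions) and reports two things: successful password logins to default accounts, and a single source that password-logs into several hosts within a short window, which is what a worm hopping between devices looks like from the log side.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not taken from the original page). The year is
# absent, as in real syslog output, so parse_auth_log() assumes one (LOG_YEAR).
SAMPLE_AUTH_LOG = """\
Nov 22 03:14:01 router1 sshd[812]: Accepted password for root from 10.0.0.5 port 51000 ssh2
Nov 22 03:14:03 router2 sshd[411]: Accepted password for root from 10.0.0.5 port 51002 ssh2
Nov 22 03:14:07 router3 sshd[520]: Failed password for root from 10.0.0.5 port 51004 ssh2
Nov 22 03:14:09 router3 sshd[520]: Accepted password for root from 10.0.0.5 port 51004 ssh2
Nov 22 03:14:20 router4 sshd[333]: Accepted password for admin from 10.0.0.5 port 51010 ssh2
Nov 22 09:00:00 router1 sshd[900]: Accepted publickey for ops from 192.168.1.10 port 40000 ssh2
Nov 22 09:05:00 router2 sshd[901]: Accepted password for ops from 192.168.1.10 port 40001 ssh2
"""

LOG_YEAR = 2009  # assumption: syslog lines carry no year

# Accounts that ship with a vendor default password on many devices (assumption for
# the example; tune the set to your own fleet).
DEFAULT_ACCOUNTS = frozenset({"root", "admin"})

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Turn raw sshd lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(f"{LOG_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def find_default_account_logins(events, accounts=DEFAULT_ACCOUNTS):
    """Successful *password* logins to default accounts. Key-based logins to the same
    accounts are not reported: the worms in both stories needed the default password."""
    return [ev for ev in events
            if ev["result"] == "Accepted" and ev["method"] == "password"
            and ev["user"] in accounts]


def find_fanout(events, min_hosts=3, window_seconds=60):
    """Sources that log in by password to at least min_hosts distinct hosts within
    any window of window_seconds. Returns {src: sorted hosts in the widest window}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "Accepted" and ev["method"] == "password":
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        best = set()
        for i, start in enumerate(evs):  # slide the window start over each login
            hosts = {e["host"] for e in evs[i:]
                     if (e["time"] - start["time"]).total_seconds() <= window_seconds}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            flagged[src] = sorted(best)
    return flagged


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for ev in find_default_account_logins(evs):
        print(f"default-account password login: {ev['user']}@{ev['host']} from {ev['src']}")
    for src, hosts in find_fanout(evs).items():
        print(f"worm-like fan-out from {src}: {hosts}")
```

The first check is the policy violation (a default account still accepting a password at all); the second is the behavioral signal, and it fires regardless of which account or password the worm used. In practice you would feed this from the routers' remote syslog, since a compromised device cannot be trusted to keep its own logs.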


There is an interesting Diary entry published this weekend called How to Suck at Information Security, by Lenny Zeltser (Security Consulting, Savvis, Inc.). It's a high-level list, but it has a lot of relevance. I would recommend reading it and adding a comment or two.

One comment refers to deploying IDS/IPS and SIM solutions for the sake of having them without ever managing them. There is a lot to be said about that. If you are just getting monthly status reports from your SIM and not proactively using it for investigation, correlation, notification and integration with your help desk processes, asset management, network management monitoring, vulnerability assessment, operating system events, application events and business processes, you may be missing valuable information. Monthly status reports have some use, but using SIM technology proactively can help you deploy or jump-start an information security program for managing a sustainable environment.
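As an added example of the proactive correlation the paragraph describes (not code from the Diary entry or from any netForensics product), the block below joins four constructed feeds: IDS alerts, vulnerability assessment results, asset criticality and firewall decisions. All hosts, signature names and vulnerability identifiers are placeholders invented for the example.

```python
# Constructed feeds a SIM would pull; every identifier below is a placeholder.
IDS_ALERTS = [
    {"id": 1, "sig": "SIG-A-exploit", "src": "203.0.113.9",  "dst": "10.1.1.20", "severity": 3},
    {"id": 2, "sig": "SIG-A-exploit", "src": "203.0.113.9",  "dst": "10.1.1.21", "severity": 3},
    {"id": 3, "sig": "SIG-B-probe",   "src": "203.0.113.9",  "dst": "10.1.1.22", "severity": 2},
    {"id": 4, "sig": "SIG-A-exploit", "src": "198.51.100.4", "dst": "10.1.1.30", "severity": 3},
]
# IDS signature -> weakness it targets.
SIG_TO_VULN = {"SIG-A-exploit": "VULN-A", "SIG-B-probe": "VULN-B"}
# Vulnerability assessment: host -> open findings.
VULN_SCAN = {"10.1.1.20": {"VULN-A"}, "10.1.1.21": set(),
             "10.1.1.22": {"VULN-B"}, "10.1.1.30": {"VULN-A"}}
# Asset management: host -> business criticality 1..5.
ASSETS = {"10.1.1.20": 5, "10.1.1.21": 5, "10.1.1.22": 2, "10.1.1.30": 3}
# Firewall log: (src, dst) -> action actually taken on the flow.
FIREWALL = {("203.0.113.9", "10.1.1.20"): "allow", ("203.0.113.9", "10.1.1.21"): "allow",
            ("203.0.113.9", "10.1.1.22"): "allow", ("198.51.100.4", "10.1.1.30"): "deny"}


def score_alert(alert, sig_to_vuln=SIG_TO_VULN, vuln_scan=VULN_SCAN,
                assets=ASSETS, firewall=FIREWALL):
    """Priority = IDS severity x asset criticality, tripled when the scan confirms the
    target has the weakness the signature exploits, and zeroed when the firewall log
    shows the traffic never reached the host."""
    if firewall.get((alert["src"], alert["dst"])) == "deny":
        return 0, "blocked at firewall"
    crit = assets.get(alert["dst"], 1)  # unknown assets get the lowest criticality
    vulnerable = sig_to_vuln.get(alert["sig"]) in vuln_scan.get(alert["dst"], set())
    if vulnerable:
        return alert["severity"] * crit * 3, "target confirmed vulnerable"
    return alert["severity"] * crit, "target not vulnerable"


def correlate(alerts=IDS_ALERTS, **feeds):
    """Rank alerts by correlated priority, highest first; ties broken by alert id."""
    rows = []
    for a in alerts:
        score, reason = score_alert(a, **feeds)
        rows.append({"id": a["id"], "src": a["src"], "dst": a["dst"],
                     "score": score, "reason": reason})
    return sorted(rows, key=lambda r: (-r["score"], r["id"]))


def targets_per_source(alerts=IDS_ALERTS):
    """Distinct targets per source: one attacker hitting many hosts is a scan or a
    worm even when each individual alert scores low."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["src"], set()).add(a["dst"])
    return {src: len(dsts) for src, dsts in seen.items()}


if __name__ == "__main__":
    for row in correlate():
        print(row)
    print(targets_per_source())
```

The same four IDS alerts come out as one incident that needs a call tonight (vulnerable, critical, allowed), two that can wait for the morning, and one that is noise because the firewall already dropped it. None of that is visible in a monthly report of alert counts.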

Greetz and tip of the hat to e.keighron (eak)

- Bill


Last year we wrote about the possibility of the Conficker (a.k.a. Downadup.A) back door worm variants, which could be delivered via botnets, becoming an issue if the majority of users avoided updating their Windows operating system. Well, it looks like things really heated up this year when these were unleashed and the variants had extra features added to their arsenal that allowed them to spread faster. Computerworld and Symantec reported on Jan. 12th that 3 million users were infected. On January 14th Computerworld reported that 1.1 million Windows PCs were infected in 24 hours. Panda Software raised its Global Threat Watch to Orange, and F-Secure is now reporting over 8 million users today according to the F-Secure blog.

So despite all the alerts and alarms from Microsoft about this issue, some users thought they might be protected, even though Microsoft had warned that the flaw requires no authentication to attack a PC over the network.

The bad part is that the initial worm spreading is only the beginning: more code is downloaded and run, and data is uploaded to be analyzed by an attacker. This may cause you some anxiety as you fight one thing after another, while new adventures may be unfolding on your other operating systems, through your internal VPNs, and perhaps against your partners and suppliers. Whether you run a small or a large business, it may mean you're already restoring boxes from last week's backups, which may themselves still be infected.

When these massive outbreaks occur, you feel bad not only for the data owners but also for the people who have to put out the fires because they could not get buy-in from the data owners to mitigate the risk.

Sometimes during these outbreaks there is suddenly an immediate need to upgrade. As a system is taken offline at the switch, you can hear the cry from down the hall, "but I just patched my system!", and across the cubicles, "and I ran an antivirus scan! It was clean, I should be OK now." But no. As you get closer you hear the hard drive grinding, the applications are doing all kinds of nice things by themselves, and the antivirus program is probably not the antivirus program any more. We probably can't even count the number of infections on the PC, but judging by the IDS, DLP and firewall logs it's more than one, I'm sure.

This is when the backup and recovery administrators get a bit testy, or their faces turn as white as snow, because they know the task at hand.

Last year everyone was saying that all the worms and viruses seemed to have dropped off: "I have XP SP2 with the firewall enabled, what could happen?" And then one day you and your co-workers are enjoying a nice wormy day and...!!

To all my friends and family: I hope you're not having a nice wormy day and that you upgraded weeks ago.

- Bill Le Roy


WiMAX - LTE and Cloud Computing

This month ABI Research published that new combo chips will be released covering both WiMAX and LTE communications, since many service providers will be offering both technologies depending on geographic location.

What is WiMAX? An industry standard, also known as IEEE 802.16, for broadband wireless metropolitan area networks. Wireless MANs offer an alternative to DSL, cable modems and fiber optic links for connecting homes and businesses to core telecommunication networks. The Wireless MAN MAC offers full quality of service (QoS). http://wirelessman.org/docs/02/C80216-02_05.pdf

3GPP LTE: a new radio interface that can use wide radio channels and delivers extremely high throughput rates. 3GPP Release 8 offers the ability to integrate with non-3GPP networks and optimization for all-IP service providers. http://www.3gamericas.org/PDFs/EDGE_HSPA_and_LTE_Broadband_Innovation_Rysavy_Sept_2008.pdf

While both technologies continue to evolve (or will likely merge by 2013), we could see sustained wireless broadband transfer rates well above 100 Mbps.

Padmasree Warrior, CTO of Cisco Systems, envisions a content-rich MEDIANET with the ability for full content collaboration: "It's not the device or the network, it is the experience." Users will not be discouraged by download speeds or degraded graphics. Users will be able to have My Channel, a personal broadcast channel offering rich multimedia content to family, friends, co-workers and business peers, as well as to those in their immediate surroundings. Warrior cites core infrastructure networks that will be able to support 10 trillion bits/sec, with no difference between wireless and wired networks in the end-user experience and no public and private IPs, just the Network (Mobilize '08).

With the increase in wireless speeds and the availability of Wireless MAN MACs, the use of and need for multimedia resources in cloud computing offerings would accelerate; virtual computing resources, storage and applications available worldwide would enhance the world's experience of collaboration, along with the need for language translation of worldwide content.

The growth of wireless devices continues to explode. Warrior states that, where the world population grows by 4 new babies every second, the mobile computing world sees 30 new mobile devices purchased every second. At least for the immediate future, Ms. Warrior sees this as a sustained growth rate for wireless technology throughout the world, as the rest of the world catches up to the explosion in the availability of information and the ability of end users not only to view content one way but to publish and manage it.

There have been warnings about development and local computing resources moving away from the end user into the cloud, where end users have less control over computing resources and the security and privacy of their information is a concern. The Pew Internet study says that a majority of Internet users already use cloud resources of some form (Internet mail and storage), and that most use these applications for the freedom of worldwide availability, ease of use and ease of sharing information. However, 68% of users said they would be very concerned if their information were analyzed and used to market to them based on their online behavior.

There have been other responses concerning local user application and information security: the majority of users find it increasingly difficult to protect their information and to keep up with security updates for their network operating system and applications.

The Washington Post published an article this month about judges urging standardization of cell phone tracking policies. Depending on the district you are in with your cell phone or GPS-enabled device, there are different policies for tracking your activities.

The International Association of Privacy Professionals and Federal Computer Week have both published articles concerning a paper published by the Constitution Project, calling for the Electronic Communications Privacy Act to be updated to include safeguards for cloud computing. The publication, "Liberty and Security: Recommendations for the Next Administration and Congress", states that private information is on a weaker legal footing when maintained by service providers than when it resides on the local computer, and that the number of conflicting judicial decisions on this question has created uncertainty for service providers and law enforcement.

One thing is certain: as our networks continue to expand beyond a polar or bipolar world, and as information becomes more easily accessible and published, the custodians of the data and the service providers of applications will remain the focus of attacks. Worldwide end users will continue to be phished for the access privileges to zettabytes of data, for their collaboration neighbors, and for the access to weave in and out through the various provider networks and customer data.

In closing, I just wanted to add a reference on global management of information and real-time event reporting in a high-transaction world eventually being run by a single global provider: the James Bond movie "Tomorrow Never Dies".

© 2010 netForensics, Inc