Archive for January, 2009

Data Security Podcast Episode 37 – Jan 26 2009

Posted in darkweb, Podcast, Vulnerabilities with tags , , on January 25, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This weeks program: Heartland Processing breach impacts over 100 million, what went wrong? Two new MAC threats. And, this week’s news.

–> Stream, subscribe or download Episode 37 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System.

Program Notes for Episode 37

-From The News: Medial ID Theft Final Report, part of Congress’ new efforts to appropriate funds for Federally-mandated, centralized electronic medical records.

-From The News: In a story related to our coverage of the Conficker worm, and the Congressional medical data base story, The Register is reporting, “Conficker seizes city’s hospital network.” Comment from Ira: “This story illustrates that Conficker is exposing much larger security issues on corporate networks, as I discussed in last week’s conversation I had with Randy Abrams, of ESET Anti-Virus.”  See Data Security Podcast Eposide 36 for that conversation.

- Tales From The Dark Web: Ira speaks with David Hoelzer, about the 100 million credit card breach at Hearthland Processing. Heartland claims they are PCI-DSS compliant. So, how can this happen? Read David’s blog posting on the topic at the IT and Security Auditing Resources from the SANS Institute.

-MAC Attacks:  New MAC attacks that are harder to uncover.

Cleaning Up Conficker / Downadup Mess, and Reducing the Odds of Getting Stung

Posted in darkweb, Vulnerabilities with tags , on January 23, 2009 by datasecurityblog

As of this writing, the Conficker/ Downadup continues to spread. Latest reports are that there are over 9 million systems infected so far. This posting will provide more details on the attack, how to know if you have been hit, and suggestions for clean-up if you think you are a victim.  There will be more coverage of Conficker/Downadup in Episode 37 of the Data Security Podcast that will post Sunday Night.

First, some important background.

According to anti-virus experts, there are a number of factors that make this attack different than other recent malware attacks. First, there are three methods of infection:

1. USB devices, thumb drives, photo frames, MP3 players, PDAs, plug-in “chip” readers, OR
2. System accounts not protected by very strong passwords, OR
3. One system on a network not having the latest patch, either by poor planning, OR, by the malware turning off updates without an administrator’s knowledge

Second, the attack appears to have a high degree of morphing, making it very difficult to locate and kill. If just one un-patched laptop connects to your network, or just one wrong USB device is plugged in, you could get hit.

Third, according to the AV experts, the attack itself may be a precursor to a larger attack. Reports are that the worm is designed to send data to remote servers, using hundreds of possible domains, with new domains being created at a high rate.

With such a complex attack, you want to make sure that ALL Win2k, XP, and WIN2k3 systems have the patch “MS08-067” from Microsoft applied. For many, Windows Update will apply this patch. But, there are reports that the worm will quietly shut this service down. So, you want to double-check to make sure you are patched.

There are two ways to do that. You can use a patch checking tool. Secunia makes free tools that van be used by business networks and home users. Just visit this link: http://secunia.com/vulnerability_scanning . There is a bonus for using a tool like Secunia: Many systems have out of data third party applications, like Adobe Flash, Java, or iTunes, and attackers are counting on systems missing these critical patches to launch attacks. This would be an excellent time to update all software, not just Windows.

Or, you can launch Micosoft Internet Explorer -> Tools -> Windows Update -> Review your update history -> go back through you patches and look for : KB958644 in your update history. Many systems were updated before January, and you may need to go back to October or November’s patches, depending on your system. If you see the KB958644, you are patched.

Since the worm spreads via removable media (USB, CD, Firewire), I suggest that you get DeviceLock security software to control all removable media. Many reports I have read on this attack are overly focused on disabling Windows autorun on USBs to stop part of attack. But that won’t protect certain versions of this attack that, according to reports, trick users into executing (“clicking on”) the malware when the USB dialog box appears when a device is plugged into a Windows computer. While this attack is called a worm, in reality, it appears to be a blended threat, with behaviors of both worms and viruses, according to reports. Disclosure: DeviceLock has been an advertiser on the Data Security Podcast in the past. I recommended the software for a long time, actually, long before the invention of Podcasting. Why? DeviceLock has granular controls, excellent logging, key logging detection, native to group policy, and supports open source encryption. And, it’s very inexpensive.

The worm also attacks weak passwords. You want to “upgrade” all passwords on your network to strong passwords. With current computing technologies, that now means, 15 characters or more (20+ is better), with upper and lower case letters, numbers and punctuation. Think pass phrase, rather than password. People resist doing this, and the bad guys are counting on it.

Let’s move on to the indications, according to Microsoft, that your systems have been hit by Conficker/Downadup:

“If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:

* Account lockout policies are being tripped.

* Automatic Updates, Background Intelligent Transfer Service (BITS),   Windows Defender, and Error Reporting Services are disabled.

* Domain controllers respond slowly to client requests.

* The network is congested.

* Various security-related Web sites cannot be accessed.”

And more from Redmond on how to clean up the mess once you have been hit: “The Microsoft Malware Protection Center has updated the Malicious Software Removal tool (MSRT). This is a stand-alone binary that is useful in the removal of prevalent malicious software, and it can help remove the Win32/Conficker malware family.

You can download the MSRT from either of the following Microsoft Web sites:

http://www.update.microsoft.com

http://support.microsoft.com/kb/890830

As I have talked about in previous postings on this topic, if you are worried about being vulnerable to this attack, you probably have much larger security issues.

When was your organization’s last security audit?

Are you running intrusion prevention AND anti-virus at the gateway? I have found many network administrators that say YES to that, but upon audit, they are only running intrusion prevention at the gateway, and they are depending on one AV vendor that protects both servers and desktops. The bad guys are counting on that!  A multi-vendor, multi-layered IPS and AV approach is what many networks need.

Are you running data loss prevention (DLP) hardware to detect outbound data loss? Firewalls protect from inbound connections, what measures do you have in place to detect outbound data transfers on all ports (mail, http, https, ftp, and other ports)? If you don’t know what DLP is, find out fast.

Are you encrypting laptop hard drives? TrueCrypt has an excellent, free open source solution. Are you logging all events on a dedicated logging server? Are you encrypting your backups and storing them off-site? Are you deploying virtual machines with security as a focus, not an afterthought?

This is just a partial list. The point is, now is the time to look at your security posture again. The Conficker/ Downadup is just an indicator of how much work remains to be done to secure our information assets.

According the Randy Abrams, at ESET Anti-Virus, the really scary attacks don’t usually make the headlines as they are growing. You may only know long after the data is gone. Just ask the people at Heartland Processing, who just announced the breach of over 100 million transactions. But that incident is for another posting, or for a podcast.

Data Security Podcast Episode 36 – Jan 19 2009

Posted in Breach, darkweb, Podcast, Vulnerabilities with tags , , , , , on January 18, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This weeks program: WPA WiFi encryption might not be so secure as ElcomSoft shows off a new WPA audit tool.  Will the Conficker worm be the worst worm ever? Some don’t think so. And, this week’s news.

–> Stream, subscribe or download Episode 36 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System.

Program Notes for Episode 36

-From The News: The Daily Background blog outlines possible integrity attacks by Belkin. In a related posting, The Reputation Advisor Blog speculates about how members of the Dark Web will spike reputations in concerted integrity attacks.

-Also from The News: Seagate recalls hard drive firmware. Read more on the Seagate site, and where to email them and request a patch. More about the related class action lawsuit regarding these failures, from the law firm of Kabatek, Brown and Kellner LLP.

- Tales From The Dark Web: Elcomsoft Wireless Security Auditor can be used to audit and crack WPA WiFi encryption using off-the-shelf video cards. WARNING: Do not use ANY audit or cracking tool to access a network without the authorization, in writing, of the owner of that network. Then, just before you run the tool, have the owner give you approval a second time. Or, if you are not prepared to get approval do use this tool on someone else’s network, buy your own WPA Wi-Fi access point, and hook it up to your own network to test this tool. There might be a good deal at Circuit City for a cheap testing-only access points. Remember, the cheap, consumer access points usually don’t have the ability to turn off wireless administration, so it’s not smart to use them in production or live environments.

- Will the Conficker worm be “the worst worm ever?” Some members of mainstream media seem to think so. Randy Abrams from ESET (the maker’s of NOD32 anti-virus), thinks that Conficker will not be the worst worm ever, and we talk about strategies to counter this attack, and other more serious attacks. The mainstream media is focused on Conficker, while the members of the Dark Web could be attacking you where you might not expect. Read Randy’s related blog posting, Confused about Conficker?

Want to Clean Conficker/Downadup Worm? You May Need To Start Where You Are NOT Looking

Posted in Breach, darkweb, Vulnerabilities with tags , , on January 18, 2009 by datasecurityblog

I just finished up a discussion with Randy Abrams from ESET about the Conficker/Downadup Worm . The interview will post in a few hours on Data Security Podcast, Episode #36. Randy is a smart security guy, I want to dive into this topic a bit more than I was able to do in the discussion with Randy on the Data Security Podcast.

The focus of many postings I have read on this worm is typically in one of three areas:

1. “This is the biggest worm EVER!” “The sky is falling!” “The end is near!”

2. Apply the following tools to help clean the worm

3. Disable AutoRun on USB ports

The real story here is that the Conficker/Downadup Worm appears to be a small-grade attack, that appears to be focused on selling fake anti-virus software. The attack punches holes in networks, that in many cases, already have very serious security vulnerabilities.

In a previous posting I warned that the Conficker/Downadup Worm is a wake-up call for those that don’ t have any controls on removable media (you know who you are). If ANYONE on the network can plug in a thumb drive, or iPod, or a USB photo frame, including the CEO, CFO, HR, VP of Sales, Admins, then you have a much bigger threat than the Conficker/Downadup Worm.

Many times I hear CIOs tell me that he has shut down USB access. I respond, “For EVERYONE?” And, if the CIO is being honest, he says, “Well, we had to make an exception for the following departments/users ___, ____, and _____, as they must have access to some devices.”

Those exceptions, without compensating controls, breaks the security principal of total mediation – only allowing one way in and out of a system. It is this lack of total mediation that is helping spread the Conficker/Downadup Worm. The good news is that there is great software that can control these physical ports, limit access, provide for access control rules for those that need access, log activities and files, and even encrypt data. My favorite tool for all of that is DeviceLock (disclosure: They have been a sponsor of some episodes of the Data Security Podcast).

Beyond USB, the Conficker/Downadup Worm is a wake up call that now is the time to request the budget for a security audit. The Conficker/Downadup Worm demonstrates that too many organizations have poor patching, poor password management, and poor anti-malware protection. And, in my experience, these organizations do not have adequate layers of security in other areas.

In these tight budget times, I am aware that is is difficult to get budget to do anything “new.” This is a hard sell if you have not had a recent security audit and vulnerability assessment. At the very least, I recommend that you memo the right people i the organization about these risks, and if they reject an audit, then the decision was on their watch. If you don’t inform them, and a far more serious attack or breach than the Conficker/Downadup Worm hits you, you will get the blame.

As Randy Abrams points out, there a throngs of “hackers” attacking areas of your network with attacks that don’t have famous names, and don’t get a headline in the paper. Those are the one’s to be really scared about.

We Want Information!

Posted in Annoucements with tags , , , on January 18, 2009 by datasecurityblog

It is with much sadness that I came to learn that Patrick McGoohan died last week. Patrick was the creator, director, producer, and in many cases, the writer, for The Prisoner Television series in the 1960s. McGoohan was 80 years old.

The Prisoner story line: a secret agent (played by McGoohan) quits his job with the British government. He drives a Lotus 7 in the opening scenes, always a fun segment for fans of fast, light cars.

As he is packing for a far-away trip to a warm island, his house fills with knock-out gas. McGoohan wakes up in a totalitarian town, (“The Village”) where the leadership has total control. McGoohan no longer has a name. He, and everyone else in The Village, is a number. McGoohan in Number 6. There are cameras everywhere, even in the bathrooms. Advanced technologies are used to try control every part of McGoohan’s life, and mind, in The Village.

The leadership wants “information” from McGoohan, and each episode is an attempt to get that information from him, by hook or by crook. McGoohan’s famous line, “I am not a number, I am a FREE MAN!” is in every episode.

One of the best episodes is “Free For All.” It is McGoohan’s take on modern elections. It’s worth a look, as you will discover how timeless the ideas in this program truly are.  If you are interested in data security, privacy and the law, this program will have you thinking long after the episode is over. Below is a segment (as I recall ) from Free For All:

Data Security Podcast Episode 35 – Jan 12 2009

Posted in Breach, darkweb, Podcast, Vulnerabilities with tags , , , , , , on January 11, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This weeks program: There’s a store front on main street that might be a haven for cybercriminals.  Google searches that help spread malware. Plus, this week’s data security news.

–> Stream, subscribe or download Episode 35 – Listen or subscribe to the feed to automatically get the latest episode sent to you to your Google, Yahoo, iTunes, or other popular sites.

–>Tune into the show directly on iTunes, you can also subscribe to the program on iTunes.

This week’s show is sponsored by The Engate Hosted eMail Security System.

Program Notes for Episode 35

- GAO finds IRS still vulnerable to significant data breaches

- Tales From The Dark Web:  Google Code Project Abused by Malware Attackers

Google Search could zap you with malware

Google Site could zap you with malware

Conversation: Ira talks with Ryan Sherstobitoff, Chief Corporate Evangelist of Panda Security. Ira apologizes for not stating Ryan’s family name in the interview. To obtain a free copy of the report on remittance security from Panda Security please contact CriticalAlert@us.pandasecurity.com . Be sure to mention the recent study on remittance security.  Also mentioned in the conversation, Western Union, Vodafone team on mobile money transfer.

Viscous Malware Prevention- Downadup/Conflicker Worm

Posted in Breach, Vulnerabilities with tags , on January 11, 2009 by datasecurityblog

There have been numerous reports about a hard to clean worm hitting networks. The attacks were first hitting overseas networks, and now I am seeing reports  here in the US. There was an extensive eye-witness account on the SANS Advisory Board mailing list (disclosure, I am a member of the SANS Advisory Board). I also have reports from collogues on how difficult it is to remove the Downadup/Conflicker Worm, due, in part to it’s morphing behaviour.

One of my collogues believes that one successful attack orginated from a USB thumb drive that was infected, and then brought into the corporate network. I have talked about the issues of removable media security on the Data Security Podcast.

If you have not already considered security software that protects, controls, audits, logs and encrypts thumb drives – NOW IS THE TIME. The time and labor costs to repair the damage from one attack more than outweighs the cost of security. I also recommend preparing some tools and procedures in the event you do get hit, unless you already have a good incident response plan.

Follow

Get every new post delivered to your Inbox.

Join 1,140 other followers