Archive for February, 2009

Data Security Podcast Episode 41 – Feb 23 2009

Posted in criminal forensics, darkweb, Podcast, Vulnerabilities on February 22, 2009 by datasecurityblog

The Data Security Podcast is the place for 30 minutes of news every week on data security, privacy, and the law.

This week's program: Conficker sequel hits hard; demand for computer forensics training soars, and the SANS Institute fills the gaps; plus, this week's news.

–> Stream, subscribe or download Episode 41 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.

–> Tune into the show directly on iTunes; you can also subscribe to the program there.

This week’s show is sponsored by The Engate Hosted eMail Security System. Tell them you heard about them on the Data Security Podcast and get 50% off their service. Offer good until March 31st, 2009. Tales from The Dark Web Sponsored by DeviceLock Removable Media Security Software.

The Show Notes Page for Episode 40

-From The News: Adobe PDF Zero Day. We suggest that you delete Adobe PDF Reader and install a non-Adobe PDF reader. Try PdfReaders.com and the LostInTechnology.com blog for alternatives to Adobe PDF readers. Read details on the threat at the Shadowserver.org site, including how to disable JavaScript in Adobe PDF Reader. Here are the instructions for a GPO to disable Adobe PDF Reader JavaScript.

-From The News: Nigerian 419 scams are more complex than you might think. One example, from the Salt Lake Tribune: Nigerian web scam bilked Utah out of $2.5M. And there is this excellent article at 419Eater.com that includes an analysis of some of the variations and motivations of these "poor people who are just trying to get by" when they steal and defraud innocent people of millions of dollars/euros/pounds/yen.


- Tales From The Dark Web: Conficker / Downadup strikes back… a newer, stronger variant is out. See details in this blog posting by Ira Victor.

- Conversation: Ira Victor talks with Rob Lee, computer forensics Grand Poobah of The SANS Institute computer forensics program, and the SANS Forensic Blog.

Conficker Worm / Downadup Worm: New Variant Bypasses Some Countermeasures

Posted in darkweb, Vulnerabilities on February 22, 2009 by datasecurityblog

From the Spy vs. Spy Department….

There is a new variant of the Conficker / Downadup worm on the loose. It has new elements designed to circumvent some of the countermeasures to the original attack.

To recap, Conficker-infected machines can contain keyloggers, launch Denial of Service attacks and can become part of a botnet. The worm can spread through USB devices and network shares. Latest reports are that millions of computers are infected.

Conficker B++ uses new techniques to attack systems, giving its creators more flexibility with compromised systems. Some admins have minimized the impact of Conficker by carefully controlling DNS and routing, to prevent the Conficker worm from contacting the mother ship.

The new variant appears to skip the need to contact a mother ship. You may read a detailed report of the new variant in this excellent SRI report. Countermeasures like stronger network passwords and USB control software are still effective means of mitigating Conficker B++.

Some have opined that it is sufficient to turn off autorun on USB to stop the spread of the original Conficker. That tactic ignores the fact that there are reports that some variants of Conficker re-enable autorun. Others try to protect USB by disabling the ports through Active Directory Group Policy. That solution ignores the reality that an exception list starts to build for those who need access to certain USB ports.

The best solution I have found is to deploy third-party software that has granular controls for all removable media ports; shadow-copies the files that are moved, for audit purposes; and deploys as a Group Policy Object, rather than through a separate control panel.

Data Security Podcast Episode 40 – Feb 16 2009

Posted in Breach, criminal forensics, darkweb, ediscovery, Exclusive, Podcast, Vulnerabilities on February 15, 2009 by datasecurityblog


This week's program: Data leaks at Google Calendar? Are so-called smart electric meters a 4th Amendment violation? Plus, this week's news.

–> Stream, subscribe or download Episode 40 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.



The Show Notes Page for Episode 40

-From The News: Are RFID-enabled Passport PASSCards and Enhanced Driver's Licences vulnerable to war driving attacks that threaten personal information? Chris Paget, RSA, students at MIT, Washington University, and many others have researched the vulnerabilities in most deployments of RFID. Here is a video of Chris' $250 "war driving" for PASSCard RFID Passport cards issued by the United States.

-From The News: Meta Data Exposed…read the AP story about the lawsuit.

-From The News: Virut reverse engineering by Nicolas Brulez, of Websense Security Labs

- Tales From The Dark Web: Google Calendar suffers data ‘leak’

- Conversation: Samantha talks with USC Law Professor Jack Lerner about demand response utility metering, and why law enforcement (and criminals) might be interested in your electric energy usage. Read more in this Stanford Technology Law Review article, mentioned in the show.
CLARIFICATION: Professor Lerner notes that demand response is a very promising technology and that the California Energy Commission and California Public Utilities Commission have engaged in fact finding related to the privacy and security implications of demand response technology. In addition to the article we referenced in this program, which Professor Lerner wrote with Professor Deirdre Mulligan, Professors Lerner and Mulligan contributed to a study prepared for the California Energy Commission's Public Interest Energy Research Group titled "Network Security Architecture for Demand Response/Sensor Networks."

- Wrap Up: Get this… Microsoft is offering a $250,000 reward for information leading to the arrest and conviction of those responsible for the Conficker worm. Hey, Microsoft, how about telling us HOW and WHO to contact with the information, because you didn’t include THAT info in the press release, and we can’t find it anywhere on the web, or on your site!

Maybe MSFT Isn't Serious About Its $250k Conficker Reward?

Posted in criminal forensics on February 15, 2009 by datasecurityblog

A few days ago, Microsoft made a big announcement about a $250,000 bounty to help catch the creators of the Conficker worm. We covered that bounty story in Data Security Podcast Episode #40. The only problem: Microsoft apparently didn't tell anyone WHO to contact if you are a successful bounty hunter and have information.

According to Microsoft's press release, "Microsoft Corp. announced a partnership with technology industry leaders and academia to implement a coordinated, global response to the Conficker (aka Downadup) worm… Microsoft also announced a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code…"

And the press release talks on about how important it is for the security community to work together to fight these attacks. There are quotes from ICANN, and a link to where one can get information about the Conficker worm. There is even a blurb about Microsoft's past efforts in putting up bounties to catch bad guys. And the worldwide tech press has picked up this sexy story, since the bounty is payable to anyone, anywhere, due to international law and the global scope of this and other similar attacks.

The press release even gives links that one can follow to get Microsoft's suggestions for protection from Conficker, and general "stay safe online" tips. There are even links to getting more information about the big software company based in Redmond, just in case you were wondering who this company Microsoft is or was.

But here is the rub: there is no contact information provided for the would-be bounty hunter. Not a name, not an email address, not a web site, not even a name for the posse of supporters that has been assembled in the name of catching these malware-writing varmints.

What part of customer service does Microsoft not understand?

I did a number of web searches, and read numerous press accounts of this bounty. But not one that I read gives any information on WHERE and HOW a bounty hunter collects his reward. Has journalism become so sloppy that the WHERE and the HOW are no longer asked by a reporter? Doing a story is more than just a press release "cut and paste job."

I invite any reader of this column to locate the information to help all those would-be bounty hunters. If you find it, let me know the information, and the source of your research results.

Does Google Calendar Post Your Schedule For The World To See?

Posted in Breach on February 15, 2009 by datasecurityblog

Reports have come in from the respected Japanese news service The Yomiuri Shimbun that confidential information in certain Google Calendar accounts is viewable by the public, even when the owner intends the information to be kept private.

The issue appears to be related to how Google displays certain sharing options within the calendar. If someone else knows your user ID, and certain boxes are mistakenly checked by the end user, confidential data can go public.

One doctor has revealed the name of a colostomy patient, a lawyer revealed client information, and one business exposed the “spin” they want employees to use with unhappy customers.

Here is one very revealing quote: "I meant to share the calendar only within our office," said the lawyer, who works at a law firm in the Tohoku region. "Putting information up on the Net is dangerous."

Yes, this quote is from a Google Apps user. So, did this lawyer:

1. NOT know that ALL Google Apps are web apps? Did he think Google Apps were just like Microsoft Exchange or Lotus Notes (i.e., private servers), but with a different name?

2. Know that Google Apps were web apps, but have the common attitude, "I am not the CIA/FBI/KGB/CTU, why would anyone care about my data?"

3. Not know, and not care, since he lets "IT deal with all that computer stuff"?

I don't know anything about Japanese law, but I would think that lawyers there are responsible for securing client data.

How many people do you know that are using Google Calendar and have potentially confidential information on that system? We all know people that are using smart phones. Many of those smart phone users are skipping over BlackBerry Enterprise Server (BES) and using Google Apps to store and access data from the web, smartphone, and desktop. They often say to me, "Hey, it's free or nearly free, and I don't really need to bother with the security on something like a BES."

I have been a long-time advocate of using more secure systems and methods to secure personal information management (PIM) systems. That includes NOT using popular web-based PIMs, as security has never been a priority for these large firms. These large web app firms, correctly or incorrectly, think that most customers don't care enough about security (see reason #2 above) to make these PIM apps more secure.

Most PIM data should be in a secured environment, within layers of security. Due to its superior security, my mobile device is a BlackBerry, connected to a BlackBerry Enterprise Server. I know many people like to be seen using an iPhone so they can appear hip and cool. Very well, but one should secure its access to more secure PIM data with a digital certificate so there is some layer of multi-factor authentication.

It's time for professionals to take all their data more seriously, and to understand that just because an application is popular, it doesn't mean it's safe, or smart for them to use. Read more details in The Yomiuri Shimbun story. I talked more about this in Data Security Podcast Episode 40.

Data Security Podcast Episode 39 – Feb 9 2009

Posted in Breach, darkweb, Podcast, Vulnerabilities, web server security on February 8, 2009 by datasecurityblog


This week's program: Using DNS to neuter Conficker/Downadup; a new, free VPN helps secure RDP and wireless; evil traffic "cops" give tickets with malware; and this week's news.

–> Stream, subscribe or download Episode 39 – Listen, or subscribe to the feed to automatically get the latest episode sent to your Google, Yahoo, iTunes, or other popular sites.



Program Notes for Episode 39

-From The News: Withinwindows.com blogger Rafael Rivera scores a victory in the battle to lock down UAC

-From The News: Consumer Electronics Company Agrees to Settle Data Security Charges; Breach Compromised Data of Hundreds of Consumers


- Tales From The Dark Web: Malware attacks via fake parking tickets.

- Tales From The Dark Web: OpenDNS will block outbound botnet connections to the Conficker/Downadup master. Blocking works for both free unregistered and free registered users. You can set your computer's DNS settings, or your router/firewall/UTM DNS settings, to these IP addresses to start using OpenDNS right away: 208.67.222.222 and 208.67.220.220.

- Conversation: Ira Victor speaks with Egemen Tas, Senior Research Scientist with Comodo Security, about a free VPN application he is working on. This app is a peer-to-peer application to make VPNs easy, and yes, free. If you are using RDP, WiFi in a public hot spot, or other relevant applications, you need to use a VPN. The software is still in beta. It's only for Windows at this time, but Egemen reports that Mac and Linux versions are in the works.

-Wrap Up: Congressman Twitters an Iraq security breach, revealing details of his location in Iraq. Hoekstra's spokesman Dave Yonkman said, "We never agreed to anything as far as not discussing it (beforehand) or during… Congressman Hoekstra believes in giving people in West Michigan as much information as possible."

COMMENTARY: The Implications of the Kaspersky SQL Injection Attacks

Posted in Breach, darkweb, Vulnerabilities, web server security on February 8, 2009 by datasecurityblog

The blogs are abuzz tonight following reports that the Moscow-based anti-virus company Kaspersky has not secured the web application(s) on its US servers from SQL injection attacks.

I have been a fan of Kaspersky because I found their anti-virus software to be effective, and I have often recommended it. If the reports are true, I hope Kaspersky resolves the vulnerability quickly, and puts in place layers of security to protect against similar vulnerabilities in the future. I have not personally attempted to replicate this attack on Kaspersky’s servers. Attempting such penetration tests might constitute a federal felony.

If the report turns out to be accurate, it would be a black eye for Kaspersky. The blogger who first reported the attack has, so far, withheld the confidential information he was able to glean from the site. It is not a stretch to assume that members of the Dark Web have tried similar attacks, and they usually use the confidential information they are able to steal to make money by conducting further information crimes.

There is a reason why the PCI credit card standard mandates running either a Web Application Scanner (WAS) or a Web Application Firewall (WAF). In my day job as a security consultant, I regularly encounter IT managers who say they are compliant with PCI, but in reality they are not. Not running a WAS or WAF is one of the most frequently missing elements.

In the face of constant Dark Web attacks, it is prudent for companies to run a WAS, a WAF, and do web application logic and code checks. It's prudent to have these layers of security for all entities running web applications, regardless of any PCI mandates.
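As an added example (not code from the post or from Kaspersky), here is the kind of defect a code check is meant to catch: a lookup that splices user input into SQL, beside the parameterised form that closes the hole, plus a crude WAF-style screen. The user table and its rows are constructed sample data, and `example.invalid` addresses are placeholders.

```python
"""Added example: a string-built SQL lookup beside its parameterised fix,
plus a crude WAF-style input screen. The user table is constructed
sample data standing in for a web app's user store."""
import re
import sqlite3

# Constructed sample rows (not real accounts).
SAMPLE_USERS = [
    ("alice", "alice@example.invalid", "hash-A"),
    ("bob", "bob@example.invalid", "hash-B"),
    ("carol", "carol@example.invalid", "hash-C"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """BUG (on purpose): user text is spliced into the SQL, so a quote in
    it changes the query's structure instead of being treated as data."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fix: the driver binds the value separately, so it can never
    become SQL, whatever characters it contains."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Crude WAF-style screen: flag quotes, comment markers and OR-tautologies.
# A real WAF normalises encodings first; this only shows the idea.
_SUSPECT = re.compile(r"""(['";]|--|/\*|\bor\b\s+\S+\s*=\s*\S+)""", re.I)


def looks_like_injection(value: str) -> bool:
    """True when the value carries tokens that only make sense as SQL."""
    return bool(_SUSPECT.search(value))


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # the classic teaching tautology
    print("vulnerable:", lookup_vulnerable(db, probe))  # leaks every row
    print("safe:      ", lookup_safe(db, probe))        # returns nothing
    print("flagged:   ", looks_like_injection(probe))
```

The screen will also flag legitimate names containing an apostrophe, which is exactly why the parameterised query, not the filter, is the real control.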

It seems that many organizations build their web applications based upon the functions they need the site to perform, THEN go back in to add security. I don't know if this was the case with Kaspersky, but that practice is the norm in my experience. And the consequences are high for putting security at the end of the project. Listen to Episode 39 of the Data Security Podcast to learn how Geeks.com got busted by the FTC for putting security in place AFTER their site was up and running. The FTC case, in part, relied upon Geeks.com's own Privacy Policy.

I don't know if the FTC will go after Kaspersky, but it seems that the legal theory used to bust Geeks.com might be applicable. Indeed, the Kaspersky US web site's Privacy Policy states: "We have taken security measures, consistent with international information practices, to protect your personal information. These measures include technical and procedural steps to protect your data from misuse, unauthorized access or disclosure, loss, alteration, or destruction."

Yikes! To borrow a phrase, “Moscow, we (may) have a problem.”


Disclosure: The information security company I work for offers Web Application Scanning and Web Application Firewalls as part of its information security offerings. That company also offers a variety of anti-virus and anti-malware solutions.

Tip: Kaspersky is often mispronounced by Americans. Many say: Kah-PEAR-skee. But if you look closely at the name of the company and the name of the founder, it is pronounced: Kah-SPARE-skee.

I have not contacted Kaspersky for a comment on this vulnerability. You can read more about this possible vulnerability at The Hacker’s Blog.
