Tuesday, December 15, 2009

Network Auditing Article on TechTarget

Just a quick post to help folks find the recent article on network auditing on TechTarget's SearchSecurity.
Think of it like this: There's at least a 50/50 chance you have one or more significant network security problems, and an audit is good way to find them. In fact, 43% of survey respondents felt their organizations should audit their networks more frequently...Read more...

Thursday, August 06, 2009

Why Denial of Service is the Dumbest "Hack"

Large chunks of Web 2.0 are not working this morning, apparently because of one or more denial of service attacks. Users of Twitter, Facebook--and many apps and blogs which rely on those services for authorization credentials--are feeling understandably frustrated, yours truly included.

While reports that this DoS event is DefCon-related appear to be mere rumor at this point, it bears repeating: Denial of Service is the Dumbest Hack!

Since the first computer was plugged in, anyone with opposable thumbs has been able to execute a denial of service attack. DoS attacks are like the boiled egg of hacking. The fact that computers connected into a network can be disrupted is old news. Proving it with a DoS attack proves nothing new. So what is the point? Do we want the world to sit up and say "Gosh! All this stuff is connected, and if one part goes down many others are also affected."

Yawn! That is known, proven, accepted, it's history. All you gain by executing such an attack is a lot of anger directed at you by the millions of people whose lives you are messing about. You do not win any prizes for figuring out how to do this. The people who lead the field in figuring out how to execute DoS attacks are the kind of folks who do not execute them.

I watched one of those people demonstrate, in 1996, how to take down any web site with a 386 PC and 28Kbps modem. That was not at DefCon but in a tiny lab somewhere. But I did speak at DefCon that year and gained a lot of respect for serious hackers, not because they wrecked things, but because they had figured out how to, yet they refrained from using that knowledge for gain or fame or to piss people off. Would that all hackers followed that code.

Wednesday, July 08, 2009

Old News? Researchers predict SSNs, crack algorithm

This story is curious to me. About 13 years ago I taught some banking security classes with a chap who could do this in his head. I always assumed the algorithm was widely known in certain circles.

"Social Security numbers have a predictable pattern, according to researchers at Carnegie Mellon University, who have developed a reliable method of cracking a person's SSN based on data gleaned from multiple sources, including profiles on social networking sites."

Search Security Coverage: Researchers predict SSNs, crack algorithm putting identities at risk

Thursday, July 02, 2009

TJX to pay $9.75 million for data breach investigations

As reported by SearchSecurity: "TJX Companies, Inc., which has undergone a barrage of lawsuits as a result of a massive data breach of its systems, agreed to pay $9.75 million, settling a lawsuit brought on by Attorneys Generals from 41 states."

That's on top of many previous costs arising from the fact that "over an 18-month period, hackers exploited a hole in TJX's Wi-Fi network and used a modified sniffer program to monitor and capture data from TJX's transaction systems."

Consider: "In December 2007, TJX settled a lawsuit from dozens of banks, agreeing to pay out $40.9 million to cover costs connected to the retailer's massive data breach."

Monday, April 13, 2009

Better Twitter Signup Could Stall Twitter Woes and Twitter Worms: Why delay the inevitable?

When they say "anyone can get a Twitter account" they mean anyone and anything can get a Twitter account, including malicious 'bots and worms.

I'm all for equality, open access, and ease of access, but I'm not keen to share my social-network-of-choice with machines and anonymous jerks. History tells us that sort of thing eventually leads to spam and worms, both of which threaten to hobble Twitter as they hobbled email. And a lot of the problems now looming with Twitter are preventable, or at least containable, if the folks at Twitter act now, before things get out of hand.

(As for the hobbling of email, make no mistake, email could be very much better than it is right now if it were less prone to abuse. Securing email, which could be done if the large providers would drop their petty greed-based differences, would make it way more useful and productive than the pale shadow it is today--in other words, spammers and worm-writers cost the world billions in lost productivity, on top of the ongoing cost of blocking with their irresponsible crap).

The first step in prevention and protection for Twitter is to require email confirmation for Twitter signup. That would make it harder to do things like this. Right now the Twitter signup process is irresponsibly open, as in "open to abuse" and we are seeing the first Twitter worms right now. Consider what happened recently when I had the pleasure of participating in an elaborate April Fool's caper.

To increase the credibility of our hoax I created a Twitter account in the name of the fake product we launched. I was shocked at how easy this was. Although the Twitter signup process asks for an email address it does not check to make sure the address is real. There is no "confirmation email" such as most forums, bulletin boards, and social networks require. And although Twitter signup uses a captcha, we know captchas can be beaten by any entity who is motivated enough to create fake accounts. (The "fake"account that I created used a valid email address but tests show this is not required--Twitter does try to validate your email address after signup and lets you know if they have a problem with it, but they don't kick you off the system.)

The point is, and I say this with love--because I love to Twitter--the folks at Twitter could do more to prevent abuse. Right now they have a chance to save Twitter from worms and I'm hoping they will learn from the mistakes made by email providers and act now rather than later, when it will be that much harder. I predict email verification will eventually come to Twitter, so why not do it now? The email industry missed several golden opportunities to keep the bad guys and bullies out. Twitter can do better, and I hope it will. I would happily give up the ability to make fake Twitter accounts for April Fool's Day.

Thursday, April 09, 2009

Power Grid Hacking Story = New Low for Journalism

Surely April 8 will be flagged as a new low in the history of American journalism. Why? The "power grid may be hacked" story, and I use the word "story" very intentionally. Everything I heard and saw about this yesterday--from CNN to NBC--was, to put it politely: trash. About the only thing I've seen written about this that made sense was former hacker Kevin Poulsen blogging at Wired:

"The unspoken lesson here is obvious: Chinese Superhackers Are Our Superiors. No, wait. That's not it. I know...Only the intelligence agencies are equipped to protect us from foreign cyber attacks."

See: Put NSA in Charge of Cyber Security, Or the Power Grid Gets It | Threat Level from Wired.com

My own theory was that the large power companies, fearful of localized, alternative power generation, were trying to scare people away from "smart grids." This theory is based on the fact that a lot of the "reporting" suggested smart grids would make our power supply more vulnerable. Yeah, like that's why they're called smart. Does nobody out there in mainstream media remember why the Internet was designed like it is?

I recall, nine, maybe ten years ago, when someone on our penetration testing team said "Can I let some water out of the dam, please, that would be so cool?" Because Yes, we had reached the power company's hydro-electric control panel. We said No to that particular demonstration of how far we had penetrated. After all, it was the power company that had hired us to test their security. And the power company fixed the holes we found. AFAIK they've regularly checked for, and fixed, new ones ever since. The grid is not impenetrable, but this whole legend that "Russian and Chinese hackers are all up in our systems and can pull killer moves at the click of a mouse" just seems like scare-mongering. And people normally carry out scare-mongering for a reason.

Did anyone hear any journalist ask "Why?" As in why would people, foreign or domestic, want to mess with the grid? After all, anyone with a backhoe could drive into the field near my house today and cut the prominently labeled Verizon fiber optic trunk that runs through here (here being a place where lots of people own backhoes). But for years people have somehow avoided the temptation to do this (even deranged broadband addicts bummed out on dialup and convinced by voices in their fillings that cutting the cable was a cheap way to get FIOS, the fastest Internet and best TV picture ever).

Sure, there are some gifted hackers in Russia and China, but there is zero doubt in my mind that America could bring both of those countries to their knees in a matter of minutes if any kind of cyber-war were to break out.

So, as far as I can tell no mainstream journalists bothered to ask Why? Or bothered to think about where this story came from and how come it appeared at this time. The grid was no more or less susceptible on April 8, 2009 than it was on April 7, 2009. And I don't know whether to pity or impugn the talking heads they trotted out to comment on this "story."

Please let me know if you heard anyone in the media, besides Mr. Poulsen, raising the possibility that this story was part of the push by NSA to take over cyber-security from DHS (that's NSA as in "Not Safe Agency" that worked with companies like AT&T to suck the Internet into massive servers so they can read our email and blog posts).

And if you have heard anything to suggest that the Obama administration is about to kick some serious cyber-butt and bring sanity to our secret agencies and critical infrastructure protection programs, I'd really appreciate hearing about it, because frankly I'm getting pretty depressed here.

Saturday, March 28, 2009

Vast Spy System Loots Computers in 103 Countries

Vast Spy System Loots Computers in 103 Countries - NYTimes.com:
By JOHN MARKOFF, Published: March 28, 2009

"TORONTO — A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded."