Sunday, March 25, 2007

Security Appliances Come to Dodge: So where are the horse thieves being hung?

This article, Security Appliances Come to Dodge, by Drew Robb, reminded me of a train of thought I have been following for a while. Here's the opening paragraph:
Sometimes with the Internet it seems like you are living out on the frontier. But unlike the "wild West," which settled down after a few years, computer security threats have continued to rise and show no signs of abating any time soon.
I generally avoid picking apart analogies, but there is a flaw in this one. The Wild West took a lot more than a few years to settle down, which is why the basic Wild West analogy is actually apt. Cyberspace today is like the Wild West, a virtual Deadwood upon Dodge upon Laramie. People of low morals are trying anything they think they can get away with, and often they are getting away with it. There's easy money in ripping off them there virtual wagon trains and consumer pioneers.

What we haven't seen yet is the equivalent of hangings for horse theft, swift and decisive justice for those whose immoral and illegal acts strike at the infrastructure of the information age. We have flirted with the idea. When I spoke at The Global Internet Project special workshop on Internet spam in June of 2002, the chairman asked the audience what should be done about spammers and the suggestion [not from me] that there should be some hangings was widely applauded.

But when I see some of the puny sentences handed out for computer crimes, I wonder if it might be time to make a few examples. Yes, I know that is a dangerous path and there is an inherent risk of fallout from unfairness. Yet think about this: What is more corrosive to the future of our culture and economy: Selling a few ounces of pot or stealing a few million credit card records? From sentencing patterns it would appear that dealing drugs is considered way more immoral than either using drugs or ripping off consumers. America jails more people than any other country. But very few people who commit fraud and deceptions detrimental to commercial trust seem to do serious jail time (it will be interesting to see how much time the likes of Fastow and Ebbers actually serve).

Another one to watch is Brian Salcedo, who got "the longest prison term ever handed down in a computer crime case in the United States" for trying to steal customer credit card data from Lowe's. Not surprisingly, the publications like Wired that still think there is something cool about messing with people's lives [as long as you do it with a computer and not a baseball bat] termed Salcedo's 9 year sentence "Crazy" (see Crazy-Long Hacker Sentence Upheld).

Keen observers will note that the story was written by Kevin Poulsen, who was himself sentenced, in 1991, to 51 months for various criminal hacking offenses committed in the 1980s. At the time it was said to be the longest ever sentence for hacking. Maybe a sentence of 20 years back then, instead of four and a quarter, might have had a more powerful deterrent effect.

Saturday, March 24, 2007

Would Your Competitors Do This? Oracle's suit against SAP a timely lesson

Referring to my previous post about the threat of spying as a "driver" in information system security, this just in:
Oracle recently found that their biggest competitor has been hacking their systems and stealing their data, on a scale that may best be described as "massive."

SAP allegedly employed the usernames and passwords of customers that the firm had lured away from Oracle to download a variety of technical materials. SAP employees used the log-in IDs of multiple customers, combined with phony user log-in information, to gain access to Oracle's system under false pretexts...

Thursday, March 15, 2007

Witches Brew: Cheap domains, DDoS, and man-in-the-middle eBay scams

A rash of recent reports seems to revolve around the great ease and small cost of registering domains. Perhaps it is time to revert to some of the original limitations on domain name registration. Consider that before April 1, 1998, the fee for registering domain names at InterNIC (operated by Network Solutions) was US $100.00 for a two-year registration, and there was a limit on how many names one person could register. On April 1 the fee went down to US $70.00 for a two-year period, and renewals were decreased to $35.00 from $50.00. Even before that, the number of domains registered was already close to 2 million.

According to research from McAfee, cheap or free registration of new domain names drives the growth in Web sites used for spamming or hosting malicious software.

One of the biggest names in domain name registration, GoDaddy, was hit with significant and sustained distributed denial-of-service attacks Sunday, resulting in four to five hours of intermittent service disruptions, including hosting and e-mail.

Symantec has uncovered an unusually sophisticated email scam, targeting eBay users with a combination of legitimate eBay auctions and a Windows Trojan that intercepts a user's web traffic. The "advanced" malware involved, called Trojan.Bayrob, sets up a man-in-the-middle attack, Symantec said in a blog last week.

"While we have previously seen Infostealers that try to steal your username and password, a threat attempting a man in the middle attack on eBay is very unusual," wrote Symantec's Liam O'Murchu. "Man-in-the-middle attacks are very powerful, but are also difficult to code correctly."

Fascinating differences in levels of risk around the world have been mapped by McAfee. For example, "a consumer is almost 12 times more likely to encounter a drive-by-download while surfing Russian domains as Colombian ones."

The Threat of Spies: Often overlooked, often under-estimated, inside and out

I love it when people ask questions about security that cannot be answered definitively, questions like: "What are the three most serious emerging threats?" Indeed, I ask questions like that myself, of others and of myself. Why? Because it gets brains working, and the output can be very valuable.

I have been pondering emerging threats quite a bit this year as a result of preparing my keynote for an enterprise security conference in Malaysia last month. But lately I have been asking myself "What are the most persistent threats?" and also "What are the most under-estimated threats?"

And I think I might have a winner, or at least a threat that is a finalist in both categories: industrial espionage (iconically represented by a patent application drawing).

Clearly industrial espionage has been around for a long time (and I'm talking centuries before the late eighties when British Airways started stealing Virgin Atlantic passengers with lies and bribes and a little database hacking on the side--leading to some pretty messy headlines for BA, not to mention some hefty financial settlements in favor of Virgin and its owner, Richard Branson).

VW did it to GM. Boeing did it to Lockheed. WestJet did it to Air Canada (allegedly). Not only has industrial espionage been around for a while, it has always been, quite consistently in my experience, under-rated as a security threat. As with many areas of information security knowledge there are few hard facts to back up my assertion. But my impression, when dealing with clients, when making presentations at conferences, and when teaching seminars, has always been that most people in business don't think--or maybe prefer not to think--that their competitors would break the law to gain advantage. It is not unusual for senior people to come up to me after a presentation that touches on industrial espionage, or criminal hacking in general, and say something like "Do people really do that?"

Perhaps line managers and executives are so busy worrying about all the other critical stuff--like supply, demand, deadlines, sales targets, profit margins--they just don't want to ponder questions like: Are my competitors prowling my network? Sitting outside our offices with a listening van? Going through our garbage? Bribing our employees?

But chances are, they are. Indeed, I would say that if your company is doing more than $100 million in annual revenue, it is unlikely that your competitors are not performing aggressive competitive intelligence ops against you. And of course, the many, many ways in which our "going digital" has made information easier to copy and move now come into play. In the early nineties VW took 90,000 pages worth of documents from GM in hard-to-hide boxes; today that material would fit on a $30 flash memory card you can buy on the High Street and slip into your sock as you walk through the metal detector undetected.

While the methodology of competitive intelligence (open source, public documents, general and specific observation) is generally legal, it is very easy for such activities to slide into "aggressive competitive intelligence ops" which are illegal. Bear in mind that a lot of spying is done without direct management approval or endorsement. Sometimes employees take it upon themselves.

And thus we arrive at the hidden, two-edged sword of industrial espionage. You are likely to be wounded if you fail to guard against spying from competitors; you may also be wounded by your own staff if you fail to rein them in and they take competitive intelligence too far (and get caught).

Here are a couple of cases to ponder just from the auto parts industry:

Selling secrets to the [Chinese] competition
Selling secrets to the competition

Note that the second link is to article summaries at the New York Times which gives 66 hits on espionage under "Automobiles" alone.

Stay tuned for more on this topic.

P.S. This article by Prof. Mich Kabay, well-respected friend and colleague, gives some examples to get you thinking (but don't think that the examples are not relevant because they are a few years old--I doubt anyone would claim the world is more moral today than it was a decade ago, and it is certainly easier to steal a gigabyte of data in the age of the SD card and USB thumb drive than it was in the age of the floppy and Zip disk).

Nice article here from Sandra Rossi of Computerworld (Australia) on the cost of security breaches: Data leaks equal 8 percent drop in revenue.
"Organisations that experience publicly reported data breaches suffer an eight percent loss of revenue. Compounding the revenue and customer losses are additional expenses averaging $100 per lost or stolen customer record to notify customers and restore data, according to the compliance group which is made up of members from the Computer Security Institute, the Institute of Internal Auditors, Protiviti and Symantec."
While it is hard to arrive at firm numbers to describe security problems (or security solutions), these numbers jibe well with some past assessments. While I have not done a study of revenue impact from security breaches, I did look closely at stock price impact about six years ago and that worked out to about 12-14% if memory serves (hey, this is just a blog, so memory will have to serve for now--I will dig up the actual data when I get a chance). In other words, if you were to suffer a serious and publicized security hit, your stock price would go down by 12 to 14 percent.

And Larry Ponemon did a fairly recent and pretty rigorous study which showed the cost of a security breach was about $182 per lost record (you can read about the survey here). In other words, lose 6,000 records and you have surpassed $1 million in negative impact. These numbers should help security managers convince company executives to take security seriously. (Don't forget to stress "opportunity cost" as in "Even if recovery after a security breach goes well, the money spent on recovery is money not spent on a new product launch, new ad campaign, bonuses, etc.")

Note that the study cited in the Computerworld article above found that: "The primary channels through which data is lost, in order of risk, includes PC's, laptops and mobile devices, e-mail, Instant Messaging, applications and databases."

Tuesday, March 06, 2007

Hard Lessons About Hard Drives: Time to get a drive grinder?

The Times Union of Jacksonville carried an interesting story about hard drives a few days ago. Seems a local businessman had taken his computer to a Best Buy store for repairs.
When told the old hard drive was being replaced--a hard drive that contained information about his clients--he was stunned to learn he wouldn't get it back. The retailer said it would destroy the drive so no one else could get access, but that didn't sit well with Wemhoff. It took a series of calls up the corporate chain of command to get the old drive returned. Best Buy said its policy in this case was to follow the manufacturer's warranty, which often calls for the old hard drive to be sent to the maker, even if it is loaded with personal information.
This led me to send the following letter to the paper, commending the reporter on highlighting this problem and adding some thoughts of my own. I mentioned the grinding or "chipping" of hard drives that spy agencies do, but it seems Georgia Tech is working on a less messy alternative: a powerful degausser.

This approach has a lot to recommend it. Using a less powerful degausser can require the hard drive platters to be removed from the casing, which takes a fair amount of effort (I opened up a dead drive recently and brute force was involved). Note that degaussing a modern drive also wipes the factory-written servo tracks, so the drive is not reusable afterwards; that is the point, but it means you cannot read it back to confirm the data is gone. And despite assurances that degaussing makes the data go away for good, I bet there will still be people in three-letter agencies who opt for physical destruction. It's just so tangible, so very verifiable. Anyway, here's the letter that the Times-Union published today:

"Kudos to Times-Union reporter David Bauerlein for Friday's Metro article drawing attention to the security issues involved in hard drive repair and replacement. As a 25-year veteran of the computer security business I have to say this is one vulnerability that simply refuses to go away. It seems that each new generation of computer users has to learn the hard way (pun intended) that the convenience of hard drive storage comes at a price.

Businesses and individuals not only need to back up their hard drives on a regular basis to pre-empt data loss due to drive failure, they also need to take appropriate steps to keep that data under their control at all times. As your reporter correctly points out, a hard drive sent out for repair is not under your control. The same is true of hard drives on leased machines that are returned and older machines that are given away. Standard policy should be for all data to be stripped from hard drives before they are handed over to anyone else.

The steps you take to remove data from drives should be determined by the sensitivity of the data. A simple format of the drive is not enough to hide the remnants of the data from even a mildly curious hacker. Drives that have stored sensitive personal or business data should be wiped with a so-called scrubber or shredder program which over-writes each sector multiple times.

However, even that may not be enough to totally destroy the data. If the drive falls into the hands of a well-funded adversary, some data might still be recoverable. That's why America's spy agencies routinely grind their old hard drives into powder; not a huge price to pay when state secrets are at risk. Given the negative impact of a security breach on company profits, stock price, and reputation, it could prove to be a cost-effective course of action for many businesses as well. "
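The letter's point that a format is not a wipe is easy to see in miniature. The following is an added example written for this page, not code from the original post or from any product it mentions. It builds a small disk image in memory with a constructed, fictitious client record, "quick formats" it by rewriting only the filesystem metadata region at the front of the device, and shows that a trivial carve for card-number patterns still finds the record; it then overwrites every sector, as a scrubber program does, and the carve comes up empty. The layout (metadata sectors, file at sector 40) and the record are assumptions made for the demo.

```python
"""Added example: why a quick format leaves data behind and an
every-sector overwrite does not. Simulated on an in-memory image;
the layout and the client record are constructed for the demo."""
import os
import re

SECTOR = 512
IMAGE_SECTORS = 256          # 128 KiB toy "drive"
METADATA_SECTORS = 8         # the region a quick format rewrites
# Constructed, fictitious client record (assumption for the demo).
CLIENT_RECORD = b"CLIENT: J. Doe; CARD: 4111-1111-1111-1111; BALANCE: 1234.56"
CARD_RE = re.compile(rb"\d{4}-\d{4}-\d{4}-\d{4}")


def build_image() -> bytearray:
    """Lay out the toy drive: metadata at the front, one file at sector 40."""
    img = bytearray(os.urandom(SECTOR * IMAGE_SECTORS))   # old junk on the platters
    header = b"FS-HEADER v1 file=client.txt at=40"
    img[:SECTOR * METADATA_SECTORS] = header.ljust(SECTOR * METADATA_SECTORS, b"\0")
    off = 40 * SECTOR
    img[off:off + len(CLIENT_RECORD)] = CLIENT_RECORD
    return img


def quick_format(img: bytearray) -> None:
    """A format rewrites only the filesystem metadata; data sectors are untouched."""
    header = b"FS-HEADER v1 (empty)"
    img[:SECTOR * METADATA_SECTORS] = header.ljust(SECTOR * METADATA_SECTORS, b"\0")


def overwrite(img: bytearray, passes: int = 3) -> None:
    """Scrubber behaviour: every sector overwritten on each pass.
    Random fill for the early passes, zeros on the last so a verify read is simple."""
    for p in range(passes):
        for s in range(IMAGE_SECTORS):
            start = s * SECTOR
            fill = bytes(SECTOR) if p == passes - 1 else os.urandom(SECTOR)
            img[start:start + SECTOR] = fill


def carve_cards(img: bytearray) -> list:
    """What a mildly curious person with a hex editor or carving tool does:
    ignore the filesystem entirely and pattern-match the raw sectors."""
    return CARD_RE.findall(bytes(img))


def verify_wiped(img: bytearray) -> bool:
    """Read back every byte; true only if the final zero pass covered the whole image."""
    return not any(img)


def demo() -> dict:
    img = build_image()
    found_before = len(carve_cards(img))
    quick_format(img)
    found_after_format = len(carve_cards(img))   # still there
    overwrite(img)
    found_after_wipe = len(carve_cards(img))     # gone
    return {
        "before": found_before,
        "after_format": found_after_format,
        "after_wipe": found_after_wipe,
        "verified": verify_wiped(img),
    }


if __name__ == "__main__":
    print(demo())
```

The same carving step is why the letter's caveat about well-funded adversaries holds on real hardware: a scrubber can only write to sectors the drive exposes to the operating system, and a drive that has silently remapped worn sectors keeps their old contents in areas no host write will touch, which is where degaussing or grinding comes in.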