Why Denial of Service is the Dumbest "Hack"

Large chunks of Web 2.0 are not working this morning, apparently because of one or more denial of service attacks. Users of Twitter, Facebook--and many apps and blogs which rely on those services for authorization credentials--are feeling understandably frustrated, yours truly included.

While reports that this DoS event is DefCon-related appear to be mere rumor at this point, it bears repeating: Denial of Service is the Dumbest Hack!

Since the first computer was plugged in, anyone with opposable thumbs has been able to execute a denial of service attack. DoS attacks are like the boiled egg of hacking. The fact that computers connected into a network can be disrupted is old news. Proving it with a DoS attack proves nothing new. So what is the point? Do we want the world to sit up and say "Gosh! All this stuff is connected, and if one part goes down many others are also affected."

Yawn! That is known, proven, accepted, it's history. All you gain by executing such an attack is a lot of anger directed at you by the millions of people whose lives you are messing about. You do not win any prizes for figuring out how to do this. The people who lead the field in figuring out how to execute DoS attacks are the kind of folks who do not execute them.

I watched one of those people demonstrate, in 1996, how to take down any web site with a 386 PC and 28Kbps modem. That was not at DefCon but in a tiny lab somewhere. But I did speak at DefCon that year and gained a lot of respect for serious hackers, not because they wrecked things, but because they had figured out how to, yet they refrained from using that knowledge for gain or fame or to piss people off. Would that all hackers followed that code.

Old News? Researchers predict SSNs, crack algorithm

This story is curious to me. About 13 years ago I taught some banking security classes with a chap who could do this in his head. I always assumed the algorithm was widely known in certain circles.

"Social Security numbers have a predictable pattern, according to researchers at Carnegie Mellon University, who have developed a reliable method of cracking a person's SSN based on data gleaned from multiple sources, including profiles on social networking sites."

Search Security Coverage: Researchers predict SSNs, crack algorithm putting identities at risk

TJX to pay $9.75 million for data breach investigations

As reported by SearchSecurity: "TJX Companies, Inc., which has undergone a barrage of lawsuits as a result of a massive data breach of its systems, agreed to pay $9.75 million, settling a lawsuit brought on by Attorneys Generals from 41 states."

That's on top of many previous costs arising from the fact that "over an 18-month period, hackers exploited a hole in TJX's Wi-Fi network and used a modified sniffer program to monitor and capture data from TJX's transaction systems."

Consider: "In December 2007, TJX settled a lawsuit from dozens of banks, agreeing to pay out $40.9 million to cover costs connected to the retailer's massive data breach."

Better Twitter Signup Could Stall Twitter Woes and Twitter Worms: Why delay the inevitable?

When they say "anyone can get a Twitter account" they mean anyone and anything can get a Twitter account, including malicious 'bots and worms.

I'm all for equality, open access, and ease of access, but I'm not keen to share my social-network-of-choice with machines and anonymous jerks. History tells us that sort of thing eventually leads to spam and worms, both of which threaten to hobble Twitter as they hobbled email. And a lot of the problems now looming with Twitter are preventable, or at least containable, if the folks at Twitter act now, before things get out of hand.

(As for the hobbling of email, make no mistake, email could be very much better than it is right now if it were less prone to abuse. Securing email, which could be done if the large providers would drop their petty greed-based differences, would make it way more useful and productive than the pale shadow it is today--in other words, spammers and worm-writers cost the world billions in lost productivity, on top of the ongoing cost of blocking with their irresponsible crap).

The first step in prevention and protection for Twitter is to require email confirmation for Twitter signup. That would make it harder to do things like this. Right now the Twitter signup process is irresponsibly open, as in "open to abuse" and we are seeing the first Twitter worms right now. Consider what happened recently when I had the pleasure of participating in an elaborate April Fool's caper.

To increase the credibility of our hoax I created a Twitter account in the name of the fake product we launched. I was shocked at how easy this was. Although the Twitter signup process asks for an email address it does not check to make sure the address is real. There is no "confirmation email" such as most forums, bulletin boards, and social networks require. And although Twitter signup uses a captcha, we know captchas can be beaten by any entity who is motivated enough to create fake accounts. (The "fake"account that I created used a valid email address but tests show this is not required--Twitter does try to validate your email address after signup and lets you know if they have a problem with it, but they don't kick you off the system.)

The point is, and I say this with love--because I love to Twitter--the folks at Twitter could do more to prevent abuse. Right now they have a chance to save Twitter from worms and I'm hoping they will learn from the mistakes made by email providers and act now rather than later, when it will be that much harder. I predict email verification will eventually come to Twitter, so why not do it now? The email industry missed several golden opportunities to keep the bad guys and bullies out. Twitter can do better, and I hope it will. I would happily give up the ability to make fake Twitter accounts for April Fool's Day.

Power Grid Hacking Story = New Low for Journalism

Surely April 8 will be flagged as a new low in the history of American journalism. Why? The "power grid may be hacked" story, and I use the word "story" very intentionally. Everything I heard and saw about this yesterday--from CNN to NBC--was, to put it politely: trash. About the only thing I've seen written about this that made sense was former hacker Kevin Poulsen blogging at Wired:

"The unspoken lesson here is obvious: Chinese Superhackers Are Our Superiors. No, wait. That's not it. I know...Only the intelligence agencies are equipped to protect us from foreign cyber attacks."

See: Put NSA in Charge of Cyber Security, Or the Power Grid Gets It | Threat Level from Wired.com

My own theory was that the large power companies, fearful of localized, alternative power generation, were trying to scare people away from "smart grids." This theory is based on the fact that a lot of the "reporting" suggested smart grids would make our power supply more vulnerable. Yeah, like that's why they're called smart. Does nobody out there in mainstream media remember why the Internet was designed like it is?

I recall, nine, maybe ten years ago, when someone on our penetration testing team said "Can I let some water out of the dam, please, that would be so cool?" Because Yes, we had reached the power company's hydro-electric control panel. We said No to that particular demonstration of how far we had penetrated. After all, it was the power company that had hired us to test their security. And the power company fixed the holes we found. AFAIK they've regularly checked for, and fixed, new ones ever since. The grid is not impenetrable, but this whole legend that "Russian and Chinese hackers are all up in our systems and can pull killer moves at the click of a mouse" just seems like scare-mongering. And people normally carry out scare-mongering for a reason.

Did anyone hear any journalist ask "Why?" As in why would people, foreign or domestic, want to mess with the grid? After all, anyone with a backhoe could drive into the field near my house today and cut the prominently labeled Verizon fiber optic trunk that runs through here (here being a place where lots of people own backhoes). But for years people have somehow avoided the temptation to do this (even deranged broadband addicts bummed out on dialup and convinced by voices in their fillings that cutting the cable was a cheap way to get FIOS, the fastest Internet and best TV picture ever).

Sure, there are some gifted hackers in Russia and China, but there is zero doubt in my mind that America could bring both of those countries to their knees in a matter of minutes if any kind of cyber-war were to break out.

So, as far as I can tell no mainstream journalists bothered to ask Why? Or bothered to think about where this story came from and how come it appeared at this time. The grid was no more or less susceptible on April 8, 2009 than it was on April 7, 2009. And I don't know whether to pity or impugn the talking heads they trotted out to comment on this "story."

Please let me know if you heard anyone in the media, besides Mr. Poulsen, raising the possibility that this story was part of the push by NSA to take over cyber-security from DHS (that's NSA as in "Not Safe Agency" that worked with companies like AT&T to suck the Internet into massive servers so they can read our email and blog posts).

And if you have heard anything to suggest that the Obama administration is about to kick some serious cyber-butt and bring sanity to our secret agencies and critical infrastructure protection programs, I'd really appreciate hearing about it, because frankly I'm getting pretty depressed here.

Vast Spy System Loots Computers in 103 Countries

Vast Spy System Loots Computers in 103 Countries - NYTimes.com:
By JOHN MARKOFF, Published: March 28, 2009

"TORONTO — A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded."

5 Years After CAN-SPAM

Larry Seltzer at eWeek: "The other big thing that CAN-SPAM did was to set rules for businesses to follow in order to do mass-mailings. These were the most controversial part of CAN-SPAM because they were opt-out instead of opt-in. This is why critics said, and continue to say, CAN-SPAM 'legalized spam.'"

I think the current state of commercial email is largely determined by market forces exerted via new media. Smart companies have found out that customer relations and marketing outreach goes much better if you don't send people email they don't ask for.

The Internet is not only a uniquely self-documenting phenomenon, is self-reflective and self-monitoring. If GM were to start sending out a mass of unsolicited commercial email asking consumers to support the federal bailout, I bet it would be canceled before it was completed. The feedback loops through Twitter and social networks are instant and effective (see the whole Motrim baby debacle: "Motrin Learns: Hell Hath No Fury Like Baby-Wearing Moms").

And hell hath no furry like consumers spammed. Any spammer with a detectable street address, traceable web site, or list phone number would be in big trouble. Not only because of the spam he or she sent, but as a target on which to vent the pent up anger generated by the thousands of spammers who have no detectable street address, traceable web site, or list phone number.

Did CAN-SPAM help or hurt? Five years on I would say it didn't hurt. And it has probably helped. (It certainly gave me something I could wave at companies who were not getting the message; today they all have the message --"Thou shalt not send unsolicited email"--engraved in their policies).

Underground Data Market Tops $275 Million

The market for buying and selling stolen credit card numbers and access to financial accounts has reached the $276 million mark, according to Symantec (as reported by TechTarget).

"Symantec said the total value of the stolen data has risen sharply in recent years as spam gangs and individual phishers sell credit card information in bulk on Web forums and bulletin boards right in the public eye. The market has become so big that phishers have to fight for credibility in a seedy underground where it's common for cybercriminals to phish other phishers."

So, after we sort out the world financial crisis and the fossil fuel crisis and global warming and international terrorism, we will still have these immoral scumbags to deal with? Great!

A new phish frontier: Domain registrar accounts

A new phish frontier: Phishing of domain registrar accounts--Sophos Report
New and expanded attempted to get personal data via domain names warnings--n0w includes Networks Solutions.

WARNING: Enom Phishing Scam

WARNING: Enom Phishing Scam Domain Name News: "We have received several reports of phishing scam emails that at first glance appear to be coming from domain name registrar Enom.com. The emails warn of a complaint for invalid whois information and ask the user to login. Of course the link that the email directs you to is not a valid Enom domain name. The site is likely harvesting user names and passwords to access legitimate Enom accounts."

These are very nasty messages--I just got a couple and they make your heart race at first read because you are informed someone has bought your domain. A pox on the perpetrators!

Medical Alert: HIPAA gets six figure teeth

Ten years ago I started to alert my clients to the emergence of privacy as the new "driver" of data security. Eight years ago I started to warn them about the specific implications of the Health Insurance Portability and Accountability Act ( HIPAA). In the slide deck that I created for my first HIPAA seminar I made sure my audiences were aware of the penalties built into HIPAA, such as fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information.

I can't tell you how many doctors and hospital administrators greeted that slide with disbelief. And, given the lingering arrogance so endemic to America's crumbling health care community, some doctors went so far as to suggest I was simply scare-mongering to scrounge up security consulting work. The attitude among many was something like this: "Nobody would dare to levy fines on us because of some esoteric aspect of patient data storage."

Well, here we are in the Summer of 2008 and the penny has finally dropped. In fact, ten million pennes have dropped. because the HHS, the U.S. Department of Health & Human Services, has collected $100,000 from a hospital that allowed unencrypted personal health data to leave the premises, as detailed in this this comprehensive posting by Sara Kraus over on the privacy law blog.

Providence Health & Services, a Seattle-based not-for-profit health system, was forced to paid $100,000 to HHS and enter into a Corrective Action Plan with the government to avoid a “civil monetary penalty.” That three-year plan is like probation and is no cake walk. Failure to comply could result in more penalties and Providence could still face criminal liability.

The immediate trigger fort this HHS action was "five incidents in 2005 and 2006 in which unencrypted electronic protected health information (“ePHI”) of Providence patients was stored on backup tapes, optical disks and laptops that were taken off-site from Providence by members of its workforce, and then misplaced or stolen, potentially compromising the health information of over 386,000 patients."

So if you are in any way responsbile for health care data, I urge you to read the details in the blog post linked above. You do not want to be next on the HHS hit list. Also note that, as I predicted, there is a cumulative effect to the various and diverse privacy legislation passed during the last ten years. The incidents at Providence might have been hushed up but state notification laws required patients be advised of the loss of their information. Further note that there was no evidence that any personal information was wrongfully used as a result of these incidents. When HHS investigated it focused on Providence's failure to implement policies and procedures to safeguard the ePHI. And that failure cost $100,000.

(FYI, the picture is a hippo skull on which the massive teeth of the beast can be clearly seen -- thanks to Wikimedia for the image.)

News Spam Rolls On: First CNN, now MSNBC

The outbreak of spam that pretends to be a news alert from CNN has now morphed into "BREAKING NEWS" from MSNBC, like this message proclaiming that trading in McDonalds has been suspended.

However, the message is not part of a dump-n-pump stock scam, merely a variant of the basic take-me-to-your-Trojan attack. Indeed, another one of these that I received has the strangely amusing headline: "Study reveals bass players 'every bit as dull as golfers.'" What bass playing recipient could resist checking out that story?

This type of attack looks like it will run for some time (I predict Google will be the next patsy). So information security staff might want to send out a generalized alert to employees warning them to

a. disregard [and delete without reading] any news alerts they have not specifically requested,
b. decline to install any new video players.

And so the world grinds on, with each new technology benefit poisoned by selfish, twisted souls. Sigh...

Nasty New Form of Spam: CNN News Alerts

I have received a handful of these in the past few days, messages that look like they could be a CNN news alert that I had signed up for, except I hadn't.

The subject = "Breaking news" and spammers have designed them like this because many of us humans find it hard to resist a breaking news story. This means a lot of people may open these messages before the spam filters and malware detectors are updated and the security staff get out the word to the troops.

The link inside these messages can be quite goofy, like "Titanic sinks again in 2008." But some people will fall for them. And when they click on the story link they will probably find themselves on a web site in Russian or China. They will then get a message saying that, in order to view the video of the news story, they need to download new video player software. A convenient download is provided, but the software it sends you is a Trojan that takes compromises your system. These messages come hot on the heals of the "Daily Top Ten" from CNN that were very convincingly crafted (including an unsubscribe link that actually appeared to work).

There are only two things that will stem the tide of this garbage:

a. Widespread improvement in the general standards of human behavior.
b. Widespread adoption of new email standards.

Sadly both a and b still appear to be a long way off.

Laptops in Peril at the Airport

My brother, Mike, has been busy this week, responding to questions about the latest Ponemom Institute survey, which suggests a heck of a lot of laptops are separated from their owners at airports. He did more than a dozen radio interviews in one day!

I've worked with Larry Ponemon in the past and he does a pretty mean survey. So if he says 3,800 computers go missing each week from Europe's 24 busiest airports, I'm inclined to believe that's the case. An even more shocking finding is that more than half of these laptops are never retrieved. People traveling with their laptops should take note.

One of the first things I do when I get a new laptop is tape my business card to the bottom of it (taking care not to block any ventilation ports).

Travelers' Laptops May Be Detained At Border

If this wasn't in the Washington Post I would think it was a hoax: Travelers' Laptops May Be Detained At Border. More than anything else, this should awaken those who so far have been complacent to the reality of what our government has been doing to our rights these last 7.5 years.

Scobbs Blog on Hiatus

There won't be any new posts here for a while, but you can catch the latest news and views at Cobbsblog.com.

Trust in Banks Declines: UK distrust rises 47% to 71%

Interesting study indicates banks cannot substitute a virtual presence for local branches and a commitment to community.

Nearly three-quarters of UK customers do not trust their retail bank, and the more virtual a bank is, the lower the level of trust, according to a survey by Unisys.,..When Unisys asked the same questions in 2005 and 2006, 47 per cent of customers indicated that they did not trust their retail bank. This year the figure had risen to 71 per cent....the attributes most cited for eroding trust are 'disrespectful attitudes', 'poor privacy', 'weak IT' (such as websites), 'poor corporate governance' and a 'lack of investment in the local community'.

I'm just speculating here, but I'd say the constant drumbeat of security breaches and phishing scams involving online banking are having an erosive effect on trust.

What SMBs Need to Know About Computer Security Threats

I found a handy set of pages by a Victor Ng titled What SMBs Need to Know About Computer Security Threats in a publication called SMBedge which describes itself as "The Pulse of SMBs in Asia Today."

It is basic infosec 101 material that is handy because you can send that link to someone who doesn't know what infosec is--but should--just to get them started. Ng's material is more current than some of the 'intro' articles I had been using for this purpose in the past. You know, when someone says "So, you're a computer security consultant? I got a question. Should I renew that Symantec software that came with the PC I bought last year for inventory? I heard there are zombies out there." What do you tell them? Ask for their email address and send them a link.

Of course, this may be someone to whom you have just paid money for services rendered at the rate of $1 a minute and they are now inviting you to donate about $20 of your time given them a basic education (although they probably won't see it like that). As a CISSP, I always try to strike a balance between politely doing my civic duty and giving them that 10 minute intro and telling them to just go buy a book (valuing my time at $2 per hour minimum).

Usually it takes less than 5 minutes talking to the SMB to figure out if it is in more immediate danger than the rest of us, i.e. doing something really dumb with their systems. If they are, I am obliged, I think, to advise them to call in a professional. If I have the time I might be the professional and do a 10 minute fix for free, but then you start to encounter others issues, like: the problem you are fixing is just the tip of the iceberg; they have no budget; and what about liability if there is no formal contract?

TJX Discovering Cost of Security Failure

Here is a pretty good reason to make sure your company is doing a good job of protecting customer data: TJX: Data breach damage $25 million and counting.

That's right, according to SearchSecurity, the bottom line for TJX Companies Inc. took a big hit in the first quarter of 2007, thanks to a $12 million charge tied to the security breach that exposed at least 45.7 million credit and debit card holders to identity fraud. In total, the breach has cost the company about $25 million to date. And that doesn't include the cost of customers who decided to shop elsewhere.

TJX executives better hope that they can document the security policies and practices they had in place to prevent the hacking that took place. If a judge deems them to be up to par, they may avoid censure even though they were hacked. An active and well-documented security program is a good defense against charges of negligence or failure to meet the standard of due care.

As Predicted: Lawsuits up the security stakes

As predicted, by myself and numerous other information security experts, lawsuits are becoming an increasingly common response to a security breach. The latest example: The American Federation of Government Employees is suing the Transportation Security Administration after the TSA lost a hard drive containing employment records for some 100,000 individuals, including names, social security numbers, dates of birth, payroll information and bank account routing information,

The drive went missing from the TSA Headquarters Office of Human Capital. The names included various personnel and even U.S. Sky Marshals. The law suit is AFGE, et al v. Kip Hawley and TSA (AFGE = American Federation of Government Employees and Kip Hawley is the TSA Administrator). The AFGE claims, that by failing to establish safeguards to ensure the security and confidentiality of personnel records, the TSA violated both the Aviation and Transportation Security Act and the Privacy Act of 1974.

The Aviation and Transportation Security Act (ATSA) requires the TSA administrator "to ensure the adequacy of security measures at airports." The 1974 Privacy Act requires every federal agency to have in place security measures to prevent unauthorized release of personal records. Losing a hard drive containing employment records for some 100,000 individuals constitutes unauthorized release. Stay tuned for progress in the suit.

TSA web site dedicated to this incident.

Penn College Students Win Award for Computer-Security Video

A reported in PCToday, Penn College Students Win Award for Computer-Security Video. This is REALLY encouraging. Congratulations guys!

I am a big believer in awareness programs. Check out the free podcast of tips on developing successful security awareness programs over at Cobb Associates.

Public Wi-Fi Often Wide Open, But Who Cares?

Nice article by David Colker of the LA Times, republished here in the Chicago Tribune: Public Wi-Fi may turn your life into an open notebook. He vividly reminds us that surfing with your notebook at Starbucks can be a less than private experience. There is quite a bit of personal irony in this for me.

Wi-Fi at Starbucks is served by T-Mobile which made a big noise in October of 2004 about offering secure Wi-Fi at all its hot spots: T-Mobile Rolls Out Strong Security at Wi-Fi Hot Spots. I am personally aware of this because back then I was Chief Security Executive at STSN, now iBAHN, which provides Internet service to thousands of hotels, hotel lobbies, restaurants, and conferences around the world. At the time, iBAHN was close to completing its own roll-out of secure Wi-Fi and was under the impression it would be the first such major provider to offer this level of security at all its locations. Naturally, T-Mobile's announcement stung, partly because it garnered headlines while being ambiguous. Consider this "reporting" which is close to the wording of T-Mobile's press release:

T-Mobile is introducing strong, 802.1x-based authentication and encryption across its network of 4,700 hot spots. The move, which appears to be the first use of advanced 802.1x-based security by a national mobile carrier in U.S. hot spots leverages the existing 802.1x infrastructure used to authenticate GSM (Global System for Mobile Communications)/GPRS (General Packet Radio Service) cell-phone users. "CIOs across the country have been asking for enhanced security, and we're the first U.S. wireless carrier to deliver it.

But T-Mobile was not the first to deliver strong, 802.1x-based authentication and encryption. iBAHN was already doing that, but had not talked about it publicly because the roll-out was not complete. T-Mobile decided to claim the glory by talking about their own roll-out before it was complete. I know because, at the time of the announcement, I was in downtown Chicago and I walked many blocks to test several Starbucks locations to see if 802.1x authentication was indeed available. The results were mixed, some consolation to my boss, Brett Molen, iBAHN's CTO, and CEO David Garrison.

Despite the fact that Brett and David were two of the best bosses I have ever had, I decided to leave iBAHN in 2005 and take a break from the corporate world. For a while I lost track of the secure hotspot debate. But now I am back "on the road again," so to speak, I have had occasion to try the Wi-Fi at Starbucks in several locations around the world over the last six months and have noticed that the logon had changed considerably. It's a lot less complicated, with a lot less warning about potential security problems, than it was in 2004, and 802.1x-based authentication was apparently not offered.

Which suggests that there is considerable truth to what some of us security experts have been saying ever since computers escaped from Fortress Data Center in the eighties: Unless security is really simple and seamless, users won't use it. About the only exception to this is the user who has been educated about the risks. That is why iBAHN spent a lot of time educating its chosen market place (hotels and conferences) about those risks. And that is why iBAHN makes money selling secure connectivity at a premium.

Spector CNE and HTTP Traffic Cops

Remember when SPECTOR stood for Special Executive for Counter-Intelligence, Revenge and Extortion?** Now comes Spector CNE - one of a group of products I've been sniffing around in response to this question: What's to stop employees from copying and pasting confidential company data into blogs and Google App documents?

I've been putting this question to clients lately and not getting very good answers (where 'good'='good for their information security'). I don't feel comfortable sharing specifics on a public web page, but I think this is a big problem for some big companies. I also think this could become yet another front in the endless arms race between the good guys and the bad guys (where 'bad guys'='everyone from ruthless corporate spies to weak-willed individuals under stress, or merely under-trained.) So, if anyone knows of a good http traffic cop, or any other solution to this problem, I'd love to get your comments on it.

**If you already knew what SPECTOR stood for, then you already know the name of its on-screen nemesis. But do you know the make and model of the weapon said nemesis is brandishing in the famous black tie promotional 'shots' for the second movie in the genre? I will email an electronic copy of my privacy book to the first person who sends the right answer to scobb at scobb dot net.

Image Vulnerability: Is anyone looking at the outbound threat?

Remember last summer when the warnings about a surge in image spam started to appear? (Image spam being defined as unsolicited commercial email in which the message is presented as an image rather than text.) Then we saw spam volume drastically increase towards the end of 2007 with much hand-wringing over the difficulties of detecting of image-based spam.

Well, I wonder how many companies have started to worry about the outbound-image threat? A certain percentage of companies do monitor outbound Internet traffic for trade secrets and inappropriate content. Some just monitor email. At least a few monitor web traffic. But I am fairly sure most of this is filtering based on text. Even so, I don't know how many would actually spot an employee typing company secrets into a password-protected blog hosted outside the company.

But what if the employee scans images of confidential company documents and uploads the JPEG files to a blog? Would that trigger a response from information security? Scanning the content of a JPEG for sensitive text is not impossible, but it is certainly processor intensive and in some ways it is not unlike the problem of detecting image-based spam.

Of course, one way of reducing the amount of image-based spam coming into an enterprise is to use the Turntide anti-spam technology that chokes off spam without a filter, instead using a behavior-based approach (now available as the Symantec Mail Security 8100 Series Appliance). Not sure if this would work the other way round. I know there was some discussion of using it to prevent enterprise networks from sending spam. If someone tried to send out 90,000 scanned pages, one after another, as JPEGs, would it show up as an anomaly and trigger some alarms?

BTW, the 90,000 number is not entirely random. In 1992 about twenty cases of confidential documents belonging to General Motors were physically shipped to Volkswagen headquarters in Wolfsburg (many of them allegedly transported aboard a Volkswagen corporate jet, via the Spanish residence of J. Ignacio Lopez de Arriortua, then Vice President at GM in charge of Worldwide Purchasing, later hired by VW). The number of purloined pages was put at 90,000.

BBTW, this piece of infosec trivia was my excuse for featuring Ron Patrick's amazing street legal VW (Beetle) Jet.

White Hat Hacking for Rainy Day Fun: Weak search forms still revealing too much data

What better way to spend a rainy April day than white hat hacking? Experience the thrill of hacking with none of the guilt. I highly recommend this for anyone who has difficulty understanding why hackers do what they do (and you are NEVER going to be a really good information security professional unless you DO understand what hacking is about).

Allow me to swap my white hat for my linguist cap for a moment (B.A. Honours, School of English, University of Leeds--one year behind guitar virtuoso Mark Knopler but way ahead of the wonderfully talented Corinne Bailey Rae--and would you believe I can't even carry a tune, but I digress). It has to be said that hacking is one of the most hotly contested words of the information age. In justifiable homage to the original good-hearted hackers many infosec professionals use the qualifier "criminal hackers" to distinguish the bad guys from the good guys (that's gender-neutral colloquial 'guys' by-the-way). The good guys, who don't break laws, can be referred to as white-hat hackers, the bad guys being black hat. I am actually leaning towards 'bad actors' as a preferred term for the bad guys (with apologies to my thespian readers).

So, one rainy April afternoon I was wearing "my film producer hat" and working the web to promote the film's appearance at two overlapping film festivals, one in Winston-Salem and the other in Columbus, Ohio. Neither the director nor myself could afford to attend these events in person and we were worried that turnout would be low. I decided to surf the web sites of colleges in the target areas and to identify faculty with an academic interest in civil rights history (and thereby interested in the film enough to tell their students about it). In the process I found a classic example of weak web design that was hackable.

After using standard search tools to identify the people I wanted to contact, I looked for their email addresses. Many organizations like schools and hospitals have a directory of staff phone numbers and email addresses. However, to prevent a variety of problems, such as spam, these and other details are not displayed wholesale in a list, but one at a time in response to a name search. In other words, a form on a web page enables users to search a database of people (in infosec terms, this database can be referred to as an asset). The premise is that you have to know the person's name to find their information.

I used this sort of directory to email several professors at several schools. However, I also found something interesting. These forms usually consist of two fields, for Last Name and First name, together with a Submit button. The way it's supposed to work is that you, perhaps an aspiring Physics major, enter Einstein in one field, Albert in the other, click Submit, and get the phone number and email address for Prof. Einstein. However, such forms can be a pain for users who can't recall the professor's full name, so the form might allow you to enter Einstein for the last name and the letter 'A' for the first name. And herein lies a dilemma that can become a problem. How 'vague' to make the search. For example, if I can enter 'D' in the last name field and 'J' in the first name field, I can all Jane and John Does in the database. What you need is a fairly clever set of rules built into the form to control the results of any conceivable form input.

You see, in terms of information security, one can reliably predict that someone (referred to as an agent) will at some point click the Submit button without entering any characters at all in either field. If the result of this action is to reveal all of the records in the database (what we might call a means), one can reliably predict, based on past history, that this method will eventually be used to make a copy of all the records in the database (asset).

Thus, by failing to properly code the handling of form input from this search page, the folks who put up the page have created a vulnerability. This becomes a means of attack and a threat exists if someone figures out how to exploit it to gain unauthorized access to the asset. (This same problem crops up with student directories as well, where you are even less likely to want to grant access to the full list.)

This example nicely displays all of the elements of an information security threat (asset, agent, means). I have seen this type of problem on local government web sites where the effect was enable the attacker to find all the data required to steal a person's identity, or even find all of the special training taken by former military personnel in the area.

As a white hat hacker it is your responsibility to inform the site manager of the problem. You avoid, as I have here, revealing specifics of the problem (e.g. the address of web site where I found this example). Hopefully, they will correct the problem. As for me, I will admit that, wearing my producer hat, I did use some of the email addresses that I found. I did not spam anyone. I sent them personal notes. And maybe it worked. At the Ohio festival Dare Not Walk Alone won the audience award for best film.
.

Photocopier FUD? Americans copying billions of tax docs don't have time to think

So, you've filed your tax return and put away your tax papers until next year, but how much of the very personal information on those tax papers is still out there, accessible to other people (besides you and the IRS)?

The answer could be "a surprisingly large amount," particularly if you used a digital photocopier to make copies of things like your 1040, W2, 1099s, K-1 and so on. We're not talking about leaving your originals in the photocopier, a common enough mistake, but about the fact some digital copiers retain images of those pages until they are over-written by successive copy jobs, a fact highlighted in an AP article last month. This is not a case of unfounded 'fear, uncertainty, and doubt.' The vulnerability highlighted here is real enough to warrant serious attention, particularly in some quarters.

The underlying fact is that many office photocopiers now contain hard drives to which scans of the pages being copied are written before paper copies are printed and those scans are not always erased after the copy job is completed. Steal one of those hard drives and you could get access to some very personal information (and we're not just talking about tax returns and after-hours butt-scans).

The extent to which this 'feature' of digital copiers poses a threat to your privacy depends upon many factors, like who you are and what kind of enemies have you have got. Personally, I'm not too worried. But if I was a key player in a large company in a hotly contested market I would be paying attention to this particular vulnerability.

Note that the possibility someone could read your personal data off the hard drive of a machine you used to copy personal documents is not a threat it is vulnerability--it becomes a threat when a threat agent is willing and able to exploit the vulnerability.

As to exploitation of the vulnerability by a threat agent, the following scenario is entirely plausible: as a key person in your organization you and your spouse are under surveillance by the opposition. They've searched your trash but found nothing useful. Then one of you is seen entering the local copy-shop and spending some time on machine number 9. After you leave, a generic service person enters said copy-shop muttering something about a maintenance flag on copier number 9. He opens the machine, removes the hard drive and mutters something about a spare in the van. Off he goes with a digital copy of whatever papers you ran through that machine.

Variations on this theme are numerous and include the janitor stealing or mirroring office copier hard drives on the night shift (a great way to get a copy of that competitive bid you had to submit in triplicate). Defenses include being more thoughtful about where you do your photocopying, what access you give to the copier, and what copying hardware you use (some digital copiers offer 'safety' features--of which more later).

However, the first thing that struck me when I read the AP article was a sense of deja vu. Hard drives have been built into a lot of large copiers and printers for some time. It was at least 7 years ago that the penetration testing team at my company figured they could run a publicly accessible web site from the hard drive of such a machine located on the internal network of a large public school district (which we had been hired to test, I hasten to add). That tells you a lot about how much thought the folks who design such machines were giving to their potential for abuse.

In other words, many 'new' or 'emerging' information security threats are not so much new as newly realized or newly rediscovered. And this 'newness' is not simply a function of vulnerabilities found or re-found, but also changes in the means and motives of threat agents prepared to exploit them.

Sidebar/postscript: When you read the AP article referenced above you get the distinct impression that it was prompted by copier-maker Sharp and if I were to swap my infosec hat for my entrepreneur hat I'd have to doff it to the folks at Sharp (or Sharp's PR agency) who were behind this. I know from experience it is very difficult to get someone like AP to write a story that comes from your particular perspective. Sharp's perspective is that of a company which has gone to the trouble to makes photocopiers that are more secure (as you can read here). I think this is a good thing and this article was a good fit between education and marketing.
.

Windows & Office Barf Again! Microsoft's recommended Automatic Updates trash data

If you are using Windows and value your time, do this:

1. Go to the Control Panel for Automatic Updates

2. Change the setting from "Automatic (Recommended)" to something like "Download updates for me, but let me choose when to install them."

If you don't do this, you may be set to lose a lot of time and money. Why? Whenever there is a patch Tuesday and the patch requires a reboot, like the one this week, the recommended setting means Microsoft will reboot your system for you, unless you happen to be sitting there at the keyboard to prevent it. Here's a typical scenario:

You spend several hours researching a topic on the web. You have about ten browser tabs open displaying your research results and you are cutting and pasting said results into a Microsoft Word document. The door bell chimes and you rush to answer it. You are a savvy user so even as you head to the door you make a mental note that the two apps you are using have auto-save. Word auto-saves documents. Firefox auto-saves session data. But as you stand at the door signing for a package you hear the "chime of death" from your office, signalling that your Windows machine has restarted. Not only has it restarted, it has, under the control of Microsoft's Automatic update, has trashed your Word documents.

That's right, it has not even created the temporary files that allow you to restore documents when something crashes Word. This is because Microsoft, in its current state of engorged hubris, which can only be described as galactic in scope, does not consider an unapproved system restart of its choosing to be a crash. So it only gives you the last user-saved version of the docs that you have spent an hour compiling.

Let's face it, in the year 2007, twenty years into an OS, twenty five years into an application, this is bad behavior of the worst and mist unforgivable kind. The vendor recommended mode of operation is literally data destructive.

Of course, some readers may say that, "if you are using Windows and value your time," you should switch to a Mac. But Apple has its own share of hubris and I have thousands of dollars invested in software that won't run on a Mac. Come to think of it, I have invested thousands of dollars and hundreds of man-hours creating a computer system that pretty much does what I want it to do, except when the historical recipient of many of thousands of my dollars decides to use its software and ignorance to trash my data.
.

Security Means Availability: Google and others need to address this ASAP in SaaS

As enterprises explore Software as a Service, security experts like David Brussin are keeping a watchful eye. Clearly there are serious security implications whenever data is allowed to live beyond the--hopefully, strongly defended--perimeter of the enterprise fortress. Typically those implications are first thought of in terms of confidentiality and integrity: Will our data be safe from prying eyes and unauthorized access? But the third pillar of security, availability, should not be neglected. How much does strong protection against unauthorized access matter if authorized access is impaired?

Google must be pondering this question right now as news of outages spreads: "Little over a month after introducing Google Apps' Premier version, which includes a 99.99 percent uptime commitment, Google is failing to meet that service level agreement (SLA) for an undetermined number of customers." PC World article highlighted in this succintly titled posting by Ann All on the Straight to the Source blog at IT Business Edge: It's the SLAs Stupid.

This is timely data for me as I have just spent a week over in Europe meeting with executives of a VLO to discuss information security strategy in the context of a possible shift to SaaS as an alternative to out-sourcing (VLO = Very Large Organization).

Actually, I see not one but two availability question marks with SaaS. The first is supplier-side: Will the SaaS vendor's infrastructure keep up with demand. This seems to be the very problem Google is wrestling with right now.

Second is the user-side connectivity question: What use is Google Mail if the user can't get on the Internet? This is such a basic question that I am almost embarrassed to raise it, but I feel I must. Failure to question underlying assumptions is a shortcoming sadly endemic in technology adoption (the classic is probably "Sure, it's safe to handle this stuff" --Madame Curie).

SaaS seems to be predicated upon universal high-speed connectivity, a wonderful thing, but not yet a real thing, and not--perhaps ever--a cheap thing. Try to keep working on an online document as you move from office to train to plane to hotel to client to airport and back to the office. How successful you are will depend upon, among other things: where your home is; what hotel you stay at; what your client's connectivity policies and facilities are like; and your budget. This last item may be even more critical when you consider "working securely on an online document as you move..."

As for enterprise SaaS solely at the office, there will still be two SLAs to consider: Your SaaS vendor SLA and your ISP SLA.

Security Appliances Come to Dodge: So where are the horse thieves being hung?

This article, Security Appliances Come to Dodge, by Drew Robb, reminded me of a train of thought I have been following for a while. Here's the opening paragraph:

Sometimes with the Internet it seems like you are living out on the frontier. But unlike the "wild West," which settled down after a few years, computer security threats have continued to rise and show no signs of abating any time soon.

I generally avoid picking apart analogies, but there is a flaw in this one. The Wild West took more than a few years to settle down. Which is why the basic Wild West analogy is actually apt. Cyber-space today is like the Wild West, a virtual Deadwood upon Dodge upon Laramie. People of low morals are trying anything they think they can get away with, and often they are. There's easy money ripping off them there virtual wagon trains and consumer pioneers.

What we haven't seen yet is the equivalent of hangings for horse theft, swift and decisive justice for those whose immoral and illegal acts strike at the infrastructure of the information age. We have flirted with the idea. When I spoke at The Global Internet Project special workshop on Internet spam in June of 2002, the chairman asked the audience what should be done about spammers and the suggestion [not from me] that there should be some hangings was widely applauded.

But when I see some of the puny sentences handed out for computer crimes, I wonder if it might be time to make a few examples. Yes, I know that is a dangerous path and there is an inherent risk of fallout from unfairness. Yet think about this: What is more corrosive to the future of our culture and economy: Selling a few ounces of pot or stealing a few million credit card records? From sentencing patterns it would appear that dealing drugs is considered way more immoral than either using drugs or ripping off consumers. America jails more people than any other country. But very few people who commit fraud and deceptions detrimental to commercial trust seem to do serious jail time (it will be interesting to see how much time the likes of Fastow and Ebbers actually serve).

Another one to watch is Brian Salcedo, who got "the longest prison term ever handed down in a computer crime case in the United States" for trying to steal customer credit card data from Lowe's. Not surprisingly, the publications like Wired that still think there is something cool about messing with people's lives [as long as you do it with a computer and not a baseball bat] termed Salcedo's 9 year sentence "Crazy" (see Crazy-Long Hacker Sentence Upheld).

Keen observers will note that story was written by Kevin Poulsen who was himself sentenced, in 1991, to 51 months for various criminal hacking offenses committed in the 1980s. At the time it was said to be the longest ever sentence for hacking. Maybe a sentence of 20 years back then, instead four and a quarter, might have had a more powerful deterrent effect.

Would Your Competitors Do This? Oracle's suit against SAP a timely lesson

Referring to my previous post about the threat of spying as a "driver" in information system security, this just in:

Oracle recently found their biggest competitor has been hacking their systems and stealing their data. on a scale that may best be described as "massive."

SAP allegedly employed the usernames and passwords of customers that the firm had lured away from Oracle to download a variety of technical materials. SAP employees used the log-in IDs of multiple customers, combined with phony user log-in information, to gain access to Oracle's system under false pretexts...

Witches Brew: Cheap domains, DDoS, and man-in-the-middle eBay scams

A rash of recent reports seem to revolve around the great ease and small cost of registering domains. Perhaps it is time to revert to some of the original limitations on domain name registration. Consider that before April 1, 1998, the fee for registering domain names at InterNIC (operated by Network Solutions) was US $100.00 for a two year registration and there was a limit on how many names one person could register. On April 1 the fee went down to US $70.00 for a two-year period, and renewals were decreased to $35.00 from $50.00. Despite that, the number of domains registered was already close to 2 million.

According to research from McAfee cheap or free registration of new domain names drives the growth in Web sites used for spamming or hosting malicious software.

One of the biggest names in domain name registration, GoDaddy, was hit with significant and sustained distributed denial-of-service attacks Sunday, resulting in four to five hours of intermittent service disruptions, including hosting and e-mail.

Symantec has uncovered an unusually sophisticated email scam, targeting eBay users with a combination of legitimate eBay auctions and a Windows Trojan that intercepts a user's web traffic. The "advanced" malware involved, called Trojan.Bayrob, sets up a man-in-the-middle attack, Symantec said in a blog last week.

"While we have previously seen Infostealers that try to steal your username and password, a threat attempting a man in the middle attack on eBay is very unusual," wrote Symantec's Liam O'Murchu. "Man-in-the-middle attacks are very powerful, but are also difficult to code correctly."

Fascinating differences in levels of risk around te world have been mapped by McAfee. For example, "a consumer is almost 12 times more likely to encounter a drive-by-download while surfing Russian domains as Columbian ones."