Saturday, November 28, 2009

Common-sense security at $0

Craig and I were privileged to be invited by the fine folks at New Hampshire Local Government Information Network (NHLoGIN) to speak at New Hampshire Local Government Center's Annual Conference on Nov 19.

Special thanks to John Barker of the City of Nashua for recommending us to NHLoGIN. John made a great presentation on accepting credit cards for City Hall business.

We talked about things a non-profit, or a town or city hall, can do with a very meager or non-existent information security budget. The first recommendation was policy, followed by training, and then slowly climbing the maturity curve.

Because you are getting this without us speaking, we feel it is necessary to add a disclaimer: of course, just because something does not cost money to buy does not mean it falls ready-made on your desk some day--it takes time to develop policies, or to deliver (and attend) even free training.

Check out the presentation: Budgeting for Common-Sense Computer Security in Financially Tight Times, and don't forget to use some of the great videos we linked.

Thursday, November 5, 2009

Vista Comment

From Rob Slade, CISSP:
If you play the Windows Vista installation CD backwards, you hear, and may be affected by, Satanic messages.

This is, of course, preferable to playing it forwards.

Tuesday, October 27, 2009

How to prepare for Denial of Service attacks against E-commerce sites

[This is from a response I sent to someone on a mailing list earlier today]

The first thing you should know: unless you are Google or Amazon or some entity of that size and have money to burn, you really should not rely 100% on an on-premise solution against DOS attacks; let your bandwidth or hosting providers be the first defense against it.

You can (and should) have your own solution, but without the protection beginning before your perimeter, the attack will block users from ever reaching you and thus become a successful attack.

Here is why:
The general principle of a DOS attack against an e-commerce site is to send a flood of HTTP requests. Most other types of DOS attack, which exploited known problems with various TCP stacks, were fixed a while ago (or can be handled by various on-premise solutions).

TopLayer, Tipping Point, Arbor and SourceFire (and others) make excellent intrusion prevention systems (IPS) that can block vanilla DOS attacks launched by 1 or 10 computers. But they are not effective against distributed denial of service attacks that go after your bandwidth.

If 20,000 computers hit your website at the same time, your bandwidth is going to be saturated (unless you have a grow-on-demand pipe).

For example, I just measured Amazon's front page: images, stylesheet and everything else combine to about 77.6 KB. Let's say (for this argument's sake) that Amazon's bandwidth is 100 MBps. So that pipe can serve roughly 13,195 page requests per second for that 77.6K page before becoming 100% saturated (100 x 1024 kbps / 77.6 kb/page). I am not even counting the webserver's CPU/memory utilization, since that is inside the perimeter.

It won't matter what IPS they have on-premise; if the pipe is full, legitimate requests are going to be denied or delayed, resulting in a successful Denial of Service attack. This is exactly what happened to Amazon, Yahoo, E-Trade, CNN and some others in Feb 2000.

The bad guys do have thousands of machines with spyware installed at their disposal for this. Some groups reportedly have millions. It is a fact that they rent them out by the hour in blocks of hundreds or thousands for as little as $200 for 10,000 bots. They are mostly used to send out spam, but it is just as easy to launch a Distributed DOS attack.

So a belts and suspenders approach would be:
- Have a good IPS--you need that anyway
- If using Linux servers, look at Netfilter so you can tar-pit the attacks
- If you are in a co-lo, talk to your bandwidth providers (you should have more than 1) about DDOS protection.
- If you are on a hosted server, pick a vendor like RackSpace that provides DoS Mitigation.

I know Cable & Wireless, ATT and Verizon all offer DDOS mitigation. They route the bad packets away from you, and even the RBN does not have enough bots to saturate those pipes.
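The bandwidth arithmetic above, worked through on log data, as an added example that is not code from the original post: it estimates how many loads of a given page a link can carry per second, then scans access-log lines and labels each second that approaches the ceiling as a single-source burst (which an on-premise IPS can drop) or a distributed flood (which only upstream filtering by the bandwidth provider can absorb). Assumptions: a 100 Mbit/s link, a 77.6 KB front page, decimal units with 8 bits per byte, and constructed Apache combined-format log lines rather than real traffic.

```python
# Added example (not from the original post). Assumptions: a 100 Mbit/s link,
# a 77.6 KB front page, decimal units, and constructed Apache-style log lines.
import re
from collections import defaultdict

# source IP, two ignored fields, bracketed timestamp, then a GET request
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET ')

def page_capacity_per_sec(link_mbit, page_kb):
    """Page loads per second before the pipe is 100% full.
    link_mbit is megabits per second; page_kb is kilobytes (1000 bytes)."""
    bytes_per_sec = link_mbit * 1_000_000 / 8
    return bytes_per_sec / (page_kb * 1000)

def per_second_stats(lines):
    """Map each log timestamp (1-second resolution) to
    (request_count, distinct_source_ip_count)."""
    reqs = defaultdict(int)
    srcs = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # skip non-GET or malformed lines
            continue
        ip, ts = m.groups()
        reqs[ts] += 1
        srcs[ts].add(ip)
    return {ts: (reqs[ts], len(srcs[ts])) for ts in reqs}

def classify_second(n_requests, n_sources, capacity, many_sources=50):
    """'ok' below 80% of capacity. Above that, a handful of sources is a
    'single-source burst' an IPS can block by address; many sources is a
    'distributed flood' that fills the pipe regardless of the IPS."""
    if n_requests < 0.8 * capacity:
        return "ok"
    if n_sources >= many_sources:
        return "distributed flood"
    return "single-source burst"

def flag_seconds(lines, link_mbit=100, page_kb=77.6):
    """Return [(timestamp, requests, sources, verdict)] for each second
    that is not 'ok', in timestamp order."""
    cap = page_capacity_per_sec(link_mbit, page_kb)
    flagged = []
    for ts, (n, nsrc) in sorted(per_second_stats(lines).items()):
        verdict = classify_second(n, nsrc, cap)
        if verdict != "ok":
            flagged.append((ts, n, nsrc, verdict))
    return flagged

def _line(ip, ts):
    # Constructed sample line in Apache combined format (example data only).
    return f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 77600 "-" "Mozilla/5.0"'

SAMPLE_LOG = (
    # a quiet second: three visitors
    [_line(f"203.0.113.{i}", "27/Oct/2009:10:00:00 -0400") for i in (1, 2, 3)]
    # one host hammering the front page 140 times in a second
    + [_line("198.51.100.7", "27/Oct/2009:10:00:01 -0400") for _ in range(140)]
    # 200 different hosts, one request each, in the same second
    + [_line(f"192.0.2.{i + 1}", "27/Oct/2009:10:00:02 -0400") for i in range(200)]
)

if __name__ == "__main__":
    print(f"capacity: {page_capacity_per_sec(100, 77.6):.1f} page loads/s")
    for row in flag_seconds(SAMPLE_LOG):
        print(row)
```

With these assumptions the link carries about 161 loads of the 77.6 KB page per second, so the flood of 200 single requests from 200 hosts is already past saturation even though no one address stands out.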

Tuesday, October 13, 2009

Wal-Mart breach in 2005-6: a lesson on things not to do

In 2006, a group of hackers targeted some Wal-Mart developers and stole source code to the Point-of-Sale (POS) system. Wired is reporting that the stolen source code ended up being sent to a server in Minsk, Belarus, in the former Soviet Union.
The Wal-Mart intrusion began unraveling on Nov. 5, 2006, when the company’s IT security group was brought in to investigate the server crash.

Wal-Mart has thousands of servers nationwide, and any one of them crashing would ordinarily be a routine event. But this one raised a red flag. Someone had installed L0phtcrack, a password-cracking tool, onto the system, which crashed the server when the intruder tried to launch the program.

Investigators found that the tool had been installed remotely by someone using a generic network administrator account. The intruder had reached the machine through a VPN account assigned to a former Wal-Mart worker in Canada, which administrators had failed to close after the worker left the company. The day the server crashed, the intruder had been connected to Wal-Mart’s network for about seven hours, originating from an IP address in Minsk, the documents show.

The security team disabled the compromised VPN account, but the intruder, who should have realized the jig was up, came back in through another account belonging to a different Canadian employee. When that VPN account was closed, the intruder grabbed yet a third account while Wal-Mart workers were still scrambling to get a fix on the scope of the breach.

When Wal-Mart reviewed its VPN logs, it found that the activity had begun at least as early as June 2005, according to memos written by Wal-Mart employees during the initial stage of the investigation. The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis.

Wired is also reporting that Wal-Mart held 4 years' worth of unencrypted customer and credit card data at the time, but that data was not breached. So they did not have to disclose it until now.
Wal-Mart had a number of security vulnerabilities at the time of the attack, according to internal security assessments seen by, and acknowledged as genuine by Wal-Mart. For example, at least four years’ worth of customer purchasing data, including names, card numbers and expiration dates, were housed on company networks in unencrypted form. Wal-Mart says it was in the process of dramatically improving the security of its transaction data, and in 2006 began encrypting the credit card numbers and other customer information, and making other important security changes.

Wal-Mart's external IT/PCI auditor, CyberTrust, found some astonishing breaches of common-sense security (this blog abhors the term "Security Best Practices"):
The assessment lasted six days, during which CyberTrust found numerous problems. Each of the five stores, for example, housed complete backup copies of transaction logs on network-connected UNIX servers, which included at least four years’ worth of unencrypted credit card numbers, cardholder names and expiration dates from purchases at the stores.

The auditors also discovered that servers, transaction processing systems, and other network-connected devices handling sensitive information used the same usernames and passwords across every Wal-Mart store nationwide. In some cases, the passwords could be easily guessed. A hacker or malicious insider who compromised a point-of-sale controller or in-store card processor at one store, could “access the same device at every Wal-Mart store nationwide,” CyberTrust wrote.

And of course, the intrusion could be traced back to the VPN account of a system administrator who had left the company but whose account was not shut down (the report does not implicate the employee).

Wal-Mart now claims that they have identified every single finding and are now PCI compliant. Fat lot of good being PCI-compliant did Hannaford.

These companies either forget, or do not understand (we suspect over the strenuous objections of their security people), that being PCI compliant is only the lowest common denominator--they can, and should, do much more.
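The three failures in the story (VPN accounts left open after employees departed, a generic admin account nobody owns, and the same credentials on every store's devices) are all things a short periodic audit can catch. The following is an added example, not code from the original post nor anything from Wal-Mart or CyberTrust; every account name, date, address and hash in it is a constructed placeholder, and the audit date is assumed to be the day the server crashed.

```python
# Added example (not from the original post, Wal-Mart or CyberTrust): an
# offboarding audit that compares the VPN account list and session log with
# the HR roster, plus a check for one credential reused across store devices.
# Every name, date, address and hash below is a constructed placeholder.
from datetime import date, datetime
import hashlib

AUDIT_DATE = date(2006, 11, 5)  # assumed: the day the crashed server was found

# HR roster: account -> last day of employment (None = still employed)
ROSTER = {"jdoe": date(2005, 5, 31), "asmith": date(2006, 9, 15), "bwong": None}

# VPN account store: account -> enabled?
VPN_ACCOUNTS = {"jdoe": True, "asmith": True, "bwong": True, "netadmin": True}

# VPN session log as (timestamp, account, source, result); constructed
SESSIONS = [
    ("2005-06-02 01:13:00", "jdoe", "192.0.2.10", "success"),
    ("2006-11-05 02:00:00", "jdoe", "192.0.2.10", "success"),
    ("2006-11-06 09:00:00", "bwong", "198.51.100.4", "success"),
    ("2006-11-06 23:40:00", "asmith", "192.0.2.10", "success"),
    ("2006-11-07 03:10:00", "jdoe", "192.0.2.10", "failure"),
]

def orphaned_accounts(vpn_accounts, roster, today):
    """Enabled accounts that should not be: the owner has left, or the
    account is not tied to any person on the roster (generic/shared ones)."""
    found = []
    for account, enabled in vpn_accounts.items():
        if not enabled:
            continue
        if account not in roster:
            found.append((account, "not tied to a person"))
        elif roster[account] is not None and roster[account] < today:
            found.append((account, f"owner left {roster[account].isoformat()}"))
    return found

def post_departure_logins(sessions, roster):
    """Successful sessions on an account after its owner's last day. Only
    successes answer this question, which is why a log that records failed
    attempts alone (as in the post) is nearly useless for it."""
    hits = []
    for ts, account, source, result in sessions:
        last_day = roster.get(account)
        if result != "success" or last_day is None:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if when.date() > last_day:
            hits.append((ts, account, source))
    return hits

def reused_credentials(devices):
    """Group devices by (username, password hash); any group larger than one
    means compromising one device opens all the others."""
    groups = {}
    for device, (user, pw_hash) in devices.items():
        groups.setdefault((user, pw_hash), []).append(device)
    return {k: v for k, v in groups.items() if len(v) > 1}

def _h(pw):  # placeholder digest for the constructed inventory only
    return hashlib.sha256(pw.encode()).hexdigest()

STORE_DEVICES = {  # constructed inventory: device -> (username, password hash)
    "store-0001/pos-controller": ("admin", _h("placeholder-1")),
    "store-0002/pos-controller": ("admin", _h("placeholder-1")),
    "store-0003/pos-controller": ("admin", _h("placeholder-1")),
    "store-0001/backup-unix": ("backup", _h("placeholder-2")),
}

if __name__ == "__main__":
    print(orphaned_accounts(VPN_ACCOUNTS, ROSTER, AUDIT_DATE))
    print(post_departure_logins(SESSIONS, ROSTER))
    print(reused_credentials(STORE_DEVICES))
```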

Thursday, October 8, 2009

The Thursday Maxim of Security

A gem from Dr. Roger Johnston at Argonne National Lab.

Thursday Maxim: Organizations and security managers will tend to automatically invoke irrational or fanciful reasons for claiming that they are immune to any postulated or demonstrated attack.

Comments: So named because if the attack or vulnerability was demonstrated on a Tuesday, it won’t be viewed as applicable on Thursday. Our favorite example of this maxim is when we made a video showing how to use GPS spoofing to hijack a truck that uses GPS tracking. In that video, the GPS antenna was shown attached to the side of the truck so that it could be easily seen on the video. After viewing the video, one security manager said it was all very interesting, but not relevant for their operations because their trucks had the antenna on the roof.

Wednesday, October 7, 2009

Ignore email archiving / public record laws at your own peril

The saga of the deleted emails continues, and now the AG is getting involved.

Prior to that, the Secretary of State stated that he was unhappy with City Hall's continued failure to comply:
Galvin expressed frustration Tuesday over what he described as the city's failure to fully cooperate with investigators. He told the Globe he was considering taking further action against the Menino administration. Under state law, he could turn the case over to Coakley for possible prosecution.

Now state Attorney General Martha Coakley (who is running for Ted Kennedy's senate seat BTW) states that she is "involved."
Coakley said in a statement issued this afternoon that Secretary of State William F. Galvin's office has been working to ensure that public records are preserved and "to determine whether there have been any violations of the public records law by City officials."

"We are now involved in that review," Coakley said.

She said her office would continue to work with Galvin's office going forward in the effort to find mayoral aide Michael Kineavy's e-mails and "we remain prepared to conduct a full investigation and take all necessary steps to guarantee the preservation of evidence and full compliance with the law."

Apart from jokes about the Chicken being 'involved' and the Pig being 'committed' in the making of Ham and Eggs, what does that word mean, anyway?

I personally know that there are Encase-certified digital forensics experts working for Coakley's office. Since City Hall is 'cooperating', it would be trivial to have the AG's office take a look at the hard disk instead of paying an outside consultant, right?

Marketing, Uncertainty and Doubt: Information Security and Cloud Computing

What is the minimum security due diligence that a company needs to do before putting its data in the cloud?

Since 2007, Amazon has been telling us they are ".. working with a public accounting firm to ... attain certifications such as SAS70 Type II", but these have not happened in 2+ years.

On one side of the cloud security issue we have the marketing people, who hype up the existing security and gloss over the non-existing. On the other side we have security services vendors, who hawk their wares by hyping up the lack of security. And there are also Chicken Littles who are running around crying that the sky is falling.

The truth is, there is a class of data for every cloud out there, and there is also someone who will suffer a data breach because they did not secure it properly.

Can you put the New York Times on a cloud server? Of course, provided certain basic security measures are taken. After all, the Times is designed to be accessible to people (forget the stupid PayWall experiment they tried a few years ago).

On the other hand, you should not leave your customers' credit card data on Amazon EC2--they specifically suggest you don't do that.

Another problem is, people are still not sure what "cloud" is. I saw a cartoon recently: "I fell down the stairs and something white is sticking out of my arms, and it hurts like hell. Is it swine flu?"

Most cloud security questions feel like that to me, so I have been accused of ranting in a presentation I did in September. Enjoy.

Tuesday, October 6, 2009

Tangled web woven at Boston City Hall

The saga continues at Boston City Hall. Readers of this blog will remember that in response to public record requests, it came out that the Boston Mayor's right-hand man was deleting emails in a way that kept them from being backed up. So the Secretary of State got involved and ordered City Hall to change the practice and also to retrieve the emails.

Today it came out that our international man of mystery actually complained in April 2009 that his computer was running too slow and as a result, received a new computer. But gosh darn, he plum forgot! And he still does not remember getting a new computer.
City corporation counsel William F. Sinnott said in an interview yesterday that he had been relying on what Kineavy had told him and that Kineavy, the mayor’s chief policy aide and key political strategist, still does not remember getting a new computer.
Fortunately for people who like sunshine on their government affairs, and possibly unfortunately for Mr. Kineavy, that computer's hard disk was not wiped clean and reissued to another user--it was just sitting in another room. Now it has gone to the forensics firm hired by the City, and presumably the emails (or their remnants from temp files) will be recovered.

Ironically, I bet that this particular PC was not recycled because the user was a powerful man, and IT suspected/feared that he would ask for some old file from the hard disk that had not been accurately transferred to the new PC.

Now to the cost of recovery. The most well-known commercial software used for digital forensics, Encase (there are others), will suck out anything relevant from that disk in a few hours and nicely categorize it into emails, Word documents, etc.

One might even call the work technologically trivial. If StoneTurn group is really asking for 250K for a single hard disk examination, they are either smoking weed, or abusing a single-source, no-bid contract. I know many highly reputable forensics consultants who will do this for under $10,000, probably for as low as $5,000.

There are some good lessons here.
  • Mr. Kineavy is every information security officer's dream. That man knows how to protect against information leakage
  • Mr. Kineavy is every compliance officer's nightmare. That man is costing the City Hall time, money and prestige
  • Not having a good decommissioning policy is hurting Mr. Kineavy but may help City Hall become compliant with the public records law (or at least get away with a slap on the wrist and the hundreds of thousands of dollars in forensics expense)
Bottom line: the wheels of justice grind slowly, but once caught in their maw, there is often no escape.

Saturday, September 26, 2009

Bank invents silver bullet to delete personal records from Google's evil grasp

Serendipity. There is no other word to describe Rocky Mountain Bank's latest discovery. But before explaining this modern miracle, let me ask you if you are worried about Google's pervasive presence and how much they know about you?

Are you worried about Google Street View knowing where you live? Are you worried about Google combing through your Gmail account and sending you ads? Are you worried about the Biggest Brother (TM) technology patented by Google that lets them track every search you perform on

Then fear not! Rocky Mountain Bank (RMB) just struck a blow for freedom-loving people everywhere. And the sheer simplicity of it is pure genius. Of course, they were aided by an idiot judge, but every discovery has one such sidekick.

Let's go to the report:
On Aug. 12, the bank mistakenly sent names, addresses, social security numbers and loan information of more than 1,300 customers to a Gmail address. When the bank realized the problem, it sent a message to that same address asking the recipient to contact the bank and destroy the file without opening it. No one responded, so the bank contacted Google to ask for information about the account holder.

In keeping with its privacy policy, Google told the bank it would have to get a court order to obtain such data. The bank then filed papers asking a court to order Google to disclose the information and deactivate the account.

The bank attempted to file its papers under seal, but U.S. District Court Judge Ronald Whyte denied that request. Earlier this week, the case was transferred to Ware from Whyte.

Some lawyers say Ware's order is problematic because it affects the Gmail account holder's First Amendment rights to communicate online, as well as his or her privacy rights.

"It's outrageous that the bank asked for this, and it's outrageous that the court granted it," says John Morris, general counsel at the Center for Democracy & Technology. "What right does the bank have and go suspend the email account of a completely innocent person?"

He adds: "At the end of the day, the bank obviously screwed up. But it should not be bringing a lawsuit against two completely innocent parties and disrupting one of the innocent party's email contact to the world."

Oh no, Mr. Morris--you could not be more wrong. Don't you see RMB actually found the silver bullet to slay the behemoth that is Google? One by one, they will send emails to Gmail users. Then they will file lawsuits to shut down those accounts. Google will be forced to disclose the names of the account holders. Given the lack of privacy, very soon people will stop using Gmail. Google's resources will be spent on lawyers. And Rocky Mountain Bank would emerge victorious, having finally crushed Google.

Saturday, September 19, 2009

Swayze-baited Malware

People searching Google for news on Patrick Swayze's funeral may come across links that are loaded with malware.

Watch where you are going and what you are clicking on. More from SecurityFocus/F-Secure.

Friday, September 18, 2009

Fool me once...

Hmm... looks like this is not Akron Children's Hospital's first brush with a data breach. In our last post we wrote about how misdirected spyware was installed on a computer there and subsequently leaked financial and medical information.

In 2006, an intruder broke into their network and compromised a database. Here is what the FAQ says:
Akron Children's Hospital recently identified that during an expansion of its computer systems, there were unauthorized entries (breaches) into two separate computer databases. The first database contained personal information of our patients, and of the parents or guardians who provide their health insurance. This personal information included names, addresses, social security numbers and patient birth dates. We have found no evidence that any medical or financial patient information was exposed.

The second breach involved a server containing information about individuals who have made donations to the hospital. This breach may have exposed personal financial information, specifically some unencrypted bank account and routing numbers. Social security numbers were not included in this database, and credit card information was protected through the highest level of encryption.
There is a report from the local NBC affiliate that says pretty much the same thing, but adds that the intruders came in via a number of intermediate hops.

Typically, it takes a security breach to wake up a company--it is their "come to Jesus" moment. If, after that 2006 breach, they did not put in place simple things like educating employees not to open attachments and blocking outside email access, they were not doing a very good job.

Spyware causes HIPAA violation at Ohio Hospital

Man emails spyware to ex-girlfriend's Yahoo account. What could go wrong?

The woman happens to work at a hospital. She opened it on a work computer, and the spyware happily emailed out billing and healthcare information for 65 patients. As other people used that computer, it also emailed out their email and financial information (presumably they looked at their online accounts from there).

CIO Magazine reports:
He allegedly sent the spyware to the woman's Yahoo e-mail address, hoping that it would give him a way to monitor what she was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department, creating a regulatory nightmare for the hospital.

The complaint does not explain how Graham managed to convince the woman to install the program, but clever attackers often trick their victims into clicking on files by saying that they are interesting videos or some kind of useful software.

Between March 19 and March 28 the spyware sent more than 1,000 screen captures to Graham via e-mail.

The hospital is also to blame. It is unclear if they provided any training to employees about not opening email attachments, but it is absolutely clear that they were not blocking third-party email access from work.

The article is also unclear about whether the girlfriend is still employed there.

Wednesday, September 16, 2009

In Oregon, a manual on Public Records is NOT Public

We just wrote about how some Boston City Hall employees were deleting emails so they would not be subject to Public Record Laws. But in Oregon, Public Record laws are taking an interesting turn.

The state attorney general publishes a manual for dealing with public record requests, and sells it for $25. He (not personally, his office) also claims copyright over this (public) manual.

Oh, the irony.

But let's look at the mundane issue first. He claims the $25 is the cost of publishing the hard-copy version of the manual. Yeah? Hasn't he heard of PDF files, and "click here to download"? I know Oregon has lots of trees, but shouldn't he at least pretend to care?

Next: if he cannot claim an exemption from the public records law, then he is required to provide this to, hey presto, THE PUBLIC. How can he (or his office) claim copyright to something created with public funds?

So a professor at University of Oregon has challenged him by posting a scanned copy of the manual on his blog.

Every 2 years the Oregon DOJ publishes the "Oregon Attorney General's Public Records and Meetings Manual", a very useful guide to public records law. It's essential reading for people trying to use their right to get public records from Oregon government agencies. The DOJ has been trying to keep me from redistributing this manual, on the grounds that they own the copyright to it. Trying to use copyright law to keep the public from getting information about how to get public records strikes me as wrong, so I've posted the manual online at my official UO faculty website. As the email below explains, I am posting this despite the fact that the AG's office has explicitly warned me not to redistribute this manual. Here are the links. (now fixed)

Any bets on when the attorney general will blink? I am predicting around 4:55 PM local time in Oregon on Friday, 18th September 2009.

Sunday, September 13, 2009

Records retention in local government, and Boston City Hall

I have a city hall as my client. Last month I was teaching an awareness class there, and when I mentioned that they should not have any expectation of privacy when using their computers, there was not a single raised eyebrow. Being employees of a city government, they all knew about public record laws and freedom of information act requests.

This is different from a private enterprise, where there is always someone who will argue that point.

(As an aside, I had to throw away most of my examples of what is "confidential". Individuals' salary figures? Not confidential. Next year's budget numbers? Not confidential. Agh.)

Looks like the City of Boston's senior management knew all about the "no expectation of privacy" too:
The acknowledgement came after the Globe filed several requests for e-mails sent and received by Menino’s Cabinet chief of policy and planning, Michael J. Kineavy. He is one of Menino’s most powerful and trusted advisers, intimately involved in nearly everything at City Hall, but a search of city computers found just 18 e-mails he had sent or received between Oct. 1, 2008, and March 31 of this year.

The unusually low figure prompted administration officials to question him about what happened to the rest of the e-mails he was presumably sending and receiving during that period. Kineavy, who is also one of the mayor’s chief political advisers and a strategist on Menino’s reelection campaigns since 1993, told them that he deletes all his e-mails on a daily basis, in such a way that they are not saved on city backup computers, administration officials said.

There are indications that Kineavy was not the only city employee who may have violated the law. In June, the Globe filed requests for copies of six months’ worth of e-mails sent or received by five other employees, including Transportation Commissioner Thomas Tinlin. City officials said that a search for Tinlin’s e-mails turned up only those he had received, none he had sent.