Security Adviser | Roger A. Grimes » June 2006

June 29, 2006 | Comments: (0)

How can anyone be sure stolen VA laptop data wasn't taken?

There are dozens of ways that any computer's data can be taken without modifying a single forensic bit on the original hard drive.

News sources today are announcing that the VA's stolen laptop (with millions of identity records) has been recovered.

Most sources are reporting that the VA and its forensic experts claim the data was not touched or extracted. I hope this is an oversimplification, because there are dozens of ways the data could have been read or copied while the original was left untouched. How?

Here are two easy ways:
1. Boot from any device other than the hard drive (e.g. floppy disk, CD-ROM, DVD, USB device, etc.). Use an NTFS-capable version of Linux (e.g. Knoppix, BackTrack, nUbuntu, etc.) and steal away.
2. Ghost the hard drive and manipulate the copy.

I can come up with a dozen ways in a few minutes.

Every computer security forensics person is required by their job to be able to access other people's hard drives and data without modifying a single original bit. So, while common thieves wouldn't know how, there are probably tens of thousands of computer professionals who do.

So, I'm hoping the VA and the news sources are oversimplifying the case. A better statement would have been, "We have found no evidence to indicate the data was read or copied," not "After examining the evidence we are SURE the data was not copied or read."

These are two very different statements.

Posted by Roger Grimes on June 29, 2006 01:45 PM


June 28, 2006 | Comments: (0)

The guy in charge of cybersecurity for the White House has no experience in computer security

The guy in charge of cyber security for the White House has no experience in computer security, reports say.

"Purdy, a longtime attorney who has held a number of state and federal legal and managerial jobs, has no formal, technical background in computer security."

Purdy has been paid more money than even his boss, Michael Chertoff, and his personal company, which he still works for, receives a large share of its funding from the White House and the division Purdy runs.

Strong ethics means avoiding the appearance of unethical arrangements.

And who needs experience in computer security to run the White House's computer security division? Hey, Mike Brown ran FEMA without EMS experience.

(Thanks to my long time buddy, Steve, for this story.)

Posted by Roger Grimes on June 28, 2006 12:30 PM


June 22, 2006 | Comments: (0)

Worm uses NTFS alternate data streams and rootkit kernel tricks

This worm uses NTFS alternate data streams (ADS) to hide itself attached to the \system32 folder, and also uses kernel-mode rootkit stealth.

http://msmvps.com/blogs/harrywaldron/archive/2006/06/22/102509.aspx

Few worms come along that interest me (e.g. Nimda, Slammer, etc.). This is another interesting malware program in the same vein. Nothing new, just using two interesting tricks at the same time.

Posted by Roger Grimes on June 22, 2006 06:10 AM


June 12, 2006 | Comments: (0)

New Phil Zimmermann Software

Does Phil do VoIP better than Skype?

http://www.philzimmermann.com/EN/zfone/zfone.html

Posted by Roger Grimes on June 12, 2006 07:25 PM


June 12, 2006 | Comments: (0)

Malware living in commercial products

HP and Circuit City spreading malware.

I read these two malware notices from SANS http://www.sans.org June 6th NewsBites newsletter:

One of HP's printer drivers was infected with the Funlove virus. According to Stephen Northcutt, this is the third time HP has released a printer driver with the FunLove virus embedded.

Circuit City's web site contained malware that could have infected unpatched IE users for over a month.

While commercial companies accidentally releasing malware to legitimate customers is nothing new, it isn't that common these days. Over a decade ago, it was. Many vendors, including Microsoft, accidentally released viruses with legitimate content and software.

What is so surprising to me is how bad HP's and Circuit City's computer security divisions/outsource teams must be to not have noticed the injected malware. Is there no authentication going on? Is there no change control?

When you see symptoms like this, the problems are deep and systematic.

Particularly in HP's case, if this is indeed the third time, will someone be held responsible and fired? The first time is a learning experience, the second time is no fun. The third time is embarrassing.

Posted by Roger Grimes on June 12, 2006 03:38 PM


June 12, 2006 | Comments: (0)

Core Security finds Asterisk vulnerabilities

CoreLabs finds two Asterisk vulnerabilities.

Core Security's CoreLabs found two vulnerabilities (one works server-side, both work client-side) in the open source PBX software Asterisk (http://www.asterisk.org/).

If you haven't heard about Asterisk, it's a pretty cool product. It allows developers and administrators to use open source Asterisk software to create their own PC-based PBX. The software interfaces with many industry standards and PBX-specific cards. An entire cottage industry has popped up around Asterisk, offering great PBX functionality for cheap.

Anyway, Core Security, the makers of the CORE IMPACT (http://www.coresecurity.com/products/coreimpact/index.php) vulnerability scanner, found two new vulnerabilities in Asterisk and the related IAX2 protocol for sending video.

CoreLabs decided to do a manual source code review after running into a few clients that had the Asterisk product. They notified Asterisk and three days later an official patch was released.

Kudos to CoreLabs for doing free open source security code review and kudos to Asterisk for responding quickly to the problem.

If an open source PBX solution sounds interesting, check out Asterisk.

Posted by Roger Grimes on June 12, 2006 03:17 PM


June 12, 2006 | Comments: (0)

Introducing Microsoft Forefront

New brand name for some of Microsoft's security products

Microsoft Forefront includes Sybari Antigen, ISA, and a client side product.

http://www.microsoft.com/forefront/default.mspx

Posted by Roger Grimes on June 12, 2006 02:25 AM


June 11, 2006 | Comments: (0)

Don't repost old exploits as new exploits!

There's been a rash of "new" security posts that are well-known security issues raised publicly years (sometimes decades) ago, but claiming to be new findings.

Over the last month I've seen over a dozen "new" security findings (e.g. NT Alternate Data Streams, NT screensaver vulnerabilities, PGP bypass, Windows Software Restriction Policy bypass, SSL vulnerabilities, etc.) published as new findings that are just re-hashes of old findings that were well known and published years (sometimes over a decade) ago. Even large moderated public mailing lists are re-publishing old findings as new stuff.

Maybe it's because I've been in this field for 20 years now that I recognize them. But please, if you're going to publish your "new" finding, spend at least a few minutes googling past history first before you post your finding. Moderators do the same.

Example of responsible disclosure: A friend of mine discovered he could enumerate normally undisclosed private IP addresses disguised by a NAT device by malforming email headers. He wrote to tell me of his discovery and asked if I knew about it. I reviewed the material and said that I didn't know if it had already been discovered, but I felt that it was unlikely that the finding hadn't already been discussed. He googled a bit and found out that it had been discovered and disclosed over 10 years ago.

A little research will prevent a lot of egg on the face.

What concerns me more is how security list moderators and readers are letting these "discoveries" pass without noting that they aren't new discoveries.

Or maybe that begs a bigger issue, which is how can anyone really be sure their discovery is unique and unpublished? That's a good question I can't answer.

Posted by Roger Grimes on June 11, 2006 07:36 AM


June 11, 2006 | Comments: (0)

Ethereal becomes Wireshark

Ethereal gets renamed and moved to Wireshark

http://www.wireshark.org/

Ethereal's creator has moved the project to Wireshark and renamed it in the process.

Posted by Roger Grimes on June 11, 2006 07:15 AM


June 05, 2006 | Comments: (0)

HIPAA has no teeth

Even though over 19,420 HIPAA complaints/violations have been officially lodged since HIPAA went into effect, it has resulted in zero fines.

http://www.msnbc.msn.com/id/13137354/

This is amazing, but unfortunately, not surprising. Other than two criminal prosecutions of specific individuals, there appear to be no penalties for organizations violating the HIPAA Act. Like the unsuccessful prosecutions of SOX violators, it tells corporate America that it's cheaper to not meet the guidelines.

If you add in the fact that only three companies were fined in 2004 for hiring illegal immigrants (http://www.cnn.com/2006/US/05/10/dobbs.enforcement/index.html), even though they make up 12 million of our workforce, it makes you wonder why we even bother going through with making our various "security" laws.

It's as if Congress passes our financial, security, and privacy laws to make consumers happy, but then behind the scenes promises business that they really won't prosecute violators...so everyone "wins"!

What is frustrating is that with non-enforcement of existing laws it is hard to place the blame on the correct agency. We can't blame Congress since they actually passed the law (unless they underfunded the compliance checking). We probably can't blame the enforcers because they are just doing what they are told by their superiors. So, who gets the blame? All of them?? Us, for putting up with it?

If I were the CIO at one of our nation's hospitals, I might actually decrease my HIPAA compliance budget this year. If it's a law without any teeth, why waste the funds when there are so many other competing objectives?

Posted by Roger Grimes on June 5, 2006 05:33 AM


June 03, 2006 | Comments: (0)

Microsoft's OneCare blocks zero-day MS-Word bug

Microsoft provides early protection against latest zero-day bug through OneCare.

The zero-day MS-Word bug referenced in MS Security Advisory 919637 (http://www.microsoft.com/technet/security/advisory/919637.mspx) is blocked by Microsoft's OneCare program. This is great news and probably a sign of things to come. I expect more and more vulnerabilities to be blocked in real time by Microsoft and other anti-malware vendors before the official patches are released.

Official patches take time to create, test, and release. Blocking in real time before the patch arrives is a smart approach, and is not an approach invented by Microsoft. If anything, they are late to the game, but I welcome the new addition to Microsoft's arsenal. I've heard rumors of this sort of mechanism from Microsoft for at least three years from internal sources, and I had wondered what had happened to the project. It's been shoved into OneCare, I guess.

I'm sure I'll have people write to tell me that Microsoft will start to delay the official patch just to sell more OneCare subscriptions, but I don't buy that conspiracy theory. For one, anti-malware companies already routinely offer the same protection, so patching delays would only serve to enrich all vendors and not just Microsoft.

People who ask why Microsoft is in the anti-malware business at all, since their software is the software with the vulnerability, ask a more valid question. I know the arguments and responses on both sides, and it isn't a flame war I want to get into...but it is a rational debate question. I understand both sides.

For now, I'm glad that more vendors are focusing on real-time blocking of zero-day code.

I'm even getting ready to review a new IPS vendor solution that specifically blocks zero-day exploits prior to the patch being released. IPSs have always blocked zero-day exploits before they are patched, but this particular solution focuses primarily on zero-day stuff.

Posted by Roger Grimes on June 3, 2006 07:42 AM


June 02, 2006 | Comments: (0)

When will companies learn to encrypt all portable computers and media by default?

How many millions of lost and stolen records will it take before encryption is turned on by default for all portable computers and media?

EFS is free on Windows. Linux and Unix have open source TrueCrypt. And there are dozens of great commercial solutions. There is no excuse for any professional organization, least of all auditors, to have portable data unencrypted. It's negligence.

Sadly, a few judges have ruled that many of our national guidelines for data protection stored in private companies don't absolutely require encryption to be used. The guidelines often say that "...customer data needs to be adequately protected...", but don't require encryption.

I say when your plaintext data is stolen or lost, it shows the data was not adequately protected!

Does someone have to steal and use all of Congress's personal data for there to be serious data protection laws (instead of all the pointless hearings and counterproductive, competing, watered-down legislation)?

Posted by Roger Grimes on June 2, 2006 04:03 PM


June 02, 2006 | Comments: (0)

Time for Ernst & Young to do a stand down?

If this article in The Register is correct, E&Y is responsible for at least 6 major data loss events due to lost laptops.

http://www.theregister.co.uk/2006/06/01/ey_hotels_laptop/

E&Y, time for a stand down review, yet? Repeat after me, I will encrypt all confidential data on portable computers and media....I will encrypt all confidential data on portable computers and media...I will...

Posted by Roger Grimes on June 2, 2006 01:37 PM


June 01, 2006 | Comments: (0)

Look up Ethernet MAC addresses

Cool website to look up the vendors of Ethernet MAC addresses.

http://www.coffer.com/mac_find/

Posted by Roger Grimes on June 1, 2006 03:34 PM
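The vendor lookup that site performs is driven by the first three bytes of the MAC address (the IEEE OUI). The following Python is an added example, not code from the post or from the site above: it normalizes the address formats you see in switch tables, ARP caches and Windows `ipconfig` output, extracts the OUI, and also decodes the two flag bits of the first octet, which tell a defender whether an address is multicast or locally administered (and therefore not traceable to a vendor at all). The OUI table is a small constructed subset embedded so the example runs offline.

```python
import re

# Constructed subset of the IEEE OUI registry (first 3 bytes -> vendor),
# embedded only so this example runs offline. A real lookup would load the
# full registry; the entries below are well-known assignments.
OUI_TABLE = {
    "00:00:0C": "Cisco Systems",
    "00:0C:29": "VMware",
    "00:50:56": "VMware",
    "00:1B:21": "Intel Corporate",
}

_NON_HEX = re.compile(r"[^0-9A-Fa-f]")


def normalize_mac(mac: str) -> str:
    """Accept 00:1b:21:ab:cd:ef, 00-1B-21-AB-CD-EF, 001b.21ab.cdef or
    001B21ABCDEF and return the canonical upper-case colon form."""
    digits = _NON_HEX.sub("", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def lookup_mac(mac: str) -> dict:
    """Return the OUI, the vendor (if globally assigned) and the flag bits."""
    canon = normalize_mac(mac)
    first_octet = int(canon[0:2], 16)
    # Bit 0 of the first octet: 0 = unicast, 1 = group/multicast address.
    # Bit 1: 0 = globally unique (vendor-assigned OUI), 1 = locally
    # administered, i.e. set by software, so no vendor can be inferred.
    multicast = bool(first_octet & 0x01)
    local = bool(first_octet & 0x02)
    oui = canon[0:8]
    vendor = None if local else OUI_TABLE.get(oui)
    return {
        "mac": canon,
        "oui": oui,
        "vendor": vendor,
        "locally_administered": local,
        "multicast": multicast,
    }


if __name__ == "__main__":
    for sample in ("00-50-56-12-34-56", "001b.21ab.cdef", "02:00:00:00:00:01"):
        print(lookup_mac(sample))
```

A locally administered address on your network is worth a second look: it is either a virtual interface or a host that changed its MAC, neither of which a vendor lookup can identify.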

