March 30, 2007 | Comments: (0)
GAO raps IRS on information security (again)
With tax day fast approaching, tens of millions of U.S. residents are preparing to send reams of sensitive personal financial data to the Internal Revenue Service as part of their annual tax filing. That simple fact makes the systems that store that data the world's fattest target for identity theft.
The big question is: how secure are the IRS's systems for storing taxpayer data?
Not very, according to a report by the Government Accountability Office (GAO). In a report released Friday, GAO said that IRS has made only "limited progress toward correcting or mitigating previously reported information security weaknesses" at two of its data processing sites, and that 66 percent of the information security weaknesses discovered by previous GAO audits still exist.
In particular, "Significant weaknesses in access controls and other information security controls continue to threaten the confidentiality, integrity, and availability of IRS’s financial and tax processing systems and information," GAO found in its report.
And it gets worse...
"IRS has not consistently implemented effective access controls to prevent, limit, or detect unauthorized access to computing resources from within its internal network. These access controls include those related to user identification and authentication, authorization, cryptography, audit and monitoring, and physical security. In addition, IRS faces risks to its financial and sensitive taxpayer information due to weaknesses in configuration management, segregation of duties, media destruction and disposal, and personnel security controls."
Lack of planning is at the root of IRS's infosecurity problems, according to GAO.
"(IRS) has not yet fully implemented its agency wide information security program to ensure that controls are effectively established and maintained," the report says. "As a result, weaknesses in information security controls over its key financial and tax processing systems could impair IRS’s ability to perform vital functions and could increase the risk of unauthorized disclosure, modification, or destruction of financial and sensitive taxpayer information."
GAO says that it will make recommendations to the Commissioner of Internal Revenue to encourage the agency to implement an information security program and, in a dire-sounding disclosure, GAO said that it was also "making recommendations to the commissioner in a separate report with limited distribution. These recommendations consist of actions to be taken to correct the specific information security weaknesses related to user identification and authentication, authorization, cryptography, audit and monitoring, physical security, configuration management, segregation of duties, media destruction and disposal, and personnel security."
Posted by Paul Roberts on March 30, 2007 11:56 AM
March 28, 2007 | Comments: (0)
OLPC security guru fires back
Ivan Krstić, director of security architecture for the nonprofit One Laptop per Child program, wasn't too happy with my recent coverage of a panel he sat on at the ShmooCon hacker show on March 25.
Much like the jabs that researchers at the confab leveled at the security implications of the project's plan to distribute tens of millions of the laptop devices to impoverished children, he thought the tone of my reporting was far too alarmist.
At the show, Krstić presented a litany of security upgrades made to the latest iteration of the OLPC devices, offering a convincing argument that the computers would be significantly safer than previous models based on the alterations, and perhaps in some ways even better protected from attacks than more traditional mobile computers.
However, the point of the panel was to allow the security pundits to take some shots at the project after Krstić's speech, and fire away they did.
Researchers Sean Coyne, Jason Scott and Scott Roberts offered praise for OLPC's work, but theorized that the project's laptops could be attacked for purposes ranging from creating a massive botnet to trying to kidnap children carrying the devices.
Were the theories offered alarmist? Probably.
Were those ideas truly far-fetched? In some cases maybe, yes, but overall it didn't seem so.
Krstić clearly felt that the researchers' ideas, and my story, didn't give OLPC enough credit.
"I can't help but feel you're marginalizing the security work that's been done and emphasizing the doomsday scenarios that are pure, made up speculation -- without, at present, any technical credit to them whatsoever," Krstić said in an e-mail to InfoWorld.
Saying that the OLPC devices could be turned into a 10 million node botnet is no fairer than saying that Windows machines could be turned into an 800 million node botnet.
That's probably true, but the fact is we've been trying to alert the world to the massive problem of botnets running on millions of Windows devices for years.
The more impressive aspects of Krstić's diatribe (and his ShmooCon presentation) are actually some of the milestones that OLPC has achieved with its revamped security.
In addition to impressing security researchers and other experts with its Bitfrost security architecture (which he wrote) and other improvements (list is here), Krstić said that security software vendors have been blown away by the quality of the work.
"I spent several hours with the technical head of threat management at one of the largest security vendors in the industry discussing the system in great detail," Krstić wrote. "By the end of the night, he gave up trying to find a hole in the system."
The security architect said further that a group of Harvard computer science professors invited him to present the work at a seminar and did not offer any negative technical feedback on the upgrades.
Personally, I think it's great that OLPC has made such a huge effort to improve security of the devices, because I think they've got a great idea that will help a lot of poor kids around the globe improve their educations.
However, you have to agree with the security researchers that as with any sizeable deployment of new technology, there likely will be security problems.
But Krstić has apparently had enough of the theorizing.
"While I am far from proposing that the system is in any way perfect, the expert consensus is that it will provide much stronger security than normal desktops, and that the doomsday scenarios entertained at today's panel are a problem not specific to OLPC, but potentially brought forth by any sufficiently large computer deployment -- but in our case, made significantly harder for attackers by our dedication to security," he wrote.
"Furthermore, such potential problems are still pure speculation, and no technical mechanisms for their emergence have been proposed. In my mind, this hardly makes them any more noteworthy than the equally silly conspiracy theories floating around the OLPC project."
In my defense, all I can say is that I was at the ShmooCon event to cover the panel's conclusions, not to smear OLPC.
Krstić seems like a good guy who is merely frustrated with all the OLPC security doom-speak.
Only time will tell whether or not he is justified to feel so slighted.
Posted by Matt Hines on March 28, 2007 12:20 PM
March 27, 2007 | Comments: (0)
Metasploit Project updates framework
The Metasploit Project released the latest iteration of its software platform, which is designed for use by developers of penetration testing tools and other security applications, and by people creating vulnerability exploits.
Metasploit -- founded by researcher H.D. Moore in 2003 and best known for its month-long explorations into different categories of common software vulnerabilities, such as in its Month of Browser Bugs and Month of Kernel Bugs projects -- reports that the new version 3.0 release of the development framework contains 177 individual exploits, 104 payloads, 17 encoders, and 3 NOP modules for users to play around with.
The updated Metasploit Framework also includes a number of other new tools for use on tasks including host discovery, protocol fuzzing, and denial of service testing, according to the group's stat sheet for the 3.0 release.
Metasploit organizers describe the framework as suited for use by IT administrators carrying out pen testing and patch installation verification, and product makers testing the security limitations of their technologies, along with its core audience of researchers.
The release is labeled as a "from-scratch re-write" of the project's previous platform in the Ruby programming language, an effort that took two years to complete and resulted in over 100,000 lines of software code.
Moore said in an e-mail that the re-write will benefit the various classes of Metasploit users in different ways.
"The best feature really depends on the user," he said. "Metasploit 3.0 is much faster and stable for Windows users, compared to the Cygwin-based 2.7. Penetration testers will benefit from the new Meterpreter and automation features."
"Researchers will benefit from the open-source Rex API and the new auxiliary module format, which allows the framework to be used as a generic security tool development platform."
Among the significant improvements promised through the revamp are the availability of a single process extension, an upgraded Metasploit API, direct access to the framework's Ruby internals at runtime, and new exploit payload relay capabilities.
Other changes include wider database support, a new user-selectable evasion option intended to help bypass IDS and IPS systems, and an event subscription system that allows exploit modules and plugins to wait for specific events and automatically perform different actions.
Moore writes that one new piece of the framework in particular is proving to be a hit.
"The popular gimmick feature is the db_autopwn command; this command (accessible after loading a database plugin), allows the user to import Nessus and Nmap output files into the framework, and then automatically cross-reference and exploit hosts based on what modules match the open ports and discovered vulnerabilities," Moore said.
"The BackTrack 2.0 Live CD has 'on boot' support for this mode -- you can pop the CD into a machine, reboot it, and it will automatically exploit every system on the local network."
A full list of the framework upgrades is available here.
Posted by Matt Hines on March 27, 2007 11:26 AM
March 25, 2007 | Comments: (0)
Human implant RFID gets owned
Radio frequency identification tags have taken another hit from the security community and Adam Laurie -- an independent security researcher based in the U.K. -- can claim another first.
After setting off a torrent of worldwide media coverage by hacking the U.K.'s new RFID-enabled passports in a project sponsored by and first detailed by the Daily Mail newspaper earlier this month, Laurie used his presentation at the ongoing ShmooCon confab to show off techniques for hacking other RFID tags -- including one implanted inside a live human being.
After cracking the codes for a common RFID identification card and an RFID tag that would be found inside livestock, Laurie called up a volunteer from the audience who had a chip injected under their skin -- and who used the device among other things to unlock his laptop PC.
After a few minutes of wrangling with his RFID cloning device -- the same type of homemade utensil that researchers were planning to show off at the Black Hat DC conference earlier this month, before ID card maker HID sufficiently intimidated researchers from IOActive out of demonstrating their cloning reader -- Laurie opened the chip-wearing individual's laptop (and displayed his internal pass key to the entire audience; he had better hope he can reset it).
In addition to proving further just how easily RFID tags can be hacked, Laurie effectively illustrated the type of dangers privacy advocates have cited in battling efforts to plant chips in humans (such as in the case of a California school district that wanted to pin RFIDs on all its students).
If someone can hack the data on such chips, he said, it's logical to believe that someone wearing one could be tracked using the same information.
And, as evidenced by his ability to read information from the U.K. passports while the documents were still sealed in their envelopes, it is already possible to gather enough information to clone individual RFID codes without gaining physical access to the chips themselves.
Interestingly, an employee of HID attended the presentation and identified themselves publicly when Laurie asked if anyone from the vendor was present. Laurie did not indicate whether the ID card he hacked was made by the vendor, but that had been the plan of IOActive researcher Chris Paget before he scaled back the Black Hat demonstration (see video of the IOActive-HID hack here).
Something tells me that the sound you're hearing is the nascent market for human implantable RFID chips grinding to a halt.
Posted by Matt Hines on March 25, 2007 09:23 AM
March 24, 2007 | Comments: (0)
Hacking the IED Network in Iraq
In a presentation that served as a departure from the regular trade show fare, a security researcher and Naval officer regaled attendees of the ongoing ShmooCon show with a presentation on efforts by the U.S. military to dissect improvised explosive devices (IEDs), and the network of people who build them, in Iraq.
Michael Shearer, a contributor to the Church of Wifi security research project and an active-duty Naval flight officer (a lieutenant, to be exact), gave an overview of the situation that U.S. military technicians are faced with in disarming the huge number of IEDs on the ground in Iraq -- which have become arguably the greatest source of danger for coalition fighters in the region.
Much as security researchers must use a multitude of techniques to take apart malware programs and track down the people responsible for writing and distributing the code, bomb experts are working to dismantle not only the explosive devices themselves but the network of people who are financing and building the bombs, Shearer said.
One of the most significant problems with the devices, much as with popular malware formats, is that there is no shortage of components handy for piecing them together. On the ground in Iraq, he said, attackers have tapped into caches of old explosives previously maintained by the Iraqi military, and stolen bomb-making materials such as detonation technologies from people trying to rebuild the country's infrastructure.
And much like the complex networks of site operators, adware distributors, fraudsters and malware writers responsible for many online attacks, the teams of military bomb experts are fighting a broad range of individuals believed to be responsible for the IEDs -- from those who finance the bombs to those who build and place the weapons.
In addition to traditional methods of detection, the military is finding some new ways to sniff out the IEDs before they can be detonated, Shearer said. Among the cutting-edge techniques being employed to that end are systems that attempt to find unintended radio transmissions being emanated by the bombs, and so-called hyperspectral sensors which are used in planes to find recent changes in topography that may indicate where IEDs have been placed.
Posted by Matt Hines on March 24, 2007 03:37 PM
March 23, 2007 | Comments: (0)
Microsoft security report card: passing grade for Vista
Microsoft researchers have published a new report which maintains that the company's Windows Vista software has proven more secure than other operating systems over the first 90 days of its availability, including open source products and Apple's Mac OS X.
Jeff Jones, security strategy director in Microsoft's Trustworthy Computing group, authored the report -- which is posted on his blog -- that compares Vista's relatively short security track record to the early performance of other desktop and thin-client platforms including Mac OS X 10.4, Novell's SUSE Linux enterprise Desktop 10, Red Hat Enterprise Linux 4 WS and Ubuntu 6.06 LTS.
The report also compares the number of vulnerabilities reported in Vista to security patches issued for Microsoft's own Windows XP software.
According to the missive, Microsoft only observed five individual security issues in Vista over the first 90 days of its life, and only one that has been addressed by the company in a security bulletin -- ironically related to a glitch in the software's new anti-malware engine.
The four additional problems have been isolated by security researchers, but not yet patched. Only one of those, related to an error in Vista's CSRSS/MessageBox feature, has been rated high-risk by the software giant.
In 2001, when Microsoft first shipped XP, there were three holes in its IE browser that the firm had already patched. The company fixed a total of 14 vulnerabilities over the first 90 days of its availability, and was aware of at least 4 additional issues that it had not yet addressed.
By comparison, when released in May 2005, Mac OS X 10.4, aka Tiger, had 10 vulnerabilities, with only four covered by patches from Apple during the initial 90 days of its life span, according to Jones' estimates. In all, he said that Apple fixed 20 vulnerabilities over the timeframe, with knowledge of an additional 17 that remained un-patched.
"Apple advertising conveys the message that Mac OS X does not have the same security issues that face other operating systems, but upon examining the first 90 days of their most recent release Tiger -- the data just doesn't support their marketing," Jones writes.
As for the open source crowd, the researcher highlighted Red Hat Enterprise Linux 4 WS, among others, which had 86 vulnerabilities disclosed prior to its general availability, with patches for 34 of those at the time of shipment. Over the first 90 days, Red Hat addressed 137 vulnerabilities in the platform and it still had another 64 publicly disclosed issues that it had yet to fix, Jones said.
Industry pundits are sure to find fault with some aspect of Jones' methodology and take the position that Microsoft tilted the tables in its favor to come up with attractive results, but the fact of the matter remains there have not been many vulnerabilities discovered in Vista.
Yet.
Posted by Matt Hines on March 23, 2007 08:22 AM
March 22, 2007 | Comments: (0)
Oracle's SAP claims highlight more corporate spying
Oracle's newly-filed lawsuit against rival SAP is only the latest in a slew of recent allegations that make it seem that business leaders are still willing to seek out ways to circumvent technological security systems.
In its suit -- which accuses enterprise applications giant SAP of violating fraud legislation, unfair competition, and civil conspiracy, and charges the German company with "corporate theft on a grand scale" -- Oracle claims that SAP workers illegally accessed its own computerized customer support systems and stole "thousands of proprietary, copyrighted software products," as well as other confidential materials.
SAP could then study the data and use the knowledge to offer low-budget customer service to Oracle's customers, and convince said end users to move over to its own products, according to the lawsuit.
While far from being substantiated in court as of yet, the accusations follow a string of other instances where corporate leaders -- who often purport themselves to be the staunchest advocates of information and IT security -- have intentionally bypassed systems meant to protect sensitive data.
The most high-profile example of this behavior is the controversy that befell industry giant Hewlett-Packard in 2006 when it was exposed that company executives had approved an investigation into boardroom leaks that eventually involved the use of pretexting, an illegal process used to gain access to individuals' phone records.
In addition to pretexting -- through which third-party investigators allegedly posed as the people they were spying on in order to obtain those individuals' calling records -- the company was also accused of secretly tracing e-mail conversations in an effort to unmask its boardroom leak.
Judges dropped related charges of fraudulent wire communications, wrongful use of computer data, identity theft and conspiracy that were brought against HP Chairman Patricia Dunn after she pleaded that she had no direct knowledge of the tactics, but only after she had stepped down from her position.
HP shelled out $14.5 million in civil settlements in the case and three other defendants from the company avoided jail time by pleading no contest to related misdemeanors.
In another recent case of corporate espionage, Italian law enforcement officials arrested four Telecom Italia employees in January 2007 for carrying out an intricate spying scheme, including the company's current and former heads of information security.
Using a Trojan malware program, the Telecom Italia workers reputedly spied on the head of a publishing company that ran critical newspaper stories about the firm, and stole important documents such as his company's business plan. After telling the publisher that his sensitive documents were available all over the Internet, the involved parties offered to take over IT security operations for the company, the Rizzoli Corriere della Sera (RCS) publishing group.
In another interesting spin on the security issue, identity card vendor HID essentially quashed a presentation planned by researchers for the Black Hat DC conference earlier this month that would have shown how easy its products are to hack.
Security industry analysts and software vendors have been plugging data leakage prevention (DLP) applications as the next big thing in their market space, as the tools promise to protect sensitive information from being accessed or stolen.
Based on the purported actions of people at some of the world's top companies, it appears they might be correct.
Posted by Matt Hines on March 22, 2007 01:44 PM
March 20, 2007 | Comments: (0)
Trend's Chen on HijackThis, Chinese malware
Trend Micro CEO Eva Chen stopped into Boston on her latest trip across the United States and offered up some additional details of her company's recently-announced deal to buy HijackThis, an anti-spyware utility.
Snapped up from a Dutch student-developer named Merijn Bellekom, HijackThis will become an important part of the anti-virus company's worldwide database of threats and vulnerabilities, said Chen, even though the product is currently given away for free, a la McAfee's SiteAdvisor.
The firm is constantly looking for new sources of outbreak data to feed into its products, and HijackThis can offer a unique view into the world of spyware, according to the CEO.
Chen also promised not to significantly alter the manner in which the technology works and said the firm will look to outside virus researchers to help to keep the tool ahead of the curve.
"We bought HijackThis because of its huge database of Web threats and because it complements all the time we've spent building our own back-end tracking systems," Chen said. "We're not going to use freeware to up-sell our products, but we see it as an important part of the business; we're really hoping to get tagging users to continue to contribute, as this will help us identify new attacks as they appear."
In a post to his Web site, Bellekom said that he decided to sell the tool because he had hit a wall in completing a new update of the product as he struggled to balance time between development and his university classes. Trend has also taken ownership of another anti-spyware technology built by Bellekom, dubbed CWShredder, which he had sold to InterMute, which was subsequently purchased by Trend.
Trend is currently creating a new version of HijackThis meant to run on Microsoft technologies including IE 7.
The anti-virus company is following in the steps of McAfee and others by adding so-called Web reputation services to its cadre of technologies, and announced a beta version of its TrendProtect technology last week. Much like SiteAdvisor, the browser plug-in is meant to help end users identify potentially dangerous URLs by giving a safety rating to web pages and search results.
Chen also offered her own take on research which points to increased cooperation between Chinese malware writers and those in the Western world.
Last week, Chris Boyd, aka Paper Ghost, a research expert at FaceTime Communications, told me that he's recently seen evidence of this type of partnership between the international malware community and Chinese hackers on several underground forums.
While Boyd contends that this development is rather new, with Chinese malware writers using the advice they've garnered to up the ante in the social engineering aspects of their threats (and prevent tipping their hands by sending potential victims to overly busy, spam-like Asian-style Web sites), Chen said the work has probably been going on for a long time.
"I don't think this is anything new, it's been going on for years, you have to remember that the original Michelangelo virus originated in Taiwan," Chen said. "But I'm not sure that Chinese hackers are sharing information with outsiders so much as they might be learning by watching."
Chen said that Chinese hackers are particularly adept with driver-based threats, perhaps based on the volume of device and component manufacturing that goes on in the massive nation.
Based on the unique characteristics of some Chinese malware programs, Chen said that Trend uses special "China patterns" to help sniff out attacks that emanate from the region.
Posted by Matt Hines on March 20, 2007 10:12 AM
March 15, 2007 | Comments: (0)
Second Lifers getting locked out at work
It looks like those people who can't get enough virtual living done in their free time may be losing the chance to play the popular Second Life online video game on the job.
Security software vendor Sophos announced that on March 22 it will release an updated version of its flagship anti-virus package that offers tools designed specifically to help IT administrators keep the game off limits to users on their networks.
SL, as the cool kids call it, already claims to have well over 4 million registered users, and much media coverage has been devoted in the last few months to people who have made careers out of playing the game. One such person is virtual real estate agent Ailin Graef, who has reportedly generated $1 million in assets developing parcels of land in the simulated world.
While some people believe that the often devoted users of the game need to get real lives, Sophos claims the problem of players logging on at work is growing. In addition to hurting productivity -- which isn't too newsworthy since video games were invented for the purpose of wasting time -- the vendor points to what it claims as a growing risk of identity theft related to logging onto the virtual world.
However, only one such incident related to the game has been reported publicly, when hackers made off with a Second Life database that held the password and log-in data of about 650,000 gamers in Sept. 2006. In another security incident, players were blocked from accessing the game by a virus in Nov. '06.
In addition to those types of schemes, the security company claims that participants of such games -- in which users create much of the content, and sometimes referred to as Web 2.0 applications -- are "creating new avenues for cyber-criminals seeking the easiest point of entry to the network."
Sophos said that in a recent online poll it sponsored of more than 450 system administrators, 90.4 percent of respondents told the company that they wanted the ability to block games.
"Second Life practically provides criminals an open invitation to do as they please with minimal effort, and that is scary," Sophos Analyst Ron O’Brien said in a statement. "Organizations must set certain policies that ensure that employees are contributing to the success of the business, rather than jeopardizing it."
The update will be made available for free to users of Sophos AV 6.0 products.
Looks like it's time to start working from home, Second Lifers. No, not that home, your real home.
Posted by Matt Hines on March 15, 2007 01:15 PM
March 12, 2007 | Comments: (0)
ICANN discusses DNS Root Server Denial of Service Attack
I'm sure you've been wondering what really happened during the DNS DDoS attack last February. ICANN has put out an easy-to-read document on what they think happened to the DNS infrastructure during this event.
It's a straightforward document that talks about the Anycast system that was designed to minimize an attack of this kind (along with the reason we have 13 DNS root servers), and most interestingly, how this attack may have occurred and what country/region this attack may have originated from.
Last but not least are recommendations to fortify the DNS system moving forward.
Posted by Victor R. Garza on March 12, 2007 01:41 PM
March 11, 2007 | Comments: (0)
Microsoft drops ball on DST for Exchange 2000
What about all of you still running Exchange 2000 / Exchange 5.5 and not willing to fork out $4K for the DST update?
I know there are a lot of you out there. How many of you there really are I can't be sure, but I know not everyone is either using Exchange 2003 or the latest iteration of the email server.
What I can tell you is that way too many people are emailing the DST fix for these versions of Exchange to each other rather than pay Microsoft the $4K. I know it's been happening for quite some time.
Not to interject any paranoia into your already busy lives today, but what if that supposedly official (or even unofficial) fix actually has a trojan or other malicious code riding shotgun?
First off, I personally don't think that MS should be charging for this update, but hey, that's just me (and please don't email me about your thoughts on premium hotfix support or extended support contracts). Second, if MS is going to be charging, they should at least be aware that this issue presents itself as a ripe opportunity for hackers to use yet another vector to insert themselves into organizations.
Of course there are also issues with the way forensics and Security Event Management products will deal with the time change, along with other issues, like how organizations deal with connection (or disconnection) to Stratum clocks, but those are issues for another day (pun intended).
I'd ask for your thoughts on this issue but I assume that many of you are taking a vacation this weekend in preparation for any calls that are coming your way tomorrow, and those of you not off during the weekend are manning the phones and datacenters and might be too busy to read this...
Posted by Victor R. Garza on March 11, 2007 08:32 AM
March 09, 2007 | Comments: (0)
Symantec buys more risk management
Security software market leader Symantec appears to have added another piece to its growing data security business with the acquisition of compliance services provider 4FrontSecurity.
While Symantec doesn't appear to have issued a formal announcement on the buyout, media outlets including the Washington Post are reporting that Reston, Va.-based 4Front -- described as a six-person consulting shop -- is the security giant's latest buyout.
Symantec has been actively pushing its transformation from a security specialist to a provider of risk management software and services over the last year.
4Front lists data governance, risk management and regulatory compliance expertise among its primary areas of business.
On March 8, Symantec announced that it has received antitrust approval from the FTC for its $830 million buyout of asset management specialists Altiris, which was announced in January and is expected to close sometime during the second quarter of 2007.
Posted by Matt Hines on March 9, 2007 07:40 AM
March 08, 2007 | Comments: (0)
No March security patches from Microsoft
Microsoft Corp. said that, YES! They've got no patches. No patches for the month of March!
The company typically releases security updates on the second Tuesday of the month. More recently, Microsoft has issued guidance to customers on the Thursday before that release about how many updates are coming. This time around, the answer is "none."
This is the first time since September 2005 that the company has gone a month without issuing a single security update -- which shows a dubious kind of consistency, I suppose.
According to this post on the Microsoft Security Response Center blog, the company won't issue a single security patch for March, though there will be high priority non-security patches that will be pushed out through Windows Update and SUS.
No patches doesn't necessarily mean that the security coast is clear in Redmond. Indeed, an e-mail message from Microsoft's public relations firm about the dearth of security updates suggests that the company is taking longer than expected to test the patches it does have.
"Microsoft continues to investigate potential and existing vulnerabilities in an effort to help protect our customers," a company spokesman wrote. "Creating security updates that effectively and comprehensively fix vulnerabilities is an extensive process involving a series of sequential steps. All updates need to meet testing standards in order to be released. This ensures that our customers can confidently install these updates in their environment."
Posted by Paul Roberts on March 8, 2007 02:38 PM
March 08, 2007 | Comments: (0)
Another strike for RFID security
There's been quite a bit of controversy brewing over the use of radio frequency identification (RFID) technologies of late, with security researchers isolating weak points in applications of the chips in everything from building access cards to new-fangled passports.
In most cases, people are primarily objecting to the use of RFID as a form of identification, or as an access technology, for humans -- as no one but me seems as peeved over their utilization in industrial applications such as retail merchandising.
(For the record, I keep forgetting to snip the tags off new clothes and I'm sick of getting jabbed in the gut by their sharp edges)
Last week, a firestorm of debate on the topic was ignited at the Black Hat DC 2007 conference when access card maker HID quashed a planned presentation by researchers from IOActive that would have instructed attendees of the security conference how to build a so-called "cloning device" that purportedly would allow you to intercept people's HID card security codes -- which are not encrypted -- for the purpose of recreating their credentials.
HID officials contend that IOActive was merely trying to make a name for itself by pointing out how their proximity cards -- which are used by millions of people (including myself) and considered very basic RFID transmitters -- could be defeated, a problem they said the company has not dealt with in the real world.
Of course, if people knew of the loophole and were using it to break into offices at night and steal laptops and/or data, they probably wouldn't admit it publicly.
Now, a U.K.-based security researcher has demonstrated for journalists in that country how he can hack information on Great Britain's new passports, which use RFID chips as a secondary form of authentication. U.K. officials have maintained that the more technologically-advanced documents would help cut down on illegal immigration, a growing problem in the nation.
Even worse, in the exercise orchestrated by the U.K.'s Daily Mail newspaper and detailed in a subsequent story, an independent security consultant proved that he could not only intercept data transmitted by the passport's RFID chips -- and read the personal details of whoever they belonged to -- but that he could also skim the information from the passports while they were inside the envelopes in which they're being mailed to their holders.
In essence, the flaw makes the new passports less secure than the old ones, as before if someone wanted to try and steal your credentials -- or copy them -- they needed some form of physical access. Now someone could conceivably just stand by the mailbox and grab details of any passport that happens to be there.
Yikes.
Thankfully for those of us in the U.S., the federal government has already scrapped earlier plans to use RFID chips in such documents, at least until security of the devices can be improved. The Department of Homeland Security bagged a pilot program last year through which the technology was being used in documents given to frequent travelers across several of the nation's largest land borders, based on security and privacy concerns.
RFID advocates say that when used properly the chips can be adequately secured for such purposes. HID recommends that anyone concerned with the security of its proximity cards should upgrade to its more expensive smart cards, which promise to provide better safeguards for the data they transmit.
But to me, it sounds like it's becoming painfully clear that the tags aren't ready for primetime use in IDs, at least not for anything as sensitive as a passport.
(As for use in clothing, can't they just give them rounded edges?)
Posted by Matt Hines on March 8, 2007 09:35 AM
March 07, 2007 | Comments: (0)
Two pieces of seemingly unrelated research published in the last two days combine to provide further evidence of the ongoing shift in IT security from crude attacks to financially-driven crimeware.
In Symantec's latest State of Spam report (PDF), researchers observe that adult-related spam e-mail has reached an all-time low, at least in terms of volume, accounting for only 3 percent of all unwanted messages during Feb. 2007.
Despite the drop-off in the time-honored spam category, the security software maker reported that spam levels remained fairly consistent with previous months, accounting for roughly 70 percent of all e-mail last month.
In a nod to the sophistication of some campaigns, newly found instances of image-based spam unearthed by the firm -- a breed that is much more likely to find its way around e-mail filters -- use previously unseen file obfuscation techniques to cloak themselves.
Meanwhile, researchers at Gartner report that some 15 million U.S. residents were victims of some form of identity theft during a yearlong stretch ending in mid-2006. The figure represents a better than 50 percent gain in ID theft since 2003, when compared to FTC statistics.
Gartner surveyed 5,000 adults online in August 2006, and said that the average loss of those who fell prey to the schemes was $3,257 in 2006, compared to $1,408 in 2005.
Alarmingly, Gartner also reported that the percentage of funds those consumers were able to recover fell to 61 percent in '06, compared to 87 percent in '05.
Coincidentally, or maybe not, the Gartner analyst who spearheaded the report is speaking at an event on Thursday in Washington hosted by Visa and Harvard Business School. She told me that there will be a lot of interesting debate at the meetings with plenty of grousing planned by companies who have had data incidents.
One issue that's talked over at the show will be whether or not the press sensationalizes or misrepresents the scandals -- but more interestingly, that some retailers and data aggregators feel they are being dealt an unfair hand in regards to ID theft.
James Van Dyke of Javelin is also speaking at the conference, and he recently published a report that contends that even with the mounting pile of data events, identity theft led to fewer related losses in 2006 ($49.3 billion) than in 2005 ($55.7 billion).
Regardless, everyone at the conference seems to agree that ID theft-related fraud is the biggest problem that needs to be dealt with in the electronic domain, and that the attacks which result in it are among the most cunning.
So the long way around it all is -- stupid bad porn spam that you can't believe anyone ever opened is finally going away -- finally -- and the smart people who really know how to rip you off are still in business making serious money.
Same story: different research.
Posted by Matt Hines on March 7, 2007 03:02 PM
March 06, 2007 | Comments: (0)
Gonna throw out that drive? Did you wipe it first?

I've been looking for an easy to use piece of software to deal with old machines I get from my clients for disposal or donation.
Around April of '06 I saw Fujitsu's answer to the problem of having drives with sensitive data leave the corporate grounds: wipe out the whole drive using their Mag EraSURE degausser. I think it's okay to say now that the FBI uses Fujitsu's product to remove data from hard disks and tapes in under 60 seconds. The Fujitsu degaussers (stand-alone or tabletop version) work with Type II media and hard disks up to 3.5 inches in height and can be left unattended to do their business.
Okay, that works, but what if I just want to remove sensitive data left in financial, insurance or medical applications while leaving the OS intact? What if the client wants to re-purpose the drive without imaging the whole thing? (Yes, unfortunately, this happens.)
I recently heard about Max Secure Software's Max File Shredder, which was released about two weeks ago. I gave it a try on a few machines and it seemed to work adequately.
Max Secure uses Department of Defense (US) standard 5200.28-STD (7) to wipe files, portions of the disk or the disk's unused space with a digital pattern overwrite of 7 passes. On the laptops I used it on, it shredded files, folders, empty drive space and the recycle bin, and it has an automatic scheduler to shred that info at regular intervals. I haven't had a chance to go back with Guidance Software's EnCase or a low-level disk utility to see how good a job it did just yet, but overall the software seems to work without a problem and Shredder is pretty fast.
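To show what a 7-pass pattern overwrite actually does on disk, and the read-back check you would do before trusting it, here is an added Python example; it is not Max Secure's code, and the pass schedule is a constructed one since the post does not list the product's patterns.

```python
import os
import tempfile

# Constructed 7-pass schedule (assumption: the post does not list the product's actual byte
# patterns): six fixed patterns, then one pass of random data.
PASSES = (b"\x00", b"\xff", b"\x55", b"\xaa", b"\x92\x49\x24", b"\x6d\xb6\xdb", None)

def _fill(length, pattern):
    """Bytes for one chunk: a repeated fixed pattern, or random data when pattern is None."""
    if pattern is None:
        return os.urandom(length)
    return (pattern * (length // len(pattern) + 1))[:length]

def shred_file(path, passes=PASSES, chunk=1 << 16):
    """Overwrite a file in place once per pass, force each pass to the device and read it
    back to confirm the pattern landed, then truncate and unlink.
    Returns the number of passes whose contents were verified (the random pass is written
    but not compared).
    Caveat: in-place overwriting only helps on media that rewrite the same sectors; SSD
    wear levelling, copy-on-write and journaling file systems can keep the old blocks, so
    this does not replace a degausser or a full-disk wipe for drives leaving the building."""
    size = os.path.getsize(path)
    verified = 0
    with open(path, "r+b", buffering=0) as f:
        for pattern in passes:
            f.seek(0)
            for off in range(0, size, chunk):
                f.write(_fill(min(chunk, size - off), pattern))
            os.fsync(f.fileno())            # do not trust the page cache; push the pass down
            if pattern is not None:
                f.seek(0)
                ok = all(f.read(min(chunk, size - off)) == _fill(min(chunk, size - off), pattern)
                         for off in range(0, size, chunk))
                verified += ok
        f.truncate(0)                       # the final file length reveals nothing either
        os.fsync(f.fileno())
    os.remove(path)
    return verified

def demo():
    """Constructed sensitive file in a temp dir; returns what a reviewer would check after."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "claims.csv")
    with open(path, "wb") as f:
        f.write(b"patient_id,ssn,diagnosis\n" * 5000)   # constructed content, about 125 KB
    passes_ok = shred_file(path)
    return {"passes_verified": passes_ok, "file_exists": os.path.exists(path)}

if __name__ == "__main__":
    print(demo())   # {'passes_verified': 6, 'file_exists': False}
```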
The software also has a privacy guard feature which erases your footprints on the Internet, including IE history caches, auto-completes, cookies, recently used documents, address bar info, temporary files, Microsoft Office applications, and other information.
Unfortunately, I could only use the software on one machine at a time and would have liked to have been able to have it work from an admin console on multiple machines simultaneously, but I hear that Max Secure is working on that functionality.
I know that there are a bunch of tools out there that have similar functionality and would be interested to hear your thoughts on the matter. Drop me a line and let me know how far you go to destroy data on your old and unused equipment.
Max Secure Software is also offering its anti-spyware product free to all K-12 schools in the US.
Max Spyware Detector 2.0 is being offered to K-12 schools as a result of teacher Julie Amero's case, in which pornographic material got onto her school computer via spyware.
As of Mar. 8, 2007, Max Secure Software will offer Max Spyware Detector 2.0, free for the next six months to K-12 schools to ensure teachers, administrators, volunteers and students are not affected by unwanted and malicious spyware. Max Spyware Detector 2.0 originally retails for $29.95 per license and is reported to have the fastest repetitive spyware scanner available on the market.
“The Julie Amero case highlights the dangers of spywares on schools’ personal computers and their effects on students and teachers when not protected by a reputable anti-spyware solution,” said Sanjay Pradhan, CEO of Max Secure Software. “Public schools’ IT departments have limited funds so we decided to step up and offer a free professional anti-spyware solution that will not only save schools money but also help them prevent spywares from infecting their computers.”
Retail cost for one license of Max Spyware Detector 2.0 is US $29.95 for a one year subscription, which includes a no questions asked, 30 day money back guarantee. Max Spyware Detector supports the following operating systems: Windows 98 SE, 2000, Me, XP and Vista. The following URL will take you to the download area.
Caveat - While Spyware Detector 2.0 software didn't fare so well according to one reviewer, at least the software will provide a nominal piece of protection in this sort of environment. Being an instructor at multiple locations I tend to bring my own arsenal along with me, but understand the monetary and personnel constraints in many educational environments.
Posted by Victor R. Garza on March 6, 2007 02:41 PM
March 05, 2007 | Comments: (0)
30% of companies lost their IP in last 12 months?
Loss or theft of intellectual property may have affected one in three companies in the last year, according to the results of a small-scale survey by Enterprise Strategy Group. The survey of 112 IT administrators and executives, which was sponsored by IT security vendor Reconnex, found that 32 percent of those surveyed said their company had lost intellectual property at some point in the last 12 months, while 57 percent said it hadn't.
Of course, the sample size on this survey is small, and its sponsor, Reconnex, sells data leak prevention technology. (Translation: take all this with a pinch of salt). But it's also true that you only know what you know -- and that many companies may not be aware of data leaks that had occurred, especially the roughly ten percent of respondents who either don't know how they'd find a leak if one existed, or worry that one may have occurred, but can't prove it.
Some other interesting tidbits from the ESG survey: Malicious or clueless (err "negligent") insiders both bested the loosely defined "hackers" as the biggest perceived threat to intellectual property at companies participating in the survey.
As for the biggest conduit for leaked information: laptops topped the list (32% of respondents thought they were the biggest threat), followed by corporate and Web mail (23% and 13% respectively).
The biggest stores of IP within enterprises: application databases (SAP, Oracle, and SQL) as well as file systems containing Word documents, spreadsheets and other tasty tidbits.
"It's unbelievable how much sits in unstructured data," Enterprise Strategy Group analyst Eric Ogren told InfoWorld. "If you ask CEOs, given Sarbanes-Oxley and such, how they control access to spreadsheets and unstructured data, they'll say that it's hard to find. Looking for a social security number is easy. Anyone can do that -- but customer lists and financial info?"
Posted by Paul Roberts on March 5, 2007 10:09 AM
March 05, 2007 | Comments: (0)
Microsoft Ships Daylight Savings Patch for CRM
Microsoft released the latest of its Daylight Savings Time patches, issuing a fix for its Dynamics CRM 3.0 business software meant to help the application recognize the early start to this year's DST season.
Like many other software systems, Microsoft said, the customer relationship management package won't on its own recognize the three-weeks-early start to springtime -- a shift mandated by Congress in 2005 to help extend daylight hours and save energy.
For anyone who hasn't already heard of the calendar transition -- which is touching off a situation some have likened to a mini-Y2K scenario -- DST will start three weeks earlier than usual next Sunday at 2:00 A.M., and will end one week later than usual at the same time on Nov. 4.
To avoid having their computers' clocks off tempo for the new DST timeframe, Microsoft said that Dynamics CRM software users should make sure that both their Windows OS and calendar programs have been patched. It has created an online resource for handling DST-related issues here:
http://www.microsoft.com/dst2007
According to the software maker, most of the records in the CRM system include date and time stamps based on the older DST rules, which will cause everything scheduled in the product's calendars to show up an hour early on unpatched systems.
IT industry watchdogs have issued public warnings that a wide range of software systems and devices could be susceptible to timing hiccups if they are not updated to deal with the DST change.
The nonprofit IT Information Sharing and Analysis Center (IT-ISAC) published a list of systems (pdf here) that could potentially be affected by the shift that includes:
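Why an unpatched system shows an appointment an hour early during the three-week and one-week windows: an added Python model of the old and new U.S. DST rules, not code from the post or from Microsoft. It assumes U.S. Eastern time (UTC-5 standard), which the post does not specify.

```python
import datetime as dt

SUNDAY = 6  # datetime.weekday(): Monday=0 ... Sunday=6

def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday in a month (n=1 first, n=2 second, n=-1 last)."""
    if n > 0:
        first = dt.date(year, month, 1)
        return first + dt.timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))
    nxt = dt.date(year + (month == 12), month % 12 + 1, 1)
    last = nxt - dt.timedelta(days=1)
    return last - dt.timedelta(days=(last.weekday() - weekday) % 7)

def dst_bounds(year, rules):
    """U.S. DST start and end dates for a year under a rule set:
    'pre2007': first Sunday in April .. last Sunday in October
    '2007':    second Sunday in March .. first Sunday in November (the 2005 change)"""
    if rules == "pre2007":
        return nth_weekday(year, 4, SUNDAY, 1), nth_weekday(year, 10, SUNDAY, -1)
    if rules == "2007":
        return nth_weekday(year, 3, SUNDAY, 2), nth_weekday(year, 11, SUNDAY, 1)
    raise ValueError("unknown rule set: " + rules)

def _as_dt(x):
    return x if isinstance(x, dt.datetime) else dt.datetime.fromisoformat(x)

def dst_in_effect(std_local, rules):
    """True if DST applies at a local *standard* time. DST begins at 02:00 standard time on
    the start date and ends at 02:00 daylight time (01:00 standard time) on the end date."""
    start, end = dst_bounds(std_local.year, rules)
    begins = dt.datetime.combine(start, dt.time(2, 0))
    ends = dt.datetime.combine(end, dt.time(1, 0))
    return begins <= std_local < ends

def local_display(utc_dt, rules, std_offset_hours=-5):
    """Wall-clock time a system using the given rule set shows for a stored UTC timestamp.
    Assumption: U.S. Eastern (UTC-5 standard); the post does not name a time zone."""
    std_local = _as_dt(utc_dt) + dt.timedelta(hours=std_offset_hours)
    return std_local + dt.timedelta(hours=1) if dst_in_effect(std_local, rules) else std_local

def skew_hours(utc_dt, std_offset_hours=-5):
    """Hours EARLY an unpatched (pre-2007 rules) clock displays a timestamp compared with a
    patched (2007 rules) one; 0 outside the mismatch windows."""
    patched = local_display(utc_dt, "2007", std_offset_hours)
    unpatched = local_display(utc_dt, "pre2007", std_offset_hours)
    return int((patched - unpatched).total_seconds() // 3600)

def mismatch_windows(year):
    """Date ranges [start, end) during which the two rule sets disagree."""
    old_start, old_end = dst_bounds(year, "pre2007")
    new_start, new_end = dst_bounds(year, "2007")
    return [(new_start, old_start), (old_end, new_end)]

if __name__ == "__main__":
    for a, b in mismatch_windows(2007):
        print(f"clocks disagree from {a} to {b} ({(b - a).days} days)")
    # Constructed appointment: 11:00 Eastern on 20 March 2007, stored as 15:00 UTC by a patched server
    stored = "2007-03-20T15:00"
    print("patched shows  ", local_display(stored, "2007").time())
    print("unpatched shows", local_display(stored, "pre2007").time(), f"({skew_hours(stored)}h early)")
```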
- Databases
- Mail servers and NTP servers
- Firewalls
- Switches
- Backup and storage systems
- Printers, copiers and fax machines
- PBX systems
- Voice mail and interactive voice response (IVR) systems
- Cell phones and PDA devices
While running a CRM system with the wrong calendar data probably won't help users win over too many customers, the greatest concerns with the DST mandate deal primarily with critical infrastructure, a la Y2K, with worries about transportation, communications and transactional systems running smoothly.
As someone who is scheduled to be flying next Sunday, for the record, I hope everyone gets it right.
Posted by Matt Hines on March 5, 2007 07:57 AM
March 04, 2007 | Comments: (0)
What's with all these desktop agents?
I was over at a client's office yesterday upgrading them to McAfee's Anti-Virus agent 8.1i and it came to me (actually, it came to me this morning). Why do we have so many desktop agents?
Yeah, I know, that's the same AV version that missed two viruses in the wild when used on Vista. But, hey, I'm not using Vista. Heck, I'm not even near recommending it to any of my clients yet either...
Anyway, why is it we have so many agents? Anti-Virus, Network Access/Admission Control (wired and wireless), Forensics, VPN, Firewall, HIPS, Spyware... Why don't we have an agent framework that everybody just plugs into? I know the easiest route is to go single vendor, whether that be McAfee, Symantec, Cisco or whoever. But what if you've got Cisco VPN and McAfee AV and Symantec NAC or some other combination?
Am I too late to the party? Has this problem already been solved? Or do we just go on and deal with incompatibilities until the vendors make agreements that they're going to co-exist peacefully with each other? Of course Microsoft should have stepped up with this one a while back and delivered a solution - but I guess I'm just doing some wishful thinking again.
Let me know if you've got problems with misbehaving agents leaving your desktops potentially vulnerable. Or if you've gone with a single vendor or found some other solution altogether.
Posted by Victor R. Garza on March 4, 2007 01:43 PM
March 01, 2007 | Comments: (0)
Peanut Butter and hard disk drive failures

March 1st is National Peanut Butter Lovers Day. Did you know that? I was just about to spread some peanut butter on my bagel and got to wondering just how long peanut butter could sit in my cupboard before it could potentially kill me.
There are two reasons I thought about this: One, that peanut butter jar really has been there for quite a while and two, because of Sam and Ella.
What's this have to do with disk drives? Well, a client just happened to call up with a newly squealing drive (annoyingly high-pitched I might add) and asked what they should do with their machine as I was finishing off the first half of the bagel and reading about peanut butter shelf life. I suggested turning it off and cooling the drive (if it had to be used again), asked about recent backups and told them about DriveSavers data recovery.

I'd recommended DriveSavers to private, commercial and military clients and co-workers over the past few years, but a few weeks ago I spent some time over at their Novato, CA office and got to see their operation first hand (even got a recording for a podcast, but I've still got to edit that). Of course they wouldn't let me take any pictures of drive saving as it was happening, but the whole op was pretty impressive. I was also surprised to find that the Apple-based recovery operation was as large as it was.
Seems that DriveSavers still deals with 40,000 MTBF on an ongoing basis. What's 40K MTBF? It's Mean Time Between Failure and the 40K is the number of hours you've got. Around four years. Are your drives that old or older? You might want to make sure your backups are good, and up-to-date, just in case.
An interesting tidbit I got from the guys out there is that RAID drives crash during the rebuild process. So if you've got one drive in an array go down and you're rebuilding the array, the chances that another drive will go south are incredibly high. Why? Two reasons - one, disk activity is enormously high during a rebuild, and two, most drives in an array go into the array all at the same time. So, mix up the drives with drives from other arrays when you get a new array in. This will reduce the chance that multiple drives from the same array will fail at or around the same time.
And what is it with famous people crashing disks? On every wall of the DriveSavers office there was a picture of a famous person being glad that DriveSavers was around.
BTW, you should check out the peanut butter link, it really does have some interesting stats on peanut butter.
Posted by Victor R. Garza on March 1, 2007 10:09 AM