<feed xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns="http://www.w3.org/2005/Atom" xml:lang="en-US">
    <title>bmonday.com</title>
    <link rel="self" type="application/atom+xml" href="http://bmonday.com/Atom.aspx" />
    <subtitle type="html">It was either this or learn French</subtitle>
    <id>http://bmonday.com/Default.aspx</id>
    <author>
        <name>Beau Monday</name>
        <uri>http://bmonday.com/Default.aspx</uri>
    </author>
    <generator uri="http://subtextproject.com" version="Subtext Version 2.1.0.5">Subtext</generator>
    <updated>2009-12-03T16:31:34Z</updated>
    <entry>
        <title>Dramatic Spike in URL Shortening by Scammers</title>
        <link rel="alternate" type="text/html" href="http://bmonday.com/archive/2009/07/09/4845.aspx" />
        <id>http://bmonday.com/archive/2009/07/09/4845.aspx</id>
        <published>2009-07-09T14:54:14Z</published>
        <updated>2009-07-09T15:03:00Z</updated>
        <content type="html">&lt;p&gt;Back in May I wrote &lt;a href="http://bmonday.com/archive/2009/05/14/4839.aspx"&gt;"Dirty URL Tricks"&lt;/a&gt; about the increasing risk presented by the rise of URL shortening services like Bit.ly and TinyURL, driven largely by short messaging services like Twitter.  I closed the article by predicting that scammers were going to start aggressively exploiting these services as a means of masking their malicious URLs.&lt;/p&gt;
&lt;p&gt;Judging by the dramatic spike in URL shortening service usage by spammers and phishers the following month, I'd say that the entire scamming community must be reading my blog.  However, since I'm quite in tune with the number of readers I have, and I'm fairly confident that spammers number well above those single digits, I can't really back that up with figures.&lt;/p&gt;
&lt;p&gt;But, regardless of the trigger, there is little doubt that spammers and phishers have had the inevitable epiphany, and are now very aggressively utilizing these free shortening services in an attempt to further obfuscate the malicious nature of links they are sending via email.&lt;/p&gt;
&lt;p&gt;Consider the following graph, which illustrates the rise of URL shortening techniques in spam, courtesy of the folks at MessageLabs: &lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="http://i.i.com.com/cnwk.1d/i/bto/20090707/ShortURLSpam.png" /&gt;&lt;/p&gt;
Over 90% of all email is spam.  It's more critical now than ever for end users to warily consider clicking on any links they cannot practically verify prior to going to the target website.  URL &lt;em&gt;Lengthening&lt;/em&gt; services, such as &lt;a href="http://www.longurlplease.com/"&gt;LongURLPlease&lt;/a&gt; and &lt;a href="http://shorttext.com/twitzer.aspx"&gt;shortText&lt;/a&gt;, are emerging in an attempt to fill the need here, but the long-term fix is for users to appreciate the dangers of blindly clicking on links sent to them in email and other communication methods.&lt;img src="http://bmonday.com/aggbug/4845.aspx" width="1" height="1" /&gt;</content>
        <wfw:comment>http://bmonday.com/comments/4845.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://bmonday.com/comments/commentRss/4845.aspx</wfw:commentRss>
        <trackback:ping>http://bmonday.com/services/trackbacks/4845.aspx</trackback:ping>
    </entry>
    <entry>
        <title>Back Online</title>
        <link rel="alternate" type="text/html" href="http://bmonday.com/archive/2009/07/08/4844.aspx" />
        <id>http://bmonday.com/archive/2009/07/08/4844.aspx</id>
        <published>2009-07-08T02:28:26Z</published>
        <updated>2009-07-08T02:28:26Z</updated>
        <content type="html">&lt;p&gt;Took longer than I expected for ComCast to bring my business-class Internet connection into the house, but I'm back online as of tonight.&lt;/p&gt;
&lt;p&gt;Oh, and for the record, my Chrysler transferred my data at the rate of 230Kb/s.  It would have been faster, but the 98mph speeding ticket I got on the way through Colorado spooked me for the rest of the trip.  I spent the rest of the drive going about 5mph over the speed limit.&lt;/p&gt;&lt;img src="http://bmonday.com/aggbug/4844.aspx" width="1" height="1" /&gt;</content>
        <wfw:comment>http://bmonday.com/comments/4844.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://bmonday.com/comments/commentRss/4844.aspx</wfw:commentRss>
        <trackback:ping>http://bmonday.com/services/trackbacks/4844.aspx</trackback:ping>
    </entry>
    <entry>
        <title>Going dark for a few days</title>
        <link rel="alternate" type="text/html" href="http://bmonday.com/archive/2009/06/26/4843.aspx" />
        <id>http://bmonday.com/archive/2009/06/26/4843.aspx</id>
        <published>2009-06-26T08:33:01Z</published>
        <updated>2009-06-26T08:33:01Z</updated>
        <content type="html">The blog will be dark for a few days while I transport my server and accoutrements from Oklahoma to Seattle, and get it set back up.

I'll calculate and publish the data transfer rate of my Chrysler 300C upon my arrival (yeah, it's got a Hemi).&lt;img src="http://bmonday.com/aggbug/4843.aspx" width="1" height="1" /&gt;</content>
        <wfw:comment>http://bmonday.com/comments/4843.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://bmonday.com/comments/commentRss/4843.aspx</wfw:commentRss>
        <trackback:ping>http://bmonday.com/services/trackbacks/4843.aspx</trackback:ping>
    </entry>
    <entry>
        <title>Ten Habits of Highly Effective InfoSec Leaders</title>
        <link rel="alternate" type="text/html" href="http://bmonday.com/archive/2009/06/08/4841.aspx" />
        <id>http://bmonday.com/archive/2009/06/08/4841.aspx</id>
        <published>2009-06-02T19:19:38Z</published>
        <updated>2009-06-08T13:20:51Z</updated>
        <content type="html">&lt;p&gt;I have been doing a lot of thinking lately, given the state of the economy and some of the discussion I've had with many of my colleagues.  What I've come to realize is that I have taken a different approach than many of my colleagues when it comes to leadership and Information Security.  It's well past time to reinvent the information security field, and reverse the impression that we are the Ministry of No, and the buzzkills that are constantly looking to shut down everyone's chat.  Our role is so much more than that. Too often we paint ourselves into that corner because we are unwilling or unable to engage the organization at a higher level, or learn how to make the business function better.&lt;/p&gt;
&lt;p&gt;Given the landscape of the past and the changes due to economics, a successful infosec leader must do the following things, and do them well, to cultivate a healthy information security program that will support and align with the business:&lt;/p&gt;
&lt;p dir="ltr" style="MARGIN-RIGHT: 0px"&gt;&lt;strong&gt;&lt;font size="3"&gt;Communicate to the business about the business&lt;/font&gt;  &lt;/strong&gt;&lt;/p&gt;
&lt;blockquote dir="ltr" style="MARGIN-RIGHT: 0px"&gt;
&lt;p dir="ltr" style="MARGIN-RIGHT: 0px"&gt;&lt;font face="Arial"&gt;When we started, years ago, we most often looked for the most technical person in the room for senior [information security] positions, and now we're finding that we're replacing those technical execs with execs that truly understand, and can take a holistic approach to, risk.  What we're finding in the jobs that we're filling, not just at the C-level, but at many levels, is that they're asking us for folks that really understand how to communicate effectively to the board.  -Joyce Brocaglia, Alta Associates, RSA 2009&lt;/font&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;strong&gt;Risk is the language of business&lt;/strong&gt;, and if you cannot communicate risk to the powers-that-be in your organization, your infosec program (and career) will never evolve.  You will never be invited to the table if you cannot demonstrate that you belong there by helping them make critical business decisions.&lt;/p&gt;
&lt;p&gt;Businesses manage risk, day in and day out.  What is the risk of investing in a new product line?  What is the risk of leaving out Feature X until Version 2?  What is the risk that the $10,000 investment in the new marketing campaign won't result in an uptick in new business?&lt;/p&gt;
&lt;p&gt;If you learn how to quantify risk, you will never be accused of trying to scare the business into buying needless security widgets (the Chicken Little syndrome), and you will be able to justify the investments that make sense for the business.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;font size="3"&gt;Never let "it's a best practice" be a justification for a security initiative&lt;/font&gt;&lt;/strong&gt;&lt;br /&gt;
"Best practice" is an excuse, not a justification.  &lt;strong&gt;Best Practices are what you resort to when you don't know what the right thing for your business is. &lt;/strong&gt;The company isn't in the business of aligning its security program with industry best practices.  The company is in the business of selling widgets.  How many more widgets will the company sell if they implement your suggestion?  Is some significant risk reduced by implementing the suggestion?  These are the arguments that will allow the business to say Yes.  &lt;/p&gt;
&lt;p&gt;&lt;font size="3"&gt;&lt;strong&gt;Never say "No"&lt;/strong&gt;&lt;/font&gt;&lt;br /&gt;
No is rarely an acceptable response to someone communicating a requirement.  Someone's secretary wants to access Facebook during lunch?  "No" isn't going to get you anywhere.  How about "Sure, we can do that, but given the various threats coming from Facebook lately (demonstrate some), we'd be wise to implement some additional protections around that traffic."  I bet you can leverage that secretary's lunch desires to reduce her rights on the system, which kills 2 birds with one stone.  Or, if the organization isn't willing to spend the money on the necessary controls, you can go back to the secretary and let her know that you went to bat for her but failed.  Either way, you're the guy that tried to help, not the bad guy who just said "No".  Chances are, she'll come back to you the next time she wants to do something risky.&lt;/p&gt;
&lt;p&gt;No doesn't make you friends.  "So what, I'm not here to make friends, I'm here to secure the enterprise," I hear some of you say.  Well, your job will be orders of magnitudes harder if you are viewed as an obstacle that must be overcome, rather than a friend of the business.  How many groups will invite you to the conversation when all you do is burden them with costly and time-consuming controls and processes?  Which brings me to...&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;font size="3"&gt;Be approachable&lt;/font&gt;&lt;/strong&gt;&lt;br /&gt;
&lt;strong&gt;Encourage dialog.&lt;/strong&gt;  Reach out to end users.  Introduce yourself to business owners, solicit their opinion on things, and ask them what their challenges are, how they work, and their perspective on information security.  Learning what the end users really think rather than what you assume builds a relationship of shared ownership.  The result is allies who will help you sell future initiatives.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Don't let the first contact with your end users or business owners be only after you have discovered a problem.&lt;/strong&gt;  Integrate yourself into the onboarding process.  5 minutes spent in a new hire orientation, introducing the infosec organization, and going over basic guidelines will make a night-and-day difference in the attitude end users will have of you and your program.  Sharing with them why security is integral to the business and making it personal will give them motivation to support information security on an ongoing basis.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Conduct brown-bag sessions on security topics. &lt;/strong&gt; Make them short.  15 minutes is my target, with questions for however long they need.  Record them, if you can, so you can distribute them via intranet to people at other sites or who couldn't make it to the live show.&lt;/p&gt;
&lt;p&gt;Speaking of which...&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;font size="3"&gt;Learn to talk like a human being&lt;/font&gt;&lt;/strong&gt;&lt;br /&gt;
If you have a conversation with 99.999% of the population on this planet, and you toss out words like "AES256" or "Diffie-Hellman", you will not connect with your audience.  All you are doing is confusing your audience, at best, and probably alienating them.  End users don't need to know how the sausage is made, only that they have ready access to sausage and that It's A Good Thing(tm).  You can go into a little more detail during Brown Bags, but be clear about the level of technical depth of the talk, so you will hopefully get an appropriate audience.  But I would argue then that you should be spending time on topics that will reach a larger portion of your user population.&lt;/p&gt;
&lt;p&gt;What you *can* do, however, is...&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;font size="3"&gt;Blow your end users' minds from time to time&lt;/font&gt;&lt;/strong&gt;&lt;br /&gt;
End users get complacent about their computer usage habits.  Always have a small collection of ready-to-roll, and easily demonstrated exploits in your bag of tricks, even if they have been long since fixed.  Maybe it's a virtualized image of a poorly patched Windows box that you can bring up at a moment's notice.  Doesn't matter.  Demonstrating the sneakiness of attackers is often an eye-opening experience for your end users.  I once orchestrated a demonstration of a chromeless window exploit to a group of system admins, and their mouths all dropped.  Demonstrations like that tend to re-engage your users, and remind them that they are a critical part of the company's security posture.  That's a win for you.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;font size="3"&gt;Cultivate your reputation&lt;/font&gt;&lt;/strong&gt;&lt;br /&gt;
&lt;strong&gt;Develop a reputation for protecting the business.&lt;/strong&gt;  Understand the risks of the changes you are proposing and work diligently to reduce them.  Even if the company doesn't have an official change management program, you should.  Even if it's just yourself.  I can count on my hand the number of times a security control under my purview has negatively impacted the business' ability to operate.  &lt;strong&gt;Availability trumps security&lt;/strong&gt; every single time, and those security controls will get ripped out if they impact the business' ability to operate.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Develop a reputation for being a straight shooter.&lt;/strong&gt;  The business needs to know it can count on you for a fair and accurate assessment of risk, countermeasures, controls and technology.  Also ensure that you include ancillary costs (personnel, OS licenses, etc) associated with solutions you propose, to minimize having to go back to the well for more funding than what the business owners originally approved.  The business needs to trust that the solution you've proposed can be realized with the financial outlay you've indicated.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Develop a reputation as a problem solver.&lt;/strong&gt;  You want business units to approach you with problems, and ask for help solving them, rather than route around you with a solution they know is poorly considered.  See above guidance regarding "no".  You need to be seen as a business enabler, not an obstacle that must be continually overcome.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Develop a reputation for being pragmatic.&lt;/strong&gt;  Don't blindly follow the industry.  Reevaluate your beliefs, frequently.  If the password policies don't make sense, change them.  Ignore best practices if they don't fit the realities of the business, even if it means bucking an auditor in the process.  &lt;strong&gt;Mold the information security program to the needs of the business.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;font size="3"&gt;Understand that robust security begets compliance, not vice versa&lt;/font&gt;&lt;/strong&gt;&lt;br /&gt;
If you have a solid information security program, you will not have to worry about audits or regulatory compliance exceptions, because you are 99% there on most compliance obligations your company is likely to have.  That does not mean implementing every suggestion from NIST or similar bodies of infosec standards.  Remember, "best practices" are recommendations for what to do if you don't otherwise know what's best for your business.  If you blindly implement controls and processes to satisfy your PCI audit, for instance, it doesn't mean your business is secure.  &lt;strong&gt;Secure your business, and compliance will be trivial.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;font size="3"&gt;Befriend your auditors&lt;br /&gt;
&lt;/font&gt;&lt;/strong&gt;If you have an adversarial relationship with your auditors, internal or external, &lt;strong&gt;you're doing it wrong&lt;/strong&gt;.  Your auditors are partners.  They help you measure (and demonstrate) improvements you are making to the business, and help you justify investments in additional areas.  If you have a healthy relationship with your auditors, your audits will go more smoothly and they'll be out of your hair quicker.  An adversarial relationship with your auditors will only result in them looking harder and longer for cracks in your program, and every hour they spend doing so costs your business money.  Once the auditors develop confidence in your program, and understand that they can't run up the bill generating finding after finding, they'll be motivated to complete their report and move on to the next engagement.  &lt;strong&gt;Reducing your company's annual audit bill is a fantastic way information security can contribute to the company's bottom line.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;font size="3"&gt;Contribute to the InfoSec Body of Knowledge&lt;/font&gt;&lt;br /&gt;
&lt;/strong&gt;The information security profession relies heavily, perhaps more than most other fields, on information sharing and peer review.  You should be writing; be it articles, blog postings, or contributing answers to questions posted in online forums.  A good infosec leader should be continually contributing to the InfoSec Body of Knowledge, even if the contributions sometimes seem trivial.&lt;/p&gt;
&lt;p&gt;Show up at local infosec events, and speak at one at least once a year.  One thing you should take away from the other habits listed above is that your communication skills are critical to being successful in the information security field.  Hone them, exercise them.  If you are not an effective communicator, you will not be an effective information security leader.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;font size="3"&gt;In conclusion&lt;/font&gt;&lt;/strong&gt;&lt;br /&gt;
This isn't the same business many of us were introduced to when we started our infosec careers.  For example, the CISO role didn't even exist when I entered the business, and it is being redefined constantly.  Hard economic times have put increased pressures on all business units within a given company to innovate and bring new ideas to the table about how to make the business run better.  By aligning yourself with the organization's larger goals, and adopting the strategies outlined here, you will help Information Security transcend the stereotypical roles and evolve into a business unit that has true and measurable impact on the success of the business.  And that's a win for everyone.&lt;/p&gt;&lt;img src="http://bmonday.com/aggbug/4841.aspx" width="1" height="1" /&gt;</content>
        <wfw:comment>http://bmonday.com/comments/4841.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://bmonday.com/comments/commentRss/4841.aspx</wfw:commentRss>
        <trackback:ping>http://bmonday.com/services/trackbacks/4841.aspx</trackback:ping>
    </entry>
    <entry>
        <title>InfoSec in the Courts</title>
        <link rel="alternate" type="text/html" href="http://bmonday.com/archive/2009/06/02/4842.aspx" />
        <id>http://bmonday.com/archive/2009/06/02/4842.aspx</id>
        <published>2009-06-02T23:42:02Z</published>
        <updated>2009-06-03T00:03:37Z</updated>
        <content type="html">&lt;p&gt;Some interesting infosec cases coming up in court cases recently.&lt;/p&gt;
&lt;p&gt;Last month, the Supreme Court &lt;a href="http://www.cnbc.com/id/30808044"&gt;agreed to hear a case&lt;/a&gt; challenging the constitutionality of the Sarbanes-Oxley Act of 2002 (aka SOX).&lt;/p&gt;
&lt;p&gt;More recently, &lt;a href="http://www.wired.com/threatlevel/2009/06/auditor_sued/"&gt;Wired reports&lt;/a&gt; that Merrick Bank is suing PCI QSA Savvis for giving Card Systems a passing grade on a PCI audit just 3 months prior to Card Systems getting hacked and ultimately exposing 40 million credit cards to the intruders.  The breach cost Merrick nearly $18M to fend off the resulting fraud, settle claims, and replace compromised cards.&lt;/p&gt;
&lt;p&gt;While SOX has been a driver of security investments in the years since it was enacted, it is clearly overburdensome for most companies, and misses its goals in a number of areas.  There is general consensus, even in the security industry, that it should go.&lt;/p&gt;
&lt;p&gt;The jury is still out on the Merrick/Savvis PCI case, however.  If Merrick is successful in its bid to attach fault to Savvis for giving Card Systems an improper passing grade on its PCI audit, that will send a chill down the spine of most security staffs.  PCI audits are onerous enough already, and I'd hate to think how much time and expense we're going to have to expend on them after the QSAs figure out they can be sued if they miss the tiniest detail.  And it's still a point-in-time certification.  Just because an org is PCI-compliant today, doesn't mean they won't silently fall out of compliance tomorrow.  Are QSAs going to demand recurring audits of the environment throughout the year to satisfy their own legal teams that the client is still worthy of a passing grade?  It's a slippery slope, to be sure.  I don't like the direction we're headed on this one.&lt;/p&gt;&lt;img src="http://bmonday.com/aggbug/4842.aspx" width="1" height="1" /&gt;</content>
        <wfw:comment>http://bmonday.com/comments/4842.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://bmonday.com/comments/commentRss/4842.aspx</wfw:commentRss>
        <trackback:ping>http://bmonday.com/services/trackbacks/4842.aspx</trackback:ping>
    </entry>
    <entry>
        <title>Prevention eventually fails.  What's your plan?</title>
        <link rel="alternate" type="text/html" href="http://bmonday.com/archive/2009/05/14/4840.aspx" />
        <id>http://bmonday.com/archive/2009/05/14/4840.aspx</id>
        <published>2009-05-14T19:54:51Z</published>
        <updated>2009-05-14T19:57:07Z</updated>
        <content type="html">&lt;p&gt;A &lt;a href="http://darkreading.com/security/intrusion-prevention/showArticle.jhtml?articleID=217300227"&gt;recent study conducted by British Telecom&lt;/a&gt; claims that 94% of the companies they polled expected to suffer a compromise sometime in 2009.&lt;/p&gt;
&lt;p&gt;I guess companies are finally acknowledging one of Information Security's most sacred truths:  Prevention eventually fails.  I first heard this truism while reading Richard Bejtlich's fantastic book &lt;a href="http://www.awprofessional.com/title/0321246772"&gt;The Tao of Network Security Monitoring&lt;/a&gt;.  In it, he claims that preventive controls are doomed to eventual failure due to 2 factors: Some intruders are smarter than the people securing the systems, and intruders are unpredictable.&lt;/p&gt;
&lt;p&gt;These sobering facts recently prompted InfoSec pioneer Dan Geer to &lt;a href="http://www.csoonline.com/article/486668/Geer_Risk_Management_Should_Change_the_Future?page=3"&gt;comment in an interview&lt;/a&gt;:&lt;/p&gt;
&lt;blockquote dir="ltr" style="MARGIN-RIGHT: 0px"&gt;
&lt;p&gt;[...]the world we live in now is one where the rate of change is so great it is hard to develop a skilled craft because by the time you do, the problem set has moved on.&lt;/p&gt;
&lt;p&gt;I think information security is quite possibly the most intellectually challenging profession on the planet. For that reason that what was true yesterday may not be tomorrow. In information security in particular, &lt;strong&gt;the rising fraction of R &amp;amp; D that is done by the opposition, and is funded by the opposition by its own revenue,&lt;/strong&gt; is quite fascinating and makes things very difficult. At the same time, have we made progress? Sure. But the challenging aspect to this continues to be this rate of change and the degree to which you need to be on your toes all the time.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p dir="ltr"&gt;So, given that you will, eventually, suffer a breach, what's your plan?  You *do* have an incident response plan, don't you?  If you thought you had a 94% chance of getting into a car accident, you'd plan for that eventuality, wouldn't you?&lt;/p&gt;
&lt;p dir="ltr"&gt;If you don't have an Incident Response Plan, &lt;a href="http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf"&gt;NIST's 800-61 publication&lt;/a&gt;, originally published in 2004 and refreshed last year, is a great place to start, and considered required reading by most InfoSec practitioners who have accepted the reality that &lt;em&gt;prevention eventually fails&lt;/em&gt;.&lt;/p&gt;&lt;img src="http://bmonday.com/aggbug/4840.aspx" width="1" height="1" /&gt;</content>
        <wfw:comment>http://bmonday.com/comments/4840.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://bmonday.com/comments/commentRss/4840.aspx</wfw:commentRss>
        <trackback:ping>http://bmonday.com/services/trackbacks/4840.aspx</trackback:ping>
    </entry>
    <entry>
        <title>Dirty URL Tricks</title>
        <link rel="alternate" type="text/html" href="http://bmonday.com/archive/2009/05/14/4839.aspx" />
        <id>http://bmonday.com/archive/2009/05/14/4839.aspx</id>
        <published>2009-05-14T19:02:58Z</published>
        <updated>2009-05-14T19:07:47Z</updated>
        <content type="html">&lt;p&gt;I've &lt;a href="http://www.bmonday.com/archive/2007/11/07/4467.aspx"&gt;preached&lt;/a&gt; &lt;a href="http://www.bmonday.com/archive/2003/10/29/318.aspx"&gt;for years&lt;/a&gt; the need for users to scrutinize heavily any URLs in emails they receive, especially in emails from financial institutions.  As applications and operating systems get more and more secure, hackers are increasingly relying on tricking the end users into clicking on a hostile link or otherwise actively enable the compromise of their own system.&lt;/p&gt;
&lt;p&gt;Traditionally, one of the mechanisms you can use to determine that an email is a phishing attempt is to scrutinize the link or button the email wants you to click.&lt;/p&gt;
&lt;p&gt;For instance, you can hover your mouse over this &lt;a href="http://www.ClickHereToGetOwned.com"&gt;http://www.Visa.com&lt;/a&gt; link, and determine pretty easily that it actually takes you to &lt;a href="http://www.clickheretogetowned.com/"&gt;www.ClickHereToGetOwned.com&lt;/a&gt;.  Right?  Just say "Right!" for me.&lt;/p&gt;
&lt;p&gt;But what if the link looks like this? &lt;a href="http://tinyurl.com/ozn4lm"&gt;tinyurl.com/ozn4lm&lt;/a&gt;.  Clicking that link will also take you to the Click-Here-To-Get-Owned site, but it passes our usual sniff test because the redirection to the malicious site happens on TinyURL's end.&lt;/p&gt;
&lt;p&gt;For those unfamiliar with &lt;a href="http://tinyurl.com"&gt;TinyURL&lt;/a&gt; (go ahead and click, it's OK), it's a free service that allows anyone to shrink an obnoxiously-long link to something shorter so that it survives emails and other communication mechanisms that do unkind things to links that exceed one line in length.  The explosion of Twitter, which has a hard cap on the number of characters you can send in a single message, has dramatically increased the use of URL shrinkers.&lt;/p&gt;
&lt;p&gt;But it also enables a phisher to obfuscate the true destination of a given link in a way that is not mitigated by the guidance we've been giving people for years.  TinyURL, in particular, has become nearly ubiquitous, leading to complacency when a potentially hostile TinyURL link arrives in email or Twitter.&lt;/p&gt;
&lt;p&gt;Thankfully, TinyURL does allow users to &lt;a href="http://tinyurl.com/preview.php"&gt;preview the location&lt;/a&gt; of a given URL to allow users to see where they will end up if they click it.  If you allow cookies, you can even set TinyURL to *always* bring up the preview of the URL before it takes you to the destination.  Good on them.&lt;/p&gt;
&lt;p&gt;But there are other URL shrinking services that don't offer such protections.&lt;/p&gt;
&lt;p&gt;Besides, what if your URL looks like this:&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="http://upload.wikimedia.org/wikipedia/commons/f/f3/Azteccodeexample.jpg" /&gt;&lt;/p&gt;
&lt;p&gt;Don't laugh, it's a URL in the style of an &lt;a href="http://en.wikipedia.org/wiki/Aztec_Code"&gt;Aztec barcode&lt;/a&gt;, and if you have a handheld device, like an iPhone, chances are you can consume it using your device's camera and send your device's browser to only-god-knows-where (in this case, the Wikipedia page for Aztec barcodes).  Airlines are using them increasingly to send check-in information to airline passengers' mobile phones.&lt;/p&gt;
&lt;p&gt;Or how about this one:&lt;br /&gt;
&lt;img alt="" src="http://upload.wikimedia.org/wikipedia/commons/thumb/1/16/High_Capacity_Color_Barcode.png/120px-High_Capacity_Color_Barcode.png" /&gt;&lt;br /&gt;
This is a format currently being pushed by Microsoft, called &lt;a href="http://en.wikipedia.org/wiki/High_Capacity_Color_Barcode"&gt;HCCB&lt;/a&gt;, or Microsoft Tag.&lt;/p&gt;
&lt;p&gt;As URLs continue the trend towards machine-readable, and away from human-readable, their potential for abuse by phishers and other malicious actors will only increase.  It's up to the users to scrutinize inbound communications they receive, including the context, and only click on URLs that they can realistically trust.&lt;/p&gt;&lt;img src="http://bmonday.com/aggbug/4839.aspx" width="1" height="1" /&gt;</content>
        <wfw:comment>http://bmonday.com/comments/4839.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://bmonday.com/comments/commentRss/4839.aspx</wfw:commentRss>
        <trackback:ping>http://bmonday.com/services/trackbacks/4839.aspx</trackback:ping>
    </entry>
    <entry>
        <title>Verizon Data Breach Report for 2008, Part 1</title>
        <link rel="alternate" type="text/html" href="http://bmonday.com/archive/2009/04/26/4837.aspx" />
        <id>http://bmonday.com/archive/2009/04/26/4837.aspx</id>
        <published>2009-04-26T15:47:02Z</published>
        <updated>2009-04-26T15:53:04Z</updated>
        <content type="html">&lt;font face="Verdana"&gt;
&lt;p&gt;&lt;font face="Arial"&gt;Verizon's &lt;a href="http://www.verizonbusiness.com/products/security/risk/databreach/"&gt;first report of 2009&lt;/a&gt; is the 4th such report published publicly by Verizon (they have performed 28 such analyses to-date, but only recently decided to go public with them).  Verizon's goal is to release these reports on a roughly quarterly basis going forward.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face="Arial"&gt;The report largely focuses on breaches occurring in the 2008 calendar year, but does reference data gathered from prior years.  The 2008 year saw an unprecidented number of records compromised.  Verizon alone responded to breaches representing 285 million records, more than all prior years (2004-2007) combined, and those are the focus of this report.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face="Arial"&gt;&lt;strong&gt;The Actors&lt;/strong&gt;&lt;br /&gt;
I think we can finally put to rest the “80% insider” myth that has been erroneously thrown about for the last decade or longer.  Verizon's investigations, in fact, showed that nearly 80% of the intrusions were from external sources.  Only 11% of the intrusions were the result of an insider acting alone (an additional 9% of cases involved insiders duped by an external actor into aiding an attack).&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face="Arial"&gt;A more concerning statistic is the number of breaches that come from partner networks.  While the number dropped somewhat in 2008, more than a third of all breaches were traced by to trusted supplier connections.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face="Arial"&gt;Of the 90 breaches analyzed by this report, 22 of them were conducted from Eastern Europe (an increase of 9% over 2007),  followed closely by East Asia with 18 incidents (up 15%).  North America was the 3rd-most common source, at 15 incidents.  It is clear that organized crime is continually frequent driver for these kinds of breaches, particularly in the Eastern Europe region, and Verizon, in concert with appropriate law enforcement organizations, was able to verify organized crime links in 19 of the 90 cases, and arrests were made in at least 15 of those, to date.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face="Arial"&gt;In the cases involving partners, it was nearly always a case where the partner network had been compromised by an external actor who was then able to leverage a trusted connection to extend their attack to the ultimate victim network.  Verizon makes the point, accurately, that organizations continue to struggle with the management of partner connections, and are often ill equipped to monitor or audit the security posture of those trusted networks.  This is a huge opportunity for improvement in most organizations.  Partner connections should be scrutinized heavily, and reconfigured for least privilege and least access.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face="Arial"&gt;It's interesting to note, before we leave the subject of 3rd party culpability, that in none of the cases were the systems actually hosted at the partner's site.  It was largely the case where administrative work had been outsourced, particularly in the food-and-beverage and retail segments, where outsourcing of POS system management is common.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face="Arial"&gt;&lt;strong&gt;The Victims&lt;br /&gt;
&lt;/strong&gt;I was initially skeptical that the dataset analyzed in the report would skew heavily towards the large corporations.  I mean, who calls a major telco for help with a security incident but the deep-pocketed corporations?  Well, turns out, everyone seems to.  Verizon was called in to investigate breaches at companies as small as 1-10 employees, and as large as 100,000+.  In fact, fully 50% of the breaches addressed in this report occurred in companies with 1000 or fewer employees, with fully 1/3 coming from companies with fewer than 100 employees.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face="Arial"&gt;There is one area where the data is heavily skewed though, and that is the industries represented by the victim companies.  93% of the records compromised occurred at companies in the financial services space.  That really isn't much of a surprise, given that's where the bulk of valuable credit card data is being managed.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font face="Arial"&gt;This does not mean that the financial services industry was the most frequently attacked, however.  In fact, the retail industry was attacked slightly more frequently.  But the financial sector seemed to attract the most determined, motivated, and skilled attackers, and gave up the vast majority of compromised records as a result.&lt;/font&gt;&lt;/p&gt;
&lt;font face="Arial"&gt;
&lt;p&gt;&lt;br /&gt;
&lt;strong&gt;The Attacks&lt;br /&gt;
&lt;/strong&gt;Let's talk about the nature of the attacks for a minute.  In terms of percent of records exposed, 94% of those involved hacking, closely followed by malware at 90%.  These two methods were by far the most popular, with deceit coming in a distant 3rd with 6%, and Misuse and Physical attacks bringing up the rear at 2% each.&lt;/p&gt;
&lt;p&gt;However, there is a mitigating element here that is important to consider.  Error (misconfiguration, etc.) is a contributing factor in 67% of the cases.&lt;/p&gt;
&lt;p&gt;Given this, you can see the traditional attack methodology that we're all too familiar with:  Vulnerability identified and exploited by hacker, malware placed in victim network to enable further attacks.&lt;/p&gt;
&lt;p&gt;A particularly worrisome methodology that Verizon has been tracking is the harvesting of data in the server's RAM.  Most application vendors do not encrypt data residing in RAM, even if they do encrypt data on the disk storage subsystem.  This is proving a rich source of unencrypted data, and hackers are starting to go after it.&lt;/p&gt;
&lt;p&gt;There is another important factor to highlight here, while we're discussing the attacks themselves.  85% of the records breached were harvested using malware customized for the target.  As a result, most malware used for these attacks is not detectable by modern antivirus systems.&lt;/p&gt;
&lt;p&gt;I'll cover the contents of the 2nd half of the report in a follow-up post.&lt;/p&gt;
&lt;/font&gt;&lt;/font&gt;&lt;img src="http://bmonday.com/aggbug/4837.aspx" width="1" height="1" /&gt;</content>
        <wfw:comment>http://bmonday.com/comments/4837.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://bmonday.com/comments/commentRss/4837.aspx</wfw:commentRss>
        <trackback:ping>http://bmonday.com/services/trackbacks/4837.aspx</trackback:ping>
    </entry>
    <entry>
        <title>ToorCamp 09 - I'm *SO* There</title>
        <link rel="alternate" type="text/html" href="http://bmonday.com/archive/2009/03/13/4836.aspx" />
        <id>http://bmonday.com/archive/2009/03/13/4836.aspx</id>
        <published>2009-03-13T23:34:56Z</published>
        <updated>2009-03-13T23:34:56Z</updated>
        <content type="html">&lt;p&gt;What do you get when you mix a bunch of techno-miscreants and a decommissioned Titan-1 Ballistic Missile Silo?  &lt;a href="http://www.toorcamp.org"&gt;ToorCamp 2009&lt;/a&gt;, that's what.&lt;/p&gt;
&lt;blockquote dir="ltr" style="MARGIN-RIGHT: 0px"&gt;&lt;span class="Apple-style-span" style="WORD-SPACING: 0px; FONT: 12px/16px 'Lucida Grande'; TEXT-TRANSFORM: none; TEXT-INDENT: 0px; WHITE-SPACE: normal; LETTER-SPACING: normal; BORDER-COLLAPSE: separate; TEXT-ALIGN: left; orphans: 2; widows: 2; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0"&gt;
&lt;p&gt;ToorCamp is the United State's first ever full-scale hacker camp. Modelled after the camps in Holland and Germany, ToorCamp will focus on all of the technology topics that ToorCon has become famous for but will expand out into other areas of society. ToorCamp will offer 2 days of talks on many different topics -- Security, Internet, Emerging Technologies, Hardware Hacking, and Privacy are just some of the areas we will be covering. ToorCamp will also feature 2 days of hands-on workshops on a multitude of different skills that you may have never found yourself interested in learning about before. Blacksmithing, Lock Picking, Orienteering, Logic Design, Archery -- these are just a few of the topics you can expect.&lt;/p&gt;
&lt;p&gt;ToorCamp is run by the same group that runs ToorCon and will also be heavily supported by many other hacker conferences in the US. ToorCamp will be organized as a bunch of different campsites which will be fully run by autonomous groups. We will provide the power and internet -- you provide the rest. We're heavily encouraging groups to build structures, setup art projects, throw parties, and generally do things that will show to the world that US hackers can throw a kickass hacker camp too!&lt;/p&gt;
&lt;p&gt;Oh, and did we mention it'll be at a Titan-1 Missile Silo? We've managed to find one of the best locations in the northwest to throw this event. We've partnered with a group of people who are currently retrofitting the Silo into an ultra-secure datacenter so internet connectivity won't be a problem. ToorCamp will be situated in central Washington roughly 3 hours driving distance from Seattle and within 15 minutes drive of a private international airport. Don't miss this once in a lifetime opportunity to make history with us and help launch the first public US hacker camp!&lt;/p&gt;
&lt;/span&gt;&lt;/blockquote&gt;&lt;img src="http://bmonday.com/aggbug/4836.aspx" width="1" height="1" /&gt;</content>
        <wfw:comment>http://bmonday.com/comments/4836.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://bmonday.com/comments/commentRss/4836.aspx</wfw:commentRss>
        <trackback:ping>http://bmonday.com/services/trackbacks/4836.aspx</trackback:ping>
    </entry>
    <entry>
        <title>Of Cameras and Goodbye Parties</title>
        <link rel="alternate" type="text/html" href="http://bmonday.com/archive/2009/03/13/4835.aspx" />
        <id>http://bmonday.com/archive/2009/03/13/4835.aspx</id>
        <published>2009-03-13T21:56:35Z</published>
        <updated>2009-03-13T21:56:35Z</updated>
        <content type="html">&lt;p&gt;My soon-to-be coworkers recently threw me a goodbye party during my current visit to Seattle, as is the tradition among my people.&lt;/p&gt;
&lt;p&gt;At some point during the festivities, someone brought me an entirely too small pink tank top and directed me to strip down and don it.  Having known these people for some time now, I knew refusal would get me nowhere, so I complied.  Naturally a camera was quickly unholstered to record the event for posterity.  I'm sure the pic was on various MySpace pages within the hour.&lt;/p&gt;
&lt;p&gt;As the pic made its rounds in the office the next day, my coworkers attempted to use it to cultivate various feelings of embarrassment and shame, but I stymied them all by shrugging it off as no big deal.&lt;/p&gt;
&lt;p&gt;You see, once you've been busted in public in a &lt;a href="http://bmonday.com/archive/2003/11/01/330.aspx"&gt;pink bunny suit wearing assless (and crotchless!) chaps&lt;/a&gt;, it takes a little more than wearing a simple pink wife-beater to make one blush...&lt;/p&gt;&lt;img src="http://bmonday.com/aggbug/4835.aspx" width="1" height="1" /&gt;</content>
        <wfw:comment>http://bmonday.com/comments/4835.aspx</wfw:comment>
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://bmonday.com/comments/commentRss/4835.aspx</wfw:commentRss>
        <trackback:ping>http://bmonday.com/services/trackbacks/4835.aspx</trackback:ping>
    </entry>
</feed>