<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Whatever Compliance &#187; General</title>
	<atom:link href="http://www.whatevercompliance.com/category/general/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.whatevercompliance.com</link>
	<description>Savid Technologies thoughts on technology, information security, and business</description>
	<lastBuildDate>Sat, 15 May 2010 02:05:00 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Lance Spitzner&#8217;s New Blog &#8211; Securing the Human</title>
		<link>http://www.whatevercompliance.com/general/lance-spitzners-new-blog-securing-the-human/</link>
		<comments>http://www.whatevercompliance.com/general/lance-spitzners-new-blog-securing-the-human/#comments</comments>
		<pubDate>Thu, 01 Apr 2010 18:03:52 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=459</guid>
		<description><![CDATA[My friend, Lance Spitzner, founder of the Honeynet Project, has launched a new blog on securing the human. Check it out!]]></description>
			<content:encoded><![CDATA[<p></p><p>My friend, Lance Spitzner, founder of the Honeynet Project, has <a href="http://www.honeytech.com/blog/">launched a new blog</a> on securing the human. Lance focuses on providing quality, cutting-edge security awareness programs to private companies.</p>
<p>Lance does fantastic work. <a href="http://www.honeytech.com/blog/">Go read his blog!</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/general/lance-spitzners-new-blog-securing-the-human/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>I realize I am getting old</title>
		<link>http://www.whatevercompliance.com/general/i-realize-i-am-getting-old/</link>
		<comments>http://www.whatevercompliance.com/general/i-realize-i-am-getting-old/#comments</comments>
		<pubDate>Mon, 01 Feb 2010 16:33:26 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=401</guid>
		<description><![CDATA[So I was talking with a client last week and they mentioned that they haven&#8217;t seen any new blog posts from me in a while. I said that was weird because I had just posted yesterday. When I get back to the office, I go online to this site from another PC and, lo and behold, [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>So I was talking with a client last week and they mentioned that they haven&#8217;t seen any new blog posts from me in a while. I said that was weird because I had just posted yesterday. When I get back to the office, I go online to this site from another PC and, lo and behold, no blog post.</p>
<p>Apparently, I was logging into and using our beta site because I had my hosts file specifically pointed to a different server that hosted our beta site. So&#8230;there are a bunch of blog posts that you will see coming that were actually posted months ago!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/general/i-realize-i-am-getting-old/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber-warfare is overrated, Cyber-Crime is the real issue we need to address</title>
		<link>http://www.whatevercompliance.com/network-security/cyber-warefare-is-overrated-cyber-crime-is-the-real-issue-we-need-to-address/</link>
		<comments>http://www.whatevercompliance.com/network-security/cyber-warefare-is-overrated-cyber-crime-is-the-real-issue-we-need-to-address/#comments</comments>
		<pubDate>Wed, 02 Sep 2009 14:18:02 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyber terrorism]]></category>
		<category><![CDATA[cyber warfare]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[fraud detection]]></category>
		<category><![CDATA[fraud issues]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[scheiner]]></category>
		<category><![CDATA[security companies]]></category>
		<category><![CDATA[small businesses]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=329</guid>
		<description><![CDATA[So why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety.]]></description>
			<content:encoded><![CDATA[<p></p><p><a href="http://www.schneier.com/blog/archives/2009/09/the_exaggerated.html">Bruce Schneier</a> is talking about a great post at the Boston Review about <a href="http://bostonreview.net/BR34.4/morozov.php">the new age of cyber-warfare</a>, and how cyber-warfare is greatly exaggerated. I couldn&#8217;t agree more. Granted, the US government has a cyber-warfare problem. All governments do; however, the bigger problem that is more real today is cyber-crime. I spoke at the Federal Reserve last week on this exact topic.</p>
<p>Small businesses are now being targeted because they have more money in their accounts and it is easier to transfer larger sums of money out of their accounts without fraud detection going off at banks.</p>
<p>A quote from the review sums it all up:</p>
<blockquote><p>So why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armageddon draw attention, even if they are relatively short on facts.</p></blockquote>
<p>I try very hard not to do what they describe when I speak but it can be difficult especially to those that are not familiar with the problem. Cyber-crime is the death by a thousand cuts type of problem. $3,000 here, $5,000 there, but it all adds up pretty quickly. Cyber-warfare is much bigger and easier to point at than these small little fraud issues.</p>
<p>If you have 10 minutes of time, read the <a href="http://bostonreview.net/BR34.4/morozov.php">Boston Review article</a> and give me some feedback. Are we in a situation where we as citizens have to be concerned about cyber-warfare like we were concerned about nukes in years past?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/cyber-warefare-is-overrated-cyber-crime-is-the-real-issue-we-need-to-address/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Can I see your CyberSecurity License # please?</title>
		<link>http://www.whatevercompliance.com/network-security/can-i-see-your-cybersecurity-license/</link>
		<comments>http://www.whatevercompliance.com/network-security/can-i-see-your-cybersecurity-license/#comments</comments>
		<pubDate>Sat, 29 Aug 2009 15:48:48 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[government networks]]></category>
		<category><![CDATA[license requirement]]></category>
		<category><![CDATA[northrup]]></category>
		<category><![CDATA[private sector]]></category>
		<category><![CDATA[S.773]]></category>
		<category><![CDATA[security professionals]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=327</guid>
		<description><![CDATA[There is a bill, S.773, floating around the Senate that will require cybersecurity professionals in the future to be licensed, similar to how a general contractor, electrician, etc. is licensed. Furthermore, according to CNET News, "[the bill] appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency."

Will this bill pass? Or even more important, is it a good idea?]]></description>
			<content:encoded><![CDATA[<p></p><p>There is a bill, S.773, floating around the Senate that will require cybersecurity professionals in the future to be licensed, similar to how a general contractor, electrician, etc. is licensed. Furthermore, according to <a href="http://news.cnet.com/8301-13578_3-10320096-38.html">CNET News</a>, &#8220;[the bill] appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.&#8221;</p>
<p>Will this bill pass? Or even more important, is it a good idea?</p>
<p>I don&#8217;t think we will see a license requirement anytime soon. When I was at Blackhat I saw Booz, Northrop, and the like executing a massive recruiting effort. The government is trying to hire thousands of cybersecurity professionals. Requiring licensing will delay this by years as those in the field get licensed. With the various security certifications we have now, who will be the governing body to determine what data goes into the certification? Most of the certifications in my view are worthless and I would take a guy (or girl) that has been &#8220;on the front lines&#8221; before I take a person with 4 certifications and little experience.</p>
<p>What about the ability to take control of private networks in an emergency? From my experience, there is no way in hell I want the government touching my private network. Most government networks are LESS secure than their private counterparts! Furthermore, there has been a massive brain drain from government to the private sector for cyber security positions, so who will have the best skilled people available in case of an emergency? Perhaps we should let the private sector take control of government networks during a crisis?</p>
<p>Interested in reading the <a href="http://www.politechbot.com/docs/rockefeller.revised.cybersecurity.draft.082709.pdf">55 page excerpt</a>?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/can-i-see-your-cybersecurity-license/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>SOX May Be Overturned by Supreme Court</title>
		<link>http://www.whatevercompliance.com/general/sox-may-be-overturned-by-supreme-court/</link>
		<comments>http://www.whatevercompliance.com/general/sox-may-be-overturned-by-supreme-court/#comments</comments>
		<pubDate>Mon, 17 Aug 2009 16:06:25 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[accounting oversight board]]></category>
		<category><![CDATA[compliance regulations]]></category>
		<category><![CDATA[constitutional requirements]]></category>
		<category><![CDATA[PCAOB]]></category>
		<category><![CDATA[public company accounting oversight board]]></category>
		<category><![CDATA[regulatory powers]]></category>
		<category><![CDATA[Ron Paul]]></category>
		<category><![CDATA[sarbanes oxley act]]></category>
		<category><![CDATA[sox compliance]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=306</guid>
		<description><![CDATA[The lawsuit claims the Sarbanes-Oxley Act violates constitutional requirements since it gives the Public Company Accounting Oversight Board regulatory powers over the accounting industry, and yet its members are not appointed by the President.  They argue that this is a violation of the separation of powers specified in the constitution that leaves the President with insufficient control over what could be considered an executive function.
]]></description>
			<content:encoded><![CDATA[<p></p><p>A new lawsuit by the Free Enterprise Fund going to the Supreme Court soon challenges the constitutional validity of a certain provision in the Sarbanes-Oxley Act.</p>
<p>The lawsuit claims the Sarbanes-Oxley Act violates constitutional requirements since it gives the Public Company Accounting Oversight Board regulatory powers over the accounting industry, and yet its members are not appointed by the President.  They argue that this is a violation of the separation of powers specified in the constitution that leaves the President with insufficient control over what could be considered an executive function.</p>
<p>But to me it sounds like a technicality, pointed at those clamoring for the downfall of SOX.  Since SOX lacks a severability clause, if the lawsuit prevails then the entire Act would be thrown out, not just the part about PCAOB appointees.  This is probably what the Free Enterprise Fund is planning on.</p>
<p>Opponents of Sarbanes-Oxley are many and they’d love to see SOX thrown out.  Ron Paul, to name one, argues that SOX compliance gives U.S. corporations a competitive disadvantage with foreign markets.  Both foreign and U.S. firms that do not wish to endure the intrusive compliance regulations of SOX are deregistering from the U.S. stock exchange.  This is understandable since the compliance costs SOX imposes have averaged $5.1 million.  The year after it became law, the number of companies de-registering from the stock exchange tripled.</p>
<p>The Act also seems to discourage the initial public offering market from growing.  Startups can hardly afford the SOX compliance costs in order to qualify for stock market registration.  But without investors these companies don’t have much of a chance to grow.</p>
<p>On the other hand, many of these companies fleeing from stock exchange registration because of SOX may have something to hide.  In those cases, SOX is doing its job of preventing companies that employ crooked accounting practices from swindling mom and pop investors.</p>
<p>It remains to be seen how the Supreme Court will rule on the lawsuit and, if the lawsuit prevails, how it will end up reforming all aspects of the Sarbanes-Oxley Act.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/general/sox-may-be-overturned-by-supreme-court/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Yes&#8230;I am alive!</title>
		<link>http://www.whatevercompliance.com/general/yes-i-am-alive/</link>
		<comments>http://www.whatevercompliance.com/general/yes-i-am-alive/#comments</comments>
		<pubDate>Fri, 14 Aug 2009 13:17:36 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=308</guid>
		<description><![CDATA[Sorry for the lack of posts the past two weeks. I was in Vegas for BlackHat and Defcon, took a couple day break, and then Boston, but now I am back in action! More posts to come in the next few days.]]></description>
			<content:encoded><![CDATA[<p></p><p>Sorry for the lack of posts the past two weeks. I was in Vegas for BlackHat and Defcon, took a couple day break, and then Boston, but now I am back in action! More posts to come in the next few days.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/general/yes-i-am-alive/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Going to Blackhat? Meet me for drinks and receive a signed copy of Hacking Exposed: Malware and Rootkits</title>
		<link>http://www.whatevercompliance.com/general/going-to-blackhat-meet-me-for-drinks-and-receive-a-signed-copy-of-hacking-exposed-malware-and-rootkits/</link>
		<comments>http://www.whatevercompliance.com/general/going-to-blackhat-meet-me-for-drinks-and-receive-a-signed-copy-of-hacking-exposed-malware-and-rootkits/#comments</comments>
		<pubDate>Fri, 24 Jul 2009 23:08:32 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[blackhat]]></category>
		<category><![CDATA[hacking exposed]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[rootkits]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=286</guid>
		<description><![CDATA[Going to Blackhat? Meet me for drinks and receive a signed copy of Hacking Exposed: Malware and Rootkits. Register to attend the event to receive your signed copy of Hacking Exposed: Malware and Rootkits]]></description>
			<content:encoded><![CDATA[<p></p><p><strong>You have read the book, now meet the author, and receive a complimentary signed copy of the upcoming Hacking Exposed: Malware and Rootkits.</strong> Meet me, Michael A. Davis, author of Hacking Exposed, 5th Edition, and the upcoming Hacking Exposed: Malware and Rootkits for drinks and security conversation at the Blackhat Security Conference.</p>
<p>I would like to offer you an invitation to meet me and talk about the latest threats and risks at <strong><span>The Playboy Club</span></strong> at the Palms Hotel and register for a <strong>complimentary signed copy of my book Hacking Exposed: Malware and Rootkits</strong> when it is released the first week of September. <strong>Complimentary Drinks and Cocktails</strong> will be served at <span><strong>The Playboy Club</strong></span> at the Palms Hotel on <span><strong>Thursday, July 30th at 8:30PM</strong></span>.</p>
<p>Come meet me and we can discuss topics one on one such as:</p>
<ul type="disc">
<li><strong>Latest threats</strong> seen in the wild</li>
<li><strong>Real world examples</strong> of how to protect your organization</li>
<li><strong>What works</strong> in getting your management to <strong>understand the threats</strong></li>
<li><strong>Advanced rootkit techniques</strong> that the latest threats are using to stay on your systems longer</li>
</ul>
<p>If you would like to attend, please <a href="http://www.savidtech.com/blackhat_meeting.html">Register to attend the event</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/general/going-to-blackhat-meet-me-for-drinks-and-receive-a-signed-copy-of-hacking-exposed-malware-and-rootkits/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Only 5 more states left!</title>
		<link>http://www.whatevercompliance.com/general/only-5-more-left/</link>
		<comments>http://www.whatevercompliance.com/general/only-5-more-left/#comments</comments>
		<pubDate>Wed, 22 Jul 2009 22:01:47 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=284</guid>
		<description><![CDATA[Missouri has become the 45th state to enact data breach notification legislation, leaving 5 states without one. ]]></description>
			<content:encoded><![CDATA[<p></p><p><span style="font-size: 10pt;">Missouri has become the 45th state to enact data breach notification legislation, leaving 5 states without one. Governor Jay Nixon signed House Bill 62 into law on July 9, 2009. The new law goes into effect on August 28, 2009. Of course, the legislation has an &#8220;encrypted get out of jail free card&#8221; like many others, but the law contains a rather broad definition of personal information including certain uses of first and last name with other standard PII such as SSN and account numbers. Some other interesting points are that if an entity must notify more than 1000 residents, it must notify the Missouri Attorney General’s office and the nationwide consumer reporting agencies of the breach, and that civil penalties for violating the statute may reach up to $150,000 per breach of the security of the system.</span></p>
<p><span style="font-size: 10pt;">$150k isn&#8217;t much.<br />
</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/general/only-5-more-left/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hackers to VAServ:  “it was ur own stupidity and excessive passwd reuse”</title>
		<link>http://www.whatevercompliance.com/general/hackers-to-vaserv-%e2%80%9cit-was-ur-own-stupidity-and-excessive-passwd-reuse%e2%80%9d/</link>
		<comments>http://www.whatevercompliance.com/general/hackers-to-vaserv-%e2%80%9cit-was-ur-own-stupidity-and-excessive-passwd-reuse%e2%80%9d/#comments</comments>
		<pubDate>Tue, 21 Jul 2009 17:17:15 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[configuration management]]></category>
		<category><![CDATA[Foster]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[Inquisitr]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[K T Ligesh]]></category>
		<category><![CDATA[Kloxo]]></category>
		<category><![CDATA[LxLabs]]></category>
		<category><![CDATA[passwd]]></category>
		<category><![CDATA[poor password]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[VAServ]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=250</guid>
		<description><![CDATA[The hackers told Foster that repeated use of the same four passwords made it easy to infiltrate the VPS “thanks to ur mad passwds” – one of which they claim was “f0ster.”  
]]></description>
			<content:encoded><![CDATA[<p></p><p>Not long ago, I reported on the hacking incident at web service provider VAServ.  The breach, which was attributed to vulnerabilities in LxLabs’ virtualization administration software, resulted in data loss for more than 100,000 customers and possibly one suicide at LxLabs.  Now, it appears as though the breach was not caused by LxLabs’ software at all, but by frequent password reuse – if you believe the comments on “The Inquisitr” that were left by the actual hackers.</p>
<p>After “The Inquisitr” posted the story, an anonymous comment linked to a message presumably left by the hackers.  The message denied they exploited vulnerabilities in LxLabs’ Kloxo software, “Z3r0 day in hypervm?? plz u give us too much credit,” and instead put the blame on Rus Foster, director of VAServ.com – “If you really really wanna know how you got wtfpwned bitch it was ur own stupidity and excessive passwd reuse.”</p>
<p>The hackers told Foster that repeated use of the same four passwords made it easy to infiltrate the VPS “thanks to ur mad passwds” – one of which they claim was “f0ster.”</p>
<p>Foster denies that poor password and configuration management led to the hack.  He says the hacker comments must be made up since he “doesn’t recognize” any of the passwords revealed in the post.</p>
<p>The assumed hackers said their motive was boredom, “We got bored so we decided to initiate operation rmfication and hypervm was a great t00l to do that since it spared us the time of sshing into all ur 200 boxen just to issue rm -rf.”</p>
<p>Since the catastrophe that deleted the websites of thousands of small businesses, Foster announced VAServ was being taken over by a larger hosting provider known as BlueSquare.  Customers who used managed accounts, though, would have their data recovered since those accounts feature an autosave backup.</p>
<p>The hacker message is vague enough that it could have been written by someone who is simply skilled in hacker parlance:</p>
<p>“BTW Rus we still have ur billing system wtfpwned and baqdoored we got ****load of CCz from ur retarded customers thanks a lot buddy. Telling you this cuz we got bored of this ****, it’s just too easy and monotonous so patch ur crap, if your too dumb to secure a simple web server my rate is $100/hour or one night with ur sister hauhaiahiaha.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/general/hackers-to-vaserv-%e2%80%9cit-was-ur-own-stupidity-and-excessive-passwd-reuse%e2%80%9d/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>I can guess your Social Security Number</title>
		<link>http://www.whatevercompliance.com/general/i-can-guess-your-social-security-number/</link>
		<comments>http://www.whatevercompliance.com/general/i-can-guess-your-social-security-number/#comments</comments>
		<pubDate>Tue, 07 Jul 2009 14:57:55 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[black market]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[carnegie mellon university]]></category>
		<category><![CDATA[credit cards numbers]]></category>
		<category><![CDATA[date of birth]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[fraudulent credit cards]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[social security number]]></category>
		<category><![CDATA[social security numbers]]></category>
		<category><![CDATA[SSN]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=240</guid>
		<description><![CDATA[A new report suggests that with your date of birth and state of birth I can accurately predict what your Social Security Number will be. Will this decrease the value of an SSN in the hacker black market?]]></description>
			<content:encoded><![CDATA[<p></p><p>A <a href="http://www.pnas.org/content/early/2009/07/02/0904891106.full.pdf+html">new report</a> suggests that with your date of birth and state of birth I can accurately <a href="http://www.pnas.org/content/early/2009/07/02/0904891106.full.pdf+html">predict what your Social Security Number will be</a>. Will this decrease the value of an SSN in the hacker black market?</p>
<p>The researchers from Carnegie Mellon University used pattern analysis to statistically &#8220;guess&#8221; what your social security number should be.  They analyzed the social security numbers of those that have died to determine what numbers could be available in the future and then used their pattern analysis data to determine what possible combinations can be further removed from the dataset based on your state of birth and date of birth.</p>
<p>The researchers identified in a single attempt the first five Social Security digits for 44 percent of the records of the people listed as dead from 1989 to 2003 and the complete Social Security numbers in fewer than 1,000 attempts for 8.5 percent of those records.</p>
<p>&#8220;Extrapolating to the U.S. living population, this would imply the potential identification of millions of SSNs for individuals whose birth data were available,&#8221; the report states.</p>
<p>What makes the report very worth reading is that toward the end of the report, the researchers use a scenario involving a botnet being used to apply for fraudulent credit cards based on guessing an 18 year old&#8217;s SSN. Although the report makes use of a couple of assumptions, including how easy it is to find birth date data for US residents, the general idea of predicting SSNs for fraudulent use is an interesting one.</p>
<p>The algorithms used to extrapolate and create credit card numbers have been available for years, and many credit card scam artists will use the algorithms to ensure the credit card numbers they have are legitimate. I expect the same to now occur in the next few years for SSNs. Data quality will be a problem that many botnet and identity theft attackers will be concerned with.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/general/i-can-guess-your-social-security-number/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
