<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Whatever Compliance &#187; IT Security</title>
	<atom:link href="http://www.whatevercompliance.com/category/it-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.whatevercompliance.com</link>
	<description>Savid Technologies thoughts on technology, information security, and business</description>
	<lastBuildDate>Sat, 15 May 2010 02:05:00 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Vulnerability Management Can Work Across Multiple Enterprises</title>
		<link>http://www.whatevercompliance.com/network-security/vulnerability-management-can-work-across-multiple-enterprises/</link>
		<comments>http://www.whatevercompliance.com/network-security/vulnerability-management-can-work-across-multiple-enterprises/#comments</comments>
		<pubDate>Tue, 13 Apr 2010 02:55:27 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[Business process]]></category>
		<category><![CDATA[enterprise vulnerability]]></category>
		<category><![CDATA[legal contracts]]></category>
		<category><![CDATA[management program]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security processes]]></category>
		<category><![CDATA[supply chain]]></category>
		<category><![CDATA[Supply chain management]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[vulnerability management]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=465</guid>
		<description><![CDATA[Security teams that manage security at a single company think their job is hard (it is!), but imagine if you have 10 partners accessing your network all day, every day! Learn the 3 steps to implement multi-enterprise vulnerability management the right way.]]></description>
			<content:encoded><![CDATA[<p>I just released a report for Dark Reading on how to build a multi-enterprise vulnerability management program. If you are dealing with outsourced vendors, or an outsourced supply chain, you should definitely <a href="http://www.darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=224300024">give the article a read</a>.</p>
<p>To summarize the article:</p>
<ol>
<li>Get your legal contracts in order. So many firms don&#8217;t put what they need from their partners into a contract. How do you expect to get what you need then?</li>
<li>Establish communication channels that work for everyone. If you don&#8217;t get the right people on the &#8220;phone&#8221;, nothing will get done &#8211; including your security processes.</li>
<li>Find the person with authority at your partner and ensure they are involved, otherwise your efforts will be useless.</li>
</ol>
<p>I offer many more details and tips within the article but step #1 is so critical that an entire article should be dedicated to just that!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/vulnerability-management-can-work-across-multiple-enterprises/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Internationalized Domain Names May Cause Resurgence in Phishing</title>
		<link>http://www.whatevercompliance.com/it-security/internationalized-domain-names-may-cause-resurgence-in-phishing/</link>
		<comments>http://www.whatevercompliance.com/it-security/internationalized-domain-names-may-cause-resurgence-in-phishing/#comments</comments>
		<pubDate>Tue, 06 Apr 2010 13:24:48 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[domain name system]]></category>
		<category><![CDATA[ebay]]></category>
		<category><![CDATA[paypal]]></category>
		<category><![CDATA[phishing scams]]></category>
		<category><![CDATA[spoofs]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=391</guid>
		<description><![CDATA[ICANN, the body responsible for regulating the domain name system for web addresses, has moved ahead with this plan to internationalize domain names.  While many countries are happy to see their native languages in their address bars, this creates an opportunity for age-old phishing scams to resurface.
]]></description>
			<content:encoded><![CDATA[<p>I was chatting about shortened URLs, did some research, and found out something I didn&#8217;t know was happening.</p>
<p>Here’s a test for you.  Let’s say you are linked to eBay from a suspicious source.  The page looks identical to ebay.com – all the graphics are the same and the URL in your address bar even reads www.ebаy.com.  You’re pretty up to speed on phishing attempts, so what about this page should make you suspicious?</p>
<p>The answer?  The “a” in ebay here may not be the Latin “a” you are used to seeing but a Cyrillic “a” that looks identical.  However, since this is a different character, ebay.com with a Cyrillic “a” is a completely different website – one that could utilize old phishing scams.</p>
<p>ICANN, the body responsible for regulating the domain name system for web addresses, has moved ahead with this plan to internationalize domain names.  While many countries are happy to see their native languages in their address bars, this creates an opportunity for age-old phishing scams to resurface.</p>
<p>This is a problem we are presented with now that domain names are becoming internationalized.  Regional top-level domains now include Russian, Chinese, and Arabic characters.  As I’ve shown you, this creates an opportunity for phishing attacks that steal the usernames and passwords of ebay or paypal users.</p>
<p>In the past, phishing sites used common misspellings of legitimate sites to fool users.  Now they can use the Cyrillic “a,” “B,” “m,” “e,” or the Arabic “l” to confuse even the most phishing-savvy users with identical spoofs.  Of course, the scam also works in reverse – substituting Latin letters into Cyrillic addresses.  New opportunities present themselves with the proliferation of international web addresses.</p>
<p>So far, at least, this trick has not been used frequently.  But experts expect cybercriminals to catch on.  This will lead to reputation problems for companies like paypal, ebay, yahoo, and other major websites whose domains contain letters with look-alikes in other scripts.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/it-security/internationalized-domain-names-may-cause-resurgence-in-phishing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Obama Twitter account hacked... it was a 1 in 80 chance</title>
		<link>http://www.whatevercompliance.com/network-security/obama-twitter-account-hacked/</link>
		<comments>http://www.whatevercompliance.com/network-security/obama-twitter-account-hacked/#comments</comments>
		<pubDate>Thu, 25 Mar 2010 18:58:04 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=455</guid>
		<description><![CDATA[President Obama's Twitter account was easily hacked because of problems in the way security questions are asked. A new paper released talks about how an average person has a 1 in 80 chance of guessing your secret account question.]]></description>
			<content:encoded><![CDATA[<p>According to the Wall Street Journal:</p>
<blockquote><p>A 24-year-old living with his mother in France was arrested for &#8216;hacking&#8217; into Obama&#8217;s twitter accounts in April 2009. Apparently he guesses the answer to a question related to password recovery in order to break into the accounts of famous people; he has no computer science training or financial motive. He posted screenshots to a few online forums and twitter found out within a few hours, either from a tip or from noticing when someone from France logs onto twitter as the President of the United States. (He did not actually tweet as POTUS, but just wanted to show he could break into the account.)</p></blockquote>
<p>Now, this is news in and of itself, but the interesting part is that the following academic paper, released about three weeks ago, showed how easy this attack really is to carry out. In this paper, Joseph Bonneau of the University of Cambridge and two colleagues from the University of Edinburgh show how attackers stand a <strong>1 in 80 chance</strong> of guessing the answers to common security questions, such as someone&#8217;s mother&#8217;s maiden name or their first school, within three attempts.</p>
<p>According to the blog post announcing the paper&#8217;s release, Joseph Bonneau states:</p>
<blockquote><p>There’s finally been a surge of academic research into the area in the last five years. It’s been shown, for example, that these questions <a href="http://cups.cs.cmu.edu/soups/2008/proceedings/p13Rabkin.pdf">are easy to look up online</a>, often <a href="http://www.informatics.indiana.edu/markus/papers/mmn.pdf">found in public records</a>, and <a href="http://research.microsoft.com/pubs/79594/oakland09.pdf">easy for friends and acquaintances to guess.</a></p></blockquote>
<p>This is probably what happened to President Obama&#8217;s account. It would be interesting to know what the answer to Obama&#8217;s secret question was, but it is very difficult to find the screenshots referenced in the WSJ article. The academic paper continues:</p>
<blockquote><p>It turns out the majority of personal knowledge questions ask for proper names of people, pets, and places, and the rest are trivially insecure (eg “What is my favourite day of the week?”).</p></blockquote>
<p>This is why your system should never ask for things like that. Companies are starting to try to solve this problem. At RSA there was a new company, RavenWhite, which seemed to have a unique new approach that you can learn about at <a href="http://www.ravenwhite.com/iforgotmypassword.html">http://www.ravenwhite.com/iforgotmypassword.html</a>.</p>
<p>People really need to rethink the way they implement security for the end user. There is no way any automated technology could have prevented Obama&#8217;s account from being attacked, simply because the attacker was using the system exactly as intended. It is what the user did afterward that differentiated the attacker from an actual Twitter user.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/obama-twitter-account-hacked/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>We need your help! 2010 Strategic Security Survey</title>
		<link>http://www.whatevercompliance.com/it-security/2010-strategic-security-survey/</link>
		<comments>http://www.whatevercompliance.com/it-security/2010-strategic-security-survey/#comments</comments>
		<pubDate>Thu, 18 Mar 2010 01:04:04 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=453</guid>
		<description><![CDATA[2010 marks the thirteenth year InformationWeek will track the evolution of security practices through our annual research and trending survey. Please join the 40,000+ security and IT professionals who’ve participated in this landmark study!]]></description>
			<content:encoded><![CDATA[<p>I am helping InformationWeek with their annual Security Survey this year and I need each of you to participate! Here are the details, or you can just go <a href="http://informationweek.2010strategicsecurity.sgizmo.com/">take the survey</a>.</p>
<blockquote><p>2010 marks the thirteenth year InformationWeek will track the evolution of security practices through our annual research and trending survey. Please join the 40,000+ security and IT professionals who’ve participated in this landmark study. Later this spring we’ll release the results in our much-anticipated InformationWeek Analytics 2010 Strategic Security report.</p>
<p>The survey runs through April 15 and will take approximately 10 minutes to complete. Responses will be kept confidential and used in aggregate only. As a token of our appreciation, everyone who completes the survey and provides contact information will automatically be entered into our prize drawing for a 55&#8243; LCD flat-panel HDTV valued at $1899.99.</p></blockquote>
<p><a href="http://informationweek.2010strategicsecurity.sgizmo.com/">Take the Survey!</a></p>
<p>Thanks!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/it-security/2010-strategic-security-survey/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>7 consecutive errors equals a Security Breach</title>
		<link>http://www.whatevercompliance.com/network-security/7-consecutive-errors-equals-a-security-breach/</link>
		<comments>http://www.whatevercompliance.com/network-security/7-consecutive-errors-equals-a-security-breach/#comments</comments>
		<pubDate>Fri, 12 Mar 2010 05:01:41 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[Christian Moldes]]></category>
		<category><![CDATA[exploitation]]></category>
		<category><![CDATA[gladwell]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[moldes]]></category>
		<category><![CDATA[plane crashes]]></category>
		<category><![CDATA[privileged account]]></category>
		<category><![CDATA[security breach]]></category>
		<category><![CDATA[security breaches]]></category>
		<category><![CDATA[security program]]></category>
		<category><![CDATA[verizon]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=450</guid>
		<description><![CDATA[Even with many controls in place you cannot always prevent a security breach. This is the exact reason why we recommend that incident response policies and processes (which should be tested just like you test your Disaster Recovery processes!) should be the FIRST THING you implement when building a security program at an organization, followed by detective controls such as logging to detect a breach as soon as possible.]]></description>
			<content:encoded><![CDATA[<p>Christian Moldes of Verizon Business has a great post about <a href="http://securityblog.verizonbusiness.com/2010/03/11/plane-crashes-and-security-breaches">Plane Crashes and Security Breaches</a> and how they are very similar. He hits it right on the head! During our engagement wrap-up meetings, where we explain the various potential scenarios an attacker can use to break into a client’s network, we are always asked to put a specific ranking on a specific risk. I argue that this almost doesn&#8217;t matter, because normally the big breaches are not from a single vulnerability but from many chained together.</p>
<p>Christian quotes Malcolm Gladwell, and says:</p>
<blockquote><p>The typical [plane] accident involves seven consecutive human errors.</p></blockquote>
<p>When we work with clients we normally see that breaches are caused by a chain of at least three errors: a vulnerability is exploited, then a misconfiguration is used to find the user name and password of a privileged account, and then data is found somewhere on the network where it wasn&#8217;t supposed to be, which the privileged account has access to.</p>
<p>Even with many controls in place you cannot always prevent a security breach. This is the exact reason why we recommend that incident response policies and processes (which should be tested just like you test your Disaster Recovery processes!) should be the FIRST THING you implement when building a security program at an organization, followed by detective controls such as logging to detect a breach as soon as possible.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/7-consecutive-errors-equals-a-security-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>4 Ways to Social Engineer Face to Face</title>
		<link>http://www.whatevercompliance.com/it-security/4-ways-to-social-engineer-face-to-face/</link>
		<comments>http://www.whatevercompliance.com/it-security/4-ways-to-social-engineer-face-to-face/#comments</comments>
		<pubDate>Wed, 10 Mar 2010 23:47:43 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[abn amro bank]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[humanOS]]></category>
		<category><![CDATA[penetration tests]]></category>
		<category><![CDATA[physical hacking]]></category>
		<category><![CDATA[physical security]]></category>
		<category><![CDATA[receptionist]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social engineer]]></category>
		<category><![CDATA[social engineering]]></category>
		<category><![CDATA[social engineers]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=371</guid>
		<description><![CDATA[While most traditional social engineering is used to exploit the vulnerabilities of the HumanOS over phone or online communications, we can’t rule out the possibility that social engineering can be most successful when it is face-to-face (plus it is a heck of a lot of fun!). Even though it puts the social engineer at direct risk, it offers the most reward for their efforts since it gives them direct access to your company’s office and hardware. Here are the top 4 ways to social engineer someone face-to-face.]]></description>
			<content:encoded><![CDATA[<p>While most traditional social engineering is used to exploit the vulnerabilities of the HumanOS over phone or online communications, we can’t rule out the possibility that social engineering can be most successful when it is face-to-face (plus it is a heck of a lot of fun!).  Even though it puts the social engineer at direct risk, it offers the most reward for their efforts since it gives them direct access to your company’s office and hardware.</p>
<p>For years now, forward-thinking companies have been performing their own social engineering penetration tests to discover bugs in the human hardware.  In these cases of face-to-face social engineering at your company office, these techniques can be divided into the following roles:</p>
<p><strong>The Service Technician</strong><br />
The service technician is a social engineer who poses as a person with a legitimate reason to enter your office.  They usually impersonate a service technician or repairman who has been hired to fix some company hardware, but they may also pose as co-workers, police, bankers, tax authorities, or insurance investigators.  This kind of criminal will often take their time to investigate the right thing to say and who to ask for.  In some cases, all they need is an authoritative, earnest tone of voice.  After all, they only need to be able to fool your receptionist.</p>
<p><strong>The Tailgater</strong><br />
The tailgater is someone who bypasses physical security by getting others to use their security cards to let them into an office.  The tailgater may simply grab the door before it closes as an employee enters the office, or they may casually ask an employee to hold the door for them.  If the tailgater sounds nonchalant, many employees just assume that they are supposed to be there.</p>
<p><strong>The Aggressor</strong><br />
The aggressor is not really a social engineer, but he does use his tricks while face-to-face with your employees.  The aggressor simply attacks one of your employees to steal their security card, and then uses it to casually enter the building.  The aggressor will investigate the physical security around an office building to determine where the security cameras are and choose an unseen place to hide.</p>
<p><strong>The Charmer</strong><br />
In 2007, a thief broke into the ABN Amro bank in Antwerp and made off with $21 million in diamonds.  This single thief bypassed one of the most high-tech security systems in the world not with brute force or an Ocean’s 11 level of complexity and organization, but with a stolen passport, a box of chocolates, and personal charm.  The charmer, who was never caught, posed as a successful businessman and visited the bank frequently, befriending the staff and gradually winning their confidence.  He even brought them chocolates.  He ultimately gained VIP access and used his passcard to walk right into the vault he knew contained the uncut diamonds.  If this charmer could successfully bypass a $2 million security system, what chance does your company have?</p>
<p>While it does put the social engineer at direct risk, face-to-face social engineering is obviously one of the easiest and most rewarding scams for criminals. If you are implementing social engineering assessments at your organization, make sure they include some face-to-face social engineering!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/it-security/4-ways-to-social-engineer-face-to-face/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Survive a DDoS Extortion Attack</title>
		<link>http://www.whatevercompliance.com/network-security/how-to-survive-a-ddos-extortion-attack/</link>
		<comments>http://www.whatevercompliance.com/network-security/how-to-survive-a-ddos-extortion-attack/#comments</comments>
		<pubDate>Wed, 24 Feb 2010 18:58:09 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[ddos attack]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[Denial-of-service attack]]></category>
		<category><![CDATA[extortionist]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[ransomware]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=383</guid>
		<description><![CDATA[Before the DDoS attack, the extortionist will contact the site webmaster and offer to spare them from the attack for a payment.  If the payment is not made by the given date, then the attack begins and the price usually increases.  ]]></description>
			<content:encoded><![CDATA[<p>Although I think DDoS extortion is declining due to the rise of lucrative ransomware and scareware tactics, DDoS extortion remains interesting to me due to its sheer supervillainy (plus the stories sound cool when you tell them). I was giving the example to a CSO I met today, and after hearing the story he asked, &#8220;How do I survive a DDoS extortion attack?&#8221; So here is how:</p>
<p>Businesses hit with these attacks have almost no recourse to fight back, and even have a disincentive to alert the authorities who could work to defend against them.</p>
<p>DDoS (distributed denial of service) extortion occurs when a hacker threatens to use a vast botnet of many infected computers to bombard a single target online.  Because the target’s resources are used up accommodating the botnet traffic, legitimate traffic is unable to reach the site, causing a denial of service.  This prevents businesses from using their website, which may be integral to their business operations.</p>
<p>Before the DDoS attack, the extortionist will contact the site webmaster and offer to spare them from the attack for a payment.  If the payment is not made by the given date, then the attack begins and the price usually increases.</p>
<p>Companies have three ways to respond:  pay the attacker, use DDoS protection, or go to the authorities.  Unfortunately, most companies choose to simply pay the attacker since it is the easiest and least expensive way to fix the problem.  This only emboldens these kinds of attacks, causing more extortion of other companies.</p>
<p>It is possible to use DDoS protection to block bots, but the extortionist will warn that if such an attempt is made they will only increase the number of bots attacking the website, making it much more expensive to deal with.</p>
<p>Going to the authorities can be so ineffective that extortionists will not even discourage their target from doing so.  Extortion attacks usually come from other countries, usually Eastern Europe, where the FBI has little recourse.  Furthermore, businesses are afraid of reporting the crime because it could damage their brand if it got out that they were helpless against extortionists.  This makes it harder for any countermeasures to be developed, since it is impossible to tell how often extortion occurs, how much money is extorted, and who the targets of extortionists are.  According to experts, every online gambling site is paying extortion fees, usually around $40,000.</p>
<p>For these reasons, too often companies will simply remain quiet about the extortion and pay their fee.  The ransom is much less than the costs incurred from a denial of service attack.  Sometimes, the extortionist even gives their victim the opportunity to pay for an attack on a competitor.  Why not?  It gives the victim a chance to level the playing field and the extortionist a chance to make even more money.</p>
<p>The best way to combat attacks like these is for businesses to put aside competitive differences and share their information regarding security and cyberattacks with industry peers and law enforcement authorities.  But that’s never going to happen and businesses are likely to continue to fight an every-man-for-themselves battle.</p>
<p>Until then, it’s up to companies to build up internal protections and beef up their security to protect against botnet attacks. Also, if this ever starts to happen to your business you can always contact me and I can see how I can help!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/how-to-survive-a-ddos-extortion-attack/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Petition Congress to Step Up and Act</title>
		<link>http://www.whatevercompliance.com/network-security/petition-congress-to-step-up-and-act/</link>
		<comments>http://www.whatevercompliance.com/network-security/petition-congress-to-step-up-and-act/#comments</comments>
		<pubDate>Tue, 23 Feb 2010 23:39:24 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=434</guid>
		<description><![CDATA[I received an email from John Zurawski at Authentify that I thought was worth posting. I personally am tired of bailing out the banks and continuing to spend tax payer money so I want to ask Congress to Step Up, start using our money for things that matter, and start to protect the end user&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p>I received an email from John Zurawski at Authentify that I thought was worth posting. I personally am tired of bailing out the banks and continuing to spend taxpayer money, so I want to ask Congress to step up, start using our money for things that matter, and start to protect end users by requiring the banks that don&#8217;t properly implement security controls to pay. John asked in his email for me to repost his email and ask others for help. Read below, and if you are heading to RSA, stop by the booth and sign the petition if you agree.</p>
<blockquote><p>I’m emailing to ask for your help in something that can make a difference at the RSA Conference.  In recent months it’s become apparent that many smaller banks, credit unions and ultimately small businesses are being victimized by organized cyber criminals.  We at Authentify, along with many others, believe it’s time to stop the bleeding.  The regulatory oversight of the financial services industry has plenty of “guidance”, but few actual requirements to protect their customers from sophisticated online criminals.  The breaking point has come with a bank suing its customer for being a “cyber-victim” and asking the courts to declare its security procedures as “commercially reasonable”.  The technologies exist to prevent most malware inflicted financial losses.  It’s time to get Congress to get involved.  Just as the federal government is making funds available to healthcare to get health records digitized and online, it’s time to use TARP funds or other sources &#8211; to REQUIRE that financial services firms protect their customers.</p>
<p>Authentify will be seeking signatures on a petition to Congress in its booth at the RSA Conference next week.  We have put this effort ahead of our new product introductions and other RSA promotions.   Please stop by Booth #732 on the Expo floor if you believe it’s never commercially reasonable to let a bank’s customers be victimized by malware.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/petition-congress-to-step-up-and-act/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Honeypot Reveals Password Weaknesses</title>
		<link>http://www.whatevercompliance.com/network-security/honeypot-reveals-password-weaknesses/</link>
		<comments>http://www.whatevercompliance.com/network-security/honeypot-reveals-password-weaknesses/#comments</comments>
		<pubDate>Mon, 22 Feb 2010 16:55:27 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[honeypots]]></category>
		<category><![CDATA[auditing software]]></category>
		<category><![CDATA[password crackers]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=393</guid>
		<description><![CDATA[The honeypot gathered hundreds of user names and tens of thousands of passwords that have been used in automated attacks.  The data told us a few things we already knew, basically that the most common password hack attempts resemble the most commonly used passwords.  But the data told us one new thing that we did not already know about password cracking.  That is, simply having a long password isn’t good enough anymore if it is still dictionary-based.  The honeypot attackers routinely used passwords 8-10 characters in length and would even try passwords 10, 15, or 20 characters long.  Also, hackers are persistent, even when using automated systems.  One tenacious attacker attempted 400,000 passwords to crack the fake FTP.
]]></description>
			<content:encoded><![CDATA[<p>Honeypots are a lot of fun for security professionals.  We get to trick the tricksters who try to trick security systems.  These opportunities give us whitehats a chance to be a little devious for once and get into the heads of those we are protecting against.</p>
<p>So Microsoft conducted a little honeypot of their own to collect some data on the kinds of automated password attacks hackers are using to break into user accounts.  They created a fake FTP server and allowed hackers to go to town trying to crack the password for about a year.  The FTP server logged and processed the information gathered from login attempts.</p>
<p>The honeypot gathered hundreds of user names and tens of thousands of passwords that have been used in automated attacks.  The data told us a few things we already knew, basically that the most common password hack attempts resemble the most commonly used passwords.  But the data told us one new thing that we did not already know about password cracking.  That is, simply having a long password isn’t good enough anymore if it is still dictionary-based.  The honeypot attackers routinely used passwords 8-10 characters in length and would even try passwords 10, 15, or 20 characters long.  Also, hackers are persistent, even when using automated systems.  One tenacious attacker attempted 400,000 passwords to crack the fake FTP.</p>
<p>The emphasis on password strengthening is now more relevant than ever with the reemergence of “L0phtCrack” – a password auditing tool.  L0phtCrack attempts to crack passwords at swift speeds by scanning through a dictionary of words and forming probable password guesses.  Basically, it does the exact same thing as the automated password crackers the hackers use, but for whitehat purposes.  Of course, critics are worried that L0phtCrack is a double-edged sword since it could be used for that very purpose.</p>
<p>Passwords are actually the easiest security measure for ensuring protection.  As long as your password follows the basic password strengthening guidelines – length, alphanumeric characters, case variance, special characters, etc. – it should never be cracked.  At least, not by an automated tool.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/honeypot-reveals-password-weaknesses/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NASA Security Embarrassment</title>
		<link>http://www.whatevercompliance.com/network-security/nasa-security-embarrassment/</link>
		<comments>http://www.whatevercompliance.com/network-security/nasa-security-embarrassment/#comments</comments>
		<pubDate>Sat, 20 Feb 2010 03:51:12 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[FISMA]]></category>
		<category><![CDATA[Government Accountability Office]]></category>
		<category><![CDATA[National Aeronautics and Space Administration]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=373</guid>
		<description><![CDATA[As the report states, “NASA’s high profile and cutting edge technology makes the agency an attractive target for hackers seeking recognition, or for nation-state sponsored cyber spying.”  NASA’s security gaps leave the agency susceptible to data theft by competing space programs or private-sector companies that wish to gain a competitive advantage.  At the same time, terrorist groups may use cyber attacks to disrupt or destroy NASA missions.  Attacks could also come from identity thieves seeking the sensitive personal information NASA holds on its nearly 20,000 employees.
]]></description>
			<content:encoded><![CDATA[<p>We bid for some FISMA work at NASA, so I thought I would share with everyone what NASA hasn’t been doing properly.  You might think that, out of all U.S. federal agencies, NASA would be among the top ranking in cybersecurity defense.  But according to a report issued by the Government Accountability Office, the National Aeronautics and Space Administration was hit with 1,120 security incidents in 2007 and 2008.</p>
<p>It seems that at NASA, malware installations, data breaches, stolen laptops, and botnet infections are commonplace.  Among the stolen information was unencrypted data on a prototype hypersonic jet and plans for a lunar orbiter space telescope.  Some time ago, 82 NASA computers were found to be part of a Ukrainian botnet and 86 computers were infected by the Zoneback Trojan.</p>
<p>Since then, NASA was told to plug its security holes, but the new report by the GAO says NASA has not done enough.  Apparently, it isn’t difficult for intruders to infiltrate NASA networks and steal, delete, or modify mission-critical information.</p>
<p>As the report states, “NASA’s high profile and cutting edge technology makes the agency an attractive target for hackers seeking recognition, or for nation-state sponsored cyber spying.”  NASA’s security gaps leave the agency susceptible to data theft by competing space programs or private-sector companies that wish to gain a competitive advantage.  At the same time, terrorist groups may use cyber attacks to disrupt or destroy NASA missions.  Attacks could also come from identity thieves seeking the sensitive personal information NASA holds on its nearly 20,000 employees.</p>
<p>I believe the security gaps at NASA put our national interests at risk and weaken the strategic technological advantage of the US.  But the mere existence of these security holes creates an embarrassing situation that may embolden hackers to increase their attacks on other government agencies.  After all, if security is so poor at NASA, then how much better could it be at crucial military organizations?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/nasa-security-embarrassment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
