<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Whatever Compliance &#187; Network security</title>
	<atom:link href="http://www.whatevercompliance.com/category/network-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.whatevercompliance.com</link>
	<description>Savid Technologies thoughts on technology, information security, and business</description>
	<lastBuildDate>Sat, 15 May 2010 02:05:00 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Vulnerability Management Can Work Across Multiple Enterprises</title>
		<link>http://www.whatevercompliance.com/network-security/vulnerability-management-can-work-across-multiple-enterprises/</link>
		<comments>http://www.whatevercompliance.com/network-security/vulnerability-management-can-work-across-multiple-enterprises/#comments</comments>
		<pubDate>Tue, 13 Apr 2010 02:55:27 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[Business process]]></category>
		<category><![CDATA[enterprise vulnerability]]></category>
		<category><![CDATA[legal contracts]]></category>
		<category><![CDATA[management program]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security processes]]></category>
		<category><![CDATA[supply chain]]></category>
		<category><![CDATA[Supply chain management]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[vulnerability management]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=465</guid>
		<description><![CDATA[Security teams that manage security at a single company think their job is hard (it is!), but imagine if you have 10 partners accessing your network all day, every day! Learn the 3 steps to implement multi-enterprise vulnerability management the right way.]]></description>
			<content:encoded><![CDATA[<p>I just released a report for Dark Reading on how to build a multi-enterprise vulnerability management program. If you are dealing with outsourced vendors or an outsourced supply chain, you should definitely <a href="http://www.darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=224300024">give the article a read</a>.</p>
<p>To summarize the article:</p>
<ol>
<li>Get your legal contracts in order. So many firms don&#8217;t put what they need from their partners into a contract. How do you expect to get what you need then?</li>
<li>Establish communication channels that work for everyone. If you don&#8217;t get the right people on the &#8220;phone&#8221;, nothing will get done &#8211; including your security processes.</li>
<li>Find the person with authority at your partner and ensure they are involved, otherwise your efforts will be useless.</li>
</ol>
<p>I offer many more details and tips within the article but step #1 is so critical that an entire article should be dedicated to just that!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/vulnerability-management-can-work-across-multiple-enterprises/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Obama Twitter account hacked..it was a 1 in 80 chance</title>
		<link>http://www.whatevercompliance.com/network-security/obama-twitter-account-hacked/</link>
		<comments>http://www.whatevercompliance.com/network-security/obama-twitter-account-hacked/#comments</comments>
		<pubDate>Thu, 25 Mar 2010 18:58:04 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=455</guid>
		<description><![CDATA[President Obama's Twitter account was easily hacked because of problems in the way security questions are asked. A new paper released talks about how an average person has a 1 in 80 chance of guessing your secret account question.]]></description>
			<content:encoded><![CDATA[<p>According to the Wall Street Journal:</p>
<blockquote><p>A 24-year-old living with his mother in France was arrested for &#8216;hacking&#8217; into Obama&#8217;s twitter accounts in April 2009. Apparently he guesses the answer to a question related to password recovery in order to break into the accounts of famous people; he has no computer science training or financial motive. He posted screenshots to a few online forums and twitter found out within a few hours, either from a tip or from noticing when someone from France logs onto twitter as the President of the United States. (He did not actually tweet as POTUS, but just wanted to show he could break into the account.)</p></blockquote>
<p>Now, this is news in and of itself, but the interesting part is that the following academic paper, released about three weeks ago, showed how easy this hack really is to carry out. In this paper, Joseph Bonneau of the University of Cambridge and two colleagues from the University of Edinburgh show how attackers stand a <strong>1 in 80 chance</strong> of guessing common security questions, such as someone&#8217;s mother&#8217;s maiden name or their first school, within three attempts.</p>
<p>According to the blog post announcing the paper&#8217;s release, Joseph Bonneau states:</p>
<blockquote><p>There’s finally been a surge of academic research into the area in the last five years. It’s been shown, for example, that these questions <a href="http://cups.cs.cmu.edu/soups/2008/proceedings/p13Rabkin.pdf">are easy to look up online</a>, often <a href="http://www.informatics.indiana.edu/markus/papers/mmn.pdf">found in public records</a>, and <a href="http://research.microsoft.com/pubs/79594/oakland09.pdf">easy for friends and acquaintances to guess.</a></p></blockquote>
<p>This is probably what happened to President Obama&#8217;s account. It would be interesting to know what the answer to Obama&#8217;s secret question was, but it is very difficult to find the screenshots referenced in the WSJ article. The academic paper continues:</p>
<blockquote><p>It turns out the majority of personal knowledge questions ask for proper names of people, pets, and places, and the rest are trivially insecure (eg “What is my favourite day of the week?”).</p></blockquote>
<p>This is why your system should never ask for things like that. Companies are starting to try to solve this problem. At RSA there was a new company, RavenWhite, which seemed to have a unique new approach that you can learn about at <a href="http://www.ravenwhite.com/iforgotmypassword.html">http://www.ravenwhite.com/iforgotmypassword.html</a>.</p>
<p>People really need to rethink the way they implement security for the end user. There is no way any automated technology could have prevented Obama&#8217;s account from being attacked, simply because the attacker was using the system exactly as intended. It is what the user did afterward that differentiated the attacker from an actual Twitter user.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/obama-twitter-account-hacked/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>7 consecutive errors equals a Security Breach</title>
		<link>http://www.whatevercompliance.com/network-security/7-consecutive-errors-equals-a-security-breach/</link>
		<comments>http://www.whatevercompliance.com/network-security/7-consecutive-errors-equals-a-security-breach/#comments</comments>
		<pubDate>Fri, 12 Mar 2010 05:01:41 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[Christian Moldes]]></category>
		<category><![CDATA[exploitation]]></category>
		<category><![CDATA[gladwell]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[moldes]]></category>
		<category><![CDATA[plane crashes]]></category>
		<category><![CDATA[privileged account]]></category>
		<category><![CDATA[security breach]]></category>
		<category><![CDATA[security breaches]]></category>
		<category><![CDATA[security program]]></category>
		<category><![CDATA[verizon]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=450</guid>
		<description><![CDATA[Even with many controls in place you cannot always prevent a security breach. This is the exact reason why we recommend that incident response policies and processes (Which should be tested like you test your Disaster Recovery processes!) should be the FIRST THING you implement when building a security program at an organization followed by detective controls such as logging to detect a breach as soon as possible.]]></description>
			<content:encoded><![CDATA[<p>Christian Moldes of Verizon Business has a great post about <a href="http://securityblog.verizonbusiness.com/2010/03/11/plane-crashes-and-security-breaches">Plane Crashes and Security Breaches</a> and how they are very similar. He hits it right on the head! During our engagement wrap-up meetings, where we explain the various potential scenarios an attacker can use to break into a client’s network, we are always asked to put a specific ranking on a specific risk. I argue that it almost doesn&#8217;t matter, because normally the big breaches are not from a single vulnerability but from many chained together.</p>
<p>Christian quotes Malcolm Gladwell, who says:</p>
<blockquote><p>The typical [plane] accident involves seven consecutive human errors.</p></blockquote>
<p>When we work with clients we normally see that breaches are caused by a chain of at least three errors: exploitation of a vulnerability; then a misconfiguration is used to find a privileged account user name and password; and then data is found on the network somewhere it wasn&#8217;t supposed to be, where the privileged account has access to it.</p>
<p>Even with many controls in place you cannot always prevent a security breach. This is the exact reason why we recommend that incident response policies and processes (Which should be tested like you test your Disaster Recovery processes!) should be the FIRST THING you implement when building a security program at an organization followed by detective controls such as logging to detect a breach as soon as possible.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/7-consecutive-errors-equals-a-security-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Survive a DDoS Extortion Attack</title>
		<link>http://www.whatevercompliance.com/network-security/how-to-survive-a-ddos-extortion-attack/</link>
		<comments>http://www.whatevercompliance.com/network-security/how-to-survive-a-ddos-extortion-attack/#comments</comments>
		<pubDate>Wed, 24 Feb 2010 18:58:09 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[ddos attack]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[Denial-of-service attack]]></category>
		<category><![CDATA[extortionist]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[ransomware]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=383</guid>
		<description><![CDATA[Before the DDoS attack, the extortionist will contact the site webmaster and offer to spare them from the attack for a payment.  If the payment is not made by the given date, then the attack begins and the price usually increases.  ]]></description>
			<content:encoded><![CDATA[<p>Although I think DDoS extortion is declining due to the rise of lucrative ransomware and scareware tactics, DDoS extortion remains interesting to me due to its sheer supervillainy (plus the stories sound cool when you tell them). I was giving the example to a CSO I met today, and after hearing the story he asked, &#8220;How do I survive a DDoS Extortion Attack?&#8221; So here is how:</p>
<p>Businesses hit with these attacks have almost no way to fight back and even have a disincentive to alert the authorities who could work to defend them.</p>
<p>DDoS, distributed denial of service, extortion occurs when a hacker threatens to utilize a vast botnet of many infected computers to bombard a single target online.  By using up the target’s resources to accommodate the botnet traffic, legitimate traffic is unable to access the site, causing a denial of service.  This prevents businesses from using their website, which may be integral to their business operations.</p>
<p>Before the DDoS attack, the extortionist will contact the site webmaster and offer to spare them from the attack for a payment.  If the payment is not made by the given date, then the attack begins and the price usually increases.</p>
<p>Companies have three ways to respond: pay the attacker, use DDoS protection, or go to the authorities. Unfortunately, most companies choose to simply pay the attacker, since it is the easiest and least expensive way to fix the problem. This only emboldens these kinds of attacks, causing more extortion of other companies.</p>
<p>It is possible to use DDoS protection to block bots, but the extortionist will warn that if such an attempt is made, they will only increase the number of bots attacking the website, making it much more expensive to deal with.</p>
<p>Going to the authorities can be so ineffective that extortionists will not even discourage their target from doing so. Extortion attacks usually come from other countries, often Eastern Europe, where the FBI has little recourse. Furthermore, businesses are afraid of reporting the crime because it could damage their brand if it got out that they were helpless against extortionists. This makes it harder for any countermeasures to be developed, since it is impossible to tell how often extortion occurs, how much money is extorted, and who the targets of extortionists are. According to experts, every online gambling site is paying extortion, usually around $40,000.</p>
<p>For these reasons, too often companies will simply remain quiet about the extortion and pay their fee. The ransom is much less than the costs incurred from a denial of service attack. Sometimes, the extortionist even gives their victim the opportunity to pay for an attack on a competitor. Why not? It gives the victim a chance to level the playing field and the extortionist a chance to make even more money.</p>
<p>The best way to combat attacks like these is for businesses to put aside competitive differences and share their information regarding security and cyberattacks with industry peers and law enforcement authorities.  But that’s never going to happen and businesses are likely to continue to fight an every-man-for-themselves battle.</p>
<p>Until then, it’s up to companies to build up internal protections and beef up their security to protect against botnet attacks. Also, if this ever starts to happen to your business you can always contact me and I can see how I can help!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/how-to-survive-a-ddos-extortion-attack/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Petition Congress to Step Up and Act</title>
		<link>http://www.whatevercompliance.com/network-security/petition-congress-to-step-up-and-act/</link>
		<comments>http://www.whatevercompliance.com/network-security/petition-congress-to-step-up-and-act/#comments</comments>
		<pubDate>Tue, 23 Feb 2010 23:39:24 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=434</guid>
		<description><![CDATA[I received an email from John Zurawski at Authentify that I thought was worth posting. I personally am tired of bailing out the banks and continuing to spend taxpayer money, so I want to ask Congress to step up, start using our money for things that matter, and start to protect end users [...]]]></description>
			<content:encoded><![CDATA[<p>I received an email from John Zurawski at Authentify that I thought was worth posting. I personally am tired of bailing out the banks and continuing to spend taxpayer money, so I want to ask Congress to step up, start using our money for things that matter, and start to protect end users by requiring the banks that don&#8217;t properly implement security controls to pay. John asked in his email for me to repost it and ask others for help. Read below, and if you are heading to RSA, stop by the booth and sign the petition if you agree.</p>
<blockquote><p>I’m emailing to ask for your help in something that can make a difference at the RSA Conference.  In recent months it’s become apparent that many smaller banks, credit unions and ultimately small businesses are being victimized by organized cyber criminals.  We at Authentify, along with many others, believe it’s time to stop the bleeding.  The regulatory oversight of the financial services industry has plenty of “guidance”, but few actual requirements to protect their customers from sophisticated online criminals.  The breaking point has come with a bank suing its customer for being a “cyber-victim” and asking the courts to declare its security procedures as “commercially reasonable”.  The technologies exist to prevent most malware inflicted financial losses.  It’s time to get Congress to get involved.  Just as the federal government is making funds available to healthcare to get health records digitized and online, it’s time to use TARP funds or other sources &#8211; to REQUIRE that financial services firms protect their customers.</p>
<p>Authentify will be seeking signatures on a petition to Congress in its booth at the RSA Conference next week.  We have put this effort ahead of our new product introductions and other RSA promotions.   Please stop by Booth #732 on the Expo floor if you believe it’s never commercially reasonable to let a bank’s customers be victimized by malware.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/petition-congress-to-step-up-and-act/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Honeypot Reveals Password Weaknesses</title>
		<link>http://www.whatevercompliance.com/network-security/honeypot-reveals-password-weaknesses/</link>
		<comments>http://www.whatevercompliance.com/network-security/honeypot-reveals-password-weaknesses/#comments</comments>
		<pubDate>Mon, 22 Feb 2010 16:55:27 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[honeypots]]></category>
		<category><![CDATA[auditing software]]></category>
		<category><![CDATA[password crackers]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=393</guid>
		<description><![CDATA[The honeypot gathered hundreds of user names and tens of thousands of passwords that have been used in automated attacks.  The data told us a few things we already knew, basically that the most common password hack attempts resemble the most commonly used passwords.  But the data told us one new thing that we did not already know about password cracking.  That is, simply having a long password isn’t good enough anymore if it is still dictionary-based.  The honeypot attackers routinely used passwords 8-10 characters in length and would even try passwords 10, 15, or 20 characters long.  Also, hackers are persistent, even when using automated systems.  One tenacious attacker attempted 400,000 passwords to crack the fake FTP.
]]></description>
			<content:encoded><![CDATA[<p>Honeypots are a lot of fun for security professionals.  We get to trick the tricksters who try to trick security systems.  These opportunities give us whitehats a chance to be a little devious for once and get into the heads of those we are protecting against.</p>
<p>So Microsoft conducted a little honeypot of their own to collect some data on the kinds of automated password attacks hackers are using to break into user accounts.  They created a fake FTP server and allowed hackers to go to town trying to crack the password for about a year.  The FTP server logged and processed the information gathered from login attempts.</p>
<p>The honeypot gathered hundreds of user names and tens of thousands of passwords that have been used in automated attacks.  The data told us a few things we already knew, basically that the most common password hack attempts resemble the most commonly used passwords.  But the data told us one new thing that we did not already know about password cracking.  That is, simply having a long password isn’t good enough anymore if it is still dictionary-based.  The honeypot attackers routinely used passwords 8-10 characters in length and would even try passwords 10, 15, or 20 characters long.  Also, hackers are persistent, even when using automated systems.  One tenacious attacker attempted 400,000 passwords to crack the fake FTP.</p>
<p>The emphasis on password strengthening is now more relevant than ever with the reemergence of “L0phtCrack” – a password auditing software.  L0phtCrack attempts to crack passwords at swift speeds by scanning through a dictionary of words and forming probable password guesses.  Basically, it does the exact same thing as the automated password crackers the hackers use, but for whitehat purposes.  Of course, critics are worried that L0phtCrack is a double-edged sword since it could be used for that very purpose.</p>
<p>Passwords are actually the easiest security measure to ensure protection.  As long as your password follows the basic password strengthening guidelines – length, alphanumeric, case variance, special characters, etc. – it should never be cracked.  At least, not by an automated tool.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/honeypot-reveals-password-weaknesses/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NASA Security Embarrassment</title>
		<link>http://www.whatevercompliance.com/network-security/nasa-security-embarrassment/</link>
		<comments>http://www.whatevercompliance.com/network-security/nasa-security-embarrassment/#comments</comments>
		<pubDate>Sat, 20 Feb 2010 03:51:12 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[FISMA]]></category>
		<category><![CDATA[Government Accountability Office]]></category>
		<category><![CDATA[National Aeronautics and Space Administration]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=373</guid>
		<description><![CDATA[As the report states, “NASA’s high profile and cutting edge technology makes the agency an attractive target for hackers seeking recognition, or for nation-state sponsored cyber spying.”  NASA’s security gaps make the administration susceptible to stolen data by competing space programs or private sector networks who wish to gain a competitive advantage.  At the same time, terrorist groups may use cyber attacks to disrupt or destroy NASA missions.  Still, attacks could come from identity thieves who could access sensitive employee information on NASA’s nearly 20,000 employees.
]]></description>
			<content:encoded><![CDATA[<p>We bid for some FISMA work at NASA, so I thought I would share with everyone what NASA hasn&#8217;t been doing properly&#8230; You might think that out of all U.S. federal agencies, NASA would be among the top ranking in cybersecurity defense.  But according to a report issued by the Government Accountability Office, the National Aeronautics and Space Administration was hit with 1,120 security incidents in 2007 and 2008.</p>
<p>It seems that at NASA, malware installations, data breaches, stolen laptops, and botnet infections are commonplace.  Among the stolen information were unencrypted data on a prototype hypersonic jet and plans for a lunar orbiter space telescope.  Some time ago, 82 NASA computers were found to be part of a Ukrainian botnet and 86 computers were infected by the Zoneback Trojan.</p>
<p>Since then, NASA was told to plug up its security holes, but the new report by the GAO says NASA has not done enough.  Apparently, it isn’t difficult for intruders to infiltrate NASA networks and steal, delete, or modify mission critical information.</p>
<p>As the report states, “NASA’s high profile and cutting edge technology makes the agency an attractive target for hackers seeking recognition, or for nation-state sponsored cyber spying.”  NASA’s security gaps make the administration susceptible to stolen data by competing space programs or private sector networks who wish to gain a competitive advantage.  At the same time, terrorist groups may use cyber attacks to disrupt or destroy NASA missions.  Still, attacks could come from identity thieves who could access sensitive employee information on NASA’s nearly 20,000 employees.</p>
<p>I believe the security gaps at NASA put our national interests at risk and weaken the strategic technological advantage of the US.  But, simply the existence of these security holes creates an embarrassing situation which may embolden hackers to increase their attacks on other government agencies.  After all, if security is so poor at NASA then how much better could it be at crucial military organizations?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/nasa-security-embarrassment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyberwarfare Peacekeeping and Terrorism Prevention Similarities</title>
		<link>http://www.whatevercompliance.com/network-security/cyberwarfare-peacekeeping-and-terrorism-prevention-similarities/</link>
		<comments>http://www.whatevercompliance.com/network-security/cyberwarfare-peacekeeping-and-terrorism-prevention-similarities/#comments</comments>
		<pubDate>Mon, 01 Feb 2010 16:29:25 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=397</guid>
		<description><![CDATA[In both struggles, the main problem is the issue of safety versus freedom, or protection versus convenience.  How many airport security measures will people endure in order to improve their safety?  IT security professionals struggle with the idea of promoting safety without impeding the freedoms of the business.  Social networking and file sharing can be very useful tools for businesses, but they also greatly increase the chances of malware infections and cybercrime hacks.  ]]></description>
			<content:encoded><![CDATA[<p>Since the Christmas Day underpants bomber revitalized our terrorism fears, I have been thinking about the similarities between preventing terrorists from physically attacking us and protecting our digital information from hackers and cyberwarfare groups.</p>
<p>The Department of Homeland Security is reluctant to admit that there is no amount of security measures that can guarantee 100% safety at all times from terrorist attacks.  Security engineers must also be aware of this fact.  Cyberdefenses can never fully guarantee protection.  What can be done in both cases is to make it as difficult as possible for the enemy to bypass the cyber and physical defenses we do create.  We analyze their current attacks and schemes to make sure that existing attacks will not breach defenses.  We also attempt to understand what future attacks will look like, always trying to be one step ahead of the enemy.</p>
<p>The enemy in both cases consists of small, agile groups that operate within networks.  Whether it is an Al Qaeda branch or the Ukrainian Fan Club, both organizations are small and nimble enough to organize faster than their adversaries.  Most IT security teams, as well as the Department of Homeland Security, are large, powerful organizations whose greatest weakness is their slow response time due to their size and internal bureaucracies.  As we have seen from the underpants bomber, the DHS has perhaps become too large and slow to connect the disparate pieces of information that would have prevented the bomber from boarding the plane.</p>
<p>In both struggles, the main problem is the issue of safety versus freedom, or protection versus convenience.  How many airport security measures will people endure in order to improve their safety?  IT security professionals struggle with the idea of promoting safety without impeding the freedoms of the business.  Social networking and file sharing can be very useful tools for businesses, but they also greatly increase the chances of malware infections and cybercrime hacks.</p>
<p>It would be unreasonable to eliminate freedom entirely for the sake of safety in both scenarios.  After all, if you never take your business online then you will never be hacked – just like if you never get on a plane you will never be attacked by a terrorist passenger.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/cyberwarfare-peacekeeping-and-terrorism-prevention-similarities/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Predictions on Cybercrime for 2010</title>
		<link>http://www.whatevercompliance.com/network-security/predictions-on-cybercrime-for-2010/</link>
		<comments>http://www.whatevercompliance.com/network-security/predictions-on-cybercrime-for-2010/#comments</comments>
		<pubDate>Sun, 20 Dec 2009 16:34:58 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Consulting]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=395</guid>
		<description><![CDATA[The cybercrime underground has evolved into an elaborate economy where, in 2009, cybercriminals have begun to network, collaborate, and pool resources for mutual gain.  Malware infected PCs and botnets are bought and sold like commodities.  I expect this trend will continue in 2010, and it may be the most dangerous prediction.  Combating such cybercrime organizations will require the same organization among security experts. 
]]></description>
			<content:encoded><![CDATA[<p>With the end of 2009 approaching, cybersecurity engineers as well as cybercriminals are looking to next year to see what the future of internet security holds.  Where will current cybercrime trends go and what new ones will emerge?  Well, here are a few of my predictions on what virtual mines the Internet landscape will have in 2010.</p>
<p><strong>Emboldened Social Engineering </strong>– This should be no surprise to anyone in cybersecurity or who has read this blog before.  In 2009 cybercriminals realized that social engineering is the easiest way to obtain sensitive information from users.  And while social engineering was big this year, it will continue to grow exponentially next year.  Expect social engineers to become more organized and bolder in their methods.  There may be more incidents where social engineers visit sites physically to gain trust and information that no software can physically protect.</p>
<p><strong>Social Networking Sites Will Become a Bigger Target </strong>– Social networking sites like Twitter and Facebook are only gaining popularity, and no amount of security warnings is going to keep users away.  Cybercriminals will use these sites to their advantage in two ways.  While I believe the sites themselves will become more proactive in creating security defenses, the third-party applications made for these sites will have exploitable vulnerabilities.  Additionally, social networking site users will increasingly become the victims of social engineering.  These sites give social engineers a terrific medium for contacting, communicating with, and taking advantage of users.</p>
<p><strong>Ransomware Will Replace Scareware </strong>– Hijacking a user’s PC and holding it for ransom may seem outrageous, but it’s happening now and proving to be more profitable than scareware tactics that users are now growing wise to.  Expect cybercriminals to go where the money is – users would rather pay a small price to regain control of their PCs than go through the trouble of manually removing malware – or nuking their PCs.</p>
<p><strong>Mobile Devices Will Be Hit Hard</strong> – Mobile phones have enjoyed their short lives mostly free of threats while continuing to propagate.  But now that they have increased in complexity, becoming mini notebook computers, the likelihood of vulnerabilities has also increased.  2009 saw the Sexy Space botnet and the iPhoneOS.Ikee – what awaits our precious smartphones in 2010?</p>
<p><strong>Organized Cybercrime</strong> – The cybercrime underground has evolved into an elaborate economy where, in 2009, cybercriminals have begun to network, collaborate, and pool resources for mutual gain.  Malware-infected PCs and botnets are bought and sold like commodities.  I expect this trend will continue in 2010, and it may be the most dangerous prediction.  Combating such cybercrime organizations will require the same organization among security experts.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/predictions-on-cybercrime-for-2010/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Theoretical Virus Now a Challenging Reality</title>
		<link>http://www.whatevercompliance.com/network-security/theoretical-virus-now-a-challenging-reality/</link>
		<comments>http://www.whatevercompliance.com/network-security/theoretical-virus-now-a-challenging-reality/#comments</comments>
		<pubDate>Wed, 21 Oct 2009 23:36:45 +0000</pubDate>
		<dc:creator>Michael A. Davis</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Network security]]></category>

		<guid isPermaLink="false">http://www.whatevercompliance.com/?p=365</guid>
		<description><![CDATA[The Induc virus seems to have no malicious payload, but serves as a proof-of-concept to test how such a virus might spread.  The challenge in dealing with such a virus is that the infection must be traced back to the original Delphi compilers to correct the source.  With the virus removed, all software would have to be recompiled.  It is believed that a number of software houses specializing in developing applications with Delphi must have been infected already.
]]></description>
			<content:encoded><![CDATA[<p>Way back in 1984, Ken Thompson theorized about a type of virus that could infect the tools that create programs, rather than the programs themselves.  In this way, a virus would remain undetected in the program creator but be inserted in every program created.</p>
<p>Now, in 2009, this theoretical virus is a reality.  Win32.Induc, or Induc, is a virus that targets development environments in order to infiltrate applications at the point they are written and compiled.  Specifically, Induc infects files that are used to create programs in versions 4.0 to 7.0 of Delphi, resulting in Induc-infected applications and files when they are compiled.  Whenever these Induc-infected applications are run on another PC, the virus searches for a Delphi installation and attaches itself to it, thus spreading the virus to any new software compiled in the infected environment, and so on.</p>
<p>The Induc virus seems to have no malicious payload, but serves as a proof-of-concept to test how such a virus might spread.  The challenge in dealing with such a virus is that the infection must be traced back to the original Delphi compilers to correct the source.  With the virus removed, all software would have to be recompiled.  It is believed that a number of software houses specializing in developing applications with Delphi must have been infected already.</p>
<p>Induc had been hiding out and replicating itself for more than a year before it was discovered in August.  Researchers believe it’s one of the most common viruses.  Even though Induc does not have a malicious payload, current AV software updated to detect the virus will cause disruptions as infected applications and files are quarantined.  AV vendors will be flooded with false-positive claims about applications that are in fact Delphi-built files infected with the virus.  Chaos and confusion will ensue, and the AV people are going to have to sort through this mess.</p>
<p>Additionally, the virus has the potential to bypass AV because it can affect whitelisted programs which are ignored and regarded as safe by AV software.  Even if the programs are whitelisted, the compilers used to make them may become infected and pass on the infection to these whitelisted programs.</p>
<p>Since the virus corrupts tools that create programs, innocent programmers are the unintentional distributors of the virus.  As Ken Thompson said in 1984, “The moral is obvious. You can’t trust code that you did not totally create yourself.  No amount of source-level verification or scrutiny will protect you from using untrusted code.”  Pretty scary stuff, huh?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.whatevercompliance.com/network-security/theoretical-virus-now-a-challenging-reality/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
