Archive for the 'Phishing, scams, etc.' Category

Nov 11 2011

Open Tabs 11/11/11

Whether you call it Veteran’s Day, Pocky Day, Binary Day or something else, it’s Friday.  I don’t know about you, but I’m looking forward to this weekend and spending some time with friends.  Being a parent, I don’t get out for adult time as much as I once did, which makes the rare occasions all that much more special.

If you know a veteran, today would be a good day to tell them thanks.  I ‘repaired’ radios long ago and far away on a little artillery base in Germany.  I put repair in quotes because our job was to say “Yep, it’s broken”, replace the radio and send the broken one off for repair by someone who actually did electronics troubleshooting.  I was lucky and my enlistment was during a relatively peaceful time, but we have hundreds of thousands of vets out there who saw events and actions most of us can’t even imagine.  Please respect them for their sacrifices.

I haven’t done this in a few days, so there’s a lot of built up articles.

Open Tabs 11/11/11:

Nov 09 2010

Network Security Podcast, Episode 220

November marks five years of the Network Security Podcast.  Think about that for a moment: five years of Martin mouthing off into a microphone, nearly three years of Rich and over 18 months of Zach.  A little scary when you think about it, or at least when we think about it.  We’re probably going to put off celebrating much until we hit episode 250, but we’re still going to talk about how things have changed in that time.  And we also want to make sure that everyone who’s listening knows how much all three of us appreciate that people still download the podcast week after week.

It’s just Martin and Rich this week.  Zach is off somewhere getting paid real money while Martin is sick at home and Rich is saying “Can we hurry up so I can take my daughter to swim class.”  In other words, pretty much situation normal.

Network Security Podcast, Episode 220, November 9, 2010
Time: 36:33

Show Notes:

Aug 27 2010

Certified Application Security Specialist in job description

Last year Rich Mogull and Jeremiah Grossman created a little-known certification, the Certified Application Security Specialist or Certified ASS.  To those in the know, or with the intelligence of the average house pet, it should be immediately obvious that this was an April Fool’s joke.  Funny, and it’s been a continuing joke throughout the community, but apparently someone took it seriously enough to actually include it in a job description recently on Craigslist.  And strangely enough, the link I had now leads to the scam page on Craigslist.  Luckily I had the foresight to grab a copy of the post before it disappeared.  What were these people thinking?  Don’t they know they’re supposed to save this sort of stuff for the beginning of April?  The full job description after the page break.

Tired of Coding? Become an Application Security Specialist! (san jose south)

We have an immediate opening for a junior application security specialist (ASS) to join our growing consulting company. This permanent, full-time position is a great opportunity for someone with strong web application development skills that would like to move into the interesting and fun field of application security. This is a highly technical hands-on role that will utilize your web application development skills but involves little coding.

We will provide the right candidate with on-the-job training. The goal will be to quickly teach you how to perform detailed web application security assessments (black-box) and penetration tests by pairing you up with seasoned consultants. We have plenty of interesting projects to work on, including a wide variety of web applications (financial, e-commerce, gaming, etc.) and web services. Longer-term, we will train you to perform security code reviews.

This is an opportunity for a team player who would like to move into a new and exciting field, is ready to get started quickly, and is eager to learn some new skills and have fun while doing so.

Nov 03 2009

Turn off SSH on your jailbroken iPhone!

Jailbreaking an iPhone unlocks some very useful features that the iPhone is lacking and gives you the control over your device that you should have in the first place.  Just getting access to the xGPS project and its turn-by-turn directions has been more than enough reason for my friend Bob to jailbreak his phone multiple times.  But as Uncle Ben once told Peter Parker, “With great power comes great responsibility.”  Apple locked down the iPhone in part to protect users from the bad guys out there, and if you’re in the Netherlands with a jailbroken iPhone, you may be regretting having taken your security into your own hands.

A Dutch hacker has started breaking into iPhones that have been jailbroken and left SSH running with the default root password.  This enabled the hacker to log into the iPhones and send the owner a message telling them their iPhone is insecure.  It goes on to give them a link and asks for 5 euros in order to secure the phone.  This has been sighted on a relatively few iPhones so far, but it’s not inconceivable that this could be weaponized and used on a much wider scale.

This just highlights that the act of jailbreaking your iPhone or hacking any manufacturer’s device places the onus of securing the device back on the owner rather than on the manufacturer.  I have no problem complaining about companies like Time Warner who’ve consistently given their users insecure routers.  The company is supplying and configuring the device, so the responsibility (and the power) to secure the routers is theirs and theirs alone.  The user has no ability to make changes and in most cases probably doesn’t know much more than how to plug the router in and turn it on.

But once you’ve taken the steps to jailbreak an iPhone or hack your router, you’ve relieved the company of that responsibility.  It may not take much, but if you’ve done the necessary research to download the tools to free your device, you are also taking on the responsibility of securing the same device.  So take the time to do a little more research and figure out what steps you need to take beyond just jailbreaking to secure your iPhone, or whatever device you’re hacking into today.

Nov 02 2009

The Reality Behind Facebook Ads

Michael Arrington sure knows how to stir up a crap storm.  Saturday he started bringing to light the amount of scamming and dishonest practices behind ads and games on Facebook and MySpace.  I’m pretty sure that the people who think the ads are legitimate are in the minority, but even I was stunned by the sheer magnitude of the money changing hands behind the scenes.  I assume part of why I was unaware of the issue is my own limited use of Facebook and complete refusal to visit MySpace.  Sure, there are rules that try to limit the scams, but the reality is that the technology allowing scammers to earn big bucks is changing much faster than anything the big social network sites can do.  I wonder if this sort of ecology isn’t exactly why Twitter has never allowed ads?

Today TechCrunch is running a guest blog post by Dennis Yu, an advertiser who knows a lot about the guts of running Facebook scams, since he used to make his money performing the exact sort of scam Arrington is trying to call out.  He claims to be reformed, he claims to feel guilty, but he’s not offering to give any of the money back in an act of contrition.  I guess the best we can hope for is that the information he’s sharing can be used to limit the damage caused by scammers going forward.  And limiting the damage is the best that can be hoped for, since the money being generated by Facebook ads is too tempting to stop altogether.

One of the biggest keys to encouraging a user to click on an ad has always been to make it look like it’s coming from a trusted source.  Looking like a legitimate Facebook ad is important, but using personal information from the user’s profile is even better, according to Mr. Yu.  That has been one of the things Facebook has led the way in providing since its inception.  Developers have always had easy and wide-ranging access to user data on Facebook, in many cases even data that’s marked as ‘private’.  Facebook’s privacy policy spells this out, but few users ever read the policy when they sign up for Facebook and even fewer read it whenever it’s updated.

It’s no wonder that developers flock to Facebook either; according to Mr. Yu, he was able to earn 40-60 times what Google Adsense could for the same ads.  Not that the ads were actually effective for the advertisers, but the companies were still paying out for ad placement.  The funny thing is that most of the ads didn’t convert to real sales, since a lot of the people using Facebook didn’t have or use credit cards.  In other words, they don’t actually buy the things that ads are selling.  But there are three things that don’t cost end-users money that they’re willing to accept: toolbars, supplying an email address or supplying their phone number.  Toolbars are egregious because they are often nothing more than conduits for spyware.  An email address is obviously useful for spamming, especially if you already have all the other information being supplied by Facebook.  The worst of the three for consumers is giving up a phone number, since this can lead to a recurring monthly bill that you might not even realize you have tacked onto your phone.  After all, how many people actually check their phone bills that often?

The bad guys, and even the guys who aren’t bad but want to make a buck, are going to find ways to exploit Facebook, MySpace and other social media spaces as long as there is money to be made.  They’re going to take advantage of weak enforcement and a lack of motivation to stop the scams from happening.  But the social media companies have to decide for themselves if the cost of accepting the ads is worth it in the long run.  Users aren’t stupid, they realize the ads are often scams and many of them are playing the game just as hard as the advertisers, providing false or partially true information to get the rewards for clicking on banners and ads.  Soon Facebook will have to decide if they want to be the premier site on the Internet or be relegated to the backwaters of the Internet, used only by scammers and fools. 

Oct 27 2009

Positive for Lifelock, Experian, a loss for consumers

Fraud alerts on your credit cards are one of those really useful tools that have been put in place by law, only to be neutered by the same law.  They’re great in that they put a lock on your credit scores and let you know when anyone is trying to open an account in your name, but at the same time they’re incredibly hard to use because you have to fill out paperwork every three months.  There is an extended fraud alert that will protect you for a period of seven years, but in order to qualify for that, you have to provide a police report proving that you’ve been targeted by identity theft.  To top off the insult from the credit reporting companies, you have to file separate fraud alerts with each company and maintain them yourself if you want to be relatively safe.

Enter LifeLock; for a small monthly fee they would maintain your fraud alerts for you and even provide a number that creditors could call in order to unlock your credit ratings.  This was great for consumers: it let them keep their credit scores locked so that it was that much harder for someone to open an account in their name or for the credit card companies to review their credit score and send the monthly junk mail offerings.  This was a big win for us, but it cuts into the major source of revenue of the big three credit scoring companies, Experian, TransUnion and Equifax.  If too many people keep their credit scores hidden, the scoring companies can’t sell their big lists of names, or at least those lists lose some of their value.  So in 2008, Experian sued LifeLock to block the practice and won.  Experian and LifeLock have settled the lawsuit and LifeLock is forever forbidden from filing credit locks on behalf of consumers.

According to Experian and LifeLock, this is a positive for LifeLock, which it is.  They get to move out of the shadow of a nasty lawsuit and rework their business model to find something else to do to help protect consumers.  Experian and the other two credit scoring companies find this to be a huge win, since it sets a precedent and makes it that much harder for any other company to provide a similar service.  The big loser in this transaction is us, the consumer, since we now have to remember to reset our credit lock with all three credit scoring companies every three months if we want to protect ourselves.  Thanks, Experian.  You’ve made it perfectly clear what you’re really trying to protect: your revenue stream.

Oct 07 2009

Even the FBI Director falls for it sometimes

It takes a brave man to admit publicly that he almost fell for a phishing email, especially when he’s the head of one of the biggest law enforcement agencies in the world.  It takes an even braver man to admit that his wife has forbidden him from doing any online banking in the future.  But that’s exactly what FBI Director Robert Mueller did earlier this week; he told the world that he almost fell for a phishing scam recently.

I can’t blame Director Mueller in the least.  Like most people who have a semi-public email address, I get several hundred spam and phishing emails a day.  If I let my account go for a weekend, it’s not uncommon for me to end up with over a thousand messages in my spam folder and 40-50 that make it through several layers of protection to my inbox.  And of those I can dismiss 90% with a glance.  But it’s that last fraction of a percent that really worries me.  I have to take a long close look at them and I still don’t know sometimes if they’re really phishing attempts or just poorly written emails from one of the dozens of people I have legitimate business with.  If there’s any doubt in the end, I delete them.  I’m sure I’ve deleted some real emails from time to time, but I’d rather not take the chance.

I wish it were as easy as saying “Your bank will never send you a link to click on”, but the truth is there are a lot of banks that really will send you links in an email.  To make matters worse, some of them will use odd domains or redirect through other company domains.  It’s easier for them to market to you if they can send you a nice easy link to click on for that new mortgage.  And we’ve all encountered marketing and sales professionals who don’t get it even if you try to explain until you’re blue in the face.  Some IT professionals don’t understand it any better and I’ve even run into some security professionals with the same weakness.  Phishing emails are purposely confusing and as close to the real thing as they can get in order to get through.
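The triage the paragraph describes can be partly automated.  This added example (mine, not from the post) parses a constructed bank-themed message and flags the link patterns discussed above: visible text showing one domain while the href goes to another, links that leave the sender’s domain, and links pointing at a bare IP address.  All hostnames are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (hypothetical hosts): the first link shows the bank's
# domain as its text but actually points at an unrelated registrable domain.
SAMPLE_EMAIL = """From: Example Bank <alerts@examplebank.test>
Subject: Action required on your mortgage offer
Content-Type: text/html; charset=utf-8

<html><body>
<p>Review your new rate at
<a href="http://examplebank.test.mortgage-offer.example/login">https://www.examplebank.test/offers</a></p>
<p>Or reach us through <a href="https://www.examplebank.test/contact">our contact page</a>.</p>
<p><a href="http://192.0.2.10/track?id=123">unsubscribe</a></p>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude registrable-domain guess (last two labels); enough for a triage demo."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def triage(raw):
    """Return (href, reason) findings for links in the message that deserve a closer look."""
    msg = message_from_string(raw)
    sender_host = parseaddr(msg["From"])[1].split("@")[-1]
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, "link points at a bare IP address"))
            continue
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and registrable(shown) != registrable(host):
            findings.append((href, f"visible text shows {shown} but link goes to {host}"))
        elif registrable(host) != registrable(sender_host):
            findings.append((href, f"link leaves the sender's domain ({sender_host})"))
    return findings

if __name__ == "__main__":
    for href, reason in triage(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

A link that survives these checks is not proof of legitimacy; the banks that send links through odd marketing domains, as the post notes, will show up as findings too, which is exactly the point of looking twice.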

I hate to bang the drum of “we’re losing the cyberbattle”, but right now, I think the tide is in favor of the bad guys.  And I think it’ll get worse before it gets better.  But unlike 10 or even 5 years ago, the FBI and other law enforcement agencies are getting geared up to make a real difference in the war.  We’ve got a few years before the tide starts to turn again, but I think we’ll start seeing some effect much sooner.  The FBI’s arrest of 33 people in Operation Phish Phry is a good start, but it’s only a drop in the ocean.

Update:  Thanks to Walt Conway for letting me know I had the wrong link and sending me one for Operation Phish Phry as well.

Sep 14 2009

Malware with your morning paper

I imagine there are a fair number of people out there who are like me and instead of a cup of coffee and the morning paper they take the same cup of coffee and open up their favorite news sites online to get the morning’s news.  So I imagine there were more than a few people who were surprised yesterday morning to get a little something extra when they opened the New York Times site and got a pop-up ad telling them that their computer was infected with several hundred viruses and that they needed to buy some wonderful new anti-virus product to secure themselves.

We don’t know exactly how the NYT site was compromised and this code implanted, but there is a good analysis of the malware at Inputs & Outputs.  The ad used a scare tactic, but by itself it didn’t do much.  This phishing scheme did, however, point users to a small program that probably did some very interesting things to the end user’s computer if you believed you actually were infected.  If you’re a Firefox user with NoScript installed, you probably didn’t even notice that this fun piece of code had been added to the NYT site.  Score one more for blocking scripts by default.

Looking at the analysis of this compromise, it appears that the code wasn’t directly on a NYT server, rather it was served up by one of the third-party services that provide ads for the NYT.  Once again, it shows that even if you trust a particular site you’re visiting, the interaction between that site and the secondary systems supporting it offer a great attack vector for the bad guys to gain access through.  The New York Times probably has a great security team who’s up on the latest vulnerabilities and does an excellent job protecting their site, but if the other companies they rely on for additional code can’t protect their systems, even the best team at the NYT won’t be able to do a thing.  It’s something for anyone who relies on third-party code on their site to think about.
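The last sentence is easy to agree with and hard to act on unless you know what third-party code your pages actually pull in.  This added example (mine, not from the post or the NYT) inventories the external scripts and frames in a constructed front page and separates those served from the site’s own domain from those served by other parties, which is the list a site owner needs before deciding whom to trust.  The hostnames are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page standing in for a news site front page (hypothetical hosts):
# one relative script, one site-owned CDN script, one ad-network script and frame.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://static.news.example/js/layout.js"></script>
<script src="http://ads.adnetwork.example/serve.js"></script>
</head><body>
<iframe src="https://ads.adnetwork.example/frame?slot=top"></iframe>
<script>console.log("inline");</script>
<img src="https://cdn.news.example/logo.png">
</body></html>"""

class ScriptSources(HTMLParser):
    """Collect every <script src> and <iframe src>, and count inline scripts."""
    def __init__(self):
        super().__init__()
        self.external = []      # (tag, url) pairs that load code from a URL
        self.inline_scripts = 0 # <script> blocks with no src attribute
    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append((tag, src))
        elif tag == "script":
            self.inline_scripts += 1

def registrable(host):
    """Crude registrable-domain guess (last two labels); enough for an inventory demo."""
    return ".".join(host.lower().split(".")[-2:])

def code_inventory(html, site_host):
    """Split script/iframe sources into first-party and third-party origins.

    Returns (inventory dict, inline script count). A relative URL is first-party
    because the site itself serves it; anything under another registrable domain
    is third-party code the site owner does not control.
    """
    parser = ScriptSources()
    parser.feed(html)
    site_root = registrable(site_host)
    inventory = {"first_party": [], "third_party": []}
    for tag, src in parser.external:
        host = urlparse(src).hostname
        if host is None or registrable(host) == site_root:
            inventory["first_party"].append((tag, src))
        else:
            inventory["third_party"].append((tag, src))
    return inventory, parser.inline_scripts

if __name__ == "__main__":
    inv, inline = code_inventory(SAMPLE_PAGE, "www.news.example")
    for tag, src in inv["third_party"]:
        print(f"third-party {tag}: {src}")
    print(f"inline scripts: {inline}")
```

Note that a third-party script, once loaded, runs with the same page privileges as the site’s own code, so every entry in the third-party list is effectively an extension of the site’s trust boundary.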

Aug 18 2009

They didn’t just hack Heartland

Rich Mogull took the time to read through the entire indictment against the hackers who targeted not only Heartland, but also 7-Eleven and Hannaford as well.  The first thing that really leaps out at me about this is that the attacks were using command execution via SQL injection or XSS via SQL injection.  Given that these are both methods of attack that the PCI DSS specifically calls out to protect against, this blows a pretty big hole in the case Heartland CEO Robert Carr made that his QSA let him down.  We’ve known about SQL injection for years and there should be no need for a QSA to tell a company or its security team about the problem.  There should also be no reason that SQL command execution should be enabled on any SQL server that’s exposed to potentially malicious traffic.  As Rich points out, on most modern SQL servers, this is a capability that has to be enabled, not a feature that’s turned on by default.
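Since the post’s point is that SQL injection is an old, well-understood defect, here is the classic vulnerable query beside its parameterized fix, as an added example of mine (not code from the indictment or from any of the companies named).  It uses an in-memory SQLite table standing in for a transaction store; the table and rows are constructed.

```python
import sqlite3

def build_db():
    """Constructed in-memory transaction table standing in for a processing backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (id INTEGER, merchant TEXT, card_last4 TEXT, amount REAL)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)", [
        (1, "store-a", "1111", 19.99),
        (2, "store-b", "2222", 250.00),
        (3, "store-c", "3333", 7.50),
    ])
    return conn

def lookup_vulnerable(conn, merchant):
    """Builds the statement by string concatenation, so the caller's input becomes
    part of the SQL syntax instead of staying a value. This is the defect, kept
    deliberately so the two behaviours can be compared."""
    sql = "SELECT id, merchant FROM transactions WHERE merchant = '" + merchant + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, merchant):
    """Same query with a bound parameter: the driver sends the input as data only,
    so quotes or SQL keywords in it are compared literally and never executed."""
    return conn.execute(
        "SELECT id, merchant FROM transactions WHERE merchant = ?", (merchant,)
    ).fetchall()

def compare(merchant):
    """Return (rows from the vulnerable query, rows from the safe query) for one input."""
    conn = build_db()
    try:
        return lookup_vulnerable(conn, merchant), lookup_parameterized(conn, merchant)
    finally:
        conn.close()

if __name__ == "__main__":
    # A legitimate merchant name gives the same answer either way.
    print(compare("store-b"))
    # The textbook tautology: the concatenated query returns every row,
    # the parameterized one looks for a merchant literally named that and finds none.
    print(compare("' OR '1'='1"))
```

Parameterization fixes the injection itself; the post’s second complaint, that the database account was allowed to run operating system commands at all, is a separate least-privilege problem that no query fix addresses.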

It’s a little surprising to me that one group of hackers is connected to so many high profile breaches, including TJX, OfficeMax and Dave & Busters.  Are they an isolated group who managed to find a way into these networks or are they just the group of hackers that was stupid enough to get caught?  The possibility that these guys are just the hackers who were unlucky enough to get caught worries me, since their capture may lead a number of security professionals to breathe a sigh of relief and get back to life as normal.  Which means arguing with management to get new tools and toys for the network while ignoring serious configuration errors like having SQL command execution enabled on transaction servers.

Aug 16 2009

Firefox and IE8 tied, Safari 4 loses big

I finally had the time to sit down and read the NSS Labs Web Browser Security Phishing Protection paper this morning.  This paper is a test of the more popular browsers in use today and how well the reputation-based systems they’ve built work to protect users against phishing attempts by malicious sites.  The big winners in the test were Firefox 3 (not 3.5) and IE8, which almost tied at 80% and 83% accuracy for blocking phishing sites.  Given that the study quotes a margin of error of 3.6%, the two browsers are equal for most intents and purposes.  The big loser of the test was Safari 4, which only had a 2% blocking rate for malicious sites.  I hope Safari on my iPhone is better than it is on my Macbook, or at least that there are fewer phishing sites targeting the iPhone.

It’s very interesting that Firefox 3, Chrome 2 and Safari 4 all use Google’s Safebrowsing data feed but have very different results from the same data.  Chrome 2 only had a 16% success rate in blocking, compared with Firefox 3 at 80% and Safari 4 at 2%.  So why the big difference between the three browsers running off of the same information?  NSS Labs doesn’t offer an explanation and apparently none of the developers did either, so either Firefox is pulling in a lot of additional information from somewhere or the Chrome and Safari developers have some learning to do.

What I personally found the most interesting about the paper, though, was that the Anti-Phishing Working Group is quoted as saying that the average phishing site only has a lifespan of approximately 52 hours.  None of the browsers really reach full effectiveness for blocking a phishing site until about 48 hours after the site has become active, therefore you’re only getting 4 hours of maximum benefit.  The long term trends look good, but it’s a little disturbing that many phishing sites go relatively undetected for at least the first 24 to 48 hours they’re live.

I’d be curious to see how Firefox 3.5 changes this mix.  Apparently it wasn’t stable enough to be used in this test, but maybe we’ll see a new set of tests next quarter.  I’m also wondering what effect the FF plugin NoScript would have on the results.  Since NoScript isn’t strictly speaking an anti-phishing tool, I doubt NSS Labs will be testing it any time soon, but I’d like to know how much more secure it makes my web surfing experience.

Now to go back and read the Socially Engineered Malware report. 
