Archive for the 'Phishing, scams, etc.' Category

Jul 25 2009

Saturday morning reading, 07/25/09

I’m sitting down to nurse a cup of coffee this morning.  Had friends over last night, a fair amount of drinking ensued, lots of male bonding through bad jokes and some rousing games of Alhambra and Saint Petersburg.  This is my idea of a good Friday night with friends, which worries me a little, since it makes me sound and feel like a middle-age geek.  Which I have to say is a pretty good description.  I guess I’ll have to overcompensate at Black Hat and Defcon next week.  In the mean time, here are some of the stories from this week that are clogging up my Firefox tabs.

  • Adobe issues security advisory for Flash zero-day flaw – Rumor has it that Adobe has known about this flaw for over seven months.
  • Help for internal auditors on PCI Compliance – Some of these points are going to help me as the assessor as well.  But more of them should be part of your security processes whether you’re trying to be PCI compliant or simply secure.
  • Extending the concept: A security API for Cloud Stacks – Chris Hoff posted this concept last night and caused quite a brouhaha.  The basic idea is that the commonality of the various compliance structures should be built into a security control model that’s used to build Cloud infrastructure in a testable, open architecture.  Very interesting concept; I want to see how Chris develops it going forward.
  • Vulnerability scanning and Clouds: an attempt to move the dialog on – This is the post that kickstarted Hoff’s thinking for the previous article.  Lack of vulnerability scanning is just one of the reasons that cloud computing gives compliance officers fits.
  • The growing threat to business banking online – Somewhere in the last couple of years the Internet has gone from being the Wild West to the streets of Chicago in the 1920s.  The bad guys have become incredibly well organized and you’re taking your digital health in your own hands every time you go online.  Businesses and local governments are increasingly becoming targets.  After all, “That’s where the money is.”
  • Mind games:  How social engineers win your confidence – Scams and grifting are as old as humanity, probably older if you want to consider some of the examples you can find in the animal kingdom.  And they stick around because once you’ve mastered the basic principles, it’s relatively easy to get what you want out of the majority of people and situations.  The best defense is to be educated and be able to recognize some of the clues that you’re being socially engineered without having to consciously think about it.
  • Network Solutions hack compromises 573,000 credit, debit accounts – Good job NS, you allowed code to be installed on a compromised system and gave up over half a million records, mainly of mom and pop stores.  I hope you do a better job protecting our domain names.

Just added – Matasano site compromised.  I couldn’t fault them too much for falling to a Zero Day, except for the fact that they’re a research firm that should be finding these things on other people’s sites, not their own. 


No responses yet

Jul 11 2009

You lick it, you keep it

Some encounters are almost too strange to believe.  That doesn’t make them any less real.

I was walking down the street in San Francisco at lunch time Friday afternoon.  As I came up to a busy street corner I saw a paper grocery bag sitting on a bench with no one around it.  I walked up to the bag and peeked in to find three external hard drives, one Maxtor and two brands I didn’t recognize.  The drives looked like they were either well used or the product of a dumpster dive.  I knocked on the door of the one business nearby, but no one answered.  After a few minutes someone came out who worked in the building; he said there’d been a break-in recently but that he didn’t know anything about the drives.  I tried to call Rich for advice, but he was busy so I decided I’d finish my walk to lunch and think on the situation for a little while.

One burrito later, I walked up on the scene again.  This time a homeless man in dirty, ripped slacks was surveying the bag of hard drives.  He looked around much like I had done thirty minutes earlier, then scuttled up to the bag and pulled out one of the external hard drives.  After sniffing it for a second, he licked one side of the drive and put it back in the bag.  He then ran over to a parking meter and licked it, licked the taillights on both sides of an SUV and vanished from my sight behind the car. 

I lost any interest in the hard drives at that point.  That takes mom’s caution of “you don’t know where that’s been” to a whole new level.

Saliva incident aside, what would you do if you found a bag of hard drives in a park or public place?  Calling 911 didn’t seem appropriate, though there is a slim possibility of explosives.  Taking the drives home and performing some forensics research on them crossed my mind; I have the technology if not much skill in the area.  I tried to turn them in to the business, but there was no one there.  I guess the gentleman with the inquisitive taste buds saved me from a moral dilemma. 

What would you have done?


15 responses so far

Apr 27 2009

Beware ‘swine flu’ spam, it’s coming

Published by under Phishing, scams, etc.

We all know it’s going to happen and probably sooner than later; spammers will figure out that people are panicking about swine flu and they’ll start registering domain names and sending out email offering the latest information and drugs guaranteed to stop swine flu.  I’m actually surprised that it hasn’t started already, but I guess even spammers take the weekend off occasionally.

There are a few fairly simple steps you can take to protect your users from being taken in by this spam.  First of all, inoculate them by giving them real information about the swine flu.  Stephen Northcutt has written up a pretty good post with lots of links to important information like what influenza really is and what steps people should be taking to prevent the spread of the flu.  Here’s a couple major hints: wash your hands often and stay home if you’re sick. 

The second step you can take is to keep an eye on the Internet Storm Center.  There hasn’t been much activity in the spam arena around swine flu, but the guys at the ISC will probably be some of the first to let us know when it starts.  It’s not a question of if we’ll get spam related to the current public panic, so keep your eyes and ears open to prevent your users from getting taken in.

The third thing I can’t suggest highly enough is don’t panic.  There’s a lot of media hype around the swine flu, but the reality is, this doesn’t yet appear to be anything much more than our annual round of the flu.  True, it could turn into a lot more and we don’t yet have a vaccine for this strain, but relatively few people have died and most of those appear to be people who were already in a weakened state.  Plan, know what you’ll do if things do turn out to be worse than they appear, but do so in a calm, reasoned way.  Think of this as another incident response drill where you need to think about the steps you’ll need to take well in advance and you’ll be fine. 

Update:  Looks like the spammers started some time early this morning:  Swine Flu spam from McAfee Avert Labs Blog


5 responses so far

Apr 01 2009

No Twitter, limited IM, email & Web today

It’s only 6:00 am PDT and I’ve already overdosed on April Fools jokes today.  All it took was a couple of minutes on the TechCrunch site and reading several emails from vendors and I’m April Fooled out!  It’s bad enough that I have to spend a significant portion of my day trying to wade through marketing emails and PR offers, but when you add the need to figure out if an IM/email/site is real or a prank on top of that, it’s more than I feel like dealing with. 

April Fools day is a lot of fun when it’s being played on family, friends and co-workers, but when it becomes one of the biggest marketing frenzies on the web (Look at us, aren’t we funny!), I decide to bow out of the whole experience.  I don’t have the time or energy for it.  So if you’ve sent me an email about how your company bought Twitter or is flying security analysts to Uranus (well, that would be funny) I take appropriate action: I round file it.

Thanks for participating.  I’ll be back to my normal online haunts tomorrow when the worst of the ‘me too’ flurries are over.


One response so far

Feb 19 2009

Reporting Twitter spam

I’m pretty careful about who follows me in Twitter.  I get the email saying who’s following me every time I get a new follower, and without fail I click on the link to see who’s following me.  Most of the time I think “Cool, another follower” and move on.  If it’s an obvious bot (following 100′s to 1000′s but almost no followers) or if it’s someone who’s a marketing person who has nothing to do with security, I block them.  I’ve probably made a couple of mistakes and blocked some very good, legitimate people, but I’d rather lose a few good people than have the bots and spam twits following me.

Today I got something a little different, a twit whose only purpose is to spam people with links to pr0n videos.  Or at least I strongly suspect that’s what they were, given the names of the videos; I wasn’t willing to risk the malware infestation I believe was probably behind the links to find out.  I immediately blocked that account, but got to thinking about other people who might not be quite as reluctant to follow the links as I am.  Which brought up an interesting question: how do you report spam accounts to Twitter?

I went to the main help page looking for information about how to report spam and didn’t see anything.  So I did what any good twit will do and sent out a tweet to see if anyone else knew how to report spam.  Turns out I’m not the only one who had little or no idea of how to report Twitter spam.  So I did the only thing I could think of: sent an email to support and let it go at that.

I received back several replies asking me to let people know how to report spam, so I decided to take another look at the support page.  Lo and behold, there were instructions on the page right in front of me; I just hadn’t scrolled down the page far enough to find them.  Under the heading “Contact Twitter” was the following information:

Contacting Twitter

More information about Twitter

  • @spam: follow our spam profile and report Twitter spam via direct message
  • Status Blog: check Twitter’s current system status.
  • Twitter Blog: what’s new with Twitter
  • Developer Blog: a technical blog from the Twitter engineering team
  • Developer Group: if you’re a developer, join our mailing list

And there you have it.  If you receive a follower that is a spam bot, all you have to do is send a direct message to ‘spam’ at twitter.  Could they make it any easier?  Probably not.  Do your part, let the folks at Twitter know when you get a follower who’s a bot.  It’s not only good to kick those accounts off and stop the spam, it lowers the chances of seeing a fail whale.  And no one likes the fail whale.

Update:  Minor problem with the process.  To report spam, you have to follow @spam.  You’d think the guys at Twitter would make an exception for that account. 


One response so far

Jan 15 2009

ATM Skimmers are getting sneakier

Most of the ATM skimmers I’ve read about are reasonably easy to detect if you’re paying attention.  Things like a cover that goes over the existing face of the ATM and contains a card reader and some memory.  But this one’s a new twist on the theme; the reader itself is just a small frame of plastic that wirelessly transmits the scanned card information to a ‘speaker’ a couple of feet away that also contains a video camera to capture your PIN while it’s at it.  This setup has been blamed for tens of thousands of dollars lost and I have to wonder how many others like it there are around the area.  If nothing else, watch the short video for the suggestions at the end for protecting yourself when using an ATM.  Found on Threat Level.


4 responses so far

Jan 05 2009

Four information points on Twitter phishing

I don’t have a lot of time this morning, but here are four bits of information on Twitter and the phishing attack against it that started this weekend.  Haven’t there been a number of us that have been saying for a while “Don’t put your username and password into 3rd party applications on the web!”?

I asked once before “Is Twitter a security risk?”.  This isn’t a problem with Twitter, this is a problem with people who are willing to give up their usernames and passwords for … what?  A little sense of an ego boost as they find they’re relevant somehow?  A pretty graphic that shows how they’re connected to other Twits?  People don’t seem to realize this is another extension of their digital identity, just like a Facebook account or email address.


3 responses so far

Nov 26 2008

Google security denies XSRF reports

The issue of the blogosphere echo chamber has come up a number of times lately, with both journalists and bloggers claiming that we don’t do enough fact checking before taking a story as the truth.  I’m willing to give up the point, but I’m not willing to take it as a dig against the blogosphere, instead I think it’s a fact of human nature, which is why we need to double-check what others say, whether it’s in the newspaper, on TV, written in a blog or just word of mouth.  We’re security professionals after all, we shouldn’t trust anyone without verifying.

In last night’s podcast, Rich and I mentioned a Cross Site Request Forgery (XSRF or CSRF) reported against Google by the Geek Condition blog (down as of this writing, presumably due to traffic from Google).  Neither Rich nor I were very concerned about the issue, since it was stated to be an issue that had been closed.  The important part to us was the fact that it shows a weakness in the common practice of sending password reset information to a ‘trusted’ email account.  As this Proof of Concept pointed out, if you can somehow create a filter on someone’s email account, you can create a filter that forwards select emails and removes them from the user’s inbox.  Once that filter is in place, it’s child’s play to reset an account password and steal a domain or any other account with a similar reset method. 

Right after the podcast I ran across a Google Security post stating that the CSRF bug had been fixed long ago and that the domain theft had nothing to do with the vulnerability.  I’m willing to give the Google Security team the benefit of the doubt and believe them; however, I’m left with a nagging question as to whether they can really make such a statement with certainty.  The referenced CSRF did in fact exist, though it was patched very quickly, and I know from clicking on a PoC for the vulnerability that it works (I won’t be doing that again).  I don’t see any reason to think that someone couldn’t have gotten any number of domain owners to fall for a link exploiting the CSRF and then waited 2-3 months to make use of the compromised Gmail accounts. 

The fact is, I don’t see enough evidence for or against the exploitation of this vulnerability to prove either side of the story.  No amount of fact checking in the blogosphere is going to prove the point; there’s simply not enough known, it’s almost all speculation.  The Google Security team has to deny the report, it’s part of what they do.  But they have done a good thing in strongly suggesting everyone force their Gmail account to only use SSL when logging in.  It’s not a perfect solution, but it is a step up from what most people are currently doing.
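The forward-and-hide mail filter is the piece of this chain a defender can actually look for.  The following audit is an added example, not code from the original post or from Google; it runs over constructed, made-up filter rules (not real Gmail filters or API output) and flags any rule that forwards mail off-domain and also deletes or archives it, ranking rules that match account-recovery terms highest.

```python
"""Audit mailbox filters for the forward-and-hide pattern described above.

Constructed example: the filter rules below are made-up sample data, not
real Gmail filters or any Google API output.
"""
import re

# Terms that typically appear in account-recovery mail; constructed list.
RESET_TERMS = re.compile(r"password|reset|verify|recover|registrar", re.I)


def is_external(address, trusted_domains):
    """True when a forwarding target is outside the trusted domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in trusted_domains}


def find_suspicious_filters(filters, trusted_domains):
    """Return findings for filters that forward off-domain and hide the mail.

    Each filter is a dict with keys: "id", "match" (the rule's criteria),
    "forward_to" (address or None), "delete" and "archive" (bools).
    Forwarding externally *and* removing the message from the inbox is the
    combination that lets a password-reset mail be captured unnoticed.
    """
    findings = []
    for rule in filters:
        target = rule.get("forward_to")
        if not target or not is_external(target, trusted_domains):
            continue
        if not (rule.get("delete") or rule.get("archive")):
            continue
        severity = "high" if RESET_TERMS.search(rule.get("match", "")) else "medium"
        findings.append({"id": rule["id"], "forward_to": target,
                         "severity": severity})
    return findings


# Constructed sample rules: benign, medium, high, and an internal forward.
SAMPLE_FILTERS = [
    {"id": "f1", "match": "from:newsletter", "forward_to": None,
     "delete": True, "archive": False},
    {"id": "f2", "match": "from:boss", "forward_to": "me@partner.example",
     "delete": False, "archive": True},
    {"id": "f3", "match": "subject:password reset",
     "forward_to": "drop@attacker.example", "delete": True, "archive": False},
    {"id": "f4", "match": "subject:password reset",
     "forward_to": "backup@corp.example", "delete": True, "archive": False},
]

if __name__ == "__main__":
    for hit in find_suspicious_filters(SAMPLE_FILTERS, ["corp.example"]):
        print(hit)
```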


No responses yet

Oct 13 2008

Supply chain attack on credit cards in Europe

You trust your PIN Entry Device[PED] (the thing you swipe your credit card through at the checkout stand) don’t you?  You might need to rethink that trust:  PED boxes in Europe were tampered with, either at the factory or somewhere else in the supply chain, and had additional hardware installed to capture full stripe data as well as PIN information.  The information has been getting sent back to the crime ring responsible for the compromise and is turning up in fraud cases all over the world.  The funny part is the best way to distinguish a compromised machine from an uncompromised machine is to weigh them; the attack adds 3-4 ounces to the machines thanks to the additional hardware installed in them.

To me, this is one of the scariest attacks against credit cards yet.  True, attacking a merchant like TJX will get you millions of credit card numbers, but an attack against the supply chain could affect every merchant if it goes unnoticed long enough.  This attack is comparatively easy to detect, given the extra hardware that was installed.  But what if the attack had taken place one or two steps earlier in the manufacturing process and actually became part of the software in the PED boxes?  I can imagine a PED box having a little extra memory installed to log all the credit card swipes it processes on a daily basis and calling home to upload that information on a daily or weekly basis. 

This is the sort of attack that could possibly go undetected for years, especially if the people doing it have a fair understanding of the credit card company anti-fraud mechanisms.  It’d be easy to create an algorithm that is specifically designed to choose credit card numbers from the pool and use them in such a way as to fly under the radar with a little insider knowledge.  And anyone who’s already infiltrated the manufacturing companies will have a good chance at infiltrating other aspects of the process as well.

It took nine months for the authorities to track down and report on this breach of the supply chain.  The people who pulled it off knew what they were doing and knew how to make their devices look like they’d never been tampered with.  The authorities caught on, but the next time someone pulls this off, they’ll be smarter and it’ll be even harder to catch them.

This is just one more reason you should never use your debit card anywhere other than at a bank.  When your credit card is compromised, you’re only responsible for the first $50; if your debit card is compromised, it all depends on how nice your bank decides they want to be.  Do you want to rely on your bank’s charity?  I sure as heck don’t.

Update:  A little more information on this attack from the Wall Street Journal.  Thanks to Richard Stiennon


One response so far

Aug 21 2008

Apple’s giving spammers a hand

I almost think it’s time to create a new blog called “Security Stupidity”. The latest issue to catch my eye is Apple’s “it’s not a security problem because nobody noticed” declaration; Michael Arrington has pointed out that Apple has made it easy for someone to enumerate the me.com and mac.com email address range by making public folders that use the same name as the email address. I’m sure I can think of several dozen people who presented at Defcon a couple of weeks ago who could do this in a matter of hours.

Michael Arrington has this one dead to rights: the bad guys have probably already figured this one out and are taking advantage of it as you’re reading this. There’s no way to remove an account name from this list, which means that Apple has no way of fixing this information leak without a major overhaul of their systems. I didn’t sign up for a me.com address before and now I’m glad.

I hope you’re not using your me.com or mac.com addresses for anything major, because they’re about to become spam magnets. This is the real power of full disclosure: Michael Arrington tried to tell them, they didn’t do anything so he disclosed, now Apple is going to pay the consequences, along with everyone who owns one of these email accounts.

Rather than admitting they’re wrong and fixing the problem (if that’s even possible), Apple will probably continue to deny this is a problem. But once it becomes a widespread issue, they’ll probably still deny it and quietly step up their behind the scenes anti-spam efforts. And we all know how well that’ll work.


24 responses so far
