Wednesday, July 29, 2009

IBM Acquires Ounce Labs

Big Blue has added another notch to its growing belt of security products and services with the acquisition yesterday of Ounce Labs, an application testing provider, according to an IBM press release.

Ounce Labs is a well-known player in the application security testing market, offering tools for ferreting out security glitches in application code during development. Ounce has taken advantage of the growing market for application security products, as attackers have set their sights on application-layer rather than network-layer attacks, a trend that has been building over the past several years.

Ounce is known for being flexible and able to integrate with other development tools, which IBM hopes to add to its Rational software development products. IBM also hopes to outflank Hewlett-Packard, another growing player in the application security space since its acquisition in 2007 of SPI Dynamics, a leading web application security scanner.

Terms of the deal for Ounce, a privately-held company, weren't disclosed.

Thursday, July 23, 2009

Poor Access Control Policies Expose Michael Jackson File

It seems nosy employees at the Los Angeles County coroner's office, who shouldn't have had access, were able to view Michael Jackson's death certificate. Though this story reported by the Associated Press is just another in the millions of articles about the celebrity, if you take a closer look, it's really about IT security and access controls.

The story reported that the certificate is stored in a state-supervised computer system, access to which is open to anyone with a state-issued password, which includes not only employees at the coroner's office, but also those at funeral homes, hospitals and county and state registrar's offices.

What the story didn't report was whether strong passwords were enforced, among other access control policies. What other holes exist in the system that could expose information about the dearly departed?

Though Jackson's celebrity status makes him an easy target for the curious, what about identity thieves poking around for an identity to grab? Even the dead can have their identity stolen, which can have grave (pardon the pun) consequences for their living relatives.

Sometimes it seems only identity thieves can bring the dead back to life.
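The access control problem above, as an added example that is not part of the original post: a password proves who you are, but a need-to-know check decides whether that identity may see a given record. The roles, organisations, users and record id below are constructed for illustration, and the audit log lets a reviewer spot users who keep probing records they are not assigned to.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed example: a need-to-know check for a vital-records system.
# Organisations, roles, users and record ids below are made up for illustration.

ROLE_PERMISSIONS = {
    "coroner_investigator": {"read"},
    "registrar": {"read", "amend"},
    "funeral_director": {"read"},
    "clerk": set(),               # a valid password alone grants nothing
}

@dataclass(frozen=True)
class Record:
    record_id: str
    assigned_orgs: frozenset      # organisations actually involved in this case

@dataclass(frozen=True)
class User:
    name: str
    org: str
    role: str

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

def authorize(user, record, action, log):
    """Grant only when the role allows the action AND the user's organisation
    is assigned to the record: a state-issued password is necessary, not sufficient."""
    role_ok = action in ROLE_PERMISSIONS.get(user.role, set())
    need_to_know = user.org in record.assigned_orgs
    decision = "ALLOW" if (role_ok and need_to_know) else "DENY"
    log.entries.append((user.name, user.org, record.record_id, action, decision))
    return decision == "ALLOW"

def users_with_repeated_denials(log, threshold=3):
    """Surface users who keep trying records they are not assigned to."""
    denials = Counter(e[0] for e in log.entries if e[4] == "DENY")
    return sorted(u for u, n in denials.items() if n >= threshold)

def demo():
    cert = Record("DC-2009-0001", frozenset({"la_coroner", "forest_lawn_mortuary"}))
    log = AuditLog()
    investigator = User("ana", "la_coroner", "coroner_investigator")
    curious_clerk = User("bob", "la_coroner", "clerk")
    other_mortuary = User("cara", "other_mortuary", "funeral_director")
    results = {
        "investigator_read": authorize(investigator, cert, "read", log),
        "clerk_read": authorize(curious_clerk, cert, "read", log),
        "other_mortuary_read": authorize(other_mortuary, cert, "read", log),
        "investigator_amend": authorize(investigator, cert, "amend", log),
    }
    for _ in range(2):               # the clerk keeps trying
        authorize(curious_clerk, cert, "read", log)
    results["flagged"] = users_with_repeated_denials(log)
    return results

if __name__ == "__main__":
    print(demo())
```

The clerk sits in the same office as the investigator and holds a valid password, yet is denied every time; the funeral director from an unrelated mortuary is denied despite a role that permits reading. Both outcomes are logged, so the third failed attempt by the same user is enough to put a name in front of a supervisor.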

New EV SSL Certificates Already Vulnerable

Two security researchers are scheduled to unveil a way to breach Extended Validation (EV) SSL certificates at the upcoming Black Hat conference next week in Las Vegas.

Conceptually, the attack is pretty simple but, in practice, is difficult to execute, according to Mike Zusman, principal consultant at Intrepidus Group, and one of the two researchers. The other is Alex Sotirov, an independent security researcher.

The attack works because it takes advantage of a web browser flaw: browsers can't tell the difference between EV and regular Domain Validated (DV) SSL certificates.

Beyond that, basically, the attack consists of two steps. The first requires the attacker to get a traditional DV cert from a Certificate Authority (CA); the second is to use a rogue man-in-the-middle server that combines certificates to conduct the attack. Since web browsers don't distinguish between EV and DV certs, the address bar would still show green, indicating a valid site.

The researchers will provide details at Black Hat and are expected to release a sample proxy tool shortly afterward.

Tuesday, July 21, 2009

How The Twitter Hack Did It

The French hacker, who goes by the nom de guerre of Hacker Croll, gave extensive details of his exploit to TechCrunch in a fascinating article last week.

Did he use fancy hacking tools? Was he a high-tech evil genius? No, on both counts, and far from it. He used the same type of password reset features that another hacker in Tennessee used to crack Alaska Gov. Sarah Palin's e-mail account last year, when she was running for vice president.

Basically, what Croll did was gain access to the Gmail account of a Twitter employee. He used information publicly available on the web about Twitter and from social networking sites to gather enough likely answers to the password reset questions.

This led to a dormant Hotmail account the Twitter employee had once used but had long since forgotten. By cracking that account as well -- also using password hints from the same public sources -- Croll was able to control the backup account for the employee's Gmail e-mail. This way the employee wouldn't be tipped off to the changes by any notifications to the secondary Hotmail account.

Some lessons learned from the attack are to be extra careful what you put on social networking sites, including clues about jobs, addresses and names of children and pets, for example. Also, make sure to have complex passwords, and don't use the same passwords for every account.

In the case of the Twitter hack, Croll found that the employee had used the same password not only for e-mail but for personal and financial accounts, as well.

E-mail, Twitter, it doesn't matter. They don't have to be scary. Just follow some safe account maintenance and password practices.
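The weak link in the story above is that the backup account could be repointed without the owner hearing about it. The following is an added example, not code from the original post or from any of the services named in it: a recovery-address change that notifies the old address with a cancel token and only takes effect after the new address is verified and a cooling-off period has passed. The seven-day period, the account names and the addresses are assumptions made up for the example.

```python
import secrets
from datetime import datetime, timedelta

COOLING_OFF = timedelta(days=7)   # assumed policy value, not from the article

class Account:
    """Account whose recovery e-mail cannot be swapped silently."""

    def __init__(self, username, recovery_email, outbox):
        self.username = username
        self.recovery_email = recovery_email
        self.outbox = outbox      # list of (address, text); stands in for real mail delivery
        self.pending = None

    def request_recovery_change(self, new_email, now):
        token = secrets.token_urlsafe(16)
        self.pending = {"new": new_email, "requested_at": now,
                        "token": token, "new_confirmed": False}
        # Both channels hear about it: the OLD address gets a cancel token,
        # so someone who only controls the new address cannot hide the change.
        self.outbox.append((self.recovery_email,
                            f"recovery address change requested; cancel with token {token}"))
        self.outbox.append((new_email, f"confirm you own this address with token {token}"))
        return token

    def _token_matches(self, token):
        return self.pending is not None and secrets.compare_digest(self.pending["token"], token)

    def confirm_new_address(self, token):
        if not self._token_matches(token):
            return False
        self.pending["new_confirmed"] = True
        return True

    def cancel_from_old_address(self, token):
        if not self._token_matches(token):
            return False
        self.pending = None
        self.outbox.append((self.recovery_email, "recovery address change cancelled"))
        return True

    def finalize(self, now):
        """Apply the change only once the new address is verified AND the
        cooling-off period has passed without the old address cancelling."""
        p = self.pending
        if p is None or not p["new_confirmed"] or now - p["requested_at"] < COOLING_OFF:
            return False
        old, self.recovery_email, self.pending = self.recovery_email, p["new"], None
        self.outbox.append((old, f"recovery address is now {p['new']}"))
        return True

def simulate():
    t0 = datetime(2009, 7, 1, 9, 0)
    # Scenario A: someone who only controls the new address tries to take over.
    outbox_a = []
    victim = Account("employee", "old-mail@example.com", outbox_a)
    tok = victim.request_recovery_change("stranger@example.com", t0)
    victim.confirm_new_address(tok)
    early = victim.finalize(t0 + timedelta(days=1))              # too soon: False
    old_was_told = any(a == "old-mail@example.com" for a, _ in outbox_a)
    cancelled = victim.cancel_from_old_address(tok)              # owner reacts to the notice
    late = victim.finalize(t0 + timedelta(days=8))               # nothing pending: False
    # Scenario B: legitimate change, owner lets the week pass.
    owner = Account("employee", "old-mail@example.com", [])
    tok_b = owner.request_recovery_change("new-mail@example.com", t0)
    owner.confirm_new_address(tok_b)
    applied = owner.finalize(t0 + timedelta(days=8))
    return {"early": early, "old_was_told": old_was_told, "cancelled": cancelled,
            "late": late, "victim_recovery": victim.recovery_email,
            "applied": applied, "owner_recovery": owner.recovery_email}

if __name__ == "__main__":
    print(simulate())
```

The design choice is that the old channel is always told and always gets a veto; a dormant, forgotten backup account is still a problem, which is why the cooling-off period matters as a second line and why the article's advice to clean up old accounts stands.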

Sunday, July 19, 2009

Milw0rm Exploit Site Back in Business

The well-known exploit site, Milw0rm, is now back online after a week-long hiatus. The site's operator, str0ke, had announced in early July that he was taking down the site because he didn't have the time to maintain it.

Of course, word spread quickly through the security community about the loss of such a valuable source of exploit information.

But str0ke was able to work out an agreement with some of his colleagues to share the work of maintaining the site and was able to bring the site back to life last week.

Tuesday, July 07, 2009

Cyberattack Hits South Korean Government Web Sites

This is a developing story with few details, but it was just reported about an hour ago by Agence France-Presse that South Korean police are investigating a series of cyberattacks against their government web sites.

About 25 sites were down for four hours on Tuesday in a Denial of Service attack that hit the presidential office, the defense ministry and other government web sites.

This follows a report last week, also from AFP, that the South Korean military was setting up a cyberdefense command to fight possible cyberattacks from North Korea and other countries.

Malware Robs Kentucky Bank Online

This is an absolutely fascinating blow-by-blow account of a malware attack from Brian Krebs of the Security Fix blog. The attack allowed the hackers to steal $415,000 from an online bank account. The attackers, cybercriminals in the Ukraine, stole the money from the bank account of a county government in Kentucky.

The story has all the elements of a great cybermystery, along with a cast of two dozen co-conspirators in the U.S. The hackers used the county government's own Internet connection, and then set up fake accounts for the co-conspirators to handle the ill-gotten funds wired to their accounts.

They also took over the account of a local judge with access to the bank account, even going so far as to change his e-mail address, so alerts about fraudulent activity would never get to the judge. Instead, they would go to the attackers, who would, of course, ignore them.

What's really interesting here is that these tricks allowed the attackers to bypass classic fraud detection schemes, such as PC fingerprinting. After all, they were using the county's own Internet connection. That shouldn't raise any red flags, right? And, even so, the attackers would get any e-mail alerts.

The investigation is still continuing, so there are still a few missing details and pieces of information.

Also, as a footnote, Krebs is in my personal Hall of Fame of security blogs for his outstanding coverage of security issues. Security Fix is one of those must-reads that should be bookmarked by every security professional.
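The detection gap described above (a trusted device, a trusted connection, and alerts rerouted to the attacker) can be closed with a rule that does not trust any of those signals. Below is an added example, not code from the post or from the bank involved: a small rule run over a constructed activity log that flags wire transfers to payees created shortly after a contact-detail change, and records whether the device fingerprint matched without letting a match suppress the alert. The event format, users, payee ids, amounts and the seven-day window are all made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample activity log (not real bank data); times, users and payee ids are made up.
EVENTS = [
    {"ts": "2009-06-22 09:12", "user": "judge", "type": "login", "device": "county-pc-01"},
    {"ts": "2009-06-22 09:15", "user": "judge", "type": "contact_change", "field": "email"},
    {"ts": "2009-06-22 09:40", "user": "judge", "type": "payee_added", "payee": "P-1001"},
    {"ts": "2009-06-22 10:05", "user": "judge", "type": "wire", "payee": "P-1001", "amount": 9500, "device": "county-pc-01"},
    {"ts": "2009-06-23 08:30", "user": "judge", "type": "payee_added", "payee": "P-1002"},
    {"ts": "2009-06-23 08:45", "user": "judge", "type": "wire", "payee": "P-1002", "amount": 9800, "device": "county-pc-01"},
    {"ts": "2009-06-23 11:00", "user": "judge", "type": "wire", "payee": "P-0007", "amount": 1200, "device": "county-pc-01"},
    {"ts": "2009-06-23 14:00", "user": "treasurer", "type": "payee_added", "payee": "P-2001"},
    {"ts": "2009-06-23 14:10", "user": "treasurer", "type": "wire", "payee": "P-2001", "amount": 3000, "device": "county-pc-02"},
]

KNOWN_DEVICES = {"judge": {"county-pc-01"}, "treasurer": {"county-pc-02"}}
WINDOW = timedelta(days=7)   # assumed look-back after a contact change

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def find_suspicious_wires(events, window=WINDOW):
    """Flag wires to payees created after a recent contact-detail change.
    The device fingerprint is recorded for context but deliberately does not
    suppress the alert: a trusted device is exactly what this attack rides on."""
    alerts = []
    last_change = {}     # user -> time of most recent contact change
    fresh_payees = {}    # user -> {payee: time added since that change}
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        ts, user, kind = parse_ts(e["ts"]), e["user"], e["type"]
        if kind == "contact_change":
            last_change[user] = ts
            fresh_payees[user] = {}
        elif kind == "payee_added":
            if user in last_change and ts - last_change[user] <= window:
                fresh_payees[user][e["payee"]] = ts
        elif kind == "wire":
            recent = user in last_change and ts - last_change[user] <= window
            if recent and e["payee"] in fresh_payees.get(user, {}):
                alerts.append({
                    "user": user, "ts": e["ts"], "payee": e["payee"], "amount": e["amount"],
                    "device_known": e.get("device") in KNOWN_DEVICES.get(user, set()),
                    "minutes_since_contact_change": int((ts - last_change[user]).total_seconds() // 60),
                })
    return alerts

def total_flagged(alerts):
    return sum(a["amount"] for a in alerts)

if __name__ == "__main__":
    for a in find_suspicious_wires(EVENTS):
        print(a)
```

Two of the judge's wires are flagged even though every one of them came from the county's known PC; the wire to a long-standing payee and the treasurer's activity, which had no contact change behind it, pass. Because the rule fires on the transaction record rather than on an e-mail to the customer, it still works when the customer's address has been changed out from under them.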

Monday, July 06, 2009

Defending American Cyberspace Isn't Just About Cyberwar

In this thought-provoking piece in The New York Times, Jack Goldsmith makes an interesting and succinct case for defending American cyberspace. What I like in his guest Op-Ed is that he cuts through so much of the noise surrounding this issue and the criticism of Obama's recently unveiled cyberdefense plans.

Goldsmith argues that much of the cyberinfrastructure, like its physical counterpart, is in private hands. Hands that may run that infrastructure well as a business but still need to rely on the government to defend it from attacks.

Goldsmith goes through all the usual arguments in a paragraph each about civil liberties, surveillance and other fears about government control of the defense of cyberspace. He says we may be squeamish about the extent of government activity required but the balance can still be struck in defending both cyberspace and our civil freedoms.

What I also found interesting was that Goldsmith is not a techie, nor a veteran in the cybertrenches. He's an attorney, and his arguments are well thought out. He's also written a book, Who Controls the Internet?: Illusions of a Borderless World, recently released on Amazon.

Insider Threats from Main Street to Wall Street

Here are two totally unrelated inside jobs that, though very different, show how the insider threat is as dangerous and devastating as attacks from outside hackers. In fact, unlike a distant hacker, an insider already has access, often privileged.

In this story last week from Network World, a security guard at a Dallas hospital used his access to install malware on the hospital's network. The malware could not only steal confidential patient information, but also control the hospital's climate-control systems. The guard then had the nerve to post videos on YouTube of his exploits.

Hospitals, and health care institutions, in general, are still a long way from securing patient data, much of which contains the Identity Theft Quartet -- name, address, birthday and Social Security Number -- which together can be used for full-blown identity theft.

In another story broken by Reuters, also last week, the FBI arrested a Russian immigrant who had worked as a developer at Goldman Sachs for stealing application code used for high-volume trading. The former Goldman Sachs employee was going to bring the code over to his new employer in exchange for a salary hike.