Tuesday, October 27, 2009

The Legendary Evil Maid Laptop Thief

This is a not-so-far-fetched scenario. In this post on TechRepublic's IT Security blog, the mythical evil hotel maid uses her equally mythical handy-dandy Evil Maid USB Stick to boot up your laptop from your hotel room, circumventing your TrueCrypt disk encryption, and steals data from your laptop.

And, she gets away with it without you ever knowing it. You don't suspect anything when you get back to the room. The laptop is off and closed, just as you left it, before you headed out a few hours before.

Substitute the mythical maid for an industrial spy who social engineers his or her way into your hotel room, and you have a real-live data theft scenario, coming to a theater near you.

While the example in the blog post is about a workaround to defeat TrueCrypt, the basic idea is that someone with physical access to a box basically owns it. Today it might be bootable USB key, but yesterday it was a bootable something else, like a live Linux CD, such as Knoppix.

So, what's the best defense?

As an occasional road warrior myself, I never let my laptop out of my sight. Yes, that's right. The best lock is an eye. Wherever I go, the laptop goes. And, it never stays in the room during the day, when the mythical Evil Maid might come by.

Monday, October 26, 2009

Avalanche More Than Name for Phishing Gang

A phishing gang that goes, not surprisingly, by the name of Avalanche has spawned a quarter of all phishing attacks in the first half of this year, according to a study by the Anti-Phishing Working Group, as reported in Network World.

The gang has been successful by registering domains at multiple registrars, some in small countries, and with stolen credit card numbers from those same countries, and then hop scotches around if one of the domains gets shuts down, the report says.

But, on the other hand, an indicator of phishing success, which the report calls "uptime," shows that registrars are getting savvy about Avalanche's tricks, especially because of its use of stolen card numbers. Apparently, as a result, Avalanche's uptimes, around 14 hours, are significantly lower than the phishing "industry" average, if you will.

Though not considered a phishing attack, rogue anti-virus programs are, like phishing, a form of social engineering, according to legitimate anti-virus vendor, Trend Micro. In this scam, which again resembles a phishing attack, a pop up window appears on a legitimate web site with a security warning. The unsuspected user then forks over cash to pay for protection, which never appears.

Saturday, October 24, 2009

Five New Sins in Howard Book and Some Myths

Michael Howard, application security guru at Microsoft and author of some landmark books on software security, has recently added five new sins with this two co-authors, David LeBlanc and John Viega, in the new edition, 24 Deadly Sins of Software Security, of his outstanding handbook.

There really are six new sins, but since one old sin was dropped from the 19 in the old volume, the new total is back up to 24.

What I like about this book is that rather than being a textbook, it's more like a catalog for developers of the most common and nasty security weaknesses in application sofware. Unlike Howard and LeBlanc's other reference on the subject, Writing Secure Code, another famous reference on the subject, a developer can pinpoint the exact issue of interest, zoom down to specific code examples and find remedies in the most common programming languages.

The new sins of the 24 are the following:
Sin # 2: Web-Server Related Vulnerabilities
Sin # 8: C++ Catastrophes
Sin # 9: Catching Exceptions
Sin #15: Not Updating Easily
Sin #16: Executing Code with Too Much Privilege
Sin #18: The Sins of Mobile Code

Co-author John Viega, another noted author in the software security field, also recently wrote, The Myths of Security, a fascinating non-technical book on the fallacies peddled by the software security vendors. He zeroes in on anti-virus software, a subject he has an intimate knowledge of as CTO of the SaaS Business Unit at McAfee.

This book is a real wake up call not only to the general public about the pitfalls of anti-virus and other security products for home users, but to the arrogance of some geeks who think they're invincible because they'd never click on a bad link.

Between my new found awareness of my software sins and my arrogance as a geek, I was both humbled and enlightened by these two fantastic books.

Health Care Privacy Still Needs Intensive Care

Health care privacy, to say the least, is still critically ill, according to a recent study last week of health care IT security professionals by the Ponemon Institute. The survey found that 80 percent of health care organizations had experienced at least one breach of health records in the past year.

Added to that, 70 percent of respondents said their management didn't think privacy and data security were a priority.

The professionals surveyed expressed concern that with the push for electronic health records, security had to get more attention. Few dispute the value of centralized and easily available medical records -- something that could save lives -- but those records should only be available to those who need them, not crooks and identity thieves.

Hospitals and medical institutions continue to lag behind other industries in protecting data, privacy and IT security. And, despite the complaints about the effectiveness of PCI, the corresponding regulation for health care, HIPAA, has little teeth.

A breach at Express Scripts in St. Louis last year may have impacted as many as 700,000 people.

SearchSecurity.com ran an article last week explaining new HIPAA provisions and tips for implementing an effective HIPAA program.

Tuesday, October 13, 2009

Social Networking: ID Theft Goldmine

Ever watch what your friends put on Facebook or other social networking sites and just shake your head in amazement? Hackers sure don't. They don't even need any fancy tools or tricks to steal someone's identity from off a social networking site.

Besides the obvious like telling the whole world when you'll be away on vacation -- an open invitation not to hackers but land-based thieves looking for an easy break-in -- consider other information people put on sites: job information, birthdates, schools attended and graduation dates and family photos. How about other family information, like your mother's maiden name?

All of this can be used to knit together enough of a profile for an identity thief to bypass security questions on banking sites, create false ID cards and even open loan applications in the victim's name.

Although 57% of respondents to a survey in the UK on identity theft said they were concerned that social networking sites make ID theft easier, two thirds of those surveyed said they didn't take adequate protection.

Maybe a little common sense is in order, rather than some new tool or service, when it comes to posting on social networking sites.

Tuesday, October 06, 2009

No Free Checking with This Banking Trojan

A new Trojan hitting banking sites, as if this were really something new, has been making the rounds. So, what's new about the new URLzone Trojan?

Unlike other common banking Trojans, like Zeus and Clampi, which just transfer funds from a victim's account to those of criminals, URLzone can block anti-fraud detection systems. It can even be set to not drain an account to a zero balance, flying under the radar of other detection systems triggered by empty bank accounts.

The Trojan is allegedly being operated by a Ukraine-based gang, according to security company Finjan.

Other sophisticated ways the Trojan evades detection is to only hit accounts at random and then only a limited number of times, again throwing off fraud detection systems, which generally look for suspicious patterns of withdrawals.

Phone Phreaking No Different Today Than Yesterday

Remember when they were called phone phreaks? Maybe I'm dating myself, but that was back in the 70s (maybe earlier?), when they used different colored home-made toys called blue, black and red boxes.

Those were the tools of yesteryear pre-dating electronic switching, when data and computer commands ran on the same voice lines.

Well, they're back and actually doing better. In fact, I think, they never really went away. But now with the growth of phone service over the Internet, like VoIP, they can use a lot of the same tools and techniques for hacking phone services, as they can for cracking the Internet.

Also, unlike the phreaks of the past, who did it for fun, now they're organized into multinational syndicates stealing phone services on one country and diverting it -- for a fee of course -- to homesick immigrants in other countries wanting discounts on their international calls, according to this Network World article.

There are four weaknesses in phone configurations that trip up IT managers:

  1. Weak user authentication and access control -- Companies often don't extend the same protections, like two-factor authentication, to their VoIP phone networks.
  2. Relying only on session border controllers and media gateways for security -- During the handoff between networks and SIP trunks running phone services, application level security is needed to protect from phone attacks.
  3. Inadequate virtual LAN separation and control -- The use of Virtual LANs (VLANs) to logically separate voice and data traffic isn't adequate to prevent an attacker from breaching the VLAN.
  4. Inadequate use of encryption -- What else is new? This is simply not encrypting traffic over internal networks. Even if encrypted over public networks, when it enters the company networks, it still needs to be protected.