Security is “No Easy Day”

The recently published book containing the details of the raid on and killing of Osama bin Laden has caused a firestorm in military and security circles.

In “No Easy Day”, Mark Owen (a pseudonym; his real name is Matt Bissonnette) provides a first-hand account of the planning and execution of the operation to kill the world’s most wanted terrorist.

The ex-Navy SEAL gives a blow-by-blow account in what is described as a vivid, and sometimes gruesome, documentary.

The Pentagon claims that it contains “sensitive and classified” material. You may argue that the very honor, ethics and cultural values of America’s elite fighting force have also been compromised.

But this debate goes beyond disclosure of classified information, which is a crime.

These types of disclosures have very real parallels in information security, as well.

Some security experts argue that disclosure of security operations, particularly during data breaches and other incidents, is critical to the successful handling and prevention of future incidents.

The concept is that the more that is published about how particular vulnerabilities were exploited, the better prepared other organizations can be to defend against them.

Some claim that the disclosure of data breaches and their related vulnerabilities only invites copycats. After all, how many organizations will take action on advice, once given?

Still another argument suggests that disclosures weaken the defenders themselves, rather than the vulnerabilities. The more an attacker knows about our Tactics, Techniques and Procedures (TTPs), the better they can work around them.

Sharing information is critical, whether it’s done at the department, industry or nation level. The question then becomes, how can we share intelligence without compromising our own mission?

The concept of Operational Security (OPSEC) has existed for millennia. During times of war, mission plans are the most sought-after of all artifacts.

During times of peace, they are surpassed only by the plans for war.

Many argue that Mark Owen has now put the lives of many Navy SEALs in jeopardy. At a minimum, it’s going to make their jobs a little harder for a while.

And if nothing else, it has brought visibility to the importance of Operational Security.

Irrespective of which side of the fence you sit, you need to know where the fence is. And you can be pretty damn sure that there’s somebody on the other side.

Now we know that they’ve got 23 other guys, dropped out of a stealth chopper and are carrying M4s.

In Security We Trust

The American Presidency is designed to disappoint.

After watching much of the Republican National Convention (mostly online, God bless the Interwebz), I am truly prepared for an underwhelming four years.

This is in small part due to the fact that my candidate is behind in the polls and unlikely to win the election. But also consider this:

For the past year we’ve been inundated by candidates from all parties with promises of change and other transformative programs that will take America in the direction necessary for prosperity, safety, international diplomacy and the future development of our nation.

Each candidate has made promises to improve the economy, education, healthcare and human welfare, our international citizenship, critical infrastructure and more.

Candidates have extolled their programs’ unique features, and proclaimed how they are exclusively qualified to carry out these duties.

And irrespective of which box you check on your Voter Registration Card, you’ve invariably heard about how one political party is superior to the other.

But the truth is, no matter who makes it into the White House – Obama or Romney, Democrat or Republican – they will fail to deliver on their promises.

And this is as it should be.

You see, the Founding Fathers were pretty smart dudes, and they knew a little something about security. They could see Obama and Romney coming a mile away, and they knew that the rhetoric of change was just that.

So they instituted a system of checks and balances. They created institutions that limited the President’s power to specific charges and duties.

They built a system of trust that ensured the President’s ability to control was dependent upon what Congress, the Supreme Court, the Federal Reserve Board, other nations and reality would allow him.

In fact, one of the most important security controls we use today – segregation of duties – is built into the Constitution and nearly every other important document that this country was founded on.

So on election day, let’s all take a deep, collective breath.

You may take the Presidency seriously, but rest assured that regardless of who wins, our forefathers were smart enough to neuter the CEO of America.

More Tales From the (Unen)Crypt

You just can’t make this stuff up.

Last week I received the following text message from an unknown number: “I received check. Thank you. Alice”.

A quick bit of research revealed that the number came from a woman (OK, I made some assumptions on the “Alice” part) who owns a flower shop in a small town in Florida.

They offer a full line of floral favorites, houseplants and perennials, and they also accept Visa, MasterCard and PayPal. The web site doesn’t say anything about accepting personal checks but apparently they’re cool with that, too.

I sat on the text for over an hour, as various scenarios piled up in my mind. I couldn’t help but wonder how security-conscious Alice was. Now that she had opened the door, I wanted to walk through and see what was on the other side.

My curiosity was piqued. Was Alice from Wonderland, carrying a big, nasty broom, and sweeping out all that would dare trespass on PII? Or was she just another careless merchant exposing helpless customers’ personal data?

I couldn’t help myself.

Hi Alice. I don’t remember which acct I used can you resend the routing and acct number.

We would soon find out.

As with all disasters, you prepare for the worst and hope for the best. We all want to believe in human beings’ natural sense of good, to protect our own and to want the best for others. We are the only species on the planet that has been gifted with morality, a true sense of right and wrong. We are truly blessed.

Over two hours had passed and I felt strong. In a world where security breaches, fraud and cybercrime were the norm, Alice was a beacon of hope. A shining example of what was right in this sordid world where so much has gone wrong. Alice, a frail, aging shopkeeper would show us what fortitude, diligence and a sense of righteousness truly means. If Alice could do it, anyo (bzzzzzt)…

021000322 XXXXXXXXXXXX XXXX

Don’t buy flowers in Florida.

Black Hats – Function or Fashion?

If you’re like many people, you’ve either been in Vegas this week, or you’ve been getting a few extra newsletters describing the heavily publicized antics that went on at this year’s Black Hat conference.

Unfortunately, I fell into the latter category.

Like years past, Black Hat delivered as advertised. Although the Secret Service didn’t halt any sessions for purposes of national security, there were some great pieces.

Black Hat (and DEF CON) always provide security professionals with plenty of new things to think about. I suppose that’s why they’ve become the most popular security conferences in the world.

But let’s be honest, they’re a lot like fashion shows.

I find fashion shows hilarious. A bunch of high-brow Paris types, with more time than other things, convene and parade utterly garish clothing that’s entertaining and thought-provoking, but not in the least bit wearable. The ornaments, trappings and meatpuppets draped over wafer-thin models will never see a department store rack, let alone the closet in your home.

Other than an evening of pageantry and spectacle, it’s a complete waste of time.

Kinda like Black Hat.

Please don’t take this the wrong way – I love Black Hat, DEF CON and the spirit behind these events. It’s just that they tend to be a distraction from what’s going on in the real world.

For example, one presentation suggested that businesses add offensive tactics to their arsenals. The presentation went on to argue that attacking, or “bringing pain to”, your attackers has simply become necessary and that other security tactics have become obsolete.

Another presentation, titled “Catching Insider Data Theft with Stochastic Forensics” gave attendees a look at how to predict unpredictable things in a precise way.

Yet other research focused on compromising iris recognition systems.

I feel like I need to repeat that these researchers are doing a great service, and their findings are truly revered.

However, most businesses can’t even manage to use decent passwords. They don’t patch. They don’t train their employees. Forget about introducing stochastic forensic analysis; most companies don’t have a shredder.

There was some really great research presented this year on circumventing web application firewalls, trust models and the latest findings on malware in the wild. You could say that some of these fit like an old pair of jeans.

The rest will probably stay in the closet until next year.

To Train or Not to Train, That is Not the Question

Recently, CSO published an article suggesting that organizations eliminate security awareness training from their security programs. The article has stirred great debate in security circles, including this one.

Citing the “Carronade” phishing test failure at West Point in 2004, the author went on to claim that any investment in security awareness training “is money wasted”. The overarching theme of the piece suggested that human susceptibility is impossible to eliminate. Because complete (100%) security is impossible to achieve in this area, resources should be dedicated elsewhere.

If this argument were true, there would be no firewalls. No antivirus. No security controls of any kind.

Let me first say that I respect the author for offering a viewpoint counter to that of the masses, and for getting us to think a bit. Let me then say that I believe the author missed the point. It’s not about eliminating training, it’s about eliminating ineffective training.

Anyone who has been protecting things for any length of time knows that trust is hard to come by. And it gets harder every day. Consider this:

  1. Business has become complex, amorphous and dynamic. An increasingly younger workforce cares less about privacy and security. Wireless, social media, virtualization, mobility – all of these have made it harder to protect critical assets.
  2. Attackers are multiplying and motivations are increasing. China just arrested 10,000 online criminals and other individuals suspected of Internet crimes. 10,000. And hacking is still not illegal in most countries.
  3. The tools to steal banking credentials and roll malware can be bought online with incredible ease. They’re inexpensive and come with technical support, just like Microsoft Office. Anyone can get into online crime.

Fighting cybercrime is a $400B industry, and we’re just getting started.

So now ask yourself, what – or better yet who – are you trusting to protect your assets?

I offer this counterpoint to the CSO article: effective security awareness training is the best, perhaps the only, security practice that, done well, demonstrates dramatic, measurable return in today’s environment.

Your employees are everywhere, and they do everything. They touch every database. Every SSN. Every locked door. Every web application. Every e-mail. Every credit card number. Every line of code. Every turnstile. Every firewall rule.

Get the right message to your employees on a consistent basis and you have solved a significant number of your security challenges, or at least reduced risk in those areas. Change your employees’ behaviors and you have instantly changed your security profile. There is no other single security control that has that same potential.

Today, you may be trying to save the company time by making training optional for employees. Today, you may be trying to save the company money by having the security guy deliver your training. Today, you may be trying to save the company energy by delivering the same PowerPoint slides to management, IT and staff.

Today, you are wasting your money.

Tomorrow is another day.

Have a Coke and a (Security) Smile

Sometimes, security just sucks.

It was never meant to be that way. In fact, done properly security should support a business goal or a higher-level strategy. When it’s done well, security is not painful and it serves a purpose. It protects things worth protecting. It saves our @sses.

When it’s not done well, well…

I went out-of-town for a few days last week for the holiday. It was a last-minute decision, but a good one. The trip was short and sweet, and local. I used a hugely popular travel web site to make hotel reservations. To protect the not-so-innocent, the travel provider will remain nameless. But let’s just say that it wasn’t Expedia or Orbitz and it starts with a “hotels.com”.

Lately we’ve been using this service for business travel, as you can rack up free hotel stays quickly as long as you make reservations through their web site. Of course, you need to log in to your account before making your reservations – this I would learn the hard way.

The trip was wonderful – we did some biking, ate some great food and got to sleep in. Things all vacations should be made of.

Getting credit for the hotel stays was another story.

What I thought would be a quick call to the provider started out bad and turned worse.

“Thank you for calling [hotel provider], can I help you?”

I explained that I needed to add credits to my account for stays that I had just completed. The customer service representative immediately requested my name, account number, DNA chains and a bunch of information that made me queasy. I asked politely why they needed this information for this activity, and why they would have had this information anyway. I certainly hadn’t provided it prior. These are hotel reservations after all, not the codes to The Football.

After several minutes of haggling, I was told that this individual could not post my credits. They would need approval from a supervisor. I was baffled.

I then asked her if she could get me the secret recipe for Coke, while she was at it. Either she didn’t get it or she didn’t think I was funny.

Making a long story short, I will be calling my hotel provider back on Monday, as this situation still isn’t resolved.

This is why people shudder when IT or their company’s Information Security team start talking about reinforcing security controls or “locking things down”. Forget matching your organization’s culture and personality with your controls (something we almost never see); just remember that your security implementation should match your risk.

Even the Secret Service lets the President kiss a few babies.

I will be calling back on Monday and immediately asking for a supervisor. When I get him or her on the phone, I will do my best to refrain from security advice.

But I might still ask for that Coke recipe.

Flame and the Impending Inferno

Earlier this month, security media were ablaze with news of the freshly discovered Flame malware toolkit, which according to reliable sources began infecting Iranian computers as early as 2008.

Since the first reports, we’ve learned more about Flame, its capabilities and intent. The results of this analysis have been impressive and sobering.

Like its alleged sibling, Stuxnet, Flame is highly sophisticated, purpose-built and effective. As someone who spent many years in software development, I appreciate what it takes to write code for many platforms and devices while minimizing flaws. The authors of Stuxnet and Flame deserve credit for this, if nothing else.

Unlike Stuxnet, Flame is a toolkit – a veritable Swiss Army knife – of attacks that can be activated remotely by its command and control operator. The Flame payload is delivered such that all of the modules are available and integrated into the initial assembly, with no additional download or communication required.

Bluetooth sniffing, keylogging, an Autorun infector, the ability to hijack the Windows AutoUpdate function and more – up to twenty unique modules – all nicely packaged in one nefarious kit.

With all of this, Flame may have supplanted Stuxnet as the most complex and sophisticated piece of weaponized software ever developed in the [known] history of mankind.

But as powerful as Flame seems, the economic ecosystem on which it’s built may be even more interesting.

For decades, Microsoft, Adobe, Google and Oracle have been recruiting, paying for and getting the absolute best and brightest software designers, architects and developers on the planet. Until now.

In this post-neo-infosec-challenged world that we live in, the uber-software Gods work for the bad guys.

You may not put it on your CV or LinkedIn profile, but if you want a fun, exciting, incredibly well-paying job writing the newest, coolest and most coveted code on the planet, move to Romania and hook up with a Russian cybergang.

And it gets worse. As these malicious international software factories become more successful, they get richer, they buy better people and the cycle repeats.

Over the past several weeks the FBI, Interpol and other international law enforcement agencies arrested twenty-four individuals suspected of various card fraud schemes and activities. Suspects were spread out across thirteen countries around the world. One of them was arrested less than 45 minutes from GreyCastle Security headquarters.

None of them were software developers.

The people most typically being arrested for online crime are the individuals using the tools, not the ones building them. No, these digital mercenaries are tucked safely away in their posh Baroque villas on the outskirts of some small town in Estonia, busy writing their next module and withdrawing laundered cash from untraceable bank accounts.

And the hits keep coming. And the fire burns brighter.

Flame may just be the spark that starts the inferno.

Indian Food, Spartacus and Credit Card Fraud

Friday night was date night.

After five weeks of client meetings, traveling and conferences without a single day off, I was looking forward to a relaxing evening with my girlfriend enjoying some Indian food and downtime. We had been looking forward to fully exercising a $25 Groupon on a table-full of exotic curries and then catching up on one of our favorite new series.

The meal did not disappoint. We left properly stuffed and excited for the rest of the evening’s activities – three episodes of Spartacus.

As we walked home we noted how beautiful the evening had become. We made it to the block where I live when my girlfriend noticed something interesting on the ground. We stopped to take a closer look.

It was the customer copy of a credit card receipt.

Upon closer inspection we discovered that this was no ordinary receipt. In addition to the full credit card number, it had the CVV, expiration date, zip code, phone number, full name and customer signature.

And amazingly the retailer managed to write down the customer’s CVV and expiration date but not the total. You can’t make this stuff up.

Here it is, blurred for confidentiality.

As you can see it contains everything necessary to commit identity theft and card fraud, with the possible exception of one piece of data – the customer’s billing address. So I did what any self-respecting security professional would do – I called and asked for it.

The conversation went something like this:

“Daniel [name changed to protect the guilty] I live in [city deleted] and I found a credit card slip with your name on it. I’m really scared that someone will use it to steal your identity, if you give me your address I’ll send it to you.”

Of course, Daniel assumed that because I already had his name and number and that I appeared to be a good Samaritan, that I was worthy of his home address. This is exactly how card fraud is taking place at restaurants, retail stores and hotels across the country.

This is not just Daniel’s problem. Merchants are instructed to not write additional information on receipts for this very reason. The merchant where Daniel used his card is a prominent and highly regarded institution in the Capitol Region. Just like the Desmond.

This week I plan to send Daniel his receipt, along with a note to be more careful. Not just with his credit card and receipts, but with the information that he gives out over the phone. I was a good Samaritan, but the next person may not be.

I may also give the merchant a call and offer free advice on avoiding public relations nightmares.

And then I’ll just sit back and wait for the good karma to roll in.

The Desmond Breach, and Why We Haven’t Learned Anything Yet

In May of 2011, the Desmond Hotel and Conference Center in Albany, NY was compromised by an as-yet-unnamed foreign entity. Very little has been made public about the incident, and it’s possible that we will never know the true extent of the damage.

What we do know is that the credit and debit card numbers of every hotel guest from May 2011 to March 2012 were potentially compromised. At least one patron had their bank account drained.

This story was noteworthy because it was local, because it affected countless individuals and because the Secret Service was involved.

Otherwise, it was just like the countless other breaches we’ve witnessed recently.

First, The Desmond had been compromised for nearly a year and didn’t know it. The Secret Service discovered evidence of the Desmond breach during routine investigations of foreign hackers and notified the hotel of their findings. We can only assume that the compromise would still be going on today if this stroke of luck hadn’t occurred.

Second, The Desmond didn’t have an Incident Response Plan. This is an assumption on my part, but one that I am confident in, given the post-event fallout. The incident, which could likely have been better contained, grew quickly and became a public relations nightmare that lasted for days.

Third, they didn’t think this could happen to them.

This is not a smear piece. The Desmond is my favorite hotel in the area, and one that we hope to make a client someday. Unfortunately, they became low-hanging fruit. They were simply the next target in a long line of victims, a queue that grows daily.

The Desmond made the news. 99% of breaches don’t. And it seems that until an organization experiences their own incident, there is little compelling them to protect themselves.

The industry, our peers, the media, the company where you work – all are providing us an education, but we are not learning from our mistakes. Psychology 101 teaches that human beings learn best when content is relevant, entertaining and interactive. It would seem that major public data breaches tick all of these boxes.

For now it seems the only thing that’s ticked is The Desmond’s customers.

Why Your Penetration Test Might Suck

Penetration testing has become a term synonymous with information security.

Often the stuff of legends, penetration testers spin tales of breaking bank vaults and cracking wireless networks, of perforating firewalls and “rooting” servers. One by one companies fall to white hat hackers armed with Metasploit and cases of Mountain Dew.

The problem with penetration testing is that in many cases, it’s not doing the client organization any good. It may seem odd that something as popular as pentests could be doing so little for companies that perform them, but there are many reasons why this is true.

Here are just a few:

  1. Compliance Takes Priority – Organizations in banking, healthcare and critical infrastructure, among other industries are required to perform annual penetration testing. But they aren’t required to care about the results and they aren’t required to be secure. Getting your penetration test checkbox doesn’t require much, and many organizations aim low and still miss the ten ring.
  2. Clients Limit Test Scope – Many organizations become their own worst enemy by limiting the assets that are tested. By excluding the CEO from social engineering or cloud applications from SQL injection testing, some of the greatest vulnerabilities are left unexposed and subsequently unmitigated.
  3. Testing is Inconsistent – Any IT provider with a vulnerability scanner (yes a vulnerability scanner) can offer “penetration testing” services. Service definitions vary across providers, organizations and regulations. This inconsistency makes shopping for a pentest similar to shopping for a mattress – you’re usually comparing apples to orangutans. In the worst case testing results can give organizations a false sense of security.
  4. Testing is Unrealistic – If your security provider tells you that they’re going to “pentest your firewall”, do yourself a favor and end your contract. The kids from Romania aren’t going to pentest your firewall, so neither should your security provider. Good penetration testing should simulate a real-world attack. Sensitive assets like intellectual property, sensitive information and bank accounts should be targeted, just as they are in real life.
  5. It’s Not for Everyone – Pentests are great if the results are meaningful and useful. If your security defenses aren’t mature, there’s no sense turning them into Swiss cheese just to prove that it’s possible. Instead, use that money for something productive like an assessment or an Incident Response Plan for when something bad happens for real.

If you’re looking for penetration testing standards, you may be surprised to know that there is little out there. NIST has provided some guidance around security testing, but there is only one small section on pentesting.

There is another emerging standard for penetration testing that is getting some attention. Called the Penetration Testing Execution Standard (PTES), it provides recommendations for exploitation, intelligence gathering and perhaps most importantly, reporting.

If you are about to embark on a penetration test, ask your security provider if they utilize these or other standards for testing. Also ask yourself what your goals are and if you’ve set yourself up to be successful.

Your pentest should be as realistic as possible without introducing unnecessary risk. It should target the things that are most important to you, and it should be performed without the knowledge of your organization so you can monitor how well they react to these situations. You should include all of your assets in the test unless there’s a compelling reason not to. Potential embarrassment is not a compelling reason.

The security provider that you select should be knowledgeable and experienced. They should utilize a standard for security testing. They should know the difference between a vulnerability scan and a pentest. They should understand that the goal of the test is risk reduction, not legends and campfire stories.

And if you’re lucky, you’ll figure out where the holes are before some kids in Romania do.