General: September 2006 Archives

This is a real article in ZDNet Australia. The Australian Army expects suicide hacker attacks.

Now, I'm just rolling on the floor laughing as I read this article. To me, the key part of a suicide attack is when the attacker kills himself as part of the attack. To Colonel Paul Straughair, a suicide attack would be someone willing to go to prison for 30 years for their cause.

It's a slippery slope when you take real warfare terms and apply them to computers. The label cyberterrorism has been applied to the garden-variety Internet worm. As Rob Rosenberger has pointed out, there is nowhere to go when the next event is worse. Are you going to call a major event cyber-genocide? For years people like Richard Clarke have predicted a "digital Pearl Harbor". To me these labels are irresponsible. Comparisons with genocide or Pearl Harbor are inappropriate until thousands of people are killed in a hack attack.

A suicide hack attack would include the death of the attacker, not their loss of freedom, not the deletion of their user account.

Netcraft is reporting that websites hosted at HostGator have been hacked en masse through a new cPanel exploit. An iframe was inserted, causing visitors to their pages to be hit with the VML zero day.

cPanel is widely used in Apache-based web hosting, so this could be huge.

Steve Riley mentioned this over at his blog. While defeating a fingerprint lock like this isn't new, it's neat to see on video. I'm not sure of the air date for this.

Steve makes some good points about identification versus authentication in his blog entry.

On Friday, I ran into an issue with my Bluecoat evaluation. Bluecoat is an HTTP security and caching company.

One of our developers couldn't connect to a WebEx session with an external company. So my time, the developer's time and the external company's support time was wasted. I would have solved the problem quickly, but I thought I had used WebEx through Bluecoat successfully. I found that if I disabled antivirus scanning for traffic to the WebEx website, I was able to connect to WebEx meetings.

It seems to me that if Bluecoat is as widely used as they claim, this would be a well-known problem. It's not listed in their KB, and my pre-sales support guy only came back with what I said to him: "if I disable antivirus it works." Shouldn't they provide a list of known issues so I can preconfigure my proxy appropriately and not have to stumble into these problems? Better yet, find out why the problem occurs so I don't have to bypass AV when going to webex.com.

I ordered pizza using Domino's online tonight. Strangely, they are using a self-signed certificate for the SSL portion of the site.

I also got a kick out of the terms of service. It basically says it's your responsibility to protect your username and password. So if anyone orders pizza under your ID, it's your responsibility. I suspect all the pizza places have those policies. But still, it did give me pause.

An interesting blog entry at ZDNet Australia by Munir Kotadia.

The entry theorizes a new style of attack. Rather than going to the trouble of setting up a phishing site and sending out a million emails, only to have spam filters stop most of them, savvy users ignore what gets through, and your phishing site get shut down, attack the trusted e-commerce site directly.

The cybercriminal underworld is well funded and employs skilled software engineers to develop and test malicious code.

In a recent interview with Trend Micro's CTO David Rand, he said: "In one case there was at least US$250,000 funding for one piece of malware. That is a lot. It means they can do QA, proper engineering development, testing and a complete product cycle… We think they are cutting edge technologies".

"Our job, as always, is to anticipate what they are going to do next and create effective countermeasures. If we try to simply play catch up we will never win," he added.

Are your security defenses up to the challenge?

Microsoft put out a security alert today, regarding Adobe Flash. I posted on the new Flash release at the beginning of July shortly after Microsoft updated Flash in the June updates.

This may be a precursor to Microsoft releasing their own package of the Flash 9 update. I would recommend users update to Flash 9 now rather than waiting.

An eWeek article reviewing the 1988 Morris worm attack concludes that the same problems remain today:

1. Buffer overflows
2. Poor configuration
3. Bad/default passwords

I received in the mail this week Edition 1, Volume 1 of the SANS Cyber Security Technology Update. It looks like they are using the same top 10 (20) format used by their successful FBI/SANS Top 10 vulnerability announcement. This time they are focusing on important technological trends in the coming year. Response strategies will be made at the upcoming SANS conference in Las Vegas.

Top Ten Important Security Trends for the Coming Year
1. Laptop Encryption will be made mandatory at many government agencies and other organizations.
2. Theft of PDA smart phones will grow significantly.
3. More legislation governing the protection of consumer information.
4. Targeted attacks will be more prevalent particularly against government agencies, military contractors, and businesses with consumer data.
5. Cell phone worms will infest at least 100k phones.
6. VOIP systems will be the target of cyber attacks.
7. Spyware will continue to be a big problem.
8. Zero day vulnerabilities will result in major outbreaks, resulting in many thousands of PCs being infected.
9. Bots will be bundled with rootkits making removal nearly impossible requiring a reinstall.
10. NAC will become more common.

Top New Attack Tools and Techniques
Metasploit 3.0
Blue Pill
Yersinia
Javascript Malware
Cross-Site Request Forgery
Wireless Device Driver Attacks
Importing Malicious Root Certificates.

According to FCW, the Air Force Air Combat Command is going to implement the Anixis Password Policy Enforcer. I'm a big fan of Anixis Password Policy Enforcer and recommend its use in AD environments for more granular password security requirements.

With native password enforcement in Microsoft, you basically have one option: on or off. You can't make the requirements granular; they must apply to all. With third-party software such as Anixis, you can apply password policy to an OU, security group or individual account. The password complexity options are greater as well. If you use client software, you can provide an accurate error message telling the user why their password was rejected. Natively, Windows can only recite the full policy, which does not help the user select a better password.
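As an added illustration of two points on this page, the "bad/default passwords" item in the Morris worm list above and the per-OU policy with a specific rejection message described here, the following Python evaluator returns exactly why a candidate password fails rather than reciting the whole policy. It is example code, not Anixis's product or its policy format; the policy table, the group names and the default-password blacklist are constructed assumptions.

```python
import re

# Constructed policy table keyed by OU or group (assumption; Anixis uses its own format).
POLICIES = {
    "default":   {"min_length": 8,  "classes": 3, "max_repeat": 3, "forbid_username": True},
    "ou=admins": {"min_length": 14, "classes": 4, "max_repeat": 2, "forbid_username": True},
}

# Constructed sample of a default/common password blacklist; a real deployment uses a large word list.
BLACKLIST = {"password", "changeme", "letmein", "welcome1", "admin", "123456"}

CLASS_PATTERNS = {
    "uppercase letter": r"[A-Z]",
    "lowercase letter": r"[a-z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def evaluate_password(password, username, group="default"):
    """Return a list of specific rejection reasons; an empty list means the password is accepted."""
    policy = POLICIES.get(group, POLICIES["default"])
    reasons = []

    if len(password) < policy["min_length"]:
        reasons.append(
            f"must be at least {policy['min_length']} characters (got {len(password)})")

    present = [name for name, pat in CLASS_PATTERNS.items() if re.search(pat, password)]
    if len(present) < policy["classes"]:
        missing = [n for n in CLASS_PATTERNS if n not in present]
        reasons.append(
            f"needs {policy['classes']} character classes, has {len(present)}; "
            f"add one of: {', '.join(missing)}")

    # A character repeated more than max_repeat times in a row ("aaaa" with max_repeat 3).
    run = re.search(r"(.)\1{%d,}" % policy["max_repeat"], password)
    if run:
        reasons.append(
            f"character '{run.group(1)}' repeated more than {policy['max_repeat']} times in a row")

    if policy["forbid_username"] and username and username.lower() in password.lower():
        reasons.append("must not contain the user name")

    # Catch blacklisted words even with the usual trailing digits/symbols tacked on.
    lowered = password.lower()
    stripped = re.sub(r"[0-9!@#$]+$", "", lowered)
    if lowered in BLACKLIST or stripped in BLACKLIST:
        reasons.append("is a common or default password")

    return reasons


if __name__ == "__main__":
    for pw, user, group in [("Welcome1", "bob", "default"),
                            ("bobbbb12", "bob", "default"),
                            ("Tr0ub4dor&3xyz", "alice", "ou=admins")]:
        verdict = evaluate_password(pw, user, group) or ["accepted"]
        print(f"{group:10} {user:6} -> " + "; ".join(verdict))
```

The message list is what a client-side filter would show the user; the same function, wired into a password filter on the domain controller, gives the administrator the granular, per-group enforcement the native policy lacks.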

Chase Circuit City has joined the lost Personally Identifying Information club.

"Chase Card Services is notifying some current and former Circuit City credit card account holders that computer tapes containing their personal information were mistakenly identified as trash and thrown out. If your personal information was included on the tapes, you will be notified by mail.

No other credit card and bank accounts were affected by this.

Working closely with federal and local law enforcement, we conducted a thorough investigation and we believe that the tapes were compacted, destroyed and are buried in a landfill.
We have not identified any misuse of personal information connected to this incident. We will continue to closely monitor affected accounts."

Security Pro Pleads Guilty to USC Breach

So this guy finds a SQL injection attack, verifies it, reports it and gets charged with computer hacking. Not the first time this has happened. But kind of a stark reminder.

I think people who find and publicize vulnerabilities in software products do much more damage.

This so-called researcher (the USC hacker, not Moore), embarrassed the university so they took him down. In the article it says he is responsible for paying back $38k worth of damage.

Wow!

Thomas Shinder attempted to rebut a Bluecoat webcast in this blog entry from February. In their webcast, Bluecoat apparently presented the results of a report from Broadband-Testing comparing ISA and Bluecoat in the area of HTTP security. Mr. Shinder clearly has a dog in the fight, since he apparently makes his living writing ISA books, as an MVP in ISA, and moderating on isaserver.org. Looking at his other posts, he really has it in for Bluecoat. I'm not sure why.

I have used ISA 2000 and 2004 and am currently testing a Bluecoat appliance. I have read the Broadband-Testing document and I've probably seen the webinar he references.

Let's take it by the numbers. According to Shinder, Bluecoat asserts:
1. Bluecoat is more secure because it's built on the SGOS rather than a Windows OS that needs constant patching.

I would say the SGOS is security through obscurity. However, it's not going to be used as a firewall, so it shouldn't be held to the same standard as ISA. The bottom line, however, is that with ISA you could be patching the OS monthly. Not so with Bluecoat.

2. ISA can't content inspect SSL traffic
Here, Shinder knows what they are talking about but misdirects the issue into that of content inspection of traffic that is reverse proxied (external to internal). The real issue is that if I'm behind an ISA firewall, my SSL traffic goes straight out. Bluecoat can play man-in-the-middle and intercept SSL traffic to perform content inspection and antivirus scanning. This becomes important as more and more traffic is sent over SSL.

From another one of Shinder's articles it does appear that there is an add-on product for ISA that would compete with Bluecoat in this area.

3. ISA is unable to manage P2P and IM
Shinder answers as if the issue is blocking P2P. The idea is to manage it. Does Bluecoat do as good a job as Akonix, Symantec, et al.? No, they don't, but they certainly do more than ISA.

4. ISA has limited access control
I'm not really qualified to compare the depth and breadth of access control options. I think ISA's control options are geared to the firewall not to http controls.

5. Performance
Shinder attacks the external study, claiming the ISA server must have been misconfigured to attain such results.

The bottom line for me is that ISA works great at protecting OWA servers and allowing remote employees to access email. However, it's not a great HTTP security system without a bunch of add-ons. Those add-ons ultimately create a kludge rather than a solution.

Check out the comments from Shinder's post. It's hard to tell who is actually the 18-year-old kid: the commenter named anti-Shinder or Shinder himself.

The people who believe in full disclosure of Microsoft bugs continue to attack en masse Johnny Cache, presenter of the Mac and Intel wireless bug.

Johnny Cache posted a response to the Daily Dave list here.