Category: Security

February 13th, 2008

404 and DNS re-directs are evil

Posted by Richard Stiennon @ 12:32 pm

Categories: Security, marketing

Tags: Google Inc., Advertisement, DNS, Fun, Richard Stiennon

In practically one of my first blog postings ever (Black and white and gray all over) I published a continuum of good and evil. I was attempting to investigate the shades of gray in moral behavior when it comes to online practices. Since 2005 there have been many innovations in unwanted advertising messages. The sheer size of the online population has made something as crazy as buying and holding domains profitable. There are so many people who treat the URL window like a search engine that evidently you can make good money hosting ads on random sites.

Now we discover that in the latest beta of the Google toolbar, if you go to a non-existent page, instead of getting the ubiquitous and annoying “404 page not found” Google steals a few seconds of your time to redirect you to a page with “helpful” links which of course generate revenue through ads. Well, I maintain that that is no different from the numerous spyware and so-called “ad supported” software of yore that redirected your searches and browsing to sites of their choosing.

This calls for an update to the Continuum of Evil depicted here.

[Image: evilcontinuum2.GIF, the updated Continuum of Evil]

You can see that I created a spectrum. On the top are obviously immoral behaviors. The 419 scam is obviously bad. I would say that spam that promises one thing and delivers another is worse than spam that represents legitimate offers. On the “good” end of the spectrum I start with magazine and newspaper ads. Sometimes I buy a magazine just for the ads! While television ads are annoying enough for me to not have television in my house most people will agree that you get what you pay for and if you want free programming you have to put up with the ads (or zap them with your DVR).

There is a thin line where I believe advertising crosses over from benign to evil. Hosting a site in the hopes that someone will mis-type a domain is just this side of OK. Redirecting someone’s search is on the other side. Google has once again fallen on the wrong side of “do no evil”.

The current kerfuffle over Comcast and their attempt to rate limit BitTorrent traffic is interesting. Wait until Comcast stumbles on new ad models. According to Esther Dyson, writing in the Wall Street Journal this past week, the next revolution in advertising is context-driven ad placement by ISPs! I can tell you the various DNS software companies are very excited by the possibilities of making re-directs of non-existent and mis-spelled domains possible. The fun is only beginning.
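Whether your own resolver (or your ISP's) is already doing the kind of NXDOMAIN redirection described above is easy to check: ask it for a few random names that nobody can have registered. An honest resolver returns NXDOMAIN for all of them; a redirecting one hands back an address, usually the same one, for every probe. The script below is an added example written for this post, not code from the original article or from any of the companies it mentions. The probe-name format, the choice of the `.com` zone and the `system_resolve` helper are assumptions of the example.

```python
import secrets
import socket
from typing import Callable, Dict, List, Optional

# Added example: detect resolver-side redirection of non-existent domains.
# A resolver that honours NXDOMAIN answers nothing for a random, unregistered
# name; one that "helpfully" redirects typos answers every probe, typically
# with one shared address that fronts an ad landing page.

Resolver = Callable[[str], Optional[str]]


def system_resolve(name: str) -> Optional[str]:
    """Resolve with the host's configured DNS; None means no address came back."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def random_probe_names(count: int, zone: str = "com") -> List[str]:
    """Build names such as 'probe-3f9a...c1.com' that nobody has registered.

    Using a real TLD is an assumption of this example: a redirecting resolver
    may still honour reserved zones such as .invalid, which would hide it.
    """
    if count < 1:
        raise ValueError("need at least one probe")
    return [f"probe-{secrets.token_hex(8)}.{zone}" for _ in range(count)]


def detect_nxdomain_hijack(resolve: Resolver, probes: int = 3) -> Dict[str, object]:
    """Resolve several random names and report whether they all answered."""
    names = random_probe_names(probes)
    answers = {name: resolve(name) for name in names}
    addresses = {addr for addr in answers.values() if addr}
    # Every random name resolving is the signature of NXDOMAIN redirection;
    # a single shared address across all probes is the usual landing page.
    hijacked = all(answers.values())
    return {
        "answers": answers,
        "hijacked": hijacked,
        "landing_page": addresses.pop() if len(addresses) == 1 else None,
    }


if __name__ == "__main__":
    result = detect_nxdomain_hijack(system_resolve)
    for name, addr in result["answers"].items():
        print(f"{name:45s} -> {addr or 'NXDOMAIN'}")
    if result["hijacked"]:
        print("NXDOMAIN redirection detected, landing page:", result["landing_page"])
    else:
        print("resolver honours NXDOMAIN")
```

The resolver is passed in as a callable so the same logic can be exercised against the real system resolver from the command line or against a canned one in a test. Three probes are enough to rule out a lucky collision with a registered name; raise the count if you want more confidence.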

February 1st, 2008

Third undersea cable severed in Mideast

Posted by Richard Stiennon @ 9:35 am

Categories: Security

Tags: Coincidence, Internet, Cable, Business Process Outsourcing (BPO), Network Technology, Security, Telecommunications, Personal Technology, It Operations, Networking

I am not going to parrot the inevitable sky-is-falling warnings that are sure to come from pundits everywhere regarding the just-heard news that a third undersea cable in the Mideast has been cut. “Coincidence or well-timed targeted attack?” will be the question of the day. Most likely it is coincidence. Anchors have an uncanny way of finding cables, just as backhoes are the bane of terrestrial fiber.

But, I would like to disagree with Eric Schoonover, a senior analyst with TeleGeography. According to this article:

Schoonover said a similar Internet problem could not happen in the United States.

“We have all the content here,” he said. “It’s not going to be felt other than we won’t get the BBC.”

Nice attempt at calming the waters but network issues have a way of cascading. What if US oil and gas companies that have operations in the Mideast put some back up services there? What if another coincidence shuts down a data center in the US and the backups cannot occur in time because of unreachable storage devices? What about all the “Business Process Outsourcing” handled in India? Try telling Dell, or Microsoft, both companies that rely on Indian support services, that “most of our content is here”.

The US has had its own problems. Backhoes have taken out big chunks of the Internet. Routing flaps, bad route announcements, attacks on Cisco vulnerabilities could all impair our beloved Internet.

It’s one ‘Net now. Anyone relying on the Internet for their business has to be concerned about its inherent vulnerability and prepare for it as best they may.

January 20th, 2008

Using social networks for DDoS. Reddit as hacker tool.

Posted by Richard Stiennon @ 12:56 pm

Categories: Random, Security, Security Industry News

Tags: Social Networking, Web, Reddit, Network, RIAA, SQL, Distributed Denial Of Service, Tool, Channel Management, Hacking

Reddit is the hacking playground for today. While Reddit is just barely a “social network” with minor interactions between its members it is a powerful site for spreading the latest cool thing and in recent months has been pretty much taken over by Ron Paul enthusiasts and Fox News conspiracy theorists. This morning one redditer posted a link to a so-called “slow SQL” request to the web site of the RIAA. The intent would be to get thousands of people to launch simultaneous SQL requests that would bog down the RIAA’s web server thus effectively creating a denial of service attack. Evidently the site was vulnerable to a simple SQL injection attack which some other hacker proceeded to use to just wipe the entire database behind the informational web site.

This has been going on most of the day but it appears that as of this writing the operators of the RIAA web site have got it up and running and are successfully defending themselves against this malicious attack. Kudos to them for getting on the job so quickly on a Sunday! I am sure they will consider doing some web vulnerability scanning in future or even investing in web application firewalls à la Imperva or AppSec.
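The "simple SQL injection" mentioned above is, in almost every case, the same coding mistake: a search or lookup parameter pasted into the SQL text, so that quote characters in the input become SQL syntax. The snippet below is an added example for this post, not the RIAA's code and not part of the original article. It builds a constructed in-memory table with sqlite3, runs one attacker-supplied search term through a concatenated query and through a parameterised one, and shows the visibility filter collapsing in the first case only. Table and column names, the sample rows and the `-- ` comment payload are assumptions of the example.

```python
import sqlite3
from typing import List

# Added example: the string-concatenation pattern behind a simple SQL
# injection, beside the parameterised query that closes it.

SAMPLE_ROWS = [  # constructed sample data, not from any real site
    ("Press release: Q4 results", "public"),
    ("Board minutes", "internal"),
    ("Litigation strategy memo", "internal"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory table holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    """Vulnerable: the term is spliced into the SQL, so quotes in it
    terminate the string literal and the rest is parsed as SQL."""
    sql = ("SELECT title FROM documents WHERE visibility = 'public' "
           f"AND title LIKE '%{term}%'")
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn: sqlite3.Connection, term: str) -> List[str]:
    """Hardened: the term is bound as a parameter, so the driver treats it
    as data whatever characters it contains."""
    sql = ("SELECT title FROM documents WHERE visibility = 'public' "
           "AND title LIKE ?")
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


# Tautology payload: closes the string literal, ORs in a condition that is
# always true, and comments out the rest of the original statement.
INJECTED_TERM = "x%' OR 1=1 --"


if __name__ == "__main__":
    conn = make_db()
    print("honest search, vulnerable   :", search_vulnerable(conn, "results"))
    print("honest search, parameterised:", search_parameterised(conn, "results"))
    print("injected, vulnerable        :", search_vulnerable(conn, INJECTED_TERM))
    print("injected, parameterised     :", search_parameterised(conn, INJECTED_TERM))
```

With the honest term both functions return the one public document. With the injected term the concatenated query becomes `... AND title LIKE '%x%' OR 1=1 --%'`, which returns every row including the internal ones, while the parameterised query looks for a title containing the literal payload and returns nothing. Whether a given database driver then lets an attacker chain a `DROP` or `DELETE` onto the same request varies, but the first step, turning input into syntax, is the same.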

This event is a great study in mob behavior. There is no love lost between any technologist and the RIAA who is viewed as a corporate King Canute commanding the tides to stop. So a call to action that involves a “minor” thing like clicking on a link that set off a malicious attack got at least 649 up mods (user’s votes). Did 659 people click through? No way to know and it is a moot point because some impatient hacker took it upon himself to execute a more targeted attack.

So, Reddit has progressed from being a force for naming whales to enforcing the web’s ethos via DDoS.

January 18th, 2008

CIA reveals that hackers were responsible for power outages

Posted by Richard Stiennon @ 2:36 pm

Categories: CyberCrime, Physical Security, Security

Tags: CIA, Hacker, Outage, Manufacturing, Hacking, Security, Richard Stiennon

At a SCADA conference in New Orleans this week we learn that there have been multiple instances of hackers attempting to extort municipalities with threats of power outages - and then carrying out the threats, in at least one instance taking out several cities (none in the US, so far).

Need I say more?

January 18th, 2008

Anniversary of TJX breach announcement

Posted by Richard Stiennon @ 12:00 pm

Categories: CyberCrime, Data Security, Security, Security blog

Tags: Credit Card, TJX, TJX Story, Public Relations, Sales Channel, Financial Services, Security, Marketing, Corporate Communications, Sales

Jaikumar Vijayan over at Computerworld has a great round up of “lessons learned” from the TJX break ins first announced a year ago today. To his five points listed below I would add a couple of observations.

Breach disclosures don’t always affect revenue or stock prices …

… but they can be costly

PCI remains a work in progress

The card payment process has issues

The bad guys remain hard to catch

All great points. I would just point out two more of my own:

Reading the news can be very helpful. If those responsible for TJX’s security and compliance had had their eyes open they would have clued in to the attacks against Lowe’s and DSW and perhaps been able to avoid the credit card losses altogether.

TJX is becoming the poster child for how not to handle the PR around a data breach. Their management should come clean on the exact techniques that were used (with simultaneous assurances that the technical problems have been addressed). Was it WiFi? Was it kiosks in the back of the store? Was TJX aware of the breaches well over a year ago? If not how did law enforcement officials file briefs in a Florida court citing these breaches months before TJX’s announcement?

The TJX story is far from over. I just hope the rest of the retail industry is reading the media. Especially security blogs. :-)

November 7th, 2007

Phishing attacks against salesforce.com the least of their worries

Posted by Richard Stiennon @ 10:25 am

Categories: CyberCrime, Data Security, Security, Security blog

Tags: Vulnerability, Phishing, Cyberthreats, Spam, Security, Viruses And Worms, Spam And Phishing, Richard Stiennon

David Berlind comments in his blog about recent successful phishing attacks against Salesforce.com employees and customers. He points out that as SFDC approaches one million users it is being honored with the attention of phishers. As I start to work on my 2008 predictions I have been thinking about the various “application platforms” and their vulnerability to hacks from a malicious application provider.

I think applications running on these new platforms will be as fraught with bugs as any applications and that hackers will use vulnerabilities to steal information. The risk with SFDC is that the 700+ applications available in the AppExchange quite often have access to a company’s most critical data store: its customer database which includes revenue, and pipeline information. Scary.

November 6th, 2007

35,000 Ron Paul supporters demonstrate trust

Posted by Richard Stiennon @ 8:25 am

Categories: Compliance, Data Security, Security

Tags: Campaign, Phishing, Sales Channel, Financial Services, Internet, Security, Spam And Phishing, Sales, Richard Stiennon

There is nothing as fly-by-night as a political campaign. By this time next year the RonPaul2008 campaign will be history. Yet yesterday, in a bizarre commemoration of the terrorist Guy Fawkes, Ron Paul’s campaign raised over $3.8 million in contributions through this online form.

I am sure most commentary this morning will be on the overwhelming support Ron Paul is garnering on the Internet. But I could not help being a little paranoid when I visited the donation site yesterday. The Ron Paul campaign has an admirable privacy policy and they even took the extraordinary measure of contracting with HackerSafe to scan their website daily for vulnerabilities. Even the Thawte certificate would normally make me feel “these guys know what they are doing”.

But how many of those 35,000 donors checked the URL carefully before providing their credit card information as well as the name of their employer? Was it a phishing site they were visiting? And what assurance do we have that the campaign does not store that information on someone’s laptop that will be stolen from their car when they are partying at the next Ron Paul campaign stop?

I personally have pretty high confidence in online storefronts such as Amazon, or even iTunes. Those are businesses that are here to stay and struggle daily to be compliant with the Payment Card Industry standards. But a political campaign site? I only hope they know what they are doing. A data breach could spell disaster.

October 19th, 2007

DHS has some house keeping to do

Posted by Richard Stiennon @ 3:30 pm

Categories: Security, State Sponsored Hacking

Tags: U.S. Department Of Homeland Security, Security, Richard Stiennon

The office of the Inspector General of the Department of Homeland Security has issued a 41 page report on how the department is progressing on security. Summary findings:

Systems are being accredited without key documents or missing key information.

Plans of Action and Milestones are not being created for all information security weaknesses.

Plans of Action and Milestones are not being monitored and resolved in a timely manner.

Baseline security configurations are not being implemented for all systems.

This report is part of an ongoing requirement of every branch of government to report on the progress they are making in complying with NIST and other security standards. While it helps to expose a lot of areas as slow to respond and lacking in basic reporting and response capabilities, I am afraid that it is glossing over some blatant holes in DHS security.

High level reports like this are not going to dig down to the level that I am more experienced with; ports, vulnerabilities, infections etc. But incidents like the recent dual theft of laptops from TSA (no secure cleanup, no encryption) lead one to believe that a look at actual audits would have a typical security practitioner weeping.

While the issue of accrediting networks as passing without maintaining the proper paperwork is one that government oversight bodies can sink their teeth into, I feel that getting deep into configs, rules, and defenses is needed to truly understand the sad state of affairs at DHS.

October 3rd, 2007

Children. Be very, very afraid.

Posted by Richard Stiennon @ 10:59 am

Categories: CyberCrime, Data Security, Security

Tags: Professor, Hacking, Security, Richard Stiennon

I am sitting in on a presentation by Sam McQuade, a professor at Rochester Institute of Technology. He has a fascinating line of research at RIT on K-12 and cyber crime and victimization. Anybody remember my story from my first days out of school? I wrote it up in detail over at CIOUpdate. In short, I experienced first hand industrial espionage and theft of a specialized tool I needed to fabricate the Buick car seat I was working on. That led me to wonder about the current generations of graduates who I assumed were well versed in hacking techniques. My concern is that as we hire these kids they could increase the likelihood that our organizations could be caught up in hacking attempts.

Professor McQuade in his field work encountered: anonymous email bomb threats, downloading of pornography to cell phones in the hallway, pirated movie downloads, credit card theft, etc. He surveyed 13,773 students in his computer crime and victimization survey.

No surprises here. In the 7th-8th graders surveyed for instance: 21% have lied online about their age, 10% pretended to be someone else, 7% have circumvented security measures, 5% have used IT devices to cheat on school work.

One interesting result is that he found juvenile high-tech crime offenders tend to specialize. They are either good data miners, hackers, crackers, etc.

Professor McQuade’s overall message is that our school kids are involved in vibrant, sometimes dangerous online communities. In other words cyber space mirrors the playground. My message is that the behavior picked up in the digital school yard is going to carry over to the workplace. We will be expending much greater IT resources in the future to enforce acceptable behavior in our workforce.

August 31st, 2007

How to raise executive awareness?

Posted by Richard Stiennon @ 6:24 am

Categories: Compliance, Data Security, Security

Tags: Security, Eric, Richard Stiennon

In one form or another I have heard this question posed hundreds of times. It is always an expression of frustration on the part of some IT security practitioner. This time the question was posed to an IDC analyst at an event I attended this week in Zurich. The analyst, Eric Domage, gave one of the better responses.

The question (expanded): “You are preaching to the choir. IT security people know just how bad the situation is getting. But, how do we raise awareness at the C-level, or board level, so that we get the resources we need to counter these threats?”

My response usually takes the form of some sort of risk management, scenario planning, asset identification process. Eric’s was more succinct: “Just wait for an incident. After you are hacked and there is significant loss of information and even public exposure of your loss you will get plenty of resources.”

Cold, Eric. Very cold. Although we have seen this over and over. CSX, Lowes, presumably TJX all invested more in security *after* incidents. The latest is Monster.com who lost a couple of million resumes to phisher/spammers this week.

From this news snippet.

Monster, the major online job-search site, says it’s beefing up its security measures after suffering a significant data breach earlier this month.

Eric is right. Too bad this is not great advice for those responsible for security because along with the new investment the incumbent security staff will probably be thrown under the bus.

-From Gate E08, Amsterdam.

Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.
