Archive for: November, 2007

November 27th, 2007

Hacking for profit. SEO techniques.

Posted by Richard Stiennon @ 1:18 am

Categories: Blog spam, CyberCrime

Tags: Technique, Search Engine Optimization, Google Inc., Site, Hacking, Blogging, Security, Internet, Richard Stiennon

I am traveling for the next two weeks. Today I write from the banks of the Thames in Marlow, England, a town that inspires writing if Jerome K. Jerome and Mary Shelley are any indication.

Hackers have attacked Al Gore’s website, but in an unusual way. Instead of the traditional defacement they have inserted links in the page’s source that lead to various sites selling pharmaceuticals. This is a clever way of increasing page ranking, which is a gross measure of how important a page is and affects where it comes up in a Google search. The site has been fixed now. If anyone knows of a mirror of the hacked site I would appreciate a link!

I am surprised that this works because Google has an eerie way of detecting blatant attempts to fiddle with their page ranking. For instance, the ThreatChaos blog has a page ranking of 7/10. Yet when you do a search on “security blog” it does not even appear in any of the search results. I attribute this to some amateurish attempts I made to increase its presence that must have set off some warning alarms at Google and got me de-listed.

Maybe if Ron Paul’s site had a few links back here? Nah.

I predict this type of hacking will be short lived. Once Google is clued in they will be able to de-list sites that have this type of incoming link and the hackers will be really sorry they attempted it.
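As an added example (not from the original post), here is a defender-side check for the kind of injected link described above: it lists the external link targets found in a page's HTML, compares them against a baseline of known-good domains, and notes whether each link sat inside a hidden container. The sample HTML, hostnames and baseline are constructed for illustration.

```python
"""Audit a page's outbound links against a known-good baseline.

Added example; the HTML, hostnames and baseline below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect every <a href> and whether it appears inside a hidden element."""

    def __init__(self):
        super().__init__()
        self.links = []          # (href, hidden) pairs in document order
        self._stack = []         # (tag, opened_hidden_region) for open elements
        self._hidden_depth = 0   # > 0 while inside display:none / visibility:hidden

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        self._stack.append((tag, hidden))
        if hidden:
            self._hidden_depth += 1
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], self._hidden_depth > 0))

    def handle_endtag(self, tag):
        # Pop until the matching start tag; undo any hidden regions closed on the way.
        while self._stack:
            t, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if t == tag:
                break


def audit_links(html, own_host, baseline_hosts):
    """Return external link targets whose host is not in the baseline.

    Each finding records the host, the full href, and whether the anchor was
    inside a hidden container (a common trait of injected link farms).
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, hidden in parser.links:
        host = urlparse(href).hostname
        if not host or host == own_host:
            continue  # relative or same-site link: not an outbound endorsement
        if host not in baseline_hosts:
            findings.append({"host": host, "href": href, "hidden": hidden})
    return findings


# Constructed page: one legitimate partner link plus two links in a hidden div.
SAMPLE_HTML = """<html><body>
<p>Read our <a href="/about">about page</a> or visit
<a href="https://partner.example.org/">a partner</a>.</p>
<div style="display: none">
  <a href="http://cheap-pills.example.net/buy">buy</a>
  <a href="http://pharma-deals.example.net/">deals</a>
</div>
</body></html>"""
BASELINE_HOSTS = {"partner.example.org"}   # constructed known-good outbound hosts


def demo():
    return audit_links(SAMPLE_HTML, "www.example.com", BASELINE_HOSTS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it periodically against a saved copy of each page and alert on any new host, hidden or not; the baseline is whatever the site owner actually intends to link to.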

November 20th, 2007

Regional security conferences

Posted by Richard Stiennon @ 1:32 pm

Categories: Cool Companies, Security Industry News, Trade Shows

Tags: Network, Conference, Beauty, Security, Richard Stiennon

I spend an inordinate amount of time on the road speaking at regional security conferences. Today I am at The West Coast Security Forum conference in Vancouver. These events are great because they are networking events for the local IT security folks. While I enjoy the speaking part the most I also love checking out the vendors that have put up the cash to exhibit at the conference. There is an ebb and flow in every vendor’s conference strategy. One year they will be at every event, the next year nothing. But the really educational part of seeing all these events is meeting the founders of new security startups.

This week I met Gary MacIsaac, President/CTO of a just-born company called Cetacea. Great name if you are into marine wildlife. Their twist on IDS is that they use existing MIB traffic to monitor a network. They have a few simple algorithms figured out for what is “normal” and can alert you when something fishy is going on. They are still at that stage where they have not developed the pretty GUI that shows your network pulsing with attacks, but I imagine that large data centers are going to be interested in this technique for monitoring huge amounts of data flow with no new overhead. What is really cool about their product is that it is delivered on Gumstix devices, which are the tiniest Linux computers ever.

There are dozens of new security companies that I encounter as I travel to these regional conferences (already booked for South Africa and Australia next year, heading to Hertfordshire next week). The beauty is that these are not your dotcom boom-bust types of developments. They will not end up on any list of 20 Worst VC Investments. These companies may just grow to small regional players, most likely they will be acquired, but either way innovation and progress are alive and well in IT Security.

November 19th, 2007

Three trend analysis techniques

Posted by Richard Stiennon @ 1:01 pm

Categories: Uncategorized

Tags: Technique, Gartner Inc., Analysis, Richard Stiennon

There are three types of trend analysis that I have used in the past to predict the future: geographic, temporal, and intuitive. I describe these three in the introduction to my Seven Trends in Networking and Security pitch. (Coming to your neighborhood soon!) They caught the ear of a journalist in Canada recently so we did a short podcast on that topic instead of the usual sky-is-falling stuff. He wrote the seven trends up as well.

Herewith the three types of trend analysis:

1. Geographic trend analysis is the easiest and most reliable. Simply visit a country, region, or city where something is taking off and predict that that trend will spread, if not to the entire world, at least to some other area. Back in the 80’s many an automotive pundit visited Tokyo and came back to Detroit preaching the gospel of small, fuel efficient vehicles. I launched an ISP, RustNet, in Michigan based on seeing the fast adoption of the Internet in California. And you may have read how my trip to Istanbul in 2004 exposed me for the first time to hackers that reacted to defensive measures taken by banks trying to protect user accounts from their keystroke loggers. Those are all examples of geographic trend analysis and prediction.
2. Temporal trend analysis can be misleading if it is applied to random activity or leaves out critical factors. Stepping up to a roulette table and plunking $200 on red because it has come up seven times in a row, for instance. Everyone knows the chance of red coming up again is less in that case.* Temporal analysis can be used to predict the outcome of US involvement in wars of occupation (long costly affairs with indeterminate results). You can easily predict the effect of “change” in Washington: more taxes, more spending, more regulation. Or the effect of new tariffs and import restrictions: higher prices, less trade, and a tumbling stock market. Thus, the past is prologue.
3. Intuitive trend analysis relies most heavily on the ability of the futurist to absorb all there is to know about a topic and then predict what the logical outcome will be. This type of trending obviously is fraught with the most difficulty. Many times there are external factors that really influence the outcome. Gartner is famous for predicting that OS2 would be the desktop of choice for the enterprise. The analysts involved in that prediction were too close to the technology. They lost sight of the market dynamics: super cheap software on even cheaper hardware. OS2 was indeed the better operating system for the office environment.

I am putting together my predictions for threats in 2008 using these techniques. But first I have to take an honest look at how I did for 2007. But, that should wait until December. There is still time for some of these to come true!

*I don’t really believe that red has less of a chance of coming up just because the ball has landed on it seven times in a row already. The chances of red hitting are 18/38. Period. (Assuming two greens).

November 17th, 2007

Brand jealousy, Scoble has it bad

Posted by Richard Stiennon @ 3:20 pm

Categories: Windows

Tags: Brand, Apple Inc., Apple Mac OS X, Scoble, Branding, Marketing, Richard Stiennon

The Scobleizer vents his frustration with the Apple Brand Juggernaut in his post today. He seems upset that Mac users are so vehement in defense of Apple products. Well, after years of seeing the Wintel duopoly dominate PC development it’s about time a contender is creeping up on it with better products, and yes some brand buzz.

Brand is not completely BS, you know. It takes more than marketing dollars to build buzz or cool. It takes good products, good product strategy, and satisfied customers.

Scoble makes a few points, somewhat facetiously. I feel compelled to defend one of my favorite brands (no, I don’t own Apple stock).

1. If your machine behaves badly it’s your fault. Sorry, I don’t buy this. Sure I have had trouble with a bad sector on a disk. I had to download a special tool kit to fix it and finally I called Apple and paid $50 for someone to help me. And, hey, it works! The coolest thing about Apple is the help desk at the Apple Store. Just bring your machine in (which is usually pretty easy because it is so compact. I buckled my iMac into the front seat. Passenger airbag off of course.) There are really smart people wandering around the Apple Store. They know the products and want to help; something you don’t get at CompUSA, or any other store selling PCs. I love an excuse to go to the Apple Store; it is a brand-building experience.

2. Any idiot can use an Apple machine (that’s what they tell you before you buy one) but if your machine crashes then you must be a “genius” to fix it (they have bars at stores now where you can “borrow” a genius, but only after waiting in line — my son twice has been turned away from genius bars because they were too busy and was told to “come back tomorrow at 10 a.m.”). Obviously this is a rant. Scoble is a PC expert. He probably knows parts of the Windows registry by heart. Not me. I find Windows totally confusing. Mac OS X is a breeze compared to Windows.

3. If you dare complain about the brand promise you’ll get pounced on by hordes of anonymous astroturfing Apple FanBois. And why not? These people love their Macs and hate your Windows. That’s what a brand is all about. Let’s hear it for the “FanBois”.

4. If you don’t get the brand promise of Apple don’t attempt to point out that the ads are ridiculous. Instead, just leave the cult and go back to using that “inferior” machine you used to use. Can I help you “get it”? Good design, robust multi-tasking OS, innovative graphical interface, world class packaging, great support, knowledgeable sales people, believable billionaire leader/founder, and did I mention great packaging?

5. Check out my new Mac, with its cool brushed metal surface and the light-up Apple logo. Niiiice! FTW!

6. If you use an Apple machine you will be as cool as Kevin Rose. Yes, and all the cool security researchers I interact with. And those cool kids I see at Starbucks that flip open their Powerbooks and start working while I calmly drink half my latte waiting for my Lenovo T60 to come out of hibernate mode.

Scoble continues his rant but it is easy to just sum it up as brand jealousy. I suggest he get used to it. It is often said that Apple lost the micro computing battle by refusing to adapt to standards. It is one of the greatest textbook cases of how standardization can lead to industry dominance. It is why Microsoft, Cisco, IBM, Sony are always engaged in standards battles. Well, Jobs took a different route. He went down the brand path, the same path Nike, or BMW, or Kate Spade took. And it is working.

Update Sunday morning. Just to drive home the point about Apple’s brand, check out the rankings of various brands at BrandChannel. Number 2 worldwide after Google.

Update Tuesday, November 20. Check out this explanation for the “Cult of the Mac”.

November 16th, 2007

Chinese threat is a threat

Posted by Richard Stiennon @ 12:25 pm

Categories: State Sponsored Hacking

Tags: China, Threat, Cyberattack, Hacking, Viruses And Worms, Security, Richard Stiennon

I have to quote Lewis Page of the Register on this: A US government panel specially created to warn of danger from China has warned of danger from China. The panel, the US-China Economic and Security Review Commission (USCC), just published a 56-page document that they reported to Congress last June. Most of the information for it was collected last February through May when members toured China to gather information and interviewed members of the US Defense Department. Significant timing, in that this report was completed before the Pentagon, Whitehall, and German Chancellery attacks were publicized.

If you care to read the whole report you can download the PDF here. The report attempts to link many disparate instances of Chinese activities to paint a picture of a concerted attempt to undermine the US. Parts of it are rather sensationalist. As in this quote:

Speaking of the magnitude of the damage cyber attacks could cause, General Cartwright said, “I think that we should start to consider that regret factors associated with a cyber attack could, in fact, be in the magnitude of a weapon of mass destruction.” Here, by “regret factors,” General Cartwright was referring to the psychological effects that would be generated by the sense of disruption and chaos caused by a cyber attack.

In all fairness the report did follow up this silly comparison with:

November 13th, 2007

Better bank security scares off users? Oh well.

Posted by Richard Stiennon @ 1:47 pm

Categories: Bank security, Compliance, CyberCrime

Tags: Bank, Specter, Phishing, Financial Services, Cyberthreats, Security, Spam And Phishing, Richard Stiennon

That was my first reaction to reading this just-posted article on BBC.com. The specter is raised that tokens, one-time passwords, and security questions are going to increase the friction involved in online banking and lead to customer dissatisfaction. My reaction? Oh well.

It is better for banks to work on fixing their customer experience than to address fraud issues caused by their lack of action. Read further down in the article, which is admittedly disjointed (probably an editor trying to raise the appeal of the piece; they do that, you know), and you learn something interesting:

In late 2005 the US Federal Financial Institutions Examination Council (FFIEC) issued guidelines which forced banks to do more to protect online accounts.

Phishing statistics show a rapid move by the fraudsters to European banks and, said Mr Moloney, to smaller European banks using less protection.

Lists of phishing targets gathered by security companies show a huge shift away from big bank brands such as Citibank and Bank of America to Sparkasse, VolksBank and many others.

In other words, improved security is having an impact on phishing attacks! According to one source in the article, online bank fraud decreased 67% while phishing attacks increased 40%. That is a tremendous justification of increased investment in security for banks. Keep it up!

November 12th, 2007

Insiders, you gotta watch 'em

Posted by Richard Stiennon @ 3:19 pm

Categories: CyberCrime

Tags: Insider, Accounting Fraud, Financial Services, Sales Channel, Operational Accounting, Strategy, Security, Sales, Finance, Management

It is a pretty common theme of my Cyber Crime Scenario presentation that insiders are a risk. The more so because markets for data, especially credit card info, are making it possible for just about any knowledge worker with access to data to rob you.

But the real damage comes from the clever insider that figures out your business operations and a way to hack them. Accounting fraud has been around since the invention of commerce and many controls have been put in place to lower the risk associated with white collar crime. Using IT resources is just an extension of what has gone before.

The latest case: an insider at an online poker site figures out how to beat the house using his access to the internal systems. Cost to the company? $1.6 million.

The company’s response seems appropriate. They figured out every player that had lost money while playing against the insider’s hands and reimbursed them. I am interested in what the cost to Absolute Poker was in lost revenue due to loss of trust in the honesty of their systems. (Just a reminder to US citizens that online gaming is illegal for them).

When I was a white hat hacker for PricewaterhouseCoopers there was one realization that came quickly. Given three or four days insider access to any organization we could figure out how to steal from them. Controls must extend beyond the financial systems and be deployed systemically throughout IT.

November 8th, 2007

Hushmail betrays trust of users

Posted by Richard Stiennon @ 9:33 am

Categories: Compliance, Data Security, State Sponsored Hacking

Tags: Hushmail, E-mail, Online Communications, Richard Stiennon

One likes to think that a secure web-based email provider would be able to secure your email. It is becoming more and more evident that there truly is a threat against your private communications. Governments are really eavesdropping on you. That threat translates into demand for secure communication products, one of which is web-based email. But, apparently any prosecutor that is on a fishing expedition for evidence can subpoena HushMail, which will intercept a user’s pass phrase and deliver complete records of decrypted email communications to help in an investigation. Great recounting of the events by Ryan Singel over at Wired.

My advice to anyone designing a secure communication service: make it impossible to comply with government requests. You don’t have to risk going to jail. Sure, give up the encrypted data if required. But don’t hand over the keys. Do that by not storing the keys.

My advice to anyone who truly wants to maintain their privacy: don’t trust service providers. Control your keys. Encrypt on your desktop. If you still need to use web-based email services, go with providers that have cumbersome legal systems for your country to deal with. One of HushMail’s advantages is that they are in Canada. That slows down the rate of spurious fishing expeditions on the part of US prosecutors.

November 7th, 2007

Phishing attacks against salesforce.com the least of their worries

Posted by Richard Stiennon @ 10:25 am

Categories: CyberCrime, Data Security, Security, Security blog

Tags: Vulnerability, Phishing, Cyberthreats, Spam, Security, Viruses And Worms, Spam And Phishing, Richard Stiennon

David Berlind comments in his blog about recent successful phishing attacks against Salesforce.com employees and customers. He points out that as SFDC approaches one million users it is being honored with the attention of phishers. As I start to work on my 2008 predictions I have been thinking about the various “application platforms” and their vulnerability to hacks from a malicious application provider.

I think applications running on these new platforms will be as fraught with bugs as any applications and that hackers will use vulnerabilities to steal information. The risk with SFDC is that the 700+ applications available in the AppExchange quite often have access to a company’s most critical data store: its customer database, which includes revenue and pipeline information. Scary.

November 6th, 2007

35,000 Ron Paul supporters demonstrate trust

Posted by Richard Stiennon @ 8:25 am

Categories: Compliance, Data Security, Security

Tags: Campaign, Phishing, Sales Channel, Financial Services, Internet, Security, Spam And Phishing, Sales, Richard Stiennon

There is nothing as fly-by-night as a political campaign. By this time next year the RonPaul2008 campaign will be history. Yet yesterday, in a bizarre commemoration of the terrorist Guy Fawkes, Ron Paul’s campaign raised over $3.8 million in contributions through this online form.

I am sure most commentary this morning will be on the overwhelming support Ron Paul is garnering on the Internet. But I could not help being a little paranoid when I visited the donation site yesterday. The Ron Paul campaign has an admirable privacy policy and they even took the extraordinary measure of contracting with HackerSafe to scan their website daily for vulnerabilities. Even the Thawte certificate would normally make me feel “these guys know what they are doing”.

But how many of those 35,000 donors checked the URL carefully before providing their credit card information as well as the name of their employer? Was it a phishing site they were visiting? And what assurance do we have that the campaign does not store that information on someone’s laptop that will be stolen from their car when they are partying at the next Ron Paul campaign stop?

I personally have pretty high confidence in online storefronts such as Amazon, or even iTunes. Those are businesses that are here to stay and struggle daily to be compliant with the Payment Card Industry standards. But a political campaign site? I only hope they know what they are doing. A data breach could spell disaster.

Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.
