
Causes and Costs of Cyber Crime

August 2nd, 2010 | Posted by Sid Herron in Security - (0 Comments)

I read a couple of items today about security and cyber crime that I found rather interesting. One was an article that came out a week ago on infoworld.com about the “First Annual Cost of Cyber Crime Study,” conducted by Ponemon Institute. The study involved 45 midsize and large organizations, ranging in size from 500 to more than 105,000 employees. They represented a mixture of industries and government agencies. The study revealed that cyber crime cost these organizations an average of $3.8 million per year…each. The reported costs ranged from a low of $1 million to a high of $52 million per year.

The reported costs represent the direct cost of coping with attacks, including, for example, the amortized annual cost of a Web application firewall purchased to respond to an attack on a Web application. They also included the time spent responding to attacks, the cost of disruption of business operations, lost revenue, and the destruction of assets. They found that it took an average of 14 days to respond to a successful cyber attack, at an average cost of over $17,000 per day.

Admittedly, a sample size of 45 companies is relatively small. But still – $3.8 million per year, average? Holy smoke!

The other piece of light reading will help to flesh out the picture and add some perspective. It’s the 2010 Data Breach Investigations Report conducted by the Verizon RISK team, in cooperation with the U.S. Secret Service. It combines data from Verizon’s 2009 case load with additional data contributed by the USSS to form a data set that spans six years and over 900 security breaches, representing over 900 million compromised records. About two-thirds of the breaches covered in the report have either not yet been disclosed, or never will be.

While the cases worked by the USSS more frequently involved insiders, in Verizon’s own cases, almost all data stolen in 2009 – 98% – was the work of criminals outside the victim organization. 85% of that data was stolen by “organized criminal groups.” For a definition of “organized criminal groups,” see Appendix A of the report…it’s pretty interesting reading in and of itself.

Not surprisingly, financial services organizations were most frequently targeted (33% of cases), for the same reason Willie Sutton robbed banks: that’s where the money is. But you may be surprised to learn that the hospitality industry wasn’t that far behind (23% of cases), followed by retail (15% of cases). And here are some other things that might surprise you (note that the following percentages add up to more than 100%, meaning that some cases involved more than one factor):

  • 48% of breaches involved “privilege misuse” (that’s up 26% from the year before). The report defines this as any use of resources or privileges in a manner contrary to that which was intended, whether malicious or non-malicious. This category includes obvious actions such as embezzlement or deliberate theft of information by an insider, but also losses that resulted from abuse of system access, use of unapproved devices, violations of an organization’s Web or Internet use policy, abuse of private knowledge, use of unapproved software or services, unapproved changes and workarounds, and violations of an organization’s asset / data disposal policy.
  • 40% resulted from hacking (down 24%) – the majority of which involved either the use of stolen login credentials, or SQL Injection attacks. A fair number also involved exploitation of default or guessable credentials (or cases where no credentials were required), and brute force and dictionary attacks.
  • 38% utilized malware (unchanged)
  • 28% employed “social tactics” (up 16%) – using deception (spoofing, phishing, forgery), manipulation, intimidation, bribery, extortion, etc., as a means of breaching an organization’s security. Social tactics are often combined with other categories, for example, malware designed to look like antivirus software.
  • 15% were physical attacks such as theft, tampering, and surveillance (up 6%)
  • And what may be the most astounding finding of all: “…there wasn’t a single confirmed intrusion that exploited a patchable vulnerability.” Does that mean you don’t have to pay attention to patching your systems? No, of course not. But what it means is that just because you are current on all of your patches it doesn’t mean you’re safe!

Here are some more commonalities in the attacks:

  • 98% of all data breached came from servers.
  • 85% of attacks “were not considered highly difficult.”
  • 61% were discovered by a third party(!)
  • 86% of victims had evidence of the breach in their log files(!!)
  • 96% of breaches were avoidable through simple or intermediate controls.
  • 79% of the victims that were subject to PCI DSS regulations had not achieved compliance with the regulations. Admittedly, that means that 21% had achieved compliance, and were breached anyway, but why stack the deck against yourself? If you’re subject to the regulations, make sure you’re in compliance.

So what are the takeaways from all of this data? Although I would encourage you to download and read all 66 pages of the Verizon report, here are a few points to consider:

  • 86% of victims had evidence of the breach in their log files, yet 61% of the breaches were discovered by a third party. That suggests that, just maybe, we should be paying more attention to our log files. Now, I understand that there aren’t many cures for insomnia that are better than trying to parse through several servers’ worth of log files looking for anomalies. But that’s why there are automated tools these days that will do that for you.
  • SQL injection has been around for over ten years, and still causes a large number of data breaches. Here’s a high-level example: you have a form on your Web site that is intended to capture user input and stuff it into a SQL database. Maybe it’s the billing information for your on-line shopping cart. But instead of entering the data you’re expecting, an attacker enters a SQL statement that’s intended to either extract data from the database, modify data in the database, or deliver malware to the system.

    You can’t fix this by applying a patch, modifying a setting, or changing a Web page. It’s almost always an input validation failure. That means you have to fix the code behind the application so that it actually validates that the information that’s being typed into a field is really the kind of information that’s expected. It isn’t necessarily easy, and it isn’t necessarily inexpensive. But data loss isn’t cheap, either.

  • The use of stolen credentials was the top hacking method used. Two-factor authentication (e.g., RSA’s SecurID), which can largely render stolen credentials useless, has been around for years. Apparently not enough organizations are using it.
  • One of the more interesting (to me, anyway) recommendations in the Verizon report is to filter outbound traffic. That way, even if malware does get in the door, you have some measure of control over what information leaves your network. This is sometimes referred to as “Data Loss Prevention,” or “Content Security.” Here’s what they had to say about it:

    Most organizations at least make a reasonable effort to filter incoming traffic from the Internet. This probably stems from a (correct) view that there’s a lot out there that we don’t want in here. What many organizations forget is that there is a lot in here that we don’t want out there. Thus, egress filtering doesn’t receive nearly the attention of its alter ego. Our investigations suggest that perhaps it should. At some point during the sequence of events in many breaches, something (data, communications, connections) goes out that, if prevented, could break the chain and stop the breach. By monitoring, understanding, and controlling outbound traffic, an organization will greatly increase its chances of mitigating malicious activity.

    By a happy coincidence, one of our primary vendor partners, WatchGuard, recently introduced a line of appliances that are specifically designed for precisely this task. I’ll be writing more about that in a future post.

  • Don’t assume that you’re too small to interest the criminals. 9% of the breaches were in companies with ten or fewer employees. Another 18% in companies with 11 to 100 employees. 23% in companies with 101 to 1,000 employees.
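The SQL injection point above, as an added example that is not part of the original post: the same lookup written the way the post describes the defect (form input pasted into the query text) beside the two fixes the post calls for, input validation and a query whose value travels separately from the SQL. The table, the e-mail addresses and the probe input are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: a tiny billing table standing in for the shopping-cart
# database the post describes. Not taken from the original post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "1881"),
         ("carol@example.com", "0005")],
    )
    return conn

def lookup_vulnerable(conn, email):
    """The defect the post describes: form input is concatenated into the query
    text, so the database cannot tell where the data ends and the SQL begins."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, email):
    """Hardened form: the driver sends the value separately from the statement,
    so a quote character in the input is just a character in a string."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()

# Shape check for the one field this form expects; anything else is rejected
# before it reaches the database.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def validate_email(value):
    """The input validation the post calls for: is this really an e-mail address?"""
    if not isinstance(value, str) or len(value) > 254:
        return False
    return EMAIL_RE.fullmatch(value) is not None

def lookup_defended(conn, email):
    """Both controls together: validate the field, then bind the value."""
    if not validate_email(email):
        raise ValueError("rejected input: not an e-mail address")
    return lookup_parameterized(conn, email)

# Constructed probe input: closes the string literal and appends an always-true
# condition, so the vulnerable query returns every row instead of one customer.
PROBE = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, PROBE))      # all three rows
    print("parameterized:", lookup_parameterized(db, PROBE))   # []
    try:
        lookup_defended(db, PROBE)
    except ValueError as err:
        print("defended     :", err)
```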

And, finally, don’t assume that the situation is hopeless. Remember that only 4% of breaches were judged to have required difficult and expensive measures to avoid. To quote from the conclusions of the Verizon report, “Configuration changes and altering existing practices fix the problem(s) much more often than major redeployments and new purchases.” We do have the tools to get the job done. We just have to make up our minds to do it.

I just read an interesting blog post over on ZDNet, entitled The Changing Face of IT: Five Trends to Watch. As I read through the article, I was struck by how Citrix solutions can enable IT organizations to deal with these trends. Consider:

  1. The consumerization of IT – “Workers are bringing their own laptops and smartphones into the office and connecting them to corporate systems. More people than ever are telecommuting or working from home for a day or two a week. And, the number of Web-based tools has increased dramatically…”

    Yep. In fact many companies are instituting “BYOPC” (Bring Your Own PC) policies, because in the long run it can be less expensive to give employees a fixed allowance and allow them to buy whatever they want than it is to issue – and maintain – a company-owned laptop. Citrix themselves instituted this policy a few years ago.

    If you’re using XenApp or XenDesktop to provide access to your key line-of-business applications, you don’t care what the endpoint is. If your employee prefers a MacBook, fine. Want to use an iPad? No problem. Connecting in from your home PC because your kids are sick? We’ve got that covered, too. Just install the Citrix Receiver and you’re good to go.

  2. The borderless network – “…today’s IT security model is more about risk management than network protection. Companies have to identify their most important data and then make sure it’s protected no matter who’s accessing it and from wherever and whatever device they’re accessing it from.”

    Citrix likes to say that their products are “Secure by Design,” meaning that security is built into them from the ground up. First of all, when you’re accessing your virtual desktop remotely, or running a published application from a XenApp server, the data never leaves the data center. The remote endpoint (whatever it is) is just sending keystrokes and mouse movements to the data center and getting back pixel updates. On top of that, we can encrypt that data connection using the Citrix Access Gateway.

    Citrix also gives you very granular control over whether files can be copied between client and server, and/or whether print jobs can be directed to a client-attached printer. In fact, using Advanced Access Control policies, those controls can be context-sensitive, i.e., you might allow files to be copied to the client device if the client device is a company-owned laptop, but not if it is a home PC; or you might allow client-attached printing if the client is connecting from a branch office, but not if the same user, using the same client device, is connecting from home, or from a hotel.

  3. The cloudy data center – Let me go on record as saying that the most cloudy thing about the cloud is trying to understand what someone means when they say the word. Not unlike the word “portal” a few years ago, the first question that usually needs to be asked in any discussion about cloud computing is: “When you say ‘cloud,’ what exactly do you mean?”

    But the point to remember is that when you’re delivering applications via Citrix, users don’t know and don’t care where the data center is or where the applications are being executed. It doesn’t matter. Want to move your entire infrastructure to a co-lo? Fine. Want to have multiple data centers with automatic failover from one to the other? We can do that, too. By some definitions of the term, we’ve been building “private clouds” since the release of WinFrame back in the mid-90s.

  4. The state of outsourcing – “Outsourcing is thriving in many different forms, and it’s reasonable to expect that it will accelerate.”

    We made the point above that users don’t know and don’t care where the data center is. The fact is, for about 90% of what they need to do, neither do the administrators. Virtualization in general, and Citrix products in particular, make it very easy to administer, troubleshoot, and repair issues remotely. We built the entire Evans Fruit Company infrastructure without ever having our engineer set foot on site. In fact, actually dispatching an engineer to a customer location is now the exception rather than the rule.

  5. The mobilization paradigm – “While PCs still make sense on the desks of knowledge workers, for all of these other workers who regularly move around as part of their daily job, the stationary PC often changes the natural flow of their routine because they have to stop at a system to enter data or complete a task. That’s about to change. Mobile computers in the form of smartphones and touchscreen tablets (like the iPad) have taken a big leap forward in the past four years. They are instant-on, easy to learn because of the touchscreen, and they have a whole new ecosystem of applications designed for the touch experience…”

    Very true…but these same users are going to still need to access your traditional line-of-business applications, which will not be transformed overnight into touchscreen enabled apps. It is axiomatic that, in IT, nothing ever actually goes away – instead, new technology just gets layered over the top of old technology…which is why you’ll still find applications running on big mainframes in a lot of enterprises. So how do you manage that transition?

    Once again, Citrix comes through. There’s a Citrix Receiver for the iPhone, one for the iPad, one for Windows Mobile phones, one for the Android, and just a couple of months ago, Citrix released a version of the Receiver for BlackBerry devices. And, of course, Receivers for Windows, Mac, and Linux PCs have long been available. I don’t know of any other product or technology that offers this kind of flexibility in delivering applications to users regardless of location, connection, or endpoint device.

So a big “Thank you!” to Jason Hiner for an excellent post. You’ve just described, in a nutshell, why Moose Logic is still excited to be a Citrix partner after all these years. Just remember, as you work to adapt to all of these trends that are indeed changing the IT landscape, we’ve got your back.

Is Office 2010 Worth It?

July 16th, 2010 | Posted by Sid Herron in General | Microsoft - (0 Comments)

Every time Microsoft releases a new version of Office, we all have to ask ourselves whether there is enough business value in the new and improved version to justify the time and effort of rolling out the upgrade, listening to our users complain about the things that may not work the way they used to, and helping them through the rough spots.

Since Moose Logic is a Microsoft Partner, we don’t have to pay for the Office licenses we use internally. Moreover, it’s important for us to actually use the technology that we’re promoting to our customers, so that’s another reason for us to upgrade. Even so, it costs us time and effort to upgrade everybody, and we have other critical applications that depend on Office – like the Word merge app that allows us to print quotes and sales orders from our MS-CRM records – so we have to make sure that those dependencies don’t get broken. So, like you, we have to ask, “Is it really worth it? Is there that much difference between Office 2007 and Office 2010?”

Well, actually there’s more than you might think, and J. Peter Bruzzese wrote an article about it over on infoworld.com earlier this week. Here’s just a quick bullet list of his “top 25” new Office 2010 features. If any of them catch your eye, I’d encourage you to read his article for a more detailed description:

  1. Universal ribbon – the ribbon interface is now part of every Office application.
  2. Customizable ribbon – don’t like the defaults? Customize it.
  3. Backstage view (behind the “File” tab of an application)
  4. Paste preview
  5. Office Web Apps
  6. Protected View
  7. More themes
  8. Insert a screenshot
  9. Crop images to a shape from within the app
  10. New photo-editing options in Word
  11. Navigation pane in Word
  12. “Sparklines” (Excel)
  13. “Slicers” (Excel)
  14. 64-bit support, which allows for Excel workbooks larger than 2 GB
  15. Video editing from within PowerPoint
  16. Broadcast slideshows (PowerPoint)
  17. Distribute slideshows as video (PowerPoint)
  18. Animation painter (PowerPoint)
  19. Sections (PowerPoint)
  20. Transition improvements (PowerPoint)
  21. Outlook conversation view
  22. Outlook MailTips
  23. Outlook Social Connector
  24. Outlook “quick steps”
  25. Outlook “Clean Up”

So, a tip of the antlers to Mr. Bruzzese for coming up with a great list. Again, if any of these catch your interest, I’d encourage you to read more about these features in the InfoWorld article.

I read an interesting post over on ZDNet today that cites a Forrester Research report that predicts that tablets will begin to outsell netbooks in 2012. By 2014, they predict, more people will be using tablets than netbooks, and by 2015, tablets will constitute 23% of PC unit sales.

We can probably thank the iPad for most of the buzz that’s building around the tablet format lately, although tablets have been around for several years now. I’m on my second Motion Computing tablet, and had one of the original Compaq tablets before that, so I’ve used a tablet as my primary business computing device for the last seven or eight years, and I love them…although the way I use them has changed over the years.

When I first started using the tablet format, I thought it was very cool to carry it into a client meeting, fire up OneNote, and use the stylus to take my meeting notes. Over time, though, the “coolness” factor has worn off, and I’ve gone back to using pen and paper – mostly because I don’t have to wait for my pen and paper to boot up, and I never have to worry about battery life.

These days, I love it just for its portability. I’ve got a docking station in my office, and one at home, with external monitors in the two locations. It’s a snap moving back and forth between the two locations, and Win7 does a beautiful job of remembering the monitor settings. For several complicated reasons, the docking station is to the right of my external monitor in my office, and to the left of my monitor at home. I, of course, want to spread my desktop across both the external monitor and the tablet screen, and I also want, in both cases, to have the external monitor set as my primary monitor (because it’s bigger). When I was running Vista, I always had to open the display settings and drag the monitors back and forth when I moved between the two locations – Windows 7 always remembers.

When I travel, I snap on the removable keyboard, fire the tablet up in my hotel room, and just keep it there for the duration of my stay. I no longer need it for email when I’m out and about, because I have my AT&T Tilt (Windows Mobile) phone, and my Celio “REDFLY,” which connects to my Windows Mobile phone via Bluetooth, for those times when I need a larger screen and/or keyboard to make reading and replying to email a bit easier.

Side note: Battery life is better as well. With a full charge, I can use my REDFLY and Windows Mobile phone to take notes all day in a training class using the version of Word that came with my phone. My tablet battery won’t last that long. The REDFLY has a substantial battery, plus it extends my phone’s run-time because it doesn’t have to power the phone’s display screen when I’m using the REDFLY. In fact, I can even hook it to the REDFLY with a USB cable instead of using Bluetooth, and recharge it from the REDFLY…but I digress.

Personally, I’m intrigued by the iPad, and think it would make a great plaything, but don’t see enough business value compared to my Motion Tablet to make it a compelling purchase. I’m more interested in getting one just so I can demonstrate the Citrix Receiver for iPad to clients.

How about you? Have you ever used a tablet? Do you have one now? Is it an iPad? Have you ever used (or are you now using) one as your primary computing device? Do you have plans to acquire one and/or to support them on your business network? Inquiring minds want to know.

Moose Logic is proud to announce a new weekly webinar series called “Weekly Q&A with Moose Logic” hosted by Senior Solutions Consultant Garry Corbin. Every Wednesday at 9am Pacific time we will be discussing another topic and answering your questions live, so check the schedule and make sure to sign up for any topics that you have questions about. Here’s the schedule for the next 5 weeks:

In the future you will always be able to find the most up-to-date schedule on our upcoming events page. Also, if you ever have an idea for a topic you would like to see us discuss, send an email to sales@mooselogic.com and tell us your idea.

Copy Machine Security Risk

May 6th, 2010 | Posted by Sid Herron in General | Security - (0 Comments)

Here’s a 5-minute video you really need to watch. It’s a report by CBS News on what could be a huge security risk that most companies probably haven’t even considered: the office copy machine. And I’m not talking about the risk of someone copying sensitive information that they shouldn’t be copying – I’m talking about what happens when the copy machine is retired.

Most modern copy machines contain a hard disk drive. That’s why you can feed a stack of originals into them and walk away while the machine prints and collates multiple copies of your stack. But what you may not know is that most copy machines do not automatically delete those page images from the internal hard drive when they’re done printing. So when you turn that copy machine in at the end of your lease, you’re also handing over thousands of images of documents that you’ve copied on that machine.

Those copy machines are typically re-sold, with the hard drives still intact. Many are shipped overseas. And your documents are shipped right along with them, easily readable by anyone with commercially available hard disk forensic software.

Depending on the nature of your business, that may or may not be a big deal. But think about this:

  • Have you ever made photocopies of a new employee’s driver’s license or social security card for your files?
  • Have you ever photocopied an order form that contained a customer’s credit card information?
  • Have you ever photocopied your company tax returns, forecasts, budgetary information, or financial planning documents?
  • Have any of your employees used it to make copies of their own tax returns?
  • What about proprietary information or trade secrets?

And, of course, if you’re a business that deals with sensitive documents – such as a law firm, an insurance company, or a business that handles medical records – you (and your clients or patients) may have even more at stake.

So, please, spend five minutes and watch this video. Then, the next time you’re ready to retire a copy machine, find a way to get the hard drive out of it and destroy it yourself before it goes beyond your reach.

Tomorrow (May 5), at 17:00 GMT, all 13 root DNS servers on the Internet will begin using DNSSEC (Domain Name System Security Extensions) to reply to user requests. Here’s why you might care about this.

As most of our readers know, DNS is what translates the URL you type into your browser (like “www.mooselogic.com”) into an IP address (like “216.9.9.164”) that your computer can actually use to send packets of data across the Internet. If you have a Windows Server-based network, one (or more) of your Windows Servers is probably providing DNS services to the users on your network. But the DNS server on your network doesn’t automatically know where everything is. If it needs to resolve an address that doesn’t happen to already be in its local cache, it has to ask some other DNS server out on the Internet. Sometimes those queries go all the way to one of the root servers.

It’s been recognized for quite some time that the existing protocol used for DNS queries isn’t entirely secure. Therefore, the international standards bodies have been working on a more secure standard, which is DNSSEC. DNSSEC uses digital signatures to authenticate DNS responses, so your computer knows the response actually came from an authoritative DNS server.

So what’s the problem? The potential problem is that those DNS responses will arrive in significantly larger data packets than before. Specifically, rather than using UDP packets that are smaller than 512 bytes, the responses will not only be longer, but may be broken into multiple TCP packets. Some routers and firewalls specifically inspect DNS traffic to look for anomalies, and if you have older equipment that doesn’t know about the DNSSEC standard, these changes may very well look like anomalies, and be blocked. That would mean that your DNS clients or DNS server would not be able to communicate with the public root DNS servers, and that would mean that you would start having problems resolving DNS.

These problems may be intermittent in nature at first, because some DNS requests may be able to be resolved by using locally cached information…but DNS records typically have a “time to live” built into them, so eventually the cached information will expire and have to be refreshed. So if you do have a problem, it’s likely to get worse with time.

There are some tools available to help you determine whether you’re likely to have a problem. If you’re comfortable using a DNS query tool like dig (a command-line tool that can be run from most unix or linux systems), you can find instructions on using it at https://www.dns-oarc.net/oarc/services/replysizetest. If you don’t have access to a unix or linux host, or don’t feel comfortable using such a tool, you can download a Java utility from http://labs.ripe.net/content/testing-your-resolver-dns-reply-size-issues, and run it on any system with Java run-time installed (which includes most Windows systems). Just download and save the file, then double-click it.

WatchGuard customers should note that if you have a WatchGuard Firebox or XTM appliance with current firmware, you should not have any issues with these new DNSSEC packets.
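As an added illustration of the packet-size point above (not from the original post): the mechanism that lets a DNSSEC reply exceed the old 512-byte UDP limit is an EDNS0 OPT record in which the client advertises a larger receive buffer, and when even that is not enough the server sets the TC (truncated) flag and the client has to repeat the query over TCP, which is the traffic an older DNS-inspecting firewall may not expect. The query name, transaction id, 4096-byte buffer and the sample replies below are constructed for the example.

```python
import struct

# Constructed values for this example; not taken from the original post.
CLASSIC_UDP_LIMIT = 512        # maximum DNS/UDP payload before EDNS0
EDNS_UDP_SIZE = 4096           # buffer a DNSSEC-aware client advertises (assumption)
OPT_TYPE = 41                  # the EDNS0 OPT pseudo-record type
DO_BIT = 0x8000                # "DNSSEC OK" flag carried in the OPT record's TTL field
RRSIG_TYPE = 46
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234, edns=True, udp_size=EDNS_UDP_SIZE, dnssec_ok=True):
    """Build a recursive query. With edns=True an OPT record is appended in the
    additional section: its CLASS field carries the UDP payload size the client
    will accept and its TTL field carries the DO bit requesting DNSSEC records."""
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)        # QCLASS IN
    if edns:
        ttl = DO_BIT if dnssec_ok else 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)  # root name, no RDATA
    return msg

def parse_header(msg):
    """Decode the 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "response": bool(flags & FLAG_QR),
        "truncated": bool(flags & FLAG_TC),
        "authenticated": bool(flags & FLAG_AD),   # resolver validated the signatures
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }

def assess_reply(resp):
    """Classify a reply the way a DNSSEC-aware client must: TC set means the answer
    did not fit the UDP buffer and the query must be repeated over TCP; a complete
    reply longer than 512 bytes shows why the EDNS0 buffer has to be honoured by
    every device on the path."""
    if parse_header(resp)["truncated"]:
        return "retry over TCP"
    if len(resp) > CLASSIC_UDP_LIMIT:
        return "large UDP reply (needs EDNS0 end to end)"
    return "fits classic UDP"

def constructed_reply(flags=FLAG_QR | FLAG_RD | FLAG_RA, answers=(), txid=0x1234):
    """Assemble a sample response for offline testing. `answers` holds (type, rdata)
    pairs; the rdata is constructed filler, not real address or signature data."""
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    for rtype, rdata in answers:
        # 0xC00C is a compression pointer back to the question name at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, rtype, 1, 300, len(rdata)) + rdata
    return msg

# Three constructed replies: a plain A record, a truncated reply, and a signed
# (AD) reply whose RRSIG filler pushes it well past the old 512-byte limit.
SMALL_REPLY = constructed_reply(answers=[(1, bytes([192, 0, 2, 1]))])
TRUNCATED_REPLY = constructed_reply(flags=FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA)
LARGE_REPLY = constructed_reply(flags=FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD,
                                answers=[(1, bytes([192, 0, 2, 1])), (RRSIG_TYPE, bytes(600))])

if __name__ == "__main__":
    q = build_query("www.example.com")
    print("query bytes with EDNS0 OPT:", len(q), "without:", len(build_query("www.example.com", edns=False)))
    for label, reply in (("small", SMALL_REPLY), ("truncated", TRUNCATED_REPLY), ("large", LARGE_REPLY)):
        print(f"{label:10s} {len(reply):4d} bytes -> {assess_reply(reply)}")
```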

A former colleague of mine once observed that most businesses could be divided into three broad categories, based on how they view their computer systems. Which category do you fall into?

1. A Necessary Evil
Some businesses really don’t need much technology to do what they do. For example, a small automotive machine shop may have one PC that they use to run a simple accounting program to keep their books and not much else. They may not even have an Internet connection at their place of business. Computer technology is not in the least strategic to what they do, and they’d rather not deal with it any more than is absolutely necessary. They’ll typically run the systems they have until they’re forced to upgrade.

2. Another Business Tool
Other businesses understand the need for technology, but do not view it as strategic. It’s just another business tool, like the telephone system. They don’t spend much time thinking about it, but they do expect it to work when they turn it on – just as they expect a dial tone when they pick up a telephone. They recognize that their computer systems provide essential business services – not just running the accounting system, but enabling their employees to keep in touch with clients and vendors, perform essential research on the Internet (when they’re not watching YouTube videos or updating their Facebook pages), create presentations, write letters, create budget and forecast spreadsheets, etc. Still, they don’t particularly want or need to be on the “bleeding edge” of the latest and greatest stuff – they just want the stuff they have to work, because they know it costs them money when it doesn’t. They don’t want to spend any more money than they have to, but they recognize that they have to spend some money to keep things working. They are reluctant to upgrade their systems as long as the systems they have are getting the job done.

3. A Strategic Asset
Businesses in this final category truly view technology as strategic to their businesses. They proactively look for ways to leverage technology to give their businesses a competitive advantage. Ultimately, all businesses exist to make money. You make more money by either selling more of whatever products and services you sell, or by taking cost out of the business so that your present level of sales becomes more profitable. Technology can be used to do both of these things, and in a variety of ways. In fact, that may be a good subject for a future series of posts – but in the meantime, if you give the matter a little thought, you can probably come up with several examples yourself of how to use technology to increase sales or reduce costs, or both.

One of the interesting things about this classification system is that it has very little to do with the size of the business in question, and everything to do with how the business views technology. I have known relatively small businesses that fell into category #3, and relatively large businesses that fell into category #2. (I haven’t dealt with very many category #1 businesses, because, frankly, a company like Moose Logic doesn’t have much to offer them. And, in fact, if you’re reading this blog, it’s a pretty strong indication that you’re not a category #1 business.)

It is, of course, important to us to understand which category you fall into, because it determines, to a large extent, what kind of conversation we’ll have about technology. If you’re in category #2, we should be talking about increased productivity, simplified management, the cost savings of virtualization, and perhaps even the outsourcing of some or all of the management of your systems. If you’re in category #3, we should also be talking specifically about how you go to market, how you differentiate yourself from your competitors, and how we can use technology to create or enhance that competitive edge.

But it’s equally important that you understand which category you fall into, and that you’re comfortable with it. The fact is that a category #3 business is going to spend more (relative to the size of the business) on technology than a category #2 business. If you claim to be in category #3, but you’re behaving like you’re in category #2, you’re simply fooling yourself, and you need to be realistic about your goals and objectives. If you want to be in category #3, but are hindered by budgetary constraints, then you can begin to plan for how you’re going to get there. If you’re in category #2, and you’re content to be in category #2, great! There’s absolutely nothing wrong with taking that position, as long as it’s a conscious decision made with a clear understanding of what it means for your business.

So… what category are you in? And are you comfortable there?

There’s a new piece of malware going around that falls into the “ransomware” category. This one locks down the user’s desktop, and displays a message warning that copyrighted content has been detected on the PC. It then attempts to extort $400 from the user as a “copyright holder’s fine,” while emphasizing that “the maximum penalties can be five years in prison and up to $250,000 in fines.” You can read more about this particular piece of malware in Dancho Danchev’s blog post over on ZDNet.

According to an earlier post by the same author last September, “scareware” and “ransomware” have emerged as “the single most profitable monetization strategy for cybercriminals to take advantage of.” In general terms, scareware usually takes the form of fake security software – like the infamous “Antivirus 2008.” It is spread almost entirely through “social engineering” tactics that attempt to entice you to visit a compromised Web site. It attempts to trick you into believing that your computer is already infected with malware (or has some other problem, like the fake copyright violation angle), and that purchasing the fake security application or otherwise giving them money will solve the problem.

Some of this malware will prevent your legitimate security software from loading, and from being updated. Some will also attempt to prevent you from running system tools or third-party security applications, which makes it even more difficult to get rid of. Some even encrypt your files and attempt to extort money from you in order to decrypt them.

Needless to say, this is an extremely dangerous, and insidious, form of malware, and one that you want to avoid at all costs. To that end, I highly recommend Danchev’s September post, entitled “The ultimate guide to scareware protection.” It will help you understand what it is, how to recognize it, how it attempts to reach you, and how to avoid it, and provides a helpful gallery of images of many of the variants so you can spot them if they happen to pop up.

Last October, we published a three-part series on SSL certificates: what they are, how they work, and how they’re used to secure transactions over the Web. You’ll find the series listed in our “Security” category. For most of us, this process has worked pretty well for a long time. But I recently ran across a paper by Christopher Soghoian and Sid Stamm that points out a vulnerability that, frankly, hadn’t really occurred to me before.

NOTE: I’ve chosen to place a copy of this paper on our own Web site, because I believe that the material is important enough that I wanted to ensure that it would be available even if the link I used to find it should no longer be valid. I believe that this is permissible under the Creative Commons Attribution license cited by the authors.

As we discussed in the previous series, the security of the public key infrastructure (“PKI”) that we’ve come to rely on ultimately depends on the trustworthiness of the Certificate Authorities (“CAs”) that grant the certificates. In general, a public CA (e.g., VeriSign) assumes some responsibility for verifying the identity of the person or organization requesting an SSL certificate. The level of verification performed depends on the type of certificate purchased. A small business purchasing a certificate that will be used to secure their Outlook Web Access site can get one pretty cheaply, and typically the issuer will only require that the requester be able to reply to an email message sent to the domain in question. On the other hand, Bank of America will go through a much more detailed process to get an “Extended Validation” certificate for one of their on-line banking servers (as well they should).

But if a bad guy could somehow obtain, from a trusted CA, a certificate for a Bank of America server, and then trick a user into visiting their fake BofA Web server, there would be no easy way for the user to know that something bad was going on – because the browser would indicate that a valid SSL session had been established.

Of course, any CA that knowingly issued such a certificate would risk irreparable harm to its reputation, punitive lawsuits, and potentially have its trusted status revoked by the major Web browser manufacturers. But, as Soghoian and Stamm point out in their paper, there are no technical restrictions that would prohibit a CA from doing so. So the integrity of the entire PKI and the security of millions of users’ communications ultimately depends on hundreds of CAs around the world choosing to do the right thing.

Now, I’m not particularly worried about VeriSign or GoDaddy, because I’m pretty sure they’re not going to cooperate in something like this without a court order (more on that later). But I didn’t realize that Microsoft, Apple, and Mozilla (Firefox) all include a number of national government CAs in their default “trusted root certification authorities” databases. For example, Microsoft’s program includes the governments of France, Korea, Latvia, Serbia, Tunisia, Turkey, and Uruguay, just to name a few. I’m sure that these government CAs are included for all the best reasons. But I’m not sure that I’m particularly comfortable with the idea of having my browser, by default, trust the government of Turkey with the blanket power to issue SSL certificates for any Web site. Correction – I’m sure that I’m not comfortable with that!

Why? Because the possibility is very real that some government, somewhere, might compel a CA to issue a false certificate that can then be used to perform a “man-in-the-middle” attack for surveillance purposes. In fact, as Soghoian and Stamm point out, there is evidence that this has already been done. (If you want the details on that, read their paper.)

As a result, they are working on a Firefox add-on that is currently known as “CertLock.” CertLock will keep track of the country of origin of the root CA of each Web site you visit, and if, on a return visit, it detects that the certificate being presented chains up to a root CA in a different country, it will warn you – even though your browser may trust that CA. For example, if your banking site uses certificates issued by VeriSign, which is a US-based CA, CertLock will store that information the first time you go to your banking site. If, on some future visit to that banking site, the Web server you hit presents a certificate that – although it appears to be valid – is chained to a root certificate issued by Etisalat in the United Arab Emirates, you’ll get a warning, and a chance to abort the connection.

Is this a perfect solution? No. Admittedly there are some scenarios that won’t be caught – but those are arguably not that significant anyway, with the possible exception of #4 below. To use a few of the examples cited by Soghoian & Stamm:

  1. Assume that the US government compels VeriSign to issue a certificate for use by a law enforcement agency wishing to intercept communications between a suspect located in the US and his/her US-based bank, which uses VeriSign certificates on all its Web servers. CertLock won’t detect that, because the CA issuing the fake certificate is the same CA that issued the legitimate certificates.

    However, if the government can get a court order compelling VeriSign’s cooperation, it could just as easily – and probably more easily – get a court order directly compelling the bank to disclose the suspect’s account information. So there’s little point in the exercise.

    The same holds true if the bank’s legitimate certificates were issued by, say, GoDaddy instead of VeriSign. They’re both US-based CAs, so CertLock won’t detect the attack – but, by the same reasoning, it’s still a moot point.

  2. Assume that a resident of China is accessing his/her online account with a Chinese bank that obtained its legitimate SSL certificates from VeriSign. Assume further that the Chinese government is interested in intercepting the suspect’s online transactions, and compels the China Internet Network Information Center (“CNNIC” – a domestic Chinese CA) to issue a false certificate for the operation.

    In this scenario, CertLock would detect the attack – although, again, it’s an improbable scenario because the Chinese government could just as easily compel the Chinese bank to provide the suspect’s account information.

  3. Assume that a US executive is on a business trip to China, and is attempting to access his/her Gmail account from a hotel Internet connection. Once again, the Chinese government could compel CNNIC to issue a false certificate to employ a man-in-the-middle attack, since they have no leverage to compel the assistance of VeriSign, which issued the legitimate SSL certificates. This attack would be detected by CertLock.

  4. Assume that a Chinese executive is on a business trip in the US, and attempts to access his/her Chinese bank account from a hotel Internet connection. If the Chinese bank was using legitimate VeriSign SSL certificates, and if the US government obtained a false certificate from VeriSign, there would be no way for CertLock to detect the attack.

  5. Since American CAs dominate the certificate market, and are used by many foreign organizations, that last scenario is far from hypothetical, and would seem to give the US an edge in potential intelligence-gathering.

So the bottom line is that the approach taken by CertLock is not perfect. But it’s a step in the right direction, and I’ll be downloading it as soon as I can get my hands on it. In the meantime, particularly if you’re interested in security issues or if your job includes security-related responsibilities, I’d heartily recommend that you download and read the entire paper. Although it’s a bit complex, it’s only 19 pages long, so it shouldn’t take you more than two cups of coffee to get through it.
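To make the detection logic and its blind spots concrete, here is an added example (my own illustration, not CertLock’s code) of the “remember the root CA’s country on first visit, warn if it changes” rule, replayed against the scenarios above. The hostnames and root CA objects are constructed sample data, not real certificates.

```javascript
// Added example, not CertLock's own code: a trust-on-first-use store that
// records the country of the root CA behind each site's certificate chain
// and warns when a later visit chains to a root in a different country.
// Chains are constructed sample data ({subject, country} objects, leaf to
// root); only the root's country of origin is consulted.
class CertLockStore {
  constructor() {
    this.seen = new Map(); // host -> {rootSubject, country} from first visit
  }
  check(host, chain) {
    const root = chain[chain.length - 1];
    const prior = this.seen.get(host);
    if (prior === undefined) {
      // First visit: nothing to compare against, so remember the root's country.
      this.seen.set(host, { rootSubject: root.subject, country: root.country });
      return { action: "allow", reason: `first visit; recorded root country ${root.country}` };
    }
    if (prior.country !== root.country) {
      // Same host, but the chain now ends in a root CA from another country.
      return { action: "warn", reason: `root country changed ${prior.country} -> ${root.country} via ${root.subject}` };
    }
    return { action: "allow", reason: "root country unchanged" };
  }
}

// Replays the post's numbered scenarios against the store and returns the
// action the add-on would take on the second, intercepted visit to each host.
function runScenarios() {
  const verisign = { subject: "VeriSign root (constructed)", country: "US" };
  const godaddy = { subject: "GoDaddy root (constructed)", country: "US" };
  const cnnic = { subject: "CNNIC root (constructed)", country: "CN" };
  const chain = (leaf, root) => [{ subject: leaf }, root];
  const cases = [
    // #1: US bank with VeriSign certs; forged cert also issued by VeriSign.
    ["1", "usbank.example", verisign, verisign],
    // #1 variant: bank uses GoDaddy, forged cert from VeriSign (both US).
    ["1b", "usbank2.example", godaddy, verisign],
    // #2 and #3: legitimate VeriSign cert, forged cert issued by CNNIC.
    ["2", "cnbank.example", verisign, cnnic],
    // #4: Chinese bank with VeriSign certs; US-compelled forged VeriSign cert.
    ["4", "cnbank2.example", verisign, verisign],
  ];
  const store = new CertLockStore();
  const results = {};
  for (const [id, host, legitRoot, forgedRoot] of cases) {
    store.check(host, chain(host, legitRoot)); // first visit sets the baseline
    results[id] = store.check(host, chain(host, forgedRoot)).action;
  }
  return results; // {"1":"allow","1b":"allow","2":"warn","4":"allow"}
}
```

The store also keeps the root’s subject name, so a stricter variant that flags any change of root CA, not only a change of country, needs nothing more than a different comparison in `check`.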