Tag Archives: security

Black Hat: Targeted network security attacks beating forensics efforts

Do you notice when things change… slowly?

LAS VEGAS — Two researchers peeled back the curtain on targeted malware today at the Black Hat Briefings, demonstrating examples of attacks that relied on a variety of hacks, ranging from zero-day PDF attacks to memory-based rootkits. In each of the four examples, the attack was specially crafted to beat the target company, and new layers of functionality were added to the malware to either beat detection protections already in place, or frustrate network security forensics investigators.

“Customization of malware is the key,” said one of the presenters, Nick Percoco, senior VP at Trustwave’s SpiderLabs, the Chicago-based forensic company’s security research arm. “Also, slow and steady wins the race for today’s attackers. They’re not in it for quick and dirty hacks. Persistency is the key; they have to get in and maintain the attack,” Percoco said.

Targeted, persistent attacks have been prominent this year, starting with Google’s admission that it, along with more than 30 other technology companies, large enterprises and defense contractors, had been infiltrated by attackers from China using sophisticated attacks to quietly siphon sensitive data. The attacks also introduced APT, or advanced persistent threat, into the security lexicon.

While targeting may be gaining more prominence, the means by which attackers are getting into enterprises aren’t much different than they were 18 months ago. Keyloggers, network sniffers and memory-dumping rootkits are still in vogue; the newness is in the way attackers are covering their tracks in order to maintain a persistent presence inside an organization.

via Black Hat: Targeted network security attacks beating forensics efforts.

Report: NSA creating spy system to monitor domestic infrastructure | Raw Story

The Wall Street Journal cites unnamed sources as saying that the NSA has issued a $100-million contract to defense contractor Raytheon to build a system dubbed “Perfect Citizen,” which will involve placing “sensors” at critical points in the computer networks of private and public organizations that run infrastructure, organizations such as nuclear power plants and electric grid operators.

In an email obtained by the Journal, an unnamed Raytheon employee describes the system as “Big Brother.”

“The overall purpose of the [program] is our Government…feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security,” the email states. “Perfect Citizen is Big Brother.”

You know, I don’t feel any safer knowing the government twisted the NSA’s mandate to spying on everyone inside the nation.   For some reason, I don’t think the government’s “security” goals are the same as my own.

via Report: NSA creating spy system to monitor domestic infrastructure | Raw Story.

SQL injection flaw leaves door wide-open to valuable user information on a popular file sharing site

I wonder why, after being online for so many years, Pirate Bay still had SQL injection vulnerabilities?  Did they recently re-engineer their site and forget to sanitize input?

This week, a trio of hackers based out of Argentina uncovered various entry points into the popular (and controversial) file-sharing site Pirate Bay using SQL injection flaws contained in the site. The infiltration gained them access to upwards of four million user profiles containing names, addresses, email accounts and other sensitive and (potentially) incriminating information.

As originally reported by Krebs on Security, the group gained access through SQL injection vulnerabilities contained within the site. The leader of the hacker group, Ch Russo, maintains that he and his accomplices did not crack the site for any personal gain, though he did admit, once inside, it had dawned on him that some of the information uncovered would have been valuable to the Recording Industry Association of America and Motion Picture Association of America. But at the end of the day, they chose not to share information with either organization. The group says that they were only attempting to spread awareness that security vulnerabilities exist and SQL injection flaws can still be readily found in today’s applications and websites.

[…]

Hackers are able to gain access to apps through weak SQL portals by adding their own Structured Query Language (SQL) into language field features on sites and in applications. These coded statements instruct the app or site to respond to their coded request and (in most cases) grant them administrative or backend access. Once access is gained, typically the sky is the limit to what database information becomes available and what changes can be made.

via SQL injection flaw leaves door wide-open to valuable user information on a popular file sharing site – Software Quality Insights.

PCI Standards to be updated on new three-year cycle

The Payment Card Industry Security Standards Council (PCI SSC) will update the Payment Card Industry Data Security Standards (PCI DSS) on a new three year cycle.

PCI DSS has been on a two year update cycle. The council made the changes to give merchants more time to implement the standards between iterations. In addition, the PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), will also be moved to a three year development cycle.

A little more time to comply between changes is always welcome.

via PCI Standards to be updated on new three-year cycle.

Customers pleased with Google Enterprise desktop security – Security Bytes

NATIONAL HARBOR, Md. — Enterprise information security professionals, by nature, tend to be somewhat paranoid, especially regarding new and emerging technology. So to this observer it seemed somewhat surprising not only to hear two Google Enterprise desktop customers extol the security and privacy of the search giant’s enterprise productivity offerings, but also to watch about 200 of the attendees at Gartner Inc.’s Security and Risk Management Summit 2010 hanging on every word.

[…]

Loveland said his employer, a $6 billion global packaging firm, wanted to standardize its email and collaboration tools across geographies. His key privacy concerns were providing users unfettered access to corporate data – both email and shared documents — from virtually any Internet-connected computer, and offering the ability to sync with mobile devices not managed by the company.

This is also a boon to securing your corporate network – rather than needing to open up your Intranet to outside access for your employees on the go, your users may need less access to corporate resources, allowing you to close up some ports and access points to the Internet in general if all the docs, email, and calendaring are on Apps.

Also, are your own servers as hard as this?

“Google’s security strategy revolves around hiring talented security professionals and building multiple wholly owned data centers,” Bolt said. Those data centers, according to Google, feature custom-built servers running a hardened version of Linux with no video cards, drivers, USB ports or any other service that could risk compromising security. ”These layered security practices span the physical and logical, and they hire the right people and install values of security.”

via Customers pleased with Google Enterprise desktop security – Security Bytes.

Perimeter defenses deemed ineffective against modern security threats

Item One:

For Leslie Lambert, former CISO at Sun Microsystems who recently joined Juniper Networks Inc. as CISO, assuming that the bad actors behind cybersecurity threats are already inside the network raises the issue of how sensitive data is secured. Juniper has acknowledged that it was among the victims of Operation Aurora.

“If they’re already in, how have you applied the principals of data protection?” she asked.

via Perimeter defenses deemed ineffective against modern security threats.

Item Two:

Historically, the reason key management worked for stored data was that the key could be stored in a secure location: the human brain. People would remember keys and, barring physical and emotional attacks on the people themselves, would not divulge them. In a sense, the keys were stored in a “computer” that was not attached to any network. And there they were safe.

This whole model falls apart on the Internet. Much of the data stored on the Internet is only peripherally intended for use by people; it’s primarily intended for use by other computers. And therein lies the problem. Keys can no longer be stored in people’s brains. They need to be stored on the same computer, or at least the network, that the data resides on. And that is much riskier.

Let’s take a concrete example: credit card databases associated with websites. Those databases are not encrypted because it doesn’t make any sense. The whole point of storing credit card numbers on a website is so it’s accessible — so each time I buy something, I don’t have to type it in again. The website needs to dynamically query the database and retrieve the numbers, millions of times a day. If the database were encrypted, the website would need the key. But if the key were on the same network as the data, what would be the point of encrypting it? Access to the website equals access to the database in either case. Security is achieved by good access control on the website and database, not by encrypting the data.

via: Data at Rest vs. Data in Motion.

If you harden the interior of your organization, where do you store the keys?  How difficult are they to find? (And that’s a rhetorical question, do not tell me in the comments where your keys are.)

Windows 7 Security Primer Part 1

If you’ve now using or about to begin switching to Windows 7, Robert Shimonski has written a fairly in-depth overview of Windows 7’s security capabilities, and how to harden the OS, including manual tuning and the usage of security templates from Microsoft.

Regardless of which version of OS you are running, this is a good set of steps to follow to start out fresh, clean, streamlined, and secure:

Step 1 – Installation of Base OS selecting any options during installation the increases security and not selecting unneeded services, options and programs.

Step 2 – Installation of any Administrator toolkits, security tools and needed programs.

Step 3 – Remove services, programs and unneeded software. Disable or remove unused user accounts or groups.

Step 4 – Service Pack update, hot fixes and service packs. Update all installed programs as well.

Step 5 – Run security audit scanner, template, MBSA, etc to assess current security level

Step 6 – Run System Restore and create a restore point. Backup and Restoration application for disaster recovery.

Step 7 – Backup the OS with a way to quickly restore it in the event of disaster.

This list is a simple guide. You can add more steps and extend this list further. This list is not definitive, but a good start in getting an idea of where to start when applying security to Windows 7 after a base installation. If completing a fresh install of Windows 7, then the next step is to remove any unwanted software, services, protocols and programs that you do not want or need running on it. This can be done easily in the Control Panel.

via Windows 7 Security Primer Part 1.

Microsoft’s Security Study & How Regulations Can Hinder Security Advances | Sword & Shield Enterprise Security, Inc.

To what extent are you able to make live easier for your users, or to innovate in your security policies, before you run up against regulations?

Cormac Herley, a principal researcher for Microsoft, published a study last year that, among other things, finds that changing passwords adds no real value from a risk or security standpoint. Herley focuses heavily on the cost-benefit trade-off of regularly changing passwords (and its negative effect on productivity) versus the cost associated with password compromises.

Herley’s study gives some much-needed attention to an opinion many of us in the security industry have been expressing for years: much of the old security advice that has been handed down for 20 or 30 years is either no longer relevant, or was never effective to begin with.

via Microsoft’s Security Study & How Regulations Can Hinder Security Advances | Sword & Shield Enterprise Security, Inc..