Thursday, March 30, 2006

Good measure, but not enough

According to InfoWorld:

German bank fights phishing with electronic signatures
Postbank to begin attaching electronic signature to all e-mail correspondence with customers

By John Blau, IDG News Service

March 30, 2006

German retail banking giant Postbank AG, the target of several phishing attacks, aims to curb the theft of online personal information with the help of electronic signatures.

The bank will begin attaching electronic signatures to all e-mail correspondence with customers, Postbank spokesman Jürgen Ebert said Thursday.

It's a very good measure, especially when the bank sends messages with links to account balances and other private information. However, they need to be aware that this will not be enough to avoid problems with the theft of authentication data.

A couple of years ago we had a large number of phishing scams in Brazil pretending to be from the banks. But now the fraudsters have realized that people are already aware that these are fake. They are using a different approach now, sending trojan horses to capture the same information when the users access the real bank website. It's easier to make people click on messages that appear to come from sources that look innocent or unrelated to banking, like virtual card websites or government agencies (saying that you have problems with your tax return, for example).

Banks need to protect their communication with their clients, but it won't be enough to ensure that credentials will not be stolen. They need additional measures to avoid that, like one-time password cards or tokens like SecurID.

Why does phishing work?

I've just read a very good article about Why Phishing Works. I'm glad that some of my personal thoughts on the subject were confirmed by the study presented in the text. I'll try to find some time, and to recover some of my ancient programming skills, to develop an anti-phishing toolbar proof of concept. I know that there are already too many of them, but it's a good excuse to try to build something after so many years :-)

Tuesday, March 28, 2006

Product evaluation

I've just read a very good article about doing security evaluations of IT products. I especially liked this part:

"9. Do not be sorry for a vendor.
There were projects where our evaluation results literally made people cry and beg to buy their products. One vendor even offered a 100K product for free, so they could add the company logo to the list of their customers. Remember, you are choosing the product to protect your assets, and if it fails and exposes your data, you are the one who will be in trouble."

Some vendors look at me like furious animals after arguing with me about their products' security features. I just can't hear things like "We have asymmetric 198-bit 3DES encryption" (yeah, it was exactly like that) without complaining.

What makes me feel uneasy is that if vendors are used to giving answers like that (or just saying "don't worry, the data is encrypted"), it means that people are not asking the right questions, and neither do they understand the answers.

Monday, March 27, 2006

How to deal with this?

It's the second time this year that we have a known vulnerability that can be used to install malicious code on users' computers without a released patch. Just remember that almost all big companies rely on the "Patch Management + Antivirus" formula to avoid these threats.

What would be a big threat for those companies? Let's suppose malicious code designed to steal corporate information. If Mr. Criminal creates one of these and spreads it through a limited target space (to avoid being identified by antivirus vendors) using one of those unpatched vulnerabilities, he will succeed in stealing a good amount of information. Will it be detected? Probably not, especially if his code vanishes from the victim's computer after doing the job (and sending the results out through proxy-enabled HTTPS or DNS tunneling).

I'm not trying to spread FUD with this imaginary scenario. I believe that companies need to understand that the PM+AV formula is not enough to avoid the problems caused by infected workstations. Yes, it fits perfectly for combating dumb and simple malware, but not malware made by professional criminals. And we are already seeing that this is not science fiction (good example).

There is a need for better workstation protection and better detection of abnormal user behaviour. Users suddenly trying to collect and send out huge amounts of information need to be promptly detected by the security team. This is one of the goals of my current master's thesis. I'm trying to integrate different forms of intrusion detection targeted at internal networks. Honeytokens will probably play a part.
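As an added example (my code, not from the original post or the thesis it mentions), here is the kind of check the two paragraphs above call for: a small detector that reads DNS query logs and flags a host whose queries to one domain look like a tunnelling or exfiltration channel rather than name resolution. The log format, the sample lines and the thresholds are constructed assumptions to be tuned per environment, and the "registered domain" is approximated as the last two labels because no public-suffix list is used.

```python
import math
from collections import defaultdict

# Constructed sample log (not real traffic): "<epoch> <client_ip> <query_name>".
# 10.0.0.5 browses normally; 10.0.0.7 sends random-looking 20-char labels to one
# domain; 10.0.0.9 sends a single odd query, below the volume threshold.
SAMPLE_DNS_LOG = """\
1143500001 10.0.0.5 www.example.com
1143500002 10.0.0.5 mail.example.com
1143500003 10.0.0.5 www.example.com
1143500004 10.0.0.7 k3f9q2x7m1z8w4v0p6r5.c2.tunnel.example
1143500005 10.0.0.7 a7d2h9j4n1s6u3y8b5e0.c2.tunnel.example
1143500006 10.0.0.5 cdn.example.com
1143500007 10.0.0.7 c1g6l3o8t2w7z4x9v5q0.c2.tunnel.example
1143500008 10.0.0.9 m2p7r4u9x1a6d3f8h5k0.c2.tunnel.example
1143500009 10.0.0.7 m2p7r4u9x1a6d3f8h5k0.c2.tunnel.example
1143500010 10.0.0.5 www.example.com
1143500011 10.0.0.7 b9e4i7l2o5s8v1y3z6n0.c2.tunnel.example
1143500012 10.0.0.7 q5t1w8z3c6f2j9m4p7s0.c2.tunnel.example
1143500013 10.0.0.5 mail.example.com
"""


def shannon_entropy(text):
    """Bits per character; encoded or random-looking labels score high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one log line into (timestamp, client, normalized query name)."""
    ts, client, qname = line.split()
    return int(ts), client, qname.lower().rstrip(".")


def registered_domain(qname):
    """Assumption: the registered domain is the last two labels (no public-suffix list here)."""
    return ".".join(qname.split(".")[-2:])


def analyse(log_text, min_queries=5, min_unique_ratio=0.8,
            min_label_len=16, min_label_entropy=3.5):
    """Return one alert per (client, domain) whose subdomain traffic looks like a data channel.

    All indicators are required: enough queries, almost every query name is new
    (a tunnel must defeat caching), and the leftmost label is long and high-entropy
    (it is carrying payload, not a hostname)."""
    stats = defaultdict(lambda: {"count": 0, "names": set(), "len_sum": 0, "ent_sum": 0.0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname = parse_line(line)
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # bare registered domain: no subdomain to carry data
        s = stats[(client, registered_domain(qname))]
        s["count"] += 1
        s["names"].add(qname)
        s["len_sum"] += len(labels[0])
        s["ent_sum"] += shannon_entropy(labels[0])

    alerts = []
    for (client, domain), s in stats.items():
        if s["count"] < min_queries:
            continue
        unique_ratio = len(s["names"]) / s["count"]
        mean_len = s["len_sum"] / s["count"]
        mean_entropy = s["ent_sum"] / s["count"]
        if (unique_ratio >= min_unique_ratio and mean_len >= min_label_len
                and mean_entropy >= min_label_entropy):
            alerts.append({"client": client, "domain": domain, "queries": s["count"],
                           "unique_ratio": round(unique_ratio, 2),
                           "mean_label_len": round(mean_len, 1),
                           "mean_label_entropy": round(mean_entropy, 2)})
    return sorted(alerts, key=lambda a: a["queries"], reverse=True)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_DNS_LOG):
        print(alert)
```

On the sample log only 10.0.0.7 is reported: the normal host repeats a few short names, and the single odd query from 10.0.0.9 stays under the volume threshold, which is the trade-off such a detector makes between catching slow channels and paging on every typo.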

Friday, March 24, 2006

X.805 -> ISO18028-2

It was recently announced that the X.805 standard also became ISO18028-2. It's a network security standard. It was presented to me by my friend Nelson Correa. It was written by people from the telecom world, and it's very similar to other telephony standards, with all its planes, dimensions, etc.

Anyway, I think it's a great document. I like it because it's very pragmatic, more focused than, for example, ISO17799. I suggest that any infosec professional take a look at it. There is a draft available here.

Blog visits increase explained

Yesterday I was looking at the access log of this blog and noticed a sudden increase in the number of visits. I thought about what could have caused this, and today my hypothesis was confirmed.

Thanks Martin McKeay for mentioning the blog in the Network Security Podcast of this week! It was the starting push I was hoping to find.

Martin showed, as all native English speakers do, how hard it is to say my name when you don't know Portuguese (Spanish is similar). You can hear how to pronounce it right here, where you can use the SitePal demo. There is a Portuguese (female, Brazilian) voice there that can read anything you type; it's interesting to play with.



Thursday, March 23, 2006

Bank trojans - it's just beginning

There has been a lot of news in the last few days about trojans targeting bank customers. Although they are making noise because of their ability to capture authentication data, I still think this is nothing very different from what had been predicted for a long time.

My main concern is with code that still has not appeared. Last year I made a presentation with a PoC of code that installs itself as a BHO (Browser Helper Object). It is not a trojan that steals information; it changes information. A user can access his Internet banking website with two-factor authentication (like SecurID) and authenticate again when doing a transaction, but the trojan will not save any information. It just changes the target account. It does not need to be able to send information back to its creator; it fulfils the fraud alone, inside the session the user has authenticated.

Internet banking won't be safe until the endpoint security problem is solved. You can build fraud detection and prevention processes to live with the risk, but if you want to solve the problem you will need to provide endpoint security.
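The following added example (my code, not from the original posts or any bank's system) implements the kind of one-time password token that this post and the earlier phishing post mention, following the HOTP algorithm of RFC 4226, with a server-side verifier that keeps a look-ahead window and refuses replays. Going beyond the post, it also shows the point the BHO scenario makes: an OTP that only proves "the user is here" authorizes whatever the browser sends, so the last two functions bind the code to the destination account and amount, which lets the bank reject a transaction whose details were altered between the user and the server. The user still has to read the real details somewhere the trojan cannot touch, which is exactly the endpoint problem the post points to. The secret is the RFC 4226 test key and the account numbers and amounts are constructed values.

```python
import hashlib
import hmac
import struct


def _truncate(digest, digits):
    """RFC 4226 dynamic truncation: 4 bytes at an offset taken from the last nibble."""
    offset = digest[-1] & 0x0F
    code = ((digest[offset] & 0x7F) << 24 | digest[offset + 1] << 16
            | digest[offset + 2] << 8 | digest[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret, counter, digits=6):
    """HOTP(K, C) = Truncate(HMAC-SHA1(K, C)), with C as an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


class HotpVerifier:
    """Server-side state for one token: the next expected counter plus a look-ahead window."""

    def __init__(self, secret, window=3):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code):
        """Accept a code matching any counter in [counter, counter + window], then move
        past it so the same code can never be accepted again (no replay)."""
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def transaction_code(secret, counter, dest_account, amount_cents, digits=6):
    """An OTP bound to the transaction details: it only authorizes this destination and amount."""
    msg = struct.pack(">Q", counter) + f"|{dest_account}|{amount_cents}".encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return _truncate(mac, digits)


def verify_transaction(secret, counter, dest_account, amount_cents, code):
    """The bank recomputes the code over the details it is about to execute, not the ones
    the user believes he entered; any change in transit makes the two disagree."""
    expected = transaction_code(secret, counter, dest_account, amount_cents)
    return hmac.compare_digest(expected, code)


# Constructed demo values: the RFC 4226 test secret and made-up account numbers.
DEMO_SECRET = b"12345678901234567890"


def demo():
    """Login OTP is accepted once only; a swapped destination account fails verification."""
    verifier = HotpVerifier(DEMO_SECRET)
    login_ok = verifier.verify(hotp(DEMO_SECRET, 0))
    replay_ok = verifier.verify(hotp(DEMO_SECRET, 0))
    # The user computed the code for the transfer he actually wants.
    user_code = transaction_code(DEMO_SECRET, 1, "1234-5", 10000)
    honest = verify_transaction(DEMO_SECRET, 1, "1234-5", 10000, user_code)
    # A BHO-style trojan rewrote the destination inside the authenticated session.
    tampered = verify_transaction(DEMO_SECRET, 1, "9999-9", 10000, user_code)
    return login_ok, replay_ok, honest, tampered


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The second-login OTP the post describes would pass `HotpVerifier.verify` just fine while the trojan changes the account, because nothing in a plain HOTP code depends on the transaction; only a code computed over the destination and amount, on a device the trojan cannot drive, makes the swap visible to the bank.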

New IE vulnerabilities

I usually don’t like to spread FUD by asking people to leave IE and migrate to this or that browser. However, I must admit that today it’s more secure to NOT use IE.

I think there's a difference that comes from the market share and from the number of "haters" that MS has. People with the intention to do harm will focus on looking for vulnerabilities that can give them a bigger return, and "MS haters" tend not to follow responsible disclosure guidelines when dealing with MS products. This, even if unrelated to software quality, makes IE more insecure. I use Firefox and really like it. Getting more people to adopt it, if my line of thinking is correct, can even make IE more secure, as they start to share the focus of attackers.

I believe that all of them have vulnerabilities, and under equal conditions (vulnerability research focus and responsible disclosure) a well-informed user will be able to use any of them with acceptable security.

Testing BlogJet

I have installed an interesting application: BlogJet. It's a cool Windows client for my blog tool (as well as for other tools). Get your copy here:

"Computers are incredibly fast, accurate and stupid; humans are incredibly slow, inaccurate and brilliant; together they are powerful beyond imagination." -- Albert Einstein

Monday, March 20, 2006

Security through Begging

From Schneier's blog. Not only does this solve the wrong problem, according to Schneier, but it also shows that governments are victims of VERY bad infosec advice. It's quite common to see defense department people responsible for advising on these matters. There are lots of trivial relationships between real warfare and information warfare, but assuming that they are the same thing is a really big mistake. Call the subject matter experts, please.

Security Through Begging

From TechDirt:

Last summer, the surprising news came out that Japanese nuclear secrets leaked out, after a contractor was allowed to connect his personal virus-infested computer to the network at a nuclear power plant. The contractor had a file sharing app on his laptop as well, and suddenly nuclear secrets were available to plenty of kids just trying to download the latest hit single. It's only taken about nine months for the government to come up with its suggestion on how to prevent future leaks of this nature: begging all Japanese citizens not to use file sharing systems -- so that the next time this happens, there won't be anyone on the network to download such documents.

Even if their begging works, it solves the wrong problem. Sad.

Is it a joke?

Oracle is releasing software to help people search through their personal data. The most interesting thing in this is this statement by Larry Ellison:

"We have the security problem solved. That's what we're good at, and that's the hard part of the problem."

Is it a joke? Why does Ellison keep ignoring everything David Litchfield is showing about their products?

(I never thought I would say something like this:) It's time for Oracle to learn a bit about dealing with security issues from Microsoft. Yes, they have a lot of them, but at least they are taking the matter seriously.

Friday, March 17, 2006

Firefox extensions for webapp testing

For those who perform security tests on web applications: today I ran across this list of Firefox extensions that can help a lot with the job. One of them allows you to edit your cookies, while another can be used to edit the entire HTTP request. Very good for testing applications without installing Paros or other proxies.


The BSI has just published a new document in the 7799 family, BS7799-3. It is a guide to the implementation of a risk management process, one of the main parts of the ISMS proposed by BS7799-2/ISO27001. I haven't read this document yet, but it's good to know that material to support the development of the main infosec processes needed by an organization is being produced. There are several other standards being developed by SC27 of ISO, which is in charge of the 27000 family. I believe that in a few years we will have a very good set of security standards.

Threat evolution

It's interesting to watch the evolution of vulnerability research and exploit development.

In the beginning we used to see vulnerabilities in the implementations of basic network protocols, like ICMP, IP and TCP. It was the time of TCP spoofing, fragmentation attacks and the Ping of Death.

Later, those protocol implementations started to become more solid, and the hackers (both white and black hats) changed their focus to the daemons, like HTTP (Apache, IIS), SMTP (sendmail!), etc. I think that this was the most fertile terrain for them until now, mainly because of the diversity of versions and configurations of all those daemons.

But even the daemons became more solid. So, where to look for more vulnerabilities? Initially we thought it would be the web applications. But finding web application vulnerabilities wasn't so cool for those who were searching. It wouldn't bring the desired publicity to the researchers (one thing is finding a vulnerability that can impact all Windows users; another is finding something related to a specific website's shopping cart), and for the black hats, less profit. So, what became the next target?

Something very natural happened. They climbed the layers! We went from downstairs, layers 3 and 4, directly to layer 6. Yes, people started to find quite interesting things in the presentation layer (which is so strange that only a few people understand what it really means). There are lots of standards for representing data like images, audio and video. People started to check how applications were dealing with data manipulation. That's when vulnerabilities related to the handling of ASN.1, several image file types (JPG, TIFF and, most recently, WMF), video (WMV) and many others appeared. And they'll probably still find more, as these data handling functions were never considered risky by the developers. There must be a lot of bad code in there. But what it brings in terms of security is what really matters.
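As an added example (my code, not from the original post), the following bounds-checked parser for the basic ASN.1 DER tag-length-value encoding shows the check that the presentation-layer data-handling code discussed above typically skipped: the length field inside the data is under the sender's control and has to be validated against the bytes actually present before anything is copied or indexed. The DER byte strings are constructed for the example, and multi-byte tags are deliberately left unsupported to keep the parser short.

```python
class DerError(ValueError):
    """Raised for any malformed length or tag; callers must treat the input as rejected."""


def read_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, position after it).

    Rejects the three classic trouble spots: indefinite length (0x80), length
    fields wider than 4 bytes, and non-minimal encodings (DER requires the
    shortest form, so a long-form length below 128 is itself a red flag)."""
    if pos >= len(buf):
        raise DerError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:  # short form: one byte, value 0..127
        return first, pos
    n = first & 0x7F  # long form: n following bytes hold the length
    if n == 0:
        raise DerError("indefinite length is not allowed in DER")
    if n > 4:
        raise DerError("length field of %d bytes is too large" % n)
    if pos + n > len(buf):
        raise DerError("truncated: length bytes run past end of buffer")
    length = int.from_bytes(buf[pos:pos + n], "big")
    pos += n
    if length < 0x80 or length < (1 << (8 * (n - 1))):
        raise DerError("non-minimal length encoding")
    return length, pos


def parse_tlvs(buf):
    """Split buf into (tag, value) pairs, checking every declared length against what remains."""
    pos = 0
    out = []
    while pos < len(buf):
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:
            raise DerError("multi-byte tags not supported")
        length, pos = read_length(buf, pos)
        if length > len(buf) - pos:  # the check that turns a crash into a clean reject
            raise DerError("declared length %d exceeds the %d remaining bytes"
                           % (length, len(buf) - pos))
        out.append((tag, bytes(buf[pos:pos + length])))
        pos += length
    return out


def parse_sequence(buf):
    """Parse a single top-level SEQUENCE (tag 0x30) and return its children as (tag, value)."""
    tlvs = parse_tlvs(buf)
    if len(tlvs) != 1 or tlvs[0][0] != 0x30:
        raise DerError("expected exactly one SEQUENCE at top level")
    return parse_tlvs(tlvs[0][1])


def rejects(buf):
    """True if the parser refuses buf with DerError (used to show the hardened behaviour)."""
    try:
        parse_sequence(buf)
    except DerError:
        return True
    return False


# Constructed inputs: a well-formed SEQUENCE { INTEGER 5, UTF8String "ok" } and three
# malformed variants of it.
GOOD = bytes.fromhex("30070201050c026f6b")
OVERLONG = bytes.fromhex("3084ffffffff020105")      # claims 4 GiB of content in 9 bytes
INDEFINITE = bytes.fromhex("30800201050000")        # BER indefinite form, not DER
NONMINIMAL = bytes.fromhex("3081070201050c026f6b")  # length 7 written in long form

if __name__ == "__main__":
    print(parse_sequence(GOOD))  # [(2, b'\x05'), (12, b'ok')]
    for name, blob in (("overlong", OVERLONG), ("indefinite", INDEFINITE),
                       ("non-minimal", NONMINIMAL)):
        print(name, "rejected" if rejects(blob) else "ACCEPTED")
```

The `OVERLONG` input is the shape of the bugs the post is talking about: a decoder that allocates or copies `length` bytes on the strength of the header alone, without comparing it to the buffer, is exactly what lets a crafted file reach memory it should never touch.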

First, there is no longer that link between the service and the vulnerability. You can't view the problem as "I don't have this port open in my firewall, so I'm secure" anymore. The vulnerable file types can be transferred in several ways, by different applications and services, mainly HTTP (oops, isn't AJAX making everything HTTP?) and e-mail protocols. It's hard to understand the impact of a vulnerability in a big network. The attacks don't need to be targeted at the servers, as many applications dealing with these files run on the workstations. The target now is the user, the workstation. And that will be a real problem, because everybody was busy thinking about putting the public servers in DMZs and buying another IPS, trying to keep the perimeter safe. Hehe, sometimes I feel like saying "I told you! I told you!", but it's not very productive. :-)

An important step is trying to reduce the impact of having a compromised workstation in the network. Today's networks are too "all or nothing"; that won't help with this new reality. Another important thing is trying to build better ways to protect the workstations. Today the main protection tool for them is the antivirus, reactive and signature-based. These tools need to evolve, improving their ability to deal with "0 days" and becoming more preventive. Isn't anybody selling a "workstation IPS"? Gee, it would be a good "revolutionary new product category" :-)

This threat evolution is changing the way we need to build our defenses. That alone is enough to make our jobs interesting. It's certainly bad in terms of business risk, but yeah, it's really cool.

Why I don't like IPS

Someone asked me some days ago why I don't like IPSes. It's another device in the traffic path, subject to its own vulnerabilities and failures (see a recent vulnerability report for the TippingPoint IPS). I think that's too much risk for too few benefits, especially if you have a good vulnerability management process and a properly managed firewall.

I still think it can be a good tool for companies that are common targets of script kiddies and that have lots of published services available, as it is easier for them to let something wrong pass through their processes and defenses. But, IMHO, in most cases it's just a waste of resources.

Brazilian bank trojans

I was impressed today when I read this story from The Register. Trojans that capture mouse clicks to defeat "screen keyboards" have been common here in Brazil for more than two years. Are we (Brazilian infosec people) failing to report these things to the international community?

I remember reviewing forensic information from FTP servers used by these trojans a couple of years ago. There were a lot of little images of the area clicked by the user, together with txt files with the typed passwords. One of those trojans was also capable of stealing the user's private key information.

These trojans are perhaps the main reason why Brazilian banks are distributing cards with passwords to be used in a "one time password"-like scheme, like this one from Banco Itaú:

CSO challenges

The challenges of a CSO job are very well stated in this CSO Magazine article. One of the statements caught my eye:

"Business Continuity Planning is like concern for the Environment. Something that can only be reliably practiced by the well off. Protecting the rain forests is important to citizens of developed countries lacking rain forests. For citizens of rain forest areas, the main concern is getting by, feeding the kids and survival, which doesn't necessarily equate to protecting the environment, and can actually lead them to cut valuable trees for charcoal to use for cooking fires. In a similar manner, maintaining redundant systems of production and building hardened sites for maintaining business continuity requires a vision beyond the bottom line. If the sky falls, those who set aside the resources for BCP will shine; however, until the sky falls the BC planner looks like a spendthrift and is in the sights of the budget cutter. When the disaster strikes the poor planner has the best excuse in the world: it was God's will. HSD did the best it could during Katrina. The intelligence agencies did the best they could during 9/11. No one can blame them, right? Everyone understands lack of foresight, we are all guilty of that; the ones who seem to survive best are the ones whose heads are in the sand. Those who actually foresee a disaster like those are negligent if they cannot share their vision. So, why bother? It doesn't bode well for getting the commitment required to spend the money and avoid cutting it during the next budget cycle."

Terry Clark
IT Director
The Republic

File hijacker trojan

There is a story in SecurityFocus this week about a trojan that encrypts files on the victim's computer so its creator can ask for money to decrypt them later. The price seems to be something like 300 bucks. However, imagine this kind of thing in a corporate environment. Running something like that on a file server or even a database would be enough to raise considerably larger amounts of money. Very good "movie plot".

pauldotcom podcast

I'm still just starting to select my favorite infosec podcasts, but pauldotcom is definitely one of them. The guys are extremely funny. I especially like the "I may or may not" Twitchy stories. Kudos, guys!

ISO NBR 27001

On Tuesday I went to the final meeting of the committee that deals with the Brazilian information security standards, to approve the local version of ISO27001. It's very good to be part of the process. The standard will be published as NBR/ISO 27001 in the next few weeks. The translation was very well done; it will be a great document. I hope to see it being used by Brazilian companies in the next months.

Thursday, March 16, 2006

Blogging in English

Hello! For those who don't understand Portuguese, welcome to my blog. I've been blogging about information security for more than two years now, but always in Portuguese. I'm very happy to have several Brazilian colleagues constantly accessing my website, but I also want to be able to post to a broader community. I noticed that this would only be possible by blogging in English. I apologize to native speakers for my bad grammar; feel free to correct me if you like.

I'll try to post translations of some of my older favorite posts first. Meanwhile, I'll also try to put my quick comments about news (which I constantly do in Portuguese) in English as well. I hope you enjoy this blog, and please feel free to comment on the posts and to drop me a line if you want to discuss anything presented here.

X 1 (go! go! go!)