Monday, March 08, 2010

Critical Log Review Checklist

Back to blogging after a long gap. If you are standardizing your log management program, it is worth checking out the critical security log review checklist created by Anton and Lenny.

Tuesday, December 29, 2009

The random channel hopping algorithm cracked

The algorithm that prevents interception of radio signals between a cell phone and the operator's base stations has been cracked by a cryptographer:
The channel-hopping crack comes as the collective is completing the compilation of a rainbow table that allows them to decrypt calls as they happen. The table works because GSM encryption uses A5/1, a decades-old algorithm with known weaknesses. The table - a 2-terabyte list of known results that allows cryptographers to deduce the unique key that encrypts a given conversation - was developed by volunteers around the globe using giant clusters of computers and gaming consoles.
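The "2-terabyte list of known results" in the quote is a time-memory trade-off, not a list of every key. An attacker precomputes chains of keys linked by a reduction function, stores only each chain's start and end, and at attack time walks an observed keystream forward until it lands on a stored end point. The following added example (mine, not code from the page or from the A5/1 project) builds and queries such a rainbow table over a toy 16-bit keyed function standing in for A5/1; the hash-based keystream function, the chain length and the reduction function are assumptions chosen so the whole table builds in well under a second. Only the scale differs: A5/1's 64-bit state is what turns this into terabytes of precomputation.

```python
import hashlib

# Toy parameters: a 16-bit key space stands in for A5/1's 64-bit internal state
# so the table builds in under a second. The technique is unchanged at scale.
KEY_BITS = 16
KEY_MASK = (1 << KEY_BITS) - 1
CHAIN_LEN = 64                       # t: one-way steps stored per chain


def keystream(key: int) -> int:
    """Stand-in for 'secret key -> observable keystream' (A5/1 in the real attack).

    Assumed for illustration: a 32-bit truncation of SHA-256 over the key. All
    the table needs is a deterministic one-way map the attacker can evaluate.
    """
    return int.from_bytes(hashlib.sha256(key.to_bytes(2, "big")).digest()[:4], "big")


def reduce_key(ks: int, column: int) -> int:
    """Rainbow reduction: fold a keystream value back into the key space.

    The column index is mixed in so every chain position uses a different
    reduction, which limits chain merging compared with classic Hellman tables.
    """
    return (ks + column * 0x9E37) & KEY_MASK


def build_table(num_chains: int) -> dict:
    """Precompute `num_chains` chains of CHAIN_LEN steps each.

    Only (end point -> start points) is kept; every intermediate key is thrown
    away. That is the memory side of the time-memory trade-off.
    """
    table = {}
    for start in range(num_chains):
        key = start
        for column in range(CHAIN_LEN):
            key = reduce_key(keystream(key), column)
        table.setdefault(key, []).append(start)   # keep all starts on a merge
    return table


def lookup(table: dict, target: int):
    """Recover a key whose keystream equals `target`, or None if not covered.

    For each column the target could occupy, walk forward to the chain's end;
    if that end point is stored, replay the chain from its start and return
    the key sitting just before `target`.
    """
    for column in range(CHAIN_LEN - 1, -1, -1):
        key = reduce_key(target, column)
        for c in range(column + 1, CHAIN_LEN):
            key = reduce_key(keystream(key), c)
        for start in table.get(key, ()):
            cand = start
            for c in range(CHAIN_LEN):
                if keystream(cand) == target:
                    return cand
                cand = reduce_key(keystream(cand), c)
    return None


def coverage(table: dict, sample_keys) -> float:
    """Fraction of the sampled keys recoverable from their keystream alone."""
    hits = sum(1 for k in sample_keys if lookup(table, keystream(k)) is not None)
    return hits / len(sample_keys)


if __name__ == "__main__":
    table = build_table(2048)            # 2048 chains x 64 steps covers most of 2**16
    print("distinct end points stored:", len(table))
    print("coverage on 101 sample keys:", coverage(table, range(0, 65536, 655)))
```

The numbers to notice: the table stores about 2,048 entries yet recovers most of the 65,536 keys, at the cost of roughly 2,000 keystream evaluations per lookup. Coverage is probabilistic; some keys never fall on a stored chain, which is why the real tables were grown by volunteers until the hit rate was high enough to be useful against live calls.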

Saturday, December 12, 2009

Point-of-sale (POS) terminals - Treasure for RAM scrapers

RAM scrapers are scouring the RAM of point-of-sale (POS) terminals, where PINs and other credit card data are held in the clear.
Verizon employees recently found the malware on the POS server of an unnamed resort and casino that had an unusually high number of customers who had suffered credit card fraud. The malware was sophisticated enough to log only payment card data rather than dumping the entire contents of memory. That was crucial to ensuring the malware didn't create server slowdowns that would tip off administrators.
The RAM scraper dumped the data onto the server's hard drive. The perpetrators visited at regular intervals through a backdoor on the machine to collect the booty.

It is not a new attack, but it is rapidly climbing the attackers' charts.
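The detail that the malware was "sophisticated enough to log only payment card data" comes down to pattern matching: track 2 magnetic-stripe data has a fixed shape (PAN, '=', YYMM expiry, three-digit service code, discretionary data, '?'), and the PAN carries a Luhn check digit that weeds out most false positives. The following added example (mine, not code from the page or from Verizon's report) runs that same scan over a constructed memory snapshot; it is the check a responder or DLP tool applies to a process dump to confirm card data was resident in the clear.

```python
import re

# Track 2 layout: optional start sentinel ';', 13-19 digit PAN, '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, optional end sentinel '?'.
TRACK2 = re.compile(rb";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\??")


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check digit validation over a numeric PAN string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as a report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return track-2 records in a raw memory image whose PAN passes Luhn.

    Each hit carries the byte offset so a responder can map it back to the
    process or heap region that held it.
    """
    hits = []
    for m in TRACK2.finditer(buf):
        pan = m.group("pan").decode()
        if not luhn_ok(pan):
            continue                  # random digit runs almost never pass Luhn
        hits.append({
            "offset": m.start(),
            "pan": pan,
            "masked": mask_pan(pan),
            "expiry": m.group("exp").decode(),
            "service": m.group("svc").decode(),
        })
    return hits


# Constructed memory snapshot (not a real dump): one valid track, one decoy
# digit run that fails Luhn, one 15-digit PAN, and unrelated bytes around them.
SAMPLE_MEMORY = (
    b"\x00\x00POS-TERM v2.1\x00\x00"
    b";4111111111111111=25121010000000000000?\x00\x00"
    b"order=1234567890123=2512101?\x00"
    b"\xff\xfe378282246310005=27011210000000?\x00 trailing"
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print("offset %5d  pan %-20s exp %s svc %s"
              % (hit["offset"], hit["masked"], hit["expiry"], hit["service"]))
```

The same logic, pointed at a live process instead of a saved buffer, is what the scraper did; a defender runs it the other way round, against a suspected terminal's memory, to scope what was exposed. The PANs here are the standard test numbers that pass Luhn, not real cards.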

Friday, December 11, 2009

Pushing the limits of Privacy!

Blippy is pushing the limits of privacy by inviting social network users to publish their credit card purchases to their public feeds.
Imagine being able to see everything your friends buy with a credit card as they do it. This not only tells you what kind of things they’re actually into (rather than someone just saying they like something), but also other information like how cheap they are, as well as where they actually are at a given time. There is actually a lot of data tied into the transactions we make, and Blippy takes that and makes it social.
I hope the folks in the security world concur that this will result in more identity theft cases than ever before.

Tuesday, December 01, 2009

Northrop Grumman to join universities to address Internet security issues

After the NSA's partnership with Microsoft, with its commitment to enhance Windows 7 security without constraining users in their everyday tasks, Northrop Grumman Corp. is partnering with CERIAS, CMU and MIT to advance research and address the nation's most pressing cyber threats.
Northrop is a major provider of cybersecurity support for U.S. defense and intelligence, and to civil governments in the U.S. and elsewhere. Brammer said the collaboration will speed up research with ideas that can be incorporated in contracts coming up soon as well as explore pro-active ways to protect information in the public and private sectors.

Thursday, September 24, 2009

Swarm Intelligence: deploying new defense modeled after ants

Worms kill but ants save! Researchers at WFU are deploying a new defense modeled after one of nature's hardiest creatures, the ant. Why the ant? Per the researchers:
Our idea is to deploy 3,000 different types of digital ants, each looking for evidence of a threat. As they move about the network, they leave digital trails modeled after the scent trails ants in nature use to guide other ants. Each time a digital ant identifies some evidence, it is programmed to leave behind a stronger scent. Stronger scent trails attract more ants, producing the swarm that marks a potential computer infection.
A good direction, but I am not sure 3,000 ants will be sufficient to crawl a trillion URLs on the web in the near future.

Monday, September 21, 2009

Using AI for monitoring "abnormal behavior"

This is not the first time artificial intelligence has been used for monitoring or processing public information. In the past, researchers have proposed a design for a smart computer that they believe will be able to detect insider trading fraud on the stock exchange almost instantly. Now the EU has funded a five-year research program, called Project Indect, that aims to develop computer programs which act as "agents" to monitor and process information.
According to the official website for Project Indect, which began this year, its main objectives include "to develop a platform for the registration and exchange of operational data, acquisition of multimedia content, intelligent processing of all information and automatic detection of threats and recognition of abnormal behaviour or violence".

It talks of the "construction of agents assigned to continuous and automatic monitoring of public resources such as: web sites, discussion forums, usenet groups, file servers, p2p [peer-to-peer] networks as well as individual computer systems, building an internet-based intelligence gathering system, both active and passive".

Wednesday, September 16, 2009

Chat-in-the-Middle attack

Phishers never stop innovating. After vishing (voice phishing) and smishing (SMS phishing), they are now reinforcing the phishing page with a bogus live-chat support window, so that a chat session initiated by the fraudster harvests additional credentials.
During the live chat session, the fraudster behind the attack presents himself as a representative of the bank's fraud department and attempts to dupe customers who are online into divulging sensitive information - such as answers to secret questions that are used for online customer authentication. This attack is currently targeting a single U.S.-based financial institution.

Sunday, September 13, 2009

Credit info unlock using info on driver's license

According to a recent Consumer Reports study, car dealers have the technical ability to pull a test driver's credit report using only the information on the driver's license. The report states that under the FCRA they must get the driver's permission, but the wording is a little ambiguous:
Under the federal Fair Credit Reporting Act, a car dealer must always get your permission to look at your credit report. He or she can get that permission in writing—when you sign a release or a loan application—or by implication, without your signature, if there is a “legitimate business need.” 
It further states that a test drive does not constitute a legitimate business need; only a consumer actually initiating the purchase or lease of a vehicle qualifies as business that may involve a need to check credit. Since the technical means to pull reports is readily available, I hope someone reviews metrics such as how many reports a dealership pulled versus how many vehicles it sold.

Thursday, September 10, 2009

Net worth on the black market

Norton has developed a tool for evaluating your risk level, which provides an estimated value of your personal data to thieves in the criminal underground. The tool, built to raise consumer awareness of cybercrime, calculates your net worth on the black market using an algorithm and generates a report on the cost of your online assets, the value of your online identity on the black market, and your risk of becoming a victim of identity theft.
I tried the tool when I was initially briefed on it a few months ago and was surveyed about my gender and age range; online assets (including credit card and bank account data, brokerage accounts, e-mail accounts, and social network accounts) and an estimated value of all that information; whether I use security software; how cautious I am when online; and how much I think my information is worth.
Can one calculate how much "risk" is added (or how much one's net worth on the black market increases) in the very process of gathering users' financial (credit card, bank and brokerage accounts) and personal (e-mail and social network accounts) information? And if the tool returns a low number ($10) for a user, does that mean the probability of identity theft for that user is low?

Intelligent Information Privacy Management Symposium

Stanford's Center for Computers and Law is organizing the Intelligent Information Privacy Management Symposium on March 23 - 25, 2010.
This symposium takes a transdisciplinary approach in its exploration of privacy management by drawing from the key areas of Law, Computer Science, Artificial Intelligence, and Business. It will focus on the need to develop effective information privacy management frameworks, tools and techniques by addressing the underlying tension between transparency and disclosure in the privacy versus business strategy arenas.
The organizing committee is seeking three kinds of contributions: issues papers, position papers, and technical papers. If anyone is interested in co-authoring, please contact me. (The deadline seems tight, though: October 2, 2009.)

Monday, September 07, 2009

Most common high risk vulnerabilities

SQL injection, cross-site scripting, and cross-site request forgery (CSRF) attacks are rated the most common high-risk vulnerabilities. Not only that, NTA found that 27% of all applications contained at least one high-risk issue, with the most dramatic change seen among charity and not-for-profit clients. See the proposed suggestions below, though I don't agree that they provide protection against all of the noted attacks:
• Make sure all user-supplied data is properly sanitised before returning it to the browser or storing it in a database.
• Organisations should switch from a persistent authentication method to a transient authentication method to help prevent cross-request forgery attacks.
• An account lockout mechanism should be in place, to lock out accounts permanently or temporarily, to help prevent attackers from being able to brute force user accounts.
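The first suggestion is where the disagreement lies: "sanitising" input before it reaches the database or the browser is neither necessary nor sufficient. SQL injection is closed by binding parameters so data never becomes query text, cross-site scripting by encoding at the point of output for the context it lands in, and CSRF by binding each state-changing request to an unguessable per-session token, which account lockout and session lifetime do nothing about. The following added example (mine, not code from the page or from NTA) puts the vulnerable query beside its parameterised form and adds the output-encoding and CSRF-token checks, using an in-memory SQLite table constructed for the demonstration.

```python
import html
import hmac
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the application's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    return con


def find_user_vulnerable(con, name: str) -> list:
    """String-built query: the attacker's input is parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return con.execute(sql).fetchall()


def find_user_safe(con, name: str) -> list:
    """Parameterised query: the driver binds the value; it can never alter the statement."""
    return con.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting(name: str) -> str:
    """Output encoding for an HTML text context stops reflected and stored XSS.

    The stored value is left untouched; escaping happens where the data is
    emitted, because the right encoding depends on the output context.
    """
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def issue_csrf_token(session: dict) -> str:
    """Mint a random token, store it server-side in the session, return it for the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_valid(session: dict, submitted) -> bool:
    """Accept a state-changing request only if the submitted token matches the session's.

    compare_digest avoids leaking the token through timing differences.
    """
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    con = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(con, payload))   # every row comes back
    print("safe:      ", find_user_safe(con, payload))         # no user has that name
    print(render_greeting("<script>alert(1)</script>"))
    session = {}
    token = issue_csrf_token(session)
    print("token accepted:", csrf_valid(session, token),
          "forged rejected:", csrf_valid(session, "not-the-token"))
```

The three defences are independent: a site can parameterise every query and still be fully exposed to CSRF, which is exactly why a single "sanitise everything" rule does not cover the list NTA reported.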

Wednesday, September 02, 2009

How behavioral advertising is a threat?

A coalition of consumer organizations is urging Congress to adopt new legislation for behavioral tracking and ad targeting.
Many Web users are unaware of all the information that's being collected about them, especially by ad networks engaged in targeted or behavioral advertising.

The groups recommended that consumers should be able to obtain the information collected by behavioral advertising vendors, and should be able to challenge the data held about them.
Don't take me wrong, I respect consumers' privacy, but how big is the threat if the data is used for analysis only and never disclosed to or read by a human? Forcing web sites to get opt-in permission before tracking user behavior would definitely help, but as consumers, how many of us pay attention to what we are opting in to before clicking the check box?

Tuesday, September 01, 2009

Utilizing Risk Management for Managing Change

Jon presents good logic for using IT risk management for competitive advantage. He argues that by investing in infrastructure improvement, embedding IT risk awareness and management in every business process, empowering IT management with proactive business leadership support, considering risk in terms of access, accuracy, and agility, and raising awareness of and embracing upside risks enterprise-wide, companies can make balanced trade-offs that positively differentiate them from the competition.
Wherever risks arise from, we can all agree there are a plethora of risks already present and more apparently forthcoming. Effective leadership requires choreographing change to address the upside and downside risks and the vulnerabilities inherent to both. This is especially true around IT risks since companies are ever more dependent upon the lift IT brings via automation of key business processes, linking to customers and suppliers, and ever-increasing, mandated compliance reporting.

Monday, August 31, 2009

Difference between IT Risk and Information Risk

I recently saw a post on Mark's blog on the difference between IT risk and information risk, which caught my attention. Mark provides a good explanation of both, associating IT risk with assets and information risk with the information itself.

IT Risks should have a focus on technology, while Information Risks should not. By clearly positioning the two as different, it is easier to delineate responsibilities when partnering with the business on managing risks. Knowing who owns what always increases your chances of being successful. IT risks, given their technology orientation, will rightfully so land more on the plate of IT professionals to manage vs. the business. Information Risks should accordingly land more so on the business side.

I, being an information risk evangelist, would like to add a few points to Mark's well-defined theory. Since IT started evolving, the focus had been on protecting the infrastructure, applications, and other assets that store a company's information. That was the era when the term IT risk management was in common and popular use. But as information governance started to gain recognition as a subset of corporate governance, boards started to pay attention to information risk. In reality, the board is accountable for ensuring that the business protects its information, and this shift in accountability has given rise to information risk (a subset of operational risk), which encompasses all the controls a company needs to implement to protect its information.

Sunday, August 30, 2009

Burglars & Social Networks

More than 30 percent of Facebook and Twitter users have posted their holiday plans or mentioned that they will be away for the weekend.
In support of the report, an experiment was conducted to see how many U.K. social media users would accept a "friend" invitation from a complete stranger. Of 100 "friend" or "follow" requests issued to strangers selected at random, 13 percent were accepted on Facebook and 92 percent on Twitter, without any checks. This reaction could result in a complete stranger potentially being able to learn about a person’s interests, location, and movements in and out of their home.
Gosh, it's going to be a busy season for burglars.

Cracking WPA encryption in a minute

We already knew WPA encryption could be broken, but Japanese researchers have taken the attack to a new level, breaking it in about one minute.
Computer scientists in Japan say they've developed a way to break the WPA encryption system used in wireless routers in about one minute. The attack gives hackers a way to read encrypted traffic sent between computers and certain types of routers that use the WPA (Wi-Fi Protected Access) encryption system.

The earlier attack, developed by researchers Martin Beck and Erik Tews, worked on a smaller range of WPA devices and took between 12 and 15 minutes to work. Both attacks work only on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm. They do not work on newer WPA 2 devices or on WPA systems that use the stronger Advanced Encryption Standard (AES) algorithm.
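Whether a given network is exposed therefore comes down to one question: does the access point still accept TKIP, for either the pairwise or the group cipher? An AP advertises exactly that in the RSN information element (WPA2) or the vendor-specific WPA element of its beacons. The following added example (mine, not code from the page or from the researchers) decodes those elements from constructed beacon bytes and flags any network where TKIP is negotiable; a "WPA/WPA2 mixed mode" AP with a CCMP pairwise cipher but a TKIP group key is still flagged, because the group key is what TKIP-only clients and broadcast traffic use.

```python
import struct

# Suite selector type codes shared by the RSN IE (OUI 00-0F-AC, IEEE 802.11i)
# and the original vendor-specific WPA IE (OUI 00-50-F2, type 1).
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_NAMES = {1: "802.1X", 2: "PSK"}
WPA_VENDOR_HEADER = b"\x00\x50\xf2\x01"


def _suite_name(selector: bytes, names: dict) -> str:
    """Map a 4-byte suite selector (3-byte OUI + 1-byte type) to a name."""
    return names.get(selector[3], "unknown-%02x" % selector[3])


def _suite_list(body: bytes, off: int, names: dict):
    """Read a little-endian count followed by that many 4-byte selectors."""
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    suites = []
    for _ in range(count):
        suites.append(_suite_name(body[off:off + 4], names))
        off += 4
    return suites, off


def parse_security_ie(ie: bytes) -> dict:
    """Decode an RSN (tag 0x30) or vendor WPA (tag 0xDD) information element.

    Returns the advertised group cipher, pairwise ciphers and AKMs, plus a
    `tkip_allowed` flag: true if TKIP is accepted as the group or a pairwise
    cipher, which is the configuration the attacks above apply to.
    """
    tag, length = ie[0], ie[1]
    body = ie[2:2 + length]
    if tag == 0x30:
        kind, off = "WPA2 (RSN IE)", 0
    elif tag == 0xDD and body[:4] == WPA_VENDOR_HEADER:
        kind, off = "WPA (vendor IE)", 4
    else:
        raise ValueError("not an RSN or WPA information element")
    (version,) = struct.unpack_from("<H", body, off)
    off += 2
    group = _suite_name(body[off:off + 4], CIPHER_NAMES)
    off += 4
    pairwise, off = _suite_list(body, off, CIPHER_NAMES)
    akms, off = _suite_list(body, off, AKM_NAMES)
    return {
        "kind": kind,
        "version": version,
        "group": group,
        "pairwise": pairwise,
        "akm": akms,
        "tkip_allowed": group == "TKIP" or "TKIP" in pairwise,
    }


# Constructed information elements, byte-for-byte as they would sit in a beacon.
# WPA2-PSK, CCMP only: not affected by the TKIP attacks.
IE_WPA2_CCMP = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
# "Mixed mode": group key TKIP, pairwise TKIP or CCMP. Still exposed.
IE_WPA2_MIXED = bytes.fromhex("3018 0100 000fac02 0200 000fac02 000fac04 0100 000fac02 0000")
# Original WPA with TKIP throughout: the target of both attacks.
IE_WPA1_TKIP = bytes.fromhex("dd16 0050f201 0100 0050f202 0100 0050f202 0100 0050f202")

if __name__ == "__main__":
    for label, ie in (("wpa2-ccmp", IE_WPA2_CCMP), ("wpa2-mixed", IE_WPA2_MIXED),
                      ("wpa1-tkip", IE_WPA1_TKIP)):
        r = parse_security_ie(ie)
        print("%-10s %-16s group=%-5s pairwise=%-14s akm=%-8s TKIP exposed: %s"
              % (label, r["kind"], r["group"], "/".join(r["pairwise"]),
                 "/".join(r["akm"]), r["tkip_allowed"]))
```

On the access-point side the fix is the one the quoted article implies: run WPA2 with CCMP only (in hostapd, `wpa=2` with `wpa_pairwise=CCMP` and `rsn_pairwise=CCMP`, TKIP nowhere in the list), which makes both the group and pairwise selectors decode as CCMP above.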

Wednesday, August 26, 2009

Another code theft

These types of data theft could be prevented by implementing better data protection and content monitoring controls, e.g., locking down USB ports, monitoring e-mail, blocking web sites and outbound ports, and, most importantly, restricting access to source code. From the report on the latest case:
He said that he had inadvertently downloaded a portion of [Company’s] proprietary code while trying to take files of open source software — programs that are not proprietary and can be used freely by anyone. He said he had not used the [Company's] code at his new job or distributed it to anyone else, and the criminal complaint offers no evidence that he has.

Why he downloaded the open source software from Goldman, rather than getting it elsewhere, and how he could at the same time have inadvertently downloaded some of the firm’s most confidential software, is not yet clear.

Sunday, August 23, 2009

Removing the shield of anonymity

Microsoft researchers will soon show a way to remove the shield of anonymity from shadowy attackers, even when the host's IP address changes frequently.
Tracing the origins of messages--a key task for tracking spam and other kinds of Internet attack--involved reconstructing relationships between account IDs and the hosts from which users connected to the e-mail service. To do this, the researchers clumped together all the IDs accessed from different hosts over a certain time period. The HostTracker software then combed through this data to resolve any conflicts. For example, sometimes more than one user appeared to originate from the same IP address or a single user had multiple IP addresses during overlapping periods of time.

Saturday, August 22, 2009

Highly Predictive Blacklisting

A new technique, called highly predictive blacklisting, uses data from past attacks to block potential attackers in the future.

In the same way that Amazon can recommend a book by comparing your past reading habits to those of many other individuals, it is possible to predict how you will be targeted by malicious internet activity by comparing your history of attacks with that of other web users.

The Irvine team have tested their algorithm on a dataset of one month's worth of logs, consisting of hundreds of millions of security log entries from hundreds of networks. The team claims that the strike rate of its predictive blacklists is up to 70 per cent better than state-of-the-art systems and that further improvements are well within reach.

My take: Amazon.com can recommend books because users (readers) have specific tastes and reading interests, but in the case of attackers I do not think it is as easy to draw a pattern, beyond the fact that professional hackers circle around sites and databases holding customer PII (personally identifiable information).
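The Amazon analogy is collaborative filtering: a source that has hit networks whose attack history looks like yours is likely to hit you next, even if you have never logged it. The following added example (mine, a deliberately simplified illustration, not the researchers' published algorithm, which propagates relevance across the whole contributor graph and weights by attack severity) scores unseen sources for one network by the similarity of its attacker set to every other contributor's, over a constructed set of shared firewall log entries.

```python
import math
from collections import defaultdict

# Constructed sample of shared firewall/IDS logs: (contributing network, attacking source).
# Nets A, B and C are hit by an overlapping set of sources; net D only by unrelated ones.
SHARED_LOGS = [
    ("net-A", "203.0.113.10"), ("net-A", "203.0.113.20"), ("net-A", "203.0.113.30"),
    ("net-B", "203.0.113.10"), ("net-B", "203.0.113.20"), ("net-B", "203.0.113.40"),
    ("net-C", "203.0.113.10"), ("net-C", "203.0.113.20"), ("net-C", "203.0.113.40"),
    ("net-D", "198.51.100.8"), ("net-D", "198.51.100.9"),
]


def attackers_by_victim(logs) -> dict:
    """Group the shared logs into one attacker set per contributing network."""
    seen = defaultdict(set)
    for victim, source in logs:
        seen[victim].add(source)
    return seen


def similarity(a: set, b: set) -> float:
    """Cosine similarity between two networks' binary attacker vectors."""
    if not a or not b:
        return 0.0
    return len(a & b) / math.sqrt(len(a) * len(b))


def relevance_scores(logs, victim: str) -> dict:
    """Score sources the victim has NOT yet seen.

    A source earns the similarity weight of every network it attacked whose
    history resembles the victim's; unrelated networks contribute nothing.
    """
    seen = attackers_by_victim(logs)
    mine = seen.get(victim, set())
    scores = defaultdict(float)
    for other, theirs in seen.items():
        if other == victim:
            continue
        weight = similarity(mine, theirs)
        if weight == 0.0:
            continue
        for source in theirs - mine:
            scores[source] += weight
    return dict(scores)


def predictive_blacklist(logs, victim: str, size: int) -> list:
    """Top `size` predicted sources for `victim`, highest relevance first."""
    ranked = sorted(relevance_scores(logs, victim).items(),
                    key=lambda kv: (-kv[1], kv[0]))
    return [source for source, _ in ranked[:size]]


if __name__ == "__main__":
    for net in ("net-A", "net-B", "net-D"):
        print(net, "->", predictive_blacklist(SHARED_LOGS, net, 5))
```

Net A gets 203.0.113.40 on its list before that source ever touches it, because B and C, which share two thirds of A's attackers, both saw it; net D, whose history overlaps nobody's, gets an empty prediction. That is also where the objection above bites: a network with no neighbours in the data receives no benefit, and a scanner that hits everyone indiscriminately is simply a global blacklist entry rather than a prediction.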