Bogus E-mail from Microsoft
isc.sans.org and several other sites are reporting a bogus e-mail from Microsoft containing malicious code, an example of which is below. In addition to the various technical measures that can be taken such as blocking executables in e-mail, effective spam filtering, A/V protection, and endpoint protections, users should also be reminded to be on alert for these types of issues. Besides telling them to never click on these types of items, and not giving them the local rights to accomplish this, I believe we can go further in order to promote more security conscious activities at home, and hopefully reduce the number of zombied systems available for bot herders. In this example it is easy to spot the poor grammar in the e-mail as a sure giveaway that this is bogus. OK, my grammar is not exactly perfect either, but that is not the point. Now Microsoft or any company would most likely never distribute updates in this manner, but hopefully any valid communication from a company of this size would certainly not contain as many errors as I have illustrated below in bold, and that is exactly one of the items I point out to end users in classes I teach. My guess is that someone for whom English is not his or her native language wrote this – a former or current Russian state would be my guess.
Dear Microsoft Customer,Please notice that Microsoft company has recently issued a Security Update for OSMicrosoft Windows. The update applies to the following OS versions: MicrosoftWindows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft WindowsXP, Microsoft Windows Vista.Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.Since public distribution of this Update through the official websitehttp://www.microsoft.com/ would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users. As your computer is set to receive notifications when new updates are available, [how do they know that?] youhave received this notice. In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine.
In that case,at this point the upgrade of your OS will be finished.We apologize for any inconvenience this back order may be causing you.
Friday, October 10, 2008
Friday, October 3, 2008
Travelers Privacy Protection Act of 2008
A bill has been introduced into Congress that would finally put protection and requirements in place before the Customs Service could confiscate your laptop, or perform an inspection of the data on the laptop without reasonable cause. The act further defines specific periods the equipment can be maintained and requires a warrant to be issued before a device could be seized. The bill also prohibits profiling and sets privacy requirements while the Customs Officials are looking at your computer or electronic device. I believe this is a step in the right direction, and a small return of our privacy and dignity that travelers lose every time they enter an airport, supposedly in the name of security. Our constitutional rights should not be thrown out the door in this current purgatorial zone of legality that currently exists at every US airport, and the comedic security measures that are taken, like removing your shoes, are doing little if anything to reduce the risk to the country or the particular flight you happen to be on. However, they are visible and easy, and that seems to be the mantra for the TSA – but I digress.
I still don’t believe you can legally be compelled to reveal your password, and the cases that have been tried have had so many other circumstances that had the person simply refused to divulge their password they would have probably prevailed. There is no judicial precedent on this matter, but it seems to be ill conceived on so many levels, not the least of which is the 5th amendment. Laptop computers and other electronic devices contain too much personal or corporate confidential information on them to simply let a government employee have complete access and copies of that data. Strong encryption and just one judicial precedence will hopefully end this matter for most of us law abiding citizens, and I’m sure the law breakers would never think to store this information in e-mail, or some other Internet storage application they can send back and forth across most borders without any checks.
But perhaps that is the government's next priority into our lack of privacy – let’s hope not.
I still don’t believe you can legally be compelled to reveal your password, and the cases that have been tried have had so many other circumstances that had the person simply refused to divulge their password they would have probably prevailed. There is no judicial precedent on this matter, but it seems to be ill conceived on so many levels, not the least of which is the 5th amendment. Laptop computers and other electronic devices contain too much personal or corporate confidential information on them to simply let a government employee have complete access and copies of that data. Strong encryption and just one judicial precedence will hopefully end this matter for most of us law abiding citizens, and I’m sure the law breakers would never think to store this information in e-mail, or some other Internet storage application they can send back and forth across most borders without any checks.
But perhaps that is the government's next priority into our lack of privacy – let’s hope not.
Wednesday, September 24, 2008
Information Security and Privacy Class
Thanks so much for everyone who attended my class on Tuesday. I have published notes and links at the Class Notes link below. Please let me know if you have any questions, or need additional information.
Chris
Class Notes
Chris
Class Notes
Thursday, August 7, 2008
What can be learned from data breach reports?
I need to thank the people at Attrition.org who are maintaining a database of data breaches that I refer to on a regular basis. I believe the information in these types of breach databases are very valuable as a research tool into good measures to spend your time and money in order to keep your company off of this list. Of course we have to make several assumptions about the data contained in the reports, and of course “you don’t know what you don’t know”, but even so, this is probably as good of a starting point as any survey we’ve all seen, and of course your risk appetite as well as the specific risks of an organization will also have to be considered. Now for the numbers
The database covers the period from January of 2000, until July 31 of this year and includes 1051 breaches. Here is a breakdown of some of the interesting facts after removing a couple which show disputed in the type of breach.
87% of the breaches were not due to a loss from a third-party. Another report from Verizon claims that 39% of their breaches are from a third-party. I believe there may be some under reporting of this statistic here due to the third parties reporting, and their customers not reporting the same incident.
The distribution of breaches amongst Business, Government, Education and Medical were 34%,24%, 30% and 12% respectively.
Stolen data was the highest reported breach type at 37% followed by “hack” which is classified by Attrition as “computer-based intrusion, data not generally publicly exposed” came in second at 21% followed by web-based intrusions at 15%.
The database covers the period from January of 2000, until July 31 of this year and includes 1051 breaches. Here is a breakdown of some of the interesting facts after removing a couple which show disputed in the type of breach.
87% of the breaches were not due to a loss from a third-party. Another report from Verizon claims that 39% of their breaches are from a third-party. I believe there may be some under reporting of this statistic here due to the third parties reporting, and their customers not reporting the same incident.
The distribution of breaches amongst Business, Government, Education and Medical were 34%,24%, 30% and 12% respectively.
Stolen data was the highest reported breach type at 37% followed by “hack” which is classified by Attrition as “computer-based intrusion, data not generally publicly exposed” came in second at 21% followed by web-based intrusions at 15%.
Friday, July 18, 2008
NebuAd hauled down to Capitol Hill
WASHINGTON -(Dow Jones)- The chief executive of an Internet advertising start- up admitted Thursday that his firm could track peoples' activity on multiple Web sites without their express permission.
NebuAd CEO Robert Dykes said at a House hearing that the Internet service providers with which his company partners send their customers letters 30 days before any tracking begins.
The letters, which Dykes described as "robust," tell subscribers how they can opt out of the monitoring. If the customer doesn't respond, however, NebuAd begins collecting data on their browsing activities to offer ads relevant to their interests.
Yep - you can opt out alright, then they will place a cookie in your browser that will prevent their technology from performing its dastardly deeds. Of course if you ever get rid of that cookie, you are right back in the mix.
NebuAd CEO Robert Dykes said at a House hearing that the Internet service providers with which his company partners send their customers letters 30 days before any tracking begins.
The letters, which Dykes described as "robust," tell subscribers how they can opt out of the monitoring. If the customer doesn't respond, however, NebuAd begins collecting data on their browsing activities to offer ads relevant to their interests.
Yep - you can opt out alright, then they will place a cookie in your browser that will prevent their technology from performing its dastardly deeds. Of course if you ever get rid of that cookie, you are right back in the mix.
Thursday, July 17, 2008
Another ISP caught with their NebuAd down
The Washington Post is reporting a story today that Embarq, an ISP in Kansas has been using the same technology that Charter Communications was pressured to drop just weeks ago. Apparently Embarq didn't tell their subscribers about this, and Congress is fast considering this and similar uses of deep packet inspection technology to perform these types of actions wiretapping. They have a link right on their home page listed "your privacy rights", but apparently that is just for show.
This is the first of their "five privacy principles" that apparently allow them to look at where their customers travel on the web.
EMBARQ creates, obtains, and uses your personal information to provide you the products and services you order, and to present you with product and service offerings that we believe may interest you
This is their definition of personal information.
Personal information is information that is directly associated with a specific person such as his or her name, address, telephone number, e-mail address, activities, and personal preferences.
We collect personal information about users of our products or services in the normal course of our business. This is how we know where to send you a bill for service...
Or an ad for something you may want.
All of their references to cookies in the privacy policy relate to cookies on the Embarq site, and mention nothing of the types of cookies used in the NebuAd realm. I am usually the last one to think that congress does much effectively, but perhaps this will be the nail in the coffin of this technology and stop other ISP's from getting the same idea. These types of privacy mishaps where companies had a privacy policy not outlining these types of activities, but thought it was their god given right to do so have gotten several companies in trouble with the FTC for unfair and deceptive trade practices, and a nice visit form the auditors biannually for the next 20 years. I'm hoping Embarq is next, and it serves as a lesson to other ISPs.
This is the first of their "five privacy principles" that apparently allow them to look at where their customers travel on the web.
EMBARQ creates, obtains, and uses your personal information to provide you the products and services you order, and to present you with product and service offerings that we believe may interest you
This is their definition of personal information.
Personal information is information that is directly associated with a specific person such as his or her name, address, telephone number, e-mail address, activities, and personal preferences.
We collect personal information about users of our products or services in the normal course of our business. This is how we know where to send you a bill for service...
Or an ad for something you may want.
All of their references to cookies in the privacy policy relate to cookies on the Embarq site, and mention nothing of the types of cookies used in the NebuAd realm. I am usually the last one to think that congress does much effectively, but perhaps this will be the nail in the coffin of this technology and stop other ISP's from getting the same idea. These types of privacy mishaps where companies had a privacy policy not outlining these types of activities, but thought it was their god given right to do so have gotten several companies in trouble with the FTC for unfair and deceptive trade practices, and a nice visit form the auditors biannually for the next 20 years. I'm hoping Embarq is next, and it serves as a lesson to other ISPs.
Wednesday, July 16, 2008
Verizon data breach report
Verizon Small Business Services released a study of more than 500 data breaches that they were consulted in from 2004 to 2007 entitled 2008 DATA BREACH INVESTIGATIONS REPORT. Whether you can take the findings in here to be an accurate barometer of the state of information security or not is up to you, but I am much more impressed with this report, that anything else I have seen over the last several years. The sample size is a little small, and I have some concern over the source, since I didn’t even know Verizon did this type of consulting. So I am either out of touch, or other people in similar size organizations don’t know this fact either. They did report that 26% of the companies in the survey had at least 1001 employees. The actual segment states 1001-10,000, but since that is a little broad, I will go with my previous assessment and assume most of them are on the low end of this range.
What this report tells us about the state of Information security is that what we are doing, and where we are spending our money is not working, and that although you can write all of the policies you want, you had better make damn sure someone is reading them and following them. Now for my rambling thoughts and highlights of the report.
The report covered a period of 2004 to 2007 and covers 500 incidents. Of course these are only public incidents, and are only incidents where Verizon was involved, so all assumptions are made knowing that this may or may not be representative of the population as a whole.
26% were at organizations from 1001-10,000 employees
22% had 101-1,000 employees, and 30% had 11 to 100 employees
73% of the cases involved external parties as the source of the attack, 39% were the result of partners, and 18% was the result of an insider. The numbers are somewhat skewed in that some cases were a combination of those three leading to a number higher than 100%. I would assume from that that 30% of the cases involved a combination of all three, if my logic and math is correct here. This seems to go against everything we have always heard about insiders causing the largest percentage of losses. I still believe this may hold true and is not reflected in a large number of reports because there is no evidence of insiders performing these breaches, and the companies may not even be aware of them. The more interesting statistic is the high number of breaches due to partners, and when the report looked at the number of records compromised with the probability of compromise, the partners were the biggest risk here, although closely followed by internal employees - 73 to 67 respectively. So we need to have more controls, contractual obligations and monitoring around partners, but the internal threat, when you look at the numbers of records compromised is still a big threat. When the report calculated the number of records compromised form external sources it was dramatically lower than for internal employees (30,000 vs. 187,500). And what was the source of the internal breaches you may ask. 50% of the breaches were caused by IT admins. For the partner breaches, the report stated
“Partner-side information assets and connections were compromised and used by an external entity to attack the victim’s systems in 57 percent of breaches involving a business partner. Though not a willing accomplice, the partner’s lax security practices—often outside the victim’s control—undeniably allow such attacks to take place.”
What is needed here is controls and monitoring of partners, but how much of this will be effective? Making them change their passwords every x days wouldn’t have helped (see previous entry on this from 7/15), and perhaps monitoring wouldn’t have caught this either. What about serious liability statements in the contract with monetary penalties? If vendors are on the hook for not only their losses, but yours as well, might we be able to prevent some of these? Another interesting statistic is that in 16% of the cases where partners were the source of the breach, the deliberate, malicious actions of remote IT administrators were the cause.
One of the most interesting results from the report for me is in figure 12.which illustrates patch availability at the time of the breach. In 71% of the cases, a patch was available for more than a year, and in none of the cases reviewed was there a breach where a patch was available for less than a month. In only 4% of the cases was a patch available for 1 to 3 months. So all of the meetings on the second Wednesday of the month to review the recent Microsoft patch releases are a waste of time, and we should instead be focusing on whether patches are being applied or not across the board. A simple calculation of vulnerability to host ratio will suffice here, and the number should be decreasing over time.
Another stat of note is the review of common attack pathways. In 42% of the breaches, remote access and control was the cause of the breach, and Internet facing systems were the pathway in 24% of the cases, so we again seem to be spending money and time on the wrong thing here. Simply changing vendor default passwords would have most likely prevented most of these attacks.
So once these companies were attacked it took 63% of them months to discover the breach, and 70% of the breaches were reported to them by third-parties, employees ranked second at finding them (12%), event monitoring (4%) and third-party audit (1%). Interestingly enough in 82% of the cases, the victim had the information to detect the breach, but weren’t monitoring the events carefully enough to find them. This tells me that we need to spend more money on security awareness, and develop the monitoring as well as the collection of logs. I would like to know how many of those companies had expensive SIM products in place.
So what can we glean from this report.
- We need to spend more on basic controls and procedures, and make sure they are being followed
- We need to make sure employees know where and how to report suspicious activity because it is cheaper than monitoring events and three times as effective
- If you do collect logs – have some automation in place to alert you
- Patch as much as you can across the board regardless of when the patch came out
- Watch your partner connections
- Know where the data is (66% had breaches of data they didn’t know was on the system)
- Ensure procedures and policies are being followedMonitor IT admin activity and ensure background checks are performed
Subscribe to:
Posts (Atom)