Monthly Archive for October, 2009

SECTOR Sniffing: It Smells, as does the Response

Apparently, at the SecTor security conference, someone tapped into the network and posted passwords to a Wall of Sheep.

At the SecTor speakers dinner, several attendees were approached by colleagues and informed that their credentials appeared on the “Wall of Shame” for all to see. When questioned about how the encrypted and unencrypted traffic was being monitored, Eldon Sprickerhoff (founding partner at eSentire) stated that, although capturing and decrypting the “secured WiFi” traffic was possible, it was much easier to directly connect a network tap into the physical network and capture both streams of traffic. Because both streams were unencrypted by the time the traffic reached the physical network, the security of the secured WiFi no longer existed. Enterasys, when questioned about their involvement in or knowledge of the collection, stated that they were only aware that the unsecured wireless network was being monitored and were shocked to find out that the physical network was also affected.

Andrew Hay comments (at length) in “Security Vendor Illegally Collects and Displays Attendee Information at Security Conference.”

I’d like to set aside, for a moment, the legality and ethics, and look at the outrage. Before I do: I have no reason to think that Andrew is wrong; he quotes David Fraser at length, and I’ve read and enjoyed David’s blog for years. Additionally, what was done was likely unethical.

That said, I have been watching with fascination — utter fascination — the outrage factory going to school on these guys. Have you read the terms of service that your hotel network makes you click through? Are you aware that AT&T installed entire rooms in their network hubs to capture not only your usernames and passwords, but are anticipating feeding into a yottabyte-scale datacenter?

From where I sit, there are an awful lot of people who should be using a full-bore VPN to get out of clear and present danger to a host and network that they trust, and they’ve been caught with their pants down.

Being outraged that someone actually captured your data? Are you a security professional? [If you are,] why not do something about it, rather than sputter?

SSH has had tunneling for so long I can’t remember when I first used it. I know I was tunneling SSH through SSL proxies while I was still consulting, so at least a dozen years. A good number of modern operating systems include IPv6. It’s not that hard to do something about most of these problems.

[If you're not a security professional, then I'd suggest directing your outrage in roughly equal parts at the people who did this and the security pros operating the services which are not secured against this sort of thing.]

[Updated after comments from Andrew Hay.]

New Best Practice: Think

Since anyone can declare anything a best practice in information security, I’d like to add my favorite to your list.

Think.

Thank you.

Visual Complexity Web Site

A collection of very interesting and beautiful visualization methods for networks of all sorts:

VisualComplexity.com intends to be a unified resource space for anyone interested in the visualization of complex networks. The project’s main goal is to leverage a critical understanding of different visualization methods, across a series of disciplines, as diverse as Biology, Social Networks or the World Wide Web. I truly hope this space can inspire, motivate and enlighten any person doing research on this field.

Not all projects shown here are genuine complex networks, in the sense that they aren’t necessarily at the edge of chaos, or show an irregular and systematic degree of connectivity. However, the projects that apparently skip this class were chosen for two important reasons. They either provide advancement in terms of visual depiction techniques/methods or show conceptual uniqueness and originality in the choice of a subject. Nevertheless, all projects have one trait in common: the whole is always more than the sum of its parts.

I found a few examples specific to information security, including “Windows vs Linux Server Complexity”, “Starlight – Network Security”, and “The Effect of Worms on the Internet”. Beyond these three, there may be some methods and ideas that can be adapted to InfoSec. They say that a book is in the works.

The Cost of a Near-Miss Data Breach

Jerry escapes death, but is it cost-free?  (Image from tomandjerryonline.com)

If one of your security metrics is Data Breach Cost, what is the cost of a near-miss incident? This seemingly simple question gets at the heart of the security metrics problem.

Consider the gleeful Jerry Mouse in this cartoon. Tom the Cat has just missed in his attempt to swat Jerry and turn him into mouse meat. Is there any cost to Jerry for this near miss? Is Jerry’s cost any different than it would be if Tom were nowhere in sight?

By “near miss” I mean a security incident or sequence of incidents that could have resulted in a severe data breach (think TJX or Heartland), but somehow didn’t succeed. Let’s call the specific near-miss event “NM” for short. For the sake of argument, let’s assume that the lack of attack success was due to dumb luck or attacker mistakes, not due to brilliant defenses or detection. Let’s say that you only discover NM long after the events took place. For simplicity, let’s assume that discovering NM doesn’t result in any extraordinary costs, meaning that out-of-pocket costs are the same just before and immediately after NM. Finally, assume that your expected cost of a successful large-scale data breach is on the order of tens of millions of dollars, with the worst case being hundreds of millions.

How much does NM cost? The realist answer is “zero”. (Most engineers are realists, by disposition and training.) There is a saying in street basketball that expresses the realist philosophy about losses and associated costs: “No blood, no foul”. If you ask your accountants to pore over the spending and budget reports, they will probably agree. Case closed, right?

Not so fast….

Botnet Research

Rob Lemos has a new article up on the MIT Technology Review about some researchers from UC Santa Barbara who spent several months studying the Mebroot botnet. They found some fascinating stuff, and I’m looking forward to reading the paper when it’s finally published. While the vast majority of infected machines were Windows-based (64% XP, 23% Vista), 6.4% were running either OS X Tiger or Leopard, demonstrating yet again that just because you have a Mac doesn’t mean you are safe. More interesting to me was:

The researchers also discovered that nearly 70 percent of those redirected by Mebroot–as classified by Internet address–were vulnerable to one of almost 40 vulnerabilities regularly used by the most popular infection toolkits designed to compromise computer systems. About half that number were vulnerable to the six specific vulnerabilities used by the Mebroot toolkit.

The research suggests that users need to update more often, says UCSB’s Vigna.

Unfortunately, until the paper comes out we won’t know which vulnerabilities were being used and how old they are. Hopefully, that will be explained further as it would be really interesting to see how this data compares with what Verizon found in their research.

Changing Expectations around Breach Notice

Earlier this month, the Department of Health and Human Services imposed a “risk of harm” standard on health care providers who lose control of your medical records. See, for example, “Health IT Data Breaches: No Harm, No Foul:”

According to HHS’ harm standard, the question is whether access, use or disclosure of the data poses a “significant risk of financial, reputational or other harm to [an] individual.”

I wasn’t the only one deeply concerned by that standard. Apparently Henry Waxman and Charles Rangel have written the Secretary of Health and Human Services to explain that “This is not consistent with the Congressional intent,” and

“ARRA’s statutory language does not imply a harm standard,” the lawmakers wrote. “Committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given breaching entities, particularly with regard to determining something as substantive as harm from the releases of sensitive and personal health information.”

Their letter is here. See also “Lawmakers Urge Lower Bar for Health IT Data Breach Notification.”

Five years ago, no one would have said such things. It’s nice to see how quickly the field is maturing.