Filling a BlackHole – Securelist

Today, exploiting vulnerabilities in legitimate programs is one of the most popular methods of infecting computers. According to our data, user machines are most often attacked using exploits for Oracle Java vulnerabilities. Today’s security solutions, however, are capable of effectively withstanding drive-by attacks conducted with the help of exploit packs. In this article, we discuss how a computer can be infected using the BlackHole exploit kit and the relevant protection mechanisms that can be employed.

via Filling a BlackHole – Securelist.

Categorized as I84D

Know Thyself Through Data-Driven Security Q&A — Dark Reading

It’s almost an inevitability at IT security conferences that some speaker will break out the Sun Tzu quote about knowing your enemy and yourself to avoid disaster in battle. But in this day of threat intelligence feeds and cyberawareness, all too often the emphasis is put on intelligence-gathering about the adversary. Meanwhile, the more obvious and often more available data about oneself remains unharvested.
At the recent UNITED Security Summit, two banking executives from a top 25 U.S. financial institution (who shared best practices on the condition of not naming their employer) challenged that lack of self-awareness, advising fellow practitioners to take a deeper dive into readily available data about their systems, users, and patterns in their environments to improve their risk management strategies with meaningful action. That process starts and ends with what Kelly White, vice president and information security manager, called a security Q&A for an organization.

via Know Thyself Through Data-Driven Security Q&A — Dark Reading.


Is mobile privacy a bigger concern than a phone's brand?

A new Harris Interactive study provides a valuable barometer on current consumer perceptions and mobile privacy trends by examining issues such as data collection, geo-location tracking, mobile advertising and privacy management responsibility.
Among the top findings: many smartphone users are more concerned about mobile privacy than a phone’s brand, screen size, camera resolution or weight; more than three-quarters of smartphone users won’t download an app they don’t trust; and although the majority of those surveyed don’t like the concept of tracking, nearly half (46%) of smartphone users are still unaware it even happens.

via Is mobile privacy a bigger concern than a phone’s brand?.


ISC Diary | Evernote Security Issue

Evernote reported a Security Incident. When there’s an event like this there are many ways a company can mishandle notification.
Scott Fendley, the ISC Handler who posted the note, did a nice job of speaking to the Incident Handling procedure Evernote employed:

From an incident response point of view, I will have to commend Evernote for how they are handling the situation.
It appears that their security operations was able to detect the incident in a reasonable period of time (within a day). In addition, their communications/PR arm responded with good initial recommendations in the news article. And while there is not much technical information yet, they were able to limit some of the questions about how they stored passwords (one way hash with salting). It is my guess that Evernote has been preparing for the eventuality that a security breach would occur, and prepared all of the appropriate parties to respond.
Protect, Detect, Respond, Recover. Remember to not just focus on one or two of these within the continuum.

The part I want to highlight is how the whole Evernote team, not just their Security Operations, dealt with this. Too often companies expect their InfoSec specialists to do it all: the normal Incident Handling cycle (identify, contain, eradicate, recover, and lessons learned) plus the notification and communications. When dealing with a Security Incident it is critically important that the InfoSec and other technical teams stay focused on handling the event. Management, help desk, and in this case the PR team can best help by leveraging their communication skills and running interference.
I look forward to Evernote providing us with a detailed report of what happened and how they handled things.
Of course, don’t forget:

And if you use Evernote, change your credentials soon to limit your personal exposure.

I’m a huge Evernote fan and user. This just reinforces for me why it’s a service I’ll continue to patronize.
More info:

via ISC Diary | Evernote Security Issue.


Why Marissa Mayer’s ban on remote working at Yahoo could backfire badly — Tech News and Analysis

Mathew Ingram at GigaOm wrote an article on Yahoo’s new policy on remote workers:

Not long after her arrival at Yahoo, new CEO Marissa Mayer started handing out carrots to her new employees, including new smartphones, free food and other Google-style amenities. Now she has brought out the stick: namely, a directive that employees are no longer allowed to work from home, something that is expected to affect as many as 500 Yahoos. Mayer’s move has its supporters, who argue that she is trying to repair Yahoo’s culture — but in doing so, she could be sending exactly the wrong message for a company that is trying to spur innovation after a decade of spinning its wheels.

The moment I first heard that Yahoo had proclaimed this policy I became angry. It does not impact me directly, but as a highly skilled and experienced IT Security and Networking professional now on the market I can say that Yahoo is no longer on my list of companies I’d care to work for. Here’s why.
About 15 years ago while I worked for EDS as a Network Security Administrator my marriage fell apart. Up until then I rarely if ever worked from home. With divorce looming I had sole custody of my two young kids. I had to work from home when they were sick or were off of school. At the same time my role at EDS changed to include firewall administration, demanding more of my time to cover on-call and odd support hours.
I was fortunate to report to managers that understood my situation and worked to help me. I worked with a great group of professionals who didn’t complain about my flexible work schedule. In fact we all worked together so everyone could have the same flexibility I had. How did I handle things? I became infamous for keeping sleeping bags, pillows, snacks, and toys for my kids in my cube. I don’t know how many nights I carried the two of them into the data center in the middle of the night, each slumped over a shoulder while I badged through the security doors. They slept on the floor swaddled in their sleeping bags and little heads resting on Disney-themed pillows, lullabied by the white noise.
When I interviewed with Magna I was very upfront about what I needed to do to take care of my kids and what I would do in return. They took me on without hesitation, and I always appreciated and respected the trust they placed in me. Similar to my days at EDS, the team at Magna embraced me and the flexibility I needed. I repaid my boss’ and team’s trust in many of the same ways I did for EDS, but there was one case that was above and beyond.
For reasons that escape my memory the IT staff in Europe all quit on the same day. The organization I worked for was very lean. There were no extra people around to help fill in while they hired new staff. I stepped up, waking between 03:00 and 04:00 Eastern time to support Europe until I had to get my kids ready for school. I’d drop them off (no bus service) and return to cover the rest of the European day and my normal work. I was caretaker of servers and services in addition to the network and security. I did this for almost 6 months from my basement, buying the European IT director time to hire some great team members.
When I moved into management, my team earned from me the same opportunities and respect that I had earned. With instant messaging and email, IP telephony and video conferencing, and cheap Internet-based VPNs back to the company, they could do everything from home that they could do from work. Yes, you cannot replace face-to-face interaction. But by the same token, how much hallway and water cooler talk is mere friendly trivia?
I’ll leave how companies choose to handle working from home to what makes sense for them and their business. But I want the conversation rephrased to talk about working from home as a tool and not a benefit. It can help both the employer and the employee, and that can’t be taken lightly.
I sincerely hope Marissa Mayer reconsiders her decision. She’s closing a door on quality hard-working talent that will go elsewhere just at the time when she needs them in Yahoo.
via Why Marissa Mayer’s ban on remote working at Yahoo could backfire badly — Tech News and Analysis.


Move Over, APTs — The RAM-Based Advanced Volatile Threat Is Spinning Up Fast – Dark Reading

Advanced Volatile Threat (AVT) is an attack on RAM, not on data or programs stored on the system. It’s fast, ephemeral, & hard to detect, according to the article:

And that concern, (John) Prisco (CEO of Triumfant) says, could drive more attackers to drop their APT strategies and turn to AVTs instead. “The AVT is going to be attractive to sophisticated attackers because it’s there, and it’s gone,” he says. AVTs take a bit more effort, Prisco observes, because they only work once, but attackers who are highly concerned about attribution will likely be willing to do the extra work.
Using an AVT is no guarantee against detection, DeMesy says. “Detection of advanced volatile attacks is extremely difficult, even when best practices are followed,” he says. “However, you may be able to detect what the attackers are trying to do. Internal honeypots are an excellent way to entice attackers to reveal their presence. Attackers employing advanced volatile attacks are looking to get in and out of a network quickly, bringing with them as much information as possible, so seemingly vulnerable targets, such as a honeypot, are a prime target.”

via Move Over, APTs — The RAM-Based Advanced Volatile Threat Is Spinning Up Fast – Dark Reading.


Malware on oil rig computers raises security fears – Houston Chronicle

This article from the Houston Chronicle highlights the need for layered security including proper VLAN design to segregate & contain malware as part of security:

Malicious software unintentionally downloaded by offshore oil workers has incapacitated computer networks on some rigs and platforms, exposing gaps in security that could pose serious risks to people and the environment, cybersecurity professionals told the Houston Chronicle.
The worst-case scenario could be catastrophic: A malfunctioning rig and safety systems could cause a well blowout, explosion, oil spill and lost human lives, experts said.

The way the article reads, it seems like these platforms have large flat LANs, where employees’ personal equipment is on the same network as the production equipment. I’m a fan of placing SCADA systems in their own VLAN with IP addressing that is not routable to the Internet or to the rest of your local network. Place a physical firewall device between the SCADA LAN and the regular LAN, but lock that firewall down: deny everything by default, selectively open ports for maintenance, and close them again when the work is done. Monitor the heck out of the thing.
InfoSec professionals, how would you handle this type of situation?
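As an added illustration of the design above (not code from the Chronicle article or from any rig operator), the following script models the policy in Python: a non-routable SCADA VLAN that never initiates outbound traffic, default deny from the office LAN, a time-bounded maintenance allow-list that expires when the job is done, and a denied-flow list that is what you would feed to monitoring. The address ranges, the maintenance rule and the flow records are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
SCADA_NET = ip_network("10.200.0.0/24")  # constructed: the SCADA VLAN's non-routable range

@dataclass(frozen=True)
class MaintenanceRule:
    """One port opened from one jump host for one job, with an expiry."""
    src: str
    dport: int
    start: datetime
    end: datetime

@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int

def evaluate(flow, rules):
    """Apply the firewall policy to one flow; returns (verdict, reason)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in SCADA_NET:
        return "deny", "scada-egress"  # the SCADA VLAN never initiates outbound
    if dst not in SCADA_NET:
        return "allow", "not-scada"    # office-to-office traffic is out of scope here
    for r in rules:
        if ip_address(r.src) == src and r.dport == flow.dport:
            if r.start <= flow.ts <= r.end:
                return "allow", "maintenance-window"
            return "deny", "rule-expired"  # "restrict when done"
    return "deny", "default-deny"

def audit(flows, rules):
    # Split flows into allowed and denied; the denied list is what gets logged.
    allowed, denied = [], []
    for f in flows:
        verdict, reason = evaluate(f, rules)
        (allowed if verdict == "allow" else denied).append((f, reason))
    return allowed, denied

# Constructed sample: one Modbus/TCP (502) window from jump host 10.10.5.7.
RULES = [MaintenanceRule("10.10.5.7", 502,
                         datetime(2013, 2, 27, 9, 0), datetime(2013, 2, 27, 17, 0))]
FLOWS = [
    Flow(datetime(2013, 2, 27, 10, 0), "10.10.5.7", "10.200.0.15", 502),   # inside window
    Flow(datetime(2013, 2, 27, 18, 30), "10.10.5.7", "10.200.0.15", 502),  # after window
    Flow(datetime(2013, 2, 27, 10, 5), "10.10.44.9", "10.200.0.15", 502),  # personal laptop
    Flow(datetime(2013, 2, 27, 10, 6), "10.10.5.7", "10.200.0.15", 445),   # port not opened
    Flow(datetime(2013, 2, 27, 10, 7), "10.200.0.15", "203.0.113.5", 80),  # PLC calling out
]

if __name__ == "__main__":
    for f, why in audit(FLOWS, RULES)[1]:
        print(f"DENY {f.ts:%H:%M} {f.src} -> {f.dst}:{f.dport} ({why})")
```

Only the in-window flow from the jump host passes; the expired window, the stray laptop, the wrong port and the PLC reaching out are all denied with a reason you can alert on.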
via Malware on oil rig computers raises security fears – Houston Chronicle.


The Determination of Idiots

It is hard to impossible to stop a determined idiot.
This axiom came to mind as I read the story of the man who leapt from a zoo’s train. His athletic jump cleared a sixteen-foot-tall protective fence and landed right in the pen of a Siberian tiger. The tiger attacked the man severely.
I’ve been trying to think of valid reasons why the man would do that. From the reports I read the man seemed intent upon clearing the safety fence, so this was no accident. He wasn’t trying to escape a giant space scorpion or an icky bug or a girlfriend he was trying to break up with. Even if he was trying to commit suicide I imagine there are ample other avenues available, avenues less elaborate and ultimately more effective. This seems to me more in the field of a frat prank or a dare or drunken misplaced determination or a desperate ploy to get famous.
I think the guy is an idiot. If one applies Hanlon’s Razor, i.e. “never attribute to malice that which is adequately explained by stupidity”, he’s an idiot. Even if he’s not, even if there’s a valid reason for this bizarre chain of events, let’s assume for the sake of this post that he is an idiot.
We’re left with an idiot who did, deliberately and with malice aforethought, jump into a Siberian tiger’s pen. The tiger did what tigers do: the man was mauled. The man was rescued by zoo staff.
I’m sure that some people read the stories and were appalled that a tiger would do such a thing. They might demand the animal’s destruction for daring to harm Homo sapiens in such a blatant way.
Others might read that story and say, “How can we let people jump from a moving train over a 16-foot fence into a wild animal’s pen? We must implement laws and elaborate security systems to prevent this.”
The zoo did neither. The zoo’s director, Jim Breheny, handled the situation, in my humble opinion, appropriately based on the actual risk.
The Associated Press quoted Breheny as saying, “When someone is determined to do something harmful to themselves, it’s very hard to stop that. … The tiger did nothing wrong in this episode”.
The most telling part from both a risk management and incident handling perspective is the other statement from the Associated Press article I read: “Zoo officials said they would review safety procedures but stressed that the situation was unusual.” By the way, they’re not going to euthanize the tiger.
“We review everything, but we honestly think we provide a safe experience,” Breheny said in the Associated Press article. “And this is just an extraordinary occurrence. … Somebody was deliberately trying to endanger themselves.”
The lesson: don’t make more out of an isolated incident than is there. If the particular ingredients of a problem are all unlikely or rare, then the response should be proportional. This isn’t to say that there aren’t lessons to be learned from every event. Rather, a rational and judicial
The corollary: given enough resources a determined person can defeat security measures. As my Dad said to me after my childhood home was broken into, “If someone wants to get in bad enough they’ll find a way”.
The same is true for determined idiots.

Penny Wise & Pound Foolish

No, this is not a Stephen King’s IT related post.

The other day I took 100 bottles and cans to the local liquor store for a refund. Here in Michigan we pay a ten cent deposit on every soda pop, beer, and other beverage container. It has been this way for as long as I can remember. The deposit makes a difference. After having spent 5+ years in a no-deposit state (Oklahoma), a $0.05 state (Connecticut), and the aforementioned ten cent Michigan, I follow the deposit refund options far more religiously in the Great Lakes State.

But that’s not the point of this post, either.

The point is that the other day I took 100 bottles and cans, some beer and some soda pop, to the local liquor store for a refund. That is $10 in a refund that I invariably spend on more soda pop and beer. I like high quality local breweries, so $10 will often not quite cover a six pack just in that. After having dropped the containers off the store employee in charge of returns, Robert, chased me down to admonish me for my containers.

The way the MI law is written, stores only have to accept containers that they sell. The stores with automatic return machines enforce this. That’s why I take mine back to this store – no machines policing the returns. The store itself offers a decent beer selection, albeit smaller and a little more expensive than the other stores where I shop. I always end up spending more in the store after a return run than the refund.

When Robert flagged me down and lectured me loudly in the store on how hard it is for him to get $0.10 on a bottle they don’t carry from the store’s distributor, I argued. Uninterested, he dug through every neatly packed bag (and I do rinse and orderly arrange things). After everything was reviewed only 12 bottles out of the 100 were questionable. Since I had in my hands two six packs of beer and one 12 pack of pop worth $23 before tax and deposit, Robert was arguing about 5% of my total spend with them on that trip, $1.20.

Again, Robert was not wrong. A store’s obligations under the program are laid out. While I argue that such limitations negatively impact the effectiveness of the law, the law is plainly written.

Nevertheless I put the $23 of stuff back on the shelf and walked out with $8.80 in deposits. I let Robert keep the extra bottles. I spent that $8.80 plus more at another store. That was a loss of $31.80 (the $23 I was going to buy plus the deposit I was entitled to) instead of $21.80 in sales (presuming the store had to eat the $1.20).

Since I was treated so poorly I later returned another 27 containers for cash at that store on my way to another store where I spent $23 in more of the same. That’s over $50 lost for the sake of $1.20. Once I exceed $120 I will talk with the owners.

For me I spent next to nothing on the extra fuel since the other options are less than a mile away. I saved about $1.50 on my purchases.

This illustrates “Penny Wise & Pound Foolish” very well.

I would be a fool if I didn’t cast a critical eye on myself. What have I done that, in retrospect, was penny wise & pound foolish?

At work the big thing that leapt out at me, fit for public consumption, was being so far behind on my expense reports. It always takes more time to complete them the longer it takes me to do them. It takes money out of my pocket both in covering the expense in a timely fashion as well as in any late charges that I have to absorb.

At home I just went through a big refresh in various parts of my life, so it is too early to tell there.

“Penny Wise & Pound Foolish” is another way of describing the Law of Unintended Consequences. How much time and effort would it cost to ask “What happens if …?” before making a decision?
