Tuesday, August 25, 2009

What is cloud computing?

Having listened to Google and done my reading, I am still not clear on what cloud computing means for each of the companies offering it. I guess it depends on who you talk to, how they define the cloud, and what cloud computing offering they have for you. Most of us Internet old-timers remember that the Internet was the original cloud: it took care of things like routing for you. But do all the cloud offerings take care of things like security? Privacy and security still seem to be in an immature state.

Now NIST has taken on the challenge of helping with the definition of "cloud computing" and has drafted a document. I guess the next step is to define a standard for cloud security, or at least some common APIs.

Background material:
NIST Cloud computing

1SSA - Security Consulting, Training and Products

Infected websites on Google &Yahoo

We all (or at least the majority of us) use Google and Yahoo to search the Internet; "just google for it" has become the answer to most questions that cannot be answered otherwise. This is something that many hackers are now using to infect computers with malware (viruses, bots, worms, etc.).

The latest case involves over 64 thousand websites that contain a so-called iframe (a reference to another web page that is embedded and displayed in a section of the current page) pointing to a web server that tries to infect your computer.
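As an added example (not part of the original post), here is a small scanner for the kind of injected iframe described above: it parses a page and flags frames whose source points off-site and that are hidden or tiny, which is how a drive-by redirect is usually concealed from the visitor. The sample HTML, the host names and the size threshold are constructed for the example.

```python
"""Flag hidden or tiny iframes that point off-site, the usual shape of an
injected drive-by redirect. Added example; the sample page, the host
names and the thresholds are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")
TINY_PIXELS = 1  # frames of 0 or 1 pixel in either dimension


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): v for k, v in attrs})


def _pixels(value):
    """'0', '1px', ' 0 ' -> int; percentages or missing values -> None."""
    if value is None:
        return None
    value = value.strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdigit() else None


def suspicious_iframes(html, page_host):
    """Return [{'src': ..., 'reasons': [...]}] for frames that are both
    off-site and concealed. Visible third-party embeds (video players etc.)
    are not reported, which keeps the output reviewable on a real site."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = (attrs.get("src") or "").strip()
        host = urlparse(src).hostname
        if not host or host.lower() == page_host.lower():
            continue  # relative or same-site frames are out of scope for this check
        reasons = []
        width, height = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
        if (width is not None and width <= TINY_PIXELS) or (height is not None and height <= TINY_PIXELS):
            reasons.append("tiny frame")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
            reasons.append("hidden by style")
        if reasons:
            findings.append({"src": src, "reasons": ["external host " + host] + reasons})
    return findings


# Constructed sample: a legitimate visible embed, an injected hidden frame,
# and a same-site frame that is small but out of scope for this check.
PAGE_HOST = "www.example.com"
SAMPLE_HTML = """<html><body>
<p>Welcome to our site.</p>
<iframe src="http://www.youtube.com/embed/abc123" width="425" height="344"></iframe>
<iframe src="http://evil.example/in.cgi?3" width=1 height=1 style="visibility: hidden"></iframe>
<iframe src="/banner.html" width=0 height=0></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, PAGE_HOST):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

This is a triage aid for a site owner checking their own pages, not a complete detector: injections are often written by obfuscated JavaScript rather than placed as a literal tag, so a real check also looks at script blocks and diffs the served page against a known-good copy.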

Nowadays, googling for something and clicking on a search result can easily result in a malware infection. Counting on your anti-virus/anti-spyware tools to catch the attack is a gamble that you might lose. Most of the sites use zero-day (or close to zero-day) exploits for browser vulnerabilities, and Microsoft sometimes needs months to fix such issues.

The owners of the compromised sites, on the other hand, need to show more due diligence in patching such holes. It is part of the total cost of ownership (TCO) of your Internet presence.

Some background information:
Mass infection turns websites into exploit launch pads
Free Antivirus Software
A grim day for browser security at hacker contest

Saturday, August 22, 2009

SMS based 2-factor authentication not that secure?

There is a push to get away from token-based two-factor authentication (for the not-so-security-savvy folks: tokens are the little devices that display numbers and are used to log in to your bank or work account). Using your cell phone (for the non-US readers: mobile phone) instead seems to be a general trend. Many companies are now offering SMS-based two-factor authentication, using your cell phone as a secure device to deliver a code to you.

How does it work? A text message (SMS) containing a code is sent to your cell phone. Once received, you simply type it in when logging into your account online.
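To make the server side of that flow concrete, here is an added example (not any vendor's code, and not from the original post) of issuing and verifying such a code. The SMS gateway is a stub that only records the message, and the user name and phone number are made up. Since the post's concern is that the delivery channel can be read by someone else, the server-side controls shown here can only limit what an intercepted code is worth: a short lifetime, single use, a small number of guesses, and no plaintext code in storage.

```python
"""Server side of an SMS one-time-code login step.
Added example, not any vendor's implementation. The gateway, user name and
phone number are stand-ins; the clock is injectable so expiry can be shown."""
import hashlib
import hmac
import re
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 120   # a code read off an intercepted SMS is only good for this long
MAX_ATTEMPTS = 3         # blocks online guessing of the 6-digit space


class SmsOtpServer:
    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms      # callable(phone_number, text)
        self.clock = clock
        self._pending = {}            # username -> [salt, digest, expires_at, attempts]

    def issue(self, username, phone_number):
        """Generate a fresh code, store only a salted hash, send the code via SMS."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + code.encode()).digest()
        self._pending[username] = [salt, digest, self.clock() + CODE_TTL_SECONDS, 0]
        self.send_sms(phone_number, f"Your login code is {code}. It expires in {CODE_TTL_SECONDS // 60} minutes.")

    def verify(self, username, submitted):
        """True exactly once, for the right code, within the lifetime and attempt budget."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        salt, digest, expires_at, _ = entry
        if self.clock() > expires_at:
            del self._pending[username]
            return False
        entry[3] += 1
        candidate = hashlib.sha256(salt + submitted.encode()).digest()
        if hmac.compare_digest(candidate, digest):
            del self._pending[username]      # single use: a replayed code fails
            return True
        if entry[3] >= MAX_ATTEMPTS:
            del self._pending[username]      # user must request a new code
        return False


def _code_in(sms_text):
    """What the legitimate user (or anyone else reading the SMS) types in."""
    return re.search(r"\b\d{6}\b", sms_text).group(0)


def _wrong_code(code):
    return "000000" if code != "000000" else "000001"


def demo():
    """Walk through the happy path and the three failure modes; returns the outcomes."""
    outbox = []                          # stub SMS gateway: records instead of sending
    now = [1_000_000.0]                  # fake clock, advanced by hand
    server = SmsOtpServer(send_sms=lambda number, text: outbox.append((number, text)),
                          clock=lambda: now[0])
    user, phone = "alice", "+15555550100"   # constructed identities
    results = {}

    server.issue(user, phone)
    code = _code_in(outbox[-1][1])
    results["wrong_then_right"] = (server.verify(user, _wrong_code(code)), server.verify(user, code))
    results["replay"] = server.verify(user, code)

    server.issue(user, phone)
    code = _code_in(outbox[-1][1])
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = server.verify(user, code)

    server.issue(user, phone)
    code = _code_in(outbox[-1][1])
    for _ in range(MAX_ATTEMPTS):
        server.verify(user, _wrong_code(code))
    results["locked_out"] = server.verify(user, code)
    results["sms_sent"] = len(outbox)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two honest limits: hashing a six-digit code does not resist an offline brute force (only a million candidates), so the hash merely keeps the code out of logs and database dumps while the lifetime and attempt limit do the real work; and none of it helps if whoever intercepts the SMS uses the code before the legitimate user does, which is exactly the channel problem the rest of this post is about.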

The idea sounds brilliant. It cuts down cost by not buying the expensive token devices, and as an extra benefit there is no clunky device on your key chain.

But as always, the devil is in the details. Is a cell phone really that secure? The GSM standard has been the predominant mobile technology worldwide for quite some time, and its core was developed long ago. At that time some compromises were made on security, simply to shave off some of the cost.

Also, in some of the more "regulated" countries the encryption offered by the GSM standard is not used (e.g. Pakistan). Other operators, like Etisalat, a mobile operator in the United Arab Emirates, seem to have their own idea of privacy and security. According to several news articles, Etisalat tried to install malware on its customers' BlackBerrys to snoop on them. It is suspected that Etisalat was serving the local government when doing this, but that is still not clear.

Another development of interest is that certain cell phone models are suddenly increasing in price on the second-hand market. A German-made Nokia 1100 handset supposedly went for 25K Euros in the Netherlands. Rumor has it that those handsets can be used to intercept SMS messages. An investigation into the technical details is currently pending, but if it is possible, then it is just a question of time before other models with even bigger flaws come into demand.

All in all this does not look too good if you ask me. Cell phones were designed for voice calls, and security even for that has been lacking. Now we are trying to use this platform for much more: a secure communication device that allows us to log into critical systems. If you ask me, we still have a way to go before there is a clear trust model for channel and end-point security with mobile devices in general.

Some background reading:

25K Euros for an old Nokia
Handset makers the criminal's friend
Eight accused in AT&T, T-Mobile $22m ID theft scam

Friday, August 21, 2009

Ameriprise website security: Fly-by-night operation

Ameriprise, one of the larger financial investment companies, did not patch major security flaws on its investment site for at least five months. Russ McRee notified Ameriprise Financial several times, but none of his emails were answered. The flaws Mr. McRee discovered could be exploited by even lesser-skilled attackers and ultimately put customers/users of Ameriprise at risk. One of the flaws made it possible to send Ameriprise customers bona fide links to the Ameriprise website that opened pages intermingling counterfeit content with legitimate text and graphics.
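The page does not say which class of flaw Mr. McRee found, but the description (a link to the genuine domain that makes the genuine page display attacker-chosen content) matches reflected content injection: a request parameter echoed into the HTML without escaping. As an added example, not the Ameriprise code and not the actual bug, here is a hypothetical page handler in its vulnerable and hardened forms; the domain, path and parameter name are made up.

```python
"""Reflected content injection: a request parameter echoed into a page
unescaped lets a bona fide link carry counterfeit content. Added example with
a made-up site, path and parameter; not the flaw reported on the real site."""
from html import escape
from urllib.parse import parse_qs, urlencode, urlparse

SITE = "https://www.example-bank.test"   # constructed; stands in for the legitimate domain
PAGE_TEMPLATE = (
    "<html><body><h1>Account lookup</h1>"
    "<p>Results for: {query}</p>"
    "<p>Questions? Call the number on the back of your card.</p>"
    "</body></html>"
)


def _query_param(url, name):
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(url):
    """Echoes the parameter verbatim: any markup in it becomes part of the page."""
    return PAGE_TEMPLATE.format(query=_query_param(url, "q"))


def render_hardened(url):
    """Same page, but the parameter is HTML-escaped so markup is shown as text."""
    return PAGE_TEMPLATE.format(query=escape(_query_param(url, "q"), quote=True))


def crafted_link():
    """A link on the genuine domain whose parameter injects a fake notice."""
    counterfeit = ('</p><div class="alert">Your account is locked. Call 555-0199 '
                   'and read out your card number and PIN.</div><p>')
    return SITE + "/search?" + urlencode({"q": counterfeit})


def injected_markup_present(html):
    """The template has no <div>; one in the output came from the request."""
    return "<div" in html


if __name__ == "__main__":
    link = crafted_link()
    print("link starts on genuine domain:", link.startswith(SITE))
    print("vulnerable page injected:", injected_markup_present(render_vulnerable(link)))
    print("hardened page injected:", injected_markup_present(render_hardened(link)))
```

Escaping for the HTML text context is the minimum fix; a value written into an attribute, a URL or a script block needs the encoding for that context, and a Content-Security-Policy header limits what any markup that does slip through can do.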

I can only think of one case that tops this "fly-by-night" operation, and that is ISH/UnityMedia, a cable company in Germany, which actually replied to emails complaining about spam coming from its network with the comment "Just configure your anti-spam software, this is not our problem".

Seems like irresponsibility is on the rise.

Read the article: Security bugs crawl all over financial giant’s website

Wednesday, August 19, 2009

Radisson joining the club of credit card victims

Today, August 19th, Radisson Hotels put up an open letter addressed to guests who stayed at the chain between November 2008 and May 2009. The letter notifies guests about a security breach that exposed credit and debit card information. According to the letter, only some hotels were involved in this incident, but the letter does not specify which ones.

As usual, free credit monitoring for a year is offered. I wonder who came up with this idea to let organizations off the hook so cheaply. It is well known in the security industry that stolen credit card information is not necessarily used immediately; it is sometimes stored or traded for years before being used.

If this year continues like this, close to every credit card owner in the United States will have free credit monitoring for at least a year, or maybe even double or triple monitoring for a year.

Read the letter:
Radisson's open letter

Monday, August 17, 2009

Data of over 130 Million Credit Cards stolen

This year will become a record-breaking one for sure. Albert Gonzalez, a man who is already jailed on charges of hacking into major retail computer networks, has been indicted a third time for allegedly stealing data on a record number of credit and debit cards. He is accused of stealing data on 130 million (yes, the number with six zeros) credit cards, some of which were used at stores like 7-Eleven and other well-known chains.

According to prosecutors, Gonzalez is charged along with two co-conspirators identified only as "Hacker 1 and Hacker 2, both of Russia." They allegedly moved the data to computer servers operating in California and Illinois, and overseas in Latvia, the Netherlands and Ukraine.

What is "entertaining" to me is that he could also be fined up to $500,000, which he can probably pay by credit card; the question is whose card?

Article in the Guardian

Sunday, August 16, 2009

111,000 bogus Antivirus products found in Q1 2009

According to PandaLabs, more than 111,000 bogus antivirus (or other anti-malware) tools, so-called scareware, were discovered in the first quarter of 2009. That is more than was discovered in all of 2008!

Before downloading and using a tool that claims to check for and remove a virus, it is advisable to check one of the whitelists to see if the vendor is reputable. Otherwise the tool might infect the computer it is installed on.

Here is a link to a whitelist page: Antivirus Vendor Whitelist

Saturday, August 15, 2009

eVoting - Not ready for prime time

I find the idea of eVoting kind of appealing, but on the other hand scary. With so many security problems in our regular IT systems, I am not sure how secure eVoting can be made. I monitored the email threads on the various security blogs for a while, and it seems that some security researchers had quite some fun with eVoting systems.

Here are some interesting articles:
- Voting machine hack costs less than $100K
- Sequoia e-voting machine commandeered by clever attack
- Can DREs provide long lasting security?

Wednesday, August 12, 2009

Cookies for the feds?

That the Obama administration is taking on hot topics is nothing new. This time it is the cookie ban that the federal government has had in place for over nine years: since 2000 the federal government has banned so-called "tracking cookies" on government websites. This has caused quite some pain for web application developers and other groups wanting to use them. Now the Obama administration has proposed a revised version of this ban with a three-tiered approach. This in turn seems to cause the American Civil Liberties Union some pain, and it is opposing the new approach.

Read the online article.

Tuesday, August 11, 2009

US government cybersecurity bigwigs leaving

According to the Register, two key people on President Obama's cyber security staff have left over the last five months.

In March, Rod Beckstrom resigned as head of the National Cyber Security Center. He headed an office within the Department of Homeland Security that is responsible for coordinating the defense of civilian, military and intelligence networks. According to the article there was quite some frustration on Mr. Beckstrom's side regarding the funding and the responsibilities of his office.

Then last week Mischel Kwon submitted her letter of resignation. She was the director of the Department of Homeland Security's U.S. Computer Emergency Readiness Team. Again the

According to the Washington Post, Kwon, who was the fourth US-CERT director in five years, was frustrated with bureaucratic obstacles and a lack of authority to fulfill her mission.

According to the Post, the lead White House cyber security official, Melissa E. Hathaway, is also going to step down next week.

What is going on with the nation's cyber security? I must say I have not been impressed so far with the approaches the nation has been taking to secure some of its most critical infrastructure. But these resignations make me believe we might have had the right people, but they could not execute.

Here are the articles:
Mischel Kwon article
Rod Beckstrom article

1SSA - Security consulting, training and products: http://www.1ssa.net

Analysis on Twitter DDoS

As I already suspected, the attacks on Twitter were politically motivated. People seem not to learn; this just results in the target becoming a martyr. In the case of last week's DDoS attacks on Twitter and Facebook, the target was a pro-Georgian blogger going by the name of Cyxymu.

F-Secure and McAfee each have put together an analysis that can be read here:

Friday, August 07, 2009

Updated: Twitter taken down by distributed denial of service attacks

After a series of complaints from foreign entities and groups, Twitter finally became the target of a distributed denial of service (DDoS) attack. Somehow it was just a question of time before that happened: if you can't get people to shut up, then you go after the medium they use to communicate. Twitter is currently operating normally, but according to Twitter's official blog the DDoS is still ongoing.

Update: Rumors say that a massive wave of spam using Twitter brought the service to its knees, not a planned DDoS attack.
Update 2: It is now confirmed that it was a DDoS attack on a particular account; see the post from 08/11/09.

Link to Twitter's official blog: http://status.twitter.com/post/157191978/ongoing-denial-of-service-attack

Tuesday, August 04, 2009

Hacking the hacker - fake ATMs in Las Vegas

During Defcon and Blackhat, several ATMs (automated teller machines, for the non-US readers) were discovered in Las Vegas that did not dispense any money but did charge the user's account. Strangely, this happened at exactly the time these major hacking events took place.

Read more at: http://www.pcworld.com/businesscenter/article/169473/security_analyst_las_vegas_atms_may_have_malware.html