August 2008


The (In)security of Social Networking Sites

With the advent of Web 2.0, social networking sites with all their wonderful interactive capabilities have become extremely popular.  MySpace, Facebook, LinkedIn and others have enjoyed great popularity as they offer unique opportunities for collaboration and information sharing.  However, with this new technology come fresh security concerns.  Below I will outline some of the more common security issues associated with social networking sites.

Social Engineering

By their very nature social networking sites encourage their users to post personal information about themselves such as home town, place of employment, birth date and more.  However, this information can be used by criminals to commit fraud or identity theft.  For example, it is not difficult to search a variety of social networks to obtain enough personal information on individuals to open a financial account in their name.  Gunter Ollman wrote an excellent piece outlining how to perform this type of social network hack.  The lesson here is to limit the amount of information you share about yourself and be selective about who you network with.

Malicious Content

Many social networking sites, MySpace in particular, allow users control over the content they provide on their pages.  This includes the ability to add banners, links, and other web content.  This gives the creators of those pages the ability to embed malicious software or links to malicious sites on their pages.  A recent study found that the number one host for malware on the Internet is the highly popular blogging site Blogspot.  This is indicative of the opportunities created for hackers by web sites that allow their users to post their own content.

Worms

Recently, Facebook has been battling a new worm that infects users of the popular web site.  The worm spreads when a user logs into his or her Facebook account and sends messages to their Facebook friends with links to malicious web sites.  When the friend clicks on the link they are asked to install an application to view a supposed video.  Of course this application is a trojan which allows the worm to continue to spread.  A similar worm is also affecting MySpace users.  These are not the first worms to target social networking sites, as this has been an ongoing problem for several years.  In all likelihood worms will become a bigger problem as these sites grow in popularity.

Social networking sites can be useful tools for collaboration, keeping in touch, making new friends and growing your network of business associates.  However, these sites are not without risks and should be used carefully to avoid becoming a victim of fraud and/or an attack on your computer.

Red Hat Servers Hacked

On Friday, August 22, Red Hat announced on its web site that one or more of the servers used as part of the Fedora project had been compromised by hackers.  Even more troubling is the fact that the compromised servers included one that was used to sign Fedora packages.  Company officials claim to be confident that the passphrase that protects the private key used to sign the packages was not obtained.  However, the company did reinstall the affected systems and issued new keys for the signing of the packages as a precautionary measure, which meant downtime for the affected servers.

But the hack did not stop there.  Red Hat also disclosed that a breach occurred on some of its production systems which allowed the intruder to create and sign some OpenSSH packages for Red Hat Enterprise Linux 4 and 5!  According to Red Hat:

In connection with the incident, the intruder was able to sign a small
number of OpenSSH packages relating only to Red Hat Enterprise Linux 4
(i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64
architecture only). As a precautionary measure, we are releasing an
updated version of these packages, and have published a list of the
tampered packages and how to detect them at
.

At this point Red Hat does not believe that its Red Hat Network (RHN) service, which allows customers to download packages from Red Hat, was compromised.  As a result, they do not think that the tampered packages have been widely distributed.  Let’s hope they are right.

The problem with this type of situation is that it is very difficult to tell the extent of the damage.  Red Hat believes they caught the intrusion quickly and rectified the situation.  But what if this has been going on for months?  It seems at least possible that other packages may have been hacked, signed and distributed without their knowledge.  This demonstrates one of the major security issues for software vendors: how to write, maintain and distribute software in a secure manner.  By all accounts Red Hat was following good practices.  They signed all their packages with their private key so that those who downloaded them could verify their authenticity and integrity.  But when your signing server is compromised all bets are off.
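The practical question for a Red Hat customer after this incident is which installed packages can still be trusted. The script below is an added example (not Red Hat's tooling and not code from the original post) that parses `rpm -qa` signature output and flags packages that are unsigned, signed by a key outside a trusted set, or named in the vendor's published tampered-package list; the key IDs, the tampered list and the sample output are constructed placeholders.

```python
r"""Audit installed RPM signatures after a signing-key compromise.

Added example, not Red Hat's tooling or code from the original post.
It parses the output of
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n'
and flags packages that are unsigned, signed by a key outside the
trusted set, or named in a vendor-published tampered-package list.
Key IDs, the tampered list and SAMPLE are constructed placeholders.
"""
import re
import subprocess

TRUSTED_KEY_IDS = {"0123456789abcdef"}  # hypothetical replacement key ID
TAMPERED_NVRA = {"openssh-4.3p2-0.PLACEHOLDER.x86_64"}  # stand-in for vendor list

# pgpsig renders as e.g. "DSA/SHA1, <date>, Key ID <16 hex digits>"
SIG_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})$")


def classify(line):
    """Return (nvra, verdict) for one 'NVRA <pgpsig>' line."""
    nvra, _, sig = line.strip().partition(" ")
    if nvra in TAMPERED_NVRA:
        return nvra, "TAMPERED"       # known-bad build: remove and reinstall
    if sig in ("", "(none)"):
        return nvra, "UNSIGNED"       # cannot be verified at all
    m = SIG_RE.search(sig)
    if not m or m.group(1).lower() not in TRUSTED_KEY_IDS:
        return nvra, "UNTRUSTED_KEY"  # signed, but not by a key we accept
    return nvra, "OK"


def audit(lines):
    """Group every non-OK package by verdict; an empty dict means all clean."""
    findings = {}
    for line in lines:
        if line.strip():
            nvra, verdict = classify(line)
            if verdict != "OK":
                findings.setdefault(verdict, []).append(nvra)
    return findings


# Constructed sample of rpm output (package names and dates are made up).
SAMPLE = """\
bash-3.2-21.el5.x86_64 DSA/SHA1, Tue 01 Jul 2008 10:00:00 AM UTC, Key ID 0123456789abcdef
openssh-4.3p2-0.PLACEHOLDER.x86_64 DSA/SHA1, Fri 15 Aug 2008 10:00:00 AM UTC, Key ID 0123456789abcdef
kernel-2.6.18-92.el5.x86_64 (none)
vim-7.0.109-4.el5_2.x86_64 DSA/SHA1, Mon 02 Jun 2008 10:00:00 AM UTC, Key ID fedcba9876543210
"""

if __name__ == "__main__":
    cmd = ["rpm", "-qa", "--qf",
           "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    for verdict, pkgs in sorted(audit(out.splitlines()).items()):
        print(verdict, *pkgs, sep="\n  ")
```

Run it on the SAMPLE text first to see the three verdict classes, then against the live rpm database; anything in TAMPERED or UNTRUSTED_KEY needs the package reinstalled from a trusted source.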

Red Hat is not the first company to face such issues.  In 2004 hackers were able to steal 800 MB of source code from Cisco, leading to wide speculation about the security of their products.  A similar theft of source code occurred at Microsoft in that same year.  Software vendors must be extremely vigilant in protecting their products.  One tampered package that goes unnoticed could lead to backdoors in thousands of systems.  Let’s hope that this did not occur with Red Hat.

The Dangers of Peer 2 Peer Software

It seems people still don’t get it.  Those nifty little peer 2 peer (P2P) applications that allow you to download free music also allow others to download music or any other type of file from your machine.  This includes files containing sensitive information such as SSNs, bank information, medical records and virtually anything else stored on your hard disk.  P2P software such as Limewire, Kazaa, Bearshare and BitTorrent can allow anyone access to any file on your computer that is being shared by the application.  And by default, these applications are rather generous in what they decide to share, often including everything under the My Documents folder.

In order to demonstrate the ease with which one can find and download documents with sensitive information using P2P software, I fired up Limewire and performed a document search for files with the string “tax” in the name.  In a matter of minutes it had found hundreds of documents including a PDF file that looked like it might be a tax return.  I downloaded it and after opening it up I was staring at the 2007 United States tax return of someone from Louisiana who was unknowingly sharing this file with the entire online world. 

And in case you think I have just let the cat out of the bag, I only wish this were true.  In fact this tactic has been known for several years and certainly anyone willing to commit identity theft already knows how to search for sensitive documents in this manner.  So take heed.  The best defense is not to install P2P software in the first place and if you already have it installed, remove it.  You shouldn’t be downloading music and movies illegally anyway, right?  If you have an actual need for one of these applications be sure to restrict what it shares so that you don’t end up fighting to regain your identity.

The Evolution of Malware and the Underground Economy

When I first started working in the information technology profession back in the early 1990s, there was not really a defined field specifically for security professionals.  Network and system security was handled by the system and network administrators responsible for the general management of the networks.  Most security concerns revolved around viruses and basic access controls.  The term malware had not even entered the general IT lexicon.  Fast forward 15 years and the situation has changed dramatically.  The hacker underground has gone from young kids defacing websites for fame and glory to a sophisticated, financially motivated network that involves several different layers of actors and groups, often including organized crime rings.

In the last few years the way in which malware is used by criminal elements has changed drastically.  Just 5 years ago a single hacker working with one or two friends would create a virus or trojan, distribute it to unsuspecting users via email and utilize the information gathered for their own personal gain.  But things are much different now.  The malware developers are content to sell their software for others to use, reducing their risk of being caught and allowing them to concentrate on the technical work they do best. And they have gone a long way to improve their products.  Far from simply selling malware on the underground marketplace, hackers have begun to sell a service providing easy access to information and allowing criminals to “rent” infected computers for a period of time.

Witness the 76service web site.  This site provides a web interface to information gathered from all the machines that are part of the hackers’ botnet.  Criminals pay a fee to access the web site for a period of time, which allows them to easily obtain personal information from the people using the infected computers.  The malware is able to collect information typed into forms including usernames and passwords, gather bank account information and intercept keystrokes, among other things.  All of this information is sent back to the 76service web server where criminals log in and use the information to steal money, obtain credit and make fraudulent transactions while the person with the infected host is left wondering why their bank account is shrinking and their credit card balance is growing.

Another such service allows criminals to rent the use of all or part of a hacker’s botnet.  The botnet can be used to send spam or orchestrate DDoS attacks against another network.  One such botnet is a good example of this type of service, as its creators have been known to rent portions of the network to criminal elements.  All of this suggests that the underground economy is changing: multiple players are involved and criminals have easier access to tools that will allow them to obtain valuable information to commit fraudulent activities.  I expect to see more such services in the future with improved methods for delivery of information.  Imagine a database filled with personal information, constantly being updated by bots and automatically distributed to paying customers via encrypted channels.  This is possibly the direction that malware is headed as hackers continue to evolve their products and services.

Traveling in the Digital Age

While I watch the Olympic games safely in my home, the United States government has issued a strong warning to travelers visiting foreign countries.  Even though the document does not mention China specifically, it does coincide with the games and is clearly intended to make travelers aware of potential security implications when heading to a country with little regard for privacy.  Some of the tips listed in the document include:

  • There is no expectation of privacy in many countries.  This includes hotel rooms that can be searched without your knowledge or consent and phone and internet connections that are monitored.
  • Police and criminals can track your movements via a cell phone or PDA.
  • Malware can be installed on your laptop via any connection controlled by the foreign government.  This malware can then be used to obtain private or sensitive information stored on your machine.
  • If your laptop or PDA is searched (especially if it is taken out of your sight or searched while you are not present), assume that the contents of the hard disk have been copied.

But the threat does not stop with electronic spying.  Recently an aide to British Prime Minister Gordon Brown was on an official trip to China.  While at a club the aide met a young woman who agreed to accompany him back to his hotel room.  Imagine his surprise when she disappeared with his Blackberry, which had unencrypted information on it.  It is suspected that the event was orchestrated by the Chinese intelligence service.  This is a classic example of social engineering and should serve as a reminder that foreign governments and criminals will use such tactics to exploit basic human weaknesses.

The best advice in the report for protecting your electronic equipment while traveling in foreign countries is to leave your laptop, PDA and phone at home.  Obtain a temporary cell phone if necessary.  And if you must take your laptop or PDA, be sure that sensitive data is encrypted and that you use strong passwords to protect the keys.  Avoid using public wireless networks, don’t leave your electronic devices unattended (even in your hotel room) and don’t use any USB thumb drives given to you as a “gift”, as they will likely carry malware that will infect your system.  Happy traveling.

The IDS Versus IPS Debate

Recently I have been involved in a debate with colleagues regarding the management of IPS (intrusion prevention system) devices versus IDS (intrusion detection system) devices. This debate centers around the level of analysis required when the device alerts on or blocks network traffic. This is an especially salient question in a managed security services (MSS) environment where analysts are responsible for the protection of customer networks and must make decisions as to the validity of an alert generated by an IDS or traffic blocked by an IPS. As it turns out, where you stand on this issue seems to depend on the paradigm through which you view these devices.

IDS systems have been around for many years and are considered a standard part of any good network security system. They typically are deployed in promiscuous mode at strategic points in the network to monitor all traffic. Since they do not have the ability to block traffic, it becomes paramount that someone is available on a 24/7 basis to respond to alerts generated by the IDS. Because false positives are relatively common in a typical IDS deployment, the analyst needs access to network traces to determine if any particular alert is a legitimate attack or simply a false alarm. This is why many companies outsource this responsibility to managed security companies as they do not have the staff available to perform this function themselves.

Analysts who have been performing this job for many years argue that in order to accurately perform these tasks, an IDS must provide detailed packet captures so that they can see what happened to cause the IDS to generate an alert. Moreover, they need to see both sides of the traffic (i.e. traffic to and from the system under attack) in order to make a proper determination. Most IDS systems provide this capability as it is a necessity when dealing with a system that only provides alerting. However, using this information requires a high level of skill and can be very time consuming.

Then the IPS came onto the scene. The IPS is typically an inline device that all traffic must pass through before being sent on to its ultimate destination. This gives the IPS the ability to easily detect and block malicious network traffic. Many enterprises are switching to IPS systems so that rather than just getting alerted to attacks, the device can proactively block them. And if your job is to manage the IPS, you may be wondering how you can perform the analysis you are used to doing for IDS alerts. The short answer is that you don’t have to. When an IPS detects an attack, in most cases it will block it. Of course this is configurable, but the whole point of using an IPS is to block attacks rather than just sending an alert. As such, if the attack is blocked, there is no need to perform any analysis. Only in the event that the IPS is suspected of blocking legitimate traffic (false positive) is analysis required. And the IPS logs will provide plenty of information to determine if a false positive has occurred.

But how do we know that the IPS is blocking/allowing what it is supposed to without any packet captures to verify the traffic? Are we supposed to trust that the IPS vendors will block all bad traffic and allow only the safe traffic? These are the questions the IDS analysts ask. In the IDS world, every alert is investigated by looking at packet captures. False positives can be determined based on this information. In the IPS world, traffic the IPS deems as malicious is blocked. And unless there is a complaint, the analyst doesn’t really need to worry whether it was a false positive. In the case of a false negative (traffic that should have been alerted on/blocked, but was not), the IDS may be able to provide some packet captures for analysis, assuming the analyst is made aware of the attack in a timely manner. However, in most cases this information will come too late to be of any use. More information is likely to be found on the attacked host, which could then be used to configure the IPS to block future similar attacks.
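The IPS logs still have to be looked at somehow, if only to spot the false positives the post says are the one case worth analyzing. The script below is an added example (not from the original post, and not any vendor's log format or rule): it reads block events in a constructed space-separated format and applies an assumed heuristic, that a rule blocking many distinct internal clients against the same one or two servers is a false-positive candidate, while a single external source swept across many internal hosts looks like a genuine attack that needs no further analysis.

```python
"""Triage IPS block logs for false-positive candidates, without packet captures.

Added example, not from the original post. The log format is hypothetical:
  <time> BLOCK sig=<id> name="<rule name>" src=<ip> dst=<ip> dport=<port>
The heuristic is an assumption, not a vendor rule: many internal clients
blocked by one rule toward the same few servers -> review as a possible
false positive; one external source blocked toward many hosts -> attack.
"""
import ipaddress
import re
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed site range
MIN_CLIENTS = 5  # distinct internal sources before a rule is suspect

LOG_RE = re.compile(
    r'^(?P<time>\S+) BLOCK sig=(?P<sig>\d+) name="(?P<name>[^"]*)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$')


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(lines):
    """Yield one dict per well-formed block event; other lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def triage(lines):
    """Return {sig_id: (verdict, rule name, #distinct src, #distinct dst)}."""
    srcs, dsts, names = defaultdict(set), defaultdict(set), {}
    for ev in parse(lines):
        srcs[ev["sig"]].add(ev["src"])
        dsts[ev["sig"]].add(ev["dst"])
        names[ev["sig"]] = ev["name"]
    result = {}
    for sig, name in names.items():
        internal_clients = [s for s in srcs[sig] if is_internal(s)]
        only_src = next(iter(srcs[sig]))
        if len(internal_clients) >= MIN_CLIENTS and len(dsts[sig]) <= 2:
            verdict = "REVIEW_FALSE_POSITIVE"  # pull logs, talk to the app owner
        elif len(srcs[sig]) == 1 and not is_internal(only_src) and len(dsts[sig]) > 1:
            verdict = "LIKELY_ATTACK"          # blocked sweep; no analysis needed
        else:
            verdict = "NO_ACTION"              # isolated block, IPS did its job
        result[sig] = (verdict, name, len(srcs[sig]), len(dsts[sig]))
    return result


# Constructed events (addresses and rule names are made up for the example).
SAMPLE_LOG = [
    f'2008-08-20T09:0{i}:00 BLOCK sig=2001 name="HTTP: oversized header" src=10.0.5.{10 + i} dst=10.1.1.5 dport=443'
    for i in range(6)
] + [
    f'2008-08-20T09:1{i}:00 BLOCK sig=3002 name="SSH: brute force" src=203.0.113.7 dst=10.1.2.{i} dport=22'
    for i in range(8)
] + ['2008-08-20T09:30:00 BLOCK sig=4003 name="SMB: exploit attempt" src=198.51.100.9 dst=10.1.3.4 dport=445']
```

Only the REVIEW_FALSE_POSITIVE rules need an analyst's time, which is the workload reduction the post argues for; the thresholds are starting points to tune per site.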

The IDS has served us well for many years. However, the IPS is quickly replacing the IDS in many organizations, and this affects the management of these systems as well. Fortunately, it will mean less work for the analyst, who will no longer have to investigate every alert generated by the IPS. Concerns about the lack of visibility into the traffic are misplaced, as this is no longer required in the way it is when managing an IDS. Movement to the IPS will ultimately reduce the workload of those responsible for managing these systems, allowing them to focus on other security related issues. This, along with the blocking capability of the IPS, will improve the overall security of networks where they are deployed.

Healthcare Providers Need Security Checkup

It seems like a week doesn’t go by that I don’t read about sensitive patient information being stolen, leaked or otherwise disclosed by a healthcare provider.  In a recent case, staff employed at various healthcare facilities used information obtained from patient records to steal patients’ identities and obtain fraudulent pay-day loans.  In all, the group managed to steal more than $230,000.

Criminals are focusing more and more on healthcare providers because they typically maintain a treasure trove of sensitive information that can be useful for committing identity theft.  This includes social security numbers, credit card information, driver’s license numbers, patient addresses: basically all the information a criminal would need to steal someone’s identity.  And based on my experience, many healthcare providers do not take adequate measures to ensure this information is secured.  This is especially true of small providers, who often fail to understand the risks associated with collecting, storing and transmitting this type of information.

Below is a list of Do’s and Don’ts that all healthcare providers should follow to protect their sensitive patient data.  This is by no means an exhaustive list, but should get you started down the right path.

  1. Don’t collect any sensitive data that you do not absolutely need.  If you don’t need your patients’ SSN, don’t ask for it.  Use other unique patient identifiers.
  2. Don’t transmit any sensitive patient information without using encryption.  This includes diagnosis and treatment information as well as information that could be used by identity thieves.
  3. Don’t share one computer account among all staff simply because it is too much of a hassle to create individual user IDs for each staff member.
  4. Do use appropriate access controls to ensure that staff only have access to the data they need in order to perform their job.
  5. Do make sure all your computers have up-to-date anti-virus and anti-spyware software installed.
  6. Do ensure that your patient data is backed up regularly and that the backups are stored off-site for disaster recovery purposes.
  7. Do perform background checks prior to hiring staff and conduct regular security awareness training to ensure that staff are aware of security and privacy policies.
  8. Don’t assume that HIPAA doesn’t apply to you because it probably does.

Copyright © 2011 InfoSecStuff.com — All Rights Reserved