Recently in Inside Threat Category


Jason Ross's presentation at the Black Hat DC conference addressed the problem of checkbox compliance: companies are using checkbox compliance as an indication that they are secure, when in fact it should be treated as the lowest acceptable level, a baseline. He points out, as others have, that some of the largest compromises of personal information happened at companies that had passed their external PCI audits. Compliance is absolutely worthwhile, since it enforces at least a baseline of requirements, but it should not be treated as a seal that protects you from exploits and non-publicized holes in the grid.
Blackhat SEO

Jason points out the difficulty of detecting malware in enterprise environments: by the time the antivirus sends off an alert about a piece of malware or a virus being seen, it is usually too late and you have already been owned. As Dan Geer pointed out a few years ago at the Gartner Risk Conference, it is hard to get exact metrics on what is happening, because by the time that alert kicks off, 6 other events have already happened that were not detected.

IT and security administrators who have been through some of these malware wars with downloaders and polymorphic attacks know that just because the antivirus says it is cleaning up, there are way too many other things happening. I once saw something interesting: a polymorphic virus was loaded on a system that had Microsoft's development studio on it, and we could watch as the polymorphic virus recompiled other malware from its code that would attempt many ways to infect the machine and other machines quickly, and one time there was a downloader. Even Microsoft writes about recovering the operating system and files from a known state from before this activity started; unfortunately, without a historical view of activity on this node and user, that information and the correlation of events will be difficult.
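To make the point concrete, here is an added example (not code from the original post or from netForensics) of the historical lookback the paragraph above argues for: given a constructed SIEM-style event list, it pulls every non-antivirus event recorded on the same host in the 30 minutes before the antivirus alert fired, and lists the hosts that machine reached over SMB in that window. The field names, the window length and the event records are all assumptions.

```python
"""Reconstruct what already happened on a host before the antivirus alerted.

Added example, not code from the original post or from netForensics. The event
records, their field names and the 30-minute lookback window are constructed
assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample events, roughly what a SIEM would hold for one workstation.
SAMPLE_EVENTS = [
    {"ts": "2009-11-10 08:20:00", "host": "ws-17", "source": "proxy",
     "event": "http_get", "detail": "GET /index.html from intranet"},
    {"ts": "2009-11-10 09:01:12", "host": "ws-17", "source": "proxy",
     "event": "http_get", "detail": "GET /update.exe from 203.0.113.25"},
    {"ts": "2009-11-10 09:01:40", "host": "ws-17", "source": "sysmon",
     "event": "process_create", "detail": "update.exe spawned cmd.exe"},
    {"ts": "2009-11-10 09:02:05", "host": "ws-17", "source": "windows",
     "event": "service_install", "detail": "service wuauclt2 installed"},
    {"ts": "2009-11-10 09:03:30", "host": "ws-17", "source": "firewall",
     "event": "smb_connect", "detail": "445/tcp to ws-18"},
    {"ts": "2009-11-10 09:04:10", "host": "ws-18", "source": "firewall",
     "event": "smb_connect", "detail": "445/tcp to ws-19"},
    {"ts": "2009-11-10 09:15:00", "host": "ws-17", "source": "antivirus",
     "event": "av_alert", "detail": "Trojan.Downloader quarantined"},
]


def parse_ts(text):
    """Timestamps are stored as plain strings; parse them on demand."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def events_before_alert(events, alert, window_minutes=30):
    """Non-antivirus events on the alert's host inside the lookback window,
    oldest first. The antivirus alert is the *last* thing in the chain; these
    are the things that had already happened when it fired."""
    alert_time = parse_ts(alert["ts"])
    start = alert_time - timedelta(minutes=window_minutes)
    prior = [e for e in events
             if e["host"] == alert["host"]
             and e["source"] != "antivirus"
             and start <= parse_ts(e["ts"]) < alert_time]
    return sorted(prior, key=lambda e: parse_ts(e["ts"]))


def alert_timelines(events, window_minutes=30):
    """Map each antivirus alert's detail text to the events that preceded it."""
    return {a["detail"]: events_before_alert(events, a, window_minutes)
            for a in events if a["event"] == "av_alert"}


def smb_peers_before_alert(events, alert, window_minutes=30):
    """Hosts the alerting machine reached over SMB before the alert: the first
    places to look for the infection's next hop."""
    peers = []
    for e in events_before_alert(events, alert, window_minutes):
        if e["event"] == "smb_connect" and " to " in e["detail"]:
            peers.append(e["detail"].split(" to ", 1)[1])
    return peers


if __name__ == "__main__":
    for detail, chain in alert_timelines(SAMPLE_EVENTS).items():
        print(f"{detail}: {len(chain)} earlier events on the same host")
        for e in chain:
            print(f"  {e['ts']} {e['source']:<9} {e['event']:<16} {e['detail']}")
```

Run against the constructed log, the single alert at 09:15 is preceded by four undetected events on the same host (a download, a process spawn, a service install and an SMB connection out to ws-18), which is exactly the "other events" the alert alone never tells you about; the 08:20 proxy hit falls outside the 30-minute window and the ws-18 event belongs to a different host, so both are left out.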

Jason Ross points out that the goal of malware now is to have business support models. The objective is not to be noisy but to very quietly perform its tasks of infecting other hosts and using a network of hosts to make money, with malware like URL Zone and Monkif.

In the presentation he talks about SpiderMonkey, by Didier Stevens, a tool for helping to analyze malcode, and the use of sandnets to isolate malcode in action so that it can be analyzed to determine what it wants to connect to or what services or files it wants to abuse. With polymorphic viruses that constantly change, it is usually interesting to observe them in action in a closed environment.

Years ago, I can't remember the movie name, but the analysts in the movie were collecting them and keeping the code and binaries for sale and redistribution, or modifying them in some way so as not to be detected.

Another point from the presentation is that malcode writers are now writing their code so that it cannot be easily detected by signatures, splitting it into multiple components so that each binary performs only a small function of the code.

via this Black Hat briefing


netForensics will be at HP Universe in Hamburg, Germany this week.

On December 16th through the 18th at HP Universe 2009 we will be featuring how our Information Security Management tools integrate with HP uCMDB and HP Operations Center Management. IT enterprise frameworks, including the OGC's ITIL v3 and ISACA's COBIT 4.1, call for Information Security Management, Change Management, and Service Asset and Configuration Management processes to be implemented across the ITIL Service Lifecycle: Service Strategy, Service Design, Service Transition and Service Operation.

nFX SimOne allows Information Security Management and Operations Management to be closely aligned throughout the Service Lifecycle. By integrating with HP uCMDB, HP Operations Manager (OVO) and Information Security Management (SIEM) tools, organizations get a common view of the relationships between hosts, host resources and applications, together with automatic change history. This gives organizations a common view of the Service Design and its control environment, allowing Information Security Management to create effective event correlation scenarios based on the enterprise framework and business processes, providing effective event management and incident management.

HP UNIVERSE HAMBURG GERMANY 2009



The mission and function of the task force will be to provide advice to the Attorney General for the investigation and prosecution of cases of bank, mortgage, loan and lending fraud; securities and commodities fraud; mail and wire fraud; retirement fraud; tax crimes; false claims; unfair competition; discrimination; and other financial crimes and violations.

Federal Register Executive Order 13519--Establishment of the Financial Fraud Enforcement Task Force

Bankinfosecurity.com's article outlines the comments made by the Attorney General's Office:

"That the nation faces unprecedented challenges in responding to the financial crisis that has gripped the economy for the past year. Mortgage, securities and corporate fraud schemes have eroded the public's confidence in the nation's financial markets and have led to a growing sentiment that Wall Street does not play by the same rules as Main Street."

Recently, in the Brazilian power outage events, even an implied weakness in the controls of critical infrastructure could be used to destabilize financial markets by subverting the controls that are involved in financial trading. There have been conflicting reports about whether the outage was caused by an attack on the controls of its dam's systems. Employees and contractors of the system complained that their paychecks and statements had been modified to include a message from the attackers.

With all of this talk of financial fraud and critical infrastructure vulnerabilities, I could not help but be reminded of the 1983 movie Superman III, where Robert Vaughn's character says "Computers rule the world today and the fellow that rules the computer, rules the world," and Richard Pryor hacks into secret defense systems to ruin the coffee crop for the next 5 years (Superman III: Tornado Scene).

While it all may seem very tongue in cheek and somewhat unrealistic, the simultaneous collapse of the financial markets due to fraudulent transactions, combined with the failure of major SCADA systems, would have a serious effect on a nation's stability. In 2002 the U.S. Naval War College conducted a study that concluded it would probably take about 5 years and cost about 290 million dollars to plan a significant electronic attack.

Digital Steganography: The advantage of steganography over cryptography alone is that messages do not attract attention to themselves.

Infosectoday's article, Digital Steganography: Threat or Hype?, by James E. Wingate, in summary:
Use of steganography will never be detected if no one ever looks for it.

Oct 24, 2008 - Futures halted as trading enters `panic mode` The Financial Post


Banking Using Live CD



Brian Krebs from Security Fix at the Washington Post advises business users to use Live CD operating systems to perform online banking. Live CD distributions are generally free, Linux-based operating systems that one can download and burn to a CD-ROM.

This allows the user to boot the operating system off the CD; everything runs in memory, and when you are done with your transactions, nothing that was performed remains on any disk. The advice is to use the Live CD only for online banking transactions and not to visit other sites.

Brian Krebs also points out that this is not only his recommendation but the recommendation of the Financial Services Information Sharing and Analysis Center (FS-ISAC).

I just want to point out that one needs to be sure where one is acquiring these distributions; simply obtaining one from a download or from an expert does not verify the validity of the distribution, so make sure that you can verify the distribution before running it.

A response noted by "neversaylie":
"Some Windows malware perform DNS spoofing/ARP poisoning/DHCP spoofing, so even a LiveCD won't help you if you're on a network with some infected Windows machines."

So if you are using a Live CD but your DNS or DHCP servers are spoofed, you are still resolving fake addresses for your online banking institution and are not free of man-in-the-middle attacks.

Avoid Windows Bank on Live CD


Neil deGrasse Tyson once said, "To a discoverer all data is valuable, even bad data." When looking at data individually, you may believe that the data is not valuable and does not tell you anything. But when combined with other types of information within a relevant time frame, the information becomes very valuable, and the more layers of information presented, the more useful it becomes.

Some of the most valuable data that you get does not even come from within the realm of logical data gathering. It is the information from outside the logical analysis of data, which brings to mind Sam Walton's expression, "I know what I know but tell me what you know." According to Kevin Mitnick, the most effective approach is to exploit the weakest link -- not operating systems, firewalls or encryption algorithms -- but people. In information security, knowing what is of value, where it is located, who has access to it, and what the trust zones and controls are that allow access to it is core to aligning information security with business goals.

Monitoring perimeter scans for known intruders and bogons is information that we all need, but knowing how a trust zone can be compromised to gain access to valuable or confidential data is critical. It is the continual discovery process, and breaking through the silos of knowledge and control, that will help provide the additional layers needed in developing an effective information security program.

Why is my executive office printer generating HTTPS and FTP outbound traffic to a home ISP DHCP range, or using GoToMyPC?
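The printer question above is answerable only if the asset inventory and the flow data are joined, so here is an added example (not code from the original post or from netForensics) of that join: it reads constructed firewall-style flow lines, keeps only flows whose source is classed as a printer in an assumed inventory, and flags those that initiate HTTPS or FTP to any address outside an assumed corporate range (a home ISP DHCP range would land there). The inventory, address ranges, port list and flow lines are all constructed assumptions.

```python
"""Flag printers that initiate HTTPS or FTP connections to addresses outside
the enterprise.

Added example, not code from the original post or from netForensics. The asset
inventory, corporate address ranges, watched ports and flow lines are
constructed assumptions for illustration.
"""
import ipaddress

# Assumed corporate address space; any destination outside it is "external".
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Assumed asset inventory (what a CMDB would provide): source address -> class.
ASSET_CLASS = {
    "10.1.5.20": "printer",
    "10.1.5.21": "printer",
    "10.1.7.44": "workstation",
}

# Assumed policy: a printer has no reason to initiate these outbound.
WATCHED_PORTS = {443: "https", 21: "ftp"}

# Constructed flow records in a key=value export format.
SAMPLE_FLOWS = [
    "2009-11-10 14:02:11 src=10.1.5.20 dst=10.1.2.9 dport=631 bytes=4096",
    "2009-11-10 14:03:45 src=10.1.5.20 dst=198.51.100.77 dport=443 bytes=2310200",
    "2009-11-10 14:05:02 src=10.1.5.21 dst=203.0.113.8 dport=21 bytes=88120",
    "2009-11-10 14:06:30 src=10.1.7.44 dst=198.51.100.77 dport=443 bytes=10240",
    "2009-11-10 14:08:00 src=10.1.5.21 dst=192.168.3.3 dport=443 bytes=512",
]


def parse_flow(line):
    """Split 'YYYY-mm-dd HH:MM:SS k=v k=v ...' into a dict of typed fields."""
    ts, rest = line[:19], line[20:]
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, "src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"]), "bytes": int(fields["bytes"])}


def is_corporate(addr):
    """True when the address falls inside one of the assumed corporate ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CORPORATE_RANGES)


def printer_egress_findings(flow_lines, asset_class=ASSET_CLASS):
    """One finding per flow in which a printer talks HTTPS or FTP to an external
    address. Internal print traffic (IPP to 10.1.2.9, HTTPS to 192.168.3.3) and
    workstation traffic are ignored; the byte count is carried along because the
    volume is what separates a heartbeat from an exfiltration."""
    findings = []
    for line in flow_lines:
        f = parse_flow(line)
        if asset_class.get(f["src"]) != "printer":
            continue
        if f["dport"] not in WATCHED_PORTS or is_corporate(f["dst"]):
            continue
        service = WATCHED_PORTS[f["dport"]]
        findings.append({
            "ts": f["ts"], "printer": f["src"], "dst": f["dst"],
            "service": service, "bytes": f["bytes"],
            "reason": "printer initiated %s to external host" % service,
        })
    return findings


if __name__ == "__main__":
    for finding in printer_egress_findings(SAMPLE_FLOWS):
        print(finding)
```

On the constructed data two flows are flagged: a 2.3 MB HTTPS session from one printer to an external host and an FTP session from the other. The workstation's HTTPS traffic and the printer's internal connections pass, which is the point of keying the rule on device class rather than on port alone; in a real deployment the device class comes from the CMDB and the "external" test would be refined with whatever address intelligence is available.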


The Korea Herald reports that North Korea is the suspected source of a DDoS attack against South Korean government agencies, banks, and Internet portals. While the network range of the attack may point to North Korea, this may not have been done under the direct orders of the Kim Jong-il government. South Korea believes that the North Korean government has also stepped up its cyber-warfare initiatives, including developing cyber-warfare simulation applications called "100 combat methods." Just as physical weapons have been for sale, are there now botnets and warfare simulators that could be used as tools by those who want a sneak peek at cyber defenses and forensics abilities, kind of like testing radar abilities but from a distributed source, to see at what point the counterattacks begin?

While there have been these types of reports from South Korea suspecting that the DDoS attacks may have originated from North Korea, other professional forensics experts are not ruling out the possibility that the cyber attacks that occurred over the 4th of July holiday need further analysis: they may have been a smoke screen for an intrusion masked in all the noise. This method of disguising a real intrusion with a cloud of DDoS attacks is a known tactic that Managed Security Service providers recognize when looking at distributed attacks. The attackers want to draw everyone's attention to one or many DDoS attacks while a valuable trust has been compromised somewhere else that has nothing to do with the DDoS attack.

AhnLab believes the attacks were a modified version of the MyDoom worm that used botnets to initiate the attack.

Rented botnets seem to be a new use of cloud computing, whether to test defenses, distract attention from what is really taking place, or simply make a political protest.

Links:
govinfosecurity.com
N.K. Combat Unit has 100 hackers
Ahnlab


There has been a lot of discussion about the internal struggle within the Indian intelligence community over implementing Huawei's telecom products throughout India's core infrastructure, and about the views of India's DOT and the government-owned BSNL on the matter.

According to the Economic Times and Gulf Base.com, "The Indian communication ministry has warned state-owned telco BSNL that telecom networks supplied by Chinese equipment major Huawei must be tested for trapdoors, blackboxes, malwares, and also, if it is susceptible to remote hacking before they can be allowed to be operational."

"In fact, Huawei was also the sole company that was shortlisted for BSNL's 25 million lines in Western India, but the PSU now plans to award this contract, worth $1.5 billion, to French-Indian combine Alcatel-ITI. BSNL has identified this as an alternate solution as the telco cannot award this contract to Chinese equipment major Huawei on security grounds as the West zone shares sensitive boundaries with Pakistan."

India is very competitive in the design of telecom components, but China remains the leader in the bulk manufacturing of telecom equipment.

While Huawei is fast becoming one of the world's largest telecom providers to China, India, Africa, and Europe, there remains the concern that the company is linked to Chinese-supported cyber war initiatives funded by the Chinese military.

ZTE, China's second largest telecom provider and the world's 6th largest cell phone provider, is trying to grow its market in the EU. ZTE is now ready to provide China with its approved 3G network. This year China is also coming up with its own 586 billion dollar stimulus package to help its economy. While Huawei is accused of being linked to cyber warfare or cyber intelligence gathering, ZTE has had its share of accusations: in 2007, ZTE was accused of being involved or linked in hacking into some German government files, and there was trouble with a deal with the Philippine government.

It's an interesting contrast: two of the world's fastest growing telecom providers implementing ADSL, WiMAX and LTE networks and 4G phones, or is it an embedded portal for the Chinese military for cyber intelligence gathering? I believe at one time Microsoft was accused of providing cryptology plugins for the NSA, or of the NSA being involved with the development of Vista, and maybe ZTE, Huawei, or anyone else does not have any choice in the matter when it comes to its government's national security concerns. Perhaps it is a 'Cyber Arms Race'; having back doors into some of the world's largest networks is probably too tempting for any intelligence or security agency.

These are some of the risks that nations have to be concerned about regarding their own interests of national security and sovereignty when purchasing software or networking infrastructure. Who is your business partner and what risks are you willing to take? The reality is that, just like our economies, all the networks and software are interconnected.


Today Canada's Public Safety Minister Peter Van Loan said that cyber security is like the new arms race. He said there is not one minute of the day when someone somewhere is not trying to break in to our information systems.

Everyone in information security and information services in this global economy of interconnected services knows that what he said is correct: every minute of every day, someone, or something launched by someone, is analyzing what it can do to break through a trust zone. Chances are your business supply chain is online 24/7, and if you are really analyzing your data and doing your research you know these attacks do not stop. In a matter of minutes, what you once thought was at least up to date could now be openly attacked through newly discovered flaws, and it becomes a race between the grace period before applying new security updates, the testing involved in implementing the new updates, and when there will be a massive outbreak. And then there are the flaws that have not been made public, where you need to convince the LOB managers that these outstanding exposures should be mitigated before the next security update.

Peter Van Loan's comments go on to point out that executive governance of information security practices and procedures is not just coming in the government sector but in the private and public sectors as well.

In the U.S. we have seen mandates from states on the protection of private information, new bills introduced for the forthcoming legislation on information security, the PCI Security Standards for how your information security architecture needs to be structured for payment card applications, and the new Red Flag Law for identity theft.

CTV.CA Story on New Arms Race

At the same time, the U.S. and Canada met to discuss a new partnership to protect against trans-border threats (UPI.com). They discussed:

-- Developing joint threat and risk assessments.

-- Advancing initiatives that manage risk while facilitating movement of legitimate goods and people.

-- Working to ensure that separate systems prevent entry of dangerous goods or people to either country when national laws bar sharing managed risk initiatives.

-- Expanding integrated law enforcement operations along the border and waterways to prevent criminals and terrorists from evading enforcement or harming the two countries.


The Mercury News reports that 160,000 UC Berkeley students' records have been compromised, and about 97,000 of them had links between their health records and their Social Security accounts.

Theft at Berkeley
The server breach began on Oct. 9, 2008, and continued until April 9, 2009, when campus computer administrators performing routine maintenance identified messages left by the hackers.

"Patient privacy and quality care are cornerstones of our services," said Steve Lustig, associate vice chancellor for health and human services. "We are deeply troubled that this breach will concern our current and former clients and want to reassure them that the medical records systems were not touched in this incident."


A Bill to Amend the Federal Power Act - Critical Electric Infrastructure
With more than a trillion dollars' worth of assets, 200,000 miles of transmission lines, and 800,000 megawatts of power serving 300 million people, the electric infrastructure has become increasingly dependent on computer control systems that are now connected, directly or indirectly, to open systems networks. Legislators are concerned that our electric power grid will come under cyber attack by foreign nations or e-social protests, as well as being exposed to EMP (electromagnetic pulse) events. Legislators and the Department of Homeland Security believe that utilities are only reporting a small percentage of their critical infrastructure assets.

The bill states that the Secretary of Homeland Security, working with other national security agencies, will identify threats and vulnerabilities that require immediate proactive correction, and that the DHS will perform ongoing threat and vulnerability assessments. FERC may issue orders or rules needed to protect the critical electric infrastructure and may issue an emergency rule, without prior notice or review, effective for 90 days.

© 2009 netForensics, Inc