Monthly Archives: May 2015

Criminals use IRS website to steal data of 104,000 people

30 May 2015

On 10 June 2014 I wrote my first post on this blog about the eBay data breach, which was published on 21 May 2014. This Thursday, nearly a year later, the Internal Revenue Service (IRS) data breach was made public. Cyber attackers used personal information mined from other attacks, even perhaps from the eBay attack, to breach the “Get Transcript” accounts of more than 100,000 taxpayers.

Jose Pagliery wrote on CNN Money on May 26, 2015: “The IRS said criminals were able to use the Get Transcript service, because they plugged in personal data they had already stolen: Social Security numbers, birthdays, physical addresses and more. They even answered correctly those personal identity verification questions — the ones we all know as being too specific, annoying and difficult to answer ourselves.”

FIDO U2F Security Key

Well said, those identity verification questions are really annoying. And inherently unsafe, as we learned from a Google study published this week.

And yet the obvious solution would be to discard all those questions and to use two-factor authentication instead. For example, a FIDO U2F security key in combination with a one-time PIN or fingerprint would be a nearly unbreakable and cheap solution.

How many data breaches must still take place before organizations seriously start securing their customers’ personal data?

Have a good weekend!

Is Micro-Segmentation the new universal remedy?

28 May 2015

On Saturday, I blogged about globally defined service accounts and their impact on the attack surface. In my opinion, rigorous avoidance of globally defined service accounts, combined with the concept of trusted administration zones, is an effective means to boost IT security.

In the past month I was involved in discussions about network segmentation, which is a common means to increase IT security. The relatively new and less widespread micro-segmentation technology is hailed as a universal remedy.

Let me quote briefly from the VMware white paper ‘Data Center Micro-Segmentation, A Software Defined Data Center Approach for a “Zero Trust” Security Strategy’:

“Micro-segmentation of the data center network can be a huge help to limit that unauthorized lateral movement”

That’s true, but if you use globally defined service accounts to administer the systems in segmented networks, the ‘huge help’ will be considerably smaller. This is because services such as Active Directory operate on network layers where segmentation has no impact.

The old rule still applies: Isolated security measures do not necessarily increase the overall security level.

But the combination of network segmentation with strict avoidance of globally defined service accounts and trusted administration zones will make the difference.

Have a good day!

Some thoughts about ‘Mitigation strategies for data-wiping malware’

21 May 2015

In the article ‘Mitigation strategies for data-wiping malware’, published on Security Think Tank in January 2015, Peter Wenham talks about mitigation strategies for data-wiping malware.

Peter’s proposals for creating a prevention strategy, training and strict refusal of local administrator access for employees, can be implemented quickly and at a fair price.

To complement this, companies should add a trusted zone concept for administrative tasks. A server administrator should never sign in to a server from a system at a lower trust level, e.g. from the laptop he uses to connect from outside the company network to a server. A trusted admin zone concept will prevent the lateral drift of attackers within the company network once they have gained access through e.g. a phishing attack and a RAT (Remote Access Trojan).

Have a good day!

Security often falls by the wayside if availability is a priority

16 May 2015

When we talk about information security we often forget printing. We add labels like ‘Confidential’ or ‘Top secret’ to documents to make it clear to everyone that these documents contain the company’s crown jewels. But when it comes to printing, the printouts stay in the printer output bin, sometimes for days, accessible to everyone.

Fortunately, most printer vendors have developed secure print systems to support users in the secure handling of information. In a secure print system documents are not output immediately when printed by the user. Instead, they are cached by the print service and output only when the user requests them.

Before the user can request a printout he has to sign in to the printer with his username and password. Since it is very annoying to sign in for every printout, users can register their ID cards or special printing cards to speed up the output process. As a fallback, e.g. if the user forgot his ID card, signing in with username and password is possible.

Secure Printing Threat Model

If a user requests a printout, he places his ID card on the card reader attached to the printer. The built-in Authentication Manager (AM) sends an Authentication Request [1] to the Authentication and Authorization Manager (AAM). The AAM checks against the Active Directory whether the user is valid [2] and against the ID-Card Database [3] whether the ID card is valid and registered. Upon successful authentication the AM notifies [4] the Print Manager (PM). The PM on the printer retrieves a list of the user’s print jobs from the Print Service and prints either the selected jobs or all of them.

This works perfectly. And since every document is cached by the print service and sent to the printer only on request, users can request printouts on every printer attached to the secure printing system.

Unfortunately, documents cannot be output when the network connection to, e.g., the Authentication and Authorization Manager is not available. And this is a real disaster!

To boost availability the secure print system suppliers introduced the local credential cache [7]. After a successful sign-in to the printing system the user’s credentials and badge number [6] are cached in the printer. If the connection to the AAM service is down, the system authenticates the user against the locally cached credentials. Great!

But with the local credential cache the suppliers built a weakness into the system. If a terminated user could disrupt the network connection to the AAM, he could use the secure printing system with the credentials stored on the printer.

To securely terminate an employee you need to disable his ID card and his Active Directory account immediately. This will make sure that he can no longer access the secure printing system.

In addition, you should clear the user’s credentials from every printer he used for secure printing to make sure that he cannot access the secure print system in the case of a system failure.
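
The offline fallback and the cache purge described above, modelled as an added example (not code from any print vendor or from the original post). The class names, badge numbers, the `purge` method and the eviction on an online denial are hypothetical.

```python
from dataclasses import dataclass, field

class AAMUnavailable(Exception):
    """The printer cannot reach the AAM service."""

@dataclass
class AAM:
    """Hypothetical central service: directory accounts plus badge database."""
    active_accounts: set
    badges: dict                       # badge number -> username
    online: bool = True

    def authenticate(self, badge):
        if not self.online:
            raise AAMUnavailable()
        user = self.badges.get(badge)
        return user if user in self.active_accounts else None

    def terminate(self, user, printers=()):
        """Disable account and badge, then purge the user from printer caches."""
        self.active_accounts.discard(user)
        self.badges = {b: u for b, u in self.badges.items() if u != user}
        for printer in printers:
            printer.purge(user)

@dataclass
class Printer:
    aam: AAM
    cache: dict = field(default_factory=dict)    # local credential cache

    def sign_in(self, badge):
        try:
            user = self.aam.authenticate(badge)
        except AAMUnavailable:
            return self.cache.get(badge)    # offline fallback: no revocation check
        if user is None:
            self.cache.pop(badge, None)     # assumption: an online denial evicts the entry
        else:
            self.cache[badge] = user
        return user

    def purge(self, user):
        self.cache = {b: u for b, u in self.cache.items() if u != user}

def offline_access_after_termination(purge_caches):
    """Return who the printer accepts for a terminated user's badge while the AAM is down."""
    aam = AAM({"alice", "bob"}, {"1001": "alice", "1002": "bob"})   # constructed data
    printer = Printer(aam)
    printer.sign_in("1002")                 # bob prints once and is cached
    aam.terminate("bob", [printer] if purge_caches else [])
    aam.online = False                      # connection to the AAM fails
    return printer.sign_in("1002")
```

Without the purge the printer still accepts the terminated user's badge during the outage; with it, the sign-in is refused.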

At this point at the latest, a risk evaluation makes sense. Under normal conditions it is very unlikely that an employee without administrative privileges could disrupt the connection to the AAM. Thus the risk is low that an employee without administrative privileges can exploit this weakness.

But it is necessary to check the workflows for terminating employees. Since an employee can reach the secure print system by logging in with his username and password, it is very important to disable the account immediately. This will prevent unauthorized access.

If you have already introduced a secure printing system, I strongly recommend restarting the risk evaluation process for your printing system and checking the processes for terminating employees.

Don’t panic…

… and have a good weekend.

An ISO 27001 Certification is worth every dollar

15 May 2015

Some weeks ago I took part in an ISO 27001 Foundation training. The students were all IT professionals, some of them involved in certification projects. Many of them complained about the high effort in getting certified.

Certification is often seen as a pure cost factor, in particular information asset classification. But once you have identified and classified the information assets the entire organization can start working smarter. Let me show this by means of two examples.

Since you know exactly who is responsible for an information asset, you know the information owner and who is able to grant access to an asset if required. The onboarding process for employees is simplified because, based on the job description, access to the relevant information assets can be granted much more easily. The same is true for the offboarding process or the transfer of employees.

Your IT organization knows exactly which information assets are stored and processed on which IT systems. In the case of a new vulnerability you know exactly which systems have to be patched first. Thus IT organizations can focus again on their primary role as business enabler.

From my point of view an ISO 27001 certification is worth every dollar. It’s just a question of the right marketing…

Have a good day.

A mere detection strategy will fail in the defense of cyber-attacks. Just like a mere prevention strategy.

10 May 2015

The article ‘Falling Off the End of the Cyber Kill Chain’, published by Anup Ghosh, Founder and CEO at Invincea, in the May edition of The Cyber Intelligencer, is worth reading and commenting on.

For years now, detection has been praised by all cyber defense experts and system vendors as the spearhead in the defense against cyber-attacks. Gartner Security Analyst Neil MacDonald puts it succinctly in his tweet: ‘Prevent you may, Detect you must!’

Just set up a SIEM system and record any events from any server, database, firewall, application server, network, etc. With big data methods your data scientist will find every small hint of a cyber-attack in this universe of data, in the best case only some minutes after the attack happened, in the worst case some months later or never. In the meantime the cyber attackers will quietly copy your intellectual property.

A mere detection strategy in the defense of cyber-attacks is doomed to failure, just like a mere prevention strategy.

Just a short example. Let us assume that your Windows 2012 member servers are well protected, with the latest security features configured and the latest patches installed. One of your administrators becomes a victim of a phishing attack. An attacker steals the password for the administrator account of one of your member servers and signs in to the system. He debugs the LSASS process to get access to the password hashes or the plain text password or runs a DLL injection attack against the LSASS process.

Both events are recorded in the event log of the member server. Both events are hints of cyber-attacks and must be investigated immediately. But it is very likely that these events are never investigated because no one checks the logs in time.

But if your SIEM system regularly collects the critical events from your member servers, the attacks are detected within minutes and proper measures can be taken.
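
One way to implement the collection-side check for the two LSASS events, as an added example that is not part of the original post. It assumes the member servers forward Sysmon events (ID 10 ProcessAccess, ID 8 CreateRemoteThread) as JSON lines; the records, the `id`/`host`/`time` field layout and the allowlist are constructed.

```python
import json

PROCESS_VM_READ = 0x0010       # Windows process access right: read memory
PROCESS_VM_WRITE = 0x0020      # Windows process access right: write memory
LSASS = r"c:\windows\system32\lsass.exe"
# Constructed allowlist of sources expected to touch LSASS (lower case).
ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}

# Constructed sample records, one JSON object per line.
SAMPLE = r'''
{"host":"srv01","id":10,"time":"2015-05-10T09:14:02Z","SourceImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1000"}
{"host":"srv02","id":10,"time":"2015-05-10T09:15:40Z","SourceImage":"C:\\Users\\admin\\AppData\\Local\\Temp\\tool.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1010"}
{"host":"srv02","id":8,"time":"2015-05-10T09:16:05Z","SourceImage":"C:\\Users\\admin\\AppData\\Local\\Temp\\tool.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe"}
{"host":"srv03","id":10,"time":"2015-05-10T09:17:11Z","SourceImage":"C:\\Program Files\\Windows Defender\\MsMpEng.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1410"}
{"host":"srv03","id":10,"time":"2015-05-10T09:18:30Z","SourceImage":"C:\\Users\\admin\\AppData\\Local\\Temp\\tool.exe","TargetImage":"C:\\Windows\\System32\\notepad.exe","GrantedAccess":"0x1010"}
'''

def lsass_alerts(lines, allowlist=ALLOWLIST):
    """Return (time, host, source, reason) for each suspicious access to LSASS."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("TargetImage", "").lower() != LSASS:
            continue                       # only LSASS is of interest here
        src = ev.get("SourceImage", "")
        if src.lower() in allowlist:
            continue                       # known-good source, e.g. the AV engine
        if ev["id"] == 8:
            reason = "remote thread created in LSASS"
        elif ev["id"] == 10 and int(ev["GrantedAccess"], 16) & (PROCESS_VM_READ | PROCESS_VM_WRITE):
            reason = "LSASS memory opened for read/write"
        else:
            continue                       # e.g. query-only handle, no memory access
        alerts.append((ev["time"], ev["host"], src, reason))
    return alerts
```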

In my opinion a successful defense strategy requires a finely balanced mixture of both detection and prevention. SIEM comes into play when all other protection measures have failed. It should be neither the first nor the sole line of defense.

Take care!

Back door Linux/Cdorked.A – An old friend returns

7 May 2015

Yesterday evening I found the link ‘Hackers open malware backdoor in Apache webservers’ in my email. In this E-Guide Warwick Ashford talks about a new threat named Linux/Cdorked.A that targets Apache web servers. Although the back door Linux/Cdorked.A has been known for years, the attack vector is still not known. In addition, Linux/Cdorked.A appears to be hard to detect because

‘All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis.’

I fully agree, this behaviour makes it really hard to detect the back door. Nevertheless, sometimes it is required to restart a server or at least the httpd daemon. If the backdoor lived only in memory, it would not survive the next restart. To become persistent it is necessary that the httpd executable is modified. And this is the weak point of the back door.

If set up on a clean Linux installation and well configured and maintained, integrity checkers like AIDE or OSSEC are able to detect changes to any executable. However, most important is that the log files written by the integrity checkers are regularly checked for integrity breaches, and that alarms are processed immediately. And this is the weak point of system administration.

Don’t panic… and focus on the right and important things.
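
What such an integrity check does for a modified httpd executable, as an added example: this is a stand-in written for this page, not AIDE, OSSEC or code from the original post. The file is a temporary dummy named `httpd`, and the key and the HMAC seal on the baseline are assumptions of the example.

```python
import hashlib, hmac, json, os, tempfile

def fingerprint(path):
    """SHA-256, size and permission bits of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}

def make_baseline(paths, key):
    """Record fingerprints on a clean system and seal them with an HMAC."""
    body = json.dumps({p: fingerprint(p) for p in paths}, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def verify(baseline, key):
    """Return a list of findings; an empty list means nothing changed."""
    expected = hmac.new(key, baseline["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["mac"]):
        return ["BASELINE TAMPERED"]       # the reference data itself was altered
    findings = []
    for path, old in json.loads(baseline["body"]).items():
        if not os.path.exists(path):
            findings.append(f"{path}: missing")
            continue
        new = fingerprint(path)
        changed = sorted(k for k in old if old[k] != new[k])
        if changed:
            findings.append(f"{path}: changed {', '.join(changed)}")
    return findings

def demo():
    """Baseline a dummy httpd, replace it with same-sized content, re-check."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as d:
        httpd = os.path.join(d, "httpd")
        with open(httpd, "wb") as f:
            f.write(b"original binary")
        base = make_baseline([httpd], key)
        clean = verify(base, key)
        with open(httpd, "wb") as f:
            f.write(b"trojaned binary")    # same length, different content
        return clean, verify(base, key)
```

The findings list only helps if someone reads it, which is the point of the paragraph above: feed it into whatever raises alarms rather than leaving it in a log file.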

A Program in a Program in a Program

2 May 2015

In the past weeks I did a lot of security assessments for complex applications. I always use the Socratic Method, i.e. dialogues in small groups with subject matter experts (SME) and support from infrastructure specialists where required. No rocket science! The only new, but important, thing is that we look at the applications from the malicious insider’s view.

And, for sure we do a 360-degree assessment which includes

  • People, Processes, Technology,
  • Servers, Middleware, Databases,
  • Interfaces to other Applications and to Infrastructure systems.

Our talks were very fruitful. And it was amazing to see how fast people became familiar with the malicious insider’s view.

When it comes to the secure operation of databases, lots of experts from various disciplines are involved because the database is a complex application in itself. Hardening a database without hardening the underlying operating system, the application and the middleware makes no sense. Security standards have to be defined and implemented for servers, databases and application components to achieve a good overall security level. Moreover, security standards must undergo continuous development because the threat situation is developing fast.

Thus an application security program comprises nested programs for the building blocks of applications.

For each building block security baselines have to be defined in interdisciplinary teams.

In addition a team of innovators is required for continuous development of the baselines.

And a knowledge management team is required to make sure that all teams share their knowledge of threats, lessons learned from major data breaches and mitigation best practice.

In particular, knowledge management is one of the weak points of many security programs…

Have a good weekend!