Archive for June, 2006

Opinion – Personal responsibility and data theft

Tuesday, June 27th, 2006

The Security Catalyst’s Security Round Table – Episode 2 podcast, focused on data theft.

The focus of the conversation turned to individual responsibility. Should individuals be responsible for the theft of the data?

My opinion? I wholeheartedly agree.

My background as an economist says to hit them where it hurts. For a public company, hitting the bottom line hurts the most. For government officials, money may not be as important as position (I assume CEOs make more than government officials).

But what hurts both? Jail time!

I still think that very high fines for public companies would be very effective, but I’m not sure that same philosophy works for governmental organizations who might just work to increase their appropriations to cover their stupid mistakes.

We’ve already seen criminal liability à la Sarbanes-Oxley. Perhaps it is time to extend that to the protection of personal information.

How do we extend this internationally? What happens if a German company loses data on American customers? Good question. I’ll leave this to the lawyer-types.

But accountability is the key. I cannot influence how my personal information is used or abused, so responsibility for keeping it safe must be applied to those who are in possession of that information.

Bill

Secunia - Internet Explorer Unspecified Automatic .HTA Application Execution (SA19378)

Monday, June 26th, 2006

From the advisory:

The vulnerability is caused due to an unspecified error when handling .HTA applications and allows execution of the .HTA application on the user’s system without any user interaction when e.g. visiting a malicious web site.

Um, why does my browser execute anything without asking? IE does not have a setting to disallow execution of HTA applications…

Wow. Who owns your box?

Bill

Opinion - Arbitrary code execution

Monday, June 26th, 2006

Come to think of it, why am I an administrator on the local machine?

I set up a computer for my girlfriend a few months ago.

I created two accounts, one with administrative rights, and one without.

She uses the “without” account for daily work, and we use the admin account when we need to install software.

This seems like a good step.

Linux distributions that I’ve used facilitate this by default.

When will Microsoft do this?

Bill

US-CERT - Microsoft IP Source Route Vulnerability (VU#722753)

Monday, June 26th, 2006

From US-CERT:

I. Description
Source routing is a technique to determine the network route for a packet based on information supplied by the sender in the IP packet. The TCP/IP driver in some versions of Microsoft Windows contains a buffer overflow in the handling of packets with source routing information. The driver fails to validate the length of a message before it is passed to an allocated buffer. Microsoft states that IP packets containing IP source route options 131 and 137 could be used to initiate a connection with the affected components.
II. Impact
A remote attacker with the ability to supply a specially crafted packet may be able to execute arbitrary code on an affected system. The attacker-supplied code would be executed with kernel privileges.

Umm…

When is the last time there was an overhaul of the IP protocol? How long has this bug been in the code? Is someone smoking CRACK!?

Remember, the network protocol stack runs with kernel rights.

Own the kernel and you own the box, at a level where antivirus and other host-based intrusion detection systems are useless.
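The length check the advisory describes as missing, as an added example in C that is not from the original post, from US-CERT, or from Microsoft's driver: a minimal IPv4 option walker that refuses any option whose declared length runs past the header before it copies source-route hops into a fixed-size buffer. Option codes 131 (LSRR) and 137 (SSRR) are the ones the advisory names; the three sample headers are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IPv4 option type codes (RFC 791). 131 and 137 are the ones the advisory names. */
#define IPOPT_EOOL 0     /* end of option list */
#define IPOPT_NOP  1     /* single-byte padding */
#define IPOPT_LSRR 131   /* loose source and record route */
#define IPOPT_SSRR 137   /* strict source and record route */

/* A 60-byte header leaves 40 bytes of options: at most (40 - 3) / 4 = 9 hops. */
#define MAX_ROUTE_HOPS 9

struct source_route {
    uint8_t type;                      /* IPOPT_LSRR or IPOPT_SSRR */
    uint8_t pointer;                   /* offset of the next hop, >= 4 */
    uint8_t nhops;
    uint8_t hops[MAX_ROUTE_HOPS][4];   /* addresses as they appear on the wire */
};

enum sr_result { SR_OK = 0, SR_NONE = 1, SR_BAD_HDR = -1, SR_BAD_OPT = -2 };

/* Walk the options of an IPv4 header and extract a source-route option if present.
 * Every read is bounded by the header length (IHL), which is itself bounded by the
 * number of bytes actually received, so a lying length byte cannot take us past
 * the packet or past the fixed-size hops[] array. */
int parse_source_route(const uint8_t *pkt, size_t len, struct source_route *out)
{
    if (len < 20) return SR_BAD_HDR;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if ((pkt[0] >> 4) != 4 || ihl < 20 || ihl > len) return SR_BAD_HDR;

    size_t off = 20;
    while (off < ihl) {
        uint8_t type = pkt[off];
        if (type == IPOPT_EOOL) break;
        if (type == IPOPT_NOP) { off++; continue; }

        /* every other option carries a length byte, and that byte must exist */
        if (off + 1 >= ihl) return SR_BAD_OPT;
        size_t olen = pkt[off + 1];

        /* the check the advisory says was missing: the option must fit in the header */
        if (olen < 2 || off + olen > ihl) return SR_BAD_OPT;

        if (type == IPOPT_LSRR || type == IPOPT_SSRR) {
            /* type, length, pointer, then whole 4-byte addresses */
            if (olen < 3 || (olen - 3) % 4 != 0) return SR_BAD_OPT;
            uint8_t ptr = pkt[off + 2];
            if (ptr < 4) return SR_BAD_OPT;

            out->type    = type;
            out->pointer = ptr;
            out->nhops   = (uint8_t)((olen - 3) / 4);   /* <= MAX_ROUTE_HOPS by construction */
            memcpy(out->hops, pkt + off + 3, olen - 3);  /* at most 36 bytes */
            return SR_OK;
        }
        off += olen;
    }
    return SR_NONE;
}

/* Constructed sample headers (no payload). */

/* IHL = 8 (32 bytes): base header + LSRR (len 11, pointer 4, two hops) + EOOL. */
const uint8_t sr_good_pkt[32] = {
    0x48, 0x00, 0x00, 0x20,  0x00, 0x00, 0x00, 0x00,
    0x40, 0x06, 0x00, 0x00,  0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02,
    0x83, 0x0b, 0x04,  0xc0, 0xa8, 0x01, 0x01,  0xc0, 0xa8, 0x02, 0x01,  0x00
};

/* Same header, but the LSRR length byte claims 40 bytes where only 12 remain. */
const uint8_t sr_bad_pkt[32] = {
    0x48, 0x00, 0x00, 0x20,  0x00, 0x00, 0x00, 0x00,
    0x40, 0x06, 0x00, 0x00,  0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02,
    0x83, 0x28, 0x04,  0xc0, 0xa8, 0x01, 0x01,  0xc0, 0xa8, 0x02, 0x01,  0x00
};

/* Plain 20-byte header, no options at all. */
const uint8_t sr_plain_pkt[20] = {
    0x45, 0x00, 0x00, 0x14,  0x00, 0x00, 0x00, 0x00,
    0x40, 0x06, 0x00, 0x00,  0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02
};

int main(void)
{
    struct source_route sr;
    printf("good:  %d\n", parse_source_route(sr_good_pkt, sizeof sr_good_pkt, &sr));
    printf("bad:   %d\n", parse_source_route(sr_bad_pkt, sizeof sr_bad_pkt, &sr));
    printf("plain: %d\n", parse_source_route(sr_plain_pkt, sizeof sr_plain_pkt, &sr));
    return 0;
}
```

Drop the `off + olen > ihl` test and a copy of `olen - 3` bytes driven by the attacker's length byte reads past the 12 bytes the bad sample actually carries, or overruns `hops[]` once the length is large enough; that is the shape of defect the advisory describes, and it is the line a "critical code" reviewer should be looking for in every option, TLV and length-prefixed parser the stack contains.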

In my previous post I gave a few recommendations on how to improve code security.

Here’s another:

  • Implement a “critical code” team responsible for the parts of the system that must meet extraordinary security requirements

Organizations should provide full training and resources for this group. Attempt to achieve CMMI level 4 or 5 for software development. This group should have the ability to halt a release if a critical flaw is suspected.

I pay you.

Bill

US-CERT - Microsoft Hyperlink Object Library stack buffer overflow (VU#394444)

Monday, June 26th, 2006

If this weren’t funny, it would be sad: http://www.kb.cert.org/vuls/id/394444

I give Microsoft a lot of credit.

They have millions if not billions of lines of code to maintain. Errors are bound to creep in. Bugs are going to be discovered.

But for the love of God and all that is holy, a buffer overflow!

In 2006, there is absolutely no excuse for a buffer overflow in production code. Beyond basic software engineering skills training, there are automated tools to check for overflows.

If you are serious about security, as Microsoft claims to be, you would institute a few changes (5 years ago, when they first started talking about security would have been a good time…).

  • Develop coding best-practices checklists that identify possible trouble statements (scanf) and ways to avoid them
  • Institute software inspection regimen to precede any introduction of code into the source tree
  • Adopt policies that reward developers who have the fewest bugs, and provide incentives for developers who have work to do in this area
  • Employ automated tools to assist in the search for overflows and other common code-level vulnerabilities
  • Employ automated tools that search for run-time vulnerabilities
  • Develop significant test case libraries and harnesses for both of the above
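The scanf item on the checklist, as an added example in C that is not the post's own code and has nothing to do with the Microsoft component in the advisory: the unbounded form beside a bounded one that generates the field width from the buffer size and rejects, rather than silently truncates, a token that would not fit. The sample inputs are constructed here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Buffer geometry in one place, so the format width cannot drift from the buffer. */
#define NAME_LEN 15                       /* characters the buffer can hold */
#define NAME_MAX (NAME_LEN + 1)           /* plus the terminating NUL */
#define STR_(x) #x
#define STR(x)  STR_(x)

/* Deliberately vulnerable, kept only as the "trouble statement" the checklist
 * flags: "%s" has no width, so a token longer than NAME_LEN bytes overruns
 * out[] on the stack of whoever declared it. Not exercised below. */
int read_name_unsafe(const char *input, char out[NAME_MAX])
{
    return sscanf(input, "%s", out) == 1;
}

/* Hardened replacement.
 *  - the width is generated from NAME_LEN, so the bound follows the buffer;
 *  - the trailing "%c" reports what stopped the conversion: if it is not
 *    whitespace (or end of input) the token was longer than the buffer and
 *    is rejected outright, because silent truncation swaps one bug for another. */
int read_name_safe(const char *input, char out[NAME_MAX])
{
    char next = 0;
    int n = sscanf(input, "%" STR(NAME_LEN) "s%c", out, &next);   /* "%15s%c" */
    if (n < 1) return 0;                              /* no token at all */
    if (n == 2 && !isspace((unsigned char)next)) {    /* token did not fit */
        out[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    /* constructed inputs: a short name, one that exactly fills the buffer,
     * and one character too many */
    const char *samples[] = { "alice", "abcdefghijklmno", "abcdefghijklmnop" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char name[NAME_MAX];
        int ok = read_name_safe(samples[i], name);
        printf("%-18s -> %s%s\n", samples[i], ok ? "accepted: " : "rejected", ok ? name : "");
    }
    return 0;
}
```

The same pattern (width bound derived from `sizeof`, over-long input refused rather than clipped) is what a coding checklist should demand of every `scanf`, `strcpy`, `strcat` and `sprintf` call; the automated overflow checkers on the list are good at flagging the unbounded forms, but only a reviewer decides whether truncation or rejection is the right behaviour for a given field.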

Can this be done and still bow to your shareholders who want timely deliveries of products?
I assert that YES it can!

Without getting into it too deeply, the end game is that the time you would have spent on post-launch bug fixing and redeployment is spent earlier in the software lifecycle instead.

Removing bugs before they are introduced takes a fraction of the time it takes to remove them after the code is in production.

By getting smart, you can actually deploy products, bug-free, on time or even ahead of schedule.

I point readers to a few key resources:

  • “Rapid Development” and “Code Complete” by Steve McConnell - actually, read all of his books :) - Excellent books on software engineering methodology in today’s business climate.
  • “Software Release Methodology” by Michael Bays - details on the full lifecycle as relates to deploying software.
  • PSP and TSP (Personal and Team Software Process) books by Watts Humphrey. Become a great coder.

There are also some great texts on software testing, and I urge you to read as many as you can.

Don’t trust code. Verify.

Bill

Dan Kaminsky speaking at DEFCON 13 available in iTunes

Monday, June 19th, 2006

Do an iTunes podcast search for DEFCON to find the feed. Get the video version posted by The Dark Tangent.

If you use a computer, you probably would benefit from this video.

Bill

Call for papers for the Journal of Digital Forensics, Security and Law (JDFSL)

Monday, June 19th, 2006

The following is from the ADFSL listserv…

This is a call for papers for the Journal of Digital Forensics, Security and Law (JDFSL).

To be considered for the third issue of the journal, submissions should be received by midnight (EDT) of Monday, July 31, 2005

We thank those who have already submitted articles and we are now beginning the review process.

More information on this call for papers is available at:
http://www.jdfsl.org/call-for-papers.htm.

The JDFSL is calling for papers in, or related to, the following topic areas:

1) digital forensics curriculum
2) cyber law curriculum
3) information assurance curriculum
4) accounting digital forensics curriculum

5) digital forensics teaching methods
6) cyber law teaching methods
7) information assurance teaching methods
8) accounting digital forensics teaching methods

9) digital forensics case studies
10) cyber law case studies
11) information assurance case studies
12) accounting digital forensics case studies

13) digital forensics and information technology
14) cyber law and information technology
15) information assurance and information technology
16) accounting digital forensics information technology

Manuscripts should be submitted for blind review at the following link:
http://www.jdfsl.org/submission.asp.

Manuscripts may also be submitted to editor@jdfsl.org in Word, Word Perfect, RTF, or PDF format. In special circumstances papers will be accepted in paper format, but this may considerably delay the review of the paper. Authors are advised to contact the Editor before submitting hard copy.

The mission of JDFSL is to publish original research and comments about digital forensics and its relationship to security and law. Contributions are particularly welcome which analyze the results of interdisciplinary research. Publications will include the results of research and case studies that advance the curriculum, practice and understanding of digital forensics methods and techniques to support efficient and effective investigations.

The primary audience will include individuals who are interested in developing curriculum and teaching methods as well as conducting research related to the areas of digital forensics, security and law. This new journal will be of value to both academic and practitioner audiences.

Gary McGraw interviews Dan Geer

Friday, June 16th, 2006

In his Silver Bullet Security Podcast, Gary McGraw, CTO of Cigital, recently interviewed Dan Geer of Verdasys.

First, a discussion of the evolution of the Risk Management field of information security.

  • A focus on risk management has moved into the business mindset… Businesses are realizing the dollar value of the information they hold.
  • A relatively new phenomenon, workers with formal education in information security are beginning to enter the field

Dan discusses his paper: Cyber Insecurity, the Cost of Monopoly (PDF), which addresses the tradeoff between diversity and homogeneity.

Dan describes the uselessness of the concept of “security through obscurity.” (Bravo!) He asserts that we must assume people will cause a system to fail in some way. His advice: plan to reduce the cost of recovering from a failure. Mean time to repair beats mean time to failure. He doesn’t argue that MTTF should be forgotten; the focus must be on both sides.

Gary and Dan discuss secure software engineering, a topic of particular interest to me.

  • Dan identifies a “security product” as anything that has “sentient components,” i.e., something that someone will actively try to break into.
  • Software security requires monitoring. The development process, the testing process, and the execution of the software must be actively monitored by people and processes.

Finally, the two discuss data security:

  • The value of a corporation’s data is growing.
  • The cost of the data exceeds the cost of the systems that house it.
  • The total volume of data is increasing exponentially (à la Moore’s Law).
  • Other security concerns pale in comparison to the “cost” of data theft because of the volume and value of the data.

Great interview Gary, I look forward to the next installment.

Bill

Stolen personal info poses a bigger risk than ID theft

Friday, June 16th, 2006

From SANS NewsBites:

Energy Dept. Officials Learn of Data Security Breach Months After the Fact (9 June 2006)
Senior Energy Department officials learned on June 7 that a cyber intruder stole a file containing names and Social Security numbers (SSNs) of 1,500 workers at the Energy Department’s nuclear weapons agency from a computer system at the National Nuclear Security Administration (NNSA). The breach occurred in September 2005. Although NNSA administrator Linton Brooks learned of the breach in September, he maintains he did not know whose job it was to inform Energy Secretary Samuel Bodman or Deputy Energy Secretary Clay Sell. Secretary Bodman has directed that the individuals affected by the data theft be notified immediately; no effort to notify them had been made before.

One take from SANS was that more attention needs to be paid to security implications of remote workers.

My take is a little different.

If you want to hurt the US, you target its critical capabilities.

My concern is that these names were stolen to:
1) provide an inside track for social engineering
2) provide a means of impersonating a valid user in a targeted system attack.

You can discover for yourself what the National Nuclear Security Administration (NNSA) does. I imagine that the 1,500 or so employees have access to data we probably don’t want the average Joe to have access to.

The threat here far exceeds identity theft.

Bill

Bluetooth security

Tuesday, June 13th, 2006

A fellow student in my Master’s degree program did a research project on the security of Bluetooth.

Bluetooth is installed in everything under the sun now… Phones, PDAs, laptops, wristwatches and toasters all have integrated Bluetooth.

If you have a Bluetooth technology enabled device, this read is a must. You must take the time to secure your device, and I’ll take the time to pray for you.

This is one of the tips on the aforementioned US CERT site:
http://www.us-cert.gov/cas/tips/ST05-015.html

Bill