Archive for September, 2008

Defense Ministry’s Cyber Network Is Hacker-Proof - hmm

Saturday, September 6th, 2008

Quoting selectively from The Korea Times’ article:
Defense Ministry’s Cyber Network Is Hacker-Proof

A Defense Ministry spokesman assured Tuesday that the department’s cyber-security system is “hacker-proof,” adding that its intra-net computer data network is detached from the external Internet.

But Defense Ministry spokesman Won Tae-jae told local reporters during a press briefing Tuesday that the ministry’s intra-net network is not connected to the external Web, “so that outsiders can’t approach the internal network through the Internet.”

And regarding computers with Web access, “we have been instructing our staff not to store any military data on those computers. Also, our staff members are not allowed to use programs like word-processing on Internet-enabled computers,” the spokesman said. “We are also constantly monitoring our network and the Web-enabled computers.”

I don’t know what self-respecting security professional would ever make a claim that any piece of electronics is “hacker proof.”

I mean, someone hacked a damn coffee maker, for Christ’s sake.

And as for physical separation of networks: yeah, it’s great in theory.

But what about: “Malware infects space station laptops”?

It’s hard to get more physically isolated than being on the International Space Station 200 miles into outer space.

Learning from the Oracle debacle, perhaps one might be tempted to make such a claim if their intent was to draw a lot of attention from hackers/crackers in order to test and improve defenses.

Something tells me that’s not what the Defense Ministry meant.

Bill

Security is insurance, not an investment - no ROI

Friday, September 5th, 2008

Bruce Schneier summarizes and expands on the discussion from several security professionals in his post, “Security ROI” - quoting parts:

“ROI” as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It’s an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn’t make sense in this context.

And a company should implement only security countermeasures that affect its bottom line positively. It shouldn’t spend more on a security problem than the problem is worth. Conversely, it shouldn’t ignore problems that are costing it money when there are cheaper mitigation alternatives.

I don’t necessarily agree that you should see a direct impact on your bottom line as the result of a security investment. I believe security investment is more like insurance, where there may be no direct cost savings but a reduction in potential cost. I also like the insurance analogy because I think most non-security people can quickly grasp this analogy.

Let me explain.

As Bruce alludes to in his article, the traditional model for calculating risk in the security space is:
risk = threat x vulnerability x consequence

In my mind, “security” investment helps provide the mitigation necessary to reduce the vulnerability variable to a point where the risk value is acceptable.

Security countermeasures are a risk mitigation strategy.

Insurance is a little different: it helps offset the consequence variable.

But there is a similarity between “security” and “insurance” that I think most business people can understand.

They are both investments you are happy to pay, because they offset expected risk.
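A worked version of the two levers described above, added here as an illustration and not code from the post or from Schneier: a countermeasure shrinks the vulnerability term, insurance shrinks the consequence term, and each option is checked against Schneier’s “don’t spend more than the problem is worth” rule and against a risk appetite. All figures (attempts per year, success probability, loss, control cost, premium, appetite) are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """The post's model: risk = threat x vulnerability x consequence."""
    threat: float         # expected attack attempts per year (constructed figure)
    vulnerability: float  # probability that an attempt succeeds (0..1)
    consequence: float    # loss you bear per successful attempt, in dollars

    def annual_expected_loss(self) -> float:
        return self.threat * self.vulnerability * self.consequence


def apply_countermeasure(risk: Risk, effectiveness: float) -> Risk:
    """A security control works on the vulnerability term only."""
    return replace(risk, vulnerability=risk.vulnerability * (1 - effectiveness))


def apply_insurance(risk: Risk, covered_fraction: float) -> Risk:
    """Insurance leaves the vulnerability alone and offsets the consequence."""
    return replace(risk, consequence=risk.consequence * (1 - covered_fraction))


def worth_paying(before: Risk, after: Risk, annual_cost: float) -> bool:
    """Schneier's rule: do not spend more on a problem than the problem is worth."""
    return before.annual_expected_loss() - after.annual_expected_loss() >= annual_cost


def acceptable(risk: Risk, risk_appetite: float) -> bool:
    """The post's stopping condition: reduce risk until the value is acceptable."""
    return risk.annual_expected_loss() <= risk_appetite


def compare_options(base: Risk, appetite: float) -> dict:
    """Constructed scenario: a control alone, a policy alone, and both together."""
    hardened = apply_countermeasure(base, effectiveness=0.8)   # assumed $30k/yr
    insured = apply_insurance(base, covered_fraction=0.9)      # assumed $15k/yr premium
    both = apply_insurance(hardened, covered_fraction=0.9)     # $45k/yr for both
    options = {"countermeasure": (hardened, 30_000.0),
               "insurance": (insured, 15_000.0),
               "both": (both, 45_000.0)}
    return {name: {"expected_loss": r.annual_expected_loss(),
                   "worth_paying": worth_paying(base, r, cost),
                   "acceptable": acceptable(r, appetite)}
            for name, (r, cost) in options.items()}


if __name__ == "__main__":
    baseline = Risk(threat=20, vulnerability=0.05, consequence=100_000.0)
    for name, verdict in compare_options(baseline, appetite=15_000.0).items():
        print(name, verdict)
```

With these constructed numbers every option passes Schneier’s test, but only the options that touch the consequence term bring the residual risk under the chosen appetite, which is the distinction the analogy is making.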

I have health insurance, car insurance, term insurance, permanent insurance, disability insurance, and probably a host of others as a part of my compensation package.

I’m very happy to “throw this money away” because it offsets risk to the point that I’m happy.

If I died today, I know my fiance will be taken care of, financially. I don’t see a direct reduction in my expenses, or increase in bottom line revenue if the threat never materializes.

I think business investment in security products and services is similar.

We implement them to reduce the risk value to the point where we are satisfied.

I like the insurance analogy, and think that it is much more tactile for non-security folks.

Bill

Microsoft IE 8 InPrivate feature lacking

Tuesday, September 2nd, 2008

Security Fail

From ITWorld.com, “Privacy feature in Internet Explorer 8 leaks private data”:

Forensic experts however found it trivial to retrieve the history, according to a test by Webwereld, an IDG affiliate in the Netherlands, and Fox IT, a Dutch firm specializing in IT security and forensic research.

But researchers were able to retrieve data displaying general information about the browser’s behavior. Although URLs (Uniform Resource Locators) aren’t stored, Prickaerts was still able to restore the browsing history. “The remaining records in the history file still enable me to deduce which websites have been visited,” said Prickaerts.

Even more data is stored in the browser’s cache, a feature designed to speed up performance of websites by storing a copy of recently accessed information on a user’s hard disk. InPrivate Browsing failed to disable this feature. Users seeking a higher level of privacy could manually delete the cache, but it can later easily be retrieved through commonly available forensic tools.

The shortcomings in InPrivate Browsing put the level of privacy protection in Internet Explorer 8 on a par with Firefox 2 and 3. The open source browser allows users to delete all private data, but does that by merely deleting files. Those too can easily be retrieved. Developers have crafted plugins for Firefox which mitigate the risk of information leaks.

Microsoft’s main goal with InPrivate Browsing is to prevent other users of the same computer from gaining access to the browsing history, the company said in an e-mail response. The feature isn’t designed to protect a user’s privacy from security experts and forensic researchers, the company said.

I’ll give Microsoft the benefit of the doubt. They do have time to fix these issues before final release.

But really. Come on!

This isn’t rocket science.

Now, I’d be a little less disappointed if the forensic team got the information from memory swap space, or by having to apply cryogenic memory retrieval tactics. This would at least indicate that Microsoft tried.

But from the article, it seems that they retrieved the files right out of the browser’s default local storage.

Here’s what really chafes me…

Microsoft IE runs on Microsoft Windows. Microsoft Windows runs on the hardware.

Microsoft runs the entire system. Memory allocation, process scheduling, you name it.

How can it be that they fail to develop a simple tool that stores nothing on disk and keeps everything in memory?

This is Microsoft doing what Microsoft does best: 80%.

Bill

This week in Infosec - 2008-09-01

Monday, September 1st, 2008

A snapshot of what’s been talked about in the IT Security realm over the past week.

Who’s responsible for Cyber Sec?

Lots of talk lately over who’s responsible for Cyber Security - the government or the private sector.

I suspect that since this is an election year, everyone’s trying to position themselves to be in the best position to get the ear of the next administration.

A smattering of articles

Threats

BGP Vulnerable
Some articles about the BGP hack executed by Anton “Tony” Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, who showed their technique at DefCon.

Revealed: The Internet’s Biggest Security Hole

No one seems to be freaking out about this like they were with the DNS vulnerability discovered by Dan Kaminsky, but time will tell.

Perhaps it’s because you need a BGP router :)

Dan actually posted some good details on the threat:
The Emergence Of A Theme

Worth a read, start at the section titled: “Kapela and Pilosov’s BGP flaw”

Microsoft ActiveX
I didn’t even bother to read the bulletin on this one, but the vulnerability is another example of why we should focus on attack surface reduction…

Microsoft Windows Media Services “nskey.dll” ActiveX Control Remote Buffer Overflow

The description leads to perhaps the most useful piece of documentation from Microsoft:
How to stop an ActiveX control from running in Internet Explorer

Note: the article fails to mention how to uninstall the controls, which is the safest form of mitigation.

To be fair to Microsoft, there were a few other ActiveX vulnerabilities disclosed this week as well.

See you next week.

Bill