Wednesday, April 27, 2011

Join the Data Encryption Summit

Free Online Event on May 5th

The simultaneous increase in data volume and access endpoints has created a data security landscape clogged with data and riddled with uncertainty. Many security professionals are looking to encryption tools to protect sensitive personal and corporate data, but it can be challenging to implement effectively.

Register for the free online BrightTALK Data Encryption Summit to stay up-to-date on the latest best practices for using encryption to achieve maximum security through different products, solutions and use cases.

Sign up to attend the live, interactive webcasts on May 5, 2011, or view them afterward on demand here:
http://bit.ly/eh1Vmq

Presentations include:

"Encryption & the New Social Media”
Marc Sel, PwC Enterprise Advisory Services, Director of Information Protection

"Epic Battle: Compliance vs. Security”
Dr. Anton Chuvakin, Security Warrior Consulting; Rebecca Herold, Rebecca Herold & Associates; Boris Segalis, Information Law Group; Josh Corman, The 451 Group

"Social Media Security: Adoption, Adaptation and Adversaries”
Josh Corman, The 451 Group; Bradley Anstis, M86 Security; Daniel Peck, Barracuda Networks; Tom Eston, SecureState

"Protecting Corporate Assets: Best Practices for Data Encryption"
Sandra Gittlen, SLG Publishing; Winn Schwartau, Mobile Active Defense; Steve Orrin, Intel; Phil Hochmouth, IDC

"Using Encryption in a Safe Manner”
Jeff Reich, Director of Operations, Institute for Cyber Security, The University of Texas at San Antonio

"Encryption & Tokenisation: Friend or Foe?”
Gary Palgon, VP Product Management, nuBridges

You can view the full lineup and sign up to attend any or all presentations at
http://bit.ly/eh1Vmq.

This summit is part of the ongoing series of thought leadership events presented on BrightTALK™. I hope you are able to attend.

Tuesday, April 26, 2011

Pen Test Magazine - Publication from Hakin9 team

New Penetration Testing Magazine Released

A new magazine dedicated to professional penetration testers has been released. The magazine is subscription-based to ensure that you do not get 80 pages of advertising and only a few pages of content. It will focus on thorough coverage of the different aspects of security testing and penetration testing. A teaser issue is available for free.

PenTest Magazine, the only magazine devoted to penetration testing, is launched. It features articles by penetration testing specialists and enthusiasts, experts in vulnerability assessment and management. We cover all aspects of pen testing, from theory to practice, from methodologies and standards to tools and real-life solutions.

You can download the “Edition #zero” which is the teaser issue from pentestmag.com for free.

Regular issues will be available by monthly subscription – subscribe now and download the next issue in May!

Visit pentestmag.com.

Sunday, April 24, 2011

Cyber Threats To Critical Infrastructure Spike

80% of critical infrastructure companies faced large-scale DoS attacks

As cyber threats and vulnerabilities for critical infrastructure continue to rise, more than 40% of U.S.-based critical infrastructure companies still have no interaction with the federal government on cyber-defense matters, according to a survey of more than 200 critical infrastructure executives.

In 2010, according to the report, which was conducted on behalf of McAfee and the Center for Strategic and International Studies, 80% of critical infrastructure companies faced a large-scale denial of service attack, and almost 40% of respondents saw such attacks monthly.

However, the global survey found that, even as these attacks rise worldwide, the U.S. government lags significantly behind some other countries in working closely with industry on cybersecurity issues. Compared with 40% in the United States, only about 5% of Chinese executives, for example, said that they had not worked with their government on network security.

The deficits extend from the frequency of contact to the depth of that contact as well. In Japan, every company surveyed had been subject to a government audit of its security, whereas the share of companies in the United States subject to government audits hovered at close to 15%.

Thursday, April 21, 2011

Data Breaches: Inside the 2011 Verizon Report

Hackers targeting Smaller Targets & Security Gaps

The number of compromised records resulting from data breaches dropped dramatically in 2010, falling from 144 million in 2009 to just 4 million, according to Verizon's newly-released 2011 Data Breach Investigations Report.

The decrease, which reflects only the incidents across all industries that Verizon and its partners investigated -- not the entire universe of data breaches -- still reveals a promising trend, Verizon says. It builds on the drop in compromised records noted in 2008's report, when compromised records totaled 361 million.

The less promising trend: This year's report includes 761 data breaches, which is the highest caseload ever included in Verizon's 7-year-old annual report. That figure nearly matches the entire six-year total of 900 breaches logged from 2004 to 2009.

But the 2010 report does include more global information, which increased the number of breaches Verizon reviewed. Information provided by the National High Tech Crime Unit of the Netherlands Police Agency accounted for one-third of the cases reviewed in the report. And for the second consecutive year, the U.S. Secret Service also collaborated with Verizon, providing information about domestic breaches it has investigated.

Among some of the report's key findings:
  • Hacking, at 50 percent, and malware, at 49 percent, are the most prominent types of attack, with many incidents involving weak or stolen credentials and passwords;
  • Physical attacks, such as skimming at ATMs, pay-at-the-pump gas terminals and POS systems, for the first time rank among the three most common ways to steal information, comprising 29 percent of all investigated cases;
  • Outsiders are responsible for 92 percent of breaches, while the percentage of insider attacks dropped from 49 percent in 2009 to 16 percent in 2010.

Attacks Remain Easy

According to the report, 83 percent of the databases hit in 2010 were targets of opportunity; 92 percent of the attacks were classified as "not highly difficult."

"It is important to remember that data breaches can happen to any business, regardless of size or industry, or consumer," says Peter Tippett, Verizon's vice president of security and industry solutions. "A good offense remains the best defense. It is imperative to implement essential security measures broadly throughout your security infrastructure, whether that is a small home setup or an expansive enterprise infrastructure."

Some relevant statistics:
  • 86 percent of the year's breaches were discovered by third parties;
  • 97 percent were avoidable through simple or intermediate controls;
  • 89 percent of the corporate or organizational victims were not compliant with the Payment Card Industry Data Security Standard at the time of the hack.

"Unfortunately, breaching organizations still doesn't typically require highly sophisticated attacks," Verizon states in a summary of the report. "Most victims are a target of opportunity rather than choice, the majority of data is stolen from servers, victims usually don't know about their breach until a third party notifies them, and almost all breaches are avoidable [at least in hindsight] without difficult or expensive corrective action."

Top threats remain unchanged. Hacking and malware are to blame for increases in external threats, the report finds. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. And the percentage of breaches linked to physical attacks, such as card compromises at ATMs and POS devices, doubled from 2009 to 2010.

With the addition of 2010 data, the Verizon data breach series spans seven years and includes more than 1,700 breaches with more than 900 million compromised records.

Recommendations

Focus on Controls: Don't make the mistake of focusing only on high security in certain areas. Businesses are much better protected if they implement essential controls across their organizations;

Store Essential Data: Only store what you need and ensure data that must be stored is monitored and secured;

Limit Remote Access: Restrict access to specific IP addresses and networks, and ensure access to sensitive information, even within the network, is limited;

Audit and Monitor Users: Monitor users through pre-employment screening, limit user privileges and establish separate duties. Managers should provide direction and monitor employees, ensuring security policies and procedures are followed;

Watch Event Logs: Don't get bogged down by the minutia. Monitor and mine event logs for obvious anomalies. Reduce compromise-to-discovery time to days, rather than weeks;

Bolster Physical Security: Monitor every device that accepts payment cards, including ATMs and pay-at-the-pump gas terminals, for tampering and manipulation.

For more insight on the 2011 Verizon Data Breach Investigations Report, please see: Data Breaches: Inside the 2011 Verizon Report.

Wednesday, April 20, 2011

Do your security policies meet leading standards?

Get the free Security Policy checkup!

Information Shield’s free 15-Point Security Policy Checkup allows you to quickly assess your security policy program in 15 core areas against leading practices from standard frameworks including COBIT™, HIPAA, ISO 27002, PCI-DSS and NIST.

Get the Security Policy Checkup now: http://bit.ly/eE5I8Z

Sunday, April 17, 2011

Top Ten Inside Threats

How to prevent them? - Whitepaper

Insider theft and other malicious behavior are particularly difficult to detect and prevent because employees often have legitimate access to sensitive corporate data and tend to know the weaknesses in their organization's infrastructure. Over the course of hundreds of customer interactions, Prism Microsystems, a leading security information and event management (SIEM) vendor, has developed best practices for monitoring insider abuse.
This whitepaper discusses:
  • The top ten insider activities you have to monitor to make sure your employees are not violating security policy or opening up easy routes for insider abuse;
  • How implementing these recommendations is fast, cost effective and will help prevent costly insider hacks and data leakage from impacting your business.
Please refer here to download this whitepaper (registration required).

Saturday, April 16, 2011

Tips on Leveraging Social Media

Managing Risks of social media to the organization

Here are tips on leveraging social media while managing risk to the organization:
  • Create a framework—Research how individuals are using social media and use this information as input to define a corporate social media strategy, policy and training program.
  • Develop the strategy—Align the strategy with corporate objectives and obtain senior management approval. This should include outlining key channels, type of engagement, risks, communication and ongoing monitoring.
  • Minimize the risk—Identify controls to minimize unnecessary risk to the organization (i.e., brand, reputation, consumer confidence).
  • Training and awareness—Incorporate social media and security within the corporate security awareness and training program. Educate users on industry best practices for securely using these types of online environments.
  • Ongoing monitoring—Monitor ongoing exploits occurring in the social media environment. Provide a vehicle to determine and communicate ongoing risks and appropriate risk mitigation strategies.
For more guidance on social media, download a complimentary copy of ISACA’s social media white paper, Social Media: Business Benefits and Security, Governance and Assurance Perspectives.

Thursday, April 14, 2011

WordPress Hacked

Attackers Get Root Access

A hacker has gained access to WordPress.com servers and site source code was exposed including passwords/API keys for Twitter and Facebook accounts. From the official blog post: 'Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partner's code. Beyond that, however, it appears information disclosed was limited.'

Wednesday, April 13, 2011

How to secure mobile devices?

Safeguarding Critical Information In Today’s 24/7 Workplace

It has been written regularly in this group that security should be a business enabler but with iPads, SmartPhones and clouds enabling staff to access data from just about anywhere – where do you need to draw the line?

SC magazine have been doing some research with 500 CIOs into this very issue to establish how to secure staff across multiple access points without hampering productivity. They are addressing the findings and offering practical solutions in 2 webcasts going live this Tuesday and Thursday – you can see more details and sign up for both at http://www.scwebcasts.tv/ .

I have also listed some more information below for you to establish the relevance for your teams:

1. Safeguarding Critical Information In Today’s 24/7 Workplace

Goes live on 14th April at 3pm
Sign up for free @ http://www.scwebcasts.tv/

With access points and resultant breaches increasing all the time this webcast will offer ideas to ensure that only the right people gain entry to your critical information. Learnings relate to all platforms from clouds through to social networks and mobile devices to help you sleep easier.

Speakers for this live webcast include:
Mike Moir, Entrust Product Manager, Entrust
Special guest CIO to be confirmed

2. Are Mobile Attacks Undermining Your Business Security?

Goes live 12th April at 3pm
Secure your free place @ http://www.scwebcasts.tv/

This webcast will help you pinpoint specifically the relative vulnerabilities of each mobile device with the help of a recent ‘Top 3 iPhone Attacks’ case study. It will also shed vital light on the progress of international policies relating to data in transit to ensure you always stay on the right side of the law.

The experts featured include:
Tim Mathias, Director of Security, Thomson Reuters
Chris Wysopal, Co-founder and CTO, Veracode

I know thousands of you are now members of SC’s webcast community in which case you need only click attend on each of them at http://www.scwebcasts.tv/ to secure your free attendance. Otherwise you need only follow the one-off sign up process.

Do feel free to feed back to us on the content of these webcasts or with any ideas for the future. We hope that you find them useful.

Monday, April 11, 2011

Guidelines to keep your money safe

How to protect your money?

Your card, your PIN and other banking passwords are the key to accessing your money electronically. So it's important that you keep them secret. Following these guidelines will keep your money safe.

Protecting your card

- As soon as you receive your card, sign it on the back using a ball-point pen.
- Carry your card whenever you can, and regularly check that you still have your card.
- Never give your card to someone else, even friends or family.
- Remember to retrieve your card whenever you use it.
- Cut up any expired cards and dispose of the pieces securely.

Loss, theft and other fraud risks

You need to tell your bank immediately, if:

1) your card is lost or stolen,
2) someone else has used your card, or
3) you think someone has discovered your PIN or banking passwords.

If you don't, you may be held responsible for losses that occur as a result of you not telling your bank sooner.

Protecting your PIN or password

- Memorise your PIN or password straight away and destroy any bank letters or correspondence that it's included in.
- If you need to record your PIN or password somewhere, make sure it's disguised and kept well away from your card.
- If you select your own PIN or password, make sure you change it regularly, say every two years.
- Never tell anyone your PIN or password, not your friends, family or retailers.
- Never enter your PIN in an electronic banking terminal that looks suspicious, does not look genuine or looks like it has been modified.
- Make sure no-one watches you as you enter your PIN or password at an ATM, EFTPOS terminal, using Telephone Banking or Online Banking.
- If you do select your own PIN or password, don't choose something that is going to be easy to guess, for example: part of the number printed on your card, an old PIN or password, consecutive numbers, repeated numbers, a numeric pattern, your date of birth, phone number or driver's licence number.
- Tell your bank straight away if your PIN notification arrives damaged in the mail, if your PIN or password changes without you requesting it, or if a PIN or password you've requested or are expecting hasn't turned up.

Safe Usage

- Always check your account statements and contact your bank straight away if there are any transactions you don't recognise regardless of the amount.
- Be careful when providing your card details over the phone or internet.
- Always exercise caution when viewing emails claiming to be from your bank. Your bank would never ask you to click on a link in an email, nor would your bank ask for your account information or login details by email.
- Before travelling provide your bank with your travel itinerary so your bank doesn't unnecessarily interrupt your trip with security questions.
- When travelling, be aware of card security and keep your belongings safe at all times.
- Avoid using ATMs in poorly lit areas.
- Due to your bank security measures, you may experience a delay or inability to perform some transactions in some overseas locations. If this occurs, please contact your bank using the number on the reverse of your card.

Chargebacks

- If an unauthorised transaction or error has been made, in some cases your bank can charge it back to the merchant.
- In order for your bank to reverse the transaction, you need to report the transaction to your bank and provide them the details they need.
- You have 90 days from the date of the transaction to request a chargeback; otherwise your bank may not be able to reverse the transaction.

Saturday, April 9, 2011

Symantec reports Targeted Threats & Mobile Attacks increased in 2010

Symantec detected more than 286 million malware threats last year

In its annual Internet Security Threat Report, the company found that threats are more sophisticated and targeted. The report highlighted increasingly sophisticated attacks, the growth of networking sites as an attack vector, using Java to spread malware, an increase in rootkits and a shift toward smartphone attacks. Not only were there more threats in 2010, the threats were more sophisticated than before, according to Symantec’s annual Internet Security Threat Report, which the company released April 5. Automated attack kits targeting Websites accounted for two-thirds of all Web-based attacks.

The number of Web-based attacks grew 93 percent in 2010 from 2009. The most popular attack kit was Phoenix, which accounted for 39 percent of attacks observed by Symantec. NeoSploit and Nukesploit attack toolkits were also highlighted, with 18 percent of attacks each. The targeted attacks were effective and had a higher success rate since they allowed hackers to break into enterprises and spy on employees in order to gather information that can be used to tailor social engineering methods that could trick the users.

Malware highlighted in the report included Hydraq, a Trojan that compromised Google and other companies, and Stuxnet, a sophisticated piece of malware that damaged nuclear centrifuges in Iran. The report identified Facebook and Twitter users as being particularly vulnerable to social networking threats. Attackers successfully used social networks to distribute malware and other attacks because people were willing to trust messages they thought came from their friends on the platform.

Symantec estimated about 17 percent of links posted on Facebook were actually links to malicious software. URL shorteners were an effective way to drive users to malware sites. Of the malicious links found in users’ news feeds, 65 percent were malicious and about three-quarters of those links were clicked on at least 11 times. Attackers changed their infection tactics in 2010, targeting Java or other application vulnerabilities to compromise systems. Java accounted for 17 percent of vulnerabilities affecting browser plug-ins in 2010. Adobe Flash and Reader were heavily targeted and exploited in 2010.

The rise in Web-based threats and the increasing number of attack kits in use was also reported in HP DVLabs' report on April 4. HP also noted in its report that the toolkits were very affordable and easy to use. There were more attacks on mobile devices in 2010 as more people used them for mobile computing and Web surfing. Users are less security savvy about malware on mobile devices, and the report specifically called out Android users as being vulnerable. Apple's pre-vetting of mobile apps may have a lot to do with the iPhone being less targeted.

Most malware attacks targeting mobile devices were Trojans posing as legitimate apps in various app stores. There were 163 known vulnerabilities in mobile operating systems in 2010, up 42 percent compared to 115 in 2009. In many cases, the security flaws were exploited on Android smartphones to install harmful software. Criminals view mobile phone hacking as a potentially lucrative activity. Even though the number of attacks on mobile platforms remained small compared to other cyber-crimes such as phishing, the company expected these mobile attacks to increase in 2011.

The Symantec report also had a number of other interesting numbers. More than 260,000 identities were exposed per data breach in 2010, and the 286 million malware threats exploited 6,253 new vulnerabilities. Those threats were used in 3 billion attacks.

The report is based on data gathered from 240,000 points around the Web in more than 200 countries. More than 133 million systems use Symantec’s antivirus products, which also provide data used in the report.

Wednesday, April 6, 2011

'Tricked' RSA Worker Opened Backdoor to APT Attack

APT Presents New Attack Doctrine Built to Evade Existing Defenses

A well-crafted e-mail with the subject line "2011 Recruitment Plan" tricked an RSA employee into retrieving it from a junk-mail folder and opening a message containing a virus that led to a sophisticated attack on the company's information systems, a top technologist at the security vendor says in a blog.

An Excel spreadsheet attached to the e-mail contained a zero-day exploit for an Adobe Flash vulnerability, which Adobe has since patched, and that exploit led to the installation of a backdoor virus, writes Uri Rivner, head of new technologies, identity protection and verification at RSA, in a blog posted Friday.

RSA unveiled on March 17 that an attacker targeted its SecurID two-factor authentication product in what it termed an advanced persistent threat breach. An APT refers to sophisticated and clandestine means to gain continual, persistent intelligence on a group such as a nation or corporation. The RSA official says the attacker initially harvested access credentials from the compromised employee and performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and non-IT specific server administrators.

If the attacker thinks they can exist in the environment without being detected, they may continue in a stealth mode for a long while. If they think they run the risk of being detected, however, they move much faster and complete the third, and most 'noisy' stage of the attack. Since RSA detected this attack in progress, it is likely the attacker had to move very quickly to accomplish anything in this phase.

While RSA made it clear that certain information was extracted, it's interesting to note that the attack was detected in progress by its Computer Incident Response Team.

Tuesday, April 5, 2011

IBM report: computer hackers getting smarter

X-Force 2010 Trend and Risk Report from IBM

There is good news and bad news in this year’s X-Force 2010 Trend and Risk Report from IBM. The good news is that it seems that spam and phishing attacks are leveling off. Also, mobile devices have not been compromised in any big way, yet. The bad news is that IT security threats are getting increasingly sophisticated and targeted.

Based on intelligence gathered through research of public vulnerability disclosures, and the monitoring and analysis of more than 150,000 security events per second during every day of 2010, the IBM X-Force Research team found that more than 8,000 new IT security vulnerabilities were documented, a 27 percent rise from 2009. Public exploit releases were also up 21 percent from 2009 to 2010. This data points to an expanding threat landscape in which sophisticated attacks are being launched against increasingly complex computing environments.

There seems to be a declining interest in spamming

IBM reports that the historically high growth in spam volume leveled off by the end of 2010. This indicates that spammers may be seeing less value from increasing the volume of spam, and are instead focused on making sure it bypasses filters. Spam volumes peaked and then leveled off: in 2010, spam volumes increased dramatically, reaching their highest levels in history, but the growth in volume leveled off by the end of the year. In fact, by year's end, spammers seemed to go on vacation, with a 70 percent decline in traffic volumes occurring just before Christmas and volumes returning early in the new year.

There were significantly fewer mass phishing attacks relative to previous years, but there has been a rise in more targeted attack techniques

Although phishing attacks still occurred, the peak volume of phishing emails in 2010 was less than a quarter of the peak volumes in the previous two years. This may indicate a shift toward other, more profitable, attack methodologies such as botnets and ATM skimming. Despite this decline, “spear phishing,” a more targeted attack technique, grew in importance in 2010, as meticulously crafted emails with malicious attachments or links became one of the hallmarks of sophisticated attacks launched against enterprise networks. 2010 saw some of the most high profile, targeted attacks that the industry has ever witnessed. For example, the Stuxnet worm demonstrated that the risk of attacks against highly specialized industrial control systems is not just theoretical.

These types of attacks are indicative of the high level of organization and funding behind computer espionage and sabotage that continues to threaten a widening variety of public and private networks.

Trojan botnet activity increased during 2010

This growth is significant because, despite increasing coordinated efforts to shut down botnet activity, this threat appeared to be gaining momentum. However, IBM X-Force's data did illustrate the dramatic impact of a successful effort in early 2010 to shut down the Waledac botnet, which resulted in an instantaneous drop-off in observed command and control traffic. On the other hand, the Zeus botnet continued to evolve and constituted a significant portion of the botnet activity detected by IBM X-Force in 2010. Due to its extreme popularity with attackers, there are hundreds, or even thousands, of separate Zeus botnets active at any given time. The Zeus botnet malware is commonly used by attackers to steal banking information from infected computers.

Smartphones are still safe, but for how long?

In 2010, IBM X-Force documented increases in the volume of vulnerabilities disclosed in mobile devices as well as the disclosure of exploits that target them. The desire to "jailbreak" or "root" mobile devices has motivated the distribution of mature exploit code that has been reused in malicious attacks. However, overall, IBM X-Force concludes, attacks against the latest generation of mobile devices were not yet widely prevalent in 2010. Still, growing end user adoption of smartphones and other mobile devices is creating plenty more work for IT security departments, which are struggling to bring these devices safely into corporate networks. According to the report, best practices for mobile security are evolving with enhanced password management and data encryption capabilities.

Market will drive more cloud security

The IBM report also tackled the security issues posed by cloud computing for the first time. The report highlighted a shift in perception about cloud security, still considered an inhibitor to adoption. Cloud providers must earn their customers’ trust by “providing an infrastructure that is secure by design with purpose-built security capabilities that meet the needs of the specific applications moving into the cloud. As more sensitive workloads move into the cloud, the security capabilities will become more sophisticated.”

Over time, the report says, the market will drive the cloud to provide access to security capabilities and expertise that is more cost effective than in-house implementations. This may turn questions about cloud security on their head by making an interest in better security a driver for cloud adoption, rather than an inhibitor.

Sunday, April 3, 2011

Massive SQL injection attack

Mass Injection hits over 694,000 URLs

Hundreds of thousands of URLs have been compromised—at the time of writing, 694,000—in an enormous and indiscriminate SQL injection attack. The attack has modified text stored in databases, with the result that pages served up by the attacked systems include within each page one or more references to a particular JavaScript file.

The attack appears to be indiscriminate in its targets, with compromised machines running ASP, ASP.NET, ColdFusion, JSP, and PHP, and no doubt others. SQL injection attacks, which exploit badly-written Web applications to directly perform actions against databases, are largely independent of the technology used to develop the applications themselves: the programming errors that allow SQL injection can be made in virtually any language.

The underlying cause is a programmer trusting input that comes from a Web page—either a value from a form, or a parameter in a URL—and passing this input directly into the database. If the input is malformed in a particular way, the result is that the database will run code of the attacker's choosing. In this case, the injected SQL is simply updating text fields within the database, to make them include an extra fragment of HTML. This HTML in turn loads a JavaScript from a remote server, typically "http://lizamoon.com/ur.php" or more recently, "http://alisa-carter.com/ur.php." Both domain names resolve to the same IP address, and presently that server is not functional, leaving browsers unable to load the malicious script when they visit infected pages. Previously, it contained a simple script to redirect users to a fake anti-virus site.
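As an added illustration (not code from the article or from any affected site), here is the defect described above beside its parameterised form, plus a sweep of stored text for the injected ur.php loader, using Python's sqlite3 on a constructed table; the host name in the sample row is a placeholder, and the table name, column name and function names are my own.

```python
import re
import sqlite3

# Constructed sample table for the demo. Row 3 mimics the pattern the article
# describes: an extra HTML fragment appended to stored text that loads ur.php
# from a remote host. The host name is a placeholder, not one from the article.
SAMPLE_ROWS = [
    (1, "Welcome to our shop"),
    (2, "Contact us for details"),
    (3, 'Latest news</title><script src="http://placeholder.invalid/ur.php"></script>'),
]


def setup_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, page_id):
    """The defect the article describes: a value taken from a URL parameter is
    pasted straight into the SQL text, so whatever it contains becomes part of
    the statement instead of being treated as data. Kept only for contrast."""
    sql = "SELECT id FROM pages WHERE id = " + page_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, page_id):
    """Hardened form: the value travels to the driver separately from the SQL
    text, so it can never alter the statement's structure. Input that is not
    a valid id simply matches no row."""
    rows = conn.execute("SELECT id FROM pages WHERE id = ?", (page_id,))
    return [row[0] for row in rows]


# Signature of the injected fragment: a <script> tag whose src ends in ur.php,
# the file name the article says stayed constant while the domain changed.
INJECTED_SCRIPT = re.compile(
    r'<script[^>]+src=["\']?https?://[^"\'>\s]+/ur\.php', re.IGNORECASE
)

IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def find_injected_rows(conn, table, column):
    """Defensive sweep over one text column: return the rowids whose stored
    text carries the ur.php loader. Table and column names are identifiers,
    which bound parameters cannot express, so they are validated before use."""
    if not (IDENTIFIER.fullmatch(table) and IDENTIFIER.fullmatch(column)):
        raise ValueError("table and column must be plain SQL identifiers")
    hits = []
    for row_id, text in conn.execute(f'SELECT rowid, "{column}" FROM "{table}"'):
        if text and INJECTED_SCRIPT.search(text):
            hits.append(row_id)
    return hits


if __name__ == "__main__":
    db = setup_db()
    # The same attacker-shaped input changes the query in one case and is
    # compared as a harmless literal in the other.
    print("vulnerable:", lookup_vulnerable(db, "1 OR 1=1"))  # every row
    print("parameterised:", lookup_safe(db, "1 OR 1=1"))   # no rows
    print("rows carrying ur.php loader:", find_injected_rows(db, "pages", "body"))
```

The sweep only finds the loader pattern the article names; restoring clean content and closing the injection point in the application are separate steps.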

The massive scale of these attacks (and the rapidly growing number of affected URLs) was first noticed by Websense Security Labs. On Tuesday, around 28,000 URLs were compromised; now more than 20 times more URLs are infected, and the numbers are still growing. The injected code is also found on a number of product pages on Apple's iTunes Store. Apple fetches RSS feeds from podcasters that broadcast using iTunes, and in a number of cases these broadcasters have been compromised by the SQL injection attack. As a result, the malicious code has made its way into Apple's system.

However, due to the way Apple processes the RSS feeds, there appears to be no exploitation vector; the injected HTML is safely nullified. SQL injections following this pattern appear to have been happening off and on for six or more months now. The domain name hosting the JavaScript changes each time, but the file name—ur.php—and the style of injection remain consistent. The actions of the scripts have been similar too: pop-up windows and malware downloads. Previous efforts were on a much smaller scale, however: hundreds of compromised URLs instead of hundreds of thousands.
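Because the injection leaves a recognisable trace in stored text (a script tag pulling from a host that is not the site's own), an operator can sweep database text columns for it. The following is an added example, not code from the article or from Websense: it parses each stored fragment with the standard library HTML parser and flags script sources on unexpected hosts. The sample rows and the allowlisted host name are constructed for the demo; the injected tag in row 2 is modelled on the ur.php pattern described above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed rows standing in for (id, text_column) pairs read from the database.
SAMPLE_ROWS = [
    (1, "Normal description with <b>bold</b> text"),
    (2, 'Podcast notes</title><script src="http://lizamoon.com/ur.php"></script>'),
    (3, '<p>fine</p><script src="/static/app.js"></script>'),
]

# Assumed: the host(s) a site legitimately serves scripts from.
OWN_HOSTS = {"www.example-site.invalid"}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag in a fragment."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

def external_scripts(fragment: str, own_hosts=OWN_HOSTS) -> list:
    """Return script URLs in the fragment whose host is not one of our own.

    Relative sources (empty host) are treated as local and not flagged;
    protocol-relative //host/path sources still yield a host via urlsplit.
    """
    parser = ScriptSrcCollector()
    parser.feed(fragment)
    hits = []
    for src in parser.srcs:
        host = urlsplit(src).netloc.lower()
        if host and host not in own_hosts:
            hits.append(src)
    return hits

def sweep(rows, own_hosts=OWN_HOSTS) -> list:
    """Return (row_id, script_url) for every stored fragment loading a foreign script."""
    findings = []
    for row_id, text in rows:
        for src in external_scripts(text, own_hosts):
            findings.append((row_id, src))
    return findings

if __name__ == "__main__":
    for row_id, src in sweep(SAMPLE_ROWS):
        print(f"row {row_id}: foreign script {src}")
```

Parsing the tag rather than grepping for a literal domain matters here because the article notes that the hosting domain changed between campaigns while only the file name stayed the same; an allowlist of your own hosts catches the next domain too.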

In these earlier cases, the attacks originated from IP addresses in eastern Europe and Russia. It's been a busy week for SQL injection; at the weekend, MySQL.com, the website of Oracle-owned open source database MySQL, was hacked, again using SQL injection. A little embarrassing for a database vendor to be unable to use its own database securely.

Saturday, April 2, 2011

No news is bad news for two-factor logins

Assume SecurID is broken?

It's been a week since RSA dropped a vaguely worded bombshell on 30,000 customers that the soundness of the SecurID system they used to secure their corporate and governmental networks was compromised after hackers stole confidential information concerning the two-factor authentication product.

For seven days, reporters, researchers, and customers have called on RSA, and its parent corporation EMC, to specify what data was lifted – or at the very least to say if it included details that could allow government or corporate spies to predict the one-time passwords that SecurID tokens generate every 60 seconds. And for seven days, the company has resolutely refused to answer. Instead, RSA has parroted Security 101 how-tos about strong passwords, support-desk best practices, and the dangers of clicking on email attachments.

Officials from RSA and EMC have steadfastly refused to give yes or no answers to two questions that have profound consequences for the 40 million or so accounts that are protected by SecurID: Were the individual seed values used to generate a new pseudo-random number exposed and, similarly, was the mechanism that maps a token's serial number to its seed leaked?

Without the answers to those two basic questions, RSA customers can't make educated decisions about whether to continue relying on SecurID to prevent unauthorized logins to their sensitive networks. After all, if the breach on RSA's servers exposed the seeds and the mapping mechanism, SecurID customers have lost one of the factors offered by the two-factor authentication product.
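To make concrete why the two questions above matter, here is an added illustration (not RSA's code; SecurID's token algorithm is proprietary and is not reproduced here): an RFC 6238 TOTP generator with a 60-second step stands in for the token, and a constructed serial-number-to-seed table stands in for the mapping the article asks about. The serial, seed and PIN are made up for the example; the seed is the RFC 4226 test-vector secret so the codes can be checked against published values.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60  # the article's 60-second display interval
DIGITS = 6

# Constructed serial -> seed mapping. If both the seeds and this mapping leaked,
# anyone holding the table can compute what a given token is showing right now.
SEED_BY_SERIAL = {
    "000123456789": b"12345678901234567890",  # RFC 4226 test-vector secret
}
EXPECTED_PIN = {"000123456789": "1234"}      # constructed; the "something you know"

def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the counter is the number of whole steps since the epoch."""
    return hotp(seed, at_time // step)

def token_display(serial: str, at_time: int) -> str:
    """What the hardware token shows: a function of its seed and the clock only."""
    return totp(SEED_BY_SERIAL[serial], at_time)

def server_verify(serial: str, pin: str, tokencode: str, at_time: int) -> bool:
    """Two factors: the PIN (known) and the current tokencode (held).

    One step of clock drift either way is tolerated; comparisons are constant-time.
    """
    if not hmac.compare_digest(pin, EXPECTED_PIN.get(serial, "")):
        return False
    seed = SEED_BY_SERIAL[serial]
    counter = at_time // STEP_SECONDS
    return any(hmac.compare_digest(tokencode, hotp(seed, counter + d)) for d in (-1, 0, 1))

if __name__ == "__main__":
    now = int(time.time())
    serial = "000123456789"
    shown = token_display(serial, now)
    # Holding the seed table is enough to reproduce the display without the token,
    # so the login then rests entirely on the PIN.
    print("token shows:", shown)
    print("verify with PIN + predicted code:", server_verify(serial, "1234", shown, now))
    print("verify with wrong PIN:", server_verify(serial, "0000", shown, now))
```

The design point is in `token_display`: nothing about the physical token enters the computation except the seed, so whoever can look a seed up by serial number has the second factor, and the advisory's emphasis on stronger PINs follows directly.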

An RSA spokesman released an updated statement earlier this week that said in part: “Our investigation to date has revealed that the attack resulted in certain information being extracted from RSA’s systems. Even with this information being extracted, RSA SecurID technology continues to be an effective authentication solution for customers.” (Notice the statement didn't say “an effective two-factor authentication solution.”)

The statement went on to say that revealing additional details “could enable others to try to compromise our customers’ RSA SecurID implementations, so we are not disclosing further information.”

Translation: Yes, we were hacked, and yes, the hackers made off with confidential information that compromises the security of a product you've spent huge amounts of money on, but you'll just have to trust us that you're still safe.

In the wake of this information blackout, the prudent thing for customers to do is to assume that SecurID seeds have been lifted, and to also assume that the mechanism that maps a particular token's serial number to its individual seed has also been taken. That means if attackers can trick individual SecurID users into giving out the number printed on the back of their token, its two-factor protection has been broken. The same applies if a company's database of serial numbers is breached.

That assumption would be consistent with an advisory RSA sent to customers on Monday urging them to strengthen the personal identification numbers that are used along with a user ID and the one-time password, since the PIN would be the single factor of authentication left.

SecurID's two-factor authentication may not be broken, but until RSA comes clean and provides some yes or no answers to two simple questions, it's better to assume it is. The network security you preserve may be your own.