The massive security breach at TJX Companies Inc. that exposed more than 45 million customers to identity fraud is hitting the bottom line big-time, if the company's second-quarter earnings report is any indication.
The Framingham, Mass.-based retail giant acknowledged it has spent $256 million dealing with the breach, which was first disclosed in January. That's more than 10 times the $25 million figure TJX cited in May.
TJX said the expenses went into battening down its computer system and responding to a growing list of investigations and lawsuits against it.
According to TJX's latest earnings report, costs related to the data theft in the second quarter bit into TJX's profit by $118 million. Still, TJX said, strong sales continued during the same period, which it cited as proof that customers aren't walking away.
TJX has acknowledged that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network. The company gave a tally of the damage in a regulatory filing with the Securities and Exchange Commission (SEC) in March, and also acknowledged that another 455,000 customers who returned merchandise without receipts were robbed of their driver's license numbers and other personal information.
The attackers reportedly began their assault on TJX by exploiting Wi-Fi weaknesses at a Marshalls clothing store near St. Paul, Minn. Investigators believe the thieves aimed a telescope-shaped antenna at the store and used a laptop to snatch data transmitted between hand-held price-checking devices, cash registers and the store's computers. The exploit eventually led them into the central database of TJX, where they would repeatedly rob the system of sensitive customer data.
Friday, August 31, 2007
Latest Microsoft flaws affect Windows, IE, Excel
Microsoft released nine security updates Tuesday for flaws in Internet Explorer, Excel and other Microsoft software. Attackers could exploit the most serious flaws to hijack targeted machines and launch malicious code, the software giant warned.
Six updates address critical flaws, which Microsoft typically describes as those an attacker could exploit to take complete control of an affected system to install programs; view, change, or delete data; or create new accounts. The rest of this month's updates are rated important.
Amol Sarwate, manager of vulnerability research for Redwood Shores, Calif.-based security firm Qualys, said IT administrators should put the most urgency on deploying MS07-046, which fixes a flaw in how Windows' Graphics Rendering Engine handles specially crafted images.
Microsoft said an attacker could exploit the flaw by constructing a specially crafted image that could allow remote code execution if a user opened it as an email attachment, and that a successful attacker could take complete control of an affected system. All supported editions of Windows are affected except for Windows Server 2003 Service Pack 2 and Windows Vista.
"This is a flaw that affects the core of the Windows Graphics Library, so it should really be on the top of the list," he said, adding that IT shops should also patch the latest Internet Explorer and Excel flaws as soon as possible, since those programs are so widely used.
Sarwate said this month's security updates reflect a continuing trend toward more Web-centric vulnerabilities, with more cracks being discovered in image files, media players and browsers. Agreeing with him is Dave Marcus, security research and communications manager for McAfee Avert Labs.
"Many of the vulnerabilities addressed by Microsoft's fixes could be exploited if a Windows user simply visits a malicious Web site," he said in an emailed statement. "Microsoft's patches again underline the trend of malware writers seeking out the Web browser as a means of attack and reinforce the need of safe browsing habits."
In addition to MS07-046, the "critical" security updates are:
MS07-042, which fixes a flaw attackers could exploit by luring Internet Explorer users to a specially crafted Web page. Specifically, the vulnerability could be exploited by attacking Microsoft XML Core Services. The flaw affects all supported editions of Windows 2000, Windows XP, Windows Vista, Microsoft Office 2003, and the 2007 Microsoft Office System.
MS07-043, which fixes a flaw in Object Linking and Embedding (OLE) attackers could exploit to run malicious code on targeted machines. This flaw affects all supported editions of Windows 2000, Windows XP, Microsoft Office 2004 for Mac, and Visual Basic 6. "This security update addresses the vulnerability by adding a check on memory requests within OLE automation," Microsoft said in its advisory.
MS07-044, which fixes flaws in Microsoft Excel. Attackers could exploit the flaw to launch malicious code if a user opens a specially crafted Excel file, Microsoft said. The update is critical for supported editions of Microsoft Office 2000, and important for supported editions of Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2004 for Mac, and Excel Viewer 2003. Microsoft addressed the problem by modifying the way that the program handles specially crafted Excel files.
MS07-045, a cumulative update for Internet Explorer that fixes flaws attackers could exploit to launch malicious code when a user views a specially crafted Web page with the browser. "The security update addresses two vulnerabilities by setting the kill bit for ActiveX controls, and addresses a third vulnerability by modifying the way Internet Explorer handles certain strings in CSS files," Microsoft said.
MS07-050, which fixes a flaw in the Vector Markup Language (VML) implementation in Windows. "The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer," Microsoft said. The update affects supported releases of Internet Explorer 5.01, Internet Explorer 6, and Internet Explorer 7.
The "important" security updates are:
MS07-047, which fixes two flaws in Windows Media Player. "These vulnerabilities could allow code execution if a user viewed a specially crafted file in Windows Media Player," Microsoft said.
MS07-048, which fixes several Windows Gadgets flaws. "If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget, added a malicious contacts file in the Contacts Gadget or clicked on a malicious link in the Weather Gadget, an attacker could potentially run code on the system," Microsoft said.
MS07-049, which fixes a flaw in Microsoft Virtual PC and Microsoft Virtual Server that could allow a guest operating system user to run code on the host or on other guest operating systems. Microsoft noted that only guest operating system users who are granted administrative permissions to the guest operating system would be able to exploit this vulnerability. The update affects all supported releases of Microsoft Virtual PC 2004, Microsoft Virtual Server 2005, Microsoft Virtual Server 2005 R2, Microsoft Virtual PC for Mac Version 6.1, and Microsoft Virtual PC for Mac Version 7.
Inside MSRC: Microsoft releases searchable update database
Microsoft's Christopher Budd explains the software vendor's new Update Catalog, a searchable database of all Microsoft security updates, drivers, and service packs. Also a look at this month's updates.
For August 2007, we are releasing nine new security bulletins as part of our standard monthly bulletin release. In addition, we are re-releasing one security update from July 2007. Finally, we are releasing a security advisory to make you aware of a new update that can help improve your overall security.
To help you assess this month's release, I'll cover the re-release and the security advisory. I'll also cover the changes in functionality in two of this month's Critical new security updates as well.
First, I want to mention our detection and deployment tools so you are aware of the latest deadlines and new offerings.
SUS 1.0 Expiration
I want to explain the expiration of support for Software Update Services (SUS) 1.0 that I mentioned in last month's column.
Last month's bulletin release marked the end of support for SUS 1.0. This means that starting with this month's release, new updates, including security updates, will NOT be available through SUS 1.0. We hope that everyone has migrated to a supported version of Windows Server Update Services (WSUS): either WSUS 2.0 or the new WSUS 3.0. If you have not migrated, we encourage you to do so right away because your SUS 1.0 clients will not receive this month's security updates or any future security updates.
Microsoft Update Catalog
This new tool can help you deploy updates including security updates. The Microsoft Update Catalog is a searchable catalog of all security updates, drivers and service packs that are available through Windows Update (WU) and Microsoft Update (MU). You can also use the Microsoft Update Catalog to obtain and deploy hotfixes. You can use the Microsoft Update Catalog to distribute these updates through a corporate network using tools such as WSUS 3.0, System Center Essentials (SCE) or System Center Configuration Manager (SCCM).
The Microsoft Update Catalog expands the capabilities of your update deployment infrastructure and provides the capability to deploy hotfixes to address known issues in security updates when they occur. We encourage all who are using WSUS 3.0, SCE or SCCM to evaluate the Microsoft Update Catalog for their environment.
Expiration of Support for MBSA 1.2.1
I also want to remind you again of the upcoming expiration of support for Microsoft Baseline Security Analyzer (MBSA) 1.2.1 on Oct. 9, 2007. Once again, we encourage all customers to upgrade to MBSA 2.0.1, the latest version of MBSA.
Microsoft Security Advisory (932596)
We are releasing one security advisory today: Microsoft Security Advisory (932596). This is to make customers who run x64-based Windows operating systems aware of an update for Kernel Patch Protection.
This update adds additional checks to Kernel Patch Protection for increased reliability, performance and security. We periodically make updates to improve the security of Kernel Patch Protection. While this update does not address security vulnerabilities in Kernel Patch Protection, it contains changes that help improve security. So, we are releasing Microsoft Security Advisory (932596) to help customers who run x64-based Windows operating systems so they are aware of this update, and to encourage them to test and deploy it.
Re-Release of MS07-038
We are re-releasing MS07-038, the security update for the Windows Vista Firewall from July 2007. There are no changes to the update itself; the update as originally released protects against the vulnerability discussed in the bulletin. We've made changes to the installer for this update to address installation issues that a very small number of customers were experiencing. These are outlined in Microsoft Knowledge Base Article 935807. If you've already applied this update then you do not need to take any action. However, if you were experiencing the issues outlined in the article, you should go ahead and apply the updated version.
Severity ratings and killbits for Microsoft Internet Explorer Bulletin MS07-045
For the new security updates this month, I call your attention to information about this month's Microsoft Internet Explorer security update for your risk assessment and your testing and deployment.
Specifically, while this bulletin is rated as "Critical" for Internet Explorer 5.01 and Internet Explorer 6 on Windows XP Service Pack (SP) 2, it is rated as "Important" for Internet Explorer 7 on Windows XP SP2 and Windows Vista. Further, because of the Enhanced Security Configuration (ESC) on Windows Server 2003 SP1 and SP2, this is rated as "Moderate" for these platforms when running Internet Explorer 6 and "Low" when running Internet Explorer 7.
Next, in addition to addressing the security updates discussed in the bulletin, this month's IE update sets the killbit for a number of ActiveX controls:
ouactrl.ocx: a control that is out of support
The CAPICOM control addressed in Microsoft Security Bulletin MS07-028
The Download Manager ActiveX control, available from Akamai Technologies
An ActiveX control available from Lenovo
An ActiveX control available from Motive Incorporated.
Please see security bulletin MS07-045 for more information on these ActiveX controls.
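A kill bit is nothing more than a per-CLSID DWORD in the registry that Internet Explorer consults before instantiating a control, so an administrator can verify that a cumulative update such as MS07-045 actually landed, or block an additional control ahead of a vendor fix, with a few lines of PowerShell. The script below is an added example, not Microsoft's code and not part of the column. The registry path and the 0x400 flag value are the ones Microsoft documents for the kill-bit mechanism (KB 240797); the CLSID in the script is a placeholder, not one of the controls listed in MS07-045, and must be replaced with the CLSIDs from the bulletin before use.

```powershell
# Added example: audit and set the Internet Explorer ActiveX kill bit.
# Registry location and the 0x400 "kill bit" value are documented by Microsoft
# (KB 240797). The CLSID below is a PLACEHOLDER for illustration only.

$KillBitFlag = 0x400
$BasePath    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
# On 64-bit Windows the 32-bit browser reads the Wow6432Node hive instead;
# audit/set both when both architectures of IE are present.
$BasePath32  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBitStatus {
    # Returns $true only if the 0x400 bit is present in 'Compatibility Flags'.
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [string]$Root = $BasePath
    )
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -eq $KillBitFlag)
}

function Set-KillBit {
    # ORs 0x400 into the existing flags so other compatibility bits survive.
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [string]$Root = $BasePath
    )
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    $new = $existing -bor $KillBitFlag
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Placeholder CLSID; replace with the CLSIDs named in the bulletin.
$Clsids = @('{00000000-0000-0000-0000-000000000000}')

foreach ($c in $Clsids) {
    foreach ($root in @($BasePath, $BasePath32)) {
        if (-not (Test-Path (Split-Path $root))) { continue }   # hive absent on 32-bit OS
        if (Get-KillBitStatus -Clsid $c -Root $root) {
            Write-Output "$root\$c : kill bit set"
        } else {
            Write-Output "$root\$c : kill bit NOT set"
            # Uncomment to remediate (requires an elevated session):
            # Set-KillBit -Clsid $c -Root $root
        }
    }
}
```

Run the audit loop as-is from an elevated prompt to confirm a patched host; the kill bit takes effect for new browser sessions, so a control that is already loaded in a running IE instance is not unloaded by the change.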
Functionality changes for Windows Media Player Bulletin MS07-047
Next, for your testing and deployment, I wanted to make you aware of a change to functionality in this month's security update for Windows Media Player, MS07-047.
For more information about this change, please see Microsoft Knowledge Base Article 940893.
Conclusion
In closing, I want to encourage you to join me and Mike Reavey on Wednesday, Aug. 15, at 11 a.m. Pacific Time. Like we do each month, we'll review the bulletin in more depth and answer your questions with information from our subject matter experts. If you can't join us for the live webcast, don't forget that you can listen to it later on demand. You can register for the webcast here.
Be sure to mark your calendars for the September 2007 bulletin, which will release on Tuesday, Sept. 11th. I'll be joining you here again in September with information to help you plan and deploy the release for your environment.
Novell To Acquire Senforce For Endpoint Security
Novell today announced the acquisition of endpoint security vendor, Senforce Technologies Inc., in a deal that would integrate Senforce into an endpoint security suite.
Terms of the deal were not released. Novell and Senforce launched ZENworks Endpoint Security Management, during a recent partnership development. The endpoint software package was designed for corporate networks.
Draper, Utah-based Senforce was one of the early vendors developing network access control (NAC) technologies. Senforce, and a host of other smaller vendors, such as Elemental Security Inc., and Lockdown Networks Inc., have been competing with Microsoft, Juniper Networks Inc., McAfee Inc. and Cisco Systems Inc., to sell NAC systems. Each vendor configures NAC differently.
In recent years NAC has extended to securing the endpoint itself, with removable-device and wireless controls, application control, encryption, and personal firewalls.
Interest in deploying NAC is ultimately prompting vendors to make acquisitions to develop an endpoint security strategy, said Natalie Lambert, a senior analyst for Cambridge, Mass.-based Forrester Research Inc. Ultimately, NAC will fold into client management products and become the access control component driven by the policies defined in the client management suite, Lambert said.
"A lot of endpoint security functionality and tools are being handled by the operations group," Lambert said. "Customers are demanding this because they now have one set of staffers managing this area and they want single set of tools to be able to best manage their environments."
Prior to the acquisition, Novell shared a close partnership with Securewave for application device control. Securewave was acquired by Patchlink in June.
A lot of the major vendors have made acquisitions to bolster device security and data leakage protection when devices enter a corporate network. Symantec jumped in early, acquiring a number of multiple point solutions including Sygate in 2005. McAfee acquired Onigma and several other point solutions in 2006.
"This is really a move for [Novell] to become one of the players that can compete against Altiris and others," Lambert said. "This is something they should have done early and hopefully they've done early enough to be a competitor."
Altiris is a provider of IT service-oriented management software with an emphasis on network security management.
Senforce's ZENworks Endpoint Security Management software conducts automated encryption policy enforcement at the desktop, regardless of whether a user is on or off-line. The software also includes tools for removable device security, personal firewalls, wireless security and application control to secure the network.
"Combining Senforce's technology with Novell's existing systems and resource management solutions creates a new level of control and protection for our customers," Joe Wagner, senior vice president and general manager at Novell, said in a statement.
Apple iPhone To Provoke Complex Mobile Attacks, Expert Warns
Though mobile malware has been circulating for more than three years, Mikko Hypponen has seen no evidence of phones being targeted for the type of profit-motivated attacks PC users have suffered at the hands of botnets, rootkits and self-spreading worms. But he believes more sophisticated mobile phone attacks are coming, with the bad guys emboldened by the current craze over Apple's iPhone.
As director of antivirus research for Helsinki-based F-Secure Corp., Hypponen has been a leading voice on the dangers of mobile malware, repeatedly warning IT professionals to prepare for attacks where phone infections could be passed to company networks. He repeated those warnings Thursday at the Usenix Security Symposium in Boston, predicting that attackers will be inspired by the iPhone's popularity.
"The iPhone has really put the concept of smart phones on the table, especially in the United States," he said in an interview with SearchSecurity.com. "The amount of hype around the iPhone is pretty unbelievable, so it's a given that people will continue to play around with it and find ways around the security features of the phone. It's quite likely that we'll see iPhone malware sooner or later."
The security of the iPhone has been the topic of much debate in the information security community, and late last month a group of security researchers unveiled a couple of simple ways to take complete control of the iPhone. The results were the first real success researchers have had in trying to find ways to exploit the new device, which lacks many of the common user interfaces and inputs that hackers rely on for successful attacks.
Hypponen is among the legions of experts picking the phone apart in search of weaknesses. One of his more encouraging observations is that it'll probably be very difficult, if not impossible, to create iPhone malware that could be spread to other smart phones.
"It's probably unlikely because iPhone is such a closed device that runs its own operating system," he said. "We've seen a little over 370 different examples of malware running on smart phone platforms. Almost all of them target Symbian-based phones, because Symbian is by far the market leader, with over half the smart phones in the world running that operating system. Bluetooth is the most common vector of how malware jumps from one device to the other."
But while iPhone has Bluetooth, he said, the Bluetooth chip can't be used on the device for file transmissions. If there were self-spreading malware on iPhones, it would probably be spread by email, Hypponen said.
Even if one takes the iPhone out of the equation, he said it's only a matter of time before attackers launch more sophisticated attacks against smart phones in general. While there are currently no signs of botnets using mobile phones, for example, he said the threat might grow in the future because mobile phone processing power and mobile network connection speeds are growing. "I could see mobile phone botnets being used to send email spam or text messaging spam to other phones," he said.
Hypponen noted that there are about 3 billion mobile phones in circulation around the world, with tens of thousands of mobile malware infections reported thus far. The Cabir and Commwarrior malware is now afflicting phones in more than 30 countries.
"Cabir was the first, appearing in June 2004, and it's still spreading," he said.
In recent interviews, when asked how mobile malware could spread to desktops and corporate networks, he pointed to malware called SymbOS.Cardtrap as an example. It installs Windows malware on the infected phone's memory card and tries to fool users into investigating the phone problems with a PC and a memory card reader, making it possible for Windows malware to spread. Mobile devices provide a wider variety of communication methods than traditional PCs, and this could mean new ways to spread malware, he said.
To guard against mobile malware, he has recommended IT professionals use common sense and install security software on both their PCs and their smart phones. He also warns against accepting or installing software from untrusted sources, or swapping memory cards between phones.
Microsoft To Update Critical Windows, Office Flaws
Microsoft Corp. plans to hand customers nine security updates Tuesday, patching flaws in Windows, Office, IE, Virtual PC and XML Core Services. Six updates will address critical vulnerabilities attackers could exploit remotely to run malicious code on targeted machines.
Microsoft Windows, including Vista, will be among the software being updated, according to the security updates Microsoft announced on its TechNet site Thursday. Other fixes will target security holes in Microsoft Office, Internet Explorer, Visual Basic, Virtual PC and Virtual Server.
Microsoft typically describes critical flaws as those attackers could exploit to take complete control of an affected system to install programs; view, change, or delete data; or create new accounts.
Meanwhile, the software giant will release several non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS); and two non-security, high-priority updates for Windows on Windows Update (WU) and Software Update Services (SUS). And, as it does every month, the company will update its malicious software removal tool.
Last month, Microsoft released six security updates, three of which addressed critical flaws in Excel, Windows and the .NET Framework.
The exploits of August
While there's no indication this month will be more problematic for IT administrators than usual, there is a history of trouble following Microsoft's August patch releases.
Last year, the U.S. Department of Homeland Security, which rarely joins the post-Patch Tuesday stampede of warnings, issued a public advisory urging Windows users to install the MS06-040 security update as soon as possible because the Windows Server Services flaw addressed in the update was considered highly wormable. Within days of the patch release, attackers were targeting the flaw with malware in a bid to expand their IRC-controlled botnets.
Two years ago, security experts sounded the alarm following the Windows Plug and Play vulnerability, which Microsoft had patched in its MS05-039 security update. Attackers exploited the flaw a few days later with the Zotob worm.
And in July 2003, Microsoft released MS03-026 to patch the RPC-DCOM flaw. By early August, the Blaster worm was using the flaw to tear up cyberspace.
Some have theorized that August tends to be a bad month because attackers like to strike when a lot of IT professionals are on summer vacation. Others believe it's because hackers like to use Microsoft's August flaws to try out attack methods they picked up at the Black Hat and Defcon conferences, which are held each year at the beginning of August.
EMC's RSA To Acquire Tablus For Data Loss Prevention
RSA, EMC Corp.'s security division, on Thursday said it is acquiring privately held Tablus, a provider of data-loss prevention products and services. The financial terms of the deal were not disclosed.
Tablus, of San Mateo, Calif., is one of a number of small start-ups that have been angling for enterprise IT dollars in a small, but growing, niche of the security market.
EMC, of Hopkinton, Mass., said it plans to integrate Tablus' Content Sentinel and Content Alarm products with its RSA division's encryption and information management offerings. How exactly that integration will be handled remains to be seen, however.
The acquisition gives EMC a foothold in the emerging market for products that stop sensitive information from leaving corporate networks. The rash of stolen laptops, security breaches and lost backup tapes in the last few years has brought the task of securing such data to the forefront and made it a key issue for senior management as well as security professionals. (For more on the data storage implications of this announcement, please see "EMC buys Tablus for data classification and security" by Beth Pariseau on SearchStorage.com.)
High-profile incidents such as the theft of a hard drive belonging to the Veterans' Administration and this week's revelation that a laptop containing personal information on VeriSign Inc. employees was stolen from a car also have shown that the problem is not limited to small organizations or those without the budget to put proper controls in place.
Aside from the security aspects of the problem, one of the major stumbling blocks in putting a data-loss prevention product in place is classification of the company's data. Determining which data needs strict controls and which can be less closely watched is a time-consuming task and one that can be layered with inter-departmental battles. Tablus' products help with this classification and enable customers to identify sensitive intellectual property. The products also have the ability to monitor email and other network traffic and enforce policies relating to what content can go where.
Data-loss prevention products have gained in popularity in recent years, but the vendor landscape is still populated mainly by start-ups such as Vericept, Vontu, Reconnex and a handful of others. EMC is the first major IT vendor to get into the market. That is one of the things that made the Tablus deal attractive to RSA, officials said.
Consolidation in the market is inevitable, said Paul Stamp, a principal analyst with Cambridge, Mass.-based Forrester Research Inc. In December, WebSense started the trend by acquiring PortAuthority Technologies. Tablus was probably acquired at a bargain price since it doesn't have the market footprint that Vericept and Vontu have, Stamp said.
"This is not a technology that can stand on its own," Stamp said. "Tablus has really good technology but they haven't really captured the imagination of the enterprise."
Stamp said to look for larger security vendors to acquire or develop similar technology as part of an overall information lifecycle management suite as enterprises struggle to lock down systems and protect sensitive data.
"Data leakage is a symptom of companies not knowing where their data is and where it is going," Stamp said.
The data-loss prevention market "is growing to critical mass and beginning to be tracked and identified by analysts…though no large company has addressed this space yet," said Dennis Hoffman, vice president and chief strategy officer at RSA.
If history is any guide, the Tablus acquisition may start a run on similar deals in the next few months as other large IT providers look for a way in.
Mozilla To Extend Security In Major Firefox Update
The next major release of the popular Firefox browser will include a number of significant security upgrades designed to protect users from both attackers and from themselves.
The most visible changes will be the additions of new anti-phishing and anti-malware capabilities that are designed to prevent users from endangering themselves by visiting malicious sites. The phishing protection takes the form of a red icon in the address bar and an accompanying pop-up dialog box warning the user that the site he's visiting is a suspected phishing site. The user will have the option of closing the box and continuing on to the suspicious site or being redirected away from it, said Window Snyder, head of the security group at the Mozilla Foundation, which maintains Firefox. Snyder, along with Mike Shaver, director of ecosystem development and one of the founders of the Mozilla project, described the new security tools in a presentation at the Black Hat USA Briefings here last week.
The new anti-malware function in Firefox is much more aggressive than the anti-phishing tool. Instead of giving users the choice of visiting a suspected malicious site, when Firefox 3 encounters a site that is known or suspected of hosting malware, it will prevent the user from actually connecting to the site. It also will throw up a full-page warning that tells the user that the site is known to be an attack/malware-hosting site and Firefox is preventing the user from connecting to it. Firefox 3 also will allow users to report suspect sites that the browser doesn't yet recognize as being malicious.
Snyder and Shaver emphasized that Firefox 3 is still in development and it's not yet certain whether all of the currently planned features and tools will end up making it into the final version of the browser. But the clear motivation behind all of the security upgrades is making it as simple as possible for ordinary Web surfers to avoid unsafe content without having to become security experts.
"In the long term, we'd like to be known for making the Web a safer place," Shaver said.
That's an ambitious goal, to be sure, and it's one that a number of other organizations and companies are trying to help Mozilla achieve. The guts behind the new anti-phishing and anti-malware capabilities in Firefox 3 come from Google Inc.'s ongoing project to index all of the known or suspected malicious sites on the Internet.
True to its open-source roots, Mozilla uses a completely open development process, from tapping the development skills of contributors around the world to holding open conference calls on the status of various projects. Mozilla also uses a number of outside security firms, including Matasano Security, IO Active, Leviathan Security Group and iSEC Partners, to help evaluate various portions of the software.
Snyder, who helped develop Microsoft Corp.'s threat-modeling process when she worked at the Redmond, Wash., software maker, said Mozilla has adopted many of those practices as well, and also puts its software through code reviews and both manual and automated penetration tests. Although Mozilla has come under a bit of public scrutiny lately for the back-and-forth with Microsoft over the URI protocol-handling vulnerability, Snyder and Shaver both said the group remains committed to getting security fixes into the hands of users as quickly as possible once a problem is confirmed. And that goes for vulnerabilities that Mozilla finds internally, as well, Snyder said.
"The thing we've figured out that some other vendors seem not to have yet, is that just because something was discovered internally doesn't mean it's not known externally too," Snyder said. "If it's a fix and not a feature, it's something that should probably be shipped to everyone and not something you make them pay for."
Snyder also announced during the talk that Mozilla will be releasing a pair of fuzzing tools that the group has developed recently. The first, a JavaScript fuzzer, is available now on the group's Bugzilla site. Jesse Ruderman, a Mozilla developer who wrote the JavaScript tool, said he'd used it to find 280 bugs in Firefox, 27 of which were exploitable. The second new tool is a protocol fuzzer designed to find problems in FTP and HTTP, which was developed in conjunction with Matasano and Leviathan. It will be available later this year.
Cisco Warns Of Critical IOS Flaws
Cisco is warning customers about multiple vulnerabilities in its Cisco Internetwork Operating System (IOS) and IOS secure copy server, as well as its Unified Communications Manager, which could be exploited remotely by an attacker to conduct a denial of service or execute arbitrary code.
Cisco said multiple vulnerabilities occur in its IOS and Unified Communications Manager when handling malformed Session Initiation Protocol (SIP) packets. SIP is a standard protocol for initiating an interactive user session that involves multimedia elements such as video, voice, chat, gaming, and virtual reality.
Cisco said the router can be crashed by a malformed SIP message. A memory leak and memory corruption also can occur when processing a malformed SIP message, Cisco said in its advisory. Cisco IOS versions 12.0 through 12.4 are vulnerable and Cisco Unified Communications Manager versions 5.1 through 6.0 are vulnerable. Patches are being released.
In addition, the IOS is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Also, Cisco said its IOS secure copy server is prone to a remote security-bypass vulnerability.
Danish vulnerability clearinghouse Secunia rated the flaws "moderately critical." Symantec's DeepSight Threat Management System said Cisco customers can block external access at the network boundary, unless external parties require service, until the software is updated.
"If global access isn't needed, filter access to the affected device at the network boundary," Symantec said in its advisory. "Restricting access to only trusted computers and networks might greatly reduce the likelihood of exploitation."
Wi-Fi Simplicity Edging Out Wi-Fi Security
For years, enterprises were reluctant to adopt wireless LAN (Wi-Fi) technology because, they claimed, immature products and weak standards would expose their networks to any number of potential threats.
Today, Wi-Fi security standards and products have evolved to the point where businesses can ensure rock-solid security over the air and on wireless endpoints, but despite that accomplishment, industry analysts say the technology is being overlooked in favor of simplicity.
Michael Disabato, service director with Midvale, Utah-based research firm Burton Group, said he's found enterprises are adopting the simpler strategy of placing access points beyond the network perimeter and requiring all wireless users to gain network access via VPNs, instead of grappling with the advanced Wi-Fi security standards.
"People have been using IPsec and SSL VPNs forever and nobody has hacked them," Disabato said. "It's just that you've got to make sure all those access points are outside the firewall."
Standards development
In the early days of Wi-Fi technology, products relied on the security scheme called Wired Equivalent Privacy, or WEP, but it was soon obvious that hackers were able to bypass WEP as easily as punching through paper. In 2003, the Wi-Fi Protected Access (WPA) standard was developed to replace WEP, but adoption was slowed by the need for user authentication systems and legacy software and hardware that didn't automatically support the new standard.
The following year, another iteration called WPA2, or 802.11i, was introduced and included a next-generation encryption method called Advanced Encryption Standard (AES), but deeper interoperability problems became apparent when organizations learned access points would need hardware upgrades to function properly, while other existing equipment couldn't be upgraded at all.
While it may be tempting to assign blame, Disabato suggested the problem resulted from a disconnect between the engineers who developed the 802.11i standard and practitioners tasked with enforcing it.
"I don't think [the engineers] realized the pushback they were going to get," he said. "I don't think they thought about what the implementation ramifications were going to be when people saw all of the pieces that go into it."
Choosing sides
As it stands now, Disabato said 802.11i's many "moving pieces" have frustrated a number of network and security managers to the point where they've found Wi-Fi security easier to manage by treating all wireless devices like external, untrusted clients.
"It's a very complex protocol to get working," Disabato said, because it requires Extensible Authentication Protocol, a public key infrastructure, operating system support or supplicant software and wired LAN support for communication with a RADIUS server for authentication.
However, the easier approach isn't necessarily the recommended one. Jean Kaplan, research analyst with Framingham, Mass.-based research firm IDC, said that he doesn't believe that many organizations are using VPNs instead of 802.11i. He said it's not an approach companies should be undertaking as a matter of course.
Kaplan said while it's no surprise that organizations are falling back on the security methods they know and trust, the complexities of Wi-Fi security and radio-frequency (RF) management are such that IDC recommends utilizing the underlying strengths of today's Wi-Fi security protocols instead of VPNs.
Yet for that to happen, Disabato said the 802.1X authentication protocol -- used by 802.11i -- must be simplified, and that's unlikely.
Experts agree that any Wi-Fi security method is better than none at all, but inevitably it will be the market that decides which method works best. But even if some enterprises decide the answer may be VPNs, Disabato said the method does have its advantages. "At least if you're a user," he said, "you're going to get into the network the same way, no matter where you are."
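The pieces Disabato lists (EAP, a PKI, a supplicant, and a RADIUS server reachable over the wired LAN) all appear concretely in an 802.11i/WPA2-Enterprise deployment. The following is an added illustration, not part of the original article and not configuration from Burton Group or IDC: a minimal hostapd access-point configuration and the matching wpa_supplicant client block for EAP-TLS. The interface name, SSID, RADIUS address, shared secret, identity and certificate paths are placeholders.

```ini
# --- hostapd.conf (access point side); added example, placeholder values ---
interface=wlan0                        # placeholder radio interface
ssid=corp-wifi-example                 # placeholder SSID
hw_mode=g
channel=6

# WPA2 (RSN) only, AES-CCMP only: no WEP and no TKIP fallback
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP

# 802.1X: the AP does not check credentials itself; it relays EAP to a
# RADIUS server on the wired LAN (the "wired LAN support" in the article)
ieee8021x=1
auth_server_addr=192.0.2.10            # placeholder, RFC 5737 documentation range
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-shared-secret

# --- wpa_supplicant.conf (client/supplicant side); added example ---
# The client needs EAP-capable supplicant software plus a certificate
# issued by the organization's PKI; the CA certificate lets the client
# verify the RADIUS server before presenting its own credentials.
network={
    ssid="corp-wifi-example"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.com"                  # placeholder identity
    ca_cert="/etc/ssl/certs/corp-ca.pem"         # placeholder CA path
    client_cert="/etc/ssl/certs/user.pem"        # placeholder client cert
    private_key="/etc/ssl/private/user.key"      # placeholder private key
    pairwise=CCMP
    group=CCMP
}
```

Each line of the client block maps to one of the dependencies in the article: `eap=TLS` is the Extensible Authentication Protocol method, the three certificate paths are the PKI, `wpa_supplicant` itself is the supplicant software, and the `auth_server_*` keys on the AP side are the RADIUS link. Leaving `ca_cert` unset is the usual deployment mistake: the client would then hand its credentials to any access point announcing the same SSID.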
VeriSign Employee Data Exposed In Laptop Theft
A laptop housing the personal information of current and former VeriSign Inc. employees has been stolen, exposing them to potential identity fraud.
It is not known how many identities were exposed when the laptop was stolen from the car of a former employee last month. The Mountain View, Calif.-based company, whose product line includes security services and tools, said there's no indication of fraudulent activity thus far.
The vendor said it is taking the theft "very seriously" and that it started an investigation the moment the theft was discovered.
"The local police have said the theft may be tied to a series of neighborhood burglaries. We disabled any access by the employee's computer to the VeriSign network," VeriSign said in a public statement.
The company said the car was burglarized while parked in the employee's Northern California garage between the evening of Thursday, July 12, 2007 and the morning of Friday, July 13, 2007. The laptop may have contained such personal information as names, Social Security numbers, dates of birth, salary information, telephone numbers and home addresses. But it did not include credit card numbers, bank account numbers, or password information, nor did it contain any information on VeriSign customers, the company said. The vendor also noted that the employee responsible for the laptop has since left the company.
"We are contacting all individuals whose personal information may have been on the stolen laptop," the company statement continued. "We have no reason to believe that the thief or thieves acted with the intent to extract and use this information; the police have indicated that there may be a connection to a series of petty thefts in the neighborhood. The laptop was fully shut down and requires a username and password to log on to the Windows application. To our knowledge, the thieves do not have the password."
The incident may be especially embarrassing to VeriSign since it is known, among other things, for its security offerings. The company bills itself as the leading secure sockets layer (SSL) certificate authority enabling secure e-commerce and communications for Web sites, intranets, and extranets. It also owns the iDefense Security Intelligence Service.
The theft or loss of laptops with sensitive data has become all too common in the past year. The most notorious case involved the theft of a laptop and external hard drive containing personally identifiable information on 26.5 million veterans and active-duty military personnel.
The VA laptop was found approximately a month later and law enforcement officials believe that none of the sensitive data was even accessed by the thief. However, the VA's handling of the incident and slow response led to an internal investigation that resulted in a scathing report from the department's Office of the Inspector General.
IT pros impede PCI, Sarbanes Oxley compliance
Corporate IT professionals lack a critical understanding of risk and compliance issues and pose a barrier to collaborating on compliance initiatives with audit and compliance professionals, according to a study of 845 IT pros and audit and compliance managers conducted recently by the Ponemon Institute.
The study found that 65% of audit and compliance pros surveyed believe their IT counterparts lack the knowledge of risk and compliance issues to collaborate on identity and access management. In contrast, 42% of IT pros said audit and compliance managers lacked sufficient technical expertise to collaborate.
"I think what they're saying is that IT practitioners care about their effectiveness and making IT better, but they don't care about compliance the same way compliance and audit people care," said Larry Ponemon, founder and chairman of the Traverse City, Mich.-based Ponemon Institute. "It's definitely true that collaboration is an issue and creating problems for identity or access management, but not clear if both sides share a common view of why those problems exist."
Experts say a number of high-profile data breaches, such as the massive breach earlier this year at TJX Cos. Inc., are fueling spending on technologies that lock down data and monitor systems containing critical information. But technology alone won't solve the problem of data leakage, experts warn.
Collaboration between IT and compliance professionals, as well as sound security policies, is essential to keeping data locked down. Identity and access management is critical to compliance because it defines the process by which an organization grants end users access to systems containing critical data.
"A lot of people have the misconception that it's only technology, but it's also the control practices that an organization has in place," Ponemon said. "When people leave or move into new job functions, access rights change in conformance to what they are currently doing."
Ponemon said collaboration between IT and compliance and audit professionals is an important factor in reducing risk at an organization. IT pros also need to have the tools to assign access rights and change privileges when the organization changes. Compliance managers need to know whether access rights conform to the organization's policies and that the policy reduces the business risk, Ponemon said.
Meanwhile, an organization's business unit views identity and access control as a business need, he said. If end users can't access the systems they need to do their job, the business unit may step around IT and compliance managers by sharing a common password to bypass an access control system.
"I think IT people are coming to the realization that they have an important part to play in ensuring integrity and security of an organization," Ponemon said. "At the end of the day, IT has a lot of power but many times the business units have more control."
Both IT pros and compliance and risk managers agree that identity management and access control need to be addressed to comply with current regulations and avoid a high-profile data breach. According to the survey, 71% of compliance professionals believe identity and access management is "very important" or "important" for meeting compliance requirements within their organizations, versus 70% of IT professionals.
But audit and compliance professionals may not feel comfortable collaborating with IT pros, Ponemon said. According to the survey, only 23% of respondents said they should be involved in the monitoring of compliance and 5% said they should be involved in shaping policy.
"The IT practitioners are more likely to own the creation of identity policy and fixing of deficiencies," Ponemon said. "It's hard to gauge the mindset of audit and compliance people in general, but there is a significant technology component that they may not feel comfortable with."
In addition, the study found that IT and compliance pros don't agree on what rules and regulations are driving compliance initiatives. Sarbanes-Oxley and the Payment Card Industry Data Security Standard are ranked by compliance and audit professionals as the main drivers for spending on compliance projects in 2007. But IT professionals put much more weight on data breach laws and privacy laws, such as the Gramm-Leach-Bliley Act and state data breach notification laws, than compliance professionals do.
The Web survey was conducted independently by the Ponemon Institute and underwritten by identity and risk management vendor Sailpoint Technologies, based in Austin, Texas. Respondents averaged about eight years of experience in the audit or compliance field and more than three years of experience in the position they currently hold. About 50% of respondents said their job function or position is located within the corporate compliance department. About 22% said they report to the organization's chief financial officer, and 13% are located in the IT department.
Immunity Releases New Exploit-Writing Tool
Immunity Inc., a Miami-based company specializing in penetration testing technology, has released a new tool to quicken the process of writing exploits, analyzing malware and reverse engineering binary files.
The organization unveiled Debugger at the Defcon conference in Las Vegas Friday. Immunity claims Debugger will help researchers and penetration testers cut their exploit-making time in half, with "simple, understandable interfaces [and] a robust and powerful scripting language for automating intelligent debugging."
The company also claims the tool has better connectivity to fuzzers and exploit development tools.
"It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility," Immunity said on its Web site.
The Immunity team said in an online statement that the main objective in developing Debugger was to "combine the best of the command line-based and GUI-based debugger worlds."
Early reaction appears positive for Debugger, which can be downloaded from the Immunity Web site for free.
"Some are trying [Immunity Debugger] one out as it seems to take the best of command line interfaces as well as the GUI ones and combined it into one package," Scott Fendley, a handler with the Bethesda, Md.-based SANS Internet Storm Center (ISC), wrote in an ISC Web site entry on debugging technology.
For those looking to test different debugging tools against Debugger, Fendley suggested IDA Pro from DataRescue and OllyDbg, shareware some analysts say is easier to use than other tools.
Black Hat 2007: Estonian Attacks Were A Cyber Riot, Not Warfare
Security researcher Gadi Evron helped investigate massive cyberattacks that sent the Web-dependent nation of Estonia reeling last April. While plenty of questions remain as to what happened and why, he's confident the culprit was not the Russian government as many assumed from the outset.
Instead, it was a mob riot in the streets of cyberspace, sparked by anger over the Estonian government's decision to move a revered WW II memorial from the Soviet era, Evron, a security evangelist with McLean, Va.-based Beyond Security, told attendees at the Black Hat USA 2007 Briefings Thursday.
He said the good news is that Estonia's CERT (Computer Emergency Response Team) and IT professionals from the private sector were well-coordinated and the Baltic nation quickly bounced back following the incident. The bad news is that cyber riots like this will probably happen more in the future, engineered by people in command of botnets and inspired by what happened in Estonia.
"The Estonians held the line, practiced online mob control and focused on getting things back up and running," Evron said. "[But] the concept of an online mob has proven itself and this will likely receive more attention in the future."
While the attacks hardly broke records in terms of size or sophistication, Evron said they still managed to cause serious short-term disruptions in Estonia, a nation of 1.3 million people that has become almost entirely dependent on the Internet. He noted that the country built its infrastructure from scratch after the collapse of the Soviet Union, with the Internet forming much of the backbone. Almost 100% of its citizens conduct their banking online, and everyone has an ID card with a PKI (public key infrastructure) chip embedded inside. Elections also take place online, with voters casting their ballots from home.
Soon after the attacks began Saturday, April 27, people were unable to buy such essentials as gas and groceries, Evron said, since credit card transactions couldn't be completed.
"Critical infrastructure proved to be [IT systems] in the private and business sectors, not things like transportation and energy," he said. "ISPs, banks and media Web sites became critical items that had to be protected."
The attackers and defenders acted in an ad hoc manner, Evron said. On the Estonian side, citizens volunteered to comb through network activity logs. Conversely, one person enraged by the relocation of the WW II statue made an online request for donations to a PayPal account for the purpose of hiring a botnet to launch attacks. In the same message thread, someone volunteered two of his botnets. In the final analysis, Evron said, the attackers used botnets the way rioters in the street might use rocks and bottles.
And though the Estonians probably weren't as prepared as they should have been, Evron pointed to the controlled, coordinated response as an example from which other governments and private sector entities can learn.
Rather than trying to respond to every individual attack, the first responders made bringing systems back online their top priority, focusing on the targets instead of the source of attack. Technical analysis was limited to cases where a difference could be made, Evron said.
He praised the Estonian CERT for staying on top of events and coordinating well with the private sector. Of course, he added, in a small, tightly knit nation, a successful comeback was easier than it might have been had the attacks been directed at the United States or another large country.
"Estonia is unique," Evron said. "Everyone knows each other and the country's online presence is concentrated. There's a networking of small groups with less bureaucracy, and it worked for them."
As noteworthy as the Estonian attacks were, Evron said their significance has been overblown in the media, with more FUD than warranted. He said he gets irritated when someone describes the attacks as "the first Internet war."
He said, "What happened in Estonia has happened many times over. The techniques were not new."
Black Hat 2007: For Financial Firms, Availability Too Often Trumps Security
Financial services organizations are considered to be on the bleeding edge of information technology, but the industry's widespread use of transaction protocols with little built-in security could soon leave deep scars across the market.
In a presentation Thursday at Black Hat 2007, researchers with Matasano Security lifted the shroud on some of the popular exchange protocols and found a shocking lack of security baked in. For many financial services firms, the overwhelming pressure to keep trading applications available, coupled with the fact that most of their communications run over private networks, has nudged security to the back of the development line.
"When you look at the priorities around trading protocols, performance and availability are the most important parts. The faster they can communicate, the better they can capitalize on situations," said Dave Goldsmith, president of New York-based Matasano and a founding member of vaunted consultancy @Stake.
"With automated trading, microseconds do count," he said. "Any kind of security that introduces latency is going to be frowned upon in these systems."
Security with many of these protocols relies on insider trust, familiar security mechanisms like firewalls, and segregating communication over private networks. And within the financial services realm, this makes sense.
"As a pen-tester, we're concerned with traditional systems about how we can get root [access]. When we found availability issues, we'd get their eye faster than when we found confidentiality issues," Goldsmith said. "The system must stay up and running. A bad trade will be caught, but if a server goes down, it costs them money."
Goldsmith and his partner, Matasano's Jeremy Rausch, dove into the Financial Information Exchange (FIX) protocol, one of the most transparent protocols used today -- FIX specifications are available online for anyone to review.
FIX runs over TCP and defines both a session (messaging) layer and an application layer. It also specifies how transactions can be carried over other transports, such as Web services over HTTP, message queuing (MQ) or multicast UDP. Security, however, is never addressed among the thousands of pages that make up the specification.
Compounding the problem is the fact that while transactions run on a dedicated line, once they're inside an internal network, there's nothing preventing them from traversing other network segments where a transaction could be exposed.
Worse still, increasing awareness regarding FIX's security shortcomings is a challenge because unless an IT professional happens to be intimate with FIX -- or other financial protocols like QIX, OUCH, OTTO, RASHport, DROP, CTCI or ITCH -- it's unlikely that he or she would find much information about it.
One thing working in the financial industry's favor is that exploits haven't been publicly reported, but as Goldsmith pointed out, successful attacks on financial systems likely wouldn't be publicized.
"There isn't a lot of public information about what people should do, and there's good reason for that," Goldsmith said. "This has generally been between people who have been trading together since before computers. It's challenging because as more and more people are developing FIX applications, more people run the risk of getting it wrong."
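What "no security baked in" means in practice is easiest to see in the FIX framing itself. The following is an added example written for this page, not Matasano's code and not a FIX engine: it builds and parses a tag=value message with the two integrity fields the specification does define, BodyLength (tag 9) and CheckSum (tag 10), and then shows that an attacker on any segment the session traverses can rewrite a field and re-frame the message, because neither field is keyed. The order, CompIDs and symbol are constructed; the on-path position of the attacker is the assumption the article's network-segment point describes.

```python
"""FIX tag=value framing: what the spec checks (BodyLength, CheckSum) and what it does not.

Added example for this write-up, not Matasano's code and not a FIX engine.
The order below is constructed; CompIDs and symbol are made up.
"""
from typing import List, Tuple

SOH = "\x01"                       # FIX field delimiter
Fields = List[Tuple[int, str]]


def fix_checksum(raw: str) -> str:
    """CheckSum (tag 10): byte sum of the message through the SOH before "10=", mod 256, 3 digits."""
    return f"{sum(raw.encode('ascii')) % 256:03d}"


def build_fix(body: Fields, begin_string: str = "FIX.4.2") -> str:
    """Frame a body (ordered pairs starting with 35=MsgType) with tags 8, 9 and 10."""
    body_str = "".join(f"{tag}={value}{SOH}" for tag, value in body)
    raw = f"8={begin_string}{SOH}9={len(body_str.encode('ascii'))}{SOH}{body_str}"
    return raw + f"10={fix_checksum(raw)}{SOH}"


def parse_fix(raw: str) -> Fields:
    """Split into ordered (tag, value) pairs and verify the two framing fields the spec defines."""
    if not raw.endswith(SOH):
        raise ValueError("FIX message must end with SOH")
    pairs = [(int(t), v) for t, v in (f.split("=", 1) for f in raw[:-1].split(SOH))]
    tags = dict(pairs)
    body_start = raw.index(SOH, raw.index(SOH) + 1) + 1   # byte after "9=...<SOH>"
    trailer = raw.rfind(SOH + "10=") + 1                   # first byte of "10="
    if trailer - body_start != int(tags[9]):
        raise ValueError("BodyLength mismatch")
    if fix_checksum(raw[:trailer]) != tags[10]:
        raise ValueError("CheckSum mismatch")
    return pairs


def tamper(raw: str, tag: int, new_value: str) -> str:
    """What an on-path attacker on a shared network segment can do: change a field, re-frame.

    BodyLength and CheckSum detect line noise, not an adversary: neither is keyed,
    so the receiver's framing checks pass on the rewritten order."""
    body = [(t, new_value if t == tag else v) for t, v in parse_fix(raw) if t not in (8, 9, 10)]
    return build_fix(body)


# Constructed NewOrderSingle (35=D): buy 100 IBM at market.
SAMPLE_ORDER = build_fix([
    (35, "D"), (49, "BUYSIDE"), (56, "BROKER"), (34, "2"), (52, "20070802-14:30:00"),
    (11, "ORD1"), (55, "IBM"), (54, "1"), (38, "100"), (40, "1"),
])

if __name__ == "__main__":
    forged = tamper(SAMPLE_ORDER, 38, "100000")
    print(dict(parse_fix(forged))[38])   # -> 100000, accepted with intact framing
```

The point of the tamper step is that a flipped byte is caught (the CheckSum fails) while a deliberate rewrite is not; only a transport-level control such as a mutually authenticated TLS or IPsec tunnel, or a keyed MAC layered on by the counterparties, gives the receiver something an attacker cannot recompute.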
Discovery Of Malware Cesspool Triggers Attack Fears
Security researchers at Tokyo-based antivirus vendor Trend Micro reported finding a Russian Web server hosting about 400 malicious programs, as well as several Italian Web sites linked to the server.
According to Trend Micro, the discovery could set the stage for a large-scale attack.
In a blog entry Thursday, researchers said most of the malware on the Russian server appears to consist of copies of the same few programs, but among them were three distinct groups typically used to display pornographic Web sites in a victim's browser.
Meanwhile, Trend Micro Senior Software Engineer Feike Hacquebord reported "Italian-like" Web sites containing IFRAMES that point to the Russian Web server. These sites apparently reside in a hosting facility in Germany, with registration data pointing to an email contact hosted in Russia, researchers wrote.
"Looking at these massive samples of malware, we can't help but think that there's something brewing in Russia," researchers wrote. "We have just seen these cybercriminals pull the Italian Job recently. Are we now seeing a Russian Uprising coming our way?"
Last month, a cyberattack infected thousands of Web sites, most of them Italian.
Trend said it's monitoring the current situation, and has blocked the malicious Web sites. It is also adding patterns to ward off new malware found on the Russian server.
Black Hat 2007: Vista Users Urged To Beware Of IPv6
Vista users would be wise to turn off the Teredo IP tunneling system that is enabled by default in Microsoft's newest operating system, since attackers may be able to exploit it for phishing, pharming and other mischief. James Hoagland, principal security researcher for Symantec Corp., issued that warning Thursday during a presentation at the Black Hat 2007 conference.
Hoagland -- along with fellow researchers Matt Conover, Tim Newsham and Ollie Whitehouse -- conducted an extensive analysis of Vista. They found that while Microsoft has significantly improved security in the latest version of Windows, new vulnerabilities were likely created in the process.
Hoagland said the best example may be Vista's default enabling of Teredo. The software giant has embraced Teredo as a way to help users transition from IPv4, the long-standing protocol that is quickly running short on IP address space, to IPv6, a more advanced protocol that vastly increases the number of IP addresses available to networked devices.
He said Microsoft loves IPv6 because, among other things, it eases the process of setting up peer-to-peer (P2P) gaming programs. But on the down side, IPv6 can also double Vista's possible attack surface -- at least until IPv4 is eliminated. Furthermore, many network security controls may not be ready for IPv6.
Hoagland noted that the Cupertino, Calif.-based Symantec has already discovered one Teredo/IPv6-related flaw in Vista, which Microsoft patched in the MS07-038 security update released last month. According to the researchers, the Teredo interface in Vista was not properly handling certain network traffic, allowing remote attackers to bypass firewall-blocking rules and obtain sensitive information via crafted IPv6 traffic.
"There are some serious security implications with Teredo," Hoagland said. "This includes the potential for unexpected host accessibility, phishing and pharming threats and possible peer address disclosure."
Attackers could also exploit Vista's implementation of Teredo to bypass such network security controls as firewalls and intrusion detection-prevention (IDS/IPS) systems. To correct this, Hoagland said security tools need to be reprogrammed so they are specifically aware of Teredo.
"Because it can be so difficult to inspect Teredo, a consensus has been reached [in the information security community] that Teredo should not be used in managed networks," Hoagland said.
To be fair, he said, there are some positives with Teredo. It mandates a number of packet sanity checks, which can prevent a number of attacks, and the protocol includes some decent anti-spoofing mechanisms. But for Hoagland, that's not much of a silver lining.
"Disable Teredo and block it on the network," Hoagland instructed, "upgrade your security controls and beware of Teredo tunneling through your network."
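Hoagland's "peer address disclosure" warning and his call for Teredo-aware controls both follow from the address format RFC 4380 defines, which the article does not spell out. The following is an added example written for this page, not Symantec's or Microsoft's code: it decodes the Teredo server, the cone-NAT flag and the client's external IPv4 address and UDP port that every Teredo address carries, builds such an address for a given client, and shows the two checks a flow-level sensor needs (the UDP 3544 server port, and the 2001::/32 prefix in the inner IPv6 header, which is the only way to catch client-to-client traffic on NAT-mapped ports). The sample address is the RFC 4380 documentation example; the flow records are constructed.

```python
"""Teredo (RFC 4380) address decoding and flow classification.

Added example for this write-up; it is not Symantec's or Microsoft's code.
The sample address is the RFC 4380 example; the flow records are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # 2001:0000::/32, reserved for Teredo
TEREDO_SERVER_PORT = 3544                           # UDP port Teredo clients use to reach servers


@dataclass(frozen=True)
class TeredoPeer:
    server: str        # Teredo server IPv4 (bits 32-63)
    cone_nat: bool     # cone flag, high bit of the flags field (bits 64-79)
    client_ip: str     # client's NAT external IPv4, stored XOR 0xFFFFFFFF (bits 96-127)
    client_port: int   # client's NAT external UDP port, stored XOR 0xFFFF (bits 80-95)


def decode_teredo(addr: str) -> Optional[TeredoPeer]:
    """Recover the peer's public IPv4:port from a Teredo address; None if not Teredo.

    This is the "peer address disclosure" from the talk: anyone who sees the IPv6
    address learns the NAT's external address and the mapped port."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    b = ip.packed
    server = ipaddress.IPv4Address(b[4:8])
    flags = int.from_bytes(b[8:10], "big")
    port = int.from_bytes(b[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(int.from_bytes(b[12:16], "big") ^ 0xFFFFFFFF)
    return TeredoPeer(str(server), bool(flags & 0x8000), str(client), port)


def encode_teredo(server: str, client_ip: str, client_port: int, cone_nat: bool = False) -> str:
    """Build the Teredo address a client behind NAT client_ip:client_port gets from server."""
    flags = 0x8000 if cone_nat else 0
    raw = (b"\x20\x01\x00\x00"
           + ipaddress.IPv4Address(server).packed
           + flags.to_bytes(2, "big")
           + (client_port ^ 0xFFFF).to_bytes(2, "big")
           + (int(ipaddress.IPv4Address(client_ip)) ^ 0xFFFFFFFF).to_bytes(4, "big"))
    return str(ipaddress.IPv6Address(raw))


def classify_flow(flow: Dict) -> Optional[str]:
    """Say why a flow record looks like Teredo, or None.

    Client-to-server traffic (qualification, bubbles) is easy: UDP to 3544.
    Client-to-client traffic goes straight to the peer's NAT-mapped port, so a
    sensor that only matches the port misses it and must look at the inner
    IPv6 header; the 2001::/32 endpoints there give the tunnel away."""
    if flow.get("proto") == "udp" and TEREDO_SERVER_PORT in (flow.get("sport"), flow.get("dport")):
        return "udp/3544: Teredo client-to-server traffic"
    for key in ("src6", "dst6"):
        if key in flow:
            peer = decode_teredo(flow[key])
            if peer:
                return (f"{key} in 2001::/32: Teredo peer behind {peer.client_ip}:{peer.client_port}"
                        f" via server {peer.server}")
    return None


# Constructed flow records: (1) a client reaching its server, (2) tunneled IPv6 between two
# Teredo clients on NAT-mapped ports, (3) ordinary HTTPS that must not be flagged.
RFC_EXAMPLE = "2001:0000:4136:e378:8000:63bf:3fff:fdd2"   # client 192.0.2.45:40000 via 65.54.227.120
SAMPLE_FLOWS: List[Dict] = [
    {"proto": "udp", "src": "203.0.113.7", "sport": 51234, "dst": "198.51.100.9", "dport": 3544},
    {"proto": "udp", "src": "192.0.2.45", "sport": 40000, "dst": "203.0.113.7", "dport": 51234,
     "src6": RFC_EXAMPLE, "dst6": encode_teredo("198.51.100.9", "203.0.113.7", 51234)},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40123, "dst": "198.51.100.9", "dport": 443},
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(classify_flow(flow))
```

On the host, Hoagland's first instruction corresponds to `netsh interface teredo set state disabled` on Vista; on the network, blocking outbound UDP to port 3544 stops clients from qualifying with a server, but a sensor that wants to see already-established tunnels has to decapsulate the IPv4/UDP carrier and apply the prefix check above.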
Black Hat 2007: Researchers Demonstrate Webmail, Social Networking Flaws
Researchers at Errata Security have developed tools that sniff out users of Web-based email and social-networking sites over Wi-Fi and hijack their sessions.
Users of Google's Gmail, Microsoft's Hotmail and Yahoo Mail are at risk, as are users of Facebook and other Web 2.0 social-networking sites, said Robert Graham, a security researcher and CEO of Errata Security. Software-as-a-service (SaaS) offerings such as Salesforce.com are also at risk, Graham said.
"Web 2.0 is fundamentally broken," Graham said. "Using the tools it's easy to hijack other people's credentials. It's a fundamental flaw in Web 2.0."
Two tools, created by Graham and David Maynor, chief technology officer of Errata, are called Hamster and Ferret. They work in tandem over Wi-Fi to sniff out URLs and cookies, then store and translate that information so the attacker can open a Web-based email session as the victim without detection.
The sniffer detects the cookie data being transferred between a wireless router and a computer. Cookies are used for authenticating a user and can last for several years, allowing an attacker to sniff out the information and store it for future use, Graham said.
Graham demonstrated the tools during a session at Black Hat 2007, sniffing the URLs of attendees until he found a Gmail user and quickly opened that person's session. Although the tools are still in their early stages of development (they lack an easy-to-use installer and are buggy), Graham said he plans to post them on his Web site for free download.
The Black Hat session was called "Simple Solutions to Complex Problems, from the Lazy Hacker's Handbook." The technique is a lazy way to hack, Graham said, since a hacker could sit at a hotspot and easily hijack sessions.
While a hacker can browse through a person's email and change some settings, the hacker cannot change a password, because many Web 2.0 applications require a second log-in, Graham said. Google also allows users to use SSL to access their accounts, a feature that will bar an attacker from gaining access, he said.
James Booseman, a San Jose, Calif.-based security architect who attended the session, said he was surprised by the demonstration. But Booseman said that taking appropriate precautions on public Wi-Fi, such as using a virtual private network, can prevent this kind of data leakage.
"It's about keeping yourself from being at risk," Booseman said. "I bet there are many people out there who are wide open to this kind of attack."
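The attack works because a session cookie is a bearer token: whoever presents it is the user, and on an open hotspot a plaintext HTTP request shows it to everyone within radio range. The following is an added example written for this page, not Errata's Hamster or Ferret code: it pulls Host and Cookie headers out of a handful of constructed cleartext requests (the Ferret role), picks the ones that look like session tokens and builds a request that presents them (the Hamster role), and then audits a Set-Cookie header for the attributes that would have defeated the replay, chiefly the Secure flag that Graham's "use SSL" advice amounts to. The hostnames, cookie names and values are all constructed.

```python
"""Sidejacking, as described in the Errata talk, reduced to its essentials.

Added example, not Errata's Hamster/Ferret code. The captured requests and
Set-Cookie headers are constructed; hostnames are documentation names.
"""
import re
from typing import Dict, List

# Constructed: cleartext HTTP requests as a passive Wi-Fi sniffer would see them.
CAPTURED_REQUESTS = [
    "GET /mail/?ui=1 HTTP/1.1\r\nHost: mail.example.com\r\n"
    "Cookie: SID=DQAAAHkAAAC7; PREF=ID=2f3a:LD=en\r\n\r\n",
    "GET /home.php HTTP/1.1\r\nHost: www.social.example\r\n"
    "Cookie: login_x=8823; c_user=1002\r\n\r\n",
    "GET /static/logo.png HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n",
]

# Names that usually carry a session or login token; a heuristic, not a standard.
SESSION_HINT = re.compile(r"(sid|sess|auth|login|token|user)", re.I)


def harvest_cookies(requests: List[str]) -> Dict[str, Dict[str, str]]:
    """Ferret's job: collect Host and Cookie headers from cleartext requests, keyed by host."""
    jar: Dict[str, Dict[str, str]] = {}
    for raw in requests:
        header_lines = [line for line in raw.split("\r\n")[1:] if ":" in line]
        headers = {k.strip().lower(): v.strip()
                   for k, v in (line.split(":", 1) for line in header_lines)}
        if "host" in headers and "cookie" in headers:
            cookies = dict(c.strip().split("=", 1)
                           for c in headers["cookie"].split(";") if "=" in c)
            jar.setdefault(headers["host"], {}).update(cookies)
    return jar


def session_cookies(jar: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Keep only the cookies worth replaying: those whose names look like session tokens."""
    picked = {host: {n: v for n, v in cookies.items() if SESSION_HINT.search(n)}
              for host, cookies in jar.items()}
    return {host: cookies for host, cookies in picked.items() if cookies}


def replay_request(host: str, path: str, cookies: Dict[str, str]) -> str:
    """Hamster's job: a request carrying the victim's cookies. The server cannot tell
    it from the victim's own browser; that is what "hijack the session" means."""
    cookie_hdr = "; ".join(f"{n}={v}" for n, v in cookies.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_hdr}\r\n\r\n"


def audit_set_cookie(header: str) -> List[str]:
    """The server-side fix: a session cookie is only as safe as the attributes set on it."""
    attrs = [a.strip().lower() for a in header.split(";")[1:]]
    names = {a.split("=", 1)[0] for a in attrs}
    problems = []
    if "secure" not in names:
        problems.append("missing Secure: the browser sends it over plaintext HTTP, where a sniffer reads it")
    if "httponly" not in names:
        problems.append("missing HttpOnly: injected script can read it as well")
    if any(a.startswith(("expires=", "max-age=")) for a in attrs):
        problems.append("persistent: a harvested value stays valid until expiry, not just for this visit")
    return problems


if __name__ == "__main__":
    stolen = session_cookies(harvest_cookies(CAPTURED_REQUESTS))
    for host, cookies in stolen.items():
        print(replay_request(host, "/", cookies))
    print(audit_set_cookie("SID=DQAAAHkAAAC7; Domain=.example.com; Path=/; Expires=Wed, 01 Aug 2012 00:00:00 GMT"))
```

The audit function is where the defence lives: a cookie marked Secure is never sent over port 80, so there is nothing for Ferret to capture, and a cookie without Expires dies with the browser session instead of remaining replayable for years, which is the lifetime Graham warned about.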
Black Hat 2007: Forensics Software Security Holes Revealed
Vulnerabilities found in leading forensics software not only create a rich environment for denial-of-service and remote code execution exploits, but could lead a vigilant attorney to argue against the credibility of evidence collected by these tools.
Researchers from consultancy iSEC Partners presented that scenario Wednesday at Black Hat following the conclusion of a six-month study of Guidance Software's EnCase and the open source The Sleuth Kit (TSK). The findings have also been published in an iSEC Partners paper entitled, Breaking forensic software: Weaknesses in critical evidence collection.
The software, widely used in corporate circles for gathering evidence in civil and criminal litigation or for in-house human resources cases, is susceptible to a number of nasty bugs, including data hiding, where the software fails to detect evidence stored in a specially crafted filesystem, essentially leaving it hidden in plain view; code execution, where programming shortcomings lead to buffer, stack or heap overflows; and denial-of-service bugs, where an attacker might hide incriminating evidence in a file that repeatedly crashes the software.
iSEC tested Guidance EnCase and EnCase Enterprise -- which enable acquisition of hard drive data and images over networks -- and TSK using blind fuzzing and targeted fault injection techniques.
"These products have ridiculously large attack surfaces and crash a million times," said iSEC principal partner Alex Stamos, pointing out that forensics software can read evidence stored in hundreds of file formats. "It can read anything, and that should be terrifying to people who use these products. Think about Microsoft Word; that's one format and it's had six remotely exploitable buffer overflows. The forensics problem is two orders of magnitude bigger."
Stamos was careful to point out that iSEC did not create any exploit code. "Our research indicates people should be prepared for an exploit to circle," Stamos said, adding that he has heard from several practitioners and read anecdotal accounts on message boards of the software crashing in similar ways. Guidance responded to the findings on the Bugtraq mailing list and declined to call any of the bugs security vulnerabilities.
"All of the testing involved intentionally corrupted target data that highlighted a few relatively minor bugs. The issues raised do not identify errors affecting the integrity of the evidence collection… Moreover, the issues raised have nothing to do with the security of the product. Therefore, we strongly dispute any media reports or commentary that imply that there are any vulnerabilities or denials of service exposed by this report," Guidance said in a statement.
Chris Ridder, a fellow at Stanford Law School, said that given there are no known exploits, a theoretical assertion that evidence might have been tampered with would be unlikely to get it thrown out of court.
"If there are code execution exploits such that a given image might have been exploited, that changes the calculus a little bit," Ridder said. "The more likelihood of compromises circulating and the easier exploits are to do, and the less testing of these systems, now you're inching up to where evidence potentially is not being admitted."
Black Hat 2007: New Database Forensics Tool Could Aid Data Breach Cases
A new database forensics tool being developed by database security guru David Litchfield could help data breach investigators build evidence against attackers.
Litchfield, managing director at UK-based NGS (Next Generation Security) Software Ltd., plans to release the Forensic Examiners Database Scalpel. The new tool is designed for Oracle database management systems and automates the process of sifting through mountains of system metadata to discover the cause and extent of a data security breach.
In his presentation at the Black Hat USA 2007 Briefings in Las Vegas, Litchfield called for further research in the area of database forensics. Litchfield, who has focused his research on Oracle database security, said he has been conducting forensics research on the Oracle 10g database management system for about six months.
"We've seen database breaches occurring all the time and we need to see how they are occurring," he said.
Litchfield said he has a legal hurdle to overcome with Oracle Corp., since the tool uses some of Oracle's proprietary algorithms. The new tool would be the first of its kind once it is released, he said; there are no database-specific forensic analysis tools on the market.
"There are tools that allow you to ascertain a compromise or not, but by running those tools, you could compromise evidence," Litchfield said. "There are tools that allow you to fudge your way through, but by running them you can change a system in a drastic way."
Litchfield said that investigators examine redo logs, data files and Apache logs to follow the path of a hacker. Examining metadata and statistics can yield evidence of the creation of foreign database objects and of row deletions. Investigators can find hidden clues that reveal the path an attacker took and build a case from that information.
"An attacker may go around creating objects and then go and attempt to clean up and hide evidence," Litchfield said.
But often, hidden deep within an Oracle data block, attackers leave traces of their presence. The header and row directory in a data block correspond to areas within a database that can yield revealing clues, Litchfield said.
Litchfield said that forensic analysis should always be done in the presence of the database administrator, who should be able to recognize problems.
A database administrator who attended Litchfield's presentation, and who wished to remain anonymous, said the new tool is vital to conducting forensics on specific data blocks. Without the tool, the work is too time consuming, he said.
"A tool like this could make a difference," he said. "There are ways to conduct an analysis with other tools, but they can alter tables and possibly damage evidence."
In recent years, database-related news at Black Hat has been dominated by Litchfield. He has focused on flaws in Oracle databases, though last year he focused instead on flaws in IBM's Informix family of database products.
Black Hat 2007: Rootkit Hunters Caught In Cat-and-Mouse Game
No malware, let alone a virtualized rootkit, is undetectable. That was the message delivered loud and clear Wednesday at the Black Hat USA Briefings. A team of well-known security researchers led a session on the methods they believe would be effective in finding virtualized rootkits, such as Joanna Rutkowska's infamous Blue Pill or Dino Dai Zovi's Vitriol. The researchers outlined a number of techniques for detecting traces of such a rootkit's activity, including side-channel attacks, finding hypervisor bugs and looking for errors caused by the malware.
"You're basically stuck in a cat-and-mouse game in which the attacker designs some code, you look for characteristics of that code and detect it, and then it all repeats in a big cycle," said Nate Lawson, principal at Oakland, Calif.-based Root Labs, and one of the co-presenters of the session. "We've seen this before and people have always found countermeasures, and we expect that will continue the same way."
The presenters, who also included Thomas Ptacek of New York-based Matasano Security, Dai Zovi and Peter Ferrie of Cupertino, Calif.-based Symantec Corp., focused much of the talk on the properties of Blue Pill and the ways in which they would expect it to behave on a compromised system. Rutkowska, a well-known researcher based in Poland, gave a talk on the hypervisor rootkit at Black Hat in 2006, causing quite a stir. But she has not talked much about the exact features and functions of Blue Pill since then, and her claims of it being completely undetectable have drawn a lot of criticism from other researchers.
"We're really interested in debunking that claim," Ptacek said.
The crux of the presenters' criticism of Blue Pill is that it attempts to emulate the entire architecture of an x86 machine, instead of just certain portions of the operating system as a conventional kernel-mode rootkit would. That ambitious design is exactly what makes Blue Pill detectable, Lawson said. Because it has to emulate so many different components, it is bound to leave traces somewhere.
One of the methods Lawson outlined for detecting a virtualized rootkit involves observing changes in the Translation Lookaside Buffer (TLB), a cache in the CPU. When something causes a virtual machine to exit, the hypervisor leaves traces of its presence in the TLB. So, Lawson said, one way to detect a hypervisor rootkit would be to cause it to somehow exit, and then read the TLB and look for changes.
But, Lawson and Ptacek conceded, there's nothing stopping the malware author from writing a feature to detect the "rootkit detector," which Lawson said leads back to the familiar attacker-defender cat-and-mouse game.
"What you end up with is the same cycle that we see with AV engines and viruses, where I look at the latest version of your code, find ways to detect it and then you write a new version and we start all over again," Lawson said. "The reality is, there's no absolute endgame here. The malware authors can't make something that's 100% undetectable and I can't write a detector that makes all malware detectable."
The team of researchers also discussed a few details of their own detection software, called Samsara, which they plan to release in the next few weeks. They will make the code for the tool freely available, and also intend to make a prototype hardware-based rootkit available for testing purposes.
The rootkit session originally was intended to be a live demo in which Rutkowska would load Blue Pill onto one of several clean Vista machines, and Ptacek and his co-presenters would load Samsara onto all of the PCs and try to detect the rootkit. But Rutkowska declined the offer and instead sat in the audience.
Black Hat 2007: VOIP Security Reaches Tipping Point
Industry experts have warned for years that companies are ignoring security when deploying VoIP. Researchers at this year's Black Hat conference say the state of VoIP security is as bad today as it was two years ago, with many adopters relying on protocols that are easy to attack. But PGP creator Phil Zimmermann has unveiled new software he believes will help turn the tide.
Zimmermann calls his new creation Zfone, a VoIP phone software product that lets users encrypt their calls over the Internet. Zfone uses a new cryptographic protocol called ZRTP, which negotiates the call's encryption keys inside the media stream itself rather than relying on the signaling layer, so it works regardless of whether the call was set up with SIP (Session Initiation Protocol), H.323 or IAX, the protocols whose weaknesses other Black Hat presenters went on to describe. Users can download a free beta of Zfone from the Zfone Project Web site.
"Zfone sits in the IP protocol stack and runs as a filter, and it works with multiple programs such as Windows Mobile, Apple iChat, Symbian and Nokia," he said before running a demonstration of how the technology works.
To show how Zfone can protect VoIP sessions from man-in-the-middle attacks without the need for a PKI or certificate authority, Zimmermann initiated two VoIP calls with someone in the audience using iChat and then Gizmo, a free Internet phone application. ZRTP agrees on a session key with a Diffie-Hellman exchange and then has both parties read a short authentication string derived from that key aloud to each other; if an attacker has inserted himself between them, the two strings will not match.
"To prevent a man-in-the-middle attack, we have to use the same session key," he said, pointing out how his software allows for that to happen. "When you have the same session key at both ends, there can be no man in the middle."
Throughout his presentation, Zimmermann stressed the importance of encrypting VoIP transmissions, even though, as he noted, some in the government believe that would hobble law enforcement's ability to tap VoIP conversations as part of criminal investigations. The problem, he said, is that organized criminal outfits are quickly figuring out how to turn the tables by tapping VoIP calls made by the authorities attempting to bring them to justice.
"We have to encrypt our phone calls because the VoIP environment just isn't safe," he said. "It's getting easier for the bad guys to use something like spyware to tap the VoIP conversations of judges, prosecutors and the police."
Zimmermann's demonstration received a positive response from the audience, and other experts backed his claim that it's no longer difficult for digital miscreants to exploit VoIP insecurity.
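The exchange Zimmermann demonstrated, as an added toy example written for this page and not Zfone or ZRTP code: each side does a Diffie-Hellman exchange, derives the session key, and turns the top 20 bits of a hash of it into a four-character short authentication string (SAS) that the two parties compare by voice. The honest run yields matching keys and matching strings; a man in the middle who terminates two separate exchanges can decrypt both legs but leaves Alice and Bob with different keys, so their strings disagree. The 32-bit group, the generator, the private exponents and the use of FNV-1a in place of ZRTP's hash/KDF are assumptions chosen so the program runs anywhere without a bignum library; they are not secure parameters.

```c
/* Added example: toy reconstruction of ZRTP's DH + SAS check. Not Zfone code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed toy group: P is the largest prime below 2^32, G = 2. Real ZRTP uses
 * 3072-bit or larger DH groups or elliptic curves. */
#define P 4294967291ULL
#define G 2ULL

static uint64_t mulmod(uint64_t a, uint64_t b) { return (a * b) % P; } /* a, b < 2^32 */

static uint64_t powmod(uint64_t base, uint64_t exp)
{
    uint64_t r = 1;
    base %= P;
    while (exp) {
        if (exp & 1) r = mulmod(r, base);
        base = mulmod(base, base);
        exp >>= 1;
    }
    return r;
}

/* Stand-in for ZRTP's hash/KDF: FNV-1a over the secret. Not cryptographic. */
static uint64_t fnv1a64(const uint8_t *data, size_t len)
{
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 1099511628211ULL; }
    return h;
}

/* SAS as ZRTP renders it: four characters from the top 20 bits of the SAS
 * hash, using the z-base-32 alphabet. */
void sas_from_secret(uint64_t secret, char out[5])
{
    static const char alphabet[] = "ybndrfg8ejkmcpqxot1uwisza345h769";
    uint8_t buf[8];
    for (int i = 0; i < 8; i++) buf[i] = (uint8_t)(secret >> (56 - 8 * i));
    uint32_t top20 = (uint32_t)(fnv1a64(buf, 8) >> 44);
    for (int i = 0; i < 4; i++) out[i] = alphabet[(top20 >> (15 - 5 * i)) & 31];
    out[4] = '\0';
}

struct endpoint { uint64_t priv, pub, secret; char sas[5]; };

static void dh_start(struct endpoint *e, uint64_t priv)
{
    e->priv = priv;
    e->pub = powmod(G, priv);            /* public value sent in the media stream */
}

static void dh_finish(struct endpoint *e, uint64_t peer_pub)
{
    e->secret = powmod(peer_pub, e->priv);
    sas_from_secret(e->secret, e->sas);
}

/* Honest call: Alice and Bob exchange public values directly.
 * Returns 1 when the SAS each would read aloud match. */
int honest_call(uint64_t a, uint64_t b, struct endpoint *alice, struct endpoint *bob)
{
    dh_start(alice, a);
    dh_start(bob, b);
    dh_finish(alice, bob->pub);
    dh_finish(bob, alice->pub);
    return strcmp(alice->sas, bob->sas) == 0;
}

/* Man in the middle: Mallory runs one exchange toward each side with her own
 * private value m. She can decrypt both legs, but Alice ends with g^(a*m) and
 * Bob with g^(b*m), so the two SAS disagree except by a roughly 1-in-a-million
 * 20-bit coincidence. Returns 1 only in that unlucky case. */
int mitm_call(uint64_t a, uint64_t b, uint64_t m,
              struct endpoint *alice, struct endpoint *bob)
{
    struct endpoint mal_a, mal_b;
    dh_start(alice, a);
    dh_start(bob, b);
    dh_start(&mal_a, m);
    dh_start(&mal_b, m);
    dh_finish(alice, mal_a.pub);         /* Alice believes this came from Bob */
    dh_finish(&mal_a, alice->pub);
    dh_finish(bob, mal_b.pub);           /* Bob believes this came from Alice */
    dh_finish(&mal_b, bob->pub);
    return strcmp(alice->sas, bob->sas) == 0;
}

int main(void)
{
    struct endpoint alice, bob;
    int ok = honest_call(0x1f3a9c2dULL, 0x7b21e4f5ULL, &alice, &bob);
    printf("honest call : Alice reads %s, Bob reads %s -> %s\n",
           alice.sas, bob.sas, ok ? "match, no MITM" : "MISMATCH");
    ok = mitm_call(0x1f3a9c2dULL, 0x7b21e4f5ULL, 0x3c0ffee1ULL, &alice, &bob);
    printf("MITM call   : Alice reads %s, Bob reads %s -> %s\n",
           alice.sas, bob.sas, ok ? "match (chance collision)" : "mismatch, MITM caught");
    return 0;
}
```

The check works only because the strings travel over the voice channel the attacker would have to forge in real time, which is why Zimmermann could dispense with certificates; it also means the parties have to actually compare them on the first call, after which ZRTP caches key material so later calls are protected without the ritual.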
Himanshu Dwivedi and Zane Lackey of San Francisco-based digital security firm iSEC Partners Inc. gave a presentation on the various ways attackers can exploit SIP, IAX and H.323. The latter, they said, is particularly vulnerable to attack, yet most users assume H.323 is secure because little evidence to the contrary has been presented. They urged the audience to build a layered defense, noting that the state of VoIP security is as bad now as it was a couple of years ago.
"Four to five years ago, we started hearing about the security problems of VoIP, and it's really no better today," Dwivedi said. "The security vendors are not on top of the problem and users are relying on protocols they think are safe, when in fact they are not."
The two then ran through a series of examples showing how attackers could exploit the protocols to listen in on VoIP conversations and extract sensitive information in the process, and create havoc through denial-of-service attacks and by impersonating certain people on the call. IDs, time stamps and certain hashing functions can easily be sniffed, they warned.
Several Black Hat attendees said their organizations aren't using a lot of VoIP yet, but that they know it's something they'll soon have to deal with.
Andrew Fried, an IT security specialist with the U.S. Treasury Department, said his agency wants to increase its VoIP capabilities and hopes the Black Hat sessions will bring him up to speed on the security risks he'll have to be worrying about.
"The government is trying to push more and more work at home and VoIP will be used as part of that … but fraudulent use of VoIP is something we're more concerned about, with [attackers] making calls in the name of the IRS using VoIP services that are nearly untraceable," Fried said. "Welcome to the world of fraud."