Enabling Secure Business Operations

Hospitals shutdown computer systems due to Mytob worm

The Register has an article about three London hospitals shutting down their computer systems due to a worm. However, except for transportation, all functions of the hospital seem to be continuing despite the lack of computer systems.


I took away three things from this article: computer systems are not essential for health care, someone wasn’t patching or following security policies, and the worm provides a back door for attackers. The doctors and the hospital are still providing medical care to patients. The computer systems certainly help them do this job more efficiently, but they’re not required. I think this points out the importance of security vs convenience. The doctors just want to help their patients, and if they have to do that without computer systems, so be it. Most of the computerized equipment they really need should not be (and usually isn’t) connected to a network. If the computer systems become difficult to use because of security – the doctors will just not use them.


The second thing I noticed, which wasn’t mentioned directly in the story, is that the worm had to get onto those systems in the first place. That was either over the network or brought in by a user. Either way, it tells me that patches weren’t applied and on-access antivirus scanning was not running. Someone wasn’t following policy.


The final piece of information that was glossed over in the Register’s article is that the worm opens back doors on systems and contains spyware. Now, I’m sure the writers of the worm didn’t think that it would end up on a healthcare system, so they’re probably not looking for Personally Identifiable Information (PII), but that information is still there, and likely accessed by the users of those systems. If a keylogger was installed, all of that is now “public” to the botnet’s users. I think the hospitals will have a larger job of cleaning up after this and determining what the worm did with that information than they do now in getting the systems back up and running.


Recovering from an “attack” is not as simple as restoring last known good configurations. You have to duplicate the drives, re-install the systems, then restore data (and hope you have good recent backups). If you want any chance of prosecuting the individual(s) responsible, duplicating the drives for forensic analysis is one of the most important steps. And until that’s done, these hospitals will be without computer systems.
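The "duplicate the drives first" step above is the one that gets skipped under pressure, so here is an added example (not code from the original post) of what a minimal, verifiable acquisition looks like. A real acquisition reads the block device through a hardware write blocker and needs root; this stand-in images a constructed file and records the hash that later lets you prove the image matches what was seized.

```python
import hashlib
import json
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read and write in 1 MiB blocks


def sha256_of_file(path):
    """Hash a file in chunks so a large image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_device(source_path, image_path):
    """Copy source byte-for-byte to image_path, hashing the source as it is read,
    then re-hash the finished image and refuse to report success unless both match."""
    digest = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK_SIZE), b""):
            digest.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    source_hash = digest.hexdigest()
    image_hash = sha256_of_file(image_path)
    if image_hash != source_hash:
        raise RuntimeError("image does not match source: %s != %s" % (image_hash, source_hash))
    return {
        "source": source_path,
        "image": image_path,
        "bytes": copied,
        "sha256": image_hash,
    }


def write_custody_record(record, record_path):
    """Persist the acquisition record next to the image (examiner, time and case id
    would be added in practice)."""
    with open(record_path, "w") as handle:
        json.dump(record, handle, indent=2)
    return record_path


def demo():
    """Stand-in for a real acquisition: a constructed file of 3 MiB + 123 bytes plays the drive."""
    workdir = tempfile.mkdtemp()
    fake_drive = os.path.join(workdir, "fake_drive.bin")
    with open(fake_drive, "wb") as handle:
        handle.write(os.urandom(3 * CHUNK_SIZE + 123))
    record = image_device(fake_drive, os.path.join(workdir, "fake_drive.dd"))
    write_custody_record(record, os.path.join(workdir, "fake_drive.json"))
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only after the record is written and the hash verified does it make sense to wipe and reinstall the original machine; any later analysis (what the backdoor did, which files were read) is done against the image, not the rebuilt system.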

SQL Injection Education

SQL injection attacks are in the news again this week. More web sites were found to be carrying hidden threats that originated from a “new, stealthier, and more closely guarded SQL injection toolkit.” You can take a look at the details of the attack here. Sites have been infected and re-infected as administrators have failed to address the root of the problem, poorly written code.


Because of my belief that education is important to the elimination of bad habits, I thought it would be a good idea to point our readers to some resources that will help them understand SQL injection and how to avoid it.
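As an added illustration of the "poorly written code" at the root of these incidents (this example is not from the original post; the users table and credentials are constructed), here is the same login query written the way the vulnerable sites build it and the way it should be built. The toolkits in the news abuse exactly this defect in pages that paste URL or form parameters into SQL text; parameterized queries remove it regardless of what characters the input contains.

```python
import sqlite3

# Constructed sample data: two accounts in an in-memory SQLite database.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The defect: request values are pasted into the SQL text, so a quote character
    # in the input changes the structure of the statement instead of being data.
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    # The fix: the statement is fixed text and the values are bound as parameters.
    # The database never parses the input as SQL, whatever it contains.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def compare(username, password):
    """Run the same credentials through both versions and return what each matched."""
    conn = build_db()
    try:
        vulnerable = login_vulnerable(conn, username, password)
    except sqlite3.DatabaseError as exc:
        # A stray quote in the input breaks the statement outright in the vulnerable version.
        vulnerable = "error: %s" % exc
    safe = login_safe(conn, username, password)
    conn.close()
    return {"vulnerable": vulnerable, "safe": safe}


if __name__ == "__main__":
    print(compare("alice", "s3cret"))      # both versions match alice
    print(compare("alice", "wrong"))       # neither version matches
    print(compare("x", "' OR '1'='1"))     # vulnerable returns every user, safe returns nothing
```

The third call is the textbook case: in the concatenated version the password value closes the quoted string and appends its own condition, so the `WHERE` clause is true for every row; the parameterized version compares the whole string as a password and matches nobody. Reviewing code for the first pattern (string formatting or concatenation feeding a query API) is the quickest way to find the root cause the article says administrators keep missing.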

False-Positive Trust

Recently, I was buying a bottle of wine at the grocery store and was asked to show my ID.  My license picture was taken about 4 years ago, when I was 20-30 lbs lighter and before I started shaving my head, so it doesn’t look all that much like me anymore.  The clerk was skeptical, and he asked me to show another form of ID, which I provided by showing him a few credit cards.  Apparently, that was enough to convince him that I was who the license said I was.

What if I had just stolen someone’s wallet, though?  I would have easily been able to produce credit cards that accompanied the license in the wallet.  Showing that extra piece of ID really didn’t add any authentication to the transaction at all, but it allowed me to complete my age-restricted purchase.

Most IT people have heard of the concept of two-factor authentication;  pick two of the three classic categories (“something you have”, “something you know”, “something you are”) for a high level of authentication.  I’ve heard it argued, however, that multiple items from the same category (specifically, the “something you know” group), can be considered stronger than one.  I disagree with this sentiment.

If you can get “something you know” from someone, such as a network password or other shared secret, it’s generally trivial to get another “something you know” from them.  Two pieces of information are almost exactly as strong as one piece of information.  However, if an application designer, much like the store clerk that sold me the wine, is willing to accept two of the same authentication factor as a strong assurance of identity, then the application is more of a security risk than one that accepts only one form of identity because of the nature of the information that application is likely to provide.

It’s a common mantra of security theory that I’ve repeated ad nauseam:  security controls must be appropriate for what is being protected.  Two pieces of knowledge are not better than one, and if they are treated as such, then the application is not secure if it must protect information that requires something more than just a password.

Internet Code of Conduct

In 2007 a handful of companies (including Google, Microsoft, and Yahoo) decided to draft a set of guidelines influencing the behavior of online businesses when it comes to the subject of policies and regulations dealing with human rights. It was to be a kind of unofficial voluntary code of conduct initiative thing.

According to this letter (pdf) from Yahoo to Senators Durbin and Coburn:

Principles on Freedom of Expression and Privacy [...] provide direction and guidance to the ICT industry and its stakeholders in protecting and advancing the enjoyment of freedom of expression and privacy globally. The Principles describe key commitments in the following areas: Freedom of Expression; Privacy; Responsible Company Decision Making; Multi-Stakeholder Collaboration; Governance, Accountability & Transparency

Along with censorship and freedom of speech, the idea was also to provide general requirements for privacy. The idea also calls for a way to determine if a company is compliant with the code and a way to hold companies accountable if they violate it.

This is important because it shows that some of the most relevant internet-based companies are taking the rights of their users seriously. So seriously, in fact, that they are willing to sponsor a set of guidelines that help other companies protect THEIR users’ rights as well. If more companies get on board, this could be a step in the right direction in helping to strengthen the trust between service provider and user.

The perils of switching registrars

One of our clients unintentionally DoSed themselves this weekend by switching registrars. In what turns out to be an honest mistake on someone’s part, the new registrar set the company’s DNS servers to the registrar’s own (a pretty standard action), but didn’t copy the old DNS information from the previous registrar. This effectively denied service to the organization’s mail server (no DNS entry for it and no MX record) and to some websites that generate revenue.


I would suspect that this is a common situation for smaller companies. They decide that they’re not happy with their current registrar for whatever reason, and switch. Unfortunately, they often do so without understanding how computers find each other, and they buy into the “complete hosting solution” packages offered by many registrars. In an effort to prevent other small companies from suffering the same fate, I present DNS, whois, and hosting for dummies.

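The outage above is detectable before the switch: export the zone the old registrar serves, export what the new registrar’s servers answer, and diff them, paying particular attention to MX records and the address records their targets depend on. The following is an added example (not from the original post) of that check; the two zone snapshots are constructed and use the documentation address ranges, and the record format is a simplified `owner TYPE value` line rather than a full zone file.

```python
# Constructed zone snapshots (documentation address ranges, not real infrastructure):
# what the previous registrar served, and what the new registrar's servers answer.
OLD_ZONE = """\
; previous registrar
example.com.        A     192.0.2.10
example.com.        MX    10 mail.example.com.
mail.example.com.   A     192.0.2.25
www.example.com.    A     192.0.2.10
shop.example.com.   A     192.0.2.30
"""

NEW_ZONE = """\
; new registrar's default records: web host only, nothing else copied over
example.com.        A     198.51.100.5
www.example.com.    A     198.51.100.5
"""


def parse_zone(text):
    """Return {(owner, TYPE): set(values)} from 'owner TYPE value' lines; ';' starts a comment."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError("expected 'owner TYPE value', got: %r" % raw)
        owner, rtype, value = parts
        key = (owner.lower(), rtype.upper())
        records.setdefault(key, set()).add(" ".join(value.split()).lower())
    return records


def cutover_report(old_text, new_text):
    """Compare the two snapshots and list what would break when the new servers go live."""
    old = parse_zone(old_text)
    new = parse_zone(new_text)
    # Names that simply vanish (the mail server and the shop site in the sample).
    missing = sorted(key for key in old if key not in new)
    # Names that still exist but now point somewhere else; may be intended, must be reviewed.
    changed = sorted(key for key in old if key in new and old[key] != new[key])
    # Every in-zone MX target needs an address record, or mail is accepted by nobody.
    dangling_mx = []
    for (owner, rtype), values in new.items():
        if rtype != "MX":
            continue
        for value in values:
            target = value.split()[-1]
            in_zone = target.endswith(owner)
            if in_zone and (target, "A") not in new and (target, "AAAA") not in new:
                dangling_mx.append(target)
    no_mx_at_all = not any(rtype == "MX" for (_, rtype) in new)
    return {
        "missing": missing,
        "changed": changed,
        "dangling_mx": sorted(dangling_mx),
        "no_mx_at_all": no_mx_at_all,
    }


if __name__ == "__main__":
    for key, value in cutover_report(OLD_ZONE, NEW_ZONE).items():
        print("%-12s %s" % (key, value))
```

Run against the sample, the report shows the MX record and the mail host’s address gone, the shop site gone, and the two remaining A records pointed at the registrar’s hosting. Any non-empty `missing` or `dangling_mx`, or `no_mx_at_all` being true, is a reason not to change the nameservers at the registry until the new zone has been completed.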

Securing Connection Strings in Web Applications

Authoring web sites was a lot easier in the 90’s…write some static HTML, maybe some JavaScript, and you were done.  Need to update the site?  Just edit the HTML pages and upload.

In the past decade or so, web applications have made a lot of progress with interactivity and dynamic content.  Services hosted outside of the application container, such as third party web services and databases,  can provide a boatload of flexibility when designing and implementing a web site.  But, these services rarely, if ever, allow anonymous interaction…so we need to go back to our old friend, the password.

Passwords are usually stored in a configuration file along with a web application.  The configuration files are generally not made accessible with an application URL, but often connection information is stored unencrypted, which means vulnerability to security bugs that can trick the web app into displaying the configuration files.  Local access would also compromise the password, but local access almost always means that nothing is safe.

I’m in the process of authoring a new .NET app, and I’m feeling okay about the capability to encrypt sections of the web.config file (including service passwords).  This seems to be able to hide data from prying eyes using keys managed by the local security authority.  However, I haven’t yet figured out how to manage this in a deployment scenario.  Encrypting the section inherently makes it difficult to update the configuration – this now has to be done through code, because the security provider has to be invoked to decrypt and re-encrypt the configuration sections.  If the same authentication provider is used to authenticate administrators to perform these updates, then what if there is a problem with that authentication provider, and the administrators get locked out from fixing the configuration?

From a security standpoint, I have to make this work (and be usable)...I just haven’t yet figured out how.  If anyone in my legion of loyal readers has any tips, I’d be glad to hear them.

Trends in Computer Security

IBM’s X-Force R&D has sent out a report (pdf) detailing computer security statistics collected over the first six months of 2008.

Among the results of this report, we find the following (compared to last year’s figures):


  • Decreased time between disclosure and public exploit

  • Further shift from OS and multimedia exploits to web browser exploits

  • Further shift from browser core to browser plugins


What this tells us is that attackers are keeping a steady eye on the disclosure process itself, quickly adapting the details into POC code. It also shows that attackers are recognizing and taking advantage of the browser as an attack vector—a trend that has been steadily increasing over the past few years.

Another interesting trend that caught my eye was the most commonly used web browser plugin exploits… most attacks exploited vulnerabilities that were between 1 and 2 years old. On one hand, I would say that an improvement has been made—no longer are people getting exploited by 4 or 5 year old bugs. But at the same time, we have a long way to go before people consistently address the security issues of software that is regularly exposed to the dangers of web browsing.

The rest of the report (pdf) is a very solid read—they cover everything from spam, to phishing, and even the relatively fresh vulnerability frontier of virtualization.


2008 Olympics Visitor Security Guide

If you’re lucky enough to be traveling to China for the 2008 Summer Olympics, you should think carefully about the security and safety of your personal belongings, as well as your information.  Travelers should be aware that as in any large metropolitan area, any computing devices (such as smart phones, PDAs, and laptops) are at a high risk of theft.   Additionally, the United States State Department has advised the following about travel to China:

Security personnel may at times place foreign visitors under surveillance.  Hotel rooms, telephones, and fax machines may be monitored, and personal possessions in hotel rooms, including computers, may be searched without the consent or knowledge of the traveler.  Foreign government officials, journalists, and business people with access to advanced proprietary technology are particularly likely to be under surveillance.

Therefore, we recommend the following approach for 2008 Olympics visitors in order to keep their information and belongings safe:

  • If at all possible, leave your computing devices home.  It will eliminate potential travel hassles, and alleviate the need to keep tabs on your things while you are out and about.  Enjoy the Olympic Games, and take a vacation from your email.

  • If you bring a computing device, keep it with you at all times.  If you cannot bring the device with you, inquire at your hotel about a safe, or other secure storage area.  Hotel rooms and rental cars are prime places for theft to occur in China.

  • Use file or disk encryption.  Products such as TrueCrypt or SecureDoc, or operating system capabilities such as Encrypting File System or BitLocker can keep your information safe even if your device is stolen.

  • If you must write down passwords, secure them.  If you keep a post-it note with passwords on the lid of your notebook, the criminal may be able to use this information to get further access to the information in your machine or your networks.

  • Keep your identification documents safe. Keep passports and other identification documents safe from pickpockets.  The State Department recommends travelers make photocopies of their passport bio-data pages and Chinese visas and keep these in a separate, secure location in case of passport theft.

We hope visitors to Beijing find this information useful, and stay safe during their visit to the 2008 Olympic Summer Games!

Bank Sites Have Design Flaws

Over seventy-five percent of banking web sites examined by researchers at the University of Michigan were found to have design flaws that make it easier for identity thieves to trick customers.

The researchers found that many banks silently redirect users to third-party sites, plop “secure login” boxes on insecure Web pages, and improperly use Social Security numbers or e-mail addresses — which an outsider can figure out — as default user names.

Practices like these can make it harder for the user to notice when they have been directed to a phishing site. Even more careful users might tire of checking to see if the login box posts to a secure site. Then, phishers have a better chance of catching someone off guard as opposed to sites that keep customers on their toes.

I suggest going with a bank whose online banking makes it easy to check for authenticity. You should be able to tell by looking at your address bar or status bar if the site is secure. You should be able to easily check the details of the server’s certificate. You should not have to dig for this information.

Also, be careful about trusting a site because of information it might present to you. Having your SSN show up in the User ID box or presenting an image to you that you previously selected are not terribly impressive feats. Use them as reminders to double-check the site’s authenticity.

Endpoint security breaches

Endpoints can be almost anything – USB drives, iPods, laptop computers, cell phones, even digital cameras with SD cards. Billions of dollars have been spent making sure brilliant hackers can’t attack computers from across the globe. But firewalls generally don’t stop anyone from attaching a finger-size drive to a computer and stealing gigabytes worth of secrets from a company or government agency.

Oddly enough, security breaches or data leakage through this route are rarely intentional. It usually ends up being a careless employee who’s trying to get their work done quicker. The network is slow, permissions are acting up, email has file size limitations; whatever the reason, it’s almost never deliberate. With USB thumb drives getting smaller and smaller, it’s not hard for these things to be misplaced, or even forgotten about.

The situation is serious, but not hopeless. Making sure you have solid policies in place is a good start. Protecting important documents with encryption is an even better start. There are many makers of thumb drives with built-in encryption mechanisms. You can even opt for a full-on encryption suite for your company that includes a form of removable storage encryption. Some of these include mini software packages that allow you to decrypt the data on a system that doesn’t have the master encryption suite installed.

But encryption isn’t the only answer. A simple process of purging thumb drives could eliminate leftover documents that the user simply forgot to delete from the drive.

So let’s not forget that even with the most robust firewall protection and million-dollar network security solutions, a single careless employee can easily circumvent all of them, and nine times out of ten, it’s probably unintentional.