Enabling Secure Business Operations

Obscurity Still Isn’t Security

Today Slashdot carried a story about an Australian transportation plan whose details were broken early by a newspaper. The transport minister said that accessing this information was akin to the newspaper trying to “pick the lock off a secure office and take highly confidential documents”.  What was the brilliant security plan that was supposed to be protecting this information?  The information was all stored at an unpublished URL with no security or authentication in place.

We in the security industry call this “security by obscurity”.  And it is not security at all.

Don’t Disregard the Insider

When companies create security policies designed to keep their information secure, they are often most focused upon the threat of an outsider.  Certain measures, like using secure protocols such as SSL and TLS, or using S/MIME encrypted email can help keep your information from being viewed by third parties when it is sent over untrusted networks.  Other measures, like performing hard disk encryption on your laptops help keep your information secure when a laptop is lost or stolen, or a hard drive is sold on eBay.  None of these measures will help in the scenario of a trusted insider getting access to over 1300 documents that they have no business having.

According to the complaint, Jhaveri admitted being employed by Bristol-Myers-Squibb as a Technical Operations Associate from November of 2007 until his termination on February 2, 2010. The complaint further alleges that during his employment, Jhaveri stole numerous trade secrets as part of a plan to establish a pharmaceutical firm in his native India which would compete with Bristol-Myers-Squibb in various markets around the world.

How do you protect against the insider threat?  It is one of the more complicated issues of information security and there are a lot of opinions on how to deal with it.  Certainly it has to start with understanding what information you have that needs to be protected, how damaging it would be if that information were lost or stolen, and then making cost/benefit decisions on the best ways to protect it.  Everything from a rights-management-services type of solution to a strong security information and event management (SIEM) system could be useful in preventing and detecting insider threats.
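To make the detection side concrete, here is an added example (written for this post, not from any SIEM product or from the case above) of two checks a SIEM rule could express over a document-access log: a per-user volume spike against that user's own daily baseline, and reads outside the document trees the user has a business need for. The log format, the user names, the document paths, the entitlement table and the thresholds are all constructed assumptions.

```python
"""Added example: two insider-threat checks over a constructed document-access log."""
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample: alice and bob each read a couple of techops documents a day,
# then bob pulls eight documents late one evening, several outside his area.
SAMPLE_LOG = """\
2010-01-11T09:01:00 user=alice action=read doc=/techops/sop-001.pdf
2010-01-11T09:05:00 user=alice action=read doc=/techops/sop-002.pdf
2010-01-11T10:00:00 user=bob action=read doc=/techops/batch-17.xls
2010-01-11T10:30:00 user=bob action=read doc=/techops/sop-001.pdf
2010-01-12T09:02:00 user=alice action=read doc=/techops/sop-003.pdf
2010-01-12T09:40:00 user=alice action=read doc=/techops/sop-001.pdf
2010-01-12T11:00:00 user=bob action=read doc=/techops/batch-18.xls
2010-01-12T11:10:00 user=bob action=read doc=/techops/sop-002.pdf
2010-01-13T09:00:00 user=alice action=read doc=/techops/sop-002.pdf
2010-01-13T09:30:00 user=alice action=read doc=/techops/sop-004.pdf
2010-01-13T22:01:00 user=bob action=read doc=/techops/sop-001.pdf
2010-01-13T22:02:00 user=bob action=read doc=/techops/sop-002.pdf
2010-01-13T22:03:00 user=bob action=read doc=/techops/sop-003.pdf
2010-01-13T22:04:00 user=bob action=read doc=/techops/sop-004.pdf
2010-01-13T22:05:00 user=bob action=read doc=/rd/formulation-22.docx
2010-01-13T22:06:00 user=bob action=read doc=/rd/formulation-23.docx
2010-01-13T22:07:00 user=bob action=read doc=/rd/process-notes.docx
2010-01-13T22:08:00 user=bob action=read doc=/legal/licensing-terms.pdf
"""

# Assumed log line shape: ISO timestamp, user, action, document path.
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) action=read doc=(?P<doc>\S+)$"
)

# Assumed entitlement table: document trees each user has a business need for.
# A user missing from the table has no entitlement, so all of their reads are flagged.
ALLOWED_PREFIXES = {"alice": ("/techops/",), "bob": ("/techops/",)}

VOLUME_MULTIPLIER = 3   # flag a day with more than 3x the user's median daily count ...
MIN_FLAG_COUNT = 5      # ... but never for five or fewer distinct documents


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (date, user, doc) tuples; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((m["date"], m["user"], m["doc"]))
    return events


def detect_insider_activity(log_text: str, allowed=ALLOWED_PREFIXES) -> Dict[str, list]:
    events = parse_log(log_text)
    per_user_day: Dict[Tuple[str, str], set] = defaultdict(set)
    for date, user, doc in events:
        per_user_day[(user, date)].add(doc)

    # Volume check: the median of a user's own daily distinct-document counts is the
    # baseline; the median is robust enough that the spike day itself barely moves it.
    daily_counts: Dict[str, List[int]] = defaultdict(list)
    for (user, date), docs in per_user_day.items():
        daily_counts[user].append(len(docs))
    spikes = []
    for (user, date), docs in sorted(per_user_day.items()):
        baseline = median(daily_counts[user])
        if len(docs) > max(MIN_FLAG_COUNT, VOLUME_MULTIPLIER * baseline):
            spikes.append((user, date, len(docs)))

    # Scope check: any read outside the trees the user is entitled to.
    out_of_scope = [
        (date, user, doc)
        for date, user, doc in events
        if not doc.startswith(allowed.get(user, ()))
    ]
    return {"volume_spikes": spikes, "out_of_scope": out_of_scope}


if __name__ == "__main__":
    for kind, findings in detect_insider_activity(SAMPLE_LOG).items():
        for finding in findings:
            print(kind, finding)
```

Neither rule needs the content of the documents, only who read what and when, which is exactly the data a rights-management system or file server already logs; the two signals are complementary, since a patient insider who stays under the volume threshold still trips the scope check the moment they reach outside their area.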

On Password Breaches and Trends

Recently, Imperva released a study (pdf) of the passwords extracted from the December 2009 RockYou security breach that resulted in the compromise of over 32 million user accounts. This study examined some statistics of the passwords retrieved, including the number and variation of characters used to construct them. The results were pretty bad. Here are the highlights:

  • 30% of users had passwords made up of 6 characters or less. Most brute force attempts are moderately successful against short passwords.
  • Over 50% of passwords were all lowercase, or all numbers. This is bad because the keyspace is reduced. Even a password that is longer than 6 characters is weakened if it has a small character set distribution.

On the surface, these two statistics aren’t a good look at all, especially considering the ease with which an attacker could successfully guess simple passwords.
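The two statistics above come from a simple audit of length and character classes, and the keyspace point is easy to see in numbers. Here is an added example (not Imperva's code, and run on a small constructed list rather than the RockYou data) that computes the same two percentages, the most common password, and the log2 keyspace of each password, so the "longer but single-class" case can be compared directly with a short mixed-class one.

```python
"""Added example: length / character-class audit behind the statistics above."""
import math
import string
from collections import Counter
from typing import Dict, List

# Constructed sample list; not from the RockYou data set.
SAMPLE_PASSWORDS = [
    "123456", "123456", "password", "abc123", "Tr0ub4dor&3",
    "qwerty", "letmein", "S3cure!Pass", "111111", "monkey",
]


def charset_size(pw: str) -> int:
    """Size of the union of standard character classes the password draws from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def keyspace_bits(pw: str) -> float:
    """log2 of how many candidates a brute-force search of this shape must cover."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def single_class(pw: str) -> bool:
    """The two shapes the study called out: all lowercase letters, or all digits."""
    return (pw.isalpha() and pw.islower()) or pw.isdigit()


def audit(passwords: List[str]) -> Dict[str, object]:
    n = len(passwords)
    short = sum(1 for p in passwords if len(p) <= 6)
    one_class = sum(1 for p in passwords if single_class(p))
    top, top_count = Counter(passwords).most_common(1)[0]
    return {
        "count": n,
        "pct_short": 100.0 * short / n,
        "pct_single_class": 100.0 * one_class / n,
        "most_common": top,
        "most_common_count": top_count,
        "mean_keyspace_bits": sum(keyspace_bits(p) for p in passwords) / n,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
    # A 7-character all-lowercase password (about 32.9 bits) is weaker than a
    # 6-character password drawn from all four classes (about 39.3 bits).
    print(round(keyspace_bits("abcdefg"), 1), round(keyspace_bits("Ab1!Ab"), 1))
```

The keyspace figure is a ceiling, not a measure of strength: "password" scores the same 37.6 bits as any other eight lowercase letters, but a dictionary attack finds it on the first try, which is why the study's most-common-password counts matter as much as the length and class percentages.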

Also, in many cases, a password breach may not just make a user’s account vulnerable on the breached site, but can also lead to their account being compromised on other sites as well (plenty of people use the same password on multiple sites).

However, there is an alternative way to interpret this data. Although there is no way to verify this, it could be the case that users are starting to weigh both the importance of a given account AND the security of the website it belongs to. Those accounts that are of low significance (like a site they just sign up on to play a game) get simple, easy-to-remember passwords, while accounts of greater personal significance (banks, primary email, etc.) get the more robust passwords. Similarly, it could be the case that users think sites like RockYou are sketchy anyway, and thus more likely to get hacked than other, more serious sites.

So, in a way, the user could be protecting themselves from a site breach. I know I wouldn’t care if I had a RockYou account and the site got breached since I wouldn’t really use that same password anywhere else important. It may be annoying, but it is much better than knowing that my super-secret 28-character password is sitting on some stranger’s computer simply because somebody left the door open.

So if you think of this report from the perspective of users managing risks reasonably instead of users being victimized, it almost makes sense that 29,000 people had ‘123456’ as a password.

The cost of a compromised record

According to a new article on TechTarget, a study by the Ponemon Institute has revealed the cost of a data breach has increased once again, to $204 per compromised record. The study is available for download at http://www.encryptionreports.com/ after giving away some personal details.

The “Fifth Annual U.S. Cost of Data Breach Study,” funded in part by encryption vendor PGP Corp., determines the annual cost of the breach by establishing a company’s cost of lost business as a result of an incident; expenses incurred by notifying individuals and authorities of a breach; costs associated with legal fees and consulting firms and new investments made in technology and employee education.

In our down economy, it is interesting that the cost of data breaches has been rising for five years running.  If I were cynical, I might suggest that one of the reasons for the constantly increasing costs in this study is the partnership with PGP, who sells products designed to protect you in the case of a lost laptop or storage device.

That said, I’m not even sure that those items above can accurately represent the cost of data breaches, especially in certain environments.  The loss or damage of reputation caused by a data breach can be so devastating that the monetary cost can’t even be calculated.  If you don’t know what I’m talking about, what is the first thing that comes to your mind when I mention Heartland Payment Systems, TJX, or the Department of Veterans Affairs?  These organizations have suffered tremendously because of wide (and widely publicized) data breaches.  Imagine the firestorm of criticism if some of the most trusted companies were to suffer data breaches along the lines of Heartland’s breach?

In addition to the loss of reputation, what are other costs of data breaches that the Ponemon study doesn’t reveal? Let us know in the comments.

Gmail now HTTPS by default

Google has just announced that HTTPS access would be “on by default” starting immediately. This is in response to the recently publicized attacks against Google and Gmail which are causing Google to reconsider their approach to China.

While I’m happy that Google will now be encrypting Gmail-related communication by default, I’m a little surprised and disheartened that it took an attack to cause this to be implemented. Sure, https has been an option since July of 2008, but Google had previously warned of a security / usability tradeoff with turning it on:

Because the downside is that https can make your mail slower. Your computer has to do extra work to decrypt all that data, and encrypted data doesn’t travel across the internet as efficiently as unencrypted data. That’s why we leave the choice up to you.

Today’s computers are fast enough to handle https without concern, thank you very much. And I think they meant to say your encrypted email “can’t be cached by proxy servers” instead of “doesn’t travel across the internet as efficiently” – which is a good thing, right? The use of always-on-HTTPS is an infrastructure problem – establishing and maintaining all those different secure sessions with different keys certainly takes time and processing power. It is unfair to solve your infrastructure problem by suggesting that the user might not want comprehensive security.

Are you aware of any other services that allow the user to make a poor security decision in the (perhaps unjustified) name of speedier access? Let us know in the comments!

Laptop Losses By The Numbers

A recent study on lost laptops by Dell and the Ponemon Institute shows how important data protection and encryption are, especially for portable devices. Here are some of the findings.

  • 12,000 laptops are lost in US airports each week.
  • 65-70% are never reclaimed.
  • 53% carried sensitive corporate information.

Guess how many of those machines were protected with encryption.

You can read the entire report [pdf] and find out on page 7.

The Demise of Clear

Overnight, the Clear Registered Traveler Program ceased operation.  I do travel by air 5-10 times per year, and had considered the program to speed my visits through airports.  There were three main reasons why I didn’t, and I wonder if they are reasons why they have had to cease operation.

  1. There weren’t Clear lanes at every airport I travel to; the only way this system could be cost effective for me would be if it worked everywhere.
  2. As mentioned at the Consumerist, the Clear lanes just provide shorter lines; you still were subject to all the security checkpoint hassles.
  3. My home airport, Dulles International, opened the Black Diamond lanes: basically the same as Clear without the fee.

In addition to the $199/year charge, enrolling in Clear required presentation of two IDs, your social security number, and the capture of your fingerprints and retinal scan. Clear lost (and found) a laptop last year, and although their privacy policy (pdf) indicates that all personal information is always stored and transmitted encrypted, it doesn’t indicate what algorithm is used or how key management is performed. (Remember, ROT13 is an encryption algorithm…)  Biometrics are the only identification factor that you can’t have revoked and reissued, so giving mine up to both a private company and the Transportation Security Administration to save perhaps 15 minutes didn’t seem like a good idea.

The privacy policy also indicates that personal information is removed from their system automatically after 90 days if you are no longer a Clear member. It is not yet clear if the cessation of operation that occurred overnight will trigger this data removal event. It is also not clear if the TSA ever gives up your data which Clear shares.  All told, if I had been a Clear member, I would seriously examine tools for detecting and preventing identity theft for a while.

285 Million Compromised Records

Verizon Business has released their 2009 Data Breach Investigations Report [pdf] and an accompanying blog post.

2008 was a crazy year in the world of data breaches… The percentage of breaches in our caseload involving financial service organizations, targeted attacks, and customized malware all doubled in 2008. It’s sure to win me the “Captain Obvious Award” from the Securitymetrics list, but organized crime activity increased and was responsible for over 90% of the 285 million records compromised.

The report is sure to be a good read. We linked last year’s report, and this year’s has some improvements: it is based on more data, collected more often, and goes into a lot more detail than the previous report. 285 million is a lot of compromised records. Wonder if mine was one of them.

The Web’s Design Flaw

Pop quiz! Be honest as you answer these questions:

1. When you go to your bank’s website, what do you type in the address bar?

a. bankname.com
b. http://bankname.com
c. https://bankname.com

2. When you receive an SSL error or warning, what do you do?

a. Ignore it.
b. Jump through hoops to continue on to the next page.
c. Carefully consider the error and make an informed decision about whether you want to continue.

3. When you type a password into a web page, do you always look for the lock icon in your browser and view the source of the page to ensure the submit goes to an https:// address?

a. No.
b. Sometimes, just on my banking website.
c. Always. Every time. Guaranteed.

Well, if you answered anything other than C for the above questions, let me introduce you to your worst nightmare: sslstrip.  The author of this program realized that most people don’t type in the https prefix, and don’t look closely for padlock icons; people don’t care about security, they just expect it to work.  Most of the time, the way you get to SSL pages is by clicking on links, or being redirected with an HTTP 302 status.

sslstrip takes advantage of this, and transparently hijacks HTTP traffic, replacing all HTTPS links and redirects with look-alikes.  It even can supply a favicon which looks like a browser’s lock icon.

It’s pretty evil, actually. Of course it requires that the attacker running sslstrip has already compromised your network, through ARP spoofing, DNS poisoning, or otherwise having your traffic routed to the attacker. Good luck noticing if it’s being used against you. The author used it on a TOR node — note that TOR is generally used by people that are paranoid about their privacy and security — and collected 254 passwords over a 24-hour period.

What’s the fix? As far as I’m concerned, there isn’t one. It’s a design flaw with the way most “secure” websites work today. Do you have ideas on how to prevent this attack? Let us know in the comments.
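Question 3 of the quiz asks you to view the page source and check where the password form submits. That check can at least be automated, on the client side or as a test a site runs against its own login pages. Here is an added example (written for this post; it is not part of sslstrip or of any browser) that takes the URL a page was loaded from and its HTML, and reports password forms whose resolved action is not https:// as well as pages that were themselves served over plain http. The two sample pages and the bankname.com URLs are constructed.

```python
"""Added example: the 'view source' check from question 3, automated."""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collect each <form>'s resolved action and whether it contains a password field."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms: List[Dict[str, object]] = []
        self._current: Optional[Dict[str, object]] = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or relative action resolves against the page's own URL,
            # so a page that was downgraded to http drags its form down with it.
            self._current = {"action": urljoin(self.page_url, a.get("action", "")),
                             "has_password": False}
            self.forms.append(self._current)
        elif (tag == "input" and self._current is not None
              and a.get("type", "text").lower() == "password"):
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url: str, html: str) -> List[str]:
    """Return one finding per way the page fails the 'submit goes to https' test."""
    findings = []
    scheme = urlparse(page_url).scheme
    if scheme != "https":
        findings.append(f"page loaded over {scheme}, not https: {page_url}")
    collector = FormCollector(page_url)
    collector.feed(html)
    for form in collector.forms:
        if form["has_password"] and urlparse(form["action"]).scheme != "https":
            findings.append(f"password form submits to non-https action: {form['action']}")
    return findings


# Constructed pages: a login page after its https links have been rewritten to
# http (what the user would see mid-attack), and the same page as the bank intended it.
STRIPPED_PAGE = """<html><body>
<form action="http://bankname.com/login" method="post">
  <input name="user"><input type="password" name="pw"><input type="submit">
</form></body></html>"""
INTENDED_PAGE = STRIPPED_PAGE.replace("http://bankname.com/login", "/login")


if __name__ == "__main__":
    print(audit_login_page("http://bankname.com/", STRIPPED_PAGE))
    print(audit_login_page("https://bankname.com/", INTENDED_PAGE))
```

The check is deliberately based on URL schemes, not on icons: a favicon drawn to look like the lock is still just an image, and nothing in the markup distinguishes it from any other favicon. It also only catches the rewritten page; a site can make the check pass from its side by never serving a password form, or a page that contains one, over plain http in the first place.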

Sniffing Networks – Part 1 – 802.3 and MAC addresses

First, what is network sniffing? It’s listening to the bits on the wire (or in the air) that are sent between computer systems. Really, it’s all 1s and 0s that are sent in a particular format. That particular format is usually “Ethernet” or 802.3, but can also be 802.11 (wireless) or single/multi-mode fiber. There are ways of sniffing by “vampiring” the physical wires, but we’re going to start a step above that and assume you have a computer that can already connect to the network somehow.

A basic introduction to how 802.3 works would be useful, so here we go. Because of the way Ethernet works, the machines on the network have to take turns transmitting, or their transmissions will interfere with each other. There’s one signal that is sent out first to see if the wire is clear. If it is, then that machine starts sending its data. If not, an exponential back-off timer starts, and the machine tries again once that timer goes off. As long as the wire is shared, every single machine on that wire can hear what every other machine is sending. You now see how easy it is to listen in on other conversations :)

Hubs and repeaters are considered part of the same physical wire. All they do is boost the signal and rebroadcast it to all their other ports. Switches are one step above that and place a physical barrier between network segments. They don’t indiscriminately rebroadcast to all of their ports; they rebroadcast only to the one port that has the destination machine. How do they do that, as in how do they know what port to send on?

That’s where MAC addresses come in – Media Access Control. These addresses are (supposed to be) unique for every single network-connected system manufactured. In practice – not so much, although it’s generally “good enough” – except when you ship an entire box full of Ethernet cards to a university, and they all have the exact same MAC address…

The MAC address is sent with every single packet that is sent on the wire. The switch remembers which ports have what MAC address (and so do a lot of machines). This is stored in a table on the switch – with a limited amount of memory. If the switch gets overloaded, it will tend to revert to hub operation – rebroadcasting to all ports. At least one packet will be broadcast to all ports until the switch knows what port a specific MAC address is on. In normal operation (i.e., not *trying* to break the switch) and with a properly planned network, the switch has enough memory to maintain the table for the number of ports it has (and the bandwidth it’s expected to provide). However, what if there is a hub connected to the switch? That means X more MAC addresses the switch has to remember above and beyond the number of ports that it has. There used to be a rule of thumb – never have more than 3 hubs/switches connected together. This was part of the reason. You’d see degraded network performance because the MAC table couldn’t keep up (it also had to do with the physical limitation on Ethernet cable lengths).

So, you now have a switch, and if you don’t happen to be on the port that the packets are being sent to, you can’t “hear” their communication. But, if you “break” the switch and make it revert to broadcasting to everyone, you can “hear” the traffic. Another way to “break” the switch is to keep telling the switch that you are the destination’s MAC address, and the switch will start rerouting everything to you instead. If you want to sniff something useful, you’d better be prepared to keep routing the traffic to the “real” machine (and not through the switch you just “broke”), or you won’t get very far.
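The three paragraphs above describe a frame header, a learning switch with a bounded MAC table, and the flood-to-all-ports fallback. Here is an added example (written for this post, not code from any real switch or sniffer) that puts them together: a parser for the 14-byte Ethernet II header, a toy switch that learns source MACs per port until its table is full and floods like a hub for any destination it does not know, and the per-port source-MAC count an operator can watch, since a port presenting far more MACs than the one station expected behind it is either a hub or the table-exhaustion condition just described. Frame bytes, port numbers and the capacity limit are all constructed.

```python
"""Added example: 802.3 header parsing, a bounded learning switch, and a per-port MAC monitor."""
from collections import OrderedDict
from typing import Dict, List, Set, Tuple

ETH_HEADER_LEN = 14                      # 6 dst + 6 src + 2 EtherType (FCS not modelled)
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_IPV4 = 0x0800


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def build_frame(dst: str, src: str, payload: bytes = b"", ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Ethernet II framing: destination, source, EtherType, then payload."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + ethertype.to_bytes(2, "big") + payload


def parse_ethernet_header(frame: bytes) -> Dict[str, object]:
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    return {
        "dst": mac_to_str(frame[0:6]),
        "src": mac_to_str(frame[6:12]),
        "ethertype": int.from_bytes(frame[12:14], "big"),
        "payload": frame[ETH_HEADER_LEN:],
    }


class LearningSwitch:
    """Forwards by MAC table; floods like a hub when the destination is unknown,
    which includes stations it never learned because the table was already full."""

    def __init__(self, port_count: int, table_capacity: int):
        self.ports = list(range(port_count))
        self.capacity = table_capacity
        self.table: "OrderedDict[str, int]" = OrderedDict()   # MAC -> port

    def learn(self, mac: str, port: int) -> bool:
        if mac in self.table:
            self.table[mac] = port          # station moved ports (or a hub was rewired)
            return True
        if len(self.table) >= self.capacity:
            return False                    # table exhausted: this station stays unknown
        self.table[mac] = port
        return True

    def forward(self, frame: bytes, in_port: int) -> List[int]:
        """Return the output port(s) for a frame arriving on in_port."""
        hdr = parse_ethernet_header(frame)
        self.learn(hdr["src"], in_port)
        dst = hdr["dst"]
        if dst != BROADCAST and dst in self.table:
            return [self.table[dst]]
        return [p for p in self.ports if p != in_port]   # hub-style flood


def source_macs_per_port(traffic: List[Tuple[int, bytes]]) -> Dict[int, Set[str]]:
    """Distinct source MACs each port has presented, from (in_port, frame) pairs."""
    seen: Dict[int, Set[str]] = {}
    for port, frame in traffic:
        seen.setdefault(port, set()).add(parse_ethernet_header(frame)["src"])
    return seen


def ports_over_threshold(traffic: List[Tuple[int, bytes]], threshold: int) -> List[int]:
    """Ports with more distinct source MACs than an access port should ever show."""
    return sorted(p for p, macs in source_macs_per_port(traffic).items() if len(macs) > threshold)


if __name__ == "__main__":
    a, b = "00:11:22:33:44:01", "00:11:22:33:44:02"
    sw = LearningSwitch(port_count=4, table_capacity=2)
    print(sw.forward(build_frame(b, a), in_port=0))   # b unknown: flooded to [1, 2, 3]
    print(sw.forward(build_frame(a, b), in_port=1))   # a learned on port 0: [0]
```

Real switches age table entries out and some can be configured to limit the MACs learned per port; the toy keeps the table forever and has no such limit, which is exactly what makes the per-port count worth watching on the monitoring side.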

Most of this applies to wireless networks as well, although they use a slightly different method of telling other systems that they want to transmit.

For anyone who wants to delve more in-depth on how Ethernet works, the Ethernet Wikipedia page has a good discussion, and any good college textbook on networking will discuss Ethernet and several other technologies as well.

Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!