Enabling Secure Business Operations

2007

December 26th, 2006

…is going to be worse.


Santa’s Budget

December 24th, 2006

…should include some funding for better IT security.

As if Santa Claus hasn’t got enough to do this week, it turns out he’s fighting off some very, very nasty elves.

The consumer advocacy group stopbadware.org said it was approached this week by an Incline Village, Nev., man who has legally changed his name to Santa Claus, who asked them to help figure out why his Web site was being flagged by Google Inc.’s Web site filters.

It turned out that Santa’s Web site, Santaslink.net had been hacked.

On Friday, the Web site was still downloading malicious software, according to Roger Thompson, chief technology officer at Exploit Prevention Labs Inc. It exploits a bug in Internet Explorer that Microsoft Corp. patched last August, meaning that people running older versions of the browser could be at risk, Thompson said via instant message.

“The site is hacked,” he said. “If you are not patched, it uses an exploit to silently install a huge amount of adware and spyware.”

The security breach was not expected to delay gift deliveries.

Happy Holidays All!


Vista Exploit

December 22nd, 2006

There’s a proof-of-concept Vista exploit (it actually works against Windows 2000 and XP as well) for privilege escalation on a Russian language site, as reported by eWeek.

Mike Reavey, operations manager of the Microsoft Security Response Center, confirmed that the company is “closely monitoring” the public posting, which first appeared on a Russian language forum on Dec. 15. It affects “csrss.exe,” which is the main executable for the Microsoft Client/Server Runtime Server.

More interesting is the other quote later on in the article, describing the economics working against Microsoft these days…

The Microsoft confirmation comes hard on the heels of a claim by anti-virus vendor Trend Micro that underground hackers are selling zero-day exploits for Windows Vista at $50,000 a pop.

Yikes. Can’t you hear the discussions now? My enterprise pays X million dollars a year to license our operating systems, but the security/usability/safety/stability of our whole operation can be bought for under $50K?


New Bank Logins

December 21st, 2006

I first noticed this phenomenon when ING started it a few months ago. It was a minor annoyance then because only one of my banks was doing it, but now others have started following suit, and it’s getting very annoying. I’m talking about the new login procedures that some banks are using: enter your account/user name/number, then you’re shown a butt ugly picture that you chose, and then you can type your password/passphrase in. I’m just glad they haven’t changed the way Quicken accesses my accounts (yet). I’m put through extra inconvenience for something that ultimately isn’t any more secure than my standard username/password.

This is supposedly meant to mimic two-factor authentication, but since I’m still only typing in my username and password, I still call it one factor with a lot of annoying extras. The idea is that the user sets up an image and a description of it that only they should know – i.e., they’re giving some “secret” to the bank. The bank has to show this “secret handshake” so that the user knows the web page they are on is in fact the bank’s. Then the user types in their part of the secret handshake (the password), and they’re allowed in.

Why don’t they just use SSL with mutual authentication? It solves both of these issues – identifying the server and identifying the client – and is true two-factor authentication.

I see two reasons for not using PKI: 1) phishing sites can have legitimate SSL certificates issued by CAs that are installed in the OS trusted root store, and 2) there is a cost associated with issuing client certificates.

The first is rather easy to address – each bank (or a group of banks) needs its own root CA, or one designated by a “public” authority (like Verisign) as for banks only. This trust root is not installed in the OS by default; the user must actively obtain it. Web browsers must display the signer of the certificate in some way that cannot be manipulated by JavaScript – i.e., not in a pop up and not in the status bar. And users must be trained to pay attention to who signed it! If it’s not this “approved” bank authority, they shouldn’t continue the connection. Of course, not everyone’s going to pay attention to this, but then the bank has done what it can to CYA, and it’s up to the users at that point.

The second is not that difficult either. Each bank has its own CA (maybe signed by the root described above) which issues user certificates – once the PKI is set up, it’s very cheap to issue more certificates, i.e. issuing 1 certificate costs about as much as issuing 300,000. Heck, if users want to opt into more security, let them pay a one-time fee of $50 or so (cost plus some) to buy a hardware token or smartcard with reader, which is mailed to their registered address. Or even better, add smartcard capabilities to their ATM cards (I’m all for that). I’d pay an extra one-time fee to get a hardware token for my bank account – especially if I can use it on my Mac and under Linux (there are tokens that work under all three without extra drivers).

Yes, it does cost money to set up a PKI, and to run it, but not as much as some people make it seem: the cost of a few machines and a little extra work by the system admins, but nothing they’re not already used to. Consider it a sunk cost, and think of all the other uses for a PKI.
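To make the mutual-authentication alternative concrete, here is an added Go example written for this page (it is not code from ING, any bank, or the article). It builds a constructed bank-only root CA in memory, issues a server certificate and a customer certificate from it, and runs one TLS session over loopback in which the server proves its identity through the bank-only root and the customer proves theirs with a certificate. The CA name BankOnlyRootCA, the host online.bank.example and the customer name customer-0042 are all constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// issue creates a certificate for cn, self-signed when parent is nil (the bank-only
// root) and otherwise signed by parent. Every name is a constructed example value.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // the root signs server and customer certs
	} else {
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, key
}

// BankHandshake runs one mutually authenticated TLS session over loopback. With
// withClientCert false the customer presents nothing and the bank must refuse.
func BankHandshake(withClientCert bool) (string, error) {
	_, root, rootKey := issue("BankOnlyRootCA", true, nil, nil)
	serverCert, _, _ := issue("online.bank.example", false, root, rootKey)
	clientCert, _, _ := issue("customer-0042", false, root, rootKey)
	pool := x509.NewCertPool() // the bank-only trust root, kept apart from the OS store
	pool.AddCert(root)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the bank identifies the customer...
		ClientCAs:    pool,                           // ...and only accepts its own CA's certs
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		tc.SetDeadline(time.Now().Add(5 * time.Second))
		if err := tc.Handshake(); err != nil {
			return // no or untrusted client certificate: nothing is served
		}
		who := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
		fmt.Fprintf(tc, "welcome %s", who)
	}()

	cfg := &tls.Config{RootCAs: pool, ServerName: "online.bank.example"}
	if withClientCert {
		cfg.Certificates = []tls.Certificate{clientCert} // the customer identifies itself
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", fmt.Errorf("bank refused the session: %w", err)
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	reply, err := io.ReadAll(conn) // with TLS 1.3 the refusal surfaces here, as an alert
	if err != nil {
		return "", fmt.Errorf("bank refused the session: %w", err)
	}
	return string(reply), nil
}

func main() {
	fmt.Println(BankHandshake(true))
	fmt.Println(BankHandshake(false))
}
```

Two settings carry the argument. ClientAuth: tls.RequireAndVerifyClientCert is what makes the handshake two-sided: a connection that presents no certificate, or one chained to a CA outside ClientCAs, never reaches the application, so there is no password page for a phishing site to imitate. RootCAs holds the bank-only root alone, which is the point above about keeping that trust root out of the OS store: a certificate from a public CA, however legitimate, fails verification here even though the operating system would happily trust it.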


Another Dumb Logic Bomber

December 20th, 2006

One more:

Facing a possible layoff from his job as an IT systems administrator, a 50-year-old New Jersey man was charged yesterday with planting malicious “logic bomb” code into the company systems where he worked that could have damaged more than 70 servers.

The government alleges that Lin then modified the inserted logic bomb code in November 2003, but that it was still scheduled to deploy on his birthday on April 23, 2004. Due to an error in the code, however, it didn’t deploy as scheduled. In September 2004, Lin allegedly corrected the code error and changed the deployment date to April 23, 2005.

Just because attacks involve computers doesn’t mean the attackers are any smarter. Lucky for us…


The importance of configuration

December 19th, 2006

A recent Linux.com article highlights how important configuration is to security. Many times, when I’m visiting a site and I ask if they have a configuration standard, or a kickstart, or a build image, I get blank stares. Many companies do not have a configuration standard, whether merely a document or otherwise. This standard is useful in two ways: 1) to set up the system initially, and 2) to document how the system is configured for later reference (change management comes into play here as well). It also frees non-security-minded IT folks from having to think about it all the time – most IT folks are not as paranoid as security folks. We actively look for holes in things, not just whether something will meet user requirements or not. The security folks can review the configuration standard on a regular basis to make sure that security requirements are met as well, and let the “regular” IT folks worry about user requirements.
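To show what the regular review looks like once the standard is written down in a machine-checkable form, here is an added Go example (not from the Linux.com article or from any real site): a baseline expressed as keyword/value pairs in sshd_config syntax, a parser for a host’s configuration, and a check that reports every deviation. The baseline values and the host configuration are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Deviation records one place where a host's configuration departs from the standard.
type Deviation struct {
	Key      string
	Expected string
	Actual   string // "" when the keyword is absent from the host configuration
}

// Baseline is the written standard in machine-checkable form: keyword -> required value.
// Keywords follow sshd_config syntax; the required values are this example's constructed policy.
var Baseline = map[string]string{
	"PermitRootLogin":        "no",
	"PasswordAuthentication": "no",
	"X11Forwarding":          "no",
	"Protocol":               "2",
}

// parseKeywordConfig reads "Keyword value" lines, skipping blanks and comments.
// A keyword that appears more than once keeps its first value, which is how sshd
// resolves duplicates, so a "fix" appended at the end of the file changes nothing.
func parseKeywordConfig(text string) map[string]string {
	got := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		if _, seen := got[fields[0]]; !seen {
			got[fields[0]] = fields[1]
		}
	}
	return got
}

// CheckConfig compares a host's configuration against the baseline and returns
// every deviation, sorted by keyword so reports are stable across review cycles.
func CheckConfig(hostConfig string, baseline map[string]string) []Deviation {
	actual := parseKeywordConfig(hostConfig)
	var out []Deviation
	for key, want := range baseline {
		if have, ok := actual[key]; !ok || !strings.EqualFold(have, want) {
			out = append(out, Deviation{Key: key, Expected: want, Actual: have})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Key < out[j].Key })
	return out
}

// SampleHostConfig is a constructed sshd_config fragment from a hypothetical host
// that drifted from the standard: root login was re-enabled (the later "no" line
// is ignored by sshd) and X11Forwarding is not set at all.
const SampleHostConfig = `# constructed sample, not a real host
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
`

func main() {
	for _, d := range CheckConfig(SampleHostConfig, Baseline) {
		fmt.Printf("%s: standard says %q, host has %q\n", d.Key, d.Expected, d.Actual)
	}
}
```

Run against the sample host, the check reports PermitRootLogin as “yes” and X11Forwarding as unset. The first point is the one worth remembering when reviewing a standard: the parser has to resolve duplicates the same way the daemon does, or the review will pass a configuration that the daemon treats as open.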


Decent “Hackers” Still have to be Good Criminals

December 15th, 2006

This person, after leaving the company he worked for, planted a “logic bomb” on his old company’s network.

A logic bomb is essentially a piece of code left behind to mess things up at a specified time.

Duronio quit his job as a systems administrator in February 2002 after repeatedly expressing dissatisfaction about his salary and bonuses, the statement said.

He then planted malicious computer code known as a “logic bomb” into about 1,000 of UBS PaineWebber’s approximately 1,500 networked computers in branch offices. On March 4, 2002, the “bomb” detonated and began deleting files.

Now this not-so-bright person was trying to profit off the drop in stock price his old company would suffer after the files were deleted. Instead, he ended up losing $23,000 when the stock didn’t fall.

Meaning he likely bought the extra stock after he left the company, or bought on margin (betting the stock would fall). Either way, if he had suddenly made $100,000+ from this “freak” accident, either someone on Wall Street or his ex-company would probably have gotten wind of it.

At least I hope so…

And he got caught either way. There are good and bad criminals and there are good and bad “hackers” – they are not necessarily the same thing.

That is probably why we’ve been seeing more organized crime groups getting involved in cybercrime, recruiting talented coders from around the world. One has the technical skills, the other the criminal ones.

Combine that with low wages, youth, the “cool” factor, and the potential for some quick cash…

A dangerous trend for 2007.


More Personal Information Stolen

December 12th, 2006

Yes, yes… it happens all the time and the news doesn’t even make headlines anymore. Here is the WTH part:

The attacks on the database began in October 2005 and ended November 21 of this year, when computer security technicians noticed suspicious database queries, according to a news release posted on a school Web site set up to answer questions about the theft.

More than a year…

Here in the States we really need to enact legislation requiring companies, universities, etc. to disclose these types of data breaches.

Most people probably don’t know that such laws don’t exist — they most likely think that CA and NY just have really bad IT security.


Identity Theft and Authorizations

December 5th, 2006

From the SANS NewsBites today: Credit Bureau Security Breached.
My favorite part is the fact that one login had authorization to access multiple records from TransUnion – according to the article, any record in the country. This account supposedly belonged to a courthouse in Kingman, AZ. I want to know two things:

1. WTH is an account from Arizona doing with authorization to access any credit information in the country?

2. Why doesn’t TransUnion own up to the fact that yes, it was a breach of their security systems? – A misconfiguration on their part is still a security breach.

With regard to 1, the account was obviously given to a court to access other people’s records, and I can understand having access to multiple records; what I don’t understand is why that account was not configured to only have access to the records that fall under the court’s jurisdiction. This is a good example of why we use the principle of least permissions. Yeah, the person you assign that account to might be trustworthy, but people who get hold of that account information probably aren’t. If the court needed access to records belonging to another jurisdiction, they should request that information from a court in that other jurisdiction, not help themselves to it. Sure, it’s a bit more of a hassle, but that’s security for you.

With regard to 2, WTH? If a Windows admin gives the Guest user Administrative privileges, that’s an authorization misconfiguration and a security breach in my book. Sure, the admins may not be responsible because their higher-ups told them that the account was to have those permissions, but the higher-ups are definitely responsible.
</end rant>
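As an added illustration of the scoping argued for in point 1 (example code written for this page, not anything from the SANS item or from TransUnion), the Go program below gives each lookup login the list of jurisdictions it may read, has the query path refuse anything outside that list, and includes the review function that would have flagged a courthouse login still holding the any-record grant. Record IDs, account names and jurisdictions are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// CreditRecord is one consumer file, tagged with the jurisdiction (a state here)
// whose courts have a legitimate reason to read it. All values are constructed.
type CreditRecord struct {
	ID           string
	Jurisdiction string
}

// Account is a lookup login issued to an institution. Scope lists the jurisdictions
// the login may read; the single entry "*" is the "any record in the country" grant.
type Account struct {
	Name  string
	Scope []string
}

// ErrDenied is returned for both missing and out-of-scope records, so a stolen
// login cannot use error messages to learn which IDs exist in other jurisdictions.
var ErrDenied = errors.New("record not available to this account")

// allows reports whether the account's scope covers the record's jurisdiction.
func (a Account) allows(r CreditRecord) bool {
	for _, s := range a.Scope {
		if s == "*" || s == r.Jurisdiction {
			return true
		}
	}
	return false
}

// Lookup is the authorization check the query path runs before returning a record.
func Lookup(acct Account, records map[string]CreditRecord, id string) (CreditRecord, error) {
	r, ok := records[id]
	if !ok || !acct.allows(r) {
		return CreditRecord{}, ErrDenied
	}
	return r, nil
}

// OverbroadAccounts is the periodic review: it returns, sorted, every login whose
// scope is the wildcard grant, which should never have been issued to one courthouse.
func OverbroadAccounts(accts []Account) []string {
	var names []string
	for _, a := range accts {
		for _, s := range a.Scope {
			if s == "*" {
				names = append(names, a.Name)
				break
			}
		}
	}
	sort.Strings(names)
	return names
}

// Constructed sample data: two records in different states and two logins.
var (
	Records = map[string]CreditRecord{
		"R-1001": {ID: "R-1001", Jurisdiction: "AZ"},
		"R-2002": {ID: "R-2002", Jurisdiction: "CA"},
	}
	CountyCourt = Account{Name: "az-county-court", Scope: []string{"AZ"}}
	LegacyLogin = Account{Name: "legacy-court-login", Scope: []string{"*"}}
)

func main() {
	for _, id := range []string{"R-1001", "R-2002"} {
		_, err := Lookup(CountyCourt, Records, id)
		fmt.Printf("%s reading %s: err=%v\n", CountyCourt.Name, id, err)
	}
	fmt.Println("logins with the any-record grant:", OverbroadAccounts([]Account{CountyCourt, LegacyLogin}))
}
```

The scoped login reads its own state’s record and is denied the other; the wildcard login reads both, which is why the review function exists. Denying unknown IDs with the same error as out-of-scope IDs is deliberate: with a misused login in play, the error path should not double as a directory of which records exist elsewhere.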


Time to panic?

November 29th, 2006

Just another hack attack, via SecurityFocus

A fan of the music group Linkin Park appears to have hacked into the lead singer’s mobile phone web account, stealing the phone bill, call records and digital photos taken using the phone.

Yeah, so what’s the big deal? Why am I suggesting it might be time to panic?

The explosive attack on the privacy of the band member reportedly came from Devon Townsend, an obsessed fan inside Sandia National Laboratories

Sandia Labs is part of the Nuclear Regulatory division of the Department of Energy… These are the folks that are dealing with the safety and security of our nuclear weapons.

If there’s someone working there that can get this obsessed with Linkin Park, what else do you think might go on there?
