May 29, 2006
Enterprise Security – IT Security Solutions: Concepts, Practical Experiences, Technologies edited by Fumy and Sauerbrey
This book has the look and feel of a business school textbook, moving from topic to topic in a fairly academic manner. It is a combination of 14 essays from prominent authors in the topics they are writing on. This allows for a book that can treat a wide range of concepts and still maintain credibility and a tone of expertise, with the downside being that the structure of each essay is slightly different between authors. As such, it is meant more as a higher-level introduction to concepts and ideas that swirl around the information security industry, but it is couched in the language of business in the hopes that enterprises will adopt a measure of culture change in the area of security. The book seems to have a more European focus, but it is not without value to an American audience.
The book begins with an introduction by the editors laying out what they view as three areas driving enterprise security and what they hope to accomplish with the book. They finger security threats, creating new business opportunities, and regulatory compliance as the main drivers of security investment for the enterprise. In their experience, the editors see businesses still creating processes and applications designed around speed and convenience with security being an afterthought. The editors then establish 4 items they wish to see changed in industry: review of information security requirements, assuming legal liability for poor security practices (it'll never happen), creating a security-aware culture, and security against insider threats. The rest of the book doesn't seem to truly address how to bring these four changes to fruition.
The rest of the book is divided into three sections: (1) Concepts & Trends (better described as emerging security technologies), (2) Practical Experiences, and (3) Technologies & Standards. As far as organization, it would seem better to have Practical Experiences come last in the book and address the technologies discussed previously; however this is not a serious deficiency in the book.
Parts 1 and 3 are presented to the reader from a high-level perspective. It assumes little prior technical knowledge and thus is accessible to a wide audience, particularly the business community. It helps the reader understand why these technologies are beneficial from an economic standpoint. Readers who are technically savvy may get easily bored from this section unless they are trying to develop a "business case" for the adoption of security mechanisms for their organization. In that regard, these essays help bridge the gap between "tech heads" and the "pointy-haired management".
The Practical Experience section is a collection of four case studies of four different organizations facing four different problems. It helps the reader to understand the challenges and obstacles in actual implementation of technologies. It helps bridge the gap between book-learning and real-world experience. 3 of the 4 essays revolve around PKI and digital identities. It is clear based on the focus of the editors that authentication is important to them; however, an expansion of case studies based on their other goals would make the text that much more effective.
All in all, the book is a valuable primer for consultants and non-savvy managers who are seeking to get their minds around security and how best to sell the investment of security.
Posted by John Bambenek at 4:59 PM | Comments (0) | TrackBack
March 16, 2006
So how long til my CC info hits the web?
I was in a Washington Post article today in which I basically was quoted calling all the online credit card thieves n00bs. I'm starting a pool, how long til they DoS me...
John Bambenek, a security incident handler at the Bethesda, Md.-based SANS Internet Storm Center, which monitors hacking trends, agreed. "The reason there is often a delay is that a lot of the people who actually install a lot of these keylogger programs are not that sophisticated," Bambenek said. "In most cases, they're teenage hackers who flip the information to more organized criminal groups for some quick cash."
The scourge of keylogger programs is pervasive and growing, Bambenek said. He recently conducted an analysis for SANS estimating that nearly 10 million U.S. households own a computer that is infected with some type of keystroke logging program. Although not every PC user whose keystrokes are being logged has experienced financial losses -- perhaps because hackers are busy sifting their illicit logs for rare kinds of data -- Bambenek estimates that organized-crime groups have access to roughly $24 billion in bank assets from accounts associated with the owners of those infected machines.
Then there is this article where the reporter only mentioned my comments about porn sites. Awesome.
John Bambenek, a research programmer for the coordinated science lab at the University of Illinois, said some segments of retail on the Internet are not as trustworthy as others. "Porn is particularly bad," he said. "They'll take your credit card information and sell it to someone else. Since they're a dime a dozen, you have no idea who you're dealing with."
Posted by John Bambenek at 9:29 PM | Comments (0) | TrackBack
February 9, 2006
SANS Handler of the Day Diary Up
I got my Internet Storm Center Diary up. 5 critical security updates for Windows coming next Tuesday...
Fun.
Posted by John Bambenek at 7:08 PM | Comments (0) | TrackBack
October 2, 2005
My First Bugtraq Post
here.
Stupid vendor.
Posted by John Bambenek at 9:56 AM | Comments (0) | TrackBack
September 30, 2005
Over $24 Billion in US Consumer Money is at Risk of Being Stolen by Spyware
You can read the post I put up about it here.
Posted by John Bambenek at 9:56 AM | Comments (0) | TrackBack
July 30, 2005
It's Time to Ditch Cisco and ISS
Much has already been said about Michael Lynn’s presentation at Black Hat regarding exploitation of Cisco routers. ( Read about the injunction). What hasn’t been talked about is what to do now.
Michael Lynn revealed no new vulnerabilities but only shot down the deception peddled by Cisco that their devices can’t be taken over. Lynn’s presentation essentially shows a Cisco rootkit that will take over a router. ISS, his former employer, told him not to give the presentation so he resigned instead. In response, ISS and Cisco enjoined him permanently from discussing anything else about the matter and that he has to destroy all data he may have about Cisco vulnerabilities. Further, the FBI has begun a criminal investigation on the matter. The defense of ISS and Cisco is that he didn’t follow the methods of responsible disclosure, which apparently means that one week after every router on the Internet has gotten owned people can then say they knew about this a year ago.
Cisco and ISS have demonstrated with this incident that their first and foremost concern is saving face even when they have to bury huge security threats that are probably already known. Why would anyone trust ISS to consult on the state of their information security when they’ve demonstrated that they are willing to cover up for a vendor instead of giving solid unbiased advice? Why would anyone trust Cisco devices when instead of acknowledging flaws they seek to silence those who would disclose them? Through this incident, ISS and Cisco have a lot of egg on their faces but that’s not enough. People should stop buying their services until they display a commitment to security instead of a commitment to silencing security researchers that show vendors aren’t doing their jobs.
Posted by John Bambenek at 1:45 PM | Comments (0) | TrackBack
June 22, 2005
Web Attacks Using Blog Traffic Exchanges
This is a theoretical, but something I just thought about.
There are a few attacks of late that can infect your machine (or outright own your machine) by getting you to go to a webpage that installs "evil" code on your machine. Some of these will use images that can have this "evil" code in them; some just silently install when you go to a wrong webpage.
The problem with those kinds of things is how to get people to go to the malicious webpage. Enter blog traffic exchanges (or any traffic exchange for that matter). Here you have people surf random sites which can include bad images or bad code embedded (or the bad image could be a banner ad).
Think what would happen if you did this to say, blogexplosion and their memberships... lots'o'infections... assuming your bad code worked to begin with...
Posted by John Bambenek at 10:23 PM | Comments (0) | TrackBack
June 21, 2005
Credit Card Theft, National IDs, and Strong Authentication
The NYT has this on Credit Cards being openly traded on the web.
It's not news to me, at least. (See this and this for examples of how easy it is to do and this was a year ago). The information is not hard to get and some sites are out there that show you how to "social engineer" the information out of merchants and people. This doesn't include things like Citibank getting their tapes stolen, the Mastercard theft, and others.
The problem is that credit cards are easy to use by people who are not the holder of the card. Ultimately, identity theft is also easy for the same reason. The privacy crowd crows that we don't want to have a national ID card, but the problem is, we already have one.
You need this ID to set up a bank account, get a job, get credit, go to the doctor, and a variety of mundane tasks. The ID is your social security number, and with that number you basically own the identity of the person.
The problem with both social security numbers and credit card numbers is that neither uses strong authentication before use. Credit cards, for instance, use things like zip codes, the security number on the back, or your mother's maiden name to verify the information. The problem is, all that is public information or already on the card itself.
Strong authentication, or more appropriately two-factor authentication, takes two things, something you have and something you know, in order to authenticate you. The reason it takes both is that it is easy to steal things, but hard to steal knowledge. One can lift a wallet easily enough, or use the various technological means out there to pilfer a credit card number. If it also requires something that only you know, then having the number alone is useless. With that something you know being information like a zip code that is easily knowable by others, it becomes useless (or at least a lot less useful for security purposes).
The credit card industry needs to find something else (and I'll have a paper on the topic shortly), and we either need to ditch social security numbers as a national ID, or come up with something better.
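To make the "something you have, something you know" argument concrete, here is an added example that is not part of the original post: a toy issuer-side authorisation check in Python. The possession factor is a counter-based one-time code from a token (HOTP, RFC 4226, using that RFC's published test secret); the knowledge factor is a PIN stored as a salted PBKDF2 hash. The card number, PIN, salt and issuer record are all constructed sample data, and the `authorize` function and `LOOKAHEAD` window are my own assumptions, not any real payment network's protocol.

```python
"""Two-factor card authorisation demo: "something you have" (an HOTP token,
RFC 4226) plus "something you know" (a PIN).  Illustrative only; the issuer
record, card number, PIN and salt are constructed sample data."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-SHA1 one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen issuer record does not yield the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# Constructed sample issuer record.  The PAN is a well-known test number, the
# token secret is the RFC 4226 test-vector secret, the PIN is made up.
_SALT = b"constructed-salt"
CARDS = {
    "4111111111111111": {
        "token_secret": b"12345678901234567890",
        "counter": 0,                 # next HOTP counter the issuer will accept
        "pin_hash": hash_pin("4829", _SALT),
    },
}
LOOKAHEAD = 5  # tolerate a few token presses that never reached the issuer


def authorize(pan: str, pin: str, otp: str) -> bool:
    """Approve only if BOTH factors verify; the card number alone proves nothing."""
    record = CARDS.get(pan)
    if record is None:
        return False

    # Knowledge factor: constant-time compare of the derived PIN hash.
    pin_ok = hmac.compare_digest(record["pin_hash"], hash_pin(pin, _SALT))

    # Possession factor: the code must match the next counter (or a few ahead).
    matched = None
    start = record["counter"]
    for counter in range(start, start + LOOKAHEAD):
        if hmac.compare_digest(hotp(record["token_secret"], counter), otp):
            matched = counter
            break

    if not (pin_ok and matched is not None):
        return False
    # Advance past the used counter so the same code can never be replayed.
    record["counter"] = matched + 1
    return True


if __name__ == "__main__":
    # A thief with the card number and a guessed PIN but no token is refused.
    print(authorize("4111111111111111", "4829", "000000"))   # False
    # Holder with token code for counter 0 and the right PIN is approved.
    print(authorize("4111111111111111", "4829", "755224"))   # True
    # Replaying the same code (as a keylogger capture would) is refused.
    print(authorize("4111111111111111", "4829", "755224"))   # False
```

The point the post makes is visible in the last two calls: even a perfectly captured one-time code is dead after a single use, whereas a zip code or a mother's maiden name, once captured, is good forever. The look-ahead window is the usual trade-off between tolerating a token pressed without a transaction and keeping the set of acceptable codes small.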
Posted by John Bambenek at 12:52 PM | Comments (0) | TrackBack
June 3, 2005
Playing the Prophet
When I wrote this for the Internet Storm Center I was speaking in hypotheticals (the spyware part). Turns out in less than 2 weeks I was proved right. This story out of Israel (as well as this, and this, hat tip: Arik's Blog) shows a real-life example of the theory at work. I'm working on getting to code and certainly more detailed information, but the upshot is that malware was highly customized and targeted for corporate espionage purposes. It was going on for over a year before being caught, and I'm sure it is (1) going on at other locations from other attackers, and (2) we'll see more of it.
Posted by John Bambenek at 11:09 PM | Comments (0) | TrackBack
February 22, 2005
Cyberterrorism does not exist
Singapore ramps up against cyberterrorism
(Begin Rant)
There is no such thing as cyber terrorism. Doesn't exist. It's simply a word people use to either extract grant money or raise taxes. This tendency to label things as "terrorism" is really ridiculous and is fast making it a meaningless word. Let's break it down.
Terrorism... Terrorize... to bring terror to.
There is a reason the word "terror" is in the word. It does not mean, "make someone's life inconvenient", or "cause the loss of money", or "clog up your inbox with spam". Terrorism is the intentional attack on a civilian population with the intent to terrorize, or psychologically manipulate a civilian population.
There is no such thing as cyberterrorism because people will not be wetting themselves for anything that happens to their computer. Sure, inconvenient, perhaps in some cases dangerous, but not terrorism.
When and until someone figures out how to send anthrax (and I mean the powder, not the next variant of Bagle) through e-mail, there is no cyberterrorism.
Posted by John Bambenek at 7:34 AM | Comments (0) | TrackBack