Monday, July 30, 2007
Unsurprisingly, a $1.8m new study funded by CA Secretary of State Debra Bowen, and conducted by researchers at the University of California, has confirmed what researchers at Princeton and many security researchers already knew: the electronic voting machines currently in use are not secure.
The study focused on machines manufactured by Hart, Diebold, and Sequoia. The findings, published today, cover aspects of physical security (i.e. locks, screws, accessibility to hard disk, accessibility of ports, etc), firmware security, and software security.
The researchers also tested the capability of each system to create an audit trail (logs relating to any non-authorized modifications of the system), and whether or not the Windows operating system was still configured to enable things like allow unauthorized wireless devices to operate.
Avi Rubin, a professor of computer science and technical director of the Information Security Institute at Johns Hopkins University, summed it up when he told TechNewsWorld:
"I was shocked by how severe the problems were... what's even scarier is that the researchers were looking at certified systems that have been already used in an election."
I would love to list all of the problems found, but email feedback on my recent essay-length Security 3.0 posting suggests I should keep the length of this post to "one cup of hot cocoa". So here's the summary:
* Sequoia: Researchers analyzing Sequoia's e-voting machine bypassed locks and gained access to a HP ProLiant DL360 G5 server by simply removing screws. In doing this, the researchers discovered "numerous" ways to overwrite the Sequoia Edge firmware using simple tricks such as "malformed font files" or "doctored update cartridges"
* Diebolt: Researchers were able to exploit vulnerabilities in Diebold's Windows operating system to initiate events that the server did not record in its audit logs. Researchers were also able to manipulate components networked to the server. This allowed them to load wireless drivers onto the server so a wireless device could be plugged surreptitiously into the server. Researchers found a number of ways to overwrite the Diebold firmware and change vote totals, among other things - in one example, researchers were able to escalate privileges from "voter" to "poll worker" to "central count administrator", enabling them to reset the election, issue unauthorized voter cards and "close the polls". Diebold's physical security was also lacking, the researchers found.
* Hart: Researchers discovered an undisclosed account on the Hart e-voting system that enabled attackers to penetrate the operating system and gain unauthorized access to the Hart Election Management Database. The researchers were then able to overwrite Hart's firmware and also access menus that were not locked with passwords. Additional attacks allowed researchers to alter vote totals and attach a device that caused Hart's system to authorize access codes without poll worker intervention.
Scary, huh? So now what?
California obviously could choose to get rid of its voting machines, but that isn't really a viable option, budget-wise. Many of these $3,500 machines are just one year into a three year lease. The people that recommended them will lose their jobs.
The smart play here is for one vendor - Hart, Diebold or Sequoia - to say "we hear you", instead of attempting to disparage yet more detailed results from yet another respected source. The smart play is to do that - and spend the considerable cash they have on hand on fixing the problems.
Note to vendors: The whole concept of electronic voting is poised on a knife-edge right now - there is no room left for empty promises. These problems must get fixed. If you don't fix the problems, it will be fifteen years before you get back in the door. The first vendor that successfully commits to solving the problems - and validating the existing investment by government - will win.
Authentium has patent-pending technology available that could significantly assist electronic voting machine vendors when it comes to eradicating software vulnerabilities and hardening the audit trail.
Saturday, July 28, 2007
Security breaches can be dealt with in any number of sensible ways. However, NASA has chosen a risky strategy in seeking to downplay news that employees at a NASA subcontractor, Invocon, deliberately sabotaged a computer destined for the International Space Station (ISS).
Yesterday, NASA said, in essence, "no big deal". The sabotaged computer was a "non-critical" component.
This is, of course, nonsense. Everyone knows there is no such thing as a "non-critical" component in space. Every gram of mass counts - every kilogram placed in low earth orbit requires 20 kilograms of fuel to get it there, for starters - and every sensor must function.
The consequences of sensor failure are well-known, post the Challenger disaster.
Ten years ago, prior to co-founding Authentium, I worked in the space industry. During my time there, I met and worked alongside a lot of extremely smart engineers - rocket scientists - including some of the Saturn V guys, and some of the engineers charged with designing components for the shuttle and the ISS.
The sabotaged computer sensor was destined to monitor stress on an ISS truss segment - in orbit. This is not a "non-critical" task. The truss is the most critical structural component of the ISS there is - it is the component that all other ISS modules and components are connected to. Here's an overview, courtesy of space.com:
The truss is the backbone of the ISS. When it is completed, it will be the length of a football field, with its axis perpendicular to the station's main axis. Labs, living quarters, payloads and systems equipment will be directly or indirectly connected to it. Also attached will be U.S. solar arrays supplying enough power to light a town.
In other words, the truss "holds everything". Had the computer flown "as is", the sensor would have been blind to any problems with the monitored truss segment, or, as NASA puts it, the sabotage "would have prevented the collection of structural performance data".
In user-speak, this means non-critical data like "this truss is under critical stress, and under-performing relative to the design spec" could potentially have gone unnoticed.
This is hardly likely - space-bound components are tested rigorously prior to launch, which is how this was discovered. But that isn't the issue. The issue is that NASA is once again making a strategic mistake by downplaying this security breach.
They should be showing how committed they are to security by taking extremely touch action - like immediately suspending all work with this contractor, pending a third party investigation, and invoking the maximum financial penalties.
If you think that is harsh, consider this: this sabotaged computer appears to have originated from the same contractor that provides the sensors charged with monitoring the integrity of the space shuttle's wings - i.e. the mechanism designed to prevent another Challenger explosion.
This is a non-critical issue? I think not.
UPDATE: In a separate development, NASA chiefs announced today (Saturday) that they will impose a 12 hour "bottle to throttle" drinking ban on astronauts.
Earth to NASA: you need to do a much better job of reading the tea-leaves. Control of an asset into which tens of *billions* of taxpayer dollars have been poured maybe warrants a tad more discipline than a 12-hour "dry-out" of pilots and commanders.
Friday, July 27, 2007
After several years of being designated "SSSS" and having my bags selected for "additional screening", due to the disproportionate amount of last-minute travel I do, I have become somewhat blase about the procedure. So you can imagine my surprise when my Sony Vaio laptop set off an alarm upon being swabbed for explosive residue at Palm Beach International.
For a moment, I didn't know quite how things would evolve... it is somewhat unsettling to hear the alarm go off and suddenly have the TSA team turn their attention to you.
Thankfully, they were relaxed about it. No guns were drawn. They tested the laptop a few more times, turned my laptop bag inside out, and finally felt okay enough about things to let me catch my flight.
It left me deeply curious about what could have caused it, however. As we discussed the issue, they asked me if my laptop had been near any explosive materials.
After a few minutes of thought, I realized my laptop *had* been near explosives - during a dinner party, I had briefly taken the laptop from our dinner table, and stored it under our stairs, in exactly the same place I had previously set down a couple of hundred dollars worth of (legal) Fourth of July fireworks.
The white-uniformed guy asking the questions smiled and nodded - it appears I was not the first executive in Florida to store a laptop and explosives in the same location.
Later, researching the situation online, it was revealed that false positives, far from being rare, are somewhat common at TSA checkpoints - somewhere in the order of 2-3%. In fact, a cursory look at the clipboard onto which my laptop was being written up revealed that there had been a half-page full over the previous few days.
Here's some info that will prevent your heart-rate rising if you're also targeted: One of the leading causes? Nitro-based statins (heart drugs) - which are not altogether uncommon in Palm Beach County.
Another frequent cause of false positives? Trace elements of nitrogen-based compounds in urine - most commonly caused when child seats are swabbed for explosive residue (hint for parents - change those diapers regularly).
Monday, July 23, 2007
Some folks in the business are attempting to build a "Security 2.0" paradigm, suggesting that computer security is moving through a second wave of innovation comparable to the developments taking place as part of "Web 2.0".
I disagree that there is a direct correlation between these innovation cycles. Based on our product history, and using the malware vectors and sales channels associated with the different phases of computer usage as reference points, I would argue that we've already experienced two distinct phases of computer security, and are now on the cusp of Security 3.0.
Authentium (then Command Software) shipped its first Security 1.0 product back in 1989 - "Security Guardian" - a system-level PC security product designed to lock down executables.
The focus then was protecting the device against rudimentary forms of malware propagated via what was back then the primary vector - the floppy disk. The distribution channel back then was primarily the retail store or the OEM manufacturer image.
Authentium's second product, F-Prot Pro, back then a co-venture with F-Secure and Frisk Software, shipped in 1992. F-Prot Pro was considered by many to be the first "professional" on-demand antivirus product to enter the market.
Twelve years later, the Authentium ESP suite introduced advanced firewall and URL management functionality and was designed to enable ISPs to provide protection to consumers worried about the "always on" nature of broadband - and the increasing number of attacks targeting the user's personal data, rather than the device.
Interestingly, during this phase, the malware vector and distribution channel became one and the same - the broadband service provider. However, security measures deployed during this phase, including multi-application security suites and two-factor authentication, were largely effective against non-real time criminals and managed to effectively mitigate problems and prevent large-scale financial losses.
The emerging world of Security 3.0 is quite different.
In this world, the PC is no longer the target of attack, nor is the user's generic - and massively cumbersome - accumulated store of personal information.
The criminals invoking Security 3.0 no longer want to sift through your garbage. These criminals understand that the most valuable information obtainable is the information that is most "fresh" - i.e. your stock trading credentials, your two-factor authenticated session keys, the data you are inputting in real-time into your tax form or mortgage application.
Real-time attacks via the Internet may sound like fantasy, but recent attacks on tax filing sites, and online stock trading firms eTrade and TD Waterhouse have shown us it isn't. The evidence isn't only anecdotal: Gartner and other research firms are predicting a renewed focus on access controls, session management, and ID management. There is a ton of venture money pouring into firms, such as Authentium, that offer advanced session-based security solutions.
Time will tell if the investment bring made is large enough. In the world of Security 3.0, criminals are already moving well beyond the dumpsters, focusing their funds on the targeting of users of financial service providers in real time.
They are building advanced systems capable of manipulating hundreds of stolen trading credentials at once - in support of real time buying and selling. They are developing methods of automatically modifying data inputed via forms - again in real-time - using advanced social engineering techniques combined with an array of client and server-side strategies.
One example: earlier in the year, I blogged about a series of "pass-through attacks" involving bogus tax filing sites that popped up a week or two prior to the April 15th tax filing deadline.
These phishing sites were created for one purpose: to replace, in real-time (or in near real-time), the bank account information entered in the "refund" field by the user prior to submission of the tax form to the IRS. The client-side attack took the form of a spoofed email - the server side took the form of a spoofed web site. The targeted information was tax refund and bank account information.
This attack was successful enough to set off alarm bells at the IRS and security companies, globally. However it is nothing compared to what we're going to see happen in the near future.
Here's my prediction: Next year, attacks on consumers filing their taxes online will take the form of a targeted "mail-merge" advertising campaign to a subset of high net worth individuals identified using a stolen database (i.e. a replay of the recent BBB and FTC attacks, but with zero spelling mistakes). The attack will involve an email personally addressed to the user. It will be signed by the VP Sales of a leading tax management application manufacturer and carry their brand.
Links in the email will enable host file modifications and lead consumers to a site identical to the manufacturer's site. Once there, consumers will experience services identical to that performed by the manufacturer. They will enter first their names, then their social security numbers, then their addresses, then their personal tax information, then the details of the account they wish their refund to be remitted to.
The attackers will modify their approach during the scam, and consumers will not notice changes in the format of the email or the location of the web sites supporting the scam because their experience will constitute one isolated session. However, during the course of the attack, the criminals will systematically change every aspect of the scam, including hosting companies, receiving bank, and email format. They will also, or course, automate the altering the bank account details of every tax return requiring a refund, as per this year's test run.
The criminal sites will not feel to consumers like fake sites. From a QoS perspective, they will potentially mirror the quality of service of existing sites. Smart criminals will avoid attention by passing through even those tax returns not requiring a refund. The IRS will receive the tax form via the criminal as if it were coming from the consumer (or business) and return to the submitting party an acknowledgment that their form is being processed - via email.
A few months after that, their refund payment will be sent. To a bank far far away. If the criminal gangs involved are clever, millions will be stolen. If they are exceptionally smart, that number could run into the billions within a few short years.
None of are looking forward to this coming true. but come true it will - online criminality is evolving fast and the black hats are as competitive as the rest of us. Unfortunately, two-factor authentication and other systems will not help. As most security professional already know, when it comes to real-time attacks, criminals will profit equally from consumers using 2FA (two factor authentication), as from other simpler forms of authentication.
The good news is that I am increasingly convinced we have an answer to this problem - the results of third party testing and technical evaluations of the past few months have convinced me that we can successfully mitigate many of these issues for consumers.
My objective now is to get this technology to market in large enough numbers to make a difference during the 2008 tax filing season.
The Safari browser shipping with the iPhone has been hacked by researchers at Independent Security Evaluators, based in Baltimore.
Charlie Miller, who used to work at the NSA before going over to ISE, appears to have based his attack on a buffer overflow exploit he originally found while researching Safari on his Mac - and planned to reveal next month at Black Hat. He said after the hack he was in "complete control" of the hacked iPhone.
Here's how the New York Times described the attack (I take it that the fact that ISE's web site points to this article establishes this as the "official" version of events - either that or they just think the NYT picture of Miller on his iPhone is cool - which it is):
Dr. Miller, a former employee of the National Security Agency who has a doctorate in computer science, demonstrated the hack to a reporter by using his iPhone’s Web browser to visit a Web site of his own design.
Once he was there, the site injected a bit of code into the iPhone that then took over the phone. The phone promptly followed instructions to transmit a set of files to the attacking computer that included recent text messages — including one that had been sent to the reporter’s cellphone moments before — as well as telephone contacts and e-mail addresses.
“We can get any file we want,” he said. Potentially, he added, the attack could be used to program the phone to make calls, running up large bills or even turning it into a portable bugging device.
This is a pity on many levels. I got to play with the iPhone browser the other day, and it provides a superlative - and extremely responsive - user experience.
But, that said, user experience and coolness counts for less if someone can steal your files, copy your text messages, mess up your game stats, or make phone calls from your phone via your iPhone browser.
The vulnerability is still very new, but with hundreds of press articles likely to land at the feet of the first hacker to design the "iWorm", you can bet there are already several folks out there lining up cases of RedBull and cracking their knuckles.
What does this mean for Apple? It means, with 15% share of the 2007 laptop market and millions of iPhones/computers likely to ship the same year, that they are finally becoming big enough in terms of market share to grab the attention of hackers.
Apple shareholders should read this news as positive. After all, the iPhone security vulnerability will be fixed in short order - that's what operating system developers and security companies, such as Authentium, do for a living.
Will there be more vulnerabilities? Of course - with success comes attention. Parasites love a healthy host, and the iPhone appears to have a long, healthy life in front of it.
Sunday, July 15, 2007
The argument over where the battle against spam should be fought - on the desktop, or at the gateway - goes back to the dawn of Internet time.
There are two parts to the argument over which approach is best: the first is a "cost" argument concerning the cost of allowing terabytes of spam to travel across a network to the desktop. The second part concerns the "value" of an ISP or consumer portal's email address.
Scanning for spam at the gateway is by far the most sensible and efficient method from the point of view of network management and bandwidth utilization. Authentium partners with the three leading gateway antispam service providers, as ranked by Gartner, and we scan somewhere north of four to five billion emails every week as part of this process.
The ROI provided by scanning at the gateway is easy to visualize, and form the basis for many an "ROI Calculator" out there on the web.
Assuming a spammer targets 1m subscribers of a broadband ISP or retail portal with 100 spam emails in the course of a week-long "campaign", each containing a 12k attachment (i.e. virus or dropper or other form of malware) = 1.2MB of bandwidth x 1m end points. That's 1.2 terabytes worth of unnecessary data moving through the network - not including the potential upstream traffic created by zombified user PCs.
Is 1.2 terabytes of data traveling over a wholly-owned network really that much of a problem? Yes, it is. Service level demands are rising rapidly as video viewing moves increasingly to the small screen and P2P technologies such as BitTorrent continue their rise.
On Friday nights at 10pm, you need every bit of available bandwidth, because slow service = more calls. Gateway spam filtering is a proven way to improve service levels and help reduce call-volume.
The "value of an ISP domain or consumer portal email address" is a far more interesting argument from a business standpoint. Oftentimes, an ISP or portal's email address is cited by bankers as the core credential and most important source of value for that company.
Many ISPs and consumer portals utilize highly-effective gateway scanning and market these email addresses as "safe havens" from spam.
I heard a great example of the power of this approach yesterday while listening to the Kim Commando Show on the radio - IMHO, the best consumer-oriented computing show on the air. An ISP subscriber called up complaining that his ISP in North Carolina was letting through up to 400 spam emails a day.
Kim didn't waste any time. She gave him extremely sensible advice: lose that ISP (and email address) and get another email address from an ISP willing to demonstrate that they value your privacy, time, and patronage, by providing you with a safe haven address.
I would imagine the caller took this advice, and now that ISP (the name of which was mentioned on air) and possibly several hundred more of its subscribers are shopping for a new ISP.
Could happiness have been achieved using desktop antispam software? Yes, but the same level of happiness is possible simply by moving to Yahoo, or any other email portal that implements a decent gateway policy.
At the end of the day, while desktop antispam is capable of decreasing spam for consumers, the only sensible solution for an ISP wishing to grow or retain value for its email address - a core strategic asset - is to adopt the best technology they can at the mail gateway.
Note: Over the past few years, we have licensed in several "best-of-breed" desktop anti-spam technologies at the request of clients, and set about implementing them as part of ESP.
Despite the general excellence of these technologies, we haven't yet been asked to deploy them - smart ISPs know the value of building a solid email offering, and filtering at the gateway. Smart consumers appreciate having at least one email address that doesn't bite back, and stay longer with those companies that provide them.
Thursday, July 12, 2007
A few weeks ago, I blogged about some of the problems the FTC has introduced with the design of their online complaint form (FTC Complaint Form a "Keylogger's Paradise").
The FTC folks now have a new problem, and it is again complaint-related.
The problem the FTC is facing takes the form of a variation of the BBB email phishing scam that emerged in March. This scam looks so real, and is so well crafted, that only a single spelling mistake ("filled" instead of "filed") makes you think twice before opening that attachment.
Catch 22: The FTC cannot now respond by email and warn people pro-actively, because any email from the FTC must now be considered suspect.
Consumers, once again, will need to rely on their antivirus software to strip out this attachment, and hope that their antivirus technology partner has heuristics that are capable of detecting this kind of variant on the fly.
In addition the world's largest database of identified threats and variants, Authentium employs extremely advanced heuristics, designed to detect new threats.
Authentium's antivirus and antimalware services protect against all known forms of this scam.
Monday, July 9, 2007
Sometimes it takes a long time for news to reach people.
Technology vendors know this and some go to great lengths to try and get rich in between the release of the news of a hack and their customer's realization of it. The hacking of two-factor authentication is one such example.
Two-factor authentication was supposed to save online banking and e-commerce. It arrived on the scene over twenty five years ago, was finally productized into marketable form a decade ago, and finally found its market at the turn of the century: online banks.
Despite the massive costs involved with procuring, customizing, configuring, distributing and supporting two factor authentication, several banks signed up - along with the monetary authorities of several leading high-tech countries.
The first cracks appeared in two-factor authentication were whispered about several years ago, but they showed up in force last year (2006) when two scions of the industry, Mikko Hypponen of F-Secure, and Zulfikar Ramzen of Symantec, both weighed in and essentially called it "game over" for 2FA when asked to comment on a hack targeting Citibank customers.
The reason? It turns out that two-factor authentication *does not* protect online banking customers against a real-time man-in-the-middle phishing attack. In fact, Ramzen went on to say to say, essentially, that two-factor works well against dummies, but is not nearly so great in real time - especially when it comes to an attacker that's serious about getting your money:
"...if an attack is more sophisticated and the phisher can use the credentials in real time, we are the ones out of luck. I believe that two-factor authentication security will be almost futile when we tackle the next generation of phishing attacks."
Ross Andersen of Cambridge University's Computer Lab goes even further. In an address to the e-Crime Congress in London in May 2007, he outlined the vulnerabilities involving two-factor authentication and further warned:
"Banks are resisting because their technical staff know that it will be expensive to introduce and will not be effective. Some banks will introduce it, it will be quickly broken and then quickly forgotten."
Of course, cost is an issue: It can cost more than $50 per customer to procure, customize, configure and distribute a physical token. But the real issue here is trustworthiness, ROI and real risk reduction.
Two factor or single factor, it doesn't matter. Client-side security is not sufficient when it comes to thwarting a man-in-the-middle hack. A comprehensive, end to end, client-to-server security solution (such as Authentium VirtualATM) is the only kind of solution capable of protecting banking customers against fast-evolving forms of malware involving non-trusted downstream devices and the compromise of a branded, trusted channel of communications.
Used in combination with two-factor client-side authentication, or without additional forms of authentication, Authentium VirtualATM could radically reduce the kinds of crimes now being planned by sophisticated online criminals by eliminating man-in-the-middle attacks and forcing criminals towards softer, or less-valuable, targets.
Note: sometimes "two factor" ain't exactly "two factor". For a great article on this, check out Bruce Schneier's comment here.
Sunday, July 8, 2007
The Register, a great read, and a usually sensible source of IT-related news, just published an article under its antivirus section entitled "Time to Blacklist Blacklists" in which the word "blacklist" is used to describe a list of items to be avoided.
Dear folks at The Register: I have friends and family that find the term "black list" offensive. It is time for a change.
Most of the security industry is moving to adopt the terms "Allow" list (or "Allowed" list) and "Block" list (or "Blocked" list) - sometimes known as "A-Lists" and "B-Lists" for short.
As for the plethora of Register articles holding the line that all malware detection should be done using zero-day technologies (rather than Block lists), it's time you went and visited a pharmacy. Every technology has its efficiencies and uses - when it comes to fighting bad guys, there is no "best way", just a "best combination" of available approaches.
The efficacy of scanning files for known issues cannot be disputed - the benefits of including ever more advanced heuristics, including zero-day exploit detection techniques, also cannot be disputed.
Let's continue to use both, when appropriate.
Wednesday, July 4, 2007
Further to reports on our blogs recently, another variant of the Postcard Trojan scam appears to be doing the rounds this Independence Day - except that this time, the payload appears to be a Storm worm variant.
This is a simple (some would say dumb) scam - a variant of an old email scam that first appeared in the late nineties. Potential victims are sent an email that says "A friend has sent you a postcard". In the email is a link that connects to a file disguised as a flash movie, shockwave plug-in, or similar innocuous download.
Authentium says: If you receive an email claiming to be an e-postcard or greeting card from a friend or family member, do not click on any links in the email unless you are 100% sure of the source, the sender, and the recency of your antivirus definition files.
If you *must* click on the link, update your antivirus software first and think twice about clicking on anything with the following subject lines (this list courtesy of SANS), or an Independence Day theme:
Celebrate Your Independence
Independence Day At The Park
Fourth of July Party
American Pride, On The 4th
God Bless America
Happy B-Day USA
July 4th Family Day
Your Nations Birthday
July 4th B-B-Q Party
Happy 4th July
4th Of July Celebration
Fireworks on the 4th
Happy Birthday America
Independence Day Celebration
Celebrate Your Nation
America's 231 Birthday
July 4th Fireworks Show (new)
America the Beautiful (new)
Independence Day Party (new)
America the beautiful (new)
4th Of July Celebration (new)
God Bless America (new)
Corporate buyers of consumer data obtained through illegal acts are leading off the second half of the year when it comes to making consumer data less safe.
Yesterday, it was reported that JAM Marketing, a Seminole-based data broker, had paid "substantial consideration" to one William Sullivan, a former database administrator (DBA) for payments processor Certegy Check Services Inc, a division of Fidelity National Information Services to obtain consumer records held by Sullivan.
Millions of accounts were involved. It is alleged that Sullivan provided JAM with 2.3 million consumer profiles, 2.2 million of which contained bank account information. According to a law suit filed by Certegy against Sullivan, Sullivan sold JAM Marketing the data either through S&S Computer Services, or directly.
JAM then appears to have provided the information to three additional marketing firms - Strategia Marketing in Largo, Data Secure IP LLC in Tampa and Whitehat.com Inc. in Tempe, Ariz.. The suit mentions that Whitehat may have further distributed the consumer information to two other companies, MCList Escrow Inc. in Seminole and Custom Response Teleservices in Elkhorn, Neb., and Quality Resources Inc. in Clearwater.
Several of the firms who obtained the data have since contacted these consumers and made marketing calls to them.
Who deserves what: Certegy's PR team probably deserve some kind of credit for releasing this info the day prior to a national holiday.
Who deserves what: Sullivan deserves more than the boot - he deserves some serious jail time. Unless we start to take this kind of theft seriously, consumers will continue to have their assets placed at risk.
Now that the US Secret Service is involved, hopefully that is what will happen.