November 26, 2008

Security of food supply in doubt again, this time in America

By now we've all heard about the contaminated Chinese-made baby formula; recently traces of that same dangerous substance, melamine, have been found in US-made baby formula. It's terrible that the health of babies has been put at risk from this contamination. With the continued growth of globalization, unfortunately I suspect this won't be the last incident.

This brings me to my point: food security is the next area we need to focus on. While there are some checks and balances built into the production and distribution systems, there aren't enough. There aren't enough FDA inspectors or checks in place in the US or around the world where we get our food. Interestingly, the FDA recently opened an office in China to coordinate inspections of food shipped to the USA. This is a good first step, but much more needs to be done.

The threat? Disgruntled employee(s) or an international terrorist organization. Now a widespread contamination might be difficult, but a regional one is very possible, where thousands of people are sickened or killed. And with the globalization of the news media it would likely cause the large uproar and scare that these attacks are designed to achieve.

Note to President-elect Obama: we need to improve the security of our food supply, period.

November 21, 2008

Malware Analysis Challenge Results

The contest that Tyler Hudak and I ran has concluded and the results have been posted. We had a ton of great submissions from some very very talented folks. I want to thank all of the people who submitted and participated in the contest. I also want to thank the sponsors who generously provided all of the great prizes.

Tyler and I plan to have another contest early in 2009 (likely in January) so keep your eyes open for the announcement.

Any data leak might be worth something

President-elect Barack Obama's cell phone records were accessed by cell phone company employees. According to the story, the account was accessed in a way that let them see what phone numbers were called and received and for how long; no recording of conversations was done.

The good thing about this is that the telco is monitoring account access by internal employees. The article doesn't say anything about when the access occurred nor how quickly it was discovered, but let's hope it was quick. They did say that the phone is no longer used, which makes me wonder how quickly they did detect this unauthorized access.

The bad: why didn't the Secret Service lock this account down? I'm sure they have some arrangement they are able to make to put extra security measures in place for high-ranking folks in the government such as the President, VP, cabinet members, aides, etc. I would think that they do this now, because otherwise we'd hear more stories about this.

The officials from the telco stress that there was no recording of conversations nor access to voice mail. Some folks might think 'no big deal' right? Well it might not be anything, just a curious employee, or it might be something. Being able to see who he called and received calls from, how long he spoke, and how often might give some insight into some of the policy initiatives or who he might tap for various positions in his administration. This data could also be used to determine his people network and ties.

What if this data lands in the hands of lobbyists? Or Republican strategists? How about foreign governments? Data that might otherwise seem useless might actually be worth something to an adversary trying to figure out how to defeat your defenses or how to steal your key employees or customers.

This data might be more valuable than one would think. Something to think about in your organization.

November 17, 2008

Protecting Your Brand Online: Is There Another You on the Internet?

There's a great article by Richard Stiennon over at the ThreatChaos blog about the potential for Twitter being used to attack brands. Washington Post's Brian Krebs also talks about claiming your space on these social networking sites. If you are worried about protecting your company's or YOUR brand go read these articles.

I, for one, have been working on Internet brand protection for the past year or so. From my name to the organizations I help run, I've been registering domain names and setting up accounts on various websites, all in an effort to try to protect the brand. It's time-consuming and expensive and I still have much work to do.

There are a TON of social networking sites: see this great Wiki page listing various sites along with information such as the focus of the site. And the big problem with this is that they don't validate the creator. I could set up a profile using the name George W Bush with no problem. Well, that is until the Secret Service show up at my house. doh. Worse, sometimes they don't even index on the profile name, allowing an evil twin attack to occur. It would take you days to set up profiles on all of these sites and honestly I don't feel you need to do this. Focus in on the popular sites and the sites that are appropriate for your brand. For example, if you aren't into fantasy or sci-fi, or your brand doesn't relate to them, then you don't need to register on Elftown. However, you might want to consider Yelp, which is an online city guide where people rate businesses in their neighborhood. Yelp even offers a page for business owners to monitor your business page.

Even though anyone can impersonate you there are some measures you can take to help protect yourself and your brand. So the areas that I recommend you consider in your online protection strategy are:
  • Domain Names
  • Social Networking Sites
  • Email Addresses

Domain Names
  • Of course!
  • at a minimum
Social Networking Sites
Email Addresses
  • Gmail
  • Yahoo
There are plenty of other sites that you should create profiles on but use these as a starting point.

November 13, 2008

Rogue and Fraudulent Security Software and Websites a Growing Threat

The line between these two is blurring, but let's try to define them anyway...
  • Rogue: The primary purpose of this software is to compromise your computer with the intent of giving the attacker access to it, to steal your information, or both. This is done by malicious code inside of the software that is installed or run on your computer without you knowing it. In most cases this software does not live up to its advertised functionality. For example, software that appears to be an anti-virus product instead installs a trojan on your computer that records your keystrokes with the intent of stealing your account login credentials.
  • Fraudulent: The primary purpose of this software is to separate you from your money. This software might operate as advertised, but in many cases it doesn't. The software will use fraudulent practices to get you to buy it. Some of the tactics might be to scan your machine and then show that you have several dangerous viruses on it, or other such scare tactics. I have tested some of these on newly built virus-free systems only to have them report there are some 30 viruses on the machine. Scanning with a reputable product shows that it's clean. I have even seen cases where the fraudulent software places actual viruses on the system. :(
In my opinion the problem of rogue and fraudulent security software is quickly approaching epidemic proportions. I have seen a dramatic rise in the number of fraudulent applications and websites in the past few months to where there isn't a day that goes by where I don't come in contact with one or see one pop up. It used to be maybe once a month or so. And everybody is getting infected: my friends, relatives, co-workers, everyone is falling victim. Trend Micro says that 10 percent of all infections they see are caused by rogue software.

There are a few solutions that I can think of currently at our disposal to solve this issue: education of users, law enforcement crackdown, and enforcement of usage policies by ISPs and web hosters.

User Education
It boils down to the basics, and examples from the physical world map quite nicely to the cyber world: if it looks or sounds too good to be true, it probably is. You don't (usually don't) get something for nothing. While there is some great free software on the Internet, you need to be wary. As a security professional, help users by providing them with a list of known good security software and where to get it.

Law Enforcement Crackdown
My theory here goes: if the criminals think they can get away with it, they will. IMO, the deterrence factor is missing. There have been very few prosecutions so the risks of getting caught, unfortunately, are low. If there were no police watching the roadways would you still go the speed limit? Without the deterrence factor things will not get better.

There are many factors causing this problem, but let me send a plea out to the folks in control of the budget purse strings: please fund your cyber police better! Provide training to them and hire more. Also tie any funding assistance to other countries to cyber crime cooperation. These topics are big enough for a separate post so I won't get into them here.

ISP Enforcing Usage Policies
I understand that ISPs are resource challenged like many of us and are also in the business of allowing and routing traffic, but things are just out of hand. ISPs need to do several things: 1) enforce your EULAs, 2) stop routing to the bad networks, 3) react quicker to complaints and pressure from industry professionals about rogue elements on your networks, 4) MONITOR your networks for these bad actors and then shut them down and report them to the authorities, 5) react quicker to law enforcement queries. In many ways you, ISP, hold the keys to the cars that the criminals use. A better analogy is that you provide them with the roads they drive on. Put up those toll booths, stock them with machine gun wielding guards and stop them if they are doing bad.

One last note: ICANN please please please do your job of enforcing your domain registration policies with your authorized registrars. For more information see the great folks at who are combating this problem and news articles here from The Industry Standard, eWeek, and Axcess News.

UPDATE: A great win!
McColo hosting center, which had been hosting many websites that propagate malware, rogue security software, and spam, has lost its Internet connection. Two Internet providers have stopped routing to this California-based hosting company. See the article by Washington Post reporter Brian Krebs here. He also has an update here. The immediate result? IronPort reports spam has dropped by 66 percent. 66 percent! reports a 75 percent decrease. See graph.

This is a great example of how a community comes together for a good cause and makes a difference. Fight the good fight!

Speaking of McColo, check out a new report released by that shows the data and analysis behind the case against McColo. Several security researchers contributed their data and analysis to this article, including me. ;-)

November 5, 2008

Domains Registered with Obama's Name Recently

Well, now that the US presidential election is over, I thought I'd poke around the Internet domain records to see what names have been registered. I see that around the November 3rd through 4th time frame no fewer than 312 names have been registered with the word 'obama' in them. Most are parked right now.

Some of the more interesting ones...

Some scary ones (secret service might want to watch these)...
This guy is definitely not a fan of Barack. On this site he says that "46% of the country did not vote for Barrack Obama". You know, if he's a Republican I need to remind him that during the 2000 election 48.4% of America did not vote for George W. Bush. As a matter of fact the MAJORITY of Americans voted for the Democrat Al Gore. Short memory there Mr. ObamaHacker.
For what? Winning the election?

Must be some of the $250K+/yr folks...

Did John McCain register this one?

Interestingly, some of these names are hosted on the same servers where some malware and fake security software reside. This does not mean these sites are bad, just interesting. I personally suspect some might be fake websites used in attacks against unsuspecting victims, but nothing has been detected at this time.
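The check described in this post (new registrations containing a keyword in a date window, then a look at which of them share a hosting server with known rogue-AV sites) as an added example, not code from the original post. The registration records, IPs and the known-bad host set are all constructed for illustration, not real data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample of newly registered domains: (domain, creation date, A-record IP).
# Made-up records on reserved example ranges, not real registrations or hosts.
NEW_DOMAINS = [
    ("obama-victory-2008.example", date(2008, 11, 3), "192.0.2.10"),
    ("obamahacker.example",        date(2008, 11, 4), "192.0.2.10"),
    ("taxmeobama.example",         date(2008, 11, 4), "198.51.100.7"),
    ("obama2012.example",          date(2008, 11, 4), "203.0.113.5"),
    ("mccainwins.example",         date(2008, 11, 3), "192.0.2.10"),
    ("obamaforever.example",       date(2008, 10, 20), "203.0.113.5"),
]

# Constructed set of IPs previously seen serving fake security software.
ROGUE_AV_HOSTS = {"192.0.2.10"}


def registered_with_keyword(records, keyword, start, end):
    """Domains containing keyword (case-insensitive) created within [start, end]."""
    kw = keyword.lower()
    return [r for r in records if kw in r[0].lower() and start <= r[1] <= end]


def group_by_host(records):
    """Map each hosting IP to the domains resolving to it (co-hosting view)."""
    hosts = defaultdict(list)
    for domain, _, ip in records:
        hosts[ip].append(domain)
    return dict(hosts)


def cohosted_with_known_bad(records, bad_ips):
    """Domains whose A record points at an IP already tied to rogue software.
    Shared hosting alone is not proof of malice; it is a lead for closer review."""
    return sorted(d for d, _, ip in records if ip in bad_ips)


def analyze_sample():
    """Run the three steps over the constructed data and return the results."""
    hits = registered_with_keyword(NEW_DOMAINS, "obama", date(2008, 11, 3), date(2008, 11, 4))
    return {
        "hits": [d for d, _, _ in hits],
        "by_host": group_by_host(hits),
        "leads": cohosted_with_known_bad(hits, ROGUE_AV_HOSTS),
    }


if __name__ == "__main__":
    result = analyze_sample()
    print(f"{len(result['hits'])} 'obama' domains registered Nov 3-4: {result['hits']}")
    print("co-hosted with known rogue-AV servers:", result["leads"])
```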

Now onto more non-political items...

November 3, 2008

This Year's Summit is Over

Well, the Information Security Summit is done and by all accounts the conference was a big success. I have heard nothing but very positive comments from the attendees, many saying they enjoyed the presentations and learned a great deal from the speakers. The topics seemed to be very timely as well.

I was pleased to hear this and pleased with how well the operations went, which was in large part due to the great folks working behind the scenes. These folks are all unpaid volunteers putting in countless hours to ensure things go well. The conference operations rival larger national conferences in both quality of operations and content.

To recap the Information Security Summit ...

By the numbers:
  • 6th year in existence
  • 2 days
  • 3 keynote sessions
  • 36 breakout sessions
  • 44 speakers
  • 2 Birds-of-a-Feather sessions
  • 12 sponsors
  • 3 participating organizations
  • ~350 attendees
Topics covered:
  • Theme was risk management
  • Measuring and managing risk
  • How your security program is costing you money?
  • It’s 10 PM do you know where your risks are?
  • Information risk vs. information security
  • PCI compliance
  • SOX compliance
  • Security frameworks
  • Threat modeling
  • Web application security myths
  • Application security testing
  • Data encrypting
  • E-discovery
  • File remnants in Windows Vista
  • Data leak prevention
  • Penetration testing with Fast-Track
  • Risks of social networking sites
  • Tiger Team pen-testing
  • Bootable CD/USB environments
  • Malware techniques
  • Illicit spam networks
  • Phishing
  • Identity theft protection
  • Secure building designs
  • Business Continuity Planning
A big THANK YOU goes out to everyone who helped make this event a success - from the speakers to the sponsors to the volunteers and the attendees who supported it!
See you next year at the Summit.