Jimmy's Blog

App and Add-on culture - the breeding ground for a new type of malware?

2010-07-19T12:05:33Z

I've just been reading on the Mozilla blog that they've removed a Firefox add-on called "Mozilla Sniffer" that intercepted the details of all Web logins and sent them to a remote site. Mozilla's metrics state that Mozilla Sniffer was downloaded approximately 1,800 times and had 334 active daily users - ouch.

This is hot on the heals of spoof banking applications for Android targeting users of the First Tech Credit Union and Travis Credit Union US banks. SMobile also released a report last month that estimated up to 20% of the then 48,000 Android apps on the Google Marketplace could contain spyware (although their definition of spyware is a little open).

The interesting point to note is that both Android and Firefox are extolled by the geekerati for their 'open' approach, while Apple is criticised for its walled-garden approach to development for their platforms.

The reality is that we live in a dangerous world. As information security professionals, we've banged on for years about only downloading from trusted sources and the check the integrity of the downloads. Websites like Download.com built their reputation on being a trusted source of downloads for IT professionals in a sea of malware.

Now the same technical people are hailing the fact that Android 'can install an app from any Website, rather than having to go to a controlled marketplace' or the 'openness of the Google Marketplace' as if it is a good thing.

Now I'm not saying that everything about the Apple AppStore is all sweetness and light. They have made some pretty arbitrary decisions on approval and they will, inevitably, let some malicious applications through.

I can tell you, however, as someone who owns both platform and develops for both Android and iOS - I feel a lot safer downloading from the AppStore than I do the Google Marketplace.

Response to Jay Heiser from Gartner's "Why I’m ambiguous about SaaS email"

2010-07-16T11:50:31Z

I read Jay Heiser from Gartner's "Why I’m ambiguous about SaaS email" post. He brings up some interesting points in his posting, especially with regards the suitability of existing security standards and certifications to evaluate vendors utilising what is a fairly new and evolving delivery model.

The work by Cloud Security Alliance and Cloud Audit are making good progress in delivering a set of recommended controls specific for the cloud, along with a mechanism for third-party evaluation of conformance but in the mean time customers just have to exercise caveat emptor on a case-by-case basis.

Customer due diligence is the key in choosing to outsource your email to a third-party, but this due diligence has to take into account what you actually do on-premise as a baseline and not have some utopian expectation.

I work as the CSO for a leading email management SaaS vendor and I can't tell you the number of 300 - 400 hundred question RFPs we receive from customers who've searched for them on the Internet. On closer inspection of the customer's current solution you find PST files scattered across their network, unencrypted archive databases, countless email and archive administrators, single points of failure and fragmented inconsistent administration across the multiple platforms that form their email infrastructure.

In these instances moving to the cloud is going to instantly deliver improvements over their existing security, but still these customers hold irrational fears because they are nervous about moving their data from a data centre where they can touch and feel the hardware to a service that abstracts it all away. They deliberately build a level of expectation that far exceeds their currently level of security as a mechanism to justify not moving to the cloud.

Security breaches are bad for cloud service providers, they elongate the sales cycle increasing the cost-to-sell; they impact renewal revenue, which is the means of survival for must cloud vendors; and breaches play into the hands of on-premise vendors using FUD to put customers off considering the cloud. Cloud vendors cannot get away with throwing a bunch of hardware and software into a customer data centre and disappearing for three years until the next upgrade is due.
Cloud vendors are judged day-in day-out by the performance, and the security, of their services. Due to this, most cloud providers take considerable effort to ensure their environments, platforms and services are secure.

Not all cloud vendors are created equal however, many aren't true cloud services. They are the latest incarnation of what were application service provider or management service provider platforms, re-purposing on-premise appliances or software by just creating a web front-end to these products which are often ill-suited to run in multi-tenant environments. Customer due diligence must identify these kinds of 'cloud' offerings and the risks that are inherent to these environments (for instance client separation; end-to-end encryption; chains-of-custody of data that may need to be used as evidence at a later date).

Email is a critical business tool, but a commodity, which makes it prime candidate to outsourcing to a cloud provider. Cloud providers will often deliver immediate benefits in security, but potential customers must exercise the appropriate due diligence and weigh the results against their current environments as a baseline. Many customers will find themselves pleasantly surprised by decreased cost, increased functionality and increased security.

Interesting cloud security points from the Cloud Computing World Forum

2010-06-30T09:23:29Z

I've been attending the Cloud Computing World Forum in London this week and I enjoyed the Cloud Security session yesterday afternoon. Two points specifically stood out:

Firstly, Jason Hart, SVP Europe for CRYPTOCard pointed out that too many cloud services rely on a weak method of authentication - passwords. Cloud service providers need to up their game and implement stronger authentication mechanisms.

Then during the panel session, the topic of whether 'the cloud' had inherent security weaknesses came up. The conclusion drawn was that "the cloud doesn't have a security problem, it has a trust problem".

This is a topic that is close to my heart as I believe companies are taking a totally different approach to the due diligence of cloud services providers which is often unrealistic. I've stressed over-and-over that due diligence is a critical part of selecting the right cloud services provider but the due diligence framework has to be realistic and based on fact.

Organisations wanting to move from an in-house solution to one that is cloud-based need to baseline their security against what they are doing at the moment, and what they need to protect the particular data in question. I've had more than one 40 page security due diligence questionaire that they've downloaded from the Internet from a 100 seat organisation, who themselves have their entire email infrastructure in a comms room in a single office, with an Exchange administrator who has never been backgrouded screen and have never performed a penetration test.

The entire discipline of information security revolves around working out which data is sensitive and critical to the business; assessing risk exposure to that data; doing a gap analysis to work out whether you're handling the risk accordingly at present; assessing controls for the areas you're not handling sufficiently well on a cost/benefit analysis basis; then deploying the controls; and managing them on an ongoing basis.

During the conference Klaus Bartosch, the EVP of Sales and Marketing for Virtual Ark, made a good case for a due diligence methodology involving these steps for cloud service providers which mimics the approach above - the title of his presentation?: "Cloud security isn't bad - it's just different". After listening to his presentation I'd say, it isn't different, it needs the same risk assessment approach that the information security community has built up over decades - the difference is instead of deploying the controls, you make it a mandatory requirement that the service provider implements them. If they don't move to the next provider, its a competitive market out there.

The critical thing is to remember that the level of protection needs to be proportionate to the sensitivity and criticality of the data involved. More often than not organisations achieve a better level of protection for their data by moving to a cloud service, they are just nervous because they cannot physically walk into a server farm and touch the storage arrays containing the data any more.

Appropriate due diligence cannot be based on irrational fears and prejudices, it has to be based on fact.

Adobe patches critical vulerabilities in Flash

2010-06-10T23:47:11Z

Adobe Systems has released a patch today for all platforms to plug over 30 vulnerabilities, including a critical one that hackers were actively exploiting to install malware on user's machines.

This vulnerability let attackers to take complete control of vulnerable machines after viewing websites that contained specially crafted Flash content - you can start to see why Steve Jobs doesn't like it. We've had been seeing a lot of emails recenty being sent out attempting to direct users to sites containing such content.

Adobe also announced that a patch for a related vulnerability in Acrobat won't be available until June 29, but has published some interim workarounds, including deleting the autoplay.dll (Windows), AuthPlayLib.bundle (Mac OS X) or libauthplay.so.0.0.0 (Linux) files or disabling JavaScript within Acrobat.

The patch can be downloaded from the Adobe site.

Preparing for my CISM exam tomorrow

2010-06-10T23:31:59Z

I have been studying for several weeks to take my ISACA Certified Information Security Manager (CISM) exam on Saturday morning, at 7:30 AM I may add!

I have really enjoyed this course. I was expecting to have ISACA's COBIT framework rammed down my throat, but the course material took a surprisingly agnostic ad pragmatic view of security programe frameworks. The main complaint from CISSPs is that the Certified Information Systems Security Professional exam is a mile wide and an inch thick. The CISM on the other hand is totally focused on the area of strategic management of security within the organisation, especially on the governance side of things.

I wish all of the security professionals swotting hard for the exam tomorrow all the best, good luck!

iPad 'vulnerability': A Reality Check

2010-06-10T22:27:40Z

I was asked by our PR team today whether that was a story on the recent iPad 'vulnerability' that is doing the rounds in both the tech and manstream media. The vulnerability was found by Goatse Security (great name guys) and is being pitched as 'Apple's worse security breach'.

The situation has got massively out of hand, I recieved a number of emails from worried staff today and I've even read that the FBI are investigating 'the cyberthreat posed by this exposure'. This is a classic example of security researchers using FUD to manipulate the media for publicity's sake. The media is complicit as well, while what they are reporting is factually true, the apocolyptic impacts they are espousing are laughable. The reality is that the only story is that there isn't really a story at all.

So its time for a reality check:

This isn't a vulnerability in the iPad. It is, in fact, a badly designed and implemented Website by AT&T, the US carrier for the iPad. This explains why the problem is limited to the US and has not been seen in any of the other territories that the iPad is available in. But a bug on a Website doesn't make as much of a good story as a vulnerability on a device selling in its millions across the globe - does it?

AT&T had designed a Web interface that would return an associated email address when presented with an identifier of an iPad known as an ICC-ID. Goatse simply wrote a PHP script that made it look like the useragent was an iPad and then looped through all possible ICC-IDs and harvested the returned e-mail addresses.

The ICC-ID to e-mail mapping has nothing to do with the iPad, this is all pulled in from the back-end OSS systems at the carrier - its a simple schoolboy error.

That brings me on to the second issue with the story - what was exposed, really?

What was exposed was Internet facing email addresses, no passwords, no phone numbers, no credit cards... Many of the addresses could probably have been easily guessed based on name or harvested using traditional directory or Web-harvesting techniques.

While an Internet email address could be considered a Personally Identifiable Information (PII) digital identifier, the sensitivity or impact level of this data on its own is very low. The use cases for someone who has harvested this data are quite limited.

While it shouldn't have been so easy to automate the collection of these emails, in the grand scheme of things this hardly represents a big risk, certainly not on the level of being suggested in some of the articles I've read.

As security professionals we cannot cry wolf for our own notoriety's sake or users will start to suffer from threat fatigue. The resulting deminished, or distracted, user awareness will hit us all in the long run.

Novell ad based on Hoff's Cloud Security Doesn't Matter Blog Post

2010-05-19T22:08:33Z

Ever wondered what a blog posting by one of cloud computing's leading security experts would sound like as performance art - look no further:

“Cloud: Security Doesn’t Matter (Or, In Cloud, Nobody Can Hear You Scream)” by Chris Hoff from Novell, Inc. on Vimeo.

Malicious Search Engine Optimisation: another headache for Google

2010-05-02T01:02:32Z

It would seem that the spreaders of malware are adopting Search Engine Optimisation techniques targetting the Google search algorithm to ensure that their links to malicious code appear before legitimate websites – this is worrying when around 80% of people do not go beyond the first page of Google search results.

This is happening to the extent that attackers to tracking trends across the Internet and then rapidly optimising their sites to appear high up in the search results. Research by cloud security firm ZScaler found in one instance 90% of top 100 search results on Google for a particular trend were leading to sites hosting malware:

86 links were sending users directly to a malicious, fake antivirus page that tries to install malware.
4 malicious links were down or Google displayed a warning page

Now if 80% of Google users don’t click beyond the front page, which typically contains 10 results, the user at a statistically high chance of clicking on a link to malware.

The attackers are obviously targeting optimising for the Google search algorithm, as the same search conducted on Bing and Yahoo! does not net the same results. ZScaler’s findings are that Bing returned no links to malware and Yahoo! only had 4 links in pages 2, 6 and 7.

What isn’t clear is that are the attackers targeting Google as they have the vast majority of the search market, or are they taking advantage in inherent weaknesses in the Google search algorithm?

When the office copier is your worst enemy

2010-05-02T01:00:30Z

Many of us in the information security industry have policies and procedures about the secure disposal of storage media, or at least the subset of that storage media that contains sensitive data. The reality today is that many of the digital photcopiers and multifunction devices contain hard disks and they may escape our attention.

Digital Copier Security in California is one of the only companies specialising in this area of information security and they were recently commissioned by CBS News to obtain 4 copiers and to analyze the data left on them using their INFOSWEEP forensics tool. The copiers were brought from one of a number of office equipment surplus centres spread across the United States. The copiers were selected based on the manufacturer/model and the total number of pages that had been copied, scanned or printed.

Within 30 minutes the hard drives had been removed from the machines and the forensic analysis of the contents using INFOSWEEP started in earnest. In one of the cases they didn’t even need to do that, the previous owner – Buffalo, New York Police Sex Crimes Division – had disposed of the copier with a confidential document still left on the scanning plate.

After 12 hours worth of analysis the results were then collated:

On the machine from the Buffalo Police Sex Crimes Division there were detailed domestic violence complaints and a list of wanted sex offenders.
A machine from the Buffalo Police Narcotics Unit contained a list of targets in a major drug raid.
The third machine, from a construction company in New York, there were design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs including the names, addresses and social security numbers of employees; and $40,000 worth of cheques.
The final machine, from a New York based health insurance company called Affinity Health Plan, provided over 300 pages of patient medical records. These records contained details of drug prescriptions, blood test results and even included a cancer diagnosis. A major breach of the Federal Health Insurance Portability and Accountability Act (HIPAA).

These results are obviously very worrying, but what can those responsible for information security do to improve the situation? Well, dealing with the two major issues when it comes to the security of these devices is a good starting point:

Deal with the ignorance: In 2008, a survey by Sharp Imaging found that 60% of responders didn’t know that their copiers contained hard disk drives. The purchasing of any devices that could impact on the security of information security should be approved by the security function of the business. The security function should examine the requested device for all possible threats as a part of the risk assessment – reading the specifications, or querying the manufacturer, as to whether a device does, or does not, contain a hard drive is critical. Once you have been able to ascertain whether a device contains a hard drive, you can implement the appropriate controls to manage the risk – for instance ensuring that the hard drive inside the copier is subject to the same disposal procedure as hard drives from computers handling data of the same classification.

Deal with the outsourcing: Many organisations lease their equipment to reduce capital expenditure and ease the maintainable overhead. At the end of the leasing agreement the copier will be returned, complete with your data on the hard drive, to the leasing company who will almost certainly dispose of it through a surplus office equipment company. It is critically important that the destruction of, or at very least the secure of data on, any hard drives containing sensitive information is stipulated in the lease agreement. Ideally the serial numbers of the internal drives should be recorded when the machine is deployed, and the drives returned to the leasee for destruction at the end of the lease.

Veteran UK tech journalist Guy Kewney dies

2010-04-08T22:00:00Z

Guy Kewney, one of the UK’s best known and most influential tech journalists passed away peacefully this morning.

I was lucky enough to be interviewed by Guy a couple of times for an article on cloud computing. We met at his sailing club and enjoyed several cups of coffee as we discussed the migration cycle from mainframe to client/server to the cloud. Guy had a very broad knowledge of not just technology, but also its impact on society and the human element was always present in his questioning.

I grew up reading Guy’s articles in Personal Computer World and he was a major influence on my decision to move into the field of computing.

Any discussion of Guy isn’t complete without mentioning the now famous Guy Coma incident, in which a very bemused Congolese Economics graduate who was working as a minicab driver is dragged into a live BBC News 24 television interview under the mistaken assumption he is Guy Kewney:

Update 12 April: The Register has an obituary for Guy today.