Monday, December 19, 2005

Insiders - insights, trends and possible solutions

Recent research on the content monitoring market, and the U.S. 2004 "Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" I have recently read, prompted me to post an updated opinion on this largely unsolved issue.

I have been keeping an eye on the insider problem for quite some time; in fact, I featured a short article entitled “Insiders at the workplace - trends and practical risk mitigation approaches” in Issue 18 of the monthly security newsletter you can freely subscribe to!

The definition of an insider can be as contradictory as that of a “cheater” :-) Does an individual become an insider merely by thinking about it, or only upon initiating an action defined as an insider’s? In the same way, can someone be called a “cheater” just for thinking about what is perceived as cheating, compared to actually doing anything?! :-) When does one become the other, and does this moment matter at all to tackling the problem?

The biggest trade-off in the insider problem is between dealing with it and ensuring that productivity and the company’s work environment are not damaged in the process. And while productivity is extremely important, the direct, or more often indirect and long-term, loss from intellectual property theft currently amounts to a couple of billion dollars in unrealized revenue for nations and enterprises across the globe.

Going through the 2004 “Annual Report to Congress on Foreign Economic Collection and Industrial Espionage”, a major trend needs to be highlighted, as I strongly believe it is a global one: private enterprises’ efforts to obtain access to sensitive technologies in unethical ways outpace foreign governments’ efforts to do the same. Corporations spy on one another more than governments do, but is this truly accurate? I don’t think so! The use of freelancers, among them ex-intelligence officers or experienced detective agencies, to conduct nationally funded economic espionage is a growing trend, and the lines in this area are so blurred that we should try to grasp the big picture when it comes to national competitiveness -- both companies and nations directly or indirectly benefit from possible economic/industrial espionage, and you can’t deny it!

Yet another important fact to keep in mind is the unusually high success rate of the oldest and most common-sense social engineering attack -- asking!! In certain cases a social engineer will inevitably establish contact with customer-service-obsessed personnel taking care of all your requests! An organization’s members may have trouble differentiating sensitive from secret information, not taking the first as seriously as they should. Even worse -- the U.S. Secret Service and CERT’s “Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector” reveals that “83% of the insider threat cases took place physically from within the insider’s organization, and in another 70% of all cases, the incidents took place during normal working hours”! No secretaries or CEOs logging in at 3:00 AM, and in this case the lack of detected security incidents posed by insiders means they are already happening!

Still, I have always looked at the insider issue from both a negative and a positive point of view. Can an insider be of any use for the good of a free speech organization or a government? Yes, they can, if you take into account the U.S. government’s efforts to locate democratically minded individuals living in countries with restrictive regimes or active Internet censorship efforts.
Now, given that you are truly interested in the democratization of a particular region, and not in another successful PSYOPS operation, being able to locate, establish and actually maintain contact with these individuals will prove crucial to an objective picture of what exactly is going on there! Ignoring the local, totally biased news streaming from certain regions, and focusing on locating insiders within rogue states, has been common practice for years.

Is there a market for protecting against intellectual property theft and sensitive information leakage? If so, how does it ensure that today’s digital workplace and road warriors’ flexibility are not sacrificed for the sake of protecting the company’s resources? Mind you, the current solutions only scratch the surface of the issue -- creating digital signatures of data and trying to spot it leaving the network. While a commonly accepted approach, it is like one-way authentication (passwords) when it comes to access control -- the first line of defense, but one among many others!

The insider problem is a far broader one, and given today’s complexity and connectivity, a possible insider’s actions will most often consist of normal daily activities. But what is the market up to anyway?

Currently, the content monitoring market is growing steadily, fueled by the need to ensure that information marked as sensitive, or intellectual property, doesn’t leave the company’s premises, or that someone is alerted when an attempt is made to transfer it, whether through negligence or on purpose!

The main players are: Vontu, Tablus, Reconnex and Vericept.

While these solutions are a great concept, they all mainly rely on content analysis and sensitive information signatures, monitoring multiple exit points (email, web, chats, forums, P2P, FTP, even telnet); that is, reactive protection, while a sophisticated insider’s actions may remain hidden thanks to covert channels or 0day vulnerabilities in the vendor’s product, for instance!
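As an added illustration of what such signature-based content monitoring does (example code, not any vendor's product): the protected document is reduced to hashed word shingles, and an outbound message is flagged when enough of its shingles match. The paraphrased message shows the reactive weakness just described, since a rewording produces no match at all. The document text, the three messages and the 30% threshold are constructed.

```python
import hashlib
import re

# Constructed "sensitive" document that the monitoring product has fingerprinted.
SENSITIVE_DOC = (
    "Project Falcon Q3 roadmap: the acquisition of Northwind Ltd closes on 14 March, "
    "budget code FX-2211, contact the M&A team before any external disclosure."
)

SHINGLE_SIZE = 5  # words per shingle; smaller catches shorter excerpts but raises false positives


def tokenize(text):
    """Lower-case word tokens, so punctuation or case changes alone do not defeat a match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, k=SHINGLE_SIZE):
    """Hash every k-word window; the set of hashes is the document's 'signature'."""
    words = tokenize(text)
    out = set()
    for i in range(len(words) - k + 1):
        window = " ".join(words[i:i + k])
        out.add(hashlib.sha256(window.encode()).hexdigest()[:16])
    return out


def match_ratio(outbound_text, doc_signature):
    """Fraction of the outbound message's shingles that also occur in the protected document."""
    s = shingles(outbound_text)
    if not s:
        return 0.0
    return len(s & doc_signature) / len(s)


def inspect(outbound_text, doc_signature, threshold=0.3):
    """Return (alert, ratio): alert when the message reproduces enough protected content."""
    ratio = match_ratio(outbound_text, doc_signature)
    return ratio >= threshold, ratio


# Constructed outbound messages: a verbatim leak, a paraphrase, and benign chatter.
LEAK = "fyi - Project Falcon Q3 roadmap: the acquisition of Northwind Ltd closes on 14 March."
REWORDED = "Falcon: Northwind deal done mid-March, code FX 2211, ask M and A first."
BENIGN = "Lunch at noon? The cafeteria has the Thai curry again on Thursday."

if __name__ == "__main__":
    sig = shingles(SENSITIVE_DOC)
    for label, msg in (("leak", LEAK), ("reworded", REWORDED), ("benign", BENIGN)):
        print(label, inspect(msg, sig))
```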

Something else to consider: should an IP (intellectual property) trap be considered a benchmark for insider tensions?! In other words, should you consider an employee who has been purposely sent a link to company information he/she isn’t supposed to have access to, but has clicked to obtain it? Stanford thinks so! The University suspended prospective candidates for obtaining info on their admission process just by following a link... you are either a one or a zero, right?

Honeypots targeting insiders were also discussed a long time ago by Lance Spitzner of the Honeynet Project. Another proactive protection would be to look for patterns defined as malicious, mostly on a behavioral basis.

From an organization’s point of view, take the following into consideration:

- Clearly communicate the consequences, both personal and career-wise, in case an insider is identified, based on the company’s perception of the problem

- Ensure that any momentum of negative attitude towards the organization is kept to a minimum, so that negative sentiments have no chance to develop later on

- Do not fall victim to the common misunderstanding that technology is the key to the solution. Insiders are the people your technology resources empower to do their daily tasks; technology, as often happens, is the facilitator of certain actions

- Does accountability for system identification have any actual effect? My point: is a user’s loss of account data, resulting in a successful attack, prosecuted or tolerated in any way? If it isn’t, this puts any employee in the extremely favorable “it wasn’t my fault” position, where the data could be shared, purposely exposed, sold, claimed to have been stolen, etc.

- Building active awareness of the company’s efforts and commitment to fighting the problem will inevitably discourage the less motivated wannabe insiders, or at least make them try harder!

From a nation’s point of view, the following issues should be taken into consideration:

- In today’s increasingly transparent marketplace, based on the digital flow of information, open source intelligence capabilities have played a leading role in the development of cost-effective competitive intelligence solutions. Even so, nations and their companies are very interested in exploiting today’s globalized world.

- Ensuring an adequate security level for the private and academic sectors’ infrastructure (where research turns into products and services, or exactly the opposite), through legislation or further incentives, will improve national competitiveness while keeping current R&D innovations as secret as necessary.

- Outsourcing should be considered an important factor contributing to information leakage, and the individuals involved, or the company’s screening practices, should be carefully examined.

- A fascinating publication I recently read is “Quantifying National Information Leakage”, describing the implications of the Internet’s distributed nature, namely to what extent U.S. Internet traffic is leaking around the world, where it “passes by”. A nation’s habit of plain-text communications, or its lack of an efficient alternative, can prove tricky if successfully exploited. Of course, this doesn’t include conspiracy scenarios of major certificate authorities being breached.

The insider problem will remain an active topic for discussion for years to come, given its complexity and the severity of its implications. Insiders’ metrics are a key indicator for tracking patterns, whereas their creativity shouldn’t be underestimated at any cost!

In case you are interested in various recommended reading, statistics and other people’s points of view, try this research:

Understanding the Insider Threat - Proceedings of a March 2004 Workshop

A Target-Centric Formal Model For Insider Threat and More

Analysis and Detection of Malicious Insiders

Insider Threat: Real Data on a Real Problem

Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors

Preliminary System Dynamics Maps of the Insider Cyber-threat Problem

Technological, Social, and Economic Trends That Are Increasing U.S. Vulnerability to Insider Espionage

Preventing Insider Sabotage: Lessons Learned From Actual Attacks


Wednesday, December 14, 2005

IP cloaking and competitive intelligence/disinformation

SearchSecurity.com is running a great article entitled "IP cloaking becoming a business necessity", on which I simply can't resist expressing my opinion.

A great concept that’s been around since the days of Anonymizer, who were perhaps the first to start targeting enterprise and government users looking for ways to hide their online activities, be it unstructured data aggregation, competitive intelligence or simple end users' browsing.

Getting back to SearchSecurity's article, I don’t really consider a company’s SEC filings or annual reports (found on any corporate web site) a trade secret! In this particular case, I bet it was extraordinary traffic from known partners that tipped them off that there was a sudden interest in the company's business performance. Any organization could easily look for patterns on its web server, such as how often certain stakeholders visit it, given they use their associated netblocks, or ones known to be used by them. What is also worth noting is that, since the stakeholders in this case -- employees, stockholders, suppliers, government, the general public or anyone else -- all have a claim on the way the organization operates, it would be hard, pretty much impossible, to differentiate the intentions of any of them.

Small companies can easily measure their popularity among the big players, again, given these companies use their own netblocks, but a large corporation with hundreds of thousands of visitors would have to put extra effort into measuring not only what's popular, but who's reading it, and whether they are on its watchlist.

How to compile these? I'm certain someone out there has taken the time and effort to compile a Fortune 500 IP ranges list, the way GovernmentSecurity.org has compiled a Government & Military IP ranges list. I soon expect to see companies offering segmented watchlist services like the ones I mentioned, for instance law firms, financial institutions or non-profit organizations, segmented by geographical location, let's say New York- or Tokyo-based ones. An in-house approach can always be applied by any company, no matter its size; all you have to do is your homework at RIPE.net, for instance:

RSA Security
Symantec
Sophos
Kaspersky
ISS (Internet Security Systems)
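An added, self-contained example of the in-house approach described above (not from the article, and not a real stakeholder list): web server log entries are matched against a watchlist of stakeholder netblocks with Python's ipaddress module, and hits are counted per organization and page. The watchlist uses documentation prefixes, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed watchlist: organization -> netblocks it is known to use.
# These are documentation/example prefixes, not real stakeholder allocations.
WATCHLIST = {
    "Competitor A": ["192.0.2.0/24"],
    "Law firm B": ["198.51.100.0/25"],
    "Regulator C": ["203.0.113.0/24", "2001:db8:1::/48"],
}

# Constructed web server log lines in Common Log Format, plus one garbage line.
LOG_LINES = """\
192.0.2.44 - - [14/Dec/2005:09:12:01 +0000] "GET /investors/annual-report-2005.pdf HTTP/1.1" 200 81234
198.51.100.7 - - [14/Dec/2005:09:13:44 +0000] "GET /press/ HTTP/1.1" 200 5120
198.51.100.200 - - [14/Dec/2005:09:14:02 +0000] "GET /investors/annual-report-2005.pdf HTTP/1.1" 200 81234
203.0.113.9 - - [14/Dec/2005:09:15:30 +0000] "GET /investors/sec-filings.html HTTP/1.1" 200 2048
2001:db8:1::17 - - [14/Dec/2005:09:16:10 +0000] "GET /investors/annual-report-2005.pdf HTTP/1.1" 200 81234
10.0.0.5 - - [14/Dec/2005:09:17:00 +0000] "GET /investors/annual-report-2005.pdf HTTP/1.1" 200 81234
this line is garbage and must not crash the parser
"""

# client ip, ident, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+) [^"]*" (\d{3})')


def compile_watchlist(watchlist):
    """Parse every prefix once; malformed entries are skipped instead of matching anything."""
    compiled = []
    for org, prefixes in watchlist.items():
        for p in prefixes:
            try:
                compiled.append((org, ipaddress.ip_network(p, strict=False)))
            except ValueError:
                continue
    return compiled


def lookup(ip_text, compiled):
    """Return the organization whose netblock contains the address, else None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for org, net in compiled:
        if ip.version == net.version and ip in net:
            return org
    return None


def stakeholder_hits(log_text, watchlist=WATCHLIST):
    """Count (organization, path) pairs for successful requests from watchlisted netblocks."""
    compiled = compile_watchlist(watchlist)
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip_text, path, status = m.groups()
        if status != "200":
            continue
        org = lookup(ip_text, compiled)
        if org:
            hits[(org, path)] += 1
    return hits


if __name__ == "__main__":
    for (org, path), n in sorted(stakeholder_hits(LOG_LINES).items()):
        print(f"{org:14} {n:3}  {path}")
```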

An important trend, though, is how the transparency that ICANN wants to build whenever a domain is registered, in order to easily prosecute cyber criminals, will open up countless opportunities for open source intelligence professionals or wannabes. A recently released report by the U.S. Government Accountability Office found 2.3M domain names registered with false data, and that's just the result they came up with by sampling. Here are also the important findings. Without any doubt, it should be known who's who in the Internet's domain and IP block space, but knowing it, and complying with this due to regulations or good will, is going to lead to further consequences for your organization.

Let's take anti-virus vendors, for instance. I often say that anti-virus is a necessary evil -- given it's active!! Signature-based defense is futile: windows of opportunity emerge faster, 0day threats contribute, and overall, malware is starting to attack on a segmented basis => fewer major outbreaks, but the rate of signature updates is still a benchmark the public and some of the vendors like talking about. Email-Worm.Win32.Doombot.b, for instance, is a good example of how a malware author renders the anti-virus software useless just by blocking it from accessing its (publicly available, easy to find out through sniffin' etc.) update locations. Even though the author might wish he/she could "write" to these locations, that's not necessary; the temporary advantage of exposing the user/organization to a particular window of opportunity comes from making sure access to removal instructions and actual updates is disabled! Doombot's list is short, and a bit of a common-sense one compared to others. And as always, the general public, sick of ads and parasites, has taken the effort to constantly release updated hosts files to tackle their concerns. I wonder when, and how, vendors are going to address this, from my point of view, important issue?
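Added example, not part of the original post: one common way such update-location blocking is done is a static entry in the hosts file, so a defender can check that file for any mapping of a vendor's update hosts, whether sinkholed to loopback or redirected elsewhere. The update hostnames and the sample hosts file content below are constructed placeholders; the Windows and Unix paths in check_system_hosts are the standard locations.

```python
from pathlib import Path

# Constructed placeholders for the update hostnames a defender wants to keep reachable.
# A real deployment would list the actual vendor update hosts here.
UPDATE_HOSTS = {
    "update.example-av.com",
    "liveupdate.example-av.com",
    "downloads.example-av.net",
}

# Constructed hosts file: normal entries, two sinkholed hosts, one redirected host.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.com
0.0.0.0         downloads.example-av.net  # added by malware
192.0.2.99      liveupdate.example-av.com
10.1.2.3        intranet.corp.example
"""

# Addresses that make a name unreachable rather than pointing it somewhere else.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments, blank and malformed lines are ignored."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            yield addr, name.lower()


def find_hijacks(text, watched=UPDATE_HOSTS):
    """Map each watched hostname found in the hosts file to (address, 'sinkholed'|'redirected').

    Any static mapping of an update host is suspicious: the resolver will no longer
    ask DNS for it, so a non-loopback address can just as well point at a host the
    malware author controls.
    """
    findings = {}
    for addr, name in parse_hosts(text):
        if name in watched:
            kind = "sinkholed" if addr in SINKHOLE_ADDRESSES else "redirected"
            findings[name] = (addr, kind)
    return findings


def check_system_hosts(path=None):
    """Read the live hosts file (Windows or Unix default location) and report hijacks."""
    if path is None:
        win = Path(r"C:\Windows\System32\drivers\etc\hosts")
        path = win if win.exists() else Path("/etc/hosts")
    return find_hijacks(Path(path).read_text(errors="replace"))


if __name__ == "__main__":
    for name, (addr, kind) in sorted(find_hijacks(SAMPLE_HOSTS).items()):
        print(f"{kind:10} {name} -> {addr}")
```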

IP cloaking at the corporate level is still in its early stages, but represents a growing market due to the following factors, among many others of course:

- governments and intelligence agencies are actively taking advantage of open source intelligence (OSINT), and vendors are already starting to offer relevant services. Anonymizer, among others, also has services specially tailored to government/enterprise use

- enterprises are getting extremely conscious about what others know of their surfing interests, and what the stakeholders on their watchlist are looking at on any of their extranets or corporate web sites

- citizens from countries with extremely restrictive Internet censorship practices will fuel the market's growth even more

Further reading can be found at:

Protecting Corporations from Internet Counter-Intelligence
Cloaking types


Monday, December 12, 2005

0bay - how realistic is the market for security vulnerabilities?

In Issue 19 (July 2005) of the Astalavista Security Newsletter, which I release on a monthly basis, I wrote an article entitled "Security Researchers and your organization caught in between?", whose aim was to highlight a growing trend, namely the monetization of vulnerability research, who benefits and who doesn't.

A recent event, rather significant at least for me, having covered and monitored this issue for quite some time now, was an eBay listing for a "brand new Microsoft Excel vulnerability". A bit ironic, but I had a chat with Dave Endler, director of security research at TippingPoint, and the issue of their future position as bidders for someone else's research was discussed a week before the eBay listing, in Issue 23 (November 2005) of Astalavista's Security Newsletter.


Two of today's most popular, and at least public, commercial entities paying hard cash for security vulnerabilities are: iDefense and the Zero Day Initiative (TippingPoint).

But what is the need for creating such a market? Who wins and who loses? What are the future global implications of this trend, originally started by iDefense?

In any market there are sellers and buyers; that's the foundation of trade, besides the actual exchange of goods/services and the associated transaction. What happens when buyers increase is that sellers tend to increase as well, and of course exactly the opposite. Going further, every economy has its black/underground, or call it whatever you want, variation. And while some will argue a respected researcher will contribute to the development of even more botnets, who says one has to be respected to come up with a vulnerability worth purchasing?! It's a Metasploit world, isn't it?!

Going back to the market's potential. Sellers get smarter, and transparency is built as more buyers join seeking to achieve their objectives, in this case providing proactive protection to their clients only and building an outstanding, hopefully loyal researchers' database. These firms, which I refer to as buyers, have envisioned the fact that there are thousands of skilled vulnerability researchers who are amazingly capable but aren't getting a penny out of releasing their vulnerability research. Ego is no longer important, and getting $ for research on a free-will basis is a proven capitalistic approach. What these companies (and I bet many more vendors will open themselves up to such a service) didn't take into consideration, in my opinion, is that starting to work with people with $ as the ultimate incentive will prove tricky in the long term.

What will happen if the Swiss cheese of software (yet the one that dominates 95% of the OS market today), Microsoft, starts bidding for security vulnerabilities in its products? Bankruptcy is not an option, and I doubt they will ever take this into consideration, mainly because it would seriously damage a market sector, the information security one. Imagine, just for a sec, that Microsoft decides to seriously deal with all its vulnerabilities? But today's lack of accountability for software vendors' actions related to vulnerabilities is making it even worse. If MS doesn't get sued for not releasing a patch within any given time frame, why should we, the vendors small compared to MS, care?

Howard Schmidt, former White House cybersecurity adviser, once proposed that programmers should be held responsible for releasing vulnerable code. I partly agree with him: you cannot cut costs in order to meet product/marketing deadlines while hiring low-skilled programmers who do not take security into consideration, which opens another complex discussion on what a developer should focus on these days -- efficiency or security -- and where's the trade-off?

I originally commented on this event back then:

The position of Schmidt prompts him to address critical issues and look for very strategic solutions which may not be favored by the majority of the industry, as I’m reading through various news comments and blogs. I personally think he has managed to realize the importance of making a distinction in how to tackle the vulnerabilities problem, who’s involved, and who can be influenced, where the ultimate goal is to achieve less vulnerable and poorly coded software. Software vendors seek profitability, or might actually be in the survival stage of their existence, and as obvious as it may seem, they face huge costs, and extremely capable coders or employees tend to know their price! Worth mentioning are the tech industry’s “supposed to be” benchmarks for vulnerabilities management; picture an enterprise with the “IE is the swiss cheese in the software world in terms of vulnerabilities, and yet no one is suing Microsoft over delayed patches” – lack of any incentives, besides moral ones, in case there’re clear signs and knowledge that efficiency is not balanced with security. And that’s still a bit of a gray area in the development world.
Vulnerabilities simply cannot exist, and perhaps the biggest trade-off we should also face is the enormous growth of interactive applications, innovation approaches for disseminating information, with speeds far outpacing the level of attention security gets. Eventually, we all benefit out of it, web application vulnerability scanners and consultants get rich, perhaps the (ISC)² should take this into consideration as well :-)

Even though you could still do the following :

- build awareness towards common certifications addressing the issue

- ensure your coders understand the trade-offs between efficiency and security and are able to apply certain marginal thinking, while still meeting their objectives

- as far as accountability is concerned, do code auditing with security in mind and try to figure out who are those that really don’t have a clue about security, and train them

- constantly work on improving your patch release practices, or fight the problem from another point of view

But unless coders and software vendors are given incentives, or obliged under regulations (that would ultimately result in lack of innovation, or at least a definite slowdown), you would again have to live with uncertainty, and outsource the threats posed by this issue. Microsoft’s “Improving Web Application Security: Threats and Countermeasures” book still provides very relevant information.

Slashdot’s discussion


What also bothers me is how the virginity of the vulnerability is identified. I mean, what if I have already found it, developed an exploit for it, sold it to the underground, and cashed in with the industry as well, and no one came across it on his/her :) honeyfarm? The researcher's reputation is a benchmark, but in the long term, the competitive market that's about to appear will force the buyers to start working on a mass basis. There's definitely a lot to happen!

Welcome to the wonderful world of purchasing 0-day security vulnerabilities! Have an enemy? Bid for his ownage. Have a competitor? Own them without having to attract unnecessary attention. I'm just kiddin', of course, although the possibilities are disturbing.

What I really liked about this important moment in vulnerability research was that it was about time security researchers saw how valued their research is in terms of the only currency that matters in the process -- the hard one. In my point of view, monetizing the vulnerability research market wasn't the best strategic approach to fighting 0-day vulnerabilities; in this case, it comes down to ensuring you have the most impressive minds on your side, and that your clients get hold of the latest vulnerabilities before the public does.

So -- who's the winner? It's... Symantec, who first realized the long-term importance of security vulnerabilities, and where both researchers and actual vulnerabilities are -- Bugtraq/SecurityFocus -- by acquiring it for US$75 million in cash back in 2002, and later on integrating its joys into the DeepSight Analyzer. Remarkable, both from a strategic point of view, and mainly because, before any post on any of the associated mailing lists even gets approved, it's Symantec's staff having the first look at what's to come for everyone's day.

SecurityFocus is running a story about the eBay vulnerability listing, and so is eWeek; Slashdot also picked up the story. It was about time for everyone, given it actually happened during the weekend :-)

UPDATE: "Where's my 0day, please?"

Recommended reading can be found at:

Vulnerability Disclosure Framework
A Structured Approach to Classifying Security Vulnerabilities
Guidelines for Security Vulnerability Reporting and Response
Economic Analysis of Incentives to Disclose Software Vulnerabilities
Impact of Software Vulnerability Announcements on the Market Value of Software Vendors – an Empirical Investigation
An Economic Analysis of Market for Software Vulnerabilities
Market for Software Vulnerabilities? Think Again
Talking about 0-day

Some stats:

National Vulnerability Database
CERT/CC Statistics 1988-2005


Wednesday, December 07, 2005

How to create better passwords - why bother?!

I have recently come across a practical article on how to create better passwords, courtesy of CSO Magazine. It reminded me of how many times I find myself getting into the science of password maintenance and creation in order to enforce real-life, cost-effective scenarios, while on the other hand getting seriously concerned about how easy it is to have your account data abused!

Over the years I have written several articles, like this one -- Creating and Maintaining Strong Passwords -- mainly with the idea of providing a pragmatic approach to tackling weak, easily cracked passwords. The result, at least from a sniffing point of view *grin*, was that most of my friends lacking security knowledge were indeed getting concerned about their easy-to-guess passwords. Later on, they were turning them into entire passphrases with the idea of avoiding having them cracked. That's an example of a "false feeling of security".

And while it was progress compared to how predictable their passwords really were, strong passwords don't address the following issues, which I later covered in another article -- Passwords - Common Attacks and Possible Solutions -- namely, passwords can be:

- Sniffed
- Recovered
- Unintentionally shared
- Keylogged
- etc.

Recently, both from a CSO's point of view and in the financial industry, two-factor authentication has been gaining a lot of acceptance, in my opinion primarily because of its tangibility. It greatly improves the authentication process, given the integrity of the system and the network itself. And while from an organization's or bank's point of view providing tokens to the entire workforce would represent a huge investment, I strongly feel that prioritizing important customers and executives will play an important role.

On October 12, 2005, the Federal Financial Institutions Examination Council released its Guidance on Authentication in Internet Banking Environment, thereby enforcing the use of authentication approaches more advanced than password-only ones.

Would it work? I doubt it, but it limits the age-old attacks we are so used to seeing with passwords.

Bruce Schneier has been discussing the dangers of the two-factor authentication buzz, and as far as online banking is concerned, Candid Wüest has written a very good paper on today's threats to online banking; the techniques discussed fully apply to any type of authentication. Passwords are out of the picture, and even two-factor authentication has its good and bad sides when it comes to end users' awareness, implementation and configuration.

What are the practical alternatives these days?

Password Safe is a bit impractical (it still works for lots of people out there) in today's interconnected world; an HDD crash, for instance, would cause a lot of trouble to everyone, not to mention the "availability" of the data. Just1Key seems to solve this problem to a certain extent. I also recommend you verify the strength of your passwords by taking advantage of the Password Strength Meter.

ComputerWeekly is also running an article, "Security: have passwords had their day?". They sure haven't, at least not on a large scale, the way I've always wanted to see it -- One Time Passwords in Everything! Check out RSA's One-Time Password Specifications; the concept in itself has the time-frame advantage!
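Added example (not from the post, and not RSA's or OPIE's code) of the S/KEY-style hash chain that OPIE builds on, shown here with SHA-256: the server stores only the last accepted link, each login reveals the preceding link of the chain, and a value captured by sniffing is rejected on replay, which is exactly the sniffing problem a strong static password cannot solve. The passphrase, seed and chain length are constructed.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """The chain's one-way function (SHA-256 here; classic S/KEY and OPIE used MD4/MD5)."""
    return hashlib.sha256(data).digest()


def chain_value(passphrase: bytes, seed: str, n: int) -> bytes:
    """Hash passphrase+seed once, then n more times: link n of the chain."""
    v = h(passphrase + seed.encode())
    for _ in range(n):
        v = h(v)
    return v


class OtpServer:
    """Holds only the last accepted link, never the passphrase or a still-usable OTP."""

    def __init__(self, seed: str, initial: bytes, count: int):
        self.seed = seed
        self.current = initial   # chain_value(count): one hash "above" the next OTP
        self.count = count       # logins remaining before re-enrollment is needed

    def verify(self, candidate: bytes) -> bool:
        """Accept only the value whose hash equals the stored link, then move down the chain."""
        if self.count <= 0:
            return False
        if hmac.compare_digest(h(candidate), self.current):
            self.current = candidate   # the accepted OTP becomes the new reference
            self.count -= 1
            return True
        return False


class OtpClient:
    def __init__(self, passphrase: bytes, seed: str, count: int):
        self.passphrase, self.seed, self.count = passphrase, seed, count

    def enroll(self) -> OtpServer:
        """Give the server the top of the chain; knowing it reveals nothing below it."""
        return OtpServer(self.seed, chain_value(self.passphrase, self.seed, self.count), self.count)

    def next_password(self) -> bytes:
        """Each call walks one link down; a value sent once is never valid again."""
        if self.count <= 0:
            raise RuntimeError("chain exhausted, re-enroll with a new seed")
        self.count -= 1
        return chain_value(self.passphrase, self.seed, self.count)


def demo():
    """Genuine login, replay of the sniffed value, then the next genuine login."""
    client = OtpClient(b"correct horse battery staple", seed="ex01", count=5)
    server = client.enroll()
    otp = client.next_password()
    genuine = server.verify(otp)      # True
    replayed = server.verify(otp)     # False: hash(otp) no longer equals the stored link
    following = server.verify(client.next_password())  # True
    return genuine, replayed, following


if __name__ == "__main__":
    print(demo())
```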

Further reading on the topic can be found at:

The Memorability and Security of Passwords - Some Empirical Results

Passwords you’ll never forget, but can’t recall

One Time Passwords In Everything (OPIE): Experiences with Building and Using Stronger Authentication

Stealing passwords via browser refresh

A Convenient Method for Securely Managing Passwords
