Friday, August 26, 2011

Krypt3ia - From China, With Love ... Thank you

Thank you Krypt3ia for this post and the relevant links to Chinese cyber-operations from 2008 on. Please refer to my previous post and the call to make more data loss breaches public in an effort to illustrate scale. None of this is new; why are you all so shocked and wide-eyed?

Go F-Secure - Researcher finds the RSA email in VirusTotal haystack

F-Secure researcher Timo Hirvonen (who sounds like he should be playing in the NHL) recently wrote a tool to look for Flash objects in the gigantic DB that is VirusTotal and came up with what appears to be the exact email that was sent to EMC/RSA employees, with the attached Excel file that included the malicious Flash code that was eventually opened. The rest is now history, and the security giant is still keeping relatively quiet while looking at the world through a bruised and blackened eye. The Network World article spells it out very well so I won't get into the details, but what it clearly illustrates to me is the expanding need for things I've touched upon before (here, here and here, and in this interview):

  1. Data loss needs to be publicized much further so the general public (and press) has a better understanding of the scale of what is going on in the cybercriminal and nation-state espionage worlds
  2. REAL Security Awareness programs. Lance Spitzner's work on Securing the Human is excellent; take his SANS course, it's great.
  3. Application Whitelisting. If you are only allowing business approved applications to run on your hosts, you have thwarted the ability to run malicious code.
  4. Identity based profiling, authorization and access controls. Identity at the packet layer and the ability to tie that back to an authorization directory and create dynamic rules on the fly for what that packet (person) can access. You now have an inventory of everything that is authorized to connect to your network, where they are and what they can do. That almost sounds too good to be true, and, yes, I'm specifically referring to Cisco's ISE. Just wait until they add NAC posturing to it.
  5. Information classification programs and policies. KNOW what you are protecting and its business criticality.
  6. Peer groups. Executive periodic peer group discussions to review trends, methods, controls and metrics.
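The hunt Hirvonen ran, searching a large file corpus for embedded Flash objects, comes down to recognising the SWF container header inside an unrelated file. The following is an added example (my own code, not Hirvonen's tool and not F-Secure's) that scans a byte stream for the three SWF signatures and sanity-checks the header; the "document" it scans is a constructed filler blob with two minimal SWFs dropped into it, not the real RSA attachment.

```python
import re
import struct
import zlib

# Every SWF starts with a 3-byte signature ("FWS" uncompressed, "CWS" zlib,
# "ZWS" LZMA), a one-byte version, and a little-endian 32-bit *uncompressed*
# file length. Anything after that is the (possibly compressed) movie body.
SWF_HEADER = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x40].{4}", re.DOTALL)


def find_embedded_swf(data: bytes):
    """Return (offset, signature, version, declared_length) for every
    plausible SWF header found anywhere in `data`."""
    hits = []
    for m in SWF_HEADER.finditer(data):
        hdr = m.group(0)
        sig = hdr[:3].decode()
        version = hdr[3]
        length = struct.unpack("<I", hdr[4:8])[0]
        if length < 8:            # must at least cover its own header
            continue
        # For an uncompressed SWF the declared length is the on-disk size,
        # so it cannot run past the end of the container.
        if sig == "FWS" and m.start() + length > len(data):
            continue
        hits.append((m.start(), sig, version, length))
    return hits


def build_sample_swf(compressed: bool = False) -> bytes:
    """Constructed minimal SWF: empty RECT (1 byte), frame rate, frame
    count, then an End tag. 7 bytes of body + 8-byte header = 15 bytes."""
    body = b"\x00" + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00"
    length = struct.pack("<I", 8 + len(body))
    if compressed:
        return b"CWS" + bytes([10]) + length + zlib.compress(body)
    return b"FWS" + bytes([10]) + length + body


# Constructed stand-in for an Office document: an OLE magic prefix, filler,
# one uncompressed SWF at offset 68 and one zlib-compressed SWF at offset 115.
SAMPLE_DOCUMENT = (b"\xd0\xcf\x11\xe0" + b"A" * 64 + build_sample_swf()
                   + b"B" * 32 + build_sample_swf(compressed=True) + b"\x00" * 16)

if __name__ == "__main__":
    for offset, sig, version, length in find_embedded_swf(SAMPLE_DOCUMENT):
        print(f"SWF {sig} v{version} at offset {offset}, declared length {length}")
```

A real scanner would additionally walk OLE streams or the zip entries of an .xlsx and, for CWS/ZWS hits, try to decompress the body to confirm the match before raising an alert.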

Wednesday, August 24, 2011

China's PLA video - accidental or a strategic showing of their hand?

It's being called the "smoking mouse" already. This state sponsored propaganda video, archived on F-Secure's blog site, has already been removed from the PLA's site (or at least been edited to remove the images of the PLA hacking tool). It clearly shows that the tool is from the People's Liberation Army Information Engineering University, so the obvious conclusion is that China has been outright lying (*gasp*) to the rest of the world when denying any involvement in and/or sponsorship of the gaggle of recent cyber-crime incidents. But was it truly accidental? China has a history of flaunting their espionage feats in the face of the U.S. (David Wise's book on U.S./China espionage, Tiger Trap, is excellent), so one has to wonder if it may have been another event in a long line of examples of China showing their adversaries one of the cards in their hand, to remind everyone that they still have assets the rest of the world should worry about and that it would be unwise to ignore their capabilities. Which is absolutely true. It just seems a little childish if this were the case.

Thursday, August 11, 2011

EMV coming to America

I was very pleased to read this article, which reports that Visa will be pushing for and eventually requiring any company that processes Visa transactions to support EMV cards by 2013. This is great news, as EMV cards (short for Europay, MasterCard and Visa) are in wide use in Europe and greatly increase transaction security through an encryption chip on the card itself that replaces the magnetic strip, making it much more difficult not only to grab transactions off the wire but also to use stolen credit card info.

The U.S. has largely ignored implementing these better controls because of the cost to every company that swipes cards of replacing their existing Point of Sale equipment with new gear that supports EMV cards. So as an incentive to retailers, Visa will waive much of the cost of PCI-DSS compliance validation if companies have at least three-quarters of their POS systems EMV capable. It seems entirely feasible that if EMV cards provide end-to-end encryption from card to processor, PCI-DSS scope may drastically change, with most businesses like gas stations, convenience stores and restaurants that never store card data no longer having to even think about whether their systems and networks are secure enough to meet today's PCI-DSS requirements, and therefore about expensive remediation controls. Keep an eye on this one.

Wednesday, August 3, 2011

Shady RAT and national economies

McAfee yesterday (8/2/11) released a pretty amazing study on 72 major global cyber-compromises over the last 5 years that were all closely related and were most likely initiated by the same nation state. The Register has a good summary here.

Here is my 2 cents. The game has changed. There is something about your organization that sets you apart from your own competition and makes you stand out among the crowd, whether it is your sales processes, your business model, your innovative ideas or your project management frameworks, let alone your legal documents and email archives. All of these are being targeted in an effort to gain international competitive advantage, which results in further lost economic growth in the countries they have been exfiltrated from. In the U.S., as well as most other nations, national economic security is reliant on the security of every organization and company that contributes to it. And every organization and company that contributes to it is responsible for securing their own business critical assets. I've posted my own views on this before. Security is subjective and there are no effective standards that everyone must conform to regarding the protection of their own methodologies, secrets and intellectual property. There may never be such standards, which means a heightened awareness must be developed and cultivated. Peer groups must be encouraged to discuss methods, controls and metrics. Data loss needs to be publicized so the general public begins to realize the scope of what is happening. And for the love of whatever you may find holy, people, stop allowing weak passwords. I've been in this industry almost 20 years now and weak passwords and policies are STILL one of the top mechanisms for compromising systems. If we can't improve on that one in 20 years, how can we have faith that all the companies that today support our nation's economy are able to defend themselves against the latest zero-day vulnerability that was spear-phished to a member of their executive council?