Steve Goodbarn

Said to be even bigger than Black Friday and still only the 3rd highest day for on-line shopping, Cyber Monday is upon us. This is the day when workers use their workplace computers to shop on-line. 

It is also a significant date for Cyber crime, as noted by PC Magazine Security Watch: It's Holiday Cyber Theft Season.

MSNBC offers some tips on cyber crime and prevention:

Network World also has some tips here. But keeping up with the latest software patches has its own problems, as noted in this Network World Article: Latest Microsoft patches cause black screen of death.

The likelihood of being victimized by cyber crime is statistically low and particularly low if you follow common sense advice. As I have said before, the real crime is the cost embedded in the products we buy and the credit card fees we pay to have such a low level of on-line security.

Robert McMillan of IDG has three posts on hacking attacks today and over the weekend. We are heading into the busy Christmas on-line shopping season this is a particularly rich time for Internet crime:

New attack fells Internet Explorer "The zero-day flaw is unreliable, but Symantec expects reliable exploits in the 'near future".

This exploit is known to affect only older versions of Explorer, which commands "40 percent" of the browser market. Quite a few people could be affected.

Cyberattacks on U.S. military jump sharply in 2009:

Citing data provided by the U.S. Strategic Command, the U.S.-China Economic and Security Review Commission said that there were 43,785 malicious cyber incidents targeting Defense systems in the first half of the year. That's a big jump. In all of 2008, there were 54,640 such incidents. If cyber attacks maintain this pace, they will jump 60% this year. 

"The cost of such attacks is significant," the report notes. Citing data from the Joint Task Force-Global Network Operations, the report says that the military spent $100 million to fend off these attacks between September 2008 and March 2009.

One point about this data is that this is only the known attacks. I am sure that more than $100 million is spent securing our infrastructure. That is the real cost and the unknown attacks are the real threat.

The full 5MB+ pdf of the report can be found here.

Global warming research exposed after hack:

The files include about a decade of e-mail correspondence belonging to Phil Jones, director of the Climatic Research Unit at the University of East Anglia in Norwich, England. Shortly after news of the leak began circulating Thursday, critics of global warming science zeroed in on some of the messages as evidence of bias in the climate research community.

Judging from the data posted, the hack was done either by an insider or by someone inside the climate community who was familiar with the debate, said Robert Graham, CEO with the consultancy Errata Security. Whenever this type of incident occurs, "80 percent of the time it's an insider," he said.

The Wall Street Journal also reported on the leak: Climate Emails Stoke Debate:

The emails include discussions of apparent efforts to make sure that reports from the Intergovernmental Panel on Climate Change, a United Nations group that monitors climate science, include their own views and exclude others. In addition, emails show that climate scientists declined to make their data available to scientists whose views they disagreed with.

The IPCC couldn't be reached for comment Sunday.

In one email, Benjamin Santer from the Lawrence Livermore National Laboratory in Livermore, Calif., wrote to the director of the climate-study center that he was "tempted to beat" up Mr. Michaels. Mr. Santer couldn't be reached for comment Sunday.

In another, Phil Jones, the director of the East Anglia climate center, suggested to climate scientist Michael Mann of Penn State University that skeptics' research was unwelcome: We "will keep them out somehow -- even if we have to redefine what the peer-review literature is!" Neither man could be reached for comment Sunday.

The emails reveal significant bias, spin, and possible fraud involving climate data including correspondence with Andrew Revkin of the New York Times. The timing is horrible for global warming advocates. With a major conference next month in Copenhagen, there is considerable spin underway among global warming advocates and considerable disclosure underway by their opponents.

See video here and comments here from those opposed to cap and trade taxes.

I like fresh air but it is clear that anything you communicate electronically should be treated as a matter of public record and not private. There are too many ways for it to be made public.

On November 5th a new vulnerability was disclosed in SSL. The vulnerability could allow man-in-the-middle attacks that could compromise sensitive information.

All applications of SSL require a patch to close this authentication vulnerability. Because SSL is essential to on-line shopping this is of more than trivial interest to on-line merchants. The status of patching efforts is being monitored here.

SSL has been around for over 13 years so it is more than a little disturbing to discover a significant vulnerability. It raises the question as the whether this was discovered by someone long ago but not disclosed. 

Exploits of the vulnerability have been posted. See SSL at risk (again), this time Twitter is the first target  by Sean Michael Kerner at Internetnews.com. He writes:

SSL is of critical importance to all web users as the most commonly used method for securing websites. There is now a new publicly posted exploit technique available for SSL that takes advantage of a renegotiation flaw with TLS DEFINE:TLS>.

As a proof of concept, security researcher Anil Kurmas has blogged about how TLS/SSL renegotiation can be used to exploit Twitter's HTTPS (that is SSL secured) API.

"All in all, a man in the middle is able to steal the credentials of a user authenticating himself through HTTPS to a trusted website, and CSRF protections do not apply here," Kurmas wrote.

This is extremely serious and in my opinion represents perhaps the single biggest threat to the integrity of the Internet today. Without SSL, ecommerce becomes insecure and the vast majority of the web's population cannot login securely to any website.

Network World reports on yet another exploit: Security pro says new SSL attack can hit many sites:

Frank Heidt, CEO of Leviathan Security Group, says his "generic" proof-of-concept code could be used to attack a variety of Web sites. While the attack is extremely difficult to pull off -- the hacker would first have to first pull off a man-in-the-middle attack, running code that compromises the victim's network -- it could have devastating consequences.

This latest attack shows that the flaw could be used to steal all sorts of sensitive information from secure Web sites, Heidt said.

Because SSL, and its replacement standard, TLS, are used in a wide range of Internet technologies the bug has far-reaching implications.

Thierry Zoller, a security consultant with G-Sec, says that theoretically, the flaw could be used to attack mail servers. "An attacker can potentially highjack mails sent over secured SMTP [Simple Mail Transfer Protocol] connections, even if they are authenticated by a private certificate," he said in an instant message interview.

Zoller, who has not seen Leviathan's code, said that if the attack works as advertised, it will be just a matter of days before someone else figures out how to do it.

At this time patch implementations are not complete - so the Internet is vulnerable. It highlights what we already know: SSL alone is not adequate. Dan Kaminsky and others have noted that SSL is not secure without DNSSEC. DNSSEC is a complementary protection to SSL and both are needed if we are to have a secure Internet.

The Government Accountability Office released a 24 page document on their findings regarding cybersecurity within the Federal government. Not surprisingly, the report finds that threats are growing in frequency, with a 200% rise in incidents between 2006 and 2008. 

According to the report, which can be found here:

Compounding the growing number and kinds of threats, GAO—along with agencies and their inspectors general—has identified significant weaknesses in the security controls on federal information systems, resulting in pervasive vulnerabilities. These include deficiencies in the security of financial systems and information and vulnerabilities in other critical federal information systems. GAO has identified weaknesses in all major categories of information security controls at federal agencies. For example, in fiscal year 2008, weaknesses were reported in such controls at 23 of 24 major agencies.

Specifically, agencies did not consistently authenticate users to prevent unauthorized access to systems; apply encryption to protect sensitive data; and log, audit, and monitor security-relevant events, among other actions.

Note that authentication is sited as the number one problem and DNSSEC is the only effective way of authenticating who is whom on the Internet. DNSSEC will go a long way to improve government and infrastructure computer networks and time is of the essence. According to a recent report by McAfee (Report: Countries prepping for cyberwar) the threats are real:

Major countries and nation-states are engaged in a "Cyber Cold War," amassing cyberweapons, conducting espionage, and testing networks in preparation for using the Internet to conduct war, according to a new report to be released on Tuesday by McAfee.

The GAO report validates my impression that the US Government is more talk than action. I attend  government oriented cybersecurity conferences and my company is heavily involved in DNSSEC deployment. Despite much rhetoric, the pace of security improvement is slow and the funding has not been adequate.

DNSSC deployment in Federal agencies is far behind the target to meet OMB mandated adoption of DNSSEC by the end of 2009. One reason for this lack of compliance is lack of funding and another is lack of attention from the Obama Administration.

An authenticated Internet will boost the economy and help achieve other key goals. We are crazy to think we can put medical records on-line without DNSSEC.

The time for talk is past, it is time for action.

Computer malware has been disclosed that secretly downloads child pornography onto the victim's computer. According to AP reporter Jordan Robertson, lives have been ruined by this scam: 

Michael Fiola, a former Massachusetts government worker, was arrested two years ago after child abuse images were discovered on his state-issued laptop computer after officials became suspicious of huge data use bills associated with the machine and began an investigation. He was eventually cleared nearly 11 months later after defense experts were able to show that the laptop harboured malware programmed to visit as many as 40 child porn sites per minute, far faster than a human surfer would be able to accomplish.

Forensics experts hired by the prosecution agreed with these findings and the case, which had nearly ruined Fiola's life, was dropped.

Fiola was fired from his job before enduring death threats and losing friends. His wife stood by him, however, and the couple were able to raise a $250,000 legal defense fund after selling their car, cashing in their savings and re-mortgaging their home. "It ruined my life, my wife's life and my family's life," Fiola told AP.

A cap on the amount of damages they might receive has effectively prevented the Fiolas from suing the state.

There is not a lot of detail about how this happened or how it can be prevented, but with a nearly constant need to patch PCs and MACs for newly discovered vulnerabilities (See Massive OS X Update Fixes Dozens of Vulnerabilities and Windows exploit code coming for just this week's latest) how can anyone feel comfortable that their PC has not been contaminated? Or won't be in the future?

I suspect he either downloaded something by opening a fake email that led him to a malware site or he somehow visited a spoofed web site that downloaded the porn gathering program onto his PC. In either case DNSSEC, by authenticating the site, could have alerted him that something was amiss. Until DNSSEC is deployed we can all be nervous about this type of exploit.

This is another great report on just how insecure we really are with Internet enabled communications. The video of the generator blowing up and the simulation of an oil refinery fire are pretty scary.

 
Watch CBS News Videos Online and this particular video here.

What is clear is that despite the efforts of Congressman Langevin and others, we have a long, long way to go to solve the problem.

Microsoft is currently deploying Windows 7 and Windows Server 2008 R2, which are DNSSEC aware.

Although client PCs do not have to be DNSSEC aware to make DNSSEC useful, because the DNS servers themselves are DNSSEC aware, it covers "the last mile" of authentication and makes it much more useful.

Despite having DNSSEC aware products, Microsoft is strangely absent from the DNSSEC community. They shouldn't be. Authentication using DNSSEC will save Microsoft a lot of time, money, hostility and embarrassment by closing the two most common attack vectors - fake email and fake web sites. 

Because the Internet is insecure and has no authentication, Microsoft products end up bearing the brunt of security. And they are fighting a losing battle. Here is a sampling of security reports for the past week:

Wired: Windows 7 Still Vulnerable to Viruses — Durr, Really?

Infosecurity.US: Patch Update: Microsoft Patches Patch Targeting Crypto Patch… (I love the cone of silence)

SC Magazine: Three critical patches to be offered by Microsoft on Patch Tuesday

Daniweb: Avoid Windows Denial of Service

And from October 13, the biggest patch Tuesday of them all, from CNET news:  Critical Windows 7 holes fixed in record Patch Tuesday

Adobe, Java, and others problems also. Even Sweden's intelligence service has been shut down by denial of service attacks. With SSL becoming increasing suspect it does not take a genius to realize we need a different approach.

Windows 7's DNSSEC capability creates an opportunity for authentication. But DNSSEC will not be effective if there is not wider adoption. Microsoft would do well by getting on board with DNSSEC deployment.  

A major flaw has been found in the SSL protocol (Secure Sockets Layer - used for the padlock you see when conducting a credit card or other sensitive transaction on-line). See the article in Dark Reading: Major SSL Flaw Find Prompts Protocol Update.

"The bug results in a set of related attacks that allow a man-in-the-middle to do bad things to your SSL/TLS connection. The [attacker] in the middle is able to inject his own chosen text into what your application believes is an encrypted, secure communications channel," says Ray, a senior software development engineer for PhoneFactor. "This has implications for all protocols that run on top of SSL/TLS, such as HTTPS."

Dan Kaminsky, director of penetration testing for IOActive, says he doesn't think the flaw is limited to just injecting traffic. "HTTPS content will leak because of this bug," Kaminsky says. "Never underestimate the usefulness of a subtle cryptographic vulnerability. Nobody would say, 'Well, it's just an iceberg, and we're heading right for it, but it's not like it's cut a huge gash in the ship yet.'"

SSL has been under siege during the past year, with the groundbreaking man-in-the-middle hack by researcher Moxie Marlinspike, which dupes a user into thinking he's in an HTTPS session when in reality he has been taken elsewhere by the attacker, as well as Kaminsky's research exposing critical flaws in X.509 certificate technology used in SSL.

Patches may be available shortly and more detail on the flaw will be unveiled at the Internet Engineering Task Force (IETF) meeting in Hiroshima next week. SSL is used everywhere: it's going to be patch city on the Internet for some time.

SSL is vital to on-line shopping so I guess we should be happy a fix is underway just in time for Christmas.

I've written about SSL security issues in the past, most recently in my October 12, 2009 post "DNSSEC is needed to make SSL and email certificates trustworthy and usable". This is a big bug, along the lines of Dan Kaminsky's discovery of the DNS flaw in 2008. It will be interesting to see if this patch is a complete solution or a partial solution like the patch to DNS.

This problem is another indication of how little we know about our lack of information security.

One of the best security blogs is Byron Acohido's The Last Watch Dog. He had a post last week on the huge number of phishing emails related to social networking sites. See Unstoppable new phishing attacks blanket Facebook, Twitter, Hotmail.

Phishing email volume is at record levels and is increasingly personalized: It appears to come from a legitimate source that knows something about the recipient and requires urgent action, such as resetting a password, downloading essential software, or visiting a [malicious] website.

Once the victim complies they unwittingly  download malicious software such as a rootkit, virus, worm, spyware, or Trojan onto their PC or their web-enabled cell phone.  The fact that there are so many terms for variants of malware indicates what a thriving business exists to compromise your information security.

This downloaded malware can be difficult if not impossible to detect. It may spy on you, alter your system, make your device part of a "bot army" to attack others with SPAM or denial of service attacks, or simply slow down your system to frustrating levels so you go out and buy anti-malware software or another machine. 

So is this unstoppable? I think not. The problem only exists because we do not have an Internet-wide method to authenticate email. By authentication I mean verification that the email came from the source in the "sender" line of the email, including the name and the domain. It shouldn't say customer service@Facebook  if it came from a university in Uzbekistan. The Uzbek source should be revealed.

Current SPAM filtering solutions consist of some sort of filtering at the network or the PC level, and they don't reveal the details of the sender without looking up the source. It takes some work for the recipient. This will always put us one step behind the bad guys. DNS provides the necessary Internet-wide scaling and DNSSEC is the only way to achieve this authentication.

With DNSSEC adoption becoming inevitable we are going to get there. The fact that it is moving ahead so slowly is either because its usefulness is not well understood, or because many of the large players don't have solutions ready to go yet, or because they are making money off of our misfortune. You decide the correct answer.