Follow Me Network Lighthouse

Tag: Security

Who’s walking out with your secrets

by Daniel on Feb.01, 2009, under Security

While this is not my usual topic, there is something very wrong with this story, and it pays to remember how closely information security is tied to physical security:

Former Energy Worker Admits Trying To Sell Nuclear Secrets – Insider threats/Attacks – DarkReading.

The short of it is that a janitor managed to walk out of a US DoD site with a number of components developed as part of a nuclear research project. Having got them out, he tried selling them to the French Government. Fortunately it was the French, not some semi-hostile government, and so they reported him to the FBI, who arrested him.

What can we learn from this story? Firstly, treat your cleaners as if they are privy to your most sensitive secrets, because in all likelihood they are. Things get left on desks, in photocopiers and in 'secure' document disposal bins all the time, and cleaners often have unsupervised access to all parts of your offices.

Secondly, a number of vital security controls were either missing or failed for him to be able to take the components. Inventory control should have noticed that sensitive items were missing and sparked a full-scale investigation. The case also shows the weakness of manual security searches: why was he able to take equipment on and off site at all?


Payment Processor Breach May Be Largest Ever

by Daniel on Jan.25, 2009, under Security

Somewhere in the region of 100 million credit card numbers have been acquired from payment processor Heartland by cyber-criminals, in what is likely to be the largest breach of its kind to date.

Payment Processor Breach May Be Largest Ever – Security Fix.

What makes this worse is that Heartland was PCI DSS compliant, having passed its audit in April 2008. Undoubtedly this will bring about even further debate about the validity of the PCI standard.

-Daniel


Relative Password Strength

by Daniel on Dec.01, 2008, under Security

We are always told to choose strong passwords: over eight characters, with lower and upper case letters, numbers and symbols. But really, what difference does it make?

Let's have a look at four different classes of passwords, each 8 characters long:

A) Lower case letters only

B) Mixed case letters

C) Mixed case letters and digits

D) Mixed case letters, digits and 32 symbols

The table below shows the number of possible combinations for each class and the time to crack, based on Elcomsoft's rates for MD5 password recovery on a dual core processor (4.7 million passwords/second).

Class   Combinations                 Time to Crack
A       208,827,064,576              44 seconds
B       53,459,728,531,456           3 hours
C       218,340,105,584,896          12 hours
D       6,095,689,385,410,820        15 days

So you can see that a password with just lower case letters can be cracked in less than a minute! A password that covers the full spectrum of character types will take 15 days; that's a lot of extra effort to get into your account.

So what if you want a strong password, but you don't want to remember a string with upper case letters, numbers and symbols? Can a password containing just lower case letters provide as much protection as one that contains at least one character from each group? Absolutely, you just have to trade complexity for length. The table below shows how long a password of each class needs to be to be at least as strong as an 8-character class D password.

Class   Number of Characters
A       12
B       10
C       9
D       8

So if you want a password of lowercase letters that provides the same level of protection as the more complicated 8-character password, you'll need 12 characters.
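As an added example (not from the original post), the following Python reproduces both tables: the keyspace of each class, the time to exhaust it at a given guess rate, and the length at which each class matches an 8-character class D password. The guess rate is a parameter; the times in the table above come out when it is set to 4.7e9 guesses per second (at 4.7e6 they are about a thousand times longer), and the 32 symbols are assumed to be the ASCII punctuation set.

```python
import string

# Character classes from the post; string.punctuation is exactly 32 ASCII symbols (assumed).
CLASSES = {
    "A": string.ascii_lowercase,                                     # 26
    "B": string.ascii_letters,                                       # 52
    "C": string.ascii_letters + string.digits,                       # 62
    "D": string.ascii_letters + string.digits + string.punctuation,  # 94
}

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length

def seconds_to_exhaust(combinations: int, guesses_per_second: float) -> float:
    """Worst case for a brute-force search: every candidate is tried."""
    return combinations / guesses_per_second

def human_time(seconds: float) -> str:
    """Round down to the largest whole unit, as the post's table does."""
    for unit, size in (("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{int(seconds // size)} {unit}"
    return f"{int(seconds)} seconds"

def length_to_match(alphabet_size: int, target_size: int, target_length: int) -> int:
    """Smallest length whose keyspace is at least as large as the target's."""
    target = target_size ** target_length
    length = 1
    while alphabet_size ** length < target:
        length += 1
    return length

def tables(guesses_per_second: float = 4.7e9) -> list:
    """Rows of (class, alphabet size, combinations, crack time, length to match D@8)."""
    rows = []
    for name, alphabet in CLASSES.items():
        n = len(alphabet)
        combos = keyspace(n, 8)
        rows.append((name, n, combos,
                     human_time(seconds_to_exhaust(combos, guesses_per_second)),
                     length_to_match(n, len(CLASSES["D"]), 8)))
    return rows

if __name__ == "__main__":
    for name, n, combos, crack, need in tables():
        print(f"{name}: {n} chars, {combos:,} combinations, {crack}; "
              f"{need} chars needed to match an 8-char class D password")
```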

Of course, a password based on dictionary words is still not going to keep the bad guys at bay for long; it still needs to be a fairly random string of letters. There are plenty of ways to come up with good passwords, but that's another article.

-Daniel


The Changing Nature of CyberCrime Part 1 – Viruses and Worms

by Daniel on Nov.20, 2008, under Security

Over the last one or two years we have seen a fairly major shift in the methods of criminals working on the internet. In the past, viruses that spread rapidly and took down networks were the norm. Just cast your mind back to Code Red and Nimda (both from 2001) and Sasser (2004), and you'll get a feel for what I am talking about. All of these worms did massive amounts of damage during their limited life spans, and their primary purpose was to disrupt computer systems.

However, in the last couple of years there has been a shift to more organised criminal activities. The Storm worm (first appeared early 2008), which at its peak some researchers estimated had infected over 10 million machines, provides a great example of this.

The Storm botnet was created in such a manner that parts of it could be leased to others, who could then use them for trojan and spam distribution, DDoS attempts and other activities. While viruses and worms from previous generations of malware were designed to have a single payload, the purpose of Storm appeared to be focused on turning a profit.

Another indication of the changes I have alluded to is Microsoft's recent out-of-band release of the MS08-067 patch. In brief, this patch closed a flaw in all versions of Windows which, for Windows 2008 and XP at least, allowed remote code to be executed as the local service account. Several security experts were concerned about the potential for it to be used to create a worm of Code Red/Nimda proportions. This threat never really eventuated: there were a couple of worms that took advantage of this vulnerability, but nothing on that scale.

Why did the expected horror worm never eventuate? It appears (to me at least) that today's malware authors are not interested in high-profile activities carried out to make a name for themselves, and any worm based on MS08-067 was sure to gain additional publicity. Malware authors today are looking to create stealthier worms and trojans that go undetected for as long as possible, quietly stealing credit card data, sending spam and replicating themselves.

One example of how stealthy these new threats can be is Rustock.C; discovered in May 2008, it has been identified as being in the wild at least as far back as October 2007. It employed a number of very sophisticated techniques to hide itself and prevent itself from being analysed. No longer are malware authors working to build a name for themselves; they are looking to develop a product or service that can be sold for a profit, just like any other software company in the world.

It used to be the case that when your computer was infected with a virus, trojan or the like you would realise it eventually, because something bad would happen: CIH would destroy your partition table, Blaster caused network flooding and machine instability. These days you would be lucky to notice your machine running slowly before finding out months later that your credit card details had been stolen by a trojan running quietly in the background.

That’s all for this article, stay tuned for part 2, Identity Theft and Credit Card Fraud.

-Daniel

Wikipedia has a great resource, Timetable of notable Computer Viruses and Worms, from which information was taken for this article (a number of linked articles were also referenced).

