Insecure Mag 31

8/3/2019 Insecure Mag 31

http://slidepdf.com/reader/full/insecure-mag-31 1/77







Summer is slowly winding down and the security community continues its heavy work. Cyberthugs, obviously not slowed down by the heat, are in a severe need of a beat down.

Since the last issue of the magazine saw the light of day, we traveled the world and attendedBlack Hat in Las Vegas, the SecurityByte Conference in Bangalore and the fantastic Bitdefenderre-branding event in Romania.

Meeting security professionals at all these gatherings gave us the assurance of havingoutstanding and talented people on our side of the fight, and we hope that thought will encourageyou as it did us.

With that in mind, enjoy the 31st issue of (IN)SECURE!

Mirko ZorzEditor in Chief

Visit the magazine website at www.insecuremag.com

(IN)SECURE Magazine contactsFeedback and contributions: Mirko Zorz, Editor in Chief - [email protected]: Zeljka Zorz, News Editor - [email protected]: Berislav Kucan, Director of Marketing - [email protected]

Distribution

(IN)SECURE Magazine can be freely distributed in the form of the original, non modified PDFdocument. Distribution of modified versions of (IN)SECURE Magazine content is prohibitedwithout the explicit permission from the editor.

Copyright (IN)SECURE Magazine 2011.

www.insecuremag.com



Researchers identify flaws in theAdvanced Encryption Standard

Researchers have found a weakness in theAES algorithm. The attack applies to allversions of AES even if it used with a singlekey, and shows that finding the key of AES isfour times easier than previously believed; inother words, AES-128 is more like AES-126.

Even with the new attack, the effort to recovera key is still huge: the number of steps to findthe key for AES-128 is an 8 followed by 37

zeroes. To put this into perspective: on atrillion machines, that each could test a billionkeys per second, it would take more than twobillion years to recover an AES-128 key.

Because of these huge complexities, theattack has no practical implications on the

security of user data; however, it is the firstsignificant flaw that has been found in thewidely used AES algorithm and was confirmedby the designers.

The AES algorithm is used by hundreds ofmillions of users worldwide to protect internetbanking, wireless communications, and thedata on their hard disks.

It is also used in more than 1700 NIST-

validated products and thousands of others; ithas been standardized by NIST, ISO, andIEEE and it has been approved by the NSA forprotecting secret and even top secretinformation.

The attack is a result of a long-termcryptanalysis project carried out by AndreyBogdanov (K.U.Leuven, visiting MicrosoftResearch at the time of obtaining the results),Dmitry Khovratovich (Microsoft Research),and Christian Rechberger (ENS Paris, visitingMicrosoft Research).

www.insecuremag.com 5



Chinese mobile phone monitoringservice found

What do you think cyber crooks do with theinformation collected from mobile phones bymalware? Trend Micro has one of the answersto that question. Its researchers have recentlydiscovered a Chinese website that provides amobile phone monitoring service to thosewilling to pay between 2,000–3,600 Chineseyuan (US $300–540).

Once the payment is executed, the customeris provided with access to a backend server ofthe service, where all the collected informationcan be viewed.

The first step for every customer is to send outan MMS carrying the malicious payload to the

target's cell phone, and he or she cancustomize it in such a fashion as to appear itcomes from a phone number familiar to therecipient, making it more likely that theattached payload will be downloaded andinstalled.

Once installed, the malware is free to collectinformation and to send reports to thebackend service. Reports about executedphone call, sent text messages, emails andthe location of the device are also delivered.

For now, the service is available for those whowant to spy on someone using a phonerunning on Symbian or Windows Mobile, butthe researchers say that it is highly likely thatusers with Android devices won't be safe fromit for long.

Is this the phishing email thatcaused the RSA breach?

"I forward this file to you for review. Pleaseopen and view it," says simply the email thatis thought to have been the means ofdeploying the backdoor that resulted in themassive RSA breach in March.

Using a few of the details shared about it -namely, that the email contained an

attachment called 2011 Recruitment plan.xls,and "2011 Recruitment Plan" in the subjectline - F-Secure researcher Timo Hirvonen

burrowed for months in the malware databaseshared by Virus Total with security companies,in the hopes that the attached file wasuploaded for a check by someone.

As it turns out, both the email and theattachment were uploaded.

With a "From" email address spoofed to looklike it was coming from the web master of

recruiting website Beyond.com, it was sent toan EMC employee and CC'd to three otherson the 3rd of March.

The attached Excel spreadsheet contained aFlash object that was executed by Excel andtook advantage of a vulnerability to install thePoison Ivy backdoor on the victim's computer.

The backdoor then proceeded to contact aserver from which the attacker was able toaccess remotely the workstation and othernetwork drives, and from that, to the rest ofthe network.




Google servers as a DDoS tool

Google's servers can be used by cyberattackers to launch DDoS attacks, claimsSimone "R00T_ATI" Quatrini, a penetration

tester for Italian security consulting firm AIRSicurezza.

Quatrini discovered that two vulnerable pages- /_/sharebox/linkpreview/ and gadgets/proxy?- can be used to request any file type, whichGoogle+ will download and show - even if theattacker isn't logged into Google+.

By making many such request simultaneously- which he managed to do by using a shellscript he's written - he practically usedGoogle's bandwidth to orchestrate a smallDDoS attack against a server he owns.

He points out that his home bandwidth can't

exceed 6Mbps, and that the use of Google'sserver resulted in an output bandwidth of atleast 91Mbps.

"The advantage of using Google and makerequests through their servers, is to be evenmore anonymous when you attack some site(TOR+This method). The funny thing is thatApache will log Google IPs," says Quatrini."But beware: igadgets/proxy? will send yourIP in Apache log, if you want to attack, you’llneed to use /_/sharebox/linkpreview/."

He says he has discovered the flaws thatallow the attack on August 10 and that hecontacted Google's Security center about it.After 19 days of receiving no reply fromGoogle, he published his findings.

Linux source code repositorycompromised

The Kernel.org website - home to the Linuxproject and the primary repository for theLinux kernel source code - sports a warningnotifying its users of a security breach thatresulted in the compromise of several serversin its infrastructure.

The attackers are thought to have gained rootaccess on a server via a compromised usercredential, and to have escalated theirprivileges from there. After having done that,they proceeded to modify files belonging tossh (openssh, openssh-server and openssh-clients) and add a Trojan to the system start

up scripts so that it would run every time themachine was rebooted.

Luckily for everyone, the Linux kernel sourcecode is unlikely to have been tampered with.

"That's because kernel development takesplace using the git distributed revision controlsystem, designed by Linus Torvalds," it isexplained. "For each of the nearly 40,000 filesin the Linux kernel, a cryptographically secure

SHA-1 hash is calculated to uniquely definethe exact contents of that file. Git is designedso that the name of each version of the kerneldepends upon the complete developmenthistory leading up to that version. Once it ispublished, it is not possible to change the oldversions without it being noticed."

The Linux kernel sourcecode is unlikely to havebeen tampered with.




How the unredacted US cables wererevealed to the public

A few days after former WikiLeaks stafferHerbert Snorrason refused to say whoinadvertently made public the password forthe encrypted file containing unredacted USdiplomatic cables, some people managed topiece together the various hints dropped byinvolved parties and track down where it has

been published.

In short, the password has been always inplain sight, printed in the book by Guardian journalist David Leigh titled "Inside JulianAssange's War on Secrecy". The Guardianclaims that they were told by Assange that thepassword would be changed a few days afterthe journalist downloaded the file.

Unfortunately, the file was inadvertently pickedup by Daniel Domscheit-Berg when he left theorganization and took a dataset off the server

containing the file with him. Once he returnedthat which he took to WikiLeaks, the wholecontent was shared online via BitTorrent byWikiLeaks supporters, who were alsounaware that the file in question was there.

In the recent escalating war of words betweenDomscheit-Berg and Assange, the former tried

to prove that Assange and WikiLeaks couldn'tbe trusted with sensitive data. According toDer Spiegel, people associated withOpenLeaks began hinting of the existence ofthe file "in the wild".

Finally, somebody pointed Der Freitag - aGerman weekly publication and OpenLeakspartner - in the direction of the location of thepassword. They didn't share the actualinformation with the public, but confirmed thatanyone familiar with the material could find it.It took only a couple of days for that claim tobe proven right, and the password wasrevealed.

WikiLeaks accused the Guardian and its journalist of being responsible for the leak andhas spoken to the US State Department inorder to commence legal action against thepaper and the journalist, and to make sure

that the informants mentioned in the cableswere warned about the danger they might findthemselves in following this mess.

Japanese defense contractorbreached

Mitsubishi Heavy Industries has revealed thatits networks have been breached in what isconsidered the first cyber attack to hit Japan'sdefense industry.

According to Reuters and Japanesenewspaper Yomiuri Shimbun, the breach wasdiscovered on August 11, and theinvestigation mounted by the company

revealed the existence of some 80 infectedcomputers in the company headquarters inTokyo and various R&D and manufacturingsites in Kobe (nuclear power stationcomponents), Nagasaki (escort ships) and

Nagoya (guided missiles and rocket engines).

A variety of malware has been discovered onsaid computers, including an information-stealing Trojan. The company has admittedthat it is possible that confidential informationwas stolen by the attackers.

"We've found out that some systeminformation such as IP addresses have beenleaked and that's creepy enough," added a

company spokesman. "We can't rule out smallpossibilities of further information leakage butso far crucial data about our products ortechnologies have been kept safe."




Bots troll hacker forums to discoverdata breaches

Texas-based CSIdentity has managed todevelop software that can mimic the speechpatterns of cyber crooks, allowing thecompany to simultaneously engage a greatnumber of hackers looking to sell stoleninformation on online forums, chat rooms,

blogs, websites and torrent sources.

As is customary for this type of transaction,the crook usually offers a sample of the wareshe's selling to prove that it's good, and that isthe information that the firm is after. Thesoftware collects this proffered informationand sends it to the company's team of human

investigators to analyze and figure out fromwhere the information was stolen and towhom it belongs.The bots are quite adept at posing as cybercriminals or people involved in the trade ofstolen information. The company hasanalyzed thoroughly how these peopleinteract online, and the specific lingo is

recreated by the bots.

CSIdentity earns money from the companiesand organizations that have signed up for itsservices, and the main goal for retaining thoseservices is the ability to quickly discover thattheir systems have been compromised and itsinformation extracted.

Unfortunately, the bots are unable to help lawenforcement investigators involved in morecomplex sting operations aimed at well-organized cyber criminals usually coming fromEastern Europe and Russia. The bots shouldbe able to be taught the language, but theappropriateness of their reactions is simplynot to be trusted when it comes to suchdelicate operations.

Global cost of cybercrime? $114billion annually

For the first time a Norton study calculates thecost of global cybercrime: $114 billionannually. Based on the value victims surveyedplaced on time lost due to their cybercrime

experiences, an additional $274 billion waslost.

With 431 million adult victims globally in thepast year and at an annual price of $388billion globally based on financial losses andtime lost, cybercrime costs the worldsignificantly more than the global black marketin marijuana, cocaine and heroin combined($288 billion).

According to the Norton Cybercrime Report2011 more than two thirds of online adults (69percent) have been a victim of cybercrime intheir lifetime. Every second 14 adults becomea victim of cybercrime, resulting in more thanone million cybercrime victims every day.

The report reveals that 10 percent of adultsonline have experienced cybercrime on theirmobile phone. In fact, Symantec reported

there were 42 percent more mobilevulnerabilities in 2010 compared to 2009 – asign that cybercriminals are starting to focustheir efforts on the mobile space.




Windows 8 new security features

Setting aside usability, efficiency, speed andall the other things that are most important toregular users, what news does this previewbring to those of us most concerned aboutsecurity?

Windows 8 has a built-in antivirus that actuallyworks. "It stopped not only the EICAR test file,but more than a dozen malware items inMetasploit," confirmed a security instructorthat has been testing the beta version of thenew OS version.

Another crucial change is Microsoft'sabandonment of BIOS ROM in favor of Unified

Extensible Firmware Interface (UEFI), whichallows for a quicker boot up of the machine,but also things like automatic scanning of aUSB drive used to boot the OS.

This particular feature, which lets users bootup a portable Windows environment from anUSB drive, and the purposefully infected USB

triggered a warning about an "invalidsignature" and stopped the booting process.

Windows Defender, Microsoft's antispywaresoftware will also be upgraded "all the way upthough antimalware, antivirus," according toSteven Sinofsky, president of Microsoft'sWindows and Windows Live division, andusers will be able to chose if they want toemploy it or some other AV solution.

A curious new feature that will be available forusers of touchscreen-equipped PCs is theability to create passwords for accessing themachine by choosing a combination ofpictures and gestures (taps, circles, straightlines, etc.), which will surely be a welcomeaddition to those users whose memory ismore easily triggered by visuals and motions.

Botnet masters are spreading theirresources

Having noticed that in some of the top spamcountries the number of infected computersfalls by a few percents as in others rises bynearly the same amount, Kaspersky Labresearchers have analyzed the informationgathered on the top 11 countries on that listand have come to the conclusion that botnetsin various countries are very likely run by the

same people.

Taking into consideration the fact that the sizeof botnets continually changes and that thereare smaller, "local" botnets in every country

that interfere with the measuring of the weeklyspam traffic, they have noticed that some ofthese countries present a similar dynamicwhen it comes to spam distribution.

"Synchronous distribution of spam fromcountries located on different continents doesnot mean that computers in these countriesare united in one big botnet," explain theresearchers. "Several small zombie networks

can also operate synchronously, receivingcommands for distributions from the sameindividuals."

As botnets can be run from anywhere in theworld, it stands to reason that the bot herdershave decided to concentrate their infectionefforts on countries that still don't haveeffective laws regulating internet activity. Also,another logical step for them is to spread theirbotnets throughout various countries in case

that one of them comes to the conclusion thata nation-wide alert to infected users (alongwith disinfection instructions) is a good idea.




DigiNotar breach report revealslousy security practices

An interim report issued by security audit firmFox-IT, who has been hired to investigate theDigiNotar breach, revealed that things are farworse than we were led to believe.

"The most critical servers contain malicioussoftware that can normally be detected byanti-virus software," it says. "The separation ofcritical components was not functioning orwas not in place. We have strong indicationsthat the CA-servers, although physically very

securely placed in a tempest proofenvironment, were accessible over thenetwork from the management LAN."All CA servers were members of one Windowsdomain and all accessible with one user/ password combination. Moreover, the usedpassword was simple and susceptible tobrute-force attacks.

The software installed on public-facing webservers was outdated and unpatched, and noantivirus solution was installed on them. Therewas no secure central network logging inplace, and even though the IPS wasoperational, it is unknown why it didn't block atleast some of the attacks.

"In at least one script, fingerprints from thehacker are left on purpose, which were alsofound in the Comodo breach investigation ofMarch 2011," they revealed. "Parts of the logfiles, which would reveal more about thecreation of the signatures, have beendeleted."

Researchers steal 20GB of corporateemails via doppelganger domains

According to researchers from the GodaiGroup, there is an easy-to-execute type of

scheme that is likely already beingperpetrated by individuals located in China. Itconsists of using so-called "doppelgangerdomains" and mail servers for interceptingemails sent by mistake to them.

151 of the Fortune 500 companies profiled bythe two researchers are potentially vulnerableto this kind of attack, including IT companiessuch as Yahoo, Dell, Cisco, IBM, HP and IBM.

The main problem here is that almost all ofthose companies have regional subdomainsthat usually look something like this:xx.company.com (the "xx" stands for the top-

level domain of the countries where thecompany is present). As it turns out, people

quite often make the mistake of omitting thefirst fullstop when writing emails in a hurry.That would not represent such a big problem ifthese destination addresses were non-existent, but when someone takes the troubleto register a doppelganger domain, set up amail server for it and configure it to to receiveall email addressed to it, he is able to harvestall the information contained in thesemessages, without the company or the senderbeing none the wiser.

And this is exactly what the researchers did.The result? "During a six‐month span, over120,000 individual emails (or 20 gigabytes ofdata) were collected which included tradesecrets, business invoices, employee PII,network diagrams, usernames andpasswords, etc," they say.

All that information, and they were basicallydoing nothing. But, as they point out, thepossibilities don't end here. The attackers canalso execute a Man-in-the-MailBox type ofattack.








The potential scale of the breach was simplystaggering.

But Heartland was by no means a solitary blipon the security radar - far from it. If anything,the attack on Heartland’s systems was simplybusiness as usual. Hacking, and especiallystealing information from businesses, had en-

tered an industrial age.

The previous year, 2008, had also been a badone for big breaches. Earlier in the year, Han-naford Brothers, a Maine-based supermarketchain, announced that over 4 million creditcard numbers had been stolen in a breach.Also in 2008, 7-Eleven suffered a breach,while RBS Worldpay suffered a smaller, butno less embarrassing breach affecting its cus-tomers.

A pattern of attacks was emerging: hackerstargeted large processors of credit cards tosteal saleable information before moving on tothe next victim.

Anatomy of a hack

Apart from holding credit card data, the tar-gets of many of these criminal hacks had little

in common with each other. Nevertheless, theprocess of attacking them bore many similari-ties. Initially the attackers looked for a weak-ness in the victim’s systems. This might be assimple as a poorly configured computer, per-haps left with default usernames and pass-words or missing critical patches.

In other cases, vulnerabilities in the web-facing applications of the target were identifiedand used. These vulnerabilities often took the

form of improperly written code to read infor-mation from databases accessible through theweb application such as a customer accountdatabase. As such, the attacker could utilize atechnique known as an SQL injection attack toliterally turn the victims’ applications againstthemselves, and gain access to a trusted sys-tem inside the target’s defenses.

From that point onwards, the attackers contin-

ued to probe, looking for more systemicweaknesses, testing security (both technicalsecurity and the ability of the security person-nel to respond to attacks) while they plannedtheir next move.

Once a suitable target system was found andaccessed, the attackers would insert customsoftware to quietly and steadily steal informa-tion such as credit card data as it transitedthrough the network.

Once enough data was hauled in, the attack-ers would return and simply copy the informa-

tion, before sending it on to their customersand cashing the check.

This type of hacking was, and is, very com-mon. Indeed, even though SQL injection at-tacks have been well understood for tenyears, according to one recent study by Veri-zon and the US Secret Service this techniqueis still used in around one fifth of this kind ofcriminal attack. Indeed, it is this ability to con-tinue to use well-known (and therefore ad-dressable) vulnerabilities than enables hack-ing to be such a profitable enterprise.

One of the great ironies regarding this seriesof breaches is that some of the biggest oneswere perpetrated by a small team led by asingle hacker – Albert Gonzales. In fact, Mr.Gonzales - who is currently serving 20 yearsin prison - managed to organize and pull offsome of the largest data breaches in history

while simultaneously working as an informerand advisor to the US Government.

A new age of hacking

With the arrest and conviction of the man re-sponsible for such massive breaches, it mightbe thought that the security world would atleast experience a small reprieve from at-tacks. But even though the number of spec-tacular, big breaches hitting the headlines di-

minished, their absence simply masked a farmore serious problem.

As Kim Peretti, Former Senior Counselor,DOJ, said of Gonzalez, “…comparing him toother criminals out there, especially interna-tionally, (he was) towards the upper end butcertainly not at the top end of skill or ability.”

Unfortunately, that core of highly capable

criminal hackers usually operating outside ofthe US has been developing over the lastcouple of years, and they cooperate in target-ing, infiltrating and attacking systems for profit.




These attackers typically use highly custom-ized malware designed in such a way as tomake it extremely difficult to detect and evenharder to analyze after a breach has occurred.

Even the way in which organizations are tar-geted reflects this "business-centric" hackerethos. While some organizations are certainly

targeted specifically, in the majority of attacks

that have been studied the hackers were ac-tually searching for known vulnerabilities thatthey could exploit. If an organization exhibitedthese vulnerabilities, they became a target foran attack. If not, the hackers simply moved onto find a new target - it’s just more efficientand, sadly, there is no shortage of potentialtargets.

While some organizations are certainly targeted specifically, in the majority of

attacks that have been studied the hackers were actually searching for known

vulnerabilities that they could exploit.

The post-industrial age

While the hacker-for-profit world underwentchanges in the last few years, a new form ofhacking began to make its presence felt:hacktivism. The term actually goes back muchfurther, to the mid-1990s, and the act of at-tacking a computer system to make a politicalpoint predates that by at least a decade, but itis really within this last year that hacktivismhas become a staple of main stream discus-sion.

The title of “most famous hacktivist group”would probably have to be awarded to thehacker collective Anonymous, which sprangenergetically onto the cyber stage by perpe-trating a number of attacks on credit cardprocessors in defense of WikiLeaks, in addi-tion to attacks on Sony to retaliate their law-suit against George Hotz, who had “jailbroken”the Sony Playstation. Anonymous has alsobeen active for some time hacking govern-

ment sites around the world, including those inZimbabwe, Egypt, Tunisia and The Nether-lands.

Attacks often took the form of website de-facements, but also included Distributed De-nial of Service (DDoS) attacks, during whichsites are flooded with incoming requests andsimply get overwhelmed - a type of attack thatis troublesome and difficult to defend againstwithout adequate preparation.

Following hard on the heels of Anonymouscame the highly visible attacks of LulzSec, anapparently smaller but highly active hackinggroup who went on to target Sony, Fox, PBS

and high-profile government sites such asthose belonging to the FBI and the CIA. Al-

though LulzSec has been short-lived (there isevidence that other hacking groups turned onthem and have forced the group to disband) itseems unlikely that hacktivism as a whole willvanish with them.

If anything, we may stand on the brink of anew era of hacking in which distributed groupscan quickly form and make use of tools thatare readily available to cause disruption togovernment and business targets alike.

Building on success, APTs, and thescript-kiddie horde

Tools to attack systems are not just the pre-rogative of a professional criminals andhacker collectives. In fact, many automatedtools requiring little in the way of technical un-derstanding are freely available on the Webfor download. These tools enable a kind of

point and click hacking that has given rise to anew generation of so-called script kiddies -hackers who have little in the way of technicalknowledge beyond the rudiments necessaryto activate the programs.

While the technically adept hackers may scoffat the capabilities of these neophytes, theystill represent a potential problem for busi-nesses, if only because they can cause dis-ruption to online services and potentially

stumble upon valuable and poorly protectedinformation.

Of greater concern, though, are attacks fromthe other end of the capability spectrum.




These attacks originate from overseas anddon’t target saleable data such as credit cardinformation, but highly sensitive governmentor research information.

These threats are collectively referred to asAPTs, an acronym for Advanced PersistentThreats, and are generally considered to

originate mainly in the Asia-Pacific region. InJanuary of 2010, Google described how theirsystems had been under attack for approxi-mately a year in what later became known asOperation Aurora.

This attack also targeted a number of high-tech and defense businesses including Juni-per Networks, Yahoo!, Dow Chemical andseveral others. Analysis later showed that itwas highly likely the attack was state-sponsored and was certainly technically highlysophisticated.

These attacks typically use a combination oftried-and-tested social engineering methods(such as sending fake emails carrying mal-ware payloads) in addition to using undis-closed vulnerabilities in software to gain ac-cess to systems. And unlike with the “hackingfor cash”, these attacks are highly targeted.

The attackers continue to attack an organiza-tion’s systems for as long as it takes to find avulnerability and exploit it.

Despite the alarming nature of APTs, securityexperts disagree over how widespread suchattacks actually are - and in some cases sim-ple criminal hacking may be incorrectly cate-gorized as an APT. For most businesses, itseems likely that the professional criminal is agreater threat than state-sponsored cyberespionage.

For most businesses, it seems likely that the professional criminal is a greater

threat than state-sponsored cyber espionage.

Adding fuel to the fire

If the situation seems complex and difficult tomanage now, things may be about to get awhole lot worse.

One of the most powerfully disruptive forces atwork in the world of information technologymay be the concept of “cloud.” Cloud comput-ing models (at least public cloud models) es-sentially remove the physical hardware froman organization’s infrastructure and replace itwith services offered through the Internet.

While such services offer significant businessbenefits, including significant cost savings,rapid scalability and a high degree of self-service for business units, they also changethe security landscape significantly.

Without actual physical control over the sys-tems, security becomes much harder to en-force and measure. Add to that the fact that

these systems may well be shared with othercompanies, and that they must be accessedremotely, and the problems of securing tradi-tional, brick-and-mortar IT infrastructure mayseem small by comparison.

Cloud computing has the potential to funda-mentally change the face of malicious hacking

in ways that are hard to predict at this point.There are, however, two elements that are dif-ficult to dispute.

The first is that cloud models provide a high-degree of centralization of resources. Publicclouds, the kind that are shared betweenmany organizations, will become large reposi-tories for information. Much of it will undoubt-edly be of little value but, as business aredriven by economic pressures to outsourcemore and more of their core business func-tions to cloud providers, more and more sensi-tive, and saleable, information will reside outthere, in the cloud. That means that cloudproviders could become the ideal target forhackers.

Willie Sutton, the prolific 1930s bank robber,famously responded to the question, “Why doyou rob banks?” with the quip, “Because that’s

where the money is.” If the same logic is ap-plied to data theft, then cloud providers shouldexpect to receive increasing and unwelcomeattention from cyber criminals as the value oftheir data stores rises.




The second effect of cloud computing oncriminal hacking is that it may offer capabilitiesand tools on a previously unimaginable scale.

The capability of cloud computing models toscale services at incredibly low cost meansthat for very modest fees significant comput-ing resources can become available to indi-

viduals with nothing more than some technicalskill and a credit card (theirs or someoneelse’s.)

In January of 2011, Thomas Roth, a Germansecurity consultant, claimed to have cracked aWPA wireless network key using Amazon’sElastic Compute Cloud (EC2), in around 20minutes at a total cost of less than $10.

While other researchers have pointed out thatthe passwords in these cases were short (6characters) and therefore relatively insecure,the simple fact that cloud resources offer somuch power on tap for so little cost is con-cerning.

Perhaps more concerning is the capability toleverage cloud resources to perform denial ofservice attacks, or host very large botnets (ashas already happened).

This also raises the specter a cloud servicebeing utilized by hackers to attack other cloudstorage providers, or even itself.

Clearly, combining a highly powerful tool setwith a new model for keeping information se-cure presents both opportunities to improvethe way security is handled as well as signifi-cant risks. Such an opportunity will be to im-plement more effective and consistent security

across public cloud environments possiblewith the limited resources of any individualcompany.

However, it will require investment and com-mitment on the part of the cloud providers,and their customers, to stake a claim to thenew frontier of computing, ahead of thehacker/cracker communities.

Conclusion

Hacking is a term loaded with many mean-ings. While its original usage was intended tocarry no pejorative meaning, it has sadly be-come synonymous with malicious and oftenillegal activity.

While many (probably most) hackers aregenuinely beneficial to the development oftechnology, the criminal minority, so often inthe headlines, now seems to have co-optedthe term in the minds of the public.

Malicious hacking itself has gone through anequivalent evolution -- from pranks to isolated,technically adept attacks and now to full-scaleorganized criminal activities. Yet I believe wehave still to see the full emergence of the newface of malicious hacking.

The new hackers will be highly organized andwill continue to utilize emerging technologiessuch as cloud, perhaps even ahead of legiti-mate uses, to enhance their capability to per-form attacks.

However, there is hope that the threats fromsuch hackers can be at least reduced. With

the change to highly distributed models ofcomputing there comes an opportunity to re-write the rules for security of systems anddata.

The upheaval of the IT landscape, which weare just beginning to see, can be used tochange the playing field to our advantage andwill not necessarily only serve to benefit at-tackers -- if we can act quickly enough and ina sufficiently collaborative way.

Sharing information about attacks, greateropenness about the way in which cloud sys-tems are implemented, and a willingness toinvest in improving security will pay greaterdividends now as the change to cloud is oc-curring, rather than waiting until it is too late -before the hackers once again set the termsof the engagement in their favor.

Chris Burchett is an expert in both embedded firmware and enterprise software, and is the author of numerouspatents. Since co-founding Credant (www.credant.com) in 2001 he has been the driving force behind the tech-nical direction of the their product line. Burchett currently leads the development effort and product manage-ment team.




Over the years, I reviewed a number of secure USB devices that provide on-

board encryption, offering an easy and secure way to migrate data. Crypto

Adapter is a step up from this usual concept and offers its users a higher

class of authentication combined with the possibility of transforming any USB

drive into a secure one.

Patented by Norwegian company High Den-sity Devices, [hiddn] is a top of the line, fulldisk encryption technology whose featuresinclude the possibility of setting key lifetime,read-only/write only keys, up to 32 differentAES 256 bits encryption keys per user, a cus-tom Master Boot Record, forensic capabilitiesand split key functionality.

[hiddn] is the basis of the company's productline that ranges from this type of a standalonedevice to laptop, desktop and even a SATAcomputer bus interface.

This article is based on the Crypto AdapterSOHO version, i.e. two devices that arepaired to work as a "team".

The scenario I mostly practiced with this setupis using one device in my work environment

and leaving one at home.

Crypto Adapter is a PIN-based input devicethat comes with an additional authentication

factor - a smart card. Encryption keys arestored on the smart card you receive andeach card has its own unique six-number PIN.

Crypto Adapter connects to your computer viaan USB port. On the top of the device is anUSB slot where you insert your portable me-dia. When doing this for the first time, have inmind that the content of the drive will be com-

pletely erased since the drive needs a freshstart for the encryption.

When you insert your smart card and enterthe right PIN code, the computer will mountthe USB drive and you can use it as any typi-cal USB drive.

Crypto Adapter is all about hardware encryp-tion and I liked the fact that no software appli-cation has to be installed on the computer.

The device also doesn't need the user to haveadministrative privileges.








As early as 2005, many industry analysts predicted “consumerization” - the

introduction of consumer-owned/purchased devices into enterprise and busi-

ness environments - would become one of the most important technology

trends through the next 10 years (Gartner 2005).

Six years later, the prediction has proven true. Employees now rely on per-

sonal smartphones, tablets or other mobile devices to send or receive corpo-

rate email, exchange sensitive information and intellectual property, and even

access enterprise networks and applications.

Earlier this year, Gartner also surveyed to-day's CIO to gain perspective on consumeri-zation in the enterprise. Gartner vice presidentNick Jones’ report, "CIO Attitudes towardsConsumerization of Mobile Devices and Appli-cations," shows that U.S.-based respondentsbelieve that in two years, approximately 38percent of their employees will be usingemployee-purchased mobile devices in theenterprise.

This technology migration introduces severalIT security challenges, including identity ac-cess management (IAM) obstacles, mobilesecurity and authentication requirements,compliance enforcement and general security

policy. In fact, a late 2010 Morgan Stanley re-port, "Ten Questions Internet Execs ShouldAsk & Answer," states the market will hit aninflection point in 2012 where, conservatively,shipments of mobile devices and smartphoneswill surpass those of PCs. Understanding thisshift, technology vendors like Dell, Apple, HPand Microsoft are heavily investing in the mo-bile consumer space.

Explosive growth: Mobile devices take

over

Any number of logical reasons serve as cata-lysts for the growth of mobile device use -price, expansion of Wi-Fi, faster cellular data




speeds, always-on simplicity, or the ease offinding, installing and using mobile applica-tions.

And as the mobile market share grows, so toohave the challenges around mobility in the en-terprise. The technology convergence of workand personal lives is real. But organizations

shouldn’t shy away from this shift. It’s a per-manent change in how people live, not a trendor fad.

As enterprise-specific applications are intro-duced — whether from the organization orthird-party developers — efficiency will growexponentially. In a 2010 Forrester study, “In-sights for CIOs: Make Mobility Standard Busi-ness Practice,” senior advisor Tim Sheedyfound that “around 75 percent of organizationsdeploy mobile applications to increase workerproductivity, and 65 percent to increase em-ployee responsiveness.”

It’s also important, however, to embrace em-ployee lifestyles during the development ofnew mobile strategies. Not every person willown the same device (e.g., Apple iPhone vs.

Android), so broad interoperability will be nec-essary. The same Sheedy study discoveredinteresting growth statistics for enterprise en-vironments once dominated by BlackBerry-friendly infrastructure.

While the RIM devices are supported by ap-proximately 70 percent of enterprises in

Europe and North America, Forrester releasedfindings in April 2010 (Enterprise and SMBNetworks And Telecommunications Survey,North America And Europe, Q1 2010) thatshows support for Windows Mobile (41 per-cent), Apple iOS (29 percent) and Google An-droid (13 percent) is growing quickly in thecorporate realm.

Additional evidence even goes beyond con-sumerization; 51 percent of enterprises plan topurchase tablets for employees in the next 12months, according to a February 2011 MorganStanley Blue Paper, “Tablet Demand and Dis-ruption Mobile Users Come of Age.” This is inaddition to another 16 percent of organiza-tions that already allow employees to connectto sensitive networks with their own device.

THE TECHNOLOGY CONVERGENCE OF WORK AND PERSONAL LIVES IS REAL

Lifestyle convergence

Logically, true consumerization began when,in mass, consumers began purchasing mobiledevices for personal use. Being affordable,easy to use and always on, the mobile plat-forms became the centerpiece of consumerlifestyles. And it didn’t take long before this

reliance shifted to the enterprise space.

Dual-purpose applications became availablethat further enabled convergence of personaland professional lives.

While five years ago it was mainly voice-onlyuse, mobile device capabilities quickly ex-panded to email, calendar management, col-laboration, business applications, general cor-

porate connectivity and more.

With this growth, more opportunity for risk wasintroduced.

Mobile platforms at risk

Mobile growth has increased the incidence offraud targeting mobile devices. Whether sim-ple rogue text messages, fictitious billingscams or more malicious attacks using mal-ware installed on the device, the number ofattacks grow at an alarming rate; mobile mal-

ware increased by more than 45 percent in2010. And with less education about mobilethreats, users seem more inclined to fall victimto them during mobile sessions.

Further, online-banking users - both consum-ers and commercial users - continue to be thetarget of sophisticated attacks. Financial insti-tutions are targeted by advanced malwarethreats that leave many traditional safeguards

ineffective. Instead of phishing attacks thatlead to fake websites designed to harvest us-ernames and passwords, the techniques arenow more sophisticated and effective againstpreviously deployed defenses.






The nature of the server-based technologybegs the question: does it even make senseto have centralized IT infrastructure?

A secure resolution

With the ubiquity of mobile devices estab-lished, what are the answers to solving the

aforementioned challenges? And how canmobile devices themselves be used to actuallyincrease enterprise security?

In short, organizations should layer securitytechniques and capabilities. Ideally, this ap-proach is already the basis for generalidentity-based security within the enterprise,but it’s equally valid for the mobile space.

Core to this theory is the use of a versatileauthentication platform. This approachauthenticates all identities - whether human,software or machine - within a government,enterprise or consumer space. Specific meth-

ods and technology are available that help se-cure the mobile platform, as well as transformthe mobile device itself into a layer of the se-curity architecture. The end goal is to secureevery possible attack point to help reduce thevulnerability - whether perceived or realized -of mobile platforms.

Increasingly, organizations understand mobiledevices are an important component to end-user lifestyles. Many carry their mobile deviceat all times, making it a prime candidate toserve as an identity credential. This behaviordictates that smartphones or mobile deviceswill increase end-user adoption becausethey’re rarely “forgotten at home.”

In fact, mobile devices are able provide evenmore security than what is available on themarket today. As the market matures, and or-ganizations adopt mobile as a credential, wewill likely see many uses for mobile devices.

MOBILE DEVICES ARE ABLE PROVIDE EVEN MORE SECURITY THAN WHAT IS

AVAILABLE ON THE MARKET TODAY

Mobile authenticationTransparent soft token An authentication software module is embed-ded within the mobile application. End-userswill only enter usernames and passwords intoapplication fields. The mobile applicationautomatically accesses the custom authenti-cation module to generate a one-time-passcode (OTP) token in the background. TheOTP token, along with the unique user ID, istransparently sent to the secure server. This

all occurs in real-time with little user input.

Digital certificates Leveraged more in the enterprise, digital cer-tificates identify and secure a multitude oftransactions, identities or communication.They enable trusted device authentication foraccess to corporate applications, VPNs, serv-ers and more.

Mobile as a credentialMobile smartcard reader This is a mode of operation where a mobiledevice is used to read smartcards. For exam-ple, an employee can use a mobile device to

read a smartcard, then use out-of-bandauthentication to gain access to a laptop/ desktop or even verify a transaction. It alsohas practical applications for online-bankingcustomers. In all examples, a smartphoneequipped with RFID-reading capabilities, andpossibly dedicated software, is required.

Mobile device as a smartcard Similar to the mobile credential, this is a modeof operation where a mobile device is the cre-

dential, replacing the need for a physicalsmartcard. In the enterprise, end-users canbring their mobile device near a desktop orlaptop for secure authentication. This isachieved via wireless, proximity-based trans-mission technology such as Bluetooth and/ornear field communication (NFC).

Transaction verificationBasic transaction approval

Real-time transaction verification - right on auser's mobile device - is one of the most ad-vanced methods of stopping malware and on-line fraud. This is particularly useful for enter-prises and financial institutions as organized






Here are some of the Twitter feeds we follow closely and can recommend to anyone interested inlearning more about security, as well as engaging in interesting conversations on the subject.

If you want to suggest an account to be added to this list, send a message to @helpnetsecurity on Twitter. Our favorites for this issue are:

@mattcuttsMatt Cutts - Head of the webspam team at Google.

http://twitter.com/mattcutts

@TimelessPTimeless Prototype - Security Analyst.

http://twitter.com/TimelessP

@WeldPondChris Wysopal - Veracode CTO and co-founder.

http://twitter.com/weldpond

@0xcharlieCharlie Miller - Accuvant LABS principal research consultant.http://twitter.com/0xcharlie




SecurityByte 2011 is India's largest security conference. The event featured

over 30 talks with 3 parallel tracks, challenging War games and thought-

provoking panel discussions.

Located twenty kilometers south of the city ofBangalore, Electronic City is the Indian ver-sion of Silicon Valley. Ever since the firstphase of the project was finalized, the areahas specialized in attracting technology com-panies.

In the early 1990s, P.V. Narasimha Rao (theIndian Prime Minister at the time) started

working on the liberalization of the Indianeconomy and soon - as a result of a success-ful combination of great ideas and a vision -this part of the Karnataka state became THEplace for global technology outsourcing.

While flying here to Bangalore, I read a bookthat identified Texas Instruments as the firsttech company that opened its offices in thisarea. Nowadays, while driving around Elec-tronic City you will see big buildings with fa-

miliar names such as HP, Siemens, 3M and,of course, some of the India's own mega-companies like Wipro and Infosys. These or-ganizations provide jobs, but it is also impor-

tant to note that the area hosts a large num-ber of educational institutions, mainly special-izing in economics, engineering and IT.

After the inaugural event in New Delhi, held inNovember 2009, the SecurityByte team isback with this year's edition of the conference.The move to Bangalore was strategic anddefinitely makes sense - there is no better

place for hosting an information security con-ference than the IT capital of India. The eventwas planned to be held at the Sheraton hotelin center of Bangalore, but a couple of monthsago a definitive decision was made to host itin the Electronic City's deluxe Crowne Plaza.

This year's conference is organized in threeparallel tracks - technical, management anddeveloper - but if you ask me, for an audienceof around 600 individuals, that is one track too

many.

The event started with a series of keynotes byinfluential people in information security,




as well as those in the local government.

Dr. Whitfield Diffie, one of the icons of the in-dustry who now serves as VP for InformationSecurity at ICANN and Scientific Advisor toUniken (one of the event sponsors - a globaltechnology solutions provider with innovationcenter in Pune, India), addressed the public

first.

He talked about the importance of the inven-tion of the radio back in the day and how theaddition of cryptography had a huge impacton its usage, and compared that with cloudcomputing and the absolute need for new en-cryption mechanisms for it. He believes thatcloud computing is as revolutionary as the ra-dio was a hundred years ago.

Everybody welcomed the networking opportunities during breaks.

As controversial as it might initially sound, Dr.Diffie also explained that he does not sharethe opinion of one of his colleagues who saidthat if he had the chance to go back in timeand build the Internet from scratch, he wouldintegrate strong authentication mechanisms init.

"The incredible, commercial and cultural forcethat is the Internet is something that would not

come about without the free communicationthat the lack of authentication produces," hesaid, and added that he strongly believes thatauthentication mechanisms would have killedthe Internet.

The second keynote speaker was EdwardSchwartz, RSA's CSO who was hired after thebreach. He shared his opinion that we cannotprotect everything and that in a number ofdaily information security programs there area lot of aspects that are mostly waste of time.

He also noted that there are three winningstrategies we should employ:

• Information centricity (understanding whatreally matters to us versus the broad view;knowing what is useful for the information as-surance process and making that opera-tional).




Edward Schwartz, VP and Divisional CISO, RSA.

• Risk focus (developing adversary-based

threat model).

• Agility (certain aspects of security principlesshould be built-in from scratch).

The first day keynotes were closed byspeeches by His Excellency Shri HR Bhard-waj, The Governor of Karnataka and Shri S.Prabhu, Principal Account General of Karna-taka. They applauded SecurityByte's move to

India and stressed out the importance of posi-tioning Bangalore as a center of IT and secu-rity research, as well as pointing out the needfor a nodal agency that would deal with cybersecurity.

According to Mr. Prabhu, SecurityByte is aperfect example of a public/private partner-ship and that the level of research and knowl-edge that will be shown at the event shouldbe continued in Bangalore on a more perma-

nent level.

After the keynotes, I attended a couple oftalks. Two of the most interesting ones were

"Implementing a Joint Computer Emergency

Response Team (J-CERT)" by John Bumgar-ner, Chief Technology Officer of the U.S. Cy-ber Consequences Unit, and "From Printer toOwned: Leveraging Multifunction PrintersDuring Penetration Testing", held by seniorsecurity engineer Deral Heiland who alreadyexhibited variations of this presentation to fullypacked rooms at ShmooCon and Defcon.

Mr. Bumgarner is a person with immense ex-

perience in intelligence and information secu-rity and his speech was an interesting take onthe current status of global intra-CERT rela-tions as told through the perspective of cyberconflicts and the events such as the Georgiancyber war.

The conclusion is that joint CERTs are a wayto go, but prior to this there is a need for es-tablishing international standards.

Deral Heiland's talk on hacking printers is areality check that shows how easy you canwreak damage with multi-functional printers incorporate environments.




The majority of printers connected to localnetworks - and some of them connected to

the Internet - contain some type of a vulner-ability.

His Excellency Shri HR Bhardwaj, The Governor of Karnataka.

If you ask yourself how can a printer endan-ger your network, just think about some of theusual functions in these type of devices -scanning to files, saving copies locally, LDAPconnectivity, sending over email and so on.

All of these functions can produce some typeof data that can either generate information

disclosure or become the first phase of a suc-cessful full network compromise.

The practical examples he talked aboutshowed that the current status of security ofthese devices makes it seem like we are back

in the mid 1990s.

Berislav Kucan is the Marketing Director of (IN)SECURE Magazine and Help Net Security.






Cloud computing is enjoying tremendous growth. But like any nascent tech-

nology, it is not without its challenges. In fact, many consumers of cloud

computing state that security remains a significant inhibitor to widespreadadoption despite the fact they are already in the cloud. However, the cloud

has the promise to be more secure than traditional enterprises, especially

when designed to meet unique industry demands and regulations.

Ultimately, many of us are already accessingservices in the cloud as individuals, if not on alarger scale as organizations. We may lever-age a web-based set of sales tools, connect to

our company via our mobile device or get ouremail from the web - all these things are de-livered via the cloud.

When we look at how cloud has permeatedour lives, the security question goes beyondwhether the cloud provider has the right levelof confidence required. Organizations nowneed to consider the best way to leverage thecloud in a secure manner.

More importantly, companies need to ask howthey can adopt cloud technology given theprobability that they will likely have multipleinstances of clouds in an organization. In re-sponse to the last challenge, I often recom-

mend to clients to assess their foundationalcontrols over cloud security.

Although foundational controls sounds like a

cool new phrase, it’s really a structure thatprovides a framework for applying an organi-zation’s unique security needs and considera-tions to cloud computing.

Foundational controls are the subset of con-trols that capture the security culture of theorganization, and provide the basis for howthe organization implements security and ap-plies that security to both its internal and ex-ternal obligations. Once established, these

controls can be leveraged to span the multipleinstances of cloud and at the same timecommunicate what is important to the organi-zation and why in as simple a form as possi-ble.




After all, one of the biggest challenges in de-veloping the right security approach is notnecessarily addressing one specific threat butin the understanding and application of theright security approach.

So what exactly are foundational controls?Simply put, they are high-level security cate-

gories that represent the organization culture.Overall, an organization rarely exceeds 70 orso controls, and rarely has less than 20 con-trols over security. They are something every-one in the company should be able to com-municate and understand. In fact, they oftenappear throughout the organization’s day today operations.

This leads to the question of how organiza-tions should benefit from foundational controlsin the real world. Ultimately, foundational con-trols form a basis for cloud adoption. Let’s as-sume an organization has decided to pur-chase expensive software-as-a-service offer-

ing from a vendor. The organization would firstassess the foundational controls to provide aguideline for attributes that the customer musthave in each cloud instance. In this case,maybe the vendor has a different passwordpolicy - for example, it requires six characters,but the foundational controls dictate that anorganization needs at least eight.

Clearly, that vendor does not align with theorganization’s culture, so they might decidenot to engage with them. At the same time,the next vendor has a minimum passwordlength of nine. One might assume that makesit more secure, but in reality that may not bethe case. The fact that the vendor and clientpolicies don’t correlate means that it’s notpossible for employees to have consistency.If we were to expand that example to five or10 clouds - all with different policies and rules- employees would then be attempting tomanage multiple discreet passwords.

ONE OF THE BIGGEST CHALLENGES IN DEVELOPING THE RIGHT SECURITY

APPROACH IS NOT NECESSARILY ADDRESSING ONE SPECIFIC THREAT

BUT IN THE UNDERSTANDING AND APPLICATION OF THE RIGHT

SECURITY APPROACH

In the above example, it can be seen howfoundational controls might shape an en-gagement. Let’s consider one more scenario,which is occurring every day for consumers ofthe cloud. An organization could decide to usecollaborative software as a service cloud toreduce collaboration costs. The CIO or IT pro-fessional is aware that his or her organizationhas specific regulatory requirements it mustadhere to, but is unclear what needs to becaptured or how interfaces occur.

Fortunately he has a foundational control as-sessment, which describes how clouds aregoverned, and can leverage this information toensure that interfaces and/or reports exist thatenable the company’s auditors to evaluate thecloud.

So where does an organization start whenidentifying foundational controls? The bestplace to begin when building a list of founda-tional controls is to look at the existing gov-

ernance models for your organization. Most ofthe key controls for operation in organizationshave a security slant. For example, an organi-zation may have a key control over operationsfor Sarbanes-Oxley compliance, which statesthat only authorized personnel have access toyour company’s chart of accounts. The IT pro-fessional doesn’t need to actually know what achart of accounts means, but what he doesneed to know is that the company believes inlimited access to some types of information.

As the IT professional looks across the com-pany’s business controls, he will probably no-tice that the phrase “only authorized persons”appears quite a bit. This indicates that from afoundational level, the company values privi-lege access to certain data or applications. It’sreally quite simple, in fact the company’s lead

IT executive or security executive alreadyknows what the foundational controls are; they

just need to be documented in the cloud secu-rity plan.




As those controls are documented, it helps tocategorize them into key areas that simplifyunderstanding. At IBM, we have identifiedeight key areas for organizing foundationalcontrols:

Access and identity - In this area we includeall foundational concepts relative to how ac-

cess and identity should be applied across allcloud engagements. This can sometimes re-sult in improvements as to how access andidentity is currently managed, as it requires aretrospective look at how we address who hasaccess, and who really should have access toinformation.

Data protection - This category really fo-cuses on understanding that certain classes ofdata have different needs, and the ways theorganization approaches those needs. Whenone looks at cloud security, the notion of pro-tecting only what’s inside a building’s wallsbecomes limited. Instead, the focus is on iden-tifying data and figuring out how it can be pro-tected at a granular level. Also, organizationsmight ask if they really have the right levels ofprotection for the information in their cloud.

Release management - Organizations often

leap to the cloud without thinking about theconsequences associated with moving be-yond the confines of their traditional environ-ments. Release management sets guidelinesfor how information and solutions migrate tothe cloud, especially in terms of complex sys-tems that have interdependencies, whichmight result in failures or increase vulnerabili-ties.

Security event and vulnerability manage-

ment - This category deals with setting guide-lines for what should be monitored in thecloud and how - a key challenge for thosemoving to the cloud. This is combined withspecifying how patches are managed and ap-plied, which can help reduce the cloud threatlandscape dramatically.

Physical security - Identifying key physicalsecurity requirements relative to who has ac-

cess and what redundancy exists can enable

an organization to survive major catastrophicevents.

Problem management - The problem man-agement controls subset provides clarity as tohow to address issues and who really needsto be aware of events. By documenting keyresources for events, organizations can more

rapidly respond to events and mitigate dam-ages and/or vulnerabilities.

Governance and compliance - Auditing re-mains a key challenge to cloud adoption. Of-ten there are explicit needs for audit and com-pliance identified by the organization, and fail-ure to consider the challenges the cloudbrings can create immense challenges for or-ganizations. More important is creating astructure that enables active monitoring ofcloud technologies, which is key to successfulutilization of cloud technologies.

Change and configuration management -The cloud is by its very nature dynamic. As aresult, the evolution and life cycle of cloud im-plementations make it prone to the inadvertentintroduction of vulnerabilities. This also offersa fertile ground for the introduction of mali-cious code as elements are reverting through

their various life cycles. Having controls thathelp the organization manage cloud instancesreduces the probability that such vulnerabili-ties will be exposed in the cloud.

Foundational controls help to navigate thecritical details that shape an organization’s fu-ture experience with the cloud. By leveragingthis critical tool in cloud efforts, an IT profes-sional can more easily select a vendor whichwill work best with the organization and not

require special security bridges, which reducethe value proposition of the cloud for the or-ganization. Foundational controls also help tobuild continuity between cloud initiatives byremoving the skills and resource challengesassociated with managing multiple cloud in-stances. While foundational controls are notan end-all solution to a company’s cloudneeds, they do represent the first step in the

journey to secure cloud computing.

Harold Moss is the CTO Cloud Computing Strategy, IBM (www.ibm.com).




The security of data is defined through the fol-lowing three parameters:

• Availability• Integrity• Confidentiality.

Classification is the approach to standardizeor categorize something according to specifiedclasses in order to sort out special attributesor subjects from a group of assets. Commonly,data has been – if at all – classified only by itsconfidentiality (sensitivity) requirements.

This has often led people to focus mainly onaccess control, and to a lot of money beingspent on additional assessment rounds focus-ing on availability and integrity control.

Thesis

1. Data has to be independently classifiedbased on availability, integrity and confidential-ity.

2. Classification needs to be data-centric, notfocusing on the systems or databases (those

will be addressed after the classification isdone), and to be stored within the data itself.This way, the data keeps these attributes whileit “travels” through the infrastructure anddoesn’t rely on source systems. It will, there-fore, allow decentralized filters or decisioncontrols of what needs to be done with thisdata.

3. Finally, to allow for an easy to understanddata and control markup, I introduce theOberlaender-(C³) cube. It will also help to fol-low the necessary (and to be defined) prac-

tices and mechanisms to safeguard such datathat is available in printed (document) form.On one hand, this approach serves for the se-cure control of the data flow(s), on the otherhand it supports a pragmatic organizationalimplementation of data security measures.

Data owner

As a matter of principle, it will be defined thatall data will get assigned an owner (in the

sense of an administrator), whose duty is toclassify the data according to a data classifica-tion table. From a legal (property-rights) per-spective, the data of cause is and will remain




the property of the company or owner. Theherein described data owner (or trustee) (inanalogy to the Bell-LaPadula model -tinyurl.com/68uhkoz) is the person responsiblefor the correct allocation of the data into one ofthe classes provided in the next paragraph.This same person also serves as "administra-tor" for any possibly upcoming reclassifica-

tions.

Fundamentally, the person who creates thedata for the first time becomes the data ownerin the above sense. In cases where data iscreated by an automated process, the processowner (who created/designed the process) isthe formal data owner. This role can later betransferred to another person, but as a resultof that it may never become "empty" ("void" orunassigned to a real existing person). For ex-isting data, appropriate terms will be defined inwhich the data will be assigned (to the owner)and afterwards be classified.

The objective of this approach is that, in thelong run, all data will be classified accordinglyto achieve an economic and relevant securehandling and custody of this data. Upon theleave or change of an employee, the role ofthe data owner will be assigned to the respec-

tive manager until the role is assigned to an-other real person. This may happen in a re-cursive way upwards in the organizationalstructure (ultimately the CEO and the board ofdirectors of the company is data owner in theabove sense).

Data classification table

The table below is a reality-based example ofhow one could define the different levels andrelated requirements for the three-parameter-approach defined earlier.

The specified damage values need to beadapted to each company or property ownerwilling to use the presented classification ap-proach. To provide a common ground, I used apercentage value of the IT budget. This willallow for a realistic and value based classifica-tion, and is a necessary step for the adopter ofthe scheme presented in this article.

The below listed classes may exist in allcolumn-combinations (see also further belowthe C³) – the columns are (mathematicallyspoken) "orthogonal" to each other.

Level

/ Class

Availability Integrity Confidentiality

0 Unclassified.~90% as a guidance level.Recoverability not guaranteed.

Unclassified.

Integrity not guaranteed.

Unclassified.

Confidentiality not guaranteed.

1 Offline Backup, one-time stor-age (de-duplication acceptable),

99% <= 0.5 week recovery timeobjective.

The loss of the availability ofthis kind of data for several daysis uncritical, but must be possi-ble nevertheless.

The maximum possible damageis <= 0.01% of IT budget.

Ex.: archived historic data, older

emails (older than a year), oldannual reports (>3 years).

CRC or similar checksums.

The loss of the integrity ofthis kind of data calls for alimited work effort, but isnegligible. The maximumpossible damage is <=0.01% of IT budget.

If the error will be recog-nized depends on theuser’s discretion and is notcritical for the organization.

Ex.: standard documents,simple architectural plans,telephone lists, internalemails, project plans, priceinformation.

Un-restricted.

This kind of data doesn’t needto be encrypted.

Information, which may becomepublic without risk for the partiesinvolved at the time of the clas-sification.

The maximum possible damageis <= 0.01% of IT budget.

Ex.: year end (annual) reports,

public website content.




Level

/ Class


2 Online backup.

99.9% <= 1 day recovery timeobjective.

The loss of availability of this

kind of data for a maximum of 1day is uncritical, but needs to bepossible during this time period.

It doesn’t create a directlymeasurable damage, but withfurther delay an image damagemight occur, or a maximumpossible damage <= 0.1% of ITbudget.

Ex.: normal documents, emails(newer than one year), actualprice information, productcharts, brochures, telephonelists.

HASH MD-5 / SHA-1 with-out time-stamp.

The loss of the integrity ofthis kind of data entails aheightened work effort forthe re-creation of the data,or leads to a direct loss.

Maximum possible dam-age <= 0.1% of IT budget.

It is necessary that the er-ror is recognized, thereforea hash is being required.Unintended change to thedata by third parties should

be barred.

Ex.: product information,network / infrastructureplans.

Internal.

Information which is only to beseen by the persons directly in-volved in the case at hand.Therefore, this data needs to besymmetrically encrypted, andthe used key is only to be madeavailable to the intended groupof persons.

Maximum possible damage <=0.1% of IT budget.

Ex.: architectural plans, tele-phone lists, internal emails, project plans, price information.

3 Highly available.

99.99% <= 1 hour recovery timeobjective.

The loss of availability of this

kind of data is critical. It gener-ates a directly measurabledamage or image damage <=1% of IT budget.

Ex.: public web site content, an-nual report at the time of publi-cation, information to crisismanagement (call trees).

HASH SHA-256 withouttime stamp but with digitalsignature.

The loss of integrity of thiskind of data entails a high

work effort for the re-creation of the data, orleads to a directly loss.

Maximum possible dam-age <= 1% of IT budget.

It is necessary that the er-ror is recognized. There-fore, a secure hash algo-rithm is required. The un-authorized change to thedata by third parties mustbe securely excluded for along period of time.

In addition, it is necessarythat the source of the datacan be definitely attributedto a specific person or or-ganization.

Ex.: personal data, annual

report before the actualauthorized publication.

Confidential.

Information for which the publi-cation to unauthorized individu-als or the public has a maximumpossible damage <= 1% of IT

budget.

Therefore, this kind of data hasto be asymmetrically encrypted,and the used personalized keysare only to be handed to the re-spective, authorized individuals(use of a PKI is recommended).

Ex.: Personal data, annual re-port before the actual author-ized publication.




Level

/ Class


4 Highly available, multiple re-dundant (hot site), <= 1 minuterecovery time objective.

The loss of the availability ofthis kind of data is businesscritical and has a direct impactto the business (balance sheet).

A direct measurable damage orimage damage of > 1% of ITbudget is generated.

Ex.: breakdown of the businessprocess(es).

HASH SHA-256 with timestamp and qualified digitalsignature.

The loss of integrity of thiskind of data entails a highwork effort for the re-creation or leads to a directloss, maximum damage >1% of IT budget.

It is necessary that the er-ror is recognized; thereforea secure hash algorithm isrequired. The unauthorizedchange to the data by thirdparties must be securely

excluded for a long periodof time.

In addition, it is necessarythat the source of the datacan be distinctly attributedto a specific person or or-ganization. Also, that theexact point in time of thedata creation (e.g. publica-tion) is definitely and veri-fiably possible.

Ex.: particular personaldata, annual reports at thetime of publication, tendercompetitions.

Strictly confidential.

Information, of which the loss orthe publication to unauthorizedindividuals or the public cancreate a maximum damage >1% of IT budget.

The emergence of this kind ofdata can create long term imagedamage.

Therefore this data needs to beasymmetrically encrypted, andthe used personalized keys areonly to be handed to the respec-tive authorized persons (usage

of a PKI necessary).

Ex.: particular personal data(sex, race, religion etc.), busi-ness plans (M&A, initial publicofferings / listings), marketingplans, strategy documents.

Figure 1: Classification table.

The above data classification table serves asan example of how data could be classified

based on the descriptive terms and values ineach respective column.

The classification and compliance cube(C³)

Not all data needs always the same level ofsecurity in regards to availability, integrity andconfidentiality.

Instead, it can occur in all possible variationsof these three parameters, and it is helpful toremember the data space cubicle illustratedon the following page.

Here, the black marked single cube stands forthe completely unclassified data. The red one

depicts data that is very available, but has notundergone a classification for integrity andconfidentiality.

The green single cube stands for data withvery high integrity needs, but without a ratingfor availability or confidentiality. The yellowsingle cube depicts data that needs to be par-ticularly available and requires high integrity,but has no classification requirements for con-fidentiality.

Finally, the white single cube represents datathat has the highest requirements for all threeparameters.




The chosen color selection seems discretion-ary at the first glance, but is, in fact, very wellintended. It is based on the RGB color model(used in electronics and IT), and shall clarify,where the to-the-organization-critical data re-sides (white).

To bring the notation sequence (availability,

integrity, confidentiality) in line with the RGB

color model, the assignment of the color red toavailability, green to integrity and blue to con-fidentiality has been performed.

Therefore due to the 5 levels (0-4) and theRGB approach with 255 as a maximum valueper parameter, one has to add 64 each timefor the color value per level, to assign each

cube the correct color code.

Figure 2: The Oberlaender Cube (C³).




Example: The cube in the middle of the top C3 level with the coordinates (2,4,2) receives thecolor: (2*64, 4*64, 2*64), respectively:

Figure 3: The 2,4,2 - Cube.

At this time, we have understood that the cu-bicle color scheme is a 3-D-representation ofthe availability, integrity and confidentiality as-signments one can perform.

Color distribution

For the overall color distribution of the datawithin the C³ applies that, depending on indus-try, company philosophy, and history, most ofthe data will be "black", meaning it has no par-ticular requirements to A, I and C.

For instance, banks and insurances will put

relatively high requirements to all three pa-rameters, as false (such as a couple of zerostoo much) or unavailable (online banking), butalso unintended publicized actual confidentialdata (such as account balance and accountchange information) can become very costlyvery fast.

In the producing industry in average, mediumrequirements in regards to the three parame-ters (A,I,C) will be imposed to the affected

data. And there is still again special informa-tion that has the highest requirements to con-fidentiality (coke formula) and also integrity(mixing ratios in the chemical industry).

As an opposite, the retail sector will have themost (but not all) data which is not confiden-tial, and also their requirements in regards tointegrity and availability – in comparison withthe above industry sectors– will be far less.

Now that the data gets classified appropriately,one can achieve a clearly apparent classifica-tion by either an appropriate color imprint forpaper documents (the RGB model is very

easy to implement for all IT systems or is al-ready implemented almost everywhere) oralso by a naming convention (such as„2_4_2_filename_version123_YYYYMMDD“)for electronic documents (in addition to thecolor marking in the page header or footer). Tohinder unwanted manipulation by third parties,one could also list the classification (like2_4_2) in the page headers or footers, createa hash (SHA-256) for the file, and store/saveand transfer this hash separately of the file.Public domain software and tools at no chargesuch as GNU PGP deliver a good service inthat regard.

Complementary, attention is invited to the al-ready existing security models of Bell-Lapadula, Biba, Clark-Wilson, Brewer-Nash,Graham-Denning, Harrison-Ruzzo-Ullman,and Take-Grant (to start, look at:en.wikipedia.org/wiki/Computer_security_model).

One could now conclude to depict the confi-dentiality axis via Bell-LaPadula and the integ-

rity axis via Biba respectively Clark-Wilson.However, these models also fall back to thetrustee (respectively trusted subject, owner,transformation procedures) model, to performthe assignment or re-allocation of data into thecorrect class(es). Also, the availability axiswould not be normalized by such a model, andtherefore the author is following a different ap-proach, namely the "enablement" of the "dataowner".

This role is the linchpin for the whole classifi-cation, and shall be commissioned accordinglyfor all three dimensions, to perform the correctallocation in the classification (and also




the re-classification). The incurred costs are tobe accounted for by this data owner. Thus thenecessity to identify a "business owner", whois able to allocate these costs to a cost center,is obvious.

The above represented color model providesfor a clear overview, which kind of data is

more expensive (the more “white” the data is,the more effort is necessary to secure it):(4,4,4) – data (marked white) is much moreexpensive than unclassified (0,0,0)-data(marked black) or low classified data such as(1,1,1).

More extreme cases (more examples)

To be clear, data containing one or more zeros(such as (0,2,4) or (3,0,3) etc.) simply was notyet classified in that dimension. However,there might be data with a low classification inone (or more) dimension, but with a high rat-ing in another dimension. We will put somefocus in examples of that kind to make it moreunderstandable.

In general, data with a low availability classifi-cation (1,I,C) could be any sort of phone book.There will be other ways to find out a number

of a person to call (operator, contact, friend,another phone book etc.).

Data with a low integrity classification (A,1,C)can be thought of any type of online pollswhere there is no authentication and accesscontrol at all, simply press a button to vote foryour favorite, or do it twice. Low confidentialitydata (A,I,1) is all type of directory information,and not intended to be confidential, so peoplecan find it.

However, there is also information which mayhave received a high integrity rating but only alow availability and confidentiality classifica-tion, such as a lottery (1,4,1) where it is impor-tant that the data is correct, but it is not confi-dential and there are many ways to obtain itshould the data source be lost.

Similar is the patient’s blood type informationin a hospital. Another example here is en-dorsed public health information i.e. by theCDC, telling people to take certain drugs dur-ing outbreaks or similar.

A good example for (1,1,4) data (with highconfidentiality) is a department staff listingcontaining personally identifiable information(PII) that combines the phone book with somevery stringent and protected data such as aSSN or account numbers. Another examplemight be the data of a court (expunged courtcases).

For the (4,4,1) data I can think of emergencycontact information for the public – it shouldbe highly available and also be integer, but itdoesn’t need to be (nor should it be) confiden-tial. So in essence, there are all possible com-binations of these dimensions with all the vari-ous triplets.

It always depends on the specific circum-stances, how the owner classifies the data inregards to all three dimensions.

ROI of the C³

It should be clear by now, that while puttingsome effort into the correct classification issomewhat burdensome and needs properplanning and discussion, the large benefit ofthis approach is that finally all the classifieddata received the correct and appropriate

handling, cover and protection.

Simply put, the one-size-fits-all approach is farmore costly and mainly inappropriate in to-day’s corporate or organizational environment.Most of the data breaches have not followedthese best practices, and huge amount ofstorage chunks are becoming bigger and big-ger, without questioning the data category/ type/classification first.

Completely without any classification, a lot ofdata may be unnecessarily secured againstlosses (in A, I, or C regardless) as there is noway of telling if the data needs a more secureenvironment or protection requirement ordoesn’t need those at all.

Having a proper classification routine in placewill enable even the largest corporations tohandle their initial as well as the update proc-ess well and ensure a cost savvy, smart ap-proach to keep the data available, integer andconfidential to the right amount.




This could save huge sums of money, depend-ing on industry, organization type and datastructure. The specific ROI needs to be calcu-lated by the implementer.

Conclusion

After having defined and argued about the im-

portance of all three of the main parametersrepresenting security (availability, integrity andconfidentiality), we have learned about the po-tential orthogonality (independence) of theirclassification distribution.

We have seen a pragmatic example of how toassign values and handling requirements intable 1, and understood the requirement toadapt these for each company according to itsspecific situation. Afterwards we learned aboutthe C3 cube, which depicts a representative3D model of a helpful color scheme adoptionof the standard RGB model to these threemain parameters.

This will then help to easily assign a classifica-tion notation such as (2,4,2) respectively thecolor markup as shown in figure 3.

Having found an easy notation scheme both inalgebra (with easy to understand transforma-tion formulas) as well as in color will certainlyhelp vendors to introduce solutions to help to

further reach our common goal of appropriateand useful data classification.

The ROI case development is reduced to asimple math calculation. Asking the BCP ormarketing teams about their approximatedvalues might be helpful here.

This article is appropriated as a think tank ap-proach, to perform further going research, tofinally reach the ultimate goal of data centricclassification.

Michael S. Oberlaender is currently serving as Chief Security Officer for the largest European cable networkprovider and has held senior information and security roles in both the US and Germany for two decades. Heis member of (ISC)², ISACA, and several industry associations and is certified CISSP, CISA, ACSE, andGSNA. He holds a diploma of physics (MS) of the University Of Heidelberg, Germany. His public profiles can

be found at: www.linkedin.com/in/mymso as well as www.xing.com/profile/Michael_Oberlaender.






VB2011 - 21st Virus Bulletin International Conferencewww.virusbtn.com/conference/vb2011 - Barcelona. 5-7 October 2011.

RSA Conference Europe 2011www.rsaconference.com/2011/europe/ - London. 11-13 October 2011.

The 2011 Governance, Risk Management and Compliance Summitwww.thegrcsummit.com - Boston. 1-3 November 2011.

SANS London 2011www.sans.org/london-2011 - London. 3-12 December 2011.

Black Hat Abu Dhabi 2011www.blackhat.com/html/bh-ad-11/bh-ad-11-home.html

Abu Dhabi. 12-15 December 2011.




When someone mentions biometrics, the first (and sometimes the only) thingthat comes to mind to many people are physical characteristics on the basis

of which people can be unequivocally differentiated and identified: DNA, fin-

ger and palm prints, iris shape, and more. All in all, characteristics that people

don't have control over.

But as useful for verification and identificationas these characteristics are in the real world,the online one is another matter. The technol-

ogy behind their exploitation for online authen-tication is still simply too difficult and too ob-trusive to integrate and use and, let's face it,too costly.

Still, there is another class of biometrics thatcan prove to be useful and way easier to usefor this particular purpose - behavioral biomet-rics. The term is self explanatory: it's the bio-metrics that are related to a person's behavior.

We all have a way of walking and talking thatis typical for us, and the same goes for theway we type. Typing is something we all mustdo in order to interact with the computer and,

through it, with people and online services.Our typing behavior is much easier to recordand store, and that process doesn't require

special (read: expensive) devices.

It's no wonder, then, that a lot of companieshave set their sights on developing a solutionthat will use keystroke dynamics for identifyingor verifying users, often in conjunction withother authentication factors.

But, to my knowledge, a German firm by thename of TM3 Software is the only one so farthat has been able to develop a solution that

works with any text entered by the user, whichmeans that the user's workflow does not haveto be disrupted and that the user can even beunaware of the authentication or identification




process - perfect for thwarting fraud attempts.

The name of the solution is KeyTrac, and hasbeen available to the public only for the lastfour or five months. The solution and thecompany are a direct result of the work thatDr. Thomas Wolfl - the company founder andCEO - and his team of software development

and artificial intelligence experts have beendoing at the University of Regensburg.

How does KeyTrac work?

As with all biometric solutions, the first step isto collect the data and use it to create a pro-

file. The KeyTrac recording module can be in-tegrated into an existing form - whether it's aregistration form, a form for entering addressand banking data, product descriptions, forumposts, and more - or into a standalone appli-cation (e-mail programs, Office solutions, etc.)

The module records the way that the user

types and not what the user types, and turnsthe collected information into biometric key-stroke data:

The best part of it is that the collected datadoes not contain any type of personal informa-tion or information that can be used to drawconclusions about the user. The text becomes

anonymous as its being typed, and the con-tents of the text can't be reconstructed by thesystem operator or by KeyTrac.

It also doesn't matter in what language theuser types, it only matters that he is familiarwith it. It even doesn't matter what keyboardthe user uses, since every key is assigned akeycode and it is the keycode that gets re-corded, which allows the solution to be usedwith any international keyboard layout.

Once the collected keystroke data is sent tothe KeyTrac Core Engine, a user profile iscalculated on the basis of several attributesthat are extracted from it and stored in a data-

base, to be used after in the identificationprocess.

The identification process starts when an un-

known user types in text into a form or an ap-plication. The keystroke data is collectedagain and sent to the KeyTrac Core Engine,which compares that information with the in-formation in the user profiles collected in thedatabase.

If the goal is to check if the registration is aduplicate - for example, if the user has forgothis login credentials and is creating a new ac-count - the data will be compared to all the

profiles in the database. If the aim is to detectan intruder with stolen credentials, the datawill be compared only to the profile of the userwhose account the fraudster is trying to hijack.




Among the things that KeyTrac can be usedfor is also online fraud prevention. Fraudsterscould be recognized by their typing pattern,regardless of whether they are using stolencredentials or have opened a new accountwith bogus information.

If a central database of online fraudsters and

their typing behavior is set up, the data canalso be compared against the profiles in thatparticular database, preventing, for example,the initiation of fraudulent transactions.

There are other authentication solutions usingkeystroke dynamics out there, but the fact thatthe process can be performed without theuser knowing about it or without the require-ment of typing in a predefined text is the fea-ture that differentiates Keytrac from them.

"All other traditional keyboard biometrics solu-tions can only be used for password harden-ing or authentication with always the samefixed text (for enrollment and for authentica-tion)," points out Dr. Florian Dotzler, TM3Software's Head of Product Management."KeyTrac can identify the user by any typedtext." And this is what makes it perfect for e-

payment providers, online retailers and banksfor securing online banking.

KeyTrac can also be used to prevent sub-scription or account sharing - very handy forsoftware providers who offer Software-as-a-Service or use the "named user" licensemodel. Furthermore, it can also be utilized toverify the identity of the individual taking anonline test, of the author of a digital document,and even to digitally sign emails or docu-ments:

Seems like a dream come true, doesn't it?And what's more, the integration of the vari-

ous KeyTrac solutions is easy.

"It takes only one or two days to integrate it inweb environments," explains Dr. Dotzler. "Inweb scenarios, you only have to integrate a

short JavaScript in the header of the websitein order to record the typing samples, and

then deploy a WAR-File (KeyTrac core sys-tem) on the webserver or you integrate ourweb service."




"Integration in legacy systems also needs two-three days," he adds. "But this depends on theuse case."

Is it effective?

When it comes to authentication, behavioralbiometrics are usually considered less reliable

than physical biometrics because they are dif-

ferent in nature. With physical biometrics,you're dealing with absolutes - pass or fail.But behavioral biometrics are more about sta-tistics and percentages.

For example, when I tested the KeyTrac on-line demo, I was consistently identified, but Inever achieved a 100% acceptance of refer-

ence profile.

It is actually practically impossible even for thesame person to replicate the exact pattern re-corded and used as reference. But, a 98,96%probability that the I am the person that cre-ated the reference pattern was high enoughfor the system to let me "pass".

I don't know what percentage is the set cut offpoint on this demo, but I know that when Itried to pass off two of my colleagues as meand have them type in a text, they were re-

jected. And the same happened when Ichanged my typing pattern by slowing it downand pausing between letters in a word.

The point is, keystroke dynamics is probablynot accurate enough to be used as the onlyidentification and authentication method, butcombining it with others might just prove to bethe missing ingredient for a foolproof solution.

Dr. Dotzler points out that every biometric sys-tem has false positives, and that one canlower their number but one can never com-

pletely avoid them. The issue can be resolvedin a number of ways which depend on the usecase.

Keystroke dynamics does present one signifi-cant benefit over other authentication meth-ods: keystrokes can be captured constantly,making situations like someone forcing a per-son to login into a service by typing his pass-word and then taking over the keyboard easilydetectable.

But what about the fact that the way one typeschanges with the time of day, emotional orphysical state?

"The system works with algorithms from artifi-cial intelligence," explains Dr. Dotzler. "Thesealgorithms learn the different characteristicswhen a user uses different keyboards. During

that learning process, there is a lowering ofquality of the method."




But, there are ways to solve this problem."You can create a second profile for the user(for the second keyboard)," he says. "Also, ifthe user brakes an arm, his keystroke dynam-ics will differ so much that the system must beretrained. But small injuries are not a prob-lem."

Conclusion

Every technology has its weak spot. As werecently witnessed, the RSA breach hasshowed that even proven technologies suchas the SecurID tokens can be bypassed andmisused if one knows where to look and whatto do.

The saved reference patterns needed forKeyTrac to work could probably be stolensomehow, but can they be used to recreatethe typing pattern and execute an successfulattack? If the technology itself proves effectiveand begins to be used by many, there is nodoubt in my mind that, in time, someone willfigure out how to trick it.

In the meantime, a number of e-payment ande-commerce providers have started usingKeyTrac. It may be too early to tell if it is themissing piece of the puzzle that will solve theissue of digital identity verification, but it cer-tainly looks promising.

Zeljka Zorz is the News Editor of (IN)SECURE Magazine and Help Net Security.






There is no doubt that the cloud is revolutionizing the implementation of IT

and application architectures. The issue that we face today is how exactly

should we move to the cloud while maintaining the security of our data.

According to a recent survey by KasperskyLab, over 62 percent of IT managers stateconcerns about security as an obstacle tocloud adoption. Prioritizing security activitiesand implementing new controls to address thenew realities of the cloud is the fundamentalproblem organizations struggle with today.

In this article, I will address the issue of howthe fundamental split in ownership of the ap-plication “stack” from the computing resourcesupturns traditional security assumptions ofhow to build walls around data, and how wecan re-build walls back into the amorphouscloud.

Challenging our assumptions

In order to solve the security problem thatarises with the move to the cloud, we mustchallenge our assumptions. The cloud haschanged how we think about IT architecture

and application infrastructure, and the samemust happen to our security perspective. Tobe specific, there is a physical ownership as-sumption built into traditional security modelsthat simply doesn’t carry over into the cloud.To be fair, the consumerization of IT and theloss of strict network boundaries have also

forced changes in ownership-based models.However, these earlier changes represent afiner degree of segmentation and specializa-tion rather than a change in how we must ap-proach security in the cloud.

The history of PCI is a great example of howthis assumption played out in real life. PCI 1.0began with a strict data encryption require-ment (Section 3.4) as the best practice to pro-tect cardholder data. It became immediately

apparent that just about every organizationwould be unable to adhere to these guidelinesbecause of more fundamental reasons relatedto data discovery and data elimination




before they could even reasonably think aboutdoing encryption.

PCI 1.1 provided a stop-gap risk mitigationstrategy by letting organizations compensatefor the lack of Section 3.4 compliance bydocumenting and putting in place controls thatessentially assume physical ownership of the

resources.

You could pass a PCI audit if you owned theinfrastructure, proved solid segmentation,passed additional checks against malwareand other threats, and implemented best prac-tices around the systems that control this data.

These were all very valid controls and onecould reasonably assume data protectiongiven the strong control of the entire imple-mentation stack.

The problem, of course, is that this level ofownership is not possible in - and is, in fact,entirely in opposition with - cloud-based infra-structures.

The break in the foundation

One of the most difficult things for people to

assess is who is responsible for data securityin the cloud. The short answer is everyone.

Your organization will secure the part of its in-frastructure that it places in the cloud andcloud providers will secure and attest to thesecurity controls they have in place in theirpart of the cloud.

The easiest way to understand this is to thinkabout the cloud from an OSI model perspec-

tive: the stack is essentially going to be splitbetween the two parties.

To simplify things, we’ll focus here on Infra-structure as a Service, or IaaS. (SaaS is gen-erally the responsibility of the cloud providerand a matter of attestation and contract nego-tiation. PaaS is an extremely variable architec-ture too complex to cover here.)

In IaaS, the cloud provider essentially ownseverything at and below the hypervisor,shimmed in just below your OS. You own eve-rything above. As a result, a tremendousamount of existing security controls remain the

same. The thing that changes is who imple-ments them.

1. Partial ownership by the cloud provider

Your IaaS provider is responsible for physicalsecurity and the proper vetting and training ofemployees. They own the switch fabric and

are responsible for the proper segmentationand VLANing.

They also own, to some degree, the networkisolation around you as a customer within theirIaaS environment. Yes, you will have your ownfirewalling and topology to work with, but thecloud provider is responsible for separatingyou from the other “tenants” in the multi-tenantarchitecture. You would expect them to deploygood firewalls with proper configuration.

They take care of DNS integrity, proper routingand so forth. Other than that, the burden ofsecurity controls for the rest of the applicationand hosts above the hypervisor fall onto you,the cloud customer.

2. Partial ownership by the cloud customer

On the flip side, as a customer, you would still

be responsible for patch management. Even ifthe IaaS provider gave you the instance, youare still responsible for patch and configura-tion management. You’re still responsible forhost integrity and anti-malware.

You’re responsible for configuration control,proper training and vetting of your employeeswho work with these systems, and building asolid security and change management proc-ess around it.

You are responsible for application code ontop of it, adhering to secure coding principlesand practices, and even conducting regularsecurity reviews and possible pen testing.

In actuality, a lot of what organizations do heredoesn’t change dramatically from non-cloudactivities. What does need addressing is theloss of the physical isolation and controls thatwere once a given in the traditional proprietarydata center.




Setting a solid footing

Knowing that physical ownership and isolationare no longer a given and that host instancesare sitting on new, possibly vulnerable hyper-visors, we can turn to encryption to isolate ourinformation, provide segregation of duties, andreduce your overall information risk profile.

1. Instance and volume encryption

The great, untapped opportunity to reduce riskin the cloud is encryption at the lowest layerowned by the customer: the instance and vol-ume level. Implementing encryption, whendone properly, can provide a fourfold benefit: itcan protect data in off-line dormant imagesand storage, reduce the overall exposure todata leakage, provide segregation of dutieswhen authentication is separated from thecloud provider, and give another audit and re-porting mechanism to monitor the cloud.

2. Cloud attestation of controls for hyper-visors and dormant instances

Encryption dramatically reduces the overallrisk profile but in itself isn’t perfect. It only re-duces the number of vectors attackers can

use to gain access to the data.

To complement the use of encryption, you willneed to check that the cloud provider has con-trols for preventing data breaches that couldhappen in running instances (after all, datahas to move to clear text to be used). On thehypervisor front, ISO standards and SSAE 16(formerly SAS 70) attestations can help as-sure you of hypervisor controls.

In addition, using an encryption system thatuses key obfuscation in memory reduces ex-posure of the critical encryption keys. Finally,good cloud providers won’t store running in-stances to avoid exposure of data in memory,or provide APIs to let security products knowto do encryption key wiping prior to snap-shotting or storage.

3. Reexamine data encryption

Organizations that don’t already encrypt dataat the application or database level should re-

examine doing so in workloads that are movedto the cloud. It is an easy risk mitigation tech-nique that complements lower-level encryptionat the instance and volume level.

Regulations like PCI require it and, specifi-cally, new PCI guidelines on virtualization puteven more pressure on encrypting at multiple

levels.

4. Customer controlled proper encryptionkey management

Doing key management wrong can completelyundermine the security of the entire cryptosystem and negate the non-repudiation andtrust an auditor will look for in your implemen-tation.

FIPS 140-2 certifications, adherence to NIST800-57 guidelines, and an experienced trackrecord of key management by vendors canhelp ensure proper deployment.

Look specifically for proper key storage (forinstance, not storing keys with images), strongkey derivation beyond simple password-basedkeys, key granularity enabling individualinstance/volume/data elements to be sepa-

rately encrypted, the ability to easily performkey rotation in adherence with best practices,and customer retained control of the encryp-tion keys to help ensure proper key manage-ment deployment.

5. Elastic encryption

Finally, it is imperative that the implementationguidelines listed above support the elasticity,dynamic provisioning and agility that is the

reason organizations are moving to the cloudin the first place.

Specifically, these implementations should in-tegrate with cloud management platforms be-ing deployed over the cloud, support the ca-pability to automate authentication andauthorization based on the activities of thecloud management system, and provide inter-faces to these systems to help integrate secu-rity into the overall cloud process workflow.

Dean P. Ocampo, CISSP, is the Director of Cloud and Compliance Solutions, SafeNet (www.safenet-inc.com).




Recently (IN)SECURE Magazine visited Bitdefender in Romania as it unveiled

a complete reinvention of its brand spanning the entire product line and

offered a glimpse into the features that we can expect in future products.




Bitdefender's headquarters are located in Bucharest and house around 380 employees.

Alexandru Catalin Cosoi (up left), the Head of Online Threats Lab at Bitdefender, was our guide forthe tour that took us through a large portion of the Bitdefender offices.




Bitdefender CEO Florin Talpes illustrated the story behind the re-branding process in an eventpacked with both media and partners.




Google search results much cleanerthan in 2010

It used to be that among the first ten pages ofsearch results for popular terms, up to 90percent of the offered links would take theusers to a malicious page serving malware.Now, the same sample contains only up tothree malicious links, and the great majority ofthese links take users to pages offering fakeAV.

There are many reasons behind this fortunate

decline. It seems that not only have thehosting companies begun reacting morequickly when it comes to the takedown ofmalicious domains, but that webmasters have

also begun cleaning up their sites morespeedily as well.

There is no doubt that Google deserves somecredit for this last change, as it has beguneducating webmasters by popping upwarnings in Google Webmaster Tools and bysending them emails notifying them that theirsite was hijacked.

But, it's not all good news. Malicious search

results for popular terms might have declinedconsiderably, but cyber crooks have extendedtheir interest to a broader range of topics andtypes of searches - for example, poisonedGoogle image searches.

"Searches for buying software online remains90 percent malicious, redirecting users to fakestores, says Zscaler's Julian Sobrier. "Therehas been no significant improvement on thatfront, with 60 different fake store domains

observed in July 2011." But, as he points out,this is a problem shared by all search engines.




Install one Trojan, get three more

Downloader Trojans are often used by cybercrooks to thoroughly infect systems in order toextract anything that might be of value tothem.

Trojan.Badlib is a particularly effective piece ofmalware belonging to that particular category,

effectively acting as a malware distributionnetwork.

When Badlib is firstly installed and detects anInternet connection, it tries to reach a C&Cserver in order to receive commands from it. Itsearches for it on a number of hard-codeddomains, and if it doesn't find it, it proceeds tocheck out several IP addresses on a defaultlist.

Once the C&C is contacted, it instructs theTrojan on where to download further malware.The response includes the number of files ithas to download and their digital signature soas to make sure it downloads the right ones.

According to Symantec researchers, Badlib iscurrently downloading three distinct Trojans:Trojan.Badfaker (disables present AV solution,hides that fact from the user),Trojan.Badminer (uses the power of theinfected computer's GPU to mine Bitcoins),and Infostealer.Badface (harvests logincredentials for a number of popular socialnetworks).

Improved SpyEye variant actively

attacking Android devices

The first SpyEye variant, called SPITMO, hasbeen spotted attacking Android devices in thewild.

“When a user browses to the targeted bank amessage is injected presenting a 'new'mandatory security measure, enforced by thebank, in order to use its online bankingservice," Trusteer’s CTO Amit Klein explains.

"The initiative pretends to be an Android

application that protects the phone’s SMSmessages from being intercepted and willprotect the user against fraud. How’s that forirony!”

Once the user clicks on "set the application"he is given further instructions to walk himthough downloading and installing theapplication.

To complete the installation, the user isinstructed to dial the number "325000"; thecall is intercepted by the Android malware andan alleged activation code is presented, to besubmitted later into the "bank’s site". Besidesconcealing the true nature of the application,this "activation code" does not serve anylegitimate purpose.

Once the Trojan has successfully installed, allincoming SMS messages are intercepted andtransferred to the attacker’s Command andControl server. A code snippet is run when anSMS is received, creating a string, which willlater be appended as a query string to a GETHTTP request, to be sent to the attacker'sdrop zone.

“What makes all of this so scary is that the

application is not visible on the device’sdashboard, making it virtually undetectable, sousers are not aware of its presence and willstruggle to get rid of it."




Morto worm spreads via RDP, brute-

forces Administrator accounts

There's a new worm in town and it's the firstone that spreads by taking advantage of theRemote Desktop Protocol (RDP).

"Once a machine gets infected, the Mortoworm starts scanning the local network formachines that have Remote DesktopConnection enabled," explains F-Secure."This creates a lot of traffic for port 3389/TCP,which is the RDP port."

When such a machine is found, the wormproceeds to try to brute-force its way to anAdministrator account. It tries around thirtymost often used passwords (admin,

password, 111111, 12345, and similar).

"Once a new system is compromised, itconnects to a remote server in order todownload additional information and updateits components," warns Microsoft.

"It also terminates processes for locallyrunning security applications in order toensure its activity continues uninterrupted."

According to Microsoft's analysis, Morto'smain functionality seems to be launchingDDoS attacks against attacker-specifiedtargets.

Morto is capable of infecting both Windowsworkstations and servers. According to somecomments by infected users, it seems thatrunning a completely patched system doesn'tdo much for protecting it, as the worm does

not exploit a vulnerability in the software, butthe unfortunate user tendency of choosing apoor password.

As a number of Morto variants have beenspotted already, and the number of infectedhosts is rising, users are advised to eitherchange the password for the Administratoraccount to something much more complex, orto disable their Remote Desktop Connection ifit's not needed.

Additional analysis of this worm revealedmore than one never-before-seencharacteristic.

Morto is capable

of infecting both

Windowsworkstations and

servers.Not only does it spread by using the RemoteDesktop Protocol, but it also uses a novel wayto contact its C&C in search for instructions:via DNS (Domain Name System) TXT

records.

"While examining W32.Morto, we noticed thatit would attempt to request a DNS record for anumber of URLs that were hard-coded into thebinary," said Symantec's security responseengineer Cathal Mullaney.

"This is by no means unusual or unique, butwhen we examined the URLs, we noticed thatthere were no associated DNS A recordsreturned from our own DNS requests. Onfurther investigation, we determined that themalware was actually querying for a DNSTXT record only – not for a domain to IPlookup – and the values that were returnedwere quite unexpected."

All in all, the information provided was abinary signature and an IP address fromwhich the worm can download further

malware - the same information that mostthreats receive using more establishedcommunication channels.




Bitcoin mining botnet also used for

DDoS attacks

A recently discovered P2P Bitcoin miningbotnet has acquired DDoS capabilities, warnsKaspersky Lab expert Tillmann Werner.

It's main reason of existence has so far beenBitcoin mining, as the bot installs threeTrojans with that function (Ufasoft, RCP andPhoenix), but it also functions as a way ofdelivering other malicious software to theinfected machines.

And among the delivered files are two DDoSprogram. Their targets change as differentvictim lists are delivered to it by the botnetoperators.

The first module - which uses HTTP flooding -has been spotted attacking estate agencyportals and food industry sites. The second

one, using UDP flooding, was targeting the IPaddresses of companies that offer anti-DDoSservices.

Unfortunately, given the P2P architecture, thisbotnet will be extremely hard to take down. Asthings stand, the number of infected machinestaking part of it is increasing. And, as itstargets are easily updated by its operators, thenext ones will likely be determined by thepeople who will rent its services in the future.

The number ofinfected machinesis increasing.

Cyber crooks misusing audit tool tobreach VoIP servers

SIPVicious - the popular bundle of toolsdesigned for auditing SIP (Session InitiationProtocol) based VoIP systems - is currentlybeing used by crooks that aim to compromiseand likely use vulnerable VoIP servers forplacing unauthorized calls to premium rate

numbers or for vishing (voice phishing)scams.

It all starts with the user visiting acompromised legitimate site injected with a

malicious iFrame, which redirects him to a sitehosting the Black Hole exploit kit.

The exploit kit does its thing - it searches forvulnerabilities present in the visitor's systemand, if it finds one, downloads a Trojan(jqs.exe) and executes it on the system.

After contacting its C&C server anddownloading instructions, the Trojan tries to

connect to a .cc domain, from which itdownloads the SIPVicious toolset, a Pythoninterpreter and an unraring tool.

"The Trojan invokes Microsoft installer andinstalls Python silently in the background,"shared the researchers. "It also unrars theSIPVicious toolset."

Under orders from the C&C server, SIPViciousis used to scan for SIP devices inside the

network, which are then hit by a bruteforceattack. If the attack is successful, the Trojanattempts to register extensions on the device,which will then be misused by the crooks.




Pay-per-install services attempt

discreet comeback

"Pay-per-install businesses can be temporarily

compromised by welcome law enforcementaction, but the crooks will always find a way toreturn," says McAfee's Francois Paget, whoshared his recent discovery of a newly openedforum offering free malware to its users.

The offer was obviously made to attract asmany users as possible at that moment, but itlasted only seven days, during which theforum was opened for registration to anyone.

Once the seven days pass, inactive users aredeleted and aspirant members are able to joinonly by invitation.

To make the forum seem hopping with activity,the site administrator and various moderatorshave resorted to opening threads and copy-pasting information from (uncredited) sources

all over the Internet. But, the threadsdedicated to the buying and selling of goodsand services seems to be thriving without theirhelp.

Paget ran into an offer mentioning, amongothers, the well-known fake antivirus businessBest AV, whose operation was seeminglydisrupted back in July due to efforts by lawenforcement agencies in the US and othercountries. Pay-per-install services - most ofwhich had their websites recently shut down -are also present.

"The pay-per-install forum sponsors servicesthat will install malware for a price. Manycountries are available, though not Russia andsome others in Eastern Europe," says Paget."I suspect all these services reach a uniquegroup that is engaged in designing a newbusiness model they hope will be more

discreet."

Cybercriminals impersonating

government agencies

Notable threats for August 2011 includedspam and poisoned search engine resultstargeting fans of Harry Potter, Trojans posingas electronic traffic tickets from the New York

State Department of Motor Vehicles, andphishing emails disguised as official noticesfrom the Department of Defense.

"Last month, we saw scammers out in fullforce," said Christopher Boyd, senior threatresearcher at GFI Software. "They tried toexploit the incredible public interest in thelaunch of the Harry Potter fan site Pottermore,and they concocted fresh schemes toimpersonate government agencies in order to

defraud the public."

"In many cases, cybercriminals are recyclingthe same tactics. That underscores how muchwork still needs to be done to educate thepublic, but it also helps the securitycommunity anticipate new threats."

The FBI recently issued a warning againstfraudulent charity organizations solicitingdonations for victims of Hurricane Irene, a

tactic that cyber scammers continue to employin the wake of natural disasters.




New Zeus-based variant targets

banks around the world

Another Zeus-based offering has beenunearthed by Trend Micro researchers, and by

the look of things, this one seems to be bettercrafted than the recently discovered Ice IXcrimeware that doesn't deliver on its promises.

Having analyzed the code, they believe that itwas created by using version 2.3.2.0. of theZeus toolkit and that it was created specificallyfor a professional gang comparable to LICAT.

This solution is likely to succeed where Ice IXhas failed: an updated encryption/decryptionalgorithm that should prevent trackers from

analyzing its configuration file.

Also, an update of the Zeus builder capabilityof checking for bot information anduninstalling it should make antivirus solutionsunable to use it for detecting the bot andautomatically purging the system of it.

"It is also worth mentioning that this malwaretargets a wide selection of financial firmsincluding those in the United States, Spain,Brazil, Germany, Belgium, France, Italy,Ireland, etc," say the researchers. "It targetsHSBC Hong Kong, which suggests that thisvariant may be used in a global campaign,which may already include Asian countries."

BIOS rootkit found in the wild

Security researchers have recently discovereda new rootkit that targets computers' BIOS,making the infection harder to detect anderadicate, and persist even if the hard drive isphysically replaced.

According to Webroot, the malicious packagecontains a BIOS rootkit, a MBR rootkit, akernel mode rootkit, a PE file infector and aTrojan downloader. Once it downloaded on a

computer, the malware first checks whichBIOS it uses. If it's Award BIOS - used bymotherboards developed by PhoenixTechnologies - it hooks itself on it so that

every time the system is restarted it can infectit all over again if the need arises.

Once it's there, it proceeds to add code to thehard drive's master boot record (MBR) inorder to infect the winlogon.exe (Windows XP/ 2003) or winnt.exe process (Windows 2000),which will be used to download an additionalfile and execute it. It is another rootkit, andthis one aims at preventing the MBR codebeing cleaned and restored to normal by anAV solution.

Mebromi is currently targeting Chinese users,which is obvious by the security software ittries to find and block. And even if the victim'scomputer isn't using Award BIOS, the threatisn't thwarted - it simply omits the first stepand goes directly for the MBR.

Webroot's Marco Giuliani speculated that thereason why Mebromi only targets Award BIOSROM is because it has been modeled afterthe IceLord rootkit - a PoC that did the same

thing. To make Mebromi a major threat, itscreators must make it fully compatible with allmajor BIOS ROM out there - and that is adifficult feat.






IBM’s Lotus Domino is a unique server platform that blends the traditional

web, application, and database servers into one. Its unique structure creates a

very different set of security concerns, and its small market share has left it

largely ignored by the security community.

Many standard attacks such as SQL injectionare simply not possible with Domino although,at the same time, many other - often more se-rious - vulnerabilities are present. Most of thecommonly used tools have very limited cover-age of the attacks that are unique to Domino,and very little literature seems to exist.

If you want to test Domino applications, you’regoing to need to know about its structure andsome of the unique vulnerabilities it may pre-sent.

IBM’s Lotus Domino (formerly known as LotusNotes Server) is a server platform that can beused to build custom applications. Intended byIBM to be a groupware and application mid-dleware platform, it can act as a web server,

perform business and application logic, andcontains a custom database format whosefiles use the .nsf extension.

Within a Domino database (which is containedin a .nsf file), are several components that canbe accessed; the primary ones are docu-ments, views, and forms. There are also spe-cial Domino objects such as the icon, help,and about objects.

Because all of these items reside within theDomino database, the client accessing theapplication is actually running Domino data-base commands directly through the browser.The URL of an action in a Domino applicationactually contains the database command tobe run. The Domino database uses its ownproprietary command format and the numberof possible commands is far more limited thanany SQL server on the market.

The syntax for accessing objects in a Dominodatabase is as follows:

http://server/database.nsf/DominoObje

ct?Action




The DominoObject can be a view, frameset,form, navigator, agent, document, or page.Special identifiers may be present which beginwith the $ symbol. The following chart detailsthe possible actions that can be issued toeach object type. When entering as a URL,there is a question mark between the objectand the action. Special identifiers usually have

a slash instead:

http://server/database.nsf/$SpecialId

entifier

View● Openview – opens the view● ReadViewEntries – accesses the view datain XML format● $first – returns the first document in the view● $searchform?opensearchform – opens a

search form from which the view can besearched

Frameset● OpenFrameset – opens the framesetForm● OpenForm – opens the form● ReadForm – displays the form without itseditable fields● CreateDocument – sent using an HTTP

post. Domino will create a document with thecontents of the HTTP post packetNavigator● OpenNavigator

Agent● OpenAgent

Document● EditDcoument● SaveDocument – sent as an HTTP post.

Domino will update the document with thecontents of the form● DeleteDocument● OpenDocument● $file/attachmentName – returns the docu-ment’s attachment with the name “attach-mentName”

Page● OpenPage

There are several special actions and objectthat can be accessed from the root of theDomino database. All of the following strings

can be concatenated onto the end of a URLthat ends with .nsf.

● ?Redirect – allows redirection to another da-tabase based on it’s ID.● ?openDatabse● /$about?OpenAbout – opens the “about thisdatabase” document● /$help?openhelp – opens the help document● /$icon?openicon – opens the icon for the da-tabase● /$defaultview – returns the default view (ifthere is one)● /$defaultform – returns the default form (ifthere is one)● /$defaultnav – returns the default navigator● ?openpreferences – opens the preferencessetting.

These actions can be combined. For example,the following syntax is valid, and will allow theuser to edit the first document located in thedefault view of the database “database.nsf”.

http://host/database.nsf/$defaultview

/$first?editdocument

Domino uses views to access data from withinthe database. Each view is created by the de-

veloper, and has access to certain data withinthe Domino database. Because each view isrequested by the client through the URL, theclient can request any view it desires, and if ithas permission to read it, it can see the re-sults. This can be thought of as similar to astored SQL procedure, except the client cancall these stored procedures directly. To findgeneric names of views that may be used inany given Domino databases, the Dominodocumentation was searched for sample code

and the most common view names werefound to be:

1. By Category (135 occurrences)2. View A (36 occurrences)3. All (31 occurrences)4. Main (26 occurrences)5. Categorized (23 occurrences)6. Main View (22 occurrences)7. All Documents (13 occurrences).

There are also default databases that can of-ten be found on Domino web servers.




Although the potential list of default databasesnumbers in the hundreds to the myriad ofconfiguration options and versions available,the most common ones include:

● names.nsf - often the most important data-base of any Domino server, it contains theDomino directory, the repository of all users

and roles within that database● log.nsf - shows events on the server● WebAdmin.nsf - a web version of the adminclient.

There are also default databases that can of-ten be found on Domino web servers. Whendoing a security review of a Domino applica-tion, do not rely solely on the standard webapplication review process. Check for thevarious special identifiers and Domino objects.

As with any default resources that may be leftover from any other application or platform,default objects may contain valuable informa-tion about the application, help you fingerprintthe infrastructure more accurately, and on oc-casion will even provide access to additionalfunctionality. Always check the about object tosee what notes the app developer may haveleft - not knowing it could be publicly read.

Checking for default views, navigators, anddocuments may uncover private data.

Enumerating views, using both the commonview names provided here and educatedguesses based on the application itself canuncover serious information leaks. Ensure thatsensitive data cannot be accessed via ma-nipulation of various Domino objects.

Make a special point of checking for a default

navigator (/$DefaultNav?OpenNavigator) - if itis accessible, it will list all non-hidden views inthe database. This is analogous to getting(and being able to run) all of the stored SQLprocedures in a database. Domino allowsviews to be marked as “hidden”, however theycan still be accessed through the browser byputting parenthesis around the view name.

For example, if you want to see if the view

named “All” is available in database.nsf, and“All” is hidden from view, you must enter

/database.nsf/(all) as the URL. Unless the de-veloper has explicitly set various security con-trols to protect the documents within a hiddenview, they can still be accessed. Many timesan application will rely on views being marked“hidden” to protect their contents, howeverhidden views are not actually part of the Dom-ino security model. Hiding a view is a cos-

metic feature that can be abused if used as asecurity control.

Domino’s search form is another object withsecurity implications. When a client requests asearch form, Domino will by default first lookfor a custom search form. If there is none, itwill look for a search template. If there isnone, it will use the default search page.

The default search page can return any datathat has been indexed, whether the client ismeant to have access to it or not. If a data-base has been indexed, and the developerhas not created a custom search form, anyview that is searchable becomes a means ofexfiltrating all data from the database.

Domino agents could potentially create a vul-nerability to DoS attacks. Since they can beactivated directly by the client, a client could

request an agent be run an arbitrarily a largenumber of times. Unless there is anti-automation logic built into the agent logic, itcould result in excessive CPU or memory utili-zation. This is also a concern when usingautomated scanners as they may accidentallycause an undesired DoS attack.

Since the standard three-tiered architecture isnot possible with a Domino server (the appli-cation logic and the data are too tightly cou-

pled to be reasonably separated), clients havethe ability to gain greater access to the inter-nal application logic. Lax permissions thatusually would go unnoticed due to protectionsfrom another tier will be far easier to exploit ina Domino environment.

As a security tester you have to understandDomino’s unique structure and capabilities inorder to adequately review it for vulnerabili-

ties.

Ari Elias-Bachrach (www.angelsofsecurity.com) is a CISSP, CEH, and GWAPT. He works as an in-house in-formation security engineer focusing on web and mobile applications.






Black Hat USA 2011 took place at Caesars Palace in Las Vegas, July 30-Aug 4.

Members of the security industry were able to choose between over 50 multi-

day training sessions, 7 briefings tracks with the latest research, and 2 work-

shop tracks dedicated to practical application and demonstration of tools.

(IN)SECURE Magazine was on-site, and what follows is a photo walkthrough.




At the event, Qualys announced QualysGuardWeb Application Scanning (WAS) 2.0, the newQualysGuard User Interface (UI) as well asthe new QualysGuard Consultant Edition.

The new UI for the QualysGuard IT Securityand Compliance SaaS Suite features interac-tive dashboards, streamlined workflows, ac-tionable menus and filters with improved vis-ual feedback, making it easier for customersto utilize the comprehensive services in theQualysGuard Suite.

QualysGuard WAS 2.0 enables organizationsto leverage the power and scalability of the

cloud to discover, catalogue and scan large

numbers of web applications. The new versionsimplifies the complexity and reduces costs ofweb application scanning with an automatedsolution with an extremely low false positiverate and a rich dynamic UI that simplifies the

workflows for scanning and reporting.

A new edition of the QualysGuard Consultantservice features virtualized scanner appli-ances and a report customization module. Itbrings the power of the SaaS model to con-sultants, delivering accurate network auditing,comprehensive vulnerability assessments,policy compliance and web application scan-ning, reducing time on-site for consultants and

providing data-rich, customizable reports.




Aruba Networks, which provided and main-tained the wireless network for last week’sBlack Hat USA 2011 conference, providedsome interesting statistics around the net-work’s use.

The device-fingerprinting capabilities of theAruba network enabled visibility into exactlywho was using what on the network:

• Apple devices were most prevalent at 43.3percent of all devices (28.4 percent alone foriOS iPad and iPhone, with another 14.9 per-

cent running OS X).

• Linux users composed 35 percent of the to-tal.

• Windows users represented 21.8 percent.

The network was accessed by more than2,400 attendees, with 853 as the maximumnumber of concurrent users.

The network detected and contained morethan 8,790 independent security events, in-cluding 670 rogues, 191 AP flood attacks, 489instances of AP spoofing, 579 instances of IP

spoofing, 1,659 “Hotspotter” attacks and 1,799“Block ACK” attacks.






In another high-profile presentation, Dan Ka-minsky played with systems the old fashioned

way, cobbling together various interesting be-haviors with the last few shreds of what lowlevel networking has to offer:

• IPv4 and IPv6 fragmentation attacks, eightyears in the making.

• TCP sequence number attacks in modernstacks.

• IP TTLs: not actually expired.

• Inverse bug hunting: more things found onthe open net.

• Rebinding attacks against enterprise infra-structure.

• BitCoin: network manipulation for fun and(literal) profit.

• The net neutrality transparency engine.




As you build your cloud infrastructure strategy, identity management for

software-as-a-service (SaaS) applications needs to be on your radar screen.Since business units are already buying and deploying SaaS applications,

sometimes even without consulting the IT department, they could be putting

sensitive information into the cloud without understanding the security and

compliance risks. Inevitably, sensitive data will find its way into these projects

and systems, putting the organization at risk.

Don’t assume that by their very nature SaaSapplications are not mission-critical. One ofthe most popular and well-known SaaS appli-

cations, Salesforce CRM, provides an exam-ple of how many companies could be expos-ing sensitive data in the cloud.

Salesforce is often used to track a company’ssales forecasts, customer and prospect lists,and customer support records, including cus-tomer satisfaction details. This is highly confi-dential and private data, and data that couldbe very damaging in the hands of a competi-

tor.

You should have additional concerns if the ITstaff dedicated to your identity managementand compliance requirements is not involved

with the user administration of these SaaSapplications. Because SaaS applications areoften purchased and deployed outside of IT,

it’s very common for an employee in market-ing, sales, or customer support to function asthe application’s user administrator.

Does this person understand the data securityand compliance implications of the actions hecarries out? Are the right privileges beinggiven to the right people? Is there a solidbusiness process in place that ensures thatthese application privileges are removed when

users change roles or leave the company?These questions are all critical for your com-pliance and security initiatives, but most likelynot at the top of the mind of business users.




One final area of concern comes from the factthat SaaS applications do not exist on a tech-nology “island,” but are integrated with otherapplications within the enterprise. Some SaaSapplications connect to and exchange datawith other mission-critical systems, such asERP systems.

Under the rules of Sarbanes-Oxley (SOX) andother legislative mandates, if an applicationintegrates with core financial applications suchas an ERP solution, then that application(whether SaaS or not) also becomescompliant-relevant.

What is required for identity managementof SaaS applications?

From an identity management perspective, thesame administrative and governance functionsare needed for SaaS applications as areneeded for core datacenter applications. Or-ganizations must protect and govern access tocritical applications, systems and databases inthe cloud - and be ready to answer the criticalquestion: “Who has access to what?” In orderto meet compliance requirements, it’s impor-tant that users are only granted access privi-leges to SaaS applications that are appropri-

ate to their job functions and that the accessprivileges of all SaaS users are reviewed on aregular basis to ensure they are correct.

Making things more complicated, there is stilla lot of uncertainty as to the specific regulatoryrequirements applicable to the cloud. Thereare currently no compliance standards specificto cloud computing.

Many service providers undergo SAS 70 (now

SSAE 16) audits to prove compliance, but itbehooves enterprises to look for service pro-viders that proactively incorporate risk man-agement standards and practices, such asthose recommended by ISO 27001 and NIST,who has published very helpful guidance oncloud computing.

Just as important as compliance concerns,organizations must also ensure their ability tomeet business demands for higher levels ofservice for identity management. As new em-ployees and contractors come on board, theyneed prompt access to a variety of IT systems

and applications, including both cloud and da-tacenter hosted resources.

As users’ relationships with the organizationchange (e.g., a job change or termination),their access must be updated or revoked in atimely manner across all systems, regardlessof where they are hosted.

These joiner/mover/leaver business processesneed to be automated, controlled and moni-tored for SaaS applications. Effectively man-aging these provisioning and de-provisioningprocesses is critical to keeping the businessrunning, but is also important from a cost con-trol perspective.

Many SaaS application providers invoice theirclients based on the number of active user ac-counts, so organizations need to rigorouslymanage application usage.

SaaS roadblocks to identity governance

While many identity management require-ments will look familiar to enterprises, SaaSapplications do present some unique chal-lenges around data access and managementcontrol. For example, many SaaS applications

do not provide the necessary interfaces andreporting capabilities to support identity gov-ernance requirements. This places an in-creased burden on IT organizations to manu-ally manage users and enforce corporate andregulatory policies in order to meet audit andcompliance requirements.

Additionally, cloud service providers often donot expose information to user organizationsabout how deep their authorization models go

in terms of enabling access to their SaaS ap-plications. For example, it is common practicein Salesforce to allow complex, direct entitle-ment assignments between people and data.

The implications of these assignments are of-ten very hard to effectively manage and evenharder to comprehend and govern. As part ofa broader identity governance strategy, it istherefore increasingly important for the or-ganization to know exactly “who” is accessing“what” within the SaaS application employed.

A third challenge is that cloud service provid-ers are not always required to share audit and




security information pertaining to how the ap-plication infrastructure is managed. To meetvarious industry and government regulations,an organization must have control and visibil-ity of IT staff and privileged users who haveaccess to application infrastructure. Mostcompliance mandates require visibility not onlyto who has privileged access, but also to log

data that shows what those users did with thataccess.

IT organizations should require cloud serviceproviders to disclose how they govern andmonitor administrative staff access as part ofstandard vendor evaluation and vendor riskmanagement practices.

Extending identity governance to SaaSapplications

In an ideal world, an IT organization will havethe ability to consider these challenges and toplan their strategies for identity managementbased on a clear understanding of what capa-bilities their SaaS provider can deliver. Butsince business users are already rapidly de-

ploying SaaS applications without IT involve-ment, frequently little or no consideration isgiven to the ability to integrate the SaaS appli-cation back into the organization’s core iden-tity management processes and audit con-trols. Instead, IT organizations must retroac-tively address these identity managementconcerns.

For those situations, there are three strategiesto help IT organizations gain control overSaaS applications:

1. Focus on an integrated IdM strategy thatlooks at the datacenter and SaaS applicationsholistically.

2. Educate business users about the risks ofSaaS applications and build their involvementin the broader identity governance strategy.

3. Partner with the cloud service provider tounderstand how they will open up their inter-face to allow the organization to more easilymanage and govern user access to SaaS ap-plications.

IT ORGANIZATIONS SHOULD REQUIRE CLOUD SERVICE

PROVIDERS TO DISCLOSE HOW THEY GOVERN ANDMONITOR ADMINISTRATIVE STAFF ACCESS

Focus

Since accountability for compliance and secu-rity of SaaS applications falls directly on theenterprise, it is critical that organizations putthe right controls in place to gain this assur-

ance regardless of whether the data lives inthe datacenter or in SaaS applications.

What’s needed is an integrated approach togovernance that leverages a consistent set ofcontrols across the entire IT portfolio, regard-less of where the application or data is de-ployed.

Organizations can’t approach SaaS applica-tions with ad hoc approaches to identity man-agement. Instead, a centralized governanceand control model needs to be in place thathelps provide enterprise-wide visibility into theidentity data, which in turn allows organiza-

tions to move forward into the cloud whilemaintaining the security and compliance stan-dards the business requires.

Educate

At the same time, IT organizations need toeducate their counterparts in the various busi-ness units about the IT risks associated withSaaS applications.

Fortunately, identity and access governancetechnology helps address the unique chal-lenges of managing user access to SaaS ap-plications in line with an organization’s existingidentity management processes from integrat-ing internal controls with the service providerto knowing on both sides who accessed whatdata and when. But, you can’t manage whatyou don’t know about.




Although SaaS applications allow businessunits to circumvent much of the traditional ITprocurement process, they need to under-stand the direct implications those solutionshave toward a company’s IT risk posture.

Partner

From the beginning of working with a SaaSservice provider, organizations need to beprepared to partner with them to ensure theyare adequately addressing identity manage-ment requirements in the cloud.

To do this, it is crucial for end-user organiza-tions to make sure the service level agree-ments with cloud providers are comprehensiveand balanced enough to ensure a necessarylevel of compliance and the ability to incorpo-rate their own identity governance capabilitiesinto the application.

By taking a proactive approach to governingthe user access to cloud applications, organi-zations can eliminate potential gaps in controland visibility over sensitive data and help fa-cilitate the safe adoption of cloud computingand the operational efficiency it promises.

ONCE THE LARGEST CLOUD SERVICE PROVIDERS ADOPT

SCIM, IT WILL PROVIDE GUIDANCE FOR THE SMALLER

CLOUD VENDORS

Looking to SCIM to address IdMchallenges in the cloud

Fortunately, some of the challenges outlinedabove are not lost on technology vendors.Many are working with the largest cloud pro-viders, including Google, Webex and

Salesforce.com, and systems managementproviders to define the Simple Cloud IdentityManagement (SCIM) interface standard.

This will create a much-needed uniform man-agement interface for SaaS and cloud applica-tions to make automated account provisioningpossible for even more SaaS applications.The SCIM specification is currently being de-signed to build on existing efforts, placing spe-

cific emphasis on simplicity of developmentand integration, while supporting existingauthentication, authorization, and privacymodels.

In short, SCIM will make it easier for Web 2.0applications to interface with each other tocreate and manage identity. Its intent is to re-duce the cost and complexity of user man-agement operations by providing a commonuser schema, and a much needed unified set

of CRUD (Create, Read Update & Delete) op-erations.

SCIM’s ultimate goal is to make it faster andeasier for SaaS applications to move user ac-counts in, out, and around the cloud. SCIM isdesigned with simplicity in mind to ensure thatmajor cloud providers all use the same REST-based (representational state transfer) model

for their user management automation.

Once the largest cloud service providers adoptSCIM, it will provide guidance for the smallercloud vendors and help take the guessworkout of governing SaaS applications.

As is typical with all industry standards, it willtake some time for everyone to come togetherand agree on the final SCIM specification.

Adoption of it will likely take even longer still.

The good news for the industry is that tech-nology vendors and service providers agreeon the need for the approach and the keyplayers are already involved to help make it areality. As more end-user organizations educa-tion themselves on the need for identity gov-ernance in the cloud, and in turn demand thatservice providers help address the identitymanagement challenges for their SaaS appli-

cations, the process will only accelerate.

Darran Rolls is the CTO of SailPoint (www.sailpoint.com), a provider of identity management solutions.


