Tuesday, March 17, 2009
Where to start with IT Security
Source Taken from The Register
Episode 1 In a short series of webcasts The Register's expert panel will be tackling the current state of the security market.
Over the course of the next few weeks the experts will be looking into a variety of topics, from treating the main risks to the importance of an evolving security solution, and what 2009 has in store.
Starting today, Episode 1 asks what are the most important questions to be treated by anyone considering IT security, and how to go about approaching it. The panel will also look into how IT security can be treated as a business issue, and offer advice on the potential quick wins to be had, all in just 20 minutes.
Providing you with their expertise throughout are Jon Clay, Core Technology Marketing Manager from Trend Micro and Tony Lock, Programme Director at Freeform Dynamics.
This webcast is absolutely free and no registration is required, simply head on over here and press play. ®
Episode 1 In a short series of webcasts The Register's expert panel will be tackling the current state of the security market.
Over the course of the next few weeks the experts will be looking into a variety of topics, from treating the main risks to the importance of an evolving security solution, and what 2009 has in store.
Starting today, Episode 1 asks what are the most important questions to be treated by anyone considering IT security, and how to go about approaching it. The panel will also look into how IT security can be treated as a business issue, and offer advice on the potential quick wins to be had, all in just 20 minutes.
Providing you with their expertise throughout are Jon Clay, Core Technology Marketing Manager from Trend Micro and Tony Lock, Programme Director at Freeform Dynamics.
This webcast is absolutely free and no registration is required, simply head on over here and press play. ®
Labels: IT Security
Tuesday, March 10, 2009
Securing the corporation
Source Taken from The Register
In the past couple of articles we have considered why security is important and what are the threats faced, both internal and external. Most, if not all organisations will be doing something about IT security, so it isn’t going to be awfully useful to launch into a treatise on how everybody should be implementing IT security. It is perhaps worth revisiting some of the key elements of ‘security done right’, however, so we can consider what’s getting in the way.
At the heart of all good security practice lies risk management, a discipline shared with such areas as business continuity planning and Health and Safety practice. Done right, risk management considers business risks first and foremost – indeed it would be fair to say that business risks are the only ones that matter (or to put it another way, if your organisation is unlikely to suffer as a result of a given threat, it’s not really going to be worth dealing with).
It’s important to note of course that risks can be both technical and non-technical. Of course we have the ongoing dangers of theft or other malicious intent, which need to be protected through physical, technical and policy means. However many other risks may exist in the course of normal, day-to-day operations. Consider mobile phones for example, or instant messaging, home working or managing subcontractors. Each of these has a technical aspect – a phone could contain confidential contact lists for example, or home working could result in un-vetted individuals (i.e. the kids) running unauthorised software. But even in these cases it is important to consider any risks from a business perspective – what would be the impact of losing such a contact list, or of a child playing games?
Risk, then, needs to cover all areas, not just the more obvious ones. From this, eminently sensible starting point it is worth bringing up the topic of security standards, or in particular ISO 27001 (BS7799). Essentially, what the standard expresses is that to do security right, you first need a security management system that defines how security is to be done in your organisation; then, you need to actually do what it is you said you would do, one element of which is to re-assess the risks and review the measures in place on a regular basis.
It is hard to imagine how security best practice could be expressed more pragmatically or practically than the one-two-three of identifying the risks, deciding what to do about them and then doing it. We do know however that many organisations are operating security in a sub-optimal manner. There is even evidence that organisations are actively avoiding working through these things, for fear of what they might find. This is the equivalent of driving down a busy road with a blindfold on, for fear of what one might see.
In a more proactive world, in which the business risks are well understood, IT security measures can then go some way towards mitigating them. We spell this out in such terms because as we have already mentioned, IT security is about all of people, process and technology. It is here however that we hit the second challenge – that of applying solutions to securing the organisation, which take into account threats to the business coming from both outside and inside the organisation.
In principle, IT security measures ‘should’ be considered, designed and implemented in a holistic manner. From a technical perspective as well, security ‘should’ be considered across the architecture – the term ‘defence in depth’ is used to describe how the IT environment can be considered as a series of nested zones, each of which can be secured according to its own needs and with its own boundaries.
In practice however, while many organisations may indeed take their security responsibilities seriously, few achieve a level of security that could be called optimal. There are many reasons for this, the main one of which is that, bluntly, security is extremely hard to get right. It is a fine aspiration indeed to define and deploy a hardened security environment – but many (if not all) security measures can also have a detrimental effect on the business itself – indeed, too much security can be a business risk.
It is perhaps unsurprising then, that the security measures in place tend towards those which are easier to define and deploy. We can see evidence for this in the chart below, which shows what security products organisations have already implemented, or are planning on implementing.
As can be seen from the chart, there are essentially three ‘bands’ of security measures. The top band we could refer to as point products – antivirus, VPN and the like, which are already implemented by the majority of organisations. Languishing at the bottom are those security technologies we could consider as ‘architectural’ – for example, security event management and behavioural analysis technologies.
So, what’s the answer – are the majority of organisations destined to have willing hearts but weak bodies when it comes to implementing IT security? The answer is probably yes – unless either legislation or accepted corporate behaviour take a leap forward.
Ultimately however it is the risks, and how well they are mitigated, that should define whether or not an organisation has got things right. To take a specific example, an organisation may or may not have implemented an intrusion detection system (IDS). Far more important however is the knowledge of what information should be considered as confidential and to whom, and whether it is adequately protected against all the risks it may face.
In security, then, risk management offers both a start and end point. It is perhaps ironic that kicking off a risk management exercise, or a re-assessment of the risk register, need not be an onerous task – particularly if the 80:20 rule is applied appropriately. Indeed, not doing this is perhaps the biggest risk of all.
In the past couple of articles we have considered why security is important and what are the threats faced, both internal and external. Most, if not all organisations will be doing something about IT security, so it isn’t going to be awfully useful to launch into a treatise on how everybody should be implementing IT security. It is perhaps worth revisiting some of the key elements of ‘security done right’, however, so we can consider what’s getting in the way.
At the heart of all good security practice lies risk management, a discipline shared with such areas as business continuity planning and Health and Safety practice. Done right, risk management considers business risks first and foremost – indeed it would be fair to say that business risks are the only ones that matter (or to put it another way, if your organisation is unlikely to suffer as a result of a given threat, it’s not really going to be worth dealing with).
It’s important to note of course that risks can be both technical and non-technical. Of course we have the ongoing dangers of theft or other malicious intent, which need to be protected through physical, technical and policy means. However many other risks may exist in the course of normal, day-to-day operations. Consider mobile phones for example, or instant messaging, home working or managing subcontractors. Each of these has a technical aspect – a phone could contain confidential contact lists for example, or home working could result in un-vetted individuals (i.e. the kids) running unauthorised software. But even in these cases it is important to consider any risks from a business perspective – what would be the impact of losing such a contact list, or of a child playing games?
Risk, then, needs to cover all areas, not just the more obvious ones. From this, eminently sensible starting point it is worth bringing up the topic of security standards, or in particular ISO 27001 (BS7799). Essentially, what the standard expresses is that to do security right, you first need a security management system that defines how security is to be done in your organisation; then, you need to actually do what it is you said you would do, one element of which is to re-assess the risks and review the measures in place on a regular basis.
It is hard to imagine how security best practice could be expressed more pragmatically or practically than the one-two-three of identifying the risks, deciding what to do about them and then doing it. We do know however that many organisations are operating security in a sub-optimal manner. There is even evidence that organisations are actively avoiding working through these things, for fear of what they might find. This is the equivalent of driving down a busy road with a blindfold on, for fear of what one might see.
In a more proactive world, in which the business risks are well understood, IT security measures can then go some way towards mitigating them. We spell this out in such terms because as we have already mentioned, IT security is about all of people, process and technology. It is here however that we hit the second challenge – that of applying solutions to securing the organisation, which take into account threats to the business coming from both outside and inside the organisation.
In principle, IT security measures ‘should’ be considered, designed and implemented in a holistic manner. From a technical perspective as well, security ‘should’ be considered across the architecture – the term ‘defence in depth’ is used to describe how the IT environment can be considered as a series of nested zones, each of which can be secured according to its own needs and with its own boundaries.
In practice however, while many organisations may indeed take their security responsibilities seriously, few achieve a level of security that could be called optimal. There are many reasons for this, the main one of which is that, bluntly, security is extremely hard to get right. It is a fine aspiration indeed to define and deploy a hardened security environment – but many (if not all) security measures can also have a detrimental effect on the business itself – indeed, too much security can be a business risk.
It is perhaps unsurprising then, that the security measures in place tend towards those which are easier to define and deploy. We can see evidence for this in the chart below, which shows what security products organisations have already implemented, or are planning on implementing.
As can be seen from the chart, there are essentially three ‘bands’ of security measures. The top band we could refer to as point products – antivirus, VPN and the like, which are already implemented by the majority of organisations. Languishing at the bottom are those security technologies we could consider as ‘architectural’ – for example, security event management and behavioural analysis technologies.
So, what’s the answer – are the majority of organisations destined to have willing hearts but weak bodies when it comes to implementing IT security? The answer is probably yes – unless either legislation or accepted corporate behaviour take a leap forward.
Ultimately however it is the risks, and how well they are mitigated, that should define whether or not an organisation has got things right. To take a specific example, an organisation may or may not have implemented an intrusion detection system (IDS). Far more important however is the knowledge of what information should be considered as confidential and to whom, and whether it is adequately protected against all the risks it may face.
In security, then, risk management offers both a start and end point. It is perhaps ironic that kicking off a risk management exercise, or a re-assessment of the risk register, need not be an onerous task – particularly if the 80:20 rule is applied appropriately. Indeed, not doing this is perhaps the biggest risk of all.
Tweet hackers reopen Twitter vuln
Source Taken from The Register
Twitter's tit-for-tat struggle against clickjackers continues.
Two weeks after the micro-blogging site immunized its users against a fast-moving worm that caused them to unintentionally broadcast messages when they clicked on an innocuous-looking button, hackers have found a new way to exploit the clickjacking vulnerability.
The latest attack comes from UK-based web developer Tom Graham, who discovered that the fix Twitter rolled out wasn't applied to the mobile phone section of the site. By the time we stumbled on his findings, the exploit no longer worked. But security consultant Rafal Los sent us a minor modification that sufficiently pwned a dummy account we set up for testing purposes.
"The mobile site currently has no javascript on it at all, which is probably for a good reason as most mobile phones don't support it," Graham writes. "So it begs the question, how should Twitter prevent this click-jacking exploit?"
Click "Yes" Here ...
And this is what you get here
The proof-of-concept page presents the user with the question "Do you have a tiny face?" along with buttons to answer "yes" or "no." Choosing the affirmative while logged in to Twitter causes the account to publicly declare: "I have a tiny face, do you?" and then include a link to Graham's post.
The exploit is the latest reason to believe that clickjacking, on Twitter and elsewhere, is here to stay, at least until HTML specifications are rewritten. No doubt web developers will continue to come up with work-arounds, but hackers can just as quickly find new ways to exploit the vulnerability, it seems.
That's because clickjacking attacks a fundamental design of HTML itself. It's pulled off by hiding the target URL within a specially designed iframe that's concealed by a decoy page that contains submission buttons. Virtually every website and browser is susceptible to the technique.
Two weeks ago, Twitter was able to stifle the attacks by adding code to its site that changed its pages' location. That required the use of javascript that wasn't added to Twitter pages browsed by mobile users, presumably because they may have caused some older handsets not to work.
Readers of Graham's site already have zeroed in on a fix for the problem, but Los isn't sure it's foolproof. That's because it, too, is based on javascript, so it won't be effective against HTML-based attacks. Stay tuned. The clickjacking saga continues. ®
Twitter's tit-for-tat struggle against clickjackers continues.
Two weeks after the micro-blogging site immunized its users against a fast-moving worm that caused them to unintentionally broadcast messages when they clicked on an innocuous-looking button, hackers have found a new way to exploit the clickjacking vulnerability.
The latest attack comes from UK-based web developer Tom Graham, who discovered that the fix Twitter rolled out wasn't applied to the mobile phone section of the site. By the time we stumbled on his findings, the exploit no longer worked. But security consultant Rafal Los sent us a minor modification that sufficiently pwned a dummy account we set up for testing purposes.
"The mobile site currently has no javascript on it at all, which is probably for a good reason as most mobile phones don't support it," Graham writes. "So it begs the question, how should Twitter prevent this click-jacking exploit?"
Click "Yes" Here ...
And this is what you get here
The proof-of-concept page presents the user with the question "Do you have a tiny face?" along with buttons to answer "yes" or "no." Choosing the affirmative while logged in to Twitter causes the account to publicly declare: "I have a tiny face, do you?" and then include a link to Graham's post.
The exploit is the latest reason to believe that clickjacking, on Twitter and elsewhere, is here to stay, at least until HTML specifications are rewritten. No doubt web developers will continue to come up with work-arounds, but hackers can just as quickly find new ways to exploit the vulnerability, it seems.
That's because clickjacking attacks a fundamental design of HTML itself. It's pulled off by hiding the target URL within a specially designed iframe that's concealed by a decoy page that contains submission buttons. Virtually every website and browser is susceptible to the technique.
Two weeks ago, Twitter was able to stifle the attacks by adding code to its site that changed its pages' location. That required the use of javascript that wasn't added to Twitter pages browsed by mobile users, presumably because they may have caused some older handsets not to work.
Readers of Graham's site already have zeroed in on a fix for the problem, but Los isn't sure it's foolproof. That's because it, too, is based on javascript, so it won't be effective against HTML-based attacks. Stay tuned. The clickjacking saga continues. ®
Hacking contest offers $10,000 for iPhone exploit
Source Taken from The Register
An annual hacker competition planned for next month has setting its sights on Apple's iPhone and four other smart phones in a contest that will pay cash prizes of $10,000 to anyone who can break in to the mobile devices.
The contest will present contestants with phones running the Android, Symbian, and Windows Mobile operating systems as well a BlackBerry and an iPhone. To qualify for the $10,000 prize, hackers must submit exploits that work against email, SMS test, website browsing, and "other general actions a normal user would take while using the device," according to these rules published 3Com's TippingPoint unit, the competition's sponsor. All devices will be fully patched.
A second-track of the competition will challenge hackers to take their best shots at web browsers. Internet Explorer 8, Firefox, and Google Chrome will be running on a Sony Vaio running Windows 7, and Safari and Firefox will be installed on a MacBook running OS X. Successful exploits in this track will net $5,000 per bug.
This is the third year of the Pwn2Own contest, scheduled for March 18-20 at the CanSecWest security conference in Vancouver, British Columbia. Last year, a brand-new MacBook air was the first to fall during day two of the competition, which pitted the Mac against high-end laptops running Linux and Microsoft's vista. Charlie Miller of Independent Security Evaluators said at the time that he picked OS X because he thought it was the easiest.
The Windows laptop was the next to be hacked, leaving only the Ubuntu machine standing by contest's end.
Contest rules require winning contestants to keep details of their exploits confidential until after the vendor has fixed the underlying vulnerability. Sponsor TippingPoint runs the Zero Day Initiative, which pays bounties for vulnerabilities that are responsibly disclosed.
As has been the case in the past, day one of the competition will require exploits to work on a limited number of applications. On days two and three, the attack surface will be gradually be expanded. Physical access to the mobile devices will not be given.
Once again, The Register will be covering the contest in all its glory. ®
An annual hacker competition planned for next month has setting its sights on Apple's iPhone and four other smart phones in a contest that will pay cash prizes of $10,000 to anyone who can break in to the mobile devices.
The contest will present contestants with phones running the Android, Symbian, and Windows Mobile operating systems as well a BlackBerry and an iPhone. To qualify for the $10,000 prize, hackers must submit exploits that work against email, SMS test, website browsing, and "other general actions a normal user would take while using the device," according to these rules published 3Com's TippingPoint unit, the competition's sponsor. All devices will be fully patched.
A second-track of the competition will challenge hackers to take their best shots at web browsers. Internet Explorer 8, Firefox, and Google Chrome will be running on a Sony Vaio running Windows 7, and Safari and Firefox will be installed on a MacBook running OS X. Successful exploits in this track will net $5,000 per bug.
This is the third year of the Pwn2Own contest, scheduled for March 18-20 at the CanSecWest security conference in Vancouver, British Columbia. Last year, a brand-new MacBook air was the first to fall during day two of the competition, which pitted the Mac against high-end laptops running Linux and Microsoft's vista. Charlie Miller of Independent Security Evaluators said at the time that he picked OS X because he thought it was the easiest.
The Windows laptop was the next to be hacked, leaving only the Ubuntu machine standing by contest's end.
Contest rules require winning contestants to keep details of their exploits confidential until after the vendor has fixed the underlying vulnerability. Sponsor TippingPoint runs the Zero Day Initiative, which pays bounties for vulnerabilities that are responsibly disclosed.
As has been the case in the past, day one of the competition will require exploits to work on a limited number of applications. On days two and three, the attack surface will be gradually be expanded. Physical access to the mobile devices will not be given.
Once again, The Register will be covering the contest in all its glory. ®
Hacker pokes new hole in secure sockets layer
Source Taken from The Register
Website encryption has sustained another body blow, this time by an independent hacker who demonstrated a tool that can steal sensitive information by tricking users into believing they're visiting protected sites when in fact they're not.
Unveiled Wednesday at the Black Hat security conference in Washington, SSLstrip works on public Wi-Fi networks, onion-routing systems, and anywhere else a man-in-the-middle attack is practical. It converts pages that normally would be protected by the secure sockets layer protocol into their unencrypted versions. It does this while continuing to fool both the website and the user into believing the security measure is still in place.
The presentation by a conference attendee who goes by the name Moxie Marlinspike is the latest demonstration of weaknesses in SSL, the encryption routine websites use to prevent passwords, credit card numbers, and other sensitive information from being sniffed while in transit. Similar to side jacking attack from 2007 and last year's forging of a certificate authority certificate, it shows the measure goes only so far.
"The attack is, as far as I know, quite novel and cool," said fellow researcher Dan Kaminsky, who attended the Black Hat presentation. "The larger message of Moxie's talk is one that a lot of people have been talking about actually for a few years now: This SSL thing is not working very well."
Marlinspike said SSLstrip is able to work because the vast majority of sites that use SSL begin by showing visitors an unencrypted page and only offer the protection for sections where sensitive information is transmitted. When a user clicks on a login page, for instance, the tool alters the site's unencrypted response so the "https" is changed to "http." The website, however, continues to operate under the assumption the connection is encrypted.
Website encryption has sustained another body blow, this time by an independent hacker who demonstrated a tool that can steal sensitive information by tricking users into believing they're visiting protected sites when in fact they're not.
Unveiled Wednesday at the Black Hat security conference in Washington, SSLstrip works on public Wi-Fi networks, onion-routing systems, and anywhere else a man-in-the-middle attack is practical. It converts pages that normally would be protected by the secure sockets layer protocol into their unencrypted versions. It does this while continuing to fool both the website and the user into believing the security measure is still in place.
The presentation by a conference attendee who goes by the name Moxie Marlinspike is the latest demonstration of weaknesses in SSL, the encryption routine websites use to prevent passwords, credit card numbers, and other sensitive information from being sniffed while in transit. Similar to side jacking attack from 2007 and last year's forging of a certificate authority certificate, it shows the measure goes only so far.
"The attack is, as far as I know, quite novel and cool," said fellow researcher Dan Kaminsky, who attended the Black Hat presentation. "The larger message of Moxie's talk is one that a lot of people have been talking about actually for a few years now: This SSL thing is not working very well."
Marlinspike said SSLstrip is able to work because the vast majority of sites that use SSL begin by showing visitors an unencrypted page and only offer the protection for sections where sensitive information is transmitted. When a user clicks on a login page, for instance, the tool alters the site's unencrypted response so the "https" is changed to "http." The website, however, continues to operate under the assumption the connection is encrypted.
