Mark Ciampa's Blog (Security+ 4ed)

Updated Community Server Web Site

Mark Ciampa — Wed, 23 May 2012 12:17:00 GMT

By now you've noticed that this Web site has undergone a radical facelift starting today (May 23 2012). This redesign has been underway for several months involving many different individuals, long hours of work, and countless meetings. In addition to all of the content from the previous site still being available on this updated Web site, additional security content is being added. And the site is now easier to navigate. In the coming weeks watch for more new security-related material to appear.

Thanks to everyone at Cengage who worked on the redesign (to see a partial list of names and photos click OUR TEAM and then "Marketing/Editorial").

Stay secure!

http://www.cengagesites.com/Networking-Security/50/information-security/

Another Warning on Medical Devices

Mark Ciampa — Tue, 22 May 2012 11:31:00 GMT

The lack of security on medical devices is continuing to raise concerns. Last year a security researcher, who was himself a diabetic, demonstrated at the Black Hat security conference a wireless attack on an insulin pump that could change the delivery of insulin to the patient. The security vendor McAfee found that they could scan a public space from up to 300 feet away, find vulnerable pumps made by a specific medical device manufacturer, and then force these devices to dispense fatal insulin doses. In 2009 an assistant professor in computer science "hacked" into a defibrillator (used to stabilize a heartbeat) and reprogramed it. He also disabled its power-save mode so the battery ran down in hours instead of years. Last month the national Information Security and Privacy Advisory Board (ISPAB) recommended that one federal government agency like the Food and Drug Administration (FDA) be responsible for ensuring the security of wireless medical devices, and called for the National Institute of Standards and Technology (NIST) to determine which security features should be enabled by default on these devices (see Apr 14 2012 blog).

Now the Department of Homeland Security (DHS) has issued its own report entitled "Attack Surface: Healthcare and Public Health Sector." It says, "The communications security of medical devices to protect against theft of medical information and malicious intrusion is now becoming a major concern." While the Food and Drug Administration (FDA) regulates the design and manufacture of these devices it does not have any regulations regarding how they should be configured and connected to a network. The report specifically notes the risks of using these devices on wireless networks {Chapter 8 Security+ 4ed} and the failure to use trusted operating systems {Chapter 10 Security+ 4ed}. It says, "In a world in which communication networks and medical devices can dictate life or death, these systems, if compromised, pose a significant threat to the public and private sector."

You can download the report at http://publicintelligence.net/nccic-medical-device-cyberattacks/.

Stay secure!

http://www.cengage.com/community/infosec

Wireless Warning

Mark Ciampa — Thu, 17 May 2012 13:43:00 GMT

The rapid growth of wireless local area networks (WLANs, also called "Wi-Fi") based on the IEEE 802.11a/b/g/n--and soon-to-be-released IEEE 802.11ac standard with theoretical data rates of up to 3.6 Gbps) has been nothing short of phenomenal. According to some estimates by 2014 there will be 1.4 billion devices shipped annually that support wireless data standards, and these devices will transmit the amount of data traffic equal to almost one billion DVDs. By the end of 2011 one quarter of all households around the world, or 439 million households, were using wireless data technology, with South Korea leading the way with over 80 percent of its households using wireless (the U.S. was eighth with 61 percent). It is estimated that by 2016 over 800 million households will have wireless data technology installed. Considering that wireless local area networks were not even available until 2000, this makes their widespread installation that much more amazing.

This huge popularity of WLANs is also seen in the number of free wireless networks available at hotels, coffee shops, airports, and restaurants. There are over 65,000 free wireless "hotspots" in the U.S., most notably at Starbucks (23,000 locations), McDonald's (at 11,000 of its 13,000 restaurants), and Panera Bread (1,500 stores). Panera recently reported that last month there were 2.7 million wireless sessions activated, an increase of half a million from April 2011, with half of that traffic from laptops and the other half from smartphones and tablets. And the popularity of free wireless networks is projected to skyrocket, in part due to the end of unlimited smartphone and tablet data plans. Yesterday (May 16 2011) Verizon Wireless revealed that it was ending all unlimited data plans for 4G LTE devices, which were already required of new customers but current customers could be grandfathered in. T-Mobile still offers unlimited plans but slows the transmission speed after users consume 2 gigabytes each month. Many users opt to find a free wireless network when possible in order to save their bits when traveling.

With this increased use of WLANs, particularly free wireless networks, it is even more important to be secure when using these wireless networks {Chapter 8 Security+ 4ed}. Earlier this month the FBI's Internet Crime Complaint Center (IC3) issued a warning that attackers are "targeting travelers abroad through pop-up windows while establishing an Internet connection in their hotel rooms." When a user attempts to setup their wireless Internet connection from their hotel room a pop-up window appears notifying the user that they should update the software on their device. However, this warning is a fake and if the user clicks to install the update then malware is installed instead.

Although the IC3's report is slim on specific instances of when and where these attacks are occuring, the advice is still good, particularly when traveling. Update your devices before you leave home using your secure network connections, limit your Internet activity when possible (such as don't make large financial transactions from a hotel room), and never blindly click on an update message that appears.

Stay secure!

http://www.cengage.com/community/infosec

Leopard Finally Updated--Sort Of

Mark Ciampa — Wed, 16 May 2012 11:21:00 GMT

In a disturbing trend by some software vendors, older versions of software are being neglected when it comes to security updates. On Monday (May 14 2012) Apple issued its first security-related update to its Leopard operating system (OS X 10.5) in almost one year ago. Yet this update does not even patch any known vulnerabilities but instead only removes older versions of the Adobe Flash Player: any Flash Player older than 10.1.102.64--which was released in November 2010--is now disabled. This update is the same that Apple released last week for Snow Leopard (OS X 10.6) and Lion (OS X 10.7). And although Apple still provides security updates for Java for users running Snow Leopard and Lion, it has not distributed any security patches for Java running on Leopard since June 2011.

It's certainly troubling that Apple as well as other security vendors is not keeping older versions of their software updated (see May 15 2012 blog posting). Their patch management {Chapter 5 Security+ 4ed} capabilities certainly are in place for distributing security updates on a timely basis. Is this lack of active patching a hidden push to increase revenue by forcing users who want to be protected to update to the latest version of the software?

Stay secure!

http://www.cengage.com/community/infosec

Adobe Retreats on Pay for Patches

Mark Ciampa — Wed, 16 May 2012 02:11:00 GMT

Adobe's track record for creating and maintaining secure protects is less than stellar (see May 7 2012, Dec 8 2011, and Aug 17 2011 blog postings). And to add the proverbial "insult to injury", Adobe recently said that they will no longer patch critical vulnerabilities {Chapter 5 Security+ 4ed} in older versions of their software and that users must purchase the latest software versions to be protected. After a storm of criticism Adobe has now reversed course.

There are a total of 8 vulnerabilities in Adobe Illustrator (5 vulnerabilities) and Flash Professional CS5.5 (1 vulnerability)--which have been out for only one year--and two-year old Photoshop CS5 (2 vulnerabilities). Last week Adobe told its users that they must upgrade to the Creative Suite 6 (CS6) editions if they wanted to have this software with the patched vulnerabilities. That cost could be $99 (for Flash Professional), $249 (Illustrator) or $375 (CS6 Design & Web Premium that includes all three). Now Adobe has now changed its mind. After a huge outcry, Adobe said in its blog that is "in the process of resolving the vulnerabilities" and there will be no charge for the updates. You can read the Adobe blog at:

http://blogs.adobe.com/psirt/2012/05/update-to-security-bulletins-for-adobe-illustrator-apsb12-10-adobe-photoshop-apsb12-11-and-adobe-flash-professional-apsb12-12.html

Come on Adobe, really? Patching year-old software was not important to you? Do you think it might be important to your customers? Will you ever get this security thing figured out?

Stay secure!

http://www.cengage.com/community/infosec

Critical Adobe Flash Update

Mark Ciampa — Tue, 08 May 2012 00:49:00 GMT

Adobe sent out a warning today (May 7 2012) that attackers are exploiting a vulnerability {Chapter 1 Security+ 4ed} in the Adobe Flash Player software. Adobe assigned this vulnerability a "1" priority rating, indicating that it's an actively-exploited (or likely soon-to-be exploited) vulnerabilities and should be patched within 72 hours.

What should you do to protect yourself? Unfortunately the answer is, "It all depends." The Adobe Flash version 11.2.202.235 contains the necessary patch. If you are running Google Chrome your browser should have automatically been updated last Monday (Apr 30 2012) with Google's Chrome release of 18.0.1025.168. If you are running Microsoft's Internet Explorer (IE), Firefox, Safari or Opera on Windows then Adobe's new silent background update feature--which silently updates Flash in the background--should automatically update the Flash plug-in. This silent background update feature was also released for Apple Mac last week (Apr 30 2012). However, there are some reports that patch is not being pushed out promptly. You can go to Adobe's site and see which version of Flash you are running as well as download the latest patch at http://get.adobe.com/flashplayer/.

Stay secure!

http://www.cengage.com/community/infosec

Blackmail or Idiot Tax?

Mark Ciampa — Thu, 03 May 2012 16:16:00 GMT

Misunderstandings are often the result of a difference in interpretation (aka semantics). However, in this recent computer security attack much more may be at stake.

Elantis, a credit provider located in Belgium, was the apparent victim of an attack in which employee login credentials and confidential loan application information on 3,700 customers--name, job description, contact information, annual income, ID card number, etc.--was stolen. Last Friday (Apr 27 2012) the attackers contacted Elantis and threatened to publically publish the information if the bank does not pay 150,000 euros (about $197,000) by tomorrow (May 4 2012). The attackers claimed that the data was stored unencrypted {Chapter 11 Security+ 4ed} on unprotected servers, and parts of what they claimed to be stole data was provided to prove their claims.

And to add insult to injury, the attackers also said, "While this could be called 'blackmail,' we prefer to think of it as an 'idiot tax' for leaving confidential data unprotected on a Web server."

Elantis took their servers offline, contacted the Belgian Federal High Tech Crime Unit, and said "We are not prepared to pay. We don't like blackmail."

Stay secure!

http://www.cengage.com/community/infosec

Conficker Still Alive

Mark Ciampa — Tue, 01 May 2012 18:40:00 GMT

A notorious worm {Chapter 2 Security+ 4ed} known as Conficker is still on the loose. And this is after 3 years since its introduction and 4 years since the original patch was distributed to close the vulnerability that it expoits.

Conficker first surfaced in November of 2008 and different variants (Conficker.A, .B and .C) later came onto the scene. It targets a known buffer overflow {Chapter 3 Security+ 4ed} vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 7 Beta (but not Windows 7); a patch for this vulnerability was released back in October 2007. Conficker is known for its ability to disable a computer's security defenses. It turns off different Windows security system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting while also blocking Internet access to security product Web sites, preventing the computer from receiving anti-virus update signatures {Chapter 5 Security+ 4ed}. Conficker then receives further instructions--spread to other computers, gather personal information from the infector computer, or to download and install additional malware--by connecting to a server or another infected computer. The worm also attaches itself to certain Windows processes. Conficker.A creates an HTTP server on the infected computer and then opens a random port (between 1024 and 10000) as well as resets Windows System Restore points. Conficker.B and Confliker.C take advantage of the Windows Autorun feature and tries to guess administrator passwords that are weak by using its own built-in list of weak passwords (seems like weak passwords are always somewhere involved in a successful attack today). To see a list of those weak passwords you can go to http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Conficker.C

Although it appears that the original attackers behind Conficker have abandonded it, the worm is still on the loose around the Internet. Last week Microsoft reported that 1.7 million computers were attacked by Conficker in the last three months of 2011, which is an increase of 100,000 from the previous quarter.

Users can take advantage of an online test to see if their computers are infected at http://www.confickerworkinggroup.org/infection_test/cfeyechart.html.

Stay secure!

http://www.cengage.com/community/infosec

SSL Websites Vulnerable

Mark Ciampa — Fri, 27 Apr 2012 22:12:00 GMT

Perhaps the most common transport encryption algorithm is Secure Sockets Layer (SSL), which is a protocol developed by Netscape for securely transmitting documents over the Internet. SSL uses a public key to encrypt data that is transferred over the SSL connection. Transport Layer Security (TLS) is a protocol that guarantees privacy and data integrity between applications communicating over the Internet. TLS is an extension of SSL, and they are often referred to as SSL/TLS {Chapter 12 Security+ 4ed}. One use of SSL is to secure Web Hypertext Transport Protocol (HTTP) communications between a browser and a Web server. This secure version is actually “plain” HTTP sent over SSL/TLS and is called Hypertext Transport Protocol over Secure Sockets Layer (HTTPS). HTTPS uses port 443 instead of HTTP’s port 80. Users must enter URLs with https:// instead of http://.

A just-released study shows that 90% of the top 200,000 HTTPS Websites are vulnerable, according to the Trustworthy Internet Movement (TIM), which is a "nonprofit, vendor-neutral organization leveraging the power of the global security community to advance industry-wide technology innovations and initiatives for actionable change". TIM has created a project called SSL Pulse. SSL Pulse uses automated scanning to analyze the strength of HTTPS implementations on the top 1 million Web sites (as published by Alexa). SSL Pluse looks for what protocols and versions are supported by the these Web sites (SSL 3.0, SSL 2.0, TLS 1.1, etc). It also looks for the key length used (512 bits, 1024 bits, 2048 bits, etc.) and the strength of the supported ciphers (256 bits, 128 bits, etc.). SSL Pulse then assigned a score (0-100) and grade (A-F) to each HTTPS Web site.

Here's what they found: over half of the 200,000 Web sites received a grade of "A". But SSL Pulse also says that just 10% were "strong" with the highest level of security. And 75% could be vulnerable to a specific attack that could decrypt authentication tokens and cookies from HTTPS requests, and 13% support the insecure renegotiation of SSL connections that could result in man-in-the-middle attacks {Chapter 3 Security+ 4ed}.

The SSL Pulse Web site, at https://www.trustworthyinternet.org/ssl-pulse/, shows the latest data and also allows you to enter an HTTPS-enabled Web site to check on its status.

Stay secure!

http://www.cengage.com/community/infosec

Macs With Windows and Mac Malware

Mark Ciampa — Thu, 26 Apr 2012 10:41:00 GMT

Here's something that few users--particularly Mac users--would have ever expected. The security firm Sophos offers Mac users a free online antivirus scanner (yes, Macs can become infected!). After over 100,000 Mac computers ran that software then Sophos examined what the scanner found. And the results were surprising: almost one out of every five Macs (20%) contained at least one instance of Windows malware. Although this Windows malware cannot function on the Mac, it can be transferred to another Windows computer through USB flash drives and other removeable media, or through network file sharing.

Sophos also found 3% of the 100,000 scanned Macs were infected with Mac malware. About 75% of the infected Macs were victims of Flashback (see Apr 11 2012 blog posting). It's estimated that some 600,000 Macs still have this malware while a new version of Flashback has infected another 700,000 Macs. The next most common infection was a fake antivirus "scareware" infection (18%) with the third most common infection (5.5%) was Domain Name System (DNS) poisoning {Chapter 3 Security+ 4ed} malware that redirected infected Macs to a fake DNS server controlled by attackers.

Stay secure!

http://www.cengage.com/community/infosec

There's Real Money In It

Mark Ciampa — Tue, 24 Apr 2012 19:07:00 GMT

Just in case there is still someone out there who doesn't think "security" (or a lack thereof) and "money" go hand-in-hand, two recent events may help convince them that these two elements are inseparably linked.

First, on the defense side Google has increased the bounties it pays independent researchers who uncover vulnerabilities in its core Web sites, services and online applications. How much of an increase? How about an increase from $3,133 to a whopping $20,000 per vulnerability. Google's Vulnerability Reward Program (VRP) pays for a vulnerability that would allow an attacker to hijack a computer and plant malware on it that is directed against Google.com, Gmail, Youtube.com, and the new Google Play. And a $10,000 bounty will be paid for SQL injection {Chapter 3 Security+ 4ed} vulnerabilities or "significant" authentication bugs and data leak vulnerabilities. Cross-site scripting (XSS) {Chapter 3 Security+ 4ed} flaws will only pay between $100 and $3,133. In the last 12 months Google has received over 780 eligible vulnerability claims and has paid $460,000 to about 200 security researchers.

And on the other side, a Russian security analyst firm reported that Russian-speaking attackers netted $4.5 billion globally using different online attacks. That is over one-third of the estimated $12.5 billion netted globally by all cybercriminals in 2011. Online banking fraud, phishing attacks {Chapter 2 Security+ 4ed} and the theft of stolen funds amounted to $942 million, followed by spam at $830 million.

Stay secure!

http://www.cengage.com/community/infosec

259 Attacks in 90 Days

Mark Ciampa — Thu, 19 Apr 2012 14:40:00 GMT

Breaking into 259 different Web sites and databases in three months is no small feat, considering that's close to 3 successful attacks per day. Yet when the suspect is only a 15-year-old student, that makes it even more amazing.

In January 2012 an Austrian student aged 15 was, by his own admission, bored and wanted to prove himself. Craving recognition, praise and affirmation for his limited technology knowledge and skills, he discovered an online forum in which the 2,000 registered members were given points for achieving successful attacks. That launched him into action. Over the next 90 days this script kiddie {Chapter 1 Security+ 4ed}, using attack software that searched for unpatched servers and anonymizing software to hide his tracks, successfully breached the servers belonging to 259 different companies around the world. After defacing Web sites and stealing data, he boasted about it on his Twitter account, where he also posted links to the stolen data. By the end of March he was ranked in the top 50 attackers on the online forum.

His downfall was the anonymizing software tool that failed to hide his IP address. Austria's Cyber Crime Competence Centre (C4) had been monitoring the attacker after receiving several complaints, and he was tracked to his house in Lower Austria. After obtaining a search warrant and questioning him, the 15-year-old confessed. The investigation is continuing so there is no estimate yet on the damages.

Stay secure!

http://www.cengage.com/community/infosec

Patient Data Breaches Growing

Mark Ciampa — Mon, 16 Apr 2012 16:13:00 GMT

A recent survey indicates that healthcare organizations are experiencing more security breaches that expose confidential patient information. And one of the primary culprits is unsecured mobile devices.

The Healthcare Information and Management Systems Security (HIMSS) organization commissions a twice-a-year survey regarding the loss of patient information. In their most recent survey of 250 healthcare organizations 27% of the respondents had at least one security breach over the past year. Over half were called "unauthorized access to information," such as the patient's name and birth date. This is an increase from 19% in 2010 and 13% in 2008. And a whopping 79% of those breaches were due to the actions of employees (the second highest category was outsourced or contract employees).

While the misuse of paper records was the cause for 40% of the problems (including "improper destruction" {Chapter 14 Security+ 4ed}), problems with electronic records are rapidly increasing. Almost 22% of the breaches were a result of "actions or loss" related to a portable mobile device like a tablet or laptop (only 11% were attributed to these devices in 2010). External attacks on the healthcare network that opened up the data were responsible for just 3% of the breaches. And almost one-third of the respondents said that patient information stored on a portable mobile device was among the factors most likely to contribute to the risk of a breach.

This patient data is protected under the Health Insurance Portability and Accountability Act (HIPAA) {Chapter 1 Security+ 4ed}. Health care enterprises must guard protected health information and implement policies and procedures to safeguard it, whether it be in paper or electronic format. Those who wrongfully disclose individually identifiable health information with the intent to sell it can be fined up to $250,000 and spend 10 years in prison.

You can read the report at http://www.himssanalytics.org/research/AssetDetail.aspx?pubid=79879&tid=4

Stay secure!

http://www.cengage.com/community/infosec

Preventing Attacks on Wireless Medical Devices

Mark Ciampa — Sat, 14 Apr 2012 10:24:00 GMT

There have been some recent notable attacks using wireless technology {Chapter 8 Security+ 4ed} , such as the neighbor terrorizing a young couple (see Jul 19 2011 blog) and the massive theft of data from TJX (see Feb 8 2010 blog). Now there are calls for the federal government to step in to protect against wireless attacks of the worst kind: manipulating wireless medical devices.

Last year a security researcher, who was himself a diabetic, demonstrated at the Black Hat security conference a wireless attack on an insulin pump that could change the delivery of insulin to the patient. Recently the security vendor McAfee found that they could scan a public space from up to 300 feet away, find vulnerable pumps made by a specific medical device manufacturer, and then force these devices to dispense fatal insulin doses.

Now the national Information Security and Privacy Advisory Board (ISPAB) has stepped in. It is recommending that one federal government agency like the Food and Drug Administration (FDA) be responsible for ensuring the security of wireless medical devices. It also called for the National Institute of Standards and Technology (NIST) to determine which security features should be enabled by default on these devices. And since most medical devices are connected to the public Internet, the ISPAB said that the United States Computer Emergency Readiness Team (US-CERT) should create "defined reporting categories for medical device cybersecurity incidents."

Let's hope that we never have wireless attacks that make it into those reporting categories.

Stay secure!

http://www.cengage.com/community/infosec

600,000 Infected Apple Macs

Mark Ciampa — Wed, 11 Apr 2012 19:56:00 GMT

Who doesn't know an Apple Mac user who says (more often "gloats") repeatedly that Macs are infinitely more secure than Windows PCs. A recent attack targeted to Macs may shake complacent Mac users into the harsh reality that they too need protection, just like everybody else.

Over 600,000 Apple Macs have been infected with a Trojan {Chapter 2 Security+ 4ed} called Flashback. It is estimated that more than half of these infected computers are in the U.S., while 100,000 are in Canada, 68,000 in the U.K., and 32,000 in Australia. The vulnerability is not in the Apple Mac OS, but instead is a flaw in Java. Java's parent company, Oracle, released patches for this vulnerability back on February 14. However, for some reason Apple elected not to deploy these fixes at the time (they were made available shortly after the information on Flashback was released last week). Strictly speaking, Apple has stopped packaging Java in its operating systems as of July 2011, yet it still issues Java security updates to users running the Lion and Snow Leopard versions of the Mac OS. Why? Because Apple users still encounter the need for Java when accessing specific Web sites that have Java applets and they are prompted to install Java the first time they try to run a Java applet.

Apple users can determine if they are running Java by going to Utilities and launching Terminal within the Application folder and then type "java -version". If the message "No Java runtime support" appears you don't have Java installed; otherwise, the version number of the installed Java software will appear. As an alternative you can disable the Java plug-in from the browser. Because Apple no longer supports Leopard (10.5) with any security updates, including Java patches, disabling the plug-in is the only option.

Apple users must be cautious--just like everyone else--because attackers do not just target a vulnerability in an operating system to launch a successful attack. Web applications, social engineering, and a host of other attack points can be used to compromise a system.

The news on Flashback coincides with another vendor releasing antivirus software {Chapter 5 Security+ 4ed} for the Mac. This now makes at least eight antivirus tools for the Mac now available. Mac users may want to consider one of these products to help protect their computers.

Stay secure!

http://www.cengage.com/community/infosec