How to Break Into Security, Schneier Edition

July 2, 2012

Last month, I published the first in a series of advice columns for people who are interested in learning more about security as a craft or profession. In this second installment, I asked noted cryptographer, author and security rock star Bruce Schneier for his thoughts.

Schneier: I regularly receive e-mail from people who want advice on how to learn more about computer security, either as a course of study in college or as an IT person considering it as a career choice.

First, know that there are many subspecialties in computer security. You can be an expert in keeping systems from being hacked, or in creating unhackable software. You can be an expert in finding security problems in software, or in networks. You can be an expert in viruses, or policies, or cryptography. There are many, many opportunities for many different skill sets. You don’t have to be a coder to be a security expert.

In general, though, I have three pieces of advice to anyone who wants to learn computer security:

  • Study: Studying can take many forms. It can be classwork, either at universities or at training conferences like SANS and Offensive Security. (These are good self-starter resources.) It can be reading; there are a lot of excellent books out there — and blogs — that teach different aspects of computer security. Don’t limit yourself to computer science, either. You can learn a lot by studying other areas of security, and soft sciences like economics, psychology, and sociology.
  • Do: Computer security is fundamentally a practitioner’s art, and that requires practice. This means using what you’ve learned to configure security systems, design new security systems, and — yes — break existing security systems. This is why many courses have strong hands-on components; you won’t learn much without it.
  • Show: It doesn’t matter what you know or what you can do if you can’t demonstrate it to someone who might want to hire you. This doesn’t just mean sounding good in an interview. It means sounding good on mailing lists and in blog comments. You can show your expertise by making podcasts and writing your own blog. You can teach seminars at your local user group meetings. You can write papers for conferences, or books.

Secunia’s Auto-patching Tool Gets Makeover

June 29, 2012

Vulnerability management firm Secunia has shipped a new version of its auto-patching tool — Personal Software Inspector 3.0 — a program for Windows users that can drastically simplify the process of keeping up-to-date with security patches for third-party software applications.

The final release of PSI 3.0 supports programs from more than 3,000 software vendors, and includes some key changes that address shortcomings identified in the beta version that I highlighted back in February.

The 3.0 version of PSI still keeps auto-patching on by default at installation, although users can uncheck this box and choose to manually install all available updates for third-party programs. Unlike the beta version — which was radically devoid of tweakable options and settings — the version released this week provides a more configurable interface that should be more appealing to longtime users of this tool.

Users also can review the history of installed updates, and select which hard drives should be scanned, options absent from the beta release. PSI 3.0 also lets users create rules that tell the software to ignore updates for particular programs.

Overall, the new PSI strikes a fair balance between configurability and ease-of-use, and is a notable improvement over the beta version. However, I had trouble with the program after installing it on my test machine — a Windows 7 64-bit machine with 8 GB of memory. The program seemed to get stuck on scanning for updates, and for an excruciating eight minutes or so the software sucked up most of my machine’s available memory and processing power. The only way I could get my system back to normal was to reboot the system.

DNSChanger Trojan Still in 12% of Fortune 500

June 28, 2012

In about two weeks, hundreds of thousands of computer users are going to learn the hard way that failing to keep a clean machine comes with consequences. On July 9, 2012, any systems still infected with the DNSChanger Trojan will be summarily disconnected from the rest of the Internet, and the latest reports indicate this malware is still resident on systems at 12 percent of Fortune 500 companies, and roughly four percent of U.S. federal agencies.

DNSChanger chronology. Source: Internet Identity

In a bid to help users clean up infections, security experts won court approval last year to seize control of the infrastructure that powered the search-hijacking Trojan. But a court-imposed deadline to power down that infrastructure will sever Internet access for PCs that are not rid of the malware before July 9, 2012.

According to Internet Identity, 12 percent of all Fortune 500 companies and four percent of “major” U.S. federal agencies are still infected (a link to Internet Identity’s full infographic is here). According to the latest stats from the DNSChanger Working Group (DCWG), an industry consortium working to eradicate the malware, more than 300,000 systems are still infected.

That number is likely conservative: The DCWG measures infections by Internet protocol (IP) addresses, not unique systems. Because many systems on the same local network share a single public IP address, the actual number of DNSChanger-infected machines is probably quite a bit higher than 300,000.

‘Carderprofit’ Forum Sting Nets 26 Arrests

June 26, 2012

The U.S. Justice Department today unveiled the results of a two-year international cybercrime sting that culminated in the arrest of 26 people accused of trafficking in hundreds of thousands of stolen credit and debit card accounts. Among those arrested was an alleged core member of “UGNazi,” a malicious hacking group that has claimed responsibility for a flood of recent attacks on Internet businesses.

The carding forum Carderprofit.cc was an FBI sting operation.

Federal officials are calling the operation the largest coordinated international law enforcement action in history directed at “carding” crimes, in which the Internet is used to traffic in and exploit the stolen credit card, bank account and other personal information of hundreds of thousands of victims.

According to documents released by the Justice Department, the sting — dubbed “Operation Card Shop” — began in June 2010, when the FBI established an undercover carding forum called “CarderProfit” (carderprofit.cc) to identify users who were buying and selling stolen credit card accounts and goods purchased with stolen accounts.

The FBI kept track of Internet addresses used by forum members, and used members’ login information to gather additional information about registered users. The agency tightened the noose in May 2012, when it began imposing new membership requirements to restrict site membership to individuals with established knowledge of carding techniques or interest in criminal activity.

“For example, at times, new users were prevented from joining the site unless they were recommended by two existing users who had registered with the site, or unless they paid a registration fee,” the government said in a statement about today’s arrests. “New users registering with the [undercover] site were required to provide a valid e-mail address as part of the registration process. The e-mail addresses entered by registered members of the site were collected by the FBI.”

Carderprofit.cc as it appears now.

Meanwhile, the feds were collecting stolen credit and debit card accounts that were being traded by forum members, and feeding the information back to issuing banks. The Justice Department said it contacted affected financial institutions regarding more than 411,000 compromised credit and debit cards, and notified 47 companies, government entities, and educational institutions of the breach of their networks.

Bank Settles With Calif. Cyberheist Victim

June 26, 2012

A California escrow firm that sued its bank last year after losing nearly $400,000 in a 2010 cyberheist has secured a settlement that covers the loss and the company’s attorneys fees. The settlement is notable because such cases typically favor the banks, and litigating them is often prohibitively expensive for small- to mid-sized businesses victimized by these crimes.

In March 2010, organized computer crooks stole $465,000 from Redondo Beach, Calif.-based Village View Escrow Inc., sending 26 consecutive wire transfers from Village View’s accounts to 20 individuals around the world who had no legitimate or previous business with the firm. The escrow firm clawed back some of the stolen funds — $72,000 — but that still left Village View with a $393,000 loss, forcing the company’s owner to take out a personal loan at 12 percent interest to cover the loss of customer funds.

In June 2011, Village View sued its financial institution — Professional Business Bank — arguing that the bank was negligent because it protected customer accounts solely with usernames and passwords. Last week, Village View announced that it had reached a settlement with its bank that recovers more than the full amount of the funds taken from the account plus interest.

Kim Dincel, a shareholder at Silicon Valley Law Group, which represented the plaintiffs, said the Uniform Commercial Code and its corresponding California Commercial Code limit the damages resulting from wire transfer fraud to only the actual amount of money lost plus interest — nothing more. Common law claims such as negligence, breach of contract and fraud, and the damages attached to them, are generally precluded from being asserted by a victim of wire transfer fraud in such a lawsuit, he added.

“Banks typically deny liability for the cyber-theft which forces small businesses to spend money they do not have on legal fees and regulatory expenses in order to recover a limited and defined set of damages under the Uniform Commercial Code (UCC),” Dincel said in a prepared statement released Monday.

The Bank of Manhattan, which acquired Professional Business Bank last month, did not return calls seeking comment.

How to Break Into Security, Ptacek Edition

June 25, 2012

At least once a month, sometimes more, readers write in to ask how they can break into the field of computer security. Some of the emails are from people in jobs that have nothing to do with security, but who are fascinated enough by the field to contemplate a career change. Others are already in an information technology position but are itching to segue into security. I always respond with my own set of stock answers, but each time I do this, I can’t help but feel my advice is incomplete, or at least not terribly well-rounded.

I decided to ask some of the brightest minds in the security industry today what advice they’d give. Almost everyone I asked said they, too, frequently get asked the very same question, but each had surprisingly different takes on the subject. Today is the first installment in a series of responses to this question. When the last of the advice columns have run, I’ll create an archive of them all that will be anchored somewhere prominently on the home page. That way, the next time someone asks how they can break into security, I’ll have more to offer than just my admittedly narrow perspectives on the matter.

Last month, I interviewed Thomas Ptacek, founder of Matasano Security, about how companies could beef up password security in the wake of a week full of news about password leaks at LinkedIn and other online businesses. Ptacek’s provocative advice generated such a huge amount of reader interest and further discussion that I thought it made sense to begin this series with his thoughts:

Ptacek: “Information security is one of the most interesting, challenging, and, if you do it carefully, rewarding fields in the technology industry. It’s one of the few technology jobs where the most fun roles are well compensated. If you grew up dreaming of developing games, the laws of supply and demand teach a harsh lesson early in your career: game development jobs are often tedious and usually pay badly. But if you watched “Sneakers” and ideated a life spent breaking or defending software, great news: infosec can be more fun in real life, and it’s fairly lucrative.

PharmaLeaks: Rogue Pharmacy Economics 101

June 22, 2012

Consumer demand for cheap prescription drugs sold through spam-advertised Web sites shows no sign of abating, according to a new analysis of bookkeeping records maintained by three of the world’s largest rogue pharmacy operations.

Researchers at the University of California, San Diego, the International Computer Science Institute and George Mason University examined caches of data tracking the day-to-day finances of GlavMed, SpamIt, and Rx-Promotion, shadowy affiliate programs that over a four-year period processed more than $170 million worth of orders from customers seeking cheaper, more accessible and more discreetly available drugs. The result is perhaps the most detailed analysis yet of the business case for the malicious software and spam epidemics that persist to this day.

Their conclusion? Spam — and all of its attendant ills — will remain a prevalent and pestilent problem because consumer demand for the products most frequently advertised through junk email remains constant.

“The market for spam-advertised drugs is not even close to being saturated,” said Stefan Savage, a lead researcher in the study, due to be presented early next month at the 21st USENIX security conference in Bellevue, Wash. “The number of new customers these programs got each day explains why people spam: Because sending spam to everyone on the planet gets you new customers on an ongoing basis, so it’s not going away.”

The researchers found that repeat customers are critical to making any rogue pharmacy business profitable. Repeat orders constituted 27% and 38% of average program revenue for GlavMed and SpamIt, respectively; for Rx-Promotion, revenue from repeat orders was between 9% and 23% of overall revenue.

“This says a number of things, and one is that a lot of people who bought from these programs were satisfied,” Savage said. “Maybe the drugs they bought had a great placebo effect, but my guess is these are satisfied customers and they came back because of that.”

Whether the placebo effect is something that often applies with the consumption of erectile dysfunction drugs is not covered in this research paper, but ED drugs were by far the largest category of pills ordered by customers of all three pharmacy programs.

One interesting pattern that trickled out of the Rx-Promotion data underscores what made this pharmacy affiliate unique and popular among repeat buyers: A major portion of its revenues was generated through the sale of drugs that have a high potential for abuse and are thus tightly controlled in the United States, including opiates and painkillers like Oxycodone, Hydrocodone, and mental health pills such as Adderall and Ritalin. The researchers noticed that although pills in this class of drugs — known as Schedule II in U.S. drug control parlance — comprised just 14 percent of orders for Rx-Promotion, they accounted for nearly a third of program revenue, with the Schedule II opiates accounting for a quarter of revenue.

“The fact that such drugs are over-represented in repeat orders as well (roughly 50 percent more prevalent in both Rx-Promotion and, for drugs like Soma and Tramadol, in SpamIt) reinforces the hypothesis that abuse may be a substantial driver for this component of demand,” the researchers wrote.

A Closer Look: Email-Based Malware Attacks

June 21, 2012

Nearly every time I write about a small- to mid-sized business that has lost hundreds of thousands of dollars after falling victim to a malicious software attack, readers want to know how the perpetrators broke through the victim organization’s defenses, and which type of malware paved the way. Normally, victim companies don’t know or disclose that information, so to get a better idea, I’ve put together a profile of the top email-based malware attacks for each day over the past month.

Top malware email attacks in past 30 days. Source: UAB

This data draws from daily reports compiled by the computer forensics and security management students at the University of Alabama at Birmingham, a school I visited last week to give a guest lecture and to gather reporting for a bigger project I’m chasing. The UAB reports track the top email-based threats from each day, and include information about the spoofed brand or lure, the method of delivering the malware, and links to Virustotal.com, which show the percentage of antivirus products that detected the malware as hostile.

As the chart I compiled above indicates, attackers are switching the lure or spoofed brand quite often, but popular choices include Amazon.com, the Better Business Bureau, DHL, Facebook, LinkedIn, PayPal, Twitter and Verizon Wireless.

Also noticeable is the lack of antivirus detection on most of these password-stealing and remote-control Trojans. The average detection rate for these samples was 24.47 percent, while the median detection rate was just 19 percent. This means that if you click a malicious link or open an attachment in one of these emails, there is less than a one-in-five chance your antivirus software will detect it as bad.

Beware Scare Tactics for Mobile Security Apps

June 20, 2012

It may not be long before your mobile phone is beset by the same sorts of obnoxious, screen-covering, scaremongering ads pimping security software that once inundated desktop users before pop-up blockers became widely used.

A mobile ad for SnapSecure's software

Richard M. Smith, a Boston-based security consultant, was dining out last Friday and browsing a local news site with his Android-based smart phone when his screen was taken over by an alarming message warning of page errors and viruses. Clicking anywhere on the ad took him to a Web site peddling SnapSecure, a mobile antivirus and security subscription service that bills users $5.99 a month.

“This particular ad takes over the entire screen on my Android phone, so it gives the impression of being rather ominous,” Smith said, noting that it was the second time in as many days that he’d encountered the rogue ad. He further explained that the ad simply appeared when he browsed to a news story, and that he hadn’t clicked on an ad or anything unusual.

Michael Subhan, vice president of marketing for SnapSecure, said the company traced the ads back to some rogue marketing affiliates that have since been banned from its advertising program.

“We did find out which affiliate was serving up the ad, and they will be blacklisted from the network,” Subhan said. “We have strict advertising policies, and do not tolerate rogue affiliates. Unfortunately, with the volume of advertising that we do, there are sometimes affiliates that try and get around our guidelines.”

Meanwhile, the ad linked to in the overlay image still appears to be live and redirecting users to the SnapSecure purchase page.

Naming and Shaming the Plaintext Offenders

June 15, 2012

It was a fitting end to a week dominated by news of password breaches at major Internet companies. I’d sent a password reset request to a hosting provider I’ve used for years to host a file server online, and received an alarming response: The company sent me my password in plain text, all but advertising that they have zero regard for the security of their customers’ private information.

The site was used to store inconsequential files and images, but I cancelled my subscription nonetheless because the company’s response to my password reset request proved that they were storing my password without even making the weakest attempts at encrypting the information or storing it in a protected format.

Sadly, this practice appears to be quite common, particularly among low-cost hosting providers. I confronted the company, Hosting Metro, about its practices, but received no material response to my complaints aside from an automated “sorry to see you go” email.

I also submitted a redacted screen shot of the password reset email to plaintextoffenders.com, a site that regularly posts user-submitted images of password reset emails from companies that exhibit a complete lack of regard for customer password security. I would encourage all readers to do the same for any site that sends passwords in the clear.

Like many previous visitors to plaintextoffenders.com, I was surprised to see that the site’s search function does not work. The administrators of the forum seem to be aware of this, and have noted that visitors can search by company name via Google, by using the search convention “site:plaintextoffenders.com” followed by a Web site or company name. I would welcome the development of a browser plugin that uses a database of offending sites to warn users when they visit a site that practices unforgivably sloppy password security. Naming and shaming may be the only way to change this all-too-common practice.