Monday, January 18, 2010

Targeted Attacks - 2010 Predictions

We are not far into the new year and already have two really high-profile targeted attacks:
  • The one reported at the end of December was a targeted attack on Google and a few other companies using 0-day code. - Google's release
  • The other is a new report of defense contractors being targeted with an exploit for an only-recently patched Adobe Acrobat Reader vulnerability. - F-Secure's writeup
Not surprisingly, the motivation of would-be attackers continues to move from targets of opportunity to targets of value; the surprising thing is how quickly this trend is progressing.

Saturday, January 2, 2010

Security Updates - 2009/2010

Sorry about the hiatus between posts - it's been a busy holiday season and it isn't showing any signs of slowing down in the next few weeks. I've posted a few tweets here and there for some quick updates but nothing major, so here are a few links that have really caught my eye over the last month or so (some really good stuff here!).

Best Practice / Research updates
  • ISACA has published two new sets of documents for members: an updated guideline on implementing and improving IT governance, and a new framework and practitioner tool-set for identifying and managing IT risks. In my opinion the RiskIT material provides a great high-level explanation of IT risk management principles and an excellent set of tools for identifying and measuring risks as part of an assessment. If you have IT risk management responsibilities and aren't a member of ISACA, it's time to sign up!
Security Tool Updates

There are tons of new updates to tools, in fact too many to list them all here - if your job requires finding and using open-source and commercial tools, your toolbox just got a lot bigger.

PacketStorm Security has a bunch of recent updates to open-source tools, too many to list, but notables include:
  • wafp - web application fingerprinting
  • hostmap - for mining DNS information
  • wapiti - new web application vulnerability scanner
  • scapy - update to a great packet manipulator
  • metasploit! - after the Rapid7 acquisition lots of development happening here...
All for now - have a great new year!

Thursday, November 26, 2009

Today's Security Variety

I've recently come across a few security related items of interest that I thought might be useful to everyone.

1. Shodan - a fairly robust internet search engine that can be used to identify specific products and interfaces. From the site:
"SHODAN lets you find servers/ routers/ etc. by using the simple search bar up above. Most of the data in the index covers web servers at the moment, but there is some data on FTP, Telnet and SSH services as well. Let me know which services interest you the most and I'll prioritize them in my scanning."
2. Social Media Governance - a site with resources targeted at organizations' use of social media. This includes a list of companies and institutions such as Walmart, the BBC and the U.S. Air Force and their social media policies.

3. Wired Story on 9/11 Pager Texts - Looks like Wired is following the wikileaks break of millions of pager messages supposedly captured during the 9/11 terrorist attacks. This will be interesting to follow.

Thursday, November 12, 2009

TLS Renegotiation Vulnerability

As many of you have already heard, a very serious vulnerability was discovered in the TLS protocol, which is used across the general internet to secure many, many forms of communication, from the browser used for online banking to the protocols used to secure messaging servers.

The vulnerability itself is a design weakness in the protocol's renegotiation feature, which allows the encryption parameters of an established session to be renegotiated over a long-standing connection.

Here is a good write-up and links to some other information regarding the issue.

Stay tuned on this though - and expect many, many patches and work-arounds to be issued by vendors.

Wednesday, November 11, 2009

RBS Worldpay Reading

Here are links from a few of the sites that are discussing the details of the RBS Worldpay hack.

Veracode
SOURCE Conference
Cybercrime and Doing Time
Helpnet Security News

I'm going to try to find out more and maybe provide some additional analysis of how this hack seems to follow the same MO as the other credit/debit card hacks.

Thursday, October 15, 2009

Evil Maid and the Challenges of Full Disk Encryption

Joanna and the crew over at Invisible Things have posted a tool to demonstrate how trivial it is to circumvent full-disk encryption products. Evil Maid requires physical access to the machine and the ability to boot it from a USB stick with the software installed; it is then able to transparently record the user's passphrase for the disk.

This is another example of how full-disk encryption products need to be architected carefully to ensure that problems like this can be considered and controls put in place to avoid them.
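One such control is a measured boot rooted in a TPM: every boot component is hashed into a platform configuration register (PCR) before it runs, and the disk key is sealed so the TPM only releases it when the PCRs match the expected boot chain. The following is an added example (not Invisible Things' tool, and not any real product's code) that simulates that mechanism in software; the component names, the storage-root key and the "seal" construction are all constructed for illustration, while the PCR extend rule H(PCR || H(component)) is the one real TPMs use:

```python
"""Simulate TPM-style measured boot and key sealing.

Added example, not from the original post. A tampered bootloader produces a
different PCR value, so a disk key sealed to the expected PCR is not released.
All components, keys and secrets below are constructed sample values."""
import hashlib
import hmac

PCR_BYTES = 32  # SHA-256 PCR bank


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM PCR extend: new PCR = H(old PCR || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_chain(components) -> bytes:
    """Measure each boot-chain component in order, starting from an all-zero PCR."""
    pcr = b"\x00" * PCR_BYTES
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def seal(secret: bytes, expected_pcr: bytes, srk: bytes) -> tuple:
    """Toy seal: bind the secret to a PCR policy.

    Real TPMs encrypt the blob under a key that never leaves the chip and store
    the policy alongside it; here the policy digest is stored in the clear and
    the ciphertext is the secret XORed with an HMAC keyed by the (hypothetical)
    storage root key 'srk'."""
    if len(secret) > PCR_BYTES:
        raise ValueError("toy seal supports secrets up to 32 bytes")
    keystream = hmac.new(srk, expected_pcr, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, keystream))
    return expected_pcr, ciphertext


def unseal(blob: tuple, current_pcr: bytes, srk: bytes):
    """Release the secret only if the current PCR matches the sealed policy, else None."""
    expected_pcr, ciphertext = blob
    if not hmac.compare_digest(expected_pcr, current_pcr):
        return None  # boot chain differs from the one the key was sealed to
    keystream = hmac.new(srk, expected_pcr, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, keystream))


# Constructed sample boot chains and keys.
SRK = b"constructed-storage-root-key"
DISK_KEY = bytes(range(32))
GOOD_BOOT = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
EVIL_BOOT = [b"firmware-v1", b"bootloader-v1-tampered", b"kernel-v1"]


def provision() -> tuple:
    """Seal the disk key to the PCR value of the known-good boot chain."""
    return seal(DISK_KEY, measure_chain(GOOD_BOOT), SRK)


def boot_and_unseal(components, blob):
    """Measure the boot chain that actually ran, then attempt to unseal the disk key."""
    return unseal(blob, measure_chain(components), SRK)


if __name__ == "__main__":
    blob = provision()
    print("good boot releases key:", boot_and_unseal(GOOD_BOOT, blob) == DISK_KEY)
    print("tampered boot releases key:", boot_and_unseal(EVIL_BOOT, blob) is not None)
```

The point of the simulation is the last line: the tampered chain never gets the key, so a passphrase-capturing bootloader has nothing to decrypt with. The caveat a practitioner would add is that this only protects the key at rest; a user who types a passphrase into a tampered pre-boot screen that merely looks like the real one still loses it, which is why measured boot is usually paired with a user-visible attestation of a good boot before the passphrase is requested.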

Thursday, October 1, 2009

NIST SMB Security Guide - Steps in the Right Direction

NIST has published an excellent draft guide on the basics of information security without throwing the users over the deep end. It seems to address the "certainties" of security risks, and provide very basic methods of addressing them, without being too product focused.

It is likely, although it will depend on the organization, that SMBs will need to work through this to understand how their current practices compare to this guidance, and figure out the most effective ways to address any shortfalls.

I would encourage all security professionals to give the guide a read and provide Richard with comments on improvements to make this guide as helpful as possible. Just don't be like Gartner's Adam Hills and post a critique before the standard is published.