Monday, November 25, 2013

Shhh Files, Security Hunters and Malware Writers, Oh My!

I attended Michael Gough and Ian Robertson’s training on Friday, entitled “From Joe to Pro – Finding Malware in Your Environment,” sponsored by our local ISSA Capital of Texas chapter, BSides Austin, Critical Start and SourceFire.  I know from previous software employers who have paid ransoms that there are dirty secrets called Shhh! in security.  While it isn't publicized, companies pay handsome ransoms to keep discovered exploits from being made public.  Government agencies do, too.  In the case of software companies, it’s self preservation.  In the case of government agencies, it might be something tasty they want to let play out, for their own reasons.

First, accolades to Michael and Ian for their service to the security community.  They’re active in ISSA, InfraGard, ISACA and Bsides.  They take time out of their busy days to share security intelligence and their findings as security practitioners with the community.  Great blog about security hunters versus gatherers here: http://hackerhurricane.blogspot.com/2013/11/like-natives-infosec-needs-to-become.html
Caveat, IMHO: grassroots security training, effective patch management, compliance efforts and ongoing security monitoring using conventional means might be called “gathering”; while not sexy, these measures can monitor or alert on many security issues without drama.  That being said, compliance is, by its nature, not very effective against dynamically changing security attacks.

For sure, malware writers have the attacker’s advantage.  They have test labs equipped with available security software.  They are not inclined to release malware that won’t work against common countermeasures.  They choose when and where to release their malware.  Defenders are at a distinct disadvantage. 


The training was great, and enjoyed by a full house of security professionals!  One of the many perks of living in Austin is the community of security practitioners.

Monday, November 11, 2013

The Mysterious Case of ATM Denial of Service: Help Us Figure Out Who Dunnit


A security-conscious friend of mine recently received an automated call telling him that his ATM card was being cancelled due to a data breach.  The robo call said a new card was in the mail, asked him to monitor the account for suspicious activity and not to use the card – hence the denial of service.

Being an infosec professional, he felt there might be more to the story, so he immediately called the bank to get more clues.  He found the keyword to getting intelligent insights from the bank was to use the word “fraud”, which got him to a knowledgeable customer service rep quickly.

The bank’s story:
The bank indicated that they had received a call from VISA specifying the ATM card number “might” have been compromised.  The key thing to understand is that there was apparently a data breach – his ATM number must have been in a breached database, ostensibly a 3rd party database.  Remember, he only used this ATM card at bank-approved ATM machines, not for anything else.  According to the bank, VISA did not tell them which 3rd party or database had been compromised.   

So it’s not a typical data breach, as he had only used the ATM card in question at bank location ATMs.  So how did the ATM number end up in a 3rd party database?  Only a limited number of explanations are immediately obvious:

  1. The bank sold the ATM number
  2. The bank’s ATM network was compromised and this card number was sold
  3. The fraud alert was a fake by VISA or someone masquerading as VISA, designed to cost the bank money to re-issue the ATM cards and to increase consumer fear that their debit transactions are not safe

Scenario 1 is highly unlikely, as it would be a huge GLBA violation for the bank to sell an ATM number, and the bank is liable for any fraud.

Scenario 2 is also unlikely, since there were no fraudulent charges and the alert came from VISA, implying the card was used somewhere.

That leaves Scenario 3, which is pretty darned stinky.  VISA does make more money on credit cards than debit cards.  Also, in the words of Sherlock Holmes, "when you have eliminated the impossible, whatever remains, however improbable, must be the truth." 

So you have the clues - what do you think really happened?  Who dunnit?  Is there another explanation?   




Thursday, November 7, 2013

Katie Moussouris - Mother of Microsoft Security Bounties - at ISSA Capital of Texas Chapter meeting


Katie Moussouris, Senior Security Strategist at the Microsoft Security Response Center, and Mother of Microsoft bounty programs, presented at our ISSA Capital of Texas Chapter meeting today.  Katie is refreshingly unabashed, putting a fresh new face and positive attitude on Microsoft and security.  She’s absolutely not a stodgy, arrogant guy in an ugly suit being indignant about being a target.  She looks more like part of the solution.

Quick version: Microsoft bounty programs are now paying real and significant dollars to ethical hackers who want to do the right thing, which is to use their talents to let the vendor fix security problems before criminals have the pleasure of exploiting them.  Katie described Black Market, Grey Market and White Market approaches.  Enlightened technology providers understand all three, and provide ways for smart hackers to “do the right thing.”  Microsoft is proving itself to be enlightened on this count, with this bounty program.  Good bounty programs flush out targeted attacks faster, sparing law-abiding users from being hurt.

A few details:
  • Companies like Microsoft have target dominance.  If nobody cares about your company, you’re not a target.  If you are a market leading target, consider a bounty program.  Such a program will benefit your users in flushing out weaknesses and vulnerabilities before they can hurt your users.
  • Bounty programs will not tend to attract bad guys, because they know they will make more money with the Black Market.  Well of course.  However, most smart programmers are intrinsically good, wanting to solve problems and foil the bad guys – hence bounty programs are just good business.
  • Bounty programs can’t take the place of good security programming practices.  Sure, it’s great ad-hoc penetration testing, but it doesn’t take the place of investing in security.


All of that, plus Katie wore boots in Texas style!