Category Archives: Business

Do Organizations Take Care of Their Online Presence?

For a few months now, my toy leakedin.com has been back online. When I brought the website up again, a question immediately popped into my mind: “How do I protect myself against angry users or organizations unhappy to see potentially sensitive data disclosed?“. The website compiles interesting data like credit card numbers, configuration files, login/password lists, etc. After all, the data grabbed from pastie websites are already publicly available; I’m just compiling my findings in a central place. To prove my good faith, I decided to add an abuse page where people can find help to request the removal of their data. Was this helpful? I think it’s time for a small review of the abuse reports received!

The blog was announced and started to collect data on March 16th 2012. The first request came into the abuse mailbox on March 23rd! Up to now, 14 requests have been received. For which types of data?

  • Leaked emails / SMTP headers (1 time)
  • Social Security Numbers (1 time)
  • Defamation via a website (1 time)
  • Personal information (1 time)
  • Configuration files (2 times)
  • Credit Card Information (3 times)
  • Email / Password dump (4 times)
  • Database dump (1 time)

What about people vs organizations?

  • Individuals (11 times)
  • Organizations (3 times)

Amongst the three organizations, one was a big European bank which had detected several references to its brand or to its customers. Good catch! Of course, all the requests to delete the offending content were processed as soon as possible.

What can we conclude? leakedin.com is heavily indexed by most search engines. The Google crawler visits the pages at regular intervals. Even if the website is not well-known (approximately 500 visits per day), it’s easy to find references to my site via Google. Based on the very low number of abuse requests I received, I can conclude that organizations don’t care much about their brand or about the information published about them. Note that the same applies to individuals. Who’s monitoring their domain names, logins, IP addresses? I do!

Everything Can Be Outsourced But Not Your Responsibility!


Today almost all organizations outsource some of their IT projects to third-party partners. Due to the ever-changing landscape in information technology, it is virtually impossible for an organization to have in-house knowledge in all domains of technology. The web presence is perhaps the domain where projects are most often outsourced, to “web agencies”. Today, organizations must have an online presence and look attractive to customers, investors and more; you know, everything we put under the term “Web 2.0”. Alas, still today, many web agencies don’t have a clue about security or do not give it the right priority.

The recent attack against the Arcelor Mittal website is a very good example! They were compromised by Anonymous Belgium and some data were posted on pastebin.com. My goal is not to debate Anonymous Belgium’s actions (which remain illegal in Belgium as in most countries); hacktivism has pros and cons. But when data are posted, it’s always interesting to have a look at them to learn more about the attack. In this case, the website’s Achilles’ heel was a Perl script:

http://www.arcelormittal.com/distributionsolutions/prg/selfware.pl?id_sitemap=1

http://www.arcelormittal.com/fce/prg/selfware.pl?id_sitemap=1

http://www.arcelormittal.com/automotive/prg/selfware.pl?id_siremap=1

First, is the script common or is it part of a well-known CMS? Google gave me the answer. The query “inurl:selfware.pl” returned only 2960 hits! Most of them refer to Arcelor Mittal websites, but other domains of activity show up too:

  • arcelormittal.com
  • arcelormittalgent.com
  • constructalia.com
  • prepaintedmetal.eu
  • prepaintedmetalacademy.eu
  • prelaque.com
  • ziekenhuiswaregem.be
  • seniordepartment.be
  • prelague.com
  • aep-group.eu

Of course, the same script makes the other websites vulnerable to the same SQL injection. No need to fire up sqlmap: just append a single quote (‘) to the parameter and you get this error:

  Software error:

  SELECT id_sitemap, s_type FROM sitemap WHERE base = 14' AND active = 'Y' ORDER BY s_order LIMIT 0,1
  You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND active = 'Y' ORDER BY s_order LIMIT 0,1' at line 1 at libs/selfware.pm line 591.

By checking the primary name servers and whois registration data, it’s easy to discover that all the sites mentioned above were developed by a single web agency located in Belgium. I won’t give the name here (such companies are sometimes more reactive on the legal front than at fixing their crappy code). And my goal is not to destroy their image; they are big enough to do it by themselves!
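
To make the error above concrete, here is an added example (it is not the Arcelor Mittal script, which was never published; only the table and column names are taken from the error message, the rows and the SQLite stand-in for MySQL are constructed). It shows the lookup with the user-supplied value pasted into the SQL string, next to the same lookup using a bound parameter. Note what the error page itself gives away besides confirming the injection: the full query, the table and column names and the path of the module (`libs/selfware.pm line 591`). Verbose errors should never reach the browser.

```python
import sqlite3

# Schema and rows are constructed for this example; only the table and
# column names (sitemap, id_sitemap, s_type, base, active, s_order)
# come from the error message shown on the page.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sitemap (id_sitemap INTEGER, s_type TEXT, "
                "base INTEGER, active TEXT, s_order INTEGER)")
    con.executemany("INSERT INTO sitemap VALUES (?, ?, ?, ?, ?)", [
        (1, "home",  14, "Y", 10),
        (2, "news",  14, "N", 20),
        (3, "admin", 99, "Y", 5),   # belongs to another site (base 99)
    ])
    return con


def lookup_vulnerable(con, base):
    # The parameter lands unquoted in the SQL text, which is exactly what the
    # "base = 14'" fragment of the error on the page reveals.
    sql = ("SELECT id_sitemap, s_type FROM sitemap WHERE base = " + base +
           " AND active = 'Y' ORDER BY s_order LIMIT 0,1")
    return con.execute(sql).fetchall()


def probe(con, base):
    """Behave like the CGI script: return the rows, or the database error
    text that such a script would print to the browser."""
    try:
        return ("rows", lookup_vulnerable(con, base))
    except sqlite3.OperationalError as e:
        return ("error", str(e))


def lookup_safe(con, base):
    # Fix: check the type first, then bind the value. The driver sends it
    # separately from the SQL text, so it can never alter the query.
    try:
        base = int(base)
    except ValueError:
        return []
    sql = ("SELECT id_sitemap, s_type FROM sitemap WHERE base = ?"
           " AND active = 'Y' ORDER BY s_order LIMIT 0,1")
    return con.execute(sql, (base,)).fetchall()


if __name__ == "__main__":
    con = build_db()
    for value in ("14", "14'", "0 OR 1=1"):
        print(f"{value!r:12} vulnerable -> {probe(con, value)}")
        print(f"{value!r:12} safe       -> {lookup_safe(con, value)}")
```

The single quote produces the syntax error seen on the page, and `0 OR 1=1` shows why that error matters: the injected condition returns the first active record of any site, not just the one the script was supposed to look up. The parameterized version returns nothing for both payloads.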

Let’s put the technical stuff aside now. What are the conclusions of this story? If you outsource some (web) development tasks to an external partner, don’t forget that YOUR name will be on the front of the stage! The data breach had a big impact on Arcelor Mittal: their name was all over the media (social and classic). It’s up to you to take the appropriate measures to avoid this situation. Everything can be outsourced but not your responsibility. The code that is written is used by your customers or team members and processes your data! How to address this issue?

Scenario 1: You delegate the full development life cycle to your partner. In this case, you must implement controls to verify compliance with the original requirements during the complete development cycle.

Scenario 2: You delegate the development to your partner but you perform the compliance controls yourself (code review, penetration testing). This can be done internally or by a third-party partner.

In both cases, a close relationship must be established with the partners. Finally, don’t put all your eggs in one basket: some people are good developers, others are skilled system administrators. Is it a good idea to host your websites on an external server maintained by your web agency? Do they apply patches? Do they monitor the servers? Do they keep an eye on the logs? As with cloud services, the primary goal is often cost reduction. But it must be properly implemented, otherwise the costs could be… worse! Like a simple SQL injection in crappy code…

Are You “NG” Ready?

“Next Generation” or “NG”… Two magic letters used by more and more v€ndor$ to promote new versions of their products: Next Generation firewalls, Next Generation SIEM, Next Generation IDS. There are many examples. Google reports 34M hits when searching for “next generation security”! In my humble opinion, “next generation” security products can be compared to “bio” consumer products: “Next Generation” is a pure marketing term. Security must always evolve. New threats are discovered every month (every day?) and security products must adapt to protect our assets. Will you buy a product just because it is stamped “Next Generation”?

Your security issues must be properly analyzed, and only then do you choose the right solution, the one which matches your technical, business and all the other types of requirements. After a review of the different available solutions, if a Next Generation device is the best one, go for it! Example: if you have a lot of mobile users and you need granularity in your policies like “users belonging to group A may surf the web” or “users belonging to group B may access this mail server”, choose a Next Generation firewall which can be linked to a user directory. Otherwise, there is a risk of introducing complexity for nothing.

This post sat in my draft folder for a while. I released it just before the opening of infosecurity.be in Brussels. This is a very commercial/marketing event where all security actors are parked in one place. All v€ndor$ will promote their new “revolutionary” products. Don’t be fooled: if you’re looking for a security solution, take your time, grab some docs, go back home and take some time to think it over! Just my $0.02.

Zen Attitude!

The coming days will bring a special atmosphere. Christmas and New Year’s Day are a good occasion to relax and… to make good resolutions! For people involved in information security, a good one could be to adopt the “zen attitude” and try to establish more diplomatic relations with the business.

I just finished a security audit. Apart from small security issues and some procedures to be improved, no major threats. The teams know their environment and how to manage it. The biggest concern was the relationship between the “business” and “security”. In the report conclusions, one of my recommendations was to invite both parties around a table and… discuss!

A classic scenario: the “business” wants to access a specific resource or to deploy a new “free-killer-application”, regardless of any security consideration. For the majority of us, the first reflex is a negative reaction (from the business point of view). We know what the consequences of such changes could be at the security level. But the business does not care! And we can’t blame them for this…

Information security is a fascinating topic, constantly renewing itself! And we, infosec professionals, like this. Unfortunately, a lot of us (honestly, myself included!) lack contact with business reality. Don’t forget that the assets we are protecting do not belong to us. They are maintained by IT and used by the business for the business. We can’t stop the business. Does it mean that we must accept all requests? Certainly not.

Back to the example above: it sounds logical that people require more access to assets or new tools. And it’s also our job to warn about the potential security issues… How to successfully deliver your message? Here are some tips:

  • First, stay zen, breathe deeply and avoid any hasty answer.
  • Infosec guys are seen as “geeks” with their own vocabulary. They speak “bits & bytes”, “TCP/IP”, “CVE” or “buffer overflow”. Adapt your language to the people standing in front of you.
  • Translate the “security” risks into “business” risks. How can they affect the organization: loss of profit, loss of credibility, etc.?
  • Do not discuss hot topics next to the coffee machine. Reserve a meeting room and prepare your arguments.
  • Don’t close the discussion; propose alternatives, be constructive!
  • Propose to perform a risk assessment. Explain the risks, the impacts, and how to avoid or reduce them. If a risk must be accepted, at least it is known by all parties.
  • Finally, if the situation seems blocked, ask top management to take part in the conversation.

As you see, good communication is the key to success! This was my reflection just before Christmas! Comments are welcome! Merry Christmas to you all and your families!

Address the Security Threats at Source

Information security is a recurrent process. New threats arise and must be properly handled.

In August 2009, I already reported a story and came to the following conclusion: the principle of “action – reaction” as described by Newton is not applicable to information security!

Here is another good example, with the following post I read in a forum:

Here’s an interesting dilemma that I just came across: scanned PDF attachments that have privacy information within the document.

Has anybody seen any solutions that will detect this and alert or block on this information?

I’ll post a sample of what I found during an audit so you can get an idea of what I’m seeing. Most of the DLP solutions that I’ve seen have no engine to detect SSN/DOB within a graphical attachment or PDF, for example.

A standard DLP (“Data Loss Prevention”) solution will be helpless in this case. Most DLP solutions are able to search text documents for sensitive data. But here, a scanner produces a graphical representation of the data, and inspecting it would require the help of OCR (“Optical Character Recognition”) technologies. This would consume a huge amount of resources!

Instead of using the “action – reaction” principle, a better approach would be to analyze the data used inside the organization. When I read this post, the first question which popped into my mind was “WTF, why do people try to send SSNs within attached scans?“. Organizations are responsible for the data processed inside their perimeter and have to implement data management procedures following well-known principles like:

  • CIA (“Confidentiality – Integrity – Availability”)
  • Least-privilege access
  • Defined data owners
  • etc.

With the help of a deep analysis and by implementing correct upstream procedures (“at the source of the problem”), most threats could be fixed or greatly reduced. Deploying a software or hardware solution in an emergency is never the right solution:

  • It adds complexity to the existing infrastructure
  • It could introduce performance bottlenecks
  • It often has huge costs! ($$$$)

To conclude, my message is certainly not that DLP solutions are useless, certainly not! (Dear DLP v€ndor$, don’t shoot me! ;-) ) They can be very useful to detect suspicious activities, but do NOT rely entirely on them! Their goal is not to be used as a first layer of defense! Have a clear view of the data types used by your business and how they are processed by your IT infrastructure.

Be the Conductor of Your Security!

I visit organizations and companies for miscellaneous projects and I’m often scared by the lack of “visibility” they have on their infrastructure. For years now, new components have been deployed by pure requirement or (honestly) by business “pressure”: firewalls, IDS/IPS, (reverse) proxies, WiFi, SSL VPNs, etc. All those solutions, hardware as well as software, are deployed with their own management tools and sometimes their own protocols! Once all these security toolboxes are in place, the next question soon arises: “That’s cool but… how can I be sure that all security components work together?“

A good example is the buzz around AET or “Advanced Evasion Techniques”, released by Stonesoft a few weeks ago. If you are interested in evasion techniques, Stonesoft presented a first piece of research during the 2009 edition of hack.lu. At the time, their announcement did indeed look like a major flaw in IDS systems, but I decided not to blog about it and let some time pass. Why? First, do you have an IDS? Not sure! Small organizations do not have the resources (money, time, people) to maintain an IDS. You’re lucky and you have one? Do you rely on your IDS? I hope not! Let’s imagine that your IDS does not detect a malware injected into your network via an advanced evasion technique; your anti-virus solution should do the job… in a perfect world…

This kind of flaw could also affect other devices. To prevent this, your security must be based on multiple layers of defense. Adding multiple layers also increases the complexity of their maintenance. To increase your security even more, you have to be the conductor of all those solutions and make them work together in a coherent way! How to achieve this?

  • Keep them up to date (apply the released patches)
  • Keep the configurations clean and simple (perform regular “spring cleanups”)
  • Centralize all the logs in a single secured place
  • Use tools to analyze the logs and create security incidents
  • Keep documentation of your infrastructure
  • Keep your data flows under control
  • Keep strong access policies to your data (“least privilege”)

And remember, you don’t need the latest killer-SIEM-solution to achieve this. There are plenty of free tools to build a simple and effective log management solution. Remember, visibility is the keyword!

Is the SIEM Landscape Changing?

If you follow the IT news feeds, you probably learned today that HP bought ArcSight for $1.5 billion. ArcSight is not a well-known public name but is a leader in the SIEM (“Security Information & Event Management”) market. This announcement has already generated lots of comments, positive as well as negative.

Log management, security incidents and related stuff are of great interest to me and (why keep it secret?) I work with ArcSight products. This news directly interested me. What could change in the security landscape, from my little point of view?

ArcSight was a stand-alone, profitable company focused on SIEM solutions. This means that they MUST stay at the state of the art in their domain. They do not have alternative revenues. They have to pull the market upwards.

Now that they will be integrated into the HP “products portfolio”, there is a risk of seeing the SIEM products offered as just one item among other security tools. But a SIEM is first of all a process! It’s not just a few boxes with licenses and maintenance contracts. Will we see the same story as EMC, which took control of RSA, which had previously taken control of Network Intelligence and their enVision product? The decision of HP sounds logical: they don’t have a SIEM or log management solution right now and, as the market is growing, they have to offer a solution to their customers. But, dear HP, please do NOT consider ArcSight as just another component of your HP OpenView suite. Please!

From a positive point of view now, it’s a big win for ArcSight; congratulations guys and keep up the good work! Personally, I don’t care about the boxes. Delivered with blue covers instead of red ones, running on Dell or ProLiant hardware, who cares? We don’t see them in the data centers. But please don’t lose your identity and stay in the upper-right part of the magic quadrant!

My First Visit @ FIC2010

I’m back from Lille (France) where the 4th edition of “FIC” – “Forum International sur la Cybercriminalité” – was organized over two days. This was my first edition and I was pleasantly surprised: I was a bit afraid of attending an event organized in France for French-speaking people about French topics. Certainly not! It was multinational and people visiting the event came from a lot of different countries. The FIC is not a “technical” event (new exploits or new attack vectors are not presented by hackers as at common security conferences). Visitors and speakers are police departments, authorities, mayors of cities, politicians, etc., and the topics were oriented towards legal aspects. There were a lot of interesting sessions and, as usual, it was difficult to attend all of them.

My first choice was an open discussion organized by the OSCE about “A comprehensive approach to cyber-security”. The OSCE (“Organization for Security and Co-operation in Europe”) is an organization which has a lot of different activities around security, and one of them is, more and more, cyber-security. After a presentation of the OSCE, six speakers had ten minutes each to present their view of cyber-security, ending with a questions-and-answers session. Some facts given during the talks:

  • The Council of Europe is involved in lots of projects to address the move to a trans-national dimension of cyber-crime (with a lot of jurisdiction issues).
  • A good balance must be kept between security and freedom of speech.
  • Problem with electronic evidence: it is often “volatile” (quick reaction needed).
  • More cooperation between countries is a requirement.

Another potential issue: critical infrastructure (like power plants) is controlled by computers. They are prone to failures and human errors. But computers also help us to find evidence (ex: with DNA and fingerprint databases). Cyber-crime activities occur below the radar and are automated: it’s easier to steal 100000 x 1€ than 1 x 100000€. A member of Scotland Yard (Keith Verralls) spoke about operation “Mazhar” and explained how evidence was used to track criminals. Finally, EuroISPA (“European Internet Service Providers Association”) explained the role of ISPs in the fight against online crime. The conclusions of this discussion were:

  • To have a global vision of the issues.
  • To keep police departments updated on new threats and new technologies.
  • To never underestimate the cyber-criminals.

After a break, I followed a presentation of 2centre (“Cybercrime Centre of Excellence Network for Training, Research and Education”). This organization defines methods for training law enforcement in forensic investigations. At the moment, there are two members: the University College Dublin Centre for Cybercrime Investigation and the Université de Technologie de Troyes. But others could join in the near future (they spoke about Belgium?).

The next talk was the most interesting: fighting the download of illegal material. It started with a presentation of the current status in France (you know the famous “HADOPI” law). A member of the Japanese cyber-police explained how they fight the download of illegal files on P2P networks. I learned that the first P2P application used in Japan is “Winny”. The countermeasures applied in Japan are:

  • Crackdown
  • Act amendment
  • Communication (“We are watching what you are sharing”)

A representative of Advestigo explained how they track files on P2P networks using hashes. But new techniques will allow generating a fingerprint of the data (tests on video files reported a successful detection in 96% of the checks). Then, the legal aspects of the HADOPI law were explained and, of course, the major issues the authorities are facing. To sum up: it’s impossible to apply this law in a correct way. And of course, IP addresses are still the focus of debate: are they considered private data or not? But one thing is clear: they cannot identify a user with 100% accuracy.

After the HADOPI fun, a talk covered the future of the Internet (what else after Web 2.0?). The speakers reviewed the differences between Web 1.0 and Web 2.0 and explained that people change! The mentality of young people is not the same as 20 years ago. Teenagers find it normal to put private pictures on Facebook and do not realize that those pictures could be used against them in a few years.

To end the day, the closing plenary conference spoke about the right to have one’s wrongdoings erased from the Web. All speakers agreed on a golden rule: the right to keep our privacy. And this must be enforced via education. Interesting statistic: in the USA, 70% of recruiters have already decided not to hire a candidate based on information found on social networks. New applications must be developed using the principle of “privacy by design”.

The talks were interesting, and listening to the legal aspects of cyber-security makes a change from the classic “bits & bytes” presentations. In the main room, there were some exhibitors which presented technical solutions (I saw nice devices to perform forensic investigations on mobile phones!) or legal services. BTW, there was a huge presence of policemen in the area and at the exhibition. For sure, the place was safe ;-)

Close the Security Holes in your Firewalls!

Who is not protected by a firewall today? Nobody! Our Internet (as well as local) traffic is inspected by multiple firewall layers. They are present everywhere: on Internet gateways, in front of data centers, between departments; even your workstation is running a firewall. For a few years, a new type of firewall has emerged, called “Next Generation” firewalls. What’s the difference with classic ones? Roughly, the new players really filter packets up to layer 7. Instead of old-fashioned rules like “IP a.b.c.d is allowed to connect to IP e.f.g.h on port xxx“, Next Generation firewalls understand: “User JohnDoe is allowed to use MSN but he cannot transfer files“.

Regardless of the firewall types deployed, all of them have security holes! Just because firewalls are maintained by humans and we are… well known to make mistakes! Today’s organizations are protected by plenty of firewalls developed by multiple vendors. They are managed by multiple teams working in shifts, in different countries or outsourced. One of the biggest issues is to assume that firewalls are bullet-proof. Good examples are some risk assessment frameworks. Auditors are mandated to audit an organization’s security perimeter and base their job on checklists:

  • Do you have a firewall? [Yes|No]
  • Does your firewall have a high-availability configuration? [Yes|No]
  • Does your firewall implement stateful inspection? [Yes|No]

If you answered “Yes” to those three questions, there is absolutely no guarantee that your business is safe! The firewall policies (security, NAT, etc.) must be regularly reviewed to avoid common errors. They are usually not committed to harm the organization’s security but are just the result of human mistakes. Here are some examples:

  • Errors while calculating subnet masks
  • Typos (so dumb!)
  • A rule whose allowed protocols were deleted and which silently became “Any”
  • Bad anti-spoofing (no knowledge of the topology)
  • Too permissive rules

Any change applied to a firewall policy might have a bad impact on the business: servers can be temporarily disconnected from the Internet or from the rest of the network, or (worse!) dangerous protocols can be allowed from the Internet. That’s why regular firewall audits must be performed, and tools exist to help auditors with this. From my point of view, three big axes must be audited:

  • Security of the firewall itself (using the “W^4” principle: Who did What, When and Why?)
  • Policy compliance (with the organization rules, the legal rules or business compliance requirements)
  • Performance

Why performance? Security rules are processed in sequential order (top-down). Unused rules must be removed and the most used ones must be moved to the top of the policy, with one caveat: a rule may only be moved above another one if the two can never match the same traffic, otherwise the reorder silently changes what the policy allows. Some available tools are commercial and others are free. Let’s have a look at Flint. It is a free (open source) tool provided by Matasano (they also developed Playbook, a tool for synchronizing firewall configurations from a web-based console). Flint will analyze your firewall policy and report detected issues:


Of the different axes described above, Flint only addresses security, but it does it quite well. It examines your firewall rules (via a file upload or a copy-paste in a text area) and highlights the discovered problems like rusty configurations and permissive rules. It’s a nice tool to perform a sanity check of your new rules before their implementation. Flint could also help you get your hands into complex configurations. At the moment, the following firewall models are supported (in version 1.0.4):

  • Most Cisco devices, including the PIX/ASA
  • Open source firewalls, including BSD’s excellent PF and Linux iptables (“soon”)

As Matasano supports Netscreen/Juniper in Playbook, I hope that support for those firewalls will be added soon. I downloaded and played with the VMware version and it seems that PF firewalls are already supported. For sure, the tool lacks documentation at the moment. Keep an eye on the product; once more firewalls are supported, it could be a nice audit tool! But whether you use free or commercial tools, keep an eye on your firewalls!
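
What such a policy check looks like on the inside, as an added example: this is not Flint’s code and it is not tied to any vendor syntax. It reads a small constructed policy in a made-up one-rule-per-line format (the format, the rules and the hit counters are all invented for the example) and applies the mistakes listed above: a prefix with host bits set (a subnet mask error), over-permissive rules, rules shadowed by an earlier one so they never match (which is also how a rule that silently became “Any” swallows everything after it, including the final deny), unused rules, and a reorder suggestion that only moves a busy rule above rules it cannot overlap with.

```python
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    line: int
    action: str                  # permit / deny
    proto: str                   # tcp / udp / any
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: str                    # destination port or "any"
    hits: int                    # hit counter read from the firewall


def _net(token, findings, line, role):
    """Parse a prefix; host bits set in the prefix is the classic mask error."""
    if token == "any":
        return ANY_NET
    try:
        return ipaddress.ip_network(token)           # strict: host bits must be 0
    except ValueError:
        net = ipaddress.ip_network(token, strict=False)
        findings.append(f"line {line}: {role} {token} has host bits set, "
                        f"mask error? (parsed as {net})")
        return net


def parse_policy(text):
    """Hypothetical format, one rule per line:
    <action> <proto> <src> -> <dst> port <port> hits=<n>"""
    rules, findings = [], []
    for line, raw in enumerate(text.strip().splitlines(), 1):
        action, proto, src, _arrow, dst, _kw, port, hits = raw.split()
        rules.append(Rule(line, action, proto,
                          _net(src, findings, line, "source"),
                          _net(dst, findings, line, "destination"),
                          port, int(hits.split("=", 1)[1])))
    return rules, findings


def covers(a, b):
    """Every packet matched by b is also matched by a: b is dead after a."""
    return ((a.proto == "any" or a.proto == b.proto)
            and a.src.supernet_of(b.src) and a.dst.supernet_of(b.dst)
            and (a.port == "any" or a.port == b.port))


def overlaps(a, b):
    """Some packet could match both rules, so their relative order matters."""
    return ((a.proto == "any" or b.proto == "any" or a.proto == b.proto)
            and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and (a.port == "any" or b.port == "any" or a.port == b.port))


def audit(rules):
    findings = []
    for i, r in enumerate(rules):
        if r.action == "permit" and r.src == ANY_NET and (r.dst == ANY_NET or r.port == "any"):
            findings.append(f"line {r.line}: too permissive "
                            f"({r.proto} {r.src} -> {r.dst} port {r.port})")
        shadow = next((p for p in rules[:i] if covers(p, r)), None)
        if shadow is not None:
            findings.append(f"line {r.line}: shadowed by line {shadow.line}, never matches")
        elif r.hits == 0:
            findings.append(f"line {r.line}: unused (0 hits), candidate for removal")
    return findings


def suggest_reorder(rules):
    """A busy rule may only climb above rules it cannot overlap with; that keeps
    the top-down meaning of the policy unchanged."""
    suggestions = []
    for i, r in enumerate(rules):
        j = i
        while j > 0 and not overlaps(rules[j - 1], r):
            j -= 1
        skipped = rules[j:i]
        if skipped and r.hits > max(s.hits for s in skipped):
            suggestions.append(f"line {r.line}: {r.hits} hits, can safely move above line {rules[j].line}")
    return suggestions


# Constructed policy for the example; the mistakes are deliberate.
POLICY = """\
permit tcp 10.0.0.0/8 -> 192.168.1.10/32 port 22 hits=120
permit tcp any -> 192.168.1.20/32 port 443 hits=98000
permit udp 172.16.5.0/16 -> 192.168.1.30/32 port 53 hits=10
permit tcp 10.2.0.0/16 -> 192.168.1.40/32 port 3389 hits=0
permit any any -> any port any hits=3400
permit tcp 10.1.0.0/16 -> 192.168.1.10/32 port 22 hits=0
deny any any -> any port any hits=0
"""

if __name__ == "__main__":
    rules, findings = parse_policy(POLICY)
    for f in findings + audit(rules) + suggest_reorder(rules):
        print(f)
```

On this policy the check reports the mask error on line 3, the any/any permit on line 5, line 4 as unused, lines 6 and 7 as dead (line 6 is swallowed by line 1, the final deny by the any/any permit), and suggests moving the busy HTTPS rule above line 1 because the two can never match the same packet. Real firewall rule languages carry more fields (interfaces, zones, services with ranges, negations), so on a real device the same logic needs a real parser.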

InfoSecurity, (ISC)2, ISACA, My Security Marathon

This week is a real security marathon. I was in London yesterday but came back to Belgium too late to attend the ISSA Belgian Chapter meeting. The invited speaker was a great one: Chris Hoff. According to friends, it was great! Today was also the first day of the InfoSecurity.be event. This is the main security-oriented event (from a commercial point of view) in Belgium. Too commercial in my opinion but, the security landscape being small in Belgium, it’s THE place to meet everybody, to have great discussions and to have some drinks.

The 2010 edition saw a cool initiative from (ISC)2: they organized a Professional Development Cafe where CISSPs could meet other CISSPs but also people interested in the certification process or a career in the security field. The organizer announced a huge number of registrations but a lower number of people attended. Fewer people but quite interesting points of view. It’s always nice to hear feedback from “colleagues”. Several topics were covered: audit, risk assessment, BCP, pentesting, legal, etc.

In the evening, I attended another event organized by the ISACA Belgian Chapter; they also invited a great speaker: Dr Eugene Schultz. He’s a security expert, wrote several books and papers, and held several critical positions. This is the typical guy who is able to hold the floor for an unlimited amount of time once a discussion is started. The event was original: no slides, no media support, just an open discussion with him, a big “questions & answers” session. Eugene covered several topics like the role of the CISO inside organizations, mobile security, the coming threats, cloud security and so many more. It was a great talk.

Now back home, I still need to process my backlog of RSS feeds, e-mails and tweets, sleep a few hours and then go for the second day at InfoSecurity. I’ll try to attend some conferences and make a tour of the exhibitors. The first day looked promising: a lot of visitors and interesting questions. It looks like the crisis did not affect the security area too much and companies still have big projects to launch.