This blog reflects my thoughts on some topics in the field of security management and infrastructure security.

Tuesday, July 03, 2007

Changed jobs

As of January 1st, 2007 I have accepted a new job. To prevent conflicts with my new job, I will be posting a lot less on this blog. Maybe I will pick it up again later.

Take care,

Aart


Friday, March 02, 2007

IBpedia: the Dutch work together on knowledge about Information Security

A group of enthusiastic security professionals has started a platform to document knowledge and visions on topics in the field of information security. It is modeled after the popular Wikipedia and thus named "IBpedia": information security is "informatiebeveiliging" in Dutch, hence the IB. Its goal is to improve the sharing of knowledge and to stimulate discussion on subjects such as security management, risk management, etc.

Friday, November 17, 2006

Phishing as a regular job

Symantec has found that the number of new phishing sites drops by a considerable 30% during weekends. According to Symantec, this indicates that phishers treat phishing as their regular job. Cyber crime has moved from the domain of the lone student to that of professional criminals, who make serious money with it and keep improving efficiency and stealth. Symantec's statistics show that it has also become a daytime job.

I wonder if they move to office locations, have company parties and social charters.

Friday, May 12, 2006

The lifecycle of a CERT / CSIRT

The Dutch GvIB (Society of Information Security Practitioners) has released a new expert brief about internal Computer Emergency Response Teams (CERT) or Computer Security Incident Response Teams (CSIRT). Experts from various Dutch organizations have joined efforts to share knowledge and make it available to the public. Organizations may use this insightful article to better set up and run an internal CERT.

Questions addressed are:

  • What is needed to set up a CERT within an organization in an effective and efficient way?

  • What is the life cycle of an internal CERT?

  • Eventually, will an internal CERT become superfluous?

Especially the last question throws new light on the role of a CERT in an organization. Will a CERT, depending on the way it is set up, help to prepare an IT support department for incidents and make it more responsive? How must a CERT operate to make this happen, and will it? Or will it always be the conservative IT department, aiming for repeatable processes, versus the cowboys? Read the paper and let me know what you think.

-- Aart

Update: the paper has recently been translated into English and published.

Wednesday, February 01, 2006

Did Ubuntu solve the administration problem?

Ubuntu, the Debian-based Linux distribution targeted at education and easy access, has its own way of protecting against the unwanted effects of using the root account: it disables it. For me it was the first experience with a UNIX/Linux OS without a root account. Did Ubuntu really solve the problem of handing root privileges to users for administration tasks?

It starts with a slightly unusual omission during installation of the desktop version of Ubuntu. I decided to give it a try after I had seen the live disk version of the distribution. This version booted from CD-ROM and gave a promising first experience of the desktop. I wanted to know if it was really as easy to use as advertised.

Ubuntu aims to lower the threshold for using Linux and bring it to everyone with a limited budget and limited knowledge. The distribution is free and will stay free. There are not even shipping costs for the original CDs, and you can order a few to hand out. It also strives to provide as many applications and tools as possible in your native language.

I burned the install image to disk and booted the system. I used an existing ReiserFS partition for the Ubuntu root and everything went smoothly. The install script asked me for a user ID and password to create the first user account. After installing from CD-ROM, it continued downloading and installing packages over the internet. Finally a logon screen appeared.

Ubuntu Desktop

In search of the root of all answers

I logged on with my newly created credentials and started to explore the clean and friendly-looking desktop. It was not long before a notification called my attention and told me that several updates were available, only one click away. One click and an authentication window, that is. Well, I was used to these small authentication boxes from Red Hat, SUSE and Debian, which popped up to ask for the root password whenever you needed root privileges. But what was the root password? I never supplied one during the installation phase. What to do? Just tapping enter did not work and, before trying further and locking up accounts, I googled for "Ubuntu root password".

Right. Like any new Ubuntu user who switched from another Linux, I did not read the instruction in the authentication box. It said clearly to supply your own password and never asked for the root password. A little investigation showed that the root account is disabled and logging on as root is not possible with Ubuntu out of the box. So what is happening?
  • The root account is disabled

  • At install time, the first user is put in a group of users who may invoke extra privileges to perform operations which require root permission (sudoers)

  • This user gets normal user privileges at logon

  • Whenever a task is performed which requires root privileges, he is prompted for his own password or, at a shell prompt, he needs to use sudo (Switch User Do, a way to execute a command as a different user) to execute the command with root privileges.

What are the advantages?
  • Actions are performed under personalized accounts, which enables auditing of transactions

  • No extra accounts are needed, like most Windows admins use: a user named e.g. bob and a user named admin-bob

  • It is very clear which users are in the sudo list and have the right to run commands at root level

What are the disadvantages?
  • When you accidentally remove your own privileges, you have a problem, since you cannot log on as root to solve it. You have to do a bit more work (not too much, though)

  • You need to type sudo a lot, and soon find yourself typing
    sudo -s -H
    in a shell, which gives you root privileges until you type
    sudo -k
    and brings all the risks of logging on as root

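To actually use the auditing advantage of personalized accounts, and to spot the `sudo -s -H` habit from the disadvantages, here is an added example (not from the original post or from Ubuntu itself) that summarises sudo entries in auth.log-style lines; the log lines are constructed samples in sudo's default syslog format, not captured from a real host.

```shell
# Added example, not part of the original post or of Ubuntu itself.
# Constructed sample entries in sudo's default syslog format (as they end
# up in /var/log/auth.log); they are not captured from a real host.
SUDO_LOG='Feb  1 10:01:02 box sudo:     aart : TTY=pts/0 ; PWD=/home/aart ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
Feb  1 10:05:17 box sudo:     aart : TTY=pts/0 ; PWD=/home/aart ; USER=root ; COMMAND=/bin/bash
Feb  1 10:30:44 box sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/adduser carol
Feb  1 10:31:09 box sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/passwd root'

# Number of successful sudo invocations per personal account (reads stdin).
# This is the audit trail you get because nobody logs on as root directly.
sudo_count_by_user() {
    awk '/ sudo: / && !/NOT in sudoers/ {
             sub(/.* sudo: +/, "")      # drop timestamp, host and "sudo:"
             split($0, f, " : ")        # f[1] is the invoking user
             n[f[1]]++
         }
         END { for (u in n) print u, n[u] }' | sort
}

# Entries where sudo started an interactive root shell (the "sudo -s -H"
# habit), which carries the same risks as logging on as root (reads stdin).
sudo_root_shells() {
    awk '/ sudo: / && /USER=root ; COMMAND=\/bin\/(sh|bash|dash|zsh)$/'
}

# Entries for accounts that tried sudo but are not in the sudoers list.
sudo_denied() {
    awk '/ sudo: / && /NOT in sudoers/'
}

# Counting wrappers over the sample, so the results can be checked.
count_root_shells() { printf '%s\n' "$SUDO_LOG" | sudo_root_shells | awk 'END { print NR }'; }
count_denied()      { printf '%s\n' "$SUDO_LOG" | sudo_denied      | awk 'END { print NR }'; }
top_sudo_user()     { printf '%s\n' "$SUDO_LOG" | sudo_count_by_user | sort -k2,2nr | head -n 1; }

# Short report when run directly.
printf '%s\n' "$SUDO_LOG" | sudo_count_by_user
echo "root shells: $(count_root_shells), denied attempts: $(count_denied)"
```

On a real host, replace the sample with `grep ' sudo: ' /var/log/auth.log`; the denied attempts are the ones worth following up first.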

I think it works quite nicely on a desktop and the advantages are clear. What do you think? Leave a comment below.

I could elaborate a bit more on Ubuntu, what's in it, what's good, what's bad, but I think it is better to try it yourself. Download the live disk or request one at Ubuntu and have some fun. At least you save yourself looking for the root password :-)

Friday, December 09, 2005

Security Metrics

I have done a quick survey of best practices for measuring the performance of security management. Since it is quite an interesting topic for many professionals in the field of security management, I have made a wrap-up of what I found out.

General Introduction
Security metrics or key performance indicators try to answer business-related questions like:

  • How much better is my security relative to last year?
  • What are the differences between the security domains?
  • Are my security euros well spent? Which measures were effective?
  • How do I perform relative to peers?

These questions are hardly addressed by security experts, but answers are needed to justify investments and build support for new ones.

Today's approaches to security metrics are still abstract. The need to measure and quantify the level of security and spending is well recognized, but most of the time a security expert is needed to translate an approach into practice. Implementing metrics without a clear control model is good for statistics, but does not add value to the business.

When the level of security is not defined in absolute figures, a first measurement is needed as a baseline; trends are then relative to this first measurement. When absolute figures are wanted, a quantitative risk analysis will be needed to find out whether loss expectancies are reduced when controls are implemented.

Auditing
Measuring security can be done by audits against an accepted framework: COSO, CobiT, ISO/IEC 17799-2. This gives an indication of how the implementation of measures improves the level of security in an organization and the amount of control over security processes. In fact this is what certification bodies do at organizations which certify against ISO 17799:2. An organization is benchmarked against the ISO norm.

An alternative is the Gartner TCO approach, which provides benchmarks for peer organizations for the complete IT-organization, including security.

A practical approach is the execution of penetration tests and security checks with automated tools. Doing this on a regular basis (with updated tools) provides insight into weak spots and the speed of fixing them. Capgemini provides these services as Vulnerability Assessment or SecuCheck service offerings, but others do, too.

Indicators
There is not one list of handy indicators for security yet. However, there are approaches to get there:

  • Top-down: NIST has published a top-down approach to define and implement KPIs. In this approach, KPIs are targeted at security goals and are viewed in the context of business processes.

  • Bottom-up: start with the indicators which are already available. Get used to reporting and judging the indicators and improve in several iterations. See Geer/Soo Hoo/Jaquith.

I received some suggestions for indicators: the number of incidents (but what is an incident?), requests for authorizations, requests for password resets, number of infected platforms, etc. Most security management tools report their statistics periodically: Symantec Enterprise Security Manager, McAfee ePO Console, Safestone DetectIt, etc. Apart from these, obvious indicators are the financial figures: what is spent on security services, licenses, checks and audits, etc. In the US about 0.5% of the turnover of an organization is spent on security, which is considered low.

Another approach is to measure the perception of security: questionnaires and interviews give an indication of the awareness of security incidents and risks, and of the way these change.

Regular testing
Of course trends can only be found if the indicators are measured and reported regularly. Co-operate with the internal auditing department where possible, and try to get security indicators into the monthly service level report.

Wednesday, November 02, 2005

Today, I remember Theo

One year ago, on November 2nd 2004, Theo van Gogh was murdered in the Linnaeusstraat in Amsterdam. Theo, publicist and film maker, tried to stir and prickle people, emotionally and intellectually, by the beauty of his work and the sting of his opinion. Don't fear the consequences when you kiss a cactus. Being afraid or spreading fear is a bad basis for growth, either as an individual or as a society. Today, I remember Theo.

Tuesday, November 01, 2005

Want to block Skype file transfers?

Since one of my colleagues published a report about security considerations of Skype in a corporate environment and acknowledged my input for the report, I receive questions from around the world on this topic. People are attracted to the tool for use as a convenient and cheap communication channel over the internet, but are worried about the consequences of corporate use.

One of the questions I received lately is about blocking the file transfer function in Skype. It is possible to send and receive files using the communication channel set up by Skype. For corporate security officers this is a worry, since the transfers are encrypted end-to-end and no central gateway can scan the files for viruses or confidential information.

Blocking Skype file transfers is a tough job. It is not as easy as closing a specific port on your firewall, since Skype can use the same channel for file transfer as for the voice channel. So if you allow the use of Skype for VoIP, you implicitly create a channel for file transfer and propagation of malware. When no direct connection between peers can be made, the bandwidth used for file transfer is very small (about 4 kbit/s), but malware often does not need more than that. Together with the poor user authentication (is the user on the other side really the one you expect he or she is?), it is very easy to trick a user into accepting a file and running it.

This leaves you only one option to block file transfers with Skype: block Skype. There are several ways to block Skype:
  • Use a managed personal firewall with a policy to block Skype's access to the network, e.g. Symantec's Client Security

  • Block traffic to IP addresses 80.160.91.5 and 80.160.91.13, to block Skype authentication (I haven't tried this)

  • Block the use of https (port 443). This is very drastic.

  • Use a gateway security scanner which filters traffic that is not proper HTML, like Bluecoat

  • Prevent installing Skype in the first place: lock down the workstation, so that users are not able to install software.

It depends on your situation which option suits you best. Of course all workstations should run up-to-date antivirus tools. If you do want to use Skype, this is your single layer of protection against malware using the Skype file transfer function. And train your users!

Wednesday, September 28, 2005

Threat Report: more focussed attacks

Symantec has released its Internet Security Threat Report for the first six months of 2005.
SANS summarizes:

The study found that 74 percent of the top 50 malicious code samples submitted to Symantec were of the sort that exposed confidential data. The report also noted a trend of attackers moving away from attacks on network perimeters and toward targeted attacks. Also noted was an increase in modular malicious code, which downloads additional functionality after initial infection. DoS attacks grew from 119/day to 927/day over the six-month period studied; this marks a 640 percent increase over the same period last year. The average time between disclosure of a vulnerability and the appearance of an exploit decreased from 6.4 days to 6 days, while the average length of time vendors took to release a patch for a vulnerability was 54 days.

The trend of attacks moving away from the lone nerd wanting attention towards criminal activities aimed at earning money is underlined by this report. Other reports [2] [3] also show a more professional approach to attacks. For white hat security professionals, projects like Honeynet are crucial to keep a realistic view of threats.

Monday, September 19, 2005

Changes in ISO/IEC 17799

Standards and norms for information security are on the move. On June 23rd, ISO/IEC 17799:2002 was replaced by ISO/IEC 17799:2005.

This code of practice for security management has had some visible changes, which impact professional security consultancy. The changes are a further development along the line started by the previous standard, but include some relevant differences. I have listed the most important changes below.

The number of information security areas has grown to 11: information security incident management now has a chapter of its own. The area information systems development and maintenance is now called information systems acquisition, development and maintenance. The complete list of information security areas is now:

  • security policy;

  • organization of information security;

  • asset management;

  • human resources security;

  • physical and environmental security;

  • communications and operations management;

  • access control;

  • information systems acquisition, development and maintenance;

  • information security incident management;

  • business continuity management;

  • compliance.

The numbering of the security controls does not match the numbering used in the BS 7799-2:2002 standard, which is used for certification. Not earlier than November this year the new ISO 27001 (BS 7799-2:2005) will replace the current norm document. The numbering will then be synchronized again.

Seventeen new controls have been added, including vulnerability and patch management, provision of outsourcing and external service delivery. Other controls have been merged or removed completely. The number of controls is now 134. The use of risk assessment as a basis for deciding on security controls and measures is now a requirement. In the new standard this topic has been moved from the introduction to a separate chapter.

ISO is on its way to aligning the set of standards for information security, earlier adopted from British Standard 7799, with the existing standards on quality assurance, like the ISO 9000 set of standards. Information security will be covered by standards numbered in the ISO 27000 range. The first one in this range will be the update of the requirements standard (now BS 7799-2), which will be called ISO/IEC 27001 (BS 7799-2:2005). Later, in 2007, the recently released code of practice ISO/IEC 17799 will be renamed to ISO/IEC 27002. A completely new standard, covering the area of security metrics and measurements, will be called ISO/IEC 27004. A release date has not been defined yet.

There are no localized versions of the new standard yet, e.g. the Dutch NEN 17799 or the adaptation to Dutch legislation (ADV7799:2004 nl).

Consequences
If the new BS 7799-2 is released in November, this will be the only basis for certification or recertification. There may be some transition time, but this is decided by the local certification body and has not been published yet. Meanwhile, if you need to certify before the release in November, you need to use the current BS 7799-2, but now with the new controls published in ISO 17799:2005. This is because the old ISO 17799:2000 has been withdrawn.

Evaluations of security management practice at client sites need to be done on the basis of the new code of practice. This means that the tools used for these evaluations need to be adapted. Newly formulated security policies, which the client requires to be in line with the code, also need to be adapted to the new situation.

The impact of the new code is not too big, as patch management and incident response already received attention in practice. But as certification processes are very precise, it is good to get a good notion of the new standard when you coach a client towards certification.

Friday, August 05, 2005

trifinite.blog: Introducing the Car Whisperer at What The Hack

What The Hack, the hacking conference organized on a campsite in Liempde, The Netherlands, is over and, according to participants, was a success. Many lectures and workshops have been given. An interesting presentation is the one about the Car Whisperer: trifinite.blog: Introducing the Car Whisperer at What The Hack:
"After introducing the various Bluetooth security flaws (old and new ones) that were identified mainly by the trifinite.group also a new tool has been released. This new tool is called The Car Whisperer and allows people equipped with a Linux Laptop and a directional antenna to inject audio to, and record audio from bypassing cars that have an unconnected Bluetooth handsfree unit running. Since many manufacturers use a standard passkey which often is the only authentication that is needed to connect."

This is definitely nice playing in a traffic jam. In an office environment, the number of Bluetooth headsets within reach is still very low and only geeks run around with this lump on their ears. But the number of Bluetooth car kits is quite high and growing. Remember: always change the PIN code of a new gadget!!

Wednesday, May 25, 2005

Phishing uncovered

The Honeynet Project has released several papers in which they uncover the techniques and working methods of hackers and spammers. The latest one is about phishing. The papers are based on observations and data collected with so-called honeynets: servers that simulate more or less vulnerable networks or services. They attract malware and hackers that exploit vulnerabilities of a service, and record the activities during an exploit of the honeynet. The collected data and the subsequent research provide insight into techniques, developments and tactics.

The paper on phishing shows how servers are hacked to provide a base for the phishing mails and web sites and the way personal information is harvested.

Saturday, March 19, 2005

Taking off

Why a weblog? And why on security? Personally I think internet publishing is a weird kind of thing. You start with a blank page and think 'what do I have to say?'. Until you realize that in social life this is a killer question for conversation or interaction. I have published my progress on hobby robots since 1999, just because I got inspired by other amateur pages and I did it just a little differently. The page is more or less retired, but I still receive questions now and then about how I did this and that.

A couple of years ago I needed to focus on information security management and infrastructure security. Since then I have done some things. Most of which was inspired by others, some things I did in my own way. Publishing opinions on a static web page is not very interactive. That's why I started this blog on security. Let's see what happens. And mind you, these are my personal views.

Aart