April 2007
April 27, 2007
Software, Social Engineering, and Security
You have to hand it to Jim Stickley... Actually, if you don't hand it to him, Jim will probably end up taking it anyway. Jim, you see, just pulled off his 1000th successful heist, which perhaps makes him one of the most successful bank robbers of all time.
But Jim isn't after just the cash. What he wants is personal information -- names, addresses, Social Security numbers, credit card numbers, passwords and the like. In the long run, this kind of stuff is worth far more than a pocketful of cash. Jim is CTO and co-founder of TraceSecurity, a security compliance software firm, and he doesn't refer to himself as a "criminal" or "crook" (or even a programmer, for that matter). No, Jim is a "social engineer" whom financial institutions hire to perform vulnerability audits.
Social engineering has been around the computer security industry for years. Social engineers use guile and subterfuge to prey upon weaknesses in human nature. They recognize that most people share similar desires, such as the desire to be loved, appreciated or recognized, and similar fears, such as the fear of getting into trouble or of looking stupid. Social engineers play on these to gain the trust of their victims, then trick the victims into unknowingly becoming co-conspirators in the social engineer's plan, which usually involves stealing something.
"Most banks are surprisingly vulnerable to identity theft," says Stickley. "They spend millions of dollars a year on high tech computer security defenses, but often fail to address the simplest, most critical aspect of information security: the human element. A bank can have the most high tech security, but if they invite me in and allow me to wander their office, I can steal much more than their money."
Stickley and his crew start by impersonating someone of trust or authority, such as an air conditioning technician, pest exterminator, or fire inspector, often by mailing a letter on forged stationery to a bank branch to inform it of a planned "inspection." By the time they show up in their fake uniforms with fake badges and fake identification cards, the front receptionist often welcomes them with coffee. Within minutes they have free rein of the bank as they crawl under desks, steal backup tapes, and install spyware on the computers. In the evening they return to dumpster dive, an activity that often yields a surprising amount of sensitive customer account information. (And oh yes, they do give it all back to the bank.)
"The secret to an effective information security strategy," says Stickley, "is to balance security technology investments with comprehensive employee training, and better policy and procedure enforcement."
Stickley recommends that if banks adhere to the following simple best practices, they can reduce identity theft risk by up to 80 percent:
- Shred bins should be conveniently located near all bank employees
- Computers should never be left logged in and unattended, under any circumstances
- Sensitive data, including computer backup tapes, should be encrypted
- To counter phishing, emails that purport to come from upper management should be verified for authenticity before being acted on
- All bank employees must be trained on proper policies and procedures, and must never leave visitors unattended in areas that are not open to the general public
The company's TraceSecurity Compliance Manager software automates vulnerability testing and policy management, and is backed by a range of services, including its social engineering audits.
Posted by Jon Erickson at 04:48 PM
April 23, 2007
Altiris Extends Dev Programs
Altiris, a service-oriented management company recently acquired by Symantec, has announced the expansion of its developer program with the addition of the Altiris Developer Portal and a third-party price list. The Developer Program also now offers software and hardware compatibility testing and certification for Altiris developer partners through AppLabs.
A subscription to the Altiris Developer Program provides SDKs, support services, and developer communities to help extend the Altiris platform. Additionally, the developer program now offers the Altiris Developer Portal as a central resource for the latest SDK and documentation updates, a developer-oriented discussion forum, a library of frequently asked questions, and supplemental sample code.
Technologies created and certified by developer program partners include: CARD Asset Disposal Plug-in for end-of-life asset disposal and tracking for regulatory compliance and cost recovery; Hardware Independent Imaging Solution (HIIS) by Altrinsic Solutions, which provides process automation to support and maintain hardware independent image deployment; and Scense 4.0, which supplements Altiris Software Virtualization Solution with user-based application provisioning and full terminal server and Citrix support.
Altiris selected AppLabs quality assurance services to verify, test and certify developer program hardware and software solutions integrated with the Altiris platform.
Posted by Jon Erickson at 09:35 AM
April 13, 2007
Paying by Mobile Phones
Gemalto has started providing BASE, a Belgian mobile operator, with the capability to perform secure payments via SMS. The service lets users pay with their mobile phones, and merchants are paid immediately.
The payee enters a payment request into their mobile phone. The payer receives this request, specifying the amount and the name of the payee, on their handset screen and accepts the transaction by entering the code they selected at service activation. Both the customer and the merchant then receive an SMS confirming the transaction.
Banxafe is the security technique developed by Banksys to guarantee the reliability of bank card payments over the Internet; there are currently 1 million Banxafe-enabled cards in the market. M-banxafe, short for "Banxafe Mobile," is the Banxafe implementation for mobile devices. It links the SIM card to the subscriber's bank card and account. Security rests on a public-key authentication applet on the SIM card: the bank PIN unlocks the applet, which generates a digital signature that is verified against a PKI certificate. Only then is a link authorized to the virtual wallet containing duplicates of the user's cards. Private card information is never stored at merchant sites.
Gemalto also claims to be the first company with a smart identity credential for U.S. federal employees and contractors that works with both existing HID physical access control systems and the new ones being planned to comply with federal requirements. According to Gemalto, the credential makes it easier for federal agencies and departments to move to the Personal Identity Verification (PIV) cards required by Homeland Security Presidential Directive 12. The new credentials also include Gemalto technology for digital security applications such as desktop logon, network access, and electronic document signing.
Gemalto's approach combines on a single credential Gemalto's dual contact/contactless PIV card technology with proximity technology licensed from HID Global Corporation. The new identification card meets the applicable standards for PIV cards as defined by Federal Information Processing Standard 201 (FIPS 201) and is listed on the U.S. General Services Administration (GSA) Approved Product List (APL), which governs which FIPS 201 products and services government agencies may purchase.
Posted by Jon Erickson at 10:34 AM
April 05, 2007
Spamta Virus Warning Issued
PandaLabs has issued warnings about the rapid propagation of two new members of the Spamta family:
- The Spamta.VK worm downloads several malicious files once it is run and connects to several servers to send itself out by e-mail.
- The Spamtaload.DT Trojan has an icon similar to that of a text file. When run, it shows an error message and creates a Windows Registry key so that it runs every time the system starts up.
The two spread together and in some hours have accounted for up to 80 percent of the malware detections reported to PandaLabs. The Spamta family has been extremely active over the last few months.
When Spamta.VK infects a computer, it connects to several servers to send out massive amounts of emails. These emails include a copy of Spamtaload.DT, generally hidden in an executable file. Spamtaload.DT, in turn, downloads a copy of Spamta.VK to each computer it infects, starting the infection cycle all over again.
"This is a clear example of a combined attack. The worm's propagation features are used to distribute the Trojan, which, in turn, ensures proliferation by infecting each computer with a new copy of the worm. This technique explains the large number of infections reported to PandaLabs," says Luis Corrons, Technical Director of PandaLabs. "The attacks of Spamta codes usually involve the appearance of several variants in a short period of time. This aims at having security companies and users concentrate on one or a few variants, whereas the rest go completely unnoticed and continue to infect. Users should be on their guard against the possibility of new malicious codes appearing. It is also advisable to have proactive technologies, like TruPrevent, which detect known and unknown malicious codes."
Posted by Jon Erickson at 12:51 PM
April 03, 2007
JavaScript Hijacking Vulnerability Identified
Fortify Software has announced that its Security Research Group has documented a vulnerability specific to Web 2.0 and AJAX-style software. Termed "JavaScript Hijacking," it lets an attacker's web page steal sensitive data by borrowing the browser session of an unsuspecting, logged-in user.
JavaScript Hijacking appears to be a widespread problem. Fortify examined 12 AJAX frameworks, including those from Google, Microsoft, Yahoo!, and the open source community, and claims that among them only Getahead's Direct Web Remoting (DWR) 2.0 implements mechanisms for preventing JavaScript Hijacking. The rest provide no explicit protection and do not mention the issue in their documentation, says Fortify. Even an application that uses none of these frameworks may be vulnerable if it contains AJAX components that use JavaScript (for example JSON) as the transfer format for sensitive data.
"With recent surveys from McKinsey indicating that almost 75 percent of enterprises plan on increasing their investment in Web 2.0 technologies, it is clear that we need to address the issue now," said Brian Chess, Fortify Software’s co-founder and Chief Scientist. "Unlike vulnerabilities that are tied to a specific application or operating system, there is no single vendor to which this issue can be reported and resolved. In fact, many rich Web applications don't use any framework at all. As a result, we need to educate software developers about the risk that Web 2.0 brings."
The vulnerability opens businesses up to attacks that give outsiders access to proprietary information. JavaScript Hijacking works because the browser attaches the victim's cookies to every request for the application's URLs, including a request made by a script tag on a hostile page; if the application answers such a request with sensitive data in a form that is itself valid JavaScript, the hostile page can load that URL as a script and capture the data, effectively posing as the logged-in user. Once attackers have emulated the victim in this way, they can read the data the application sends to the browser over its JavaScript transport, and from there buy and sell goods, trade stocks, adjust security settings for an enterprise network, or access and manipulate customer, inventory and financial information.
Any framework or application that transmits sensitive data in a JavaScript-executable format may be at risk from JavaScript Hijacking, and the developers responsible should take immediate measures to prevent it, says Fortify. The company advocates a two-pronged approach: have the application decline requests that could not have originated from its own pages, and keep attackers from directly executing the JavaScript the application generates.
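The following is an added example, not Fortify's code or any framework's, that shows both prongs against a single constructed endpoint. A JSON array is also a valid JavaScript program, so a hostile page can pull an authenticated endpoint in with a script tag and the browser sends the victim's session cookie along with it. The hardened handler refuses requests that a script tag could have made (a script include is always a GET, carries no custom headers, and cannot read a token embedded in the application's own page) and wraps its response in a block comment so that it yields nothing when run as a script. The endpoint, session store, header names and account data are all constructed for the example.

```javascript
// Added example, not Fortify's code or any framework's. All names, headers,
// session data and account data below are constructed for illustration.

// Constructed sample data: what the endpoint returns for the logged-in user.
// The "*/" inside the note is deliberate; see wrapForTransport.
const ACCOUNTS = [
  { acct: '12-3456', balance: 1840.25, note: 'savings */ still part of the string' },
  { acct: '98-7654', balance: 22 },
];

// Constructed session store: session cookie -> per-session request token that
// only pages served from the application's own origin can read and send back.
const SESSION_TOKENS = { 'sess-abc': 'tok-9f1c2e' };

// Vulnerable handler: anyone presenting a valid session cookie gets the bare
// array, and a cross-site <script src=...> include presents exactly that.
function vulnerableHandler(req) {
  if (!(req.cookies.session in SESSION_TOKENS)) return { status: 401, body: '' };
  return { status: 200, body: JSON.stringify(ACCOUNTS) };
}

// Prong 2: make the response non-executable by wrapping it in a block comment.
// Run as a script it yields nothing; the application's own client strips the
// wrapper before JSON.parse. A "*/" inside a JSON string would end the comment
// early, so it is escaped as "*\/" (JSON permits the "\/" escape).
function wrapForTransport(json) {
  return '/*' + json.replace(/\*\//g, '*\\/') + '*/';
}

function parseProtected(body) {
  if (!body.startsWith('/*') || !body.endsWith('*/')) throw new Error('unexpected body');
  return JSON.parse(body.slice(2, -2));
}

// Hardened handler.
function hardenedHandler(req) {
  const token = SESSION_TOKENS[req.cookies.session];
  if (!token) return { status: 401, body: '' };
  // Prong 1: decline requests a <script> tag could have made. Such a request is
  // always a GET with no custom headers and no access to the page's token, so
  // require POST, the XMLHttpRequest marker header and the session-bound token.
  if (req.method !== 'POST' ||
      req.headers['x-requested-with'] !== 'XMLHttpRequest' ||
      req.headers['x-request-token'] !== token) {
    return { status: 403, body: '' };
  }
  return { status: 200, body: wrapForTransport(JSON.stringify(ACCOUNTS)) };
}

// What an attacker who can only run the body as a script gets out of it: the
// value the body yields as a JavaScript expression, or undefined. (The original
// attack hooked Array/Object construction in the browser to capture that value;
// evaluating the body directly shows the same thing.)
function executedAsScript(body) {
  try {
    return new Function('return ' + body)();
  } catch (e) {
    return undefined;
  }
}

// The request a cross-site <script src=...> tag produces: GET, the victim's
// cookies, no custom headers.
function scriptTagRequest(cookies) {
  return { method: 'GET', headers: {}, cookies };
}

// The request the application's own XMLHttpRequest code produces.
function legitimateRequest(cookies) {
  return {
    method: 'POST',
    headers: { 'x-requested-with': 'XMLHttpRequest', 'x-request-token': SESSION_TOKENS[cookies.session] },
    cookies,
  };
}

function demo() {
  const victim = { session: 'sess-abc' };
  return {
    leaked: executedAsScript(vulnerableHandler(scriptTagRequest(victim)).body),
    blockedStatus: hardenedHandler(scriptTagRequest(victim)).status,
    wrappedYields: executedAsScript(wrapForTransport(JSON.stringify(ACCOUNTS))),
    legit: parseProtected(hardenedHandler(legitimateRequest(victim)).body),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(JSON.stringify(demo(), null, 2));
```

Either prong alone closes the hole; applying both means a missed header check on one endpoint still leaves nothing for a script include to execute, and a client that forgets to strip the wrapper fails loudly rather than silently exposing data.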
Posted by Jon Erickson at 04:05 AM