System Advancements at the Monastery
http://blog.securitymonks.com
Information about developments at the Monastery
Feed generated Fri, 18 Jul 2008 16:37:45 +0000 (WordPress 2.6)

Intense Simplicities
http://blog.securitymonks.com/2008/07/04/intense-simplicities/
Fri, 04 Jul 2008 23:39:06 +0000, posted by abbot

Revolution
On this 4th of July, I find myself wondering if a revolution is about to occur in the information security arena. Is the policy-based compliance model going to be overthrown by the risk-based protection model? What are the ramifications? Are most CIOs aware of, or even ready for, such a change?

Technological Upheaval
Groundbreaking innovations often cause some form of upheaval. Most folks are familiar with the story of Robin Hood and his band of merry men. Another group living in the Sherwood Forest area, though later, around 1811, were the Luddites. These men from the past have a great deal to teach us about the ramifications of revolutionary technological change. The Luddites were highly skilled and quite well paid croppers (men who finished cloth). Their job was to shear the raised nap off the cloth with hand shears that weighed 40 lb and were 4 feet long. Their world was turned upside down by the introduction of the water-powered shearing frame. The new technology was simple enough that an unskilled worker could operate it, in under a quarter of the time.

The Luddites fought back by breaking into factories at night and destroying the new machines. In one three-week period, for example, over two hundred stocking frames were destroyed. While this may not be as exciting as Robin Hood, just as in that story the heavy hand of the government came down on the Luddites. The Frame Breaking Act made machine-breaking a capital offense. In Yorkshire in 1812, over 12,000 soldiers were brought in to keep order. Hundreds of men were rounded up; some were transported to penal colonies and others were executed, seventeen of them at one time. In the end, the Luddites could not stop technology from advancing. By the 1820s the Luddite movement had ceased to be active, and few croppers could find work in the woolen industry.

It’s All About Risk
The moral of the story is that useful technology does not exist in a vacuum. It ends up being integrated into the environment in which it operates. That integration can be peaceful, or not; either way, it will occur. Policy-based compliance relies on policies that dictate discrete, predefined information security requirements along with their associated safeguards and countermeasures. There is minimal flexibility in implementation and little emphasis on explicit acceptance of mission risk. Compare that with risk-based protection, where the enterprise’s missions and business functions drive the security requirements, safeguards, and countermeasures. It is highly flexible in implementation and focuses on acknowledgment and acceptance of mission risk.

Today, organizations are taking a serious look at their information technology (IT) groups and questioning the governance models needed to minimize risk and maximize return. Taking the definition from the Control Objectives for Information and related Technology (COBIT) executive summary, IT governance is “a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.”

Command and Control
Business managers and stakeholders, in order to trust and rely on IT, must have some sense of reliability and control. Add to this business mix the constant pressure to decrease cost, increase reliability, and comply with local and federal regulations. Communication between the different groups within an organization is essential, whether they are technical folks, auditors, finance, managers, or others. Innovation cannot exist only in the IT arena; it must translate into overall business process improvements. To help do this, companies are showing greater interest in best practices and in frameworks such as the Information Technology Infrastructure Library (ITIL), ISO/IEC 17799, and COBIT. Government organizations need to follow the DoDI 8500.2 “Information Assurance (IA) Implementation” document or NIST SP 800-53 “Recommended Security Controls for Federal Information Systems,” together with its companion assessment guide, NIST SP 800-53A.

As organizations attempt to implement these frameworks, recommendations, and requirements, questions arise about how to bring the standards together, and about how to get a company from where it currently is to where it needs to be. Government does not get a free pass. Government agencies face the daunting task of having to work together to combat security risks. That includes the federal information systems that support defense, civil, and intelligence agencies, along with the private sector information systems that support U.S. industry and business and the information systems that support critical infrastructures within the U.S. It would be helpful if we could start talking the same language, or at least develop a dictionary so we can understand each other. Winston Churchill once said, “Out of intense complexities intense simplicities emerge.” By bringing together the seemingly diverse security best practices and controls from COBIT, ITIL, DoDI 8500.2, and NIST SP 800-53A, we hope intense simplicities emerge.

Battle Plans
First, a little background. The Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) and NIST both address the requirements of the Federal Information Security Management Act (FISMA) of 2002. FISMA is a United States federal law that recognizes the importance of information security to the economic and national security interests of the United States. FISMA tasked NIST with the responsibility of “providing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems.” DIACAP, meanwhile, establishes “the standard DoD process for identifying, implementing and validating information assurance (IA) Controls for authorizing the operation of DoD information systems and for managing the IA posture across DoD information systems consistent with Title III of the E-Government Act, FISMA, DoDD 8500.1 and DoDI 8500.2.” A major part of the DIACAP process is testing to verify that compliance with the regulations occurs. The testing is based on the security controls set out in DoDI 8500.2. NIST SP 800-53A likewise “provides guidelines for assessing the effectiveness of security controls employed in information systems supporting the executive agencies of the federal government.” As you can see, the NIST and DoD approaches are fairly similar in definitions and methodology: each pairs a catalog of controls with an assessment of whether those controls are in place and working.

COBIT’s original purpose was to link IT processes and controls to business requirements. Management guidelines were added later, providing management tools such as metrics and maturity models. ITIL focuses on effective IT service management. It consists of 10 processes, which break down into service support (operational) and service delivery (tactical) processes. ISO/IEC 17799 focuses on security and aims to help an organization create an effective IT security plan.

Strengths and Weaknesses
The Information Systems Audit and Control Association (ISACA) has put a great deal of effort into mapping COBIT to other standards, in part because COBIT’s focus is on business requirements. COBIT can be used as the framework and governance model under which the other best practices integrate. Take a look at ISACA’s mapping guides.

Coming Together
To keep things somewhat simpler, let us focus only on the mappings that exist between ITIL and COBIT and between NIST SP 800-53 and COBIT. Through this approach, we will develop a path from DoDI 8500.2 to ITIL. The mapping should be helpful not only for understanding but also for organization. Keep in mind that DoDI 8500.2 is a catalog of controls and can be matched against NIST SP 800-53; Appendix G of NIST SP 800-53 maps its controls to both ISO/IEC 17799 and DoDI 8500.2.

When we combine these mappings, we begin to see the strengths of the individual standards, and we also gain depth of coverage. Take a look at the following mapping for configuring and implementing acquired application software to meet business objectives.

COBIT control: AI2.5, Configuration and implementation of acquired application software to meet business objectives
ITIL: SS-RelMgmt, Release Management (9.8.3)
NIST SP 800-53A: SA-1, System and Services Acquisition Policy and Procedures
DoDI 8500.2: DCAR-1, Procedural Review
ISO/IEC 17799: 12.1, Security requirements of information systems; 15.1.1, Identification of applicable legislation

The complete mapping can be found at this link. It is a work in progress and is meant only as a first attempt to produce something that might clarify and help.

Building Trust
Dr. Ron Ross, project leader for the FISMA Implementation Project, has been giving talks on transforming the certification and accreditation process through a unified risk management framework. He also wants us to be able to trust each other. One of his recent presentations, given on November 14, 2007 to the ACT/IAC Information Security and Privacy Shared Interest Group and titled “Building Trust Relationships Among Organizations,” makes some very important points. In the presentation Ross states that an information security paradigm shift is occurring, from a policy-based compliance model to a risk-based protection model. This is of key importance because the security of shared information will depend on the trust relationships established among partners. This applies to both government and industry. Trust can occur only when an organization understands the security state of its partners; government and industry must be able to trust and understand each other’s security state.

Michael Smith, manager in the Audit and Enterprise Risk Services organization of Deloitte & Touche LLP, makes the following important point about the unified catalog of controls in his post, “One Catalog to Rule Them All“:

What a unified catalog of controls means is that we now have something that is standardized across the board so that I can take an IA practitioner from the DoD side, put them into a civilian agency, and have a reasonable expectation that they will succeed there. In other words, I’ve decreased the switch costs for personnel transfers. I’ve also made it easier for agencies to share data with each other (conspiracy buffs here can think things about Census data feeding the Total Information Awareness program and corroborated against your classified file) and to support each other as vendors under Lines of Business, which the government needs desperately.

Eustace D. King has an article in the July issue of CrossTalk titled “Transforming IA Certification and Accreditation Across the National Security Community.” In the article King discusses the DoD and DNI CIOs’ seven goals for transforming C&A processes across the DoD and the IC. These goals can be found on the Director of National Intelligence CIO’s “Re-Vitalizing Certification & Accreditation Initiative” page and include (quoting from King’s article):

  1. Define a common set of impact levels and adopt and apply them across the DoD and IC.
  2. Adopt reciprocity as the norm, enabling organizations to accept the approvals by others without retesting or reviewing.
  3. Define, document, and adopt common security controls, using NIST SP 800-53 as a baseline.
  4. Adopt a common lexicon, using CNSSI 4009 as a baseline, thereby providing both the DoD and IC a common language and common understanding.
  5. Institute a senior risk executive function, which bases decisions on an enterprise view of risk considering all factors, including mission, IT, budget, and security.
  6. Incorporate IA into enterprise architectures and deliver IA as common enterprise services across the DoD and IC.
  7. Enable a common adaptable process that incorporates security within the lifecycle processes and eliminates security-specific processes.

I do like the idea of “define, document, and adopt common security controls, using NIST SP 800-53 as a baseline.”

At last month’s Infosecurity Canada Conference & Exhibition, Al Purdy, now principal of DRA Enterprises Inc., addressed the importance of establishing a risk management framework. “The most likely way to address some of the risks is a public-private sector collaboration based on an established risk management framework,” Purdy said. Purdy points out that the IT Governance Institute (ITGI), developer of COBIT, is reported to be working on a risk management framework for release later this year. Urs Fischer, who is leading the steering committee that is developing the framework, admits, “While COBIT does contain some discussion of risk management, ITGI realized that it needed to provide more depth and guidance as technology professionals struggle with issues around compliance with regulations such as Basel II.” Fischer goes on to say, “It’s more of an add-on (to COBIT) than a new one.” Fischer explains, “It’s not a checklist. It’s more about the way you should do risk management.”

Parting Words
I started this post wondering whether a shift is beginning toward the risk-based protection model. We see elements in play. There is a definite need to establish a common language across all our standards, best practices, and requirements. Recent research published in the IT Governance Global Status Report 2008 found a six percent increase since 2005 in the importance of IT to business strategy. IT is playing an increasingly vital role in business and government. Help is needed that will allow different groups within an organization to understand IT. This need to communicate goes beyond the boundary of an organization. Governments and industry need to be able to properly evaluate the risk of working with their partners, and they can only do this if they can evaluate their partners’ security readiness. Partnerships do not end at one’s own borders. It is not surprising to see the push for a common risk management framework.

Jacob August Riis, a Danish-born American journalist and slum reformer who created new standards in civic responsibility regarding the poor and homeless in his reporting of New York City slum conditions, once wrote, “When nothing seems to help, I go and look at a stonecutter hammering away at his rock perhaps a hundred times without as much as a crack showing in it. Yet at the hundred and first blow it will split in two, and I know it was not that blow that did it, but all that had gone before.” Sometimes the hands of change seem to move at glacial speed, but change will come. When all the elements are in place, change can come like a flash flood. The best we can do is be patient and then make sure we are not caught, like the Luddites, on the wrong side of technological advancement.

Special Thanks
I wanted to add a note of special thanks to Michael Smith over at the Guerilla CISO. Michael is quoted above. I have been a long time reader of Michael’s blog and when I came across questions concerning DIACAP, I dropped him an email. He was most helpful and informative with his responses, shared with me some pdfs, and pointed me to some great sites. If you want to know more about Michael, Martin McKeay did an interview with him a few months back. Of course, any mistakes in this post are my own, and the correct information is due to the help that Michael provided.

Google Confabulation
http://blog.securitymonks.com/2008/06/24/google-confabulation/
Tue, 24 Jun 2008 19:08:04 +0000, posted by abbot

I wanted to direct your attention to an informative podcast and a site involving Google. First, the podcast. RedMonk did a great interview titled “Puppet at Google - RedMonk Radio Episode 48.” If you are unfamiliar with Puppet, it is an automated system administration engine written in Ruby. Pat Eyler also posted, on the On Ruby blog, an interview with James Turnbull, author of “Pulling Strings with Puppet.” What makes RedMonk’s interview particularly interesting is that it is with Reductive Labs’ Luke Kanies and Google’s Nigel Kersten. To quote RedMonk, “Nigel has been using Puppet to manage ‘many, many thousands’ of Mac desktops used at Google by developers and others. He tells us how he got involved in using Puppet during WWDC last year and quickly applied its use to managing Google Mac desktops.”

Google represents a challenging environment consisting of many very intelligent users operating in a diverse development environment. It is also an environment where, if anyone tried to impede the developers’ work, these inventive employees would find ways around the obstacle. Heavy-handed policies will not work. A technical solution that helps developers get their work done is the only workable solution. Along this line, check out James Governor’s post, “You have to treat your employees like customers.”

Staying with Google, for my second major mention: Google has made available the videos and slides from Google I/O. The gathering occurred May 28-29 and consisted of “in-depth, technical sessions on how to build the next generation of web applications with Google and open technologies.” I have added these sessions to the “Presentations” section of this blog. To save some clicking, and to pique your interest, the sessions are listed below with their tracks.

A World Beyond AJAX: Accessing Google’s APIs from Flash and Non-JavaScript Environments (APIs & Tools)
Advanced Gadget and UI Development Using Google’s AJAX APIs (AJAX & JavaScript)
Advanced KML (Maps & Geo)
Advanced Ruby Scripting for SketchUp (Maps & Geo)
An Introduction to Android (Mobile)
Anatomy & Physiology of an Android (Mobile)
Apache Shindig: Make your Social Site an OpenSocial Container (Social)
Authenticating to Google Data Services (APIs & Tools)
Becoming a Google Apps Small Business Solution Provider (APIs & Tools)
Best Practices - Building a Production Quality Application on Google App Engine (APIs & Tools)
Best Practices for Spreading Your App without Ruining the User Experience (Social)
Building an Android Application 101 (Mobile)
Building on the Promise of OpenSocial (Social)
Building Scalable Web Applications with Google App Engine (APIs & Tools)
Can We Get There From Here? (AJAX & JavaScript)
Creating a Client-Side Search Engine with Gears (AJAX & JavaScript)
Creating a Google Data API Client (APIs & Tools)
Dalvik VM Internals (Mobile)
Design Patterns in an Expressive Language (AJAX & JavaScript)
Design Your Own YouTube Player (APIs & Tools)
Effective Java Reloaded (Tech Talk)
Engaging User Experiences with Google App Engine (APIs & Tools)
Even Faster Web Sites (AJAX & JavaScript)
Extend the Reach of your Google Apps Environment with Google APIs (APIs & Tools)
Faster-than-Possible Code: Deferred Binding with GWT (APIs & Tools)
Flash API for Google Maps (Maps & Geo)
From Mashups to Mapplets (Maps & Geo)
Gears Case Studies: Zoho offline on Gears, Buxfer secure and offline finance with Gears (AJAX & JavaScript)
Google Gears and MySpace - an Exploration of Powering Search on the Client (AJAX & JavaScript)
Google Gears for Mobile: Power Up your Mobile Web App (Mobile)
Google Guice 101 (APIs & Tools)
GWT and Client-Server Communication (APIs & Tools)
Harnessing StreetView, Static Maps, and other new additions to the Google Maps API (Maps & Geo)
Hosting your Geo Data, an Overview of Design Options (Maps & Geo)
How Open Source Projects Survive Poisonous People (Tech Talk)
How to Index your Geo data (Maps & Geo)
HTML5, Brought to You by Gears (AJAX & JavaScript)
Improving Browsers in New Ways: Gears++ (AJAX & JavaScript)
Inside the Android Application Framework (Mobile)
Introduction to Google DocType: an Encyclopedia of the Open Web (Tech Talk)
Introduction to Project Hosting on Google Code (APIs & Tools)
Keynote: Client, Connectivity, and the Cloud (AJAX & JavaScript)
Keynote: Imagination, Immediacy, and Innovation… and a little glimpse under the hood at Google (AJAX & JavaScript)
Leveraging Web 2.0 Design Patterns For Enhanced Accessibility (AJAX & JavaScript)
Meet the OpenSocial Containers (Social)
Mobile Mashups (Mobile)
Monetizing Application Traffic On Social Networks (Social)
My Maps Editing API (Maps & Geo)
Open Source is Magic (Tech Talk)
OpenSocial - Scaling and Analytics, Nuts & Bolts (Social)
OpenSocial Across Containers (Social)
OpenSocial at MySpace: Creating Popular Apps on MySpace (Social)
OpenSocial Specification: What’s Next for OpenSocial (Social)
OpenSocial, OpenID, and OAuth: Oh, My! (Social)
OpenSocial: A Standard for the Social Web (Social)
Parsing and Generating KML with Google’s KML Library (Maps & Geo)
Rapid Development with Python, Django, and Google App Engine (APIs & Tools)
Resource Bundles and Linkers in Google Web Toolkit (APIs & Tools)
Reusing Google APIs with Google Web Toolkit (APIs & Tools)
Search Friendly Development (APIs & Tools)
Secure Collaboration - How Web Applications can Share and Still Be Paranoid (AJAX & JavaScript)
Server-side JavaScript on the Java Virtual Machine (AJAX & JavaScript)
Sitemaps: Exposing Interactive and Hidden Content in Web Applications (APIs & Tools)
Spice up Your Web Apps with Google AJAX APIs (AJAX & JavaScript)
State of Ajax: The Universe is Expanding (AJAX & JavaScript)
Surprisingly Rockin’ JavaScript and DOM Programming in GWT (APIs & Tools)
Taking Large-Scale Applications Offline - Lessons Learned from Google Docs (AJAX & JavaScript)
The World’s Information in Context (Maps & Geo)
Under the Covers of the Google App Engine Datastore (APIs & Tools)
Underneath the Covers at Google: Current Systems and Future Directions (Tech Talk)
URLs are People Too - Using the Social Graph API to Build a Social Web (Social)
Using GWT to Build a High Performance Collaborative Diagramming Tool (APIs & Tools)
Working with Google App Engine Models (APIs & Tools)
YouTube on Your Site (APIs & Tools)
GWT Extreme! (APIs & Tools)
Painless Python for Proficient Programmers (Tech Talk)
Visualize your Data: Google Visualization API (AJAX & JavaScript)

If you are interested in additional slides and videos for training, please check out my previous post, “CERT, CERIAS, the Academy, and Google Video: Training Online.”

Unclear and Present Danger
http://blog.securitymonks.com/2008/05/28/unclear-and-present-danger/
Thu, 29 May 2008 05:08:15 +0000, posted by abbot

Col. Charles W. Williamson III, in his post “Carpet bombing in cyberspace: Why America needs a military botnet,” ran into trouble with the security community when he stated, “America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic.” Richard Bejtlich’s post, “Mutually Assured DDoS,” points out several of the problems with an af.mil robot network. Sean Sullivan from F-Secure also wrote a thoughtful response titled “US Air Force Colonel Proposes Skynet.” I will leave it to the reader to head over to Williamson’s, Bejtlich’s, and Sullivan’s blogs and form their own opinions.

In the end, an effective Distributed Denial of Service (DDoS) attack will likely be carried out in a manner that makes it difficult to block the involved IPs without also cutting off service to the victim’s customers. In cyberspace, attackers do not wear uniforms, nor do they necessarily come from a particular domain. It is not so easy to identify the enemy. The intelligent attacker makes every effort to blend into the population.

With that in mind, I wanted to post some sites that can help identify from where attacks might originate. Please do remember that IPs used in an attack do not necessarily identify who is behind the attacks.

Overview

I agree with Col. Charles W. Williamson III that cyberspace is a dangerous place. The idea of going on the offensive and striking back is appealing. Since early childhood, I can remember my dad always saying, “The best defense is a good offense.” The problem with an offensive military botnet is that it will run into trouble when it comes to locating the enemy’s base. To understand why this is the case, we will start by defining some of the favorite cyberspace weapons used by the bad guys. We will then examine the countries where attacks are occurring. Sources of published information will be examined, which should help the reader continuously monitor activity on their network. We will end by discussing Carnegie Mellon’s attempt to establish international communication and coordination.

Definitions

Let us define a few of the favorite tools being used in carrying out attacks in cyberspace.

Malware

Malware is short for malicious software: any software written for malicious reasons that infiltrates or damages a computer without authorization. Some common malware types are trojans, worms, viruses, bots, rootkits, and spyware/adware. Below are definitions taken from the linked sources.

  • Trojan - a package disguised as something useful or popular but actually carrying a malicious payload that damages the victim machine, threatens data integrity, or impairs the functioning of the victim machine. Trojans can be classified according to the actions they carry out on victim machines: backdoors, PSW (password-stealing) trojans, trojan clickers, trojan downloaders, trojan droppers, trojan proxies, trojan spies, trojan notifiers, and arcbombs.
  • Virus - attaches itself to a program or file so that it can spread from one computer to another, leaving infections as it travels. Viruses can be classified according to their environment and infection method, such as file viruses, boot sector viruses, macro viruses, and script viruses.
  • Worm - considered a subclass of virus; worms take advantage of file or information transport features on systems, allowing them to travel unaided. Worms include programs that propagate via LANs or the Internet with the objective of penetrating remote machines, launching copies on the victim machines, and spreading further to new machines. The key difference from a trojan is that worms propagate on their own: they self-copy and infect other machines purely through vulnerabilities inherent in the target system, with no human intervention required.
  • Rootkit - a program (or combination of several programs) designed to take fundamental control (in Unix terms “root” access, in Windows terms “Administrator” access) of a computer system, without authorization by the system’s owners and legitimate managers.
  • Spyware - computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user’s interaction with the computer, without the user’s informed consent.
  • Adware - advertising-supported software: any software package that automatically plays, displays, or downloads advertising material to a computer after the software is installed or while the application is being used. Adware is generally classified as privacy-invasive software.

Botnet

A botnet is a collection of Internet-connected computers running autonomously and automatically to accomplish some distributed task. Distributed computing can be used for useful and constructive applications, but the term botnet typically refers to a system designed and used for illegal purposes. The individual compromised machines (drones or zombies) run malicious software (a bot) and are assimilated and used without their owners’ knowledge. The machines operate under the command and control (C&C) of the botnet owner (the herder). Botnets are used for (definitions taken from the accompanying links):

  • Click Fraud - click fraud is a type of internet crime that occurs in pay per click online advertising when a person, automated script, or computer program imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target of the ad’s link.
  • DDoS - an attack in which a multitude of compromised systems attack a single target, causing denial of service for users of the targeted system. The flood of incoming messages essentially forces the target system to shut down, denying service to legitimate users.
  • Keylogging - a method of capturing and recording user keystrokes.
  • Warez - refers primarily to copyrighted works traded in violation of copyright law.
  • Spam - is the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.

Phishing

Phishing is the practice of sending out fake emails, or spam, that impersonate a trusted party for the purpose of gathering personal information and/or committing identity theft.

Source Countries

Now that we know a few of the weapons used in cyberspace, we are ready to examine countries where these various attacks are occurring. Once more, please remember that those behind the attacks might not be at the same location as the machines that are launching the attacks.

The Shadowserver Foundation (see below) collects and provides some very interesting statistics. The map below shows the locations of the infected machines (drones) that Shadowserver has observed in the past 24 hours. Please note that this information is not complete; it cannot be. If we knew every infected computer and C&C machine, we could shut them down easily. The challenge is the ever-changing landscape, and the Shadowserver Foundation does a commendable job of continuously monitoring it.

[Map image: Drones observed in the past 24 hours]

The map below shows the C&C servers tracked in the last 24 hours.

[Map image: C&C IPs, past 24 hours]

The graph below shows the count of all network scans into routed CIDR blocks launched from the botnets that Shadowserver is aware of:

[Graph image: Scans for the year]

The map below shows the tracked C&C servers and the targets of their scans in the last 24 hours.

[Map image: Scans, past 24 hours]

The graph below shows the count of all DDoS attacks launched from the botnets that Shadowserver is aware of:

[Graph image: DDoS attacks]

The map below, covering the most recent 24-hour period, shows the C&C servers and the targets of their DDoS attacks.

[Map image: DDoS, past 24 hours]

The map below shows the machines that suffered DDoS attacks and the C&C sources in 2007.

[Map image: C&C and DDoS targets, 2007]

PhishTank (see below) provides daily verified phishing reports. Below is a map of the countries generating the most reported verified phishing attempts for April 2008.

[Map image: Phishing by country, April 2008]

Sources for Information

As previously mentioned, the Shadowserver Foundation gathers, tracks, and reports on malware, botnet activity, and electronic fraud. It is a great source of information concerning cybercrime. Richard Perlotto, the gentleman who runs the technology and operational side of the Shadowserver Foundation, presented last week at the Asia Pacific Information Security Conference (AusCERT2008).

PhishTank provides information on phishing attacks. While OpenDNS created and operates the site, PhishTank is a community effort, with the information provided by companies and people submitting phishing e-mails and Web sites. The data is totally open and a free API exists. The API documentation is available for developers wanting to use PhishTank’s community data to integrate anti-phishing elements into their applications.

If you have anything in your security arsenal that is monitoring for certain IPs or domains, the DNS-DB Malware Domain Blocklist and the Global Watchlist provide invaluable up-to-date information. The DNS-DB Malware Domain Blocklist site maintains a list of domains, pulled from various sources, that are known to be used to propagate malware and spyware. The Global Watchlist was created after a discussion between C.S. Lee and Spoonfork. C.S. Lee describes the purpose of this list in his posting “The Harimau Watchlist.” What they have done, in their own words, is to “pull the list of suspected malicious IPs/Net ranges from different sources such as Sans dshield, Arbor atlas and so forth, then putting all of them in one place.” You can search through a web interface or set up processes to search automatically via URL. They have also made all the IPs and data available in one file. Helping detect and possibly prevent access from these IPs and domains through Snort, Dragon, and other IDS/IPS signatures is the Emerging Threats site.

The Spamhaus Project attempts to “track the Internet’s Spam Gangs, to provide dependable realtime anti-spam protection for Internet networks, to work with Law Enforcement Agencies to identify and pursue spammers worldwide, and to lobby governments for effective anti-spam legislation.” The project offers a realtime database of IP addresses consisting of a combination of the Spamhaus Block List (SBL), the Exploits Block List (XBL) and the Policy Block List (PBL). If you desire a data feed, the service is not free. You can try it out for 30 days free. They do operate DNSBL servers spread across 18 countries. You may qualify for free access via DNS queries.

The SANS Internet Storm Center (ISC) provides a free analysis and warning service to fight back against malicious attackers. The ISC gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries. It is a free service to the Internet community. After removing identifying information, the ISC sends intrusion detection and firewall logs to the DShield distributed intrusion detection system.

The National Vulnerability Database (NVD) is a fantastic source of free information enabling automation of vulnerability management, security measurement, and compliance. While it might not help with filtering of IPs, the data can be used in combination when automating your security. To quote the site, “NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.” NVD is the repository for Information Security Automation Program (ISAP) and the Security Content Automation Protocol (SCAP). Here are a few of the major sources of information NVD provides:

  1. CVE Vulnerabilities - a dictionary of publicly known information security vulnerabilities and exposures. Allows you to download the entire CVE List in various formats.
  2. Checklists - repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications.
  3. US-CERT Alerts - provide timely information about current security issues, vulnerabilities, and exploits.
  4. US-CERT Vuln Notes - include technical descriptions of the vulnerability, as well as the impact, solutions and workarounds, and lists of affected vendors.
  5. OVAL Queries - an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL Repository downloads include Data Files of all vulnerability, compliance, inventory, and patch definitions for supported platforms.

There are a few good sources for security statistics in the form of reports. The Anti-Phishing Working Group (APWG) is a global pan-industrial group with over 3000 members in over 1700 companies and agencies worldwide. The group’s purpose is to eliminate the fraud and identity theft that result from phishing, pharming and email spoofing of all types. They produce an interesting Phishing Activity Trends report, which was last updated in January 2008.

WhiteHat produces a Security Statistics Report. The report presents a statistical picture of current website vulnerabilities, focused solely on previously unknown vulnerabilities on public websites. The report also contains expert analysis and recommendations. Jeremiah Grossman, founder and CTO, maintains a very informative blog where additional information can be found. You can hear Jeremiah on a recent episode of Risky Business, where he discussed Cross Site Request Forgery attacks with host Patrick Gray.

Microsoft produces a “Security Intelligence Report.” Currently the fourth volume is available covering July through December 2007. You can also watch the video cast of Bret Arsenault, GM US National Security Team and Vinny Gullotto, GM Microsoft Malware Protection Center, discuss the trends and findings in the latest SIR.

There are a few final additional sources of information that I have found useful when trying to understand security trends. Dan Geer did a presentation, “A Quant Look at the Future: Extrapolation via Trend Analysis.” The state-of-the-art report (SOAR) published by the Information Assurance Technology Analysis Center (IATAC) provides observations about noteworthy trends in software security assurance as a discipline. The Computer Crime and Security Survey is conducted by CSI annually. The aim of this effort is to raise the level of security awareness, as well as to help determine the scope of computer crime in the United States. They used to issue the report with the FBI. Registration is required.

Blogs can also be a valuable source of information, and may occasionally post IPs to be concerned about. SunBelt Software just did a posting titled “Fresh new rogue antispyware programs.” Dancho Danchev recently posted “Malware Domains Used in the SQL Injection Attacks.” The F-Secure folks maintain a very informative site concerning the latest news from their labs. There are many excellent sites for information on malware, botnets, and phishing. For example, Kaspersky Lab maintains the blog VirusList and the AVDefender. SANS ISC has the Handler’s Diary.

International Incident Coordination

Security on international projects is complicated. Take a look at my previous post, “Information Security and the Law.” Different countries have different laws impacting what can and cannot be done. Many CEOs may not know a great deal about information technology, but they know they have no desire to break the laws of other countries. This can pressure managers to prefer light security: heavy on the data protection, but light on the detection. We have established that cyberspace can be a dangerous place, especially when you are playing in international waters. Defenses will fail. If an organization cannot detect nefarious activities in a high-risk environment, that is a bad combination. Even when you have fully supportive management, it is easy to run into a road block when dealing with other countries.

Carnegie Mellon University Software Engineering Institute (SEI) is trying to help establish some coordination between the white hats working in international security. First, a little history in order to understand the players involved. SEI was charged by the Defense Advanced Research Projects Agency (DARPA) with setting up a center to “coordinate communication among experts during security emergencies and to help prevent future incidents.” This center was named the CERT Coordination Center (CERT/CC) and is an amazing source for cutting edge security research and information.

With the establishment of incident response teams both within the United States and internationally, difficulties soon developed due to differences in language, time zone, and international standards or conventions. It became apparent that better communication and coordination between teams was needed, and the Forum of Incident Response and Security Teams (FIRST) was established. Membership consists of teams from a wide variety of organizations, including educational, commercial, vendor, government and military.

CERT/CC also began a program to help Computer Security Incident Response Team (CSIRT) development and establish CSIRTs around the world. National CSIRTs deal with security at the macro level. Large-scale incidents can affect the economy, critical infrastructure, government operations, and/or national security. If the incident ends up being a worldwide event, National CSIRTs can coordinate with CSIRTs in other countries to establish communications and cooperation among those countries.

To hear more about CSIRTs, listen to the August CERT podcast titled “Tackling Security at the National Level: A Resource for Leaders,” in which Jeff Carpenter talks with Julia Allen. Jeffrey J. Carpenter is the technical manager of the CERT/CC and has assisted with the formation and development of CSIRTs. Julia Allen is a senior researcher within the CERT Program; she is engaged in developing and transitioning executive outreach programs in enterprise security and governance, and works extensively with the IT operations and audit communities. She is one of my favorite sources for enterprise security information.

Below is an interactive map to locate CSIRTs with national responsibility around the world. From the map, additional information can be pulled up on the individual sites.

map

Final Words

I understand the frustration Col. Charles W. Williamson III feels. The problem is that in cyberspace, the enemy is all around us. It is within us. If we lash out, our first target must be ourselves. In the end, we are fighting blind. Edmund Burke once said, “All that is necessary for evil to succeed is that good men do nothing.” I do not think good men attacking each other was what Edmund had in mind. That is what will occur if we fight blind. We can’t even withdraw into the safety of our own silos, for the perimeters are being continuously breached. Retreat is not an option. The delusion that isolationism will bring safety has been shattered. The only solution is for the good guys to band together. There is strength in unity. Only when working together will we be strong enough to take on those who bring destruction.

From Cyberspace with Love
http://blog.securitymonks.com/2008/05/23/from-cyber-space-with-love/
Sat, 24 May 2008 00:49:35 +0000, by abbot. Category: Hacking

April 26 was the 22nd anniversary of the meltdown at the Russian Chornobyl reactor. On this day, Radio Free Europe / Radio Liberty (RFE/RL) began its live Web report covering a rally of thousands of people, organized by the Belarusian opposition. The demonstration was to protest the government’s decision to build a new nuclear power station and the plight of uncompensated Chornobyl victims. What followed was a Distributed Denial of Service (DDoS) attack, flooding the Belarusian RFE/RL Web sites with up to 50,000 hits every second. Eight RFE/RL websites (Belarus, Kosovo, Azerbaijan, Tatar-Bashkir, Radio Farda, South Slavic, Russian, and Tajik) were knocked out or otherwise affected for almost two days. This effectively silenced the coverage. Two other Web sites were targeted in the same attack, belonging to the opposition groups Charter 97 and Belarus Partisan.

The next day, April 27th, marked the one year anniversary of the cyber attack on Estonia. The incident began when the Estonian government moved a war memorial honoring Russian-Estonians who died fighting the Nazis. Gadi Evron, the former Israeli Government CERT manager who was in Estonia at the time of the attacks, has published an article titled “Battling Botnets and Online Mobs” in the Georgetown Journal of International Affairs. Evron explains the attack:

Once bloggers started reporting their small-scale attacks, more experienced players became involved. Before long, botnets were being used. The involvement of the Russian government in the affair cannot be confirmed. What raised speculation, however, is the failure–or unwillingness–of the Russian authorities to stop the cyber riot against Estonia for over three weeks after the initial attack.

In an attempt to deal with future attacks, seven NATO countries are backing the establishment of the Cooperative Cyber Defence (CCD) Centre of Excellence (COE) in Estonia. General James Mattis, NATO’s Supreme Allied Commander Transformation/Commander, at the signing ceremony stated, “The need for a cyber defense center to be opened today is compelling…It will help NATO defy and successfully counter the threats in this area.” The center will be tasked with conducting research and training on cyber warfare. The US showed its backing by agreeing to send an observer.

Cyber attacks are occurring in every country. Last month Chinese hackers called for a DDoS against CNN.com in retaliation for news coverage of Tibet protesters. The organizers felt the news coverage was skewed against China. The attack was reportedly called off because the amount of coverage of the approaching attack was expected to limit its effectiveness. Still, on the day of the planned attack, CNN was knocked offline for three hours. The Internet research website Netcraft reported, “CNN’s website suffered downtime within a three hour period on Sunday morning, followed by other anomalous activity on Monday morning, where response times were greatly inflated.”

Providing information on the scale of compromised servers, malicious attackers, and the spread of malware is the Shadowserver Foundation. The organization gathers, tracks, and reports on malware, botnet activity, and electronic fraud. It is a great source of information concerning cybercrime. Richard Perlotto, the gentleman who runs the technology and operational side of the Shadowserver Foundation, spoke last week at the Asia Pacific Information Security conference (AusCERT2008). Additional presentations and interviews from the conference can be accessed through ITRadio. Below is a sample map showing DDoS attacks in 2007.

DDoS 2007

In the old days, countries controlled information by clamping down on the press and shutting down television stations. Pakistan meant to exercise country-wide censorship in February, when the telecommunications ministry ordered access to YouTube blocked. According to Danny McPherson, Arbor Networks’ Chief Research Officer, in his posting “Internet Routing Insecurity::Pakistan Nukes YouTube?”, Pakistan Telecom had three options:

  1. deploy access-control lists (ACLs) on all your router interfaces dropping packets to or from these IPs
  2. statically route the three IPs, or perhaps the covering prefix (208.65.153.0/24), to a null or discard interface on all the routers in your network
  3. employ something akin to a BGP blackhole routing function that results in all packets destined to those three specific IPs, or the covering prefixes, being discarded as a result of null or discard next hop packet forwarding policies, as discussed here

Pakistan Telecom selected option three. Because Pakistan’s BGP announcements were offering very precise routes to what it declared were YouTube’s Internet servers, routers took them to be more accurate than YouTube’s own information about itself. That data was supposedly accidentally shared with Hong Kong’s PCCW, which failed to validate the BGP data. PCCW then shared the data with other ISPs throughout the Internet. Believing Pakistan Telecom had better routes to YouTube, service providers started sending their YouTube traffic to Pakistan.
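As an added example, not code from the post or from Arbor Networks, the following minimal route table shows why the more-specific /24 announcement described above wins longest-prefix match, and how origin validation (modelled on an RPKI ROA) at PCCW would have rejected it. Assumptions not stated on the page: the legitimate covering prefix is modelled as 208.65.152.0/22, and the ASNs 36561 (YouTube), 17557 (Pakistan Telecom) and 3491 (PCCW) are used only as labels.

```python
"""Added example: longest-prefix match versus origin validation for the
YouTube /24 announcement.  Route data below is constructed; see lead-in."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_asn: int            # last ASN in the AS_PATH: the network claiming the prefix
    as_path: Tuple[int, ...]   # constructed path as seen by a distant ISP, neighbour first


@dataclass(frozen=True)
class RouteOrigin:
    """Who may originate a prefix and how specific an announcement may be (ROA-like)."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


def select_route(rib: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific covering prefix wins,
    no matter which AS announced it.  This is the behaviour the hijack relied on."""
    addr = ipaddress.ip_address(dst)
    covering = [r for r in rib if addr in r.prefix]
    if not covering:
        return None
    return max(covering, key=lambda r: r.prefix.prefixlen)


def validate_origin(route: Route, roas: List[RouteOrigin]) -> str:
    """Return 'valid', 'invalid', or 'unknown' (no ROA covers the prefix)."""
    covering = [roa for roa in roas if route.prefix.subnet_of(roa.prefix)]
    if not covering:
        return "unknown"
    for roa in covering:
        if roa.asn == route.origin_asn and route.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def filter_rib(rib: List[Route], roas: List[RouteOrigin]) -> List[Route]:
    """The validation step the post says PCCW skipped: drop 'invalid' announcements."""
    return [r for r in rib if validate_origin(r, roas) != "invalid"]


# Constructed announcements as a third-party ISP would receive them.
LEGIT = Route(ipaddress.ip_network("208.65.152.0/22"), 36561, (36561,))
HIJACK = Route(ipaddress.ip_network("208.65.153.0/24"), 17557, (3491, 17557))
RIB = [LEGIT, HIJACK]

# Constructed ROA: only AS36561 may announce this space, and nothing longer than /22.
ROAS = [RouteOrigin(ipaddress.ip_network("208.65.152.0/22"), 22, 36561)]

# Constructed address inside the hijacked /24 (not a real YouTube host).
TARGET = "208.65.153.10"


def traffic_goes_to(rib: List[Route], dst: str) -> Optional[int]:
    """Origin ASN that ends up receiving packets for dst under this route table."""
    best = select_route(rib, dst)
    return None if best is None else best.origin_asn


if __name__ == "__main__":
    print("unfiltered, traffic goes to AS", traffic_goes_to(RIB, TARGET))
    print("hijack ROA status:", validate_origin(HIJACK, ROAS))
    print("filtered, traffic goes to AS", traffic_goes_to(filter_rib(RIB, ROAS), TARGET))
```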

McPherson spoke with ITRadio on the topic, “How to destroy the Internet.” In the interview, McPherson discusses what occurred in Pakistan and how, “the control path, in general, on the Internet (DNS and routing, in particular) are two of the most fragile pieces of the Internet infrastructure.”

Kimberly Zenz, Senior Threat Analyst at VeriSign iDefense, pointed out that times have changed and blocking a site from an ISP is an increasingly unreliable way of censoring the Internet. Bringing down a site with a DDoS or shutting down the Internet completely are more effective options. For example, faced with a major protest movement for the first time since 1990, the government of Myanmar cut off the country’s Internet access completely. The actions of the Myanmar government are not unique. The OpenNet Initiative (ONI) tracks Internet censorship with the aim “to investigate, expose and analyze Internet filtering and surveillance practices in a credible and non-partisan fashion.” The site has an intriguing global filtering map and can provide valuable non-partisan information on Internet censorship throughout the world.

RFE/RL President Jeffrey Gedmin raises the concern that the number of cyberattacks will only increase, when he stated:

The Belarusians, the Iranians — they all have basically the same objective. They see free information — flowing information of ideas and so forth — as the oxygen of civil society. They’ll do anything they can to cut it off. If it means jamming, if it means cyberattacks, that’s what they’ll do.

Providing additional insight into the conditions that are helping foster hacking, Zenz was interviewed and presented at AusCERT2008. For additional information, Zenz co-authored with Eli Jellenc the fascinating report “Global Threat Research Report: Russia.” While the report is focused on Russia, the conditions exist in many countries.

Remember the good old days when our view of hacking was mostly based on the movie War Games? Hackers were misunderstood high school kids who might break into a government site just for the thrill of it, or maybe to play games. Who can forget the famous lines, “Greetings Professor Falken, Shall We Play a Game?” If you don’t recall the movie, or that line, you really need to work on your geek culture. While life and hacking may have appeared simple in those days, one cannot deny that today’s Internet offers the most interesting challenges. It is an exciting time to be a security monk. In the end, what’s not to love?

Scanner for Debian OpenSSL Vulnerability
http://blog.securitymonks.com/2008/05/22/scanner-for-debian-openssl-vulnerability/
Thu, 22 May 2008 23:31:46 +0000, by abbot. Category: Vulnerability

By now, you likely have heard about the Debian OpenSSL Vulnerability, found by Luciano Bello. It was originally announced on May 13th. What occurred is that code was removed because it caused the Valgrind and Purify tools to produce warnings about the use of uninitialized data in code linked to OpenSSL. This change left only the current process ID to be used for the initial seed, crippling the seeding process for the OpenSSL PRNG. To quote the National Vulnerability Database (NVD):
OpenSSL 0.9.8c-1 up to 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

Hubert Seiwert, Internet Security Specialist at Westpoint Ltd., released debian_ssh_scan.py on May 16th. The code does a remote check for weak Debian sshd host keys as identified in CVE-2008-0166. The fingerprints are taken from the keys in HD Moore’s common and uncommon key sets. Mr. Seiwert also used Justin Azoff’s multi-threading code. While it is not the only scanner, Mr. Seiwert did a very nice job.

For those who might be less familiar with Python, I thought I would walk through getting debian_ssh_scan.py installed. Most distributions of Linux and Unix have Python installed and with a few additional steps you will be ready to scan your hosts for vulnerabilities.

Set HTTP_PROXY

If you need to access the Internet through a proxy server, the HTTP_PROXY environment variable should be set. This allows wget, Python’s urllib module, and other applications (yum, apt-get, etc.) to use this environment variable to reach http/https through the proxy server.

# export HTTP_PROXY="http://<proxy-server-ip>:<port>"

Replace “<proxy-server-ip>” with your proxy server name/ip and “<port>” with the proxy’s port.

Install setuptools

The setuptools module gives developers an easy way to build and distribute Python packages in a single-file archive called an “egg.” The steps to get setuptools installed are:

  1. Download the appropriate egg for your version of Python (e.g. setuptools-0.6c8-py2.3.egg). Do NOT rename it.
  2. Run it. Setuptools will install itself using the matching version of Python (e.g. python2.3), and will place the easy_install executable in the default location for installing Python scripts (as determined by the standard distutils configuration files, or by the Python installation).

To install:

# cd /home/ger/software
# wget http://pypi.python.org/packages/2.3/s/setuptools/setuptools-0.6c8-py2.3.egg
# sh setuptools-0.6c8-py2.3.egg

Install paramiko

The Python module paramiko implements the SSH2 protocol for secure (encrypted and authenticated) connections to remote machines. Below, the easy_install executable is used. easy_install is bundled with setuptools and lets you automatically download, build, install, and manage Python packages.

# cd /home/ger/software
# wget http://www.lag.net/paramiko/download/paramiko-1.7.3.tar.gz
# tar xzf paramiko-1.7.3.tar.gz
# cd paramiko-1.7.3
# easy_install ./

Pull Down debian_ssh_scan_v4

The Python script debian_ssh_scan_v4 can now be installed.

# cd /home/ger/software
# wget http://itsecurity.net/debian_ssh_scan_v4.tar.bz2
# bzip2 -cd debian_ssh_scan_v4.tar.bz2 | tar xvf -
# cd debian_ssh_scan_v4

Start Scanning

You are now ready to start scanning. The below IP is used only for demonstration purposes. Use your own site’s IPs.

#  ./debian_ssh_scan_v4.py 127.0.0.1:22
201691 fingerprints loaded.
127.0.0.1:22 sshd fingerprint 97382c98fe3d45fa779abd34bb65fb73 VULNERABLE (RSA 2048 bit key, pid 5214)

Modify targets.txt, if you want to create a file of IPs. Run the file of IPs through the scan program using the command:

# cat targets.txt | ./debian_ssh_scan_v4.py
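As an added example, not debian_ssh_scan_v4 or any other code from the post, the block below performs the core check such a scanner does, locally rather than over the network: it computes the OpenSSH MD5 fingerprint of each public key line (authorized_keys or known_hosts format) and looks it up in a set of known-weak fingerprints. Both keys are constructed wire-format blobs built from toy numbers, not real RSA keys, and the weak set is seeded from one of them so the example runs offline; in real use the set would hold the fingerprints of every key the broken PRNG could produce.

```python
"""Added example: fingerprint-based weak-key check in the style of the
Debian OpenSSL scanners.  Keys below are constructed toys; see lead-in."""
import base64
import binascii
import hashlib
import struct
from typing import Iterable, List, Set, Tuple

KEY_TYPES = ("ssh-rsa", "ssh-dss")


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': two's complement, so a leading 0x00 when the top bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_public_blob(e: int, n: int) -> bytes:
    """Serialise an ssh-rsa public key as OpenSSH does (RFC 4253 section 6.6)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def key_line(blob: bytes, comment: str) -> str:
    """Build an authorized_keys style line from a key blob."""
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def fingerprint(line: str) -> str:
    """MD5 over the decoded key blob, hex without colons (the form the scanner prints).
    Accepts 'TYPE BLOB [comment]' and known_hosts style 'HOST TYPE BLOB'."""
    parts = line.split()
    for i, tok in enumerate(parts[:2]):
        if tok in KEY_TYPES and i + 1 < len(parts):
            blob = base64.b64decode(parts[i + 1], validate=True)
            return hashlib.md5(blob).hexdigest()
    raise ValueError("not an OpenSSH public key line")


def check_keys(lines: Iterable[str], weak: Set[str]) -> List[Tuple[str, str]]:
    """Classify each key line as VULNERABLE, OK or UNPARSEABLE; skip blanks/comments."""
    results = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fp = fingerprint(line)
        except (ValueError, binascii.Error):
            results.append(("-", "UNPARSEABLE"))
            continue
        results.append((fp, "VULNERABLE" if fp in weak else "OK"))
    return results


# Constructed toy keys: tiny moduli, never usable as real keys.
WEAK_KEY = key_line(rsa_public_blob(65537, 0xC0FFEE12345), "constructed-weak")
GOOD_KEY = key_line(rsa_public_blob(65537, 0xDEADBEEF6789), "constructed-ok")
# Same weak key as a known_hosts entry: host field first, no comment.
KNOWN_HOSTS_LINE = "host.example " + WEAK_KEY.rsplit(" ", 1)[0]

# Seeded from the constructed key; a real blocklist holds the fingerprints of
# every key the crippled PRNG could generate (the ~200k the scan output mentions).
WEAK_FINGERPRINTS = {fingerprint(WEAK_KEY)}

if __name__ == "__main__":
    sample = [WEAK_KEY, GOOD_KEY, KNOWN_HOSTS_LINE, "# comment", "garbage"]
    for fp, verdict in check_keys(sample, WEAK_FINGERPRINTS):
        print(fp, verdict)
```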

Final Words

Debian has issued an update for OpenSSL. For affected systems, the software packages need to be updated and all cryptographic key material must be recreated. Please see the Security Focus references for more details.

Google Reader Share With Notes
http://blog.securitymonks.com/2008/05/08/google-reader-share-with-notes/
Fri, 09 May 2008 04:53:20 +0000, by abbot. Category: Google Reader

One of the nice features about using services provided by Google is that features pop up like Christmas presents. Such was the case with Google Reader’s new “Share with Note” button. Now you can add a comment explaining why you are sharing a news item. While we can only dream of one day being as good as Mike Rothman’s Daily Incite, it is a start. In honor of this new feature, I thought I would include a few of my Google Reader Shared Items from today. The format below is not as nice as Google Reader, but it gives you the idea of what Share with Note adds.

International Cybercrime (Of The Horse)

via The Center for Internet and Society on 5/8/08

Comment:
“Good to see countries trying to work together. Hopefully additional countries will be added later. Five nations, one mission is a good start.”

A colleague and I were just discussing a new international working group, chaired by the FBI, which has “band[ed] together to fight cyber crime in a synergistic way.” The group is called the Strategic Alliance Cyber Crime Working Group; it even has a tagline: “Cyber Solidarity: Five Nations, One Mission.”


Warping court memories with subtle suggestions

via Mind Hacks on 5/8/08

Comment:
“This posting serves as a good reminder why one always needs to question what is said and what we read. For example, a previously noted posting about what CIOs consider top challenges. Frequently, how questions are asked greatly affects the responses. Also consider Stanley Milgram’s conformity experiment. Part of any good security program is social engineering. Learn from these experiments.”

The legal system works on a principle of innocent until proven guilty by the evidence presented in court, but Cognitive Daily covers several studies that show our memory of the evidence is affected by moral judgements of the person in question.

With their trademark clarity, CogDaily discuss a study [pdf] by psychologist David Pizarro that found if participants were told about a man leaving a restaurant without paying, they remembered the unpaid bill being more expensive if they were told he treated the waiters rudely, than if they were told he was generally a responsible person.

The study is reminiscent of a famous experiment by a young Elizabeth Loftus called Reconstruction of Automobile Destruction.

It was simple but elegantly designed. Groups of people were shown clips of cars crashing and then asked how fast the cars were travelling, but with different verbs in the question.

For example, some people were asked how fast the cars were travelling when they “smashed” into each other, others how fast when they “bumped” into each other, others how fast when they “contacted” with each other, and so on.

Loftus found that simply asking the questions with a different verb altered people’s memories of the speed of the crash - like so:

“smashed” : 40.8 miles per hour
“collided” : 39.3 miles per hour
“bumped”: 38.1 miles per hour
“hit” : 34 miles per hour
“contacted” : 31.8 miles per hour

Needless to say, these sorts of tricks have been used by lawyers ever since.

Link to CogDaily on moral blame can change the memory of a crime.
pdf of full-text paper.
Link to Wikipedia page Loftus’s car crash study.

Reducing costs not as easy as security, say ANZ CIOs

via The IT Skeptic’s ITIL Pipe on 5/8/08

Comment:
“Always fascinating to read what CIOs might be thinking. According to this, “Information security was rated last place in the Top 10 challenges for CIOs.” I wonder if this is because CIOs believe that security will be built into everything in the future and they need not worry about it anymore. Life would be so much easier for the poor CIOs if only this was true. Of course, with all the legislation being passed and audits regularly occurring, it is hard to imagine how security is not more of a concern.”

Computerworld New Zealand - Auckland,New Zealand The top five hottest skills, according to respondents, are networking, IT service management, help desk, and enterprise applications. … (more)

Egypt shuts off cell anonymity

via ZDNet Government on 5/8/08

Comment:
“It is always interesting to see what other countries are doing. More importantly, check back later and see if these actions have any effect at all in deterring the original cause cited. Check out recent reports on England’s monitoring system.”

As protests continue to mount over rising food prices, Egypt is moving to keep close tabs on cellphone users. The government wants cellphone companies to close down anonymous subscribers, Reuters reports.
“Everyone who uses the telephone must be known,” Trade Minister Rachid Mohamed Rachid told a news conference, adding that the move was needed for “public [...]

The Art of the Business Card

via How to Change the World on 5/8/08

Comment:
“These are so cool. Talk about standing out and getting folks to remember you.”


A few weeks ago I was in Charlotte to make a speech for Network Solutions, and I met Justin Ruckman. He handed me his business card–which I just loved. For once, a business card that cuts to the chase and is readable. Hallelujah! So I asked him to make business cards for me. Take a look at your business card: Can people really read the 8 point type? If you want Justin to make business cards for you, his site is here.

Web Oriented Architecture Webinar Series

via Real World SOA | David Linthicum on 5/8/08

Comment:
“Dave Linthicum is always a great presenter on a very important topic. The webinars will be very interesting, and free. Always a great combination.”

I’ve had a number of you who have asked me to bring back the Webinar series I was doing a year or so ago. So, I’m going to start on 5/13, next week, delivering the first of many Webinars around the notion of Web Oriented Architecture, or WOA. The description is below, and you can register here. It’s free, with very little commercial interruption. Come learn about WOA and SOA in the real world. David Linthicum: Delivering Enterprise Data to the Emerging Web Data is the driving force behind the emerging Internet. While the Web used to be a collection…

The man who defied Milgram’s conformity experiment

via Mind Hacks on 5/8/08

Comment:
“Stanley Milgram’s conformity experiment has always been fascinating. It is really interesting reading the first hand account by someone who refused to go along.”

Jewish Currents has an interesting first person account from one of the people who took part in Stanley Milgram’s famous conformity experiment where 65% of participants were ordered to fatally shock another participant. This article is written by one of the 15% who refused to continue.

The learner, said the professor, would be in an adjoining room, out of my sight, and strapped to a chair so that his arms could not move — this so that the learner could not jump around and damage the equipment or do harm to himself. I was to be seated in front of a console marked with lettering colored yellow for “Slight Shock” (15 volts) up to purple for “Danger: Severe Shock” (450 volts). The shocks would increase by 15-volt increments with each incorrect answer.

I was very suspicious and asked a number of questions: Isn’t it dangerous? How do you know the learner doesn’t have a bad heart and can’t take the shocks? What if he wants to stop, can he get out of the chair? The professor assured me that the shocks were not painful or harmful since the amperage was lowered as the voltage increased. He let me feel what a 45-volt shock would be like: a slight tickle. I asked the learner if he was willing to do this and why he didn’t have any questions. He said, “Let’s try it.” With some trepidation on my part, we began the experiment.

Link to ‘Resisting Authority’ (via MeFi).

Visualizing Nessus Working Harder For You

via Tenable Network Security on 5/8/08

Comment:
“Ron makes a key point when he states, “The point I’m really trying to make is that if you look at the effects of a scan through some sort of network monitoring solution, you may be able to learn not only how your scanner works, but how it interacts with your network.” Data visualization techniques offer very interesting possibility in the security arena. Tie this into work in analyzing visual patterns, which we have been doing for decades. I mean electronically. Humans have been doing visual pattern recognition since we first started gaining the ability to see.”

Recently, several images were uploaded to the SecViz - Security Visualization web site which visualize how hard the Nessus, Saint and Retina vulnerability scanners actually work. Default scans for each scanner were performed in full view of a Snort sensor and the alerts from Snort were sent to Prelude for visualization with “pig“. The visualization allows understanding of how many different and unique techniques are performed by each scanner. Below are screen shots for the results from each scanner:

(Screenshots: Saint Results, Retina Results, Nessus Results)

When I first saw these results, I didn’t think they were entirely relevant. The visualization is using Snort events, which means that all of the scanners might be trying techniques that Snort might not detect. For example, when Nessus performs a variety of non-credentialed Windows checks over ports 445 and various Windows RPC services, Snort generates some events, but it does not generate a unique event for every custom probe. However, after the author of these posts to SecViz contacted me and pointed out some of the test results, I thought it was a good blog topic. The raw results for Nessus included 1019 alerts, 166 alerts for Saint and 76 alerts for Retina, which was fairly significant.

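The comparison described above (scanner activity measured by the Snort alerts it triggers, with the caveat that Snort fires the same rule repeatedly rather than one event per custom probe) can be reproduced without Prelude or pig by counting alerts per scanner source. The following is an added example, not Tenable’s or SecViz’s code; the alert lines and signature ids are constructed, and the fast-alert layout is assumed to be Snort’s standard one-line format.

```python
import re
from collections import defaultdict

# Snort "fast" alert line (assumed layout): timestamp [**] [gid:sid:rev] message [**]
# [Classification...] [Priority: n] {proto} src:sport -> dst:dport
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: two scanner hosts (10.0.0.5, 10.0.0.6) probing one target.
# The sid values are made up for illustration, not real Snort rule ids.
SAMPLE_ALERTS = """\
05/08-10:01:02.000001  [**] [1:100001:1] SCAN probe A [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40001 -> 10.0.0.20:445
05/08-10:01:02.000002  [**] [1:100001:1] SCAN probe A [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40002 -> 10.0.0.20:445
05/08-10:01:03.000003  [**] [1:100002:1] SCAN probe B [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40003 -> 10.0.0.20:139
05/08-10:01:04.000004  [**] [1:100003:1] WEB-MISC probe C [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:40004 -> 10.0.0.20:80
05/08-10:02:01.000005  [**] [1:100001:1] SCAN probe A [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.6:50001 -> 10.0.0.20:445
05/08-10:02:02.000006  [**] [1:100001:1] SCAN probe A [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.6:50002 -> 10.0.0.20:445
this line is not an alert and is skipped by the parser
"""

def parse_alerts(text):
    """Yield one dict per line matching the fast-alert format; ignore anything else."""
    for line in text.splitlines():
        m = FAST_ALERT.match(line.strip())
        if m:
            yield m.groupdict()

def summarize_by_source(text):
    """Per source IP: total alerts, distinct signatures, distinct (proto, port) targets.

    Distinct signatures approximate the 'unique techniques' the visualization shows;
    the gap between total alerts and distinct signatures is the repeated-rule effect
    the text describes (many probes, one Snort rule firing over and over).
    """
    totals, sigs, ports = defaultdict(int), defaultdict(set), defaultdict(set)
    for a in parse_alerts(text):
        totals[a["src"]] += 1
        sigs[a["src"]].add((a["gid"], a["sid"]))
        ports[a["src"]].add((a["proto"], a["dport"]))
    return {src: {"alerts": totals[src], "unique_sigs": len(sigs[src]),
                  "ports": len(ports[src])} for src in totals}

if __name__ == "__main__":
    for src, s in sorted(summarize_by_source(SAMPLE_ALERTS).items()):
        print(f"{src}: {s['alerts']} alerts, {s['unique_sigs']} unique signatures, {s['ports']} ports")
```

Point the same function at a real alert file and the source with many alerts but few distinct signatures is the one whose probes Snort mostly cannot tell apart, which is exactly the visibility gap the post warns about.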

US State Department Loses 1,000 Laptops

via Liquidmatrix Security Digest on 5/8/08

Comment:
“I understand the bulk of the equipment, not cost, is laptops. Still, that means some expensive equipment is missing. A thousand pieces valued at $30 million. That means on average each piece of equipment is worth $30,000. Say “bulk” means half (500 pieces) with each laptop valued at $3k. That would only be $1.5 million. The remaining 500 pieces would then be worth $57,000 each. How are those items not tracked? Most government agencies track anything, I thought, above $500. That does not even take into account how the equipment was used.”

Ouch!

From vnunet:

An audit at the US State Department has revealed the loss of over 1,000 laptops, some of which held security information.

Around $30m worth of computing hardware is “unaccounted for”, the bulk of it laptops. These include over 400 from the Anti-Terrorism Assistance Program, some containing security material.

Nita M. Lowey, a representative on the House Appropriations subcommittee that oversees State Department operations, told Congressional Quarterly that she is “concerned” about the security revelations.

Sigh.


Security Pessimists
http://blog.securitymonks.com/2008/05/05/security-pessimists/
Mon, 05 May 2008 23:45:09 +0000, abbot

“A pessimist is one who feels bad when he feels good for fear he’ll feel worse when he feels better.” — Anonymous

Today, I wanted to take a break from the technical postings I have been doing lately and discuss a splintering that occurs within organizations and can result in operational road blocks. As different groups are introduced, a counterproductive “us” versus “them” attitude may develop. The problems arise when each group ends up seeing all of the organization’s problems as the fault of the other groups. For example, at some point we have all encountered those security folks who seem to do nothing but use their position to be obstacles. “No” is their favorite word, and possibly the only word they know. At this point, many developers are probably nodding their heads. Well, folks have also experienced that group of developers who resist working with security with all their ability, claiming that security just hampers development. Does this sound familiar within your organization?

While security may at times cause problems in deploying a service, one has to ask whether that is always a bad thing. On Thursday the Guardian reported that the Italian government had just published every citizen’s declared taxable income on the Internet. Why would they do this? The finance ministry claimed it was part of a crackdown on tax evasion. The tax minister, Vincenzo Visco, was quoted in Italy’s Corriere della Sera saying: “It’s all about transparency and democracy. I don’t see the problem.” So, what is the problem? First, the government did not have consent to make the information public. Second, it was one of the last acts of Prodi’s centre-left government before it leaves office this week. People have agendas that may not be in the best interest of the organization, or in this case the country. Could the act have been motivated by spite? ADOC, the Italian consumer group, disagrees with Vincenzo Visco, claiming “It’s a clear violation of privacy law.” They go on to point out, “The forms for the tax return do not contain a warning about the publication of data or a specific clause authorising publication, which is a further violation of the same law.” Just because something can be done technologically, does that mean it should be done? Security professionals sometimes need to step up and say, “heck no!” If they are unwilling or unable to make their voices heard, they have failed the organization.

Security can serve many purposes. It can be a time saver, helping to avoid major delays while keeping services running. The United Press ran a story on Saturday titled, “Students accused of hacking into grades.” Key points:

  • Four Texas high school students are accused of hacking into school district computers to change the marks of at least 60 pupils, school authorities said.
  • The Fort Bend Independent School District has suffered a monetary loss of at least $190,000 because of the incident, which makes it a potential felony, investigators said.
  • Court documents reportedly do not give details explaining how investigators calculated the losses.

One is left questioning where the $190,000 loss would come from. Good security procedures include backup procedures, along with other steps that may have prevented the changing of the grades. Maybe the Fort Bend Independent School District should take a look at the ISO 27001 security site, which promotes the ISO/IEC 27000 family of information security standards. What might be really helpful is the site’s checklist for implementing the ISO/IEC standards. Implementing a backup and recovery procedure is on the checklist. The school district would find the site a very good starting point. Following good security practices could, at the very least, have made recovery easier and thus less expensive.

If, upon hearing “standards and procedures,” you started wondering about time overruns, I would point out that in many instances time is saved in the long run. We have all heard people say that it is sometimes faster to do things oneself than to tell someone else how to do them. The same principle applies. Lao Tzu summed it up well when he wrote the famous lines, “Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime.” One of the greatest lessons a person can learn is that we all have limits. It is part of the human condition. Once you have reached your limit, you have to reach out to the community to come together and work towards a common goal. The Amish have a tradition known as barn raising, where the community comes together to assemble a barn for a newlywed couple or to replace a barn destroyed by wind or fire. In one to two days the community is able to construct what an individual could not hope to build alone without great effort and time.

IT Conversations posted a talk given by Anthony Ravitz, Project Coordinator, Real Estate & Workplace Services, Google, Inc., titled “Google’s Solar Photovoltaic System.” It was very interesting to hear about all the innovative thinking that goes on at Google. What I really found fascinating came during the question and answer phase. Anthony was asked about Google’s telecommuting policy. He answered that Google does not have a telecommuting policy. Google feels that it is essential that its employees are able to come together and exchange ideas. This is currently done by the old-fashioned method of coming into work and talking to your coworkers. This amazed me to hear, but the justification was not surprising. Michael Santarcangelo, founder and Chief Security Catalyst, did a podcast titled “Why Virtual Teams Fail (and how to avoid it)” which explored why virtual teams fail, based on research from a group of graduate students at Johns Hopkins Carey School of Business. To quote from the podcast, virtual teams were threatened by:

  • Concerns regarding the ability to protect sensitive information
  • Lack of a single platform that provides all the tools necessary to optimize
  • The struggles of virtual communication
  • Poorly or under-trained users
  • The challenge of building trust without the use of face-to-face communication

While a whole posting, or podcast, could be devoted to each of these challenges, the bottom line is that they end up impacting workers’ ability to come together as a team. Eliezer Yudkowsky posted “The Robbers Cave Experiment,” in which he discussed the book “Intergroup Conflict and Cooperation: The Robbers Cave Experiment” by Sherif, Harvey, White, Hood, and Sherif (1954/1961). It is a fascinating study involving 22 boys between 5th and 6th grade, selected from 22 different schools in Oklahoma City. The boys came from stable middle-class Protestant families, and they were doing well in school, with a median IQ of 112. The boys were as well-adjusted and as similar to each other as the researchers could manage. The purpose of the study was to investigate the causes, and possible remedies, of intergroup conflict. The 22 boys were divided into two groups of 11 campers. To quote Eliezer:

In Stage 1, each group of campers would settle in, unaware of the other group’s existence. Toward the end of Stage 1, the groups would gradually be made aware of each other. In Stage 2, a set of contests and prize competitions would set the two groups at odds.

They needn’t have bothered with Stage 2. There was hostility almost from the moment each group became aware of the other group’s existence: They were using our campground, our baseball diamond. On their first meeting, the two groups began hurling insults. They named themselves the Rattlers and the Eagles (they hadn’t needed names when they were the only group on the campground).

Eliezer goes on to report:

Each group developed a negative stereotype of Them and a contrasting positive stereotype of Us. The Rattlers swore heavily. The Eagles, after winning one game, concluded that the Eagles had won because of their prayers and the Rattlers had lost because they used cuss-words all the time. The Eagles decided to stop using cuss-words themselves. They also concluded that since the Rattlers swore all the time, it would be wiser not to talk to them. The Eagles developed an image of themselves as proper-and-moral; the Rattlers developed an image of themselves as rough-and-tough.

I have sometimes wondered if managers and top level executives might be carrying out their own version of this experiment. Security professionals need to work together with everyone within an organization. As in the Robbers Cave Experiment, groups within an organization can choose to view others with suspicion, and blame all their problems on Them. In so doing, they reinforce their own mistaken opinions to the detriment of the organization.

One can see this reinforcement occurring, for example, when one encounters security folks who act like road blocks. Those employees will find people going around them in order to implement services. Those services will not be implemented in a secure manner. When those services get compromised, the security folks may point to how developers are cowboys and conclude that developers are the biggest security risk to an organization. Developers might leave security folks out of the planning and development phases, only bringing them in at the tail end, the day before the service is to go into production. Security will likely find so many problems that they will cry out, “You can’t put that into production!” The developers will sigh and say, “You see, another case of how security drags us down.” Policy people may leave everyone out when writing policy, resulting in them operating in their own separate world where the rest of the organization ignores policy. When an incident occurs, policy folks will say, “Not our fault. We wrote the policy but no one followed it.” Technical folks will say, “Not our fault. We were not aware of that policy. Even if we were aware, the policies were bureaucratic obstacles we had to bypass to get our job done. Besides, there is no way to implement the policies without a huge budget increase.” The finance folks will say, “There is no way the business can afford putting all that money into IT. We need more controls, metrics, etc. so we can see a return on investment.” Round and round it goes.

Segmentation and division seem almost built into an organization. As groups divide, drawing a distinction between “us” and “them,” there is another interesting aspect at play. People bring to life their own impression of the world.