<?xml version="1.0"?>
<!-- RSS generated by Radio UserLand v8.0.7 on Tue, 16 Apr 2002 17:52:40 GMT -->
<rss version="0.92">
	<channel>
		<title>Financial Applications Security Weblog</title>
		<link>http://radio.weblogs.com/0103213/</link>
		<description>Secure Applications for Open Markets</description>
		<copyright>Copyright 2002 Pelle Braendgaard</copyright>
		<lastBuildDate>Tue, 16 Apr 2002 17:52:40 GMT</lastBuildDate>
		<docs>http://backend.userland.com/rss092</docs>
		<managingEditor>pelle@neubia.com</managingEditor>
		<webMaster>pelle@neubia.com</webMaster>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://www.computerworld.com/itresources/rcstory/0,4167,STO70112_KEY73,00.html&quot;&gt;Experts: Insider threat may be harder to detect&lt;/A&gt;&lt;/H4&gt;
&lt;P&gt;This article from &lt;A href=&quot;http://www.computerworld.com&quot;&gt;Computer World&lt;/A&gt; is quite interesting, if initially slightly confusing. The headline seems to mirror the content, but it seems to be challenged by the summary:&lt;/P&gt;
&lt;BLOCKQUOTE dir=ltr style=&quot;MARGIN-RIGHT: 0px&quot;&gt;
&lt;P&gt;&lt;EM&gt;Recent findings that insiders constitute the primary threat to enterprise security are being challenged by experts who insist the greater threat to security remains external.&lt;/EM&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;The article cites the &lt;A href=&quot;http://radio.weblogs.com/0103213/2002/04/10.html#a34&quot;&gt;CSI study&lt;/A&gt; and quotes NASA and US Dept. of Labor CIOs as saying that their main threats are external. However, as a few security experts later in the article state, the problem is probably that the internal threat isn&apos;t detected.&lt;/P&gt;
&lt;BLOCKQUOTE dir=ltr style=&quot;MARGIN-RIGHT: 0px&quot;&gt;
&lt;P&gt;&lt;EM&gt;&quot;I don&apos;t believe that many corporations know that the majority of attacks occur behind the firewall,&quot; said Mike Hager, vice president of network security and disaster recovery at OppenheimerFunds Distributor Inc. in New York. &quot;And most still believe the firewall will stop them.&quot; &lt;/EM&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;I think this rings particularly true with financial companies. There might not be many such incidents yet, but when they happen they happen big and hurt a lot more than an external attack through the firewall.&lt;/P&gt;
&lt;P&gt;In addition I think we will start seeing much smarter hacker groups around, who will build up much greater inside knowledge of financial institutions. Just look at the hacker groups of the &apos;80s, who often had greater knowledge of the phone companies&apos; internal computer systems than most people within.&lt;/P&gt;</description>
			<category>Investment Banking Technology</category>
			</item>
		<item>
			<description>&lt;H4 class=headerxlarge&gt;&lt;A href=&quot;http://www.eweek.com/article/0,3658,s=1884&amp;amp;a=25494,00.asp&quot;&gt;Contracts Getting Tough on Security&lt;/A&gt;&lt;/H4&gt;
&lt;BLOCKQUOTE dir=ltr style=&quot;MARGIN-RIGHT: 0px&quot;&gt;
&lt;P&gt;&lt;EM&gt;Enterprise IT managers and CIOs, growing impatient with security vulnerabilities, are fighting back with language in contracts that holds software companies liable for breaches and attacks that exploit their products. ...&lt;/EM&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;BLOCKQUOTE dir=ltr style=&quot;MARGIN-RIGHT: 0px&quot;&gt;
&lt;P&gt;&lt;EM&gt;... For example, a Fortune 50 company recently wrote a clause into a contract with a major software company that holds the vendor responsible for any security breach connected to its software, according to sources familiar with the deal. [&lt;A href=&quot;http://www.eweek.com&quot;&gt;eWeek&lt;/A&gt;]&lt;/EM&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;This is definitely a trend we will see continue, not just for commercial software but also in internal and external agreements for software development or service provision.&lt;/P&gt;
&lt;P&gt;For service providers, I would imagine that this would become addenda to their existing Quality of Service agreements. Some of these current agreements might already be good enough as they are to cover such events. But of course as the service providers get hit by more and more of these issues, they will naturally want to pass the buck onto the software providers.&lt;/P&gt;</description>
			<category>Investment Banking Technology</category>
			</item>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://www.nytimes.com/2002/04/11/technology/11NET.html&quot;&gt;MS to drop Hailstorm&lt;/A&gt;&lt;/H4&gt;
&lt;P&gt;Microsoft is slowly killing off Hailstorm, according to an article by John Markoff of the New York Times. He claims that MS has been slowly divesting their My Services (formerly Hailstorm) consumer Web Services platform over the past few months, with a goal of eventually releasing &quot;My Services&quot; as a package for corporations to use.&lt;/P&gt;
&lt;P&gt;I don&apos;t know how this will affect Passport yet, but I can&apos;t imagine them halting that service for the time being, regardless of its problems. I wonder if the &lt;A href=&quot;http://radio.weblogs.com/0103213/2002/03/20.html#a5&quot;&gt;Citibank announcement&lt;/A&gt; last month will be affected by it, as they were to be the preferred financial services provider for My Services.&lt;/P&gt;</description>
			<category>Identification</category>
			<category>Retail Banking</category>
			<category>Web Services</category>
			</item>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://msdn.microsoft.com/ws-security/&quot;&gt;IBM, MS and Verisign announce new Web Service Security Architecture&lt;/A&gt;&lt;/H4&gt;
&lt;P&gt;I haven&apos;t had time to read the full whitepaper yet. This whitepaper describes their new &lt;A href=&quot;http://www-106.ibm.com/developerworks/library/ws-secure/&quot;&gt;WS-Security&lt;/A&gt; proposal.&lt;/P&gt;
&lt;BLOCKQUOTE dir=ltr style=&quot;MARGIN-RIGHT: 0px&quot;&gt;
&lt;P&gt;&lt;EM&gt;This document describes a proposed strategy for addressing security within a Web service environment. It defines a comprehensive Web service security model that supports, integrates and unifies several popular security models, mechanisms, and technologies (including both symmetric and public key technologies) in a way that enables a variety of systems to securely interoperate in a platform- and language-neutral manner. It also describes a set of specifications and scenarios that show how these specifications might be used together.&lt;/EM&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P dir=ltr&gt;I&apos;ll have a quick read and come back with any comments.&lt;/P&gt;</description>
			<category>Identification</category>
			<category>Web Services</category>
			<category>XML</category>
			</item>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://www.microsoft.com/technet/security/bulletin/ms02-018.asp&quot;&gt;New IIS Patches from Microsoft&lt;/A&gt;&lt;/H4&gt;
&lt;P&gt;Microsoft yesterday released a new set of patches for IIS. The patch and the security holes it fixes are described &lt;A href=&quot;http://www.microsoft.com/technet/security/bulletin/ms02-018.asp&quot;&gt;here&lt;/A&gt;. While you&apos;re at it you might want to run the &lt;A href=&quot;http://www.microsoft.com/technet/security/tools/tools/locktool.asp&quot;&gt;IIS Lockdown tool&lt;/A&gt;, which checks for common (read: default) insecure configurations. I do hope they make this part of the standard setup procedure in future versions.&lt;/P&gt;</description>
			<source url="http://www.securityfocus.com/topnews?type=rss">SecurityFocus</source>
			<category>Advisories</category>
			<category>Web Servers</category>
			</item>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://radio.weblogs.com/0100887/2002/04/09.html#a184&quot;&gt;SOAP security and external underwear&lt;/A&gt;. &lt;/H4&gt;
&lt;P&gt;&lt;FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2&gt;Jon Udell discusses the &lt;A href=&quot;http://www.w3.org/TR/SOAP/#_Toc478383528&quot;&gt;SOAPAction header&lt;/A&gt; and its uses for filtering SOAP requests through a firewall. The concept of the header is that the client making the SOAP request places a SOAPAction header in the HTTP request describing what it is they are going to be doing, for example which method they will be invoking. When I first read this a few years back it did send question marks buzzing up through my head, as you can&apos;t really rely on an external description of what is going to happen. Jon puts it well with his analogy of external underwear:&lt;/FONT&gt;&lt;/P&gt;
&lt;BLOCKQUOTE dir=ltr style=&quot;MARGIN-RIGHT: 0px&quot;&gt;
&lt;P&gt;&lt;FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2&gt;&lt;EM&gt;Did the notion advanced in DevelopMentor&apos;s FAQ -- that SOAP packets would declare intent by publishing interface and method names in the HTTP header -- make sense? At the time it seemed reasonable to me. But now, I wonder if a SOAPaction policy isn&apos;t rather like the scene in &lt;/EM&gt;&lt;/FONT&gt;&lt;A href=&quot;http://us.imdb.com/Title?0066808&quot;&gt;&lt;FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2&gt;&lt;EM&gt;Bananas&lt;/EM&gt;&lt;/FONT&gt;&lt;/A&gt;&lt;EM&gt;&lt;FONT face=Verdana,Geneva,Arial,Helvetica,Sans-Serif size=2&gt; where the newly-installed dictator declares that &quot;everybody must wear their underwear on the outside, so we can check.&quot; The interfaces that a company chooses to expose to the world are, in the end, a policy that will or won&apos;t be enforced, regardless of the SOAP toolkits in use or the translations performed in a request pipeline. Enforcement will always require more than checking for underwear on the outside. &lt;/FONT&gt;[&lt;/EM&gt;&lt;A href=&quot;http://radio.weblogs.com/0100887/&quot;&gt;&lt;EM&gt;Jon&apos;s Radio&lt;/EM&gt;&lt;/A&gt;&lt;EM&gt;]&lt;/EM&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;Those of us who were writing Perl CGI apps way back in the early days of the Web learnt that you can&apos;t rely on the format of a request. You really do need to verify all data before you make any assumptions about it, so an HTTP SOAPAction header specifying a stock ticker lookup interface can just as easily have a stock trading message within.&lt;/P&gt;
&lt;P&gt;All of this discussion though assumes that you have only a single SOAP gateway/router on your web server. This strikes me as a bit naive from a security standpoint. I think that only interfaces with the EXACT same security properties should be exposed in the same router. This way you can use the underlying web server&apos;s security as well as external firewalls to provide access control and authentication. Let&apos;s not reinvent the wheel here.&lt;/P&gt;</description>
			<source url="http://radio.weblogs.com/0100887/rss.xml">Jon&apos;s Radio</source>
			<category>Middle Tier Technlogies</category>
			<category>Web Servers</category>
			<category>Web Services</category>
			<category>XML</category>
			</item>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://zdnet.com.com/2100-1107-879619.html&quot;&gt;A quick intro to Buffer Overflows Attacks&lt;/A&gt;&lt;/H4&gt;
&lt;P&gt;Robert Vamosi over at &lt;A href=&quot;http://zdnet.com&quot;&gt;ZDNet&lt;/A&gt; provides a great little, not too technical, introduction to buffer overflow attacks. You might use this to explain buffer overflow attacks to non-technical personnel.&lt;/P&gt;</description>
			<source url="http://www.securityfocus.com/topnews?type=rss">SecurityFocus</source>
			<category>Advisories</category>
			</item>
		<item>
			<description>&lt;H4&gt;Issues with CSI Cybercrime Survey &lt;/H4&gt;
&lt;P&gt;Jiri (?) from the brand new &lt;A href=&quot;http://radio.weblogs.com/0100367/&quot;&gt;Security Weblog&lt;/A&gt; commented on my issues with the CSI survey and pointed out two great papers by Mich Kabay about the inherent flaws in computer security studies.&lt;/P&gt;
&lt;BLOCKQUOTE dir=ltr style=&quot;MARGIN-RIGHT: 0px&quot;&gt;
&lt;P&gt;&lt;EM&gt;Agree. There is an old saying that goes something like: statistics is just a scientific way of fooling people. Pelle points out that the interpretation of the CSI survey is dubious. What&apos;s more, the sampling on which the survey was based is funny as well. The survey is responded to by security professionals from large organisations. This inevitably affects the results (that are then interpreted in the way outlined by Pelle). And BTW, there are two &lt;/EM&gt;&lt;A href=&quot;http://www2.norwich.edu/mkabay/methodology/crime_studies.htm&quot;&gt;&lt;EM&gt;relevant&lt;/EM&gt;&lt;/A&gt;&lt;EM&gt; &lt;/EM&gt;&lt;A href=&quot;http://www2.norwich.edu/mkabay/methodology/crime_stats_methods.htm&quot;&gt;&lt;EM&gt;papers&lt;/EM&gt;&lt;/A&gt;&lt;EM&gt; on cyber crime surveys from Mich Kabay, who happens to be a security professional and at the same time holds a PhD in statistics.&lt;/EM&gt; [&lt;A href=&quot;http://radio.weblogs.com/0100367/&quot;&gt;Security weblog&lt;/A&gt;]&lt;/P&gt;&lt;/BLOCKQUOTE&gt;</description>
			<source url="http://radio.weblogs.com/0100367/rss.xml">Security weblog</source>
			</item>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://weblog.digital-identity.info/archives/000066.html&quot;&gt;Open for Business (Identity management &amp;amp; open networks)&lt;/A&gt;. &lt;/H4&gt;
&lt;P&gt;Nikolaj at Digital Identity mentions &lt;A href=&quot;http://www.hyperion.co.uk&quot;&gt;Consult Hyperion&lt;/A&gt;&apos;s &lt;A href=&quot;http://www.hyperion.co.uk/PubWebFiles/openforbusiness.pdf&quot;&gt;whitepaper on identity management&lt;/A&gt;. Big points to him for also posting a link in the same article to Carl Ellison and Bruce Schneier&apos;s classic: &lt;A href=&quot;http://www.counterpane.com/pki-risks-ft.txt&quot;&gt;What You&apos;re not Being Told about Public Key Infrastructure&lt;/A&gt;. Nice one.&lt;/P&gt;[&lt;A href=&quot;http://weblog.digital-identity.info/&quot;&gt;Digital Identity&lt;/A&gt;]</description>
			<source url="http://weblog.digital-identity.info/index.xml">Digital Identity</source>
			<category>Identification</category>
			<category>Investment Banking Technology</category>
			<category>Middle Tier Technlogies</category>
			</item>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://www.gocsi.com/press/20020407.html&quot;&gt;Cyber crime bleeds U.S. corporations, survey shows&lt;/A&gt;&lt;/H4&gt;
&lt;P&gt;Many sources have commented on the latest &lt;A href=&quot;http://www.gocsi.com&quot;&gt;Computer Security Institute&lt;/A&gt; (CSI) &lt;A href=&quot;http://www.gocsi.com/press/20020407.html&quot;&gt;survey&lt;/A&gt;, which was done in cooperation with the FBI. These surveys are quite interesting, but I question the methodology used by the various respondents to the survey to get their answers.&lt;/P&gt;
&lt;P&gt;For example, the survey counts non-work-related web surfing as a cyber crime. It specifies that in the past year the average cost per respondent has gone from $357,160 to $536,000 a year. The survey claims the two main issues here are productivity and liability. While I can definitely see liability as being a potential issue, I&apos;m quite unsure of the methods they use to quantify their loss of productivity. How about the increase in productivity of employees who are happy because their employer doesn&apos;t choose to treat them like children?&lt;/P&gt;
&lt;P&gt;Another area that might raise a few eyebrows is the losses based on theft of proprietary information. The report says that respondents reported a total loss of $170,827,000 last year, yet only 20% of respondents reported such infractions. Granted these can be serious issues; however, the tech industry has a history of overreporting the value of such crimes. Just remember the Kevin Mitnick case, where companies such as Sun, Nokia etc. made &lt;A href=&quot;http://www.kevinmitnick.com/letters.html&quot;&gt;outrageous claims&lt;/A&gt; on losses caused by him.&lt;/P&gt;
&lt;P&gt;Much more serious in my view is financial fraud. The survey states that 12% of respondents had a loss on average of $957,384. Most of this, from what I can ascertain, is basically traditional credit card fraud. However, I do believe we will see a growth over the next year or two in losses based on investment banking systems. Just imagine how much money could be made if someone managed to create large false trades or spread disinformation on trade/news feeds. Not covered under financial fraud but equally an issue would be the cost of DoS attacks targeted at real-time trade feeds.&lt;/P&gt;</description>
			<source url="http://www.securityfocus.com/topnews?type=rss">SecurityFocus</source>
			<category>Investment Banking Technology</category>
			<category>Retail Banking</category>
			</item>
		<item>
			<description>&lt;H4&gt;Quick 5 minute intro to JCE for Developers&lt;/H4&gt;
&lt;P&gt;All enterprise Java developers should have at least a passing knowledge of JCE. If you&apos;ve never tried it before, try this quick little intro to sample it: &lt;A href=&quot;http://builder.com.com/article.jhtml?id=u00220020408gcn01.htm&amp;amp;page=1&amp;amp;vf=tt&quot;&gt;Master the basics of Java Cryptography Extension (JCE)&lt;/A&gt;. [&lt;A href=&quot;http://builder.com&quot;&gt;builder.com&lt;/A&gt;]&lt;/P&gt;</description>
			<source url="http://p.moreover.com/cgi-local/page?index_computersecurity+rss">Moreover - moreover...</source>
			<category>Middle Tier Technlogies</category>
			</item>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://weblog.digital-identity.info/archives/000064.html&quot;&gt;DigitalIdWorld, an industry &apos;portal&apos;&lt;/A&gt;.&lt;/H4&gt;
&lt;P&gt;&lt;I&gt;Phil Becker has started &lt;A href=&quot;http://www.digitalidworld.com&quot;&gt;DigitalIdWorld&lt;/A&gt;, &lt;I&gt;&quot;the hub of the digital identity industry&quot;&lt;/I&gt;, in the model of &lt;A href=&quot;http://www.google.com/search?q=cache:mEBAkA9tqikC:www.ispcon.com/+ISPCON&amp;amp;hl=en&quot;&gt;ISPCON&lt;/A&gt;, the independent ISP industry resource he founded in 1992.&lt;BR&gt;&lt;A href=&quot;http://www.digitalidworld.com/modules.php?op=modload&amp;amp;name=News&amp;amp;file=article&amp;amp;sid=26&amp;amp;mode=flat&amp;amp;order=0&quot;&gt;Several&lt;/A&gt; &lt;A href=&quot;http://www.digitalidworld.com/modules.php?op=modload&amp;amp;name=News&amp;amp;file=article&amp;amp;sid=15&amp;amp;mode=flat&amp;amp;order=0&quot;&gt;interesting&lt;/A&gt; &lt;A href=&quot;http://www.digitalidworld.com/modules.php?op=modload&amp;amp;name=Search&amp;amp;file=index&amp;amp;action=search&amp;amp;overview=1&amp;amp;active_stories=1&amp;amp;stories_topics[0]=&amp;amp;stories_cat[0]=&quot;&gt;articles&lt;/A&gt; have already started appearing, and rumours are of an industry conference in the fall. Bahamas, anyone? ;)&lt;/I&gt; [&lt;A href=&quot;http://weblog.digital-identity.info/&quot;&gt;Digital Identity&lt;/A&gt;]&lt;/P&gt;</description>
			<source url="http://weblog.digital-identity.info/index.xml">Digital Identity</source>
			<category>Identification</category>
			<category>Web Services</category>
			</item>
		<item>
			<description>&lt;H4&gt;While we&apos;re on the subject of MS holes...&lt;/H4&gt;
&lt;P&gt;&lt;FONT size=2&gt;I&apos;m not going to be covering these IE holes regularly, as they are already heavily published elsewhere and MS are doing a pretty good job nowadays at getting them out to users. But a couple of &lt;A href=&quot;http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-015.asp&quot;&gt;new problems&lt;/A&gt; are now covered by their latest &lt;A href=&quot;http://www.microsoft.com/windows/ie/downloads/critical/Q319182/default.asp&quot;&gt;IE Cumulative Patch&lt;/A&gt;. If you are using IE5 or later on your machine, or as part of the standard Windows build in your company, you probably should install the patch.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT size=2&gt;I&apos;m not blaming MS for these holes; as I&apos;ve said, they&apos;ve started to do a pretty good job. They did have some stupid ones in the past, but we can work with them now. In a complex piece of software like IE6, which consists of many different subcomponents, it&apos;s hard to find all of the problems up front.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT size=2&gt;That said, these problems, together with last year&apos;s email panics, should help to underline why we need to protect our systems more than ever. The default approach I see in many places is that companies panic and shut down net traffic altogether. That&apos;s not good for the business, the employees or the customers of the company. We are all part of the net now, and we should embrace that fact as an opportunity rather than a threat. What that does call for though is well thought out business applications and procedures.&lt;/FONT&gt;&lt;/P&gt;
</description>
			<category>Advisories</category>
			</item>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://online.securityfocus.com/cgi-bin/archive.pl?id=1&amp;amp;start=2002-03-29&amp;amp;end=2002-04-04&amp;amp;threads=1&amp;amp;tid=264927&quot;&gt;Local Security Vulnerability in Windows NT and Windows 2000&lt;/A&gt;&lt;/H4&gt;
&lt;BLOCKQUOTE dir=ltr style=&quot;MARGIN-RIGHT: 0px&quot;&gt;
&lt;P&gt;&lt;EM&gt;DebPloit uses a hole in the NT/2000 debugging subsystem and allows ANY user&lt;BR&gt;with ANY privileges (even Guest and Restricted user) to execute processes in&lt;BR&gt;the security context of an administrator or a local system (SYSTEM) account.&lt;BR&gt;In other words, any person who has access to the local computer can&lt;BR&gt;become an administrator and do everything he/she wants. &lt;A href=&quot;http://online.securityfocus.com/archive/1&quot;&gt;[Bugtraq]&lt;/A&gt;&lt;/EM&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P dir=ltr&gt;This could obviously be an issue anywhere NT servers are used. I&apos;ve verified it and it appears to work. The authors of the exploit have an &lt;A href=&quot;http://www.ntutility.com/freeware.html&quot;&gt;intermediate fix&lt;/A&gt; as well, until MS comes out with a bugfix. The source is available for the fix, so you might want to check it and compile it yourself. The risk of installing a third-party fix like this might be even greater than the hole itself. You call the punches.&lt;/P&gt;
</description>
			<category>Advisories</category>
			</item>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://www.forbes.com/home/2002/03/27/0327linux.html&quot;&gt;Wall Street Embraces Linux&lt;/A&gt; &lt;/H4&gt;
&lt;BLOCKQUOTE dir=ltr style=&quot;MARGIN-RIGHT: 0px&quot;&gt;
&lt;P&gt;&lt;SPAN class=mainarttxt&gt;&lt;EM&gt;Merrill (nyse: &lt;/EM&gt;&lt;A class=maintkrlink href=&quot;http://www.forbes.com/finance/mktguideapps/compinfo/CompanyTearsheet.jhtml?tkr=MER&quot;&gt;&lt;EM&gt;MER&lt;/EM&gt;&lt;/A&gt;&lt;EM&gt; - &lt;/EM&gt;&lt;A href=&quot;http://www.forbes.com/markets/company_news.jhtml?ticker=MER&quot;&gt;&lt;EM&gt;news&lt;/EM&gt;&lt;/A&gt;&lt;EM&gt; - &lt;/EM&gt;&lt;A href=&quot;http://www.forbes.com/peopletracker/results.jhtml?startRow=0&amp;amp;name=&amp;amp;ticker=MER&quot;&gt;&lt;EM&gt;people&lt;/EM&gt;&lt;/A&gt;&lt;EM&gt;) is one of many Wall Street brokerages doing a large-scale Linux deployment in an effort to cut their costs and boost revenue...&lt;/EM&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN class=mainarttxt&gt;&lt;EM&gt;&lt;SPAN class=mainarttxt&gt;... Merrill&apos;s plans, and others like it, are very significant because they are the first companywide--rather than departmental--Linux implementations. While not without risk, this lends an enormous amount of credence to the argument that Linux can be used in place of more established technologies like Unix. &lt;/SPAN&gt;&lt;/EM&gt;&lt;/SPAN&gt;[&lt;A href=&quot;http://www.forbes.com&quot;&gt;Forbes&lt;/A&gt;]&lt;/P&gt;&lt;/BLOCKQUOTE&gt;</description>
			<source url="http://slashdot.org/slashdot.rdf">Slashdot: News for nerds, stuff that matters</source>
			<category>Investment Banking Technology</category>
			</item>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://www-106.ibm.com/developerworks/xml/library/x-encrypt/index.html&quot;&gt;Exploring XML Encryption&lt;/A&gt;&lt;/H4&gt;
&lt;P&gt;&lt;A href=&quot;http://www-106.ibm.com/developerworks/&quot;&gt;IBM Developer Works&lt;/A&gt; is running a good article on &lt;A href=&quot;http://www.w3.org/TR/xml-encryption-req&quot;&gt;XML Encryption&lt;/A&gt;. Over the last year or so almost all the new feeds and systems I&apos;ve linked in with on projects have used XML for interop. XML security is going to be extremely important over the next year or two. It is particularly useful because you can encrypt and sign individual elements rather than only full messages. The signatures will of course verify the integrity of a message or element, and the element-by-element encryption is useful for allowing access only to the part of the message you need in your subsystem.&lt;/P&gt;</description>
			<source url="http://www.theregister.co.uk/tonys/slashdot.rdf">The Register</source>
			<category>Investment Banking Technology</category>
			<category>Mobile Technology</category>
			<category>Payment Systems</category>
			<category>Web Services</category>
			<category>XML</category>
			</item>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://www.internetnews.com/ent-news/article/0,,7_999111,00.html&quot;&gt;Increased Security Spending Includes Personnel&lt;/A&gt; &lt;/H4&gt;
&lt;BLOCKQUOTE dir=ltr style=&quot;MARGIN-RIGHT: 0px&quot;&gt;
&lt;P&gt;&lt;EM&gt;During the past year, Giga found that organizations appeared to appropriate larger portions of the budget for senior security managers, including chief security officers (CSOs) than before. Spurred by Sept. 11 and a heightened awareness of the need for security, the time of &quot;jungle rules&quot; for security management is at an end. &lt;/EM&gt;[&lt;A href=&quot;http://www.internetnews.com&quot;&gt;Internet News&lt;/A&gt; ]&lt;/P&gt;&lt;/BLOCKQUOTE&gt;</description>
			<source url="http://www.securityfocus.com/topnews?type=rss">Security Focus</source>
			</item>
		</channel>
	</rss>
