Category Archives: People Associated with Information Security

Say Cyber one more time…

IT Security’s love hate relationship with the word Cyber

I attended DefCon 22 and as usual it was great! However, the word Cyber brewed controversy and passionate debates. One presentation by Keren Elazari thoroughly summarized the word’s roots and explained its essence. Others carried flasks embracing liquid alcohol yumminess upon the mere mention of the word.


I personally say it’s here as long as it’s used correctly but not too frequently. Do you hate the word? Have you played the Cyber drinking game? Or do you embrace it like a warm Snuggie?

DefCon 22 participant custom made T-shirt

Hospital patient insecurity due to lacking patches or decent passwords

This time only 493,000 patients lost their privacy, systems left wide open for years.

According to Bonnie of the Nederlands Genootschap van Hackende Huisvrouwen (Netherlands Society of Hacking Housewives), as reported to the journalist Brenno de Winter (@brenno), Groene Hart Ziekenhuis (Green Heart Hospital) in Gouda, the Netherlands, had left weakly configured servers holding confidential patient data for almost half a million people accessible from the internet. These sensitive systems had been left in an insecure state for several years. This is nothing new in the Netherlands; the same group reported a similar data leak involving over 800,000 Dutch citizens and residents at another facility in July 2012.

Information which was exposed:

  • Patient Name
  • Date of Birth
  • Address
  • Tax ID number (BSN, comparable to a US Social Security number)
  • Telephone number
  • Patient number
  • Insurance number
  • Diagnosis
  • Medication
  • Lab results
  • X-rays and similar medical imaging
  • Treatment plans

Why was the information accessible?

  1. Unpatched and outdated versions of Microsoft, Adobe Flash and VMware software. CSIS Denmark recently released a report highlighting that 99.8% of malware or virus infections could be mitigated by patching these applications along with Adobe Reader and Java.
  2. The password for the administrator account was ‘groen2000’. The password is both easily guessable and, at an estimated 40-bit strength, extremely weak; John the Ripper on a beefed-up system could crack it in seconds. I wonder if 2000 was the last year the systems were patched?
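To make the weakness concrete, here is an added example (not from the original post or the hospital's systems) that checks an administrator password both by its naive brute-force search space and for the "dictionary word + year" pattern of ‘groen2000’; the word list, the 60-bit minimum and the 200-year window are constructed assumptions for illustration.

```python
import math
import re

# Constructed mini word list standing in for a real cracking dictionary
# (hypothetical; a real John the Ripper word list is far larger).
WORDLIST = {"groen", "hospital", "password", "welkom", "admin", "gouda"}
YEAR_WINDOW = 200  # assumed number of plausible years an attacker would try


def charset_size(pw: str) -> int:
    """Size of the smallest alphabet that covers every character in pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33
    return size


def naive_bits(pw: str) -> float:
    """Brute-force search space in bits, ignoring any structure in pw."""
    return len(pw) * math.log2(charset_size(pw))


def word_plus_year(pw: str):
    """Return (word, year) if pw is a dictionary word followed by a year."""
    m = re.fullmatch(r"([A-Za-z]+)(19\d\d|20\d\d)", pw)
    if m and m.group(1).lower() in WORDLIST:
        return m.group(1), m.group(2)
    return None


def effective_bits(pw: str) -> float:
    """Bits after accounting for structure: word list size times the
    year window is a tiny search space compared with the naive estimate."""
    if word_plus_year(pw):
        return math.log2(len(WORDLIST) * YEAR_WINDOW)
    return naive_bits(pw)


def check_password(pw: str, min_bits: float = 60.0) -> dict:
    """Policy check: reject anything whose effective strength is below min_bits."""
    pattern = word_plus_year(pw)
    eff = effective_bits(pw)
    return {
        "password": pw,
        "naive_bits": round(naive_bits(pw), 1),
        "effective_bits": round(eff, 1),
        "pattern": "word+year" if pattern else None,
        "acceptable": eff >= min_bits,
    }
```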

Why are medical facilities, hospitals, insurance companies and doctor offices seemingly so lacking in security and unsympathetic towards patient privacy?

  • Shockingly, the maximum fine in the Netherlands for data breaches is only 4,500 euro. In some cases this is cheaper than implementing anti-virus or buying a decent firewall. My previous Dutch GP once told me without flinching, “Our systems are secure because we use MacOS, no anti-virus is needed.” If the punishment is cheaper, way cheaper, than remediation, I would take a fine any day.
  • DRA, the agency tasked with ensuring data privacy and investigating breaches, is staffed with about 80 personnel including all support staff, whilst the Dutch Animal Police has over 500 officers.

Link to original story:

http://www.nu.nl/binnenland/2927832/groene-hart-ziekenhuis-lekt-medische-dossiers.html

More proof that patching, keeping systems on supported versions, and strong, secured passwords are a basic requirement for you and all organizations. Lastly, dank u wel/thank you very much to Bonnie and the Nederlands Genootschap van Hackende Huisvrouwen; it is good to know we have highly technical, expert hacker housewives willing to take a risk and help protect our privacy when governments fail to do so.


Security B-Sides Las Vegas 2012 – Big Data’s 4th V (or why we’ll never find the Loch Ness Monster)

What is big data?

Big data has multiple definitions beyond the buzzword. For the purposes of this talk it means large data sets. More sources are creating more output: phones, smartphones, the web, SMS and so on. For example, real people can be identified from their online movie reviews, because reviews of obscure titles are statistically rare and can easily be traced back to an individual.


What is vulnerable?

Data harvesting tools, data overload, and sharing too much private data instead of releasing summaries or ranges that make identification harder.

Mr. Ottenheimer’s example: a request for information on 13-year-olds who drink Pepsi. What data would you give to marketing if you wanted to retain privacy?
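One answer to that question, as an added example that is not part of the talk or the original post: generalize the quasi-identifiers (exact age and full postcode) into ranges, suppress any group smaller than k, and hand marketing only aggregate counts. The records, the k of 3 and the generalization widths are constructed assumptions.

```python
from collections import Counter

# Constructed sample survey records (hypothetical, not data from the talk).
RECORDS = [
    {"name": "A", "age": 13, "postcode": "2801AB", "drink": "Pepsi"},
    {"name": "B", "age": 13, "postcode": "2801CD", "drink": "Cola X"},
    {"name": "C", "age": 14, "postcode": "2802EF", "drink": "Pepsi"},
    {"name": "D", "age": 12, "postcode": "2803GH", "drink": "Pepsi"},
    {"name": "E", "age": 15, "postcode": "2804JK", "drink": "Water"},
    {"name": "F", "age": 17, "postcode": "2805LM", "drink": "Pepsi"},
    {"name": "G", "age": 16, "postcode": "2806NP", "drink": "Pepsi"},
    {"name": "H", "age": 13, "postcode": "2807QR", "drink": "Pepsi"},
]

# Quasi-identifiers: individually harmless, combined they re-identify people.
QUASI = ("age", "postcode")


def generalize(rec, age_width=5, postcode_digits=2):
    """Replace exact age with a range and truncate the postcode; drop the name."""
    lo = rec["age"] - rec["age"] % age_width
    kept = rec["postcode"][:postcode_digits]
    return {
        "age": f"{lo}-{lo + age_width - 1}",
        "postcode": kept + "*" * (len(rec["postcode"]) - len(kept)),
        "drink": rec["drink"],
    }


def k_of(records, quasi=QUASI):
    """Smallest group size sharing the same quasi-identifier values (the k in k-anonymity)."""
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(counts.values()) if counts else 0


def release(records, k=3, age_width=5, postcode_digits=2):
    """Generalize, then suppress every record whose group is smaller than k."""
    gen = [generalize(r, age_width, postcode_digits) for r in records]
    counts = Counter(tuple(r[q] for q in QUASI) for r in gen)
    return [r for r in gen if counts[tuple(r[q] for q in QUASI)] >= k]


def summarize(released, drink):
    """What marketing actually gets: a count per age range, never a row per person."""
    return dict(Counter(r["age"] for r in released if r["drink"] == drink))
```

Raising `postcode_digits` to 4 keeps finer geography but leaves every group below k, so the release is empty: the trade-off between utility and privacy is explicit rather than accidental.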


What now?

Protection of confidentiality, integrity of the data and availability.


The discussion was built on hard-learned experiences dealing with large data sets. Mr. Ottenheimer is the author of two books, one of which is “Securing the Virtual Environment: How to Defend the Enterprise from Attack”, and he previously presented at B-Sides with A Cloud Odyssey and Dr. Stuxlove.

If you’d like to see more, please watch the entire video or check out his blog.

Presentation Video

Davi Ottenheimer’s blog

Security B-Sides Las Vegas 2012 – Keynote: The State of Security B-Sides

Security B-Sides is a community-driven effort a little over 3 years old. In that time it has grown to 5 continents, 9 countries and 34 events. Jack Daniel gave a brief overview of the history and of past and present challenges in an extremely transparent manner. The organizers of Security B-Sides around the world are passionate about growing participation in the security community and deepening engagement in underserved areas such as Latin America, India, and the Midwest and South of the USA. So ardent are the organizers that in many cases they have devoted their own funds in addition to a significant amount of time. This has resulted in a stunningly successful program.

My personal involvement has been a brief encounter with Security B-Sides Berlin in December 2011 and volunteering for Security B-Sides this year in Las Vegas. The conferences host presentations, workshops and discussions, and allow open engagement with others in the community at no cost. Let me repeat that: no cost. The only catch is that space is limited, so you must check the wikis and reserve a spot to attend. If you are unable to get a ticket, I highly recommend volunteering to assist in this effort, as I have this week and plan to for future events. Additionally, if you wish to be a speaker and are new to presenting, many of the events have a mentor program to help you get started in sharing.

Line up for Security B-Sides Las Vegas 2012

Security B-Sides Wiki

Last HOPE #9 Keynote The Yes Men

The Million Meme March to fight online censorship and a call to boot hats! Prior to the keynote I had heard only a smattering about The Yes Men. I could kick myself for not knowing more about them in detail before. The presentation was both hilarious and highly inspiring. In the first half of the talk we were given an overview of some of their previous works: disruptive actions which brought international attention to many important issues seemingly ignored by the media. One of these issues is very close to my heart, the Bhopal Disaster of 1984 in India. This accident caused so much death and intense suffering, yet pollutants remain on-site and inadequate medical coverage for survivors continues. The Yes Men commented that they didn’t see their actions as “hacking” but as a way to protest and do something about graver injustices currently perpetrated in the world, which require media coverage to assist in remediation.

The Yes Men have a new mission, so to speak: to draw attention to and stop online censorship. The project is called The Million Meme March, headed by the Supreme Ruler Meme and rather fashionable Vermin Supreme. As he puts it, a league of memes might be required to stop governments from further SOPA/PIPA/ACTA/CETA type treaties or legislation which adds traffic stops and rumble strips to our freedom online. One suggestion: everyone make memes as a form of online viral protest against digital censorship. The Yes Men are taking suggestions now and looking for ideas from the public. Please browse some of the videos and explore. Very few of us seem to want internet censorship, yet it’s occurring worldwide on varying levels. Start exploring how to make your own memes and check out some great video and audio:

  • QuickMeme
  • MemeGenerator
  • #millionmemes Twitter hash tag (Picture from Radio Statler)
  • The Yes Men Labs
  • Link to some Vermin Supreme videos: When I am President everyone will get a pony (YouTube)
  • Link to the video of the WTO Finland spoof, “Management Leisure Suit” (YouTube)
  • Link to the BBC video of The Yes Men posing as representatives of Dow Chemical (YouTube)
  • Link to the audio (MP3)

Pleased today to live in a slightly more technologically informed country

Today the Netherlands government department of Veiligheid en Justitie / Safety and Justice is holding a meeting with several information security experts, journalists and business leaders. One of the people included is Brenno de Winter, who alerted his network of over 11 thousand followers via Twitter to the meeting, his appearance and a link to the agenda. Earlier in the week the Dutch Parliament rejected ACTA and forbade any similar legislation from being signed. It appears my new chosen home’s government is choosing to examine information technology related legislation more carefully and is willing to consult experts. The list of attendees today is impressive in comparison with the recent decision to un-invite Bruce Schneier from hearings, as requested by the USA Transportation Security Agency. It appears that Dutch legislative and judicial bodies are willing to look past assumptions of vacuum tubes and ask someone who knows how to use a computer for more than just email how the whole thing works and how it affects their constituency. Here are today’s attendees (translated):

  • Dhr. Boonstra, Professor of Information Management
  • Dhr. De Bruijn, Director ICTU
  • Dhr. Dijkstra, Chairman of the ICT Practice Group (Pels Rijcken & Droogleever Fortuijn)
  • Dhr. Heeneman, sr. Client Director Government & Defence KPN
  • Dhr. Van Holst, Senior IT-Legal Advisor at Mitopics
  • Mw. Schönfeld, Author of the book How IT Project Success and Failure: Learning from Painful Experiences
  • Dhr. Veldwijk, ICT Entrepreneur and publicist
  • Dhr. Weijman, Founder and Managing Director AET Europe
  • Dhr. Zuurmond, Kafkabrigade
  • Dhr. Broeders, Senior Research Assistant / Project Coordinator WRR
  • Dhr. Hetzscholdt, Cybercrime Specialist
  • Dhr. Kamphuis, IT-Architect & IT-Strategy Advisor
  • Dhr. Prins, Director FOX IT
  • Dhr. Verhoef, Professor Computer Science VU and Advisor IT Innovator Info Support
  • Dhr. De Winter, Investigative Journalist IT-Security and Privacy
  • Dhr. Zwenne, Professor of Law and the Information Society at the University of Leiden, Attorney

Link to Brenno de Winter’s Twitter feed for updates and other related news: @brenno

Hack In the Box Amsterdam-2012 13:30 Track 1, Day 2

Bypassing the Android Permission Model, presented by Georgia Weidman, CEO Bulb Security

I have a soft spot for Android OS exploitation discussions and tequila, so this was a sweet little piece of key lime pie from Duck Key, FL for me. Gladly it was after lunch. Georgia Weidman greeted her audience wearing an Amsterdam-altered period suit and carrying a bottle of aged yet tender and delicious tequila, enough for sharing. Beyond putting her audience at ease with quite a casual introduction, she had some serious questions regarding Android OS security. Is the permissions model in Android working for both developers and end users, and are those end users making intelligent decisions? Ms. Weidman’s answer: yes, if you’re a malware developer; the average smartphone user is at least trying. What developers declare as permissions required for installation can be vastly different from reality. Additionally, the permissions are too vague and far-reaching for users to make a more informed, intelligent decision. She kept end-user bashing to a minimum and focused on permissions that are too unclear and too encompassing for an acceptable security level on any operating system, especially one which can leak the owner’s personal information almost invisibly.

What permissions are really needed by the vast majority of Android applications? Not many. She gives the example of the Facebook application, which requires 11 permissions including creepy ones like Your accounts and Discover known accounts. Conversely, DroidDream, a known malicious application/rootkit, required only four permissions, none so creepy sounding. Why would Facebook need or want to discover your non-Facebook accounts on the phone, when the same is not required when you log into Facebook over the web?

In the first demo, simplicity in pwnage was showcased: in less than 50 lines of code, and with only limited permissions presented to the end user, the demo application read the IMEI (a cell phone’s unique ID number), read contacts and sent an SMS. Inside of a few minutes exploitation and compromise was complete.

The second of the series of demos began a dive into malicious bot waters over SMS, the presenter’s specialty. “If you write malware for Linux, Android OS [malware development] is an easy transition.” What mitigation strategies are required? No dangerous functionality directly available in public interfaces. Require user interaction for all activities such as sending and receiving SMS messages. Require the permissions tag in the XML manifest for the interface. End users must keep their operating system updated. But that means smartphone owners also need the ability to keep the OS updated in an easy manner. Too often phone manufacturers or cell phone providers delay Android OS updates, if they are provided at all. If the OS update isn’t available, the vulnerability remains and your private information becomes just another commodity on the data leakage open marketplace.

Link to the presentation PDF: Link

Links to other presentations by Georgia Weidman and her blog: http://georgiaweidman.com/wordpress/

Hack In the Box Amsterdam-2012 Keynote, Day 1

Getting Ahead of the Security Poverty Line, presented by Andy Ellis, CSO of Akamai

Andy Ellis casually approached the stage in 5-toed running shoes, a mismatched blazer and trousers, and a generally open demeanor. He took a cool sip of soda before explaining to us the concepts of cost of security versus return, auditors versus assessors, and recognizing your present level of security versus the bare minimum of security required to provide a realistic level of risk. His densely rich presentation expounded upon his blog posting from 13/12/2012 entitled Security Subsistence Syndrome, itself a discussion of Wendy Nather of the 451 Group’s “Living Below the Security Poverty Line”. Normally the tech in me is slightly apprehensive before attending presentations by “C-level” executives at technical conferences. Fears of 55 minutes of mindless management mumbo jumbo were quickly replaced with a presentation topic which was extremely relevant. The challenge of balancing information security costs and resources in creative ways during an inhospitable financial climate is one most information security professionals face frequently. Mr. Ellis used a mixture of tech, humor and honest communication to help the audience grasp the topic. The “casual chaotic actor” is getting better and more sophisticated with the availability of better tools, he stressed: “as Metasploit increases, everyone gets better.” The general tone was that security waits for no one. Besides, “Nobody will implement perfect security,” he stated, because businesses make financial gains through leveraging risks. Perfect security is an implausible goal.

Major takeaway points:

  • Don’t waste your crisis, use every opportunity you can and learn.
  • Don’t rely on blind luck, it will happen to you! Another way of saying Murphy’s Law.
  • Improve processes and policies for your weakest link such as developers or any production platforms possible.
  • Measure the capabilities of existing staff with a focus on continual improvement over time.
  • If you are, for example, trying to juggle 17 things and failing, concentrate on three or so you can actually solve and let the rest of the balls drop.
  • Automate in an efficient manner.
  • Spreadsheet out your existing and historic risk at the very least; you don’t need fancy tools for this.
  • Don’t stop a business process but make the data owners aware of the risk, advise and get their acknowledgement.
  • In most cases you won’t require top-of-the-line applications or hardware; get creative and think off-the-shelf and open source.
  • Try to get security involved at the project definition requirements stage and you too could achieve nirvana.

Most organizations during this economic crisis are struggling, mostly with the challenges of lack of budget or skilled human resources. Mr. Ellis presented a formula to explain some of the challenges:

  (Security) Value = R (Resources) × C (Capabilities), where R = Time + Money and C = Skill × Effort × Effectiveness

Mr. Ellis has successfully built a process to hunt malware in Akamai’s 10 PB (yes, petabyte!) cloud on a small budget, using open source tools and a security team of a dozen or fewer. Each organization or team must add value to their titles in these tight fiscal periods. Justify your position and improve your department while using both in- and out-of-the-box thinking to achieve or exceed the security poverty line. This topic is one of the few which can be achieved in information security. Grab hold of a win while you can!

More information:

  • Andy Ellis’ Blog: http://www.csoandy.com/
  • Andy Ellis’ Twitter: @csoandy
  • Link to the PDF of the presentation: Link
  • “Living Below the Security Poverty Line,” Wendy Nather, of The 451 Group: Link
  • YouTube link to video when available