ISDPodcast Episode 279 for December 15, 2010. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski, and Varun Sharma.
Announcements:
SANS Cyber Defense Initiative 2010
SANS Community:
Jason Lawrence, Management 414: SANS +S Training Program for the CISSP Certification Exam: http://www.sans.org/mentor/details.php?nid=23493
Wednesday, February 23, 2011 – Wednesday, April 27, 2011
Use the Discount Code: isdpod15 for a 15% discount.
Appalachian Institute of Digital Evidence (AIDE):
AIDE Winter Meeting, Marshall University Forensic Science Center, Huntington, WV
When: February 17 – 18, 2011
http://aide.marshall.edu/default.htm
Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)
Stories:
News: http://arstechnica.com/open-source/news/2010/12/fbi-accused-of-planting-backdoor-in-openbsd-ipsec-stack.ars
http://blog.scottlowe.org/2010/12/14/allegations-regarding-fbi-involvement-with-openbsd/
In an e-mail sent to BSD project leader Theo de Raadt, former NETSEC CTO Gregory Perry has claimed that NETSEC developers helped the FBI plant “a number of backdoors” in the OpenBSD cryptographic framework approximately a decade ago.
Perry says that his nondisclosure agreement with the FBI has expired, allowing him to finally bring the issue to the attention of OpenBSD developers. Perry also suggests that knowledge of the FBI’s backdoors played a role in DARPA’s decision to withdraw millions of dollars of grant funding from OpenBSD in 2003.
“I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI,” wrote Perry. “This is also probably the reason why you lost your DARPA funding, they more than likely caught wind of the fact that those backdoors were present and didn’t want to create any derivative products based upon the same.”
The e-mail became public when de Raadt forwarded it to the OpenBSD mailing list on Tuesday, with the intention of encouraging concerned parties to conduct code audits. To avoid entanglement in the alleged conspiracy, de Raadt says that he won’t be pursuing the matter himself. Several developers have begun the process of auditing the OpenBSD IPSEC stack in order to determine if Perry’s claims are true.
“It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into our network stack,” de Raadt wrote. “Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products. Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations are.”
OpenBSD developers often characterize security as one of the project’s highest priorities, citing their thorough code review practices and proactive auditing process as key factors that contribute to the platform’s reputedly superior security. If Perry’s allegations prove true, the presence of FBI backdoors that have gone undetected for a decade would be a major embarrassment for OpenBSD. The prospect of a federal government agency paying open source developers to inject surveillance-friendly holes in operating systems is also deeply troubling. It’s possible that similar backdoors could potentially exist on other software platforms. It’s still too early to know if the claims are true, but the OpenBSD community is determined to find out if they are.
Businesses should prepare for internet traffic hijacking and sophisticated attacks on computerized control systems in 2011, says a security expert from Neustar. These trends are strongly indicated by the discovery of the Stuxnet worm and China’s hijacking of 15% of the world’s internet traffic for 18 minutes early in 2010, according to Rodney Joffe, senior vice-president and senior technologist at Neustar.
Another trend that is likely to carry over from 2010 is the limited use of distributed-denial-of-service (DDoS) attacks for social and political ends, such as the recent attacks on WikiLeaks and associated sites and the 2007 battles between Russia and Estonia. But it is the hijacking of internet traffic and the use of sophisticated attacks such as the Stuxnet worm aimed at control systems that business organizations are most likely to be up against, said Joffe.
Stuxnet represents a new generation of stealthy and targeted attacks that are likely to become increasingly popular with cybercriminals in 2011 as a way to target financial systems, particularly automatic cash machines. “This is an area that is getting increased attention in the underground forums,” said Joffe, but it will not be limited to banking and could include any computer-controlled system, such as the heating and lift systems in office blocks. Large industrial companies are generally aware of the threat, he said, but mid- and lower-level organizations such as air-conditioner, lift and aircraft manufacturers were oblivious to the relevance of Stuxnet.
Another challenge for IT managers in 2011 will be the theft of intellectual property, both for financial gain by criminals, and industrial espionage through internet traffic re-routing, said Joffe. “IT managers need to have a mechanism in place to help identify when their traffic is being routed through illegitimate third-party infrastructure so they can act swiftly to prevent data from being inspected or manipulated,” he said. The danger is that re-routing can be done by any network engineer and there is currently no way to prevent it, warned Joffe. “We are at least two years away from a commercial solution to this problem, so that is why IT managers need to monitor their traffic beyond their own networks and be prepared to take systems offline if route hijacking is detected,” he said. According to Joffe, taking systems offline, although costly and disruptive, would be infinitely preferable to exposing electronic communications and login credentials to theft and misuse.
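Added example (not from the podcast or the Neustar interview it summarizes) of the monitoring Joffe describes: a route-origin check that compares route observations, as pulled from a looking glass or BGP collector feed, against the prefixes and origin ASNs an organization expects, and flags foreign origins and unexpected more-specifics. The prefixes, ASNs and collector names are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    prefix: str       # announced prefix as seen by a collector, e.g. "203.0.113.0/24"
    origin_asn: int   # last ASN in the AS_PATH (the claimed originator)
    seen_at: str      # label for the vantage point that reported the route

# Ground truth (constructed sample values): prefixes we own and the ASNs allowed to originate them.
EXPECTED = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/23": {64500, 64501},
}

def classify(obs, expected=EXPECTED):
    """Return None if the route agrees with `expected`, otherwise a finding label."""
    net = ipaddress.ip_network(obs.prefix, strict=False)
    for owned, asns in expected.items():
        owned_net = ipaddress.ip_network(owned)
        if net.version != owned_net.version:
            continue
        if net == owned_net:
            return None if obs.origin_asn in asns else "origin-mismatch"
        if net.subnet_of(owned_net):
            # Longest-prefix match: a more-specific diverts traffic even while our covering route is still visible.
            return "more-specific-own-origin" if obs.origin_asn in asns else "more-specific-unexpected-origin"
    return None  # not one of our prefixes

def audit(observations, expected=EXPECTED):
    """Collapse per-collector findings so one event seen from many vantage points is one alert."""
    findings = {}
    for obs in observations:
        label = classify(obs, expected)
        if label:
            findings.setdefault((obs.prefix, obs.origin_asn, label), []).append(obs.seen_at)
    return findings

# Constructed route observations standing in for a looking-glass or collector feed.
SAMPLE = [
    Observation("203.0.113.0/24", 64500, "collector-A"),    # normal
    Observation("203.0.113.0/24", 64666, "collector-B"),    # foreign origin for our /24
    Observation("203.0.113.128/25", 64666, "collector-A"),  # more-specific from foreign ASN
    Observation("203.0.113.128/25", 64666, "collector-B"),
    Observation("198.51.100.0/24", 64501, "collector-A"),   # our own more-specific (traffic engineering)
    Observation("192.0.2.0/24", 64777, "collector-A"),      # not ours; ignored
]
```

A real deployment would feed this from a live collector and treat the origin-mismatch and foreign more-specific findings as the trigger for the "take systems offline" decision discussed above.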
The Mountain Vista Medical Center in Mesa, Az., discovered that compact memory data cards containing personal information about patients who had undergone endoscopy procedures between January 2008 and October of this year were missing, according to a report by the Arizona Republic. The lost data included patients’ full names, date of birth, age, sex, medical information, and physician’s name. However, social security numbers, addresses, and telephone numbers were not on the lost data cards, according to the hospital.
I absolutely love this quote: “As noted by security experts in other data loss incidents, the organization would not likely have evidence that the information was being ‘improperly used’ because the criminals would not tell them.”
Keith: Seriously? It is your responsibility to secure the information, monitor the information and provide the appropriate controls for the PII as defined within HIPAA. Finger-pointing is getting really old.
Yet another data loss story: 20 years of police records, including investigation information. A Colorado sheriff’s department mistakenly exposed a sensitive database that contained names, addresses and other details on about 200,000 people, including confidential drug informants. Deputies have used the database for more than 20 years to collect and share intelligence gathered during official police work. Authorities aren’t sure whether someone copied it and plans to post it online, WikiLeaks-style.
A full 94% of large UK businesses are confident their organization is protected against cyber attacks, but 82% said that cybercriminals are innovating faster than businesses, according to Detica’s Cyber Security Monitor survey.
In addition, 92 of those surveyed said that cybercriminals are a growing menace, with 60% agreeing that a successful cyber attack would affect their organization’s competitiveness, according to a survey of large UK businesses conducted by Ipsos MORI for Detica.
“Awareness of the real commercial threat to private industry appears to remain low. It is surprising that the vast majority of those questioned believe themselves to be adequately equipped to deal with a direct cyber attack, as the most commonly quoted forms of IT security in the survey – firewalls and anti-virus software – leave many organizations vulnerable”, said Henry Harrison, technical director for Detica.
“Companies increasingly need to go ‘beyond the firewall’ to guarantee the integrity of their commercial and customer data. This threat isn’t simply going to go away, and cyber risk should be addressed around the board table – it isn’t just the preserve of governments and the military”, he added.
According to the survey, 40% of respondents said their organization’s risk level with regard to targeted cyber attacks was very or fairly low, and another 40% rate the risk as medium. Only 14% said that the risk is high, of which only one business responded “very high”.
In addition, many firms remain unconcerned about the direct commercial risks of a cyber attack; theft of IP and other commercially sensitive data such as pricing, bid information, and strategic plans were identified as a concern by only 18%.