Cybercrime at the Speed of Light

A few years ago our very own James Arlen presented at Black Hat on the security risks of high-speed trading. Today I read in The Verge: Last week’s Federal Reserve announcement made big waves on Wall Street, sending markets skyrocketing and financial organizations scrambling to spread the news – but a new report raises concerns that some were spreading it faster than they should have. The high-speed trading experts at Nanex say they saw simultaneous reactions in both Washington D.C. and Chicago, when the news should have taken at least three milliseconds to travel the 600 miles from the Federal Reserve Building to the Chicago’s commodities exchanges. I await Gunnar’s response, but it seems to me that ordinary people have little chance of surviving the markets as computers take over ‘our’ economy. Share:

Read Post

Data brokers and background checks are a massive security vulnerability

Brian Krebs has done some amazing investigative reporting over the years, but this story is an absolute bombshell. An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity. … The botnet’s online dashboard for the LexisNexis systems shows that a tiny unauthorized program called “nbc.exe” was placed on the servers as far back as April 10, 2013, … Two other compromised systems were located inside the networks of Dun & Bradstreet, … The fifth server compromised as part of this botnet was located at Internet addresses assigned to Kroll Background America, Inc., a company that provides background, drug, and health screening for employers. In my research for the Involuntary Case Studies in Data Breaches presentation I update every few years, I come across many dozens of breaches of credit check services, data brokers, and other information-gathering services. Go check it out yourself at the DataLossDB and search on Experian, LexisNexis, and so on. What I didn’t know is how many institutions rely on this data for Knowledge Based Authentication, and that it has been broken since at least 2010, according to Avivah Litan of Gartner (who is great – rely enjoyed working with her). I am fascinated because although I always considered this data aggregation a privacy risk – now we see it also as a security risk. Share:

Read Post

Walled Garden Fail

Mailbox is a very popular replacement mail app for iOS that apparently auto-executes JavaScript in incoming emails, according to a post by Italian security researcher Michele Spanuolo (@MikiSpag) Jeremiah Grossman summarized it best: “XSS to account takeover.” Think about it – this app auto-executes any JavaScript received via email. Oops. I emphasize that this is not Apple’s Mail app included with iOS – it is a third-party app called Mailbox in Apple’s Apple App Store. Initially, I thought, hey, they’ll fix it soon – they just got a public report on it from Spaguolo’s blog. But Michele has updated the post – @bp_ posted this issue on Twitter in MAY. So they have been sitting on a big hole for months. This is interesting for two reasons: Apple’s App Store code analysis clearly missed it. Then again, should it have even caught it? The vulnerability doesn’t expose anything on the iOS device itself, and doesn’t violate any of the App Store rules. It also demonstrates that walled gardens, while ‘safer’, aren’t actually ‘safe’. There are entire classes of attacks that likely comply with App Store rules. Like Candy Crush, which is ruining marriages and destroying grades throughout the world. Someone needs to stop the insanity. Enterprises should make damn sure employees aren’t using these services without security vetting. Mailbox is only the start – just look at the many calendar enhancement apps out there. All these little startups use full access to your calendar, mail, contacts, reminders, and social networks to provide a more usable calendar. And almost none of them talk about security in any meaningful way. Rich has been doing some analysis here – they all fail. Mailbox is now owned by Dropbox (confirmed by the Dropbox copyright on the bottom-left of So either Dropbox didn’t do much appsec due diligence when they bought Mailbox, or they found and ignored it, and now they are on the hook and in the spotlight. A spokesperson for Mailbox said the patch for the auto-execution vulnerability is inbound by end of Wednesday (today), according to that article. It is interesting to see how software vendors react to such disclosure, but to me the more interesting aspect is the insight into what Apple’s App Store vetting misses… Share:

Read Post

Incite 9/25/2013: Road Trip

Every so often my mind wanders and I flash back to scenes from classic movies. When I remember Animal House, I can’t help but spend perhaps 15 minutes thinking about all the great scenes in that movie. I don’t even know where to begin, but one scene that still cracks me up after all these years is: Boon: Jesus. What’s going on? Hoover: They confiscated everything, even the stuff we didn’t steal. Bluto: They took the bar! The whole f****** bar! [Otter grabs a bottle of whiskey and throws it to Bluto, who chugs it all.] Bluto: Thanks. I needed that. Hoover: Christ. This is ridiculous. What are we going to do? Otter & Boon: Road trip. ROAD TRIP! Just the mere mention of those words makes me smile. Like most folks, I have great memories of the road trips I took in high school, college, as a recent graduate, and even now when my ATL buddies and I make a pilgrimage to go see a SEC football game every year. There isn’t much better than hopping in the car with a few buddies and heading to a different location, equipped with a credit card to buy decent drinks. Though this past weekend I had a different kind of road trip. I took The Boy to go see the NY Giants play in Charlotte. After a crazy Saturday, we drove the 3.5 hours and even had dinner at Taco Bell on the way. He loves the Doritos shell tacos and since it was Boys weekend, we could suspend the rules of good eating for a day. We stayed at a nice Westin in downtown Charlotte and could see the stadium from our room. He was blown away by the hotel and the view of the stadium at night. It was great to see the experience through his eyes – to me a hotel is a hotel is a hotel. We slept in Sunday morning, and when I asked him to shower before breakfast, he sent a zinger my way. “But Dad, I thought on Boys weekend we don’t have to shower.” Normally I would agree to suspend hygiene, but I had to sit next to him all day, so into the shower he went. We hit the breakfast buffet and saw a bunch of like-minded transplanted New Yorkers in full gear to see the Giants play. He got a new Giants hat on the walk to the stadium and we got there nice and early to see the team warm-ups and enjoy club level. Of course, the game totally sucked. The G-men got taken to the woodshed. Normally I’d be fit to be tied – that was a significant investment in the hotel and tickets. But then I looked over and saw the Boy was still smiling and seemined happy to be there. He didn’t get pissed until the 4th quarter, after another inept Giants offensive series. He threw down the game program, but within a second he was happy again. I kept asking if he wanted to stay, and he didn’t want to go. We were there until the bitter end. After the long trip home, as he was getting ready for bed, we got to do a little post-mortem on the trip. He told me he had a great time. Even better, he suggested we take road trips more often – like every weekend. Even though I didn’t have one drink and the Giants totally sucked, it was the best road trip I’ve ever taken. By far. –Mike Photo credit: “Smoke Hole Rd, WV” originally uploaded by David Clow Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Firewall Management Essentials Quick Wins Managing Access Risk Optimizing Rules Change Management Introduction Continuous Security Monitoring Migrating to CSM The Compliance Use Case The Change Control Use Case The Attack Use Case Classification Defining CSM Why. Continuous. Security. Monitoring? Newly Published Papers Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Defending Cloud Data with Infrastructure Encryption Incite 4 U Security According to Security Moses: Evidently Security Moses has descended from Mt. Sinai with the tablets of CISO success: the 10 Golden Rules of the Outstanding CISO by Michael Boelen. Most of this stuff is obvious, but it’s a good reminder that your integrity is important and to focus on the fundamentals. I had a chat with a large enterprise yesterday about that very topic. Don’t forget to be the “master of communication” and not to panic. Although it is easy to panic when the house seems to be burning down. Don’t oversell what you can do, and remember that process beats technology. Again, not brain surgery here, but under duress it’s always good to go back and consult the stone tablets. – MR Emphatic Maybe: A simple statement like “We don’t have backdoors in our products” would address the issue. The problem is that every vendor who has released a statement regarding the NSA compromising their platforms has issued a qualified answer. This time it’s RSA, with “We don’t enable backdoors in our crypto products.” Which means exactly what? You have someone else do it? The NSA dropped the code into your product, so you didn’t have to? Was the RNG subsystem weakened to achieve the same result? Those are all accusations being thrown about, and the released statement does not definitively address them. The recommendation to stop using BSafe’s Dual Elliptic Curve Deterministic Random Bit Generator was a step in the right direction. Still, the ambiguity, which looks intentional, is fueling the fire of what has now become the biggest security story of the year. And it is reducing trust in data security vendors. In fact, it’s generating renewed interest in security

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.