Tag Archives: hackers

Information Security Best Practices

What is more important – patient safety or hospital IT?

What is more important – patient safety or the health of the enterprise hospital Windows network?  What is more important – writing secure code or installing an anti-virus?

A threat analysis was performed on a medical device used in intensive care units.  The threat analysis used the PTA (Practical threat analysis) methodology.

Our analysis considered threats to three assets: medical device availability, the hospital enterprise network and patient confidentiality/HIPAA compliance. Following the threat analysis, a prioritized plan of security countermeasures was built and implemented including the issue of propagation of viruses and malware into the hospital network (See Section III below).

Installing anti-virus software on a medical device is less effective than implementing other security countermeasures that mitigate more severe threats – ePHI leakage, software defects and USB access.

A novel benefit of our approach is derived by providing the analytical results as a standard threat model database, which can be used by medical device vendors and customers to model changes in risk profile as technology and operating environment evolve. The threat modelling software can be downloaded here.
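As an added worked example (this is not the PTA software linked above, and the figures are not the results of the analysis described in this post), the following Python sketches the mechanics a PTA-style analysis rests on: assets with a value, threats with a likelihood and a damage fraction per asset, countermeasures with a cost and the share of each threat they remove, and a prioritized plan chosen greedily by residual risk reduced per unit cost. Every asset, threat, countermeasure name and number below is constructed for illustration.

```python
# Added example, not the page's own PTA tool and not the results of the
# analysis above. A minimal PTA-style threat model: assets with a value,
# threats with a likelihood and a damage fraction per asset, countermeasures
# with a cost and the fraction of each threat they mitigate. The plan is built
# greedily by residual risk reduced per unit cost. Every name and figure in
# the sample model is constructed (hypothetical).
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float            # hypothetical financial value of the asset


@dataclass
class Threat:
    name: str
    probability: float      # estimated annual likelihood, 0..1
    damage: dict            # asset name -> fraction of asset value lost


@dataclass
class Countermeasure:
    name: str
    cost: float
    mitigates: dict         # threat name -> fraction of that threat's risk removed


def threat_risk(threat, assets):
    """Expected annual loss from one threat: probability * sum(damage * asset value)."""
    return threat.probability * sum(
        frac * assets[asset].value for asset, frac in threat.damage.items()
    )


def rank_threats(threats, assets):
    """Threats sorted by expected annual loss, highest first."""
    return sorted(((t.name, threat_risk(t, assets)) for t in threats),
                  key=lambda pair: pair[1], reverse=True)


def prioritize(assets, threats, countermeasures, budget):
    """Greedy plan: repeatedly pick the affordable countermeasure with the best
    risk-reduction-per-cost against the residual risk, until nothing fits."""
    residual = {t.name: threat_risk(t, assets) for t in threats}
    remaining = list(countermeasures)
    plan, spent = [], 0.0
    while remaining:
        best, best_ratio, best_reduction = None, 0.0, 0.0
        for cm in remaining:
            if spent + cm.cost > budget:
                continue
            reduction = sum(residual[t] * f for t, f in cm.mitigates.items() if t in residual)
            ratio = reduction / cm.cost
            if ratio > best_ratio:
                best, best_ratio, best_reduction = cm, ratio, reduction
        if best is None:
            break
        for t, f in best.mitigates.items():
            if t in residual:
                residual[t] *= (1.0 - f)      # only the unmitigated share remains
        plan.append((best.name, best_reduction))
        spent += best.cost
        remaining.remove(best)
    return plan, residual, spent


# Constructed sample model (hypothetical values, not the page's findings)
ASSETS = {a.name: a for a in (
    Asset("device availability", 500_000),
    Asset("hospital network", 2_000_000),
    Asset("ePHI confidentiality", 3_000_000),
)}
THREATS = [
    Threat("USB malware", 0.3, {"device availability": 0.5, "hospital network": 0.2}),
    Threat("ePHI leakage", 0.2, {"ePHI confidentiality": 0.6}),
    Threat("software defect", 0.4, {"device availability": 0.4}),
    Threat("worm propagation", 0.1, {"hospital network": 0.5}),
]
COUNTERMEASURES = [
    Countermeasure("anti-virus", 20_000, {"USB malware": 0.3, "worm propagation": 0.4}),
    Countermeasure("USB port lockdown", 5_000, {"USB malware": 0.9}),
    Countermeasure("ePHI encryption", 40_000, {"ePHI leakage": 0.8}),
    Countermeasure("secure code review", 60_000, {"software defect": 0.7}),
    Countermeasure("network segmentation", 30_000, {"worm propagation": 0.8}),
]


def build_plan(budget=100_000):
    """Run the sample model against a hypothetical budget."""
    return prioritize(ASSETS, THREATS, COUNTERMEASURES, budget)


if __name__ == "__main__":
    for name, risk in rank_threats(THREATS, ASSETS):
        print(f"{name:20s} expected annual loss {risk:>10,.0f}")
    plan, residual, spent = build_plan()
    for name, reduction in plan:
        print(f"{name:20s} removes {reduction:>10,.0f} of annual risk")
    print(f"spent {spent:,.0f}; residual risk {sum(residual.values()):,.0f}")
```

With these constructed figures the plan locks down USB access first, then encrypts ePHI, then segments the network, and only then buys anti-virus, because once USB access is closed the anti-virus removes little residual risk per unit cost. The order is an artifact of the hypothetical numbers; the point of the exercise is that the ranking is recomputed against residual risk after each countermeasure, so the same model can be re-run as the device or its operating environment changes.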

Kolmogorov

Russian cybercrime – pride or prejudice?

Mark Galeotti has a piece in the online Moscow News today entitled Why are Russians excellent cybercriminals? Mr Galeotti seems to have most of his facts right as he wonders:

“Why does every hacking and cyberscam story – real or fictional – seem to have a Russia connection? In part, it is prejudice and laziness. The stereotype of the Russian hacker has become such a common media trope that it gets recycled again and again. It also offers a handy update for those looking for new ways to perpetuate the ‘Russian threat.’

True, the FSS has a hacker training program, and true, there is a pool of skilled but under-employed programmers who embrace the hacker world for fun, out of disillusion, or for profit.

I would put the conspiracy theories and Western prejudice (or, as it sometimes seems, romantic infatuation with Russia) aside and consider the quality of Russian human capital. Russia has outstanding universities with world-class specialists in mathematics, physics and computer science. The list of notable Russian mathematicians goes on and on; just see http://en.wikipedia.org/wiki/List_of_Russian_mathematicians. Russia, very simply, has very, very good raw material for hacking.

Having great talent is a great start for getting world-class results in any field.

The Americans have the NBA, the Russians have hackers and the Palestinians – well that’s another story and not a happy one.

Several years ago, doing reserve duty at the Allenby Bridge, Efi Zuroff and I had the cushy job of escorting Palestinian VIPs back and forth across the bridge. One day I traveled in a cab from the bridge with a math professor from Bir Zeit University in Ramallah. I asked him what his specialty was and he replied “Statistics, I got my PhD from Kolmogorov himself”. I admit I was impressed, and a little sad that our cousins from the other side of the street seem to feel that violence is a better alternative than mathematics.


Why Microsoft shops have to worry about security

I am putting together a semester-long, hands-on security training course for a local college. The college that asked me for the program showed me a proposal they had received from a professional IT training company for a 120-hour information security course. They are trying to figure out how to decide, so they sent me the competing proposal, and lo and behold, 92 out of 120 hours is about certifying people on Checkpoint firewalls and Microsoft ISA Server. Here is what I told the college:

This course focuses on two Checkpoint courses, CCSA and CCSE, which account for 80 hours out of a total of 120. Then they spend another 12 hours on Microsoft ISA Server. The course spends only 8 hours on information security management and 8 hours on application security. From a marketing perspective, the course brochure looks slick. But not more than that.

Because of courses like this, companies have so many data breaches. After the course, the students will know a few buzzwords and how to click through the Checkpoint UI, but they won’t understand anything about hacking software.

If you want to understand data security you have to get down into the dirt and roll up your sleeves instead of learning how to click through the Checkpoint user interface. Microsoft system administrators in particular need to understand security and how to think about threat response and mitigation, because their thought processes have been seriously weakened by the Microsoft monoculture. They need to think about network, data security and software security threats and how to tie it all together with a practical threat analysis and information security management approach. They can always train on Checkpoint afterwards….

This reminds me of what Paul Graham writes in his article Beating the Averages:

The first thing I would do… was look at their job listings… I could tell which companies to worry about and which not to. The more of an IT flavor the job descriptions had, the less dangerous the company was. The safest kind were the ones that wanted Oracle experience. You never had to worry about those. You were also safe if they said they wanted C++ or Java developers. If they wanted Perl or Python programmers, that would be a bit frightening– that’s starting to sound like a company where the technical side, at least, is run by real hackers. If I had ever seen a job posting looking for Lisp hackers, I would have been really worried.

So, if you are a real hacker, look for companies with security administrators who are certified for Microsoft ISA Server and you will have nothing to worry about. But if your target’s security administrators are facile with Wireshark, Ratproxy, Fiddler and Metasploit, then you should be really worried.


Charged for stealing 130 million credit card numbers

A Miami man has been charged with the largest data theft ever.

Less than 5 years ago, the main modus operandi for stealing identity information was dumpster diving. If you shredded your statements, you were safe. Today, however, it is much more effective to steal the data directly from large retailer databases. Once you’re in, you can steal large quantities of credit card numbers and other personal information.

The interesting thing is that the perp, Albert Gonzalez, was an FBI informant who worked both sides of the fence: informing the Feds, tipping off the bad guys, and wardriving wireless networks to inject sniffing software and steal credit card numbers.

See US Hacker charges on Yahoo.com.


What do hackers want?

What do hackers really want?

No question is more important for mounting effective security countermeasures. Management, IT and security practitioners cannot expect to mitigate risk effectively without knowing the objectives and cost of potential attacks on their organization.

We all depend on transaction processing to run our business and make decisions, no matter how big or small we are. We all use business applications (most of them Web-based these days) to buy, sell, pay vendors and collect from customers.

The prevailing security model is predicated on defense in depth of transaction systems. The most common strategies mitigate risk with network and application security products that are reactive countermeasures: blocking network ports and services, detecting known application exploits, or blocking entry of malicious code to the network.

Are any of these security countermeasures likely to be effective in the long-term? Can attacks on a business be neutralized with defensive means only? In other words, is there a “fire and forget” security solution for the business? The answer is clearly no.

This is for three reasons:

  1. You must understand the attacker. If you understand what a terrorist wants (a suicide bomber in a shopping mall sometime next week), you can save lives with a preemptive attack. In the physical world we defend the citizens of our country with both defensive and offensive means. Often it is a political decision that is up for public scrutiny and criticism; nonetheless we do attack our enemies with military action: commando raids, precision bombing or carpet bombing.
  2. You must understand yourself. Defensive “fire-and-forget” security countermeasures such as an IPS are not a replacement for understanding where the threats lie and how much your assets are worth. A Checkpoint SmartDefense firewall can help protect against malformed IMAP commands, but it cannot detect extrusion of proprietary company assets in a Gmail attachment. An application firewall can help mitigate well-known XSS vulnerabilities but won’t fix bugs in customized application source code or mend system configuration problems.
  3. You must consider the alternate cost. There is no reason for us to attempt to take rational decisions in the real world but abstain from cost-benefit calculations in cyberspace. The cost of mounting a cyber attack on a company, bribing or social-engineering an employee to mail a file with all employee details, is far less than what the company spends on its information security systems. With inherently asymmetrical costs of cyber defenses versus cyber attacks, it’s high time to change the rules. Richard Bejtlich has a fascinating discussion on his blog, Mutually Assured DDOS. It’s a catchy title with a lot of interesting insights, but personally I am not sure that projection of power, deterrence and mutually assured destruction is an acceptable corporate or government business objective.