Archive for October, 2009

More on Fighting Laptop Theft

I’ve written about the laptop theft problem before, and have recommended some widely-accepted control measures to reduce the risk of laptop-theft incidents. I’ve come up with a few new perspectives since I previously wrote about this issue, and I would like to share them with you.

The laptop I use most often is a Dell Inspiron 600. This computer was issued to me when I joined High Tower Software in July, 2005. Windows XP (now with Service Pack 3) was installed on this laptop, and all things considered, the hardware and operating system have both been excellent. When High Tower folded just about a year ago, all employees with laptops were allowed to keep them. The timing was not very optimal, as my computer was getting older, and I had requested a new one. A number of employees walked away from the High Tower office for the last time with much newer and better machines than mine, but still mine was not (and still is not) really such a bad machine, even though it had gone through all the travails of frequent travel.

Travel is not good for laptops because they get banged around. Airport security staff who inspect them to ensure they do not contain explosives are some of the worst offenders, but I also deserve my fair share of the blame. My laptop really shows the signs of travel-related wear and tear. There are numerous scuff marks on it as well as an ugly gouge, and the paint has faded in a non-uniform manner. This laptop looks as if it has been in a battle zone for a prolonged period of time to the point that sometimes my friends ask me when I am going to get a new one. I will buy a new one some day before too long, but one of the reasons I always take this particular machine with me is that it is not a very attractive target for laptop thieves. Statistics indicate that the major motivation for stealing laptops is to obtain a computer that can be sold in a pawn shop or other place. Most laptop thieves are interested neither in the software nor personally identifiable information and/or financial information. Consequently, I feel that the appearance of my machine is sufficiently ugly that most thieves won’t want to steal it.

How ugly a laptop looks is something that most organizations and individuals never think about, but perhaps they should. I would not rely on laptop ugliness as a major theft deterrent, but I am confident that if a thief has a choice of stealing a brand new, attractive laptop or one that appears old and beaten up, the thief will steal the former nearly 100 percent of the time.

Another measure that I take with my laptop is never allowing any externally-visible information about my employer such as the name of the company, URL for its Web site, and/or the physical location of the company. I figure that if I taped my Emagined Security business card to it, my laptop would become a more attractive target of theft because some laptop thieves are after proprietary and other information. Instead I tape my own personal business card to it. If you read one of my previous blog entries you’ll discover that doing this also saved my neck, so to speak, one time. I left my laptop at San Francisco International Airport security and flew ignorantly and blissfully to Bloomington, Illinois. If my personal card had not been taped to the computer, no one from airport security would have called my home number to report that my computer had been left behind. The ending to this story was good—I was able to recover my computer.

A final, additional non-conventional laptop theft prevention measure is being smart when it comes to storing a laptop when away from home. If I am on travel and I am at a restaurant, I actually take my laptop into the restaurant with me and place it right next to my chair. A few times waiters have almost tripped on it, but no real catastrophes have happened, and I have never had a laptop stolen. I used to leave my laptop in the trunk of whatever rental car I had, but when I realized just how proficient thieves have become at breaking into trunks, I gave up doing this. The biggest dilemma concerning laptop security that I typically face, however, is what to do with my laptop when I am in a hotel and want to go running. I suppose that I could bring a backpack with me, put it on and stick my computer in it, but that seems a little over the top. Consequently, I place my computer in some place that I am fairly sure most thieves would not look, like the back of the toilet.

Conventional laptop theft prevention measures are good, but if you really value your laptop, you might consider additional measures. The ones I have mentioned may seem weird, but they definitely work for me as well as for others who have used them.

Categories: Uncategorized Tags:

Revisions to the U.S. Patriot Act

The Patriot Act, passed shortly after the September 11 terrorist attacks in 2001, was designed to give US law enforcement greatly expanded power to conduct surveillance and other activities without the need for warrants and other legal measures. The impending expiration of primary provisions of the Patriot Act has catalyzed considerable legislative activity within the US Congress, particularly within the House of Representatives. Certain House members are greatly focused on introducing significant changes to this law.

At the center of much of the activity surrounding this law is the provision that telephone companies that cooperate with the US government in turning over customer information are granted legal immunity. This particular provision, which is not due to expire at the end of this year, concerns National Security Letters (NSLs), which are defined by Wikipedia as the following:

“… a form of administrative subpoena used by the United States Federal Bureau of Investigation and reportedly by other U.S. Government Agencies including the Central Intelligence Agency and the Department of Defense. It is a demand letter issued to a particular entity or organization to turn over various record and data pertaining to individuals. They require no probable cause or judicial oversight. They also contain a gag order, preventing the recipient of the letter from disclosing that the letter was ever issued.”

The fact that no probable cause or judicial oversight is necessary for NSLs to be issued has been a major concern of civil libertarians. The changes in the proposed House of Representatives legislation (the Conyers-Nadler-Scott Bill) would greatly limit the conditions under which NSLs could be issued under the provisions of the Patriot Act—namely, only when espionage or terrorist activity by an individual or a foreign entity is involved. The story in the Senate is completely different. A similar bill sponsored by Senator Richard Durbin of Illinois did not even make it out of the Senate Judiciary Committee. Senator Russ Feingold of Wisconsin has not gotten even that far in bringing a bill designed to limit the immunity granted to telecommunications carriers for “turning in customers” to a vote. Clearly, the Senate and House are a long way apart when it comes to views about changing provisions of the Patriot Act.

So where does it all go from here? My gut feeling is that eventually some of the provisions of the Patriot Act will be toned down. As I have said before in my Computers and Security editorials, the Patriot Act, while well-intentioned, aids and abets potential tyrants. This act is not only badly misnamed, but it also has dismal implications for civil rights, personal liberty, and privacy. The overreaction after the events of September 2001 has for the most part come to an end. It is thus high time to revise the provisions of this act so that they are much more in accordance with the realities of the current world as well as the ideals and values of America.


Mail Delivery Problems in Google’s Postini Service

Last week users of Google’s Postini message service experienced a major disruption in mail delivery, something that triggered a flood of email and postings from angry customers. Some started examining other alternatives for mail servers, and Google Postini competitors started touting the reliability of their message services. Although there was no problem with outgoing email per se, incoming email was severely delayed, causing everything from minor irritation among customers to disruption of business activity. One of the worst stories was from a legal firm that was unable to obtain a critical email message from a client in time for a trial. Even Google Apps Premier customers, who pay a premium of $50 per year for top-end mail services, experienced the same problems as regular users.

The problem was compounded by a lack of communication on Google’s part. Many customers sent inquiries to the Postini Help Forum, but received no response. Later a Google spokesperson said only that Google was aware of the problem and was trying to fix it. Finally, a Google engineer posted a message of apology to the Postini Help Forum, saying that the delivery rate for mail was back to normal and that no message traffic had been deleted or bounced as a result of the problems.

What is most significant about what happened is that it exposed some of the huge cracks in cloud-based services. Google, the inventor of the “cloud computing” term, champions its cloud services, but certainly did not deal with the problem in its Postini mail service very well. People and organizations keep rushing to capitalize on low-cost or free cloud services without considering the downsides of doing so. The biggest downside may be reliance on the Internet. Between every cloud service and customer is a common link—the Internet.

I’m not at all knocking the Internet, but it (when it was the NSFnet) started out without built-in security mechanisms by design. It was originally built to provide free and easy access to users. The notion that individuals would deliberately try to cause interruption or corruption of services was not seriously considered at that time. Users were told to build in their own security if they wanted any. And things are not too different now. What the Internet has become over time is a number of backbones that connect Metropolitan Area Networks (MANs). ICANN, the Internet oversight organization, contracts with various service providers to run the Internet’s root DNS servers; security requirements for these servers are specified in contracts with these providers. But other than that, the Internet is still a gargantuan network without inherent security. Consequently, the Internet is vulnerable to massive attacks launched by determined individuals. If you are still skeptical, please recall the three well-known attempts over the years to take down so many root DNS servers that the Internet would become unusable. Two of these three attempts came very close to succeeding.

One day the Internet will be taken out for a prolonged period of time by a massive distributed denial of service (DDoS) attack. A very large number of bot-infected systems will flood the Internet. Multiple Internet Service Provider (ISP) networks will be involved. Gigantic pipes along some parts of the path will be able to move the traffic, but the volume of packets reaching routers will overwhelm them. As a result, the links and routers that connect the infrastructure will crash or become unresponsive, and/or legitimate traffic will be disrupted such that the quality of Internet service becomes intolerable. This will happen at some point in time—trust me.

The impact on those who rely on cloud services will be catastrophic. Having redundant cloud providers will not help. The amount of loss and disruption will be beyond belief, and a fair share of cloud-reliant companies will go out of business.

So I close with an earlier statement: between every cloud service and customer is a common link—the Internet. Realizing this might make some cloud-frenzied individuals and organizations come back to their senses.


The Media and Cybercriminals

I recently read an article in which Gregory Evans, a self-employed information security consultant based in Atlanta, discussed what he does for a living. Describing the job of computer/network security consultant as the “eighth best job in the world,” the article reported that Evans describes himself as a “cybercrime fighter.” He said that his job is to counter threats against computing systems and networks such as hackers, viruses, worms, and spyware.

From what I read, Evans is a personable and professionally competent individual. At the same time, however, I found out that he has a sordid past, one in which by his own admission he broke into one computing system after another. Here we go again—the media glorifying another individual who has a history filled with criminal activity. Lamentably, this is not the first time this kind of thing has happened, and it will not be the last.

The media is not the only entity that does this kind of thing. I remember that not all that many years ago I was doing some consulting for a very large financial organization. The lead technical person in information security had achieved considerable notoriety from all his previous hacking and phone phreaking activity. He was ostensibly very knowledgeable about information security, but when I realized who he was, I got a sinking feeling in my stomach. I did not find out that I would have to work with him until I was on site at this client’s facility. Had I known in advance, I never would have accepted the consulting job. How could an organization with so much at stake have allowed someone with such a background to work there (in information security, yet!)? How did this person ever slip through a background investigation? Truly there was something wrong in the state of Denmark.

The media may send the wrong message, and financial and other institutions may make the wrong decisions, but what gets to me the most is when information security organizations have former cybercriminals speak (often for exorbitant prices) at conferences and meetings. I’ve written a previous blog entry on this disturbing trend, so I won’t say anything else here except that no matter what incentives are offered to me, I will not speak for any organization that has at any time brought computer criminals in to speak at any of its conferences and meetings. There are lots of speaking opportunities out there—why serve some organization that is not serving the information security profession well?

So I want to propose what I believe is a new idea. Why not make having a professional certification such as the CISSP a prerequisite for the privilege of speaking at information security meetings and conferences? This would weed out individuals such as Evans who have engaged in previous criminal activity, because having done so disqualifies anyone from becoming CISSP-certified. Additionally, this would preclude individuals such as product managers and marketers from security vendors from being able to speak at professional information security events. Don’t get me wrong—I have a lot of respect for well-seasoned product managers and marketers, and I love talking to them at trade shows. But these individuals typically have minimal credentials in information security. They are usually neither teachers nor mentors in our field. Furthermore, they typically “hawk their wares” one way or another when they speak. If they do not directly make a sales pitch for whatever product they represent, they often indirectly do so by stating the requirements for a certain type of product and then “mentioning” that their product fulfills these requirements.

I do not know what to do about the media making ex-computer criminals look so good, nor can I really do anything about organizations hiring these criminals. But I know what to do about professional organizations bringing these and other unqualified or undesirable individuals in to speak. You can vote with your feet, as I do, and I hope that you also consider doing this.


A New Milestone for Microsoft

We all know what “Patch Tuesday” is. Every month on the second Tuesday, Microsoft releases a bulletin describing vulnerabilities and hot fixes or descriptions of workarounds in its products. Interestingly, six years have now gone by between the time of the first Patch Tuesday and the one two days ago. Over these six years, Microsoft has distributed nearly 400 bulletins that have described nearly 750 vulnerabilities. Most of these vulnerabilities have not been trivial, either; Microsoft has in fact rated over half of these vulnerabilities as “critical.” And if you look at the trends, you’ll discover that during each year since October 2003 there have been more announced vulnerabilities than in the previous year.

Having worked for a software company for over three years, in a way I pity Microsoft. Simply keeping up with patches for a single product was a bigger task than I ever envisioned, and Microsoft makes many products. At the same time, however, there is something rotten in the state of Denmark, so to speak. Not only is the number of vulnerabilities in Microsoft products increasing every year, but as I have mentioned before, years ago Microsoft told the world that its Trusted Computing Initiative (TCI) was going to substantially raise the quality of Microsoft code. Microsoft programmers were not only going to get training related to secure code development, but they also were going to be held responsible for the quality of the code they produced. It would be very difficult to fault Microsoft for coming up with and implementing its TCI, but if this initiative were truly successful, we would see the number of vulnerabilities in Microsoft products decreasing year by year. Yet the opposite has happened. Additionally, the same vulnerabilities should not keep resurfacing from one version of a product to the next. The good news is that many vulnerabilities are unique to a particular release of a particular Microsoft product. Unfortunately, however, there are numerous, serious exceptions, the most recent of which (described in Microsoft bulletin MS09-056) is a critical, remotely exploitable vulnerability in Microsoft’s Server Message Block (SMB) protocol that could allow unauthorized execution of remote code that runs with elevated privileges. All, and I repeat, all, Windows operating systems from Windows 2000 to Windows 2008 R2 have this vulnerability. I must lamentably thus conclude that although the TCI was a brilliant idea, there is a significant gap between what this initiative promises to deliver and what it has actually delivered.

As an aside, I need to tell you just how much I hate Patch Tuesdays. I use Windows Automatic Updates on my Windows workstations, so hot fixes for these workstations are downloaded automatically. Half the patching battle is thus won from the start. I do not allow Windows Automatic Updates to install the hot fixes automatically, however. I was once badly burned when I had this function set to install hot fixes automatically. Something was wrong with a particular IE fix; after it was installed and I tried to reboot the system in question, that system never rebooted. I had to reinstall the system, something that really irked me because I was unusually busy at that time. To Microsoft’s credit, this vendor fixed whatever was wrong with the patch within a few days and released the corrected version to its customers. But the damage to my primary Windows system had already been done. This terrible incident created within me a healthy paranoia about Microsoft hot fixes. Now I normally wait at least ten days to a few weeks, time in which I find out whether postings on the Internet show that people have experienced trouble with the new hot fixes, before I ever consider installing them.

Microsoft has reached a huge milestone at the sixth year of Patch Tuesday. But I suspect that there was no celebration for the occasion in Redmond, Washington. Hopefully, higher-level management within Microsoft instead came to a deeper realization that although security in Windows products is not for the most part bad, there is surely a lot of room for improvement.


Financial Trojans: Part 3

After reading the blog entries on financial Trojans that I have recently written, you might get the impression that Trojan horses are the only kinds of malicious code that attempt to obtain financial information to be used in identity theft attempts and other kinds of criminal activity. After all, we know that malware writers have become increasingly motivated to make money. Trojans are covert, making them ideally suited for the perpetrators’ purposes. Other types of malicious code such as viruses and worms are easy to detect and are thus not very well suited for financial fraud and identity theft. Despite this, however, other types of malicious code are also being used for the same purposes.

Believe it or not, financial worms have been spreading on the Internet for some time now. Worms are not well suited for financial theft and fraud attempts because once they infect a machine, they usually immediately start scanning IP address space to find other victims to infect, something that is very easy for anyone who uses intrusion detection, intrusion prevention, network monitoring, and other tools to discover. The best current example of a financial worm is the Clampi worm, which obtains and uses domain-administrator credentials to log in to Windows domain controllers. It then copies itself to all computers on the domain, trying to obtain information from commercial Web sites. It also serves as a proxy server to anonymize perpetrators’ activity when they log into stolen accounts. Despite the fact that this worm first surfaced approximately two years ago and that it is not all that covert, Clampi has reportedly resulted in widespread financial loss.

Another type of financial malware is financial spyware, of which Rebery is one of the best examples. Rebery is installed through exploitation of vulnerabilities in Web browsers when users visit a malicious Web site. Once it infects a system, it stays dormant until users connect to certain on-line banking or e-commerce sites. It then wakes up and starts stealing customer and transaction data, sending them to a Web site controlled by the perpetrator. To help the perpetrator figure out exactly what has transpired in a banking session, it even captures screen shots throughout the entire session. Furthermore, a considerable amount of rootkit functionality is built into this malware, enabling it to escape detection through normal means such as running anti-virus or anti-spyware tools.

So what does all this mean? If anything, financial Trojans and similar kinds of malware are going to become more prolific. Resulting losses for financial institutions as well as individual users are likely to soar to the point that financial institutions will be forced to provide technology that discovers and eradicates malicious code such as financial Trojans. But is it too late? Consider Robert Mueller, Director of the FBI. He recently announced that he will no longer use online banking after he almost fell for a clever phishing attempt. Users who have their financial and personal information stolen during financial transactions are likely to reach the same decision, as are those who hear of friends and family members who have experienced such incidents. One thing is sure—if security in such transactions does not get better before too long, online banking as we know it could very well become a thing of the past.


Consumer Education Is No Longer Enough to Fight Phishing

In Thursday’s Bank Info Security newsletter, Linda McGlasson writes about the need for more consumer education and awareness as the primary strategy a bank should employ against phishing and malware. I don’t want to in any way criticize the efforts that have been made to date regarding the education of consumers and individuals about malware and phishing attacks. It’s a good start. However, we are fighting a losing battle. When you have such people as FBI director Robert Mueller ending his personal use of online banking after he got burned when he thought he could tell the difference between a genuine e-mail and a phishing attack, this should be a giant signal that we have reached the end of our ability to fight this war through consumer education.

Banks have generally innovated and provided reasonably good security concerning the use of websites for online banking. However, this technology continues to depend on the static password and shared secrets for authentication security. In an age when a significant proportion of PCs have been infected by malware, including key loggers, this is a demonstrably inappropriate strategy for banks to take.

Banks need to improve the customer experience so that use of a bank’s website involves less marketing and more assistance. If I think that the next window is geared toward selling me a product I do not want nor have time to consider, I am likely to click any button that will get me past it. The use of a tiny “no thanks” button hidden somewhere on the window plainly demonstrates that banks think marketing is more important than security. And indeed it may be. Banks expect consumers to shoulder a disproportionate burden for resolving fraudulent use of accounts and what banks are spending themselves on security is a tiny rounding error compared to what they are earning as a result of fraud. How about devoting half of the $35 billion banks make each year on overdraft fees to new anti-fraud initiatives?

Next, banks should adopt a much more aggressive and industrial-strength approach to attacking those who misuse the Internet to propagate malware and fraud. Decoy accounts should be used to isolate and provide early warning on fraudulent activity. Aggressive forensic investigation should be used to track back to those responsible for malware and fraud. Aggressive and uncompromising use of cease-and-desist orders against all who prosper or encourage the use of malware and fraud must be pursued by the banking industry.
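The decoy accounts recommended above are, in detection terms, honeytokens: accounts that no legitimate customer will ever touch, so any activity against them is fraud in progress. The following is an added example, not code from the original post or from Emagined Security, of how a bank's monitoring might consume its own authentication and transfer logs to raise such early warnings. The log format, the decoy account names, the "planting sites" that record where each decoy credential was deliberately left, and every log line are constructed for illustration; a real deployment would read the institution's actual log schema.

```python
"""
Added example: early warning from decoy ("honeytoken") online-banking accounts.
Each decoy exists only to be found by an attacker.  Its credentials are planted
in exactly one place, so any use of it both signals fraud in progress and
reveals which planting site was harvested.  Everything below is constructed.
"""
import re
from collections import defaultdict

# Hypothetical decoy inventory: username -> where its credentials were planted.
DECOY_ACCOUNTS = {
    "j.ortega.decoy": "browser password store of lab workstation LAB-07",
    "acme.payroll.test": "retired marketing mailing-list export",
}

# Constructed log format: ISO timestamp, event type, then key=value fields.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>login|transfer)\s+(?P<fields>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    return {"ts": m.group("ts"), "event": m.group("event"), **fields}


def decoy_alerts(lines):
    """Return one alert per event that touches a decoy account.

    A login against a decoy is an alert regardless of success: even a failed
    attempt proves the planted credential was harvested.  A transfer whose
    user, source or destination is a decoy is likewise an alert.
    """
    decoys = set(DECOY_ACCOUNTS)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        touched = {ev.get(k) for k in ("user", "src_acct", "dst_acct")} & decoys
        for name in sorted(touched):
            alerts.append({
                "ts": ev["ts"],
                "event": ev["event"],
                "decoy": name,
                "client_ip": ev.get("ip"),
                "planted_at": DECOY_ACCOUNTS[name],
            })
    return alerts


def harvested_sites(alerts):
    """Map each planting site that has been harvested onto the client IPs seen using it."""
    sites = defaultdict(set)
    for a in alerts:
        if a["client_ip"]:
            sites[a["planted_at"]].add(a["client_ip"])
    return {site: sorted(ips) for site, ips in sites.items()}


# Constructed sample log: one ordinary customer session, then decoy activity.
SAMPLE_LOG = [
    "2009-10-20T08:14:02Z login user=m.chen ip=198.51.100.23 result=ok",
    "2009-10-20T08:15:40Z transfer user=m.chen src_acct=m.chen dst_acct=utility-co ip=198.51.100.23 amount=88.40",
    "2009-10-20T23:02:11Z login user=j.ortega.decoy ip=203.0.113.77 result=ok",
    "2009-10-20T23:03:05Z transfer user=j.ortega.decoy src_acct=j.ortega.decoy dst_acct=m-4411 ip=203.0.113.77 amount=1999.00",
    "2009-10-21T01:17:49Z login user=acme.payroll.test ip=203.0.113.77 result=fail",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    found = decoy_alerts(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["event"], a["decoy"], "from", a["client_ip"], "planted at:", a["planted_at"])
    print(harvested_sites(found))
```

The value of the planting-site mapping is in the response: a hit on the decoy left in a lab workstation's browser password store points at a credential-stealing infection of that class of machine, whereas a hit on the decoy from a mailing-list export points at a data leak, and the two call for different investigations.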

As anyone who has ever experienced fraudulent use of their bank account knows, banks tend to adopt a rather negative attitude toward customers who identify fraud. The attitude is very much that of “we’ll investigate and come to our own conclusion about whether or not these transactions are legitimate.” Banks need to recognize that their customers are the ones who discover fraud, and who bear the greatest burden for the resolution of fraud. Bank customers are banks’ greatest assets in fighting fraud. Why do banks persist in acting as though customers are somehow responsible for fraud? Yes, they may have allowed a sophisticated malware attack to infect their PC leading to fraudulent use of online banking credentials – but if the FBI Director himself gets fooled, doesn’t that show that consumers may be doing all they can do? Criminals are responsible for fraud, not consumers who’ve been fooled.

Statistics about this are hard to come by, however I have a suspicion that banks are benefiting from fraudulent activity way more than they would care to admit. For example, I recently had $3500 of fraudulent airline tickets charged to my account. Thankfully, bank security flagged this on the day the charges were processed and sent me an email which I received on my Blackberry. The following day, I went into my bank to resolve the matter. I was overdrawn and needed to have the fraudulent charges and the $175 of overdraft fees reversed. The manager who helped me had me speak by phone with the bank’s fraud office to get this accomplished. Reversing transactions were put through that took effect on the following business day (a Monday :-)) on a temporary basis until a permanent resolution could be approved by the bank. For this business day the bank had use of my funds, and the net effect on its balance sheet was to overstate the bank’s cash position by $3500 until the availability of funds was restored in my account. The bank knew it was fraud but waited a day to restore my balance. I could not use this money. Multiply this by the thousands (millions?) of transactions that succeed in a similar way against bank customers every day, and you have a rather significant bit of dirty laundry to add to the pile already accumulated next to the banks’ washer in the basement. In short, this incident — together with such things as overdraft fee abuse — illustrates that there is a significant moral hazard involved in banks’ handling of fraud related to their accounts.

This article depends on the premise that widespread use of online banking is a significant positive for the banking industry. I believe this to be true. Banks have achieved significant productivity benefits from implementation of electronic banking measures of all types. But if consumers develop the perception that banks don’t care enough about phishing and malware to really work hard to stop it, then the electronic banking revolution will fade before it reaches its full potential. One thing banks have learned over the decades is that customer perception about banks is very hard to change. And for their part, banks are rather clumsy in their own approaches to developing and managing their brands. If consumers believe that banks are content to let fraud take place and leave customers to pick up the pieces, that could turn into a huge negative that could take years for banks to reverse.

Hiding from the reality of organized phishing and malware attacks by pretending that all is well will not be productive. In the current climate of significant mismanagement of risk by banks (sub-prime mortgages, credit default swaps, etc. – dare I say wrongdoing?) banks should realize that the same old “safety and soundness” message they offer regarding handling of fraud creates a real cognitive dissonance among consumers. The notion that banks play the market like they’re in Vegas, then accept taxpayer bailouts, then pay themselves millions while they place a hold on your money as they “investigate possible fraud” should be killed with a stake through the heart by all banks who care about keeping their deposit base.

Banks should be known as the primary fighters against phishing, malware, and fraud that are out there causing consumers to think twice about using electronic banking services. When consumers are facing financial pressures like never before, banks should be their friend and advocate in fighting fraud, taking much more of a “we’re on your side” attitude. I would argue that if one half of the unneeded and unwanted marketing messages I receive from banks were converted to helpful and empowering messages about information security that would be a good start to improving our chances in the war against phishing, malware and fraud. Perhaps banks should offer a bounty to consumers who identify a fraudulent transaction on their online banking statement. I’d like to see more headlines about banks cooperating with authorities, filing criminal and civil complaints against individuals and organized crime who are engaged in criminal activities. Only when banks, together with the credit card companies, take the lead in this war will we stand any chance of stemming the tide of phishing, fraud and malware.


Financial Trojans: Part 2

It would be nice if the Zeus Trojan, discussed in my previous blog entry, were the only financial Trojan that posed a high level of risk. Alas, this is not true. In fact, many experts consider the URLzone Trojan to be even worse than Zeus. Financial Trojans such as Zeus capture users’ financial information and then rely on individuals to “do the rest of the dirty work.” The more dirty work these individuals have to do, the more likely it is that bank customers will notice that something is wrong, prompting them to report suspicious account activity to the bank. In contrast, the URLzone Trojan is programmed to perform the steps that middlemen in fraudulent banking transactions normally have to carry out, and it also uses a number of stealth mechanisms, thereby making fraud detection more difficult. Once this Trojan infects a system, it gleans the user’s banking information and uses it to transfer funds to the accounts of naïve individuals who have been hired for jobs that superficially appear to be legitimate. These individuals then transfer the money to accounts owned by the perpetrators. Information posted by Finjan indicates that, to avoid fraud detection, each person used to make money transfers is allowed to do so a maximum of two times.
The nature of the money transfers to the hired “mules” varies. Each infected system connects to a server in Ukraine to learn what to do next. It can, for example, be instructed to steadily withdraw small, random amounts of money from the victim’s account so that the withdrawals are less likely to be noticed. Additionally, the Trojan does not attempt to withdraw money when the balance of the victim’s account is zero. Furthermore, URLzone alters online statements by modifying the HTML content rendered by the customer’s browser, so that when users view their statements the fraudulent transactions do not appear. Alternatively, if the fraudulent transactions are listed, the displayed amount for each is less than the amount that was actually transferred. According to anti-virus vendor Finjan, the Internet Explorer (IE) browser has been involved in this fraudulent activity more than any other browser, but other browsers are also susceptible.
URLzone’s method of infecting PCs is anything but spectacular. Perpetrators send messages designed to entice potential victims to visit certain URLs. If users click on the indicated URLs, they reach malicious Web sites with routines that attempt to exploit a range of vulnerabilities. If the routines succeed, they inject the URLzone executable and then start it.
URLzone is taking a terrific toll; it reportedly resulted in nearly 6,600 fraud incidents last month, and was making the equivalent of nearly USD 18,000 per day for the perpetrators. Last August the perpetrators focused mainly on customers of major German banks; the financial loss then was reportedly around the equivalent of USD 400,000.
How long will URLzone go on making all kinds of trouble? No one is sure, but the fact that so many anti-virus tools fail to detect this malicious code has greatly contributed to its success. Count on more variants designed to accomplish a wider range of sordid actions surfacing in the future. And you can also count on the fact that most users whose systems are infected with URLzone will not notice that anything is wrong until the damage is already done.
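The two transfer patterns described above (small, random withdrawals drained steadily from a victim, and each mule account used only a couple of times) are exactly the kind of thing a bank's fraud-monitoring rules can look for on the transaction ledger, independently of what the compromised browser displays. The following is an added example, not code from the original post or from Finjan: it runs two such rules over a constructed set of transfers. The account names, amounts, thresholds and the seven-day window are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfers (not real data):
# (ISO timestamp, paying customer account, receiving account, amount)
SAMPLE_TRANSFERS = [
    ("2009-10-01T09:12:00", "cust-1001", "acct-mule-A", 187.40),
    ("2009-10-01T09:40:00", "cust-1001", "acct-mule-A", 212.15),
    ("2009-10-01T10:05:00", "cust-1002", "acct-mule-A", 349.99),   # second victim paying mule A
    ("2009-10-02T08:30:00", "cust-1001", "acct-mule-B", 95.00),
    ("2009-10-02T11:45:00", "cust-1003", "acct-mule-B", 120.00),
    ("2009-10-03T14:00:00", "cust-1004", "acct-payroll", 2500.00), # ordinary single transfer
    ("2009-10-03T14:10:00", "cust-1001", "acct-mule-C", 77.30),
]

WINDOW = timedelta(days=7)      # assumed look-back window
SMALL_AMOUNT = 400.0            # assumed threshold for a "small" transfer
MIN_SMALL_TRANSFERS = 3         # assumed: three small transfers in WINDOW is suspicious


def parse_row(row):
    """Turn one constructed ledger row into a dict with a datetime."""
    ts, source, dest, amount = row
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "dest": dest, "amount": float(amount)}


def shared_recipients(transfers, window=WINDOW):
    """Rule 1: a receiving account that is paid by two or more distinct
    customers within the window looks like a mule collecting from several
    victims. Returns {recipient: sorted list of paying customers}."""
    by_dest = defaultdict(dict)            # dest -> {source: earliest ts}
    for t in transfers:
        first = by_dest[t["dest"]].get(t["source"])
        if first is None or t["ts"] < first:
            by_dest[t["dest"]][t["source"]] = t["ts"]
    flagged = {}
    for dest, sources in by_dest.items():
        if len(sources) < 2:
            continue
        stamps = sorted(sources.values())
        if stamps[-1] - stamps[0] <= window:
            flagged[dest] = sorted(sources)
    return flagged


def drip_senders(transfers, window=WINDOW, small=SMALL_AMOUNT,
                 min_count=MIN_SMALL_TRANSFERS):
    """Rule 2: a customer making min_count or more small transfers inside
    any window-sized span is being drained in small, hard-to-notice amounts.
    Returns {customer: largest number of small transfers seen in one window}."""
    by_source = defaultdict(list)
    for t in transfers:
        if t["amount"] < small:
            by_source[t["source"]].append(t["ts"])
    flagged = {}
    for source, stamps in by_source.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):          # sliding window over timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            flagged[source] = best
    return flagged


def analyze(rows, window=WINDOW):
    """Run both rules over raw ledger rows and return the findings."""
    transfers = [parse_row(r) for r in rows]
    return {"shared_recipients": shared_recipients(transfers, window),
            "drip_senders": drip_senders(transfers, window)}


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_TRANSFERS).items():
        print(rule, hits)
```

On the constructed data, rule 1 flags `acct-mule-A` and `acct-mule-B` (each paid by two different customers within the window) and rule 2 flags `cust-1001` (four small transfers in three days); the payroll transfer and the single-use `acct-mule-C` produce no hits. Because these rules read the bank's own ledger rather than the statement the browser shows, a Trojan that rewrites the HTML the customer sees does not hide the pattern from them.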


TJX and the Problem of Opportunity Cost

When blogging earlier about the aftermath of the TJX breach, I was reminded of something that happened to me years ago that expanded my perspective in understanding the true cost of information security. I managed a department that included security engineers who operated the global Kerberos-based authentication system for the firm. One day at about 10 AM the system went down around the world. Sessions already logged in were unaffected but no one could log on anywhere on the planet. This is a fairly major outage and potentially a career-limiting one. After about 45 minutes, we were able to restore service and began accounting for the impact from this potentially catastrophic outage. This was a large Wall Street investment bank and as it turned out the most profoundly affected unit included foreign currency futures traders. Had the outage occurred earlier in the day, it would have been much broader and more impactful. We determined that approximately 75 users around the world were affected by their inability to log onto the system. Armed with this information, I went hat in hand to the managing director in charge of this futures trading unit. This is a person who makes about $20 million a year (somewhat more than I made that year 🙂 ). He opened the meeting by saying “Jim, this is a very serious outage and we can’t overestimate the impact of such a service problem on the firm.” I told him I understood this very well and my objective was to try to quantify in dollar terms the actual amount of financial impact that came from this particular outage. We might use this calculation in a variety of ways such as computing the return on investment from an HA cluster or other architectural approach to avoid a global outage in the future.

The managing director reiterated how serious an outage it was and when I pressed him for precise dollar estimates, he said “that morning, when foreign currency traders couldn’t log on they were unable to make certain bets in the marketplace. However, had they been able to make bets, they probably would’ve made the wrong ones given what happened later in the trading day. Therefore, we actually made money from the outage.” I must’ve blinked my lack of understanding because he went on to say “that’s right, had my people been able to log on they would have made the wrong bets and lost money for the bank.”

It’s kind of hard to build this into the computation of the impact of an outage on the economic success of the firm. When we made our own economic estimates later, we simply ignored this incident because including a positive number would have implied that it is possible to make money from having a system outage, which cannot be a feasible financial outcome upon which a high-availability system can be based. We did, however, try to calculate how much the outage might have cost had it come two and a half hours earlier and that was a big number…

This illustrates several problems with the computation of business impact of an adverse incident. Even though statistically there is the possibility that an outage will produce a positive outcome, we ignore those. By rights we should include them as just as statistically significant as the negative outcomes, but our job is to provide protection against the negative outcomes, not the lucky ones.

Justification for information security is heavily biased toward “soft dollars”. Attacks that weren’t successful, outages that didn’t happen, confidence that was improved and lower overhead from improved security interfaces are all quantified based on soft dollars. However, soft dollars don’t put food on the table or money into the shareholders’ pockets. In fact, we always assume that the firm has something useful to do with the money we’d like to spend on information security if for some reason we didn’t need to spend that money. This is what is behind the concept of “internal rate of return.” If TJX had not experienced their breach, what would they have done with the extra earnings they made in 2007 and 2008 after all those customers did not desert them and all of those fines and penalties did not need to be paid? Maybe TJX would have wasted that money on inventory or new stores that would have proved disastrous once the mortgage meltdown and the credit crunch reached their climax. The point is, you have to assume that the money you’d like to invest in security (or any other project for that matter) is precious and would otherwise be put to good use. The way to represent this in an ROI spreadsheet model is to use a middling return on invested capital rather than basing the hurdle rate on the most successful outcomes seen for other projects. By using a middle-range threshold, you build in the chance that some investments will go bad and not pay off. In business school, the joke was that when you asked the professor about the hurdle rate, the answer was that it was a very complex calculation and unique for each different firm or industry, in short, “10%.”

TJX spent tens of millions of dollars on fines, penalties and damages resulting from its breach of more than 40 million credit card numbers in 2007. In addition, it spent a lot more money upgrading its security infrastructure and may in fact have overpaid for those investments because they were made under some duress and perhaps lacked the full architectural thoughtfulness that might have attended less pressure-filled investments. Assuming that excellent security would’ve prevented the breach, one would also have to build in as a benefit to security investments the lost margins, legal fees, and perhaps other softer opportunity costs to add to the total benefit stemming from avoiding a devastating information breach. The stockholders might even like to get some of that stock price back as well.

TJX did not spend the money to have excellent security and instead suffered a breach. We do not know if that decision was based upon an underestimate of the actual costs — including the soft dollar costs — of having a breach or real and pressing investments demanded elsewhere in the business that upstaged security.

There are two important lessons for security leaders and architects from this. The first is that there’s always something else to do with the money when considering making security investments. That consideration is more complex when one considers that oftentimes security is part of the overall IT organization and therefore might not substitute for investments made elsewhere in the firm but for investments in other technologies within IT. During the budgeting and planning process — or during a mid-year reallocation — it’s useful to consider the next project on the list and make certain that the opportunity cost from not investing in that project is appropriately figured into the security investment.

The second lesson is that the more you can drive benefits from the soft dollar side of the equation to the hard dollar side (real revenues, margins, or committed cost savings) the more clear-cut the investment decision becomes. This is not to say ignore or otherwise treat soft dollar benefits as trivial — this would be a mistake especially when such benefits can be quite substantial — but it does focus attention on the challenge of actually capturing the benefits after an investment in security infrastructure. When they are all soft benefits, capturing and documenting financial success is a difficult exercise that can breed cynicism and distrust within the organization when not done well. When two projects under consideration have equal benefits but one is all soft dollar benefits and the other is hard dollar benefits, the hard dollars or higher revenues or committed cost reductions will trump soft dollars every time. Employees who can measure their own value to the organization by the generated profits from their transactions in any given day or month want to see all of the promised benefits from new security infrastructure captured.

We can all think of projects that never reached their full potential. The PKI implementation that never reached full roll-out. The voice-activated password self-service tool that nobody uses. The data from the IDS system that is not aggregated. Etc. These are all projects that were justified on substantial soft-dollar benefits, and they likely had untold opportunity costs beyond their out-of-pocket implementation costs. If the opportunity costs had been included, would we have tried harder to capture the benefits?

Know your opportunity costs. These include the financial costs that we’ve discussed as well as the costs of having people devoted to your project versus other security or non-security priorities. Understanding the depth and character of opportunity costs can significantly improve your ability to justify and win approval for information security projects. It can also galvanize the organization to drive the project successfully and capture the full measure of benefits.
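The post's reasoning (floor lucky outages at zero, discount at a middling hurdle rate such as 10%, keep hard and soft dollars separate, and compare against the next project in the queue) can be written down as a small ROI model. What follows is an added example, not a spreadsheet or figures from the original post: the outage scenarios, the HA-cluster cost figures, the 90% loss-reduction factor, the soft-dollar estimate and the competing project's NPV are all constructed assumptions; only the hurdle rate of 10% comes from the text.

```python
HURDLE_RATE = 0.10   # the "10%" hurdle rate from the post

# Constructed annual outage scenarios: (name, expected occurrences per year,
# financial impact in dollars; a negative impact is the "lucky" outage that
# happened to make money, as in the anecdote above).
OUTAGE_SCENARIOS = [
    ("lucky outage (traders kept from bad bets)", 0.5, -50_000.0),
    ("off-peak outage",                           0.3, 150_000.0),
    ("peak-hours outage",                         0.2, 900_000.0),
]

# Constructed figures for a high-availability cluster proposal.
HA_CLUSTER = {
    "upfront": 400_000.0,      # capital cost in year 0
    "annual_cost": 60_000.0,   # hardware support, staff time
    "years": 5,                # planning horizon
    "loss_reduction": 0.9,     # assumed share of outage losses avoided
    "hard_savings": 0.0,       # committed cost reductions (none assumed)
    "soft_benefit": 50_000.0,  # assumed yearly soft-dollar value (confidence, etc.)
}

NEXT_PROJECT_NPV = 90_000.0    # constructed NPV of the next project in the queue


def expected_annual_loss(scenarios, floor_gains=True):
    """Annualized loss expectancy. With floor_gains, a scenario that made
    money counts as zero loss: the post's point is that HA cannot be
    justified on the chance that an outage turns out lucky."""
    total = 0.0
    for _name, annual_rate, impact in scenarios:
        if floor_gains and impact < 0:
            impact = 0.0
        total += annual_rate * impact
    return total


def npv(rate, cashflows):
    """Net present value; cashflows[0] is year 0 (undiscounted)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cashflows))


def irr(cashflows, lo=0.0, hi=1.0, iters=100):
    """Internal rate of return by bisection. Assumes npv(lo) > 0 > npv(hi),
    which holds for a single upfront cost followed by positive inflows."""
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if npv(mid, cashflows) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def evaluate(investment, scenarios, next_project_npv, hurdle=HURDLE_RATE):
    """Build hard-dollar and hard-plus-soft cash flows for the investment,
    discount them at the hurdle rate, and check both the hurdle and the
    opportunity cost of the project it would displace."""
    eal = expected_annual_loss(scenarios, floor_gains=True)
    hard_benefit = eal * investment["loss_reduction"] + investment["hard_savings"]
    net_hard = hard_benefit - investment["annual_cost"]
    net_all = net_hard + investment["soft_benefit"]
    years = investment["years"]
    flows_hard = [-investment["upfront"]] + [net_hard] * years
    flows_all = [-investment["upfront"]] + [net_all] * years
    npv_hard = npv(hurdle, flows_hard)
    return {
        "expected_annual_loss": eal,
        "npv_hard": npv_hard,
        "npv_with_soft": npv(hurdle, flows_all),
        "irr_hard": irr(flows_hard),
        "clears_hurdle": npv_hard > 0,
        "beats_next_project": npv_hard > next_project_npv,
    }


if __name__ == "__main__":
    for key, value in evaluate(HA_CLUSTER, OUTAGE_SCENARIOS, NEXT_PROJECT_NPV).items():
        print(f"{key}: {value:,.2f}" if isinstance(value, float) else f"{key}: {value}")
```

With the constructed numbers the floored loss expectancy is $225,000 a year (it would be $200,000 if the lucky outage were allowed to offset the others), the hard-dollar NPV at 10% is roughly $140,000 with an IRR near 23%, and the proposal both clears the hurdle and beats the displaced project on hard dollars alone. Adding the soft-dollar line raises the NPV considerably, which is exactly why the post warns that a case resting only on that line is the one that later proves hard to document.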


Financial Trojans: Part 1

The fact that such a large percentage of today’s malware is authored by individuals with profit motives is no secret. What may not be quite so obvious, however, is the way this software has changed over the last few years. Much of the malware written just a few years ago captured all keystrokes or even all traffic (keystrokes, mouse movements, graphic images, and more) going in and out of a computer system. Perpetrators had to comb through a volume of captured data to find what they were looking for. What is genuinely novel about the latest round of malware is that it is more efficient in that it is designed to steal only financial information. Financial Trojans are in fact rapidly becoming one of the greatest if not the greatest current kind of information security threats.

One of the best examples is the Zeus Trojan, also called LDO8, LDnn.exe, LD12.exe, PP06.exe, PP08.exe, Zbot, NTOS, WSNPOEM and PRG. Zeus is designed primarily to steal credentials associated with numerous network services. Once it infects a Windows system, it monitors user activity, particularly logons to Web sites of certain banks and other financial institutions, but also other types of activity such as sending and receiving email. If it detects such activity, it captures the information and relays it to a remote host. Zeus variants also inject HTML content containing among other things URLs of targeted banking and financial sites into pages that browsers render.

Spread primarily through email messages and “drive-by downloads,” Zeus also incorporates a number of measures designed to avoid detection. It encrypts the configuration files that it creates in infected systems. Additionally, it has a very small footprint—only between 40 and 150 KB. And perhaps most significantly, perpetrators who use Zeus have ostensibly been very careful concerning systems to infect. Anti-virus vendors and researchers operate honeynets to detect malware, but Zeus has to a large extent evaded honeynets. When Zeus has been detected, another variant with somewhat different characteristics typically surfaces. According to Trusteer, a malware detection and eradication company, typical anti-virus software detects a dismal 23 percent of all Zeus infections.
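The HTML injection described above (extra content appearing in bank pages only in the infected browser) leaves a detectable trace: the page the bank served and the page the customer's browser actually rendered no longer agree. The following is an added example, not code from the original post or from any vendor named in it: it fingerprints the form fields, script sources and form targets of two constructed HTML documents and reports what the rendered copy has gained. It assumes the bank has some way of obtaining the rendered copy, for instance a page-integrity script that reports the DOM back to the server, and that assumption is the weak point, since a Trojan that already controls the browser can tamper with the reporter too, so this is an aid to detection rather than a guarantee.

```python
from html.parser import HTMLParser

# Constructed login page as served by the bank (not a real site).
AS_SERVED = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<script src="/static/app.js"></script>
"""

# Constructed copy of the same page as rendered in a tampered browser:
# two extra fields asking for card data and one foreign script.
AS_RENDERED = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="card_number">
  <input type="password" name="atm_pin">
  <input type="submit" value="Sign in">
</form>
<script src="/static/app.js"></script>
<script src="http://injected.invalid/inject.js"></script>
"""


class PageFingerprint(HTMLParser):
    """Collect the security-relevant skeleton of a page: which inputs a form
    asks for, where forms post to, and which external scripts run."""

    def __init__(self):
        super().__init__()
        self.inputs = set()        # (name, type) pairs
        self.scripts = set()       # external script URLs
        self.form_actions = set()  # form submission targets

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            self.inputs.add((a.get("name", ""), a.get("type", "text")))
        elif tag == "script" and a.get("src"):
            self.scripts.add(a["src"])
        elif tag == "form":
            self.form_actions.add(a.get("action", ""))


def fingerprint(html):
    """Parse one HTML document and return its PageFingerprint."""
    fp = PageFingerprint()
    fp.feed(html)
    fp.close()
    return fp


def compare_pages(served_html, rendered_html):
    """Report everything present in the rendered page that the served page
    never contained. Missing elements are not reported here: a Trojan that
    hides statement rows is a separate check against the ledger itself."""
    served = fingerprint(served_html)
    rendered = fingerprint(rendered_html)
    return {
        "added_inputs": sorted(rendered.inputs - served.inputs),
        "added_scripts": sorted(rendered.scripts - served.scripts),
        "changed_form_actions": sorted(rendered.form_actions - served.form_actions),
    }


if __name__ == "__main__":
    for finding, items in compare_pages(AS_SERVED, AS_RENDERED).items():
        print(finding, items)
```

On the constructed pages the comparison reports two injected inputs (`atm_pin` and `card_number`) and one injected script source, and nothing at all when a page is compared with itself. A bank would raise an alert on any non-empty result, and in particular on a password-type field that its own templates never defined.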

Lamentably, the Zeus Trojan is just one of numerous new banking Trojans. It will also by no means be the last. But what is perhaps worst about Zeus is that it is commercially available—worldwide. Anyone willing to pay the purchase price can purchase Zeus and then install it in systems at will. Presumably, law enforcement around the world is monitoring Zeus purchase sites, but there is no indication whatsoever that arrests of individuals who download this malware are being made. Are those who download Zeus simply malware researchers? Some undoubtedly are, but I also suspect that many are not. In countries such as Germany downloading programs of this nature is illegal, yet German law enforcement appears to be “sitting on its hands.” What will it take for law enforcement to take a more active role concerning the use of Zeus? I suspect that the answer is a greater amount of financial loss. Until then, all we can do is stand by and hope for the better.
