Ranum's Rants

Ranum's Rants - The Anatomy of Security Disasters

by Marcus J. Ranum on March 26, 2009

(PDF version of this is available from my personal website, PDF of Powerpoint handouts from Source Boston 2009)

Introduction: Truth

Since I started in security, 20 years ago, "they aren't taking security seriously" has been the constant complaint of the security expert. Even in organizations where security is taken seriously, it has been at the expense of living in a constant relationship of opposing management or other business units. Some of us enjoy the strife; most don't. In fact, most of us enjoy being employed more than we enjoy being right.

AfterBites - Man Must Decrypt Hard Drive

by Marcus J. Ranum on March 8, 2009

The original article:

--Judge Says Man Must Decrypt Drive (February 26 & March 3, 2009) A federal judge has ruled that a man suspected of having child pornography on an encrypted drive on his laptop computer is not protected by the Fifth Amendment. US District Judge William Sessions ruled that Sebastien Boucher surrendered those rights when he allowed his laptop to be searched the first time, and ordered Boucher to provide the court with an unencrypted version of the drive in question. The ruling reverses an earlier decision in which a judge ruled that Boucher was protected from incriminating himself under the Fifth Amendment. The original request from the US Department of Justice had been to make Boucher surrender his encryption passwords; the appeal asked only that he decrypt the drive in view of the grand jury. Boucher's laptop was searched in December 2006 while crossing the border into the US from Canada. Agents claim to have seen the offending content, then shut down the computer. When they tried to access the images after Boucher's arrest, they were unable to because of his PGP program.
http://news.cnet.com/8301-13578_3-10172866-38.html?tag=pop
http://www.theregister.co.uk/2009/03/03/encryption_password_ruling/
http://www.wcax.com/Global/story.asp?S=9909241

There are several things about this particular article that really bother me - and they're all about the rights of citizens to be free of government interference.

AfterBites: Incident Reporting and Science 101

by Marcus J. Ranum on February 21, 2009

I need to preface this with a disclaimer: I am not criticizing SANS for carrying the article. It's instructive, and that's always useful. I wish, however, that technology journalists were a bit more skeptical or clueful - and - as they say, "that's our story."

The article:

Reports of Cyber Incidents on the Rise (February 17, 2009) The number of cyber security incidents at federal civilian agencies reported to the US Department of Homeland Security's US-CERT has tripled since 2006. In fiscal 2008, 18,050 incidents were reported, compared with 12,986 in fiscal 2007 and 5,144 in fiscal 2006. Agencies are required to report cyber security incidents under the Federal Information Security Management Act (FISMA); such incidents include unauthorized access, denial of service, malicious code, improper use, scans, probes and attempted unauthorized access. The significant increase over the last several years can be attributed to both an increase in malware and a heightened awareness of and ability to detect incidents.
http://fcw.com/Articles/2009/02/17/CERT-cyber-incidents.aspx
http://www.usatoday.com/news/washington/2009-02-16-cyber-attacks_N.htm

And

Small Businesses Want Centralized Cyber Incident Reporting Organization (February 19, 2009) A report from the Federation of Small Businesses says that 54 percent of small businesses have experienced fraud or cyber crime over the last year. Although more than one-third of respondents do not report the incidents to police or to banks because they believe it would not make a difference, 53 percent of those surveyed would like specific information about how and where to report the incidents. Eighty-five percent of respondents said that they would make use of organizations established specifically to gather the information and use it to combat fraud. The average annual cost of cyber crime and fraud to small businesses in the UK is GBP 800 (US $1,140).
http://www.scmagazineuk.com/Small-businesses-hit-by-cybercrime-do-not-in...
http://www.theregister.co.uk/2009/02/19/cybercrime_small_business_survey/

Let's start with the second article first, because it's less interesting. The headline should have said "UK small businesses" but that's a minor detail. Does this set off your stealth marketing alarm? It pegged the needle on mine; so I'd like to make a prediction: someone is out beating the bushes, right now, to start up that reporting center. Let's see if I'm right and, within the next year, someone announces that they're either member-funded (in which case they will quickly vanish) or government-funded and are offering that capability. Those of you who've been around information security since the early 1990s will remember the spectacular rise and fall of break-in reporting in the US, with attrition.org, CERT, and CSI/FBI publishing various statistics that meant - uh - various things. Usually, what they meant, to me, was "security reporting is a hard problem." ... And that's the topic of the first article.

AfterBites - 160 Illustrations of Transitive Trust

by Marcus J. Ranum on February 16, 2009

The article:

Number of Banks Affected By Heartland Breach: 160 and Growing (February 6 & 12, 2009) According to the Bank Information Security website, nearly 160 financial institutions have acknowledged that they were affected by the Heartland Payment Systems data security breach. Banks in 40 US states as well as in Canada, Bermuda and Guam have reported that some of their customers' cards were exposed. It is not known how many card accounts were compromised; Heartland says it processes 100 million transactions a month.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&...
http://www.bermudasun.bm/main.asp?SectionID=24&SubSectionID=270&ArticleI...
http://www.theregister.co.uk/2009/02/12/heartland_data_breach_latest/
http://www.bankinfosecurity.com/articles.php?art_id=1200&opg=1

One of the underlying realities of computer security is the problem of transitive trust.

AfterBites: Cyberwar Hypewatch

by Marcus J. Ranum on February 11, 2009

The article:

--German Magazine Says Armed Forces Establishing Cyber Warfare Unit (February 9, 2009) German magazine Der Spiegel reports that the country's armed forces are in the process of establishing a unit dedicated to cyber warfare. The unit will take on responsibility for protecting German IT infrastructure from attacks as well as conduct reconnaissance and interventions on foreign and "enemy" computer networks.
http://www.heise-online.co.uk/news/Report-claims-German-armed-forces-set...

I'm sure there are lots of countries setting up "cyberwar" units. Why? Because they're so very, very l33t!

AfterBites: Parking Ticket Social Engineering

by Marcus J. Ranum on February 6, 2009

(This column is one of what I am going to call "afterbites" - extended random commentary on topics raised in SANS' Newsbites column. As some of you know, I am one of the volunteer editors/commenters on the weekly Newsbites and it probably won't surprise you to discover that sometimes the discussions we have on the editors' mailing list can get - interesting. Usually, there's not enough space to rant at length, so I'm going to periodically fire unaimed salvoes from the safety of my blog, here.)

The story:

Parking Tickets as Cyber Attack Social Engineering Vector (February 4 & 5, 2009) Cyber criminals in Grand Forks, North Dakota planted phony parking violation notices on cars. The notices direct the users to a website for more information, which leads the users through a set of links that downloads malware onto their computers. That malware then urges users to download an anti-virus scanner that is worthless.
http://www.techweb.com/article/showArticle?articleID=213200005&section=News
http://news.bbc.co.uk/2/hi/technology/7872299.stm
http://isc.sans.org/diary.html?storyid=5797

A few years ago, I was sitting in a hotel bar at a security conference, matching my tequila-drinking skills against all comers, when we got to discussing the next generations of identity theft attacks. One of the ideas I suggested was related to what we see above, and I'm really unhappy to see that The Bad Guys are showing no sign of stopping their creative engines.

AfterBites: My Hospital Robo-Surgeon Has a What?

by Marcus J. Ranum on February 3, 2009

(This column commences what I am going to call "afterbites" - extended random commentary on topics raised in SANS' Newsbites column. As some of you know, I am one of the volunteer editors/commenters on the weekly Newsbites and it probably won't surprise you to discover that sometimes the discussions we have on the editors' mailing list can get - interesting. Usually, there's not enough space, nor would it be appropriate for the editors to engage in hand-to-hand combat, so I'm going to periodically fire unaimed salvoes from the safety of my blog, here.)

The story:

--London Hospitals' Worm Infection "Entirely Avoidable" (February 2, 2009) A review of the worm infection that affected three London hospitals last November found that the incident was "entirely avoidable." The Mytob worm infected 4,700 PCs at St. Bartholomew's, the Royal London Hospital in Whitechapel and The London Chest Hospital; as a result, some ambulances were rerouted and some recordkeeping had to be done with pen and paper. While administrative systems were running again within three days, it took two additional weeks to scan all the machines to ensure they were clear of infection. The review determined that the initial infection resulted from misconfigured anti-virus software and spread so widely due to a decision by administrators to disable security updates because they had caused some computers to reboot while surgery was underway.
http://www.theregister.co.uk/2009/02/02/nhs_worm_infection_aftermath

There is so much wrong with this picture that it's hard to know for sure where to start. "Ambulances rerouted" could be extremely unpleasant if you were, say, waiting patiently for help after a car crash, or something. "Recordkeeping with pen and paper" is, perhaps, a useful survival drill. The part that makes my blood run cold is "caused some computers to reboot while surgery was underway."
I know that if I were a patient and heard the distinctive "cdrom-whirr, beep" of a computer rebooting, I would leap off the table and make a bloody trail toward the taxi stand, if I had working legs.

Marcus Ranum PaulDotCom Interview on Penetration Testing

by Ron Gula on December 14, 2008

Tenable's CSO, Marcus Ranum, was recently interviewed on the PaulDotCom Security Weekly podcast. They discussed a wide range of topics regarding penetration testing, secure coding, Marcus's "6 Dumbest Ideas" in computer security and much more. Full PaulDotCom show notes. Direct link to the show's MP3 audio recording. Tenable podcast and slides on Marcus's "6 Dumbest Ideas in Computer Security" presentation from 2006. Very cool image of Marcus Ranum demonstrating cutting edge computer security practices.

CSO Online interview with Marcus Ranum

by Ron Gula on November 11, 2008

Tenable's Chief Security Officer, Marcus Ranum, was recently interviewed by CSO Online for their "What Happens Next" security predictions series. Previous interviews included Whit Diffie, Chris Hoff and many other security experts. Read the full interview here.

Cyberespionage (Part III of a series)

by Marcus J. Ranum on September 19, 2008

Hello again! In my last column, we looked at cyberterror and puzzled aloud about "if it's so horrible, why isn't it happening?" In this episode, we're going to tackle the most straightforward aspect of cyber-badness: espionage. While it's straightforward, it scares me more than any of the other cyber-badness. This series of columns is based on a set of talks I gave as the keynote for IDC's CEMA Security Roadshow in 2008, with additional material and commentary. As always, I welcome constructive feedback at mjr@tenablesecurity.com.

CyberEspionage

Perhaps the salient point about espionage -...