Wednesday, 22 May 2013

#DDoSjoke

Brian Krebs recently wrote articles about a disturbing trend: legitimized Denial of Service. The first story, DDoS Services Advertise Openly, Take PayPal,  exposes the emerging industry. The second story, Ragebooter: ‘Legit’ DDoS Service, or Fed Backdoor?, relates an interview with Justin Poland, who admits to operating this DDoS Service and who claims that the site "includes a hidden backdoor that lets the FBI monitor customer activity." (This admission, if corroborated, partly answers my question, "if denials of service are not illegal, then why the hell not!")

I read Brian's articles, then found a referrral article at Sophos, DDoS-for-hire service is legal and even lets FBI peek in, says a guy with an attorney. Running a business based on disrupting other businesses is anethema to me, but for whatever reason, the image of  "a guy with an attorney" gnawed at my imagination and I could not help but construct and post a DDoS joke to Twitter.  Transcribing it here:

A guy with an attorney DDoSs a bar.

The bartender asks "Is this legal?"

Guy says "Pour me a beer and I'll tell you".

Bartender replies "I reserve the right to deny you service."

Attorney says "Are you one of my clients?"

It was either this or return to bed sobbing...

 

 

Posted by at 11:46 AM in All matters security | | Comments (0)

| |

Thursday, 09 May 2013

Top Takeaway from the WhiteHat Website Security Statistics Report (May 2013)

WHWebStats

WhiteHat Security surveys customers and examines terabytes of data collected from websites and applications it monitors to annually produce a report that concentrates on unknown vulnerabilities in custom Web applications. Custom has the same meaning here as a "custom made suit": organizations may operate websites using commercial or open source operating systems, web server software and content management systems, but nearly every site of meaningful size has code that is unique to that organization.

Unique code doesn't necessarily translate to unique vulnerabilities: software developers worldwide make similar assumptions, use similar dev languages and tools... and being human, some make errors in logic, poor or uninformed assumptions about program execution or user behavior, and test in haste or without rigor. These are the causes of unknown vulnerabilities that attackers discover and exploit. 

While much of the WhiteHat Security's Report is devoted to sharing the numbers - and most of the numbers are unsurprising confirmations of what OWASP reports or what front line infosec professionals see every day - the WhiteHat Security team looks past the numbers, consider factors that are not always obvious to audiences of this kind of report, and most usefully, share their opinions. Read the Report, not just the Executive Summary. Perhaps you'll conclude, as I did, that this one finding is the important takeaway if you want improve your website security profile:

What's needed is secure software NOT more security software

Not a believer? If your organizations' strategy to prevent leakage, exploitation or abuse relies on deploying firewalls and intrusion detection systems, consider these findings:

  • Organizations that provide software security training had 40% fewer vulnerabilities and resolved them 59% faster.
  • Organizations that use web application firewalls had 11% more vulnerabilities and resolved them 8%  slower.
  • Organizations that make use of application libraries or frameworks to centralize and enforce security controls experienced 64% more vulnerabilities, resolved them 27% slower.

Those who read the Report will note that I've discounted remediation rate when citing findings. As the Report notes, developers have little control over which bugs are fixed or when. These decisions are made based on other business considerations and in my opinion lend little to this conversation; in particular, I suggest you see how your organization fares as you read the section entitled Factors Inhibiting Organizations from Remediating Vulnerabilities.

I'm not suggesting that you toss security software and systems aside and only invest in software security training and disciplined secure code development. I am suggesting that (a) here's good evidence that you ought to invest in software security training and (b) if you want to improve website security, you must recognize that security software and systems at best provide complementary measures. These are additional lines of defense at best; at worst, they sap talent and funding away from secure software projects.

Custom application code is the primary target for website attackers. Focus your security budget on mitigating this problem.

Still not convinced? The Report also finds that organizations whose web site experienced a data or system breach as a result of an application layer vulnerability had 51% fewer vulnerabilities and resolved them 18% faster.

While there is still nothing that makes believers quicker than a breach, you can wait until you become a victim or use this Report and begin to effect change.

Note: I want to thank Jeremiah Grossman for taking time to respond thoroughly and candidly to questions I had after my first read of the Report.

Posted by at 02:49 PM in All matters security, Web/Tech | | Comments (0)

| |

Wednesday, 08 May 2013

Are Party Affiliation and Educational Social Impact Related?

U.S. politics are dominated by two parties: Republican and Democrat. Republicans are popularly perceived as believing in having a small Federal government and empowering state governments, whereas Democrats are popularly preceived as believing that a larger Federal government is better suited to ensuring that all Americans receive the same (equal) benefits of a governed nation.

Montana State University Billings examined Montana school quality in response to a less than enthusiastic reaction by Montana educators to a Thomas Fordham Foundation ranking of state education quality. For their study, the MSU Billings folks compared fiver measures of education quality: Teacher Quality, Education Input, Education Output, Education Social Impact, and Education Efficiency.

Of these, the measure that might lend some insight or at least lively discussion about education and party affiliation seems to be Education Social Impact, which is derived from the standardized average of: (1) per capita income, (2) percent of population with college degrees, and (3) the average number of books checked out of libraries per capita. This is the only measure among the five that considers the voter age population, an adult education outcome and (my interpretation) a measure of a desire to be literate and informed (i.e., read books).

This table takes the ranking of states by Education Social Impact, and then notes the party that each state voted for in the 2012 Presidential Election, the party that currently holds the governor's seat, and the party that has a majority in the state legislature.

As an exercise for the reader, open Excel and repeat this exercise using the rankings according to  Education Efficiency ("Bang-per-buck" in education spending). The ranking, while not quite inverted, is very different. The MSU Billings makes an observation in defense of Montana that seems to apply more broadly:

"The positive outputs of the state education system... have not manifested themselves in increased positions that will attract college graduates or in corresponding incomes."

This may not be exactly the same as saying, "give 'em a good education and they move to a liberal state" - but it's close.

Posted by at 10:00 AM in Personal | | Comments (0)

| |

Monday, 29 April 2013

Highlights from the APWG Global Phishing Survey 2H2012

Colleagues Greg Aaron (Illumintel) and Rod Rasmussen (Internet Identity) have published another comprehensive survey on phishing patterns, behavior and impact. With Greg's permission, I'm posting his summary of highlights from the Report.

The APWG Global Phishing Survey Report (2H2012) contains key stats and analysis for the time period July-December 2012, including what top-level domains were used, phishing site uptimes, and at what registrars phishers registered domain names.  

Highlights from the Report:
 

  • Attacks made by compromising virtual hosting accounted for 47% of all phishing attacks in the period.  Breaking into hosting providers has been a high-yield activity of the bad guys, since it allows them to mount phish on hundreds of domains at a time.   Those compromised sites also have higher reputations than new domains.   This activity fits into a larger criminal trend: the targeting of shared hosting environments (notably WordPress, cPanel, and Joomla installations) to create botnets, wage DDoS attacks, etc. (pages 5-6)
  • The number of domain names registered by phishers has dropped by 60% since 2011.   Instead, phishers are using alternatives that are more attractive – such as those mass compromises on shared hosting platforms,  and registering subdomains -- which can be cheap and are often not well-managed by their registrar/registry.   Phishers registered more subdomains than “regular” domain names (pages 16-17).

  • On the other hand, Chinese phishers generally prefer to make domain registrations, as they continue their attacks on Chinese targets such as Taobao.com and CCTV.   Some Chinese phishers are also going after gaming site Battle.net a lot.  A set of small Chinese registrars has prevalent phishing registrations (pages 14-15).

 Skeptic: The report, as always, is well worth reading and sharing.

Posted by at 05:02 PM in Anti-Malware and Anti-phishing, Domain names and DNS | | Comments (0)

| |

Next »

Search

My Photo
The Skeptic's email address

Categories

Recent Posts

Worth A Look

The Skeptic recommends:

Fred Avolio's Blog
Anton Chuvakin's Blog
CyberCrime & Doing Time
Jeff Jonas' Blog
Krebs on Security
Paul Melson's Blog
MooSoft Musings
Lisa Phifer's WLAN CORner
Marcus Ranum's Website
Security Bloggers Network
Stop.Think.Connect.
Silver Tail Blog
Schneier on Security
Newsodrome - Security News
BlogCatalog
Related Posts Plugin for WordPress, Blogger...