Archiv der Kategorie: Forschung

Internet security by numbers

English, Zahlenspiele

For the collectors and slide producers among you:

SANS Cyber Security Survey 2009
The survey found that Web server-side applications are the target of more than 60% of all Internet attacks and that “Web application vulnerabilities such as SQL injection and cross-site scripting flaws in open source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most Web site owners fail to scan effectively for the common flaw.” http://www.sans.org/top-cyber-security-risks/

(See Making Sense of the SANS “Top Cyber Security Risks” Report at The New School of Information Security for a critique of the report.)

X-Report von IBM 2009
According to the report, criminals are leveraging insecure Web applications to target users of legitimate Web sites. These attacks intended to steal and manipulate data and take command and control of infected computers. The report states that SQL injection attacks rose 50 percent from Q4 2008 to Q1 2009 and then nearly doubled from Q1 to Q2.
http://www-935.ibm.com/services/us/iss/xforce/trendreports/

Sophos Security Threat 2009
23,500 new infected webpages are discovered every day. That’s one every 3.6 seconds, four times worse than in 2007.

http://www.sophos.com/sophos/docs/eng/papers/sophos-security-threat-report-jul-2009-na-wpus.pdf

Swiss Cheese Security

Classifier Security Model, English, Forschung, IT, Security, Unterwegs, , , , ,

I’m off for the New Security Paradigms Workshop in Oxford, where I will present what I currently call the Swiss Cheese security policy model. My idea is to model security mechanisms as classifiers, and security problems in a separate world model as classification problems. In such a model we can (hopefully) analyze how well a mechanism or a combination of mechanisms solves the actual problem. NSPW is my first test-driving of the general idea. If it survives the workshop I’m going to work out the details. My paper isn’t available yet; final versions of NSPW papers are to be submitted a few weeks after the workshop.

Production-safe Testing

English, IT, Safety, Security, Testlabor, , , , , ,

[See only posts in English]

Software testers increasingly have to deal with production systems. Some tests make sense only with production systems, such as Nessus-style vulnerability scanning. And an increasing number of systems is hard to reproduce in a test bed as the system is really a mashup of services, sharing infrastructure with other systems on various levels of abstraction.

Testing production systems imposes an additional requirement upon the tester, production safety. Testing is production-safe if it does not cause undesired side-effects for the users of the tested or any other system. Potential side effects are manifold: denial of service, information disclosure, real-world effects caused by test inputs, or alteration of production data, to name just a few. Testers of production systems therefore must take precautions to limit the risks of their testing.

Unfortunately it is not yet very clear what this means in practice. Jeremiah Grossman unwittingly started a discussion when he made production-saftey a criterion in his comparison of Website vulnerability assessment vendors. Yesterday he followed up on this matter with a questionnaire, which is supposed to help vendors and their clients to discuss production-safety.

The time is just right to point to our own contribution to this discussion. We felt a lack of documented best practice for production-safe testing, so we documented what we learned over a few years of security testing. The result is a short paper, which my colleague and co-author Jörn is going to present this weekend at the TAIC PART 2009 conference: Testing Production Systems Safely: Common Precautions in Penetration Testing. In this paper we tried to generalize our solutions to the safety problems we encountered.

The issue is also being discussed in the cloud computing community, but their starting point is slightly different. Service providers might want to ban activities such as automated scanning, and deploy technical and legal measures to enforce such a ban. They have good reason to do so, but their users may have equally good reason to do security testing. One proposal being discussed is a ScanAuth API to separate legitimate from rogue scans. Such an API will, however, only solve the formal part of the problem. Legitimate testing still needs to be production-safe.

Car-Security

English, Erich fragt, Forschung, Freundlich zum Nutzer, Safety, Security, Vertrauen

Yesterday I visited the CAST-Workshop on mobile security for intelligent cars, which ended with a very interesting discussion that illustrated the complexity of the problem and raised many interesting questions. First the speakers gave a good overview over the main research areas and important projects like Evita or SIM-TD, which is said to be the biggest field test world wide, that focusses on car-2-x-communication. Everybody agreed on the main distinctions (Safety vs. Security; in-car communication, car2car communication, etc.) and privacy issues were the main topic. As Frank Kargl  from the University of Ulm pointed out, the car has a strong connection to its owner and its movements might tell a lot about the individual. Already privacy concerns have entered the car world, because navigation tools send home gps information and companies like Tom Tom generate a large data collection.

Car-Security weiterlesen

50 Euro

Preisschild, Zahlenspiele

Falls das stimmt, ist es überraschend. Wir machen uns Sorgen über den möglichen Handel mit personenbezogenen Daten, während die bösen Jungs ihr Geld mit Online-Spielen verdienen:

»Für gekaperte Onlinespieler-Profile blättern Kriminelle derzeit jeweils bis zu 50 Euro hin. Das haben Experten vom Unternehmen G Data aus Bochum ermittelt.

Sie beobachteten im Juni und Juli die Aktivitäten auf dubiosen Börsen im Internet, wo die Accounts gehandelt werden. Am lukrativsten ist es demnach, Profile bei der Onlinespiele-Plattform Steam zu knacken. Aber auch Accounts von ‹World of Warcraft›-Spielern wurden für bis zu 30 Euro angeboten.«

(LVZ, n-tv, SZ)

Formal fällt auch ein solches Profil unter den Begriff der personenbezogenen Daten. Aber Hand aufs Herz, wessen Phantasie hat so weit gereicht, die scheinplausiblen Szenarien des Datenmissbrauchs zu verwerfen und an so etwas zu denken? Meine jedenfalls nicht. Wir brauchen dringend objektive Maßstäbe für den Schutzbedarf sowie Methoden zum Risikomanagement, die tatsächlich das Risiko einschätzen.

Strategischer Datenverlust

Archivierung, Forschung, Fundbüro, Risiko, Security

Ob das eine großer Vertuschung ist oder nur eine aufgeblasene Nebensächlichkeit, möchte ich nicht beurteilen, ebenso wenig ob es sich um Schlamperei oder Absicht handelt:

»The world’s source for global temperature record admits it’s lost or destroyed all the original data that would allow a third party to construct a global temperature record. The destruction (or loss) of the data comes at a convenient time for the Climatic Research Unit (CRU) in East Anglia – permitting it to snub FoIA requests to see the data.«

(The Register: Global Warming ate my data)

Eine interessante Anregung zum Risikomanagement ist es allemal. Vielleicht ist der erwartete Schaden ja geringer, wenn die Daten einfach weg sind.

Spione und Nähkästchen

Datenschutz, Erich fragt, Fundbüro, Geschäft, Propaganda, Regierungsviertel, Risiko, Sicherheitshinweise, Studien, Zahlenspiele

Das schöne am digitalen Diebstahl ist ja, es fehlt den betroffenen nix. Wenn aber in die Firma analog eingebrochen wird und die Diebe ignorieren offensichtliche Wertgegenstände wie Bildschirme,  dann war’s vielleicht ein Datendieb.  Woran man einen Griff in die Datenkasse des eigenen Unternehmens bemerken kann, erzählt Wilfried-Erich Kartden von der Spionageabwehr  des Innenministeriums von NRW in der aktuellen IT-Sicherheit. Im Wikipedia-Stil trennt er erstmal zwischen Wirtschaftsspionage (staatliche Aktivitäten) und Konkurrenz-/Industriespionage (Spionage durch Unternehmen). Nach einem Exkurs über korrupte Übersetzer, Bauarbeitern mit WLAN-Routern und Keylogger-Funde kommt die Existenzberechtigungsstatistik von Corporate Trust (2007): 35,1 Prozent der deutscheun Unternehmen glauben, sie seien schon Opfer von Wirtschaftsspionage geworden. 64,4 Prozent hätten auch einen finanziellen Schaden zu verzeichnen. Die Schäden reichen von 10.000 bis 1 Millionen und das Wichtigste – die Schadensfälle steigen – laut Umfrage um 10 Prozent pro Jahr.  Sagt alles wenig aus, hört sich aber gut an.

Spione und Nähkästchen weiterlesen

SOX – the new security standard

English, Forschung, Freundlich zum Nutzer, Fundbüro, Gadget, Propaganda, Security

Sock security has been troubling me for a long time. Endless sundays I have spent with the fight against the single sock syndrom. But those days are over. Thanks to a colleague I have discovered sockstar, the revolutionary tool to improve the lower department of your wardrobe-BCM – a simple thing that just does what it should, if you manage to integrate it into your business processes… [end of commercial] http://www.sockstar.de/