Tuesday, 8 April 2014

Windows XP Put to Rest; The Beginning of "Forever Days"?

Microsoft will no longer provide software updates and technical support for Windows XP as of April 8, 2014. The end of Windows XP support should not come as a surprise to most users: Microsoft has a long history of ending support for variations of its operating systems. Although the company published a lifecycle chart showing the anticipated end-of-support dates for its operating systems, and despite the somewhat feverish rush to upgrade systems in many industries, Websense Security Labs telemetry indicates that XP is still widely deployed. Research suggests that Windows XP remains the second most popular operating system globally.
What does this mean for the threat landscape?
Any complex piece of software will contain vulnerabilities for cybercriminals to exploit. Operating systems and their associated applications are particularly prone to vulnerabilities because:
1.   It is incredibly challenging to conduct testing on all code routes due to the sheer complexity and vastness of the code.
2.   After a vulnerability is identified, a fix needs to be created and deployed as a patch.
Malware authors often look to discover vulnerabilities before software vendors or the security community are aware of them; exploits for such flaws are known as zero-day exploits. Microsoft has been enhancing, updating and supporting Windows XP for close to 13 years. Over time, the industry identified hundreds of Windows XP common vulnerabilities and exposures (CVEs), including a new zero-day last week, which allowed remote code execution on Windows XP through a rich text format (RTF) file.
I am sure we will continue to see new Windows XP vulnerabilities. Previously, the only way to address Windows XP vulnerabilities was through the updating and patch process. Now that important line of defence is gone: with Microsoft ending support for Windows XP, those patches will not be available.
Opportunistic cybercriminals have shown a penchant for pwning the low hanging fruit. If XP is the fruit, after April 8 this plum is effectively sitting on the ground. End-of-support means no new software updates. The term "forever-day" reflects the fact that zero-day vulnerabilities will remain unpatched forever more.
Websense Security Labs Recommendation
We have always recommended that organisations not rely on software patches alone to protect themselves. We highly recommend upgrading your operating system at your earliest convenience.
Malware authors know that businesses and consumers are still running Windows XP. These systems are especially vulnerable after April 8. We don't expect malware authors to unleash exploit code targeting these zero-days in the first few days after April 8. Instead, we believe they will wait to release exploit code selectively (think targeted attacks) and gradually (over a period of years).
The Websense Security Labs will continue to monitor for developments related to Windows XP, including monitoring for new zero-day exploits and vulnerabilities. Please follow us on Twitter (@websense and @websenselabs). Also check out the Websense Security Labs' blog for breaking research alerts and further details of how Websense can help to protect you from all stages of the threat lifecycle.

U.S. States Investigating Breach at Experian

An exclusive KrebsOnSecurity investigation detailing how a unit of credit bureau Experian ended up selling consumer records to an identity theft service in the cybercrime underground has prompted a multi-state investigation by several attorneys general, according to wire reports.
Ngo's Identity theft service, superget.info
News of the breach first came to light on this blog in October 2013, when KrebsOnSecurity published an exclusive story detailing how a Vietnamese man running an online identity theft service bought personal and financial records on Americans directly from a company owned by Experian, one of the three major U.S. credit bureaus.
Hieu Minh Ngo, a 24-year-old Vietnamese national, pleaded guilty last month to running an identity theft service out of his home in Vietnam. Ngo was arrested last year in Guam by U.S. Secret Service agents after he was lured into visiting the U.S. territory to consummate a business deal with a man he believed could deliver huge volumes of consumers’ personal and financial data for resale.
But according to prosecutors, Ngo had already struck deals with one of the world’s biggest data brokers: Experian. Court records just released last week show that Ngo tricked an Experian subsidiary into giving him direct access to personal and financial data on more than 200 million Americans. 

According to U.S. government investigators, the data was not obtained directly from Experian, but rather via Columbus, Ohio-based US Info Search. US Info Search had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the US Info Search data as well as Court Ventures’ data, and vice versa. Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including Mr. Ngo). For almost ten months after Experian completed that acquisition, Ngo continued siphoning consumer data and making his wire transfers.
A transcript (PDF) of Ngo’s guilty plea proceedings obtained by KrebsOnSecurity shows that his ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data on more than three million Americans.

The Youngest Security Researcher

"Microsoft came up with a fix, even acknowledged Kristoffer on its website as a security researcher", reports Michael Chen for KGTV, ABC News
A five-year-old boy who worked out a security vulnerability on Microsoft's Xbox Live service has been officially thanked by the company.
Kristoffer Von Hassel, from San Diego, figured out how to log in to his dad's account without the right password.
Microsoft has fixed the flaw, and added Kristoffer to its list of recognised security researchers.
In an interview with local news station KGTV, Kristoffer said: "I was like yea!"
The boy worked out that entering the wrong password into the log-in screen would bring up a second password verification screen.
Kristoffer discovered that if he simply pressed the space bar to fill up the password field, the system would let him in to his dad's account.
"I got nervous. I thought he was going to find out," Kristoffer told television station, KGTV.
"I thought someone was going to steal the Xbox."
Free games
Dad Robert, who works in security, sent details of the flaw to Microsoft.
In a statement, the company said: "We're always listening to our customers and thank them for bringing issues to our attention.
"We take security seriously at Xbox and fixed the issue as soon as we learned about it."
Kristoffer's name now appears on a page set up to thank people who have discovered problems with Microsoft products.
The company also gave him four free games, $50 (£30), and a year-long subscription to Xbox Live.
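The article describes the symptom (a password field filled with spaces was accepted) but not the code behind it. The example below is an added illustration, not Microsoft's code and not a description of the real Xbox Live bug: it assumes one mechanism that produces exactly this symptom, a check that trims the input and then treats an empty value as "no secondary verification required", and sets it beside a fail-closed version. The account class, hashing helper and function names are all constructed for this illustration.

```python
"""Whitespace-only password bypass: a fail-open check beside a fail-closed one.

Added illustration, not the original article's or Microsoft's code. The
mechanism in verify_vulnerable() is an ASSUMED way the reported symptom
(spaces accepted as a password) can arise; it is here to show the defensive
pattern, not to document the actual Xbox Live flaw.
"""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Account:
    """Constructed stand-in for a stored credential: salt plus password hash."""

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)


def verify_vulnerable(account: Account, entered: str) -> bool:
    """Assumed flaw: input is trimmed, and an empty result is treated as
    'nothing to verify', so a field full of spaces falls through as success."""
    entered = entered.strip()          # whitespace-only input becomes ""
    if not entered:
        return True                    # fail-open: empty means "skip this step"
    return hmac.compare_digest(_hash(entered, account.salt), account.pw_hash)


def verify_hardened(account: Account, entered: str) -> bool:
    """Fail-closed: never normalise the secret, never accept an empty one,
    and compare in constant time."""
    if not entered:
        return False
    return hmac.compare_digest(_hash(entered, account.salt), account.pw_hash)


if __name__ == "__main__":
    acct = Account("correct horse")    # constructed credential
    for label, fn in (("vulnerable", verify_vulnerable), ("hardened", verify_hardened)):
        print(label, "spaces accepted:", fn(acct, "      "))
```

The defensive point is the shape of the check rather than the hashing: an authentication step should only ever return success on a positive match, so an empty or normalised-away input must fall through to `False`, not to "nothing to check".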

Google kills fake anti-virus app that hit No. 1 on Play charts

"Virus Shield", an app that briefly shot to the top of the charts on Google Play, has turned out to be a complete fake and has therefore been pulled by Google.
The scam, turned up by Android Police, is as simple as a con-man could wish for: the app includes almost no functionality whatever, yet it was briefly a chart-topper on Google Play, at $US3.99 for the download.
According to Appbrain, the software sailed past 10,000 downloads, putting its take at close to $US40,000 for nothing at all. The Register says “almost no functionality” because the app does just one thing: it changes its icon when you tap it, pretending to be checking your phone for viruses.
As Android Police says: “this is such a brazen and expensive fake that we felt the need to give it some special attention. It's somewhat disheartening that an app so obviously fake could rise to the top, especially considering that it's paid, and possibly hundreds or thousands of people have been defrauded already.”
To prove the point, they've posted the decompiled Java code at github.
El Reg would note that at least two of the claims made by the software – low battery consumption and no ads – are true. Along with the legitimate complaint that a scam app like this should never have made it onto Google Play, The Register would also ask why a developer could get away with apparently operating under a fake identity.

How to build and maintain security culture – Kai Roer

Slide 1

How to build and maintain security culture in any organization.
In this presentation, you will learn about the building blocks of security culture, and how to organize your security culture program to create success.

Slide 2

Security Culture eats strategy for breakfast
Why should we care about culture, you may ask? In leadership, here represented by Petter Stordalen, the Choice hotel chain owner, the realization that culture eats strategy for breakfast is the understanding that you can have the best of plans and the best of execution, but without an organizational structure and a common set of values, you will fail. Culture is the building block of society.

Slide 3

What is security culture?
Security Culture – what are we talking about? Is this just another one of those marketing tricks? Another fancy name? Let us examine what security culture is. To do that, we need to understand what culture is.

Slide 4

Definition of Culture
The Oxford Dictionary defines culture as: The ideas, customs and social behavior of a particular people or society.
Take a moment and think about that. Ideas. Customs. Social behavior. Those are common things every individual shares. You have them – and I do too! And when we meet, we form groups that end up sharing some or all of those ideas, customs and social behaviors. Let us examine culture a little more!

Slide 5

Meet Red, Orange and Green!
Meet Green, Orange and Red. These are individuals, as you can see, and they come with their own ideas, customs and behaviors – you can see Green is the positive, inclusive guy, and Red is, well, on the other end of the scale.
We all know these people, don't we?
Which one are you?

Slide 6

A group of Orange people, forming Orange culture.
Here we have a group of people – they share the Orange values, they form a culture. This could be your work-group, your organization, your soccer team and even your country! They are all examples of groups of people, who together share a set of ideas, customs and social behaviors. In Norway, for example, we share the custom of enjoying Brown Cheese (brunost), which as far as I know, no other country does.

Slide 7

Orange meet Red.
Now, let us introduce Red to this group. Red is, as we remember, the negative person who always gets in your way, looking for the worst, expecting a disaster in every project. The question becomes – will the group change Red? Or will Red change the group? Both are valid questions, and valid outcomes.

Slide 8

Spreading Red.
In the Orange group, however, we do not have a strong culture, which allows a stronger influence from one individual towards the group. And we see the Red ideas, customs and social behavior spread.

Slide 9

Red culture conquers the Orange.
As we see here, Red is changing the group, by spreading the negativity, the pessimistic outlook. All that is needed is a group who is not focusing on building a strong culture to support itself. When someone new arrives, they are able to change the ideas, customs and social behavior of said group, and can create devastating results.

Slide 10

The devastating results of bad culture, creating fragmentation and negativity.
A result where other members of the group no longer want to be a part, and start leaving. What is left of your team, your department or your organization, is the negativity, the pessimistic outlook and the general consensus that nothing is possible, nothing can (or will) ever change. What is worse, is that this new culture will scare away possibly great additions to the team – or they will leave after only a very short time with the company.
Why should you care as a security officer, you may be wondering?
Remember the Insider Threat, so famously named because it is someone from within your organization who leaks your data, or who introduces malware? An organization, department or team with this negative culture is more likely to create an environment where the insider willingly starts exploiting the organization. And that, my friend, that is your problem!

Slide 11

Definition of security.
Let us take a look at the definition of security, again according to the Oxford Dictionary. Being secure is the state of being free from danger or threat and/or the state of feeling safe, stable, and free from fear or anxiety.
Using this definition, we can see how culture and security walk hand in hand – it is about individuals, people, and groups of people, and it is about creating an environment where people can be free from danger or threat, and where they can feel safe, stable and free from anxiety.
So I claim that your job is to make your colleagues feel safe, and free from fear – which means we should ditch FUD (fear, uncertainty and doubt) right away! It also means you may have to reconsider how you do your job.

Slide 12

Red, Green and Orange - who are more secure?
Many security officers I know tend to act like Red, alienating their colleagues by expecting employees to understand security without ever trying to understand the employees' real job. Over the years, the Reds get disappointed by poor results and lack of support, and become more and more negative and destructive – for themselves, and for the organization.
Is this how you feel, perhaps?

Slide 13

Introducing Green to the Orange group.
So let us take a different approach. Let us introduce Green to a group, and see what happens! At first glance, this looks so much happier; I can feel the warmth all the way here! How will this go?
Remember that Green is introduced to a group without a strong, supporting culture, so he is able to more easily change its ideas, customs and behaviors.

Slide 14

Green Joy!
Just like negativity, being positive is contagious. Being optimistic and looking for solutions instead of problems helps yourself, your team and your organization realize there may be a way out of whatever challenge you are facing. And as this notion spreads…

Slide 15

Growing positivity and care!
…more and more people will join the new culture.

Slide 16

A positive culture attracts more positive people.
And as the culture grows, word spreads outside the organization too, attracting other individuals and groups with similar mindsets, with similar ideas, customs and social behavior. And you have created a magnet of positive attraction!
Why does this matter to you as a security officer? Well, the insider threat has been reduced to the accidental incident of forgetting the smartphone on Flytoget, a behavior that training and education can reduce – because this culture wants to learn, to grow, to succeed. This culture cares about the group, and security becomes an integrated part of that culture. This group's social behavior allows it to build better security through understanding why, by being motivated for success, and by caring for each other and the group!

Slide 17

Red, Orange or Green - which one do you want to be?
So the question is: Which security officer do you want to be?
  • The negative, destructive force that is Red?
  • The indifferent, easily changeable Orange?
  • Or the positive, secure Green?
Let's choose the Green, and let us build great security culture!

Slide 18

The definition of security culture.
Which brings us to the question – how do we define security culture? Using the Oxford definitions of Culture and of Security, I have come up with this definition of security culture: The ideas, customs, and social behavior of a particular people or society that help them be free from danger or threat.
This in turn makes the job of the security team the job of creating an environment that helps the group be free from danger or threat. And we can do that by working with the ideas, customs and social behaviors of our team, department and organization.

Slide 19

Go from Orange...
So we can make our goal, our purpose, to transform this…

Slide 20

...to green, positive culture!
…into this!
The good news is that we have already seen how culture can be transformed, and that should lead to the realization that we can curate that transformation. So let us do just that!

Slide 21

How to create a security culture program
Let us see how we can create a security culture program. It may sound like a daunting task, I know. Done correctly, using readily available tools and resources, it can be done!

Slide 22

The Security Culture Framework, a holistic approach to building culture!
One such tool is the Security Culture Framework. The Security Culture Framework consists of four building blocks:
  • Metrics, where you define a baseline, set your goals, and define your metrics;
  • Organization, where you organize your security culture workgroup, define target audiences and build organizational wide support;
  • Topics, which are the activities you choose to implement in order to reach your defined goals; and the
  • Planner, where you plan your efforts, your revisions and your metrics.
Four areas that need to be covered, each fulfilling individual tasks while being connected to each of the others. You cannot have one without the others and expect results – which is why most awareness training fails: it sorts under the Topics part and, while an important element, it is unable to create lasting change without the support of the other three building blocks required to transform culture.
With a framework like the Security Culture Framework, we can get to work:

Slide 23

A step-by-step guide
If you want to walk a thousand miles, you start with one step.
When building security culture, we have found that these steps are a great place to start.
Setting up your team is where you build a security culture work group. You want to include the kind of expertise you are unlikely to have yourself – especially from HR (training and organizational knowledge), and from Marketing (creating the story and presenting it).
Together with your team, you define your goals, and decide how you will know that you have reached them (or missed). You need to measure your current status too, so you know where you are. You will compare the current situation with the desired goal in a gap analysis, which helps you determine which elements, topics and activities you will use in your security culture program.
Then you define your target audience. Again, here the marketing guys can help. Why, you may ask? Consider the differences between the IT department and the sales people. They are quite different, right?
Then you start choosing the topic(s) you want to focus on (remember your goal), and activities that will support your message. Again, Marketing Dept.!
Plan your efforts – think of each effort as a campaign, and make it last a limited time, which will allow you to measure before- and after-effects. That is the next thing you do – measure, learn, change and do it all again!

Slide 24

A program is required.
Now that you know why culture matters in security, and how to organize your work, let me explain why you need to create a security culture program.
Culture is changing and evolving all the time. As we saw earlier, individuals impact culture, and culture impacts individuals. We need to run an on-going program to nurture and control the change we want.
Also, when so many security officers complain that their awareness training fails to yield results, one of the reasons is that they fail to see the need for a holistic approach, a program where a training is one part of the whole, not the Silver Bullet to solve it all!

Slide 25

And there are no silver bullets!
So to create a successful security culture, a positive one, driven by the Green, you need to nurture the culture. Make it support the business; your job is to secure the business, right? Create both understanding and awareness, and a support structure where your colleagues know what to do, and whom to turn to, when they make a mistake.
A security culture program is an on-going effort, one that never stops. We can say that security is built-in to culture, that culture is a security measure to create a stable, safe environment where we are free from threat. At least we shall consider that our goal!
And remember that every walk starts with one small step! You can do it too!

Slide 26

Red, Orange, Green: Your choice, your responsibility.
So the question remains: Which security officer do you want to be?
I know who I want to be!

Slide 27

Thank you ISACA Nordic Conference 2014 for inviting me.
Thank you very much! I will be available for questions this afternoon. You can also reach me on Twitter, and my blog.
Of course, you can buy some of my books too – they are on amazon.com!
Thank you!

Slide 28

Bonus: Where to find more information!
These are some sources of information you can use to learn more about security culture, how to build and maintain it, and ideas of content.

The Day Windows XP Died!

XP Tombstone 
Tuesday 8th of April 2014: a page of the computer industry has been turned! Windows XP is dead! Of course, I had to write a blog post about this event. For months now, Microsoft has warned its customers that XP won't be supported starting from today. Do you remember? Windows XP was available on floppies and had – in the beginning – no native USB support! What does it mean today? From an end-user's point of view, the computer will not collapse! No need to recite voodoo formulas; it will boot again and work like yesterday… except if something bad happens. In that case, Microsoft won't help you (instead they will be very happy to propose an upgrade to Windows 8.1). Well, this is not 100% true: Microsoft is still ready to "offer" you some support if you subscribe to their Premium Service program! (Business is business.)
Things are nastier from a security point of view! Your computer will still run but will be vulnerable to new attacks. By "new" I mean the ones that will be discovered (because XP will be a very nice target given its installed base – see the graph below). But I'm also pretty sure that some vulnerabilities have been known for a while and kept below the radar, ready to be used in the wild. And this may occur very soon, maybe tomorrow. People are still migrating to newer operating systems and the attack surface will shrink with time. From an attacker's perspective, this is the right time!
But is this old Windows XP still a problem? People had quite a long time to switch to an alternative OS, right? Have a look at the following statistics. They come from the blog and are based on the last 30 days:
Windows Statistics
Based on Google Analytics, 11% of my visitors are still using Windows XP! Based on my regular audience and the content of this blog, I would expect people to have a "high-level profile" like IT professionals, infosec people, etc. Those people should have got rid of XP a while ago. Ok, let's reduce this number by a few percentage points for fake User-Agents used by some of you, or bots and crawlers. Let's make a final estimate of 7-8%? This remains a huge number of vulnerable computers (and my blog does not generate a lot of traffic). I'm curious to see statistics for big players on the web… Can somebody share?
If you're still using XP today, look above your head: there is a sword of Damocles! Windows XP was not only used on desktop computers. There are plenty of services still running on top of it:
  • Bank ATMs
  • Medical devices
  • SCADA systems
  • PoS
  • Kiosks
What can you do against this? First reaction: upgrade as soon as possible (for laptops and desktops). Installations such as medical devices have a bad reputation for not being easily upgradable (or not at all). In all other cases, security best practices apply as usual:
  • Locate devices running XP on your network! It may sound stupid, but many companies don't know what devices are connected to the LAN!
  • Prohibit those devices or isolate them in a separate network zone. NAC ("Network Access Control") solutions can be useful to put them in a dedicated and hardened VLAN
  • Disconnect them from the Internet
  • Don’t run “services” on them
  • Don’t surf from them
Finally, if you have old applications, test them on a newer OS in the “Windows XP” compatibility mode. Please take actions today!
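The first item in the list above, finding the XP boxes, is the step most organisations trip over, and it is the one that decides which of the other steps apply to each host. The script below is an added example, not code from the original post: it takes a small constructed asset-inventory export (hostname, IP, free-text OS string, internet-exposed flag), normalises the OS string, and reports which hosts are past vendor support and which of the post's recommendations (isolate, cut Internet access, upgrade) apply. The inventory rows, column names and function names are all constructed; the XP date is the one the post is about, the Windows 2000 end-of-support date (2010-07-13) is Microsoft's published one, and the NT 5.0/5.1 kernel-version mapping is the way many inventory and OS-fingerprinting tools report those systems.

```python
"""Triage an asset inventory for end-of-life Windows hosts.

Added example, not from the original post. Assumes a CSV export with the
columns hostname, ip, os, internet_exposed (all constructed here).
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates: XP from the post, Windows 2000 from Microsoft's
# published lifecycle (extended support ended 2010-07-13).
EOL_DATES = {
    "windows xp": date(2014, 4, 8),
    "windows 2000": date(2010, 7, 13),
}
# NT kernel versions as many inventory / fingerprinting tools report them.
NT_VERSIONS = {"5.0": "windows 2000", "5.1": "windows xp"}
# Anything older than Windows 2000 is unsupported regardless of date.
PRE_XP_NAMES = ("windows nt", "os/2")

# Constructed inventory export; these are not real hosts.
SAMPLE_INVENTORY = """\
hostname,ip,os,internet_exposed
atm-0417,10.20.4.17,Microsoft Windows XP Professional SP3,no
mri-console,10.30.1.5,Windows NT 5.1,no
kiosk-lobby,10.40.2.9,Windows XP Embedded,yes
fileserver,10.10.0.3,Windows Server 2008 R2,no
branch-pc-12,10.50.6.12,Windows 7 Enterprise,yes
legacy-hmi,10.60.9.1,Windows 2000 Professional,no
old-box,10.70.0.2,OS/2 Warp 4,no
"""


@dataclass
class Finding:
    hostname: str
    ip: str
    os_family: str
    unsupported: bool
    eol: date | None
    actions: list[str]


def normalise_os(raw: str) -> str:
    """Map a free-text OS string to a family key such as 'windows xp'."""
    s = raw.lower()
    m = re.search(r"windows nt (\d+\.\d+)", s)
    if m and m.group(1) in NT_VERSIONS:
        return NT_VERSIONS[m.group(1)]        # kernel version wins over name
    for name in list(EOL_DATES) + list(PRE_XP_NAMES):
        if name in s:
            return name
    return s.strip()                         # unknown: keep as-is, treated as supported


def triage(inventory_csv: str, today: date) -> list[Finding]:
    """Classify every row and attach the post's recommended actions."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fam = normalise_os(row["os"])
        eol = EOL_DATES.get(fam)
        unsupported = fam in PRE_XP_NAMES or (eol is not None and today >= eol)
        actions: list[str] = []
        if unsupported:
            actions.append("isolate in dedicated VLAN / NAC quarantine")
            if row["internet_exposed"].strip().lower() == "yes":
                actions.append("remove Internet access")
            actions.append("schedule OS upgrade or replacement")
        findings.append(Finding(row["hostname"], row["ip"], fam, unsupported, eol, actions))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, date(2014, 4, 8)):
        status = "UNSUPPORTED" if f.unsupported else "ok"
        print(f"{f.hostname:14} {f.ip:12} {f.os_family:14} {status:12} {'; '.join(f.actions)}")
```

Two details matter in practice: the kernel version is checked before the product name, because "Windows NT 5.1" is XP even though the string says NT, and the date comparison is done against an explicit `today` so the same report run on 7 April and 8 April gives different answers for XP, which is exactly the change the post is about.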

Few European ATMs upgraded to Windows 7

A research report from RBR in London shows that 89 percent of European ATMs are still running Windows XP. This is a larger proportion than in the United States, but what is perhaps even more shocking is that eight percent of ATMs still run operating systems older than XP: Windows NT, Windows 2000 and even OS/2.
The report attributes the lack of movement away from old and unsupported operating systems to a desire for stability on the part of the banks. Instead of upgrading the operating system, which would likely require upgrading a good deal of the computing hardware in the ATM, the banks would rather lock down the devices and practice other risk mitigation techniques.
I discussed this factor in a recent story on the lesser continued dominance of Windows XP in US ATMs. ATMs are isolated on the network and have a well-defined and stable function. They are excellent candidates for lock-down techniques such as software whitelisting and strong authentication for any user access.
An ATM so protected is still at greater risk than one running a modern OS, but it is still heavily defended against software attack. Getting malicious software onto such an ATM and executing it is a daunting task. This is why nearly all attacks on ATMs are physical attacks, such as skimming devices and smash-and-grab of the entire ATM.
Furthermore, as the report notes, many banks have opted to purchase extended support for Windows XP from Microsoft — the report specifically names JP Morgan Chase as one of these banks, but probably all the larger banks have. Such support is expensive and available for a maximum of two years, so banks absolutely need to have a migration plan in place anyway.
Looked at in this light, banks' lazy attitude towards OS upgrades seems defensible. If ATMs running Windows NT are running without software attack, there's little reason to fear for Windows XP ATMs after today.

#OpIsrael: Anonymous attacks hundreds of Israeli websites

Hundreds of websites of Israeli ministries and organizations came under attack by Anonymous early Monday as part of the hacktivist group's anti-Israel operation, dubbed #OpIsrael.
“On April 7, 2014, we call upon our brothers and sisters to hack, deface, hijack, database leak, admin takeover, and DNS terminate the Israeli Cyberspace by any means necessary” the group said in a statement.

The move is an act of protest against Israel's policies, including those against Palestine.

“The further assault on the people of Gaza, who have been flooded by your sewage, terrorized by your military apparatus, and left to die at the border while waiting for medical attention will NOT be tolerated anymore,” the statement read.

“We will not stop until the police state becomes a free state and Palestine is free.”
On a website dedicated to the event, another hacker group – AnonGhost – posted a video saying that the attack will target every possible Israeli website in order to show solidarity with Palestine.

In March, hackers united under the AnonGhost banner claimed to have crashed the website of Israel’s Ministry of Agriculture and Rural Development. The group posted the logins and passwords of the website’s users online.
The first cyber-attacks under the name OpIsrael were launched by Anonymous during an Israeli assault on Gaza in November 2012. Around 700 Israeli websites, including high-profile government sites such as the Foreign Ministry and the Israeli President's official website, were taken down. Following the attack, Anonymous posted the personal data of 5,000 Israeli officials online.
The websites of the Israeli parliament, ministries and other government organizations stopped operating for some time after last year's attack, which also took place on April 7.
A Middle East hacker who participated in the operation told RT that the “aim of the attack was to show the world the true face of Israel and its armed forces.” He said that last year’s attack was a warning for Israel to be ready for new, larger “surprises.”
In retaliation against the massive assault, Israeli hackers allegedly broke into the website OpIsrael.com and posted pro-Israeli content. The site was allegedly being used to coordinate cyber-attacks on Israeli sites.