February 04, 2010
 Oracle 11g Security: Breakable

Network World's reporter Ellen Messmer published an article today about an Oracle vulnerability identified by David Litchfield for the purpose of refuting Larry Ellison's claim that his database was "unbreakable".

David Litchfield, a researcher at NGS Consulting, demonstrated how a user can subvert security to elevate his privileges to take complete control over Oracle 11g and also showed how to bypass the Oracle Label Security used to set mandatory access controls over information depending on security level.

The security-industry veteran said ever since he heard Oracle's chief Larry Ellison touting his database as being "unbreakable, I took umbrage at that." Litchfield noted he and Oracle have had a "rocky relationship" for a long time.

Mr. Litchfield is targeting Oracle in this case, but most database vendors make similar efforts to calm their users' fears of vulnerabilities. The DB attack discussed is an example of the challenges that database vendors face when trying to secure their own code. Databases are large, complex software packages, and expecting them to be inherently secure as shipped by the vendor, regardless of CEO comments or promises, is risky.


Terry Ray Imperva Senior Director of Technical Services- Americas and APJ

 

February 02, 2010
 Hacking for Fun and Profit in China’s Underworld

The NY Times published an article today about China's underworld.

The reporter - David Barboza - interviews a Chinese hacker that goes by the handle - Majia.

Internet security experts say China has legions of hackers just like Majia, and that they are behind an escalating number of global attacks to steal credit card numbers, commit corporate espionage and even wage online warfare on other nations, which in some cases have been traced back to China.

In addition to independent criminals like Majia, computer security specialists say there are so-called patriotic hackers who focus their attacks on political targets. Then there are the intelligence-oriented hackers inside the People’s Liberation Army, as well as more shadowy groups that are believed to work with the state government.

Just about every major country has at least one government-sponsored "cyber warfare" group - including the United States. In fact, there has been speculation that North Korea graduates about 500 "cyber warriors" every year from its training programs.

Computer hacking is illegal in China. Last year, Beijing revised and stiffened a law that makes hacking a crime, with punishments of up to seven years in prison. Majia seems to disregard the law, largely because it is not strictly enforced. But he does take care to cover his tracks.

He even claims to know details of the Google attack. “That Trojan horse on Google was created by a foreign hacker,” he says, indicating that the virus was then altered in China. “A few weeks before Google was hijacked, there was a similar virus. If you opened a particular page on Google, you were infected.”

When asked whether hackers work for the government, or the military, he says “yes.”

Does he? No comment, he says.

 

January 26, 2010
 Does the DOD Need to Re-Think Its Approach To Cyber Security

In a Federal Computer Week article today titled "New threats compel DOD to rethink cyber strategy" they explore the DOD's shift from Network Security (information assurance) to Risk Management (mission assurance).

There have been a number of high profile incidents over the last few years - mostly involving the theft of sensitive data. For example: Titan Rain (starting in 2003): several government agencies and defense contractors had a volume of information stolen equivalent to the Library of Congress. In 2009 the Pentagon's $300B Joint Strike Fighter Project for the F-35 Fighter had its plans stolen. Also in 2009 hackers reportedly stole a classified PowerPoint slide deck that details South Korean and U.S. strategy for fighting a war with North Korea.

Data protection technology and insider threat protection are another area in which the technology is already available to help reduce the risk of confidential data loss or the undermining of data in critical information systems.

“The tradecraft of the attackers has really advanced in the last few years,” said Thomas Fuhrman, senior vice president at Booz Allen Hamilton. “And they're also very agile. There’s a whole range of threats, but the threats that matter — where we see exfiltration, threats of compromising national security command and control systems — this comes from a very sophisticated adversary.” And based on what analysts see, he said, “They respond to fixes we implement very rapidly.”

In addition, Fuhrman said, there is the proliferation of tools that make it easier for adversaries to attack DOD and other networks — as evidenced by the Iraqi insurgents’ interception of Predator video. “So you expand the range of people who are in this space by the availability of the tools to the work.”

“Security isn't the mission,” Conway said. “Security is an enabler of the mission. That's one of the things Cyber Command is hopefully going to get their arms around to present a choice to the operator: Here's your risk if you don't do any security, here's your risk if you do everything secure, and here's a spectrum of everything in between. That’s a really complicated thing, but the operator needs to know how dependent they are on cyber” and make a decision on what risks are acceptable, he said.


 

January 22, 2010
 Secretary of State Hillary Clinton says China's Cyber Attacks Must Face Consequences

Industry News reported in an article titled:  Clinton Asks China to Probe Cyber-Attack, Says Censorship Should Be Fought -

By Indira A.R. Lakshmanan Jan. 22 (Bloomberg) — Secretary of State Hillary Clinton called on U.S. technology companies to resist censorship of the Internet and said perpetrators of cyber attacks such as those who targeted Google Inc. must face consequences. “Censorship should not be in any way accepted by any company from anywhere,” Clinton said yesterday in a speech at the Newseum, a media history center in Washington. “American companies need to make a principled stand. This needs to be part of our national brand. I’m confident that consumers worldwide will reward companies that follow those principles.” Clinton’s long-planned address on Internet freedom laid out the Obama administration’s view of an uncensored global Internet where everyone has access to the same information, and governments and corporations don’t block knowledge or steal intellectual property.


The U.S. government is looking “to Chinese authorities to conduct a thorough investigation of the cyber intrusions that led Google to make this announcement,” Clinton said. The Chinese government has denied involvement in the cyber attacks. China’s Foreign Ministry didn’t have any immediate reaction to the speech today. In a statement released yesterday before Clinton’s address, Vice Foreign Minister He Yafei was cited by the official Xinhua News Agency as saying the Google case shouldn’t affect relations between China and the U.S. and any attempt to draw such conclusions would be “over-interpreting” the issue. Google said its investigation found hackers from inside China also targeted the intellectual property of dozens of other U.S. companies. Those firms haven’t publicized the alleged attacks, a silence that analysts have attributed to a fear of worrying investors and depressing their stock prices. “Countries or individuals that engage in cyber attacks should face consequences and international condemnation,” Clinton said.

 

January 21, 2010
 Webcast: NY Times Article about SQL Injection Password Hack

The NY Times just published an article - If Your Password Is 123456, Just Make It HackMe. In this article Amichai Shulman, Imperva CTO, was quoted.

“I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”

Also mentioned is an Imperva-produced report, available for free download, which analyzes the hacked passwords statistically and provides best practices for users and administrators. It leverages some of the research Imperva has done around the RockYou SQL Injection password hack.

Imperva will also be hosting a Webcast on this topic with the very Imperva researchers that did the analysis on 02.10.2010 at 11AM PT (2PM ET).

Data Security Study: Consumer Password Worst Practices

Imperva's Application Defense Center (ADC) analyzed the strength of 32 million passwords to help consumers and website administrators identify the most commonly used passwords they should avoid when using social networking or e-commerce sites. This Webcast will:

  • Review the results of the study
  • Describe current password cracking attacks and how to avoid them
  • Give recommendations for users and administrators when choosing strong passwords or implementing an effective password policy


 

January 20, 2010
 Combating Business Logic Attacks

Imperva has released a new glossary term:  Business Logic Attacks.

A Business Logic Attack (BLA) is an attack which targets the logic of a business application. The business application may be an online clothing shop, an online ticketing service for a theater, or even an Internet poll. As opposed to “traditional”, technical, application attacks, for example, XSS or SQL Injection, business logic attacks do not contain malformed requests and include legitimate input values making this sort of attack difficult to detect. Furthermore BLAs abuse the functionality of the application, attacking the business directly. A BLA is further enhanced when combined with automation where botnets are used to challenge the business application. These automated attackers are called Business Logic Bots (BLBs).


 

January 19, 2010
 Protect the Data. Protect the Data. Protect the Data.

It's not surprising to most, but according to Washington Technology

Successful hacks into large enterprises are growing more frequent, more sophisticated, more difficult to detect and more costly. 

And despite a pile-up of government regulations and billions of dollars in technology, the attacks often go undetected, leaving a wide-open back door through which data flows unimpeded for between six and eight months. Indications are that the unplugged hole may endure even longer for government than for private sector enterprises.

In a Ponemon Institute study, they cited that:

35 percent of federal IT execs acknowledged that their systems had been infiltrated in the previous year. And more than 75 percent of respondents experienced one or more data breach incidents sometime over the past year.

And, according to Melissa Hathaway former National Security Council Acting Director, "Attacks on private sector systems may be at or approaching an epidemic level.”

Organizations are doing a better job of collecting and aggregating data these days, but aren't doing a good enough job analyzing it - which requires automated, purpose-built solutions in most cases. Further, sometimes they are watching the wrong data. For example, what do people attack - applications, databases, file servers and the like. Why? Because the information there has value. What data sources are most organizations analyzing - firewalls, routers, VPNs, etc. While that's important, it does little to answer the "really" important questions like:

  • What data was accessed and how
  • Who did it and from where
  • What was done with the data (modified, copied, deleted, downloaded, etc)

This requires monitoring applications, databases and file servers.

“The uncontested technique of choice” to hack into a system is SQL injection, Verizon’s Data Breach report said. The attacker uses input fields on the target’s Web site to issue commands (as SQL statements) to a database. These attacks accounted for 79 percent of stolen records in their study.
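To make the mechanism described above concrete, here is an added example (not code from the original post or from Imperva) that puts a vulnerable lookup beside its hardened form. The table, the rows and the two inputs are constructed for the demo; the point is that when the form value is spliced into the SQL text the database parses it as a command, whereas a parameterized query only ever compares it as data.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for a site's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

def lookup_vulnerable(conn, name):
    # The web form value is pasted into the SQL string, so whatever the
    # user typed becomes part of the statement the database executes.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # The value travels separately from the statement text; the database
    # binds it as a string literal and never parses it as SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def demo():
    """Row counts returned for a benign input and for a constructed hostile one."""
    conn = make_db()
    benign = "alice"
    # Constructed hostile input: it closes the quoted literal and appends a
    # condition that is always true, turning one lookup into a full-table read.
    hostile = "' OR '1'='1"
    return {
        "benign_vulnerable": len(lookup_vulnerable(conn, benign)),
        "benign_safe": len(lookup_parameterized(conn, benign)),
        "hostile_vulnerable": len(lookup_vulnerable(conn, hostile)),
        "hostile_safe": len(lookup_parameterized(conn, hostile)),
    }

if __name__ == "__main__":
    print(demo())
```

The hostile input returns every row from the vulnerable function and none from the parameterized one, which is exactly the difference between a record-theft incident and a failed lookup; it is also the kind of query shape (a simple lookup suddenly returning the whole table) that database activity monitoring should flag.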

Some have the right key, but the wrong keyhole. Network-centric controls are great for network-centric attacks, but not data-centric attacks. What made us secure for the last ten years isn't going to work for the next ten years. Data is the target; protect it.

 

January 18, 2010
 Google Considers Insider Threats Behind China's Attack

It's not any kind of stretch to think that malicious insiders took part in this incident. If it was an outsider, why hack when you can recruit? Were employees behind China's repeated attempts to hack into Gmail accounts for Chinese Human Rights Activists?

According to Reuters, who cited two unnamed sources, Google is looking into the notion that their own employees helped instigate the attack on their infrastructure last week. If true, then the previous rumors hold a little more weight.


Reuters said that their sources told them that the attack, which targeted people with access on Google’s network and led to the reported Intellectual Property (IP) theft, might have originated within Google’s offices in China, by their own people. In addition, Reuters cited local media in China that reported that some local Google staff were denied access to internal network resources in the wake of the attack, while others were transferred or put on leave.

When Google first announced the attack, early speculation centered on insider threat, mostly because of what was accessed, namely Google IP. Google would not comment on the Reuters story, the agency said, citing a spokesperson who said, “We're not commenting on rumor and speculation. This is an ongoing investigation, and we simply cannot comment on the details.”

More details here.



 

January 14, 2010
 More on the Google Hack from China - Imperva Experts Interviewed

On the front page of today's Silicon Valley Mercury News they dive deeper into this incident.

Gary Locke, the secretary of commerce, called on the Chinese government "to work with Google and other U.S. companies to ensure a climate for secure commercial operations in the Chinese market."

A successful attack on a network with defenses as sophisticated as Google's requires a well-financed, highly skilled team and time, said Tal Beery, a researcher at Redwood City-based Imperva's Application Defense Center in Israel. "You need a lot of patience, and you have to have a lot of money in your bank in order to do it. It's not this thing of a few minutes, bang and you go home," he said.

"There aren't so many hackers that could outmaneuver the Google defense mechanisms," Beery said. "You have to be a very good hacker and you have to have a lot of different skills to do it. You need a team of someone that knows browser vulnerabilities to launch malware and you have to have someone that could break into Web servers," Beery said.



 

 

January 13, 2010
 Google May Pull Out of China Because of Cyber Attacks

In a Wall Street Journal article Google Inc. said it may pull out of China because of attacks sourced from China against Google's systems. This event is so high profile that the NSA has gotten interested.  The attacks and theft of IP occurred in December 2009.  Further, it appears that the target of the attacks were accounts for various human-rights activists. 

The attacks appear to have been launched from at least six Internet addresses located in Taiwan, which is a common strategy used by Chinese hackers to mask their origin, said James Mulvenon, director of the Center for Intelligence Research and Analysis at Defense Group Inc. a national-security firm.

They siphoned off the stolen data from Google and other companies...overseas.

The attackers used at least seven different types of attack code in their effort to identify and steal data from Google, said Rafal Rohozinski, a principal at the SecDev Group, a Canadian security consulting firm that discovered a major Chinese spying operation on the Dalai Lama last year.

There have been ongoing issues between Google and the Chinese government regarding censorship over the past couple of years, so this tension is nothing new. It will be very interesting to see how far this goes, and whether Google will in fact be closing down Google.cn. Ebay and Yahoo have already scrapped operations in China by selling off their in-country services to local players - but neither was as openly critical of the Chinese government.
