7 posts from February 2010
February 26, 2010
 Asia IT Security Governance?

On a recent visit to Asia I had the opportunity to sit with many of our regional partners to discuss IT security regulations specific to web applications and databases.  There was no surprise that PCI was at the top of the list followed by SOX for some international companies, primarily American, and then a short list of ISO and country specific regulations.  Each partner I spoke with talked about a different local requirement usually still being defined or just about to become officially enforced.  In each case I received the same question, "Will SecureSphere support the legislation?"

The short answer I gave them all was the same.  If the legislation requires web application security and/or monitoring, and/or defines requirements for securing and/or monitoring database and data access, the answer is 'yes'.  The reality that I have experienced so far has been that while there are various data security regulations, they all typically require the same fundamental output.  Data privacy regulations, regardless of the industry or country, at a minimum, require complying organizations to restrict and/or monitor (audit) who has access to, and to what degree they have access to, the data that must be regulated.


This, of course, is quite easy for SecureSphere since it has the ability to secure and monitor (audit) any aspect of database and application activity.  All that is required of the administrator is to know what elements of data access should be monitored to comply with the regulation and to configure SecureSphere to secure and/or monitor that activity.  Of course, SecureSphere is pre-configured with the most common regulations, but as I say, it can be easily configured to meet even the most obscure legislation.

The most common current Asia regulations I identified are below:






As I stated above, there are some regulations in development for various countries, but they have yet to be ratified.  Additionally, some countries have existing regulations, but have yet to include IT data to the requirements and are still very much focused on the 'paper' books rather than electronic data.  Having worked extensively in various locations around the globe, it's always interesting to see the considerable differences from region to region and country to country.


February 22, 2010
 When Idle Hands Find Holes in Security – Posting Porn on Moscow Billboard

Ellen Messmer, at Network World, published a short, entertaining article about an unemployed Russian system administrator who hacked into a giant public billboard on a Moscow street, replacing the advertisement with a pornographic movie.

…Interior Ministry's high-tech crime unit says the suspected billboard hacker is a 41-year-old unemployed man who police believe used the IP address of an organization based in Chechnya to breach a Moscow server…

Needless to say, this stopped traffic both on the street and on the sidewalks, stuffing them with gawkers and cell phone videophiles.  Considering the 'rubber-neck' traffic created by someone changing a tire where I live, I can only imagine the backup caused by this incident.  Setting aside the security of the billboard server and the public safety issues of stopping traffic, this article underscored for me the idle-hands environment we find ourselves in today, with unemployment rates steadily rising.

Statements attributed to police sources say the hacker was breaking into computers out of curiosity and had admitted to the stunt, which he allegedly said was an effort to entertain

At least in this case, the alleged intent was curiosity and entertainment rather than data theft or destruction. I also think about the distribution method in this case: the same billboard could just as easily have been made to show healthcare information, credit card numbers, private financial data, etc…



February 11, 2010
 OWASP Talks about the Attack on RockYou and the Imperva Password Study

OWASP just released episode number 59.  They discuss a number of topics, but during the last third of the podcast they focus on the 32 million clear text passwords that were stolen from RockYou and later posted on the Internet. They also discuss Imperva's research paper, which examines the strength of those passwords.

The report identifies the most commonly used passwords:

   1. 123456
   2. 12345
   3. 123456789
   4. Password
   5. iloveyou
   6. princess
   7. rockyou
   8. 1234567
   9. 12345678
  10. abc123
"Everyone needs to understand what the combination of poor passwords means in today's world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second—or 1000 accounts every 17 minutes," explained Imperva's CTO Amichai Shulman. "The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of passwords as a security mechanism. Never before has there been such a high volume of real-world passwords to examine."

Some key findings of the study include:

  • The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as "brute force attacks."
  • Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password is "123456".
  • Recommendations for users and administrators for choosing strong passwords.
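The findings above name the password traits that make brute-force and dictionary guessing cheap: short length, membership in a common-password list, dictionary words, consecutive digits, and adjacent keyboard keys. The following is an added example, not code from the post or from Imperva's study, showing how an administrator might enforce those recommendations at registration time. The top-10 list is the one printed above; the mini dictionary, keyboard rows and minimum length are constructed assumptions for the example.

```python
# Added example: reject passwords that show the weaknesses the RockYou study found.

# The ten most common RockYou passwords, exactly as listed in the post.
TOP_10_ROCKYOU = ["123456", "12345", "123456789", "Password", "iloveyou",
                  "princess", "rockyou", "1234567", "12345678", "abc123"]

# Constructed mini dictionary; a real deployment would load a large word list.
DICTIONARY = {"password", "princess", "rockyou", "love", "monkey", "dragon"}

# Physical key order on a US keyboard; walks along a row are "adjacent keys".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

MIN_LENGTH = 8  # assumed policy minimum


def _has_sequential_run(s, min_run=4):
    """True if s contains min_run+ characters whose code points step by +1 or -1
    (e.g. 'abcd', '4321'); this catches consecutive-digit passwords."""
    for step in (1, -1):
        run = 1
        for a, b in zip(s, s[1:]):
            run = run + 1 if ord(b) - ord(a) == step else 1
            if run >= min_run:
                return True
    return False


def _has_keyboard_walk(s, min_run=4):
    """True if s contains min_run+ adjacent keys from one row, in either direction."""
    for row in KEYBOARD_ROWS:
        for i in range(len(s) - min_run + 1):
            chunk = s[i:i + min_run]
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def weak_password_reasons(password):
    """Return the list of policy violations for a candidate password (empty if none)."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if lowered in (p.lower() for p in TOP_10_ROCKYOU):
        reasons.append("in RockYou top-10 list")
    # A dictionary word with trailing digits ("monkey1") is still a dictionary word.
    if lowered in DICTIONARY or lowered.rstrip("0123456789") in DICTIONARY:
        reasons.append("dictionary word")
    if _has_sequential_run(lowered):
        reasons.append("sequential characters")
    if _has_keyboard_walk(lowered):
        reasons.append("adjacent keyboard keys")
    return reasons


if __name__ == "__main__":
    for candidate in ["123456", "Password", "qwerty12", "monkey1", "Tr0ub4dor&3"]:
        verdict = weak_password_reasons(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

The checks are deliberately independent so the rejection message can tell the user which finding they tripped; the same function can be run over an existing password dump (as the study did) to measure how much of a user base would fall to a top-10 guess before any brute force begins.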


February 10, 2010
 Cookie Poisoning Resource

Imperva has launched another resource:  Cookie Poisoning. This resource contains information about Cookie Poisoning as well as related White papers, Webcasts, and videos.

Cookie Poisoning attacks involve the modification of the contents of a cookie (personal information stored in a Web user's computer) in order to bypass security mechanisms. Using cookie poisoning attacks, attackers can gain unauthorized information about another user and steal their identity.
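The definition above rests on one design mistake: the server treats data that sits on the client's machine as if the client could not change it. The following is an added example, not code from the Imperva resource, contrasting a handler that reads a role straight out of the cookie with one that accepts only cookies carrying a server-side HMAC and an expiry. The secret, claim names and time values are constructed for the example.

```python
# Added example: a cookie-trusting handler beside an HMAC-signed alternative.
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the example; a real server loads it from a secrets store.
SERVER_SECRET = b"example-secret-do-not-reuse"


def role_from_cookie_unsafe(cookie_value):
    """Vulnerable pattern: whatever the browser stored is believed.
    Any edit to the 'role' field in the browser is honoured by the server."""
    fields = dict(part.split("=", 1) for part in cookie_value.split(";") if "=" in part)
    return fields.get("role", "anonymous")


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_claims(claims):
    """Canonical JSON so the same claims always produce the same signed bytes."""
    return _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())


def make_signed_cookie(claims, ttl_seconds=3600, now=None):
    """Hardened pattern: claims plus an HMAC-SHA256 tag over them.
    The client can read the cookie but cannot change it without the secret."""
    now = int(time.time()) if now is None else now
    encoded = encode_claims(dict(claims, exp=now + ttl_seconds))
    tag = hmac.new(SERVER_SECRET, encoded.encode(), hashlib.sha256).hexdigest()
    return f"{encoded}.{tag}"


def role_from_signed_cookie(cookie_value, now=None):
    """Return the role only if the tag verifies and the cookie has not expired."""
    now = int(time.time()) if now is None else now
    try:
        encoded, tag = cookie_value.rsplit(".", 1)
    except ValueError:
        return "anonymous"
    expected = hmac.new(SERVER_SECRET, encoded.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks no timing information.
    if not hmac.compare_digest(expected, tag):
        return "anonymous"
    try:
        body = json.loads(_unb64(encoded))
    except ValueError:
        return "anonymous"
    if not isinstance(body, dict) or body.get("exp", 0) < now:
        return "anonymous"
    return body.get("role", "anonymous")


def demonstrate(now=1000):
    """Exercise both handlers; constructed inputs, fixed clock for reproducibility."""
    good = make_signed_cookie({"user": "alice", "role": "user"}, ttl_seconds=3600, now=now)
    encoded, tag = good.rsplit(".", 1)
    # Same tag, altered claims: what the signed handler must reject.
    altered = encode_claims({"user": "alice", "role": "admin", "exp": now + 3600}) + "." + tag
    return {
        "unsafe_accepts_edited_role": role_from_cookie_unsafe("user=alice;role=admin"),
        "signed_valid": role_from_signed_cookie(good, now=now + 500),
        "signed_expired": role_from_signed_cookie(good, now=now + 4000),
        "signed_altered": role_from_signed_cookie(altered, now=now + 500),
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

Signing stops alteration but not disclosure: the claims are still readable on the client, so anything sensitive belongs in a server-side session keyed by an opaque identifier, with the cookie marked `Secure` and `HttpOnly` so it is not exposed over plaintext HTTP or to page scripts.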




February 09, 2010
 China Closes Hacking Academy: Reality or PR Stunt

Today The Los Angeles Times ran an article about China shutting down a hacking academy. Called Black Hawk Safety Net, its advertisement read:

Just a little training and you too could hack websites, earning thrills, power and, in many cases, money. "Guaranteed successful attack tools!"

Police in Hubei province announced to the Chinese media over the weekend that they had closed down the operation, which state media said was the largest training site for Chinese hackers, and arrested three of its ringleaders. Black Hawk is accused of collecting more than $1 million in tuition from 12,000 subscribers and 170,000 others who took its online courses, according to Chinese media.

With all the global scrutiny on China regarding IP theft (Ford, DuPont, CyberSitter, etc.), attacks against government organizations and critical infrastructure, the recent events at Google, and pressure from the US Secretary of State, is this just a PR exercise?  Or is China getting serious about mitigating cyber crime? If it is real, it seems like a small victory in a long and growing line of incidents.

Although Black Hawk's original website was taken down, it appears that a new one has been set up under a different address. And members say they don't believe the bust will make a dent in China's hacking culture.

China wouldn't be the first to try and create a false sense of security.



February 04, 2010
 Oracle 11g Security: Breakable

Network World's reporter Ellen Messmer published an article today about an Oracle vulnerability identified by David Litchfield for the purpose of refuting Larry Ellison's claim that his database was "unbreakable".

David Litchfield, a researcher at NGS Consulting, demonstrated how a user can subvert security to elevate his privileges and take complete control over Oracle 11g, and also showed how to bypass Oracle Label Security, which is used to set mandatory access controls over information according to its security level.

The security-industry veteran said ever since he heard Oracle's chief Larry Ellison touting his database as being "unbreakable, I took umbrage at that." Litchfield noted he and Oracle have had a "rocky relationship" for a long time.

Mr. Litchfield is targeting Oracle in this case, but most database vendors make similar efforts to calm their users' fears about vulnerabilities.  The DB attack discussed is an example of the challenges that database vendors face when trying to secure their own code.  Databases are large, complex software packages, and expecting them to be inherently secure as shipped by the vendor, regardless of CEO comments or promises, is risky.

Terry Ray Imperva Senior Director of Technical Services- Americas and APJ


February 02, 2010
 Hacking for Fun and Profit in China’s Underworld

The NY Times published an article today about China's underworld.

The reporter, David Barboza, interviews a Chinese hacker who goes by the handle Majia.

Internet security experts say China has legions of hackers just like Majia, and that they are behind an escalating number of global attacks to steal credit card numbers, commit corporate espionage and even wage online warfare on other nations, which in some cases have been traced back to China.

In addition to independent criminals like Majia, computer security specialists say there are so-called patriotic hackers who focus their attacks on political targets. Then there are the intelligence-oriented hackers inside the People’s Liberation Army, as well as more shadowy groups that are believed to work with the state government.

Just about every major country has at least one government-sponsored "cyber warfare" group, including the United States. In fact, there has been speculation that North Korea graduates about 500 "cyber warriors" every year from its training programs.

Computer hacking is illegal in China. Last year, Beijing revised and stiffened a law that makes hacking a crime, with punishments of up to seven years in prison. Majia seems to disregard the law, largely because it is not strictly enforced. But he does take care to cover his tracks.

He even claims to know details of the Google attack. “That Trojan horse on Google was created by a foreign hacker,” he says, indicating that the virus was then altered in China. “A few weeks before Google was hijacked, there was a similar virus. If you opened a particular page on Google, you were infected.”

When asked whether hackers work for the government, or the military, he says “yes.”

Does he? No comment, he says.


