Thursday, December 16, 2010

Security Review: Valve Software's Steam Platform

Digital distribution has become an increasingly popular way of delivering software, and when it comes to PC games, look no further than Steam. With an estimated 70% share of the PC game digital distribution market, it is easily the biggest and best-known provider today.

Steam began when Valve, a Seattle-based PC game developer founded by former Microsoft employee Gabe Newell, ran into constant problems keeping its online games (like the wildly popular FPS Counter-Strike) up to date. Patches would ripple through the community, leaving large parts of the user base unable to connect to each other whenever versions did not match. Valve decided to build a platform that would update games automatically and provide anti-piracy measures. It was publicly released in 2003 and by 2005 was selling third-party games as well. Today, in 2010, the Steam library has over 1,200 games (both boxed games registered to the service and digitally distributed ones) and serves over 30 million active users. It also has social-networking features and a friends list with IM, letting users set up games and talk with each other without leaving the platform.

Since Steam has become such a big seller in the PC game market, and since games can be bought directly through the client itself, multiple security measures need to be in place to keep the accounts of legitimate users safe from phishing scams and data leaks.

First off, Steam handles credit cards, which means Valve must follow the card industry's data-security requirements. Valve does not reveal much about the inner workings of the company, but its privacy policy does say:
"Personally identifiable information will be processed and stored by Valve in databases hosted in the United States. Valve has taken reasonable steps to protect the information users share with us, including, but not limited to, setup of processes, equipment and software to avoid unauthorized access or disclosure of this information."
This is vague, and a sentence in a privacy policy is not the same thing as a PCI DSS assessment, but it is at least consistent with what a standard like PCI DSS calls for and suggests that reasonable steps are being taken to secure cardholder and other user data. Additionally, Steam allows payment through third-party processors such as PayPal, which has well-established security measures of its own, so for those purchases the card details are handled by PayPal rather than entered into Steam.

The more likely threat to a platform like Steam is account phishing. Because an account holds all of a user's game licenses, scammers are always looking for ways to steal someone's credentials and hijack the account for their own use. One of the most visible countermeasures is built into the IM service: whenever a chat window is opened, a reminder to "Never tell your password to anyone," with a link to an account security page, appears. This helps blunt scammers who pose as Valve employees and ask for account details over chat.

In addition, to change any account information, even the email address, a user must verify ownership of the current email address by retrieving a verification code sent there; only then can the change go through. This also helps the real owner recover the account even if the rest of the account details are lost, since the owner is likely the only person able to read that mailbox (provided the email password is not the same as the Steam password). Steam also allows an account to be signed in at only one location at a time, which can help lock out a scammer who has obtained the credentials, though this is a double-edged sword, as it can equally let a scammer lock out the legitimate user.

Lastly, if all else fails, Steam has a support system that focuses heavily on account recovery. If someone loses an account, the support team works to recover it for the valid owner (ownership is proven by the credit card used or by the serial number of any boxed game registered to the account) and restores any damage done (fraudulent purchases, removal of owned games) so the user gets the account back as it was before the hijacking.
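The email-verification step described above can be modelled as a short-lived, single-use code that is mailed to the address already on file and bound to the specific change being requested. The following Python is an added example written for this page, not Valve's code; the 15-minute lifetime, the five-attempt limit, the in-memory account store and the sample account "alice" are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # lifetime of an issued code (assumed value)
MAX_ATTEMPTS = 5             # wrong guesses before the code is thrown away (assumed value)


class ChangeVerifier:
    """Gate an account change behind a one-time code mailed to the *current* address.

    Illustrative model of the mechanism described in the post; not Steam's code.
    """

    def __init__(self, accounts, send_mail, now=time.time):
        self.accounts = accounts      # account name -> {"email": ...} (in-memory store)
        self.send_mail = send_mail    # callable(address, body); a real system would send email
        self.now = now                # injectable clock so expiry can be tested
        self._pending = {}            # account name -> pending change record

    def request_change(self, account, field, new_value):
        """Record the requested change and mail a code to the address on file."""
        current_email = self.accounts[account]["email"]
        code = secrets.token_hex(4)   # 8 hex characters from the OS CSPRNG
        salt = secrets.token_bytes(16)
        self._pending[account] = {
            "field": field,
            "new_value": new_value,
            "salt": salt,
            # Only a salted hash is stored, so a leaked pending table does not leak codes.
            "digest": hashlib.sha256(salt + code.encode()).digest(),
            "expires": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # The code goes to the address already on file, never to the new one, so an
        # attacker who knows only the password cannot redirect it to their own mailbox.
        self.send_mail(current_email, f"Your code to change {field}: {code}")

    def confirm_change(self, account, code):
        """Apply the pending change if the code is valid, unexpired and unused."""
        rec = self._pending.get(account)
        if rec is None:
            return False
        if self.now() > rec["expires"]:
            del self._pending[account]
            return False
        given = hashlib.sha256(rec["salt"] + code.encode()).digest()
        if not hmac.compare_digest(rec["digest"], given):   # constant-time comparison
            rec["attempts"] += 1
            if rec["attempts"] >= MAX_ATTEMPTS:             # stop online guessing
                del self._pending[account]
            return False
        del self._pending[account]                          # single use
        self.accounts[account][rec["field"]] = rec["new_value"]
        return True


def verification_demo():
    """Run the flow against a constructed account with an in-memory outbox and clock."""
    clock = [1_000_000.0]
    outbox = []
    accounts = {"alice": {"email": "alice@example.com"}}   # constructed sample account
    v = ChangeVerifier(accounts, lambda addr, body: outbox.append((addr, body)),
                       now=lambda: clock[0])

    v.request_change("alice", "email", "alice-new@example.com")
    sent_to, body = outbox[-1]
    code = body.rsplit(": ", 1)[1]              # what the legitimate owner reads from the mail
    results = {
        "sent_to_current_address": sent_to == "alice@example.com",
        "wrong_code_rejected": not v.confirm_change("alice", "bad-code"),
        "right_code_accepted": v.confirm_change("alice", code),
        "replay_rejected": not v.confirm_change("alice", code),
        "email_after": accounts["alice"]["email"],
    }

    # A code that is left to expire is useless even if it leaks later.
    v.request_change("alice", "email", "alice-later@example.com")
    code = outbox[-1][1].rsplit(": ", 1)[1]
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired_rejected"] = not v.confirm_change("alice", code)

    # Repeated wrong guesses invalidate the code before a guesser can find it.
    v.request_change("alice", "email", "alice-third@example.com")
    code = outbox[-1][1].rsplit(": ", 1)[1]
    for _ in range(MAX_ATTEMPTS):
        v.confirm_change("alice", "bad-code")
    results["locked_after_guessing"] = not v.confirm_change("alice", code)
    return results


if __name__ == "__main__":
    for name, value in verification_demo().items():
        print(f"{name}: {value}")
```

The two properties that matter for the phishing case are that the code is delivered to the address the account already has, not to whatever address the requester types in, and that it is single-use with a short lifetime, so a code phished out of a user is worthless once it has been used or has expired.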

So, overall, Steam experiences many of the threats that any large online distributor will, but it seems to manage them very securely. It meets standards for purchases, and has many safeguards (and blatant reminders) in place to provide multiple levels of security for user accounts. Is there room for improvement? Always. But Valve is doing a thorough job of protecting its users regardless.

Wednesday, December 15, 2010

Pen Testing Software

Core Security has recently launched new software, Core Insight Enterprise, that is meant to help keep a company's computer systems more secure. Marketed as penetration testing software, the product is designed to uncover risks to computer systems by actually attempting to gain access to them. The company claims that the product will be better than the scanners and security products currently on the market because of the amount and quality of information it provides. As Core Security CEO Mark Hatton said, "You're not just going out and hiring a crazy guy with earrings to do pen tests anymore. We're giving you actionable information and solving that disconnect between what security teams are doing and what the business side wants them to do."

The Insight software gives users detailed information through a dashboard that displays a system's basic security status and the progress of current penetration tests, and stores this information over time. The software gathers that information the way a white-hat tester would: by looking for paths to sensitive data in the system. If a path to the data is found, the dashboard shows the steps the software took to reach it, giving the company the information it needs to fix the problem. As Hatton explained, the "tool was designed to make it easier for security professionals to create understandable metrics out of vulnerability data for executives and auditors." Core Security hopes that its software will detect more than the average scanner, checking things such as network configuration and server connections.

In the future, Core Security hopes that the software will be able to combine its findings with security logs and with vulnerability and patching data from other vendors. It will be interesting to see how the product fares in the market and whether it really has a significant impact on the security of computer systems.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1525167,00.html

Tuesday, December 14, 2010

WikiLeaks scandal leads to fear-mongering over information security

“The recent response of the White House’s Office of Management and Budget (OMB) to the WikiLeaks document dump gives us a peek at the sometimes surreal standards for dealing with classified information and at the fear-mongering in which some government officials are engaging,” says Kathleen Clark, JD, professor of law at Washington University in St. Louis School of Law.

Clark teaches and writes about government ethics, national security law, legal ethics and whistleblowing.

According to CNN, on Dec. 3, the OMB instructed executive branch agencies to notify all government employees and contractors that they should not view any documents that are marked as classified using their work computers that access the web via non-classified government systems.

The OMB distinguished “documents that are marked classified” from “news reports . . . that . . . discuss the classified material.” Apparently, employees are permitted to use non-classified government systems to access news reports that include classified information, but must not use those systems to access the classified documents themselves.

“This distinction might seem silly to an outsider, but the government imposes special security measures for its computers that store classified documents, and takes pains to ensure that its computers without these security measures do not have any classified documents,” Clark says. “This system of segregating classified documents is complicated and costly. But so far, so good.”

She notes that the OMB also suggested, somewhat ambiguously, that federal employees and contractors without the proper clearances and the “need to know” the information should not access Wikileaks’ classified information.

Additionally, at least one agency has gone further, asserting that government employees ― and prospective employees ― should not access WikiLeaks classified documents even from their home computers. According to Democracy Now, the State Department instructed employees of the U.S. Agency for International Development as follows: "Accessing the Wikileaks website from any computer may be viewed as a violation of the SF-312 agreement (a non-disclosure agreement)."

Clark says that it is not at all clear how accessing the WikiLeaks documents on a personal home computer would constitute a violation of an agreement not to disclose classified information.

“This does not appear to be a one-off mistake by an overzealous State Department official since at least one government contractor similarly warned its employees against accessing WikiLeaks both on company-issued and on personal equipment,” she says.

“Indeed, Career Services offices at Columbia University and Boston University also reportedly warned students and alumni about the risks of posting links to the documents and/or commenting on them through social media.

“Are these just over-reactions by people who are not familiar with the government’s information security standards?” Clark asks. “Or do these warnings reflect a concerted effort to prevent Americans from accessing and discussing the WikiLeaks documents that are now available on the web?

“I sincerely hope that someone in government will provide some clarification ― and some sanity ― on this issue soon.”

3 more companies hacked! How secure is your online information?

In a sign that cyber security needs rapid quality improvements, two more U.S. companies, McDonald's Corp and Walgreen Co, said in the past week that they had been hacked, along with the U.S. media company Gawker.

After reports last week that the Mastercard and Visa websites had been attacked by a pro-WikiLeaks group calling itself "Anonymous," McDonald's said on Monday that its system had been breached and that customers' "email and other contact information, birthdates and other specifics" had been compromised.

Much of this information was reportedly provided by customers when they signed up for online promotions or subscriptions.

The fast food company did not specify how many accounts had been compromised.

On Friday, Walgreens said hackers had gained access to its customer email database and had spammed those addresses with messages instructing recipients to enter personal information on other websites.

Though these recent incidents are unrelated to the attacks on Mastercard, Visa and PayPal, they do seem to be forming a chain reaction, with data taken in one breach being used to break into accounts elsewhere.

Twitter said hackers broke into an unspecified number of users' accounts and sent spam promoting an acai berry drink, according to an AP report.

The passwords used to gain access to these accounts were apparently taken from Sunday's breach at Gawker Media, the parent company of Gawker, Gizmodo and Jezebel, and had been reused by the same people on Twitter.

McDonald's and Walgreens stated that, beyond the contact details already mentioned, no sensitive personal information, financial data or Social Security numbers had been compromised.

While this is a relief, it is unsettling that most companies are still scrambling to figure out how their security systems were breached.

Many security experts are offering advice on how to make accounts more secure, including using long passwords that mix letters and numbers, not reusing the same password across sites, and changing passwords at regular intervals.

McDonald's stated that it is working with its business partner Arc Worldwide, the email database management firm whose system was breached, to work out what happened.

Anonymous, the group responsible for bringing down parts of the Mastercard and Visa websites, used a simple piece of software to flood those sites with traffic. Initially, supporters had to download a particular program to join the attack.

But the group soon created a web page that turned a visitor's browser into an attack tool.

Once a user pressed the attack button, the page would repeatedly and rapidly request a given file, perhaps a large image, from the target's web server, Wired.com reported.

"The tool's author is unknown and a quick perusal of the JavaScript shows that it is a fairly basic bit of programming," the website reported.
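The pattern Wired describes, one client asking a server for the same file over and over, is easy to spot on the server side. As an added example (not from the article, and not the attack tool's own JavaScript), the following Python reads web-server access-log lines in the common log format and flags any client that requests one path more than a set number of times inside a sliding window. The log lines, the 10-second window and the threshold of 20 requests are constructed assumptions; a real cut-off would be tuned to the site's normal traffic, and clients behind a shared NAT address would need a higher one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "common" log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, path, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), datetime.strptime(m.group("ts"), TS_FORMAT)


def find_floods(lines, window_seconds=10, threshold=20):
    """Flag (ip, path) pairs seen more than `threshold` times inside any `window_seconds` span.

    Lines are expected in chronological order, as a server writes them.
    Returns {(ip, path): peak number of requests inside one window}.
    """
    recent = defaultdict(deque)   # (ip, path) -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip unparseable lines rather than crash on them
        ip, path, ts = parsed
        q = recent[(ip, path)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop hits that have aged out of the window
        if len(q) > threshold:
            flagged[(ip, path)] = max(flagged.get((ip, path), 0), len(q))
    return flagged


def build_sample_log():
    """Constructed access log: one browser-based flooder plus one ordinary visitor."""
    base = datetime(2010, 12, 9, 15, 0, 0, tzinfo=timezone.utc)
    entries = []
    # Flooder: 60 requests for the same large image within six seconds.
    for i in range(60):
        t = base + timedelta(milliseconds=100 * i)
        entries.append((t, f'203.0.113.5 - - [{t.strftime(TS_FORMAT)}] '
                           f'"GET /images/banner-large.png HTTP/1.1" 200 482911'))
    # Ordinary visitor: one page every second, cycling through three pages.
    for i in range(30):
        t = base + timedelta(seconds=i)
        path = ["/", "/about", "/news"][i % 3]
        entries.append((t, f'198.51.100.7 - - [{t.strftime(TS_FORMAT)}] '
                           f'"GET {path} HTTP/1.1" 200 5120'))
    entries.sort(key=lambda e: e[0])   # interleave in the order the server would log them
    return [line for _, line in entries]


def flood_demo():
    """Run the detector over the constructed log."""
    return find_floods(build_sample_log())


if __name__ == "__main__":
    for (ip, path), peak in flood_demo().items():
        print(f"{ip} requested {path} {peak} times within 10 s")
```

On the constructed log only the flooding client is reported (60 hits on the image inside the window); the ordinary visitor never exceeds four hits on any one path in ten seconds. The same per-client, per-path counter is what a rate limiter in front of the server would act on.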

Companies often ignore the early warning signs of a possible breach.

About 63 percent of organizations reported experiencing at least one security incident or breach during the last 12 months, according to the Global Information Security Trends study by the Computing Technology Industry Association, a nonprofit trade group, the LA Times reported.

For instance, according to some media reports, Gawker has only itself to blame for the attack.

The online blog, known for its gossip nuggets about celebrities, had apparently seen "suspicious" activity during November but "did nothing."

Emails and passwords from the weekend's hack were posted on The Pirate Bay by Gnosis, a group that claimed responsibility for the attack.

"We went after Gawker because of their outright arrogance. It took us a few hours to find a way to dump all their source code and a bit longer to find a way into their database," the group told the website Mediaite.

Security Review: Microsoft December 2010 patches

Today, Microsoft's December 2010 security bulletins are being released. The 17 bulletins patch 40 flaws in various versions of Windows and Office, in Internet Explorer 6, 7 and 8, and in SharePoint Server and Exchange. Of the 17 bulletins, two are rated "critical," 14 are rated "important" and one is rated "moderate." The patches address a range of remote code execution, denial-of-service and privilege-escalation problems.

From Microsoft's point of view, the goals behind releasing these bulletins are fairly obvious. After studying the Microsoft Security Response Center case study, we all saw the importance of handling security vulnerabilities in software and operating systems (especially for a company under constant attack like Microsoft). Not only is it important for Microsoft's customers to be able to access their information when they need it, but it is also of the utmost importance that the people running Microsoft software have confidentiality and integrity as well.

As a black hat hacker, I would meet this increase in Microsoft vulnerability reports with open arms. Including these 17 bulletins, 2010 marks a record 106 bulletins released by Microsoft in a single year. A hacker might use an unpatched flaw to expose data on a website or server running Microsoft software, to alter users' data, to carry out DoS attacks against those users, or to take over their systems outright.

There are inherent vulnerabilities in Microsoft's software, which is why it is constantly releasing patches. There is no single overarching fix for this, because there will always be new holes to close. Therefore there will always be hackers (like CyP in the Microsoft Response Center case study) trying to stay one step ahead of Microsoft's engineers and exploit these vulnerabilities, and the engineers have to keep meeting that challenge.

As mentioned above, Microsoft can only mitigate the risks hackers pose to its operating systems. Microsoft Security Response Center blog writer Mike Reavey said, "Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports." With technology constantly changing, the best thing Microsoft can do is continue to meet customer demands while staying a step ahead of those looking to exploit vulnerabilities.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1524889,00.html

see also: http://blogs.technet.com/b/msrc/

Monday, December 13, 2010

Amazon European Outage and More WikiLeaks Controversy

Amazon.com's European websites went down last night for about half an hour, which Amazon said was the result of a hardware failure in a European data center and not of a denial-of-service attack, as some had suggested.

The hacking theory comes from the recent WikiLeaks controversy, in which Amazon, which had been hosting the site on its cloud service for a time, decided to stop providing that service to the popular leak site. Because of the controversy, many claimed that "hacktivists" supporting WikiLeaks, the group "Anonymous," were behind a DoS attack that briefly brought the site down last night. However, the group's plans and claims to attack Amazon were reported as abandoned for lack of resources (Amazon is a very heavily visited site, so one can imagine that knocking it offline with a DoS attack would be quite difficult).

The worry that Amazon had been affected by a DDoS attack also stems from the recent attacks on Mastercard, Visa and PayPal for likewise abandoning WikiLeaks (which someone has already detailed in this blog). However, the group has more plans, such as attempting to access the diplomatic cables that were not published in the recent leak and distributing the most dramatic ones across the internet.

But again, the downtime was due only to a hardware failure in the main European data center, and Amazon's UK, German, Spanish and French sites were all restored less than 30 minutes after the failure.

Sunday, December 12, 2010

NASA Sold Computers with Sensitive Data

Though it is hard to imagine a world-class organization being unable to handle the security tasks entrusted to it, NASA has recently identified 10 computers that were sold with sensitive material still on them. The standard procedure for disposing of a computer is to wipe or remove the hard drive holding the sensitive data, which leaves the machine relatively harmless. However, because of complications and misinformation, these computers were sold with the information still on them. Examine this excerpt from the article: "Specifically, the audit discovered that 10 computers from the Kennedy Center were released to the public even though they still contained sensitive NASA data and had failed verification testing as part of their disposal process. Another four computers with data were confiscated before they were sold." The fact that these computers failed the verification step yet were still sold highlights a lack of understanding of security within the organization.
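The "verification testing" these machines failed is the step that is supposed to catch exactly this mistake: after a drive has been wiped, someone reads it back and checks that nothing recognisable is left before the hardware is released. As an added illustration (example code written for this page, not NASA's procedure or anything from the audit), the following Python verifies a drive image after a zero-fill wipe. It counts every byte that does not match the wipe pattern and, independently of the pattern, scans for filesystem and document signatures that survive when a drive was only "cleaned" by deleting files. The two sample images, the marker list and the pass/fail rule are constructed assumptions for the example.

```python
import io

CHUNK_SIZE = 64 * 1024

# Signatures that should never survive a proper wipe: filesystem OEM IDs and common
# document headers. Illustrative list for this example, not an exhaustive one.
MARKERS = [
    b"NTFS    ",      # NTFS boot sector OEM ID (offset 3 of the volume)
    b"MSDOS5.0",      # FAT OEM ID written by Windows format
    b"FAT32   ",      # FAT32 filesystem type string
    b"%PDF-",         # PDF header
    b"PK\x03\x04",    # ZIP / Office 2007+ document header
]


def verify_wipe(stream, expected_byte=0x00, chunk_size=CHUNK_SIZE):
    """Check a drive (or image) after wiping.

    stream: file-like object opened in binary mode, e.g. open("/dev/sdX", "rb").
    expected_byte: the fill pattern the wipe was supposed to leave; None when the
                   wipe used random data, in which case only the marker scan applies.
    Returns a report dict; "passed" is True only if nothing suspicious was found.
    """
    total = 0
    stray = 0
    found = {}
    carry = b""
    overlap = max(len(m) for m in MARKERS) - 1   # kept so markers spanning chunks are seen
    pattern = None if expected_byte is None else bytes([expected_byte])
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        if pattern is not None:
            stray += len(chunk) - chunk.count(pattern)
        buf = carry + chunk
        base = total - len(carry)   # absolute offset of buf[0]
        for marker in MARKERS:
            pos = buf.find(marker)
            while pos != -1:
                found.setdefault(marker, base + pos)   # remember first occurrence only
                pos = buf.find(marker, pos + 1)
        total += len(chunk)
        carry = buf[-overlap:] if overlap else b""
    return {
        "bytes_checked": total,
        "stray_bytes": stray,
        "markers": {m.decode("latin-1"): off for m, off in found.items()},
        "passed": stray == 0 and not found,
    }


def build_images():
    """Two constructed 1 MiB images: one properly zero-filled, one only 'cleaned' by deleting files."""
    size = 1 << 20
    clean = bytes(size)
    dirty = bytearray(size)
    dirty[0:11] = b"\xeb\x52\x90NTFS    "          # boot sector still present
    # A document header placed across the first chunk boundary (offset 65533).
    pdf = b"%PDF-1.4 Flight readiness notes"
    dirty[65533:65533 + len(pdf)] = pdf
    dirty[400000:400004] = b"PK\x03\x04"            # remains of an Office file
    return io.BytesIO(clean), io.BytesIO(bytes(dirty))


def wipe_demo():
    """Verify both constructed images and return their reports."""
    clean, dirty = build_images()
    return verify_wipe(clean), verify_wipe(dirty)


if __name__ == "__main__":
    for name, report in zip(("clean", "dirty"), wipe_demo()):
        print(name, "PASS" if report["passed"] else "FAIL", report)
```

The zero-filled image passes; the other fails on both counts, with the NTFS boot sector found at offset 3 and a PDF header at offset 65533, which straddles the first chunk boundary and would be missed by a scanner that did not carry bytes across reads. The point for a disposal process is that a machine whose drive fails this check must not leave the building, whatever the paperwork says.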

It is unfair to accuse the entire organization of being lax about security. I would imagine that NASA has some of the strictest and most redundant security measures in the world. However, it only takes one mistake, one forgotten security measure or one outdated plan for a catastrophe to happen. In this case, the article highlights a number of employees who were ill informed of proper security measures, as well as a number of measures that were outdated. Strict and redundant controls mean little if they are outdated or no longer apply to current technology.

NASA's inability to protect its confidential information properly is perhaps a sign of its current underfunded situation, which may in turn be linked to the fact that many of its supporters no longer see space as a noble venture for humanity. Nevertheless, the security administration at NASA has an obligation to keep security breaches to a minimum, and that goal was not met in this latest release of confidential information. NASA must take steps to secure its information from potentially malicious users. This means updating its security policies to cope with the technology and vulnerabilities of the current era, and it means education and continued testing of every member of staff with access to information that would be considered confidential. Unless adequate measures are taken, NASA faces an unfortunate future of further breaches and security violations.

In addition to these breaches, NASA has also exposed information that could help people with malicious intentions get into its network: "Further, computers at the Kennedy Center's disposal facility being prepped for sale displayed NASA IP (Internet protocol) information, which could easily give a hacker a way to break into a NASA network." As discussed in class, this information could help a hacker get past the firewall and into NASA's network. This is a more pressing problem, as a hacker could already have breached NASA's system and made off with a great deal of confidential information. I believe that the best option for NASA now would be to find out which IPs were exposed and block them, as each computer must have been assigned an individual IP that can be looked up and blocked. However, this does not address the problem of information already lost. Truthfully, I see no possible way to account for this lost information.

NASA currently has a potentially massive security situation on its hands. "Our review found serious breaches in NASA's IT security practices that could lead to the improper release of sensitive information related to the Space Shuttle and other NASA programs," NASA Inspector General Paul Martin said in a statement. This statement adequately highlights the situation NASA faces. It should be noted, however, that because of releases of information and statements such as these, NASA is now on a short timeline to get its systems secure. Once the existence of a vulnerable system is public, it is only a matter of time before hackers are actively probing it for vulnerabilities to exploit. It may already be too late, but it is still better to minimize the damage done. Continuing statements in the article that highlight lax standards may only add to the problems NASA faces with its systems.

http://news.cnet.com/8301-13639_3-20025161-42.html