Tuesday, May 12, 2009

May I have your life, please?

Identity theft is far from new, but with the growing popularity of online accessibility, this has become a major risk that affects pretty much everybody. While most Americans are well aware of this risk and are taking several measures to prevent it, for others this is not so simple.

For Americans, the most common type of identity theft is a stolen password to an online service. If someone was clever enough to get you to hand over your password (through phishing, for example), he can log in to your account and, if it's a bank account or PayPal, steal all your money. Another type of identity theft is stealing a person's Social Security Number. With that, a thief can gain direct access to things like medical records, bank accounts and much more. Most people are aware of this and safeguard their SSN closely, but in other countries this is not the case.

In Israel, for example, the equivalent of an SSN is the Identity Number, a 9-digit number assigned to each person when he/she is born. This number is unique and will follow that person to the grave. It's printed on each citizen's Identity Card and driver's license and is the primary means of authenticating a person's identity. Unfortunately, the national identity card is notoriously easy to forge, which is why the Israeli government has been working on a smart-card based replacement. What's even more unfortunate is that the entire database of the Israeli population has been leaked to the public, and is freely available to anyone who knows how to download pirated music. In fact, this database, known as "Hipuson", "Shimoshon" or "Mirsham", has been going around for many years now. It's available on the eMule network, as well as on many file hosting services, although the plethora of versions in the wild makes it a little hard to find the most up-to-date version. This database contains not only the full name and ID number of every living citizen in the state, but also their full address, birth date and parents' names. With simple correlation, one can locate a person's parents, siblings, children and even neighbors, and some versions of the database even have this function built in. Politicians, singers and other celebrities are not exempt; their info is also included even if it was specifically redacted from the national phone directory. Using this database, anybody can choose a random person, or one of his enemies, and create a fake ID with that person's details and his/her own picture. As I said, it is rather easy, and anyone with a color laser printer, a bitmap editor and a laminating machine can do this. Once you have an ID card, you can access the target's bank account and medical records, and even sell his/her house and disappear with the money.

What can the Israeli citizen do? Basically, nothing. No one knows exactly how the database is being leaked, but there are many parties who have access to it. When the Israeli Police started investigating this issue in March 2008, multiple breaches were detected, from unpatched servers to server rooms left unlocked and unsupervised. Changing your ID number is not possible for a citizen; this has been done only in rare cases where serious damage has already been done to a person. The recent report filed by the Auditor General exposes this outrageous conduct, but like most of these reports, it is likely to be completely buried or acted upon very slowly. Perhaps the best solution is to keep your cash under the mattress?

Monday, May 4, 2009

Tunnel Vision

When waging our battles on the security front, most organizations just put all the big guns on the front line. We buy expensive load balancers to withstand DoS attacks, state-of-the-art firewalls to prevent penetration, VPN products to secure our back doors, etc. Whenever some major threat comes along, everybody jumps out of bed and rushes over to plug the hole, but at times like that we often forget one of the oldest tricks in the burglar's book - the diversion (a.k.a. "steaks for the dogs").

Unlike the movies, hacking into a network is not a wham-bam, thank you, ma'am deal. A hacker spends a long time conducting surveillance and gathering intelligence, and when he does move in, it will hardly seem like a commando attack. There won't be alarms ringing or security doors closing and sealing people off in safe rooms, and no SWAT teams will show up with megaphones yelling. More often than not, some minor file will be found to be missing or altered several days, weeks or months later, and that will lead to an investigation that reveals the break-in. If you get that dreadful 4 AM phone call telling you that the firewall's alerts are all over the place, or that your security center is detecting multiple attacks, that doesn't mean that someone is actually attacking your firewall.

Just like a commando unit trying to break into an army base will distract the guards with some explosions at the front gate while trying to sneak in through the back, a computer attacker will most likely try to get the entire security team to focus everything on the most visible notification mechanisms. He will use multiple mechanisms to trigger every possible alert on your security devices, and he will do it after midnight so that you and your security team are tired, angry and less effective. He will try to get you to spend as much time as possible blocking the DoS attack and plugging the holes, while he quietly sneaks in through some back door that's less obvious and less protected. You will find yourself running from server to server, trying to find your way through gigabytes of logs, and chances are you'll spend days on it. When things quiet down, you might find the actual leak or penetration, but by that time the attacker will be long gone.

If this has happened to you, don't be surprised. After all, most information security people are technology gurus, not military-trained commanders, and it's only normal to focus our attention on the most visible threat, just like a driver would focus his attention on the tree he's about to crash into rather than on another car that's about to crash into him (this is often referred to as "tunnel vision"). However, there is a way to handle this, and that is by preparing properly. Your organization's security policy should have this scenario specifically laid out, and the team needs to be trained not to treat every alert as an alarm. One way is to assign responsibilities to people and to stick to them. If there is a virus rampant on the network, the backup administrator shouldn't be told to forget about the backups "for now" and help clean up machines. On the contrary! He should continue his work and keep an eye out for anything suspicious or wrong with the procedure. If the firewall appears to be breached, the PC technician crew shouldn't be assigned to reviewing logs, but should continue to monitor the user request queue. Maybe an innocent account lockout request could reveal an account breach that is masked by the pointless firewall attack? Perhaps the virus was unleashed intentionally on the network so that the attacker could have uninterrupted access to the data on the backup server?

Another technique that has worked well for the physical security industry is the emergency level system. A company could create an emergency level scale and assign specific duties to each level. If a file was found to be altered, that would raise the threat level, which would have some people set aside their routine duties and investigate, but wouldn't throw the entire IT group into chaos and mayhem.
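The two ideas above (keep each role on its own queue during a flood, and escalate on a level scale rather than on raw alert volume) can be expressed as a small triage rule. The following is an added example, not code from the original post; the alert format, the role names in OWNER and the sample alerts are all constructed for illustration.

```python
from collections import Counter

# Role that owns each alert source (assumed mapping). Under a flood, each role
# keeps working its own queue instead of being pulled onto the noisy one.
OWNER = {"firewall": "network team", "auth": "helpdesk",
         "backup": "backup admin"}

# Constructed sample alerts: a burst of firewall denies (the visible noise),
# one quiet account lockout and one unexpected file change on the backup host.
ALERTS = (
    [f"03:5{i % 10}:00 firewall DENY 198.51.100.{i + 1} -> 10.0.0.5:22"
     for i in range(40)]
    + ["04:02:17 auth LOCKOUT user=jdoe workstation=PC-114",
       "04:05:40 backup ERROR job=nightly-db ledger.dat changed unexpectedly"]
)


def parse(line):
    """Split 'HH:MM:SS source message' into (source, message)."""
    _, source, message = line.split(" ", 2)
    return source, message


def triage(alerts, flood_threshold=20):
    """Separate a possible diversion (many alerts from one source) from the
    quiet signals that must still reach their owning role, and compute an
    emergency level on a simple scale:
      0 = nothing notable          1 = flood only (owning role handles it)
      2 = quiet anomalies only     3 = flood AND quiet anomalies: treat the
      flood as a suspected diversion and give the quiet signals priority.
    """
    counts = Counter(parse(a)[0] for a in alerts)
    flood = sorted(s for s, n in counts.items() if n >= flood_threshold)
    # Everything outside the flood is routed to its owner, never dropped.
    quiet = [(OWNER.get(parse(a)[0], "unassigned"), a)
             for a in alerts if parse(a)[0] not in flood]
    level = (1 if flood else 0) + (2 if quiet else 0)
    return {"level": level, "flood_sources": flood, "quiet_signals": quiet}


if __name__ == "__main__":
    result = triage(ALERTS)
    print("emergency level:", result["level"])
    print("suspected diversion from:", result["flood_sources"])
    for role, alert in result["quiet_signals"]:
        print(f"  -> {role}: {alert}")
```

With the constructed input this reports level 3: the firewall flood is flagged as a suspected diversion while the lockout and the altered backup file are handed to the helpdesk and the backup administrator respectively.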