Security
Maybe those DLP $$$/record breached stats aren’t so far off…
by seth on Jun.16, 2010, under Security
I have often scoffed at some of the numbers used to cost justify Data Leakage Prevention (DLP) purchases. While I agree there is a pretty serious need for redoubled efforts at preventing (and moreover detecting) sensitive data leaving an organization’s control, I haven’t found myself persuaded by most of the “studies” that show crazy high $$$/record costs. Perhaps I am jaded, but often these reports feel as if they were funded by those with a vested interest in the results pointing in a particular direction (that of “buying our product makes cents” [sic]).
Fast forward to the DarkReading article that I first noticed this past weekend. In 2008, California passed two laws, Assembly Bill 211 and Senate Bill 541, which were aimed at further incentivizing health care providers to ensure the privacy of medical records. The laws went into effect 01/01/2009, but last week marks the first time that the California Department of Public Health (CDPH) has wielded its expanded power of fining facilities up to $25,000 per record for allowing unauthorized access to a patient’s medical record. CDPH has published the details here.
Five separate facilities were fined a total of $675,000. In total, the confidentiality of 245 medical records was breached. Although the fines varied (sometimes based on the number of people that accessed the records), in aggregate, that puts the cost per record breached at $2,755. A far cry from the $25,000/record mark (though some instances did receive that level of penalty), but still a substantial cost. Given the relatively low volume (when compared to the numbers frequently seen in credit card breaches), it is hard to anticipate whether the penalties would remain this high if thousands or tens of thousands of records were breached.
While I welcome the increased penalties that might help persuade organizations to make further strides in ensuring the confidentiality of sensitive data, I am worried about the (un)anticipated side effects. The CDPH has made the sanitized reports available on their website. One phrase seems to be a fairly common theme: “the facility reported the breach”. I applaud the facilities for reporting these breaches of medical privacy, but will every facility be so forthcoming given the potential for fines? Would a private for-profit hospital be hesitant to report the breach of 1,000 records knowing that it could result in $25,000,000 in fines? I hope not, but something tells me that not every health care provider would reach the conclusion that self-reporting is in their best interest. As a parting shot, know what the cost/day fine is if it is found that a facility didn’t report a breach? A hundred bucks… Seriously? Not sure a benjamin is a strong incentive for early reporting…
Quick synopsis of Cybersecurity Act of 2009
by seth on Apr.03, 2009, under Security
Just wanted to let everyone know that Stephen Northcutt has a quick section-by-section, 1-3 sentence review of the Cybersecurity Act of 2009 legislation (a.k.a. the Rockefeller-Snowe Bill) that was recently proposed.
http://www.sans.edu/resources/musings/1439.php
I just got my hands on a copy of the bill, and am gonna try to read through it while waiting at the doctor’s office this afternoon… Hopefully I can cobble some thoughts together this weekend.
Even if it doesn’t pass or gets completely rewritten, I expect this bill will be important for our field.
w3af Technical Segment on PaulDotCom Tonight
by seth on Mar.12, 2009, under Security
Just wanted to let you all know that I will be a guest on the PaulDotcom Security Weekly podcast tonight. I will be leading a technical segment on w3af, which is a very nifty free/open source tool for web application scanning/exploitation. Should be loads of fun!
The live stream should go up around 1845 EDT with the show starting around 1900 EDT. Further details can be found here: http://pauldotcom.com/security-weekly/
Hope to see you there.
Seth Misenar
SANS Protecting Your Web Apps
by seth on Mar.10, 2009, under SANS, Security
SANS Protecting Your Web Apps: Two Big Mistakes and 12 Practical Tips to Avoid Them
Not sure when this was released, but I am sure that it was pretty recently. From the title I wasn’t really expecting much, but was pleasantly surprised by the clarity with which the tips were explained. Frank Kim and Ed Skoudis co-authored this pithy 6 page paper.
Here is the description from the SANS Reading Room:
Many web application vulnerabilities are a direct result of improper input validation and output filtering, which leads to numerous kinds of attacks, including cross-site scripting (XSS), SQL injection, command injection, buffer overflows and many others. This article describes some of the best defenses against such attacks, which every Web application developer should master.
This offering looks to be part of a new series from SANS entitled, Working Papers in Application Security. I am looking forward to future papers if they are written as lucidly as this one.
Good work, Frank and Ed.
Here is the link to get the document: http://www.sans.org/reading_room/application_security/protecting_web_apps.pdf
Associative Wordlist Generator (AWLG.org)
by seth on Jan.14, 2009, under SANS, Security
Stumbled upon AWLG over at Darknet: http://www.darknet.org.uk/2009/01/the-associative-word-list-generator-awlg-create-related-wordlists-for-password-cracking/
This seems to follow nicely from the previous post referencing CeWL. It also dovetails nicely with me currently listening to Day 4: Password Attacks of SANS 560: Network Penetration Testing and Ethical Hacking…
So what does AWLG do?
“The Associative Word List Generator (AWLG) is a tool that generates a list of words relevant to some subjects, by scouring the Internet in an automated fashion.”
The about page indicates that MySpace pages, Wikipedia articles, etc. are searched. That “etc.” is pretty important, but it is a fun tool to play around with. The same Darknet article also makes mention of Wyd, but I think AWLG is a nice addition as you don’t have to have already downloaded the files to be searched, and can instead rely on internet search engines. Likewise, this tool has some capability beyond CeWL, again because you don’t have to already know where the associated content can be found. All in all a nice addition to my kit.
Also worth mentioning is AWLG’s stated privacy policy to “not record any transmitted search strings or user information”.
Definitely check out the cute stick figure animated explanation of AWLG – pretty funny: http://www.awlg.org/whatis.gen
SANS Log Management Survey
by seth on Jan.09, 2009, under SANS, Security
SANS posted their log management survey the other day. If you/your company deals with enterprise log management, then please participate in the survey. Results will be detailed in April at SANS Log Management and Analysis Summit in DC (http://www.sans.org/logmgtsummit09/).
Here is the link to the survey:
https://www.surveymonkey.com/s.aspx?sm=FCwjvfHzkGml4stgnYQ7rg_3d_3d
CeWL for Pen Testers
by seth on Jan.08, 2009, under Security
Shortly after flipping through Ed’s slide deck for Secrets of America’s Top Pen Testers yesterday, I noticed a fortuitous tool announcement come across the SANS GIAC Alumni mailing list. Robin Wood emailed to announce the release of a tool called CeWL: Custom Wordlist Generator (which is of course pronounced ‘cool’).
http://www.digininja.org/cewl.php
CeWL “spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper” (from the website).
Very nice. This tool dovetails nicely with Ed’s first tip from SATPT, “Build Password Guessing and Cracking Dictionaries”. In fact, it turns out that the tool was based on a PaulDotCom discussion, http://pauldotcom.com/2008/11/creating-custom-wordlists-for.html, which was in turn based upon content provided in Ed’s SEC560: Network Penetration Testing, which I will be teaching in Atlanta in February, https://www.sans.org/atlanta09_cs/description.php?tid=1717.
Whew… did you follow all that? Regardless of its origins, CeWL definitely looks like something I will be adding to my tool arsenal. Check it out.
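To make the quoted CeWL description concrete, here is an added example (my own illustration, not CeWL’s code, which is Ruby and is linked above). It does the core of what the description says in miniature: pull the visible words out of one page (no link following, no depth setting) and count them. The second half turns the same list to defensive use: a password-policy check that flags a proposed password built from the organization’s own public vocabulary, which is exactly the dictionary a spider like CeWL would hand to John the Ripper. The HTML page and the leet-substitution table are constructed for the example and are not from the tool or the post.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample page standing in for an organization's public website.
# Not a real site; the script and style blocks are there to show they get skipped.
SAMPLE_HTML = """<html><head><title>Acme Widgets - Careers</title>
<script>var tracker = "ignoreme";</script>
<style>.hero { color: red; }</style></head>
<body><h1>Welcome to Acme Widgets</h1>
<p>Acme Widgets builds the Thunderbolt line of industrial widgets in Springfield.</p>
<p>Our mascot, Sparky, appears at every Thunderbolt launch.</p>
<a href="/jobs">Join the Acme team</a></body></html>"""


class _VisibleText(HTMLParser):
    """Collect the text a visitor would read, ignoring <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self._skip_depth = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def extract_words(html: str, min_length: int = 3) -> Counter:
    """Lower-cased words from the page's visible text with their frequencies.

    This is the single-page core of what a spider such as CeWL does; CeWL
    additionally follows links to a configurable depth.
    """
    parser = _VisibleText()
    parser.feed(html)
    text = " ".join(parser.chunks)
    words = (w.lower() for w in re.findall(r"[A-Za-z]+", text))
    return Counter(w for w in words if len(w) >= min_length)


# Assumed table of the most common "leet" swaps, so that Thund3rb0lt is
# recognised as the site word thunderbolt. Extend to taste.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password: str) -> str:
    """Undo leet substitutions and drop everything that is not a letter.

    Deliberately permissive: digits and symbols that survive the swap table
    are simply removed, so 'Sparky99' and '$parky2010' both reduce to a string
    containing 'sparky'.
    """
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def site_word_in_password(password: str, site_words, min_match: int = 4):
    """Return the longest site word (>= min_match letters) found inside the
    normalised password, or None if the password is clear of them."""
    core = normalise(password)
    for word in sorted(site_words, key=len, reverse=True):
        if len(word) >= min_match and word in core:
            return word
    return None


if __name__ == "__main__":
    wordlist = extract_words(SAMPLE_HTML)
    print("most common site words:", wordlist.most_common(5))
    for candidate in ("Thund3rb0lt!2009", "$parky2010", "correct horse battery staple"):
        print(f"{candidate!r:32} -> {site_word_in_password(candidate, wordlist)}")
```

Dropping the policy check into an account-provisioning or password-change path (alongside, not instead of, a length rule and a breached-password check) closes the gap the post is pointing at: the words on your own website are the first thing a tester will feed to a cracker, so they should be the first thing your policy refuses.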
Ed Skoudis’ “Secrets of America’s Top Pen Testers”
by seth on Jan.08, 2009, under SANS, Security
Ed Skoudis sent a tweet yesterday announcing the immediate availability of his presentation from SANS CDI: Secrets of America’s Top Pen Testers. Obviously you will not get the full effect without Ed’s contagious excitement, but the 38 slides do stand on their own well. He is quick to point out (via the subtitle) that he did not name the presentation…
10 nicely presented tips (with Ed’s signature black hat, red screened goodness) at no charge…
http://www.inguardians.com/research/docs/Skoudis_pentestsecrets.pdf
2009 Trends in Network Security
by seth on Dec.17, 2008, under SANS, SANS Teaching, Security
Just received an email pitching the Community SANS SEC560 course that I will be teaching in February 2009. Glad I opened and read it, as I was informed that I will be giving a one hour webcast on 2009 Trends in Network Security. Good to know…
Here are the details:
SANS would like to give you a free sample of the training you will receive from the Community SANS Atlanta event. On Wednesday, January 14, we will host a free one hour webcast delivered by Community SANS instructor Seth Misenar entitled “2009 Trends in Network Security”. To register for this free webcast, please email community@sans.org and we will provide you with the registration details.
As always, please feel free to use my discount code, COINS-SM, for up to an additional 15% off the cost of this or any Community SANS class.
Google Sponsored…Malware
by seth on Dec.16, 2008, under Security
The folks at Websense Security Labs have found some malware that is leveraging users’ trust in Google to undermine them. Specifically, it abuses Google’s “Sponsored Links”, where folks pay Google to advertise their link at the top of the results for specific search terms. In Google We Trust…?
A thorough walkthrough can be found at the link below: