Sunday, May 27, 2012

On the Recent Blizzard and Diablo 3 Account Compromises

As an avid Diablo fan, I eagerly watched and waited for Blizzard to create Diablo 3. My first impression is that they did a masterful job creating it. Yes, there are some initial frustrations, but it definitely has that Diablo feel to it and despite the running jokes about Error 37 as a new prime evil, I've found that the most powerful boss enchantment has been Time Thief - the ability to suck hours off the clock without me realizing it. Bravo, Blizzard, Diablo 3 is a triumph!

But recently there has been a lot of controversy around compromised accounts in Diablo 3. Many players have found that their characters have been stripped of gold and high-level gear. That's as much a tragedy as being robbed in the physical world - the possessions you've worked for so long and felt so happy to acquire are taken from you by an unknown assailant. People feel violated and angry, which is understandable and which is our nature. Many have lashed out at the closest target. 
The most common and convenient target of anger has been Blizzard's security and practices. Many accusations have sprung up that Blizzard, its servers, the game or other technology has been "hacked" and that essentially any player or account could be compromised because of that. In an interesting parallel, this is commonly the first thing people assume when their bank account has been compromised. 
 
The banking world has long confronted security challenges for online services. For as long as online banking has been a reality, malicious individuals have been hoping to compromise accounts and steal money from them. And so banking has come a long way in combating those threats. I've performed dozens of audits for financial institutions around their information security practices, including a component dealing with authentication in online banking (FIL-103-2005, FIL-77-2006 and FIL-50-2011 if you want to look it up). 
Today, banking is one of the safest activities you can engage in online, although it is also one of the most targeted. Cybercriminals from around the world target banks, banking sites and accounts and it has become every bit as disciplined and efficient as any business. The complexity and innovation is staggering. Yet excellent security measures taken by banks effectively thwart almost any attack out there, when used as intended on both the bank's side and on the account holder's side. 

Most bank account compromises in the last decade or so haven't happened because the bank was hacked - they've happened with legitimate account credentials. It used to be that most online banking accounts were compromised by the victim giving away their username and password or other sensitive information after clicking on links in fake emails. But banks improved the security and attackers responded by becoming more sophisticated. Now most of the time compromises happen because the account holder logs into their account from a computer that has malicious software installed. And it's highly likely that this is what has happened with most of the Diablo 3 account compromises. 
So how does this relate to Blizzard and to Diablo 3?
Blizzard has, in fact, said that malware has been the root cause in nearly all of their compromise investigations. Today's cybercriminals have become very sophisticated in their methods. As Blizzard has also pointed out, there is no one way that they get the information and access necessary to compromise accounts. Essentially they use whatever means they need to, in order to get what they want. In practice, this means there are likely multiple groups, each using many different types of attacks to get as many accounts as they can. 

As with bank account holders, gamers have gotten more savvy about giving away information which would allow someone else to access their account. But the attackers have adapted as well and use other ways of getting that information than by sending fake emails. Here are some of the more creative and sophisticated ways the thieves operate.
  • By calling you, if you can believe it! There's a good video walking through a typical attack where a cyber criminal may call you on the phone
  • Text messaging or emails directing you to call a phone number, usually about account compromise, expiration or closing. The phone number then has a recording asking you to enter your information. You never even have to talk to a person and you've given up too much information.
  • If you are using the same email address and password on another site, if that site is compromised your Diablo 3 account may be too. These compromises happen somewhat frequently, such as the Gawker Media account compromise a couple of years ago. 
  • It's possible to buy compromised systems from cybercriminals. Many of the more sophisticated networks have millions of computers that are infected - far too many for the original criminals to take advantage of. So they sell access to others.
  • It's also possible to buy accounts from cybercriminals. Often they have account credentials for systems they don't typically target - for example if they only target bank accounts, they may sell gaming accounts for some additional profit.
  • Newly compromised accounts are prioritized. The criminals have so many accounts they target the ones that have the highest net worth first. There are stories of operations centers with account queues where each new account is evaluated and ranked according to the amount of money the thieves can get. 
By far the most common way most bank accounts are compromised, and likely Diablo 3 accounts, is simply by installing malware on your computer without you knowing it. Without going into the myriad ways that this can happen, it's sufficient to say that you don't have to visit the shadier side of the Internet to run into malware. Most sites that distribute malware are legitimate. In fact, more than 90% of infected sites find out that they're compromised from someone else. Even some of the most mainstream sites have become malware distributors at times - ESPN, NASA and the Wall Street Journal have all infected their visitors with malware. Many of these sites use standard malware toolkits which exploit dozens of vulnerabilities, generate new malware package for each site visitor and test it against the common antivirus suites before sending it along. It sounds like science fiction, but it's not.
How to protect yourself? 
Security is hard. That's what makes it so hard for an organization like Blizzard to give you one simple answer. But that's not what a lot of people want to hear - even the people in charge of security for companies with huge budgets to protect their information assets often ask "What's the one thing I should do?" So it's not a surprise that most individuals would look for the "silver bullet" solution, if you will.
It's hard to describe how to protect yourself much better than Blizzard themselves did. So instead of rehashing it, I'll just link to Blizzard's excellent article on keeping yourself safe from account theft. But if you're in a hurry I'd say the top 3 things you can do are:
  1. Use the authenticator. Banks use similar technology to protect millionaires and billionaires. If you value your stuff, you can't get a better bargain than this! Even the cost of the physical token is inexpensive compared to what it's worth. Blizzard modestly says they're selling these at cost, but that really means they're taking a loss because of all the infrastructure and personnel resources they deploy on the back end. If you're looking for a "silver bullet" to protect your Diablo 3 account, this is the closest you'll come.
  2. Don't reuse passwords. If you use the same password for your email, battle.net and bank, odds are you're practicing poor password security. My recommendation is to use something like LastPass or KeePass, which make good password security easy.
  3. Update your OS, browser and plugins. Most modern operating systems and browsers will automatically update for you. But it's easy to see the update notification and procrastinate. Don't. Don't wait more than a day or two to update, once you see the notification. For plugins, it's sometimes harder because they don't often announce their updates. Adobe Flash, Adobe Reader and Oracle/Sun Java are the main attack vectors used of all the plugins out there, and they're getting better about notifying you of updates.
How can Blizzard do more to protect you?
I want to preface this section by saying that I don't know the details on what Blizzard is doing on their end to protect player accounts. I'd guess there's a lot going on that they don't talk about, or at least that I haven't read about. But that doesn't mean they can't improve. But I know they're already doing a lot to secure accounts. In many cases, more than your bank does! Things like forcing stronger passwords, investigating many of the reported instances of theft, publishing and linking to a great deal of information, giving you the authenticators, proactively communicating security steps. It even seems like they're refunding money to some gamers whose accounts were compromised, even after determining that Blizzard wasn't at fault - that's got to be some of the best response ever from a gaming company!
What follows is a few ideas I've taken from other industries that may help Blizzard improve. (Or not - again, I don't know for sure what they're doing on their end.)
  • Look at metadata associated with each previous login for the account. Often this metadata will differ between legitimate and malicious login attempts. Things like geolocation, keyboard layout, OS or game language or other data will be significantly different between a player and a thief.
  • Watch the common locations where compromised accounts are publicly posted for any gamer accounts that use the same account name or email address.
  • Drop a unique "cookie" that identifies the system a player logs in from. If the cookie has changed since the last login, or the cookie has been used with multiple accounts, this should raise a flag.
  • If there are multiple logins in rapid succession from a single IP or IP block, this should raise a flag.
All of these items can be indicators of a potentially compromised account or of a potential cybercriminal. Of course these measures consume personnel and system resources, meaning it will cost more to administer - but then how much do the reputation damage and time spent answering questions cost? And it will also result in frustrated players unable to login - but then you can take the stance of "we're sorry that you're unable to login, but it's for your own security" which is hard to argue with. And in conjunction with an email address, phone number, Skype or Twitter account, or other contact mechanism these false positives can be resolved very quickly.
And for our part, players should really be more tolerant of security measures. Again, adding an authenticator to your account takes an additional 5 minutes to set up and 5 seconds to use in practice. But it cuts the probability of compromise to nearly zero even if your system is fully compromised! And if you're like most people I know today, you appreciate it when your bank stops an apparently fraudulent transaction, even if it turns out to be legitimate. So do what's needed to help yourself be more proactive with security. A little initial setup can save you a lot of frustration in the end.

Is there anything I've missed? Do you have a different opinion? I'd love to hear about it so I can address the concern or amend my article. Constructive feedback is always welcome.

UPDATE: In an interview, a Chinese gold farmer claims to know the source of compromised accounts. According to him, forums are being compromised and the email addresses and passwords from there are used to try to log in to Battle.net. This is a pretty common tactic and underscores the importance of using unique passwords across sites and games. And if you're not willing to do that, get the Authenticator which will prevent this.

Wednesday, May 23, 2012

New Research Published on Mobile Malware

Researchers at NCSU have started the Android Malware Genome Project, which is designed to identify and classify known malware samples for study. The researchers' results were recently presented and published at the Proceedings of the 33rd IEEE Symposium on Security and Privacy in San Francisco, California. The paper, entitled Dissecting Android Malware: Characterization and Evolution (PDF link), analyzes the 1,200 samples collected between August, 2010 and October, 2011. The research analyzes the samples to attempt to determine how it is installed (infection vector), how it updates and its primary activities on the mobile device, as well as the sample's relation to other samples.

The research groups infection vectors into several categories. Far and away the largest infection vector is through repackaging and redistributing modified versions of legitimate applications. The second group is spying applications - that is, software for one person to watch another person's activities. Some malicious software purports to do something (which it may or may not), but installs malware in addition - these are so-called Trojan Horses.

There were also several primary types of activity that the samples performed. Many of the samples attempted to elevate privileges on the device by taking advantage of a flaw in the Android operating system. The goal with this action is to allow the application to have greater access to the functionality of the device. Nearly all of the samples attempted to connect the device to a larger group of compromised devices controlled by the malware authors - a so-called Botnet. Researchers found that another common activity was contacting premium services, such as SMS text messaging. Many of the malware samples also collected information, such as user accounts, text messages and phone numbers.

The researchers also looked at the evolution of the malware samples and families over time. Specifically they looked in depth at two malware families to illustrate the rest, DroidKungFu and AnServer Bot. These two malware families show that authors have incorporated many sophisticated features to help circumvent detection and frustrate researchers attempting to study the samples, among other things. And their analysis showed that mobile malware is rapidly maturing.

Some other interesting analysis was performed on the samples. The researchers ran all the collected samples against four mobile anti-virus packages Detection rates ranged from 20-80% effectiveness, with a big name A/V company firmly at the back of the pack. Unknown malware is likely much more successful than these results indicate, meaning anti-virus software really needs to catch up.

Wednesday, May 09, 2012

Securely Deleting Data Before Donating or Recycling Your Devices

Katherine Boehret has a good article over on All Things D about recycling your technology. But it overlooks one crucial point - you need to make sure your information is deleted before you hand it over. If you don't, your information, including financial data, could wind up in someone else's hands. A recent case-in-point was made when many refurbished Motorola Xoom devices were sold with their old owners' data still on them. When that happens it can lead to embarrassment (think private photos, videos), identity theft, financial fraud or other unpleasant things.

To avoid any of these calamities, you'll want to take steps to wipe out your data. You should do this regardless of what the company or person you're giving it to tells you. But don't worry, securely erasing your information has never been easier! Many devices have mechanisms built in to do just that. And there are some good tools out there for your desktops and laptops.

Securely Erasing your iPhone, iPod Touch or iPad

Apple's website has simple instructions on how to securely erase an iPhone, iPod Touch or iPad. Here are the steps from Apple's support site:
You can remove all settings and information from your iPhone, iPad, or iPod touch using "Erase All Content and Settings" in Settings > General > Reset.
For even more security, plug your device into your laptop and use iTunes to restore the device to its factory settings (but do not restore from a previous backup) before using the Erase All Content and Settings feature. Here are the steps from Apple's support site:
  1. Verify that you are using the latest version of iTunes before attempting to update.
  2. Connect your device to your computer.
  3. Select your iPhone, iPad, or iPod touch when it appears in iTunes under Devices.
  4. Select the Summary tab.
  5. Select the Restore option.
  6. When prompted to back up your settings before restoring, select the Back Up option (see in the image below). If you have just backed up the device, it is not necessary to create another.
    Prompt text: "Do you want to back up the settings for the iPod before restoring the sofware?"
  7. Select the Restore option when iTunes prompts you (as long as you've backed up, you should not have to worry about restoring your iOS device).
    Prompt text: "Are you sure you want to restore the iPod to its factory settings? All of your mnedia and other date will be erased."
  8. When the restore process has completed, the device restarts and displays the Apple logo while starting up:
    Prompt text: "Your iPod has been successfully restored to factory settings, and is restarting. Please leave your iPod connected. It will appear in the iTunes window after it restarts."
    After a restore, the iOS device displays the "Connect to iTunes" screen. For updating to iOS 5 or later, follow the steps in the iOS Setup Assistant. For earlier versions of iOS, keep your device connected until the "Connect to iTunes" screen goes away or you see "iPhone is activated."

Securely Erasing your Android Device

If you have an Android phone or tablet, you also have an easy option to securely erase the data. Though it's not quite as simple as with Apple devices, since Android has many versions and many devices that it supports. On Android, within the Privacy Settings dialog there is an option to delete all the data. The Google online manual for Android describes the option this way:
Opens a dialog where you can erase all of your personal data from internal tablet storage, including information about your Google Account, any other accounts, your system and application settings, any downloaded applications, as well as your music, photos, videos, and other files.
You should make sure that you have selected the options to delete internal memory and any memory on a SD card. If you don't have that option, the easiest thing to do would be to simply remove the SD card before donating, recycling, selling or giving it away.

Securely Erasing your Blackberry Device

Research In Motion's Blackberry devices differ in the steps to wipe them. Instead of trying to mention all versions and models, I'll suggest you look through Settings, Options or Device Settings to find something that mentions Security. In there, you should find something that says Security Wipe or Wipe Handheld. For specific directions you may be able to search the web and find help.

The same advice for SD cards applies to the Blackberry as to the Android phones. If it doesn't offer you the option, you should probably just the card.

Securely Erasing your Windows Mobile Device

Microsoft Windows Mobile also has multiple versions with different ways to securely erase your data. And again, my advice is to explore on your own. Look through Settings or Options until you find something called System Tab, Security, or About. In there you should see Reset, Reset your Phone or Clear Storage. Again, for specific directions you may be able to search the web and find help.

And for SD cards on Windows Mobile devices, you should likely just keep it.

Securely Erasing your Desktop or Laptop

There is some great free software called DBAN that will securely erase data from your desktop or laptop. I've personally used it for years and highly recommend it. Simply download the ISO file and burn it to CD or DVD. The method to do this varies across operating systems. If you need help, search the Internet and you'll find lots of information.

Off Topic: Traveling with Technology

There was a Twitter conversation with Martin McKeay and Jerry Gamblin today talking about how geeks handle traveling with all our technology. Jerry suggested that Martin write a blog post, but I decided to beat him to the punch. ;) This is part of an upcoming series of posts to my travel blog under the heading of Traveling Skills: The Art of Packing. In this post I describe how and what I pack as a geek who travels with technology, as well as why. Even though it's a bit off topic, I'm mentioning it here since so many of the folks who read this blog travel a lot.

I hope you enjoy it! Tips for Traveling with Technology

Detecting DNS Changer Infection with CloudFlare and OpenDNS

If you're using CloudFlare to enhance speed and security (it's a great, free service, by the way!), you'll want to check out one of their latest apps, created in conjunction with OpenDNS. The app will notify your website visitors if they are infected with the DNS Changer malware.

If you're not familiar with the DNS Changer malware, it modifies settings of the victim computers, rerouting traffic to banks and other sites of interests through the hands of the bot masters. This means sensitive information could be compromised.

Last year the FBI was able to legally take over the DNS Changer rerouting systems, protecting the victims to some degree. However, the FBI has to relinquish control in July, meaning victim systems which have not been fixed will be unable to access websites as normal. The FBI has an in-depth writeup on the DNS Changer malware (PDF link), along with information on how to find out if you're infected and how to fix the problem.

Enter the CloudFlare application. If you enable this application, CloudFlare will notify DNS Changer infected visitors to your website that are compromised. They also provide a link with instructions on how to fix the problem. Here's what the notification looks like:

Friday, May 04, 2012

Firewalls and Anti-Virus Aren't Dead - Should They Be?

Over the last several years, firewalls and anti-virus have been losing effectiveness. Many in the information security community have recognized this. Unfortunately many of the business and operations people haven't. The threats that these technologies (tools to assist in a solution, not the solution themselves) were designed to solve have changed. That's not to say that they do nothing - they can still be useful - but your organization needs to know what they're meant to counter and how to use them properly.

I was inspired to finally write this down by a story Wendy Nather contributed to Infosec Island, entitled Why We Still Need Firewalls and AV. While I agree with her general premise, I think the article doesn't get to the real heart of the issue. When firewalls and anti-virus were all we had and effectively countered the threats we faced, they tended to be used more as they were designed. But now, firewalls and anti-virus don't counter the majority of the threats and aren't used very well.

Firewalls were invented a couple of decades ago to keep Internet-borne threats out. The firewall has its roots in the early 1990s, a time when commerce was prohibited on the Internet and most companies didn't have any presence there. As computer networking grew in popularity, connecting to the Internet was a way to share information across organizations, as well as internally. However, within a decade, Internet attacks were prevalent and organizations needed a way to protect the devices on their network. The firewall was popularized as a way to enforce a hard separation between the outside and the inside. The major advantage to this approach was that it was much cheaper than securing every single device. And at the time just as effective, since most devices had no need to communicate over the Internet and so a small set of connections were allowed to pass through the firewall.

The Internet landscape has changed drastically since then. And with it, the Internet threats. Modern business processes are highly dependent upon and thoroughly integrated with the Internet. Organizations invite masses of Internet devices into their network to deliver web pages, email content, support mobile devices and dozens of other reasons. At the same time, devices within the network routinely initiate communications to the Internet and pass data back and forth. Firewalls have gotten better, but they simply can't handle the new ways in which organizations work on the Internet, nor the more sophisticated threats. They still have a use as a tool to protect networks, but more tools are needed.

Similarly, anti-virus was first developed to detect, prevent and remove individual viruses. These software packages were simplistic, identifying malicious programs and files by looking for indicators or "signatures" that were unique to each virus. This was, again, before the Internet was widely used and most virus transmission was very slow. The anti-virus industry was easily able to keep up with new viruses and forms of existing viruses. This was a time when the number of specimens was very small and they didn't change very often. Updating the signatures was a task done once a year or so, and in fact when the subscription-based licensing model for anti-virus was initially launched it was widely viewed as somewhat of a betrayal of trust - paying continually for the same software. It was a different time.

But today's situation is vastly different from what anti-virus was designed to deal with. Because of the proliferation of Internet connectivity, malicious software spreads very quickly. Instead of taking months to spread to thousands of systems, it takes seconds to spread to millions. And the malware itself has become much better at avoiding detection, taking steps to hide its signature. Most viruses today are obfuscated a number of times and checked to make sure no anti-virus software can detect it - all in a matter of seconds, and all before it's sent out to its victim. And viruses are often created and distributed in such a way that anti-virus vendors don't get a copy before the malicious software finds its victim. And when it does infect a device, it frequently disables any anti-virus software and hides in such a way that it can't be detected except by sophisticated, usually manual techniques. Anti-virus software largely still relies on signature based detection, which is increasingly growing ineffective and often slows down system performance.

Further decreasing the effectiveness of firewalls and anti-virus in organizations is the way they're used. Because of the massive number of connections in and out of a network, definitions of what is and is not allowed and exactly how to allow or deny network connections have become a sprawling mess. And underneath all this complexity, many organizations don't even do the basics right - properly configuring and managing these tools. And administering anti-virus often means running daily reports of issues and sending a technician onsite to manually investigate what's gone wrong. Firewalls and anti-virus cost many organizations millions of dollars a year and are failing to do what they should.

So why should we keep these things around? In the case of firewalls, they do exactly what they are supposed to do and do it quite well. Organizations just need to get smarter about using them. That means limiting firewalls' purpose to what they do well and handing off other duties to other tools. In addition, organizations need to make sure they have a good firewall management program - even small organizations. And anti-virus should be re-understood as a broader concept of endpoint protection. This includes securing configurations and access, restricting software to that which is known to be safe and putting tools in place to detect anomalous behavior. Anti-virus software packages can help fulfill the last piece - telling systems administrators that a known threat has been detected or that suspicious activity has been happening.

But one thing I think we as security professionals should be advocating is reducing the amount of money and resources spent on these technologies. Instead, shift to more effective ways to secure an organization. For example, by providing better training to IT staff for using with the existing tools and technologies. Or improving security awareness programs so that viruses (not to mention many other types of attacks) are less likely to be effective. In the end, this will allow an organization to maintain the same level of security at a lower cost or to increase security at the same cost.

Wednesday, May 02, 2012

What Infosec Can Learn from Enron

Enron's financial auditors and management conspired against their investors. The system that was supposed to protect against this kind of fraud, instead worked against the people it was supposed to protect. And there was hell to pay when the organizations collapsed and when the fraud was exposed. The Harvard Business Review today makes the point that just because an auditor approves something, that doesn't always mean its right.

Information security professionals, take a lesson from Enron: auditors aren't the sole authoritative voice, and they can be fooled or coerced just like anyone else. Too often internal and external auditors are trusted as the arbiters of what's right and wrong. But this can fail an organization if the executives don't understand what role the auditors should be playing.

Auditors serve as an important check on the system by assessing against a known framework. But there is always room for interpretation in any standard. That's especially true in areas where standards are evolving quickly or where a new field is opening up. That was the case for Enron with the "mark to market" strategy, and that is true today in Infosec.

How do auditors fail the organizations they serve?
Let's use the Payment Card Industry Data Security Standard (PCI-DSS) as an example. The PCI-DSS has done a lot of good over the years it has been around. But as IT, payment systems and threats have changed, it has had a hard time keeping up. As an instructor famously said in a class I attended, the DSS only changes once every two years; but the Security Standards Council (SSC) can change the meaning of the words they use at any time.

The PCI-DSS has also heavily misinterpreted. The standard is meant to be flexible so organizations can find the right security controls, rather than blindly following what's written. However, many auditors stick staunchly to the standard, verbatim. That means the company either has to jump through hoops to get their official compliance stamp, or can game the system to fit within the narrow definitions. Other auditors are so easily influenced or coerced by their client that virtually any control is deemed adequate.

And there's room for abuse of the standards, as well. Some audit companies are well-known for providing "clean" or "green" reports to their clients (sometimes those who spend above a certain dollar level), regardless of what the actual security looks like. Breaches have left several organizations wondering why they paid high fees to auditors who didn't find the security flaws.

So it's important to know how much to trust your auditors and what role they serve. You can't give them authority to make your decisions for you, but you can use them as advisers. In the Enron case, their auditors had huge amounts of business in other areas, meaning there was a conflict. In your organization the auditor may be trying to get a big contract, unseat a competitor, make a name for himself or whatever. In these cases the bad advice is almost always unintentional, but still present.

Probably once every month or two I speak with a high-level executive looking to hire someone to check behind their auditor. It's usually because the executive suspects of one of the failures above. In reviewing the work done by the auditor I usually find that the executive's instinct is right.

How can you help your audit succeed?
Choose your auditors carefully and use the right process. I helped write the SANS whitepaper How to Choose a Qualified Security Assessor (PDF link) and there's other good questions to ask for choosing an auditor elsewhere. But it goes beyond just choosing the right auditor, you have to have the right audit process in place. Here are some tips to avoid the pitfalls that got Enron into trouble.
  • Evaluate Reputation. Not just whether they've done a lot of audits before, or whether all their clients pass, but whether they are perceived to have high integrity, technical capabilities and security knowledge. Don't get this from the auditor or their hand-picked references, ask around. Reputations follow companies and people and are spread quickly.
  • Evaluate Skillset. Auditors falling too far toward leniency or rigidity often do so because they are not well-versed in IT and security. That means they don't understand the intent of the standards they're auditing against, which means they can't possible give you good advice that's outside of the letter of the standard.
  • Oversight. Make sure there is good oversight of the auditors that are performing the work. This could be done by an internal audit group, a CISO or even a CIO. The point is that someone needs to make sure the work is not just done, but done right - thorough, accurate and independent.
  • Use Auditors as Checks. Don't forget that auditors should be checks on what you're doing, they shouldn't be telling you exactly how to do it. They've often got a lot of good advice, but you have to weigh that advice carefully within the context of your business and your ethics.
But even going through a thorough diligence process can get you stuck with a bad auditor. That happens. But when it does, you've always got the option to get a second opinion. And I'll leave you with a great video on some signs you've got a bad auditor.