Evolution and Future of Cybercrime

You can put the word ‘cyber’ on the front of just about anything and make it sound more “cool”, or “ominous” as the case may be. You don’t need to travel to Ethiopia when you can just visit CyberEthiopia. Instead of having sex, you can have cybersex. Why just commit a crime, when you can commit a cybercrime? No. Really. Why would you?

If you need to acquire $50,000 you would need to find a target with a fair net worth. You would probably need to be armed, risking the lives of others whether you have an intent to do harm or not. Your own life will be at risk. The obstacles to success and the odds of failure are both high, most likely resulting in your incarceration or death. At least in jail or 6 feet under, you probably won’t need that $50,000 any more.

What if you could just sneak $1 out of the wallet of 50,000 different people? They probably won’t notice. If they discover the $1 missing, they probably won’t care, or may even assume they just lost it or mis-counted. If they catch you in the act, odds are good that they will be disgruntled, however it is highly unlikely that the theft of $1 could result in physical harm, never mind death. Hell, if you simply ask 50,000 people to give you $1, you may be successful. Look at the kid that created the $1 Million Web Page. A little corny and very hard to read, but people lined up to give the kid $1 (I’ll bet he’s kicking himself for not thinking to make it the $10 Million Web Page). It could take some time to find 50,000 victims though.

Now, what if you could sneak $1 from 50,000 different people while sitting at your laptop in the local coffee shop? What if you never have to physically confront a single person, nor risk physical harm in any way? What if you could perpetrate a virtual crime, cyberpickpocketing? It has the word ‘cyber’ at the front, so it must be cool! How about if your cyberpickpocketing could net $50,000 today? How about in the next hour or two? That definitely sounds like a more solid business plan than the “Pickpocketing Across America” approach cited above.

That is the allure of cybercrime. As Marcus Ranum, CSO of Tenable Network Security and author of The Myth of Homeland Security, discusses on Tenable’s blog, cybercrime provides a criminal with a means of automation and anonymity, requires very little in terms of information technology knowledge or equipment, and can cross global borders in a heartbeat, making it easier to hide and harder to be prosecuted. Ranum’s post is an excellent read. For many of the same reasons: automation, efficiency, lack of potential for physical harm, mass-impact, anonymity, and difficulty finding and prosecuting an attacker internationally- cyberterror will also gain appeal (at least to those likely to find ‘appeal’ in committing acts of terror in the first place) in my opinion. But, we’ll save that issue for a future post.

_________________________________________

Tony Bradley
www.tonybradley.com
Essential. Computer. Security.


Live Virtual Roundtable Discussion of Windows Vista

On March 5th, I will be joining recognized Windows guru and Microsoft Technical Fellow Mark Russinovich and others to panel a virtual roundtable discussion regarding Windows Vista deployment. Are you still undecided about Windows Vista? Join us at 9am Pacific time on March 5th for a live, interactive discussion on adopting and deploying Windows Vista. The panel will feature subject-matter experts and IT pros from around the world who have tackled Windows Vista deployment, allowing you to hear about the challenges, workarounds, and tips & tricks we have learned along the way. You can ask your questions live during the event or e-mail your question in advance to vrtable@microsoft.com. The panel will answer as many questions as we can during the 60-minute event so take advantage of this opportunity to find out what you want to know about Windows Vista adoption. Click here to mark your calendar and save the date. You can also visit the Springboard Series for Windows Vista for access to guidance, resources, tools, and straight-talk articles today.


New Functionality in Windows Server 2008

Windows Server 2008 is set to hit the streets at an official launch on February 27. Many organizations are very excited about the latest and greatest server operating system from Redmond. There certainly seems to be greater anticipation for Windows Server 2008 than there was, or even still is, for Windows Vista. If you think that Windows Server 2008 is just Windows Server 2003 with a makeover though, think again. Microsoft has published a document titled Windows Server 2008: Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008 which is 341 pages long. That is not everything there is to know about Windows Server 2008, but almost 350 pages just describing how Windows Server 2008 is different than Windows Server 2003. Download the document from Microsoft and take a look through it to see what you have to look forward to. If you haven’t already, you should get a hold of a Beta or Evaluation copy of Windows Server 2008 so you can install it on a test machine and check it out for yourself.


New Self Assessment Questionnaires Released for PCI

The PCI Security Standards Council already had an SAQ (Self Assessment Questionnaire), but it was confusing and intimidating for some organizations. In an attempt to simplify and streamline PCI DSS compliance, they have released a set of 4 new SAQs designed for specific scenarios:

  • SAQ A: Addresses requirements applicable to merchants who have outsourced all cardholder data storage, processing and transmission.
  • SAQ B: Created to address requirements pertinent to merchants who process cardholder data via imprint machines or standalone dial-up terminals only.
  • SAQ C: Constructed to focus on requirements applicable to merchants whose payment applications systems are connected to the Internet.
  • SAQ D: Designed to address requirements relevant to all service providers defined by a payment brand as eligible to complete an SAQ and those merchants who do not fall under the types addressed by SAQ A, B or C.

For more information, and to download the SAQs, visit the PCI Security Standards Council site.


    TSA Opens Blog Site

    The TSA have been the butt of jokes and the bane of airline passengers’ existence since the infamous Al Qaeda attack on 9/11 of 2001. I will admit that I don’t hold them in high regard. Actually, I am sure they think they’re doing a good thing, and I don’t have any hard feelings toward the individual TSA agents per se. I just tend to side with Bruce Schneier about the logic of the TSA rules. I understand that the terrorists used airplanes in the 9/11 attack. However, their success in commandeering the aircraft was more a function of a flaw in the standard operating procedures for dealing with hijack attempts than it was related to screening passengers.

    So, now we all shuffle like cattle through airport checkpoints, barefoot and carrying a ziplock bag with cute little travel-sized versions of all of our personal hygiene products, and we’re supposed to feel more secure? First of all, Al Qaeda already ran this play. There are a million other methods of attack and potential targets. I don’t think we’re giving them proper credit for creativity or initiative if we think they’re going to use the same plan again. Second, how do the TSA rules and security screening make us more secure? I can’t take a box cutter (works for me- I wasn’t planning on breaking down any packing materials on board the plane), but I can take a pen or pencil and stab someone with that. Nail clippers are a no-no, but I could file down or sharpen a credit card that could potentially cut someone and not raise any suspicions at the checkpoint. The items being banned and allowed seem arbitrary and capricious and do nothing to make me feel safer.

    Add to that all of the stories of fake bombs or bomb materials making it through screening points when they are being tested and it doesn’t make me any happier about wasting an extra hour getting screened. For what? Coming through LAX on a trip, I was actually detained as a part of the random searches. They checked my passport, and went through my bags. I made it through just in time to catch my plane. Once on board, I realized that they had actually *missed* the dangerous ziplock of mini-toothpaste and trial-size shampoo. I had it in the ziplock, but forgot to take it out and “claim” it. Well, I sure am glad they stopped and took the extra 15 minutes to go through my stuff only to miss what they were looking for and let me through. Thankfully for them, and everyone on board my flight, my toothpaste really was toothpaste and my shampoo really was shampoo and I did not sneak through illicit chemicals that could be combined to blow a hole in the plane. Actually- I’m not a chemist and my name is not MacGyver. For all I know, you *can* blow up a plane by mixing toothpaste and shampoo- as long as it is whitening toothpaste and dandruff-control shampoo. But the point is, I didn’t. And thankfully the fact that the TSA couldn’t even enforce their own screening rules did not result in an attack. I am sure my experience is not all that isolated. On any given day, how many banned items do you guess make it through a checkpoint?

    Well, the TSA doesn’t like the negative feelings or bad reputation, so they have started a new blog site. They want our feedback and they want to work *with* us as partners in safe air travel. They had the audacity to name the blog Evolution of Security, somehow implying that what they do is evolving security in some way. The blog allows comments on the posts, and they are getting plenty of them. To be fair, they are asking for the good, the bad, and the ugly. They want to hear your gripes and complaints. The problem for me is the idea that they are going to address the gripes and complaints and fix things. For me, the whole thing is smoke and mirrors with no real security substance- “Security Theater” as coined by Bruce Schneier. The “solution” is to give up the illusion of security instilled by a lengthy and tedious screening process and devote our DHS and TSA resources to more legitimate security concerns.


    Metasploit 3.1 Released

    Metasploit 3.1 was unleashed on the world today. According to the press release posted on the metasploit.com site, this “latest version features a graphical user interface, full support for the Windows platform, and over 450 modules, including 265 remote exploits.”

    The legitimate value of the Metasploit Framework has been debated. Some security experts feel it is little more than a tool for script-kiddies and wannabe hackers to use to wreak havoc on unsuspecting targets. On the other hand, tools such as Canvas, or Core Impact, do essentially the same thing and are considered valuable tools for security researchers. The main difference between the products is that Canvas and Core Impact cost a lot of money, and Metasploit is free.

    I was originally of the opinion that it was simply an attack tool cleverly disguised as a security tool, but I have since jumped the fence and consider Metasploit to be one of the best tools available. Security administrators can use it to test the strength of their computer and network security. Security researchers can use it to try and poke holes in software applications and services. In the most recent Top 100 Security Tools survey, Metasploit came in at #5 behind such well-known category-dominating products as Nessus, Wireshark, and Snort.

    You can download the latest version for free from the Metasploit.com site.


    Vista Declared Most Secure OS

    Microsoft’s Director of Security, Jeff Jones, published the One Year Vulnerability Report for Windows Vista, in which he demonstrates that Vista is the most secure OS ever measured (based on the criteria used to calculate the first year vulnerability report).

    Granted, the declaration came from Microsoft, so many will take it with the proverbial ‘grain of salt’, or discredit it entirely. For example, Eric Shultze, the CTO of patch management company Shavlik Technologies, was quoted in an InfoWeek article stating “When you start counting vulnerabilities, it’s a matter of defining vulnerabilities. For example, if a bulletin is released for Internet Explorer, that’s one patch for IE. Microsoft may have broken it out to say there are five distinct issues fixed in this patch. Is that five vulnerabilities or is that one vulnerability because it’s one patch?”

    Of course, any time Microsoft claims that their software is secure, particularly if they claim it is more secure than anything else, it is going to generate a fair amount of controversy. Some of the accusations have been that Microsoft bent or invented statistics that make them look good, or that the picture they painted is only true of a narrow configuration of Windows Vista and not the operating system as a whole.

    Well, my fellow Microsoft MVP, Jesper Johansson, takes an in-depth look at the various claims and backs them up with hard data on his blog. As co-author of Windows Vista Security, I think Jesper is more than qualified to analyze the issue. Check out Do Vista User’s Need Fewer Security Patches Than XP Users? for a fairly detailed breakdown of the data.


    Sneak Peek at Next Generation Windows

    While the debate rages on about whether Vista is worthy of being Microsoft’s flagship operating system, development marches on to replace it. It is still very early in the process. The screenshots that were leaked by ThinkNext reveal an interface that is strikingly similar to Windows Vista. The version shown in the leaked screenshots is Windows 7 Ultimate version 6.1 (Build 6519.1.x86fre.winmain.071220-1525). This is version M1. There will supposedly be an M2 by this summer, and an M3 before the end of 2008. Assuming that schedule is maintained, the product would still need to go through various stages of Beta testing, Release Candidate reviews, and then finally the RTM (released to manufacturers) version before it hits the shelves. My guess is that we won’t see this next generation Windows operating system until late 2009 at best. It is so early in the process, I am not even aware if this product has a codename beyond ‘Windows 7’. I don’t know about codename, but I think that the final release should be Microsoft Windows Horizon. It seems to flow well as a follow-up to ‘Vista’. By definition, ‘horizon’ means “range of perception or experience, or something that might be attained”. Microsoft hasn’t asked my opinion (yet), but when they do I will recommend they go with Microsoft Windows Horizon. When it hits the streets, you will remember this post and think “hey! that is the name that Tony Bradley guy said they should use” and reminisce about how “you knew me when…”


    My Secret Identity

    I think I know what Superman, Batman, and all those other superheroes feel like while masquerading around as their alternate identities. Maybe not. First of all, I am not a superhero (just so we clear that right up). Secondly, they chose to have a mild-mannered alternate identity. I did not.

    Here is the issue. I lead 2 lives. There is my ‘day job life’, where I am just another security consultant in a consulting firm. My managers within the company are aware of my ‘superhero life’, but it doesn’t seem to hold any actual weight with regard to anything in my ‘day job life’. I get assigned to mundane projects like everyone else. I go work for clients who don’t know about my ‘superhero life’. You wouldn’t know I even had a ‘superhero life’ by watching me in my cubicle all week.

    Ironically, I sometimes find that people follow my ‘superhero life’, but don’t put 2 + 2 together to realize I am the same person. It’s sort of like Lois Lane lusting for Superman and talking about Superman all day…with Clark Kent, while having lunch with Clark Kent. They may read my blogs and articles, or may even have a book I have written or co-authored sitting on their desk, but fail to realize that I am THAT Tony Bradley.

    For the most part, it works out OK. ‘Day job life’ pays the bills and provides benefits. ‘Superhero life’ is fairly lucrative. It does get a little frustrating at times though. It seems to me that my notoriety, never mind my knowledge and skills, could be put to better use in ‘day job life’ if they would embrace my role in ‘superhero life’ and leverage that. How popular do you think The Daily Planet would have been if everyone would have known that the 2nd-string reporter hanging out with Lois Lane was actually Superman? I’m guessing it would have boosted sales a tad.


    The Sky Is Falling….Again

    Remember the IT apocalypse commonly referred to as ‘Y2K’? That was when every computer system in the world was going to shut down or fail in some way because the internal date would not be able to comprehend that the year ‘00’ was the year 2000 rather than 1900. Of course, the troops were mobilized and the crisis was averted.

    Then there was last year’s Daylight Savings Time apocalypse. This one was going to wreak havoc around the world as a result of the change in the beginning and ending of Daylight Savings Time in the United States. Computer systems and software applications would be confused about what time it really was in the United States and all kinds of chaos would ensue. This crisis did not quite live up to the hype either.

    Let’s hope the latest and greatest “sky is falling” apocalypse is as anticlimactic as the first two. The new one is the Y2K38 bug. As of 2038, [Read more →]