Tuesday, December 13, 2005

Non-Technical Means Unearth Best Intrusions

Thanks again to the latest SANS NewsBites, I learned of an interesting trade secret theft case. From the CNET News story:

"John O'Neil, former CEO of Business Engine Software, pleaded guilty in a San Francisco federal court on Wednesday to conspiracy to download and steal the trade secrets of software competitor Niku over a 10-month period...

From October 2001 until July 2002, Business Engine used the passwords to gain unauthorized access to Niku's systems more than 6,000 times and downloaded over 1,000 confidential documents containing trade secrets, the complaint alleged. The stolen documents included technical specifications, product designs, prospective customers, customer proposals, client account information and pricing.

Niku discovered the break-in after a Business Engine salesman made an unsolicited call to one of Niku's prospective clients, a Nike employee who happened to be related to Niku's chief information officer, Warren Leggett. The call raised suspicion because the Nike employee was not ordinarily responsible for software purchasing decisions, had never heard of Business Engine and had no idea how the salesman had obtained his contact information, according to a declaration by Leggett.

The incident prompted Leggett to examine his company's computer logs and files from his recent meeting with Nike. He quickly determined from a trail of Internet network addresses that someone from outside the company had been stealing files. Leggett was able to trace the intrusions back to Business Engine by using Internet domain registration information and publicly available Internet tools." (emphasis added)

Whoa. Niku has been 0wn3d for 10 months, and accessed "more than 6,000 times," before a freak family relation caused the right gears to mesh. What kind of security did Niku have (or not have) that would let a compromise continue undetected and unimpeded for so long?

The sad fact is that many of the most interesting intrusions (i.e., not worms, or bots, or viruses) are discovered by non-technical means. Once a company is clued in to the fact they have a breach, the question becomes one of scoping the incident. For example:

  • What happened/is happening?

  • What systems are or may be affected?

  • What information did the intruder copy, change, or destroy? (violations of confidentiality, integrity, or availability)

  • When did the intruder first gain unauthorized access?

  • When was the last time the intruder accessed victim systems?

Most organizations are not collecting the NSM data they need to answer these questions. Is yours?
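As an added illustration (not part of the original post), the script below shows the minimum record a defender needs in order to answer the five questions above: it runs over constructed access-log lines that carry the authenticated user, client address, host and path, and reports the external sources, affected systems, accounts used, documents copied, and first and last access times. Host names, user names, addresses and paths are invented, and the internal address range is an assumption.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed access-log lines (not Niku's real data) in the shape:
#   <host> <client_ip> <authenticated_user> [<ISO timestamp>] "<method> <path>" <status> <bytes>
SAMPLE_LOG = """\
docs01 10.1.5.23 wleggett [2001-09-30T09:12:01] "GET /docs/roadmap.pdf" 200 48211
docs01 198.51.100.7 jsmith [2001-10-03T02:41:17] "GET /docs/pricing-2002.xls" 200 120334
docs01 198.51.100.7 jsmith [2001-10-03T02:42:05] "GET /docs/nike-proposal.doc" 200 99120
crm01 198.51.100.9 jsmith [2002-01-14T03:10:44] "GET /accounts/prospects.csv" 200 55812
docs01 10.1.5.23 wleggett [2002-03-02T11:02:10] "GET /docs/roadmap.pdf" 200 48211
crm01 198.51.100.9 jsmith [2002-07-19T04:55:31] "GET /accounts/nike.doc" 200 77001
docs01 198.51.100.7 jsmith [2002-07-19T04:58:02] "GET /docs/login-test.html" 404 0
"""

# Assumed corporate address space; anything outside it is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) \[(\S+)\] "(\S+) (\S+)" (\d{3}) (\d+)$')


def parse(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, ip, user, ts, method, path, status, size = m.groups()
        records.append({"host": host, "ip": ip_address(ip), "user": user,
                        "time": datetime.fromisoformat(ts), "method": method,
                        "path": path, "status": int(status), "bytes": int(size)})
    return records


def scope_incident(records):
    """Answer the scoping questions for successful (HTTP 200) reads from external addresses."""
    hits = [r for r in records if r["status"] == 200
            and not any(r["ip"] in net for net in INTERNAL_NETS)]
    if not hits:
        return None
    return {
        "access_count": len(hits),                              # how many times
        "sources": sorted({str(r["ip"]) for r in hits}),        # where from
        "affected_systems": sorted({r["host"] for r in hits}),  # which systems
        "accounts_used": sorted({r["user"] for r in hits}),     # whose credentials
        "documents_copied": sorted({r["path"] for r in hits}),  # what was copied
        "first_access": min(r["time"] for r in hits),           # when it began
        "last_access": max(r["time"] for r in hits),            # most recent access
    }
```

Without the user and path fields the same records would only say that an outside address talked to a web server, which is exactly the gap that lets an intrusion run for months.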

8 comments:

Anonymous said...

Article I read on this said they had a training web site with braindead usernames/pws and which (it would seem) was not separated adequately from their production data/systems.

Trevor said...

I'm not so sure that network security monitoring would have helped you here. Enterprise computing is moving everything to application level transactions. Most critical business information is already passed via HTTP/SSL/XML/SOAP. Many application attacks do not use a technique that would even produce an attack signature that could be seen by network level monitoring. Even if it did, you’d have to figure out how to get it decrypted for a second to look at it. But if you did, what would you see? HTTP traffic… GET’s, POST’s, I guess you could spot obvious SQL injections but what about subversion of application logic?

I’d be willing to bet that the intrusion here wouldn’t show up in an IDS or any other NSM tool. It would look like normal HTTP (or HTTPS) traffic. I guess you could spend TONS of time writing custom IDS rules to watch for improper application access… but wouldn’t the business be better off using that time (money) writing better applications and testing applications?

If someone broke into a company’s CRM software and stole sales information, business plans, etc... that just might end up being far more costly than if a cracker rooted Apache on the box and set up an IRC bot. NSM would catch the script kiddie and his bot, but not your competitor.

I think that NSM is still important to keep an eye on what you can. However I think that NSM must work with applications and correlate (ack!) information to spot malicious activity.

This type of thing is already being seen with Cisco's push into application (XML, SOA, etc.) products.

Anonymous said...

Agree with the anon poster. This isn't an IDS/IPS event. There's no way sales documents from the recent Nike meeting should have been available via any kind of Internet connected machine. Stealing is wrong in every case. Unfortunately for the victims, they could have avoided the entire problem by practicing some very basic security 101 principles like network segmentation and token-based VPNs for network access. Anyone who calls themselves a Chief Information Officer *should* have known better.

Anonymous said...

I think this story and the comments posted deserve a lot more discussion. I will try to keep my comments as brief as I can.

First of all, statements to the effect that NIDS or NSM simply doesn't work here are VERY common in my experience and unnecessarily restrict the scope of what the term NIDS can be applied to. There seems little recognition that application-level IDS have been envisioned, described, and implemented for many years -- just have a look at Dorothy Denning's 1987 paper, "An Intrusion-Detection Model" and note the scope of detection suggested around authenticated users. Even the application security experts are caught up in this thinking to the extent that they will also declare that "IDS doesn't work" [for intrusions via web apps] and then define a completely passive approach to detecting web app intrusions [literally a web-app IDS] to be something called a "web app firewall." This makes little sense to me because I believe a "web app IDS" and a "web app firewall" should be two different things with different capabilities.

Secondly, there is a legitimate difference in the levels of abstraction required for detection and monitoring of networks versus applications. If what characterizes good NSM is packet-level detection, traffic analysis, full packet capture, and TCP session flows then perhaps we need a term like ASM (application security monitoring) to characterize appropriate application-level detection, application analytics, full content capture, and application session flows (not TCP flows). Clearly this suggests a different set of tools from snort + sguil for example. In this regard, ASM does not need to be network-based though I think that is the best approach to achieve the goals. (As an aside, an ASM device deployed to defend a web application can generally decrypt SSL traffic.)

Thirdly, as to the earlier comment pointing out that this case suggests lax security on the part of the victims, well that is often the case with applications. In application security today there is a great deal of emphasis on preventing, discovering, and fixing common vulnerabilities seen in web apps. However, there is little emphasis on capabilities to detect intrusions, conduct incident response, or properly audit application usage. To quote Richard, "prevention eventually fails," and we still need to be able to answer the questions Richard posed, but we also need the right application-level and user-level tools to do so.

Anonymous said...

Well you are ALL wrong. Niku published their usernames and passwords in a WebEx meeting that was open to the public.

They published the URL to their server, a username and a password. Then, when logged in, a document listing the entire employee directory gave all the other usernames and passwords.

Still, the government prosecutes Business Engine for taking advantage of Niku's blundering. That should not have happened. By publishing their UN/PW's, they have forfeited any Trade Secret claims to their information, and then there is no case as the information downloaded was 'worthless'...