A Pleasant Surprise from Microsoft Security Newsletter

Posted in /etc/IT_security/news, /opt/risk_management, /root/IT Management on October 20th, 2009 by Rick Zhong

In an era when newsletters from vendors are almost the equivalent of spam emails, I am pleasantly surprised by the content of the Microsoft Security Newsletter - at least for this issue, volume 6, issue 10.

First of all, it is of the right length: no chunky, huge paragraphs, and with proper links - it is an absolute turn-off when you see something interesting and yet there are no links, or even worse, the content is restricted to certain groups. Next, related articles give interested readers the full picture of the tools and their relevant usage. For example, BinScope is introduced in this newsletter together with a how-to article (BinScope Binary Analyzer and Security Tip of the Month: Using BinScope Binary Analyzer to Improve Code Security). In the Business Security section, Andreas Wuchner speaks out the exact thought in my mind in “What I Look for When Hiring IT Security Staff”. It is a short, precise and very accurate summary of the reality of hiring IT security staff.

This is the 2nd time this week I have been impressed by Microsoft (the first was the Microsoft Security Development Lifecycle blog). Probably it’s time to get a copy of Windows 7 .. LOL


Business Process Security - The Layer-8 of Information Security Model

Posted in /home/research, /opt/risk_management, /root/IT Management on August 14th, 2009 by Rick Zhong

I can’t believe this is the first entry in my blog for the past 6 months, and we are more than half way through 2009. It has been … ‘busy’ … (err.. I tend not to use this word because everyone is busy and it’s not really justifiable given the very diverse scales of measurement ..) Anyway, I have been travelling around the Asia Pacific region, meeting people from very different cultural backgrounds, professions, ways of thinking and lifestyles. It is fun, although there is frustration, boredom and stress. That’s part and parcel of life anyway.

The only thing that triggered me to sit down and write this post is the inspiration from reading a couple of articles in one of the backlog ISACA Journals. In the “HelpSource Q&A” section, there is a question on how to fight phishing attacks against online banking applications. Although I have been dealing with process-level controls for the past year, the words “attacks”, “applications” and “phishing” just trigger the technical, geeky style of problem-solving thinking in me, and ideas of strong 2-factor authentication, SPF (Sender Policy Framework), gateway spam filtering etc. immediately come into the picture.

However, the very first key control suggested is to have a properly defined e-mail communication policy for both sending and receiving emails to and from customers. Subsequently the advice mentions a number of very good business process improvements which take fighting spam/phishing emails into consideration. A few small changes to a business process can easily mitigate a bunch of relevant security issues which technology alone finds difficult to tackle. It reminds me of those days when great amounts of effort and resources were spent on network-level controls in order to fight application-level security issues. Are we in the same situation nowadays, spending too much effort creating application-level or even information security process-level controls in order to tackle business process-level security issues?

I believe it’s time to introduce business process security into the information security model and make it a layer-8 practice. It is just like building security into the SDLC: we should build security into a business process from the very beginning. The thought of having a whole new paradigm in the information security model is really exciting. I am sure this will bring drastic changes to the infosec industry - probably soon we will see business process-level security penetration testing, business process hardening, etc.


DNS, DNS, still DNS

Posted in /etc/IT_security/news, /research/hacking_penetration on July 25th, 2008 by Rick Zhong

It’s probably the most [discussed, argued, rumoured ...] topic in the infosec field for the past few weeks. Starting from all the media hype of “largest synchronized internet security effort”, “most serious security vulnerability” etc. and tons of speculation on what exactly is wrong, just a couple of days ago the security researcher Halvar Flake revealed an educated guess (the exact term used by SecurityFocus) about this flaw, and H D Moore put up a POC exploit in Metasploit as well. For geeks who need more information, there are tons of materials on various mailing lists, forums and underground articles.

But for the man on the street, why so serious? Here is an interesting video from the researcher Dan Kaminsky, who discovered this vulnerability and is going to present the details at the coming BlackHat 2008 in Las Vegas.


Information Security in Virtual World

Posted in /etc/IT_security/news, /home/MMORPG, /home/research, /research/hacking_penetration on July 8th, 2008 by Rick Zhong

Recently we have seen rapid growth of information security topics in the virtual world, typically relating to MMORPGs, both good and bad. For example, World of Warcraft is getting bank-like security while game Trojans outscore the Storm worm. It has been almost a year since I kicked off my part-time hobby research project on MMORPG security. The progress is rather slow, but I am really enjoying the exploration process. It’s really amazing to witness the evolution of all the virtual worlds. Here are a couple of MMORPG security discussion topics I have raised among the local infosecurity interest groups.

Based on the current trend, more and more MMORPGs are no longer “games”; they have become a special type of social community. There is a newly published research survey from CNNIC (China Network Information Centre). The majority of users consider the virtual world a community and have a sense of identity and belonging.

Fig 1. The meaning of an MMORPG to users

Fig 2. What are the factors of an MMORPG most valued by the users

This change in users’ perception of MMORPGs also reflects the growing importance of information protection in the virtual world and reminds the gaming industry to take it very seriously.


Security Leadership - Communication Skills

Posted in /root/IT Management on June 21st, 2008 by Rick Zhong

Information security is critical to the financial industry, and yet it is not a revenue-generating function - not the core business process. This complex relationship between information security and the business puts security leaders in a position requiring significant communication skills. Here is a very good article from www.csoonline.com and a few lines which are particularly true for information security professionals in the financial industry.

  1. Sensitivity to the audience and its context is a cornerstone of excellent communication.
  2. Companies are no longer willing to forgive a lack of excellent communication skills.
  3. In short, when a company says it’s looking for a security executive, it’s seeking someone with the same business skills as any other departmental leader in the organization, who also just happens to know how to prevent, identify and thwart threats to that company and its employees.
  4. Security people tend to focus on what could go wrong and how to avoid it. This is often not only off the radar for many businesspeople, but it is often demoralizing and can tend to get tuned out. “When you just talk about bad things, and bad things don’t happen, you just lose your credibility.”

The full article: Security and Business - Communication 101


Eve-online Client Source Code Leaked, but “No Risk” According to CCP

Posted in /etc/IT_security/news, /home/MMORPG on May 19th, 2008 by Rick Zhong

Crowd Control Productions (CCP) has had its Eve Online client code hacked and mass-distributed via torrent. Here’s the official CCP statement on the incident:

We are aware that an individual claims to have access to the source code of the EVE client, but this access is not a security risk to CCP or our customers in any way. The Python scripting language that is used by the client can be easily decompiled to generate readable code, and we have designed our server-side systems with that understanding. Therefore, there is no reason to believe that the code was leaked by an employee and our internal investigations confirm that.

Access to the source code for the EVE client exposes no security vulnerabilities, has no privacy protection issues, and poses no threat to our customers’ billing information. The server-side interface used by the client is carefully protected to ensure that no abusive or unwanted information is transmitted to or from the EVE system.

Nothing the EVE client can do can affect the game state, a manipulated EVE client cannot affect the server, no advantageous or disadvantageous information can be transmitted to other EVE users by altering the EVE client. The EVE client is signed with a security certificate registered to CCP. Hashes are available on our web site for those who wish to ensure the integrity of EVE client download files they may have received from a source other than direct download from CCP’s web site.

Finally, there have been no mass bannings, as reported in some news articles, though we do remove all message board posts regarding violations of our EULA and Terms of Service as per standard policy and procedures. We consider any alterations of the client software, including decompilation, or discussions thereof, to represent such a violation.

Let’s just cross our fingers and pray that EVE Online was truly developed with server-side security in mind and follows the principle of “whatever the client submits is unreliable”.
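To make that principle concrete, here is an added example (my own illustration, not CCP’s code or a description of EVE’s actual server) of what “whatever the client submits is unreliable” looks like on the server side, plus the download-integrity check the statement alludes to when it mentions published hashes. The ship, price and message field names are hypothetical. The server keeps the authoritative state, re-derives every outcome from it, ignores any value the client merely claims (such as a price), and logs rejected requests so that a tampered client shows up in monitoring rather than in the game economy.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass, field

# Constructed sample state: a tiny authoritative server model (hypothetical
# names; not CCP's design). The server, never the client, owns the facts.
@dataclass
class Ship:
    owner: str
    position: tuple            # (x, y) in arbitrary map units
    max_speed: float           # maximum distance allowed per move request
    cargo: dict = field(default_factory=dict)  # item -> quantity


class GameServer:
    """Treats every client message as an untrusted claim and re-derives
    outcomes from server-held state."""

    def __init__(self):
        self.ships = {}
        self.prices = {}       # authoritative item prices, held server-side
        self.wallets = {}      # user -> balance
        self.audit = []        # rejected requests, for detection/alerting

    def _reject(self, user, action, reason):
        self.audit.append((user, action, reason))
        return {"ok": False, "reason": reason}

    def handle_move(self, session_user, msg):
        """Client asks to move a ship to a target; the server checks ownership
        (from the authenticated session, not the message) and movement limits
        instead of accepting a client-reported position."""
        ship = self.ships.get(msg.get("ship"))
        if ship is None or ship.owner != session_user:
            return self._reject(session_user, "move", "not owner of ship")
        try:
            tx, ty = float(msg["x"]), float(msg["y"])
        except (KeyError, TypeError, ValueError):
            return self._reject(session_user, "move", "malformed target")
        if not (math.isfinite(tx) and math.isfinite(ty)):
            return self._reject(session_user, "move", "malformed target")
        dist = math.hypot(tx - ship.position[0], ty - ship.position[1])
        if dist > ship.max_speed:
            return self._reject(session_user, "move", "exceeds max speed")
        ship.position = (tx, ty)
        return {"ok": True, "position": ship.position}

    def handle_sell(self, session_user, msg):
        """Client sells cargo. Any price the client includes is ignored; the
        server looks the price up itself and checks the cargo really exists."""
        ship = self.ships.get(msg.get("ship"))
        if ship is None or ship.owner != session_user:
            return self._reject(session_user, "sell", "not owner of ship")
        item, qty = msg.get("item"), msg.get("qty")
        if item not in self.prices:
            return self._reject(session_user, "sell", "unknown item")
        if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
            return self._reject(session_user, "sell", "invalid quantity")
        if qty > ship.cargo.get(item, 0):
            return self._reject(session_user, "sell", "insufficient cargo")
        proceeds = self.prices[item] * qty   # server price, never msg["price"]
        ship.cargo[item] -= qty
        self.wallets[session_user] = self.wallets.get(session_user, 0) + proceeds
        return {"ok": True, "proceeds": proceeds}


def verify_download(data: bytes, published_sha256: str) -> bool:
    """Compare a downloaded client file against a SHA-256 published by the
    vendor out-of-band (constant-time compare, case-insensitive hex)."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, published_sha256.strip().lower())


def demo():
    """Constructed walk-through: one legitimate move, then the kinds of
    requests the server must not trust (teleport, foreign ship, client-
    supplied price, negative or excessive quantity)."""
    srv = GameServer()
    srv.ships["ship-1"] = Ship(owner="alice", position=(0.0, 0.0),
                               max_speed=10.0, cargo={"ore": 5})
    srv.prices["ore"] = 3
    results = {
        "legit_move": srv.handle_move("alice", {"ship": "ship-1", "x": 6, "y": 8}),
        "teleport": srv.handle_move("alice", {"ship": "ship-1", "x": 5000, "y": 0}),
        "not_owner": srv.handle_move("mallory", {"ship": "ship-1", "x": 7, "y": 8}),
        "claimed_price": srv.handle_sell("alice", {"ship": "ship-1", "item": "ore",
                                                  "qty": 2, "price": 1_000_000}),
        "negative_qty": srv.handle_sell("alice", {"ship": "ship-1", "item": "ore",
                                                 "qty": -50}),
        "too_many": srv.handle_sell("alice", {"ship": "ship-1", "item": "ore",
                                             "qty": 99}),
    }
    results["wallet"] = srv.wallets.get("alice", 0)
    results["rejections"] = len(srv.audit)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The design point is that the client is only a view and an input device: the session, not the message, says who the user is; the server's own state says where the ship is and what ore is worth; and every rejection lands in an audit list that a detection pipeline can alert on when one account starts producing implausible requests.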
