June 28, 2007 | Comments: (0)
How to catch a spy or insider threat
The Office of the National Counterintelligence Executive (ONCIX) -- part of the federal government's Office of the Director of National Intelligence -- has released a set of guidelines meant to help agencies identify potential insider threats to information security, including spies.
The ONCIX -- which is led by Joel F. Brenner, the United States National Counterintelligence Executive and Mission Manager for Counterintelligence -- said that it produced the guide to help government workers understand their responsibilities for reporting "suitability issues and potential espionage indicators" in their colleagues' behavior patterns.
While the list of suspicious acts is no panacea for ferreting out government workers who may be involved in some form of espionage or IT attack, the agency said it believes that by watching for the warning signs of inappropriate activity, government employees can help deter some potential threats to national security.
"There is no established formula for recognizing that someone is involved in espionage; this much can be seen even in a brief review of many of the espionage cases against the United States, which have occurred over past years," the ONCIX said in a foreword to its guide. "However, certain situational factors or suitability issues can make an individual predisposed to volunteer to spy or vulnerable to exploitation by foreign intelligence officers."
According to the government's research, most known American spies (roughly 80 percent) demonstrated one or more of the listed conditions or behaviors of security concern before they engaged in espionage.
"Reporting suitability issues is a protective or preventive measure that can help to head-off a developing problem that could lead to spying for a foreign government," the report reads. "While reports of behaviors of security concern or personal crises by co-workers have led to the apprehension of some American spies, reluctance to report these issues has also allowed other spies to persist in their crimes."
The ONCIX further stated that government researchers have deduced that one-third of all espionage carried out against the U.S. since 1945 was executed by individuals with security clearances who worked in either the intelligence or communications fields.
"In many cases of insider espionage, an individual's colleagues or friends did not act on indicators and the case went on for longer than necessary," the guide contends.
Among the behavior patterns it warns employees to watch out for are so-called "suitability issues," or evidence of personal problems outside of the workplace.
Those include:
-Drug or alcohol abuse.
-Repeated irresponsibility.
-An "above the rules" attitude.
-Financial irresponsibility.
-Repeated impulsive behaviors.
-Extreme immaturity.
-Willingness to violate the rights of others to achieve one’s own ends.
-Accumulating or overwhelming life crises or career disappointments.
-Willingness to break rules or violations of laws and regulations.
In terms of "potential espionage indicators," the report lists:
-Unexplained affluence.
-Failing to report overseas travel.
-Showing unusual interest in information outside the job scope.
-Keeping unusual work hours.
-Taking classified material home.
-Unreported or concealed contacts with foreign nationals.
-Unreported contact with foreign government, military, or intelligence officials.
-Attempting to gain new accesses without the need to know.
-Unexplained absences.
Such actions are to be considered particularly questionable for people who have access to classified data, according to the report.
In the arena of misuse of classified information and computers, the document advises readers to beware of people who violate the need-to-know principle commonly espoused in the federal sector, or who repeatedly make inquiries about "operations and projects to which they no longer have access."
Among the specific acts it lists as cause for concern in the area of mishandling information are:
-Revelations to unauthorized persons.
-Leaks to media. (Boo, hiss….)
-Unauthorized contact with media.
-Unauthorized removals, including magnetic media.
-Collecting/storing classified material outside approved facilities.
-Lax security habits that resist management counseling.
-Statements or actions that demonstrate an individual believes that the rules do not apply to him/her.
The report specifically warns workers to look out for activity such as discussing classified information on non-secure phones, improperly securing classified information or areas, and working on classified material at home. (Hello VA data breach!)
In the area of misusing computers the guide lists sins including:
-Accessing databases without authorization.
-Unauthorized searching/browsing through computer libraries.
-Unauthorized purposeful destruction of information on agency computers.
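Two of the indicators above, access outside a person's need to know and activity at unusual hours, are the ones an access log can actually surface. The script below is an added example, not part of the ONCIX guide: it reads constructed audit-log lines, flags reads against projects a user is not cleared for and events outside business hours, and scores each user by how many indicators they trip. The log format, the scope table and the business-hours window are assumptions.

```python
"""Flag audit-log events matching two ONCIX indicators: access outside the
user's need-to-know scope and activity at unusual hours. Added example; the
log format, ACCESS_SCOPE table and BUSINESS_HOURS window are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp,user,action,resource" (not real data).
SAMPLE_LOG = """\
2007-06-27T09:12:00,alice,read,project-alpha/plan.doc
2007-06-27T22:47:00,alice,read,project-beta/budget.xls
2007-06-27T23:05:00,alice,search,project-beta/
2007-06-27T10:30:00,bob,read,project-beta/budget.xls
2007-06-28T02:15:00,bob,read,project-beta/notes.txt
2007-06-28T11:00:00,carol,read,project-gamma/roster.doc
"""

# Assumed need-to-know table: project prefixes each user is cleared for.
ACCESS_SCOPE = {
    "alice": {"project-alpha"},
    "bob": {"project-beta"},
    "carol": {"project-gamma"},
}

# Assumed business hours on a 24h clock: start inclusive, end exclusive.
BUSINESS_HOURS = (7, 19)


def parse_log(text):
    """Turn the CSV-style lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, resource = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "resource": resource,
        })
    return events


def scope_violations(events, scope=ACCESS_SCOPE):
    """Events that touch a project the user is not cleared for."""
    hits = []
    for e in events:
        project = e["resource"].split("/", 1)[0]
        if project not in scope.get(e["user"], set()):
            hits.append(e)
    return hits


def off_hours_events(events, hours=BUSINESS_HOURS):
    """Events whose hour falls outside the business-hours window."""
    start, end = hours
    return [e for e in events if not (start <= e["ts"].hour < end)]


def score_users(events):
    """Map each user to the sorted list of indicators they tripped."""
    indicators = defaultdict(set)
    for e in scope_violations(events):
        indicators[e["user"]].add("outside-need-to-know")
    for e in off_hours_events(events):
        indicators[e["user"]].add("unusual-hours")
    return {user: sorted(found) for user, found in indicators.items()}


if __name__ == "__main__":
    for user, found in score_users(parse_log(SAMPLE_LOG)).items():
        print(user, found)
```

On the constructed sample, alice trips both indicators (late-night reads of a project she is not cleared for), bob trips only the unusual-hours check, and carol trips neither. The point of scoring on the combination is the guide's own: a single late night is noise, while off-hours access to data outside one's scope is the pattern worth reporting.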
Posted by Matt Hines on June 28, 2007 01:53 PM
June 26, 2007 | Comments: (0)
Security guru Clarke: safe networks don't exist
Remember that '80s classic War Games? You know, the one with Matthew Broderick and Ally Sheedy about a California teen who hacks into a Pentagon war simulation computer called WOPR (for War Operation Plan Response)? Well, former White House cyber-security expert Richard A. Clarke told a gathering of enterprise executives and data protection specialists that they should load it up in their Netflix queue and watch it...very carefully. Why? Because the movie gives a good depiction of how porous most enterprise networks are these days, Clarke said.
Speaking to the assembled crowd at the ongoing InfoWorld Enterprise Data Protection Forum in New York, Clarke said that IT leaders have to accept the fact that their IT systems are being infiltrated -- no matter how well they are being defended -- even if they can't yet detect the means by which they're currently being hacked.
Clarke said that his years in the federal sector convinced him that there is no such thing as an IT network that cannot be penetrated by outsiders or manipulated by insiders.
Clarke said that after he showed military leaders at the Pentagon during the 1990s that their most valuable systems were being violated, and convinced the government to adopt early intrusion detection systems (IDS), the problem only grew more severe.
"If you're on a network, someone can get in, no matter how much you spend on firewalls and intrusion detection systems, if you're connected to the Internet someone can get in," Clarke said. "I used to have a hope that all we had to do was come up with the perfect architecture and the best series of best practices and force government agencies to adopt it; it's been proven to me that no network is secure, there are amazing and surprising ways to get onto any type of network."
"All of the information on your network is available to someone who wants it or is willing to pay the price for it, even if there is no evidence they can do it," he said. "That's hard to prove but I think it's true."
Clarke said that the data breaches that get reported publicly are merely the "tip of the iceberg," with many more happening without even being noticed by the firms being victimized.
He encouraged chief information security officers (CISOs) and other security workers to go to extreme lengths to show business leaders that they are not sufficiently protected by most technologies available today, no matter how much money they've spent.
(Among the teaching tools Clarke recommended were his own novel "Breakpoint" and a newly re-released version of the 1980s computer hacking/sci-fi classic "War Games," to which he contributed a new introductory segment.)
Clarke said that going to any length available to demonstrate the porous nature of today's technologies will help security workers gain the attention and budgets they need, provided those efforts succeed in convincing the business of how dire the data security problem has become.
"There's a need to find non-traditional ways of telling the story to your CEO, CFO, and the board about what a data breach means, that it is going on even if you can't prove it, that the most valuable information on your network is getting to your competition," said Clarke. "When they are convinced, have a solution kit in pocket of what you need and want them to do; encrypt data on the network, encrypt e-mail, encrypt data at rest, and use egress filtering as a belt-and-suspenders approach; have some sort of role-based two-factor authentication."
"Otherwise, tell them they will end up not knowing when this happens and that they are becoming a victim of what I'm convinced is going on, on any corporate network of significant value," he said.
"Don't tell business leaders that you can solve the problem, that you can make the network completely secure," said Clarke. "That's not true, whether or not you can persuade people it's true, you shouldn't try, because someday somebody will see through it."
"If you're simply trying to protect endpoints, there will still be a breach on your network," he said. "The message has to be - 'we'll try to secure the network, but never fully succeed;' we need to start securing what's on the network."
"Not everything is equally important," said the expert. "Not everything on the network is as important as everything else, there is a point of diminishing returns; begin protection with what is important, even though the cost of encrypting everything is still fairly minimal."
Posted by Matt Hines on June 26, 2007 10:48 AM
June 25, 2007 | Comments: (0)
Mobile hacker gets sacked
Spanish authorities are reporting the arrest of a hacker believed to be responsible for creating several well-known threats designed to attack mobile devices.
According to a statement released by Spanish police (and passed along by researchers at security software maker Sophos), authorities in Valencia have taken a 28-year-old man into custody after a seven-month investigation into mobile malware attacks.
The individual, whose name has not been released, is being held on suspicion of creating the Cabir and Commwarrior worms, which targeted wireless devices running the Symbian OS.
Spanish police estimated that as many as 150,000 phones were eventually infected with the threats.
Alas, love appears to have played a role in the ingenious hacker's downfall: part of the manner in which he was identified was the repeated use of the name "Leslie" in his malware code -- purportedly the name of his fiancé.
While mobile viruses are still considered to be far less prevalent than desktop computer threats -- with Cabir and Commwarrior among the few attacks that have actually been discovered and publicized by security experts -- researchers contend that the hacks will become far more prevalent in the coming years, especially as more powerful handhelds such as smartphones gain adoption, along with wireless-based payment systems, and users subsequently carry more valuable data on the devices.
In a 2007 survey conducted by Sophos, some 81 percent of business IT administrators said they were nervous that malware and spyware aimed at attacking mobile devices would become a significant threat in the future. Some 64 percent reported that they currently have no technology in place specifically aimed at defending smartphones or PDAs.
"The concept of mobile viruses is very real. As most mobile devices connect via the desktop to network computers for syncing purposes, these viruses present a very dangerous risk to the network as a whole," Ron O’Brien, senior security analyst for Boston-based Sophos, said in an e-mail.
Perhaps unsurprisingly, and in light of the fact that desktop threats remain a much bigger problem, Sophos is recommending that customers buy into integrated security applications that offer extended protection for mobile devices -- such as the one that it currently markets.
Despite a lack of well-known mobile threats, some experts have said that as more end users adopt devices that run on the same operating systems -- versus the hodge-podge of smartphone OS software on the market today -- there inevitably will be more attacks leveled at the handhelds.
"As the addressable market for smartphones expands, there will be more attacks, as malware activity always moves to the areas of greatest impact, but the activity isn't comparable to the desktop today," said Jan Volzke, head of marketing for Mobile Security at San Jose, Calif.-based McAfee. "The number of operating systems in use today has likely had an effect on slowing attacks, as there is no single platform to write malware code to."
Posted by Matt Hines on June 25, 2007 09:03 AM
June 21, 2007 | Comments: (0)
Nasty malware toolkit making the rounds
Security researchers at VeriSign are tracking the emergence of a dangerous malware development kit being sold on the Russian underground that is being used to level many different types of threats at unprotected computers.
Dubbed MPack, the kit -- which is trading hands for roughly $1,000 -- is empowering stealthy malware attacks on Web browser vulnerabilities, and claiming roughly a 50 percent success rate, according to Ken Dunham, senior engineer and director of the Rapid Response Team in VeriSign's iDefense security unit.
Dunham said in an e-mail that MPack is using multiple exploits "in a very controlled manner" to infect vulnerable computers.
Among the specific exploits that the MPack kit is using to assault end user machines are those that attack the Windows animated cursor (ANI) flaw, WinZip ActiveX overflow problem, and issues in QuickTime multimedia framework -- which was originally authored by Apple. The malware package is also being used to assault a range of additional security vulnerabilities already identified and patched by Microsoft.
Dunham said that VeriSign has observed the MPack kit being sold by an individual operating on the Russian malware scene known as "$ash" who has also been offering a so-called "loader" version of the code -- used to deliver executable files -- for $300. In his marketing materials, $ash is claiming that attacks using the kit are 45-50 percent successful.
VeriSign reports that threats derived from MPack -- which researchers have also dubbed WebAttacker II -- date back as far as Oct. 2006 and have accounted for as much as 10 percent of all recent Web-based exploits.
The company contends that over 10,000 Web domains were used to refer victims in a recent MPack attack that was aimed largely at users in Italy and affected as many as 80,000 unique IP addresses.
"It is likely that cPanel exploitation took place on host provider leading to injected iFrames on domains hosted on the server," Dunham writes. "When a legitimate page with a hostile iFrame is loaded the tool silently redirects the victim in an iFrame to an exploit page crafted by MPack. This exploit page, in a very controlled manner, executes exploits until exploitation is successful, and then installs malicious code of the attacker's choice."
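The injection Dunham describes leaves a detectable trace on the compromised legitimate page: an iframe that is hidden or sized to a pixel or two and whose source points at a host other than the page's own. The following is an added example (not VeriSign's tooling or part of the report) that scans an HTML document for exactly that pattern. The sample page, the attacker hostname and the pixel threshold are constructed for the example.

```python
"""Find injected iframes of the kind MPack attacks used: hidden or near-zero
size frames whose src points off-site. Added example; the sample page, hosts
and the size threshold are constructed, not from the VeriSign report."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse a width/height attribute like '1' or '0px'; None for '100%' etc."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value)
    return int(m.group(1)) if m else None


def is_hidden(attrs, max_px=2):
    """True if the frame is styled invisible or is at most max_px on a side."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
    return (w is not None and w <= max_px) or (h is not None and h <= max_px)


def suspicious_iframes(html, page_host):
    """Return src URLs of iframes that are hidden and point to another host."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for frame in collector.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname
        if host and host != page_host and is_hidden(frame):
            hits.append(src)
    return hits


# Constructed sample: a legitimate page with one injected, hidden 1x1 frame.
SAMPLE_PAGE = """
<html><body>
<h1>Welcome</h1>
<iframe src="http://example.com/help" width="400" height="300"></iframe>
<iframe src="http://attacker.invalid/in.php" width="1" height="1" style="display:none"></iframe>
<iframe src="http://example.com/ad" width="1" height="1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    print(suspicious_iframes(SAMPLE_PAGE, "example.com"))
```

Run against a site's own pages with its hostname, the scan reports only the off-site hidden frame; a same-site 1x1 frame (a tracking pixel, say) is left alone. Obfuscated injections that build the iframe with JavaScript will not show up in static HTML and need the rendered DOM instead.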
The VeriSign security researcher said that MPack attacks have indeed been very successful, according to the log files the company has reviewed. The threats recently victimized over 2,000 new machines in a period of only several hours according to its analysis of a command and control (CNC) Web site associated with the threats, Dunham said.
MPack reports successful infections back to its operators through a CNC Web interface, the researcher said.
One of the payloads being served up in MPack-driven attacks is the Torpig spyware program. VeriSign associates that threat with a hacker group known as the Russian Business Network (RBN), which Dunham labeled as "one of the most notorious criminal groups on the Internet today."
The company has observed MPack attacks installing Torpig malware code that was hosted on what it has identified as an RBN-controlled server.
"RBN is closely tied to multiple attacks including Step57.info cPanel exploitation, VML, phishing, child pornography, Torpig, Rustock, and many other criminal attacks to date," Dunham writes. "Nothing good ever comes out of the Russian Business Network net block."
The researcher said that RBN, based in Saint Petersburg, Russia, represents "a virtual safe house for attacks," and indicated that the group is also responsible for distributing phishing attacks and child pornography.
Posted by Matt Hines on June 21, 2007 12:51 PM
June 18, 2007 | Comments: (0)
RSA: Encryption plugging wireless security leaks
According to a new report published by EMC's security business unit -- RSA -- more companies are adopting wireless encryption and successfully defending their airborne networks.
Based on an experiment carried out by an unnamed independent security firm hired by RSA to look for unprotected wireless networks in major financial hubs (New York, London and Paris), the security company said the test found fewer open access points from which business data could be easily scooped than it has discovered in its previous tests.
(RSA said the experiment was carried out using a laptop and commercial software that was set to search for both broadcasting and non-broadcasting access points in the 802.11a, b and g bands. When networks were detected, the software identified the channel and service set identifier (SSID) before disconnecting from the source. The company said the software it used had no way of capturing or retaining the data content on any of the networks it scanned.)
According to the test, the largest year-over-year increase in sheer wireless network usage was found in London, where there were 160 percent more access points transmitting in 2007 than it found in similar experiments in 2006.
Wireless network use in New York jumped by a sizeable 49 percent, while in Paris it rose by 44 percent.
In terms of growth of wireless access points under use by businesses, RSA said that London also had the most significant increase, with a 180 percent gain over 2006, compared to an increase of 57 percent in New York, and 45 percent in Paris.
The key security measure for any network discovered in the test was whether it used either advanced encryption or Wired Equivalent Privacy (WEP).
According to RSA, London experienced a "notable improvement" in securing business wireless networks over the last year, with 81 percent of corporate access points armed with some form of encryption, compared to 74 percent in 2006.
However, the wireless security gains in New York and Paris were less dramatic, RSA reported. In New York, some 76 percent of wireless networks were protected using encryption, compared to 75 percent one year ago. In Paris, roughly 80 percent of networks were encrypted, compared to 78 percent in 2006.
While there are well-known concerns with the overall security of WEP (namely that it has been cracked by hackers and researchers alike), RSA said the increased use of any type of encryption should be viewed as encouraging as it makes it look like businesses are finally "getting it."
Across all three cities, the experiment also found evidence of growing use of advanced encryption, based on the number of networks it found protected by 802.11i and Wi-Fi Protected Access (WPA) systems.
In London, some 48 percent of the secured wireless business access points RSA detected were using advanced forms of encryption, and in New York roughly 49 percent were similarly protected. In Paris, only 41 percent of the access points scanned in the experiment used any form of advanced encryption.
The test equipment also recorded the number of wireless networks it found that were still configured according to default, using out-of-the-box settings that can make such access points far more susceptible to attack.
According to the test results, in London some 30 percent of wireless access points used default settings, against 22 percent discovered in 2006. In New York, 24 percent of access points were found to use default settings, down from 28 percent in 2006. In Paris, some 13 percent of access points had default settings enabled, down from 21 percent last year.
Another risk vector included in the experiment was public Wi-Fi hotspots, seen as an increasingly strategic venue for hackers to ply their trade, as otherwise well-protected business users may forget themselves and log on unprotected while buying a cup of coffee or sitting in an airport.
RSA said that the sheer number of Wi-Fi hotspots has increased noticeably. In 2006, the company found 364 public wireless access points in London, compared to 461 in 2007, a 27 percent increase. In New York the annual growth rate was 17 percent, and 15 percent of all wireless access points were found to be hotspots -- the highest percentage across the three cities. In Paris, the volume of hotspots increased 37 percent and represented 11 percent of all access points.
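What the survey's categories rest on is a handful of fields any passive scanner records: the privacy capability bit (set whenever encryption is on), and whether the beacon carries a WPA information element, an RSN (802.11i/WPA2) element, or neither, which leaves WEP. The script below is an added example, not RSA's tooling: it classifies constructed scan records into open, WEP, WPA and 802.11i, flags out-of-the-box SSIDs, and produces the same kind of percentages the report quotes. The record layout and the list of default SSIDs are assumptions.

```python
"""Classify scanned access points as open / WEP / WPA / 802.11i, flag default
SSIDs, and tally survey-style percentages. Added example; the scan records,
field layout and DEFAULT_SSIDS list are assumptions, not RSA's methodology."""
from collections import Counter

# Constructed scan records: (ssid, privacy_bit, wpa_ie_present, rsn_ie_present).
# privacy_bit alone, with no WPA or RSN information element, means WEP.
SAMPLE_SCAN = [
    ("linksys", False, False, False),
    ("corp-finance", True, False, True),
    ("NETGEAR", True, False, False),
    ("guest-lobby", True, True, False),
    ("trading-floor", True, False, True),
    ("default", False, False, False),
]

# Assumed list of vendor out-of-the-box SSIDs (compared case-insensitively).
DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink", "wireless"}


def classify(privacy, wpa, rsn):
    """Strongest protection advertised by the beacon, checked best-first."""
    if rsn:
        return "802.11i"
    if wpa:
        return "WPA"
    if privacy:
        return "WEP"
    return "open"


def pct(numerator, denominator):
    """Whole-number percentage; 0 when there is nothing to divide by."""
    return round(100.0 * numerator / denominator) if denominator else 0


def summarize(scan):
    """Return counts and the percentages the survey reports."""
    kinds = Counter(classify(p, w, r) for _, p, w, r in scan)
    total = len(scan)
    encrypted = total - kinds["open"]
    advanced = kinds["WPA"] + kinds["802.11i"]
    defaults = sum(1 for ssid, *_ in scan if ssid.lower() in DEFAULT_SSIDS)
    return {
        "total": total,
        "pct_encrypted": pct(encrypted, total),
        "pct_advanced_of_encrypted": pct(advanced, encrypted),
        "pct_default_ssid": pct(defaults, total),
        "by_kind": dict(kinds),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SCAN).items():
        print(f"{key}: {value}")
```

Note the ordering in classify: an access point advertising both WPA and RSN elements is counted under 802.11i, since that is what a modern client will negotiate. A default SSID with encryption on is still flagged, because the SSID is a cheap signal that the rest of the configuration was never touched either.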
Overall, the wireless security outlook is improving said Toffer Winslow, vice president of product marketing at RSA, but there is still a learning curve for business users who are adopting wireless into their workdays.
"Some might say that since WEP has been defeated so publicly it hardly qualifies as secure access anymore, but when you consider that about 25 percent of all business access points are using no form of encryption, it's a start," Winslow said. "The good news is that we are seeing a decent number of companies using WPA or 802.11a, but there are still a shocking number of unprotected networks out there."
Just as wireless access remains nascent, so does the adoption of protection for the systems, said the expert.
"Often times the people putting these things up are not very sophisticated about managing security, that's why you see so many access points with out-of-the-box settings, people broadcast the SSID without knowing the implications," he said. "However, as we have learned in other areas of security, it will likely only take a few high-profile incidents where wireless is the entry point to convince some of the less sophisticated users to get savvier about protecting themselves."
Posted by Matt Hines on June 18, 2007 12:04 PM
June 14, 2007 | Comments: (0)
CSIA backs national data breach laws
When I had the chance to question Massachusetts Attorney General Martha Coakley about the debate over whether it should be individual states or the federal government who create and enforce consumer data protection and breach reporting laws, she sort of straddled both sides of the argument.
While Coakley clearly indicated that she wished the feds would get their act together and pass stricter laws that established national guidelines that address the issues -- as many business leaders have called for -- she also pointed out that any law that essentially strips states' abilities to exercise their own legislation wouldn't be in anyone's best interest.
"We need to revisit what the fed has or hasn't done. As AGs have stepped into consumer protection issues, most of us have felt that if the fed was doing its job we wouldn't be as organized," Coakley said at the Authentication and Online Trust Alliance (AOTA) Summit 2007 in Boston in mid-April. "Many people believe that we shouldn't need to go state-by-state, but we don't want federal pre-emption that abdicates the state's ability to do anything."
Despite the fact that Coakley's comments echo those of many other concerned parties, including experts at the Electronic Privacy Information Center (EPIC) and other industry watchdogs who would prefer to see states retain the power to dictate data-handling and breach reporting requirements, some advocates remain in favor of more powerful national laws -- including the Cyber Security Industry Alliance (CSIA).
The CSIA -- an advocacy group "dedicated to ensuring the privacy, reliability and integrity of information systems through public policy, technology, education and awareness" -- maintains that consumers will be better served if federal lawmakers move forward and create national breach reporting requirements.
"Consumers need to have a consistent experience about receiving a notice and how they are told about whether their data is likely to have been misappropriated as a result of a data theft or some other form of loss," said Geoff Gray, a legislative consultant for CSIA, which counts CA, F-Secure, IBM, PGP, Symantec and Vontu among its members.
"People need to know whether the data involved was encrypted or usable, if it was merely lost, or if it was stolen by sophisticated criminals," said Gray. "They need to know that, depending on where they live, that any notification they receive has the same meaning as a notice received in another location."
Gray said that CSIA's members feel that the uniformity of such federal legislation would vastly improve the situation for companies that operate in multiple states, or Web-based players such as e-commerce shopping sites.
"Our constituency is all for setting clearer consumer expectations, and for the private sector and government to implement these requirements," said Gray. "However, the government also needs to be conscious of giving companies a roadmap to compliance with any laws it passes; in the end we want a safer environment where people are not afraid and can do business online with more confidence that their information is being protected."
While Gray said that states should play a significant role in helping to apply any national laws, he indicated that CSIA believes that any form of legislation that dictates oversight of the Internet, and e-commerce in particular, should be left to federal lawmakers.
"Clearly this is a fed-related issue to me, the Internet is a uniquely national and global system, and the burden of primary enforcement has to fall on fed and other nations' governments," said Gray. "The federal government needs to devote more resources to this problem, and we believe that it is critical for this issue to be a priority; e-commerce is the future, and if people are afraid that data won't be protected, they will shy away from doing business online."
Posted by Matt Hines on June 14, 2007 11:46 AM
June 13, 2007 | Comments: (0)
SonicWall buying Aventail
Network security specialist SonicWall announced a deal to buy out SSL VPN appliance maker Aventail for $25 million in cash on June 13.
Expected to close in July 2007, the companies pitched the deal as a transaction that "brings together complementary technologies to serve a broader customer set."
The deal validates what many industry analysts have been predicting in terms of continued consolidation in the network security space, with Aventail's remote access hardware fitting in alongside SonicWall's UTM, e-mail and content filtering devices.
SonicWall also makes its own SSL VPN appliances.
By combining the two firms' remote access product lines, SonicWall executives said that they will now be able to target more enterprise customers, as its own VPNs had been aimed primarily at the SMB set.
"The Aventail acquisition is an important step in our growth strategy. We will compete more effectively in the remote access space, building on complementary elements in our two organizations, and offer new solutions that enhance our relevance for today's dynamic enterprise," Matthew Medeiros, president and CEO at SonicWall, said in a statement. "The addition of Aventail's capabilities significantly advances our ability to serve the evolving needs of [customers]. We will continue our investment in leadership across all price points of the SSL VPN space."
Evan Kaplan, Aventail's president and CEO, called the deal "an exciting move," and praised the ability for his company to expand its customer base as a result of being acquired. Both companies also stressed new channel opportunities that will result from the cross-fertilization of their respective distribution partners.
"SonicWall has a strong history of innovation and a successful go-to-market strategy through its worldwide channel, which offers a wide variety of products relevant to Aventail’s customers and channel partners," said Kaplan in a news release. "Our combined product sets and expertise offer great potential for future cross-development and growth."
The companies said that SonicWall plans to augment the current feature sets of both providers' products in the near future.
Posted by Matt Hines on June 13, 2007 12:47 PM
June 12, 2007 | Comments: (0)
Spyware for your cell phone
Who said that wireless devices can't be easily hacked?
Well, maybe it's still not that easy to drop spyware on a stranger's cell phone, but apparently it's not quite as difficult to sneak a peek at whatever it is that your child, spouse or employee -- or anyone else who is dense enough to pass you their phone for a few minutes -- has been up to on their handheld.
A Taiwanese company named Vervata released a new version of a program named FlexiSPY on June 12 that promises the ability for people to track a wide range of usage details on BlackBerry, Windows Mobile and Nokia Series 60 phones, among many other models.
Unlike computer-borne spyware or most real-world computing hacks, the system can only be installed by someone who has physical access to a device -- but the implications are pretty scary and give you an idea of what types of spying mobile malware may be capable of someday soon.
Among the many capabilities of the program -- advertised as a legitimate product for use by concerned parents, jilted lovers or suspicious bosses -- FlexiSPY promises the chance for users to silently view all of the SMS text messages and e-mails that have been sent from and received by a phone carrying the application, as well as view their call logs and pinpoint device usage locations.
So much for any hope of privacy kids.
After someone has installed the program on a device it can only be accessed using a password, and the software uploads any information it gathers to a secure server via GPRS. This allows for remote viewing and analysis of such contents, essentially giving that person everything but the ability to eavesdrop on the device owner's phone conversations.
The data can be viewed using either a PC or another handheld device once it is collected, according to the manufacturer. A Pro version of the product also claims the ability for users to secretly turn on an infected device's microphone from any other phone and listen to their surroundings for clues where they might be, or perhaps who they might be with.
Vervata claims that FlexiSPY has already been employed by large numbers of people worldwide to uncover extramarital affairs, disloyal employee activities, and to allow parents to track their children's device use.
The company said that the product is also being used by law enforcement officials -- presumably to spy on potential suspects -- and said that it is similarly helpful as a cost control mechanism, and for supporting compliance and mobile data backup efforts.
"We've received numerous testimonials from customers who have caught their spouses cheating on them, their children behaving inappropriately, and from company executives who have used FlexiSPY to nab disloyal employees," Atir Raihan, managing director of Vervata, said in a statement.
The company stresses repeatedly that FlexiSPY is neither a Trojan nor a virus and doesn't attempt to hide itself as some other type of program once it is downloaded onto a device.
Rather, the firm is pitching it as more of a parental controls enforcement tool for wireless devices.
"While spying on people may seem unethical, cheating spouses, rogue employees sharing private company data, or unsuspecting children receiving SMS messages from pedophiles are all activities nobody wants to see happen," Raihan said. "FlexiSPY is just like the various software applications that have been around for years that you can install on your PC to monitor inappropriate activities; we've brought that technology to the mobile platform."
So, the lesson is -- watch what you say or write on those cell phones, people; you never know who may be watching or listening.
Posted by Matt Hines on June 12, 2007 12:43 PM
June 06, 2007 | Comments: (0)
Google ads site authentication to AdWords
Google's AdWords advertising technology has been a blowaway success for the company almost from the day it was introduced. For proof of that, look no further than GOOG's latest quarterly statement, where Web-based advertising accounts for 99 percent of Google's revenue, to see that AdWords is the goose that laid the golden egg. So, despite occasional scandals -- such as the recent reports about AdWords being used as bait for attack Web sites -- Google has added a new feature that allows its crawlers to go even deeper into the Web sites that display AdWords. Site Authentication is a new option for AdSense customers that allows them to provide site authentication information and let Google's crawlers dig deep into pages that are protected by a username and password.
Posted by Paul Roberts on June 6, 2007 10:27 AM
June 06, 2007 | Comments: (0)
Is Watchfire deal bad for SPI?
When I met with SPI Dynamics CEO Brian Cohen last week, we talked a great deal about the ongoing shift among internal development teams who are now finally adopting his company's Web applications vulnerability scanning tools.
This shift -- detailed in my analysis of the trend posted earlier today -- is a sharp transition from the past several years when developers primarily accessed SPI's Assessment Management Platform (AMP) -- used to track and measure Web applications security risks -- via integration with major software development platforms.
Prior to seeing the emergence of a direct market through which it is now reaching developers over the last 6-9 months, SPI was largely dependent on its integration via partnerships with Microsoft, Mercury Interactive (owned by HP) and, you guessed it, IBM, to get its tools into software coders' hands, Cohen said.
"The message just didn't resonate with end users unless it was something built directly into one of the popular development platforms," Cohen said. "Now we're finally seeing more development groups ask for this technology for themselves; at a high level, organizations would prefer just to block vulnerabilities after the fact, but they've finally learned that they can't afford to maintain that type of approach."
As part of our conversation, which had been spurred by a discussion on the same topic with Mike Weider -- founder and chief technology officer of rival Watchfire -- Cohen stated his belief that Watchfire's move to add developer-specific tools to its own AppScan 7.5 product line was inspired by SPI's move to do so several years ago.
(Although some might argue that Watchfire's acquisition of apps security pioneer Sanctum in mid-2004 gave it a pretty early stake in the business.)
With today's news that IBM is buying Watchfire, one has to wonder how the deal affects SPI and other providers.
IBM is known for maintaining long rosters of partners, even when it owns technologies that compete with some of those companies' products. But, will the company integrate Watchfire into its development platforms, potentially displacing SPI for those deals, or continue to market it as a standalone product, or both?
Based on the idea that developers are beginning to buy applications vulnerability scanning tools direct, it would seem that SPI shouldn't have much to worry about. But if the market tilts back toward integration, SPI might be losing one of its largest OEM partnerships, or at least losing some of its standing inside Big Blue.
For his part, Weider -- who kept the IBM deal under wraps so tightly his PR agency claims they had no idea it was being drawn up -- said that he expects development teams to increasingly "weave security testing in as a critical requirement along with quality assurance, functionality and performance."
Could this be a not-so-subtle pitch for integration with other development tools?
"These have been key requirements for applications developers for years and security is finally making it in, companies are seeing it as a fundamental element of their software development lifecycle," Weider said. "The quality assurance engineer needs to do applications testing to play their role in ensuring security."
According to a May 2007 report from Gartner:
- By 2008, leading source code security vulnerability scanning vendors will combine features of source code vulnerability detection with Web application vulnerability detection into a single tool.
- By 2010, 40% of organizations will use a single vendor that provides both source code security scanning and Web application security scanning features along the software development lifecycle (SDLC).
- By 2009, 80% of the major SDLC vendors will offer source code security scanning tools as part of their platforms.
- By 2010, 60% of IT organizations will make security vulnerability detection an integral part of their SDLC processes.
Gartner said that the market for source code security vulnerability testing (SCSVT) tools will experience "significant changes" in the coming years, with the commoditization of some capabilities, features and products, and the delivery of scanning as a service on tap.
The research company also predicted that emerging integration of SCSVT "at little or no cost" into development platforms should drive a tightening of the sector.
"Vendor selection should be tactical and contract terms shortened to reflect this turmoil," said the report. "The SCSVT market risks disappearing as a stand-alone market during the next five to seven years as the major platform providers supply their own technologies or acquire existing products."
It should be noted that Web scanning applications -- SPI's forte -- are not the same thing as pure SCSVT tools.
However, if SPI is losing one of its biggest OEMs, and the market doesn't embrace the non-integrated model as expected, you have to wonder how this deal will affect them and other standalone applications testing technologies.
Stay tuned.
Posted by Matt Hines on June 6, 2007 09:41 AM
June 05, 2007 | Comments: (0)
Brokerage to give out McAfee AV
Security industry watchers have been predicting for years that financial services companies and e-commerce vendors would begin sourcing anti-malware technologies for their customers to help keep their online businesses chugging along in the face of so many attacks.
In a move that gels with such forecasts, online brokerage Scottrade announced on June 5 that it has partnered with security specialist McAfee to provide the software maker's integrated security technologies to its customers, for free.
According to Scottrade, which presently claims 1.6 million users, each of its investors will receive McAfee's flagship all-in-one package of firewall, anti-virus, anti-phishing and anti-spyware software to extend security protection to all of its customers as a free service.
"Our customers are concerned about spyware, phishing, and other online security threats. The threat landscape is changing and it is vitally important that Internet users adequately protect themselves against these threats," Rodger Riney, president and CEO of Scottrade, said in a statement announcing the deal. "McAfee has been a trusted advisor, keeping Scottrade's systems protected against both new and emerging security risks. Partnering with McAfee allows us to provide our customers with McAfee's expertise in security software with the latest updates at no charge."
Scottrade customers will specifically receive McAfee VirusScan Plus -- which typically retails for $39.99 -- along with its free SiteAdvisor Web surfing protection tools, under the agreement.
Other technologies will include McAfee SystemGuards -- which monitors PCs for suspicious behavior -- and McAfee X-Ray for Windows -- which is meant to find and remove pernicious root kits that attempt to hide from security applications.
Through the partnership, the companies said that Scottrade customers will also receive McAfee's security updates for one year and gain access to interactive security resources including articles, demos, quizzes, tips, podcasts, blogs and videos provided by the security vendor.
For its part, Scottrade claims to be the first major financial services company to create such a program.
"Continually enhancing Scottrade's own security systems is a big part of the battle, but we believe a dual approach is most effective in protecting our customers," Grant Bourzikas, director of Information Security and Business Continuity, said. "Sensible precautions taken by our customers through this partnership with McAfee provide a very safe online environment. We are making a significant investment in security – both with our new, state-of-the-art data center and by offering McAfee's latest solutions for our customers' PCs."
Posted by Matt Hines on June 5, 2007 12:26 PM
June 04, 2007 | Comments: (0)
McAfee - Search engine surfing still risky
McAfee has released the second installment of its annual State of Search Engine Safety report, which is based on threat data gathered by the company's SiteAdvisor Web site reputation ranking service.
According to the software company, the severity of some search engine-oriented security issues appears to have improved over the last year (infected sponsored links), while several others have only gotten worse (infected multimedia and adult sites).
Overall, McAfee estimates that search engine use has actually gotten slightly less dangerous over the last twelve months, with roughly 4 percent of all search results linking to Web sites it labels as "risky," compared to 5 percent one year ago.
However, with a large number of malware and virus-infected Web sites still populating the Web, the company estimated that consumers in the United States executed approximately 276 million monthly Web searches that led to troublesome sites in the last year.
"We're encouraged to see some improvement in search engine safety this year, but with four out of five Web site visits starting with a search engine query, consumers are still exposed to hundreds of millions of risky searches per month," Tim Dowling, vice president of Consumer Growth Initiatives with McAfee SiteAdvisor, said in the report. "In fact, an active search engine user, one that performs more than 10 searches per day, is likely to visit a dangerous site at least once a day."
To conduct its research, McAfee (with the help of Harvard professor and malware researcher Ben Edelman) studied search engine results generated by Google, Yahoo, MSN, AOL and Ask.com -- which it said account for roughly 93 percent of all search engine usage -- and then tested the top 50 search results returned by each site for queries run on 2,300 popular keywords.
(McAfee said the keywords it used were chosen from lists including Google Zeitgeist and Yahoo Buzz, among others.)
After examining the results and comparing them to data stored in SiteAdvisor:
- AOL charts as the safest search engine around, with only 2.9 percent of the URLs dredged up by its engine accounting for potential threats. Some 5.3 percent of the sites retrieved by AOL had been flagged as suspicious one year ago.
- Yahoo ranked as the least secure engine, with some 5.4 percent of the sites it found labeled as risky by McAfee.
Ad results generated by search engines have recently come under increasing scrutiny as schemers have tapped into keyword bidding systems to help promote their infected Web sites (as evidenced by a recent attack carried out against Google users).
In testing search engine "sponsored ads," or those served up directly by the sites to customers with query results, McAfee found that:
- Sponsored results contain 2.4 times as many risky sites as sites found via manual searches, with 6.9 percent of all sponsored results identified as potentially dangerous, compared to 8.5 percent one year ago.
- While down in volume, pure scam sites still account for 3.2 percent of all sponsored listings, McAfee said, with popular scams including download sites selling free software, ringtone sites with misleading billing practices, and work-at-home sites with deceptive terms.
(Despite the recent spate of threats running through AdWords, McAfee credits Google for vastly lowering the number of attacks carried out via its sponsored ads, which also run on AOL and Ask.com via syndication partnerships.)
In terms of the site categories most likely to return risky hits:
- Music and technology pages continue to be among the most dangerous search terms, with searches for "digital music" garnering the highest percentage of suspicious sites at 19.1 percent of all results, followed by "tech toys" and popular keywords including "chat" and "wallpaper" (or exactly the sort of things most inexperienced computer users might be searching for online).
- File sharing programs were also among the most risky keywords to search online, with queries for known file-sharing networks culling large numbers of infected URLs, including "bearshare" (45.9 percent suspicious results), "limewire" (37.1 percent), "kazaa" (34.9 percent) and "winmix" (32 percent).
- Adult-themed keyword searches remain risky, with the volume of suspicious sites found by such queries rising 17.5 percent since December 2006 to represent 9.4 percent of results. Driving this growth was a sharp 72.2 percent uptick in the percentage of risky adult sites within sponsored results.
Posted by Matt Hines on June 4, 2007 11:47 AM
June 01, 2007 | Comments: (0)
With the nation at war, I've made a conscious effort to avoid going overboard in the use of words like battle, fight or weapons in my coverage of IT security, in respect of the fact that no matter how crazy the cyber-crime landscape gets, it's still pretty innocuous compared to the real deal.
As someone who watched the events of 9/11 unfold in person after the Silicon Alley .com I'd been working at tanked, the thing I'll always remember most clearly is standing on the shores of the Hudson in Hoboken, N.J., watching fighter planes fly low overhead and converge on the burning towers across the river. Somebody's radio announced that the Pentagon had been hit as well.
For that brief moment in time, it was very hard not to feel under attack.
Last night I was sitting in my living room in Boston with the front door open and the screen door locked to let the breeze in, as usual, when I heard a cry for help.
Running out into my front yard I found a young woman struggling with a man outside of a car in the middle of the street. As I, a neighbor, and another passerby who'd stopped his car to see what was going on, all confronted the situation and asked what was happening, the woman screamed that she was being assaulted and struggled to free herself from the man. He let go and pleaded innocence.
After getting her into my house, where my wife was already on the phone with the police, we were confronted with the task of stopping her large assailant from trying to follow us inside. We did so, and locked him out, whereupon he took off, leaving his car in the middle of the street.
The girl told us she'd met the man and gotten into his car for a ride only to have things go very bad. As part of her struggle to free herself from the attacker she had attempted to call 911, and he had merely broken her cell phone into pieces.
The cops were on their way and we were all locked safely in my home, but it was hard not to worry that if this guy was loose he might try to return, or wonder if he was armed, or hiding somewhere close by.
Luckily for everyone, the Boston Police Department appeared to do a terrific job, catching the attacker and an accomplice who had fled the vehicle before we came upon the situation.
Other than a horrific shakeup and a smashed cell phone, the victim seemed to make out OK as well.
I'm loath to correlate such a dramatic, real-world experience that had such dire implications to the malware, fraud and cyber-crime events we write about every day, but it is true that both types of events involve the innate human process of responding to unexpected threats.
If I were a systems administrator or a CSO at a company being assaulted by cyber gangs, I'd likely be worried about how my reactions would affect my employer, my job security and my ability to provide for my family -- just as I was worried about some armed psycho trying to bust down my door last night.
When you're put into an attack situation without warning, it's hard not to be overwhelmed by all the adrenaline rush and synaptic overdrive set in action by the human physiological defense mechanism.
Anyways, props to all of you who spend most of your time warding off scumbags, online or offline. It's not a job that I think I could relish on an everyday basis.
Posted by Matt Hines on June 1, 2007 09:15 AM