- Badware not pushing users offline
- Web attacks won't stop
- Most sites still hack-able
- Tips on employee monitoring
- Research: IT security maturing, but misaligned
- Clarke sharply criticizes Bush cyber-security plans
- Conference seeks to bridge risk, research
- Core finds new CEO
- Outlook bleak for Phishing defeat
- Exploring the data security quandary
March 31, 2008
Badware not pushing users offline
Malware, spam and a litany of social engineering schemes may haunt nearly every corner of the Web, but that's not stopping most Americans from feeling confident in their ability to do business on the Internet safely, according to a new paper published by StopBadware.org.
The Harvard Law School anti-malware project points out this "security paradox" in its latest report, released just a day before one of its lead researchers is slated to testify before federal regulators on the growing complexity and financial impact of online threats.
Maxim Weinstein, who manages the StopBadware.org team at Harvard Law School's Berkman Center for Internet & Society, will speak on the continued evolution of phishing -- which Consumer Reports estimates to have accounted for $2.1 billion in related fraud in the last year alone -- before the Federal Trade Commission in Washington on Tuesday.
The new poll, conducted for StopBadware by Zogby International, finds that 88 percent of the Americans interviewed in the study feel secure when using the Web, and that some 84 percent of respondents believe that they have sufficient resources on hand to make informed decisions about protecting their privacy and security online.
In an interesting demographic twist, younger Americans appear to view the Web as even more secure than their older peers -- sort of like driving a car, and you wonder if a lack of experience plays a similar role as it does with youthful drivers -- with nearly 50 percent of survey respondents under age 30 indicating in the study that they feel "very safe" online.
Only 25 percent of those respondents 65 and older replied the same way -- although to be fair one could similarly guess that older folks are just far more careful than their younger counterparts in general. I myself have older relatives who appear to believe that the Internet was designed by the devil himself for the sake of spreading pornography and enabling widespread terrorism.
StopBadware leaders said that the rift is likely emblematic of the fact that younger users have grown accustomed to having the Web in their lives starting at an earlier age.
"Young people who have grown up in a digital society treat the Internet as part of their world, not as a separate entity with different rules from the physical world," John Palfrey, executive director of the Berkman Center said. "To digital natives, asking if they feel safe online is akin to asking if they feel safe in their own community."
The apparent Internet security paradox appears to transcend most issues of geography, age, politics, and gender, however, based on the replies of the 6,678 Americans Zogby polled in February 2008, as most reported feeling some level of safety online.
Perhaps even more disconcerting than the notion that people seem to feel secure on the Web is the fact that few are taking the needed steps to best protect themselves -- at least according to other research reports.
In making its point, StopBadware highlighted the fact that only 24 percent of those people participating in a recent report published by AV vendor McAfee and the National Cyber Security Alliance employ a firewall and update their anti-virus and anti-spyware systems on a regular basis.
Combined with other research indicating that more Americans than ever are going online -- such as the Pew Internet Project's most recent estimate that 70 percent of U.S. citizens are Internet users, up from just 15 percent in 1995 -- StopBadware predicts things are only going to get worse in terms of overall financial losses.
Sixty percent of those people responding to the Pew study said they remain unworried about how much of their personal information resides on the Web, with 61 percent of the adults interviewed for that report indicating that they do not feel compelled to control their digital image to protect themselves from attack.
Until drastic measures are taken and more Americans wake up to the problem, it appears that online security threats will only intensify, said StopBadware's Weinstein.
"Americans see themselves as safe online, even as we see an ongoing trend of organized criminal elements using the Internet to target unsuspecting users," he said.
Posted by Matt Hines on March 31, 2008 09:15 AM
March 28, 2008
Web attacks won't stop
Web-borne malware attacks will continue to flourish in 2008, according to the latest research report filed by scanning and acceleration specialists Blue Coat.
Based on the company's top ten security trends report covering the remaining calendar year, SQL and iframe injection exploits, along with a multitude of other attacks, will continue to spread over the Internet, with a large number of the infections being delivered via compromised Web sites.
Many of the threats will also be planted using drive-by techniques that won't require end user interaction beyond the initial visit to an infected URL, Blue Coat reports. Even popular sites are becoming well-traveled avenues for malware delivery.
"Because these are well-known, reputable sites -- some of the most trusted names in online news and commerce -- URL-filtering and reputation tools won't block users from visiting them," the report summarizes.
Web sites will remain painfully vulnerable to such attacks until developers become more successful in their attempts to secure their work, especially when working with emerging technologies such as Adobe Flex and Microsoft Silverlight, the experts maintain.
Another hot trend in 2008 will be the use of downloadable software widgets, even some of those developed by major vendors including Microsoft and Yahoo, Blue Coat's researchers contend.
"Even hailing from such leading developers as Microsoft and Yahoo, widgets have been found to have insufficient security features, leaving them vulnerable to infection. Because widgets often have access to the host operating system, they pose major risks to users," the paper asserts.
Online videos and social networking sites are also expected to attract a great deal of malware activity in 2008.
In the physical world, laptop computers containing valuable corporate data will continue to make attractive targets for thieves, with Blue Coat estimating the worth of a machine holding records for 10,000 employees as high as $140,000 on the black market.
On the topic of devices, the company cited a 2007 incident in which digital picture frames were found to contain an onboard Trojan as emblematic of more attacks to come. Along with picture frames, the report names USB memory sticks as another probable method by which such threats will arrive.
In terms of defense, the company said that more businesses will distance themselves from the use of social security-type identifiers in order to help lower the risk of identity theft. However, Blue Coat also points to lingering problems with network security, gateway appliance throughput challenges in particular, as a continuing issue.
"A dirty little secret of the IT security industry is that most Web security gateway products are architecturally incapable of scaling to meet enterprise needs. Enterprises will continue to find themselves short-changed by products that promise comprehensive network protection but don’t deliver on performance," the company said.
Posted by Matt Hines on March 28, 2008 09:31 AM
March 24, 2008
Most sites still hack-able
The latest research report out of Web applications security specialist WhiteHat finds that most sites are still woefully vulnerable to hacker attacks.
WhiteHat again estimates that some 90 percent of all pages are hack-able, the same figure it has attached to several previous reports.
The message? Things aren't getting much better out there!
Over the last two years that WhiteHat has been issuing its paper, the company has reported that the volume and variety of Web site attacks have in fact only continued to rise, with Cross-Site Request Forgery (CSRF) tabbed as the next big thing by the experts this go round.
According to the company, nine out of ten sites still have serious vulnerabilities with an average of seven vulnerabilities per site.
The leading forms of exploit that WhiteHat is observing on the Net haven't budged much in recent months either, with classic techniques including SQL injection, buffer overflows and cross-site scripting (XSS) leading the way. However, the company is predicting that CSRF threats will soon begin to multiply.
Cross-Site Request Forgery (CSRF), as defined by OWASP, is an attack that attempts to fool end users into loading a Web page that contains a malicious request, much like traditional phishing attacks or XSS threats.
Using the technique, hackers then try to misappropriate victims' identities and privileges to carry out activities such as changing their application passwords to gain entrance to banking sites, or logging into e-commerce sites to make fraudulent purchases in their names. In some cases, the attacks are hidden on the vulnerable sites themselves.
CSRF attacks are also known by a number of other names, including XSRF, Sea Surf, Session Riding, Cross-Site Reference Forgery, and Hostile Linking.
WhiteHat researchers said that attackers using CSRF exploits can "easily" manipulate today's Web browsers to send unintended HTTP requests such as fraudulent wire transfers, change passwords and download illegal content.
And based on its research, the company said that CSRF attacks will eventually move into the number two spot behind XSS exploits in terms of their frequency among the leading site hacking techniques.
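The CSRF mechanism described above, as an added example written for this page (it is not WhiteHat's or OWASP's code): a password-change handler that trusts the session cookie alone, beside one that also demands a per-session synchronizer token and checks the Origin header. The site name, session store, server secret and request object are constructed stand-ins for a real web framework.

```python
"""Illustrative CSRF example for this page: a vulnerable state-changing
handler next to a hardened one. All names and state here are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"      # assumed origin of the protected site
SERVER_SECRET = secrets.token_bytes(32)   # generated at startup (constructed)

# Constructed server-side state: session id -> session data, user -> password.
SESSIONS = {"sess-123": {"user": "alice"}}
PASSWORDS = {"alice": "old-password"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST as a framework would present it."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def current_user(req):
    sess = SESSIONS.get(req.cookies.get("session"))
    return sess["user"] if sess else None


def issue_csrf_token(session_id):
    # Synchronizer token: an HMAC of the session id under a server secret, so
    # it is bound to one session and cannot be guessed by a third-party page.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_password_vulnerable(req):
    # Acts on any request carrying a valid session cookie. The browser attaches
    # that cookie automatically, so a form auto-submitted by another site succeeds.
    user = current_user(req)
    if user is None:
        return 401
    PASSWORDS[user] = req.form["new_password"]
    return 200


def change_password_hardened(req):
    user = current_user(req)
    if user is None:
        return 401
    # Check 1: the form must carry the per-session token; a foreign page cannot
    # read it, so a forged request arrives without it. Compare in constant time.
    expected = issue_csrf_token(req.cookies["session"])
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return 403
    # Check 2: if the browser sent Origin (or Referer), it must be our own site.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src is not None:
        parts = urlsplit(src)
        if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
            return 403
    PASSWORDS[user] = req.form["new_password"]
    return 200


def forged_request(with_origin=True):
    # A page on evil.example auto-submits a form to the bank. The browser still
    # sends the bank session cookie, but the foreign page has no token.
    headers = {"Origin": "https://evil.example"} if with_origin else {}
    return Request(cookies={"session": "sess-123"},
                   form={"new_password": "attacker-chosen"}, headers=headers)


def legitimate_request():
    # Same-site form submission that includes the token the bank rendered.
    return Request(cookies={"session": "sess-123"},
                   form={"new_password": "n3w-pass",
                         "csrf_token": issue_csrf_token("sess-123")},
                   headers={"Origin": SITE_ORIGIN})


def demo():
    """Run each handler against forged and legitimate requests; return status codes."""
    return {
        "vulnerable_forged": change_password_vulnerable(forged_request()),
        "hardened_forged": change_password_hardened(forged_request()),
        "hardened_forged_no_origin": change_password_hardened(forged_request(False)),
        "hardened_legit": change_password_hardened(legitimate_request()),
    }


if __name__ == "__main__":
    print(demo())
```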
The report also tracks site vulnerabilities present on the URLs of companies in specific vertical markets. In those results, the retail sector is performing better than other segments in terms of protecting its sites from attack, according to the study.
Other vertical markets not faring as well included insurance, which headed the list with 84 percent of sites having vulnerabilities that fall into the urgent, critical or high severity status, followed by IT companies at 72 percent, healthcare at 64 percent, and financial services at 60 percent.
However, WhiteHat researchers point out that while the security standing of some industries is better than others, the difference is "largely insignificant" when it comes to stopping a site from being exploited, as attackers only need a single vulnerability to get their hooks in.
In addition to malicious attacks, many companies' lack of site security will also open them up to potential compliance violations, the experts said.
"With the amount of transactions and activities conducted online and upcoming compliance deadlines such as PCI DSS 6.6, organizations need to be more proactive than ever in protecting sensitive data," Jeremiah Grossman, founder and chief technology officer at WhiteHat, said in a report summary.
WhiteHat will be hosting a webinar to reveal more of the report findings on Wednesday, March 26, 2008 at 11:00 a.m. PT / 2:00 p.m. ET.
Posted by Matt Hines on March 24, 2008 04:11 PM
March 21, 2008
Tips on employee monitoring
Employee monitoring has become an increasingly necessary evil for most organizations as a wide range of factors push companies to expand both their physical and IT surveillance systems.
From greater varieties of compliance regulations, to widespread electronic data theft -- including corporate espionage and other so-called insider threats -- there's a growing list of reasons to keep everything from DLP systems to closed-circuit TV cameras trained on larger numbers of workers.
That said, it's clear that there are rules of engagement that can be followed to protect companies from security incidents while also shielding employees from unnecessary spying. Carefully considering all the involved parameters can also lower the potential for lawsuits if surveillance efforts breach established personal or regional privacy thresholds.
At the CSO Perspectives Conference in Atlanta this week, Dave Morrow, chief security and privacy officer at EDS, the giant consulting and systems integration firm, took the stage to share his thoughts on how to do employee monitoring right.
Along with specific recommendations, Morrow also highlighted some emerging business, technological and ethical questions that companies will need to tackle as they further architect their surveillance strategies.
What follows are some highlights of Morrow's speech to the assembled audience of CSOs:
-Here's why you should do IT monitoring:
"The main reason to do it is for liability purposes; when you go to a parking garage you expect surveillance cameras, it's almost considered due diligence at this point, and new case law shows a developing body of thought that IT monitoring will be an issue of due diligence in the future," Morrow said.
-Keep regional sensibilities in mind:
"We already have a certain level of questioning in our society, and it depends on where you are as to what's considered acceptable surveillance," said Morrow. "In [parts of the U.S.], we're fighting over stop light cameras, whereas in the U.K. there is an acceptance that you're already on TV everywhere; how you do it depends on acceptance of [the concept of] private information; that involves what you think that is and dealing with different sensibilities worldwide."
-Pitching data leak prevention:
"Anti-virus is really DLP in reverse, but if you have a project and don't explain it well to your executives you will be in for world of hurt, because people will think big brother is coming," he said. "And you need to present it in a context where you frame your argument as a business process, of how DLP makes process more effective as opposed to framing it under security; that makes your argument a lot more palatable."
-More regulations to come:
"Everyone knows about data notification laws, and there are a growing number of regional privacy directives," said Morrow. "We expect this to continue to expand in the EU, where they are already talking about standardized breach notifications; and I think we'll see them in APAC as well."
-Tying physical access to IT access:
"To IT, this idea makes all kinds of sense, but a lot of people will have a hard time with the idea of big brother, cameras, and being able to be tracked," Morrow said. "We have a policy not to track [access details] for attendance or HR issues; technically it's easy to do, but you have to ask if it is the right thing to do; the other question is how far is too far."
-How and what to tell employees about monitoring:
"Coupled with an aggressive security education program, talk about why it is so critical not to have any kind of breach," the CSO said. "Explain it in context of business problems; tell people what you are doing and why; [monitoring] is not just something you jump into, you have to intertwine it with an education process, and business needs."
-General advice:
"Surveillance is in the eye of the beholder, you have to think about re-framing the argument from surveillance to monitoring," said Morrow. "Often times we're our own worst enemies for not thinking of interesting ways to communicate to business leaders."
Posted by Matt Hines on March 21, 2008 09:47 AM
March 17, 2008
Research: IT security maturing, but misaligned
Many organizations are doing a better job of creating and managing their IT security programs, but survey results highlight a continued disconnect between security shops and the line-of-business teams they support, according to a new research report published by PriceWaterhouseCoopers and several IDG magazines, and detailed at the ongoing CSO Perspectives Conference in Atlanta.
Based on the results of the 5th annual Global State of Information Security report, produced by PWC and InfoWorld sister publications CSO magazine and CIO magazine, most of the 7200 organizations surveyed for the research showed signs of improving their overall security standing.
If one major problem was exposed by the report, however, it was that security departments often fail to communicate sufficiently with the business people they interact with, researchers said.
That lack of discourse and common understanding of larger security team goals among rank-and-file business workers cuts into the ability of CIOs and other project leaders to do everything from engendering stronger data protection to gaining funding, said Mark Lobel, chief information security architect at PWC.
"This idea of misalignment and opportunity for better [communication] between security and business workers is one of the top themes coming out of the data," Lobel said. "If senior executives don't understand where funding is coming from, if they don't know who is in charge, that's going to hurt your efforts in the long run."
In terms of why companies are willing to spend money on security, perceptions have changed though, the expert said.
With 60 percent of the CEOs responding to the survey saying that business continuity is their top driver for security and compliance spending, along with 75 percent of the chief information officers, the idea that security is all about defending perimeters has shifted, Lobel said.
Some 40 percent of the CEOs earmarked the protection of corporate reputation as a top motivation for upping their attention on security, while 50 percent of CIOs agreed.
Deferring to compliance needs is no longer the leading method for defending security spending, with less than 10 percent of either group identifying regulatory action as the best reason to give for opening their wallets.
Meanwhile, over 20 percent of CEOs cited the protection of corporate finances as a motivating factor, along with 15 percent of CIOs. Defending company data was the top goal of over 20 percent of all CEOs and CIOs surveyed, while protecting IT operations was a leading reason for 45 percent of CEOs, and a whopping 75 percent of CIOs.
Overall, 40 percent of CEOs indicated that they plan to boost security spending this year, while 50 percent of CIOs are hoping for larger budgets.
In terms of perceived threats, the potential for insider attacks has clearly resonated with business leaders, with 48 percent of all respondents citing the issue as their primary concern, compared to only 33 percent in last year's report.
Meanwhile, 41 percent said they most fear external hackers, compared to 63 percent last year.
Lobel said the difference in results highlights a significant change in perceptions, driven largely by increased vigilance among IT security departments.
"People didn't get worse year-on-year, what changed in the environment over the last few years was the ability to monitor and detect," he said. "Because of compliance, we've put in controls that we never had before, and the survey points out that this is beginning to work, as we're finding and seeing things we never saw before."
There do remain weak points in many security operations, according to the research.
Over 50 percent of survey respondents indicated that they do not encrypt information on laptop computers, and only 22 percent said that they have hired a chief privacy officer.
However, overall the results show slow but increasing maturity in IT security, he said.
Going forward, companies will be best served to spread support for security and compliance operations across their workforce, and to do whatever they can to ensure buy-in from top corporate officials, Lobel contends.
"What spending tells us is that security is splitting, we have multiple reporting lines and multiple masters, which makes sense," he said. "If we have all the management under IT, availability will be the primary concern, and we won't have segregation of duties to be objective, and people outside IT won't get cooperation and coordination they need. We need some sort of split, and support for security at senior executive levels outside of IT to review policies."
Posted by Matt Hines on March 17, 2008 04:38 PM
March 12, 2008
Clarke sharply criticizes Bush cyber-security plans
Former White House cyber-security and anti-terrorism advisor Richard Clarke isn't known as a fan of the current administration, but political loyalties aside, the expert claims that the president's new initiative aimed at bolstering the nation's electronic infrastructure is fundamentally flawed.
Speaking at the inaugural Source Boston security conference, Clarke expressed his concerns over the national electronic security initiative signed by Bush on Jan. 8.
While the measure has yet to be detailed by the White House publicly, the Washington rumor mill is already circulating many details of the strategy and Clarke said the plan won't have the effect that the president's advisors are hoping for.
The two major thrusts of the Bush mandate, according to Clarke, are aimed at better securing the government's own computing and communications networks, and adopting a more proactive approach to engaging in cyber-warfare.
In both cases, the plan may in fact serve to weaken U.S. security and privacy efforts, he said.
As Clarke sees it, the biggest flaw in the portion of the measure devoted to protecting government computing operations is a lack of recognition that most of those systems run on the same infrastructure, and through the same carriers, as the rest of the nation's Internet traffic.
"There's the idea that somehow these are government networks that we're talking about, but they really aren't, all these government sites are running through the same network of routers and the same fiber channels as everything else, there's no segmentation on these carrier networks," Clarke said. "This means that [the plan's authors] either don't know that and merely think they need to reinforce security on state-owned servers, or data in their own facilities, in which case they are missing most of the problem, or that they plan to do monitoring of everything going through the carriers' systems."
If it is the latter, then Americans will need to prepare for a world where they have far less privacy in terms of their ability to access the Web without the potential for government observation, he said.
"Given this government's performance with abuse of the Patriot Act, and surveillance without warrants, we have to ask questions, because we clearly cannot assume that the government isn't breaking the law and ignoring privacy," Clarke said.
On the topic of cyber-warfare, an area where Clarke isn't afraid to call out entities including the Chinese government for engaging in frequent attacks already, the expert said that trying to go on the offensive to match the efforts of U.S. rivals is not the most intelligent response.
The concept of mutually assured destruction that was employed by the U.S. and U.S.S.R. during the Cold War to discourage nuclear attack doesn't port well to the world of cyber-space, but the president's advisors seem to think that it will, he said.
"In cyber-space, who knows what capability anybody has? It's much more important to know what you could do if someone launched an attack on the U.S., how much could [someone] really shut down and what would be the effect," Clarke said. "I suspect that the U.S. is much more vulnerable than other countries, because we are more wired and dependent on cyber-space. China has structured its infrastructure such that it can shut itself off, and create its own environment if it wants to; so it seems that there are asymmetries."
Rather than trying to hack into other governments' networks, as the Bush plan suggests, U.S. strategy should focus more on identifying potential vulnerabilities in common infrastructure and applications, and getting that information into the hands of American organizations and end users as quickly as possible, he said.
"The first duty of the government is to protect and defend its own people," Clarke summarized.
One solution that Clarke maintains could dramatically improve U.S. cyber-security would be to employ new industry regulations aimed at forcing ISPs to better police their traffic, and additional measures that force companies selling technology to the government to put their products through more rigorous security testing.
"To Washington bureaucrats, regulation of any kind is inherently a bad thing, they think any proposal to create new regulations is bad and reject it, but I believe that we could do a lot to achieve cyber-security in the U.S. via smart, light-handed regulation," Clarke said. "If we could do these things, regulate ISPs and create additional regulations about government procurement, a lot of the problems get smaller."
Posted by Matt Hines on March 12, 2008 01:20 PM
March 11, 2008
Conference seeks to bridge risk, research
It's always interesting to see new security conferences appear on the calendar, especially one in my hometown, and such a meeting of the minds is slated to get underway here in Cambridge tomorrow, the Source Boston 2008 show.
The confab bears a noticeable Bostonian fingerprint with a number of local experts among the organizers and presenters, including a handful of people who came out of @Stake, such as Veracode co-founder Chris Wysopal, Verdasys chief scientist Dan Geer, and Yankee Group analyst Andrew Jaquith.
And along with former presidential advisor Richard Clarke, and a collection of industry vendor CEOs and analysts, there will also be an array of well-known security researchers including Robert Hansen, Jeremiah Grossman, Rick Wesson and James Atkinson.
Some of the team from L0pht, the group of researchers that rocked Capitol Hill with their revelations on security vulnerabilities and the Internet way back in 1998, will also reunite at the show.
Wysopal is one of those researchers and one of the organizers, and I got a chance to speak with him about what he expects to come out of Source. He told me that he thinks the meetings may represent an intriguing opportunity for CSO types to mingle with researchers and allow for some actual cross-pollination of their ideas.
The show's program looks to play out somewhere between the research-heavy tenor of Black Hat and the more vendor-oriented RSA Security Conference, which seems like a pretty good idea if that's the type of environment that he and the other organizers are trying to create.
"I think that hopefully people who attend will see the bigger picture, you should have people who are typically down in the weeds see new things as they connect with strategic thinkers," said Wysopal. "Maybe they will see how things being researched as science have a bigger impact across the entire ecosystem, and people at the strategic level will realize that they can talk to researchers and deal directly with them, as opposed to going through layers of reports."
And hey, you know, hopefully some of us writing those reports will find some interesting things to report on to those of you who can't be there, too.
Wysopal said that the makeup of the program should prove relevant to attendees, with a third of the confab dedicated explicitly to the issue of applications security, which is by nearly all accounts a problem that is currently wreaking havoc among businesses.
"It's something that has had growing attention at other conferences, with people adding tracks, but it's a big part of this conference because we think this is where all the new risks are heading, both from the sense of attacking applications themselves and the human element," he said. "Software is everywhere and you have all these little applets spreading all over the place; there are some new paradigms emerging with the ease of installing these tiny snippets of software on a PC or a mobile device, and these new concepts carry risks that we're not really sure about."
The idea for Source actually traces back to Wysopal's own time involved with the L0pht hacker consortium, when he said that people like Clarke would come in and ask the security researchers for advice on what they were seeing in the wild. (And anyone who has read the former advisor's "Breakpoint" novel might venture that he based some of his fictional Cambridge-area hackers on L0pht.)
To the extent that it can, the show seeks to bring technical people and strategists together in a similar format for discussion, Wysopal said.
We'll be there tomorrow and Thursday to let you know what comes of it.
Posted by Matt Hines on March 11, 2008 09:27 AM
March 10, 2008
Core finds new CEO
As expected, Core Security Technologies has found a new CEO, naming former Sophos executive Mark Hatton to guide its future expansion plans.
The Boston-based penetration testing company's efforts to recruit a new leader first surfaced last July when Core insiders confirmed that longtime CEO Paul Paget, who had held the role for over five years, was stepping aside as the firm moved into its next stage of development.
Market watchers said they expect Hatton -- who will absorb the titles of president and chief executive officer, and will also join the firm's board of directors -- to work aggressively to expand Core's sales, with the potential to position the company for sale or an IPO in several years' time.
Hatton previously served as the president of North American operations for AV vendor Sophos, which has been credited by some industry analysts for using its rapid malware signature downloads and customer support strengths to steal business away from larger rivals including Symantec and McAfee.
The new Core CEO served as vice president and general manager for U.S. operations at U.K.-based Sophos before becoming the company's top North American executive, and worked previously as vice president of worldwide sales for Tilion, a maker of supply chain management software. Prior to Tilion, Hatton held the post of vice president of North American field operations for EC Cubed, which sold electronic marketplace development tools.
Founded in 1996, Core currently claims over 600 customers, a roughly 25 percent increase since the beginning of calendar 2007, and has previously collected financial backing from Pegasus Capital and Morgan Stanley Venture Partners to the tune of $4.5 million apiece.
Analysts have said that Core's flagship technology, dubbed Impact -- a package of network, applications and social engineering vulnerability testing tools -- remains a relatively unique commodity on the market, but will continue to compete against a number of other security testing applications for IT budget dollars.
Company officials have said since the initial announcement of Paget's impending departure that the move to bring in a new CEO was not aimed at facilitating a sale, but rather based on hopes of expanding on the company's existing opportunities as a standalone.
Hatton is credited with helping to lead Sophos during a period in which it significantly expanded its U.S. presence and made inroads with larger customers.
The executive said that he believes Core is ready to experience similar expansion.
"Core Security is already a market leader in the security assurance marketplace and is poised for considerable growth as we continue to demonstrate substantial value to customers worldwide," Hatton said in a statement. "I am excited to be joining the company at this important juncture and hope my experience will help take this already successful organization to the next level."
Posted by Matt Hines on March 10, 2008 10:23 AM
March 06, 2008
Outlook bleak for Phishing defeat
Everyone from the law enforcement community, to ISPs, to the very firms whose names are being tarnished by phishing attacks is trying to pitch in and help find a solution for the problem, but prospects for decreasing the prevalence of the threats remain daunting, according to the leader of one of the most high-profile efforts to do so.
David Jevans, the chairman of the nonprofit industry consortium the Anti-Phishing Working Group (and the CEO of encrypted USB drive specialist IronKey) said in a recent interview that as the phishing problem keeps "changing and getting worse" it has become clear that there are no simple answers to the issue.
Traditional mass-market phishing is still thriving despite the best efforts of ISPs and Webmail companies to filter out as much of the nefarious spam as possible, as phishers continue to use fast-flux DNS hosting -- rotating a phishing domain through many compromised hosts behind short-lived DNS records -- to evade takedown, and, even worse, targeted attacks are growing in complexity and popularity, Jevans said.
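Fast-flux is visible from the DNS side, because a fluxed domain looks different from a legitimately load-balanced one. The following is an added example, not from the article or from APWG: it scores a domain from repeated A-record lookups using the three features the published fast-flux detection work relies on (number of distinct addresses, how many distinct networks they fall in, and the record TTL). The lookup data is constructed, the /16 prefix is a stand-in for the announcing AS (a real detector would consult an IP-to-ASN mapping), and the thresholds are my own assumptions.

```python
"""Heuristic fast-flux detection from repeated DNS lookups (added example; constructed data)."""
import ipaddress
from typing import Dict, List, NamedTuple


class Lookup(NamedTuple):
    ttl: int            # TTL on the A records of this answer
    ips: List[str]      # addresses returned in this answer


def network_of(ip: str, bits: int = 16) -> str:
    """Coarse stand-in for the announcing AS (assumption: a real detector would use an
    IP-to-ASN table). Flux agents are compromised hosts scattered across unrelated
    networks; a CDN's many addresses usually sit in a few blocks the operator owns."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def flux_features(lookups: List[Lookup]) -> Dict[str, int]:
    """Aggregate what several lookups of the same name returned."""
    ips = {ip for answer in lookups for ip in answer.ips}
    return {
        "unique_ips": len(ips),
        "unique_networks": len({network_of(ip) for ip in ips}),
        "min_ttl": min(answer.ttl for answer in lookups),
    }


def is_fast_flux(lookups: List[Lookup], min_ips: int = 5, min_networks: int = 5,
                 max_ttl: int = 600) -> bool:
    """All three must hold: many addresses, spread over many networks, short-lived records.
    A low TTL alone is not enough: CDNs use low TTLs too. Thresholds are my own."""
    f = flux_features(lookups)
    return (f["unique_ips"] >= min_ips
            and f["unique_networks"] >= min_networks
            and f["min_ttl"] <= max_ttl)


# Constructed lookups (documentation / private ranges, not real hosts).
# A load-balanced site: low TTL, several addresses, but all in one block.
CDN_LOOKUPS = [Lookup(60, [f"203.0.113.{10 + n + k}" for k in range(4)]) for n in range(3)]
# A fluxed phishing domain: each answer is a different handful of hosts on different networks.
FLUX_LOOKUPS = [Lookup(300, [f"10.{10 * n + k}.0.{k + 1}" for k in range(5)]) for n in range(3)]

if __name__ == "__main__":
    print(flux_features(CDN_LOOKUPS), is_fast_flux(CDN_LOOKUPS))    # ... False
    print(flux_features(FLUX_LOOKUPS), is_fast_flux(FLUX_LOOKUPS))  # ... True
```

The network-diversity feature is what keeps a content-delivery network, which also answers with short TTLs and many addresses, from being flagged; in production, feed the function the answers from several lookups spaced minutes apart, since a single answer set rarely shows the rotation.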
"We see more targeted attacks, spear-phishing and whale phishing, where the attackers have some information about their targets and are using it to create customized attacks," he said. "When they know people's e-mail address and name, and have other information, this type of thing is very hard to track and stop. We also see attacks targeting specific companies where the effort is to get inside a network to plant Trojans and get in and steal intellectual property."
The expert warned that such targeted spear-phishing attacks are taking root across both the private sector and government. The model of blending malware with targeted attacks is also growing more common, Jevans said.
In another technical turn, phishers are employing more attacks that seek to use some level of phone interaction, either through VoIP-oriented "vishing" or with e-mail messages aimed at tricking people into calling live phone operators who are being paid to talk them out of their data.
At bottom, the problem with phishing is that it has become a truly complex set of social engineering techniques, some of which may always be hard to defeat when the attackers have profiled their victims and know how to approach them artfully, according to the APWG leader.
One solution may be the broader use of two-factor authentication for e-mail, Jevans said.
"I think things have to go two-factor in some scenarios; if you simply rely on people to look out for the attacks and keep things safe, I think that might be unrealistic," he said. "And even if phishers can steal a password, they still don't have the token."
E-mail signing, long touted as a potential salve for spam and phishing, continues to evolve and should help as it becomes more broadly adopted, but technology alone won't solve the problem altogether, said the expert.
"People can still create ways around it, we really need to combine authentication and reputation," said Jevans. "We need for the system to understand how long a site has been up, or does it exhibit malicious characteristics, as well."
Additional laws aimed at stopping phishers won't help much either, he said, since enforcing any measures, especially overseas, will likely always prove difficult.
Overall, Jevans said that while APWG and its allies will continue their work and look for new ways to address the phishing epidemic, the outlook does appear fairly bleak, at least in the short-term.
"We thought there would be simple answers several years ago when we started, but people actually have fewer ideas about what to do now as things have progressed," Jevans said. "It's a big problem and getting more sophisticated all the time; industry will really have to work together far more to move toward solving the issue."
Posted by Matt Hines on March 6, 2008 10:56 AM
March 04, 2008 | Comments: (0)
Exploring the data security quandary
Anyone who spends any amount of time around the IT security industry is bound to come across Dan Geer, either in person or by reputation.
He's one of those guys you soon begin to recognize, always dressed casually and sporting his trademark sideburns, and full of some of the best and most well-informed questions you'll ever hear anyone ask on the trade show circuit. He's someone who doesn't hesitate to ask those frequently tough questions of his peers in front of a live audience -- a techie's techie, if you will.
Geer may be best known for his infamous departure from @stake, where he was chief technology officer, after co-authoring a 2003 report that critiqued the risk of a software "monoculture" built around the Windows OS -- a report that, it is worth noting in retrospect, turned out to be accurate in many of its predictions.
But now he's firmly entrenched in the data loss prevention (DLP) business, serving as VP and chief scientist at Verdasys, one of the more highly regarded vendors in the space and one of the few big names left independent after 2007's industry consolidation, in which Symantec, RSA and Trend Micro snapped up its closest rivals.
To that end, Geer's latest effort is a new book titled "The Economics & Strategies of Data Security," which explores the increasingly challenging prospect of trying to keep corporate data under control, or at the very least out of the wrong hands. As usual, it seems that for every question he attempts to answer in the book (and admittedly I've only read pieces of it), he is also ready to cast doubt over simple answers and pose subsequent queries over the very nature of the topic at hand.
The thing is, Geer may work for a DLP vendor, but it's clear in his book and in one-on-one interviews that he regards data security itself as a very fluid and unsolved issue.
As other smart industry watchers point out, he highlights that information has become the most valuable tool of business, and that efforts aimed at limiting access to it, or at setting hard boundaries around its distribution, can in many cases be more counterproductive than helpful.
And while companies like Verdasys have built complex technologies that work impressively at putting some controls on inappropriate data use, it remains clear that he accepts that no one will ever be able to manage the flow of electronic information altogether.
"It's like the common cold, you think by now if this was a solvable problem that we would have it taken care of, but it's still fresh everyday," he said in a recent interview. "What's true yesterday isn't true today and it's hard to tell those people trying to hurt you from those who aren't."
"In business we can't expect people to limit access, maybe to something like the formula for Coke, or maybe in areas of finance such as pre-IPO where there are built-in incentives not to distribute certain information," said Geer. "But the inherent nature of data is such that we will always want to share it with others."
DLP works only as well as the controls its designers build for protecting sensitive data, and only as long as those controls don't get in the way of legitimate business; users must also be able to pre-empt the controls when necessary, he said.
"Any rules you create must be designed so that they can be modified quickly," Geer said. "In a world where attacks propagate quickly our ability to react is best modeled on the human immune system, with new countermeasures on demand, but in a way that doesn't get in the way of allowing other related systems to work."
Now, that doesn't mean Geer thinks DLP doesn't work; he is simply realistic in contending that for information to be protected, we must be willing to give up some freedom in how it is distributed.
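As an added illustration of the design Geer describes (controls on sensitive data that can be changed quickly and that users can override when business requires it), here is a small policy engine of my own; it is not Verdasys code. It has detectors for two data classes (payment card numbers validated with the Luhn check so that ordinary 13- to 16-digit order numbers are not flagged, and U.S. SSNs), a policy table that is a plain dict and can be edited at runtime, and an override path that records the user's justification in an audit entry instead of silently blocking or silently allowing. The message text and the policy are constructed.

```python
"""Minimal DLP policy engine: detectors, hot-swappable rules, audited user override.
Added example of my own, not Verdasys code; the message and policy are constructed."""
import re
from typing import Dict, List, Optional


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Data class -> (pattern, validator applied to the raw match)
DETECTORS = {
    "credit_card": (re.compile(r"\b(?:\d[ -]?){13,16}\b"),
                    lambda m: luhn_ok(re.sub(r"\D", "", m))),
    "us_ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
               lambda m: not m.startswith(("000", "666", "9"))),
}

SEVERITY = {"allow": 0, "warn": 1, "block": 2}


def classify(text: str) -> Dict[str, List[str]]:
    """Return only the classes that actually fire, with the validated matches."""
    found = {}
    for cls, (pattern, valid) in DETECTORS.items():
        hits = [m.group(0) for m in pattern.finditer(text) if valid(m.group(0))]
        if hits:
            found[cls] = hits
    return found


def evaluate(policy: Dict[str, dict], text: str, override_reason: Optional[str] = None) -> dict:
    """Apply the most severe rule among the classes found. A user may pre-empt a warn/block
    only if every matched class is marked overridable; the reason goes into the audit record."""
    findings = classify(text)
    action, overridable = "allow", True
    for cls in findings:
        rule = policy.get(cls, {"action": "allow", "overridable": True})
        if SEVERITY[rule["action"]] > SEVERITY[action]:
            action = rule["action"]
        overridable = overridable and rule["overridable"]
    audit = {"findings": findings, "policy_action": action, "override": None}
    if action != "allow" and override_reason and overridable:
        audit["override"] = override_reason
        action = "allow"
    audit["final_action"] = action
    return audit


# Constructed policy; being a plain dict it can be edited at runtime (Geer's "modified quickly").
POLICY = {
    "credit_card": {"action": "block", "overridable": False},
    "us_ssn": {"action": "warn", "overridable": True},
}
# Constructed outbound message: one valid-looking card number, one 13-digit order number
# that fails Luhn, and an SSN.
MESSAGE = ("Refund for order 1234567890123: card 4111 1111 1111 1111, "
           "customer SSN 123-45-6789 on file.")

if __name__ == "__main__":
    print(evaluate(POLICY, MESSAGE)["final_action"])                 # block
    print(evaluate(POLICY, MESSAGE, "ticket 4242")["final_action"])  # block: card class not overridable
    POLICY["credit_card"]["overridable"] = True                      # rule changed on the fly
    print(evaluate(POLICY, MESSAGE, "ticket 4242")["final_action"])  # allow, with the reason audited
```

The two design points worth copying are the validator behind each regex (a bare digit pattern is where most DLP false positives come from) and the fact that an override never erases the finding: the audit record still shows what was found and who chose to let it through.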
In his book, Geer explores all sorts of technologies and scenarios for how data can be exposed and how it may be defended. Far from saying that the data security issue is hopeless, he maintains that we as a society must be willing to let as much information as possible flow freely, while targeting the specific types of data that need to be put under very tight, and sometimes limiting, controls.
In offering a summation that he concedes is neither "pleasant nor fashionable" in many ways, Geer again appears to be banking on his pragmatist sensibilities as both an academic and a practitioner.
"We are kidding ourselves if we think that the attractive benefits of the digital lifestyle, whether for persons or companies, don't come with a price in the form of data control," he writes in the final pages. "As bits replace atoms as the chief constituent of modern life, what those bits represent, data, becomes what we have, what we have to control, and how it is that we achieve that control."
Like any good scientist, the expert continues to pose as many questions as he attempts to answer. Geer will be speaking on data security next week here in town at the Source Boston 2008 conference.
See you there.
Posted by Matt Hines on March 4, 2008 12:29 PM
March 03, 2008 | Comments: (0)
Start-up wins NSF grant, pitches new AV
NovaShield, a new anti-virus startup that is pitching its own brand of behavioral analysis as a stronger salve against cutting-edge malware attacks, has won a significant grant from the National Science Foundation.
The Madison, Wisconsin-based company -- which was cooked up in the labs of the University of Wisconsin by Dr. Somesh Jha, an associate professor at the school and the company's co-founder and chief scientist -- won out over other competitors for a Small Business Innovation Research (SBIR) grant from the NSF.
The Phase II grant arms the nine-person company with $500,000 in additional funding, adding to the $150,000 Phase I SBIR grant awarded to NovaShield in January 2007 by NSF. According to the firm's marketing, fewer than five percent of applicants are awarded the Phase II SBIR grant each year, and NovaShield won out for its unique approach to malware detection.
Company officials said that the influx of funding will help NovaShield create a commercial product positioned for sale to consumers sometime before the end of the first half of 2008. Once that product is finished, the firm may begin work on a version of its technology aimed specifically at business users if it appears there is a market for such a product, company officials said.
NovaShield's technology -- which the company claims outdoes existing AV programs at finding and blocking more intelligent types of malware, including bots, Trojans, keyloggers and rootkits -- is based on a technique it calls "specification-based monitoring," developed at UW.
The tools claim to "extend" behavior-based malware detection by using "policy specification."
"Specification-based monitoring leverages a tiered architecture to simplify the malware identification process by a factor of ten while maintaining a better rate of detection and fewer false positives than current commercially available anomaly-based approaches to behavior-based detection," the company claims in its literature.
In an interview, Jha told me that the key to the NovaShield technology's higher efficacy in identifying attacks is its ability to examine the behavior playing out between application processes and the operating system. (The first version of the product will be aimed at Windows users, of course.)
By looking at an application's behavior in real time, and at the events it generates for the OS at the kernel layer, the technology can examine certain sequences and identify anything unusual, he said.
"The actual interface between a program and the Windows OS is very noisy; you may open a file and see a lot of things that correspond with events at a Windows level and miss attacks because of this," said Jha. "We have a reverse mapping layer that recreates high-level semantics of this activity, such as why the registry was altered; we look only at high-level events; that allows us to defeat the detection rates of other products using very few policies, usually less than a dozen."
Many other behavioral monitoring technologies fail at similar efforts because they take too many policies to work and then create too many false positives as a result, the inventor maintains.
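To show what "reverse mapping" low-level activity into high-level semantics and then matching a handful of policies looks like in practice, here is an added example of my own; it is not NovaShield's code, and the company's actual specifications and mapping rules are not on the page. The low-level trace is constructed in the style of Windows native calls with made-up PIDs, paths and a documentation-range address; lift() collapses the noisy calls into three semantic events and drops everything else; each specification is an ordered sequence of those events that must occur within one process. A process that only registers an autorun entry (as an installer legitimately might) matches nothing, which is the point of matching sequences rather than single events.

```python
"""Specification-based monitoring sketch: lift noisy low-level calls to a few high-level
events, then match short ordered specifications per process. Added example, not NovaShield
code; trace, mapping rules and specifications are constructed."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class LowEvent(NamedTuple):
    pid: int
    call: str      # native call name, in the style of the Windows NT API
    target: str    # path, key or endpoint the call operated on


# Constructed trace with made-up PIDs, paths and endpoint (documentation address range).
RAW_TRACE = [
    LowEvent(100, "NtCreateFile", r"C:\Users\alice\Documents\report.docx"),
    LowEvent(100, "NtWriteFile", r"C:\Users\alice\Documents\report.docx"),
    LowEvent(200, "NtCreateFile", r"C:\Windows\System32\svchost32.exe"),
    LowEvent(200, "NtWriteFile", r"C:\Windows\System32\svchost32.exe"),
    LowEvent(200, "NtSetValueKey", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svc32"),
    LowEvent(200, "NtDeviceIoControlFile", "tcp:203.0.113.5:6667"),
    LowEvent(300, "NtSetValueKey", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
]


def lift(ev: LowEvent) -> Optional[str]:
    """Reverse mapping: answer 'what did this call mean?' and discard the rest as noise."""
    t = ev.target.lower()
    if ev.call == "NtWriteFile" and t.startswith("c:\\windows\\") and t.endswith((".exe", ".dll")):
        return "drop_executable"
    if ev.call == "NtSetValueKey" and "\\currentversion\\run\\" in t:
        return "register_autorun"
    if ev.call == "NtDeviceIoControlFile" and t.startswith("tcp:"):
        return "outbound_connect"
    return None


def lift_trace(trace: List[LowEvent]) -> Dict[int, List[str]]:
    """PID -> ordered high-level events; processes with no semantic events disappear."""
    per_pid: Dict[int, List[str]] = defaultdict(list)
    for ev in trace:
        high = lift(ev)
        if high is not None:
            per_pid[ev.pid].append(high)
    return dict(per_pid)


# Each specification: an ordered sequence of high-level events within one process.
SPECS: Dict[str, Tuple[str, ...]] = {
    "dropper_persists": ("drop_executable", "register_autorun"),
    "persistent_beacon": ("register_autorun", "outbound_connect"),
}


def is_subsequence(spec: Tuple[str, ...], events: List[str]) -> bool:
    """True if the spec's events appear in order (not necessarily adjacent) in the stream."""
    it = iter(events)
    return all(any(e == s for e in it) for s in spec)


def evaluate(trace: List[LowEvent], specs=SPECS) -> Dict[int, List[str]]:
    """PID -> names of the specifications its high-level event sequence satisfies."""
    return {pid: [name for name, spec in specs.items() if is_subsequence(spec, evs)]
            for pid, evs in lift_trace(trace).items()}


if __name__ == "__main__":
    print(lift_trace(RAW_TRACE))   # {200: [...], 300: ['register_autorun']}
    print(evaluate(RAW_TRACE))     # {200: ['dropper_persists', 'persistent_beacon'], 300: []}
```

Note where the false-positive control sits: the document-editing process (PID 100) never produces a semantic event and is never examined by a policy at all, and the lone autorun registration (PID 300) is retained as context but trips nothing on its own. The real engineering cost in such a system is in the mapping layer, not in the dozen or so specifications.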
However, along with its technology, users will also want to continue to use traditional signature-based AV to catch anything that doesn't fall into its range of coverage, Jha said.
NovaShield leaders understand that the road is long for security companies that attempt to tackle one aspect of AV on their own, but they point to the continued success of anti-spyware specialist Webroot as proof that they can survive on high-end anti-malware alone (in terms of going after the truly gnarly stuff).
Of course, maybe they'll just get bought out by Symantec someday.
In the meantime, NovaShield has impressed at least one academic beyond the NSF grant givers.
John Mitchell, a professor of computer science at Stanford University and co-director of the Stanford Computer Security Lab, who has also signed on to NovaShield's board of technical advisors, endorsed the technology in a quote offered in the company's grant announcement:
"Current technologies are slow to adapt, making it hard to catch newer threats and malware variants," he said. "NovaShield's advanced and powerful specification framework, and the founding team's experience with developing efficient algorithms for building effective specifications give the company a competitive advantage at a time when computer users need first-rate protection."
Posted by Matt Hines on March 3, 2008 10:01 AM