Security Watch | Matt Hines » TAG: Security

April 10, 2008 | Comments: (0)

Taking down teen hackers

While the problem of teen hacking remains a serious concern -- as highlighted in this previous post on the topic -- infiltrating the networks of kids involved in such activity, taking down their malware distribution Web sites, and convincing them to get out of the cyber-criminal game can be relatively easy, according to FaceTime Labs researcher Chris Boyd, better known in online circles under his Paper Ghost screen name.

The emergence of aspiring hackers among the so-called Echo Generation set continues to move forward, the expert said in his presentation at the RSA Conference 2008 on Thursday.

Growing numbers of teens as young as 12 or 13 years old are becoming actively involved in phishing, online credential theft and nefarious adware distribution, according to Boyd, who is one of the only experts on the planet currently looking into the trend.

However, with a little low-tech research and some relatively harmless scare tactics, many of the teen hackers can be driven to stop their illegal behavior, and in some cases even begin helping to prevent other kids from engaging in e-crime activity, the expert maintains.

The Echo hackers typically get started in the underground world by utilizing and distributing malware programs that can be used to steal account credentials tied to online role playing games such as World of Warcraft, said Boyd.

However, many of the teen attackers then move quickly into far more serious activity, such as stealing credentials for social networking sites including MySpace to flood the electronic message boards with inappropriate content, and creating revenue-generating phishing schemes built around legitimate brands such as PayPal, he said.

One of the reasons why teen hackers are easier to stop than their older, professional counterparts is that most of the kids appear to desire some level of fame and popularity tied to their cyber-crime exploits. This lust for recognition often leads to the teens leaving clues to their real world identities throughout their work, making it far easier to track the individuals down, according to Boyd.

In many cases the Echo hackers become involved in groups of like-minded teens to share information about the programs they use and the attacks they've carried out on underground forum sites.

By tracing the details in those forums to their users' MySpace accounts, YouTube videos and other online resources where the individuals may share additional details about their real-world identities, researchers and law enforcement officials can often gather the hackers' real names, geographical locations and the types of crimes they may have committed, simply by using search engines and some straightforward investigative online footwork, the expert maintains.

"There's typically a paper trail of some kind that allows you to track them down in less than ten minutes; and many of them can be dispensed with to the extent that you know that they're not coming back online to do this sort of thing again anytime soon," said Boyd. "There's a lot of information on these sites such that it only takes a little bit of investigation and you can gather a lot of details about these bad guys."

Unfortunately, even when researchers like Boyd can find Echo hackers who are wreaking serious havoc online, getting ISPs and law enforcement officials to intervene, or even pick up the phone and tell them to stop, is often impossible, he said.

As such, Boyd has begun scaring some of the teens offline himself by showing them just how easily he can piece together their real IDs, and provide evidence of the types of crimes they've been committing.

Oftentimes, once the perpetrators realize how easily their work can be traced to their real identities, they apologize for their malicious activities and bail, he said.

In one case, the researcher notified a teen hacker's mother of her son's exploits, and secretly invited her into an IM chat where her son admitted all the details of the schemes that he had been carrying out online. When the mother identified herself at the end of the chat, it was clear that the teen deeply regretted his actions, said the researcher.

In another instance, Boyd threatened to post an embarrassing and decidedly un-hip YouTube video he discovered of an identified Echo hacker onto the underground message boards that the script kiddie frequented, causing the individual to promise to stop his work as long as the clip never made it onto those pages.

One of the most effective techniques that the researcher has isolated for thwarting the teen hackers is identifying the ring leaders of their online forums, taking those hackers to task, then watching the network of sites and followers they are connected to fall apart rapidly.

"Taking out a forum leader and their sites can have a cataclysmic effect, with their followers and the networks of malware sites falling apart quickly thereafter, oftentimes after the other kids involved begin infighting," said Boyd. "The cumulative effect can be huge; sometimes when you take down the main sites repeatedly, you can quickly whittle the users they have down from thousands, to hundreds of users, and then slowly kill it altogether over time. You really can learn a lot of things just by chasing these kids around."

Posted by Matt Hines on April 10, 2008 06:32 PM



April 08, 2008 | Comments: (0)

Crimeware-as-a-service taking off

Online malware threats have taken the next step in their evolution from piecemeal creations to commercialized products, with security researchers charting the arrival of a growing number of hosted data theft services.

In recent years, the level of expertise needed to create highly-targeted threats has dropped dramatically as the marketing of so-called malware toolkits has made it possible for less technical schemers to build and launch attacks using commercialized exploit authoring tools.

Some of the more mature iterations of the toolkits have even offered ongoing automated product updates and customer support capabilities, allowing data thieves to successfully ply their trade with less coding skill necessary than ever before.

However, with the emergence of a newer, hosted "crimeware-as-a-service" model, aspiring cyber-criminals need only an idea of whom they would like to target, or what type of data they seek to steal, as an additional layer of automation has arrived.

Researchers with security appliance maker Finjan said that they have observed a series of the hosted crimeware services being advertised on underground message boards and black hat hacker chat rooms since the beginning of 2008.

Having infiltrated several of the operations, it has become clear that the services have matured quickly in the last four months alone, said Yuval Ben-Itzhak, chief technology officer of Israel-based Finjan.

Customers of the services are able to select a particular type of data they would like to acquire, then merely sit back and wait for the stolen information to pile up, he said.

"Basically we're talking about services where at the click of a button, everything is being done for you, it's taking the toolkit model and turning it into a full-blown hosted service," he said. "You don't need to know how to compromise the server, what type of Trojan to use, or even where the server is; you simply select what type of data you want to get, pay the fee, and then wait for your data to arrive in several days."

Delivered in a manner similar to software-as-a-service (SaaS) business applications popularized by companies like Salesforce.com, the hosted data theft services allow anyone with an Internet connection and an access code to utilize their capabilities, according to the expert.

The services are priced based on the type of content a user desires to steal, and how much of it, said Ben-Itzhak, with stolen credit card account details priced at anywhere from $5-$60.

The information being targeted and served up over the services isn't limited to such widely sought-after consumer data, however; the sites are also being used to steal specific types of intellectual property, including engineering drawings and product plans. And much of that data is being taken from large, well-known businesses, according to the expert.

Finjan reports that of the services it has been able to infiltrate thus far, a vast majority of the personal credit account data being transmitted to users has still been valid, with one of the sites promising the ability to create replicas of the original stolen cards for an additional fee.

Traffic on the data theft services that the company has observed has been high, with thousands of users per week in some cases. The physical locations of the servers being used to host the services have been distributed throughout locales including China, Eastern Europe, Malaysia and Russia, with users logging on from around the globe, Finjan reported.

"This is emblematic of the continued commercialization of cyber-crime, it has rapidly gone from finding and hacking exploits, to making toolkits to sell to other hackers, to full services for non-technical users," said Ben-Itzhak. "As long as the people behind this are making a lot of money, they can afford to hire top developers, just like the security companies, and the attacks will only accelerate."

Finjan is predicting that the next evolutionary step in the malware distribution community will be similar hosted services that offer users the ability to target specific companies and even specific computers or individuals within those organizations.

One of the most interesting aspects of the hosted data theft service model is that it combines a number of skills that are typically thought to exist among disparate groups of attackers -- including vulnerability research, exploit creation, threat delivery and the actual data theft.

"It's a consolidation of the malware model with the service as the front end, showing their shop and combining the skills of a group of different people to run a business and collect money -- versus trying to do it separately," said Ben-Itzhak. "It's absolutely a business model, one that is moving forward and improving all the time, and one clearly being driven forward by a lot of competition."

Posted by Matt Hines on April 8, 2008 08:33 AM



April 04, 2008 | Comments: (0)

Innovation, regulation and research on tap at RSA 2008

The IT security industry is again preparing for its biggest show of the year, as the RSA 2008 conference is set to go off Tuesday-Friday next week at the Moscone Center in San Francisco.

Roughly 14 months after the last iteration of the show -- which was previously held in mid-February -- conference organizers are putting the finishing touches on a program that will include the traditional mix of security researchers, technology vendors and government lawmakers, but much less focus on infrastructure defense.

Crafted around a theme that aims to recall the boundless curiosity of computer science and cryptography genius Alan Turing, show planners said that they will welcome a record 17,000-plus registered attendees, along with 350 individual technology providers who have reserved demonstration space on the conference floors.

With speakers ranging from little-known researchers to industry leaders including Symantec CEO John Thompson, in addition to a noticeable government presence in the form of Homeland Security Secretary Michael Chertoff and former U.S. Vice President Al Gore, the scheduled events run the full gamut of topics considered most relevant to the IT security and regulatory compliance sectors today.

As a colleague of mine who printed out the online program before realizing its 30-page length remarked to me yesterday, this is not a show that lacks for content.

In addition to the parties already named, executives from RSA parent EMC, IBM, Microsoft, Oracle and a number of other vendors, large and small, will speak, along with representatives from law enforcement, nonprofits including the Center for Democracy and Technology, academics hailing from schools such as UPenn, and generally interesting people like "Tipping Point" author Malcolm Gladwell.

Timely sessions will include discussions on IT security issues surrounding the Olympics, the 2008 presidential election, and questions around warrantless wiretapping -- giving the show a tangible government flavor, especially considering the presence of Messrs. Chertoff and Gore.

More light-hearted goings-on will include a daily "Security Smackdown" competition, which will include simulated Web site vulnerability testing and opportunities for audience members to win prizes by demonstrating their ability to either diagnose or solve the presented problems.

One of the major efforts behind planning RSA 2008 was an attempt to make the show more relevant to security researchers, said Tim Mather, chief security strategist for the conference.

A new "Research Revealed" track will take specific aim at drawing more of the experts to the confab than in years past, perhaps in a nod to the growing popularity of the annual Black Hat Conference in Las Vegas.

RSA has traditionally drawn more of a business crowd, but typically also features some bleeding-edge research. On the flip side, the summertime Black Hat show, initially the domain of researchers, has been attracting more of a business crowd in recent years.

"The program is designed to help highlight the incredible work researchers are doing, it's not as much focused on attacks and vulnerabilities as they exist in specific instances, and we also have technical presentations on the Storm botnet and how it works, the protocols it uses and the encryption, but in this case the [new track] is looking more at classes of vulnerabilities," Mather said.

Some of the conference may be aimed at politically-charged topics like e-voting, the election and wiretapping, but the show isn't taking sides, even around the most controversial issues, the organizer said.

"There are discussions about security from a law standpoint, and compliance, and e-discovery and electronic evidence -- people are just trying to figure out what all that means," he said. "With wiretapping, we're not looking to bash President Bush, the law is several decades old and there have been significant changes in technology; the issue is whether or not the existing laws can handle those technological changes, or whether we need to move to a new framework."

All of the hot topic areas where security is being eyed closely in terms of its relation to emerging technologies will be covered -- virtualization, Web 2.0, social networking, VoIP, SOA, mobility -- the full boat.

Another broad topic of the show will be information assurance, in all its forms, including applications security, data loss prevention, and data classification.

Mather and RSA Conference vice president Sandra Toms LaPedis said that the planning committee has spent more time vetting presentations, reviewing technical programs to ensure high levels of rigor, and generally making things more exciting than in any year past.

It should be fun to see what they've come up with. See you there.

Posted by Matt Hines on April 4, 2008 08:36 PM



April 02, 2008 | Comments: (0)

Researchers uncover 100 VoIP vulnerabilities

We've been hearing for years that widely-used VoIP systems may hold large numbers of exploitable vulnerabilities, but a new report isolates over 100 specific flaws that researchers have found in the applications.

According to VoIPshield Labs -- the research division of VoIPshield, which markets security software for use in protecting Internet calling tools -- the issues unearthed in some of the most popular VoIP software packages, made by companies including Avaya, Cisco and Nortel, represent proof that such technologies require far more scrutiny by security experts and business users.

Among the flaws listed in the firm's new database of VoIP security threats are those that could be used for unauthorized access, code execution, denial of service or information harvesting attacks.

All of the vulnerabilities have already been disclosed to the affected vendors, but while a handful have already been patched, in most cases the VoIP applications providers are still working to fix the issues, according to the report.

At first glance, Cisco accounted for the largest number of the vulnerabilities, with many of the issues -- across all three vendors -- rated as either "high" or "critical" in severity.

The key is getting ahead of the malware community on addressing the problem, VoIPshield officials claim.

"It's important that companies understand the security risks associated with their VoIP systems," Rick Dalmazzi, CEO of VoIPshield, said in a report summary. "Now is the time to start planning a protection strategy, while the hacking community is still learning about VoIP, not after the attacks begin."

The researchers cited another report recently published by In-Stat that concluded that while roughly 80 percent of all U.S. companies said they have already installed some form of VoIP, only 60 percent are doing anything to secure the tools.

Most VoIP attacks highlighted by the security research community thus far have had relatively limited scope, appearing in proof-of-concept state or being used much like traditional e-mail attacks to harvest end users' lists of contacts.

However, more advanced attacks, such as those that could be used to intercept users' conversations or drill through the applications into other areas of IT infrastructure, are coming, and companies must prepare themselves, analysts said.

"The limited number of high-profile attacks against IP telephony has lulled most chief information security officers and voice/data managers into a false sense of security, with the result that most do not have adequate protection for their converged networks," Lawrence Orans, analyst at Gartner, said in the VoIPshield report.

"As IP telephony continues to gain momentum, targeted attacks -- and possibly broad-based attacks -- will surface and gain greater visibility, highlighting vulnerabilities and the overall lack of focus on IP telephony security," Orans said.

Posted by Matt Hines on April 2, 2008 08:31 AM



March 31, 2008 | Comments: (0)

Badware not pushing users offline

Malware, spam and a litany of social engineering schemes may haunt nearly every corner of the Web, but that's not stopping most Americans from feeling confident in their ability to do business on the Internet safely, according to a new paper published by StopBadware.org.

The Harvard Law School anti-malware project points out this "security paradox" in its latest report, released just a day before one of its lead researchers is slated to testify before federal regulators on the growing complexity and financial impact of online threats.

Maxim Weinstein, who manages the StopBadware.org team at Harvard Law School's Berkman Center for Internet & Society, will speak on the continued evolution of phishing -- which Consumer Reports estimates to have accounted for $2.1 billion in related fraud in the last year alone -- before the Federal Trade Commission in Washington on Tuesday.

The new poll, conducted for StopBadware by Zogby International, finds that 88 percent of the Americans interviewed in the study feel secure when using the Web, and that some 84 percent of respondents believe that they have sufficient resources on hand to make informed decisions about protecting their privacy and security online.

In an interesting demographic twist, younger Americans appear to view the Web as even more secure than their older peers -- sort of like driving a car, and you wonder if a lack of experience plays a similar role as it does with youthful drivers -- with nearly 50 percent of survey respondents under age 30 indicating in the study that they feel "very safe" online.

Only 25 percent of those respondents 65 and older replied the same way -- although to be fair one could similarly guess that older folks are just far more careful than their younger counterparts in general. I myself have older relatives who appear to believe that the Internet was designed by the devil himself for the sake of spreading pornography and enabling widespread terrorism.

StopBadware leaders said that the rift is likely emblematic of the fact that younger users have grown accustomed to having the Web in their lives starting at an earlier age.

"Young people who have grown up in a digital society treat the Internet as part of their world, not as a separate entity with different rules from the physical world," John Palfrey, executive director of the Berkman Center said. "To digital natives, asking if they feel safe online is akin to asking if they feel safe in their own community."

The apparent Internet security paradox appears to transcend most issues of geography, age, politics, and gender, however, based on the replies of the 6,678 Americans Zogby polled in February 2008, as most expressed some level of confidence in their online safety.

Perhaps even more disconcerting than the notion that people seem to feel secure on the Web is the fact that few are taking the needed steps to best protect themselves -- at least according to other research reports.

In making its point, StopBadware highlighted the fact that only 24 percent of those people participating in a recent report published by AV vendor McAfee and the National Cyber Security Alliance employ a firewall and update their anti-virus and anti-spyware systems on a regular basis.

Citing other research totals that indicate that more Americans than ever are going online -- such as the Pew Internet Project's most recent estimate that 70 percent of U.S. citizens are Internet users, up from just 15 percent in 1995 -- StopBadware predicts things are only going to get worse in terms of overall financial losses.

Sixty percent of those people responding to the Pew study said they remain unworried about how much of their personal information resides on the Web, with 61 percent of the adults interviewed for that report indicating that they do not feel compelled to control their digital image to protect themselves from attack.

Until drastic measures are taken and more Americans wake up to the problem of online threats, it appears that online security threats will only intensify, said StopBadware's Weinstein.

"Americans see themselves as safe online, even as we see an ongoing trend of organized criminal elements using the Internet to target unsuspecting users," he said.

Posted by Matt Hines on March 31, 2008 09:15 AM



March 28, 2008 | Comments: (0)

Web attacks won't stop

Web-borne malware attacks will continue to flourish in 2008, according to the latest research report filed by scanning and acceleration specialists Blue Coat.

Based on the company's top ten security trends report covering the remaining calendar year, SQL and iframe injection exploits, along with a multitude of other attacks, will continue to spread over the Internet, with a large number of the infections being delivered via compromised Web sites.

Many of the threats will also be planted using drive-by techniques that won't require end user interaction beyond the initial visit to an infected URL, Blue Coat reports. Even popular sites are becoming well-traveled avenues for malware delivery.

"Because these are well-known, reputable sites -- some of the most trusted names in online news and commerce -- URL-filtering and reputation tools won't block users from visiting them," the report summarizes.

Web sites will remain painfully vulnerable to such attacks until developers become more successful in their attempts to secure their work, especially when working with emerging technologies such as Adobe Flex and Microsoft Silverlight, the experts maintain.

Another hot trend in 2008 will be the use of downloadable software widgets, even some of those developed by major vendors including Microsoft and Yahoo, Blue Coat's researchers contend.

"Even hailing from such leading developers as Microsoft and Yahoo, widgets have been found to have insufficient security features, leaving them vulnerable to infection. Because widgets often have access to the host operating system, they pose major risks to users," the paper asserts.

Online videos and social networking sites are also expected to attract a great deal of malware activity in 2008.

In the physical world, laptop computers containing valuable corporate data will continue to make attractive targets for thieves, with Blue Coat estimating the worth of a machine holding records for 10,000 employees as high as $140,000 on the black market.

On the topic of devices, the company cited a 2007 incident in which digital picture frames were found to contain an onboard Trojan as emblematic of more attacks to come. Along with picture frames, the report names USB memory sticks as another probable method by which such threats will arrive.

In terms of defense, the company said that more businesses will distance themselves from the use of social security-type identifiers in order to help lower the risk of identity theft. However, Blue Coat also points to lingering problems with network security, gateway appliance throughput challenges in particular, as a continuing issue.

"A dirty little secret of the IT security industry is that most Web security gateway products are architecturally incapable of scaling to meet enterprise needs. Enterprises will continue to find themselves short-changed by products that promise comprehensive network protection but don’t deliver on performance," the company said.

Posted by Matt Hines on March 28, 2008 09:31 AM



March 24, 2008 | Comments: (0)

Most sites still hack-able

The latest research report out of Web applications security specialist WhiteHat finds that most sites are still woefully vulnerable to hacker attacks.

Just as in its previous research, WhiteHat estimates that some 90 percent of all pages are hack-able, the same figure that it has attached to several previous reports.

The message? Things aren't getting much better out there!

Over the two years that WhiteHat has been issuing its paper, the company has reported that the volume and variety of Web site attacks have in fact only continued to rise, with Cross-Site Request Forgery (CSRF) tabbed as the next big thing by the experts this go-round.

According to the company, nine out of ten sites still have serious vulnerabilities with an average of seven vulnerabilities per site.

The leading forms of exploit that WhiteHat is observing on the Net haven't budged much in recent months either, with classic techniques including SQL injection, buffer overflows and cross-site scripting (XSS) leading the way. However, the company is predicting that CSRF threats will soon begin to multiply.

Cross-Site Request Forgery (CSRF), as defined by OWASP, is an attack that attempts to fool end users into loading a Web page that contains a malicious request, much like traditional phishing attacks or XSS threats.

Using the technique, hackers then try to misappropriate victims' identities and privileges to carry out activities such as changing their application passwords to gain entrance to banking sites, or logging into e-commerce sites to make fraudulent purchases in their names. In some cases, the attacks are hidden on the vulnerable sites themselves.

CSRF attacks are also known by a number of other names, including XSRF, Sea Surf, Session Riding, Cross-Site Reference Forgery, and Hostile Linking.

WhiteHat researchers said that attackers using CSRF exploits can "easily" manipulate today's Web browsers to send unintended HTTP requests such as fraudulent wire transfers, change passwords and download illegal content.

And based on its research, the company said that CSRF attacks will eventually move into the number two spot behind XSS exploits in terms of their frequency among the leading site hacking techniques.
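The CSRF mechanics described above come down to one fact: the browser attaches the victim's session cookie to any request a hostile page makes it send, so the server cannot tell a forged password change from a real one by the cookie alone. The following is an added illustration of the standard server-side defense, the synchronizer token pattern, and is not code from WhiteHat, OWASP or the report; the request and session dictionaries, the `/change_password` handler and the `enforce_csrf` switch are all assumptions made for the example, standing in for whatever web framework a real site uses.

```python
"""
Synchronizer-token check for state-changing requests (added example;
not from the original post or from WhiteHat/OWASP).

Assumptions made for the example: a request is a plain dict with
'session_id', 'method' and 'form' keys, and sessions live in an
in-memory dict. A real application would get both from its framework.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Server-side session store: session_id -> {"user": ..., "csrf_token": ...}
SESSIONS: Dict[str, dict] = {}

STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def new_session(user: str) -> str:
    """Create a session and mint an unguessable per-session CSRF token."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {
        "user": user,
        "csrf_token": secrets.token_urlsafe(32),
    }
    return session_id


def render_password_form(session_id: str) -> str:
    """Embed the session's token in the form the site itself serves.
    A page on another origin cannot read this value (same-origin policy),
    so a request it causes the browser to send will lack the token."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="POST" action="/change_password">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="password" name="new_password">'
        '<button>Change</button></form>'
    )


def csrf_token_is_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the session's."""
    session = SESSIONS.get(session_id)
    if session is None or not submitted:
        return False
    return hmac.compare_digest(session["csrf_token"], submitted)


def handle_change_password(request: dict, enforce_csrf: bool = True) -> Tuple[int, str]:
    """Hypothetical handler for /change_password.

    enforce_csrf=False models the vulnerable behaviour the report warns
    about: any request carrying the victim's session is honoured, even one
    a hostile page made the browser send. enforce_csrf=True is the fix.
    """
    session_id = request.get("session_id")
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    if request.get("method") not in STATE_CHANGING_METHODS:
        return 405, "method not allowed"
    form = request.get("form", {})
    if enforce_csrf and not csrf_token_is_valid(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    session["password"] = form.get("new_password", "")
    return 200, f"password changed for {session['user']}"


def demo() -> Dict[str, int]:
    """Run three constructed cases and return their HTTP status codes."""
    sid = new_session("alice")
    token = SESSIONS[sid]["csrf_token"]

    # Legitimate submission from the site's own form: carries the token.
    legit = {"session_id": sid, "method": "POST",
             "form": {"csrf_token": token, "new_password": "correct-horse"}}

    # Constructed forged request: the session is attached automatically by
    # the browser, but the cross-site page never saw the token.
    forged = {"session_id": sid, "method": "POST",
              "form": {"new_password": "attacker-chosen"}}

    return {
        "legit": handle_change_password(legit)[0],
        "forged_unprotected": handle_change_password(forged, enforce_csrf=False)[0],
        "forged_protected": handle_change_password(forged)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The unprotected handler accepts the forged request with a 200 exactly as it accepts the real one, which is the whole problem the report describes; with the token check on, the same forged request gets a 403 while the legitimate form still succeeds. The token is compared with `hmac.compare_digest` rather than `==` so that a wrong guess cannot be refined through timing, and it is bound to the session rather than global, so one user's token is useless against another's account.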

The report also tracks site vulnerabilities present on the URLs of companies in specific vertical markets. In those results, the retail sector is performing better than other segments in terms of protecting its sites from attack, according to the study.

Other vertical markets not faring as well included insurance, which headed the list with 84 percent of sites having vulnerabilities that fall into the urgent, critical or high severity status, followed by IT companies at 72 percent, healthcare at 64 percent, and financial services at 60 percent.

However, WhiteHat researchers point out that while the security standing of some industries is better than others, the difference is "largely insignificant" when it comes to stopping a site from becoming exploited, as attackers only need a single vulnerability to get their hooks in.

In addition to malicious attacks, many companies' lack of site security will also open them up to potential compliance violations, the experts said.

"With the amount of transactions and activities conducted online and upcoming compliance deadlines such as PCI DSS 6.6, organizations need to be more proactive than ever in protecting sensitive data," Jeremiah Grossman, founder and chief technology officer at WhiteHat, said in a report summary.

WhiteHat will be hosting a webinar to reveal more of the report findings on Wednesday, March 26, 2008 at 11:00 a.m. PT / 2:00 p.m. ET.

Posted by Matt Hines on March 24, 2008 04:11 PM



March 21, 2008 | Comments: (0)

Tips on employee monitoring

Employee monitoring has become an increasingly necessary evil for most organizations as a wide range of factors push companies to expand both their physical and IT surveillance systems.

From greater varieties of compliance regulations, to widespread electronic data theft -- including corporate espionage and other so-called insider threats -- there's a growing list of reasons to keep everything from DLP systems to closed-circuit TV cameras trained on larger numbers of workers.

That said, it's clear that there are rules of engagement that can be followed to protect companies from security incidents while also shielding employees from unnecessary spying. Carefully considering all the involved parameters can also lower the potential for lawsuits if surveillance efforts breach established personal or regional privacy thresholds.

At the CSO Perspectives Conference in Atlanta this week, Dave Morrow, chief security and privacy officer at EDS, the giant consulting and systems integration firm, took the stage to share his thoughts on how to do employee monitoring right.

Along with specific recommendations, Morrow also highlighted some emerging business, technological and ethical questions that companies will need to tackle as they further architect their surveillance strategies.

What follows are some highlights of Morrow's speech to the assembled audience of CSOs:

-Here's why you should do IT monitoring:

"The main reason to do it is for liability purposes; when you go to a parking garage you expect surveillance cameras, it's almost considered due diligence at this point, and new case law shows a developing body of thought that IT monitoring will be an issue of due diligence in the future," Morrow said.

-Keep regional sensibilities in mind:

"We already have a certain level of questioning in our society, and it depends on where you are as to what's considered acceptable surveillance," said Morrow. "In [parts of the U.S.], we're fighting over stop light cameras, whereas in the U.K. there is an acceptance that you're already on TV everywhere; how you do it depends on acceptance of [the concept of] private information; that involves what you think that is and dealing with different sensibilities worldwide."

-Pitching data leak prevention:

"Anti-virus is really DLP in reverse, but if you have a project and don't explain it well to your executives you will be in for a world of hurt, because people will think big brother is coming," he said. "And you need to present it in a context where you frame your argument as a business process, of how DLP makes process more effective as opposed to framing it under security; that makes your argument a lot more palatable."

-More regulations to come:

"Everyone knows about data notification laws, and there are a growing number of regional privacy directives," said Morrow. "We expect this to continue to expand in the EU, where they are already talking about standardized breach notifications; and I think we'll see them in APAC as well."

-Tying physical access to IT access:

"To IT, this idea makes all kinds of sense, but a lot of people will have a hard time with the idea of big brother, cameras, and being able to be tracked," Morrow said. "We have a policy not to track [access details] for attendance or HR issues; technically it's easy to do, but you have to ask if it is the right thing to do; the other question is how far is too far."

-How and what to tell employees about monitoring:

"Coupled with an aggressive security education program, talk about why it is so critical not to have any kind of breach," the CSO said. "Explain it in context of business problems; tell people what you are doing and why; [monitoring] is not just something you jump into, you have to intertwine it with an education process, and business needs."

-General advice:

"Surveillance is in the eye of the beholder, you have to think about re-framing the argument from surveillance to monitoring," said Morrow. "Often times we're our own worst enemies for not thinking of interesting ways to communicate to business leaders."

Posted by Matt Hines on March 21, 2008 09:47 AM



March 17, 2008 | Comments: (0)

Research: IT security maturing, but misaligned

Many organizations are doing a better job of creating and managing their IT security programs, but survey results highlight a continued disconnect between security shops and the line-of-business teams they support -- according to a new research report published by PriceWaterhouseCoopers and several IDG magazines, and detailed at the ongoing CSO Perspectives Conference in Atlanta.

Based on the results of the 5th annual Global State of Information Security report, produced by PWC and InfoWorld sister publications CSO magazine and CIO magazine, most of the 7200 organizations surveyed for the research showed signs of improving their overall security standing.

If one major problem was exposed by the report, however, it was that security departments often fail to communicate sufficiently with the business people they interact with, researchers said.

That lack of discourse and common understanding of larger security team goals among rank-and-file business workers cuts into the ability of CIOs and other project leaders to do everything from engendering stronger data protection to gaining funding, said Mark Lobel, chief information security architect at PWC.

"This idea of misalignment and opportunity for better [communication] between security and business workers is one of the top themes coming out of the data," Lobel said. "If senior executives don't understand where funding is coming from, if they don't know who is in charge, that's going to hurt your efforts in the long run."

In terms of why companies are willing to spend money on security, perceptions have changed though, the expert said.

With 60 percent of the CEOs responding to the survey that business continuity is their top driver for security and compliance spending, along with 75 percent of the chief information officers, the idea that security is all about defending perimeters has shifted, Lobel said.

Some 40 percent of the CEOs earmarked the protection of corporate reputation as a top motivation for upping their attention on security, while 50 percent of CIOs agreed.

Deferring to compliance needs is no longer the leading method for defending security spending, with less than 10 percent of either group identifying regulatory action as the best reason to give for opening their wallets.

Meanwhile, over 20 percent of CEOs cited the protection of corporate finances as a motivating factor, along with 15 percent of CIOs. Defending company data was the top goal of over 20 percent of all CEOs and CIOs surveyed, while protecting IT operations was a leading reason for 45 percent of CEOs, and a whopping 75 percent of CIOs.

Overall, 40 percent of CEOs indicated that they plan to boost security spending this year, while 50 percent of CIOs are hoping for larger budgets.

In terms of perceived threats, the potential for insider attacks has clearly resonated with business leaders, with 48 percent of all respondents citing the issue as their primary concern, compared to only 33 percent in last year's report.

Meanwhile, 41 percent said they most fear external hackers, compared to 63 percent last year.

Lobel said the difference in results highlights a significant change in perceptions, driven largely by increased vigilance among IT security departments.

"People didn't get worse year-on-year, what changed in the environment over the last few years was the ability to monitor and detect," he said. "Because of compliance, we've put in controls that we never had before, and the survey points out that this is beginning to work, as we're finding and seeing things we never saw before."

There do remain weak points in many security operations, according to the research.

Over 50 percent of survey respondents indicated that they do not encrypt information on laptop computers, and only 22 percent said that they have hired a chief privacy officer.

However, overall the results show slow but increasing maturity in IT security, he said.

Going forward, companies will be best served to spread support for security and compliance operations across their workforce, and to do whatever they can to ensure buy-in from top corporate officials, Lobel contends.

"What spending tells us is that security is splitting, we have multiple reporting lines and multiple masters, which makes sense," he said. "If we have all the management under IT, availability will be the primary concern, and we won't have segregation of duties to be objective, and people outside IT won't get the cooperation and coordination they need. We need some sort of split, and support for security at senior executive levels outside of IT to review policies."

Posted by Matt Hines on March 17, 2008 04:38 PM



March 12, 2008 | Comments: (0)

Clarke sharply criticizes Bush cyber-security plans

Former White House cyber-security and anti-terrorism advisor Richard Clarke isn't known as a fan of the current administration, but political loyalties aside, the expert claims that the president's new initiative aimed at bolstering the nation's electronic infrastructure is fundamentally flawed.

Speaking at the inaugural Source Boston security conference, Clarke expressed his concerns over the national electronic security initiative signed by Bush on Jan. 8.

While the measure has yet to be detailed by the White House publicly, the Washington rumor mill is already circulating many details of the strategy and Clarke said the plan won't have the effect that the president's advisors are hoping for.

The two major thrusts of the Bush mandate, according to Clarke, are aimed at better securing the government's own computing and communications networks, and adopting a more proactive approach to engaging in cyber-warfare.

In both cases, the plan may in fact serve to weaken U.S. security and privacy efforts, he said.

As Clarke sees it, the biggest flaw in the portion of the measure devoted to protecting government computing operations is a lack of recognition that most of those systems run on the same infrastructure, and through the same carriers, as the rest of the nation's Internet traffic.

"There's the idea that somehow these are government networks that we're talking about, but they really aren't, all these government sites are running through the same network of routers and the same fiber channels as everything else, there's no segmentation on these carrier networks," Clarke said. "This means that [the plan's authors] either don't know that and merely think they need to reinforce security on state-owned servers, or data in their own facilities, in which case they are missing most of the problem, or that they plan to do monitoring of everything going through the carriers' systems."

If it is the latter, then Americans will need to prepare for a world where they have far less privacy in terms of their ability to access the Web without the potential for government observation, he said.

"Given this government's performance with abuse of the Patriot Act, and surveillance without warrants, we have to ask questions, because we clearly cannot assume that the government isn't breaking the law and ignoring privacy," Clarke said.

On the topic of cyber-warfare, an area where Clarke isn't afraid to call out entities including the Chinese government for engaging in frequent attacks already, the expert said that trying to go on the offensive to match the efforts of U.S. rivals is not the most intelligent response.

The concept of mutually assured destruction that was employed by the U.S. and U.S.S.R. during the Cold War to discourage nuclear attack doesn't port well to the world of cyber-space, but the president's advisors seem to think that it will, he said.

"In cyber-space, who knows what capability anybody has? It's much more important to know what you could do if someone launched an attack on the U.S., how much could [someone] really shut down and what would be the effect," Clarke said. "I suspect that the U.S. is much more vulnerable than other countries, because we are more wired and dependent on cyber-space. China has structured its infrastructure such that it can shut itself off, and create its own environment if it wants to; so it seems that there are asymmetries."

Rather than trying to hack into other governments' networks, as the Bush plan suggests, U.S. strategy should focus more on identifying potential vulnerabilities in common infrastructure and applications, and getting that information into the hands of American organizations and end users as quickly as possible, he said.

"The first duty of the government is to protect and defend its own people," Clarke summarized.

One solution that Clarke maintains could dramatically improve U.S. cyber-security would be to employ new industry regulations aimed at forcing ISPs to better police their traffic, and additional measures that force companies selling technology to the government to put their products through more rigorous security testing.

"To Washington bureaucrats, regulation of any kind is inherently a bad thing, they think any proposal to create new regulations is bad and reject it, but I believe that we could do a lot to achieve cyber-security in the U.S. via smart, light-handed regulation," Clarke said. "If we could do these things, regulate ISPs and create additional regulations about government procurement, a lot of the problems get smaller."

Posted by Matt Hines on March 12, 2008 01:20 PM



March 11, 2008 | Comments: (0)

Conference seeks to bridge risk, research

It's always interesting to see new security conferences appear on the calendar, especially one in my hometown, and such a meeting of the minds is slated to get underway here in Cambridge tomorrow, the Source Boston 2008 show.

The confab bears a noticeable Bostonian fingerprint with a number of local experts among the organizers and presenters, including a handful of people who came out of @Stake, such as Veracode co-founder Chris Wysopal, Verdasys chief scientist Dan Geer, and Yankee Group analyst Andrew Jaquith.

And along with former presidential advisor Richard Clarke, and a collection of industry vendor CEOs and analysts, there will also be an array of well-known security researchers including Robert Hansen, Jeremiah Grossman, Rick Wesson and James Atkinson.

Some of the team from L0pht, the group of researchers that rocked Capitol Hill with their revelations on security vulnerabilities and the Internet way back in 1998, will also reunite at the show.

Wysopal is one of those researchers, and one of the organizers, and I got a chance to speak with him about what he expects to come out of Source. He told me that he thinks that the meetings may represent an intriguing opportunity for CSO types to mingle with researchers and allow for some actual cross-pollination of their ideas.

The show's program looks to play out somewhere between the research-heavy tenor of Black Hat and the more vendor-oriented RSA Security Conference, which seems like a pretty good idea if that's the type of environment that he and the other organizers are trying to create.

"I think that hopefully people who attend will see the bigger picture, you should have people who are typically down in the weeds see new things as they connect with strategic thinkers," said Wysopal. "Maybe they will see how things being researched as science have a bigger impact across the entire ecosystem, and people at the strategic level will realize that they can talk to researchers and deal directly with them, as opposed to going through layers of reports."

And hey, you know, hopefully some of us writing those reports will find some interesting things to report on to those of you who can't be there, too.

Wysopal said that the makeup of the program should prove relevant to attendees, with a third of the confab dedicated explicitly to the issue of applications security, which is by nearly all accounts a problem that is currently wreaking havoc among businesses.

"It's something that has had growing attention at other conferences, with people adding tracks, but it's a big part of this conference because we think this is where all the new risks are heading, both from the sense of attacking applications themselves and the human element," he said. "Software is everywhere and you have all these little applets spreading all over the place; there are some new paradigms emerging with the ease of installing these tiny snippets of software on a PC or a mobile device, and these new concepts carry risks that we're not really sure about."

The idea for Source actually traces back to Wysopal's own time involved with the L0pht hacker consortium, when he said that people like Clarke would come in and ask the security researchers for advice on what they were seeing in the wild. (And anyone who has read the former advisor's "Breakpoint" novel might venture that he based some of his fictional Cambridge-area hackers on L0pht.)

To the extent that it can, the show seeks to bring technical people and strategists together in a similar format for discussion, Wysopal said.

We'll be there tomorrow and Thursday to let you know what comes of it.

Posted by Matt Hines on March 11, 2008 09:27 AM



March 10, 2008 | Comments: (0)

Core finds new CEO

As expected, Core Security Technologies has found a new CEO, naming former Sophos executive Mark Hatton to guide its future expansion plans.

The Boston-based penetration testing company's efforts to recruit a new leader first surfaced last July when Core insiders confirmed that longtime CEO Paul Paget, who had held the role for over five years, was stepping aside as the firm moved into its next stage of development.

Market watchers said they expect Hatton -- who will absorb the titles of president and chief executive officer, and will also join the firm's board of directors -- to work aggressively to expand Core's sales, with the potential to position the company for sale or an IPO in several years' time.

Hatton previously served as the president of North American operations for AV vendor Sophos, which has been credited by some industry analysts for using its rapid malware signature downloads and customer support strengths to steal business away from larger rivals including Symantec and McAfee.

The new Core CEO served as vice president and general manager for U.S. operations at U.K.-based Sophos before becoming the company's top North American executive, and worked previously as vice president of worldwide sales for Tilion, a maker of supply chain management software. Prior to Tilion, Hatton held the post of vice president of North American field operations for EC Cubed, which sold electronic marketplace development tools.

Founded in 1996, Core currently claims over 600 customers, a roughly 25 percent increase since the beginning of calendar 2007, and has previously collected financial backing from Pegasus Capital and Morgan Stanley Venture Partners to the tune of $4.5 million apiece.

Analysts have said that Core's flagship technology, dubbed Impact -- a package of network, applications and social engineering vulnerability testing tools -- remains a relatively unique commodity on the market, but will continue to compete against a number of other security testing applications for IT budget dollars.

Company officials have said since the initial announcement of Paget's impending departure that the move to bring in a new CEO was not aimed at facilitating a sale, but rather based on hopes of expanding on the company's existing opportunities as a standalone.

Hatton is credited with helping to lead Sophos during a period in which it significantly expanded its U.S. presence and made inroads with larger customers.

The executive said that he believes Core is ready to experience similar expansion.

"Core Security is already a market leader in the security assurance marketplace and is poised for considerable growth as we continue to demonstrate substantial value to customers worldwide," Hatton said in a statement. "I am excited to be joining the company at this important juncture and hope my experience will help take this already successful organization to the next level."

Posted by Matt Hines on March 10, 2008 10:23 AM



March 06, 2008 | Comments: (0)

Outlook bleak for phishing defeat

Everyone from the law enforcement community, to ISPs, to the very firms whose names are being tarnished by phishing attacks is trying to pitch in and help find a solution for the problem, but prospects for decreasing the prevalence of the threats remain daunting, according to the leader of one of the most high-profile efforts to do so.

David Jevans, the chairman of the nonprofit industry consortium the Anti-Phishing Working Group (and the CEO of encrypted USB drive specialist IronKey) said in a recent interview that as the phishing problem keeps "changing and getting worse" it has become clear that there are no simple answers to the issue.

Traditional mass-market phishing is still thriving despite the best efforts of ISPs and Webmail companies to filter out as much of the nefarious spam as possible -- as phishers continue to utilize the fast-flux model to evade pursuit, and even worse, targeted attacks are growing in complexity and popularity, Jevans said.

"We see more targeted attacks, spear-phishing and whale phishing, where the attackers have some information about their targets and are using it to create customized attacks," he said. "When they know people's e-mail address and name, and have other information, this type of thing is very hard to track and stop. We also see attacks targeting specific companies where the effort is to get inside a network to plant Trojans and get in and steal intellectual property."

The expert warned that such targeted spear-phishing attacks are taking root all over both the private and government segments. The model of blending malware with targeted attacks is also growing in prevalence, Jevans said.

In another technical turn, phishers are employing more attacks that seek to use some level of phone interaction, either through VoIP-oriented "vishing" or with e-mail messages aimed at tricking people into calling live phone operators who are being paid to talk them out of their data.

At its base, the problem with phishing is that it has become a truly complex set of social engineering techniques, some of which may always be hard to defeat when the attackers have profiled their victims and know how to approach them artfully, according to the APWG leader.

One solution may be the broader use of two-factor authentication for e-mail, Jevans said.

"I think things have to go two-factor in some scenarios; if you simply rely on people to look out for the attacks and keep things safe, I think that might be unrealistic," he said. "And even if phishers can steal a password, they still don't have the token."

E-mail signing, long tabbed as a potential salve for spam and phishing, continues to evolve and should help as it becomes more broadly adopted, but that technological measure won't solve the problem altogether, said the expert.

"People can still create ways around it, we really need to combine authentication and reputation," said Jevans. "We need for the system to understand how long a site has been up, or does it exhibit malicious characteristics, as well."

Additional laws aimed at stopping phishers likely won't help much either, he said, as the ability to enforce any measures, especially overseas, will likely always prove difficult.

Overall, Jevans said that while APWG and its allies will continue their work and look for new ways to address the phishing epidemic, the outlook does appear fairly bleak, at least in the short-term.

"We thought there would be simple answers several years ago when we started, but people actually have fewer ideas about what to do now as things have progressed," Jevans said. "It's a big problem and getting more sophisticated all the time; industry will really have to work together far more to move toward solving the issue."

Posted by Matt Hines on March 6, 2008 10:56 AM



March 04, 2008 | Comments: (0)

Exploring the data security quandary

Anyone who spends any amount of time around the IT security industry is bound to come across Dan Geer, either in person or by reputation.

He's one of those guys that you soon begin to recognize, always dressed casually and sporting his trademark sideburns, and full of some of the best and most well-informed questions you'll ever hear anyone ask on the trade show circuit. He's someone who doesn't hesitate to ask those frequently tough questions of his peers in front of a live audience -- a techy's techy, if you would.

Geer may be best known for his infamous departure from the well-known company he founded and helped build, @stake, after writing a report that critiqued the state of IT security in relation to the notion of a "monoculture" around the Windows OS in 2003 -- a report that turned out to be accurate in many of its predictions, it is worth noting in retrospect.

But now he's firmly entrenched in the DLP business, serving as VP and chief scientist at Verdasys, one of the more highly-regarded vendors in the space, and one of the few big names left independent after 2007's industry consolidation, as big players including Symantec, RSA and Trend Micro snapped up its closest rivals.

To that end, Geer's latest effort is a new book titled "The Economics & Strategies of Data Security," which explores the increasingly challenging prospect of trying to keep corporate data under control, or at the very least out of the wrong hands. As usual, it seems that for every question he attempts to answer in the book (and admittedly I've only read pieces of it), he is also ready to cast doubt over simple answers and pose subsequent queries over the very nature of the topic at hand.

The thing is, Geer might work for a DLP vendor, but it's clear in his book and in 1-to-1 interviews that he subscribes to the idea that the concept of data security itself remains a very fluid and unsolved issue.

As other smart industry watchers point out, he highlights that information has become the most valuable tool of business, and that efforts aimed at limiting access to it, or trying to set hard boundaries around its distribution, can in many cases be more counter-productive than helpful.

And while companies like Verdasys have created complex technologies that work impressively in terms of creating some controls for preventing inappropriate data use, it remains clear that he buys into the truth that no one will ever be able to manage the flow of electronic information altogether.

"It's like the common cold, you think by now if this was a solvable problem that we would have it taken care of, but it's still fresh everyday," he said in a recent interview. "What's true yesterday isn't true today and it's hard to tell those people trying to hurt you from those who aren't."

"In business we can't expect people to limit access, maybe to something like the formula for Coke, or maybe in areas of finance such as pre-IPO where there are built-in incentives not to distribute certain information," said Geer. "But the inherent nature of data is such that we will always want to share it with others."

DLP will only work as well as its designers engineer controls for people to protect sensitive data as long as it doesn't get in the way of legitimate business, and it must have the power for users to pre-empt its controls when necessary, he said.

"Any rules you create must be designed so that they can be modified quickly," Geer said. "In a world where attacks propagate quickly our ability to react is best modeled on the human immune system, with new countermeasures on demand, but in a way that doesn't get in the way of allowing other related systems to work."

Now, that doesn't mean that Geer doesn't think that DLP works, he just seems to be realistic in the sense that he contends that in order for information to be protected, we must be willing to give up some level of freedom in terms of its distribution.

In his book, Geer explores all sorts of technologies and scenarios for how data can be exposed and how it may be defended, and far from saying that the data security issue is hopeless, he maintains that we as a society must be willing to allow as much information as possible to flow freely, while targeting specific types of data that need to be put under very tight, and sometimes limiting, controls.

In offering a summation that he concedes is neither "pleasant nor fashionable" in many ways, Geer again appears to be banking on his pragmatist sensibilities as both an academic and a practitioner.

"We are kidding ourselves if we think that the attractive benefits of the digital lifestyle, whether for persons or companies, don't come with a price in the form of data control," he writes in the final pages. "As bits replace atoms as the chief constituent of modern life, what those bits represent, data, becomes what we have, what we have to control, and how it is that we achieve that control."

Like any good scientist, the expert continues to pose as many questions as he attempts to answer. Geer will be speaking on data security next week here in town at the Source Boston 2008 conference.

See you there.

Posted by Matt Hines on March 4, 2008 12:29 PM



March 03, 2008 | Comments: (0)

Start-up wins NSF grant, pitches new AV

NovaShield, a new anti-virus startup that is pitching its own brand of behavioral analysis as a stronger salve against cutting-edge malware attacks, has won a significant grant from the National Science Foundation.

The Madison, Wisconsin-based company -- which was cooked up in the labs of the University of Wisconsin by Dr. Somesh Jha, an associate professor at the school and the company's co-founder and chief scientist -- won out over other competitors for a Small Business Innovation Research (SBIR) grant from the NSF.

The Phase II grant arms the nine-person company with $500,000 in additional funding, adding to the $150,000 Phase I SBIR grant awarded to NovaShield in January 2007 by NSF. According to the firm's marketeers, fewer than five percent of applicants are awarded the Phase II SBIR grant each year and NovaShield won out for its unique approach to malware detection.

Company officials said that the influx of funding will help NovaShield create a commercial product positioned for sale to consumers sometime before the end of the first half of 2008. Once that product is finished, the firm may begin work on a version of its technology aimed specifically at business users if it appears there is a market for such a product, company officials said.

NovaShield's technology -- which claims to outdo existing AV programs in finding and blocking more intelligent types of malware including botnets, Trojans, keyloggers and rootkits -- is based on a technique it has labeled as "specification-based monitoring," developed at UW.

The tools claim to "extend" behavior-based malware detection by using "policy specification."

"Specification-based monitoring leverages a tiered architecture to simplify the malware identification process by a factor of ten while maintaining a better rate of detection and fewer false positives than current commercially available anomaly-based approaches to behavior-based detection," the company claims in its literature.

In an interview, Jha told me that the key to the NovaShield technology's higher levels of efficacy in identifying attacks is found in its ability to examine behavior playing out between application processes and a computer's operating system. (The first version of the product will be aimed at Windows users, of course.)

By looking at an application's behavior in real-time and any events that a program generates for the OS, at the kernel layer, the technology can look at certain sequences and identify anything unusual, he said.

"The actual interface between a program and the Windows OS is very noisy, you may open a file and see a lot of things that correspond with events at a Windows level and miss attacks because of this," said Jha. "We have a reverse mapping layer that recreates high-level semantics of this activity, such as why was the registry altered; we look only at high-level events; that allows us to defeat the detection rates of other products using very few policies, usually less than a dozen."

Many other behavioral monitoring technologies fail at similar efforts because they take too many policies to work and then create too many false positives as a result, the inventor maintains.

However, along with its technology, users will also want to continue to use traditional signature-based AV to catch anything that doesn't fall into its range of coverage, Jha said.

NovaShield leaders understand that the road is long for security companies that attempt to tackle one aspect of AV on their own, but they point to the continued success of anti-spyware specialist Webroot as proof that they can survive on high-end anti-malware alone (in terms of going after the truly gnarly stuff).

Of course, maybe they'll just get bought out by Symantec someday.

In the meantime, NovaShield has impressed at least one academic beyond the NSF grant givers.

John Mitchell, a professor of computer science at Stanford University and co-director of the Stanford Computer Security Lab who has also signed on to NovaShield's board of technical advisors, endorsed the technology in a quote offered in the company's grant announcement:

"Current technologies are slow to adapt, making it hard to catch newer threats and malware variants," he said. "NovaShield's advanced and powerful specification framework, and the founding team's experience with developing efficient algorithms for building effective specifications give the company a competitive advantage at a time when computer users need first-rate protection."

Posted by Matt Hines on March 3, 2008 10:01 AM



February 29, 2008 | Comments: (0)

SafeNet buying Ingrian

After a brief pause in the buying cycle, consolidation is happening again in the security sector, this time in the data encryption market.

SafeNet, which specializes in disk and file encryption, along with related networking and access control technologies, announced Friday that it has signed a deal to acquire Ingrian Networks, which is focused on encryption devices used in data centers and distributed computing environments.

Financial terms of the deal were not disclosed, but the companies said they expect the transaction to close in less than one month's time.

At first glance it would seem that SafeNet is making the deal in the hopes of becoming more of a soup-to-nuts provider of enterprise data encryption technology.

The move clearly expands its footprint into the market for large customers, with the ability to lock down information in bigger shops, managed services settings and throughout networks of geographically separated branch offices.

From a high level, the deal would also seem to help the company move in the direction that analysts predict the encryption segment will continue to evolve, with customers seeking providers that can either manage all forms of the technology themselves or deliver it via applications embedded into other forms of hardware and software.

SafeNet already has an embedded security product line.

Company executives also played up what Ingrian brings to the table in terms of ID and access management tools.

"This acquisition enables SafeNet to offer enterprise data security for database and server centers, and to become the first enterprise data protection solutions vendor to provide comprehensive offerings for the data centers and client devices," Chris Fedde, SafeNet's president said in a statement.

"Ingrian complements SafeNet's solutions and allows customers already purchasing identity and access management products to add more depth to their protection strategies and enhance their compliance posture," he said.

Cashing in on drivers such as the PCI DSS standard, company executives said that the combined company will be uniquely positioned to offer the database, file and mainframe encryption software provided by Ingrian along with SafeNet's existing products, which also include high-speed network encryption and content rights management tools.

Ingrian also brings along strategic technology partnerships with well-known platform providers including Dell, HP, IBM, Microsoft and Oracle.

Many experts believe that encryption will increasingly be utilized in an integrated fashion in the products built by such companies, rather than being installed and managed as independent technologies.

"As organizations continue to invest in encryption technologies, they are looking to expand the benefits of enterprise data protection throughout the data center and beyond the edge to mobile devices," said Michael Howard, Ingrian's CEO.

In the press release announcing the deal, the companies quote at least one analyst as looking favorably on the marriage of the two encryption vendors.

Interestingly, Stratecast's Michael Suby observes that the firms should have an opportunity to cash in on the demand for data leak prevention (DLP) technologies, which tend to use encryption as their de facto form of policy enforcement.

"Threat levels for electronically stored and transmitted data are increasing and it is important for information security vendors to be able to provide comprehensive DLP tools that are designed to work together and close gaps that could otherwise exist in protection schemes," Suby writes. "In this way, SafeNet's acquisition of Ingrian speaks to elements of the DLP synchronization of functionality that [we] believe is important for organizations to deploy."

Posted by Matt Hines on February 29, 2008 10:36 AM



February 28, 2008 | Comments: (0)

Pervasive Web apps flaws under siege

The volume of threats leveled at Web-based applications continues to surge, and the sheer number of flaws present in many such programs is making it easy for attackers to succeed in their efforts to steal data and generate income, according to the latest research report issued by Cenzic.

Researchers with the applications security testing specialist estimate that 71 percent of all the vulnerabilities reported worldwide during Q4 2007 were related to Web apps -- affecting everything from servers to browsers -- representing a three percent increase over the previous quarter.

The biggest issue contributing to the growth in the problem appears to be a lack of secure development skills among those people creating the programs.

For instance, of the reported flaws, applications developed using PHP accounted for roughly 30 percent of the vulnerabilities, a slight dip from Q3 2007, when they represented 31 percent of the security holes.

However, since vulnerabilities found in the PHP programming language itself accounted for less than one percent of the flaws, most of the issues continue to arise purely from insecure code development practices, the company said.

Even worse, Cenzic contends that roughly 70 percent of all the reported Web applications vulnerabilities could be classified as "trivially exploitable."

Unless coders begin to improve their techniques for writing Web applications, the situation is likely to get worse before it gets better, experts said, as the continued demand among business users for new Web-based business tools and a lack of secure development skills fuels the issue.

"Some might look at the trend and feel good about the total number of vulnerabilities stabilizing. Personally, I think it's alarming. In 2007 alone, we had over 4,000 application related published vulnerabilities," said Mandeep Khera, vice president of marketing at Cenzic.

"While attacks through Web applications continue to occur at an astounding pace, very few organizations are doing anything about securing their Web applications," he said. "Corporations have to [put a stop to] this inertia before it's too late."

Cenzic reports that vulnerabilities in server or Web application server technologies accounted for approximately 10 percent of all the vulnerabilities in Q4 2007, a one percent gain over the previous quarter.

Flaws found in Web browsers represented some five percent of all the reported application flaws, down three percent from Q3 2007.

Vulnerabilities in multimedia applications including Microsoft's Windows Media Player and Apple's QuickTime accounted for only one percent of the flaws during the fourth quarter, a four percent reduction compared to the third quarter.

Cenzic noted that vulnerabilities discovered in other browser-based tools were also down during Q4, with ActiveX-based issues accounting for less than one percent of the total volume.

The company reported that vulnerabilities that could lead to cross-site scripting and SQL injection attacks remained at almost the same level of frequency as in previous quarters.

However, the percentage of Web application security flaws of the kinds highlighted in the Open Web Application Security Project's (OWASP) Top 10 listings grew by almost 8 percent, including more frequent occurrence of directory traversal and cross-site request forgery (CSRF) problems.

The ability for attackers to utilize cross-site scripting remains a serious problem, Cenzic contends, illustrated by the fact that 21 percent of the reported Web application vulnerabilities during Q4 could be exploited by such threats, a one percent increase over Q3 2007.

The company said that cross-site scripting was the most frequently reported breed of Web application vulnerability during Q4 2007. And in the real world, versus only those vulnerabilities that are reported publicly, the company said it expects that the problem is far more prevalent.

As Khera noted, some of the numbers may appear to make it seem that things are actually improving in the world of Web applications vulnerabilities, but the problem has become so pervasive that the minor gains do not represent much real improvement.

"In 2007, we saw a number of creative and lethal security attacks; Web site hacking continued to gain momentum as hackers had a field day exploiting vulnerabilities across all geographies and across different types of Web applications," Cenzic said in its report summary.

"From SQL Injection Robot to a Russian Malware gang attacking a government site to exploitation of various Google vulnerabilities to various universities – attacks continue," the report states. "Financial gains continue to be the primary goal but we also saw attacks to steal intellectual property, student records, and a few defacement incidents. The bad guys go where the vulnerabilities are and Web applications are certainly appealing and inviting to these constituents."

Posted by Matt Hines on February 28, 2008 11:44 AM



February 25, 2008 | Comments: (0)

VMware desktop vulnerability exposed

As virtualization is taking off, so are the concerns of security researchers who point out that any vulnerabilities in the software used to underpin the technology could create serious problems for end users.

Case in point, researchers at automated pen testing specialist Core Security passed along an advisory on Monday warning of a newly discovered flaw in VMware's increasingly popular desktop virtualization software that the company contends could lead to serious attacks by insiders.

According to the report issued by the firm's CoreLabs group, someone logged onto a guest system running on VMware's Player, Workstation and ACE products could potentially break out of their walled environment and gain access to the host computer system within which they are operating.

Once exploited, the issue could then allow attackers to create or modify executable files on the host operating system, according to the advisory.

Core researchers said that they found the vulnerability -- which VMware has already been made aware of -- while looking into a previously disclosed security issue reported by iDefense Labs in March 2007.

Through the use of a specially crafted PathName to access a VMware shared folder, Core said, it could be possible to subvert the entire host system running the affected VMware products, including the ability to create or modify executable files in sensitive locations.

The company contends that the flaw results from "improper validation of the PathName parameter passed by a potentially malicious program or user in the Guest system to VMware's Shared Folders mechanism," which it said in turn can transfer into the host machine's file system.

"What's most relevant about this vulnerability is it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them," Iván Arce, Core's CTO, said in a research note.

"Organizations often adopt virtualization technologies with the assumption that the isolation between the host and guest systems will improve their security posture," Arce said. "This vulnerability provides an important wake-up call that virtualization is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments."

Core reported further that the nature of the VMware flaw, which it tabbed as "a path traversal vulnerability," is one that can be found in many other types of Web server software and applications: it involves the specification of pathnames that include the ".." substring to escape out of folder access restrictions.

"To prevent this type of attack, it is common to filter out the potentially malicious substring from input received from un-trusted sources," Core said.

Researchers said that affected VMware products that utilize the shared folders feature cannot effectively "sanitize" malicious input in the PathName parameter.

"Although stricter input validation was implemented to fix the vulnerability disclosed previously, the shared folder mechanism still provides complete access to the underlying file system of the Host system due to improper handling of strings with multi-byte encodings," the advisory said.

The vulnerability is only exposed to attack when the shared folders feature is turned on (although it is allowed by default) and at least one folder on the host system is configured for sharing.

The company advised that customers looking for a workaround to lower their risk should simply disable shared folders in all installations of the vulnerable software. If that is not an option, configuring shared folders to allow read-only access to the host folder may also help.

For its part, VMware said that it will address the vulnerability within the normal update release schedule of the affected products.

In the meantime the company advised customers to disable shared folders for all virtual machines that use the feature, configure the system for read-only access, or implement appropriate file system monitoring and access control mechanisms on the host operating system until they can upgrade to unaffected versions of the products.

Posted by Matt Hines on February 25, 2008 02:26 PM



February 21, 2008 | Comments: (0)

Spammers gaming Google advertising

Security researchers at e-mail and DLP filtering specialist Proofpoint are reporting a new form of fraud being carried out over Google's online advertising network.

According to the experts, schemers are using spam messages designed to send traffic directly to specific banner ads they control via the Google AdWords program, a new method of tricking unsuspecting users into providing them with ill-gotten income.

The idea is that once someone clicks on such a link, many of which are being advertised as URLs representing legitimate online retailers or pornographic Web sites, the responsible parties simply collect the revenue they would garner if someone visiting a Web site they control could be convinced to click on such an ad.

Basically they're cutting out the middleman, or the need to create fake sites to drive clicks to their ads.

Google typically moves quickly to disable any ads on its network that are found to be abusive of its policies, which clearly forbid behavior such as that described by Proofpoint.

Company representatives didn't immediately respond to inquiries regarding the Proofpoint report.

Despite Google's continued efforts to eradicate opportunities for people to commit click fraud via its ad networks, Proofpoint execs said that the system is still rife with opportunities for misuse, even if the scams can only be carried out for short periods of time before the search giant sniffs them out and shuts down the related sites or banners.

Proofpoint said further that it has already observed spammers using generalized redirect URLs to generate income using AdWords. By modifying certain parts of the Google AdWords URLs the scammers attempt to redirect users to sites they control, not those being advertised in the ads.

In some cases, the URLs being seen by the company redirect people to malware-infested sites hosting Trojan-downloaders or botnet programs. In other cases they merely lead to other more general, spam-driven sites, Proofpoint said.

"The [AdWords] system is open to various types of abuse; [the banner ad spam is] a clever obfuscation technique as less sophisticated spam filters, seeing the Google.com URL might interpret the URL as being legitimate and don't filter the message as spam," said Rami Habal, director of product marketing at Proofpoint.

"Our team has been expecting spammers to start exploiting the AdWords system in these sorts of ways," he said. "We've already seen Google searches exploited in a similar way through 'I feel lucky' URLs, and [we] were a little surprised it took [fraudsters] this long to catch on."

Posted by Matt Hines on February 21, 2008 01:35 PM



February 14, 2008 | Comments: (0)

Spam and malware are for lovers

Even if you haven't been infected by the charms and socially transmitted diseases of the CyberLover attack, there's likely plenty of Valentine's Day love awaiting you in your in-box and online today.

As has become their wont, the vast array of sleazy cyber-criminals have spent their time sweating through the lonely night by the lights of their computers to create just the right romantic messages to lure the lonely hearted and the love-struck.

Much as they enjoy stuffing our stockings with botnets, rootkits, SQL injections and social engineering gimmicks at that most wonderful time of the year, the V-Day assault has become something of an annual tradition.

So, rather than assuming that some long-lost love, or someone still close to your heart has put together a gripping tribute detailing their affection for you via e-card, e-mail or Web link… think twice before opening anything unsolicited, because there's a good chance that it's a trap.

Not that true love ain't the same -- damn the cynic in me.

And much as the mal-crowd has made it an all out effort to take advantage of the Valentine's season, security vendors from all corners of the globe are sending out warnings about various threats.

In that sense it would seem that love's not blind… at least not for security researchers.

But let's face it, 99 percent of them are dudes, so the ability to cut through the romantic to find the dark inner core shouldn't be too surprising. Perhaps I've had too much dark chocolate already.

So, a roundup of the threats that may assail you on today this day of lovers and lechery:

On the spam front, because nothing says I love you like unsolicited e-mail linking to malware sites, BitDefender is warning of two major campaigns, one of which involves romantically oriented pharmaceuticals, and another promising "Perfect gifts for Valentine's Day." (Now there's one that's likely to hook some guys at this late hour for shopping.)

The pages opened by the included URLs take users to e-commerce sites advertising free gift cards, flowers and music, among other themes. You should know by now that not even love is free.

Particularly devilish iterations of the spam carry adware and are being driven by the promise of love-themed e-cards. By downloading some free smiley avatars along with the e-card, bang, you just got owned.

Over in Russia, the boys at Kaspersky are tracking some large-scale mass mailing Valentine's Day spam as well. The messages currently account for roughly 5 percent of all mail traffic being sniffed by the AV company.

The text of the messages mostly asks the reader to click on a link to view a selection of Valentine's Day e-cards. However, by doing so, users will instead receive the Packed.Win32.Tibs.ic malware. How sweet.

The links included in the messages in question are displayed in the format "http://xxx.xxx.xxx.xxx," where "xxx" is a number, which is unusual for this type of mailing, the company said.
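A link whose host is a bare dotted-quad address, as Kaspersky describes, is an easy thing for a mail filter to flag. The check below is an added example for this post (not Kaspersky's code); the message bodies are constructed, using a documentation-range address rather than a real spam host.

```python
import re

# A URL whose host is a dotted-quad IP literal rather than a hostname,
# optionally followed by a port and a path. Octet range is checked separately.
_IP_URL = re.compile(
    r"https?://(?P<ip>(?:\d{1,3}\.){3}\d{1,3})(?::\d{1,5})?(?:/[^\s<>]*)?",
    re.IGNORECASE,
)


def _valid_dotted_quad(ip: str) -> bool:
    """Reject things like 999.1.1.1 that merely look like an address."""
    return all(0 <= int(part) <= 255 for part in ip.split("."))


def find_ip_literal_urls(message_text: str) -> list:
    """Return every IP-literal URL in a message body, in order of appearance."""
    return [m.group(0) for m in _IP_URL.finditer(message_text)
            if _valid_dotted_quad(m.group("ip"))]


def is_suspicious(message_text: str) -> bool:
    """A single IP-literal link is enough to route the message for review."""
    return bool(find_ip_literal_urls(message_text))


# Constructed sample messages; 192.0.2.0/24 is reserved for documentation.
SAMPLE_ECARD_SPAM = (
    "Someone special sent you a Valentine's Day card!\n"
    "View it here: http://192.0.2.44/valentine/card.php?id=12\n"
)
SAMPLE_LEGIT = "Your order has shipped. Track it at https://shop.example.com/track/123"

if __name__ == "__main__":
    for body in (SAMPLE_ECARD_SPAM, SAMPLE_LEGIT):
        print(is_suspicious(body), find_ip_literal_urls(body))
```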

"We presume the peak in Valentine's Day spam is still to come," Andrei Nikishin, director for IT security outsourcing at Kaspersky Lab, reports. Charming!

And if you were worried that the P2P botnet Storm Worm Trojan forgot what a wonderful year you've had together, sharing so many moments, fear not.

F-Secure's research labs report that the Storm botnet is sending another round of Valentine's Day spam using headlines such as "Love Rose," "Rockin' Valentine" and "Just You," along with the same filename, which directs recipients to a malware-infested Web site.

Because who needs candy hearts when you've got botnet-induced spam runs? Ah romance.

At Sophos, researchers are predicting that millions of e-mails will be sent over the course of St. Valentine's Day, many of which will include malware-ridden attachments or links to nefarious Web sites.

One such example seen by Sophos researchers is a romantically themed e-mail which directs unsuspecting computer users to a Web site containing romantic images, alongside a variant of the Dorf malware (W32/Dorf-AW), another Storm variant.

Other e-mails with subject lines including "I Like You", "Powerful Love", "Tower of Love", "You Stay In My Heart", "Hugs And Kisses", "Val-ANT-ines", "Just You", "What is Love?", "The Love Train", "My Heart", "You're My Valentine", "Just You", "My Love For You", "Love Rose", "World Love", "You Stay In My Heart", "A Rose To Say...", "I Love You", "Valentine Friends", "Love Rose", "Thinking Of U All Day", "Valentine Invitation", and "Happy Valentine's Day!" link to a site designed to infect PCs in order to send more spam, launch denial-of-service attacks, or commit identity theft.

Security firm BD-BrandProtect offers some tips for consumers to protect themselves from these threats:

-Do not open any e-cards from someone you don't know.
-Educate yourself on any potential attacks that are already known out there.
-Make sure you have the latest security software installed on your computer.
-Visit legitimate e-card services to see any potential scams they are aware of.

Happy V-Day. Feel the love.

Posted by Matt Hines on February 14, 2008 08:32 AM



February 12, 2008 | Comments: (0)

ID theft on the decline

Even with a robust underground market for stolen personal data being fed by a seemingly endless stream of data leakage events and electronic crimes, new research indicates that incidents of identity theft actually dropped in sheer volume during 2007.

According to the 2008 Identity Fraud Survey Report released by Javelin Strategy & Research, identity fraud fell by an estimated 12 percent in the U.S. during 2007, compared to 2006, representing a reduction of $6 billion in the amount of money stolen through such scams.

Based on the company's estimates, drawn from interviews with 5,000 individual consumers, some 300,000 fewer adults were victimized through identity fraud in 2007 than in 2006. The report projects the total annual cost of identity fraud in 2007 at $45 billion, down from $51 billion in 2006.

The findings actually reinforce previous iterations of the report, as the number of people affected by ID fraud has dropped significantly since Javelin began conducting the research in 2004.

According to the firm, roughly 4.25 percent of the adult population of the U.S. was hit with ID fraud during 2004. In 2007, only 3.58 percent of adults were targeted by the crimes.

Javelin contends that factors contributing to the decline in ID fraud attacks include far greater public awareness of the problem, and improvements being made among businesses that hold large amounts of sensitive consumer data. As even more work to stay abreast of the issue is completed, the research firm said that it expects the fraud reduction to continue, although likely at a slower pace.

Despite the seemingly positive evidence about the drop in the overall popularity of ID fraud, the dark side of the report is that those individuals who are being victimized by the schemes are getting fleeced for more of their funds.

According to the report, the cost per consumer for ID fraud, derived by estimating all the money individuals lost and spent while being attacked and attempting to regain their credibility, rose significantly during 2007.

The cost per consumer in 2007 averaged $691, an increase of 25 percent over the figure of $554 reported in the 2006 report.

"The 2008 Report confirmed what we believe to be true: that while fraud is declining, it is still a concern for the American public," James Van Dyke, president and founder of Javelin, said in a report summary. "The good news is the leadership role many businesses are taking in educating consumers about ID fraud risk factors is paying off. Still, fraudsters are getting creat