30. September 2009 · Twitter is dead · Categories: Application Security, Breaches

According to Robert X. Cringely, long-time computer industry pundit, Twitter is dead. Why?

"Twitter is dead because it is now so popular that the spammers and the scammers have arrived in force. And history tells us that once they sink their teeth into something, they do not let go. Ever.

Twitter scams aren't new. But I've never seen so many hit in a single week or with such rigorous precision."

Symantec has a nice blog post about one of the underlying problems with Twitter: since tweets are limited to 140 characters, people post "URL shorteners" instead of the actual URLs they are referring to. As a result, you have no idea where you are going when you click on a shortened URL.
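One defensive habit that follows from this is to resolve a shortened link before anyone clicks it. The example below is added here and is not from the original post or from Symantec; it walks a redirect chain with HEAD requests only (so no page body is ever fetched), stops on loops or overly long chains, and handles relative Location headers. The `short.example`, `short2.example` and `unexpected-site.example` hosts and the responses in `CONSTRUCTED_RESPONSES` are constructed so the example runs offline; `live_head` is the real-network variant.

```python
"""Expand a shortened URL by walking its redirect chain with HEAD requests, never fetching a body."""
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class RedirectError(Exception):
    """Raised on a redirect loop or a chain longer than the allowed number of hops."""


def live_head(url, timeout=5):
    """Send one HEAD request and return (status, Location header) without following it."""
    parts = urlsplit(url)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand_url(url, head=live_head, max_hops=10):
    """Return every URL in the chain, from the short link to the first non-redirect response."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(url)
        if status not in REDIRECT_STATUSES or not location:
            return chain
        url = urljoin(url, location)  # Location may be relative to the current URL
        if url in chain:
            raise RedirectError("redirect loop at " + url)
        chain.append(url)
    raise RedirectError("more than %d hops" % max_hops)


# Constructed responses standing in for a real shortener, so the example runs offline.
CONSTRUCTED_RESPONSES = {
    "http://short.example/abc": (301, "http://short2.example/xyz"),
    "http://short2.example/xyz": (302, "/go?id=1"),
    "http://short2.example/go?id=1": (302, "https://unexpected-site.example/login"),
    "https://unexpected-site.example/login": (200, None),
}


def fake_head(url):
    """Offline stand-in for live_head, answering from the constructed table."""
    return CONSTRUCTED_RESPONSES[url]


def final_destination(url, head=fake_head):
    """The URL a user would actually land on, resolved before any click."""
    return expand_url(url, head=head)[-1]


if __name__ == "__main__":
    for hop in expand_url("http://short.example/abc", head=fake_head):
        print(hop)
```

The two-hop indirection through a second shortener is deliberate: in practice a chain is only as trustworthy as its last hop, so it is the final host, not the first, that should be compared against what the tweet claims to link to.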

Cringely closes with this:

"Spam will kill Twitter's usefulness for everyone but relentless Internet marketers, unless the brainiacs at TwitCentral can figure out a better way to block it. Smart people have tried and failed everywhere else, though. I don't hold out much hope."

My view is that, just as with any new technology, if there are real benefits people will tolerate the risks for some period of time and third parties will develop solutions to mitigate those risks. This is the history of the whole IT security industry.

Take email for example. Email has been so valuable that people tolerated spam for some time. Then third parties developed anti-spam solutions for which enterprises were willing to pay and consumers got as a feature of either their email client or anti-malware product.

On the other hand, there is still a huge amount of email spam, which means that email spamming is still profitable. Therefore there are tons of people who either are not availing themselves of anti-spam filters or for some reason still fall for spam scams.

Yet with all that spam, there is no sign of email dying, due to its immense value.

30. September 2009 · Popular social news site infected with XSS exploit · Categories: Application Security, Breaches, Malware, Secure Browsing

The popular social news site Reddit was breached with an XSS exploit. Of course, the article does not indicate what, if any, protection methods Reddit was using to prevent this most popular of web site exploits. I wonder how they would do if an auditor showed up tomorrow using CSIS's Twenty Critical Cyber Security Controls (which I previously posted about) as a reference.

28. September 2009 · All enterprises have infected hosts controlled by botnets · Categories: Botnets, Breaches, Compliance, Malware

If you think your organization is free of botnet-controlled hosts (aka zombies), it's only because you don't have the right detection tools! For example, Damballa, a botnet detection company, claims that every organization it has tested was infected. And the number of infected hosts is rising – from 5% to 7% last year to 7% to 9% this year.

In one sense, this is a shocking number, i.e. almost 10% of the hosts in your network are controlled by botnets. On the other hand, it is not so surprising, because I have yet to find an enterprise without hosts running non-compliant or non-monitored software.

Another interesting finding from Damballa's research is the proliferation of small, customized botnets. Here is a quote from the Dark Reading article:

"The bad guys are also finding that deploying a small botnet inside a targeted organization is a more efficient way of stealing information than deploying a traditional exploit on a specific machine. And [Damballa VP of Research Gunter] Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. 'They are very strongly associated with a lot of insider knowledge…and we see a lot of hands-on command and control with these small botnets,' he says."

There are several advanced security tools that can be easily deployed in a couple of days that will pinpoint non-compliant and non-monitored software and network communications.
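The "hands-on command and control" Ollmann describes still has to cross the network, and a controlled host tends to check in with its controller on a schedule. The example below is added here and is not from the original post, Damballa, or any product; it is one of the simplest checks such tools perform: group outbound flows by (source, destination, port) and flag pairs whose inter-connection intervals are nearly constant. The flow lines in `CONSTRUCTED_FLOWS` are constructed for the example, with `10.0.0.15` checking in every ten minutes and `10.0.0.22` browsing irregularly.

```python
"""Flag hosts whose outbound connections to one destination recur at clockwork intervals."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records: "<ISO timestamp> <src> <dst> <dport> <bytes>"
CONSTRUCTED_FLOWS = """\
2009-09-28T09:00:00 10.0.0.15 203.0.113.7 443 512
2009-09-28T09:10:01 10.0.0.15 203.0.113.7 443 514
2009-09-28T09:20:00 10.0.0.15 203.0.113.7 443 511
2009-09-28T09:29:59 10.0.0.15 203.0.113.7 443 512
2009-09-28T09:40:02 10.0.0.15 203.0.113.7 443 513
2009-09-28T09:50:00 10.0.0.15 203.0.113.7 443 512
2009-09-28T09:03:12 10.0.0.22 198.51.100.9 80 20480
2009-09-28T09:03:40 10.0.0.22 198.51.100.9 80 1024
2009-09-28T09:31:05 10.0.0.22 198.51.100.9 80 9000
2009-09-28T10:15:47 10.0.0.22 198.51.100.9 80 300
2009-09-28T10:16:00 10.0.0.22 198.51.100.9 80 64000
2009-09-28T10:59:30 10.0.0.22 198.51.100.9 80 800
"""


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def beacon_scores(flows, min_connections=5):
    """Coefficient of variation of the gaps between connections, per (src, dst, dport).

    A value near 0 means the connections are evenly spaced; human browsing scores much higher.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_pair[(src, dst, dport)].append(ts)
    scores = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:  # too few samples to judge regularity
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        scores[pair] = pstdev(gaps) / avg
    return scores


def suspected_beacons(flows, max_cv=0.1, min_connections=5):
    """Sorted list of (src, dst, dport) pairs whose timing regularity is below the threshold."""
    scores = beacon_scores(flows, min_connections)
    return sorted(pair for pair, cv in scores.items() if cv <= max_cv)


if __name__ == "__main__":
    for pair, cv in beacon_scores(parse_flows(CONSTRUCTED_FLOWS)).items():
        print(pair, "cv=%.3f" % cv)
    print("suspected:", suspected_beacons(parse_flows(CONSTRUCTED_FLOWS)))
```

The threshold and minimum sample count are the tuning knobs: legitimate software updaters and monitoring agents beacon too, so the output is a list of pairs to reconcile against the inventory of authorized software, not a verdict on its own.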

NSS Labs, the well-respected UK-based security product research and testing service, just published the results of its consumer anti-malware test. The most popular products, Symantec and McAfee, both came in at only 82%. Therefore you cannot rely on this single security control to protect you against malware. A layered, defense-in-depth strategy is a must.

While all organizations are different, complementary technologies include Secure Web Gateways, Intrusion Prevention, Data Leak Prevention, or an advanced firewall that performs all of these functions, and possibly a Security Information and Event Management System. If you are running web applications, you will also need a Web Application Firewall. I wrote about this in my post about the 20 Top Security Controls.

The top vendor was Trend Micro with a 96% success rate when you combine the 91% caught at download time and the 5.5% caught at execution time. I also read about this report in an article at Dark Reading written by Tim Wilson. However, Tim said Trend Micro only blocked 70% of the malware. I am not sure where he got his number.

22. September 2009 · Twenty Critical Cyber Security Controls – a blueprint for reducing IT security risk · Categories: Risk Management, Security Management, Security Policy

The Center for Strategic & International Studies, a think tank founded in 1962 and focused on strategic defense and security issues, published a consensus-driven set of "Twenty Critical Controls for Effective Cyber Defense." While aimed at federal agencies, their recommendations are applicable to commercial enterprises as well. Fifteen of the twenty can be validated, at least in part, in an automated manner.

Also of note, the SANS Top Cyber Security Risks report of September 2009 refers to this document as "Best Practices in Mitigation and Control of The Top Risks."

Here are the twenty critical controls:

  1. Inventory of authorized and unauthorized devices
  2. Inventory of authorized and unauthorized software
  3. Secure configurations of hardware and software on laptops, workstations, and servers
  4. Secure configurations for network devices such as firewalls, routers, and switches
  5. Boundary defense
  6. Maintenance, monitoring, and analysis of Security Audit Logs
  7. Application software security
  8. Controlled use of administrative privileges
  9. Controlled access based on need to know
  10. Continuous vulnerability assessment and remediation
  11. Account monitoring and control
  12. Malware defenses
  13. Limitation and control of network ports, protocols, and services
  14. Wireless device control
  15. Data loss prevention
  16. Secure network engineering
  17. Penetration tests and red team exercises
  18. Incident response capability
  19. Data recovery capability
  20. Security skills assessment and appropriate training to fill gaps

I find this document compelling because of its breadth and brevity at only 49 pages. Furthermore, for each control it lays out "Quick Wins … that can help an organization rapidly improve its security stance generally without major procedural, architectural, or technical changes to its environment," and three successively more comprehensive categories of subcontrols.

21. September 2009 · London TimeOnLine report on Clampi thin on facts · Categories: Breaches, Funds Transfer Fraud, Malware

The London-based Times OnLine had a story today entitled, "New Trojan virus poses online banking threat." With all due respect, Mike Harvey, their Technology Correspondent, appears to have gotten a few things wrong as follows:

  • The headline is referring to the Clampi Trojan, which is not new. It was first discovered in 2006 according to McAfee and 2008 according to Symantec. In fact, as late as July 23rd, Symantec classified Clampi as "Very Low" risk. Since then, Symantec has raised the risk level to "High."
  • The Clampi Trojan is just one of many trojans that cyber criminals are using to steal people's online banking credentials. What these trojans have in common is keylogging capability, i.e. the ability to capture all of your keystrokes.
  • The real story is that sophisticated cyber criminals are focusing on stealing money directly out of small and medium business accounts.

For more details on Clampi and funds transfer fraud, see my earlier blog posts here and here respectively.

21. September 2009 · Empirical evidence shows that the top cyber security risks are related to Web 2.0 · Categories: Application Security, IT Security 2.0, Risk Management

Every consultant and vendor has a theory about the top cyber security risks. But what's really going on? SANS has the answer. Last week they released their analysis of threat and vulnerability data collected from 6,000 organizations and 9 million systems during the period from March 2009 to August 2009.

SANS says that two threat types dominate the analysis, both of which are tied to Web 2.0:

  • Threats associated with people using Web 2.0 applications, i.e. unpatched vulnerabilities on their workstations that are exploited when they visit web sites.

My take: While the hype around NAC has definitely waned, the importance of comprehensive and continuous end point discovery, vulnerability analysis, configuration compliance checking, and patching at the application level as well as the operating system level is increasing.

  • Organizations' Internet-facing web sites remain vulnerable to threats like SQL Injection and Cross-Site Scripting.

My take: It's clear that using a rigorous Software Development Life Cycle process alone is not getting the job done. Web application firewalls are a must-have.
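Both of the web-site threats SANS names come down to the same defect: untrusted input is spliced into a structured language (SQL or HTML) as text. The example below is added here and is not from the SANS report or the original post; it shows each defect beside its fix in one runnable file, using an in-memory SQLite table constructed for the purpose. The `users` table, the `alice`/`bob` rows and the hypothetical `find_user_*` and `render_greeting_*` functions are all assumptions of the example.

```python
"""SQL injection and cross-site scripting: the vulnerable form of each beside the hardened form."""
import html
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs without any server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


# --- SQL injection -------------------------------------------------------------

def find_user_vulnerable(conn, name):
    """String concatenation: the caller's text becomes part of the SQL statement."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = '" + name + "'"
    ).fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the driver passes the value separately from the SQL text."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- Cross-site scripting ------------------------------------------------------

def render_greeting_vulnerable(name):
    """Raw interpolation: markup in the name is rendered as markup by the browser."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """Output encoding for the HTML text context: markup characters become entities."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable query returned", len(find_user_vulnerable(db, probe)), "rows")
    print("safe query returned", len(find_user_safe(db, probe)), "rows")
    print(render_greeting_vulnerable("<script>"))
    print(render_greeting_safe("<script>"))
```

The fix in each case is the same idea: keep data and code on separate channels (bind parameters for SQL, context-appropriate encoding for HTML) rather than trying to filter the input. A web application firewall, as the post argues, is a second layer in front of code that does not yet do this.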

17. September 2009 · How to leverage Facebook and minimize risk · Categories: Application Security, IT Security 2.0, Network Security, Web 2.0 Network Firewalls

Marketing and Sales teams can benefit from using Web 2.0 social networks like Facebook to reach new customers and get customer feedback. It's about conversations rather than broadcasting. So simply denying the use of Facebook due to security risks and time-wasting applications is not a good option, much as in the '90s denying access to the Internet due to security risks was not feasible.

IT Security 2.0 requires finer grained monitoring and control of social networks like Facebook as follows:

  1. Restrict access to Facebook to only those people in sales and marketing who legitimately need access.
  2. Facebook is not a single monolithic application. It's actually a platform or an environment with many functions and many applications, some of which are pure entertainment and thus might be considered business time wasters. Create policies that restrict usage of Facebook to only those functions that are relevant to business value.
  3. Monitor the Facebook stream to detect and block incoming malware and outgoing confidential information.

Palo Alto Networks, which provides an "Application/User/Content aware" firewall (is that a mouthful?), appears to be able to provide such capabilities. Perhaps we might call it a Web 2.0 network firewall.

Is anyone aware of another firewall that can provide similar functionality?

14. September 2009 · Two more high profile Web 2.0 exploits – NY Times, RBS Worldpay · Categories: Breaches, IT Security 2.0, Malware, Secure Browsing

Two more high profile organizations have succumbed to Web 2.0 based exploits, the New York Times and RBS Worldpay. These highlight the shortcomings of traditional IT security. I have no doubt that both of these organizations had deployed traditional firewalls and other IT security tools, yet they were still breached by well understood exploit methods for which there are proven mitigation tools.

I discussed this issue, Web 2.0 requires IT Security 2.0, at some length recently.

The current RBS Worldpay problem was merely a hacker showing off a SQL Injection vulnerability of RBS Worldpay's payment processing system. Late last year RBS Worldpay suffered a more damaging breach involving the "personal and financial account information of about 1.5 million cardholders and other individuals, and the social security numbers (SSNs) of 1.1 million people."

The New York Times website itself was not breached. A third party ad network vendor they use was serving "scareware" ads on the New York Times site. Martin McKeay points out on his blog:

"it appears that the code wasn't directly on a NYT server, rather it was served up by one of the third-party services that provide ads for the NYT. Once again, it shows that even if you trust a particular site you're visiting, the interaction between that site and the secondary systems supporting it offer a great attack vector for the bad guys to gain access through."

On the other hand, the average user coming to the New York Times site is not aware of this detail and will, quite deservedly, hold the New York Times responsible. Web sites that use third party ad networks to make money must take responsibility for exploits on those ad networks. For now, as usual, end users have to protect themselves.

I recommend that Firefox 3.5 users avail themselves of Adblock Plus and NoScript. Adblock Plus, obviously, blocks ads, and NoScript by default prevents JavaScript from running.

What's particularly interesting about NoScript is that you can allow the JavaScript associated with the site itself to run but not the JavaScript associated with third party sites like advertising networks. Based on my reading of Troy Davis's analysis of the exploit, if you were using Firefox 3.5 and running NoScript with only New York Times JavaScript allowed, you would not have seen the scareware ad.

12. September 2009 · Protect yourself – Anonymized data really isn't · Categories: Identity Theft, Privacy

Just in case you thought there was any hope of maintaining personal privacy, forget it. In fact you must assume your personal information is exposed and take steps to prevent identity theft.

Ars Technica reported this week that law professor Paul Ohm published a paper describing how easy it is to identify specific individuals from "anonymized" data that is released for research purposes and his recommendations for minimizing this type of abuse.

Ars Technica, quoting from Paul Ohm's paper, described the process a graduate computer science student used in the mid-'90s to identify then-governor William Weld of Massachusetts from "anonymized" health records released by the Massachusetts Group Insurance Commission.

Data is anonymized by removing "personally identifiable information" like name, address, and Social Security number. The anonymized data is useful for further statistical analysis by a variety of researchers.

The graduate student showed that she could "reidentify" individuals 87% of the time with only three pieces of information – zip code, date of birth, and sex. The key to her process is the availability of voter rolls, which you can buy for a small fee from any town, at least in Massachusetts. These voter rolls provide the name, address, zip code, birth date, and sex of every voter.
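The defensive counterpart to that linkage is to measure, before releasing data, how many records are unique on the (zip, date of birth, sex) triple, and to coarsen those fields until every record shares its triple with at least k others. The example below is added here and is not from Ohm's paper, the Ars Technica article, or the original post; the health records in `CONSTRUCTED_HEALTH` and the voter roll in `CONSTRUCTED_VOTERS` are constructed, with names and zip codes that are placeholders. It computes the k-anonymity and unique-record fraction of the dataset, shows the voter-roll join that the post describes linking two people at full precision, and shows that generalizing the zip to three digits and the birth date to a year leaves nothing uniquely linkable in this small set.

```python
"""Measure how re-identifiable a 'de-identified' dataset is through its quasi-identifiers."""
from collections import Counter

# Constructed de-identified health records: (zip, date_of_birth, sex, diagnosis).
CONSTRUCTED_HEALTH = [
    ("02138", "1945-07-31", "M", "hypertension"),
    ("02139", "1945-03-02", "M", "asthma"),
    ("02138", "1960-02-14", "F", "diabetes"),
    ("02139", "1960-09-30", "F", "flu"),
    ("02139", "1972-11-02", "M", "flu"),
    ("02139", "1972-11-02", "M", "asthma"),
]

# Constructed public voter roll: (name, zip, date_of_birth, sex). Names are placeholders.
CONSTRUCTED_VOTERS = [
    ("Alice Q.", "02138", "1960-02-14", "F"),
    ("Bob R.", "02139", "1945-03-02", "M"),
    ("Carl S.", "02139", "1972-11-02", "M"),
]


def quasi_identifier(zipcode, dob, sex, zip_digits=5, dob_precision="full"):
    """Build the (zip, dob, sex) key, optionally generalized to coarser values."""
    if dob_precision == "year":
        dob = dob[:4]
    return (zipcode[:zip_digits], dob, sex)


def qid_counts(health, **gen):
    """How many health records share each quasi-identifier."""
    return Counter(quasi_identifier(z, d, s, **gen) for z, d, s, _ in health)


def k_anonymity(health, **gen):
    """Smallest group sharing one quasi-identifier; k == 1 means someone is unique."""
    return min(qid_counts(health, **gen).values())


def unique_fraction(health, **gen):
    """Share of records that are the only one with their quasi-identifier."""
    counts = qid_counts(health, **gen)
    unique = sum(1 for z, d, s, _ in health if counts[quasi_identifier(z, d, s, **gen)] == 1)
    return unique / len(health)


def link_records(health, voters, **gen):
    """{name: diagnosis} for voters whose quasi-identifier is unique on both sides.

    The same generalization is applied to both datasets, which is what a re-identifier
    would have to do once the released data has been coarsened.
    """
    counts = qid_counts(health, **gen)
    diagnosis_by_qid = {quasi_identifier(z, d, s, **gen): diag for z, d, s, diag in health}
    voter_counts = Counter(quasi_identifier(z, d, s, **gen) for _, z, d, s in voters)
    linked = {}
    for name, z, d, s in voters:
        key = quasi_identifier(z, d, s, **gen)
        if counts.get(key) == 1 and voter_counts[key] == 1:
            linked[name] = diagnosis_by_qid[key]
    return linked


if __name__ == "__main__":
    coarse = dict(zip_digits=3, dob_precision="year")
    print("k at full precision:", k_anonymity(CONSTRUCTED_HEALTH))
    print("unique fraction at full precision: %.2f" % unique_fraction(CONSTRUCTED_HEALTH))
    print("linked at full precision:", link_records(CONSTRUCTED_HEALTH, CONSTRUCTED_VOTERS))
    print("k after generalization:", k_anonymity(CONSTRUCTED_HEALTH, **coarse))
    print("linked after generalization:", link_records(CONSTRUCTED_HEALTH, CONSTRUCTED_VOTERS, **coarse))
```

The unique fraction is the number to watch before a release: the 87% figure in the post is exactly this statistic for the full U.S. population on the (zip, birth date, sex) triple. Generalization buys privacy at the cost of analytic precision, and the right level is a policy decision the release process should make explicitly rather than by default.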

Professor Ohm's call for a reexamination of privacy laws and tougher regulation is admirable as this may protect you against disclosure of medical conditions and the like that can be used against you.

However, the biggest threat right now is identity theft. You must assume that your personal information is out there for anyone who wants it. Therefore you must take steps to limit the risk of identity theft. Start by reviewing the offerings of the three credit agencies Equifax, Experian, and TransUnion.