Opinions about information security from a risk management perspective
McAfee (via Network World) just updated its “malware bait list” and Cameron Diaz came in number one.
Most anti-malware vendors, including McAfee offer a service to flag risky sites in search results that appear right in the search results, thus helping you avoid malware-laden web pages.
This is just another example of the “inside-out” attack style which, while rather random, is still a major risk considering that the bad guys watch for popular search terms and build sites to bait people.
I was reviewing Zscaler’s State of the Web – Q2 2010 and was surprised to learn that Zscaler is seeing 16% of web traffic is still using Internet Explorer 6! Since Zscaler can be configured to prevent the use of IE 6, my guess is that IE 6 usage in the general population is even higher.
There is good news though – the trend for IE 6 and IE 7 is down and IE 8 is up, but IE 7 is still the most used browser by far at 25%. Firefox is second at 10%.
Apparently, there ought to be. Sophos’ Graham Cluley has a post about the virally spreading malware, Facebook Dislike button. While Facebook has a legitimate “Like” button, the “Dislike” button is malware.
Both Brian Krebs and Andy Greenberg (Forbes) are reporting that Network Solutions’ “parked” domain-default registered sites that have not been updated, which number between 500,000 to 5 million, have been infected with a compromised widget from GrowSmartBusiness.com.
By compromising GrowSmartBusiness.com, the attackers were then able to compromise the widgets deployed on the third party sites controlled by Network Solutions. While a widget gives a company tremendous leverage, so too it gives attackers leverage.
From a site owner’s perspective, no matter how rigorous you are with the security of your own site, you also must monitor all third party software you allow on your site, such as third party widgets and advertising networks.
From a corporate security perspective, URL filtering by itself provides no security. You may use URL filtering to control internet use, but that’s it. You must check all components of every web page being downloaded by every user with web access, all the time, whether the user is on your site or remote.
Finally, if you have users performing high risk transactions or processes, and those users also can browse the web, you must assume that their computers are compromised.
Critical vulnerabilities appearing in both iPhones and Android phones point to the need for third party security products.
Apparently Juniper and McAfee think so. Juniper recently announced that it was acquiring SMobile Systems for $70 million. McAfee acquired TenCube. Another product in this space is Lookout.
Finally, which operating system do you think is more secure? Do you prefer closed vs. open source? Here is a recent article from Network World discussing this issue.
Bruce Schneier recently blogged about his A Taxonomy of Social Networking Data essay in the IEEE Security & Privacy magazine. There are six categories of data: Service, Disclosed, Entrusted, Incidental, Behavioral, and Derived.
It’s also clear that users should have different rights with respect to each data type. We should be allowed to export, change, and delete disclosed data, even if the social networking sites don’t want us to. It’s less clear what rights we have for entrusted data — and far less clear for incidental data. If you post pictures from a party with me in them, can I demand you remove those pictures — or at least blur out my face? (Go look up the conviction of three Google executives in Italian court over a YouTube video.) And what about behavioral data? It’s frequently a critical part of a social networking site’s business model. We often don’t mind if a site uses it to target advertisements, but are less sanguine when it sells data to third parties.
There has been a lot written about the Stuxnet malware in the last several weeks and rightfully so. Stuxnet not only infects Windows computers which supervise industrial control systems, but then goes on to infect the software running on individual Programmable Logic Controllers (PLCs) which control the actual subsystems of those industrial processes. (Each Windows computer controls some number of PLCs which actually run the industrial processes.)
Therefore Stuxnet enables the attacker to remotely cause an industrial automation system to malfunction. It gets even worse – the PLC malware is hidden in a way that PLC software engineers won’t notice the change! Thus Stuxnet is the first known rootkit for industrial control system.
And the vulnerability Stuxnet exploits was zero-day. In other words, the vulnerability was not known at the time Stuxnet began. Stuxnet was first detected in late July 2010, but now information is coming out that it really started in 2009! Some are saying that the sophistication of Stuxnet indicates nation-state involvement.
You can read more details (depending on how technical you want to get) from CNET, SC Magazine, Symantec, Kaspersky, and Mandiant.
There has always been a lot of talk about the need to protect critical infrastructure. Now we are seeing a real threat which increases the risk of industrial control incidents, and therefore heightens the priority to deploy Boundary Defense Controls in these environments.
Via DarkReading, if you are using the latest version of SSL and it’s configured properly, the answer still may be no, based on two presentations at BlackHat last week.
First, according to Ivan Ristic, the Director of Engineering at Qualys, the main problems with SSL are running old versions of SSL and poor configuration management. Ivan said that half the sites running SSL are still using SSLv2 which has known vulnerabilities. In addition, a statistically large number have invalid certificates.
On the other hand, Robert “RSnake” Hansen and Josh Sokol believe that SSL is broken. They presented some 24 HTTPS/SSL exploitation techniques. Their assessment is that “HTTPS simply cannot guarantee confidentiality and integrity in the browser.”
Ristic countered with, “While the state of SSL websites is “average” in terms of security, SSL is rarely targeted by attackers today. “I have a disclaimer: SSL is not a common attack vector today because there’s so much low-hanging fruit out there. I think it’s the time to start fixing things, and they can be fixed.”
Via Network World,
Social engineering hackers — people who trick employees into doing and saying things that they shouldn’t — took their best shot at the Fortune 500 during a contest at Defcon Friday and showed how easy it is to get people to talk, if only you tell the right lie.
Contestants got IT staffers at major corporations, including Microsoft, Cisco Systems, Apple and Shell, to give up all sorts of information that could be used in a computer attack, including what browser and version number they were using (the first two companies called Friday were using IE6), what software they use to open pdf documents, their operating system and service pack number, their mail client, the antivirus software they use, and even the name of their local wireless network.
Now I would understand the ease with which social engineering would work with non-IT workers. But this contest was focused on IT workers whom you would think are more security conscious. But I guess after the Robin Sage story, I am not surprised.
Via ReadWriteWebEnterprise, Cisco’s Mid-Year Security Report notes that:
50% of end users admitted to accessing social media tools at work, in spite of company rules, at least once a week. Another 27% have changed the settings on a company device to access prohibited sites or applications. The report notes the security risks, and potential for lost productivity, Facebook and other social media sites present, but doesn’t recommend enterprises block social media sites entirely.
Citing both worker morale and the potential to use the tools for work-related activities, Cisco recommends better security education and social media policies in the work place instead of technical restrictions that employees would likely route-around anyway.
The article also notes Palo Alto Networks’ social media policy capabilities. We believe that Palo Alto Networks, our partner, by far has the most complete social media policy options available.
