28. April 2010 · Comments Off on Blippy’s security/privacy strategy – do they deserve to survive? · Categories: Breaches, IT Security 2.0, Malware, Phishing, Privacy, Risk Management · Tags: , ,

Earlier this week, the CEO of Blippy posted an extensive explanation of the breach they suffered and the steps he is planning to take to improve the site's security and better protect the privacy of the users. I can only hope his explanation of the breach is accurate.

As to his "Plan" going forward, it reveals a shocking, but not untypical, heretofore lax attitude toward protecting the site's users.

I like their Rules page. The intent is to inform Blippy users of "Inappropriate Content and Use of Blippy," However, if I were considering signing up for Blippy, I might consider some of them the risks of using Blippy. Here are examples: 

Impersonation: You may not impersonate others through our
services in a manner that does or is intended to mislead, confuse,
deceive, or harass others.

Serial Accounts: You may not create serial accounts or
relationships in order to evade the block tools or to otherwise disrupt
the Services.

Name Squatting:You may not engage in name-squatting (creating
accounts for the purpose of preventing others from using those account
names or for the purpose of selling those accounts). Accounts that are
inactive for more than 9 months may be removed without further notice.

Links: You may not publish or post content
that disguises the content of a link in a misleading or deceptive way.

Malware/Phishing: You may not publish or link
to malicious content intended to damage or disrupt another user.s
browser or computer or to compromise a user's privacy.

Social Network Spam: Blippy provides a
variety of ways for users to interact with one another. You may not
abuse these tools for the purpose of spamming users. Some of the
behaviors we look at when determining whether an account is spamming
include:

  • The user has followed and unfollowed people in a short time
    period, particularly by automated means.
  • A large number of people are blocking the profile.
  • The number of spam complaints filed against a profile.

And I can only hope that Blippy is taking steps to reduce the risks of these actions and worse. How long will it be before Koobface infiltrates Blippy, or there is a new botnet specifically targeting Blippy called "ypblip?"

13. March 2010 · Comments Off on Verizon Business extends its thought leadership in security incident metrics · Categories: Breaches, Research, Risk Management, Security Management, Theory vs. Practice · Tags: , ,

The Verizon Business Security Incident Response team, whose yearly published Data Breach Investigations Reports I've written about here, has has extended its thought leadership in security incident metrics with the release of its Incident Sharing Framework. Their purpose is to enable those responsible for incident response to "create data sets that can be used and compared because of their
commonality. Together, we can work to eliminate both equivocality (sic) and
uncertainty, and help defend the organizations we serve." The document can be found here.

Of course Verizon Business is a for-profit organization and the license terms are as follows:

Verizon grants you a limited, revocable, personal and nontransferable license to use the Verizon Incident Sharing Framework for purposes of collecting, organizing and reporting security incident information for non-­‐commercial purposes.

Nevertheless, I do hope that this or an alternative incident sharing framework becomes an industry standard which enables the publishing and sharing of a larger number incidents from which we can all learn and improve our security policies and processes.

16. January 2010 · Comments Off on Google discloses breach and new threat type from China – Advanced Persistent Threats · Categories: Advanced Persistent Threat (APT), Books, Botnets, Breaches, Malware, Phishing, Privacy, Risk Management, Security Management, Trade Secrets Theft · Tags: , , , ,

Earlier this week Google took the unprecedented step of disclosing a breach which does not legally require disclosure. Google's reasons for the disclosure are tightly linked to its concerns about human rights in China and its views on China's reasons for breaching Google's email systems. These last two points are well worth discussing and are being discussed at length all over the blogosphere. However, I am going to focus on the security and disclosure issues.

First regarding disclosure, IT risk reduction strategies greatly benefit from public breach disclosure information. In other words, organizations learn best what to do and avoid overreacting to vendor scare tactics by understanding the threats that actually result in breaches. This position is best articulated by Adam Shostack and Andrew Stewart in their book, "The New School of Information Security."

I blogged about Verizon Business's forensic team's empirical 2009 Data Breach Investigations Supplemental Report here. This report shows cause-and-effect between threat types and breaches. You could not ask for better data to guide your IT risk reduction strategies.

Organizations have been so reluctant to publicly admit they suffered breaches, the Federal and many state governments had to pass laws to force organizations to disclose breaches when customer or employee personal information was stolen.

Regarding the attack itself, it represents a type of attack that is relatively new called "advanced persistent threats" (APT) which in the past had primarily been focused on governments. Now they are targeting companies to steal intellectual property. McAfee describes the combination of spear fishing, zero-day threats, and crafted malware here. The implications:

The world has changed. Everyone’s threat model now needs to be adapted
to the new reality of these advanced persistent threats. In addition to
worrying about Eastern European cybercriminals trying to siphon off
credit card databases, you have to focus on protecting all of your core
intellectual property, private nonfinancial customer information and
anything else of intangible value. 

Gunter Ollman, VP of Research at Damballa, discusses APT's further here, focusing on detecting these attacks by detecting and breaking the Command and Control (CnC) component of the threat. The key point he makes is:

Malware is just a tool. The fundamental element to these (and
any espionage attack) lies with the tether that connects the victim
with the attacker. Advanced Persistent Threats (APT), like their bigger
and more visible brother “botnets”, are meaningless without that tether
– which is more often labeled as Command and Control (CnC).

Jeremiah Grossman points out the implications of Google's breach disclosure for all cloud-based product offerings here, countering Google's announcement of Default https access for Gmail.

Indeed, the threat landscape has changed.

28. December 2009 · Comments Off on Verizon Business 2009 DBIR Supplemental Report provides empirical guidance for unifying security and compliance priorities · Categories: Breaches, Compliance, Risk Management, Security Management, Theory vs. Practice · Tags: , , ,

The Verizon Business security forensics group's recently released 2009 Data Breach Investigations Supplemental Report provides common ground between those in the enterprise who are compliance oriented and those who are security oriented. While in theory, there should be no difference between these groups, in practice there is.   

Table 8 on page 28 evaluates the breach data set from the perspective of data types breached. Number one by far is Payment Card Data at 84%. Second is Personal Information at 31%. (Obviously each case in their data set can be categorized in multiple data breach categories.) These are exactly the types of breaches regulatory compliance standards like PCI and breach disclosure laws like Mass 201 CMR 17 are focused on.

Therefore there is high value in using the report's "threat action types" analysis to prioritize risk reduction as well as compliance programs, processes, and technologies.

While the original 2009 DBIR did provide similar information in Figure 29 on page 33, it's the Supplemental report which provides the threat action type analysis that can drive a common set of risk reduction and compliance priorities.

Symantec's Hon Lau, senior security response manager, is reporting that the Koobface worm/botnet began a new attack using fake Christmas messages to lure Facebook users to download the Koobface malware.

This again shows the flexibility of the command and control function of the Koobface botnet. I previously wrote about Koobface creating new Facebook accounts to lure users to fake Facebook (or YouTube) pages.

These Facebook malware issues are a serious security risk for enterprises. While simply blocking Facebook altogether may seem like the right policy, it may not be for two reasons: 1) No access to Facebook could become a morale problem for a segment of your employees, and 2) Employees may be using Facebook to engage customers in sales/marketing activities.

Network security technology must be able to detect Facebook usage and block threats while allowing productive activity.

22. November 2009 · Comments Off on Koobface botnet creates fake Facebook accounts to lure you to fake Facebook or YouTube page · Categories: Botnets, IT Security 2.0, Malware, Network Security, Next Generation Firewalls, Risk Management, Security Policy · Tags: , ,

TrendMicro's Malware Blog posted information about a new method of luring Facebook users to a fake Facebook or Youtube page to infect the user with the Koobface malware agent. 

The Koobface botnet has pushed out a new component that automates the following routines:

  • Registering a Facebook account
  • Confirming an email address in Gmail to activate the registered Facebook account
  • Joining random Facebook groups
  • Adding Facebook friends
  • Posting messages to Facebook friends’ walls

Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human. 

Here is yet another example of the risks associated with allowing Facebook to be used within the enterprise. However simply blocking Facebook may not be an option either because (1) it's demotivating to young employees used to accessing Facebook, or (2) it's a good marketing/sales tool you want to take advantage of.

Your network security solution, for example a next generation firewall, must enable you to implement fine grained policy control and threat prevention for social network sites like Facebook.

NetworkWorld has an interesting article today on the perils of social networking. The article focuses on the risk of employees transmitting confidential data. However, it's actually worse than that. There are also risks of malware infection via spam and other social engineering tactics. Twitter is notorious for its lax security. See my post, Twitter is Dead.

Blocking social networks completely is not the answer just as disconnecting from the Internet was not the answer in the 90's. Facebook, Twitter, and LinkedIn, among others can be powerful marketing and sales tools.

The answer is "IT Security 2.0" tools that can monitor these and hundreds of other web 2.0 applications to block incoming malware and outgoing confidential documents.

26. October 2009 · Comments Off on Evil Maid attack shows that laptop hard drive encryption not the silver bullet · Categories: Breaches, Malware, Risk Management · Tags: , , , ,

As important as laptop hard drive encryption is, it's not the silver bullet for protecting confidential data on laptops. Bruce Schneier described Joanna Rutkowska's "evil maid" attack against a disk encryption product. This type of attack would probably work against any disk encryption product because disk encryption does not defend against an attack where the attacker gets access to your encryption key.

As usual, risk management is about understanding the threat which you are trying to mitigate. Disk encryption does solve the stolen laptop problem. But if an attacker can get access to your laptop multiple times without your realizing it, the evil maid attack can defeat disk encryption.

PGP, a disk encryption vendor, discusses the limitations of disk encryption and as well as other defenses available to protect against evil maid and other attacks.

Bruce Schneier notes that two-factor authentication will defeat the evil maid attack. BTW, don't leave your token in the hotel room for the evil maid to find. 🙂

12. October 2009 · Comments Off on IBM CIO study ranks Risk Management and Compliance #3 of 10 CIO visionary plans · Categories: IT Security 2.0, Risk Management · Tags: , , ,

On September 10th, IBM released the results of a global study (registration required) they conducted of 2,500 CIO's from around the world. Of the ten top "visionary plans," these CIO's ranked Risk Management and Compliance third. Business Intelligence and Analytics was first followed by Virtualization. Also, I found it significant that Customer and Partner Collaboration came in fourth.

Unfortunately, the report did not divulge details of the methodology used beyond saying that over 2,500 CIO's were interviewed. If one grants that IBM is an able marketing organization, it genuinely wants to understand the priorities of CIO's so it can respond with the right services to increase its revenue. Therefore these priorities do represent what CIOs are thinking.

A more cynical opinion would be that this study is simply a marketing tool of IBM Global Services. In this case, IBM Global Services is advising CIOs that Risk Management and Compliance should be their third highest priority. Either way, this report highlights the importance of Risk Management and Compliance.

Looking at the study as a whole, it correlates the use of information technology to drive innovation with higher corporate profits. (Reminder – correlation and causation are not the same thing.)  In addition, information technology creates new risks which must be understood and mitigated.

Perhaps I am writing this because it supports my previously stated position that risk management enables innovation, e.g. Web 2.0 creates new risks which if not mitigated completely outweigh the value.

I just received an email advertisement from a "Web 2.0 security" vendor recommending that I use its product to block the evil Facebook. This is rather heavy handed.

Sales and marketing people want to use Facebook to reach prospects and interact with customers.
Sure there are issues with Facebook, but an all-or-nothing solution does not make sense. A more granular approach is much better. I discussed this issue recently in a post entitled, How to leverage Facebook and minimize risk.