30. April 2010 · Four questions to ask your firewall vendor and Gartner on the future of firewalls · Categories: Application Security, Innovation, IT Security 2.0, Network Security, Next Generation Firewalls, Web 2.0 Network Firewalls

Gartner's John Pescatore blogged today about his view on the future of firewalls. Many pundits have opined about enterprise deperimeterization. Not so, says Pescatore: the firewall is not going away, although its functionality is changing in response to changes in technology and in the threat landscape. Gartner calls this new technology "next-generation firewalls."

It is really just border control – we don’t declare countries “deperimeterized” because airplanes were invented, we extend border control into the airport terminals.

Unfortunately, every firewall vendor in the industry has jumped on the term. So, to help you separate marketing fluff from reality, be ready with these questions whenever you are speaking to a firewall vendor:

  • How have you adapted your stateful inspection engine in your next-generation firewall?
  • When in the firewall's packet/session analysis is the application detected?
  • Is all packet analysis performed in a single pass?
  • How does your appliance hardware support your analysis approach?
  • Is there a single user interface for all aspects of policy definition?
  • What is the degradation in performance as functionality is turned on?

If you like the answers, ask for one more thing: show me.

28. April 2010 · Blippy’s security/privacy strategy – do they deserve to survive? · Categories: Breaches, IT Security 2.0, Malware, Phishing, Privacy, Risk Management

Earlier this week, the CEO of Blippy posted an extensive explanation of the breach the site suffered and the steps he plans to take to improve its security and better protect users' privacy. I can only hope his explanation of the breach is accurate.

As for his "Plan" going forward, it reveals a shocking, but not untypical, previously lax attitude toward protecting the site's users.

I like their Rules page. Its intent is to inform Blippy users about "Inappropriate Content and Use of Blippy." However, if I were considering signing up for Blippy, I might read some of these rules as a list of the risks of using Blippy. Here are examples:

Impersonation: You may not impersonate others through our services in a manner that does or is intended to mislead, confuse, deceive, or harass others.

Serial Accounts: You may not create serial accounts or relationships in order to evade the block tools or to otherwise disrupt the Services.

Name Squatting: You may not engage in name-squatting (creating accounts for the purpose of preventing others from using those account names or for the purpose of selling those accounts). Accounts that are inactive for more than 9 months may be removed without further notice.

Links: You may not publish or post content that disguises the content of a link in a misleading or deceptive way.

Malware/Phishing: You may not publish or link to malicious content intended to damage or disrupt another user's browser or computer or to compromise a user's privacy.

Social Network Spam: Blippy provides a variety of ways for users to interact with one another. You may not abuse these tools for the purpose of spamming users. Some of the behaviors we look at when determining whether an account is spamming:

  • The user has followed and unfollowed people in a short time period, particularly by automated means.
  • A large number of people are blocking the profile.
  • The number of spam complaints filed against a profile.

And I can only hope that Blippy is taking steps to reduce the risks of these actions and worse. How long will it be before Koobface infiltrates Blippy, or there is a new botnet specifically targeting Blippy called "ypblip"?
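The spam rule quoted above names the signals Blippy says it looks at: rapid follow/unfollow activity (especially automated), a large number of users blocking the profile, and spam complaints. As an added example that is not Blippy's code and not part of the original post, here is a small Python detector that scores those three signals over a constructed follow/unfollow/block/report log. The log format, the thresholds and the sample accounts are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions chosen for this example, not Blippy's real values.
CHURN_WINDOW = timedelta(minutes=30)  # follow -> unfollow of the same target this fast is churn
CHURN_LIMIT = 5                        # quick follow/unfollow pairs before the profile is flagged
BURST_WINDOW = timedelta(minutes=1)    # this many follows inside the window looks automated
BURST_LIMIT = 20
BLOCKERS_LIMIT = 3                     # distinct users who blocked the profile
REPORTS_LIMIT = 2                      # distinct users who filed a spam complaint


def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> <actor> <action> <target>'."""
    ts, actor, action, target = line.split()
    return datetime.fromisoformat(ts), actor, action, target


def max_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any span of length `window`."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def profile_signals(lines):
    """Aggregate per-profile signals (burst, churn, blockers, reports) from raw log lines."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e[0])
    open_follows = defaultdict(dict)   # actor -> target -> time of the follow
    follow_times = defaultdict(list)   # actor -> follow timestamps in time order
    churn = defaultdict(int)           # actor -> follow/unfollow pairs inside CHURN_WINDOW
    blockers = defaultdict(set)        # target -> users who blocked it
    reporters = defaultdict(set)       # target -> users who reported it
    for ts, actor, action, target in events:
        if action == "follow":
            open_follows[actor][target] = ts
            follow_times[actor].append(ts)
        elif action == "unfollow":
            followed_at = open_follows[actor].pop(target, None)
            if followed_at is not None and ts - followed_at <= CHURN_WINDOW:
                churn[actor] += 1
        elif action == "block":
            blockers[target].add(actor)
        elif action == "report":
            reporters[target].add(actor)
    profiles = set(follow_times) | set(churn) | set(blockers) | set(reporters)
    return {
        p: {
            "burst": max_in_window(follow_times[p], BURST_WINDOW) if follow_times[p] else 0,
            "churn": churn[p],
            "blockers": len(blockers[p]),
            "reports": len(reporters[p]),
        }
        for p in profiles
    }


def spam_reasons(signals):
    """Map each profile to the list of rule names it trips (an empty list means clean)."""
    rules = (
        ("follow_burst", lambda s: s["burst"] >= BURST_LIMIT),
        ("follow_churn", lambda s: s["churn"] >= CHURN_LIMIT),
        ("widely_blocked", lambda s: s["blockers"] >= BLOCKERS_LIMIT),
        ("spam_reports", lambda s: s["reports"] >= REPORTS_LIMIT),
    )
    return {p: [name for name, hit in rules if hit(s)] for p, s in signals.items()}


def constructed_log():
    """Constructed sample log: one automated spammer and two ordinary users."""
    t0 = datetime(2010, 4, 28, 12, 0, 0)
    lines = []
    # spambot follows 25 accounts one second apart, then drops them all five minutes later
    for i in range(25):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} spambot follow user{i}")
        lines.append(f"{(t0 + timedelta(minutes=5, seconds=i)).isoformat()} spambot unfollow user{i}")
    for i in range(4):
        lines.append(f"{(t0 + timedelta(minutes=6, seconds=i)).isoformat()} user{i} block spambot")
    lines.append(f"{(t0 + timedelta(minutes=7)).isoformat()} user1 report spambot")
    lines.append(f"{(t0 + timedelta(minutes=8)).isoformat()} user3 report spambot")
    # alice follows three people over a day and drops one a week later: normal use
    for i, hours in enumerate((0, 5, 20)):
        lines.append(f"{(t0 + timedelta(hours=hours)).isoformat()} alice follow friend{i}")
    lines.append(f"{(t0 + timedelta(days=7)).isoformat()} alice unfollow friend0")
    # bob receives a single complaint, below the report threshold
    lines.append(f"{(t0 + timedelta(hours=1)).isoformat()} alice report bob")
    return lines


if __name__ == "__main__":
    for profile, reasons in sorted(spam_reasons(profile_signals(constructed_log())).items()):
        print(profile, reasons or "clean")
```

The churn rule pairs each unfollow with the earlier follow of the same target, so a user who slowly prunes a friend list is not penalized, while a burst of follows inside one minute is treated as a sign of automation. In practice the thresholds would be tuned against real abuse data, and the four rules are signals to combine, not verdicts on their own.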

26. April 2010 · Treasury Department estimates up to 1.2 million hiding income by using stolen Social Security numbers · Categories: Identity Theft

If the IRS is coming after you for not paying taxes on unreported income, it may be that someone used your Social Security Number on his W-4. According to the Treasury Department's Inspector General for Tax Administration, it happened as many as 1.2 million times in 2007.

Thanks to the Office of Inadequate Security (databreaches.net) for the pointer.

What is worse, the full article on WebCPA says that the IRS lacks procedures to identify this type of identity theft:

TIGTA assessed whether the IRS has procedures to effectively handle collection issues related to ITINs [Individual Taxpayer Identification Numbers]. It found that the IRS lacks internal guidelines for its employees to follow to assist either the taxpayer whose wages are being attached or the legitimate holder of the Social Security number (who may unknowingly be the victim of identity theft).

Just another way identity theft can bite you. It appears there is no way to protect yourself against this one. Perhaps the credit agencies could detect it.

26. April 2010 · 47 health care provider breaches between 9/22/09 and 2/15/10 · Categories: Breaches, Health Care, HIPAA

Health Data Management Magazine's May issue notes that the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) posted 47 breaches of unsecured protected health information in the United States between September 22, 2009 and February 15, 2010.

The criterion for posting is that at least 500 individuals must be affected. In one case, 500,000 people were affected. The actual list is here. As of today, seven more breaches have been posted.

Unfortunately, the information on the list is very disappointing. There are no details of any significance about the breaches. For example, here is the latest entry on the list (as of 4/26/10):

Tomah Memorial Hospital
State: Wisconsin
Approx. # of Individuals Affected: 600
Date of Breach: 3/19/10
Type of Breach: Other
Location of Breached Information: Other

While creating this "wall of shame" has some value, posting more details would surely be more valuable to all health care provider security practitioners.

26. April 2010 · Google discovers privacy flaw in Facebook Graph API · Categories: Privacy

The UK-based Guardian posted a story today that an engineer from Google discovered a flaw in Facebook's Graph API: the events you have attended or plan to attend cannot be kept private.

My reactions are (1) given Facebook's privacy policy trajectory, I am not surprised, and (2) given the threat that Facebook represents to Google, I am not surprised that a person from Google found the flaw.

If anything is going to blunt Facebook's popularity, it's going to be privacy issues. And I say this despite the long history of consumers' willingness to give up privacy to gain convenience, e.g., debit cards.

25. April 2010 · Aurora – Why was Gmail China’s Target? · Categories: Breaches, Privacy

Larry Seltzer has an interesting post about a conversation he had with Mikko Hypponen of F-Secure about the reason for the Operation Aurora attack in China against Google's Gmail service. I wrote about Aurora here and here. However, the question remains: why Gmail and not Yahoo or Microsoft's free email service?

Perhaps it's because only Gmail offers SSL encryption, which prevents an eavesdropper on the wire from reading emails. Since the other free email services don't offer SSL, you can simply sniff the wire to read their users' messages.

End users who have some level of security consciousness gravitate to Gmail. And if you want to read messages on Gmail, you have no choice but to hack the service itself, as you are not going to crack SSL.
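The argument above is that an eavesdropper on the wire can read a webmail session that is not protected by SSL but gets nothing useful from Gmail's SSL-protected one. As an added example, not from the original post and not tied to any of the services named, the following Python script shows what a passive observer recovers from each kind of captured TCP payload: for plaintext HTTP, the request line, session cookie and message body; for SSL/TLS, only what the unencrypted ClientHello reveals, which is the server name in the SNI extension. Both sample payloads are constructed inline; the webmail host name and cookie value are invented.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ")

# Constructed plaintext webmail request: a message being sent over unencrypted HTTP
# with a session cookie. The host name and cookie value are invented for this example.
PLAINTEXT_WEBMAIL = (
    b"POST /mail/send HTTP/1.1\r\n"
    b"Host: webmail.example\r\n"
    b"Cookie: session=9f3c2a1e\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 43\r\n"
    b"\r\n"
    b"to=bob%40example&body=meet+at+noon+tomorrow"
)


def build_client_hello(server_name):
    """Construct a minimal TLS ClientHello record carrying an SNI extension (sample traffic)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name(0), len, name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = struct.pack("!H", 2) + b"\x00\x2f"                # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body = (b"\x03\x03" + bytes(32) + b"\x00"                         # client version, random, empty session id
            + cipher_suites + b"\x01\x00" + extensions)               # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # HandshakeType client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Walk a TLS ClientHello record and return the SNI host name, or None if absent."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9                                   # past the 5-byte record header and 4-byte handshake header
    p += 2 + 32                             # client version + random
    p += 1 + record[p]                      # session id
    (cs_len,) = struct.unpack_from("!H", record, p)
    p += 2 + cs_len                         # cipher suites
    p += 1 + record[p]                      # compression methods
    if p + 2 > len(record):
        return None                         # no extensions block at all
    (ext_total,) = struct.unpack_from("!H", record, p)
    p += 2
    end = min(p + ext_total, len(record))
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, p)
        p += 4
        if ext_type == 0:
            q = p + 2                       # skip server_name_list length
            name_type = record[q]
            (name_len,) = struct.unpack_from("!H", record, q + 1)
            if name_type == 0:
                return record[q + 3:q + 3 + name_len].decode("ascii", "replace")
        p += ext_len
    return None


def parse_plaintext_http(payload):
    """Pull the fields a sniffer cares about out of an unencrypted HTTP request."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, _, rest = lines[0].partition(b" ")
    path = rest.split(b" ")[0]
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode(errors="replace")
    return {"method": method.decode(), "path": path.decode(), "host": headers.get("host"),
            "cookie": headers.get("cookie"), "body": body.decode(errors="replace")}


def sniff(payload):
    """Classify one captured TCP payload and return what a passive observer can read from it."""
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":             # TLS handshake record
        return {"protocol": "tls", "visible": {"server_name": parse_sni(payload)}}
    if payload.startswith(HTTP_METHODS):
        return {"protocol": "http", "visible": parse_plaintext_http(payload)}
    return {"protocol": "unknown", "visible": {}}


if __name__ == "__main__":
    for label, payload in (("plaintext webmail", PLAINTEXT_WEBMAIL),
                           ("SSL webmail", build_client_hello("mail.google.com"))):
        print(label, sniff(payload))
```

The TLS side is what SSL buys the Gmail user: the observer still learns that a connection to the named host was made, but the request, the cookie and the message never cross the wire in the clear. The parser only walks a well-formed ClientHello and returns None otherwise; it is not a general TLS dissector.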

25. April 2010 · Facebook accounts for sale starting at $25 for 1,000 accounts · Categories: IT Security 2.0, Privacy

Dark Reading published a story based on research by VeriSign's iDefense into an underground black market for stolen social networking credentials. One criminal was selling 1,000 Facebook accounts with 10 or fewer friends each for $25, while 1,000 Facebook accounts with 10 or more friends each went for $45.

While this should not be surprising, it is worth noting again how organized cybercrime has become.

22. April 2010 · Ten “Must Haves” for Secure Mobile Device Management · Categories: blog

Smartphones and tablets offer tremendous productivity enhancements because wherever you are, whatever the time of day, you can get access to your entire enterprise – the corporate network, proprietary business applications, and sensitive data – from a device small enough to fit in your pocket.

This era of “the pocket enterprise” also creates serious enterprise risks: employee habits or behaviors that can lead to data loss, exposure of the corporate network, and compliance breaches. Have employees passcode-enabled their devices? Do they abide by the corporate mobile app policies? Have they tampered with the device's security features? Do they sync non-public data using Dropbox or forward it to their Gmail account? And the most pressing question of all: how can the enterprise even begin to answer these questions?

Zenprise, the leader in Secure Mobile Device Management and a Cymbel partner, has recently released a white paper entitled The Ten “Must Haves” for Secure Mobile Device Management.

21. April 2010 · Defense-in-Depth Architecture focused on Applications, Users & Data · Categories: Slides

In response to the five forces of change, our approach to defense-in-depth has changed. Our solutions focus on applications, users, and data. In addition, many of our solutions embrace function consolidation, or unification; for example, in network security, firewall and IPS functionality are unified in next-generation firewalls. Overall, the benefits include:

  • Reduced IT Security risks
  • Reduced costs of meeting regulatory compliance requirements
  • Reduced IT Operations costs
  • Increased IT Service availability and performance
  • Improved IT alignment with business needs

20. April 2010 · Compliance & Security Services · Categories: blog

Cymbel provides a wide range of services related to automating compliance and reducing security risks.

Cymbel uses a four-step process: Assessment, Policy Development, Policy Implementation, Re-assessment. The key to our approach is to gain real visibility during the Assessment step by using automated tools to collect actual operational data.
