27. November 2010 · Gartner: Security policy should factor in business risks · Categories: blog

Gartner: Security policy should factor in business risks.

Understanding the business risk posed due to security threats is crucial for IT managers and security officers, two analysts have claimed.

Viewing and analyzing security threats from a business risk perspective is surely a worthwhile goal.

How do you operationalize this objective? Deploy a Log/SIEM solution with integrated IT/Business Service Management capabilities. These include:

  • Device and Software Discovery
  • Layer 2 and Layer 3 Topology Discovery and Mapping
  • User interface to group devices and applications into IT/Business Services
  • Change Management Monitoring
  • Alerts/Incidents with IT/Business Service context
  • IT/Business Service Management Reports and Dashboards
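
The "alerts with IT/Business Service context" item above is the one that turns a SIEM from a log store into a triage tool. The following Python is an added example, not code from the original post or from any SIEM product: it takes a constructed device-to-service grouping (the output of the discovery and grouping steps in the list), enriches constructed alert lines with the services each device belongs to, scores them by business impact, and rolls them up into a per-service report. Device names, service names, criticality values and the key=value alert format are all assumptions made for the example.

```python
"""Added example (not from the original post): enrich raw security alerts with
IT/Business Service context so that analysts can triage by business impact.
All device names, service names and log lines below are constructed."""

import re
from collections import defaultdict

# Constructed inventory: the result of device discovery plus the analyst's
# grouping of devices into IT/Business Services (assumed data, not real hosts).
SERVICE_MAP = {
    "Online Banking": {"devices": ["web01", "web02", "app01", "db01"], "criticality": 5},
    "Intranet Wiki": {"devices": ["wiki01"], "criticality": 2},
}

# Constructed raw alert lines in a simple "key=value" format.
RAW_ALERTS = [
    "ts=2010-11-27T10:00:01 host=db01 sev=high sig=sql_injection_attempt",
    "ts=2010-11-27T10:00:05 host=wiki01 sev=high sig=brute_force_login",
    "ts=2010-11-27T10:01:00 host=lab07 sev=medium sig=port_scan",
    "ts=2010-11-27T10:02:30 host=web02 sev=low sig=tls_weak_cipher",
]

ALERT_RE = re.compile(r"ts=(\S+) host=(\S+) sev=(\S+) sig=(\S+)")
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3}


def build_device_index(service_map):
    """Invert the service map so each device resolves to its service(s)."""
    index = defaultdict(list)
    for service, info in service_map.items():
        for device in info["devices"]:
            index[device].append(service)
    return index


def parse_alert(line):
    """Parse one constructed key=value alert line; return None if it does not fit."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts, host, sev, sig = m.groups()
    return {"ts": ts, "host": host, "sev": sev, "sig": sig}


def enrich_alerts(raw_lines, service_map=SERVICE_MAP):
    """Attach business-service context and a business-impact score to each alert.

    Impact = technical severity x service criticality. Devices that belong to no
    known service get criticality 1 and are tagged UNMAPPED, so a gap in the
    inventory is itself visible to the analyst instead of silently scoring low."""
    index = build_device_index(service_map)
    enriched = []
    for line in raw_lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        services = index.get(alert["host"], [])
        criticality = max((service_map[s]["criticality"] for s in services), default=1)
        alert["services"] = services or ["UNMAPPED"]
        alert["impact"] = SEVERITY_SCORE.get(alert["sev"], 0) * criticality
        enriched.append(alert)
    # Highest business impact first: the triage order an analyst wants.
    enriched.sort(key=lambda a: a["impact"], reverse=True)
    return enriched


def service_report(enriched):
    """Roll alerts up per IT/Business Service: alert count and summed impact."""
    report = defaultdict(lambda: {"alerts": 0, "impact": 0})
    for alert in enriched:
        for service in alert["services"]:
            report[service]["alerts"] += 1
            report[service]["impact"] += alert["impact"]
    return dict(report)


if __name__ == "__main__":
    ranked = enrich_alerts(RAW_ALERTS)
    for a in ranked:
        print(f"{a['impact']:>2} {a['host']:<7} {a['sig']:<22} {', '.join(a['services'])}")
    print(service_report(ranked))
```

The ordering is the point: a "high" alert on an unmapped lab box would otherwise sit above a "low" alert on the online-banking web tier, and the UNMAPPED bucket in the report shows where discovery and grouping still have gaps.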

25. November 2010 · Schneier on Security: Me on Airport Security · Categories: blog

Schneier on Security: Me on Airport Security.

Short history of airport security from Bruce Schneier:

A short history of airport security: We screen for guns and bombs, so the terrorists use box cutters. We confiscate box cutters and corkscrews, so they put explosives in their sneakers. We screen footwear, so they try to use liquids. We confiscate liquids, so they put PETN bombs in their underwear. We roll out full-body scanners, even though they wouldn’t have caught the Underwear Bomber, so they put a bomb in a printer cartridge. We ban printer cartridges over 16 ounces — the level of magical thinking here is amazing — and they’re going to do something else.

This is a stupid game, and we should stop playing it.

25. November 2010 · Escrow Co. Sues Bank Over $440K Cyber Theft — Krebs on Security · Categories: blog

Escrow Co. Sues Bank Over $440K Cyber Theft — Krebs on Security.

The Choice Escrow and Land Title escrow company had $440,000 stolen from its bank account in one fraudulent online transaction. Choice Escrow is suing the bank, BancorpSouth, Inc. of Tupelo, Miss.

The fraudulent transaction was to a corporate account payee in Cyprus.

Technically the bank is not responsible for commercial account losses unless reported within 48 hours of the transaction. However Choice Escrow is suing on the basis that BancorpSouth did not provide the two-factor authentication required by the Federal Financial Institutions Examination Council (FFIEC).

Even if that were true, two-factor authentication is no longer enough to thwart online banking fraud. The problem is if the end user’s computer is compromised with a “man-in-the-browser” trojan like Zeus, once the authentication process is completed, the illicit transactions are performed while the end user is logged on!!

Think of it this way. No number of locks on your front door will stop a bad guy from walking into your house right behind you after you have opened the door.

We have partnered with Becrypt, who provides a “Trusted Client” solution which (1) resides on an encrypted USB stick which you boot from, or (2) resides on a dedicated PC which you use only for banking.

19. November 2010 · China’s 18-Minute Mystery – Renesys Blog · Categories: blog

China’s 18-Minute Mystery – Renesys Blog.

This is absolutely the best analysis I’ve read of the China internet hijack incident in April 2010.

While the hijacking happened as described in the Congressional report that was released earlier this week, the probability that this was done to steal information is very low. There are far stealthier and surgical approaches available and used on a daily basis.

On the other hand, it shows off the vulnerability of BGP, a core routing protocol of the Internet. While this vulnerability is well known among network security engineers, this incident will bring it to the attention of senior management of Fortune 500 organizations.

Is there anyone left on the planet by now who’s (a) in charge of a large chunk of address space, (b) not monitoring the BGP routing of that space, and (c) not petitioning their service providers to implement best common practices for route filtering?
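
Point (b) in the question above, monitoring the BGP routing of your own address space, reduces to a small check once you have a feed of observed announcements. The Python below is an added example, not code from the Renesys post or from the Cymbel commentary: it compares constructed route announcements against a constructed list of owned prefixes and their expected origin ASNs, and flags both an unexpected origin and any more-specific announcement of the owned space (a more-specific wins longest-prefix match whoever originates it, which is what made the April 2010 event visible). The prefixes, ASNs and announcements are documentation/private-range values made up for the example; a real deployment would read them from a route collector feed.

```python
"""Added example (not part of the Renesys post or the Cymbel commentary):
detect a prefix hijack by checking observed BGP announcements for an
organisation's address space against the origin ASNs it expects.
Prefixes, ASNs and announcements below are constructed sample data."""

import ipaddress

# Constructed: the address space we are responsible for and the ASNs allowed
# to originate it (documentation prefixes and private ASNs, not real ones).
OWNED_PREFIXES = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/24": {64500, 64501},   # dual-homed, two legitimate origins
}

# Constructed sample of announcements as seen from route collectors:
# (prefix, AS path as a list, with the origin AS last).
OBSERVED_ROUTES = [
    ("203.0.113.0/24", [64510, 64500]),          # legitimate
    ("198.51.100.0/24", [64520, 64501]),         # legitimate second origin
    ("203.0.113.0/25", [64530, 64666]),          # more-specific from a foreign AS
    ("198.51.100.0/24", [64540, 64666]),         # exact prefix, wrong origin
    ("192.0.2.0/24", [64550, 64777]),            # not our space, ignored
]


def check_route(prefix_str, as_path, owned=OWNED_PREFIXES):
    """Return a finding dict if the announcement affects owned space, else None.

    Two conditions are flagged: an origin ASN we do not expect, and any
    more-specific announcement of our space, since a more-specific route wins
    longest-prefix match regardless of who originates it."""
    announced = ipaddress.ip_network(prefix_str, strict=False)
    origin = as_path[-1]
    for owned_str, expected_origins in owned.items():
        owned_net = ipaddress.ip_network(owned_str)
        if announced.version != owned_net.version:
            continue
        if announced.subnet_of(owned_net):   # exact match or more-specific
            more_specific = announced.prefixlen > owned_net.prefixlen
            bad_origin = origin not in expected_origins
            if more_specific or bad_origin:
                return {
                    "prefix": prefix_str,
                    "covering": owned_str,
                    "origin": origin,
                    "more_specific": more_specific,
                    "unexpected_origin": bad_origin,
                    "path": as_path,
                }
            return None   # our space, announced as expected
    return None   # outside our address space


def audit_routes(routes, owned=OWNED_PREFIXES):
    """Run check_route over a batch of announcements and collect the findings."""
    return [f for f in (check_route(p, path, owned) for p, path in routes) if f]


if __name__ == "__main__":
    for finding in audit_routes(OBSERVED_ROUTES):
        kind = "more-specific" if finding["more_specific"] else "origin"
        print(f"[{kind}] {finding['prefix']} via AS{finding['origin']} "
              f"covering {finding['covering']} path {finding['path']}")
```

Both findings in the sample would have been silent on the owner's side without monitoring, since the legitimate announcements are still present; only an outside vantage point shows that part of the Internet now prefers the foreign origin.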

15. November 2010 · Researchers take down Koobface servers · Categories: blog

Researchers take down Koobface servers.

Late Friday afternoon, Pacific Time, the computer identified as the command-and-control server used to send instructions to infected Koobface machines was offline. According to Nart Villeneuve the chief research officer with SecDev Group, the server was one of three Koobface systems taken offline Friday by Coreix, a U.K. Internet service provider. “Those are all on the same network, and they’re all inaccessible right now,” Villeneuve said Friday evening.

Villeneuve recently published a detailed paper on Koobface.

Is this the end of Koobface?

Villeneuve has no illusions about Koobface being stopped. “I think that they’ll probably start up pretty soon, and they’ll probably try to recover as many of their bots as soon as they can,” he said.

15. November 2010 · Network Forensics Blog » Blog Archive » Network Forensics and Reversing Part 1 – gzip web content, java malware, and a little JavaScript · Categories: blog

Network Forensics Blog » Blog Archive » Network Forensics and Reversing Part 1 – gzip web content, java malware, and a little JavaScript.

Something I’ve found unsettling for some time now is the drastically increased usage of gzip as a Content-Encoding transfer type from web servers. By default now, Yahoo, Google, Facebook, Twitter, Wikipedia, and many other organizations compress the content they send to your users. From that list alone, you can infer that most of the HTTP traffic on any given network is not transferred in plaintext, but rather as compressed bytes.

The post goes on to claim that most network security solutions are blind to gzipped web traffic.

While I have not done a survey of “most” network security solutions, I can say for sure that Palo Alto Network does automatically decompress gzipped content in hardware and then inspect and apply policies.
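
To make the blind spot concrete, here is an added example in Python, not code from the Network Forensics Blog post or from any vendor: it builds a constructed HTTP response once in plaintext and once with Content-Encoding: gzip, then runs two inspectors over it. The naive one searches the wire bytes, which is what a tool that never decodes the body does; the second reads the Content-Encoding header, decompresses, and only then searches, and it reports rather than crashes when a body claims to be gzip but is not. The indicator string and the page body are constructed stand-ins, not real signatures.

```python
"""Added example (not from the Network Forensics Blog post): why an inspection
tool that pattern-matches raw HTTP bodies is blind to Content-Encoding: gzip,
and what decompress-then-inspect looks like. The HTTP response and the
indicator string are constructed for this example."""

import gzip
import zlib

# Constructed indicator: a substring we want to find in served content
# (stands in for a real signature; not taken from any real malware).
INDICATOR = b"eval(unescape("

# Constructed page body; the repeated filler guarantees the body really
# compresses rather than being emitted as a stored (byte-identical) block.
PLAIN_BODY = (b"<html><head><title>constructed sample page</title></head><body>\n"
              + b"<p>constructed filler paragraph for compression</p>\n" * 6
              + b"<script>eval(unescape('%61%6c%65%72%74'))</script>\n"
              + b"</body></html>\n")


def build_http_response(body, compress):
    """Assemble a minimal HTTP/1.1 response, optionally gzip-encoding the body."""
    payload = gzip.compress(body) if compress else body
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if compress:
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: %d" % len(payload))
    return b"\r\n".join(headers) + b"\r\n\r\n" + payload


def split_response(raw):
    """Split a raw response into a header dict (lower-cased names) and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def naive_inspect(raw, indicator=INDICATOR):
    """What a tool that never decodes the body sees: a byte search on wire data."""
    return indicator in raw


def decoding_inspect(raw, indicator=INDICATOR):
    """Decode the body according to Content-Encoding before searching it.

    The gzip magic bytes are checked first so a mislabelled body does not
    raise inside the inspector; anything undecodable is reported as such
    rather than silently passed as clean."""
    headers, body = split_response(raw)
    encoding = headers.get(b"content-encoding", b"identity").lower()
    if encoding == b"gzip":
        if not body.startswith(b"\x1f\x8b"):
            return {"decoded": False, "match": None, "reason": "gzip header missing"}
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError, zlib.error) as exc:
            return {"decoded": False, "match": None, "reason": f"gzip error: {exc}"}
    elif encoding != b"identity":
        return {"decoded": False, "match": None,
                "reason": f"unsupported encoding {encoding!r}"}
    return {"decoded": True, "match": indicator in body, "reason": None}


if __name__ == "__main__":
    for compress in (False, True):
        raw = build_http_response(PLAIN_BODY, compress)
        print(f"gzip={compress}: naive={naive_inspect(raw)} "
              f"decoding={decoding_inspect(raw)['match']}")
```

The "undecodable" branch matters in practice: a response that advertises gzip but carries something else is itself worth an alert, and an inspector that quietly treats it as no-match has recreated the blind spot by another route.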

15. November 2010 · Thoreau Would Have Wanted You to Block Access to Facebook · Categories: blog

Thoreau Would Have Wanted You to Block Access to Facebook.

John Pescatore harks back 59 years to the first direct-dial transcontinental telephone call, and 100 years before that to when the telegraph was spreading across the U.S., comparing both to Facebook.

Same thing going on in security today – next generation firewalls and secure web gateways are way less about blocking and way more about securely enabling connectivity of people and applications – applications like social networking…

Here are Cymbel’s links to next generation firewalls and secure web gateways.

14. November 2010 · Verizon Incident Classification and Reporting · Categories: blog

Verizon Incident Classification and Reporting.

In an effort to broaden the range of incidents used by Verizon Business’s annual Data Breach Investigations Report beyond those it investigates itself and those provided in 2010 by the Secret Service, Verizon Business’s ICSA Labs has created an application that allows anyone to add incidents using the VERIS Framework.

In return for adding anonymized incident information,

…you will receive a comparative report that frames your incident within the broader VERIS dataset. You will, for instance, know whether your incident was a rare event or one commonly experienced by others and such information can help you decide what, if anything, should be done to prevent similar events in the future.

Is this enough value? Why not allow direct access to the VERIS database through an API? This would allow you to do your own analysis rather than just relying on Verizon’s. Is it possible that third parties, bringing different perspectives and tools, would glean insights that Verizon is missing?

The VERIS Framework is very straightforward. There are three key components to any incident: Agents (actors), Actions, Assets. Perhaps I like it because it’s very similar to a methodology I developed with a colleague for log analysis using the terms Subject, Action, Object, which not coincidentally correspond to the three key parts of a sentence: Subject, Verb, Object.

There is a fourth “A” which stands for Attributes of the above mentioned three A’s. The selection of classification Attributes is critical to effective analysis. For anonymized incident information, Verizon has done a good job in its classification attribute selection.
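
The four A's above, and the "rare event or commonly experienced" comparison the post quotes earlier, fit in a few dozen lines. The Python below is an added example; it is not Verizon's VERIS schema, the ICSA Labs application, or any real API, and the category vocabulary and the dataset are constructed. It defines an Agent/Action/Asset/Attributes record, frames one incident against the dataset by how often its combination occurs, and gives the simple per-axis breakdown that direct access to the data would let a third party compute for itself.

```python
"""Added example (not from the original post, and not Verizon's own VERIS
schema or API): a minimal Agent/Action/Asset/Attribute incident record and a
comparative query over a constructed dataset, producing the kind of
"rare event or commonly experienced" answer the post quotes."""

from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Incident:
    """One incident classified along the four A's. Attribute values are kept
    as a sorted tuple so records hash and compare consistently."""
    agent: str       # who: e.g. external, internal, partner (constructed vocabulary)
    action: str      # what was done: e.g. hacking, malware, misuse, social, error
    asset: str       # what was affected: e.g. server, user device, media, person
    attributes: tuple = field(default_factory=tuple)   # e.g. which security property was lost

    @staticmethod
    def make(agent, action, asset, *attributes):
        return Incident(agent.lower(), action.lower(), asset.lower(),
                        tuple(sorted(a.lower() for a in attributes)))

    @property
    def triple(self):
        return (self.agent, self.action, self.asset)


# Constructed dataset standing in for the shared pool (not real incidents).
DATASET = [
    Incident.make("external", "malware", "user device", "confidentiality"),
    Incident.make("external", "malware", "user device", "confidentiality", "integrity"),
    Incident.make("external", "hacking", "server", "confidentiality"),
    Incident.make("external", "hacking", "server", "confidentiality"),
    Incident.make("external", "hacking", "server", "availability"),
    Incident.make("internal", "misuse", "server", "confidentiality"),
    Incident.make("internal", "error", "media", "confidentiality"),
    Incident.make("partner", "misuse", "server", "confidentiality"),
    Incident.make("external", "social", "person", "confidentiality"),
    Incident.make("external", "physical", "media", "availability"),
]


def compare(incident, dataset=DATASET):
    """Frame one incident against the dataset: how often its agent/action/asset
    combination occurs and how often the same attributes were affected too.
    The share is computed over the dataset only (the new incident is not
    counted), so an unseen combination reports 0.0 and is labelled 'rare'."""
    triples = Counter(i.triple for i in dataset)
    total = len(dataset)
    same_triple = triples[incident.triple]
    exact = sum(1 for i in dataset if i == incident)
    share = same_triple / total if total else 0.0
    verdict = "common" if share >= 0.2 else ("uncommon" if same_triple else "rare")
    return {
        "combination": incident.triple,
        "matches": same_triple,
        "exact_matches": exact,
        "share": round(share, 3),
        "verdict": verdict,
    }


def breakdown(dataset=DATASET, axis="action"):
    """Counts along one axis (agent, action or asset): the simplest form of
    the cross-tabulation an analyst would want from direct dataset access."""
    return dict(Counter(getattr(i, axis) for i in dataset))


if __name__ == "__main__":
    mine = Incident.make("external", "hacking", "server", "confidentiality")
    print(compare(mine))
    print(breakdown(axis="agent"))
```

The 20% threshold for "common" is an arbitrary choice for the example; what the structure buys is that any such threshold, and any cross-tabulation, can be computed by whoever holds the data, which is the argument for an API rather than a single canned report.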

14. November 2010 · Pursuing Koobface and ‘Partnerka’ — Krebs on Security · Categories: blog

Pursuing Koobface and ‘Partnerka’ — Krebs on Security.

Brian Krebs highlights Nart Villeneuve’s detailed analysis of Koobface. This is the most detailed analysis I’ve read about how one type of botnet thrives.

The entrée point for Koobface is almost irresistible: a link sent from a fake “friend” prompting a visit to a video site that purportedly reveals the recipient captured naked from a hidden web cam. Who wouldn’t follow that link? But for the hapless recipient, that one click leads down a Kafka-esque rabbit hole of viruses and Trojan horses, and straight into the tentacles of the Koobface network.

In a sense, Koobface, while malware, is the opposite of Zeus because the value per illicit transaction is very low, while Zeus’s transaction value is very high.

The operators of Koobface have been able to successfully monetize their operations. Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud.

Without a victim, particularly a complainant, it is almost impossible for a police force to justify the resources to investigate a case like Koobface. Police officers ask: what’s the crime? Prosecutors ask: what or whom am I supposed to prosecute? In the case of Koobface, it is almost as if the system were purposefully designed to fall between the cracks of both questions.

New preventive and detective controls are needed to combat this new generation of malware. Think about this:

A recent study by Bell Canada suggested that CA$100 billion out of $174 billion of revenue transiting Canada’s telecommunications infrastructure is “at risk.” The same operator measured over 80,000 “zero day” attacks per day targeting computers on its network — meaning, attacks that are so new the security companies have yet to register them.

Next-generation defense-in-depth includes both preventive and detective controls.

Preventive network security controls must include (1) next generation firewalls which combine application-level traffic classification and policy management with intrusion prevention, and (2) 0-day malware prevention which is highly accurate and has a low false positive rate.

Detective controls must include (1) a Log/SIEM solution which uses extensive contextual information to generate actionable intelligence, and (2) a cloud-based botnet detection service which can alert you to compromised devices on your network.

14. November 2010 · What Web Apps Are Employees Using at Work? · Categories: blog

What Web Apps Are Employees Using at Work?

Here is a summary of the findings of Next Generation Firewall vendor Palo Alto Networks’ semi-annual Application Usage and Risk Report:

Web Mail and Instant Messaging are the most popular applications. Gmail, which is SSL-encrypted, is the most popular by traffic rate. Hotmail and Yahoo claim more users but are behind Gmail in usage. They are also moving to SSL encryption. If your network security solutions cannot decrypt SSL, you are blind to this traffic and to it as a potential data leak vector.

Facebook dominates social networking. No surprise here, but it does highlight the need to be able to monitor and control social networking with a more fine-grained approach than URL blocking, since there are business benefits to allowing some people, particularly sales and marketing, access to certain functions.

File sharing shifting to the browser. The implication is that blocking peer-to-peer file sharing is not sufficient to control file sharing any more.

10% of the applications found can be considered “Enterprise Cloud.” This covers applications like WebEx, GoToMeeting, Salesforce.com, Microsoft Office Live, and Google Docs.