28. April 2010 · Blippy’s security/privacy strategy – do they deserve to survive? · Categories: Breaches, IT Security 2.0, Malware, Phishing, Privacy, Risk Management

Earlier this week, the CEO of Blippy posted an extensive explanation of the breach they suffered and the steps he is planning to take to improve the site's security and better protect the privacy of the users. I can only hope his explanation of the breach is accurate.

As to his "Plan" going forward, it reveals a shocking, but not untypical, heretofore lax attitude toward protecting the site's users.

I like their Rules page. The intent is to inform Blippy users of "Inappropriate Content and Use of Blippy." However, if I were considering signing up for Blippy, I might read some of these rules as a list of the risks of using Blippy. Here are examples:

Impersonation: You may not impersonate others through our
services in a manner that does or is intended to mislead, confuse,
deceive, or harass others.

Serial Accounts: You may not create serial accounts or
relationships in order to evade the block tools or to otherwise disrupt
the Services.

Name Squatting: You may not engage in name-squatting (creating
accounts for the purpose of preventing others from using those account
names or for the purpose of selling those accounts). Accounts that are
inactive for more than 9 months may be removed without further notice.

Links: You may not publish or post content
that disguises the content of a link in a misleading or deceptive way.

Malware/Phishing: You may not publish or link
to malicious content intended to damage or disrupt another user's
browser or computer or to compromise a user's privacy.

Social Network Spam: Blippy provides a
variety of ways for users to interact with one another. You may not
abuse these tools for the purpose of spamming users. Some of the
behaviors we look at when determining whether an account is spamming
include:

  • The user has followed and unfollowed people in a short time
    period, particularly by automated means.
  • A large number of people are blocking the profile.
  • The number of spam complaints filed against a profile.

And I can only hope that Blippy is taking steps to reduce the risks of these actions and worse. How long will it be before Koobface infiltrates Blippy, or there is a new botnet specifically targeting Blippy called "ypblip?"

11. April 2010 · More PDF exploits – time to stop downloading PDFs · Categories: Malware

It seems like there is a constant flow of PDF vulnerabilities. Two new ones are highlighted here.

It's time to stop using PC-based PDF readers. I've switched to a browser plug-in called gPDF, which works with IE, Firefox, and Chrome. It opens the PDF file in Google Docs. Google Docs gives you the ability to print it without downloading it. The one issue I have is that there is no apparent way to save the document in Google Docs for future reference. So for that, I save the link in Delicious.

I'm done with downloading PDFs for now – just not worth the risk.

11. April 2010 · Spotlighting the Botnet business model · Categories: Malware, Network Security

TrendLabs has a nice article on the botnet business model. It features an illustration showing the relationships between different botnets including CUTWAIL, BREDO, KOOBFACE, ZEUS, WALEDEC, and others.

The level of cooperation and coordination is stunning. If you are not monitoring for and blocking botnet activity in your organization, you are exposing your organization to serious risks. If you are seeing no botnet activity in your organization, you are not using the right tools.

21. March 2010 · Vulnerability-based Signatures Are Needed To Defend Against Operation Aurora Variations · Categories: Malware

NSS Labs recently tested seven anti-malware products against the actual and variations of the Operation Aurora attack which was successful against Google, Adobe, and as many as 100 other companies. Six out of seven were successful against the specific attack, but only one provided protection against the variations.

NSS Labs points out that only "vulnerability-based" protection can protect against variations of a specific attack. Here are their key findings:

  • Endpoint security products need to focus more on vulnerability protection. Rather than reactively blocking individual attacks, security product vendors should minimize their customers' risk of exposure by insulating them from the vulnerability.
  • An approach based on preventing specific exploits or malware is less desirable due to the reactive nature of identifying exploits and malicious payloads, as well as the nearly infinite methods to evade detection. Only one of the seven endpoint security products tested demonstrated a focus on the vulnerability and blocked more than one exploit variant.

The report provides a comprehensive description of the vulnerability, the Operation Aurora attack, and specific descriptions of exploit-based vs. vulnerability-based signatures.
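To make the exploit-based vs. vulnerability-based distinction concrete, here is a small added example (my own illustration, not code from NSS Labs or from the report). It assumes a constructed toy record format, a 4-byte little-endian length followed by a payload, whose imaginary receiver copies the payload into a fixed 64-byte buffer without checking the length. An exploit-based signature matches the bytes of one captured sample; a vulnerability-based signature flags the condition the bug needs (a payload longer than the buffer), so a variant with different bytes is still caught. The marker string and sample records are constructed for the example.

```python
"""Exploit-based versus vulnerability-based detection on a constructed toy record format.

Record layout (constructed for this example): 4-byte little-endian length + payload.
The imaginary receiver copies the payload into a fixed 64-byte buffer without a length
check; any payload longer than the buffer triggers the bug, whatever bytes it carries.
"""
import struct

BUFFER_SIZE = 64                             # receiver's fixed buffer size (constructed)
KNOWN_EXPLOIT_MARKER = b"SAMPLE-EXPLOIT-1"   # bytes unique to one captured sample (constructed)


def exploit_signature_matches(record: bytes) -> bool:
    """Exploit-based signature: matches one known sample's bytes and nothing else."""
    return KNOWN_EXPLOIT_MARKER in record


def vulnerability_signature_matches(record: bytes) -> bool:
    """Vulnerability-based signature: flags the condition the bug requires to fire
    (payload longer than the receiver's buffer) regardless of payload content."""
    if len(record) < 4:
        return False
    declared_len = struct.unpack("<I", record[:4])[0]
    actual_len = len(record) - 4
    return declared_len > BUFFER_SIZE or actual_len > BUFFER_SIZE


def build_record(payload: bytes) -> bytes:
    """Encode a payload in the toy record format."""
    return struct.pack("<I", len(payload)) + payload


# Constructed samples: a benign record, the captured exploit, and a variant that
# triggers the same overflow with entirely different bytes.
SAMPLES = {
    "benign": build_record(b"hello"),
    "known_exploit": build_record(b"A" * 60 + KNOWN_EXPLOIT_MARKER + b"\x90" * 40),
    "variant": build_record(b"B" * 120),
}


def classify(samples=SAMPLES):
    """Return {name: (exploit_signature_hit, vulnerability_signature_hit)} per sample."""
    return {name: (exploit_signature_matches(r), vulnerability_signature_matches(r))
            for name, r in samples.items()}


if __name__ == "__main__":
    for name, (exploit_hit, vuln_hit) in classify().items():
        print(f"{name:14s} exploit-signature={exploit_hit!s:5s} vulnerability-signature={vuln_hit}")
```

The exploit signature hits only the captured sample; the vulnerability signature hits both the sample and the variant while leaving the benign record alone. The same idea carries over to real products: a vulnerability-based rule is written against the malformed protocol or file-format condition (an oversized field, an out-of-range count), not against the payload bytes of whichever exploit was seen first.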

Click here to read the whole report and find out which vendor has vulnerability-based signature(s) that were able to cope with Operation Aurora variations.

13. March 2010 · Latest Zeus Trojan software release added hardware-based anti-piracy control · Categories: Botnets, Innovation, Malware

The Register reports:

The latest version of the Zeus do-it-yourself crimeware kit goes to
great lengths to thwart would-be pirates by introducing a
hardware-based product activation scheme similar to what's found in
Microsoft Windows.

The newest version with bare-bones capabilities starts at $4,000 and
additional features can fetch as much as $10,000. The new feature is
designed to prevent what Microsoft refers to as "casual copying"
by ensuring that only one computer can run a licensed version of the
program. After it is installed, users must obtain a key that's good for
just that one machine.

To state the obvious, if anyone needed a reminder, the crimeware software industry is big business and maturing. 

In addition The Register reported:

The latest version of Zeus is 1.3.3.7, SecureWorks researcher Kevin Stevens told El Reg.
But the authors are already busy working on version 1.4, which is being
beta tested. It offers polymorphic encryption that allows the trojan to
re-encrypt itself each time it infects a victim, giving each one a
unique digital fingerprint. As a result, anti-virus programs, which
already struggle mightily to recognize Zeus infections, have an even harder time detecting the menace.

No information was provided as to where you could submit your feature requests.

CSOonline published an article entitled, "What Are the Most Overrated Security Technologies?" At the head of the list are, no surprise, Anti-Virus and Firewalls.

Anti-Virus – signature based anti-virus products simply cannot keep up with the speed and creativity of the attackers. What's needed is better behavior anomaly based approaches to complement traditional anti-virus products.

Firewalls – The article talks about the disappearing perimeter, but that is less than half the story. The bigger issue is that traditional firewalls, using stateful inspection technology introduced by Check Point over 15 years ago, simply cannot control the hundreds and hundreds of "Web 2.0" applications. I've written about or referenced "Next Generation Firewalls" here, here, here, here, and here.

IAM and multi-factor authentication – Perhaps IAM and multi-factor authentication belong on the list. But the rationale in the article was vague. The biggest issue I see with access management is deciding on groups and managing access rights. I've seen companies with over 2,000 groups – clearly an administrative and operational nightmare. I see access management merging with network security as network security products become more application, content, and user aware. Then you can start by watching what people actually do in practice rather than theorize about how groups should be organized.

NAC – The article talks about the high deployment and ongoing administrative and operational costs outweighing the benefits. Another important issue is that NAC does not address the current high risk threats. The theory in 2006, somewhat but not overly simplified, was that if we checked the end point device to make sure its anti-virus signatures and patches were up-to-date before letting it on the network, we would reduce worms from spreading.

At present, in practice, (a) worms are not a major security risk, (b) while patches are important, up-to-date anti-virus signatures do not significantly reduce risk, and (c) an end point can just as easily be compromised when it's already on the network.

A combination of (yes again) Next Generation Firewalls for large locations and data centers, and cloud-based Secure Web Gateways for remote offices and traveling laptop users will provide much more effective risk reduction.

A week later, "Operation Aurora," which I discussed in detail here, is still the most important IT security story. PC Magazine provided additional details here.

Early in the week it appeared that the exploit took advantage of a vulnerability in Internet Explorer 6, the version of Microsoft's browser originally released on August 27, 2001. Larry Seltzer blogged about Microsoft's ridiculously long support cycles demanded by corporate customers. Why any organization would allow the use of this nine year old browser is a mystery to me, especially at Google!!

Later in the week, we found out that the exploit could be retooled to exploit IE7 and IE8.

In conclusion, let me restate perhaps the obvious point that a defense-in-depth security architecture can minimize the risk of this exploit:

  • Next Generation Firewall
  • Secure Web Gateway
  • Mail Server well configured
  • Desktop Anti-malware that includes web site checking
  • Latest version of browser, perhaps not Internet Explorer
  • Latest version of Windows, realistically at least XP Service Pack 3, with all patches
  • Database Activity Monitoring
  • Data Loss Prevention
  • Third Generation Security Information and Event Management

16. January 2010 · Google discloses breach and new threat type from China – Advanced Persistent Threats · Categories: Advanced Persistent Threat (APT), Books, Botnets, Breaches, Malware, Phishing, Privacy, Risk Management, Security Management, Trade Secrets Theft

Earlier this week Google took the unprecedented step of disclosing a breach which does not legally require disclosure. Google's reasons for the disclosure are tightly linked to its concerns about human rights in China and its views on China's reasons for breaching Google's email systems. These last two points are well worth discussing and are being discussed at length all over the blogosphere. However, I am going to focus on the security and disclosure issues.

First regarding disclosure, IT risk reduction strategies greatly benefit from public breach disclosure information. In other words, organizations learn best what to do and avoid overreacting to vendor scare tactics by understanding the threats that actually result in breaches. This position is best articulated by Adam Shostack and Andrew Stewart in their book, "The New School of Information Security."

I blogged about Verizon Business's forensic team's empirical 2009 Data Breach Investigations Supplemental Report here. This report shows cause-and-effect between threat types and breaches. You could not ask for better data to guide your IT risk reduction strategies.

Organizations have been so reluctant to publicly admit they suffered breaches, the Federal and many state governments had to pass laws to force organizations to disclose breaches when customer or employee personal information was stolen.

Regarding the attack itself, it represents a relatively new type of attack called "advanced persistent threats" (APT), which in the past had primarily been focused on governments. Now they are targeting companies to steal intellectual property. McAfee describes the combination of spear phishing, zero-day threats, and crafted malware here. The implications:

The world has changed. Everyone’s threat model now needs to be adapted
to the new reality of these advanced persistent threats. In addition to
worrying about Eastern European cybercriminals trying to siphon off
credit card databases, you have to focus on protecting all of your core
intellectual property, private nonfinancial customer information and
anything else of intangible value. 

Gunter Ollmann, VP of Research at Damballa, discusses APTs further here, focusing on detecting these attacks by detecting and breaking the Command and Control (CnC) component of the threat. The key point he makes is:

Malware is just a tool. The fundamental element to these (and
any espionage attack) lies with the tether that connects the victim
with the attacker. Advanced Persistent Threats (APT), like their bigger
and more visible brother “botnets”, are meaningless without that tether
– which is more often labeled as Command and Control (CnC).
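One practical consequence of Ollmann's "tether" point is that the CnC channel is something a defender can look for in ordinary proxy or firewall logs, independent of whether anti-virus recognises the malware. The added example below (my own illustration, not code from Damballa or from the post) flags a source host that contacts the same destination at near-constant intervals, which is how many CnC clients check in. The log lines are constructed for the example and use documentation IP ranges; the column layout, the minimum event count and the regularity threshold are assumptions of this example.

```python
"""Flag (source, destination) pairs whose connections recur at near-constant intervals.

Constructed sample log (not real traffic). Columns, assumed for this example:
    timestamp  src  dst  method  path  status
Host 10.0.0.5 checks in every ~5 minutes; host 10.0.0.7 browses irregularly.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2010-01-16T10:00:00 10.0.0.5 198.51.100.23 GET /update.php 200
2010-01-16T10:05:01 10.0.0.5 198.51.100.23 GET /update.php 200
2010-01-16T10:09:59 10.0.0.5 198.51.100.23 GET /update.php 200
2010-01-16T10:15:00 10.0.0.5 198.51.100.23 GET /update.php 200
2010-01-16T10:20:02 10.0.0.5 198.51.100.23 GET /update.php 200
2010-01-16T10:00:12 10.0.0.7 192.0.2.10 GET /index.html 200
2010-01-16T10:00:45 10.0.0.7 192.0.2.10 GET /news 200
2010-01-16T10:03:10 10.0.0.7 192.0.2.10 GET /img/a.png 200
2010-01-16T10:31:00 10.0.0.7 192.0.2.10 GET /news 200
2010-01-16T10:31:02 10.0.0.7 192.0.2.10 GET /img/b.png 200
"""


def parse_log(text):
    """Group event timestamps by (src, dst) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()[:3]
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def interval_stats(timestamps):
    """Return (average gap in seconds, coefficient of variation of the gaps), or None
    when there are too few events to judge. A CV near 0 means almost identical gaps."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text=SAMPLE_LOG, min_events=4, max_cv=0.1):
    """Return pairs with at least min_events connections whose gaps vary by no more
    than max_cv (relative); thresholds are assumptions of this example."""
    flagged = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue
        stats = interval_stats(stamps)
        if stats is None:
            continue
        avg_gap, cv = stats
        if cv <= max_cv:
            flagged.append({"src": src, "dst": dst, "events": len(stamps),
                            "period_s": round(avg_gap, 1), "cv": round(cv, 4)})
    return flagged


if __name__ == "__main__":
    for hit in find_beacons():
        print(f"beacon candidate: {hit['src']} -> {hit['dst']} every ~{hit['period_s']}s "
              f"({hit['events']} events, cv={hit['cv']})")
```

Legitimate software updaters and monitoring agents also check in on a schedule, so a hit is a triage lead to combine with destination reputation and the host's other behaviour, not a verdict. CnC clients that add random jitter to their check-in interval will score a higher CV and need a looser threshold or a different measure, such as the number of distinct hours in which the pair is active.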

Jeremiah Grossman points out the implications of Google's breach disclosure for all cloud-based product offerings here, countering Google's announcement of Default https access for Gmail.

Indeed, the threat landscape has changed.

05. January 2010 · Adobe PDF exploit detected by only four of 41 anti-virus vendors · Categories: Malware

The Register is reporting on an "unusually sophisticated attack" on the well known Adobe PDF vulnerability that is caught by only four of 41 anti-virus vendors tested by VirusTotal.

As Computerworld and others reported in mid-December, Adobe chose to release the patch to this vulnerability in its normal cycle on January 12, 2010 instead of rushing it out as soon as it was ready.

05. January 2010 · More details on the security risks of IDNs · Categories: Malware, Phishing

A few days ago I wrote about the risks of non-ASCII domain names, i.e. International Domain Names (IDNs). Trend Micro's security research group, TrendLabs, has just released a detailed analysis of the security risks of IDNs.
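The core IDN risk is that a label can mix scripts, or use letters from another script, that render just like an ASCII name. The added example below (my own illustration, not code from TrendLabs or from the earlier post) decodes punycode labels with Python's standard idna codec and then applies two checks: whether a label mixes Unicode scripts, and whether replacing a small set of look-alike letters turns it into a name on a protected list. The confusables table is a hand-picked subset I constructed for the example, not the full Unicode UTS #39 table, and the protected-name list is an assumption.

```python
"""Flag IDN hostnames that mix scripts or imitate a protected name.

Uses Python's built-in 'idna' codec to decode xn-- labels and unicodedata to
derive each letter's script from its Unicode name.
"""
import unicodedata

# Hand-picked subset of Cyrillic and Greek letters that render like Latin letters.
# Constructed for this example; the full list is the Unicode UTS #39 confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",   # Cyrillic с у х і
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                  # Greek ο α ν
}


def decode_label(label: str) -> str:
    """Decode a punycode (xn--) label to Unicode; plain labels are returned as-is."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def scripts_of(label: str) -> set:
    """Set of scripts used by the letters in a label, e.g. {'LATIN', 'CYRILLIC'}.
    Digits, hyphens and marks are treated as script-neutral."""
    scripts = set()
    for ch in label:
        if not unicodedata.category(ch).startswith("L"):
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(label: str) -> str:
    """Replace known look-alike letters with their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze(hostname: str, protected_names) -> list:
    """Return a list of findings (strings) for each suspicious label in hostname."""
    findings = []
    for raw in hostname.lower().split("."):
        label = decode_label(raw)
        scripts = scripts_of(label)
        if len(scripts) > 1:
            findings.append(f"{raw}: mixed scripts {sorted(scripts)}")
        skel = skeleton(label)
        if skel != label and skel in protected_names:
            findings.append(f"{raw}: looks like protected name '{skel}'")
    return findings


if __name__ == "__main__":
    protected = ["paypal", "google"]
    for host in ["paypal.com", "p\u0430ypal.com", "xn--pypal-4ve.com"]:
        print(host, "->", analyze(host, protected) or "ok")
```

The skeleton check catches the whole-script case too (every letter swapped for a Cyrillic look-alike), which the mixed-script check alone would miss. Browsers apply much the same two ideas when deciding whether to display a name as Unicode or fall back to its raw xn-- form.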