20. January 2011 · Comments Off on ‘Cyberlockers’ present new challenges to music industry · Categories: blog · Tags: , ,

PaidContent.org published an interesting article yesterday entitled, How ‘Cyberlockers’ Became The Biggest Problem In Piracy.

PaidContent uses the term “cyberlocker” to refer to browser-based-based file sharing applications which pose a new challenge to the music industry’s efforts to thwart illegal sharing of music, aka piracy.

The article highlights some of the better known applications like RapidShare, Hotfile, Mediafire, and Megaupload. It also points out that Google Docs qualifies as a cyberlocker, although it’s used mostly for Word and Excel documents.

What the article fails to mention is amount of malware lurking in these cyberlockers. The file you download may be the song you think it is or it may be trojan.

Palo Alto Networks, the Next Generation Firewall manufacturer, has the statistics to corroborate PaidContent’s claim that browser-base file sharing is growing rapidly.

Palo Alto Network’s Applipedia identifies 141 file sharing applications, of which 65 are browser-based.

Any organization which has deployed Palo Alto Networks can control the use of browser-based file sharing with the same ease as the older peer-to-peer file sharing applications.

Furthermore, if you configure Palo Alto to block the “file sharing” sub-category of  applications, not only will all of the known file sharing applications be blocked, but any newly discovered ones will also be blocked. However, there are valid business use cases for using a file sharing application. Therefore you would want an exception for the one you have selected.

Finally should you choose to allow a file sharing application, Palo Alto will provide protection against malware.

19. January 2011 · Comments Off on HIghlights from Sophos threat report · Categories: blog · Tags: , , ,

Highlights from Sophos threat report.

The recently released Sophos Threat Report claims that with more than 50 percent of companies allowing free and open access to social networking sites:

  • 67 percent of users were spammed on social networks – double from when the survey began in 2009 (33.4 percent)
  • 40 percent were sent malware
  • 43 percent were phished – more than double from when the survey began in 2009 (21 percent)

The answer is not totally blocking access to social network sites. People in marketing and sales need access, but they don’t need to be playing Farmville. Also totally blocking all aspects of social network sites might create a morale issue.

Anti-virus can play a role, but a defense-in-depth strategy is needed that includes Next Generation Firewalls.

19. January 2011 · Comments Off on Experi-Metal vs. Comerica Case Heads to Trial — Krebs on Security · Categories: blog · Tags: ,

Experi-Metal vs. Comerica Case Heads to Trial — Krebs on Security.

Detailed update on the upcoming Experi-Metal vs. Comerica trial. In brief, Experi-Metal is suing its bank, Comerica, for money ($560,000) it lost due to fraudulent wire transfers that resulted from a security breach.

The bank, Comerica, claims the fault of the lost money is entirely with Experi-Metal, while Experi-Metal claims that Comerica should have realized that a large number of wire transfer requests within a few hours was suspicious, especially considering it had only done two wire transfers in the two years prior to this incident.

Businesses do not enjoy the same legal protections afforded to consumer banking customers hit by cyber thieves, and most organizations will be held responsible for any losses due to phishing or account takeovers. But a rash of these attacks that has netted thieves more than $70 million over the last few years has caused some victim businesses and their lawyers to look for ways to hold banks more accountable, by pointing out ways in which the banks may not be living up to the somewhat nebulous state legal standards that govern commercial banking activities.

This case and other similar ones are putting pressure on small and mid-size banks, and the outsourcers who provide transaction processing services to them, to strengthen their security posture.

… more banks could and should offer the kind of technology employed by the major credit card networks, which try to build profiles of customer activity and then alert the customer or the issuing bank of any suspicious or unusual activity. But she said a large percentage of banks outsource the day-to-day customer transactions to third-party service providers, most of whom do not currently offer services that would conduct that transaction analysis.

When the costs of improving security posture are lower than the risk-weighted costs due to a breach, then these banks will move. I not mean to appear overly cynical here. It’s the banks’ fiduciary responsibility to move only when the risk analysis scale tips in favor of improving security. That’s what makes this trial so interesting.

17. January 2011 · Comments Off on Top 3 Tools For Busting Through Firewalls — Internet Censorship — InformationWeek · Categories: blog · Tags: , , ,

Top 3 Tools For Busting Through Firewalls — Internet Censorship — InformationWeek.

The three tools described in this article are Tor (The Onion Router), Circumventor, and Glype. If you are unfamiliar with them, here is a brief description. The article provides a deeper analysis of them.

TorTor is nominally used for the sake of anonymity, but also works as a circumvention tool, and its decentralized design makes it resilient to attacks. It started as a U.S. Naval Research Laboratory project but has since been developed by a 501(c)(3) nonprofit, and is open source software available for a variety of platforms. Human Rights Watch, Reporters without Borders, and the United States International Broadcasting Bureau (Voice of America) all advocate using Tor as a way to avoid compromising one’s anonymity. With a little care, it can also be used to route around information blocking.


Circumventor – Developed by Bennett Haslelton of the anti-Internet-censorship site Peacefire.org, Circumventor works a little bit like Tor in that each machine running the Circumventor software is a node in a network.

Circumventor is most commonly used to get around the Web-blocking system in a workplace or school. The user installs Circumventor on an unblocked PC — e.g., their own PC at home — and then uses their home PC as a proxy. Since most blocking software works by blocking known Web sites and not random IP addresses, setting up a Circumventor instance ought to be a bit more effective than attempting to use a list of proxies that might already be blocked.

Glype – The Glype proxy has been created in the same spirit as Circumventor. It’s installed on an unblocked computer, which the user then accesses to retrieve Web pages that are normally blocked. It’s different from Circumventor in that it needs to be installed on a Web server running PHP, not just any old PC with Internet access. To that end, it’s best for situations where a Web server is handy or the user knows how to set one up manually.

While these tools are used in certain countries to bypass censorship, in the U.S. they are mostly used to bypass organizational firewall policies.

In order to block these tunneling and proxy applications, organizations have turned to Palo Alto Networks, the leading Next Generation Firewall manufacturer.

However, the real issue is much bigger than blocking the three most popular tools for bypassing traditional stateful inspection firewalls. Or even peer-to-peer applications. The real goal is to enable a Positive Control Model, i.e. only allow the applications that are needed and block everything else. This is a much harder goal to achieve. Why?

In order to achieve a Positive Control Model, your firewall, not your IPS, has to be able to identify every application you are running. So in addition to the applications the firewall manufacturer identifies, the firewall must give you the ability to identify your home-grown proprietary applications. Then you have to build policies (when possible leveraging your directory service) to control who can use which applications.

Once you have implemented the policies covering all the identified applications the organization is using, and who can use them, then the final policy rule can be, “If application is unknown, then deny.”

Once you have implemented the Positive Control Model, you don’t really care about the next new proxy or peer-to-peer application that is developed. It’s the Negative Control Model that keeps you the never-ending cycle of identifying and blocking every possible undesirable application in existence.

Achieving this Positive Control Model is one of the primary reasons organizations are deploying Palo Alto Networks at the perimeter and on internal network segments.

05. January 2011 · Comments Off on How Will Technology Disrupt the Enterprise in 2011? · Categories: blog · Tags: , , , , ,

How Will Technology Disrupt the Enterprise in 2011?.

Constellation Group’s Ray Wang lists five core disruptive technologies: social, mobile, cloud, analytics, and unified communications.

What’s interesting to us at Cymbel is that each of them require rethinking compliance and security to mitigate the new risks their deployments create for the enterprise. In other words, inadequately addressing the security and compliance risks around these technologies will inhibit deployment.

What are the risks?

  • Social – The new threat vector – the “inside-out” attack, i.e. rather than having to penetrate the enterprise from the outside-in, all a cybercriminal has to do is lure the insider to an external malware-laden web page.
  • Mobile – All the types of attacks we’ve seen over the years against desktops and laptops are finding their way onto smart phones.
  • Cloud – Will you put trade secrets and PII out in a public cloud deployment without protecting them from third party access? How will you verify that no third parties, like the administrators at SaaS companies are not accessing your data?
  • Analytics – Good security technology has only recently taken hold for traditional relational databases that rely on the SQL access language. The new analytics are about new ways of storing and accessing data for analysis. How do you monitor and control access?
  • Unified Communications – Attempting to apply traditional IPSec VPN technology to converged data, voice, and video networks creates unacceptable latency issues and unstable session connections. And MPLS itself does not provide encryption.

Cymbel’s mission is to provide the information security and compliance solutions which enable these technologies. We help our clients rethink and re-implement defense-in-depth.

Darwin said, “It is not the strongest of the species that survive, nor the most intelligent, but the ones most responsive to change.”

As an Information Security and Compliance Solution Provider, we are enablers of technology change.

04. January 2011 · Comments Off on Technical botnet takedowns useless. Technical controls needed. · Categories: blog · Tags: , , , , ,

TrendMicro’s 2010 in Review: No Recession for Cybercrime notes the ineffectiveness of several of the publicized botnet takedowns.

The futility of takedowns was seen when Pushdo/Cutwail was taken down earlier this year. Within days, it was back in business. Similarly, security researchers were able to take down the Waledac botnet in March but, as we noted at the time, the spam levels remained unchanged.

The lesson is that shutting down a botnet by purely technical means doesn’t do anything in the long term; arresting the people responsible is key to fixing the cybercrime threat.

What does this mean to the enterprise? You are on your own. Given the ease with which new botnets can be created and their geographic distribution, the arrests will be interesting but will not significantly reduce the botnet threat.

Cymbel provides three complementary solutions which help you mitigate the risks of botnets:

  • Palo Alto NetworksNext Generation Firewall with integrated Intrusion Prevention, URL Filtering, and botnet command and control communications detection.
  • FireEye – Heuristics-based malware detection with sandboxed suspicious code execution to minimize false positives.
  • Seculert – SaaS-based, External Threat Intelligence which alerts you on your compromised systems by monitoring the botnets themselves.
24. December 2010 · Comments Off on Jeremiah Grossman: Which mountain would you rather climb? · Categories: blog · Tags:

Jeremiah Grossman: Which mountain would you rather climb?.

Jeremiah Grossman discusses web application vulnerability scanning strategy.

Some Web application vulnerability scanners, dynamic and static analysis, are designed for comprehensiveness over accuracy. For others, the exact opposite is true. The tradeoff is that as the number of “checks” a scanner attempts increases causes the amount of findings, false-positives, scan times, site impact, and required man-hour investment to grow exponentially. To allow users to choose their preferred spot between those two points, comprehensiveness and accuracy, most scanners offer a configuration dial typically referred to as a “policy.” Policies essentially ask, “What do you want to check for?” Whichever direction the comprehensiveness dial is turned will have a profound effect on the workload to analyze the results. Only this subject isn’t discussed much.

In other words, you can dial down the vulnerability scanner to achieve regulatory compliance or dial it up and put them in the hands of a skilled web application security analyst to mitigate the risks of web application exploits.

24. December 2010 · Comments Off on Nart Villeneuve — RX-promotion: A Pharma Shop · Categories: blog · Tags:

Nart Villeneuve — RX-promotion: A Pharma Shop.

More than 65% of spam consists of “pharmaceutical spam” sent through a variety of well known spam botnets such as Rustock and Cutwail. These spam messages use multiple shop brands and sell a variety of drugs, especially Viagra. These pills, sometime fake pills, are shipped to buyers from pharma manufacturers, often in India or China.

Nart discusses in detail the pharmaceutical spam affiliate network process which is about as sophisticated as Amazon’s.

23. December 2010 · Comments Off on Financial Cryptography: Ernst & Young called to account — should Audit firms be investigated for their role in the crisis? · Categories: blog · Tags: ,

Financial Cryptography: Ernst & Young called to account — should Audit firms be investigated for their role in the crisis?.

How is it possible that not a single audit firm rang the alarm on any of the financial services clients they were auditing leading up to the financial meltdown of 2008?

Andrew Cuomo, Attorney General for the State of New York, has sued Ernst & Young for its role as Lehman Bros’ auditor.

For me, the big question remains: if we can’t expect an audit firm to pick up any signs of trouble, what can we expect of them? Perhaps we could save our money and do our due diligence another way?

23. December 2010 · Comments Off on The Only Trust Models You’ll Ever Need « The New School of Information Security · Categories: blog · Tags: ,

The Only Trust Models You’ll Ever Need « The New School of Information Security.

What is this “trust’ meme all about? Easy – it’s the other side of the risk coin.”Yet another hypothetical construct.”

IF YOU USE QUALITATIVE RISK STATEMENTS

Trust = Opposite of Risk

So “Low Risk” becomes “High Trust”.

IF YOU USE RISK SCORING WITHOUT MEASUREMENT SCALES

Trust = 1/Risk

So The larger the risk score, the smaller the trust score.