14. December 2010 · Stuxnet’s Finnish-Chinese Connection – The Firewall – the world of security – Forbes

Stuxnet’s Finnish-Chinese Connection – The Firewall – the world of security – Forbes.

While we may never know for sure who created Stuxnet, Jeffrey Carr presents a credible, if circumstantial, case for an alternative originator to the commonly assumed Israel or the United States – the People’s Republic of China (PRC) – for the following reasons:

  • Vacon’s frequency converters are manufactured in Suzhou China.
  • In March, 2009, Chinese Customs arrested two Vacon employees.
  • The genuine digital certificates used by Stuxnet were stolen from RealTek Semiconductor, a Taiwanese company with a subsidiary in Suzhou, China.
  • China has direct access to Windows source code.

The article also discusses what China’s motives might be. You definitely want to read the whole article as well as Carr’s whitepaper.

14. December 2010 · Network Security Blog » Customer information stolen

Network Security Blog » Customer information stolen.

Three database/email server compromises were revealed over the weekend. A business partner of McDonald’s lost their promotional mailing list, Gawker’s entire user database was compromised and posted, and the DeviantArt user mailing list was also stolen, along with additional user information, again through a partner. None of these cases involved financial data; none of these would have been covered in any way by the PCI requirements.

So what is the value to the hackers? Martin sums it up nicely:

The danger with the McDonald’s and DeviantArt compromises isn’t the account names, it’s the potential for phishing and other scams. The phishers now have a validated list of customers they can target their spam at, quite likely starting with fake alerts about the compromise itself to get users to click on links to malicious sites. From there, they can move on to lower impact, less obvious attacks, but that’s how I’d start. The potential of a user trusting an email warning them of danger is quite a bit higher than the other emails.

PS: Walgreen’s customer email list was compromised. Again, no big deal, just email addresses. But as Martin said above, a valid list of email addresses is a great starting point for phishing scams.

13. December 2010 · Jeremiah Grossman: Internet Explorer 9 ad blocking via “Tracing Protection” — no means yes.

Jeremiah Grossman: Internet Explorer 9 ad blocking via “Tracing Protection” — no means yes.

Last week, the FTC issued a report recommending Congress implement Do-Not-Track legislation to help protect consumer privacy. This week, Microsoft detailed “Do-Not-Track” options in the upcoming Internet Explorer 9. Coincidence? Doubtful.

No way Microsoft slammed out the code from scratch in a few short days because the FTC made some recommendation. The IE team clearly saw ad blocking as a good idea despite what they told us before and had ad blocking, errr I mean Tracking Protection, ready to go. Only they might not have had the juice to include it because of the aforementioned road blocks.

Will Mozilla make AdBlock Plus a standard feature of Firefox? AdBlock Plus is the top download in the Privacy & Security category with over 100 million downloads. It has over 8 million daily active users and a 5 star rating with over 2,000 reviews.

Will Mozilla try to match or exceed Microsoft? How will Google react?

Are we going to see a major shift in Internet advertising so it’s more akin to email marketing?

I think we’re witnessing the beginning of a whole new chapter in the ongoing browser war. Now we must ask, when and if Mozilla is going to add the functionality of their #1 extension natively into their browser? How can they now not do so? Can Firefox’s market-share position afford Internet Explorer to be more advanced in privacy protection features? We’ll have to wait and see what they say or do. I’m hopeful they’ll come around as Microsoft did. Even more interesting will be how Google reacts. AdBlock is their most popular add-on as well. The bottom line is these are very good signs for everyone on the Web.

08. December 2010 · Network Security Blog » Connected systems: The NTP server is connected to the SQL DB

Network Security Blog » Connected systems: The NTP server is connected to the SQL DB.

Scoping is one of the most subjective parts of doing a PCI assessment.  What I consider to be a ‘connected system’ and what someone else considers to be the same can sometimes be substantially different.

Martin McKeay points out that not only is PCI scope subjective, but it’s also changing. Martin expects major changes from the Scoping Special Interest Group early next year.

08. December 2010 · From the Concrete To The Hypervisor: Compliance and IaaS/PaaS Cloud – A Shared Responsibility | Rational Survivability

From the Concrete To The Hypervisor: Compliance and IaaS/PaaS Cloud – A Shared Responsibility | Rational Survivability.

Security, and therefore Compliance, in the cloud is a shared responsibility. In other words, no IaaS or PaaS cloud vendor can provide complete compliance since the cloud providers’ responsibilities end at the hypervisor. You, the application provider, are responsible for securing the VM and the applications/data therein.

In the case of an IaaS cloud provider who may achieve compliance from the “concrete to the hypervisor,” (let’s use PCI again,) the customer in turn must have the contents of the virtual machine (OS, Applications, operations, controls, etc.) independently assessed and meet PCI compliance in order that the entire stack of in-scope elements can be described as compliant.

Thus security — and more specifically compliance — in IaaS (and PaaS) is a shared responsibility.

08. December 2010 · Kevin Beaver’s Security Blog: Unbelievable #s in the new Billion Dollar Lost Laptop Study

Kevin Beaver’s Security Blog: Unbelievable #s in the new Billion Dollar Lost Laptop Study.

An Intel-commissioned Ponemon Institute report says that one in ten laptops is lost or stolen during its typical three-year life cycle. The billion dollar number comes from the estimated $49,000 cost associated with each lost laptop incident. While you may disagree with that number, it’s surely higher than simply the cost of the laptop itself.

According to the study only 30% of laptops are encrypted!!

From the InfoWorld article, Corporate America’s lost laptop epidemic:

One way Intel works to ameliorate the problem internally is by letting its workers put their personal information on the computers. People are less cavalier about the security of their laptops when they have their own data on them, said Malcolm Harkins, Intel’s chief information security officer.

06. December 2010 · Researchers Bypass Internet Explorer Protected Mode | threatpost

Researchers Bypass Internet Explorer Protected Mode | threatpost.

A new paper from researchers at Verizon Business identifies a method through which an attacker can bypass Internet Explorer Protected Mode and gain elevated privileges once he’s successfully exploited a bug on the system. Protected Mode in Internet Explorer is one of a handful of key security mechanisms that Microsoft has added to Windows in the last few years. It is often described as a sandbox, in that it is designed to prevent exploitation of a vulnerability in the browser from leading to more persistent compromise of the underlying system. Protected Mode was introduced in Windows Vista and Internet Explorer 7, and other software vendors have followed Microsoft’s lead, introducing sandboxes in applications such as Adobe Reader X and Google Chrome.

The key points and recommended actions are well summarized in Verizon’s own blog post, Evaluating Protected Mode in Internet Explorer:

Since it is not an official security boundary, Microsoft does not guarantee that it will issue patches for bypasses within the monthly patch-cycle.

It can be recommended that domain administrators consider following the steps below to improve the security of Protected Mode Internet Explorer in the enterprise:

  • Ensure that User Access Control (UAC) is enabled, as disabling it will also disable Protected Mode.
  • Ensure that workstation users cannot run as administrators.
  • Enable Protected Mode for all zones where possible.
  • Disable the Local Intranet Zone, or limit the members of the zone as far as possible.
  • Ensure that third-party software vendors create software which does not incorrectly configure Internet Explorer’s elevation policy and introduce privilege escalation bugs that allow malicious code to escape from Protected Mode.
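A read-only audit of the recommendations above, added here as an example (PowerShell written for this page, not code from Verizon’s paper or the original post): it reports whether UAC is on, whether the current user is a local administrator, which zones have Protected Mode enabled, and which third-party elevation policy entries let a program leave the Low-rights sandbox. The registry locations are Microsoft’s documented IE settings; the script assumes it is run as the logged-on user whose HKCU zone settings should be checked.

```powershell
# Added audit example: reports which Protected Mode recommendations are not met
# on this workstation. Read-only; it changes nothing.
function Test-ProtectedModeHardening {
    $findings = @()

    # 1. UAC must stay on: disabling it (EnableLUA = 0) also disables Protected Mode.
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name EnableLUA -ErrorAction SilentlyContinue
    if (-not $sys -or $sys.EnableLUA -ne 1) { $findings += 'UAC is disabled, so Protected Mode is off.' }

    # 2. Workstation users should not run as administrators.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $findings += "$($id.Name) is running as a local administrator."
    }

    # 3. Protected Mode per zone: DWORD 2500 is 0 when enabled, 3 when disabled.
    #    IE defaults enable it only for Internet (3) and Restricted Sites (4).
    $zoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
    foreach ($z in 1..4) {
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$z"
        $pm = (Get-ItemProperty $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
        if ($pm -ne 0) { $findings += "Protected Mode is not set to enabled for the $($zoneNames[$z]) zone (2500 = $pm)." }
    }

    # 4. Elevation policy entries: Policy = 3 lets that program start at medium
    #    integrity from the Low-rights browser, i.e. outside the sandbox. Each one
    #    should be justified by the vendor that installed it.
    $policyRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy')
    foreach ($root in $policyRoots) {
        Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.Policy -eq 3) {
                $findings += "Silent elevation granted to $($p.AppName) ($($p.AppPath)); review with the vendor."
            }
        }
    }
    return $findings
}

$result = @(Test-ProtectedModeHardening)
if ($result.Count -eq 0) { 'All checked Protected Mode recommendations are met.' } else { $result }
```

Run it under the standard user account that browses, not an elevated shell, or check 2 and the HKCU zone values will describe the wrong user.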

06. December 2010 · Enterprise security strategy – Is More Cyber-Security Regulation the Answer? – eWeek Security Watch

Enterprise security strategy – Is More Cyber-Security Regulation the Answer? – eWeek Security Watch.

A survey of critical infrastructure companies by Enterprise Strategy Group reported that the companies with the most industry regulations to address tended to have better security practices, something that did not strike me as all that surprising. What did strike me as somewhat surprising, though, is some of the things people agreed the government should do in regards to cyber-security.

According to the survey (PDF) – which fielded answers from a total of 285 security pros in industries such as food and agriculture, defense and information technology – 39 percent said the government should “enact more stringent cyber-security legislation along the lines of PCI.” Thirty-two percent believed the government should create legislation with higher data breach fines.

It seems to me that the federal government should enact some cyber-security legislation, but not like PCI. Government bureaucracy is too slow moving to be effective. In fact, IMHO, the PCI DSS bureaucracy is too slow moving. PCI DSS 2.0 could have done much more but chose to simply focus on clarifications. I think the federal government should (1) force more and more complete breach disclosure and (2) possibly increase penalties for breaches. The latter was a tactic the government took with HITECH to strengthen HIPAA.

In the meantime, the states have been moving aggressively, e.g. Massachusetts 201 CMR 17.

06. December 2010 · Sparse iPhone, iPad Screen Space Aids Phishers | threatpost

Sparse iPhone, iPad Screen Space Aids Phishers | threatpost.

Pinched screen real estate on iPhone devices may make it easier for users to be fooled into using bogus “phishing” Web sites, according to an analysis by researcher Nitesh Dhanjani.

In a post on the SANS Application Security Street Fighter Blog on Monday, Dhanjani called attention to the common practice of hiding the Web address once Web pages and applications have loaded. That practice, coupled with the ability of application programmers to render screen elements that can mimic real address bars, could throw open the door to the kinds of phishing attacks that modern browsers have long since rendered ineffective.

Dhanjani recommends URLs be displayed within the applications and more importantly that Apple (1) makes this a policy and (2) sets default behaviors to encourage this policy.

You can read Dhanjani’s post in its entirety at Insecure Handling of URL Schemes in Apple’s iOS.

06. December 2010 · Enterprises Riding A Tiger With Consumer Devices | threatpost

Enterprises Riding A Tiger With Consumer Devices | threatpost.

George Hulme highlights two technology trends which are increasing enterprise security risks – employee-owned smartphones and Web 2.0 applications including social networking.

Today, more than ever, employees are bucking efforts to be forced to work on stale and stodgy corporate notebooks, desktops or clunky, outdated mobile phones. They want to use the same trendy smart phones, tablets, or netbooks that they have at home for both play and work. And that, say security experts, poses a problem.

“If you prohibit access to the services people want to use for their jobs, they end up ignoring you and doing it from their own phone or netbook with their own data connection,” says Josh Corman, research director, security at the analyst firm 451 Group. “Workers are always going to find a way to share data and information more efficiently, and people will always embrace ways to do their job as effectively as possible.”

To control and mitigate the risks of using Web 2.0 applications and social networking, we’ve been recommending to and deploying for our clients Palo Alto Networks’ Next Generation Firewalls.

Palo Alto posted a well written response to Hulme’s article, Which is Riskier: Consumer Devices or the Applications in Use? Clearly, Palo Alto’s focus is on (1) controlling application usage, (2) providing intrusion detection/prevention for allowed applications, and (3) blocking the methods people have been using (remote access tools, external proxies, circumventors) to get around traditional network security solutions.

We have been big supporters of the thinking that the focus of information security must shift from protecting devices to protecting information. That is the core of the next generation defense-in-depth architecture we’ve assembled.

Corman agrees that the focus needs to shift from protecting devices to protecting data. “Security managers need to focus on the things they can control. And if they can control the computation platforms, and the entry and exit points of the network, they can control the access to sensitive data, regardless of who is trying to access it,” he says. Corman advises enterprises to deploy, or increase their focus on, technologies that help to control data access: file and folder encryption, enterprise digital rights management, role-based access control, and network segmentation.

Having said that, we are currently investigating a variety of new solutions directly aimed at bringing smartphones under enterprise control, at least for the enterprise applications and data portion of smartphone usage.