14. August 2010 · Stuxnet – Nation-state attacker threatening critical infrastructure? · Categories: Boundary Defense, Malware

There has been a lot written about the Stuxnet malware in the last several weeks and rightfully so. Stuxnet not only infects Windows computers which supervise industrial control systems, but then goes on to infect the software running on individual Programmable Logic Controllers (PLCs) which control the actual subsystems of those industrial processes. (Each Windows computer controls some number of PLCs which actually run the industrial processes.)

Therefore Stuxnet enables the attacker to remotely cause an industrial automation system to malfunction. It gets even worse – the PLC malware is hidden in a way that PLC software engineers won’t notice the change! Thus Stuxnet is the first known rootkit for industrial control systems.

And the vulnerability Stuxnet exploits was a zero-day. In other words, the vulnerability was not known at the time Stuxnet began. Stuxnet was first detected in late July 2010, but now information is coming out that it really started in 2009! Some are saying that the sophistication of Stuxnet indicates nation-state involvement.

You can read more details (depending on how technical you want to get) from CNET, SC Magazine, Symantec, Kaspersky, and Mandiant.

There has always been a lot of talk about the need to protect critical infrastructure. Now we are seeing a real threat which increases the risk of industrial control incidents, and therefore heightens the priority to deploy Boundary Defense Controls in these environments.

02. August 2010 · Is SSL safe? · Categories: Security-Compliance, Vulnerabilities

Via DarkReading, if you are using the latest version of SSL and it’s configured properly, the answer still may be no, based on two presentations at BlackHat last week.

First, according to Ivan Ristic, the Director of Engineering at Qualys, the main problems with SSL are running old versions of SSL and poor configuration management. Ivan said that half the sites running SSL are still using SSLv2 which has known vulnerabilities. In addition, a statistically large number have invalid certificates.

On the other hand, Robert “RSnake” Hansen and Josh Sokol believe that SSL is broken. They presented some 24 HTTPS/SSL exploitation techniques. Their assessment is that “HTTPS simply cannot guarantee confidentiality and integrity in the browser.”

Ristic countered that while the state of SSL websites is “average” in terms of security, SSL is rarely targeted by attackers today: “I have a disclaimer: SSL is not a common attack vector today because there’s so much low-hanging fruit out there. I think it’s the time to start fixing things, and they can be fixed.”
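To make Ristic’s two points concrete, here is an added example (not from the DarkReading article, Ristic’s talk, or Qualys) of an Apache mod_ssl virtual host in the weak state he describes, followed by the corrected version. The hostname, file paths and certificate names are placeholders; the directives themselves are standard mod_ssl.

```apache
# WEAK: the 2010-era default most sites were running.
# "SSLProtocol all" still negotiates SSLv2, and "SSLCipherSuite ALL"
# admits export-grade, anonymous and NULL ciphers.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite ALL
    # Certificate served without its intermediate chain: browsers
    # that lack the intermediate report the certificate as invalid.
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
</VirtualHost>

# CORRECTED: refuse SSLv2 (the version Ristic flagged; SSLv3 is
# also obsolete), restrict ciphers, let the server pick the
# strongest cipher, and serve the full chain so the certificate
# validates on clients that do not already trust the intermediate.
<VirtualHost *:443>
    # ServerName must match the certificate's subject, otherwise
    # clients see a hostname-mismatch (invalid certificate) warning.
    ServerName www.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!MD5
    SSLHonorCipherOrder on
    SSLCertificateFile      /etc/ssl/certs/example.crt
    SSLCertificateKeyFile   /etc/ssl/private/example.key
    SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
</VirtualHost>
```

After changing the configuration, reload Apache and confirm with a client that an SSLv2 handshake is refused and that the certificate chain validates without warnings; an expired certificate or one whose subject does not match the site name still fails validation no matter how the protocol list is set.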

02. August 2010 · Security awareness still a problem even in enterprise IT organizations · Categories: blog

Via Network World,

Social engineering hackers — people who trick employees into doing and saying things that they shouldn’t — took their best shot at the Fortune 500 during a contest at Defcon Friday and showed how easy it is to get people to talk, if only you tell the right lie.

Contestants got IT staffers at major corporations, including Microsoft, Cisco Systems, Apple and Shell, to give up all sorts of information that could be used in a computer attack, including what browser and version number they were using (the first two companies called Friday were using IE6), what software they use to open pdf documents, their operating system and service pack number, their mail client, the antivirus software they use, and even the name of their local wireless network.

Now I would understand the ease with which social engineering would work with non-IT workers. But this contest was focused on IT workers, who you would think are more security conscious. But I guess after the Robin Sage story, I am not surprised.

02. August 2010 · To block or not to block social media like Facebook · Categories: Palo Alto Networks, Policy Management

Via ReadWriteWebEnterprise, Cisco’s Mid-Year Security Report notes that:

50% of end users admitted to accessing social media tools at work, in spite of company rules, at least once a week. Another 27% have changed the settings on a company device to access prohibited sites or applications. The report notes the security risks, and potential for lost productivity, Facebook and other social media sites present, but doesn’t recommend enterprises block social media sites entirely.

Citing both worker morale and the potential to use the tools for work-related activities, Cisco recommends better security education and social media policies in the workplace instead of technical restrictions that employees would likely route around anyway.

The article also notes Palo Alto Networks’ social media policy capabilities. We believe that Palo Alto Networks, our partner, by far has the most complete social media policy options available.


02. August 2010 · Details of 100 million Facebook users published – lazy consumer marketers love it · Categories: Privacy, Security-Compliance

ITPRO reported that Ron Bowes, a hacker/security consultant from Skull Security, gathered the personal details of 100 million Facebook users from Facebook’s user directory using Facebook’s standard APIs, and published them in a downloadable file on Pirate Bay.

I suppose the fact that Ron only got 20% of the Facebook population is a reflection of how most people have set their privacy settings. This jibes (via ars technica) with a study conducted by researchers at Northeastern and Harvard and published in First Monday showing that college students do in fact care about their privacy on Facebook.

Or maybe Facebook does not really have 500 million users.

What’s even more interesting are the lazy consumer-oriented companies that downloaded the file! I say lazy because they could have done the same thing themselves. Gizmodo published the list of companies!

01. August 2010 · Google Malware double that of Bing, Yahoo, and Twitter combined · Categories: Malware, Security-Compliance

Via Help Net Security, Barracuda recently released its Barracuda Labs 2010 Midyear Security Report, which includes the results of a study it did on search engine and Twitter malware. It focused on 25,000 trending topics over a two month period. The somewhat surprising finding was that the percentage of malware-laden links on Google (69%) exceeded Yahoo! (18%), Bing (12%), and Twitter (1%) combined. The “Searching for Malware, A Comparative Study” section starts on page 56 of the report.

It would have been interesting if the study broke down the results by page. In other words, the percentage of malware found on the first page of the search results, etc. Most people only review the first few pages of a search result.

This provides additional proof of the need for a web-based anti-malware solution. You surely cannot depend on the search engines themselves to do the job.

Full disclosure. Cymbel does partner with Barracuda, but for Web Application Firewalls. For web-based anti-malware, we recommend Zscaler.

01. August 2010 · The attack of the Cookie monsters · Categories: Privacy, Security-Compliance

This past Friday, the Wall Street Journal wrote an extensive article on the “nefarious” techniques web content sites use to help monetize their mostly free content. WSJ calls it “spying.” It implies that users are unaware that it’s happening and are helpless to do anything about it.

First, if you read the WSJ or this blog, you are no longer unaware. Second, most browsers provide tools to protect your privacy while you are browsing and to delete the “cookies.” Third, since most people are unwilling to pay anything for content, the content providers have little choice but to monetize via advertising. In order to achieve reasonable rates, advertisers want to be able to target their ads. Fourth, I believe that most people are OK with the trade-off – free content in exchange for giving up their privacy. If you are not OK with the exchange, see the second point above.

For the most part, I agree with Jeff Jarvis, who takes the Wall St. Journal to task in his post, Cookie Madness.

On the other hand, Wired reported earlier in the week that a lawsuit was filed against Quantcast, a subsidiary of MTV, which allegedly “violated federal computer intrusion law by secretly using storage in Adobe’s Flash player to re-create cookies deleted by users.”

The Wired article goes on to say,

Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not.

Quantcast claims it stopped using this technique in August 2009 after Wired had first brought this technique to light.


28. July 2010 · Apple fixes Safari auto-fill vulnerability · Categories: Vulnerabilities

It looks like Apple was working on a fix for the Safari auto-fill vulnerability after all. According to MacRumors, “As noted in the security documentation accompanying today’s release, Safari 5.0.1 and 4.1.1 address an AutoFill security flaw disclosed last week that could allow a malicious site to obtain a user’s Address Book information, including name, company affiliation, city/state/country, and email address.”

25. July 2010 · The Robin Sage saga – social engineering at its finest · Categories: blog

The Robin Sage story broke in early July and I am late in getting to it. I was going to skip it, but it’s such a good story, I wanted to note it. The Dark Reading version is quite detailed.

The key though is straightforward – people accepted invitations from someone they did not know. It’s that simple. This is a type of “inside-out” social engineering attack vector which has become the primary method of cyber criminals. Why bother with the traditional “outside-in” attack on network device or endpoint software vulnerabilities when all you need to do is lure the victim to a malware-laden web page?

Running a Robin Sage type of “experiment” in your organization should be part of your security awareness training program.

25. July 2010 · Fraud related to virtual goods sales increases to 1.9% · Categories: Fraud, Security-Compliance

The Wall St. Journal is reporting that fraud related to the sale of virtual goods, primarily in online games, increased to 1.9% in 2009. This compares to 1.1% for physical goods. These numbers are coming from CyberSource Corp., a subsidiary of Visa, which provides payment management services including fraud detection related to the sale of digital goods. (We at Cymbel have no relationship with CyberSource or the other vendors like PayPal mentioned in the article.)

While interesting, these numbers are not surprising. As the article states, many of the precautions that can be used in the physical world, like checking the shipping address against the address on the credit card, are not available in the world of purely digital goods.

So for those selling digital goods, selecting a payment processing provider should be just as much about its fraud detection capabilities as processing fees.