Opinions about information security from a risk management perspective
The excitement of World Cup Soccer is increasing. Do you know how many people in our organization are watching matches during the work day? How much Internet bandwidth is being consumed? What about the active malware campaigns leveraging the tournament?
Palo Alto Networks has a blog post detailing its World Cup Soccer video controls and protection capabilities called Prepare for Soccer Hooliganism 2.0.
IRC-Junkie is reporting that researchers at TU Wien (Vienna University of Technology, Austria) have developed a software program that performs a “man-in-the-middle” attack between IRC users causing them to click on malicious links at a 76% click rate. As opposed to impersonating a user and attempting to perform one side of the conversation, this program sits between two users and simply makes changes to the words and inserts malicious links.
The so called “HoneyBot” is capable of influencing the ongoing conversation by “dropping, inserting, or modifying messages” and the researchers assert that “if links (or questions) are inserted into such a conversation, they will seem to originate from a human user” and therefore the click-probability will be “higher than in artificial conversation approaches”.
It seems to me that the high click rate is due to the lack of knowledge that such an attack is even possible and therefore people are not in the least bit suspicious. If HoneyBots become more prevalent, people will be more on guard.
In any case, approach each link cautiously – hover over the link and inspect the URL that is displayed at the bottom of the browser. If you cannot determine exactly where the URL is going to take you, don’t click on it.
Another thought, how long before we see this type of attack in the wild on Facebook?
IRC-Junkie is reporting that researchers at TU Wien (Vienna
University of Technology, Austria) have developed a software program
that performs a "man-in-the-middle" attack between IRC users causing
them to click on malicious links at a 76% click rate. As opposed to
impersonating a user and attempting to perform one side of the
conversation, this program sits between two users and simply makes
changes to the words and inserts malicious links.
The so called "HoneyBot" is capable of influencing the
ongoing conversation by “dropping, inserting, or modifying messages”
and the researchers assert that “if links (or questions) are
inserted into such a conversation, they will seem to originate from a
human user” and therefore the click-probability will be “higher
than in artificial conversation approaches”.
It seems to me that the high click rate is due to the lack of
knowledge that such an attack is even possible and therefore people are
not in the least bit suspicious. If HoneyBots become more prevalent,
people will be more on guard.
In any case, approach each link cautiously – hover over the link and
inspect the URL that is displayed at the bottom of the browser. If you
cannot determine exactly where the URL is going to take you, don't click
on it.
Another thought, how long before we see this type of attack in the
wild on Facebook?
What kind of access to Facebook do you give your employees? What about those in Marketing who want to use Facebook to monitor a competitor’s social marketing efforts? Or just gather competitive intelligence? Completely blocking Facebook for everyone in the organization may not make sense anymore because there are legitimate business uses for Facebook.
Palo Alto Networks has been a leader in enabling fine-grained policy control of web-based applications. Today, they extended their Facebook policy capabilities by creating a “Read-Only” option. I have no doubt that this was a customer driven enhancement to their already robust Facebook policy capabilities.
This is a great example of enabling business value while minimizing risk.
Slate recently published an article entitled, “The End of Malware?” The sub-title is, “How Android, Chrome, and the iPad are shielding us from dastardly programs.” The premise trotted out the usual, Windows is insecure; Android, Chrome, and the iPad are more secure because they deploy sandboxing technology, i.e. restricting an application’s access to operating system resources.
While this may be a good thing, it is hardly the “end of malware.” Not even close.What the author is missing is the intent and motiviation of the bad guys. They go where the money is, i.e. where there is the opportunity to steal cash from people’s bank accounts, steal credit card information, steal intellectual property they can sell. At present, these opportunities are minimal on Android, Chrome, and iPads. Once there is critical mass for profitable hacking, you will definitely see an increase in exploits on these devices.
Now even with limited opportunities for profitable hacking we are starting to hear about vulnerabilities on these devices. Just yesterday I wrote about a Massive iPhone Security Issue where passcode protected content on the iPhone can be accessed by simply attaching the device to a computer running Ubuntu or OSX. Therefore, if you lose your iPhone, your passcode protection is useless.
If you need to hear more, check out the June 3 article in the Wall St. Journal, Dark Side Arises for Phone Apps. Here are some key quotes, first on Google:
In one incident, Google pulled dozens of unauthorized mobile-banking apps from its Android Market in December. The apps, priced at $1.50, were made by a developer named “09Droid” and claimed to offer access to accounts at many of the world’s banks. Google said it pulled the apps because they violated its trademark policy.
The apps were more useless than malicious, but could have been updated to capture customers’ banking credentials, said John Hering, chief executive of Lookout, a mobile security provider. “It is becoming easier for the bad guys to use the app stores,” Mr. Hering said.
And on Apple:
Apple vets applications before they appear in its App Store, but risks still exist. In July 2008, Apple pulled a popular game called Aurora Feint from its store after it was discovered to be uploading users’ contact lists to the game maker’s servers. More recently, it yanked hundreds of apps it said violated its policies, some out of security concerns.
In conclusion, while sandboxing is a good idea, there is no silver bullet when it comes to security.
Slate recently published an article entitled, "The End of
Malware?" The sub-title is, "How Android, Chrome, and the iPad are
shielding us from dastardly programs." The premise trotted out the
usual, Windows is insecure; Android, Chrome, and the iPad are more
secure because they deploy sandboxing technology, i.e. restricting an
application's access to operating system resources.
While this may be a good thing, it is hardly the "end of malware."
Not even close.What the author is missing is the intent and motiviation
of the bad guys. They go where the money is, i.e. where there is the
opportunity to steal cash from people's bank accounts, steal credit card
information, steal intellectual property they can sell. At present,
these opportunities are minimal on Android, Chrome, and iPads. Once
there is critical mass for profitable hacking, you will definitely see
an increase in exploits on these devices.
Now even with limited opportunities for profitable hacking we are
starting to hear about vulnerabilities on these devices. Just yesterday I
wrote about a Massive iPhone
Security Issue where passcode protected content on the iPhone can be
accessed by simply attaching the device to a computer running Ubuntu or
OSX. Therefore, if you lose your iPhone, your passcode protection is
useless.
If you need to hear more, check out the June 3 article in the Wall
St. Journal, Dark Side Arises for Phone Apps. Here are some key
quotes, first on Google:
In one incident, Google pulled dozens of unauthorized
mobile-banking apps from its Android Market in December. The apps,
priced at $1.50, were made by a developer named "09Droid" and claimed
to offer access to accounts at many of the world's banks. Google said
it pulled the apps because they violated its trademark policy.The apps were more useless than malicious, but could have been
updated to capture customers' banking credentials, said John Hering,
chief executive of Lookout, a mobile security provider. "It is becoming
easier for the bad guys to use the app stores," Mr. Hering said.
And on Apple:
Apple vets applications before they appear in its App
Store, but risks still exist. In July 2008, Apple pulled a popular game
called Aurora Feint from its store after it was discovered to be
uploading users' contact lists to the game maker's servers. More
recently, it yanked hundreds of apps it said violated its policies,
some out of security concerns.
In conclusion, while sandboxing is a good idea, there is no silver
bullet when it comes to security.
ReadWriteEnterprise is reporting that:
Content stored on an iPhone 3GS with passcode
protection can be accessed without the passcode simply by attaching the
device to a computer running the latest version of Ubuntu or a Windows
or OSX system running off the shelf software such as iPhone Explorer.
This flaw was discovered by Bernd Marienfeld, an information
security professional and blogger, last week. Recently, the enterprise
has seen a steep increase in the adoption of the iPhone and iPad. But Apple will need to
aggressively address security concerns such as these in order to gain
and hold market share.
Read the whole article here.
ReadWriteEnterprise is reporting that:
Content stored on an iPhone 3GS with passcode protection can be accessed without the passcode simply by attaching the device to a computer running the latest version of Ubuntu or a Windows or OSX system running off the shelf software such as iPhone Explorer. This flaw was discovered by Bernd Marienfeld, an information security professional and blogger, last week. Recently, the enterprise has seen a steep increase in the adoption of the iPhone and iPad. But Apple will need to aggressively address security concerns such as these in order to gain and hold market share.
Read the whole article here.
An important part of Cymbel’s approach to IT Security and Compliance leverages the SANS Twenty Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines (20CC). We have embraced 20CC for the following reasons:
If there is any weakness to the 20CC, it’s the consensus nature of it. However, in our opinion this weakness is only reflected in its understandable unwillingness to recommend a solution that would inure to the benefit of a single manufacturer. This is particularly reflected in the “Boundary Defense” control which recommends stateful inspection firewalls and separate Intrusion Prevention Systems.
For boundary defense, Cymbel recommends the only next-generation firewall on the market – Palo Alto Networks. That’s not just us saying it. Gartner said it in its 2010 Enterprise Firewall Magic Quadrant.
I would love to hear your opinions on the SANS Twenty Critical Security Controls.
Today, we at Cymbel are launching our new website. The purpose of the new site is to better express our vision and mission as a company to our existing clients and to potential clients considering Cymbel to help them meet security and compliance objectives.
Cymbel is an IT Solutions Provider, 100% focused on security and compliance. We were founded in 2000 and have just entered our eleventh year in business.
I can boil down our mission to seven words – help our clients rethink defense-in-depth. We are witnessing major changes in technology, threats, the economy and our clients’ business needs and compliance requirements. Due to these changes, the traditional approach to defense-in-depth is simply not effective. We have developed a next-generation architecture focused on applications, users, and data.
I would like to remind readers that this site is a work in progress. We decided to launch today because we felt we were far enough along that our clients and potential clients would benefit. We will continue making improvements in content and infrastructure.
Finally, we made sure that it’s easy for you the reader to provide feedback to us. If you would like more information on a topic or product, or if you disagree with any of our opinions, we would love to hear from you.
