20. April 2010 · Compliance & Security Services · Categories: blog

Cymbel provides a wide range of services related to automating compliance and reducing security risks.

Cymbel uses a four-step process: Assessment, Policy Development, Policy Implementation, Re-assessment. The key to our approach is to gain real visibility during the Assessment step by using automated tools to collect actual operational data.


17. April 2010 · Apache infrastructure breach analysis is a model of forthrightness and a learning experience · Categories: Breaches

Last week, the Apache infrastructure team disclosed a breach of their issue tracking software in which an XSS exploit led to root access, which in turn led to compromised passwords. What makes it interesting is the level of detail they provided about the breach: which security policies worked, which did not, and what they are changing to reduce the risk of another such breach. No attempt at security by obscurity here. McAfee Labs did a nice blog post on it.

Do you think the use of Apache is going to go up or down? IMHO, the breach will have no effect or might actually increase Apache usage. The reality is that all organizations have breaches regularly. Sharing detailed information like this helps us improve our security.

BTW, if your organization is not experiencing breaches, it's due to lack of visibility.

15. April 2010 · Conventional password policy recommendations questioned · Categories: Security Policy

Microsoft researcher Cormac Herley recently published a paper casting doubt on the economic value of following conventional password policy recommendations. Whether you agree with Herley or not, his economic analysis is well worth reading.

Security Watch has a nice summary.

11. April 2010 · More PDF exploits – time to stop downloading PDFs · Categories: Malware

It seems like there is a constant flow of PDF vulnerabilities. Two new ones are highlighted here.

It's time to stop using PC-based PDF readers. I've switched to a browser plug-in called gPDF, which works with IE, Firefox, and Chrome. It opens the PDF file in Google Docs, and Google Docs lets you print it without downloading it. The one issue I have is that there is no apparent way to save the document in Google Docs for future reference. So for that, I save the link in Delicious.

I'm done with downloading PDFs for now – just not worth the risk.

11. April 2010 · Spotlighting the Botnet business model · Categories: Malware, Network Security

TrendLabs has a nice article on the botnet business model. It features an illustration showing the relationships between different botnets including CUTWAIL, BREDO, KOOBFACE, ZEUS, WALEDEC, and others.

The level of cooperation and coordination is stunning. If you are not monitoring for and blocking botnet activity in your organization, you are exposing your organization to serious risks. If you are seeing no botnet activity in your organization, you are not using the right tools.

26. March 2010 · HSBC database breach highlights need for better database security · Categories: Breaches, Database Activity Monitoring

Dark Reading is reporting that more details are emerging about the HSBC database breach; it now appears that data on 25% of HSBC's private clients' accounts was stolen by a "privileged" user.

Click on the Database Activity Monitoring Category on the right for my other posts about the need for Database Activity Monitoring.

26. March 2010 · TJX hacker sentenced to 20-year prison term · Categories: Breaches, Legal

The IDG News Service is reporting:

Hacker mastermind Albert Gonzalez was sentenced Thursday in U.S. District Court to two concurrent 20-year stints in prison for his role in what prosecutors called the "unparalleled" theft of millions of credit card numbers from major U.S. retailers.

The retailers who suffered breaches were TJX, Office Max, DSW, and Dave & Buster's. Gonzalez was also involved in the well-known breaches at Heartland Payment Systems, Hannaford Supermarkets, and the 7-Eleven chain.

I applaud the stiff sentence, but I don't think this will have much effect on reducing cyber crime for two reasons:

  • The percentage of cyber criminals who are caught is very low.
  • Much of the activity now is coming from parts of the world where getting cooperation from local governments is difficult. In fact, some believe the governments are abetting the criminals.

Read more of the details here.

21. March 2010 · Vulnerability-based Signatures Are Needed To Defend Against Operation Aurora Variations · Categories: Malware

NSS Labs recently tested seven anti-malware products against the actual Operation Aurora attack, which was successful against Google, Adobe, and as many as 100 other companies, and against variations of it. Six out of seven blocked the specific attack, but only one provided protection against the variations.

NSS Labs points out that only "vulnerability-based" protection can protect against variations of a specific attack. Here are their key findings:

  • Endpoint security products need to focus more on vulnerability protection. Rather than reactively blocking individual attacks, security product vendors should minimize their customers' risk of exposure by insulating them from the vulnerability.
  • An approach based on preventing specific exploits or malware is less desirable due to the reactive nature of identifying exploits and malicious payloads, as well as the nearly infinite methods to evade detection. Only one of the seven endpoint security products tested demonstrated a focus on the vulnerability and blocked more than one exploit variant.

The report provides a comprehensive description of the vulnerability, the Operation Aurora attack, and specific descriptions of exploit-based vs. vulnerability-based signatures.
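The distinction NSS Labs draws is easiest to see in code. The following is an added example, not NSS Labs' or any vendor's code: it defines a constructed toy record format whose hypothetical flaw is a name field copied into a 32-byte buffer, then compares an exploit-based signature (a byte pattern lifted from the one sample that was analysed) with a vulnerability-based signature (a check on the length condition that triggers the flaw). Every variant that changes the filler or trailing bytes slips past the pattern but is caught by the condition check. The record layout, buffer size and placeholder payload bytes are all assumptions made for illustration.

```python
"""Exploit-based vs vulnerability-based signatures on a constructed toy format.

The 'vulnerability' is hypothetical: a parser that copies the name field of a
record into a 32-byte buffer, so any name longer than 32 bytes triggers it.
Record layout (constructed): 1-byte version, 2-byte big-endian name length, name.
"""
import re
import struct

BUFFER_SIZE = 32  # assumed size of the buffer the hypothetical parser copies into


def build_record(name: bytes, version: int = 1) -> bytes:
    """Build a record in the constructed format."""
    return struct.pack(">BH", version, len(name)) + name


# The one exploit sample that was analysed; the trailing bytes are a
# constructed placeholder, not real payload.
KNOWN_EXPLOIT = build_record(b"A" * 40 + b"\xde\xad\xbe\xef")

# Exploit-based signature: a byte pattern derived from that single sample.
EXPLOIT_SIGNATURE = re.compile(rb"A{40}\xde\xad\xbe\xef")


def exploit_signature_match(data: bytes) -> bool:
    """Reactive check: does the data contain the known payload pattern?"""
    return EXPLOIT_SIGNATURE.search(data) is not None


def vulnerability_signature_match(data: bytes) -> bool:
    """Condition check: does the declared name length exceed the parser's buffer?"""
    if len(data) < 3:
        return False
    _version, name_len = struct.unpack(">BH", data[:3])
    return name_len > BUFFER_SIZE


# Variants of the same attack: different filler, different tail, longer field.
# All still satisfy the triggering condition (name longer than 32 bytes).
VARIANTS = {
    "original": KNOWN_EXPLOIT,
    "different_filler": build_record(b"B" * 40 + b"\xde\xad\xbe\xef"),
    "different_tail": build_record(b"A" * 40 + b"\xca\xfe\xba\xbe"),
    "longer": build_record(b"A" * 200),
}
BENIGN = build_record(b"alice")  # a normal, short name


def evaluate() -> dict:
    """Return, per sample, the verdict of each detection approach."""
    results = {}
    for label, sample in list(VARIANTS.items()) + [("benign", BENIGN)]:
        results[label] = {
            "exploit_sig": exploit_signature_match(sample),
            "vuln_sig": vulnerability_signature_match(sample),
        }
    return results


if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{label:17s} exploit-based={verdict['exploit_sig']!s:5s} "
              f"vulnerability-based={verdict['vuln_sig']}")
```

The exploit-based signature matches only the original sample; the three variants evade it, while the vulnerability-based check flags all four and leaves the benign record alone. That is the "nearly infinite methods to evade detection" problem in miniature: the pattern has to be updated for every variant, the condition check does not.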

Click here to read the whole report and find out which vendor has vulnerability-based signature(s) that were able to cope with Operation Aurora variations.

15. March 2010 · Defending Against the Zeus E-Banking Attacks · Categories: blog

Brian Krebs wrote another article about the rising number of E-Banking funds transfer fraud incidents in which the Zeus trojan/botnet is used to compromise endpoint systems. The man-in-the-browser (MITB) exploit is a version of the classic man-in-the-middle (MITM) attack in which the user's bank credentials are stolen without the user realizing it. In fact, the Zeus trojan goes on "to control what the user sees on his or her browser."

One is left to ask: is there no "inline" defense against the Zeus trojan? In other words, is there no endpoint anti-malware product that can successfully defend against morphing trojans/botnets like Zeus?

It appears that the best choices at present are:

  • Use a dedicated PC, preferably one that boots from a CD, to do your online banking
  • Depend on your bank to:
    • Use behavior anomaly detection systems to catch/stop fraudulent transactions
    • Refund fraudulent transactions after the fact

Alternatively, from a bank process perspective, why not require a 48-hour waiting period between the time a new payee is created and the time a payment can be made to that new payee?

In addition, the bank could add another step to the "add a payee" process: the bank sends an email or even a hard-copy notification of the new payee to the user (payer), and the user has to call from a known home phone number to verify the new payee.
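The two process controls above, the cooling-off period and the out-of-band confirmation, combine into a small policy check. The following is an added example, not any bank's code: a payee record carries the time it was added and whether it has been confirmed, confirmation is only accepted from the phone number already on file, and a payment is allowed only when both conditions hold. The customer id, phone numbers, timestamps and payee name are constructed; the 48-hour period is the one proposed in the post.

```python
"""Payee cooling-off period plus out-of-band confirmation (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WAITING_PERIOD = timedelta(hours=48)  # the waiting period proposed in the post


@dataclass
class Payee:
    name: str
    account: str
    created_at: datetime
    confirmed: bool = False  # set only by a call from the phone number on file


@dataclass
class Customer:
    customer_id: str
    known_phone: str  # number on file before the payee was added, so a session hijack cannot change it
    payees: dict = field(default_factory=dict)


class PayeePolicy:
    def __init__(self):
        # Stand-in for the email or hard-copy notice the bank sends on every new payee.
        self.notifications = []

    def add_payee(self, customer, name, account, now):
        """Record the payee and queue the notification; no payment is possible yet."""
        customer.payees[name] = Payee(name, account, now)
        self.notifications.append((customer.customer_id, name, now))
        return customer.payees[name]

    def confirm_payee(self, customer, name, caller_phone):
        """Confirmation counts only if the call comes from the phone number on file."""
        payee = customer.payees.get(name)
        if payee is None or caller_phone != customer.known_phone:
            return False
        payee.confirmed = True
        return True

    def payment_allowed(self, customer, name, now):
        """Both controls must pass: confirmed out-of-band AND waiting period elapsed."""
        payee = customer.payees.get(name)
        if payee is None:
            return False, "unknown payee"
        if not payee.confirmed:
            return False, "payee not confirmed out-of-band"
        age = now - payee.created_at
        if age < WAITING_PERIOD:
            return False, f"waiting period not over ({WAITING_PERIOD - age} remaining)"
        return True, "ok"


def demo():
    """Walk through a payee added via a compromised session (constructed scenario)."""
    policy = PayeePolicy()
    cust = Customer("c-1001", "+1-555-0100")
    t0 = datetime(2010, 3, 15, 9, 0)
    policy.add_payee(cust, "new-vendor", "ACCT-999", t0)
    results = {
        # attempted transfer minutes after the payee was added
        "immediate": policy.payment_allowed(cust, "new-vendor", t0 + timedelta(minutes=5)),
        # confirmation attempt from a number that is not on file
        "wrong_phone": policy.confirm_payee(cust, "new-vendor", "+1-555-0199"),
        # waiting period over, but never confirmed
        "after_48h_unconfirmed": policy.payment_allowed(cust, "new-vendor", t0 + timedelta(hours=49)),
        # the real customer calls from the number on file
        "right_phone": policy.confirm_payee(cust, "new-vendor", "+1-555-0100"),
        # confirmed, but still inside the waiting period
        "confirmed_too_early": policy.payment_allowed(cust, "new-vendor", t0 + timedelta(hours=47)),
        # confirmed and 48 hours elapsed
        "confirmed_after_48h": policy.payment_allowed(cust, "new-vendor", t0 + timedelta(hours=48)),
    }
    results["notifications_sent"] = len(policy.notifications)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:22s} -> {outcome}")
```

The order of checks matters less than the fact that neither control alone is sufficient: a waiting period without confirmation only delays the fraudulent transfer, and confirmation without a waiting period leaves no window for the notice to reach the real customer.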

Clearly these steps would add a level of inconvenience to online banking, but that has to be weighed against the costs of reimbursing consumer and corporate customer losses. If the lawsuits in progress are adjudicated in favor of the corporations suing their banks, we may very well see these or other changes.

13. March 2010 · Latest Zeus Trojan software release added hardware-based anti-piracy control · Categories: Botnets, Innovation, Malware

The Register reports:

The latest version of the Zeus do-it-yourself crimeware kit goes to great lengths to thwart would-be pirates by introducing a hardware-based product activation scheme similar to what's found in Microsoft Windows.

The newest version with bare-bones capabilities starts at $4,000 and additional features can fetch as much as $10,000. The new feature is designed to prevent what Microsoft refers to as "casual copying" by ensuring that only one computer can run a licensed version of the program. After it is installed, users must obtain a key that's good for just that one machine.

To state the obvious, if anyone needed a reminder: the crimeware software industry is big business, and it is maturing.

In addition, The Register reported:

The latest version of Zeus is 1.3.3.7, SecureWorks researcher Kevin Stevens told El Reg. But the authors are already busy working on version 1.4, which is being beta tested. It offers polymorphic encryption that allows the trojan to re-encrypt itself each time it infects a victim, giving each one a unique digital fingerprint. As a result, anti-virus programs, which already struggle mightily to recognize Zeus infections, have an even harder time detecting the menace.

No information was provided as to where you could submit your feature requests.