LifeLock pays $12 million to settle charges of false and deceptive claims

13. March 2010 · Comments Off on LifeLock pays $12 million to settle charges of false and deceptive claims · Categories: Identity Theft · Tags: ,

SC Magazine reports:

LifeLock will pay $11 million to the Federal Trade Commission (FTC)
and $1 million to a group of 35 state attorneys general to settle
charges that the Tempe, Ariz.-based company made false claims about its
identity theft products.

The FTC contended that LifeLock's claims
were "deceptive" because the fraud alerts it places on customers'
credit files can only protect against certain types of identity theft,
such as new account fraud, which occurs when an ID thief opens up new
financial accounts by using the victim's name and Social Security
number.

In addition, ironically:

LifeLock, which bills itself as "#1 in identity theft protection," has
gained national notoriety with commercials that show Davis' Social
Security number on the side of a truck, while Davis tells the audience
that he is confident his company's services will protect him – and
potential customers – from having their identity stolen. But Davis
reportedly has been a victim of ID theft.

As I have said before, Identity Theft is a real problem. To protect yourself, start by reviewing the offerings of the three credit agencies Equifax, Experian, and TransUnion.


The most overrated security technologies and what to do about them

13. March 2010 · Comments Off on The most overrated security technologies and what to do about them · Categories: Authentication, Malware, Network Security, Next Generation Firewalls, Theory vs. Practice · Tags: , , , , , ,

CSOonline published an article entitled, "What Are the Most Overrated Security Technologies?" At the head of the list are, no surprise, Anti-Virus and Firewalls.

Anti-Virus – signature based anti-virus products simply cannot keep up with the speed and creativity of the attackers. What's needed is better behavior anomaly based approaches to complement traditional anti-virus products.

Firewalls – The article talks about the disappearing perimeter, but that is less than half the story. The bigger issue is that traditional firewalls, using stateful inspection technology introduced by Check Point over 15 years ago, simply cannot control the hundreds and hundreds of "Web 2.0" applications. I've written about or referenced "Next Generation Firewalls" here, here, here, here, and here.

IAM and multi-factor authentication – Perhaps IAM and multi-factor authentication belong on the list. But the rationale in the article was vague. The biggest issue I see with access management is deciding on groups and managing access rights. I've seen companies with over 2,000 groups – clearly an administrative and operational nightmare  I see access management merging with network security as network security products become more application, content, and user aware. Then you can start by watching what people actually do in practice rather than theorize about how groups should be organized.

NAC – The article talks about the high deployment and ongoing administrative and operational costs outweighing the benefits. Another important issue is that NAC does not address the current high risk threats. The theory in 2006, somewhat but not overly simplified, was that if we checked the end point device to make sure its anti-virus signatures and patches were up-to-date before letting it on the network, we would reduce worms from spreading.

At present in practice, (a) worms are not major security risk, (b) while patches are important, up-to-date anti-virus signatures does not significantly reduce risk, and (c) an end point can just as easily be compromised when it's already on the network.

A combination of (yes again) Next Generation Firewalls for large locations and data centers, and cloud-based Secure Web Gateways for remote offices and traveling laptop users will provide much more effective risk reduction.

Verizon Business extends its thought leadership in security incident metrics

13. March 2010 · Comments Off on Verizon Business extends its thought leadership in security incident metrics · Categories: Breaches, Research, Risk Management, Security Management, Theory vs. Practice · Tags: , ,

The Verizon Business Security Incident Response team, whose yearly published Data Breach Investigations Reports I've written about here, has has extended its thought leadership in security incident metrics with the release of its Incident Sharing Framework. Their purpose is to enable those responsible for incident response to "create data sets that can be used and compared because of their
commonality. Together, we can work to eliminate both equivocality (sic) and
uncertainty, and help defend the organizations we serve." The document can be found here.

Of course Verizon Business is a for-profit organization and the license terms are as follows:

Verizon grants you a limited, revocable, personal and nontransferable license to use the Verizon Incident Sharing Framework for purposes of collecting, organizing and reporting security incident information for non-­‐commercial purposes.

Nevertheless, I do hope that this or an alternative incident sharing framework becomes an industry standard which enables the publishing and sharing of a larger number incidents from which we can all learn and improve our security policies and processes.

FTC warns 100 organizations about leaked data via P2P

23. February 2010 · Comments Off on FTC warns 100 organizations about leaked data via P2P · Categories: Breaches, Next Generation Firewalls, Privacy · Tags: , , , ,

CNet News reported yesterday afternoon that:

The U.S. Federal Trade Commission has notified nearly 100
organizations that data from their networks has been found on
peer-to-peer file-sharing networks, the agency said on Monday.


The FTC notices went to private and public entities, including schools
and local government agencies and organizations with as few as eight
employees to as many as tens of thousands, the FTC said in a statement.
The sensitive information about customers and employees that was leaked
could be used to commit identity fraud, conduct corporate espionage,
and for other crimes.

Unfortunately file sharing based on peer-to-peer technology is only a part of the problem. Some firewalls and most intrusion prevention systems (IPSs) can block peer-to-peer file sharing. However, the problem is actually much worse – the growth of browser-based file sharing applications designed to bypass most firewalls and IPSs.

Palo Alto Networks, a next-generation (as defined by Gartner) firewall vendor, recognizes and can control or block 88 different file sharing sharing applications. Of these, 40 use peer-to-peer technology, 39 are browser-based, and 9 are client-server. Therefore if your network security infrastructure can control or block peer-to-peer file sharing, you are solving less than half the problem.

For more information about the hundreds of applications that ought to be controlled or blocked, go to Palo Alto Network's Applipedia.


The only time it makes sense to use a pie chart

20. February 2010 · Comments Off on The only time it makes sense to use a pie chart · Categories: Uncategorized

via emergentchaos.com

An amusing image from Adam Shostack's blog to help you understand when to use pie charts, i.e. never. The yellow = the pie not eaten, the silver = the pie that's been eaten.

Top 25 Most Dangerous Programming Errors

20. February 2010 · Comments Off on Top 25 Most Dangerous Programming Errors · Categories: Research, Security Management · Tags: , , ,

Mitre, via its Common Weakness Enumeration effort, in conjunction with SANS, just published the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors. Heading the list are:

  1. Cross-site Scripting (Score = 346)
  2. SQL Injection (330)
  3. Classic Buffer Overflow (273)
  4. Cross-Site Request Forgery (261)
  5. Improper Access Control (219)

For each weakness this report provides a Description, Prevention and Mitigation techniques, and links to more reference material. This is well worth reading.

Advanced Persistent Threats – substantive or just marketing buzz?

20. February 2010 · Comments Off on Advanced Persistent Threats – substantive or just marketing buzz? · Categories: Advanced Persistent Threat (APT) · Tags: ,

While the term, Advanced Persistent Threat (APT) is not a new term, it is being used much more often since the breach announcement Google made in January. I wrote about it here and here.

Mandiant, a security consulting firm, defines the APT "as a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. government and commercial computer networks for years. The vast majority of APT activity observed by MANDIANT has been linked to China." You can read more about what they have to say here.

Mandiant did a webinar on February 18 called Malware Behaving Badly, in which they compared Mass Malware Threats to Advanced Persistent Threats. As of today, Feb 20, Mandiant has not posted the webinar on its site.

Richard Bejtlich defined APT in this January 16, 2010 blog post:

  • Advanced means the adversary can operate in the full
    spectrum of computer intrusion. They can use the most pedestrian
    publicly available exploit against a well-known vulnerability, or they
    can elevate their game to research new vulnerabilities and develop
    custom exploits, depending on the target's posture.


  • Persistent
    means the adversary is formally tasked to accomplish a mission. They
    are not opportunistic intruders. Like an intelligence unit they receive
    directives and work to satisfy their masters. Persistent does not
    necessarily mean they need to constantly execute malicious code on
    victim computers. Rather, they maintain the level of interaction needed
    to execute their objectives.


  • Threat means the
    adversary is not a piece of mindless code. This point is crucial. Some
    people throw around the term "threat" with reference to malware. If
    malware had no human attached to it (someone to control the victim,
    read the stolen data, etc.), then most malware would be of little worry
    (as long as it didn't degrade or deny data). Rather, the adversary here
    is a threat because it is organized and funded and motivated. Some
    people speak of multiple "groups" consisting of dedicated "crews" with
    various missions.

Bejtlich goes on to itemize APT objectives, which interestingly does not include stealing money:

  • Political objectives that include continuing to suppress its own population in the name of "stability."


  • Economic objectives
    that rely on stealing intellectual property from victims. Such IP can
    be cloned and sold, studied and underbid in competitive dealings, or
    fused with local research to produce new products and services more
    cheaply than the victims.


  • Technical objectives that
    further their ability to accomplish their mission. These include
    gaining access to source code for further exploit development, or
    learning how defenses work in order to better evade or disrupt them.
    Most worringly is the thought that intruders could make changes to
    improve their position and weaken the victim.


  • Military objectives that include identifying weaknesses that allow inferior military forces to defeat superior military forces. The Report on Chinese Government Sponsored Cyber Activities addresses issues like these.

Mike Cloppert, a security engineer at Lockheed Martin, wrote about APTs in mid-2009 in his Security Intelligence series of blog posts. In Security Intelligence: Introduction (pt 1), he defines APT as "any sophisticated adversary engaged in information warfare in support of long-term strategic goals." Note his focus on the adversary and goals rather than just the techniques.

In summary then, APTs do represent techniques that are more difficult to detect because the adversary, when faced with an above average defense, does not move on to a weaker target. The adversary is persistent and will escalate tactics. Second the focus is on stealing intellectual property rather than money to advance the adversary's strategic  technical, economic, political, and military goals.

Top two attack vectors – remote access applications and third party connections

20. February 2010 · Comments Off on Top two attack vectors – remote access applications and third party connections · Categories: Breaches, Research · Tags: , ,

Trustwave's recently published 2010 Global Security Report shows that the top two attack vectors, by far, resulting in breaches are Remote Access Applications and Third Party Connections. Here is the list of the top five:

> 95% Remote Access Application

> 90% Third Party Connection

> 15% SQL Injection 

> 10% Exposed Services

< 5% Remote File Inclusion

Clearly for each breach they investigated, there was more than one attack vector. It's also important to note that 98% of their investigations were on Payment Card Data breaches. No surprise since Trustwave is focused primarily on PCI compliance. The report does not indicate what percentage of the breaches occurred at organizations for which Trustwave was the QSA.

Regardless of these caveats, I believe it is worthwhile to note the total dominance of Remote Access Application and Third Party Connections.

It is imperative that organizations upgrade their firewalls to provide network segmentation (zoning) and to be able to recognize and control the use of most major application categories including Remote Access Applications.

Unfortunately you will have to register here to get the full report.

A new VoIP threat – steganography

16. February 2010 · Comments Off on A new VoIP threat – steganography · Categories: Steganography, Voice over Internet Protocol · Tags: ,

IEEE Spectrum published an article about three techniques for hiding information in VoIP calls, thus showing again that bits are bits.

Hiding secret messages in MP3 or video files has been done for many years. From the bad guys perspective, there is the problem that copies of these files are left on many servers when they are transmitted by email for example, and therefore can be investigated after the actual transmission is completed. 

Hiding information in the VoIP protocol itself leaves nothing behind to be investigated.

Insiders abuse poor database account provisioning and lack of database activity monitoring

10. February 2010 · Comments Off on Insiders abuse poor database account provisioning and lack of database activity monitoring · Categories: Breaches, Database Activity Monitoring, Log Management, Security Information and Event Management (SIEM) · Tags: , ,

DarkReading published a good article about breaches caused by malicious insiders who get direct access to databases because account provisioning is poor and there is little or no database activity monitoring.

There are lots of choices out there for database activity monitoring but only three methods, which I wrote about here. I wrote about why database security lags behind network and end-point security here

« Older articles
Newer articles »