Friday usually gets people excited since it's the countdown to the weekend, but this week we're excited about it because we're going to have some stellar guests participate in the SecurityBuzz podcast.
As you may recall, last week Robert Scoble's WordPress blog Scobleizer was hacked. We've asked Scoble and Rob La Gesse, director of customer development at Rackspace, to join us to discuss corporate blogs, the security issues they face, how to prevent them, etc.
The podcast will be posted Friday afternoon so stay tuned. In the meantime, let us know if you have any questions you’d like for us to ask these guys and/or answer during the podcast. You can post them here or send me a note via Twitter - @smasiello.
In my copious amounts of spare time, one of the things that I like to put thought into is where I believe the threat landscape is headed. Even in just the last 10 years since the Melissa virus (yes, I know viruses extend quite a bit further back than that; I'm just using this as a reference point) we've gone from mass-mailing viruses, to network worms that run through your network compromising any vulnerable host as quickly as they can, to social engineering tricks that sometimes make it difficult even for the trained professional to tell whether something is real or fake.
So, the question that I pose to myself is "What's next?" Taking even just the events of the last decade into account, where are we headed for the next few years? Some of this is obviously hard to determine because it also involves forecasting what new technologies will be released, but we can start to make some assumptions based on what is available today.
Since this is a blog post, I'll try to keep this relatively brief. Maybe it is something that I can submit as an article to some technology pub as a full byline article (Here's a free plug for the folks over at (IN)Secure Magazine, who just released Issue 22 today. I like them and I've had the opportunity to write for them twice now) at some point soon.
Some things to think about:
-- The Insider Threat
Especially given the current economic conditions and the uneasiness around many offices around the country as to whether or not their companies will remain viable, organizations need to be ever cognizant of the data that is leaving their organization. Given that the USB 3.0 spec released in November 2008 allows for data transfer speeds of about 5 Gb per second, sensitive, proprietary corporate data can be pulled off a company's network and onto a thumb drive faster than ever before. Couple that with the number of disgruntled employees who either see the writing on the wall for their own jobs or who are upset at benefit and wage freezes/cutbacks, and you have a dangerous cocktail for data theft. We need to make sure we are putting as much focus on protecting our sensitive assets from insiders, who have much easier access to proprietary data, as we do on keeping the external threats at bay.
-- VoIP
Voice over IP (VoIP) technologies are being adopted at an ever increasing rate. This is happening not only in the enterprise space, but in the consumer market. Services like Vonage make it easier than ever for people to have portable phone numbers so that they can be easily reachable at local numbers by family members out of state. VoIP implementations at organizations are becoming ever more popular as well. As these technologies become more widely adopted, we have started to see hints of what abuse of these tools might look like. Throwaway phone numbers used to make spam phone calls have started to become more common. There are services available online which allow you to purchase throwaway numbers in blocks. Spammers can use and abuse these numbers just like they do IP addresses now.
Another thing to watch out for is the compromise of VoIP systems as vulnerabilities start coming out in larger quantities. Threats like direct voicemail injection will become another method that cyber criminals use to get advertisements delivered to end users. As the social engineering used in these threats improves, they could easily be used to steal personal identities and corporate data.
-- Mobile Malware
Let's face it: the phones that we carry in our pockets are little personal computers. Although they lack the computing power of the quad-core processors now becoming commonplace on personal computers, they are another "always connected" device that people always have turned on. I think the only time that I turn mine off on a weekly basis is when we are doing our weekly recording of the Security Buzz podcast, and that is mainly because the GSM buzz wreaks havoc with the microphones (and our Executive Producer's headphones :) ). As mobile phone manufacturers open up their APIs to developers to create third-party applications, they will need to be ever diligent in their QA processes to make sure that applications posted to their distribution channels don't contain some form of malware or open up a trojan backdoor to the device. The mobile phone industry is growing by leaps and bounds with the addition of new, better, more feature-rich smartphones entering the market. The smartphone market is too large a target for cyber criminals to ignore, especially if you consider the value of the data that we now store on these devices. Secure sandboxing of third-party applications is a must, but that is only a start. Only hundreds of mobile malware variants exist today (compared to the approximately 1 every 4 seconds released for PCs), but that number is slowly growing, and as hackers pay more attention to how they can penetrate mobile devices, it is sure to increase.
-- Social Networking
Social networks provide an interesting shift in the information sharing game because the rules that typically govern what personal data people are willing to share seem to have gone out the window. This has really opened the door for cyber criminals. With the data that is now available online through social media sites like Facebook, MySpace, and Twitter, criminals can much more easily target attacks at specific individuals or groups of individuals using data made available via public profiles, or geolocation tools that map your IP address to what town you live in (or near), so that they can deliver compelling content that directs you to malware-infected downloads (à la the Waledac botnet). The web of trust that exists between users on social networking sites is being actively and regularly exploited by hackers looking to take advantage of the fact that users will click on whatever their friends send them. It's already been proven that people will click on links and open attachments from people they don't know, so why would they judge more closely the content from those that they do?
-- Political Hacktivism
Recently cyber criminals have picked up the pace a bit with respect to using online resources like social networking sites to quickly spread political messages, helping them spread propaganda and recruit people to fight for their cause. Due to the sensitive nature of political issues and the passion that people have for them, social engineering techniques like posting highly controversial views on sensitive topics are something that cyber criminals will latch onto to get people to react quickly and irresponsibly, opening attachments or visiting websites that they would normally scrutinize more closely.
These are only a small sampling of what I believe we will be encountering as we move forward (I didn't even go into the increased prevalence of compromise of legitimate web sites, the further use of file sharing services, and calendar spam!), but they are things that we will need to keep top of mind as we look toward what threats are coming down the road. Hackers will go where the money is, and the money is where the people are. So, whether it is Twitter, MySpace, Facebook, email, instant messenger, or our phones, criminals will leverage whatever technology is available, because in their eyes the goal is to make money regardless of the available technologies. If one person can figure out how to exploit a technology for their own financial gain before the others, they'll end up getting the lion's share of the notoriety as well as beating defense mechanisms to the punch.
Byron Acohido of USA Today poses a question that we have been battling for a long time in his latest piece on GSM conversation eavesdropping. That question is: how much time is enough time to give a vendor to patch an issue before the vulnerability becomes public knowledge?
The debate rages as to who should be the one to set the timeframe for responsible disclosure. Should the person who identified and reported the vulnerability to the vendor also be the one to determine that timeframe? That sounds a bit like extortion to me. "Fix this problem by the time I say you should have it fixed, or else we'll expose you to the world" seems an awful lot like someone who is sitting more toward the "black" end of the white/black hat spectrum.
Should the vendor be the one to control that timeframe based on their knowledge of the risk factors (i.e. how exploitable is this problem? Is it already being exploited? What is the potential for damage if it were to be exploited? How will it affect our market position? amongst other criteria) and other defined priorities? Should they be held accountable for patching known flaws regardless of these factors, out of fear of being taken to task by the person who found the bug?
In Byron's article, he specifically mentions a campaign by Karsten Nohl, who is threatening to expose a longstanding flaw in the encryption method used on GSM phones that will allow eavesdropping on conversations. Nohl mentions in the article that this is already being exploited widely, but is also calling upon the community of hackers to crack the encryption method. If it is already being exploited (meaning that proof of concept code exists), why is he calling on the community to do it? Isn't that somewhat reinventing the wheel? I didn't quite follow this path in Byron's article.
So, what's the point of all of this? On one side we have "grey hat" hackers (in my opinion this designation is silly; grey hat is just a candy-coated way of saying "black hat" while wanting to appear as if you have the public's best interests in mind) who feel like they are the superheroes of the security community by holding the threat of humiliation over the heads of companies who don't fix software flaws on their timeframe (Nohl suggests that the flaw he threatens to expose has existed for 15 years; I am not sure how many of us are truly in a position to either confirm or refute that claim). On the other we have companies who may have good intentions to fix vulnerabilities, but clearly perform their own internal risk assessments first based on a number of criteria, only a few of which I mentioned earlier.
In my opinion, the answer to the question "how long should a vendor have to fix a reported vulnerability?" lies with the vendor and with the vendor alone. Certain factors may cause a company to shift those priorities and release a patch outside of their regular software release cycles, or the flaw might be something that doesn't get fixed until the next major software release. Either way, if you really have the common good (as opposed to your own inflated ego) in mind, you'll let the vendor responsible for fixing the bug do so on a timetable that is acceptable to both them and their customers. If their customers aren't happy with whatever that timeframe is, don't worry, they'll complain loudly (customers do that :) ) and the vendor will be forced to shift their priorities accordingly. The process self-regulates that way and leaves the overinflated egos out of it.
Obviously there are many opinions on both sides of the fence on this issue. So, let's have them! Feel free to drop me a note at sam AT mxlogic.com or on Twitter as "@smasiello".
Do we really know? Recent research would say that we don't.
In late April two conflicting articles were published: one was posted at IT Brief, which appears to have been supported by AVG, and states that 250,000 malicious web sites are created every day; the other was published by Security Pro News and says that MessageLabs claims 3,500 new malicious sites daily.
So, which is it? The truth, in my opinion, is that we don't really know. Also, what neither of these articles discusses is the increase in compromise of legitimate sites due to trojans like Gumblar. The number of compromised legitimate sites is also harder to quantify because there are likely a lot more of them out there than are currently known.
One thing appears to be for certain and that is that we have reached the tipping point with the web being used as the primary threat vector for the distribution of malware ahead of email.
As news of the most recent Twitter breach spread and details of what was compromised started to come forth, the question at the forefront of my mind was "Whatever happened to responsible disclosure?" That is, you notify the vulnerable party, give them ample time to fix the problem, and if any information is released publicly, it is done after the problem has been confirmed resolved by the vendor.
According to the article on TechCrunch that contains data that was stolen, they "spent much of the last 36 hours talking directly to Twitter about the right way to go about doing that" (where "that" = the right way to go about releasing the data). Now I was certainly not privy to those discussions, but I personally have a hard time believing that those discussions involved Twitter saying "yes, please post the information, but just leave out the secret sauce bits." I don't understand what criteria TechCrunch used such that they are now the governing authority over what is and is not confidential, or why they feel they have a right to make that call to begin with. I am disappointed that a purportedly reputable news organization would feel that they have such privilege.
In a follow up post TechCrunch attempts to justify their actions by pointing to previous cases where they and another news organization had each taken it upon themselves to post sensitive information. I guess that means that since there is a precedent for something happening that it somehow makes it right? They also state within this article that they "break big stories." Obviously, those that break the big stories get the big press, but let's not also forget that a certain level of responsibility is expected as well. Saying that "others do it too" as justification for doing anything is just plain juvenile.
Of course, let's not let the person who leaked the information to TechCrunch off the hook either, as they are certainly culpable as well. At this point nobody seems to know who that person is (at least not publicly). This mystery person submitted the information with the expectation that it would get published. Otherwise, why send it to a news organization to begin with? They baited the hook and TechCrunch bit down hard.
Whether TechCrunch will end up facing any legal action from Twitter remains to be seen. Twitter might want to consider at least sending TechCrunch a thank you note for at least temporarily turning the stink-eye from this whole mess away from themselves as TechCrunch appears to be getting flamed worse than Twitter, who had the breach to begin with!
It looks like the Hack du Jour, Twitter, has had another high profile data breach.
It seems like we have been around the block on this topic before on a couple of occasions, haven't we?
According to TechCrunch, the cause of this most recent data breach isn't stolen Twitter account credentials from clickjacking exploits or people who have given up their logins to look-alike Twitter application sites. This exploit was far more elementary, and one that Twitter could stand to learn a lesson from on their own account signup form: weak passwords. According to the TechCrunch article, the password to some of Twitter's publicly facing servers was "password". Maybe they thought that was too easy for people to guess and that nobody would actually try a password as simple as "password"? Either way, this is another example of how Twitter needs to take its own security and the security of its users much more seriously. Strangely enough, repeated lapses in judgment do not appear to have slowed their growth.
The portion of the MSNBC article that I linked to in the first paragraph that irked me the most was in the section titled "Dangers Highlighted" where the author states that "The techniques used by the hackers to obtain access to Twitter highlight the dangers of a broader trend promoted by Google Inc. and others toward storing more data online, instead of on computers under your control." I couldn't disagree more with this statement. The missteps by Twitter that have caused their recent compromises are not a result of a lack of standards or good security practices by cloud computing, SaaS, or other off-network service providers. They are a result of Twitter's poor security practices and Twitter's alone.
Any service provider, construction outfit, or home business that has its own network equipment needs to ensure that it has taken proper precautions to secure those devices. That includes changing default passwords and identifiers (like SSIDs on wireless access points) all the way through to keeping those devices up to date on security patches and application updates. These are not practices that are relevant to cloud computing providers alone. To insinuate such in an effort to spread FUD against these types of services is downright irresponsible, in my opinion. We're talking about best practices that need to be employed by everyone in all industries and form factors. Perhaps if we did that, instead of just talking about it and always looking to point the finger at someone when they make a mistake, we would have fewer people to point fingers at.
Just as a general Public Service Announcement, if you are interested in Cross Site Scripting exploit news, and if you are not following @xssexploits on Twitter, do so (and of course follow @smasiello too :) ).
The reason that I mention that is, in addition to wanting to stay up to date on some of the latest XSS announcements, @xssexploits is also one of the first places where I was informed about the recently made public XSS vulnerabilities found on several McAfee web sites.
So, why are these exploits of consequence?
One of the sites mentioned as being vulnerable to cross site scripting is McAfee's Rebate and Promotion Center web site. One of the fields that a user must populate when filling out the form to obtain a rebate is the date on which you purchased one of McAfee's qualifying products, in mmddyyyy format. By using a technique known as HTML code injection, a user could get redirected to another (potentially malicious) McAfee look-alike web site used for phishing unsuspecting users' sensitive information, or to a malware distribution site that looks like an official McAfee web site.
Many security vulnerabilities are introduced by software not doing proper input checking. Following a "whitelist model," where as part of the input checking code you specify the types of input that are allowed (generally a small list) as opposed to identifying all of the input that is not allowed (a much larger list), is common practice. In this case, it doesn't appear as if the form was doing any kind of input checking. Allowing HTML characters such as quotation marks, less-than, and greater-than symbols in a field that is clearly expecting only numerical input is only asking for trouble.
I am not trying to pick on McAfee here, but they are a prime example of the reality that this can happen to anyone: at a company whose business is security, you would expect a pretty keen eye toward security vulnerabilities within its own web site. Back in January, CWE and SANS posted their list of the top 25 programming errors that occur most frequently within applications, and Improper Input Validation is at the top of that list. It tops the list because it is the most common flaw and because it is the easiest to exploit. Improper input checking can be exploited with even the simplest of test cases, which means that even the lowest-level hacker who knows only the bare minimum about XSS and code injection could take advantage of this flaw.
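As an added example (not code from McAfee's site or from the original post), here is what a whitelist check on a purchase-date field in mmddyyyy format looks like, with HTML output encoding as a second layer so that reflected values cannot break out of the form even if the whitelist is later loosened. The field name `purchase_date`, the render functions and the sample inputs are assumptions constructed for this illustration.

```javascript
// Added example: whitelist validation for an 8-digit mmddyyyy purchase date
// plus output encoding. Field name and sample inputs are constructed here,
// not taken from any real form.

// Exactly two digits for month, two for day, four for year. Anything else,
// including quotes and angle brackets, fails before any parsing happens.
const PURCHASE_DATE_RE = /^(\d{2})(\d{2})(\d{4})$/;

// Returns { ok: true, value } for a real calendar date in mmddyyyy form,
// or { ok: false, reason } for everything else.
function validatePurchaseDate(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  const m = PURCHASE_DATE_RE.exec(raw);
  if (!m) return { ok: false, reason: 'must be exactly 8 digits (mmddyyyy)' };
  const month = Number(m[1]);
  const day = Number(m[2]);
  const year = Number(m[3]);
  if (month < 1 || month > 12) return { ok: false, reason: 'month out of range' };
  // Date.UTC silently rolls overflow forward (Feb 30 becomes Mar 1), so
  // round-trip the fields and reject anything that changed.
  const d = new Date(Date.UTC(year, month - 1, day));
  if (d.getUTCFullYear() !== year || d.getUTCMonth() !== month - 1 || d.getUTCDate() !== day) {
    return { ok: false, reason: 'day out of range for month' };
  }
  return { ok: true, value: raw };
}

// Output encoding for an HTML attribute/text context. Applied even to
// whitelisted values so the two defenses are independent of each other.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// What a form with no input checking does: the raw value lands inside an
// attribute, so a quote followed by markup rewrites the page.
function renderPurchaseDateUnsafe(raw) {
  return `<input name="purchase_date" value="${raw}">`;
}

// Hardened version: only a validated date is echoed back, and it is
// encoded for the attribute context regardless.
function renderPurchaseDateSafe(raw) {
  const result = validatePurchaseDate(raw);
  const shown = result.ok ? result.value : '';
  return `<input name="purchase_date" value="${escapeHtml(shown)}">`;
}

// Constructed sample inputs: a valid date, an impossible date, a
// wrong-length value, and an attribute-breaking string of the kind the
// post describes (quotes and angle brackets in a numeric field).
const SAMPLES = ['06152009', '02302009', '6152009', '"><b>injected</b>'];

// Runs every sample through the validator and both renderers so the
// difference between the two is visible side by side.
function demo() {
  return SAMPLES.map((s) => ({
    input: s,
    verdict: validatePurchaseDate(s),
    unsafe: renderPurchaseDateUnsafe(s),
    safe: renderPurchaseDateSafe(s),
  }));
}

for (const row of demo()) console.log(row);
```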
Protect your brand. Protect your web site. Protect your users. Follow secure coding practices and incorporate a security mindset into the products and applications that you build. You don't have to be a security company to think securely.
I wanted to take a moment to write about a topic that we discussed during the recording of Episode 29 of the Security Buzz podcast earlier today. That topic is based on a post found on DarkReading that discussed Microsoft's decision to release an update to disable the Autorun feature in Windows for USB drives, in response to the variant of the Conficker worm which spreads via these devices. The question at hand was whether or not this move is too little, too late given Conficker's already large presence.
My opinion is that not only is the move too little, too late, but it is also a completely irrelevant one, for the main reason that according to the folks over at mtc.sri.com, who have posted in-depth research on how the Conficker worm operates, most of the machines that are infected with this worm are still running versions of the Windows XP operating system with Internet Explorer 6 installed. This means that most of the infected machines are not one or two patch levels behind on their updates from Microsoft. They are likely years behind and have never been patched. They may in fact be running the original version of Windows XP, released in October 2001, without a single security patch ever applied, meaning that they are vulnerable to every Windows XP vulnerability ever patched.
USB drives, although an important infection avenue to consider (although in my opinion they are more of a risk from a data leakage perspective than as a malware distribution point), are still only a small portion of the infection problem. Emails with attachments, malicious web sites and compromised legitimate web sites that distribute malware, and peer-to-peer downloads of pirated software with embedded trojans are all far more prevalent issues with respect to current worm and malware propagation than USB drives.
Unfortunately, this move by Microsoft will do little to solve the Conficker problem or slow its spread. It also will not do much overall to prevent further malware propagation in the future, because the machines that need to be cleaned up are not the ones that are following best practices by keeping up to date on security patches, running up-to-date antivirus, and defending in layers. It's those that aren't that are, and will continue to be, the real problem.
The folks over at SecurityFocus have published yet another Adobe PDF Reader related vulnerability. No exploits taking advantage of this flaw have been seen in the wild at this time, but unless it is patched quickly by Adobe they will likely come in short order, due to the prevalence of Acrobat Reader in the wild and the success of previous exploits.
This is in no way an endorsement of this product, but if you are looking for an alternative to Adobe's PDF reader, consider looking into Foxit Reader by Foxit Software. As with any software, it has had its own vulnerabilities that have been patched, but since it isn't as widely used it has not been as heavily targeted as Adobe's products. There are other alternatives available as well. Consider looking into them if you frequently find yourself opening PDFs as part of your daily professional or personal responsibilities.
Over the coming days, please be on the lookout for any spam campaigns related to the recent outbreak of the Swine Flu. The number of confirmed swine flu cases is rising in the United States (currently at 40 according to this recent article posted on bloomberg.com) and around the world, and the World Health Organization (WHO) is threatening to raise its pandemic alert because of the illness. That combination of circumstances creates a dangerous cocktail that we frequently see spammers and phishers jump all over.
Although we have yet to see any specific fraudulent campaigns related to the Swine Flu in our Threat Operations Center, our team is on high alert looking for anything that may crop up. Due to the nature of today's blended threat landscape, it is possible that we could see phishing campaigns soliciting donations to help victims of Swine Flu, purporting to be from the WHO or other related organizations. We could also see emails that attempt to lure users to news-oriented web sites that play videos, set up as spoofs with the intention of distributing malware.
News grabbing events like the Swine Flu outbreak are exactly the type of social engineering lures that spammers love to latch onto because of the public's interest in learning more about the topic. Be aware. If you would like to learn more about the recent Swine Flu, or any other breaking news story topic, visit the site of your most trusted news organization directly. Clicking on links within emails is an invitation for trouble.
Just about anyone and everyone who is active on the internet is either using, has used, or at least has heard of Twitter, the micro-blogging service that grew in usage by 752% in 2008 and is poised to grow even more in 2009.
As we know, where there are users, there are hackers. Any technology that has grown in popularity at the speed at which Twitter has is certain to become a target for information- and money-stealing cyber criminals. As such, Twitter has been the target of several application exploits over the last few months, including a Samy-like exploit which would force users to follow you, multiple clickjacking exploits, and two worms dubbed Mikeyy and StalkDaily just this past weekend.
Funny enough, one of the things that is frequently part of the fallout of numerous security exploits is a drop in brand trust and user confidence. So far, that fallout does not appear to have taken place with Twitter. At least based on the reported numbers, Twitter's growth does not seem to have been hampered at all despite the numerous security flaws that have been patched over the past 8 months. Perhaps this is because there hasn't been a serious incident of data theft or widespread malware infection as a result of one of these exploits. Rest assured, those are coming!
So, what can we learn as a result of Twitter's recent security woes?
I believe that one of the most important lessons to be learned from Twitter is the need to ensure security is being built into your product from the concept and design phases, not after the code has been consumed by the public. This is true for online applications like Twitter as well as boxed software that you buy in the stores. Don't let your customers be your test bed to identify security risks because you can bet that criminals will find them and exploit them before your customers do. At that point you have put your customers at risk also. It is far cheaper and less damaging to your corporate brand and reputation if security risks are identified up front, before any code is launched than to try to retrofit security into a live product.
Up to this point the vulnerabilities exposed on Twitter have largely been considered annoyances. I was unable to find any reports of identity or financial theft as a result of a Twitter exploit, and again perhaps that is why they haven't been placed under the same microscope that Microsoft and Google have been. Don't take these proof-of-concept quality threats lightly though as they could easily have been much more nefarious than they were.
Let's take the Mikeyy worm as a primary example. One of the ways that Mikeyy would spread is by sending Tweets out under the accounts of infected users, trying to lure their followers to visit the profile of another Twitter user that exploited a site flaw. Once that page was visited, the user's account was hijacked and Tweets would be sent out as them to their followers, trying to trick them into clicking also. Rinse and repeat. In this instance the worm was merely spreading out across Twitter to anyone who was fooled into clicking the link presented in the Tweet. What if this link had forwarded unsuspecting users to a drive-by site that installed malware like Storm or Conficker? In a previous post we discussed how URL abbreviation services can potentially hide an underlying threat vector and redirect users to malware drive-by or phishing sites. Granted, that example isn't one of a specific Twitter flaw, but it is just another thing that users of the popular service need to be on the lookout for.
In its short existence Twitter has almost single handedly revolutionized how we communicate (in 140 characters or less :) ) online. Whether you are using Twitter to communicate with friends from school, family, or professionally to keep up on market trends or as another method to increase your brand awareness (a recent report by comScore said that more than 50% of Twitter users are between 25-54 with most users being on the upper end of that scale), Twitter has stormed onto the social media scene and has already become an important part of how people communicate online. I use it myself. As such, it creates another avenue by which we need to make sure we educate ourselves and our users about the potential for online threats.
I am guessing that most people are suffering from Conficker information overload today! As such, it is very important to be able to separate the Conficker Facts from the FUD. In case you have not yet seen it, I blogged last week about what I believe will (not) happen when the Conficker.C variant activates tomorrow, April 1st. Up to this point we still have not yet seen anything that would lead me to believe anything contradictory to that statement.
I read in a couple of places yesterday about a flaw in the C variant of the Conficker worm that makes infected machines on your LAN respond differently than machines that are not infected. According to Dan Kaminsky's blog, this flaw causes a function named NetpwPathCanonicalize() to behave differently on an infected host than it does on either a patched or an unpatched version of the Windows OS. This different behavior is what folks like McAfee, Nessus, Qualys, and others are keying on to develop scanners that identify infected hosts.
Although a tool is great to identify machines already infected with the Conficker worm, it is more important to emphasize and re-emphasize the importance of patching and multiple defense layers (from out in the cloud all the way down to the network endpoints) to mitigate these types of infections to begin with. In the interim, if you believe that machines on your network may currently be infected with the latest Conficker variant download the proof of concept scanner and put together a quickly actionable plan to clean these machines up.
There certainly is a lot of attention being paid to the Conficker botnet these days. Some of this attention is warranted. What is its purpose? What is it going to do? What is it going to be used for? Will it be split up and sold off to the highest bidders? All valid questions, but recently most of the attention surrounding Conficker has been around what is being called the "activation" of the botnet on April 1 (April Fool's Day. Coincidence?).
Earlier this month a new variant of the Conficker worm, dubbed Conficker.C, was pushed out to update machines that had previously been infected with Conficker.B (the previous variant of the worm). Several improvements were made in Conficker.C that make it more difficult to infiltrate than its predecessor. Firstly, it moved away from a pull model, where the infected hosts would ping back to a command and control server (the URL that it would communicate with was randomly generated based on an algorithm within the malware code) to see if there were any updates to be downloaded. Conficker.C has moved to a push-based method of update, where code changes are sent from a command and control host down to the infected client. The malware further updated itself to include code signing so that it will only accept updates that carry its own signature. These updates are game changers as it relates to how security researchers had generally infiltrated and analyzed botnets.
One of the other major changes that was introduced in Conficker.C was the number of domains that are registered by the botnet to distribute code updates. In Conficker.B there were 250 random URLs being generated on a daily basis that the botnet would use to look for updates. Researchers were able to crack the URL generation algorithm and figure out what domains were going to be used on what days so that they could register those domains in advance of the botnet attempting to use them. In response, the Conficker authors seriously upped the ante by changing the number of URLs used by the botnet from 250 daily to 50,000. A virtual scoff from the worm authors.
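To make the cat-and-mouse game above concrete, here is an added example (not code from this post and not Conficker's real algorithm) of a toy date-seeded domain generator and the defender's side of it: once the algorithm is understood, the same function precomputes every name for future days, which is exactly what lets researchers register, sinkhole, or block them ahead of time. The seed, hash, label length, TLD set, and the DNS log lines are all constructed assumptions for illustration. Running demo(per_day=50000) instead of 250 shows in plain numbers why the jump to 50,000 names a day makes pre-registration impractical while a blocklist remains cheap.

```python
import hashlib
from datetime import date, timedelta

# Assumed for illustration only: the seed, TLD set, label length and the
# hash used here are constructed, not Conficker's real algorithm.
SEED = b"toy-dga-seed"
TLDS = ("com", "net", "org")
LABEL_LEN = 8


def generate_domains(day, count):
    """Derive `count` deterministic domain names for one calendar day.

    Anyone who knows the algorithm and the seed, including a defender who
    has reverse-engineered it, can compute the same list for any date.
    """
    domains = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def build_blocklist(start, days, per_day):
    """Precompute every domain the algorithm will produce over a window.

    Returns {domain: active_date}; this is what lets a defender register,
    sinkhole or block the names before the botnet tries to use them.
    """
    blocklist = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for domain in generate_domains(day, per_day):
            blocklist[domain] = day
    return blocklist


def flag_dns_queries(log_lines, blocklist):
    """Match DNS query log lines of the form '<client-ip> <qname>' against
    the precomputed blocklist; return (client, qname, active_date) hits."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        client, qname = parts
        qname = qname.rstrip(".").lower()
        if qname in blocklist:
            hits.append((client, qname, blocklist[qname]))
    return hits


def demo(per_day=250):
    """Build a three-day blocklist starting April 1 and scan constructed log lines."""
    start = date(2009, 4, 1)
    blocklist = build_blocklist(start, days=3, per_day=per_day)
    day_two = generate_domains(start + timedelta(days=1), per_day)
    # Constructed sample log: one host looks up a generated name, one is benign.
    log_lines = [
        f"10.0.0.5 {day_two[7]}.",
        "10.0.0.9 www.example.com.",
    ]
    return blocklist, flag_dns_queries(log_lines, blocklist)


if __name__ == "__main__":
    bl, hits = demo()
    print(f"{len(bl)} domains precomputed; {len(hits)} flagged: {hits}")
```

The blocklist is keyed by activation date on purpose: a query for a name before its day, or from a host that has no business resolving it at all, is a stronger signal than the name alone.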
On April 1, the botnet is said to activate its latest variant, Conficker.C, and rumors are running rampant as to what the wide scale implications will be as a result. All we know at this point is that on April 1, Conficker.C will start using its new code and algorithms to make the botnet much more resilient to penetration by security researchers. We have spoken several times now about how malware authors are attempting to build the next generation botnet after the McColo shutdown. Conficker is a clear example of a proof of concept that will likely be used by malware authors until the "next big idea" comes along.
Will it ever actually be used for anything? Sure, it will. Why go through all of this effort to create such a huge botnet and then not utilize it for something? In a financially motivated economy it doesn't make sense not to rent it out or sell it off. My point is, don't buy too much into the April 1 hype. It very well could be much ado about nothing.
We will touch on this in some more detail during the Security Buzz podcast (Episode #25) that will be recorded this Friday, but I wanted to make a couple of comments here as well about an article that was posted on canada.com regarding a Staples Business Depot Store in Ottawa, Ontario that sold a returned hard drive that still had a number of personal files on it.
To summarize the article, a woman named Jill Vickers, a retired political science professor from Carleton University, had purchased an external Maxtor Mini portable drive, then attempted to return it to the store after her son noticed that the automatic backup function was not working properly (Vickers had already put a number of her personal files, including some that contained sensitive information, on the drive).
Staples is getting a lot of the bad press here for not properly wiping the drive prior to putting it in the clearance bin. Staples says that it is standard operating procedure to wipe "anything with memory" prior to it being resold. So, mea culpa on Staples' part in this case for not following their own policy, and the negative attention is well deserved. What the article doesn't state is "how" they wipe the drive. Is it a quick format? Is it being wiped to a DoD standard? This is a point left to speculation, but I think it is an important point nonetheless, because I don't think you can expect the average consumer to know the difference or why that difference is important.
That being said, I believe that Vickers deserves at least part of the blame as well. If the data that she was storing on the drive was so important to her, and if it was potentially sensitive, she (or her son) should have thought to at least take basic steps to ensure that this information was not readily visible to anyone who would be handling the drive (including the employees of the Staples store that she returned the drive to). Even if Vickers isn't familiar with the different data deletion standards that are out there, doing a "Select All" and then "Delete" on the files contained on the drive is certainly better than nothing at all.
I guess the best takeaway from this experience for the rest of us is that we should always be taking whatever steps are necessary and possible to protect our own sensitive data from potential exposure. Even if others who are handling our information have protection policies in place, you cannot rely on those policies being followed.
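The difference between "Delete", a quick format, and an overwrite wipe is easier to see on a model than on a real drive, so here is an added example (mine, not from the article or the post) of a toy block device: a directory that maps file names to blocks, plus the raw blocks themselves. Deleting or quick-formatting only touches the directory, so a naive carve of the raw blocks still finds the data; an overwrite pass (the idea behind the multi-pass "DoD standard" wipes mentioned above) does not leave it behind. The filesystem layout, the sample "taxes.txt" contents and the block size are all constructed for illustration and do not correspond to any real on-disk format.

```python
import os

BLOCK_SIZE = 16          # bytes per block in the toy model (constructed value)


class ToyDisk:
    """A tiny block device: a directory (name -> block indexes) plus raw blocks.

    Constructed model only; it is not any real filesystem format.
    """

    def __init__(self, block_count=64):
        self.raw = bytearray(block_count * BLOCK_SIZE)
        self.directory = {}

    def _free_blocks(self):
        used = {b for blocks in self.directory.values() for b in blocks}
        return [i for i in range(len(self.raw) // BLOCK_SIZE) if i not in used]

    def write_file(self, name, payload):
        needed = -(-len(payload) // BLOCK_SIZE)     # ceiling division
        free = self._free_blocks()
        if needed > len(free):
            raise OSError("disk full")
        chosen = free[:needed]
        for n, blk in enumerate(chosen):
            chunk = payload[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            self.raw[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = chunk
        self.directory[name] = chosen

    def delete_file(self, name):
        """'Select All' then 'Delete': only the directory entry disappears."""
        del self.directory[name]

    def quick_format(self):
        """A quick format rewrites the directory, not the data blocks."""
        self.directory.clear()

    def overwrite_wipe(self, passes=1):
        """Overwrite every block: random data on intermediate passes, zeros last.

        Multi-pass overwrite is the idea behind the 'DoD standard' wipes the
        post mentions; even one full pass defeats simple carving.
        """
        for p in range(passes):
            if p == passes - 1:
                self.raw[:] = b"\x00" * len(self.raw)
            else:
                self.raw[:] = os.urandom(len(self.raw))
        self.directory.clear()

    def list_files(self):
        return sorted(self.directory)


def carve(disk, marker):
    """Naive recovery: search the raw blocks for a marker, ignoring the
    directory. This is essentially what a file-recovery tool does."""
    return disk.raw.find(marker) != -1


def demo():
    """Compare what survives a delete + quick format versus an overwrite wipe."""
    secret = b"ssn=123-45-6789;account=9876"     # constructed sample data
    marker = b"123-45-6789"

    quick = ToyDisk()
    quick.write_file("taxes.txt", secret)
    quick.delete_file("taxes.txt")
    quick.quick_format()
    after_quick = (quick.list_files(), carve(quick, marker))   # ([], True)

    wiped = ToyDisk()
    wiped.write_file("taxes.txt", secret)
    wiped.overwrite_wipe(passes=3)
    after_wipe = (wiped.list_files(), carve(wiped, marker))    # ([], False)
    return after_quick, after_wipe


if __name__ == "__main__":
    print(demo())
```

The model deliberately ignores what real hardware adds on top (reallocated sectors, and on flash media the wear-levelling that can keep stale copies), which is why real wiping tools write to the raw device rather than through the filesystem, and why "Delete" is better than nothing but not a substitute for a wipe.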
Short and sweet post this time. I need to go meet with a prospective customer, but I had to post this first. It's not very often that you meet an honest spammer. The following header came into one of our spamtraps today on a 419 phishing scam attempting to get me to engage with the scammer on purchasing residential and commercial property. They requested that I open foreign bank accounts into which the sum of one billion (doing my best Dr. Evil impression) dollars would be deposited.
Anyway, what made this particular scam somewhat humorous was the subject line of the message:
It isn't every day that a spammer will tell you his email is spam before you even read it. I'm willing to bet the uptake on this one probably wasn't that great :-D
I have been starting to feel like I have hardly been in the office over the past month. After attending MAAWG in San Francisco for a week in mid-February I was in town for a week and a half before going on an extended vacation/business trip to Orlando for InfoSec World 2009 and some time visiting my wife's family. I am finally back in town and expect to be so for about the next month until RSA rolls around in late April so expect to see regular blog updates rolling out again.
I wanted to take a few minutes to talk about something that has been bothering me lately. It is something that I have been hearing more and more of in passing conversation as it relates to browser security, in particular between Firefox and Internet Explorer. Similar to the debates that have been raging for a few years now over the "security" of Apple's OS X (and previous versions) as compared to Microsoft Windows, there are debates over whether Firefox is a more secure browser than Internet Explorer.
Is it, really? Or is it just a matter of perception?
At the end of the day, the level of security of any application installed on our computers is a combination of the vendor's ability to release timely updates to address new security issues and the user's ability and willingness to install those updates. The discussion about application security is completely irrelevant if users do not install the updates that the vendor provides.
Take this recent analysis of the Conficker worm/botnet as an example. According to the report, more than 90% of the users who got infected with Conficker got infected while using Internet Explorer 6, the default browser that comes with Windows XP. Windows XP is also the OS with the highest concentration of Conficker-infected users, but that is to be expected as it is currently the most widely deployed Windows OS version. What this tells me is that many users who are running Internet Explorer 6 are not keeping it up to date with updates and patches. This is also somewhat to be expected, because the largest concentrations of infections are in countries like China, Brazil, Russia, and India, which also have some of the highest numbers of pirated copies of Windows in the world. You could argue that this might not be the best example of browser security because Conficker exploits an OS-level vulnerability, but the reasoning is still sound: if you aren't applying OS patches, you likely aren't patching your browser either. If you aren't familiar with the "insecurity iceberg" report, I would recommend it. It is a good read, as it outlines browser and plugin usage across many different data cross-sections to illustrate that browser security is about more than just the browser. It also covers the many plugins that are available, such as Adobe Flash, Java, Apple QuickTime, and Adobe PDF Reader.
So, to go back to my original question, is Firefox really more secure than Internet Explorer? In addition to my previous argument about patching, I believe this also comes down to an issue of perception. For example, Firefox releases security updates more frequently than Internet Explorer. Does that make it more secure or less secure? Additionally, Firefox has a "nagware" type of feature that regularly throws popups at you when a new version is available, encouraging you to upgrade to the latest and greatest version of the browser. This gives the user the impression that they are being kept safer. Second, Firefox has an active community of developers creating plugins that add security features on top of what the browser already provides. Neither Firefox nor IE has any native protection against what is known as Clickjacking. With NoScript, a plugin available for Mozilla-based browsers like Firefox, Clickjacking protection can be added. IE currently has no protection available, although it is being planned for IE 8. Another security threat that I have written about previously is the danger introduced by URL abbreviation services like TinyURL and SnipURL. Firefox has a plugin that lets users preview where these abbreviated URLs will really take them before they click the link. URL abbreviation services are being used more and more by phishers and malware creators to trick users into clicking on legitimate-looking links that redirect them to malicious web sites. So, there are security-related add-ons that users can plug into their browsers if they know which ones are good and actively maintained and where to look, but this functionality isn't native to the browser, and it leaves the user with yet more software to keep updated.
You could make analogies between the OS X and Windows debate here too. Apple users claim they don't have the malware problem that Windows users have. In sheer volume of released exploits, this is certainly true, however you are also dealing with a much smaller market share. Is the reason that Firefox exploits haven't been more widely targeted that they just don't have the market share to support the effort on the part of cyber criminals?
My point is that there are compelling arguments on both sides of the browser security debate, but at the end of the day the onus is still on the user to make sure their software (that includes both the browser and its plugins!) is patched regularly, and that they are employing additional security measures like anti-virus and outbound-traffic-blocking firewalls to reduce their risk. More online threats are moving to the browser every day, so having multiple layers of defense in place at different points of the network remains your best method to minimize risk.
Following up on January's publication of the Top 25 Most Dangerous Programming Errors, today the SANS Institute has released Draft 1.0 of the Consensus Audit Guidelines (CAG), a set of recommendations that organizations should implement in order to improve their security posture.
Strong coding standards and following network security best practices can go a long way towards increasing your security position as an organization. These published practices provide a solid roadmap to help you get there.
As with the Top Programming Errors list, I do not believe that anything in the CAG is revolutionary in its thinking, but at the same time it provides a starting point for companies who are looking for a checklist of items to implement to make themselves less vulnerable to a successful attack by a cyber criminal. One of the nice things about this list as well is that it breaks down its recommendations into several different categories from Quick Wins to Advanced. This type of categorization is especially important for those who are just starting their security programs and wish to show quick, meaningful successes to their executive teams. These types of small, early wins can help build executive support, a crucial element to the success of any security program.
The CAG is broken up into 20 individual controls ranging from internal hardware and software inventories to vulnerability testing and remediation and wireless device control. Each control is introduced by a description of how hackers take advantage of organizations that have not implemented that best practice. This is followed by a categorized outline of the recommendations for that control and how to measure their effectiveness. Using this information, an IT Manager can start to answer the "What", "Why", and "How" questions that go into making a strong business case for implementing these practices.
As experienced security professionals, it is important that we not take either the CAG or the Top 25 Programming Errors list for granted. These types of guidelines are not always as well known or practiced as we might expect. That isn't to say that everyone should go out of their way to implement every single one of these practices either. Identify the guidelines that are most pertinent to your organization, map out a plan, and hold people responsible for making sure they are carried out. If you are just starting out in your security career or with your security program, you have an increasing number of tools at your disposal to help increase your chances of success. Use them wisely and reap the rewards of building a solid security program and culture within your organization.
Yesterday, security experts from more than 30 United States and international cyber security organizations jointly released a list of the top 25 most dangerous programming errors that lead to security bugs and are enablers for cyber crime according to this article posted on sans.org.
Most security professionals speak to these coding standards fairly religiously, but the article points out something that I don't think we talk about enough. That is, ingraining secure coding practices into software developers during their education at the high school and college levels. As it stands now, software development courses taught at most schools (at least this is how it was when I was in high school and college, so if there is a more dedicated effort on secure coding practices now, please correct me!) focus on the results of the application (i.e. what is the output and does it match what was expected), but do not enforce proper boundary and input checking to ensure that the application could not be compromised in a real-world situation. As a result, programmers entering the business world aren't used to coding for these exceptions, which leads to applications that crash frequently when put in the hands of users. As the article also mentions, if these best practices are part of how software developers are taught to code from the beginning, businesses will receive the trickle-down effect of better applications being released from version 1.0, which decreases the company's risk of a security breach and embarrassment.
If your organization is one that is responsible for developing software applications, be sure your coding standards also include ensuring that secure coding best practices are being followed. Do not just do this for new application development. Be sure to review your existing code base to incorporate these standards there as well. You'll reduce the number of bugs that have to be fixed later as users uncover unhandled exception cases, and you'll improve the quality of your product overall.
It is a bit of a long read to get through all of the recommendations, but I would encourage you to take the time to read and evaluate how these best practices can be incorporated into your own software development processes if they are not already. If you are an educator and teach classes on software development, look for ways to integrate these practices both into your teaching and into how you evaluate code. If you are a software developer, start using these practices in your own coding, encourage your colleagues to do the same, and make them part of your required coding standards before code is released into your "production" environments.
Security awareness concepts reach far beyond teaching users what they should and shouldn't click on, what web sites they should stay away from, and where it is and is not safe to provide their personally identifiable information. It also extends down to your company's SDLC and releasing rock-solid code.
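The "output matches what was expected, but input was never checked" pattern described above is easiest to see side by side, so here is an added example (mine, not from the article or the post) of one of the Top 25 errors, SQL injection, in a small lookup function: the "before" version passes every test a results-only grader would write, yet the input can rewrite the query; the "after" version adds the boundary and input checks the post calls for and then binds the value as a parameter. The table, sample rows and the MAX_NAME_LEN bound are constructed for illustration.

```python
import sqlite3

MAX_NAME_LEN = 32       # assumed application limit for a user name


def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_email_before(conn, name):
    """The 'works for expected input' version: user input is spliced into the
    query text, so the output is correct in testing but the input can change
    what the statement means (Top 25: SQL injection)."""
    rows = conn.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()
    return [email for (email,) in rows]


def validate_name(name):
    """Boundary and input check: reject anything outside the expected shape
    instead of letting it reach the database or crash the program later."""
    if not isinstance(name, str):
        raise ValueError("name must be a string")
    if not 1 <= len(name) <= MAX_NAME_LEN:
        raise ValueError("name length out of bounds")
    if not name.isalnum():
        raise ValueError("name contains disallowed characters")
    return name


def lookup_email_after(conn, name):
    """Hardened version: validate first, then bind the value as a parameter so
    the database never interprets it as part of the SQL."""
    name = validate_name(name)
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()
    return [email for (email,) in rows]


def demo():
    """Run both versions against a normal name and a malformed one."""
    conn = make_db()
    malformed = "x' OR '1'='1"        # constructed input; not a valid name
    leaked = lookup_email_before(conn, malformed)    # every row comes back
    try:
        lookup_email_after(conn, malformed)
        rejected = False
    except ValueError:
        rejected = True                              # stopped at validation
    return len(leaked), rejected, lookup_email_after(conn, "alice")


if __name__ == "__main__":
    print(demo())   # (2, True, ['alice@example.com'])
```

Two layers are deliberately kept: validation makes the failure loud and early (a ValueError the caller must handle, rather than a silent wrong answer), and parameter binding protects the query even when some other caller forgets to validate.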
Recently, SC Magazine posted an article that quotes a report by Forrester Research which claims that security spending will be higher for both SMBs and Enterprises in 2009. This makes sense to me.
As businesses look for ways to cut costs across every department, security remains one of the most important IT matters, if not the most important, that they still need to be sure is addressed over the course of 2009. As such, matters like inbound spam, viruses, application-level intrusions, data leakage protection, web threats, archiving, and compliance will still need to receive top priority, because cyber criminals are not feeling the effects of a downturned economy the way everyone else is. Their efforts will not slow down, which means that businesses of all sizes need to be as diligent as ever. Organizations are looking to outsource some of the daily tasks that are outside their core competencies so that they can refocus their IT resources on the company's business objectives, typically at lower cost and more effectively than can be accomplished internally.
2009 will certainly be an interesting and exciting year for security as network and application threats become harder to detect and clean with existing technologies and businesses look for ways to protect their intellectual property. The definition of the "network endpoint" has become less and less clear as mobile and social networking technologies become the norm rather than the exception. This creates a large burden as companies try to come to grips with how much of their confidential, proprietary information is floating around freely on the web. As such, IT security spending will be a more prominent budget line item than in years past. If it isn't, then a company's level of risk increases exponentially.
On Saturday, Twitter posted this security alert on its web site to make users aware of a phishing campaign that was going around via Twitter direct message attempting to steal login information for the social networking site.
Phishing campaigns are certainly nothing new. So, what makes this interesting or different?
Phishing emails are certainly something we have become accustomed to in our inboxes and they are becoming more popular on personal profile pages on social networking sites like Facebook and Myspace. In the December version of the MX Logic Threat Report and Forecast the very first prediction we made for 2009 was an increase in (ab)use of social networking technologies by spammers and other cyber criminals.
Twitter presents a bit of an interesting twist because URLs posted to "tweets" (status updates posted by Twitter subscribers) and direct, private messages sent person to person are shortened using URL abbreviation tools like tinyurl.com and bit.ly. These types of services allow a cyber criminal to easily hide a potentially malicious or fraudulent URL behind the covers of a legitimate looking one. For example, a user could unknowingly be directed to a web site that silently injects a keylogger on their PC by clicking on one of these links. URL abbreviation tools can also be utilized to hide a nasty URL within the body of an email as well so this is not an attack that is solely abused by spammers using social networking technologies.
There is more to this potential threat than just the risk of redirection to a phishing site. Cross-site scripting and SQL injection vulnerabilities can also easily be exploited using this tactic if the vulnerability is exploitable via URL code injection. The malicious code can be hidden in the URL, compacted using tinyurl.com, then distributed in an email as a DDoS against a spammer's target.
For all the risk that sites like tinyurl.com and bit.ly can introduce, they certainly do have their place. Sites like monster.com, for example, sometimes create URLs that are extremely long when copied and pasted into an email, so abbreviating the link address is a great way to keep your message looking professional. As with all other online threats, diligence is of the utmost importance. Spam and phishing threats via social networking applications are still new territory in many regards when compared to email (for example), so many users do not think about the potential security ramifications that come along with using these technologies. That education is occurring rapidly, but it is also happening partly by necessity as more and more users fall victim to quickly evolving tactics on the part of cyber criminals.
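The preview-before-you-click idea that the Firefox plugin mentioned earlier provides, and that this post's discussion of shortened links argues for, comes down to following the redirect chain without loading the destination page. Here is an added example (mine, not a tool from the post or from any shortener) that follows Location headers with HEAD requests, one hop at a time, and then summarizes what the chain shows: whether a shortener was involved, where it finally lands, whether the final host is one the user expected, and whether the link quietly drops from https to http. The fetch function is injectable so the example runs offline against a constructed redirect table; the hostnames, paths and the "trusted" list are placeholders, and head_fetch is the only part that touches the network.

```python
import http.client
from urllib.parse import urljoin, urlparse

# Shortener hosts named in the post; others would be added here (assumed list).
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class RedirectError(Exception):
    """Raised on a redirect loop or when max_hops is exceeded."""


def expand(url, fetch, max_hops=5):
    """Follow Location headers one hop at a time without fetching any page body.

    `fetch(url)` must return (status, location_or_None). Returns the whole
    chain, starting with the short URL and ending at the final destination.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return chain
        nxt = urljoin(chain[-1], location)       # Location may be relative
        if nxt in chain:
            raise RedirectError(f"redirect loop at {nxt}")
        chain.append(nxt)
    raise RedirectError(f"more than {max_hops} redirects")


def assess(chain, trusted_hosts=()):
    """Summarize what the chain reveals so a person can decide before clicking."""
    first, final = urlparse(chain[0]), urlparse(chain[-1])
    return {
        "via_shortener": first.hostname in SHORTENER_HOSTS,
        "hops": len(chain) - 1,
        "final_host": final.hostname,
        "final_trusted": final.hostname in set(trusted_hosts),
        "https_downgrade": first.scheme == "https" and final.scheme == "http",
    }


def head_fetch(url, timeout=5):
    """Real HEAD request for interactive use (not exercised offline)."""
    p = urlparse(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.hostname, p.port, timeout=timeout)
    path = (p.path or "/") + (f"?{p.query}" if p.query else "")
    conn.request("HEAD", path, headers={"User-Agent": "link-preview-example"})
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location


# Constructed redirect table standing in for real HEAD responses; the hosts
# and paths are placeholders, not real sites.
FAKE_RESPONSES = {
    "https://tinyurl.com/abc123": (301, "http://twitter-login.example.net/verify"),
    "http://twitter-login.example.net/verify": (200, None),
    "https://bit.ly/jobpost": (302, "https://jobs.example.com/careers/listing?id=1"),
    "https://jobs.example.com/careers/listing?id=1": (200, None),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


def preview(url, fetch=fake_fetch, trusted_hosts=("twitter.com",)):
    """Expand a link and return (chain, assessment)."""
    chain = expand(url, fetch)
    return chain, assess(chain, trusted_hosts)


if __name__ == "__main__":
    for short in ("https://tinyurl.com/abc123", "https://bit.ly/jobpost"):
        chain, report = preview(short)
        print(" -> ".join(chain))
        print(report)
```

The assessment is deliberately a set of facts rather than a verdict: a shortener plus an unfamiliar final host plus an https-to-http downgrade is the combination that should make someone stop, while a shortener in front of a long but expected job-posting URL is exactly the legitimate use the post describes.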
According to this RWW (Read Write Web) article posted on Saturday, a recent cyber war simulation revealed that the United States is not equipped to handle a major attack against its computer networks.
This news is not new.
Other articles have been published (example from Signal Online here) about the vulnerability of the United States to a cyberterrorism attack, but we are not alone.
Be sure to understand that this is potentially not just a United States issue; it could be a world-wide issue. South-East Asia is vulnerable according to this article from DarkNet. Microsoft claims that Europe is also a likely target for attack. Siliconindia.com wrote last Thursday that India is also vulnerable to cyberterrorism. Many other countries surely are as well.
If such an attack were to happen (and to be honest, I am not entirely convinced that this would actually happen, but I am certainly not discounting the need for increased security awareness regardless of its potential effects either) on any of the major economies, its effects would be experienced at a global level.
One of the many items that Obama is being pressed on as he puts together his new administration is the creation of a National Office for Cyberspace that is headed by a new Cybersecurity Czar. I believe that this is a good idea if the right appointment is made, but neither that person nor the Cyberspace Office can act in a silo. They need to coordinate with other nations and create uniformity in establishing policies and procedures. An obvious question that then arises out of all of this is "Are the policies enacted by the National Office for Cyberspace going to be compulsory for Government Agencies or on the Finance, Telecom, and Energy industries only?" Secondarily, if these policies will also be required for small businesses and enterprises, what will be the cost to them?
The RWW article also asks the question on whether or not the White House is the right entity to be coordinating this effort for the United States. A good question considering their track record in addressing issues like spam via the CAN-SPAM act, which just celebrated its fifth birthday. Despite that negative mark though, I'll ask the question for discussion as to who else could coordinate this effort and achieve the necessary involvement from the EU, India, South-East Asia, et al? If there is such a group, let them step forward.
There are clearly a lot of questions that are as of yet unanswered and likely will not be answered for the foreseeable future. Here's to hoping that the Obama administration will be taking the cybersecurity initiative as a whole (not just from the cyberterrorism angle) seriously and that he also solicits the opinions and ideas of the security industry when making any decisions. We have a lot of ideas and recommendations that should be seriously considered.
It looks like Apple has finally changed their tune as it relates to using security software on their PCs and is now telling their users to make sure they have antivirus software installed. See article here.
This move was inevitable. At some point Macs would gain enough market share for them to become more of a target for hackers and cyber criminals. Most security researchers have been saying that for a long time, and I applaud Apple for finally coming to that realization also, even though it really should have been said some time ago. Now the Mac users who have long been saying that they don't need to worry about malware "because they run a Mac" really don't have a leg to stand on as even the manufacturer of their computer has come out and contradicted that claim.
From a timing perspective this announcement comes at a good time as well. As IT managers are working on their 2009 budgets, this is now something that they need to include as another line item to allocate money for early in the year. If your Mac does not already have some kind of antivirus software installed, the time is now to get it. Apple's personal computer market share continues to increase which means its prevalence as a target will also continue to rise. Don't be left holding the bag either as a personal Mac user or as a corporate user. Macbots are coming. iPhones and iPods will not be far behind.
*** UPDATE 12/2/2008 4:42pm MST *** So it looks like I need to recant a little bit. If you look at Apple Knowledge Base Article 4454, you notice the last updated date of December 2, 2008. This article was originally published back on June 8, 2007. Unfortunately, the existence of this article hasn't changed most Mac user hubris in their invulnerability to malware because the fact of the matter remains that many Mac users still don't use antivirus software on their machines. The time is still now to change that. A widespread Mac virus could be a devastating event!
Happy "Cyber Monday" - what is widely considered to be the official start of the online shopping season. After eating too much turkey, gravy, mashed potatoes, and stuffing on Thursday (and probably Friday, Saturday, and Sunday too!), then spending way too much time in line for Black Friday shopping deals that probably weren't worth getting up at 3am for, today is the first day back at work after the long holiday weekend. As such, today is also the day that many people start buying presents online.
According to comScore, spending on Cyber Monday has historically reflected overall holiday season spending. The question that I have though, "Is Cyber Monday relevant anymore?" Many retailers now offer the option, even on Black Friday, to order items via their web site to get the same deals. So, many of the specials that people were standing in line for on Friday could have been purchased online, at home, in your pajamas.
From a security perspective, Cyber Monday is the start of a season where we attempt to educate users as much as possible as it relates to being aware of the "too good to be true" deals that may arrive in your inbox and have typically offered a couple of pointers to keep yourself safe online:
-- Shop only with vendors that you already know and trust. Don't give your credit card information away to someone that you don't already have some kind of pre-existing shopping relationship with.
-- Avoid clicking on what appear to be links to legitimate web sites in an email or IM. If you want to go to the Land's End web site to shop, go to the URL directly. The link may actually go to a look-alike site setup solely to steal information.
-- Ensure that web sites that are accepting credit card information and/or that you have to log into have SSL encryption on the pages that are processing this data. This should be a given and a standard nowadays, but the lack of existence of encryption of your sensitive data should be your first red flag that your business should likely be taken elsewhere.
-- Look for seals from privacy enforcement organizations like TRUSTe and BBBOnline. Although this isn't a guarantee that a site cannot be compromised, cooperation with these organizations means that they do not ask for sensitive information like a social security number without explicitly explaining in their Privacy Policy why they are collecting it. So you can at least be certain going in why you are being asked for something that you wouldn't normally provide. You can then make an informed decision as to whether you want to take your business to another merchant.
These tips are not just important for Cyber Monday though. They are relevant to the entire holiday season and for the entire year. Sometimes with the rush and hurry to find the best deals for that must-have gift we let our guards down or think that it is too inconvenient to go through some of these extra steps. The question then comes down to, whether you want to take a few extra minutes to make educated decisions about who you are giving your credit card data to now or risk spending a lot more time trying to clean up an avoidable mess later.
Here's to a fun, safe, and secure holiday season. Cheers! :)
According to this PC World Article, spammers have started using political hacktivism by reaching out to keep voters from going to the polls during this election season. Emailed warnings have been sent to people in Maryland telling them that they cannot vote in the election if their homes have been foreclosed on. There have also been reports in Florida that emails have been circulating that your driver's license and social security information will need to match up with federal records in order to be able to vote.
I am certainly no political guru, but the thing that interests me the most about this is what is intended to be gained by spammers by employing this tactic? These emails have been sent out en masse and have not been targeted towards a particular party affiliation. So, it isn't like they are going out and trying to specifically keep Democrats or Republicans from voting in an attempt to steer the vote towards one candidate or the other. Either way, in this financially motivated underground economy, it isn't clear to me what a spammer would have to gain by spreading these types of messages. There is no proof at this time that these emails are in any way associated with either the Obama or McCain campaigns.
This certainly isn't the first time that email has been used to spread false political messages, but in many of those cases there has been a target or some kind of agenda associated with it. Barack Obama has been the social engineering lure used in a couple of spam and malware campaigns since the Democratic National Convention concluded, but those have been attempts to discredit Obama by associating him with non-existent online sex videos.
The long and short of all of this is, with one week to go until the election there are likely to be more email campaigns with similar political themes. It is also entirely possible that as users are visiting more and more political web sites to ensure that they are informed about all of the local issues that they will be voting on that some of those web sites may become compromised by cyber criminals. Compromise of legitimate web sites is becoming more and more common. So, be sure that your computer is up to date with all of its latest security updates and patches.
MX Logic is always looking to find out more about the folks we serve, so we can do a better job at helping to make life just a little easier for IT Managers the world over. To that end, we've just put together a simple, short survey for IT professionals that will provide a better picture of spam and email security concerns facing businesses.
Care to share your opinion? It will only take 2-3 minutes. Once we have enough responses, we'll share the results here on the MX Logic IT Security Blog.
Since I am not gone yet, and because I have had quite a few thoughts building over the past several days, I wanted to take a couple of minutes to talk about something that has given me a LOT of job satisfaction over the past few months. That is, the tangible fruits of a lot of effort to increase internal security awareness.
In the midst of the everyday chaos I do try to sprinkle in my personal thoughts about the importance of security awareness within your organization and the fact that no company is immune to the need for it, even though it might be well outside the focus of the company. Obviously, after a breach is certainly a great time to enhance whatever security measures that you might have, but one of my favorite lines as it relates to security (and this could be applicable just about anywhere) is "Perspective is good. Being proactive is better." In other words, don't wait for a breach to act. The damage is already done.
Information Security has always been a significant part of my role at MX Logic and at other companies where I have worked in different capacities. It's been a primary part of my role here for about the past one and a half years. During that time I have put a lot of work into internal education as well as implementation of best practice policies and procedures. As one would expect, there were some who grasped the concept immediately, understood what the end goal was, and were supportive from the word "go." Others were detractors and took a bit more work, either because they didn't truly understand the need for such a program or for security in general (it's much easier for me to do what I need to do if there are no restrictions!) or because they thought it was going to significantly impact the way that they do their jobs.
As in most organizations though, you are a custodian of more than just your own data or your own intellectual property. You are also responsible for the confidentiality, integrity, and availability of your customers' data. They are entrusting you to protect them, just as your executive team expects you to protect them as well as the company's IP.
Over the past few months, one of the things that I have noticed from an internal perspective is the increased awareness of security in just about every conversation or meeting that I am a part of. Feature planning discussions don't go by without a mention of the multiple security aspects associated with a particular new piece of functionality (and I am not always the one to bring them up!): how we are going to protect the data (not only from hackers, but from curious customers or someone who just accidentally stumbles upon something that they aren't supposed to be able to do/see), how we are going to protect the underlying infrastructure, and how we are going to maintain the feature going forward.
I can't express how satisfying it has been to hear these security related sentiments coming from other areas of the company. I still feel as if I am the one leading the charge, but my army of supporters has grown, and the supporters now outnumber the detractors to the point where the detractors have been forced to jump on the bandwagon or be left behind. I hope you all reach that same point as you go forward with your own internal security programs. It's a great rush and a sense of accomplishment that I hope every security professional gets the opportunity to feel.
According to this TechTarget article, Microsoft has a few tools that they recommend people use to address SQL injection attacks.
Don't be fooled by what is meant by "address" in this context. Let's be clear on what these tools do and what they don't do.
They DO:
-- Scan web sites and identify potential SQL injection vulnerabilities. Even Erik Peterson, a senior director of products for HP's application security center, states that Scrawlr (one of the tools identified) falls short of the functionality provided by many commercial tools.
-- Analyze source code for potential vulnerabilities; however, the source code analyzer that is recommended only supports ASP code written in VBScript.
Seems like we are quickly narrowing down the number of web sites these recommended tools will even function on.
They DON'T:
-- Provide protection against any attacks
-- Solve the real root of the problem which is ensuring programmers are following safe coding practices to protect the sites that they develop from SQL injection vulnerabilities.
If you use any of these tools that Microsoft is recommending, don't be lulled into the false sense of security that they can provide. As we can see, many free scanning tools have all kinds of limitations: they provide only the most basic of testing, or only work provided that very specific technology conditions and phases of the moon exist.
I am glad to see that Robert Westervelt, the author of the article linked at the beginning of this post, wrote up this clarification today. I like Robert and actually did an interview with him back in January related to PDF spam, which was posted to his blog, but I think his original article not only missed the mark, but could very well have generated a lot of confusion among junior security researchers and management folks on effective ways to detect SQL injection vulnerabilities.
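The root-cause fix the post calls for, shown as an added example (not code from the article, from Microsoft's tools, or from MX Logic): a string-built login query beside its parameterized replacement, run against a constructed in-memory SQLite table so it can be executed offline.

```python
"""Added example: why scanning for SQL injection is not the same as
coding against it. The vulnerable lookup is the pattern a scanner
flags; the parameterized lookup is the coding practice that removes
the bug. The user table and its single row are constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query: user input is pasted into the SQL text, so a
    quote character in the input becomes part of the statement's grammar
    and can change what the WHERE clause means."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the statement is parsed first and the inputs
    are bound as plain values afterwards, so no input can alter the
    statement. This is the 'safe coding practice' fix, not a scanner."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username: str, password: str) -> dict:
    """Run the same credentials through both versions and report the
    outcomes side by side, which is what a code review should compare."""
    conn = make_db()
    try:
        return {
            "vulnerable": login_vulnerable(conn, username, password),
            "parameterized": login_parameterized(conn, username, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed inputs: a correct login, a wrong password, and a wrong
    # password containing the textbook tautology that breaks string-built SQL.
    for creds in [("alice", "correct horse"), ("alice", "wrong"), ("alice", "x' OR '1'='1")]:
        print(creds, compare(*creds))
```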
Last week I had the privilege of attending the 13th General MAAWG Meeting in Heidelberg, Germany (I serve as the co-chair of the Zombie/Botnet Subcommittee with my friend Ken Simpson from Mailchannels).
The MAAWG conferences are a great opportunity to meet and talk with some of the best minds in the anti-spam industry, discuss anti-spam tactics, operational best practices (what works and what doesn't), how to be a responsible ESP, and many other topics. Although MAAWG is largely run by ISPs, its mission is also to bring together email senders and email receivers in a collaborative environment where both sides can work out best practice solutions so that senders can achieve better deliverability rates at the large mailbox providers, a constant struggle for ESPs.
If you are a messaging vendor or provider (and this includes both email filtering vendors and email senders) or an ISP, you are doing yourself a disservice by not becoming a member of an organization like MAAWG, where ideas, practices and upcoming threats are shared that you will very likely not hear anywhere else.
This has been an unpaid advertisement :)
Before I close, I'd be remiss if I didn't bring up something security related in this post. So, I am standing in the security line at Denver International Airport about to go through the metal detector when the guy who was working behind the conveyor belt asks me and the woman behind me the standard "Any liquids, gels, or aerosols in your bag?" before our bags went into the X-ray machine. I just look at him and say "No", but the woman behind me responds with "Not that I know of." Apparently this set off the ire of the TSA worker, who immediately responded with "Not that you know of?! Don't you know what is packed in your bags, ma'am?" I'd never seen a TSA worker move so fast, but her bags were immediately yanked off of the conveyor, she was pulled out of line, and then was escorted by 2 TSA workers to wherever they take you, likely to inspect every minute crevice of her bag.
For all of the flak that the TSA gets for either bad procedures or lack of attention to detail, you would think that as travelers it is also our responsibility to know the basic responses to the simple questions security officers may ask. The questions are neither tricky nor confusing. I guess this woman had to learn the hard way...
According to this article posted at PC Pro, ScanSafe says that remote employees are more than twice as likely to be surfing porn than employees who work in the office.
This is not a surprising stat as telecommuting takes a level of discipline on the part of the teleworker that is far and away greater than office-bound employees. What is surprising to me is that companies are ALLOWING this type of web surfing to be taking place on their corporate computers!
Porn sites are one of the biggest security risks out there. Porn sites commonly install malware, adware, tracking cookies, and other security risks that could cause a security breach to your organization.
In most cases you want to use technology as an enabler for employees to be as efficient as possible, particularly your remote employees, who are frequently less scrutinized because most of management's attention is focused on the employees that are in the office every day. This, however, is one of those instances where technology needs to enforce the policies of the organization so that the company can protect itself and its intellectual property from compromise and disclosure. Data leakage as a result of inappropriate employee web surfing and irresponsible organizational content filtering policies is one of the easiest insider threats to mitigate. Companies should be doing everything that they can to ensure that this is not an avenue of information disclosure.
For everyone in the United States, I hope you and your families had a wonderful Thanksgiving holiday. For those outside the US, I hope you had a productive second half of last week.
And so the holiday shopping season has begun. The Black Friday early morning deals are over. I didn't go out this year, but did last year and have to admit, it was kind of fun despite the chaos.
Last year I went to a Kohl's department store in search of a kitchen mixer that my wife really wanted (it was on sale from $300 down to about $160). So, I got to the store about an hour before it opened and the foyer area was already packed. I was still able to find a little space to squeeze in though, which was nice because it was pretty darn cold outside. Anyway, 5am came, the doors opened and the mad rush began. The hot item was a personal DVD player which was on sale (after rebates) for about $50, down about 75% or so from its regular price. There was a huge display of boxes of DVD players about 50 feet from the door and as soon as the doors opened people ran towards them like they were going to get an opportunity to touch their favorite rock musician. It was almost cartoon-like watching not only people fighting over these boxes, but watching the boxes fly all over the place as people tried to grab them. It truly was something to behold. Thankfully most people weren't there for the mixers so I was in and out of the store in about 7 minutes. Not bad to save $140!
Anyway, I digress...
Coming up on Monday is the single largest *online* shopping day of the year, thusly named Cyber Monday. On Cyber Monday 2006 (November 27th) people spent $608M online, according to comScore Networks. That was a 26% increase over the 2005 figure of $484M. The 2007 figure is expected to be higher than the 2006 figure, but perhaps not by as large an increase because of the economic ups and downs of the past year.
Why is this a security issue? Many people will be doing not only their Cyber Monday shopping, but also a good amount of their total holiday online shopping, from their computers at work, taking advantage of faster online connections than they have at home. Depending on who you read, anywhere from 45% to 75% of people will do some amount of online holiday shopping while at work.
Online safety should be of paramount concern during the holiday season. $608M of online spending in a single day is too large a number for criminals not to try to get a piece of the action. As aware as you need to be of threats on the internet (like phishing) during the other 47 weeks of the year, the 5+ weeks of the holiday season present the biggest risk of fraud.
To help, here are some tips to follow during the holiday shopping rush (they really aren't any different than the rest of the year, but require extra diligence during the holidays because people are often in a rush to buy items quickly and easily online and don't always pay attention to the warning signs):
-- Shop only at retailers you know and trust, just as you would if you were shopping in the local mall. Also, if you want to visit that retailer's web site, type their URL directly into your browser. Don't follow links in marketing emails, as such an email could direct you to a fraudulent site set up to look like the real one.
-- Look for security indicators. All legitimate retailers should protect your confidential information (even your login to their site) with encryption. Make sure not only that the little padlock that indicates encryption appears in your browser window, but also that the site the security certificate is registered to matches the site you expect to be buying from. If it doesn't, treat that as suspicious.
-- Do not shop from public Wi-Fi hotspots. Many of these networks employ either no encryption of your data or very weak encryption, leaving you open to potential identity theft.
-- Do not use public computers, or any computer you are not familiar with, to do your online shopping. Web browsers often store information entered into web forms for easy reuse later. Someone could easily walk up to one of these computers, go to a couple of common shopping sites and start writing down whatever information they can find.
Holiday shopping is supposed to be a fun time of year, but it also can be very hectic and stressful at the same time. As such, make sure that in your haste to find the best deals and the right gifts you also keep sensible browsing and shopping habits in mind. For all of the conveniences and speed that the web brings to holiday shopping, it also brings many potential risks.
In the past few postings we have covered why you should seriously consider implementing a Security Awareness Program, what the goals of a successful program are, and some of the challenges that many face when putting this program in place. As a wrap up to National Cyber Security Awareness Month, today's final installment will focus around how to go about implementing a successful Security Awareness program within your organization.
As a disclaimer before we go into specific detail, let me first point out that there is no "one size fits all" solution to implementing this type of program. Each program will need to be tailored to fit within your company culture and to merge well with the work habits of the other employees. If your new security policies introduce unnecessary process, are poorly outlined/conveyed, or make people less efficient, they will be rejected.
First and foremost, before you do anything else when putting together your SA program, make sure you have executive approval for it. Put a presentation together which outlines some of the things that we have spoken about here in the past month and make a good business case for why your company needs to prioritize SA as an important company initiative. If you go forward without this approval from the beginning you will end up either redoing a lot of work to make the program fit executive direction or it will be shot down outright.
The next item that will ensure the success of your program is the development of meaningful security metrics. Once you have the program in place, it will be important to be able to justify its successes (and also to point out what areas still need work). Create metrics that are easily measurable, preferably automatable, and have an achievable target. Once that target is consistently reached, change your focus and start collecting metrics on other areas that need improvement. A successful metrics program should be agile enough to change what is being tracked so that you are reporting on areas that are currently being improved. If all of your metrics always show 100%, then they are not showing continual process improvement; they are only showing what has already been successfully implemented across the company.
Be sure to have regular (Monthly? Quarterly? Whatever works best for you) checkpoints with internal stakeholders to determine if they have any needs in supporting the mission of your SA program. If they need additional tools or training, be sure to provide them. If other managers do not feel as if they can implement your program successfully within their group for whatever reason, they likely will not do it.
Always remember that you need complete buy-in across the organization in order for your program to succeed. That isn't just at the manager level. All employees need to buy in. It only takes one person not participating, and that person can be responsible for a major security leak or information breach.
The most important thing to remember is that security is a journey, not a destination. Continual communication and education will be necessary in order to assure the continued success of your program and to make sure that it remains a high priority for everyone.
Best of luck implementing your own SA programs. It can be one of the most difficult, yet also one of the most rewarding tasks to undertake as a security professional as you see your efforts begin to bear fruit. Missteps along the way are certainly not failures, rather opportunities to learn and grow!
Earlier this month we discussed why a Security Awareness (SA) program should be implemented followed up by a discussion on what the goal of such a program should entail. Let's take a brief look at the opposite side of the coin today and discuss some of the challenges that are likely to be encountered when implementing your SA program.
The immediate first question in the mind of anyone who is working on a program such as this would likely be "Why would I have any challenges? Everyone should know how important security is. Don't they read the news? There are new security breaches and more compromised data every day!" That very well may be true, but they may not understand how that applies to them, why it is important to them, or why they should care. Not to mention that any SA program needs to fit well into the corporate culture and structure of the organization in which it is implemented. In other words, SA programs are definitely not a one size fits all solution.
Here are some suggestions that I believe will go a long way toward making the rollout of your SA program a success:
-- Deliver a consistent message about the importance of Information Security. If you are inconsistent, then people will be confused about what you are really trying to accomplish.
-- Convince users to develop and maintain safer computer usage habits. This includes education about what types of web sites are generally safe to visit and which are not, not opening email attachments from people they don't know, and making sure they have up to date security software on their computers (anti-virus and outbound firewalls). It's really about changing the way your users think so that they think twice about clicking that email/IM link or opening that attachment.
-- Motivate users to take a personal interest in Information Security. Make sure they understand that they are part of the process and that the success of the program really relies on them. It only takes one person not actively taking part to potentially introduce an organization wide security or information breach.
-- Give end user security awareness a higher priority within the organization. Make sure though that in doing this you aren't making it more difficult for people to do their jobs. A well drawn out SA program will actually make people more efficient. If it makes them less efficient, they will reject it.
-- Develop materials that deliver a clear message about security topics. Hang posters about security or give brown bag presentations that show stats on the success of the program. Also, be sure people understand the potential risks if those policies aren't followed. Continuous education is key!
I can't say it enough, but the success of the program ultimately depends on the willingness of the users to follow it. If the message is not clear, consistent, and efficient, it will not be adhered to and you will find your job very frustrating. The best security programs fit like a puzzle piece into the culture of an organization so that it is easy to understand and easy to follow.
Now that we have all of the administrivia out of the way, tune in next time when we will discuss how to actually go about getting started putting together your SA program.
I've been at the 11th General Meeting of MAAWG in Washington, DC for the past few days. I can honestly say that this, my 8th MAAWG conference, is the best one that I have been at yet. In addition to MAAWG members, representatives from the London Action Plan (LAP) and the Contact Network of Spam Authorities (CNSA) were also invited. Having all of these groups at the conference provided some great insight and perspective as to law enforcement and anti-spam efforts in the UK and the EU. There are some invitation only meetings between MAAWG, the LAP, and the CNSA on Thursday which I am hoping will lead to action items for continued cooperative work between the organizations as we move forward.
So, in keeping with the theme of the month today's topic is understanding the goals of a successful Security Awareness Program. We've already discussed why organizations of all types need an SA program, so now that you understand this, the next logical step is to understand what the goals of that program should be. If you go forward with implementing a program without a clear goal in mind, it will surely fail.
One of the most important things to remember about implementing an SA program is that security is a journey, not a destination. There isn't a point where you finally say, "We're here" and stop. The process of your SA program needs to continually evolve and change to meet the needs and requirements of your organization.
The end intent (your goal) is to create an overarching security posture in which a thorough assessment of risk and potential security issues becomes a larger part of corporate decisions and initiatives.
So, how to achieve this goal? There are 4 main steps:
1. Build interest in Security Initiatives Internally
In the end everyone has to be on board with whatever security initiatives are enacted. In order to make sure everyone is on board, the implementation must not take away from someone's ability to do their job efficiently. Additional burden means additional resistance. Even just one person who decides to undermine the integrity of your security position can cause a breach of confidential information of any kind.
2. Educate! Educate! Educate!
Make sure that employees understand not only what policies and procedures are being implemented (and where they are posted on your corporate intra/extranet) but why they are important and why they should care. Policies that are not understood are less likely to be followed and less likely to receive continuing management support.
If done properly, good security procedures can actually make you more efficient!
3. Communicate! Communicate! Communicate!
Regularly follow up on implemented procedures to make sure that your SA program is not "set and forget." Remember, this needs to be a process that evolves as regularly as your business does. Otherwise its policies and procedures will become out of date and irrelevant, which leads to the policies not being followed.
4. Repeat
Start back at Step 1 and do it all over again! This is the best way to reinforce the program and its importance to the organization. It's easy to forget something you hear just once. It is also easy to lose the sense of urgency if the program is not regularly followed up on and reinforced. Continually repeating these steps will not only show continued urgency and support from the organization, but will give a better chance that your SA policies become ingrained in your corporate culture at all levels.
MX Logic has announced that we will be joining the National Cyber Security Alliance (NCSA) to actively promote awareness of internet safety and security issues in conjunction with National Cyber Security Awareness Month (NCSAM) during the month of October.
As such, I have pledged to devote a series of blog postings this month to assist with the development of a Security Awareness Program within your organization.
Before we get into the meat and potatoes of developing a Security Awareness (SA) program, the question one must first answer is "Why should I implement a security awareness program? Aren't security programs for the Techies?" This is an excellent question, especially for organizations who might not be anything Information Technology related.
The answer to that question is that no matter what field you are in, security should be a part of your organization. Security doesn't just mean making sure someone doesn't hack your web site or that your computer doesn't get infected with a virus. The concept of corporate security also involves physical security of your office as well as data that you might be storing there.
Let's use a car repair shop as an example. Should they be concerned about security? Absolutely! We'll put aside for the moment that a car repair shop may have thousands of dollars of inventory sitting right in their main lobby area (tires and the like); from a thief's perspective, the real money is in the customer records. A car repair shop has customer lists with customer names, addresses, phone numbers, and potentially credit card numbers. If this information isn't properly secured by the shop, your personally identifiable information could be at risk.
As organizations, who are we trying to defend ourselves against? From a technology perspective there are virus writers, hackers, spammers, etc. Those are a given. Data and physical property thieves are also a risk. What are companies doing, though, to protect against their internal employees? As much as you want to believe that everyone who works for your organization is there to advance the progress of the company, a 2006 E-Crime Watch Survey reports that insiders were responsible for 27% of all security incidents. In other words, more than 1 in 4 security incidents (either accidental or intentional) were the result of an employee at a company obtaining access to information that they shouldn't have had access to.
Why is that? For starters, it is easier for an insider to get information. The higher up you are in an organization, the more critical data you likely have access to as part of your normal network access levels, which means that the potential risk you pose to the company is also much higher. Why break into the house to steal the jewels when you are already in the bedroom?
Over the next few blog entries we'll go into some more detail on what the goals of a successful SA program should be, some of the inherent challenges that come along with the implementation of such a program as well as steps that you can take to start implementing a security awareness program at your organization. Different types of companies have varying requirements for security (Do you have servers? Do you accept credit cards? etc), but the discussion can certainly be made general enough to apply to everyone.
Hopefully over the rest of October the information that is presented here will be of use to you and will help jog some thoughts of your own on how a security awareness program could work for you.
The National Cyber Security Alliance (NCSA), a consortium of government agencies and private industry sponsors, is proud to designate October 2007 as National Cyber Security Awareness Month (NCSAM).
National Cyber Security Awareness Month is a national campaign designed to increase the public's awareness of cyber security and cyber crime issues so that users can take precautions to avoid these threats on the Internet.
--------------------
So throughout the month of October I will focus my blog postings on not only Security Awareness, but points to consider when implementing a successful security awareness program in your organization.
Stay tuned for more to come over the next few weeks. I hope you all find the information useful!
The Computer Security Institute's annual Computer Crime and Security Survey reports that insider attacks are now surpassing computer viruses as the most common cause of security incidents within organizations. It also says, however, that the losses incurred are not significant. The fact that insider threats have surpassed viruses in prevalence makes sense to me, but the argument that the damage is minimal does not. Companies have been fighting the virus wars for years now. Granted, insider espionage has been a potential issue for much longer than computer viruses have, but it has generally not received the same level of attention.
It is estimated that a little less than one third of all security incidents are the result of an insider, whether the incident was a result of malicious intent or an honest mistake. What is not accounted for here, however, is the ease with which insiders can obtain potentially damaging company confidential information. Some users have access to it by default as a result of their position within an organization. Others gain access by finding security weaknesses within the company's infrastructure. Either way, I believe that the reason companies are saying that the resulting losses from the insider threat are not the biggest cost is because they don't know how to estimate the damage.
Do they know how much data was really altered/copied/deleted? Do they have a good idea as to how much that data is really worth? Are the values being underestimated because they don't want to lose face in their respective industries? Do they not want to give their competitors ammunition to use against them? Do they not want their customers to lose confidence in them as a provider of a good or a service?
I think all of those are valid points to consider, but the real question at the root of the entire issue is not "Will you have a security incident?" but rather "When will you have a security incident?", and are you equipped to respond?
We generally spend so much time trying to make sure that the bad guys can't get in from the outside, but we need to also consider the possibility that they are already "in" and have been for quite some time.
Do not underestimate the insider threat and the ease with which insiders can cause damage to your organization. Chances are that someone who may cause either inadvertent or intentional data leakage/deletion already has access to the information they need...they don't have to break in or be sneaky to get it.
Another part of my role here at MX Logic in addition to being in charge of our Threat Research group is that of our security officer. This includes not only security education, but also implementation and enforcement of our internal security policies and procedures.
One of the things that I have been putting a lot of thought into lately is the security implication of telecommuting. Telecommuting is becoming much more commonplace among many different types of organizations now that more and more companies are adopting mobile computing practices. This often comes at the cost of security, however. In an effort to make employees more productive when they are away from the office (either traveling or working from home), the security implications of opening up your network in this way are not always considered...or if they are considered, they are set aside in exchange for getting more out of your workforce.
So, what's the big deal? So what if Jane wants to work on her desk PC at home when she telecommutes instead of using her laptop?
There was an article posted recently on darkreading.com that said that 94% of Federal CISOs do not believe that telework/telecommuting programs are a threat to security. It also stated that 83% of Federal CISOs are "interested" in mobile endpoint certification for compliance with the Federal Information Security Management Act. Being interested means that they aren't doing it yet, but think it is a good idea.
These numbers don't add up to me. How can you not be concerned about the security implications of telecommuting, but at the same time haven't even certified that your own equipment is in compliance with your own Information Security Management Act?
Let's discuss some best practices that companies can use when implementing a work from home policy:
-- Set up access control so that only company-authorized PCs are allowed to connect to your VPN. If Jane has been connecting her work laptop to her own unsecured home wireless network or to the local Starbucks Wi-Fi network, you still can't guarantee that she won't spread a virus across your corporate infrastructure, but you have more control over that PC than you do over Jane's home PC that she shares with her two teenagers.
-- Implement as many defense-in-depth strategies on your company PCs as possible. This includes at least one anti-virus product and some kind of Host-Based Intrusion Prevention System (HIPS).
-- Disable ports on the PC which allow users to plug in external storage devices like USB drives. Not only are these devices handy if someone wants to steal your corporate secrets off of your corporate intranet, but they are an easy injection point for malware.
-- Turn off the wireless radio when the PC is going to be hard wired to the network. It will prevent accidental connection to a potentially rogue wireless network. A nice side effect is that it will also increase battery life on a single charge, since the radio is such a drain on the battery when it is on.
As with anything technology related, technology solutions are only part of the answer. User education is also a large piece of this pie. One of the most important jobs of a security officer is security awareness and making sure that security is part of the consciousness of every employee at an organization. It is one thing to put policies and technology in place which enforce security, but it is another entirely to make sure everyone in your company is also aware of those policies and knows and understands how to follow them. The backend technology should be in place to enforce those policies, but it is the end user's responsibility to try not to put themselves into a vulnerable position, and that is done through education, education, and more education.