Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.
What follows is a summary of my discussion with Amir Lev, the President and CTO of Commtouch, concerning image spam: what it is, why it exists, how to stop it, and what he believes will be the next wave of threats to hit our inboxes.
What exactly is image spam?
A lot of spam messages contain images, but the term image spam refers to messages that have all their spam content contained in the image. While in some cases spammers will add random text to the message above or below the image, this is designed to fool anti-spam filters. But usually we refer to image spam as spam whose content is entirely in the image.
When did spammers first start using image spam and why?
Images have been contained in spam for a long time but this type of image spam that we relate to started in 2005. We’ve seen the first seedings and tests done by spammers beginning in 2005. At the end of the year during Nov. and Dec. of 2005 they started a massive distribution of image based spam. During the beginning of 2006 it came up to the level that it is now at which is about 20 or 25 percent of all spam.
Why is most image spam telling me to buy penny stocks?
Most products and services that are promoted via spam contain hyperlinks because they want you to go online and register for a service or download something or buy something. Once they contain a hyperlink, it’s easier for anti-spam filters to track them down by the hyperlink, or the URL contained in them, rather than by the image. So, if you didn’t have an anti-spam filter, you would probably see a lot of image spam that is not only promoting penny stocks, but it’s the penny stocks that do not contain hyperlinks and only want you to buy stocks, so this type of spam is getting through the filters where the others are stopped.
Why has image spam been so successful at getting through anti-spam filters?
Mainly because most of the anti-spam filters are content related. One way or another they are doing lexical analysis, or trying to look for words or symbols like mortgage or Viagra, etc., in order to know whether a message contains spam. But once all the text is converted into an image, those filters cannot cope with the image anymore.
What are some of the problems that image spam creates?
The first and biggest problem is lower detection rates. If the anti-spam filters could have handled the image spam, that would have been great, but image spam makes it through more than other spam.
The second thing is that image spam is much larger in size than regular text spam. They are five to eight times bigger, which means that all the resources (bandwidth, disc space, archival) are much bigger. If you just take 2006, where 25% of spam was image, and because there was also more spam, then just during 2006 the demand for bandwidth and disc space used by spam was three-fold because of image spam.
How do most companies stop image spam?
The most natural solution would be OCR, or optical character recognition, which is trying to take image spam and convert it back to text because most of the filters know how to handle the text. The problem with using OCR is that it needs a lot of resources. If you take an ISP that gets hundreds of thousands of messages a second, it is very hard for an OCR engine to handle images that fast, so a lot of the OCR solutions are not good enough for ISPs or large organizations.
The second thing is that spammers are smart enough to know that anti-spam vendors would use OCR, so most of the tricks they use today are in order to fool OCR engines as well. So OCR is the most natural solution but a very problematic one.
Some other engines or solutions try to work around it like adding a heuristic saying if you get a message from someone you don’t know and it contains an image then block it, but of course this would result in a lot of false positives.
How does Commtouch detect image spam?
Commtouch works in a different way. We have no content analysis in any way, and for us image spam is just like any spam. The way Commtouch detects spam is by looking at the fact that all spam, by definition, is massive, it comes in bulk, and we’ve found a way to look at the traffic on the internet and find recurring patterns of messages on the internet. It’s kind of a mathematical, algorithmic way that finds patterns of messages that repeat themselves on the net, and this specific pattern is used to block the next messages.
We don’t care what the content of the message is, it can be an image, it can be textual, it can be any language, it can be in Chinese or Japanese, as long as it repeats itself we can find the pattern and block it.
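The recurrence-based, content-agnostic approach Lev describes, as an added illustration (constructed example, not Commtouch's code; the Message type, the fingerprinting choice, the sliding window, the threshold and the allowlist of trusted bulk origins are all assumptions):

```python
"""Bulk-pattern detection for image spam: count recurring message patterns
instead of analysing content. Constructed example, not Commtouch's code."""
import hashlib
import re
from collections import Counter, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Message:
    origin: str                    # sending host (a botnet member, a relay, ...)
    text: str
    image: Optional[bytes] = None  # raw bytes of an attached image, if any


def fingerprint(msg: Message) -> str:
    """Reduce a message to a content-agnostic pattern key.

    When an image is attached, only the image bytes identify the pattern, so
    the random filler text spammers put above or below it does not change the
    key. Text-only mail has whitespace and case normalised before hashing.
    """
    if msg.image is not None:
        return "img:" + hashlib.sha256(msg.image).hexdigest()
    norm = re.sub(r"\s+", " ", msg.text).strip().lower()
    return "txt:" + hashlib.sha256(norm.encode("utf-8")).hexdigest()


class BulkDetector:
    """Count pattern recurrences over a sliding window of recent traffic and
    block a pattern once it is clearly being sent in bulk from several
    origins (the botnet distribution the interview describes). Window size,
    threshold and the allowlist of legitimate bulk origins are assumptions."""

    def __init__(self, window=10_000, threshold=3, allowlist=()):
        self.window = window
        self.threshold = threshold
        self.allowlist = set(allowlist)
        self._recent = deque()     # fingerprints in arrival order
        self._counts = Counter()   # fingerprint -> occurrences in the window
        self._origins = {}         # fingerprint -> set of origins seen

    def observe(self, msg: Message) -> str:
        """Record one message and return the verdict: 'deliver' or 'block'."""
        fp = fingerprint(msg)
        if len(self._recent) >= self.window:   # evict the oldest observation
            old = self._recent.popleft()
            self._counts[old] -= 1
            if self._counts[old] <= 0:
                del self._counts[old]
                self._origins.pop(old, None)
        self._recent.append(fp)
        self._counts[fp] += 1
        self._origins.setdefault(fp, set()).add(msg.origin)
        if msg.origin in self.allowlist:       # e.g. a newsletter the site opted into
            return "deliver"
        # "bulk" = the same pattern recurring from more than one sending host
        if self._counts[fp] >= self.threshold and len(self._origins[fp]) > 1:
            return "block"
        return "deliver"


def run_demo() -> list:
    """Constructed traffic: five infected home PCs send the same stock-tip
    image with different filler text, interleaved with an ordinary personal
    mail and an allowlisted newsletter that is also sent in bulk."""
    pitch = b"GIF89a\x00\x01\x00\x01BUY XYZQ NOW"   # stand-in for an image body
    bots = [f"home-pc-{i}.example.net" for i in range(5)]
    stream = [Message(bots[i], f"lorem ipsum {i * 7919}", pitch) for i in range(5)]
    stream.insert(2, Message("mail.example.com", "Lunch tomorrow?"))
    relays = ["relay1.example.org", "relay2.example.org"]
    stream += [Message(relays[i % 2], "Weekly digest") for i in range(4)]
    det = BulkDetector(threshold=3, allowlist=relays)
    return [det.observe(m) for m in stream]


if __name__ == "__main__":
    print(run_demo())
```

The third copy of the image is the first one blocked; the newsletter recurs just as often but is delivered because its relays are allowlisted.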
Spammers have proven to be incredibly adaptable. What’s the next trick you think spammers are going to use?
We can look at two things. First of all the format of the messages as well as the distribution methods they are going to use. The main way to distribute spam today is with botnets, which are innocent infected computers, usually home-users, and spam is being sent through the botnets, and those computers do not belong to the spammers so in fact their resources are unlimited. They don’t care about the CPU, the bandwidth, as they are using somebody else’s resources. So this allows them to send more image spam and I believe if they want to move a step forward and do audio-spam or video-spam that will probably generate a higher click-through rate which is important for them as well.
So I think using more formats of spam is something that we will see soon. But the other thing relates more to distribution: one of the biggest trends in anti-spam today is sender authentication. There are many efforts on the internet to stop messages if they do not come from the person that says they sent the message. So if sender authentication efforts continue to be effective, spammers will have a harder time sending random addresses than they do today.
And I believe that one of the things that they will do is that the infected machines will start sending messages that look like they are from the owner of the machine. So it might be spam injected into person-to-person messages or spam injected into valid newsletters that will come from the person who should have sent it but will now come with added spam. This is much like viruses used to be distributed before.
It is only business for them today, and if there’s business they have enough money to invest in new technologies. And one more thing we’ve already started seeing are the blended threats. Spam is not a stand-alone today, it’s being sent by the same people who send out viruses. They can use the same zombie machine to do distributed denial-of-service attacks, etc.
According to Brian Krebs's Security Fix, cybercriminals are exploiting a number of security vulnerabilities in MailEnable, an email server program offered by many large Web hosting companies.
Over the past several months, MailEnable has released a half-dozen patches to try to fix vulnerabilities that allow hackers to totally hijack a user's system. But apparently many MailEnable customers are either not registered, and are therefore not receiving the update notices, or are simply ignoring them.
Lawrence Baldwin, chief forensics officer for myNetWatchman, said, "We are seeing hundreds of mail servers getting compromised via the rash of MailEnable vulnerabilities that have been discovered and announced in the last few months."
Baldwin and his company are often contacted by people after an ISP has blocked them because of spamming. myNetWatchman does provide a program that checks firewall logs and will alert you if your system shows signs of being compromised.
And as evidence that hackers and cybercriminals are joining forces and sharing information, the code showing how to exploit MailEnable has been posted on several high-profile hacker sites. Baldwin continued, "We could actually see that the miscreants became aware of a new vulnerability in early to mid January, had a full month of ravaging and pillaging MailEnable systems" before a patch was released.
Besides using hijacked systems to send spam, the cybercrooks are also using code to steal passwords from systems. That includes spying on Microsoft Windows remote desktop protocol (RDP) traffic to snatch passwords from anyone who logs on remotely to administer their mail servers.
The hackers also seem to be planting malware that enables them to crack encrypted Windows system passwords. Why would they do that when they already have control of the system? Very simply, many Web hosts using MailEnable also put a number of systems on the same Windows Active Directory domain using the same password to remotely configure the machines. Thus, steal one password, and you can control all of the hosting company’s mail servers. Sounds like a botnet to me.
The prevalence of this exploit directly correlates to the number of botnets, which Shadowserver.org says has tripled in the past three weeks alone. Unfortunately, servers will continue to remain compromised even after applying the MailEnable updates, as the exploit works through the Windows logon process, which is quite difficult to repair.
"I think the hackers' intentions have been to collect as many login accounts or authentication mechanisms to the compromised machines as they can, so that even after the infection is cleaned up, they can still get back in," Ron Bradburn, director of engineering for Vancouver, Canada-based Peer 1 Dedicated Hosting, said.
Peer 1 offers back-up services that help customers recover from such intrusions, but many don’t choose that route. For them, the only safe way to recover from such an attack is to reinstall the operating system on the Web host.
According to the Anti-Phishing Working Group’s most recent report, phishing websites and crimeware are at record levels. Also, for the first time, ISPs replaced the retail sector as the second-most targeted group, although both are still far behind financial services.
From an article I found at Dark Reading, the APWG recorded 29,930 phishing attempts worldwide in January, a 25 percent increase over December’s 28,531. One bit of good news, though, is that the number of phishing sites dropped slightly, as did the number of imitated brands.
"You're getting a diversification of strategies by phishers, mostly because of anti-phishing techniques" cramping their style, says Adam O'Donnell, senior research scientist for Cloudmark. "By diversifying, they can distract and bait the [phishing] analysts and get into more fertile phishing grounds."
The Storm worm was an example of cybercriminals diversifying their malware. The worm created hundreds of mutations over just one weekend, and also had auto-update features built right in. "If you're able to release a virus that gets in the wild and makes an impact before" antivirus engines map it out, the attacker wins, he says. "This is a huge trend in crimeware."
Also, password-stealing malware went up from 340 apps in December to 345 in January. The APWG found that Brazilian-based malicious software developers were now using Web Attacker, a wildly popular toolkit from Russia. This confirms the reports that crimeware groups are globally collaborating.
Social networking and gambling sites also saw more hijacking attempts than ever. Experts say this is only likely to increase as cybercriminals discover more ways to collect money from the information gained on those sites. This is especially true of MySpace, which, while it doesn’t have financial data, may have data that can be used for more social engineering schemes.
Finally, trojan “redirectors”, or those sites that redirect a user’s web traffic to some other, more malicious location by changing hosts files or other DNS-based info, are also on the rise. Most alter DNS settings or hosts files to redirect the user to a fake DNS server, and the user is unlikely to be able to tell the difference.
This seems to follow the simple and inevitable trend that, as more and more criminals realize that, at least here in New York City, street crime gets harder and harder to pull off without getting caught on some video camera or other, the ease of online fraud just keeps pulling them in.
The following is a summary of my podcast with Alex Bakeman, Chairman and Founder of Ecora.
Current data security compliance laws.
Sarbanes-Oxley, which is for public companies; GLBA, which primarily affects financial companies; PCIDSS (Payment Card Industry Data Security Standard), which has come out of the major credit card brands and primarily affects every organization that processes credit cards; FISMA (Federal Information Security Management Act of 2002) in the federal government; so it’s a long and growing list of regulations and security standards.
Are companies currently meeting the standards of protecting sensitive information?
Unfortunately not. Just about every day we’re hearing about a new security breach. Most companies are taking a very reactive approach instead of being proactive.
The problem is people’s personal information is at risk. Identity theft is at an all time high and that is the reason so many new regulations are coming forth.
How would Ecora have helped the recent highly publicized security breach at TJX, which owns TJ Maxx stores?
If TJX took security seriously they would have been compliant with the PCIDSS security standard which has been around since 2005. As part of the compliance process they would have used Ecora Auditor to scan their IT infrastructure as well as their databases and operating systems and discovered points of vulnerability.
Explain the “insider” threat problem with sensitive information.
Companies have done a really good job for the most part building perimeter security: putting firewalls in place, creating intrusion detection, creating antivirus protection. But what has been really missing is a focus on people inside the company, many of whom have high access, very privileged access to critical data, i.e. system administrators, people in the financial group; unless organizations take steps to secure critical data systems that these people have access to, the internal risk of someone being unhappy with a company and then taking advantage by exploiting that information, stealing that information, selling that information is very high.
If you look at some of the most publicized and very expensive security breaches, in almost all of them there was an insider who was crucial to that event taking place.
How does visualizing and automation solve the problem of the growing security threat of system complexity?
The fundamental problem is we’re dealing with very complex IT systems. Compare just 10 or 20 years ago what a typical IT system looks like to what it looks like today – there are many more devices, complex network connections, databases, applications, application enablers – just the amount of technology has expanded dramatically. Each piece of technology comes with configuration settings which controls much of the security, which controls who has access to what system and data.
Essentially, you have people dealing with an exponential number of configuration settings, and unless they are able to quickly and proactively monitor them on a daily basis, identify changes, and review changes (critical changes), they are really not being secure.
For example, say there was a change in access control and you find out a new person has been added to the system administration group. It would be a very good idea for someone in the organization to review the access and make sure it is a valid person with valid access.
Explain Ecora’s approach to password compliance.
Many of the compliance requirements and regulations focus on password compliance management. Policies such as every employee should change passwords every 30 days, or passwords should be at least 8 characters long and have alphanumeric character sets. These are examples of the type of organizational policies to improve security compliance.
Ecora Auditor enables security professionals and IT auditors to very quickly audit compliance to that policy, find noncompliant IDs and take action.
What is the future for compliance?
Many more regulations are on the way and the regulations themselves are going to get more stringent. The primary driver is consumer safety and consumer information protection and data protection. As long as it remains an issue, and I believe we’ve only seen the tip of the iceberg, and as long as the public remains at risk, the number of regulations is only going to increase. We’re seeing more and more regulations within various industries, for example in the energy sector, NERC. The Japanese are adopting Sarbanes-Oxley, which they're calling JSOX.
It’s a worldwide phenomenon. We’re dealing with sensitive data that needs to be protected and unless organizations proactively take steps to become compliant and protect the sensitive data, the government is inevitably going to step in and ratchet it up.
While this isn’t exactly a security issue (unless, of course, you’re high-up in the Chinese government), I’m constantly fascinated by how certain societies struggle to keep a lid on all the information and personal narratives and basically our freedom of information (which also comes with the freedom of misinformation) in this ever-expanding information age.
According to this article I came across, China plans to tighten control over blogs and webcasts that have allowed many Chinese to avoid the government’s censorship efforts. Or, as President Hu Jintao puts it, he wants to “purify” the internet. Thus, the ruling party plans to introduce new regulations targeting blogs and webcasts.
For me, this ties in with something that Bill Gates once said, and something I think is one of the true beauties of the internet age. I can’t find the quote, and am in a bit of a hurry, so I’ll have to paraphrase: 20 years ago, I would rather have been an average person from Iowa than a genius from Calcutta. Today, because of opportunities brought on by technology, I would rather be the genius in Calcutta.
The head of China's Press and Publication Administration, Long Xinmin, said, "Advanced network technologies such as blogging and webcasting have been mounting new challenges to the government's ability to supervise the Internet."
"Whether we can cope with the Internet is a matter that affects the development of socialist culture, the security of information and the stability of the state," Hu said in January.
Perhaps he should have said what he really means, which is, “Whether we can cope with the Internet is a matter that affects the development of socialist culture, the security of information and the stability of OUR JOBS.”
Keeping up with your email is now absolutely essential no matter where you are, which means sometimes jumping on free WiFi connections in airports or coffee shops or at conventions. But how big of a risk is it?
If you use unsecured WiFi without encryption, it’s not a matter of if, it’s a matter of when. Your computer is broadcasting data that can compromise your system as well as your company’s. Hackers have sniffer tools that can pick up passwords or reveal who you are and very possibly gain access to corporate applications.
Most security experts will tell you to “Just say no” to unsecured WiFi. They will go on to say that you should only use WiFi networks to simply surf the net, doing things like checking the news or sports or weather.
But if you absolutely must use WiFi, what follows is a list of seven tips to safer WiFi taken from Dark Reading:
1. Disable unencrypted POP3 and IMAP email.
POP and IMAP send login data in clear text, which is like raising a flag with your login and password on it. Also, it is email that is most likely to get you into trouble with WiFi.
So you either have the option of encrypting it, or of using Google’s Gmail, which encrypts the connection using Transport Layer Security (TLS).
"You should not use email that uses POP with a clear text user name and password exchange," says Amit Sinha, CTO at AirDefense Inc. "Any clear text message pops right up, so if a hacker is connected to the same AP as you, he can do a quick ARP spoof and redirect all your traffic through his machine." Also, "instead of using HTTP, use HTTPS, and SSH instead of telnet, and secure FTP instead of FTP."
The fact is, wireless turns everything into one gigantic connected hub, and anyone in the hub is going to have access to everything else.
2. Add an extra firewall, or other security tools
It is rather easy to add another layer of security to your laptop with tools like ZoneAlarm, which blocks all internet activity until you’re connected to a known VPN network. Also, AirDefense Personal is a Layer 2 firewall that works alongside the laptop’s existing firewall and stops hotspot-type attacks like the evil twin attack.
Many users have no idea that their laptop continually searches for networks it has connected to previously, even when you are offline, which makes you an easy target. An extra firewall can protect you from that.
Some say adding a firewall isn’t the answer, because it doesn’t protect you from information you’re sending out willingly. Yoggie Security Systems, an Israel-based company, has a USB-based wireless secure-network-in-a-card for laptops. It serves as a VPN gateway, firewall, IDS/IPS, antivirus, anti-spyware, and anti-spam system and costs $220.
Still, many say the only change you can really make to make WiFi safe is your behavior.
3. Encrypt all communications – including using a VPN connection.
Basically, you need to end the idea of plain-text traffic. Encryption is no longer considered optional but essential to survival in a wireless space. These can be either SSL or IPSec-based VPN connections.
A VPN connection narrows the window for WiFi attacks, which means it doesn’t completely secure you. Also, VPN isn’t easy to run, although Google offers a free VPN service option.
Says AirDefense’s Sinha, "What you're doing is setting up a secure tunnel after you connect with the wireless network. So you might still be susceptible to man-in-the-middle or session hijacking attacks. But you've still raised the barrier higher so that the hackers will go to the lower-hanging fruit."
4. Use a broadband wireless card instead of WiFi
Both Verizon and Cingular now offer broadband wireless service cards to plug into your laptop, which is what most security experts use. These services aren’t cheap, though, and oftentimes are slower. But they do reduce the risk of getting hacked, for now. Many believe they will pose a greater target in the future as more users switch to them.
5. Close your chatty applications
You should shut down all the applications you don’t need when using WiFi. But that, even for security experts, is hard to do.
The trouble is, many desktop agents, such as an email client or Oracle, immediately start reaching out to the server once connected. And if you have database credentials cached on your laptop, Oracle will try to connect to the database server back home, which means that data gets broadcast.
Microsoft Outlook is especially difficult to silence. "If you're on a Web page that's actually an email link, Outlook starts trying to send POP and your password across the wire," says Errata’s CEO Robert Graham. "You really can't turn it off." The only app he trusts on WiFi is Google’s Gmail.
6. Don’t use the same or similar passwords for critical and noncritical applications
While this may sound easy, this is an oft-made mistake.
"We're out there watching people on WiFi with MySpace and ESPN.com accounts, and all the other little credentials saved in their browser," Graham says. "When they do an auto-login, we see them using the same account and password, and it's showing that in clear text."
Then, a hacker will try the same login or password on a more sensitive site, and voila!
7. Disable your wireless when not in use
Even if not in range, your laptop is constantly reaching out for a connection and the danger is an attacker could trick your machine into accepting his connection to a malicious access point.
While most WiFi threats are short-lived, and an attacker must be physically nearby to engage, there is also the danger of getting malware planted on the machine, so use WiFi carefully.
Apple patched at least 46 weaknesses and vulnerabilities in Mac OS X as well as popular Apple applications in a release on Tuesday.
The updates fixed numerous problems with the open-source components of Apple's operating system and fixed seven flaws with the MySQL database used by Macs. The patch also addressed flaws reported by the Month of Kernel Bugs (MoKB) and Month of Apple Bugs (MoAB) websites. This included 6 problems with Apple's disk image format, as well as problems with Flash Player and iPhoto.
That means one-third of the flaws corrected problems found by MoKB and MoAB, and these patches come just two weeks after a security researcher took Apple to task for its handling of security flaws. As I blogged then, Apple fixed a number of serious issues in QuickTime last week.
If you have not already set your Apple preferences to automatic update, the patches can be found here.
March 13, 2007
SEC Charges Three in Pump-and-Dump Scam
The feds have charged three Indian nationals with hacking online brokerage accounts and using them to manipulate the stock of Google, Sun Microsystems and 12 other companies.
The three men, Jaisankar Marimuthu, Chockalingam Ramanathan and Thirugnanam Ramanathan, were indicted. This makes the first time an arrest was made in an online brokerage account intrusion case.
Apparently the men bought 14 different stocks and then used the hacked brokerage accounts, and the victims’ funds in those accounts, to pump up the share prices before dumping them. This allegedly occurred between July and November of 2006 and netted $121,500. The brokerages suffered damages of more than $875,000 for the compromised accounts.
According to the indictments unsealed Monday in a Nebraska federal court, Marimuthu and Chockalingam Ramanathan were both charged with one count of conspiracy, eight counts of computer fraud, six counts of wire fraud, two counts of securities fraud, and six counts of aggravated identity theft. The third person in the case, Thirugnanam Ramanathan, was charged with one count of conspiracy, two counts of computer fraud and two counts of aggravated identity theft. Only Chockalingam Ramanathan remains at large.
The Securities and Exchange Commission filed a civil complaint in the case, seeking a preliminary and permanent injunction, disgorgement of illegal proceeds and monetary damages. The SEC has filed four account intrusion cases since December, involving defendants in Estonia, Latvia and now Hong Kong and Malaysia.
As I blogged about here, a DDOS (distributed denial of service) attack on the backbone of the internet in February ultimately had little effect. This is thanks to new protection technology, the Internet Corporation for Assigned Names and Numbers (ICANN) said in a recently published document.
DNS serves as the address book of the internet, mapping all the text-based domain names to the numeric IP addresses of the servers connected to the internet, and vice versa. A DDOS attack attempts to take down targeted servers by overwhelming them with an onslaught of traffic from multiple sources, usually compromised PCs and botnets.
"The Internet sustained a significant distributed denial-of-service attack, originating from the Asia-Pacific region, but stood up to it," said the ICANN document.
The attack lasted almost 8 hours and targeted 6 of the 13 root DNS servers. The good news is that only 2 of the 6 were noticeably affected, and both machines affected did not have the new shield, known as Anycast, installed, as the technology was still being tested.
With Anycast now proven, it is likely to encompass the remaining D, E, G, H, and L roots, the ICANN document stated (the letters referring to 5 of the 13 root DNS servers that did not have Anycast installed).
The root DNS servers are at the top of the DNS hierarchy and only get accessed if other DNS servers, like those at an Internet service provider, have a faulty or incorrect address for a certain website. The 13 servers are spread out across the globe and are physically located in 100 different locations.
Anycast was developed after a similar DDOS attack in 2002, which managed to bog down 9 of the 13 root servers. While the internet continued to run, the 2002 attack served as a wake-up call. If the DNS system does go down, email would be undeliverable and web sites would be unreachable.
The one scary prospect about this past February’s attack: some experts were wondering if it was just a test run. But with Anycast now tested and installed, it seems the internet is safe, for now.
In the following discussion with Brendan Hannigan, the Chief Operating Officer of Q1 Labs, Hannigan details how Q1 Labs utilizes the resources of University of New Brunswick students to gather security information and engage in attack simulations that help companies find out where they are at risk and exactly what to do if an attack occurs.
Q1 Labs' Partnership with New Brunswick University
Q1 Labs was founded out of the University of New Brunswick and has a lot of folks in the company who have been hired from the University as they graduate, and then we continue to work with the academic department. In particular, the computer science department and very specifically Ali Ghorbani (Professor & Assistant Dean, Faculty of Computer Science, UNB).
As we’ve been working with each other relative to recruiting etcetera, we both realized that while Q1 Labs is very innovative at developing security management products, there were some key areas in the security domain where some fundamental research would really help. We approached the Canadian Government with a proposal and based on that we all agreed that we could form this center of excellence around the whole area of security, research in the area of security, and then taking that research and applying it to commercial products, in particular of course to Q1 Labs’ family of products, which are security management products.
Current Student Focus
Anomaly Detection – Research in the area of behavior analysis and anomaly detection in networks. Understanding when unusual activity happens – how can we use algorithms to detect and automatically see that unusual activity.
Gathering Information to Enable Modeling and Simulation – Gathering information on security posture from a lot of different sources and then using that to do modeling and simulation of what might happen if an attack occurred of a particular type in a particular place; what might happen in the infrastructure so we can help companies get ahead of the security problem rather than constantly being reactive. And of course, to do that, there’s a lot of fundamental research on data collection techniques and algorithms to understand the whole problem and how to predict these types of attacks.
3 Key Emerging Threats
The nature of security is that it is always changing – there is always a threat here and a threat there, but there are three very important greater trends.
1. Companies have deployed many specific products to solve a specific problem. In some ways they have exacerbated the problem by basically creating these very complex environments where there are many different products, there are many different sources of information, and they are becoming overwhelmed. That in and of itself has become a source of risk because it is so complex; threats are getting missed in the noise of all this information.
2. Very specific targeted attacks and threats. In the past somebody released a worm and it went crazy all over, and it went crazy in companies and caused downtime and it was vandalism. Now companies are releasing very targeted, specific pieces of software trying to collect specific pieces of information. We have helped our customers detect problems like botnets sending information to countries that they really shouldn’t be sending information to. And we’ve detected other very insidious types of attacks which are targeted at getting information and quite frankly at making money.
3. Insider type activity, which is what’s happening inside a corporation as opposed to attacks coming from outside. That’s not necessarily watching what employees are doing, it is really watching what the computers are doing. These computers are very powerful and they can become infected, so what are they doing inside the company that may be of great concern.
Reasons for an Attack Simulation
What you really want to do is capture the security posture of an organization now. So gather information about what type of activity is going on in the network, what type of protections are in place, where these protections are and how are particular assets protected, and how vulnerable are they to different types of threats.
The big concern is that when an attack occurs or something happens, and a particular asset gets compromised, there is obviously a question about type of information and type of ability that asset has. The even bigger question is that, now that that asset is compromised, how further inside the organization can that asset now be used to attack other parts in the organization.
One of the key areas of this research is to look at how can you gather all this information, understand the exposure if a particular asset is compromised. Understand what else it can do, because now I understand what’s going on in the environment and how it’s configured. These assets are highly sensitive because if they do become compromised they open up the entire business.
One of the key cornerstones of the research is determining what if something happens to this asset, and what is the impact.
Q1 Labs’ Security Solution
Q1 Labs aggregates information up from the entire infrastructure, and Q1 Labs is unique in this regard. Bringing information in from the network to gather user activity on the network. Who is communicating to whom for what. Q1 Labs also aggregates up security information, as in: what events are being alarmed from the different security devices, and then Q1 Labs applies algorithms on top of the information so they can distill down the important items that must be acted upon.
What that boils down to is, for one financial institution, that means in one 24 hour period Q1 Labs gathered 770 million events related to user activity, 16 million events related to security activity and security notifications, alarms, and status, and we boiled that down to 5 high priority things that enterprise customers need to look at and take action on.
Summary
Q1 Labs provides a security command-and-control console, a network security management solution that helps companies detect threats they would otherwise miss, a solution that really reduces the amount of information that companies need to look at, one that helps companies comply with industry policies and regulations, and lastly, Q1 just helps enterprises save money through more efficient operations.
On Monday Apple issued security patches to plug various security holes in its QuickTime media player software (which is now QuickTime 7.1.5), fixing at least eight separate and serious vulnerabilities.
The updates are for Mac OS X, Windows 2000, Windows XP and Windows Vista versions. Mac users can get the latest version either from Apple or, if you already have the automatic update feature, it is already taken care of. Windows users with recent versions of QuickTime installed will already have Apple's Software Update program and should already be aware of the update. Otherwise, Windows users can download it here.