February 10, 2008
Peter Schooff
Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.


April 30, 2007
Security: Good News and Bad News

Symantec, in its recent Internet Security Threat Report, found that denial of service (DoS) attacks against service providers have declined by 15 percent.

"The thing is that DoS attacks are loud and risky," Yazan Gable, security response engineer for Symantec, stated in the blog post. "Whenever a bot-network owner carries out a denial of service attack they run the risk of losing some of their bots."

This has led Symantec to conclude that DoS attacks do not pay. But that doesn't mean cybercriminals are letting their botnets rust away from disuse: over the same period in which DoS attacks declined, spam increased. Botnet operators are focusing increasingly on bulk spam, namely penny-stock pump-and-dump scams, and on stealing financial data.

A number of underground e-commerce sites have been found where criminals buy and sell stolen financial data, with prices ranging from $30 for log-on credentials to $250 for account information at a major financial institution. Credit card numbers with the verification PIN included run from $1 to $6, while social security numbers and bank account information cost $14 to $18.

Just another week in As The Security World Turns.

Tags: DoS Attacks, Denial of Service, Spam Trends

Posted by pschooff

April 26, 2007
Storm Worm is Double Trouble

Almost every industry now seems to be doing mash-ups of different technologies, and you can now add spammers and cybercriminals to that group. A recent report by MessageLabs stated that recent email messages touting stocks have also come to include links to malicious code. The reasoning is that even if the stock mention fails to entice the recipient, maybe they'll still click on the link, thereby infecting their computer with malware.

In the past 10 days, MessageLabs has uncovered only 3,500 such messages, which has them wondering if the spammers are just at the testing stage of this new scam. Said Mark Sunner, chief technology officer for the company, "These activities are now much more under the radar because they are sending the messages out in discrete chunks. If you spam out (the malicious link), you have a lot of control over the resultant bot net -- you can control the size, (and) what time zone it is being sent to."

What is also interesting about the Storm Worm, also known as Zhelatin and Peacomm, is that it does not spread on its own, but only when someone clicks on the link. This is another change in strategy: by sending out worms and viruses in the form of spam, criminals can grow their bot nets at a more controllable pace (while, most importantly, remaining undetected). It is also an attempt to stymie the antivirus vendors by denying them samples of the latest variants of the worm, which they need in order to detect it elsewhere.

Tags: Malware, Spam, Storm Worm, Botnet

Posted by pschooff in Hackers

April 23, 2007
Podcast: Systems Under Siege - Steps a CSO Should Take Today: A Talk With Mike Rothman

Listen to or download the entire 10:03 podcast below:

What follows is a summary of my discussion with Mike Rothman, top analyst and founder of the website Security Incite, where we discuss the recent escalation of security attacks, what a CSO needs to focus on to counter these attacks, as well as why open source security is a myth, what went so very wrong with the recent TJX breach, and, finally, why every CSO needs to read his book “The Pragmatic CSO: 12 Steps to Being a Security Master.”

Recently on your website, you said it is always darkest before the dawn, and that it is probably going to get a bit darker in the near term. Can you elaborate?

You bet. Even this week (note: this podcast was recorded April 5) we had a huge issue with animated cursors and that kind of came out of nowhere. That is really what I would call a zero day attack. I guess some folks knew there was an exploit or vulnerability out there but the general public had no idea until they could be attacked by it and then all hell broke loose.

So when I say “It’s always dark before the dawn” it seems that a lot of the folks I spoke to in the last week, they're a little discouraged because we keep having these issues and as much time and money as we spend the bad guys always seem to find some other hole to come in and wreak havoc. So from my standpoint I think we’re going to continue to see more of those because fundamentally a lot of the older operating systems, and by that I mean Windows 2000 and Windows XP, are inherently problematic. Vista helps a lot of those things, but what we’re talking about is a 2 or 3 year time frame until folks decide to upgrade to Vista or go to an alternative operating system that may have more security aspects to it. But I think that it’s really important to focus on the things they can control and be able to react quickly so when we see an issue like we saw this week we’re able to react very quickly to it.

What do you think a CSO needs to focus on today to keep their systems secure in this increasingly dangerous online world?

There’s probably about a million things that folks can really focus on, but if I said I had to focus on one thing, well, I don't know if I could focus on one thing, but what CSOs need to worry about today is really understanding what is their most critical system. Because a lot of people do the generic stuff, they put a firewall in place, they put an IDS or IPS in place, they run AV all over the place, they do some antispam because that’s annoying, but they don’t really have the context of what their business is about.

If there is one thing I philosophically believe is you can't get to everything. The list is too long. If you run a scanner against your networks or applications you’ll find that you could literally work for the next 500 days straight and still not get everything done so the reality is you have to focus, you have to prioritize, and by prioritizing I mean you have to understand what's important.

Once you understand what's important then you can put a plan in place to protect it, whether it’s data or a system or an application or a network. Once you understand what’s important to your business then you can design a defensive strategy to protect it.

What is the main thing preventing a CSO from accomplishing this?

I think a good portion of it is politics. Most security folks come out of the technical ranks. That’s been the career path. One day they’re bestowed a chief security title or director of security and they haven’t really been trained to play the game.

What do I mean by the game? I mean the funding game. Which is, I’ve got to be able to make a case for why the stuff I want to do is important. I’ve got to be able to make a case to the folks who count the money about how either I’m going to save money or make money by the things that I’m doing. From that perspective, it really has been a challenge for a lot of security orientated folks to get the funding they need to adequately protect their data and their systems just because they really don’t know the language of business that they need to talk in in order to get that type of funding.

I also read that you’re working on a piece about security and open source? Why do you think open source security is a myth?

I think open source is fantastic. The software that runs my website is open source. But I don’t necessarily know from a security standpoint that open source is anything more than a distribution channel or a way to take a product to market. I think we’re blurring the lines between free software and open source software. Open source, even something like Metasploit, which is a penetration testing tool, that’s free. It used to be open source, but now it’s basically free software because they’ve tightened the license to make sure people don’t use it for commercial means.

So from that standpoint, what has happened in security that hasn’t really happened in a lot of other markets like content management or some of the other places where open source really excels is there hasn’t been an ecosystem that has been built up around a specific tool; there’s basically been a company. So if you look at Snort, the company is Sourcefire, if you look at Nessus, the company is Tenable. Those are great tools, and yes they’re free, from that standpoint, but I certainly wouldn’t call them open source.

Would you discuss the recent breach with TJX, and how incident response and crisis communications would have made a difference?

I always point back to the issue that Johnson & Johnson had with Tylenol. That was years ago and I was just a kid and there was bedlam and everybody was terrified and they were tossing their Tylenol out of their windows because they were scared. The CEO got on TV and accepted responsibility and said this is what my plan is going to be to both restore your trust in my company as well as the product and this is what we’re doing to make sure it never happens again. That started the whole thing with sealing the drugs and making sure you’ve got tamper-proof packaging. It really was a watershed moment in crisis communications.

You look at how TJX handled their data breach which was, well, we didn’t tell you for a couple of months. Sorry. You could tell they didn’t even mean it and we’re not going to give you any credit monitoring all 45 million customers that have been transgressed because, you know, at the end of the day I don’t legally have to and my margins are like 2% so there is no way I can stay in business and do that. It just felt that every step of the process they were stonewalling the public, they were treating their customers shabbily. I think that comes back and bites you.

A brand is a very hard thing to build and is a very significant thing to waste. You do one stupid thing and years of good karma go by the wayside. I think by handling the situation a lot more effectively, TJX could have made this much less of an issue. But they stonewalled, they didn’t admit a problem, they tried to blame other people, and they wouldn’t do the right thing for customers. So at the end of the day, I believe customers won’t do the right thing by them.

What do you think a CSO needs to focus on in the future for security?

Their applications. It’s a simple discussion. It gets back to what I said before: you have to figure out what’s important. I think, in terms of business systems, which are kind of automated business processes, kind of the technology that automates that process is some kind of application. Applications are clearly the path of least resistance for the bad guys now. So whether it’s attacks like cross-site scripting or cross-site request forgery or a lot of other newfangled application attacks, that is the path of least resistance and that is where a lot of security folks need to start focusing their efforts.

You do that a couple of ways: you want a gateway to protect that specific application traffic. You also want to start working with your developers to educate them as to what they should be coding in a secure fashion - what that means and how they can eliminate a lot of these problems before software is even published.

Finally, tell me about your book, the Pragmatic CSO, and why should a CSO buy it?

The Pragmatic CSO was born out of a lot of frustration that I heard. Not only from myself, but from a lot of my clients and a lot of my contacts in the industry. A lot of it gets back to what I said before, relative to not being able to justify or put a value on what security does. What security people have done is they’ve gotten addicted to throwing a new product at the problem. They’ve gotten addicted to generating a report and hoping the auditors go away. They’ve just gotten addicted to trying to take the easy path is the best way I can put it. Not that it’s easy in any stretch of the imagination, but it’s also not gotten them anywhere. We are largely in the same place we were a couple of years ago and, from my standpoint, that’s not a good thing.

What I really built with the 12 step program that I laid out in the Pragmatic CSO is a way to prove relevance to business users. It’s a way to show the context of what security can do for an organization’s business and, again, make sure that you are constantly communicating, managing expectations, hitting milestones, basically treating your security operation as a business. Not a lot of people are talking this language. Thus far, since I released the book in early January, it has been very well received.

Tags: Animated Cursor Attack, Zero Day Attack, Windows 2000, Windows XP, CSO, Spam, Antivirus, Open Source, Data Breach, TJX, Application Attacks

Posted by pschooff in Better Protection

April 20, 2007
Basic Rules to Defend Against Google Hacks

Some months ago I wrote a blog post about the critical steps a company can take to protect against some of the easiest Google hacks, which usually entail a hacker searching for private and privileged information that has leaked out into the public sphere, within easy reach of Google.

First, it’s important to point out that Google is not to blame, as it only provides access to what is already available. The following is taken from SecuritySearch.com and is based upon a presentation given by Tom Bowers, managing director of Security Constructs LLS, based in Allentown, PA.

Hackers often unearth sensitive information using Google Earth, Google Patent Search, and Google Blog Search. Google can easily assist in locating financial filings or security analyst reports that serve up critical information. Google Earth can reveal competitors’ plants, while Google Patent Search can easily pick up patents that contain too much information.

Daniel Pinto, from the company RAC Partners LLC, out of New Jersey, says the key is to make everyone aware that certain types of information are not to be publicized, whether at an industry conference or on the internet. Essentially, companies need clear policies on what information can be released, both by their employees and by their partners.

If someone unearths your company’s sensitive information, most people don’t even consider it hacking: once it’s on Google, it’s considered publicly available data. That’s why a good security team must maintain a foolproof firewall. Also, all email coming and going should be both encrypted and filtered.

Finally, to make sure people are kept aware of the need to protect critical corporate information, anyone who lets information slip should lose their access rights.

Tags: Google, Google Earth, Google Hacks, Data Protection

Posted by pschooff

April 17, 2007
Symantec Introduces Security as a Service

In a welcome shift, Symantec today announced the beta launch of the Symantec Protection Network, which is intended to provide affordable security to small and medium-sized businesses.

Symantec’s first offering will be an Online Backup Service, which will provide a cost-effective and reliable backup service for business-critical data, all from the convenience of a web browser. This service addresses one of the most pressing problems smaller companies face today – disaster recovery.

As companies of all sizes have grown increasingly dependent on information technology, and as the online world has grown ever more dangerous, the number of security products seems to grow right along with the number of threats. While many big companies can afford their own chief security officer, it’s the small companies, and their already overwhelmed system administrators, who are left desperately trying to catch up.

Symantec is one of the most trusted names in security, and giving small to medium sized companies the ability to simply hand over their security tasks and get on with their day-to-day business seems to me most welcome. While the press release did not say which other security services would be introduced next, one would believe that it would follow right in line with the rest of Symantec’s industry leading security solutions.

Tags: Symantec, Computer Security, Data Protection, Online Backup

Posted by pschooff

April 16, 2007
Without a Trace - The New Cybercriminal

According to an article at eweek.com, the new breed of cyberthieves knows almost as much about how to track and trace a data breach or security slip as the experts do, and they are using this knowledge to break into computers without leaving a trace: not just covering their tracks, but totally erasing them.

Companies have long believed that as long as they keep up with patches, check logs and change passwords, they would be pretty much safe. That may no longer be true. Bryan Sartin, a vice president of investigative response for Cybertrust, said the new breed of cyber thief will delete their tracks and often purposely soil the crime scene, perhaps by using their own encryption to make transaction logs unreadable.

One thief that Sartin tracked purposely set the system clock back several months once he broke in (the clock would reset itself once he left), knowing no one would look at logs a couple of months old, logs they had probably already gone over, to search for a break-in.

Also, banks have gotten so good at reacting to data breaches that the bad guys know they need to steal much more data. They realize that, because so few of the accounts will still be active by the time they try to use them, the more credit card or bank accounts they have, the better the chance of finding a still-active account the bank overlooked.

Finally, as cybercriminals have gotten so good at erasing their tracks, they no longer need to make their entrances quiet, and in general attempt to steal as much data in as quick a time as possible.

Tags: cybercriminal, data breach

Posted by pschooff in Hackers

April 05, 2007
Podcast: Spam on the Front Lines - Talking With Message Partners About Service Providers and Spam

Listen to or download the entire 6:26 podcast below:

What follows is a summary of my discussion with Michael Katz, President and Founder of Message Partners, about the problems with spam, why it hits service providers the hardest, and what they need to do to protect themselves against current and future threats to email. Please note: for full disclosure, I also work for Message Partners.

While I’m sure everyone is very aware of the problems of spam, can you tell me why service providers need to be even more concerned?

Service providers provide email services for many more customers than the typical enterprise customer has to service. Since 90 percent of email is spam, that means that service providers are carrying 90 percent more email traffic than they need to carry.

Service providers waste lots of bandwidth by transporting email that’s junk. Bottom line, the more service providers can reduce spam, the more efficient their business runs, the more efficient their cost structure is, and the happier their customers are.

How are service providers' needs different than a typical company that uses email?

Service providers have to work with many different customers. One thing that we find in the anti-spam industry is that from company to company people have different ideas of what spam is. They have different ideas of how they want to handle spam, there are different regulations, some companies cannot ever discard an email, some companies never want to see a spam email and just want them totally discarded. So service providers have to respond to an array of customer requests and need to have a type of technology that can be adaptive based on what their customers demand.

Furthermore, most service providers have a much higher volume of email than your typical corporate customers, especially if you consider that a lot of spam is dictionary attacks. So even a company with an ISP email account that has only 5 users may, in a dictionary attack, get email for 5,000 or 50,000 or 500,000 users in their domain that do not exist. So service providers need very scalable solutions, solutions that are very flexible to deal with multiple requirements, and also service providers tend to operate on very small profit margins and need very cost-efficient solutions.

Do you think it’s feasible for service providers to use a completely open source solution?

Open source makes great component technologies. There’s good email servers, there’s good virus scanners, there’s good spam scanners, there’s good other components of email systems such as mail user agents or authentication systems, but when it comes down to raw filtering open source doesn’t have very good scalable solutions, and furthermore, combining all those technology components into a scalable multi-domain solution is pretty difficult with open source.

Lastly, even though you may save money on open source because there are no licensing costs, if you look at the complete cost of ownership of an open source solution you generally need very highly skilled admins to run your open source solution and you’re going to require lots more programming skills than you will need on a commercial solution. If you take all the resources and you hire a very skilled admin to run your open source solution, and then you put all the time into that, in the end they’re not really making you money, they are just running something that saves you money, supposedly. It’s much better to hire a skilled person and put them on something that makes money like content development or network systems management rather than spam filtering, which is generally not a huge profit center for ISPs.

I would also imagine if all that system information lies with one person, a person who has done all the fixes and patches to keep everything up-to-date and running, if that person leaves the company, what does that company do?

Putting all your eggs in one employee’s basket is very risky, and putting all of your business into an open source project where support may only be a mailing list and one smart guy who is generous enough to help you doesn’t make a lot of sound business sense.

Why is the email platform so important for service providers?

As much as people complain about email and as much as spam has tried to take over email, pretty simply, it was the first and will probably remain to be the killer application for the internet. People can live without web browsing...sometimes, but people can’t live without email.

So tell me why MPP is ideal for service providers?

Because, for one, our policy engine allows service providers to serve their different customer types, so they can have completely separate configurations on a per-domain or per-group basis. Secondly, MPP allows you to combine open source technology components but augment open source architecture with commercial technology components that perform much better. For example, our Cloudmark anti-spam plug-in performs about 20 or 30 times better than our SpamAssassin plug-in, which makes a huge difference for service providers.

Lastly, the ability to customize all aspects of the MPP email security architecture gives service providers the competitive advantage to present services how they need to and compete in a very individualistic fashion.

What do you see as the future of email threats, and do you think spam is ever going to go away?

As long as you can make money with spam, then there will be people that will exploit that. Spam won’t ever go away.

Bill Gates predicted the end of spam by 2006 or 2007, but certainly spam has only increased. I think you’re going to see email threats that are going to be more focused on theft of information and that’s going to carry more dangerous payloads besides just text. And I think you’re going to see phishing schemes, schemes where identity is extracted, become far more sophisticated and far more difficult to defend against and detect against legitimate requests for information.

Tags: Spam, Stop Spam, Service Providers, ISP, Reduce Spam, Email, Dictionary Attack, Open Source, Applications, System Administrator

Posted by pschooff

April 04, 2007
JavaScript Becoming a Favorite Hacking Tool

An article in Dark Reading details how JavaScript has become one of the favorite tools of cybercriminals for both attacking a computer and disguising the attack. While this form of attack is often hard to distinguish to the naked eye, every JavaScript-encoded payload also has to carry the tools to decode the disguised malware.

"They use JavaScript to obscure what's going on. It looks almost encrypted, so researchers look at it and say they can't make heads or tails of it," Jose Nazario, senior software and security engineer for Arbor Networks, says. But adds: "The decoder ships along with it so the browser can decode [the JavaScript] and run. So we simply run the decoder."

Once the malware is decoded, it often reveals characteristics of the attacker, and researchers can pinpoint its different distribution points and have them closed down. The malware also reveals what information the attacker was after and what they planned to do with it. Explains Nazario, "We can find out if there's spyware, where is the information going? If they are taking information stolen from a computer and emailing to an account at Gmail, we contact the security [people] there and tell them here are the mailboxes used to receive information from spyware-infected boxes."

This is part of the trend of cybercriminals focusing on clients and web browsers. Being able to essentially reverse-engineer the malware allows researchers to profile the criminals. And while most malware is just copied by the attacker with little change, that’s not always the case: "We see a very small number of people who write their own private exploit code. You know then that you've got an adversary who studies the technology, is highly motivated, and making a bunch of money off of this."

While the ability to reverse-engineer malware is a good way to fight back, if it becomes too prevalent, expect the cybercriminals to adapt to it. As you may have already predicted, Nazario says they have already seen a few anti-reverse-engineering techniques.

To read more go to: Dark Reading

Tags: JavaScript, Malware, Cybercriminals

Posted by pschooff

April 02, 2007
Microsoft Speeds Out Security Fix

Microsoft announced it plans to release a patch for a dangerous security vulnerability in its Windows operating system that cybercriminals are actively exploiting. This fix comes a week earlier than Microsoft's typical patch Tuesday.

The company's break from standard operating procedure was clearly prompted by an unofficial patch released by third-party software vendors, including eEye Digital Security, Determina, and the Zero-Day Emergency Response Team (ZERT), a coalition of security experts whose goal is to provide timely fixes for unpatched software flaws that pose an active and serious risk to computer users.

The vulnerability stems from a flaw in the handling of Windows animated cursor files, which hackers have been exploiting for the past week. All it takes is for a user to open a specially crafted email or visit a specially built website for an attacker to gain complete control over a Windows system.

The SANS Internet Storm Center raised the Internet Threat Level to yellow after observing several big blasts of spam and a growing number of websites designed to take advantage of the vulnerability. This is one of only a half-dozen times that SANS has increased the threat level due to a single threat.

What is most discomfiting about this vulnerability is that Microsoft has apparently known about the flaw for some time. One company stated that it notified Microsoft about the flaw last December. Microsoft's sudden rush to release this patch ahead of the standard monthly fixes is a good step, but only a first step in what needs to be a more proactive approach to threats to its ubiquitous operating system.

Tags: Microsoft, Patch Tuesday, Animated Cursor

Posted by pschooff in Microsoft
