February 10, 2008
Peter Schooff
Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.


August 30, 2007
Podcast with Cyberoam: The Monster.com Attack Marks a Frightening New Approach to Stealing Data

Podcast running time: 8:43 min.

What follows is a transcript of my discussion with Joshua Block, Vice President of North American Operations for Cyberoam, where we discuss the attack on Monster.com -- what happened, how it happened, and how best to prevent it.

Tell me a little bit about Cyberoam and what you guys do?

Cyberoam is a manufacturer of an identity-based unified threat management appliance. It's the next generation of UTM appliances in the market: it offers a comprehensive range of security applications like the traditional UTM but adds identity-based management to all of the feature sets, such that we're able to assist corporations in identifying threats that traditional technology cannot find.

That leads right to the next question. Tell me a little bit about this attack that was generated from Monster.com.

So, the attack on Monster.com is really something of a landmark in the market today. This is the use of multiple types of attacks, not only to compromise data from an organization but then also to use that data in a phishing operation to garner additional information, and potentially money, from the individuals in the compromised data.

Do you have an idea or does anyone have any idea where this attack originated from or who started it?

From everything that I've read so far, I haven't seen any results as to who started the attack but it certainly lends itself to kind of normal suspects: that being either a disgruntled employee that had left the organization with knowledge of how to get a Trojan on the website. It's potentially an outside individual working with an individual on the inside to post that information on the website or it's just a hacker that's out there who compromised the website as we have come to realize it's not the most challenging task in today's world to compromise any company's website.

To me this seems like a fairly sophisticated multi-staged attack. Is this what we're going to see pretty much in the future now?

Yeah, I do think we are going to see these types of attacks, and these are extremely sophisticated attacks. What makes these types of attacks so dangerous is that not only was the information on Monster's website compromised, whereby the user now has extremely personal data about a number of individuals (obviously a very large number of individuals' personal data was taken), but consider the source of where the data came from. You can imagine, if you had gone to Monster.com and posted your personal resume, not only do you have information about yourself (name, address, phone number), you also have the university that you attended, you have all the former employers that you worked for. So what makes this very dangerous to someone who is then going to turn around and use the information for phishing is that it's not just your typical phishing attack that today's type of heuristic technology can capture and alert the user to, because now this organization, this individual, has very, very personal data.

I can now execute a spear-phishing campaign. An example of that would be: think of how very credible an email would be that's personalized to all of those individuals, that's being sent by their alma mater requesting a $100 donation from them, and that utilizes a lot of that very personal information: dates attended, graduation, names. All of that can make this a very plausible email, such that even the most educated user could be fooled into clicking on that link and making a donation.

Exactly what should a company do to protect against this? What should have Monster done and what should a typical enterprise do?

Sure, so I can't necessarily say that there's anything that Monster could have done because I don't think enough companies are, you know, or were thinking about this kind of attack actually happening but now it's happened. So, I think the first step that companies need to take to prevent these types of attacks is to know, know that it's happened, acknowledge that these types of attacks will happen and education is the first step. They need to incorporate into their corporate culture the education to their employees that these types of attacks are now going to happen, to make people aware of them and question the type of email, very, very carefully before responding to any type of very targeted emails that are asking for personal information, whether coming from the corporation or coming from an outside party.

I think that that is absolutely a first step and, you know, in the comment that I just made, it alludes to where these attacks may even be going. You know, today, this is an attack on a public website that's very global in scope, the users that were compromised were from all over the world for that matter, people that came to Monster to register there for a job. Now, take an example to a very private organization where someone, and let's say it is now a disgruntled employee who works for a major corporation leaves and does the same thing. They put something on the website that requests information, for instance, they put something on the website that captures information and then utilizing the database of employees, they now send an email out, maybe on behalf of the Human Resource department that asks people to provide their Social Security number to confirm their benefits. Or some other type of activity and maybe it's not money at that point but it's something that leads ultimately, usually in the end to money.

I've got your Social Security number, now I know where you live, I know your name and address. I can now take that information and potentially do a credit check, I can now look at all of your credit card information, now I know what credit cards you own, now I can do even further spear-phishing exercises to get even more information, which typically ends with soliciting that particular user for money. I mean, at the end of the day, that's really where all this leads to. It really is disconcerting at this point to see that these types of attacks are now happening, and what can companies do about it, as you asked, Peter.

The technology that we have here at Cyberoam is being used in conjunction with technology that is available, as I mentioned, to heuristically look at emails and identify potential phishing. So, although our solution today cannot provide a solution for companies to prevent these types of attacks, we have been, for quite some time now, taking the heuristic technology that detects a phishing attack and using our expertise in identifying who the individuals are on our network, and marrying those technologies together to provide ways to better discern when these types of attacks are taking place.

So, to further explain: one of the ways in which a good hacker will make the attack go unknown is certainly to change the email from email to email. The tools are available to change the subject and to also change the content, so that for every message that goes out, it changes. But some of the things that we can do with identity married with heuristics is look for a trend. Maybe they're using an IP address in the body of the message, which is a red flag to most of the heuristic detections that look for phishing attacks, because they haven't used the fully qualified domain name in the email. And also, understanding within the corporation, "Am I seeing an email like this being sent to multiple users within my domain?"

And, again, that's something that's not being done today that we believe can be accomplished with the culmination of technologies that exist, and we feel that our platform, because it is a platform that is based on identity, has the ability to roll out these types of new preventative measures to combat these types of attacks down the road.
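The two red flags described in the interview (a link whose host is a bare IP address rather than a fully qualified domain name, and one sender steering several users in the same domain to the same link while varying the subject and wording from message to message) can be checked with a few lines of code. The block below is an added example written for this transcript; it is not Cyberoam's product code and makes no claim about how their appliance works. The messages, the sender and recipient addresses, and the 203.0.113.7 link are constructed sample data, and the threshold of three recipients is an arbitrary assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample mail (not real traffic): three messages from one "alumni" sender
# to three users in the same domain, each with a different subject and wording but the
# same bare-IP link, plus one benign newsletter whose link uses a normal hostname.
SAMPLE_MESSAGES = [
    {"from": "alumni@example-university.test", "to": "alice@corp.test",
     "subject": "Class of 1998 reunion gift",
     "body": "Dear Alice, support your alma mater: http://203.0.113.7/donate?u=alice"},
    {"from": "alumni@example-university.test", "to": "bob@corp.test",
     "subject": "A note from the Engineering department",
     "body": "Bob, a $100 gift goes a long way: http://203.0.113.7/donate?u=bob"},
    {"from": "alumni@example-university.test", "to": "carol@corp.test",
     "subject": "Your 2001 cohort needs you",
     "body": "Carol, please give here: http://203.0.113.7/donate?u=carol"},
    {"from": "newsletter@vendor.test", "to": "alice@corp.test",
     "subject": "August product update",
     "body": "Read more at https://www.vendor.test/news/august"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def link_hosts(body):
    """Hostnames of every http(s) URL in a message body, lower-cased."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def has_raw_ip_link(body):
    """Red flag 1 from the interview: a link whose host is a bare IPv4 address
    instead of a fully qualified domain name."""
    return any(IPV4_RE.match(h) for h in link_hosts(body))


def scan(messages, min_recipients=3):
    """Red flag 2: one sender pointing several distinct users in the same recipient
    domain at the same link host, even though subject and body text differ per
    message. Per-message subject/body changes do not defeat this because the
    grouping key is (sender, link host, recipient domain). Returns alert dicts."""
    campaigns = defaultdict(set)  # (sender, link host, recipient domain) -> recipients
    alerts = []
    for m in messages:
        if has_raw_ip_link(m["body"]):
            alerts.append({"kind": "raw_ip_link", "from": m["from"], "to": m["to"]})
        domain = m["to"].rsplit("@", 1)[-1].lower()
        for host in set(link_hosts(m["body"])):
            campaigns[(m["from"], host, domain)].add(m["to"])
    for (sender, host, domain), recipients in campaigns.items():
        if len(recipients) >= min_recipients:  # threshold is an assumption
            alerts.append({"kind": "campaign", "from": sender, "host": host,
                           "domain": domain, "recipients": sorted(recipients)})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_MESSAGES):
        print(alert)
```

Run against the sample set, the three alumni messages each trip the raw-IP check individually, and together they trip the campaign check, while the newsletter trips neither. In a real gateway the campaign grouping would run over a sliding time window rather than a static list.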

Tag: Data Security, Monster.com, UTM Appliance, Phishing, Spear Phishing, Trojan Horse, Multi-Staged Attack, heuristic technology


August 29, 2007
What Worries CSOs Most

While the news and bloggers seem to focus continually on the newest threat (you could almost say that in security, if the corporate brand bleeds, it leads), according to Dark Reading, what worries CSOs most is creating and enforcing their company's security policy.

62 percent of respondents said that their security policy was most critical, and by that they meant making sure their data was properly secured. What's really getting under CSOs' skin, then, is compliance, and the majority said that compliance costs were too high.

Another significant factor weighing on CSOs is the age of their companies' security policies, with 55 percent saying that their company's policies were either outdated or needed considerable reworking to get in line with current standards. And if that weren't enough, the companies that said they were pleased with their policies admitted that they were worried those policies were essentially being ignored.

The other big concern was encryption, where 62 percent said they either do not have an encryption policy or the one they have is incomplete. The main challenge of encryption is key management, which most companies still handle manually; as the need for encryption grows in leaps and bounds, manual key handling will quickly become a bottleneck.

In terms of future focus, a majority of enterprises said they intended to increase their spending on data classification, encryption, and lastly, information leak prevention. That just goes to show that while the breaches and the worms grab the headlines, companies still value their internal information assets, and the protection of that information, the most.

Tag: encryption, CSO, security policy, compliance, key management


August 27, 2007
Monster.com Sized Data Mishap

More news keeps coming out about the Monster.com data hack, and the most questionable detail is that Monster waited five days to release the news about the attack; waiting, in fact, until after Symantec had already released the info.

According to Yahoo News, some of the info coming to light about the attack (look for a podcast later this week with more details) is that 1.3 million people had their info stolen from Monster: name, address, school, typical resume sort of stuff, and not bank account info or the like. The hackers, using two servers based in Ukraine, used credentials stolen from Monster's clients to gain access to the site.

Monster first learned of the problem on August 17, when Symantec informed them they were under attack. "In terms of figuring out what the issue was, that was a relatively quick process. The other issue is you want to make sure exactly what you are dealing with," Patrick Manzo, vice president of compliance and fraud prevention for Monster told Yahoo.

Manzo's security team spent the weekend investigating the attack, locating the servers launching it and shutting them down. The hackers' goal was to use the stolen information in a spear-phishing campaign: detailed emails pretending to be from Monster that asked for personal information or tried to get the recipients to click on a link that downloaded malware.

It wasn't until Wednesday, a day after Symantec released its report, that Monster posted a notice on its website (here's what Monster now has to say). A spokesperson also stated that Monster sent letters to those targeted by the attack.

Five whole days, huh? Obviously, Monster.com was quite concerned about its reputation, and about understanding the full extent of the attack before it started dealing with the fallout. But one can't help wondering how many fewer people would have been taken in by the scam had Monster reported the attack sooner.

While reporting the news before you have all the information on the attack raises its own red flags, I think the sooner the better. If hackers get better at covering their tracks with these types of attacks, who's to say a company won't wait a month, until it has all the info on the attack, before warning people.

One thing is for sure: response time, even considered only from the angle of the damage to a company's image, is becoming critical to attack response. Perhaps companies need to start having a Chief Informing-the-Public-About-Who's-Doing-What-With-Their-Data Officer.

Tag: Monster, data breach, compliance, malware


August 24, 2007
Is Security as a Service More Secure?

Some bloggers have recently delved into the question of whether Security as a Service, or on-demand security, is more or less secure than security run by the end user. This will become a crucial issue as the scale of attacks increases and companies have to find ever-improved ways to protect themselves from an ever-growing list of vulnerabilities.

The issue was raised at IT Week, the reason being that many SaaS security vendors do not allow access to their applications for security testing. And while there hasn't been a high-profile data spill yet from a SaaS security company, like the recent attack on Monster.com, that doesn't mean it isn't going to happen.

Very simply, if you choose not to test the security of your applications, more than a few hackers will be very glad to test it for you, in a winner-take-all (or at least winner-take-your-corporate-reputation) game.

"It's not a massive issue because we've not seen a huge incident yet, but that's not to say it won't happen in the future," Nick Wells from The Training Camp said. "The potential is there for a massive breach to occur because people are not being allowed to go about their job in preventing it."

Clarence So of Salesforce.com believes that security-as-a-service vendors are able to secure data more effectively than companies can themselves.

Essentially, it comes down to the customer. And the great thing about software as a service is that if the security isn't there, the SaaS model makes it easier to switch. But in the case of security, we are often talking about an organization's most vital information.

Somewhat relatedly, there was always this issue in New York City that, when moving, you never wanted to choose the cheapest moving company because, while the way-too-cheap price might seem great when they're loading your stuff onto the truck, things take a turn for the worse when the steroidal moving thug turns to you and says, "OK, how much you gonna pay to get your stuff off the truck."

Obviously, choosing the right SaaS company is absolutely essential.

Tag: Security as a Service, Software as a Service, Application Security, SaaS, Penetration Testing


August 22, 2007
Podcast With Tizor Systems: Protecting Your Data From the Dangers of Web 2.0

Podcast running time: 8:02 min.

What follows is a transcript of my discussion with Bill Bartow, the Vice President of Marketing for Tizor Systems, where we discuss how to protect data against breaches from the inside, behavioral fingerprinting, some of the real-world problems companies have with data protection, whether or not the PCI Standard to protect consumer data is strong enough, and finally, how to protect your data from the threats of Web 2.0.

What are the key steps that a company needs to take to protect against a data breach from the inside?

Well, the first step is for companies to classify their data so that data access policies can be created based on both the type of data being accessed and the role of the user. For example, the CFO may have access to all the financial data in a company but not the engineering data. Most important is to define data access policies for your privileged users, like database administrators. These users typically have access to sensitive data across the entire company. They need this level of access to do their jobs. Due to that level of privilege, these users must be monitored and audited. And the system that audits these privileged users cannot be the same database system that these people manage. That creates a segregation-of-duties violation that auditors will flag as a material IT control weakness.

So this mandates that companies look to database independent auditing systems that can provide an independent and tamper-proof system for auditing all critical data activity. So, after defining data classifications, defining roles and access privileges, companies must then select a database independent auditing and protection system to really give you that complete protection against data theft from insiders.

I saw on your website that Tizor uses behavior fingerprinting. Can you tell me what this is and how it can be used to protect against data theft?

Let me start with a little bit of background. Most of the data theft incidents in the market that result in a significant business impact are those where someone's masquerading as an insider, or is a malicious insider with access to sensitive data in the data center. Traditional perimeter-based security like firewalls really doesn't stop these people, since they have credentials that can get them into the company network. So the only way to really prevent data theft from insiders is to monitor users and their behavior as it relates to the usage of that data.

Behavioral fingerprinting is a patented technology from Tizor that creates a dynamic user profile of what is considered normal user behavior with data. Mantra then watches each user's interaction with the database and it compares that interaction with the user's profile. When abnormal or suspicious behavior is seen, Mantra will send a real time alert to an administrator or security product to take action such as killing the user's session or blocking that activity from taking place.

As an example, imagine a user, Fred Smith, let's call him, who normally only accesses the customer database during the day and reads just a few customer records. One day, Fred decides to access the customer database from a very strange location in the middle of the night and all of a sudden instead of just accessing a few records, he decides to download over a hundred thousand customer records with credit card numbers and social security numbers. Well, that's a suspicious behavior, that's a potential data breach. And Mantra would catch that in real time by comparing that behavior to the normal user pattern that it has collected and it would then be able to alert and stop the activity. And that entire activity would then be audited, therefore protecting against the data breach.

Can you give me an example of some real world types of problems you come across when you audit companies' data management systems?

Sure, we typically see a broad range of different data auditing problems or what I'll call "bad practices". First, many companies don't have a good, documented business policy about what data should be audited and how it should be audited. Auditors get really upset with the lack of documented processes because that means lack of IT controls to support that process.

Second, we regularly see segregation-of-duties violations. A great example of this is a DBA who has access to all the sensitive and critical data and is also the same person who is producing the reports for the auditor, reports that describe what happened with the data.

Third, often we find that companies really don't provide a sufficient level of detail in the audit trail. So they're not capturing the full event detail and therefore you can't go back and reconstruct past database events. And finally, a common problem we see is privileged users sharing passwords and sharing accounts. Clearly that creates a major risk, as users could compromise systems without any trail to detect who the user was and what they did.

I see that Tizor has joined the PCI Security Vendor Alliance. Do you think the current PCI standard is sufficient to protect consumer data?

I think the PCI requirements are a really positive step toward educating and driving companies to protect customer data. PCI, unlike some other regulations, is a very prescriptive set of requirements. It is very specifically defining what steps need to be taken to protect data. The challenge is that many companies will not be able to address all those requirements in just one phase.

So, it's going to take time for these vendors to really become PCI compliant and that's why some compensating controls were put in place in PCI which I think is another really good idea. And a good example of this is encryption. PCI recommends that selective encryption be employed. Well, encryption is a difficult technology to implement. It's complex and it's time consuming and in some cases can take a couple of years before it's fully deployed. So, what the PCI folks have said is, "let's allow a compensating control here". And that means that as long as you use an alternative to encryption that still allows you to monitor all cardholder access while you're moving towards encrypting that data, you will pass your PCI audit.

So a good compensating control for encryption is data auditing and monitoring, and that's why I think the PCI standard is going to be adopted and it's well done in terms of its specific requirements for how people should protect data. I also think that some of the new laws that are emerging around data breach disclosure are a good step, and we fully support them as well.

A lot has been spoken about the coming data vulnerabilities from Web 2.0. How does Tizor help companies prepare and protect against these coming threats?

So, Web 2.0 really exposes data to more and more applications and users. In many ways, it opens up new channels of access to things like Ajax-based web applications, or web service oriented applications. Unfortunately, many hackers are also finding new vulnerabilities in these new channels and these new applications and they're exploiting those vulnerabilities to steal data for profit. So, for corporate IT, what it means is that the stakes continue to get higher and protecting data has got to be an IT priority. And that means more reasons to watch who's accessing what with the data.

Companies really should be thinking of a layered data defense system. And data protection is a new layer. It protects data at the core in the data center, right next to the databases and it really needs to be put in place now to protect your data assets.

Now, we think companies are really starting to rethink their approach to securing data. It's less about a strong perimeter which you must have but it won't protect you against data theft. It's more about protecting data at the core in the data center. And because of that, companies are really starting to adopt and embrace technology like data auditing now and that's going to help with the broad data governance initiative and it's also going to support more ways to circumvent or to stop these Web 2.0 vulnerabilities.
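The Fred Smith scenario from the interview (a user who normally reads a handful of customer records from the office during the day suddenly pulling a hundred thousand records from a strange location in the middle of the night) comes down to learning a per-user baseline and scoring each new access against it. The block below is an added example written for this transcript, not Tizor's Mantra code or its patented method; the event fields (hour of day, a source label, rows returned), the constructed history and new events, the volume factor of ten and the rule that two or more deviations mean "block" are all assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AccessEvent:
    user: str
    hour: int     # hour of day (0-23) when the session ran the query
    source: str   # assumed label for where the session came from (office LAN, VPN, ...)
    rows: int     # rows returned by the query


@dataclass
class Profile:
    """What 'normal' looks like for one user, learned from past activity."""
    earliest_hour: int = 23
    latest_hour: int = 0
    sources: set = field(default_factory=set)
    max_rows: int = 0


def build_profiles(history):
    """Fold the historical events into one Profile per user."""
    profiles = defaultdict(Profile)
    for e in history:
        p = profiles[e.user]
        p.earliest_hour = min(p.earliest_hour, e.hour)
        p.latest_hour = max(p.latest_hour, e.hour)
        p.sources.add(e.source)
        p.max_rows = max(p.max_rows, e.rows)
    return dict(profiles)


def score(event, profile, volume_factor=10):
    """Compare one new event with the user's profile; returns the list of
    deviations (empty means the event looks like the user's normal behavior)."""
    reasons = []
    if not profile.earliest_hour <= event.hour <= profile.latest_hour:
        reasons.append("off-hours access")
    if event.source not in profile.sources:
        reasons.append("unfamiliar source")
    # volume_factor is an assumed knob: flag reads far above the largest seen before
    if event.rows > volume_factor * max(profile.max_rows, 1):
        reasons.append(f"bulk read: {event.rows} rows")
    return reasons


def decide(reasons):
    """Assumed policy: one deviation alerts an administrator, two or more block
    the session, mirroring the alert-or-kill-session options in the interview."""
    if not reasons:
        return "allow"
    return "block" if len(reasons) >= 2 else "alert"


def evaluate(history, new_events, volume_factor=10):
    """Score every new event against the baseline built from history."""
    profiles = build_profiles(history)
    findings = []
    for e in new_events:
        profile = profiles.get(e.user)
        reasons = ["no baseline for user"] if profile is None else score(e, profile, volume_factor)
        action = decide(reasons)
        if action != "allow":
            findings.append({"event": e, "reasons": reasons, "action": action})
    return findings


# Constructed history: Fred reads a few customer records from the office during the day.
HISTORY = [AccessEvent("fred.smith", h, "office-lan", n)
           for h, n in [(9, 3), (10, 5), (11, 2), (13, 12), (14, 4), (16, 7), (17, 1)]]

# Constructed new activity to score against that baseline.
NEW_EVENTS = [
    AccessEvent("fred.smith", 10, "office-lan", 4),       # routine daytime read
    AccessEvent("fred.smith", 15, "office-lan", 900),     # big daytime report: one signal only
    AccessEvent("fred.smith", 3, "cafe-wifi", 100000),    # the Fred Smith scenario: three signals
    AccessEvent("mallory", 11, "office-lan", 2),          # account with no baseline at all
]

if __name__ == "__main__":
    for f in evaluate(HISTORY, NEW_EVENTS):
        print(f["action"], f["event"].user, f["reasons"])
```

The second event shows why a single signal should alert rather than block: a large daytime report from the usual place may be legitimate, while the third event deviates on time, location and volume at once and is exactly the pattern the interview describes stopping in real time. The fourth event shows the companion problem from the interview, an account the monitoring has never seen, which a shared or newly created privileged login would look like.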

Tag: PCI, Data Breach, Behavioral Fingerprinting, Data Theft, User Profile, Database, Data Audit, Audit Trail, Encryption, Data Monitoring, Web 2.0, Ajax, Application Security


August 21, 2007
Monster.com Data Theft a Multi-Stage Attack

Just noticed my blog from yesterday was completely nonsensical, as I left a quote open in a link and that ate up pert near fifty percent of yesterday’s blog. So if anyone was starting to wonder if the summer sun was affecting my brain, I recommend going back and reading yesterday’s blog here.

In what many have said will be the future of Internet attacks, Monster.com was the victim of a multi-staged attack that included both malware and social engineering, which Dr. Nazario spoke about in the final question of this podcast.

According to Symantec, the attack began with a Trojan horse they dubbed Infostealer.Monstres. The Trojan horse was used against Monster Worldwide Inc.'s job search service and managed to steal more than 1.6 million records belonging to a few hundred thousand people. The thieves then took that data and used it to create very specific phishing emails directed at the victims of the Monster data theft, which, when opened, planted malware onto their machines.

The data stolen from Monster includes names, email addresses, home addresses, phone numbers and resume identification numbers. Infostealer.Monstres managed to infiltrate Monster by using legitimate log-ins, likely filched from recruiters and HR personnel who had access to the “Monster for employers” section of the website. Once in, the Trojan horse was able to run automated searches for resumes of people in specific locations or working in specific industries.

Once collected, that data was used to create very specific phishing emails. This represents a new level of social engineering; the last surge of success came with the Storm Worm, which lured victims with warnings about deaths from recent storms. The more successful attacks using the data stolen from Monster instructed the recipient to download a program called “Monster Job Seeker Tool.”

The first bit of malware spread by the Monster.com attack was dubbed Banker.c, a fairly standard Trojan horse designed to steal information by watching for logins to online banking accounts. When activated, the malware records the login info and then transmits the details back to a central site.

Gpcoder.e is the second piece of malware spread by the Monster attack. Gpcoder is known as “ransomware,” meaning it encrypts certain files on the infected user’s computer and holds them hostage until the user pays a fee to unlock them.

While it was first reported that 46,000 people were infected by the attacks, other estimates say the number could climb much higher. "We are investigating the reports related to this Trojan and will take any necessary steps indicated by that investigation," Monster.com spokesman Steve Sylven said.

This is just an early example of what will become commonplace: multi-stage attacks that use information gleaned from various Web 2.0 applications to create convincing but false emails.

Tag: malware, Monster Worm, phishing, Storm Worm, Banker.c, Gpcoder


August 20, 2007
Cybercrime Gets Organized

Found an interesting article at PC World about Thomas J. Holt, an assistant professor in the Department of Criminal Justice at UNC (go Heels!), who for the past year has been gathering information on the burgeoning online black market for malware and cyberthieves.

To locate the sites where cybercriminals bought and sold their wares, Holt had no inside criminal contacts to assist him, so he started just like anybody would, with a Google search. After wading through several sites that had cut-and-pasted postings from other sites (also called rippers), this led him to the real black market sites where malware gets reviewed and sellers get ranked.

Online reviews varied from “The best program in its class I have ever seen!" to "One of the most powerful products on the market." Still another reads, "Works well... to find a new attacker." As reported by UNC Research, a typical transaction can cost anywhere from $100 to more than $3,000.

These underground forums also feature product-testing reports, which detail if an illicit application does what it says it can. Certain sites even offer tech support and product updates, and in some cases feature escrow services, meaning they’ll act as a third party and hold onto the transaction money until both sides are satisfied with the deal.

Much like eBay, these sites allow sellers to garner a reputation until they can establish themselves as a “verified seller.” To maintain their anonymity, sellers use handles like Corpse or Cr4sh, and when one site shuts down, the reputations can often transfer to a new site. Thus, buyers can distinguish between who are the good/bad guys versus the bad/bad guys.

The team from UNC found sites in Vietnamese, Spanish, English, and Chinese, but the most common language was Russian. The many different languages made it difficult to find and shut down the sites, and while Holt says he does share his results with law enforcement, which has led to some sites being busted up, it has hardly made a dent in the online black market.

Tag: malware, cybercrime, Online Criminal Networks


August 16, 2007
Huge Costs for TJX Data Breach

The cost of the data breach at TJX that exposed the credit and debit card information of more than 45 million customers to fraud continues to add up, and the latest quarter's charge is more than 10 times what the company spent on the breach in the first quarter.

According to TJX’s second-quarter earnings report, costs incurred by the data theft amounted to $118 million. TJX continued to report strong sales, which is some proof that reports of the breach have not driven customers away. To this point, TJX has spent $256 million dealing with the breach, first reported last January, paying for things like hardening its data storage as well as responding to the growing number of investigations and lawsuits filed in response to the breach.

TJX admitted that 45.7 million credit and debit card numbers were stolen over an 18-month period. TJX also acknowledged that another 455,000 customers who returned merchandise without receipts had their driver’s license numbers, along with other personal information, stolen.

The cybercriminals managed to exploit TJX’s Wi-Fi by aiming a telescope-shaped antenna at a store in St. Paul, Minn., which allowed them to grab data transmitted between hand-held price-checking devices, cash registers and the store’s computers. From there, the hackers were able to penetrate TJX’s central database.

While the cost of $256 million could be considered quite high, many predict it will continue to spiral ever upward, perhaps even into the billions.

Tag: Data Breach, TJX, PCI


August 15, 2007
Avoiding the Easy Website Hack

According to Errata Security, the United Nations website was recently hacked using a simple SQL injection bug. And while such a vulnerability might seem surprising on a site as well known as the UN's, numerous sites all over the internet have proven exceedingly vulnerable to SQL injection.

SQL injection is easy to pull off because, where most systems keep code and data separate, a web application that builds its SQL statements by pasting user input into the query text mixes them: all a hacker has to do is send data that contains some SQL of his own, and the database runs it as part of the query. The payload usually starts with a single quote ('), which in SQL closes a string literal, so whatever the attacker puts after the quote is parsed as SQL rather than as the value the developer expected.

To find vulnerable websites, all a hacker has to do is type a single quote into a website's URL parameter or form field. A vulnerable site that doesn't handle its errors will respond with a database error message. And since search engines index pages that take dynamic query parameters, an attacker can build a list of candidate sites to probe in bulk rather than hunting one at a time.

So how do you prevent SQL injection? The main defense is to avoid dynamically generated SQL (string concatenation) in your code, by using parameterized queries and, where you rely on stored procedures, making sure the procedures don't build dynamic SQL internally either. Beyond that, give away as little information as possible when an error does occur, so the single-quote probe yields a generic error page rather than a database message, and run the application's database account with the least privilege it needs, so an injection that does get through can't read or alter more than that one application's tables.
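The vulnerable and the fixed forms side by side, with the single-quote probe run against each, as an added example (not from Errata Security or from the original post). It uses Python's built-in sqlite3 module with a constructed in-memory table of three users; the table, the names and the `lookup_*` function names are assumptions made for the illustration, and the same contrast holds for any database driver that supports bound parameters.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for a site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"),
                      ("bob", "bob@example.test"),
                      ("carol", "carol@example.test")])
    return conn


def lookup_vulnerable(conn, name):
    """Dynamic SQL (deliberately vulnerable): the input is pasted into the statement
    text, so a quote in the input closes the string literal and whatever follows is
    parsed as SQL. Input  x' OR '1'='1  turns the WHERE clause into
    name = 'x' OR '1'='1' and returns every row."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Parameterized query: the statement text is fixed and the value is bound
    separately, so the input is only ever compared as data and can't change the
    query's structure. The same payload simply matches no user."""
    return conn.execute("SELECT id, name, email FROM users WHERE name = ?", (name,)).fetchall()


def probe(conn, lookup):
    """The single-quote probe from the post. Against the vulnerable lookup the
    database raises a syntax error (which a site that echoes errors would leak to
    the attacker); against the parameterized lookup it just returns no match."""
    try:
        rows = lookup(conn, "'")
        return ("no_error", len(rows))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))       # all three rows
    print("parameterized:", lookup_parameterized(db, payload))  # []
    print("probe vulnerable:", probe(db, lookup_vulnerable))    # ('error', ...)
    print("probe parameterized:", probe(db, lookup_parameterized))  # ('no_error', 0)
```

The probe's "error" branch is what the attacker sees on a site that returns raw database messages; the fix for the information-leak half of the post is to log that exception server-side and return a generic page, while the fix for the injection itself is the parameterized form.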

Like the guy who puts on tennis shoes to avoid a bear attack, not to outrun the bear but to outrun the people he’s with, you don’t have to be unhackable: take these simple steps to secure the data on your website, and, with so many vulnerable websites still on the internet, hackers will have plenty of other easy pickings to feed on.
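As an added example, not from the original post or from Errata Security’s write-up, the following Python uses an in-memory SQLite database (a constructed sample table and rows) to show the single-quote probe and the classic ' OR '1'='1 bypass against a login query built by string concatenation, beside the same query written with parameters. The table, rows and function names are hypothetical.

```python
import sqlite3

# Added example, not code from the original post. A constructed in-memory
# database stands in for a site's back end; the users table, its rows and the
# login logic are hypothetical.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation. A quote in the input closes the
    string literal, and everything after it is parsed as SQL."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: the values travel separately from the query text,
    so a quote in the input is data, never code. Same logic, no injection."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def probe(conn, login):
    """The single-quote test from the post. Returns the database error text a
    leaky site would echo back, or None if the input was handled as data."""
    try:
        login(conn, "'", "x")
        return None
    except sqlite3.Error as e:
        return str(e)


# Classic payload: closes the password literal and appends an always-true clause.
PAYLOAD = "' OR '1'='1"


def demo():
    """Runs probe and bypass against both versions of the login query."""
    conn = make_db()
    return {
        "probe_vulnerable": probe(conn, login_vulnerable),   # a database syntax error
        "probe_safe": probe(conn, login_safe),               # None: the quote is just data
        "bypass_vulnerable": login_vulnerable(conn, "alice", PAYLOAD),  # every row
        "bypass_safe": login_safe(conn, "alice", PAYLOAD),              # no rows
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and the concatenated version leaks a database syntax error for the probe and returns every user for the bypass (the WHERE clause becomes username = 'alice' AND password = '' OR '1'='1', which is true for every row), while the parameterized version returns nothing for both. The error text is exactly what the post says an attacker looks for, which is why the generic-error-page advice still matters after the query itself is fixed.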

Tag: SQL Injection, SQL Attack, Data Protection

Posted by pschooff in Better Protection | Permalink | Comments (0) | TrackBacks (0)

August 13, 2007
Los Alamos a Data Loss Leader

Since last October, when it was discovered a crack dealer had nuclear weapons data on a USB stick (you think they were trying to smoke it?), Los Alamos has had two more high-profile data losses. The Los Alamos lab was fined $3.3 million (who pays, us?) over that breach and has since vowed to no longer store sensitive information on removable media. But Los Alamos continues its history of shoddy handling of classified data, and this can be directly attributed to Los Alamos National Security, or LANS, the contractor that runs the lab.

According to CSO Online, the first data slip occurred in typical fashion, with the theft of a laptop. An employee took his lab laptop to Ireland, where it was stolen. It was eventually determined that the information on it was of low sensitivity, and that even if the employee had followed standard protocol and requested permission to travel with the laptop, the request would have been granted.

Following this theft, though, Los Alamos has begun restricting employees traveling with laptops.

The second, and more disturbing, data fumble occurred last January, when Harold P. Smith, a LANS board consultant and former Pentagon atomic weapons adviser, sent an email containing classified data over the ordinary Internet instead of over the secure Defense Department network. The email was originally intended for two board members, but the message was relayed to at least three other board members.

This incident has been called "the most serious breach of U.S. national security," and has been rated as Impact Measurement Index-1 (IMI-1), the most serious level of security violation.

Los Alamos has had serious data breaches going back seven years, and the problem is that it keeps applying insufficient fixes to each problem after the fact. Peter Stockton, senior investigator of POGO, the Project on Government Oversight, said the person "has been fined, lab officials have been fired, and the lab was even closed for a number of months so that it could get its act together. It’s clear that it just can’t."

What Los Alamos needs is a top-down all encompassing review of data security. I mean, with data protection like this for our nation’s most vital secrets, who needs terrorists?

Tag: Los Alamos, Data Protection, Data Security, Security Breach

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

August 09, 2007
Podcast with Arbor Networks: The Evermore Deadly Evolution of Malicious Software

Listen to or download the 11:01 min. podcast below:




What follows is the transcript of my podcast with Dr. Jose Nazario, Security Researcher for Arbor Networks, where we discuss the first computer virus, how it compares with today’s viruses, whether or not anti-virus is dead, what a company needs to do to protect itself today, and finally, the future of security threats.

This is the 25th anniversary of the very first computer virus. Tell me about the very first virus, how did it work and what sort of damage did it do?

A number of folks will actually disagree with calling Elk Cloner, which is what we’re going to be talking about, the very first computer virus. Computer viruses had been theorized well before that and had actually been developed earlier than Elk Cloner. But Elk Cloner, which was from the early ’80s, was one of the first widespread in-the-wild viruses, and it was an infector, a disk infector, actually, for the Apple II computers. So, at the time, Apple had the dominant personal computer share out there, this is right before the IBM PC hit it really big, and Elk Cloner would basically take the diskette that you booted from, load itself into memory, and whenever you put a new diskette in, it would actually infect that diskette as well.

And, it would pop up a message every now and then basically saying “Ha, ha, I’m the Elk Cloner” and it was basically a proof of concept written by the author, then a young man, to sort of play a game on his friends. He was exploring and having some fun with that but it wasn’t terribly malicious. It couldn’t really cause many big problems, you know, it didn’t delete files, it didn’t prevent the systems from booting, things like that that we’ve seen since then.

Cut to today, where one of the newest threats is the Trojan horse virus, Peacomm, which tries to infect users by getting you to open a fake postcard they say is from one of your best friends. Tell me about Peacomm, and does it bear any similarities to the first virus?

It doesn’t bear much resemblance at all to the first virus other than the fact that it is parasitic in nature and it spreads more or less without the users’ direct intervention or the users’ intentions. What’s interesting about it is that the term virus and the generic idea of malware is so generic and so flexible that it does allow for these two wildly different samples, Elk Cloner and Peacomm, to be categorized in much the same way. Whereas Elk Cloner infects only diskettes, and it had to be created at boot time on a system to infect other diskettes, Peacomm spreads over the network from computer to computer by basically emailing itself out. Originally, this past winter, it was spreading itself as an executable attachment in email messages, and then about a month or two ago they started telling people to visit a website, where they would then change the executable repeatedly throughout the day to avoid anti-virus detection. So it went from basically being a social engineering virus, where somebody would be enticed to look at the attachment and infect their computer, to now they’re being enticed to go to a website because they want to see this postcard from their friend or their schoolmate or their relative. And when they go to visit the website, their browser is now exploited through one of multiple holes in the software that is actually accessible through the web browser, and then the system is commanded to download and begin running the executables tied together in Peacomm.

Peacomm is a very interesting piece of malware that is very representative of current malware trends in many respects. It has multiple components that fit together to provide communications, its primary function, which is to send spam, it has replication functions in another executable, and it even now has service attack capabilities within it that allow it to attack rival websites and sometimes even researchers like myself and others who have been investigating this botnet. The communications it carries with it communicate from host to host, not from one host to a central server but rather from peer to another peer, to be able to pass commands and receive them and to act on those commands. These commands might be to download and install a new spam template, to update some components or to launch an attack.

The capabilities of the machines are determined when the machine is actually infected: it begins to try to communicate with others and find out how much it can do on the network. Can it be used, for example, to stand up a website that is, you know, one of those fake postcard websites? Or can it only send spam? Or can it launch denial-of-service attacks, those kinds of things.

Lately, some people have been saying that anti-virus is dead. What is motivating this, and how do you respond to that?

I’m actually one of the people who’s talked about this gap on anti-virus between what anti-virus provides and the threats that we’re facing right now. When I talk about anti-virus, I’m talking about any anti-malware software, any anti-malware system, so this is designed to detect and prevent and remove unwanted software programs, and this can include viruses, this can include Trojan horses, worms, spyware, adware, things like that. So, some folks in the anti-virus community are quick to point out that anti-virus is only about viruses and Trojan horses and not about much else. Now I’m talking about all of these threats. The gap that I’m talking about, though, is that the number of people writing malware samples and the ease with which they’re doing it and the variability that they are introducing, when compared to the detection capabilities of the existing anti-virus and anti-malware solutions, leaves a lot to be desired, so I am one of these people that believes that there is a problem there. Would I call it “dead”? Probably not. When some folks talk about it being dead, they’re talking about clearly it’s a failed technology and we need to have something new. A lot of folks are talking about it as it is no longer that front line of defense in many minds. I agree a little bit with both of those perspectives. I think, as I mentioned, there is a gap. I think that there is a shortcoming, a dramatic shortcoming these days in the anti-virus and anti-malware world that folks are trying to address, and they’re finding that they can’t yet address it as well as they want to.

Now it’s said that you can never truly protect yourself fully against viruses or malware, but what exactly does a company do to protect itself at all?

It’s true that you can never be fully protected against viruses, and I think this goes right back to some of the initial work done by people like Fred Cohen on viruses and virus theory. It’s just impossible to enumerate everything that could be used maliciously to become comprehensive there. And so anti-virus will always have that problem with it. What we are seeing that works pretty well, though, people were trying it with Windows XP and now it’s built into Windows Vista, and that is the idea of a very limited set of capabilities for the running user compared to the rest of the system. Often, malware will be able to infect a system completely because it has access to be able to write to the system folders and it has the ability to install itself as always running. If it’s just the user and it has a very limited set of privileges, then it can’t actually install itself permanently. A user might be infected for a session, might run into some problems, but when they log out and log back in or restart the computer, they’re just generally fine.

So, this dramatic change in the default stance through Vista is a big help there. And also, applications within Vista, much more so than in previous versions of Windows, are much better at not cross-interacting with each other. They’ve got more barriers between their interactions, which prevent, in the case, for example, of a web browser, dropping in and launching other files that are unwanted on the system.

Botnets seem to be growing bigger and more dangerous by the day. Why have they grown so fast so quickly?

Botnets are a natural outgrowth of the computer worm that plagued us in the early 2000’s, such as Code Red, Nimda, SQL Slammer and the idea that caused it to be a sort of natural outgrowth is that if you have your code on a hundred thousand machines and it can only do one thing, you’re at a loss. You have to launch new code to make it do something new. If you could update it, if you could command it dynamically, now you have well, you know, a much bigger installed base and so the bot is a natural outgrowth of that. We’re seeing a dramatic upsurge both in the prevalence of bots through more and more botnet operators as well as their tenacity with using better exploits and better defensive tools to protect their installed software, their installation base, if you will and that we think is what’s causing this dramatic upsurge, the availability and the skillset is also dramatically improving.

Botnets are being used by many people to send spam, to conduct phishing attacks, to conduct large scale denial of service attacks against security researchers and security professional organizations, as well as even against governments and commercial organizations in many cases. The attackers are finding that a botnet is a fantastic platform from which to build their enterprise, and it requires only a little bit of maintenance and a little skill to actually conduct these widespread attacks and make a lot of money at the same time.

What do you see as the future of security threats, and do you think it’s ever going to get better for the good guys?

I think we are seeing a change back towards the Trojan horse and the idea where you require social engineering to fool a user into installing software. This was very popular in the early days of computer malware. Several years ago, we saw a dramatic change towards software vulnerabilities being used to install malicious software, and now I think we’re seeing a shift back towards social engineering, possibly combined in some cases with exploits, like we’re seeing in Peacomm, where you’re being socially engineered to go visit this website and once you do so, your browser is now being attacked and exploited. So, this combined threat is actually, it’s a big problem there. But, I think the requirement is now, given the posture of operating systems and the, you know, default installation of a host-based firewall, all of these things combine to having to get the user, if you will, sort of open up and make themselves vulnerable through a social engineering attack. That, I think, is going to be the trend that is going to continue for a while. What goes beyond that, I’m not necessarily sure.

I think that as we grow more interconnected and more capable on these platforms, it gets a little bit harder to anticipate all the pitfalls we’re going to explore there but I don’t want people to continue to think it’s going to get worse. I think that there are some great strides that we’re making in the defensive space and we’re better than we were even yesterday in this but I think the pace of the problem and the scale of the problem, is such that our darker days, I think are still ahead of us in this regards.


Tag: Computer Virus, AntiVirus, Elk Cloner, Peacomm, botnet, DoS Attacks, Adware, Trojan Horse, Code Red, Nimda, SQL Slammer

Posted by pschooff in Podcast | Permalink | Comments (0) | TrackBacks (0)

August 08, 2007
Battle for a Single SOA Security Standard

As often happens with revolutionary new products or services, different standards and technologies vie for market dominance. An easy example of this is the battle between VHS and Betamax.

In terms of SOA and security, there seems to be an almost primal disconnect between the two. Essentially, SOA wants information and data sources to be free and fully integrated into all levels of a company’s operations and decision-making, but on the security side, the immediate question is, Information free to whom? Because we all know, cybercriminals thrive on free information.

ebizQ’s own Joe McKendrick, one of the leading voices on the leading edge of SOA and BI, wrote this excellent blog on the very subject, wondering whether security threatened to shut down SOA altogether.

The standards currently battling for SOA security supremacy are:

1. SAML (Security Assertion Markup Language).
2. WS-Federation
3. WS-Trust

As you can probably guess, the three do not simply interoperate. SAML is favored by almost everyone else, while Microsoft favors WS-Federation, which is built on top of WS-Trust. Both camps can carry a SAML assertion as the security token itself, but the federation protocols that pass those tokens between a browser, an identity provider and a service do not match, so a SAML partner and a WS-Federation partner cannot talk to each other without a bridge.

Andy Dornan wrote this excellent article covering SOA security in great detail for Information Week, and according to him, with SOA in a state of near constant flux, there is long long way to go before a single standard is reached.

And we all know who won the battle between VHS and Beta: DVD. But for how long?

Tag: SOA Security, SAML, WS Federation, WS Trust

Posted by pschooff in SOA Security | Permalink | Comments (0) | TrackBacks (0)

August 07, 2007
Current Cost of Cybercrime

Consumer Reports came out with its State of the Net report, which determined that consumers lost $7 billion to viruses, phishing, and spyware in the last two years. The study also put the median cost of a phishing mishap at $200. According to the report, consumers currently stand a 1 in 4 chance of falling victim to cybercrime, a number that has actually decreased since last year. The survey was done by the Consumer Reports National Research Center using a sample of more than 2,000 households with Internet access.

The report also concluded that virus infections remained steady compared to last year, which Consumer Reports called progress, considering the escalation of attack vectors and the growing threat of Web 2.0. According to the survey, 38 percent of respondents reported a virus infection in the last two years, and 17 percent had no antivirus protection on their machines.

Most experts were not surprised by the findings. In a quote taken from EWeek, "Recent statistics indicate that one in every 10 Web sites is infected with malware," said Forrester Research analyst Chenxi Wang. "Therefore it is highly likely that an unsuspecting Web consumer—one that does not have adequate protection in place—would encounter a malware hosting Web site browsing the Internet."

And because of the growing threats from Web 2.0 sites like MySpace and Facebook, children were the most likely victims (and the least likely to be captured by this survey).

Tag: cybercrime, viruses, phishing, Web 2.0

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

August 03, 2007
Ajax a Threat to Web 2.0

Ajax -- or Asynchronous Javascript and XML-- has come to dominate Web 2.0, but it is coming at a price: security. According to Information Week, SPI Dynamics demonstrated at Black Hat last Wednesday several ways to break a web site built using Ajax. HP is set to buy SPI Dynamics, a deal I asked IBM Rational about in this podcast. SPI Dynamics has started calling this rush to use AJAX for Web 2.0, “Premature AJAX-ulation.”

Ajax has become so prevalent in Web 2.0 because it allows developers to build highly responsive applications that run over the Internet. Google Maps is one of the more prominent apps that rely on Ajax. The weakness is not JavaScript itself but what moving logic into the browser means: more of the application's code, and more of the server endpoints it calls, are exposed to anyone who views the page source or intercepts the requests, and any check that runs on the client can be bypassed by simply editing the request before it is sent.

As part of the demonstration, SPI researchers constructed a test site, HackerVacations.com, using the latest books and resources on Ajax, and then showed how flight pricing, seat selection, and other aspects could be easily manipulated on the site.

"Bryan and I were shocked at the bad advice published in Ajax security books," Billy Hoffman, lead security researcher for SPI, said. To secure Ajax, programmers need to define exactly which parameters each server-side endpoint accepts, validate every one of them on the server (never rely on validation done in the browser, because the attacker controls the browser), and encode the output they deliver so that data returned to the page cannot be interpreted as script.

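As an added illustration, and not SPI Dynamics' HackerVacations code or anything from the original post, here is a hypothetical flight-booking endpoint written as server-side Python, in the version that trusts the fare the browser's JavaScript computed and in the version that validates every parameter against server-side rules and recomputes the fare. The routes, prices and the tampered request are constructed sample data; the check lives on the server because that is the only place the attacker cannot edit it.

```python
# Added example, not from the original post or SPI Dynamics' demo site.
# A hypothetical booking endpoint in a vulnerable and a hardened version.
# Routes, prices and requests below are constructed sample data.

FARES = {"SFO-JFK": 350.00, "JFK-LHR": 620.00}            # server-side price list
SEAT_SURCHARGE = {"economy": 0.00, "exitrow": 25.00, "first": 400.00}


def book_trusting_client(req):
    """Vulnerable: the Ajax front end computed the fare in JavaScript and
    sends it as 'total'; the server charges whatever the client says."""
    if req.get("route") not in FARES:
        raise ValueError("unknown route")
    return {"route": req["route"], "seat": req.get("seat"),
            "charged": float(req["total"])}


def book_validated(req):
    """Hardened: every parameter is checked against server-side rules and the
    fare is recomputed from server data. A client-supplied total is accepted
    only if it matches, so tampering is detected instead of silently honored."""
    route = req.get("route")
    if not isinstance(route, str) or route not in FARES:
        raise ValueError("invalid route")
    seat = req.get("seat")
    if not isinstance(seat, str) or seat not in SEAT_SURCHARGE:
        raise ValueError("invalid seat class")
    pax = req.get("passengers")
    if not isinstance(pax, int) or isinstance(pax, bool) or not 1 <= pax <= 9:
        raise ValueError("invalid passenger count")
    total = round((FARES[route] + SEAT_SURCHARGE[seat]) * pax, 2)
    if "total" in req:
        try:
            client_total = float(req["total"])
        except (TypeError, ValueError):
            raise ValueError("malformed total") from None
        if abs(client_total - total) > 0.005:
            # A mismatch is a tampering signal: reject and log, never "correct" it.
            raise ValueError(
                f"price mismatch: client sent {client_total}, server computed {total}")
    return {"route": route, "seat": seat, "passengers": pax, "charged": total}


# A tampered request, as an attacker would craft it with an intercepting proxy
# or the browser's JavaScript console, beside an honest one (constructed input).
TAMPERED = {"route": "SFO-JFK", "seat": "first", "passengers": 1, "total": 1.00}
HONEST = {"route": "SFO-JFK", "seat": "first", "passengers": 1, "total": 750.00}


def demo():
    """Returns what each handler would charge for the tampered request."""
    vulnerable = book_trusting_client(TAMPERED)["charged"]
    try:
        hardened = book_validated(TAMPERED)["charged"]
    except ValueError as e:
        hardened = "rejected: " + str(e)
    return {"vulnerable": vulnerable, "hardened": hardened}


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler books a first-class seat for one dollar; the hardened one rejects the same request with a price-mismatch error. Note that the hardened version does not quietly substitute the correct price, since a client that sends a wrong total is either buggy or hostile and either case deserves a log entry.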
Tag: Ajax, Web 2.0, Javascript

Posted by pschooff in Better Protection | Permalink | Comments (0) | TrackBacks (0)

August 01, 2007
Podcast with IBM Rational: Security Becomes an Important Factor in Application Lifecycle Management

Listen to or download the 11:09 min. podcast below:




What follows is a transcript of my podcast with Dave Locke, the Director of Offerings Marketing at IBM Rational, where we discuss application lifecycle management and how that relates to IBM’s recent purchase of Watchfire, how application testing works, how the Watchfire acquisition compares with HP’s purchase of SPI Dynamics, and finally, any acquisitions IBM Rational might be looking to make in the future (I know, I know, but I still had to ask).

Can you explain application lifecycle management?

In a nutshell, when you’re deciding in a business to look at aspects of your business that need automation, specifically, I’ll give an example to make it easier here, a sales order process, right. Typically, most companies today don’t go through a paper based process, they capture their sales order, they process it off the back end, they ship it out. It’s all done via computers through applications. Easy to know, because everybody does that, right? Well, when you're deciding on what it is you need to automate, typically businesses look at different scope, different areas of the business to say, “hey, you know what, I’m going to take and automate the sales order process, we’re going to get it off paper.”

First off, in an application life cycle management discipline, the first thing you want to do is consider what it is you’re trying to accomplish, what are the requirements of this project, how does it fit into the overall business, what is the value I’m going to get by automating this process through some use of technology. As you start making those decisions, you finally come to a decision, OK, it’s going to cost “X” amount of dollars, “X” amount of time, we’re going to reap “X” benefit from doing that. At that point in time, that application now starts moving into the architecture and design phase. So, how does it fit into the rest of the system, the overall enterprise architecture? How does it fit into the other applications it needs to communicate with? What is the architecture? Is it an SOA architecture or am I going with a monolithic application?

Then, you start on the development phase: you do the testing, lots of different types of testing goes on, right? So there’s functional testing to make sure it actually works and the known defects are taken care of. You go into performance testing, you know, expecting 5,000 users to hit concurrently? But it’s pretty hard to get 5,000 of your friends to test concurrently, so you automate that. With our new Watchfire acquisition, it’s focused on the security of that application; we’ll talk a little more about that in a moment. Once you’ve completed this development process, you hand off to your IT operations to actually put it up live and manage it in a production environment. Well, the cycle of deciding what you’re going to build, understanding the architecture, building it, testing it, is really this application life cycle management. And, you know, it’s typically depicted in kind of a circle because as you understand what you’re going to build, you learn more about it and you iterate deeper and deeper into the project so you can best facilitate getting that application out in a very cost effective way. The management aspect of this, of course, you have individuals working on different pieces of the project, but you also need to connect those different individuals, right? The folks that are looking at the line of business reasons you’re doing a sales order system are physically in a different department and have a different way of thinking than the people actually doing the coding. We need to hand that off to the coders; well, how do you do that? How do you know if you’re doing it efficiently? Have you captured the right things? Once you’ve handed it off, how many times did you have to go back and change requirements or change architecture? All of these types of decisions typically are made by small sub-teams without the full context of the entire life cycle of the application.

So, the notion of application life cycle management is really taking and governing the business process of delivering that software from start to finish, all the steps in between, and providing all the different layers of reporting so that senior management, middle management, project management and individual contributors can understand how they fit, the investments we’re making and how efficiently we’re running. So, it’s really all that put together.

Tell me a little bit about the security aspect of Watchfire being included in the application lifecycle now.

So, as we see these different types of applications, many of them are now being deployed outside the firewall or inside the firewall, but have through the firewall access. And, not only inside the firewall type applications needing security, but all of these types of applications do need a way to be able to securely present, manage, interact with the user so there is no breach in security. And, as you know, as we look at the world, all of these applications are becoming more and more widely accessed from non-employees, if you will, as well as internal employees. How do I manage that security? It’s become a more and more important topic as we see headline news week after week about this and that security breach. Well, Watchfire, the reason we chose to do this acquisition, Watchfire is actually the leader in the market for application level testing of security. So, as you can imagine, there are many different layers of security that have to be considered, right, so at the firewall level, how strong is the firewall? Is it resisting many attacks? If there’s a breach of security, how do I know there’s been a breach and how do I do the intrusion detection, right? So, there’s many different layers of security. Watchfire focuses on the application and testing the application for known hacks, security leaks and actually, you know, automating the process of banging on that application to find those potential breach areas.

Given that most new security vulnerabilities pop up in the most unexpected places, exactly how does application security testing test for future security risks?

That’s pretty tricky. There’s a couple different aspects of this that make sense. So, on the Watchfire level, it does what is considered “black box” security testing, meaning it does not go to the depths, internals of the code. We have some other assets that work on those kind of tests, the “white box” tests. Watchfire focuses on this black box and it does a couple of things. First off, we have a Watchfire team which is now part of IBM, by the way. They were acquired as of Monday, so they are IBMers now. But, there’s a team there that focuses on hacking. They’re always looking for different techniques of hacking, looking for the latest, greatest insight from different hacking websites, reverse engineering hacks that folks are doing, and so they’re always working on that forefront, bleeding edge of how people are thinking about hacking. And, so, they then take that and codify that into a database of “techniques” that we then run against websites. So, it’s always kind of working on that bleeding edge and taking known approaches and kind of evolving them to be more effective over time.

Now, I understand that HP just acquired SPI Dynamics. How do you see this as competition to IBM?

The SPI Dynamics/HP deal, that was not a surprise, but interesting to see. So, Watchfire has 63% of the market share as reported by Gartner. SPI Dynamics is in the 20’s, if I recall correctly. So, we went out and acquired the number one tool in this space and what’s really nice about the acquisition is that it absolutely fits into our portfolio, very, very complementary. There really isn’t any overlap and, you know, one of the things that is unique about IBM Rational is the depth and breadth of integration we have across the whole application life cycle we were talking about a moment ago. Well, Watchfire, even though the acquisition is only a few days old, is actually already integrated with one of the key tools it needs to be integrated with, Rational ClearQuest. And so that makes it a real hand-to-glove fit. You know, as compared to SPI Dynamics, also a very good tool, they work very similar, absolutely, right in the same space but not as large a market share and, you know, HP, in terms of integrating it in with their ALM offering, they haven’t announced any integration at this point, don’t know what their plans are internally, but we would expect to see that kind of consolidation and it was also a hole in their portfolio as well.

So it’s clear that IBM is going for an end-to-end solution. Do you see anything else that you might need to acquire to achieve a full end-to-end solution or do you feel that IBM is already there?

There’s always places you can improve, right? We could all see improvement; we’re always striving to deliver better results for our customers. You know, it’s interesting, thinking about IBM in general from the security perspective. As a company, we are very serious about security here within IBM. We’re also serious about delivering security solutions to our customers to help them. And, you know, we turn a lot of our tooling on ourselves, really the first step, because we’re so serious about this. Looking across IBM, I’m definitely not an expert on all the different offerings IBM has, but we do have offerings that work across the entire spectrum of security, all the way from the front-end intrusion detection, all the way through to ongoing monitoring of applications and things and now with the Watchfire acquisition, focused on application level, you know, pre-deployment testing. So, is there another announcement in the works? Not here to reveal that. We can always see ways to improve for sure. I would say that IBM, with our market size and the number of employees that work here and our serious focus on testing and security, I think we’re in a pretty good position to continue our market leadership. But, again, there’s always room for improvement.

Tag: Application Lifecycle Management, SPI Dynamics, SOA, Application Security, Application Testing, Security Breach, Vulnerability Testing, Black Box Testing, White Box Testing

Posted by pschooff in Podcast | Permalink | Comments (0) | TrackBacks (0)


New Database Vulnerability Found

While the folks gather at Black Hat and dig into the depths of security's dark side, I'll just have to keep to the sunny side of the Internet street and keep wearing my white hat proudly.

According to Core Security Technologies, who will be demonstrating this newly found database vulnerability at Black Hat in Vegas today, databases have typically been attacked through their authorization and access controls, or by injecting SQL through the front-end application. This attack instead goes after the B-tree, the indexing algorithm and data structure that nearly every database relies on.

The approach applies timing attacks, a well-known technique for breaking cipher implementations, to databases. CoreLabs intends to demonstrate how the method can extract information about existing records by performing record insertions, an operation that is generally available to all users, even anonymous users of front-end web applications.

"What the attack takes advantage of is some features or some characteristics of the indexing algorithm," Core Security Chief Technology Officer Ivan Arce said. "Some inserts will take more time than others, and that time is measurable. So if you control what you are inserting and you can measure the time that it takes to insert into BTREE, you can infer what other contents the BTREE has before you did the insert."

"It's a theoretical attack," he said. "There are a lot of implementation details for an attack like this. Doing an attack like this against a specific database requires a lot of knowledge about the settings of the database and how it was tuned, what the table content, the table structure is."

The attack is still almost entirely theoretical, and one of the key things working against it is noise: the attacker needs to measure the database almost in isolation, but on a production system other users are inserting and updating at the same time, so both the shape of the index and the load on the server are constantly changing, and the small timing differences the attack depends on are buried in that variance.

But with CoreLabs giving their demo today, I'm sure more information will come to light for those who tread in the dark.

Tag: Database Vulnerability, Timing Attacks, Access Controls

Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

Accountability:The opinions expressed in this blog are solely representative of the blog's author, and not of ebizQ
