Ahem… I refer my honourable friends to my earlier post last year.
In which, I said,
So Microsoft’s new strategy could be to own both hardware and software – starting with its own tablet but moving into phones (perhaps by buying Nokia?) and desktops (perhaps by buying Dell or Acer, or even building new from scratch?)…
Toward a new strategy for Microsoft
Yesterday, Reuters reported,
Microsoft Corp is in discussions to invest between $1 billion and $3 billion of mezzanine financing in a buyout of Dell Inc, CNBC cited unidentified sources as saying on Tuesday.
Microsoft in talks to invest up to $3 billion in Dell
Keep up, chaps.
Last week’s news stories (Jan 30 to Feb 3):
Security researchers break satellite phone encryption
German researchers have cracked 2 satellite phone encryption codes – huge implications.
EU publishes 10 Myths about ACTA
EU says ACTA ain’t bad, just misunderstood.
VeriSign repeatedly hacked in 2010
VeriSign was repeatedly hacked in 2010, and never even told its own senior management.
Science and Technology Committee publishes Malware and Cyber Crime report
Commons committee makes recommendations on how to tackle cybercrime.
New development in post-transaction banking fraud
Banking malware now seeks to divert telephone calls between banks and customers.
Counterclank is not malware, just aggressive adware
Contrary to Symantec’s initial claim, Android’s Counterclank (Apperhand) is not a trojan.
Major UK companies still not blocking porn namesakes
UK companies remain open to cybersquatting by YourBrandName.xxx
New Forrester Report: Big Data Risks
Forrester describes how to secure Big Data.
Resilience is the key to security says World Economic Forum
WEF suggests a holistic view of resilience to risk rather than an isolated focus on prevention.
A call for a new standard in infosec training and awareness
We need a new standard to improve security awareness in users.
IE6 users: no longer caught between a rock and a hard place
A new product allows legacy IE6 applications to run in new versions of the browser.
75% of all new malware are trojans
PandaLabs 2011 report is full of facts, figures and information.
Spam and phishing are growing problems: DMARC has the answer
A new standard is being developed to help stop spam and phishing.
CSO Interchange: Cloud concerns are largely propaganda
Misunderstandings about the cloud make it seem a problem rather than an opportunity.
Up to five million Androids infected with Counterclank
Android’s largest ever infection reported by Symantec.
I’m not behind Kelihos botnet, claims Sabelnikov
Man named by Microsoft says I didn’t do it, guv.
Sophos showed the way. It was the first major anti-virus company with free AV for Mac. In a masterly PR stroke it gave away what it could not sell: Mac AV for home users. The rest of the industry was thrown into catch-up.
And now the catch-up has begun. AVAST Software has launched a new free Mac AV product, available to users of OS X 10.5 and newer.
“It’s time for Mac users to start thinking about an antivirus app and this beta shows what they will need for their protection,” said Ondrej Vlcek, CTO of AVAST Software. “The Mac has long had a ‘cloak of invulnerability’ because its small market share made it a fringe target for malware. As Mac sales surge it is becoming a natural target for malware such as the Pinhead and Boonana Trojans or the MacDefender fake antivirus.”
For the moment it’s still in beta – and if you want to try that you can get it here. Otherwise you’ll have to wait for the released version which should be announced soon.
A new and most welcome reality is gaining traction: vendors’ understanding that home users do not buy security products for their personal computers. Business vendors get their income from business computers, not from home computers.
So, if home users are never going to buy my software, and it costs me effectively nothing to let them have it (courtesy of the internet), why should I not give it away free for personal/home use? No reason at all. In fact it makes excellent PR, and good business sense since that home user might also be a senior executive between 9 and 5.
DTI Data Recovery is the latest company to see this sense. It is making three products available for free download:
- External Hard Drive Undelete
- Hard Drive Partition Repair
- Windows Hard Drive Recovery Verification
Since the world comprises those who have been through the panic and heartache of lost data and those who will soon experience that panic and heartache, these products could go a long way towards preserving our future sanity.
Websense has launched a new series of reports based on the huge amount of information its HoneyGrid captures. The Websense HoneyGrid is a sort of massively distributed honeypot hosted by the Websense installations all around the world: that’s something like 50 million real-time data collection systems parsing one billion pieces of content every day. That’s a lot of information in almost real-time.
Introducing these new Websense Insights, Charles Renert, senior director of security research at Websense, explained: “The security landscape changes so fast these days that it’s increasingly difficult to get that information out in a timely fashion. We’re putting in a little extra effort to take all of the information we have – which is immense – and collapse it into the core messages about what’s happening out there on the web.”
It’s a laudable intent. But is it achieved? I asked him to explain the first report.
“When we did this study we were looking at link ecosystems. The web is composed of links – it’s the links that make the web what it is. We wanted to get a better understanding of the link ecosystems on social networks and other popular sites, and then to correlate that understanding with what the bad guys are doing. How, for example, are those link ecosystems being used by the bad guys to spread malware and spam today. Something like 75% of all internet traffic on the planet is going to the top 20 sites – so how are the bad guys using this new phenomenon to spread their wares?
“We took a look at the most frequently visited sites, and we looked at their link ecosystems. We looked at the links on the popular sites and we downloaded all of the content from all those links and analysed them. That gave us the two-click analysis: are you just two clicks away from malware when on the most popular sites? Well, if you take the top sites on the web, for example news and media sites, we found you have over a 72% chance of having at least one piece of malware within two clicks of the site. Message boards and forums were 71%, entertainment was 53%, and social networking was 55%. More specifically, on Facebook we found that 40 percent of status posts contain a URL, and that 10 percent of those are either spam or malicious.”
I’m not sure how much value we really get from this particular Websense study. For the average user I consider the ‘two clicks’ concept potentially quite dangerous. My advice would be for all users anywhere on the internet to assume that you are always just one click away from malware. Don’t ever click on any link without weighing up the possibility that it might be leading you to malware. Assume the worst and you won’t be disappointed. Trust and verify? No. Verify before you trust on the internet.
You can see the actual report here. But if you do look at it, remember Renert’s description of how much information went into the making of it; and then consider how much information we’re given within it. It’s not much in comparison – and I blame that on the medium. Websense has chosen video reports; and in my opinion a video report is almost always lightweight in comparison to a 20-page PDF document. Video makes good advertising, and to a large extent that’s what this inaugural Insight really is. I hope Websense learns for future Insights. They could be something special. The first one is not.
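To make the ‘two-click’ measurement concrete, here is an added example (my own code, not Websense’s crawler) that asks the study’s question over a small link graph: starting from a popular site, is at least one known-malicious URL reachable within two link hops? The graph, the list of top sites and the malicious set are all constructed for the example (hosts use the reserved .example TLD), and the real study downloaded and analysed live content rather than consulting a fixed blocklist.

```python
"""Two-click exposure check over a constructed link graph.

Added example, not Websense's crawler. For each popular site it asks
whether a known-malicious URL is reachable within N link hops, and then
reports the fraction of sites exposed, which is the kind of per-category
figure the study quotes.
"""
from collections import deque

# Constructed link ecosystem: page -> pages it links to. Pages that never
# appear as keys have no outgoing links in this graph.
LINK_GRAPH = {
    "news.example": ["news.example/story1", "ads.example", "social.example"],
    "news.example/story1": ["comments.example"],
    "comments.example": ["badhost.example/exploit"],                 # 3 hops from news
    "ads.example": ["tracker.example", "badhost.example/exploit"],   # 2 hops from news
    "social.example": ["shorturl.example/x2"],
    "forum.example": ["forum.example/thread1", "forum.example/thread2"],
    "forum.example/thread1": ["shorturl.example/x1"],
    "shorturl.example/x1": ["badhost.example/exploit"],              # 3 hops from forum
    "forum.example/thread2": ["video.example"],
    "video.example": ["video.example/clip", "badhost.example/fakeplayer"],  # 1 hop
    "shop.example": ["shop.example/cart", "payments.example"],
    "shop.example/cart": ["shop.example"],                           # cycle; must not loop
}
TOP_SITES = ["news.example", "forum.example", "video.example", "shop.example"]
# Assumed blocklist standing in for the study's content analysis.
MALICIOUS = {"badhost.example/exploit", "badhost.example/fakeplayer"}


def malware_distance(start, graph, malicious, max_depth=2):
    """Fewest clicks from `start` to any malicious URL, or None if nothing
    malicious is reachable within `max_depth` hops. Breadth-first search,
    so the first hit is on a shortest path; `seen` stops cycles."""
    if start in malicious:
        return 0
    seen = {start}
    frontier = deque([(start, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == max_depth:
            continue  # following a link here would be one click too many
        for nxt in graph.get(node, []):
            if nxt in seen:
                continue
            if nxt in malicious:
                return depth + 1
            seen.add(nxt)
            frontier.append((nxt, depth + 1))
    return None


def exposure_rate(sites, graph, malicious, max_depth=2):
    """Fraction of `sites` with malware within `max_depth` clicks."""
    exposed = sum(
        1 for s in sites if malware_distance(s, graph, malicious, max_depth) is not None
    )
    return exposed / len(sites)


if __name__ == "__main__":
    for site in TOP_SITES:
        print(site, "->", malware_distance(site, LINK_GRAPH, MALICIOUS))
    print("exposed within 2 clicks:", exposure_rate(TOP_SITES, LINK_GRAPH, MALICIOUS))
    print("exposed within 3 clicks:", exposure_rate(TOP_SITES, LINK_GRAPH, MALICIOUS, 3))
```

Note what the radius does to the headline number: in this toy graph half the top sites are ‘exposed’ within two clicks and three quarters within three, although the forum is only exposed through a URL shortener that most readers never follow. Every link on a page counts, including ad and tracker links, which is why the one-click mindset above is the safer one to teach.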
Last Thursday, Qualys (in conjunction with TippingPoint and SANS) published The Top Cyber Security Risks Report. I consider this report to be more valuable than most, because it
…features in-depth analysis and attack data from HP TippingPoint DVLabs, vulnerability data from Qualys and additional analysis provided by the Internet Storm Center and SANS.
The Top Cyber Security Risks Report
In short, it combines genuine data with the highest quality professional analysis. Compare this approach to the two recent ‘perception’ surveys I discuss here and here. Perception is, of course, highly valuable for marketing purposes: the danger is that other users might confuse the perception of what works with the reality of what works – and make bad choices. I put Wolfgang Kandek, CTO of Qualys on the spot by asking him if his experience of reality confirmed the general perception held by both of the perception reports that data loss prevention (DLP) and encryption are two of the best security controls for preventing security breaches.
“I haven’t seen that impact, I have to say,” he responded. “For me, encryption is very helpful on, let’s say, on the laptop that is lost or stolen. It’s good then if it’s encrypted; it makes it very difficult for someone who finds or steals that laptop to actually get to the data. It’s also very useful between two points, if someone eavesdrops on the line or the internet connection. In these situations it is very, very useful. However, with the attacks we are seeing today, the attackers actually get into the end point where the data is unencrypted, where you actually write your emails, or where you submit your bank transfer before you type in your password. At that point it has to be unencrypted; and that is where the modern attackers are acting right now.
“DLP is again a useful technology for the unintentional leakage points; but I’m not sure how well it works against a determined attacker who is able to use encryption in his communications.” To illustrate his point, I could do no better than point to the section Analysis of a PDF attack in The Top Cyber Security Risks Report. It includes a series of graphics to illustrate the process of the attack – and I include the final graphic here. It shows the endgame. The attacker has compromised the victim’s network, and is communicating sensitive data back to home base. How effective, we have to ask ourselves, would DLP be if the attacker’s malware is able to encrypt the communications?
And we have to assume that today’s professional criminal is well able to do this.
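Kandek’s point about DLP is easy to demonstrate. The following is an added example of my own, not code from the Qualys report or from any DLP product: a content-inspecting rule (regex plus Luhn check) that catches card numbers in a constructed exfiltration batch, the same rule missing the identical bytes once the attacker encrypts them, and a byte-entropy check as one signal an egress control can still use on the encrypted blob. The ‘cipher’ is a toy SHA-256 keystream XOR chosen only so the example runs on the standard library; it is not a real cipher, the key and record format are assumptions, and the card number is the usual 4111 1111 1111 1111 test value rather than a real account.

```python
"""Pattern DLP against plaintext versus encrypted exfiltration.

Added example, not from the Qualys report or Wolfgang Kandek. The toy
stream cipher exists only to make the point without third-party crypto
libraries; do not reuse it for anything real.
"""
import hashlib
import math
import re
from collections import Counter

# Constructed exfil batch: the sort of record an implant reads from an
# endpoint where the data is necessarily unencrypted.
RECORD = (b"customer=alice@example.com;card=4111 1111 1111 1111;"
          b"note=CONFIDENTIAL internal pricing\n")
PLAINTEXT = RECORD * 64
KEY = b"attacker-session-key"  # assumed; in practice agreed with the C2 server

CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")


def luhn_ok(digits):
    """Luhn check so a random 16-digit run does not count as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def dlp_hits(payload):
    """Card numbers a content-inspecting DLP rule would report in `payload`."""
    text = payload.decode("latin-1")  # lossless one-byte-per-char view
    return [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m))]


def toy_stream_xor(key, data):
    """XOR with a SHA-256 counter keystream (toy; symmetric, so it also decrypts)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def shannon_entropy(data):
    """Bits per byte: text sits well under 6, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect(payload, entropy_threshold=7.0, min_size=1024):
    """Egress decision. A pattern match blocks; failing that, a large
    high-entropy blob raises an alert. Thresholds are assumptions."""
    hits = dlp_hits(payload)
    ent = shannon_entropy(payload)
    if hits:
        verdict = "block: card numbers in cleartext"
    elif len(payload) >= min_size and ent > entropy_threshold:
        verdict = "alert: high-entropy outbound blob"
    else:
        verdict = "allow"
    return {"hits": len(hits), "entropy": round(ent, 2), "verdict": verdict}


if __name__ == "__main__":
    ciphertext = toy_stream_xor(KEY, PLAINTEXT)
    print("plaintext :", inspect(PLAINTEXT))
    print("encrypted :", inspect(ciphertext))
```

The entropy fallback is deliberately weaker than the pattern rule: it cannot say what left, only that something opaque and bulky did, and an attacker who pads, chunks or tunnels the data inside ordinary TLS to a plausible host defeats it too. That is the gap Kandek is pointing at.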
One of the more alarming trends observed in the previous six months is the increased sophistication of attacks. Attackers have not only become more organized, they are also increasingly subversive and inconspicuous in the way they execute their attacks. The attacks are so sophisticated and subtle that few victims realize they are under attack until it is too late. It is increasingly common to hear of attackers remaining inside a compromised organization for months, gathering information with which they design and build even more sophisticated attacks. Once the desired information is obtained, the attackers launch attacks that are both more devastating and more covert.
The Top Cyber Security Risks Report
“What we’re seeing,” explains Kandek, “is that the modern attacker is moving away from emailing threats or malicious attachments and is instead attacking the tools that the user is using: the web browser, all the plug-ins, the web itself, and so on. The modern attacker has decided that the easiest thing to do is to attack the website that the user is going to visit rather than setting up special malicious sites and trying to drive users to them. We’ve learnt how to recognise bad sites and not to go there – so the bad guys are focusing their attention today on normal websites that people go to anyway, and say that if I could infect that site with a little pointer that then makes that client visitor do my bidding, well, that would be really good. The intent today is not to deface the website, and publish a political message or something like that – but to put a little code or malware on the site that then infects the client browser that visits the websites.”
To illustrate Kandek’s point, it is worth mentioning that last week (6 September) the popular site TechCrunch was compromised and started serving its visitors with malware. And on 17 September, the day after the Qualys report was published, Websense announced that the music site Songlyrics.com had been compromised. Songlyrics gets something like 200,000 visitors each day, making it a far more attractive proposition (for the attackers) than creating a new site and trying to drive people to it.
Once a user accesses the main page of the song lyrics site, injected code redirects to an exploit site loaded with the Crimepack exploit kit. Attempted exploits result in a malicious binary (VT 39.5%) file that’s run on the victim’s computer. Once infected, the machine becomes another zombie-bot in the wild.
It is interesting to note that the malicious code injected on Songlyrics.com uses a similar obfuscation algorithm as Crimepack – a prepackaged commercial software used by attackers to deliver malicious Web-based code. It appears that the majority of pages served by Songlyrics.com are compromised. Crimepack has become one of the best selling exploit packs on the market due to its huge number of pre-compiled exploits offering a great base for the “drive-by-download & execute” business implication.
Websense report: Singing a malicious song
So, in short, if you want to know what’s really happening out there so that you can work out how to stop it, then I cannot recommend more highly that you get and read The Top Cyber Security Risks Report.
Be careful out there. Just as Qualys releases its latest report discussing the changing face of today’s threats (and I’ll be discussing that with Wolfgang Kandek in the next post), Websense discovers a perfect example: bad guys are compromising good sites. The Websense Security Labs ThreatSeeker Network has found that Songlyrics.com (which gets approximately 200,000 daily page views) has been compromised with obfuscated malicious code.
Once a user accesses the main page of the song lyrics site, the injected code redirects the browser to an exploit site loaded with the Crimepack exploit kit. Only 39.5% of the antivirus engines on VirusTotal currently detect the malicious binary it drops. Any computer exposed and infected just becomes another zombie-bot in the wild; and there’s hardly anything the user can do to prevent this from occurring.
We are seeing the bad guys more frequently compromise popular sites in an effort to infect and exploit the most users, as in this most recent case with songlyrics.com, a site that gets millions of unique visitors. It is unfortunate that in this case, Google Instant results are also helping to steer unaware users to this malicious content. Without real-time content analysis, all users are at risk.
Carl Leonard, Senior Manager, Websense Security Labs
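Both the Qualys discussion and the Songlyrics.com write-up turn on the same thing: a small piece of obfuscated code injected into an otherwise legitimate page. The following added example is my own, not Websense’s ThreatSeeker logic and not the actual Songlyrics injection (which I have not seen). It scans page source for the injection patterns typical of exploit-kit redirectors of this period: eval or document.write over an unescape’d string, long percent-encoded or fromCharCode payloads, a zero-size iframe pointing off-site, and a script appended after the closing html tag. The sample pages and the .example/.invalid hostnames are constructed.

```python
"""Heuristic scan for injected drive-by code in a compromised page.

Added example, not Websense ThreatSeeker logic. Indicators are the
common signs of an exploit-kit redirector injected into a legitimate
site; a real scanner would also fetch and analyse what the redirect
lands on.
"""
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)", re.I)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_ATTR_RE = re.compile(r"\bsrc\s*=\s*[\"']([^\"']+)", re.I)
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*[\"']?0\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
EVAL_UNESCAPE_RE = re.compile(r"\b(eval|document\.write)\s*\(\s*unescape\s*\(")
PCT_ESCAPE_RE = re.compile(r"(?:%[0-9a-fA-F]{2}){8,}")
CHARCODE_RE = re.compile(r"String\.fromCharCode\((?:\s*\d+\s*,){20,}")


def _offsite(url, site_host):
    """Hostname of `url` if it points somewhere other than the site itself."""
    host = urlparse(url).hostname
    return host if host and host.lower() != site_host.lower() else None


def scan_html(html, site_host):
    """Return the list of indicator names found in `html` served by `site_host`."""
    findings = []
    for body in SCRIPT_RE.findall(html):
        if EVAL_UNESCAPE_RE.search(body):
            findings.append("eval-or-write-of-unescape")
        if PCT_ESCAPE_RE.search(body):
            findings.append("long-percent-escaped-string")
        if CHARCODE_RE.search(body):
            findings.append("fromCharCode-array")
    for src in SCRIPT_SRC_RE.findall(html):
        host = _offsite(src, site_host)
        if host:
            findings.append("external-script:" + host)
    for attrs in IFRAME_RE.findall(html):
        src = SRC_ATTR_RE.search(attrs)
        host = _offsite(src.group(1), site_host) if src else None
        if host and HIDDEN_RE.search(attrs):
            findings.append("hidden-external-iframe:" + host)
    after_close = html.split("</html>", 1)
    if len(after_close) == 2 and SCRIPT_RE.search(after_close[1]):
        findings.append("script-after-html-close")
    return findings


def is_suspicious(findings):
    """Two or more independent indicators; a lone external script is normal."""
    return len(findings) >= 2


# Constructed samples: a clean page and the same page with an injection.
CLEAN_PAGE = """<html><head><script src="/js/app.js"></script></head>
<body><h1>Lyrics</h1><script>var page = 1;</script></body></html>"""

COMPROMISED_PAGE = """<html><head><script src="/js/app.js"></script></head>
<body><h1>Lyrics</h1>
<iframe src="http://exploit-host.invalid/kit/index.php" width="0" height="0"></iframe>
</body></html>
<script>eval(unescape('%66%75%6e%63%74%69%6f%6e%20%78%28%29%7b%7d'));</script>"""


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("compromised", COMPROMISED_PAGE)):
        found = scan_html(page, "songlyrics.example")
        print(name, is_suspicious(found), found)
```

Run against the site’s own pages on a schedule (or a cached copy of each template) and diff the findings over time; a template that suddenly grows a post-</html> script or a zero-size off-site iframe is the signal, whatever the payload decodes to.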
This morning Imperva published a survey produced by Securosis: the Securosis 2010 Data Security Survey. It is a fascinating work, but I suspect that it will be of more value to security vendors than security buyers – it is, in short, an analysis of perception rather than proven reality: it is a compilation of what security practitioners believe works for them.
In fairness, the report doesn’t actually claim to be anything else:
The Securosis 2010 Data Security Survey is designed as an early step towards providing security managers and practitioners with practical information on the perceived effectiveness of major data security tools and techniques. The results are based on the responses of over one thousand security and IT professionals within organizations of all sizes.
So when you read the report keep that phrase ‘perceived effectiveness’ in mind. Where a particular security control is not included, you need to ask yourself whether this is evidence of absence or an absence of evidence.
Two examples. Firstly, there is not one single mention of anti-virus or anti-malware as a security control in the entire report. Why is this? Is it because AV is not considered relevant, not considered effective, not used at all, or so all-pervasive that its value goes without saying? There is no way of telling.
Secondly, according to the survey, “Email filtering is the single most commonly used control, and the one cited as the overall least effective.” Is it actually the least effective, or just perceived to be the least effective? Could it be that it is invisibly effective for 90% of the time, but the 10% of failures is all that people notice? Again, there is no way of telling.
So here’s my problem with this report. If you are a vendor, it’s brilliant. You know where to concentrate your efforts. If you sell DLP and full-disk encryption, recruit some more salesmen and get out there: DLP and encryption are perceived to be good.
But if you are a small company with not too much in-house security expertise, this report could actually be dangerous. You will be tempted to think, well, the professionals don’t rate anti-virus or email filtering so I won’t bother with those – I’ll spend all my money on data leak prevention. The danger is that smaller companies might be tempted to use this survey as an inexpensive alternative to a proper risk analysis. And that would be a bad thing.
Having voiced these concerns, provided that you keep that word ‘perception’ in mind, it’s worth taking a look at the report. As Imperva’s Amichai Shulman says, “This survey will help security teams identify what their peers find successful and hopefully help make improvements to their own strategy and operations.”
Mainstay Partners is a much-respected research company that specialises in putting a value to business propositions. When Fortify Software wanted an independent statement on the return on investment (ROI) that software companies might achieve from the use of its software security assurance (SSA) products, Mainstay Partners is where it went. The result is a new whitepaper: Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions – and, basically, yes it does (as much as $37m per annum in some cases).
We reviewed 30 software security providers and found that, while everyone talks about ROI, no one has really quantified the business value of SSA. Fortify’s effort to put some real cost and time savings against an investment in SSA is unique in the industry, and should give security executives the language they need to communicate the value of SSA in a way that resonates with senior IT and business leaders.
Amir Hartman, co-founder and managing director of Mainstay Partners
Key findings include
- Vulnerabilities per application reduced from thousands to tens
- Average time to fix a vulnerability reduced from one to two weeks to one to two hours
- The percentage of repeat vulnerabilities reduced from 80% to 0%
- Costs for compliance and penetration tests reduced from ~$500k to $250k
- Time-to-market delays due to vulnerabilities reduced from 4+ incidents (30 days each) to none
As allegations of corruption rock the cricket world (and I am one of those people who believe that civilization will last only so long as cricket is played), we hear news that FIFA staff may have been selling the passport data of thousands of World Cup fans on the black market. This should come as no great surprise. Anyone who believes that football (soccer in the US) is not riddled with corruption is living in a dream world. Where there is so much money (the contracts of top players are now routinely valued at more than £50,000,000) there will be criminals. Believe it.
But to the specific issue here. There are, of course, two points to consider: the outright criminality involved, and the ‘criminal’ negligence of the data owners. “Although this was clearly illegal,” comments Amichai Shulman, CTO at Imperva, “it also calls into question the internal security practices within football’s international governing body whose IT managers really should have known better. It confirms something we’ve been saying for some time, namely that most organisations defend their digital assets against external attack, but they ignore the internal threat at their peril.” The insider threat is real and growing.
Surprisingly, the data sold to the black market is already four years old – it comes from fans at the 2006 World Cup, not the 2010 World Cup. “The data that was sold was fan data from 2006 which was used for the 2010 games,” explained Shulman. “There are two scenarios that could have occurred. Either the data was stolen in 2006, stored locally and then when the time came the insider put it on the market.” This implies that the employee knew in 2006 that he was sitting on a gold-mine, given that football fans tend to be lifetime fans, and he knew that in four years time the data would be of great value.
(If this is true, we need to consider whether we should still be worrying about the child benefit CDs lost just under three years ago: “Two password protected discs containing a full copy of HMRC’s entire data in relation to the payment of child benefit was sent to the NAO, by HMRC’s internal post system operated by the courier TNT. The package was not recorded or registered. It appears the data has failed to reach the addressee in the NAO.” Alistair Darling, November 2007. Someone, somewhere, may be sitting on them, waiting for their value to increase as the likelihood of early detection decreases.)
“Or”, continued Shulman, “the other option, which I actually believe is probably the case – the data was retained in the databases from 2006 and accessed by employees in 2010. The question then is why was the data stored in the databases for so long? If the data was being stored for the specific company for stats/ analysis/ anticipation of participation/ etc. then why did they feel it necessary to store the real personal details such as passport details? It very much seems that controls on the database were completely inadequate.”
Shulman believes that “A database access monitoring system that looks at the rate at which data is taken out of the database would have detected this problem but it is not enough to have a simple monitoring solution because the access to the database is usually through an application so you need to be able to maintain end to end visibility through all the different tiers. The system should alert on any abnormal amount of data retrieved from the database and also apply geo-location analysis and alert on an illogical access to database by a user who should not be accessing the data so many times or retrieving a large number of details in a single session.”
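The monitoring Shulman describes reduces to a few rules over the database audit trail, provided the audit trail records who retrieved how much, from where, in which session. Here is an added example of my own (not Imperva’s product logic) implementing the three checks he lists: an abnormal volume retrieved in one session, an abnormal retrieval rate, and access from a location that makes no sense for the user. The log format, the thresholds and the per-user allowed countries are assumptions, and every log line is constructed.

```python
"""Database access anomaly rules over a constructed audit log.

Added example, not Imperva's product. Three rules: too many rows in one
session, too many rows per minute, and a country the user never works
from. Format, thresholds and baselines are assumptions.
"""
import re
from datetime import datetime

# Constructed audit lines: one per query, with the row count returned.
AUDIT_LOG = """\
2010-06-02T09:01:10Z user=ticket_app session=s1 src=10.0.4.12 geo=CH table=fans rows=25
2010-06-02T09:02:45Z user=ticket_app session=s1 src=10.0.4.12 geo=CH table=fans rows=40
2010-06-02T09:05:00Z user=ticket_app session=s2 src=10.0.4.13 geo=CH table=fans rows=12
2010-06-02T23:14:02Z user=jsmith session=s3 src=10.0.9.7 geo=CH table=fans rows=50000
2010-06-02T23:16:30Z user=jsmith session=s3 src=10.0.9.7 geo=CH table=fans rows=50000
2010-06-03T02:40:11Z user=ticket_app session=s4 src=203.0.113.8 geo=RU table=fans rows=30
"""

ALLOWED_GEO = {"ticket_app": {"CH"}, "jsmith": {"CH"}}  # assumed per-user baseline
SESSION_ROW_LIMIT = 5000       # assumed: more rows than any legitimate session needs
ROWS_PER_MINUTE_LIMIT = 1000   # assumed

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one audit line into a dict with a parsed timestamp and row count."""
    ts, _, rest = line.partition(" ")
    rec = dict(KV_RE.findall(rest))
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["rows"] = int(rec["rows"])
    return rec


def session_stats(lines):
    """Aggregate per session: user, country, total rows, first and last query time."""
    stats = {}
    for rec in map(parse_line, lines):
        s = stats.setdefault(rec["session"], {
            "user": rec["user"], "geo": rec["geo"], "rows": 0,
            "start": rec["ts"], "end": rec["ts"]})
        s["rows"] += rec["rows"]
        s["start"] = min(s["start"], rec["ts"])
        s["end"] = max(s["end"], rec["ts"])
    return stats


def detect(lines, row_limit=SESSION_ROW_LIMIT, rate_limit=ROWS_PER_MINUTE_LIMIT,
           allowed_geo=ALLOWED_GEO):
    """Return sorted (session, user, rule) alerts."""
    alerts = []
    for sid, s in session_stats(lines).items():
        # A single-query session has zero duration; treat it as one minute.
        minutes = max((s["end"] - s["start"]).total_seconds() / 60, 1.0)
        if s["rows"] > row_limit:
            alerts.append((sid, s["user"], "bulk-retrieval"))
        if s["rows"] / minutes > rate_limit:
            alerts.append((sid, s["user"], "retrieval-rate"))
        if s["geo"] not in allowed_geo.get(s["user"], set()):
            alerts.append((sid, s["user"], "unexpected-geo"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(AUDIT_LOG.splitlines()):
        print(alert)
```

The catch Shulman raises is the `user` column: when every query arrives through the ticketing application, the database sees only the application’s service account, and a per-user baseline is meaningless unless the application propagates the real end user into the session (or the monitor correlates application and database logs). Without that end-to-end visibility, only the volume and rate rules survive, and an insider pacing the extraction below the limits over weeks walks straight through them.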