Archive for September, 2009

More on Cloud Computing

Several months ago I wrote a blog entry on cloud computing and after all that vitriol, I wouldn’t blame you if you did not want to read anything else about cloud computing that I have written. But I just attended the COSAC Conference in Ireland, and my brain is (as always after I attend this conference) full of new ideas. Issues concerning cloud computing frequently came up during presentations and the workshop sessions. I admit that I have been a harsh critic of the notion of cloud computing because it is really nothing new and because it too often amounts to handwaving and marketing hype more than anything of substance. So I tried to keep an open mind with respect to cloud-related issues. Here are some of the things that I learned and observed: Read more…


Should companies spend to avoid breaches??

I was shocked by the blog posted September 4 by Robert Westervelt of search and re-forwarded today to subscribers of “SecurityBytes Roundup” concerning the aftermath of the TJX credit card breach. As readers of this blog will no doubt recall, TJX experienced a breach in early 2007 that exposed over 45 million credit cards, and the company has been busy cleaning up after the mess ever since. Now, 2 1/2 years later, after a 42% decline in stock price (in 2008), Westervelt sees TJX’s financial performance as an indicator that spending for advanced information security tools is apparently unjustified. Read more…


Persistent Attacks

I was at the Emagined Security booth at the SecureWorld Conference in Santa Clara, California yesterday when someone came up to me and asked me what I thought about persistent attacks. The person caught me off guard. But I started talking about them with him and then went back home and noticed a few recent news items, and suddenly my brain was ablaze with ideas about this subject.

Persistent attacks are attacks in which certain machines are not only targeted, but targeted over a span of time. In normal attacks an attacker who succeeds in “owning” a machine continues to own it until someone takes away this person’s ability to access and control it, usually by cleaning or possibly rebuilding it. The attacker then normally moves on and attacks other machines—the world of computing is, after all, a very target-rich environment. In persistent attacks, however, the attacker and/or malware continually comes right back and retakes control of the targeted system each time after it has been cleaned or rebuilt. Consequently, there are machines out there that have been more or less continuously compromised for a period of half a year or more. Read more…


Alignment is one key to long-term security success

Many information security programs are languishing on a plateau or a mild downward trend when viewed from the perspective of budget and resource allocation. There are many reasons this is true but one of the most important ones is a congenital lack of alignment between the information security program and the overall business. Simply stated, if security is not viewed as part of the top line success of any organization, it’s just another cost to be minimized. And as infosec leaders know all too well, there are plenty of people inside the corporate organization who know how to drive costs down ruthlessly. Read more…


The SIEM Market: Why Isn’t it Doing Better?

When I worked in the Security Information and Event Management (SIEM) arena, I remember the glowing predictions concerning the likely growth of the SIEM market. In 2005 IDC predicted that this market would grow from $266.6 million that year to $635.5 million in 2009, and I have even seen some more optimistic projections than IDC’s. Nothing I have seen suggests that 2009 SIEM sales will even come close to this prediction, however.

Granted—the world economy is in bad shape right now. Purchases that would have been made a little over a year ago are currently not even being considered. The SIEM market is by no means the only one that has faltered during bleak economic times. But given the great potential value and potential cost savings (especially in labor costs) associated with SIEM technology, one would think that it would currently be more popular. What else is keeping organizations from using this technology? Read more…


More About Security Risks in Social Network Sites

Given the current popularity of social networking sites, this particular posting is not likely to be one of the more popular ones that I have written. But I feel compelled to write more about the security risks associated with these sites because of a recent incident that a good friend of mine experienced. I received an email message from him earlier today in which he informed me as well as others that information about him that was recently spread on Facebook was completely untrue. An update from his account claimed that he was stuck in London, England and could not get home because he had no money. The update asked readers to transfer money to a certain bank account so that he could get home. What ostensibly occurred was that a fraudster broke into his account by guessing his password, then created and sent the update that others and I received. Read more…


Encryption is Evidence of Illegal Activity

Most of our readers will be aware that the Customs Service has a program to search the laptops of selected travelers returning to the United States. Typically, a traveler is asked to step aside, power on the computer, and provide the password so that the computer can be perused, ostensibly for contraband. Of course, anyone who experiences this will, at best, find it a huge hassle. Moreover, if you also happen to be trafficking in child pornography or jihadist writings, your trip may get a lot worse at this point. However, what if you’re a mild-mannered businessman (or woman) who’s been abroad on business and just wants to get home with his or her company-provided laptop?

The answer is it’s not so pretty. There are many reasons you might not want the government to know the contents of your laptop. For example, your laptop might contain the confidential information of clients for whom you provide highly sensitive and confidential advice. Or, your laptop may contain writings that are privileged communications between yourself and your attorney; or your laptop might contain the confidential intellectual property of your employer which you are bound to keep secret under the terms of your employment contract, unless you are compelled to reveal it through judicial due process. The little kabuki drama that unfolds at Customs is not a judicial due process. So, you may be tempted to simply refuse to provide the password to unlock and/or decrypt the computer. Now what? Read more…


London Hospitals: A Failure to Exercise Due Diligence?

Not too long ago a Web posting described how Whipps Cross University Hospital NHS Trust in London had experienced numerous Conficker worm infections in its Windows systems. A spokesperson for this hospital tried to do damage control by stating that a mere five percent of the systems had been infected and also that the compromised systems were only administrative systems, not medical systems. Additionally, the posting mentioned that several additional hospitals in the London area had suffered the same fate. Read more…


Cybercrime Trends

Cybercrime goes on year after year, but the way it manifests itself continually changes. I’ve been putting together a presentation on global security threats for an upcoming meeting and have had to do quite a bit of research on the types of cybercriminal activity currently occurring. After analyzing a fairly wide range of sources, I’ve concluded that viruses and worms, then laptop theft, then insider attacks, then denial of service (DoS), then network break-ins, and then data security breaches are currently the most prevalent types of attacks.

I remember when I started in the information security arena nearly 25 years ago how unauthorized access, insider tampering with systems, and viruses such as the Brain and Lehigh viruses constituted the overwhelming majority of types of cybercrime activity. Attacks in those days were incredibly crude by today’s standards, as was malware.

In 2000 I gave a presentation with the same title (“Global threat update”) as the one I am currently preparing; cybercrime statistics were quite different then. At that time, denial of service attacks were most prevalent, followed by man-in-the-middle attacks, spam and mail bomb attacks, attacks exploiting vulnerabilities in services, exploitation of cgi-bin vulnerabilities in Web servers, buffer overflow attacks, exploitation of misconfigured FTP servers, and relay host attacks.

In 2006 I made another “global threat update” presentation. This time virus infections were most prevalent, followed by spyware infections, port scans, laptop theft, denial of service, and network break-ins. Interestingly, in 2006 wireless network abuse made the top ten for the very first time.

Looking at the trends over the years, viruses (and also worms), insider attacks, network break-ins and DoS attacks have had the greatest longevity. Some of you may remember when not all that long ago I proclaimed that virus and worm infections were on the decline. I believe that I was right at that particular time. Cybercriminals had by that time turned to other attack methods that were more likely to produce monetary gain; virus and worm infections are not conducive to monetary gain because they are so highly detectable. But then came the Conficker worm. No one is sure how many Windows systems Conficker has infected, but an estimate of 15 million or more systems so far would not be unreasonable. Conficker alone is largely responsible for the huge increase in malware infections over the last ten months. And I now believe that perpetrators have probably already designed a new “son of Conficker” that builds on Conficker’s base features, but also introduces new features. Given all the highly vulnerable Windows systems out there, it is reasonable to expect viruses and worms to remain at the top of types of cyberattacks for some time to come.

In preparing for my upcoming presentation, I’ve done a trend analysis that spans only the last few years. The following types of attacks are becoming proportionately more prevalent: virus and worm incidents, data security breaches, financial fraud, DNS-related incidents, and targeted attacks. I’ve already discussed virus and worm infections, so I’ll turn to data security breaches. To put it simply, most organizations are not exercising due diligence in protecting information assets. As such, expect the proportion of data security breaches to continue to grow at a disproportionate pace. Financial fraud is always a problem, but the overwhelming majority of it over the last decade has been perpetrated by insiders. Insiders still perpetrate a large proportion of financial fraud, but organized crime and “hackers for hire” are becoming more and more prevalent with respect to this type of crime. DNS attacks, especially DNS poisoning and exploitation of Berkeley Internet Name Domain (BIND) vulnerabilities, are growing so fast because they are so useful in perpetrating other types of computer crime rather than as an end in themselves. Targeted attacks are becoming increasingly frequent because they have such a high probability of succeeding in gaining access to restricted information. If you don’t believe me, just ask the US State Department, the UK Home Department, and the US Department of Defense!

According to available statistics, phishing, DoS attacks, and bots and botnets are all on the wane. (This is not to say that they do not pose very serious risks, however.) The combination of anti-phishing features in Web browsers and quick action by law enforcement to take down phishing sites has much to do with phishing becoming less prevalent. But the reason for the decrease in the relative prevalence in DoS attacks, which just nine years ago constituted over 40 percent of all reported attacks, is a bit of a mystery. A possible reason is that there is less money to be made from DoS attacks compared to other types. Finally, the decrease in bots and botnets may be due to the greater efficiency of law enforcement in finding and bringing to prosecution botnet owners and operators.

A final caveat—everything I have said is based on statistics. In most cases, little or no detail about the methodologies used to gather these statistics has been available. Always take statistics with a grain of salt. But I would rather have some statistics that are only partially valid than none at all.


Legal Intrigue in the Cybersecurity Arena

Legal rulings in the cybersecurity arena keep getting more interesting. A federal appeals court just recently ruled that electronic searches are excluded from the “plain view doctrine.” This doctrine is based on a legal precedent in which evidence that is in plain view may be seized and used as evidence if a legally permissible search is being conducted. The ruling was in response to a case in which the US government had obtained a court warrant to find records potentially relevant to a drug testing company that is suspected of having provided illegal steroids to professional baseball players. The government investigators scoured through the company’s computers and found evidence related to baseball players other than the ten named in the warrant. Chief Judge Alex Kozinski ruled that the government overlooked constraints specified in the warrant and thus should not be allowed to “benefit from its own wrongdoing.” Additionally, Kozinski stated that the government should not be allowed to access data for which there is no probable cause.

Purely and simply, what happened in this case is that government investigators screwed up, and yet the government in its zeal to crack down on suppliers of illegal steroids to baseball players tried to get away with what the investigators did anyway. At a deeper level of analysis, this ruling realistically reflects the difference between searching for evidence in a computing system versus in the physical world. In a computing system, once someone, a.k.a. an investigator, has root or Administrator privileges on that system, that person can now access virtually every file and directory in that machine. An investigator in the proverbial heat of battle might very well be tempted to “take a shortcut,” so to speak, by accessing files that are not specified in a warrant. I suspect that a fair proportion of investigators feel that because they are in “cyberspace,” they will somehow not get caught.

In contrast, in physical investigations numerous physical barriers, many of which occlude physical objects from view, let alone prevent physical access, are almost always present. Suppose, for example, that law enforcement has obtained a search warrant that allows investigators to enter an apartment of a suspected criminal. After entering that apartment, investigators are not likely to see certain things in the apartment—hard-to-find trap doors that lead to vaults or other rooms, ventilation and heating ducts in which contraband or evidence may be hidden, and so on. Furthermore, the search warrant used for access to this apartment will not allow access to the apartment next door after clues about the use of the next-door apartment in a crime are discovered in the first apartment. The negative consequences of law enforcement entering the second apartment without a warrant serve as a strong deterrent to doing so.

Alex Stamos of iSEC Partners Inc. has added even more intrigue to legal issues surrounding electronic searches by arguing that the recent ruling in the case of the drug testing company is not likely to apply to information stored as part of software as a service (SaaS), as opposed to information stored on a company computer, because there are fewer legal obstacles to accessing the former. I fail to comprehend Stamos’ reasoning. Just because information owned by a variety of organizations happens to reside on a single computer does not allow someone with a warrant to obtain information belonging to company A to access company B’s information, any more than the warrant in the drug testing company case allowed the investigators to access data about players it did not name. But who knows—Stamos could possibly turn out to be right. In a country with common law, as in the US, laws are passed, but their meaning is defined by court rulings. So let’s wait for the first ruling concerning a law enforcement search of a SaaS-related database to occur. Whatever the outcome is, rest assured it will again be intriguing.
