Websense released their security predictions for 2013. Trends:
- More mobile attacks targeting mobile devices, taking advantage of HTML 5 etc.
- More cross-platform attacks
- Increase in the sophistication of hacktivism as a result of more awareness of the issue
- Government-sponsored attacks will increase
- Threats becoming more virtualisation-aware, with more focus on attacks targeted towards virtual systems
- Malicious emails making a comeback
The whitepaper can be found below.
- Websense 2013 Security Predictions Whitepaper.pdf (PDF 3.1 MB)
Robert X. Cringely makes a nice point in this story about the realities of outsourcing to India:
India, having invented mathematics in the first place and now granting more computer science and computer engineering degrees each year than does the U.S. is the new quality center for IT, we’re told.
… right now IBM is preparing to launch an internal program with the goal of increasing in 2013 the percentage of university graduates working at its Indian Global Delivery Centers (GDCs) to 50 percent. This means that right now most of IBM’s Indian staffers are not college graduates.
Did you know that? I didn’t. I would be very surprised if IBM customers knew they were being supported mainly by graduates of Indian high schools.
Cyber-Ark's annual global IT Security Survey has been released. Here are the key snippets:
Privileged accounts are increasingly being targeted in enterprise assaults, regardless of the attack entry point:
- 71 percent of respondents consider insider threats to be the greatest security risk to their organisation.
- 29 percent cite external threats, including targeted cyber-attacks and opportunistic hacks.
- 64 percent of respondents believe that the majority of recent security attacks have involved the exploitation of privileged account access.
Recent high-profile security attacks, such as the RSA and Global Payments data breaches, have made an impact on security strategies this year:
When asked if they were rethinking security strategies based on these high profile breaches, more than half said yes (51 percent).
Respondents were asked to rank their 2012 IT security priorities in order of importance:
- Vulnerability Management (17 percent)
- Privileged Identity Management (16 percent)
- Security Information and Event Monitoring (SIEM) (15 percent)
- Anti-Virus/Malware (13 percent).
Despite growing awareness of the privileged connection in cyber-attacks and the increasing insider threat, some businesses are failing to uphold their responsibility for securing customer and similar sensitive information:
- 43 percent of respondents stated that their organizations do not monitor the use of privileged accounts or were unsure of whether they did.
- Of those organizations that monitor privileged access, 52 percent of respondents believe they can get around the current controls.
Current legislative and regulatory efforts to curb data breaches have proven ineffective to date:
When asked if data breach notification laws are effective in curbing data loss, 72 percent of respondents stated no, while only 28 percent stated yes.
The perception of the insider threat as the greatest security risk is driven by continued unauthorized access to sensitive information:
- 45 percent of respondents indicated that they have access to information on a system that is not relevant to their role.
- 42 percent of respondents indicated that they or a colleague have used admin passwords to access information that was otherwise confidential.
- 55 percent of respondents believe that competitors have received their company’s highly sensitive information or intellectual property.
- 2012 Cyber-Ark Trust Security Password Report FINAL.pdf (PDF 339.64 KB)
Cyber-Ark have released the following e-book, which provides an interesting perspective and some consolidated facts in relation to recent attack trends. The take-away message is that controlling access to your privileged credentials is an important component of improving your security posture.
A year ago today, at 12:50 in the afternoon, I was working at my desk thinking about what we might have for lunch. At 12:51pm it felt like a freight train hit the building. We didn’t hear it coming; they say it was traveling faster than sound. Everything bucked like a bronco and as we went for the door frame a computer fell forward onto the desk. In seconds the power was gone and I braced my arms and legs on either side of my wife so she wouldn’t fall. We could feel the building fighting huge forces trying to twist it out of place and as it shuddered and shook we listened to the roar and the noise of crashing glass. I was thinking ‘fight it baby’. 24 seconds after it hit it stopped. I thought I had loved my house, but now it’s like a faithful friend who stood in the gap. In the silent aftermath I said ‘It’s not over, just stay here, it’s not over’. There were six earthquakes of 5.0, or over, on the Richter scale that day alone.
We set off up the driveway because we knew Lizzy over the road was home alone with two kids under four. When we got to the top of the hill and gazed across the city skyline we could see a huge dust cloud. And the smoke of the burning. It’s a dead end road but cars shot past as desperate parents tried to get to their children. Lizzy was under the dining room table with another neighbour, Karen, each holding a crying child. It was 1:04pm. I know because the record shows that’s when a 5.9 hit. Lizzy wasn’t good and I was trying to reassure her so I stood and rode it like a surf board telling her it wasn’t that bad and everything was going to be fine. I wanted to get them out because blocks were coming off the front of their house and the power lines ran on their side of the road.
Power and phones were out and mobiles weren’t working for outbound calls or texts. We didn’t know how bad it was. People outside the city had a better idea of what was going down than we did. Ground acceleration was over 2 times the force of gravity and vertical power so high buildings were literally thrown in the air. As a friend’s wall leapt up, rugs and power cords slipped underneath and were trapped there when the wall landed again. Almost every historic building in the city was destroyed. It caused an 11 foot wave across Lake Tasman when parts of the glacier collapsed. On the hills behind me two people were crushed by rock slides while trying to walk home because the tunnel was closed. One of Bernard’s oldest friends was crushed by rocks in his Sumner backyard. Satellite images assure us the entire hill I live on has moved 50cm to the west.
185 people died that day, as hillsides, buildings and parts of buildings lost the fight and collapsed. Friends, fiances, wives, husbands, mothers and fathers. Today is the day we remember them. Friends will come for lunch and at 12:51pm we’ll pause and remember Wally and Helen and Stephen and Rhys, and give thanks that our loss wasn’t more. Tomorrow and the next days are for the living, because Esther lost Rhys, Donna lost Wally, Brett and the boys lost Helen - and so the list goes.
I don’t have a great memory for historical details but I remember it rained that week. Like tears from heaven. I know they’re having outdoor memorial services but it would somehow seem right if it rained.
The proposed US Cybersecurity Act of 2012 seems to be motivated by good intentions. Read these quotes from two proponents, taken from CSO Online:
Senator Joe Lieberman said … the bill was carefully crafted to protect privacy and ensure that it is aimed specifically at avoiding cyber attacks that could lead to mass casualties, damage to the economy or destruction of infrastructure necessary for the health and safety of citizens.
… all indications were that the law would enhance security innovations.
Senator Susan Collins … stressed lessons learned from the terrorist attacks of Sept. 11, 2001, in which much of the blame could be placed on the lack of information sharing between law enforcement and intelligence agencies.
“This bill is urgent,” Collins said. “We cannot wait to act. We cannot wait until our country suffers a catastrophic attack.”
Lastly, … witnesses and senators said fast action is necessary to protect critical infrastructure against certain attack.
Who could be against preventing mass casualties from certain attack and catastrophic attack all whilst enhancing innovation to boot?
And yet history shows governments are the kings of unintended consequences in spite of a raft of good intentions. Supporters of prohibition in the 1920s suggested economic benefits would be substantial as the money wasted on booze was used elsewhere in the economy. But unintended consequences included:
- The closing of breweries, distilleries and saloons led to the elimination of thousands of jobs, and in turn thousands more jobs were eliminated for barrel makers, truckers, waiters, and other related trades.
- Restaurants failed, as they could no longer make a profit without legal liquor sales.
- Because of the loss of excise income the federal budget lost $11 billion in revenue (in the 1920s, when a billion was real money) with a lasting consequence that governments came to rely on income tax revenue.
- Because pharmacies were allowed to dispense whiskey for medicinal purposes the number of registered pharmacists in New York state tripled.
- On average 1000 Americans a year died from tainted alcohol poisoning because quality on the black market slumped.
Not only did the legislation not achieve its goals, it left a lasting negative impact on society. I mean – come on – anyone who tells you government interference in a marketplace will increase innovation is blowing wind up your skirt. I’m suspicious of anyone who tells me an issue is so urgent there is no time to make considered decisions, or that the solution involves giving up freedom in some form. Remember, these guys are proposing to vacuum up huge quantities of personal data with few clear protections.
Just because something is dressed up for sale as a “solution” it is no guarantee it won’t make things worse than they already are.
This story at Tech World says Google plans to remove online certificate revocation checks from future versions of Chrome, because it considers the process inefficient and slow.
So is this a crazy move that makes us less secure, or are Google simply the first to state the obvious, that SSL is fundamentally broken?
It’s hard to propose this move will make us more secure given the steady hacking of CAs over the last year. If the browser can’t tell you if a certificate is bogus, what chance does the average end user have? Google suggest they will simply send out a list of banned certificates when needed, just like what has happened after the recent CA hackings. But what kind of engineering solution is that, response by strength of negative press attention?
As I see it this situation exists largely because no one is liable for the negative outcomes. What does it hurt Google if the certificate is bogus and the site steals your credit card? And it’s not the bank’s fault you gave your credit card to thieves. What are you going to do, sue some Comodo reseller in the UK because they let their certificates be stolen? Good luck on that one.
Because no one is liable for the backend revocation system nobody has any interest in fixing it. And all the major parties to the system, who currently enjoy zero liability for the crappy solution they created, market and extol the benefits of, are quite happy with the status quo. It’s fair to say all will be quiet on the SSL front as long as that status quo remains. Unless of course it’s your own credit rating that gets shot in one of those little skirmishes that no one except you is liable for.
In the old days I would have suggested that if banks were made liable for SSL failures it would all magically change overnight. But these days of course bank profits are guaranteed by taxpayers so maybe that doesn’t hold true anymore.
No one can accuse spammers of a lack of innovation!
Check out this entry on the Websense security labs blog (Spam Emails Link to QR Codes) showing how spammers have started using QR codes to get your mobile phone browser to automatically load their spam page.
A QR code is like a fancy (two dimensional) bar code. According to Wikipedia it was developed by a Toyota subsidiary to track cars along their production line: http://en.wikipedia.org/wiki/QR_code. All very nice until somebody takes the automation of it and uses it against you.
Spammers are like the pirates of the 17th Century and it wouldn’t surprise me if a few of them had tacit state protection, just like they did then. They should make laws that allow them to be pursued wherever they reside, to be taken home for trial and hanging.
I wanted to inform you of an issue that some of you may experience with regard to the administration of GTA firewalls using Microsoft’s Internet Explorer 8 & 9. Recently Microsoft issued security software updates to IE 8 & 9, which causes problems when attempting to administer a GTA firewall on GB-OS versions less than GB-OS 6.0.3.
GTA engineers are not sure why Microsoft changed the behavior of Internet Explorer to operate in this new manner but it apparently has something to do with their recent security update. A simple description of the problem is: IE sends an initial packet that contains a single byte of data, which to the GB-OS IPS appears to be a “Slowloris” attack.
GTA have updated their logic to both defend against Slowloris and to work with inefficient SSL implementations. This has been implemented in GB-OS 6.0.3, however since we know there are still customers running GB-OS 5.4.x we will be releasing a GB-OS 5.4.3 patch release to address this problem. The GB-OS 5.4.3 release is targeted for 19 Jan 2012.
This same behaviour occurs in Google Chrome V15 and above.
Firewall login fails and the browser will display “Not Implemented”. This is seen in:
- Google Chrome v15 and above.
- Internet Explorer with Microsoft Update KB2585542 installed.
Internet Explorer and Chrome send incomplete or inefficient commands to the firewall.
1. Upgrade to GB-OS 6.0.3 or GB-OS 5.4.3
2. Use Firefox, Opera or Safari
3. Try removing Microsoft Security Update KB2585542.
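The false positive described above, a browser's single-byte opening segment being read as a Slowloris attack, is what a rule that looks only at first-packet size produces. As an added illustration (not GTA's code; the connection traces, addresses and thresholds are constructed), the naive rule is shown beside a time-and-count based one that only flags clients holding many requests incomplete for a long time:

```python
"""Constructed example: two ways an IPS might try to spot a Slowloris client.

Slowloris opens many HTTP connections and sends header bytes just often
enough to keep each one alive, never finishing the request, so the server's
connection pool fills up.  A rule that only checks the size of the first data
segment ("1 byte => attack") also trips on a browser whose TLS stack sends a
1-byte record first, which is the behaviour the notice above describes.  A
rule that measures how long a request stays incomplete, and how many such
connections one client holds, lets the browser through.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (seconds since the connection opened, payload bytes in this segment)
Segment = Tuple[float, bytes]


@dataclass
class Connection:
    client: str
    segments: List[Segment] = field(default_factory=list)

    def first_payload_len(self) -> int:
        return len(self.segments[0][1]) if self.segments else 0

    def received(self) -> bytes:
        return b"".join(payload for _, payload in self.segments)

    def headers_complete(self) -> bool:
        # HTTP/1.x request headers end with an empty line.
        return b"\r\n\r\n" in self.received()

    def open_for(self) -> float:
        # Age of the connection as of the last segment we saw.
        return self.segments[-1][0] if self.segments else 0.0


def naive_rule(conn: Connection) -> bool:
    """Flags any connection whose first data segment carries one byte.
    This is the rule that misfires on the browsers listed in the notice."""
    return conn.first_payload_len() == 1


def slow_request_rule(conns: List[Connection], client: str,
                      max_incomplete_seconds: float = 10.0,
                      max_incomplete_conns: int = 5) -> bool:
    """Flags a client only if it holds several connections whose headers are
    still incomplete after max_incomplete_seconds.  A browser that sends one
    byte and the rest of the request milliseconds later completes its headers
    at once and is never counted."""
    stalled = [
        c for c in conns
        if c.client == client
        and not c.headers_complete()
        and c.open_for() >= max_incomplete_seconds
    ]
    return len(stalled) >= max_incomplete_conns


# --- constructed traffic ------------------------------------------------
REQUEST = b"GET /admin HTTP/1.1\r\nHost: fw.example\r\n\r\n"

# A browser that splits its first record: 1 byte, then the remainder 2 ms later.
browser = Connection("10.0.0.5", [(0.000, REQUEST[:1]), (0.002, REQUEST[1:])])


def trickle_connection(client: str) -> Connection:
    """One Slowloris-style connection: a header byte every 9 seconds and
    never the terminating blank line."""
    partial = b"GET / HTTP/1.1\r\nX-a: "
    return Connection(client, [(i * 9.0, partial[i:i + 1]) for i in range(len(partial))])


attacker_conns = [trickle_connection("203.0.113.9") for _ in range(20)]
all_conns = [browser] + attacker_conns


def evaluate() -> Dict[str, bool]:
    return {
        "naive_flags_browser": naive_rule(browser),
        "naive_flags_attacker": all(naive_rule(c) for c in attacker_conns),
        "slow_rule_flags_browser": slow_request_rule(all_conns, "10.0.0.5"),
        "slow_rule_flags_attacker": slow_request_rule(all_conns, "203.0.113.9"),
    }


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {hit}")
```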
Oh - and happy new year everyone!
A great visionary has departed from our industry. We make no mistake and acknowledge today is a landmark and a monument. If WebSecure were a country we would fly our flags at half mast in respect and in admiration of what this man has achieved. It is my belief we live in a time that history will not judge kindly and where people of lasting greatness have been few. A generation whose marks are to love self and money above all else and to the expense of all else.
Some say life is a play we get caught up in, forgetting we are merely players and that with or without us the great story goes on. Others say life is a dance where the only marks we leave are wild and dusty foot marks upon a stage of time and those we touch along the way. I say walking through life is like walking towards an ever setting sun, where each moment draws us nearer to the end and that death is a beacon towards the final reality and in whose critical light we must make our stand.
Steve Jobs said, “Remembering that I’ll be dead soon is the most important tool I’ve ever encountered to help me make the big choices in life. Because almost everything–all external expectations, all pride, all fear of embarrassment or failure–these things just fall away in the face of death, leaving only what is truly important.”
There are those who are willing to lift their eyes to that horizon of time, to meet the gaze of a setting sun and to live their lives in the light of it. The courageous few whom history, time and death call, to a thing we call greatness.
Steve Jobs was one of them.
Our thoughts, prayers and condolences go to his family and those with whom he walked and lived and worked.
It’s probably the biggest unspoken-about problem in our industry today, its greatest challenge and the most persistent enemy of real security. We’ve all experienced it in some way and, I think, we are struggling to meet the challenge of it.
I’m talking about psychology: the way people think and react, what they see as important, how they come to their perception of the service they receive and how able they are to receive advice, solutions or even discuss the root of issues. Take a simple example of two perceptions of spam management. On the one hand we have a corporate email gateway receiving 27,000 denial of service attacks, 1500 relay attempts and 63,000 spam connection attempts each day, and through that gateway only a few dozen emails are delivered that you could say are unwanted. On the other hand we have a user who received nine emails today, one of which he didn’t want.
Is there a correct way to perceive such a state of affairs?
In mockery of the idea that truth does not exist, cannot be known or can’t be absolute (therefore true), is the spam scanner, which did stop, actually and absolutely, exactly what it stopped. Sadly, and regardless of perception, current anti-spam technologies cannot stop 100% of unwanted emails, and attempts to do so simply result in the blocking of legitimate business emails.
Our problems arise from the fact that in one organisation the unwanted email goes uncommented on but in another generates a helpdesk ticket or complaint. Many times this reaction is ignored as just another irrational end user. Irrational, of course, because the reaction lacks what we might call common sense or context. Maybe the end user has no idea how many emails were successfully blocked or why limits exist for current technology. But more disturbing, and equally possible, the complaint came from a place of political power within the organisation and therefore must at least be seen to be taken seriously.
Therein lies the rub.
We arrive at an irrational place I call ‘perception and politics are reality’. If left unchecked perception and politics replace reality and decisions are made on those foundations. In many places we would probably view such a process as either politics or corruption. It’s an easy trap to fall into because we all love our own opinion above reality. In any event the entire process is corrosive to real security.
Here’s a hack where an SSL certificate provider was hacked because they didn’t have strong passwords, or patched servers, or even anti-virus installed. I wonder how much of their organisation ran on politics and how much was based in reality.
I think the current trend of outsourcing will make this worse in every way. An outsourced problem is an outsourced skill, outsourced skills are outsourced understanding, lack of understanding is loss of context, and without context rational thought loses one of its foundations. What is left is a weak defence against force of will, personality and superstition.
That might sound a little extreme, but think of it as rust. It’s a corrosive process that left unchecked eats away at real world security.
You can’t fix what you can’t see.
It’s a simple but often overlooked reality driven home to IT support people every day. We ourselves speak to people who describe symptoms of systems that don’t work but do not have enough visibility to work out the reason why.
My favourite customer quote that illustrates this is the customer who, in frustration, says “but nothing has changed”. A technical joke, of course, because something major has definitely changed; that’s why they are ringing technical support for help. What they mean to say is they can’t see whatever has changed that’s causing their problem, which is a very valid and frustrating place to be.
This problem of visibility has more than a few faces. Sometimes the log or data exists but it’s hidden in a blizzard of background noise and hard to find or isolate. Other times a system is so hard to use, so poorly designed, that even creating minimum useful logging is a serious challenge in its own right. On top of this an organisation can have problems of its own in retaining and training the skills required to run the complex systems they own or operate.
Although this truth isn’t new I believe we are traveling towards an inflection point where three trends meet to force change.
1. Increasing technical complexity of systems
I think of this as the slow wave that keeps putting pressure on IT everywhere and in multiple ways. You can argue it’s a major contribution to the recent fashion of outsourcing as organisations attempt to reduce the financial burden or complexity.
2. IP version 6
Whilst we are only starting to see its impact, the sheer size of it is mind boggling. For example, the idea that every single spam email can have a random IP address you can’t track will turn many anti-spam technologies on their head. For attackers of every kind IPv6 is going to provide an enormous smoke screen to hide behind. It is possible this will undermine the current trust models we use and trust assumptions we make.
3. Mobile devices
Whether we like it or not, mobile devices are going to take over a good part of the IT world. Already Stewart runs around the market place armed with just a smart phone and iPad. With these two tools he does more than he could ever do with what we euphemistically called a notebook ten years ago.
When I picture the combined impact of these trends I see in my head the poor IT Manager trying to hold in one hand a hundred end users on leashes as they stream in a dozen different directions, whilst in the other hand trying to hold the lid on a huge boiling pot of technologies that are exploding. IPv6 and complexity are pushing technologies out of the pot faster than the IT Manager can handle, and mobile devices are sending end users off in new directions all the time.
On the good news front, in the last few months I have had the pleasure of seeing the seeds of the future on two fronts. Technology that is going to allow IT Managers to thrive in this new world because they create visibility. From that visibility comes new levels of productivity and control.
Number One - NitroSecurity
Collecting logs is hardly a new idea but this product takes it to a whole new level. Collect, correlate and normalise millions of events from everywhere on your network with one easy to use appliance. Windows event logs, router logs, firewall logs, switch logs, IPS logs, syslogs, database logs - any kind of logs. They already have a vast amount of device support that correctly parses the log information and takes all the hard work out of problem spotting.
With a Nitro box grooming your mountain of data all of a sudden logging makes great sense. The more logs you can get into the view and correlate with other logs the more precise the view is and the more accurate as to what’s important right now. 18 million log entries can be quickly reduced to ten things of interest. It’s quite incredible.
Number Two - TrustSphere
I reckon IPv6 is going to destroy IP trust on the internet. The current paradigm of trusting an IP unless it is blacklisted will become completely unworkable. Stepping into this gap is a company called TrustSphere who have developed Google-like algorithms that track every single email transaction you make and create a pattern of trust from it. And it’s a fully automated solution designed to link with your current anti-spam solution. Vendor support isn’t very high yet but I can’t help but think that will come as needed, because this is a very smart way of dealing with spam, threats and phishing problems.
What I found most interesting, which is a total spin-off from the technology, is the visual presentation a pattern of organisational email can create. From that pattern alone you can tell what some people do for a living. People who work together closely have strong, thick connecting lines whilst people doing marketing have a flower-shaped pattern from large numbers of single emails to a huge number of addresses.
Not only does the technology remove the slowly growing problem of false positives in spam detection, but with a tool that automatically builds a map of normal business a foundation of trust can be rebuilt. Spammers suddenly stick out as outsiders, and phishing attacks like people who wear fluoro-yellow rain suits in a crowd.
We’re working with both these vendors now and have already sold Nitro products into key accounts. TrustSphere have finished a proof of concept program with us doing integration with MailMarshal and we’re excited about taking the next steps. If you’re interested in the future take a look, because it’s quite encouraging.
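The relationship pattern described in the last three paragraphs, thick two-way lines between people who work together, a flower of one-way mail from a bulk sender and a stranger with no history at all, can be built from nothing more than the organisation's own message log. The following is an added illustration written for this page, not TrustSphere's algorithm; the domain, mailboxes, message counts and thresholds are constructed:

```python
"""Constructed example of relationship-based mail trust: build a graph of who
mails whom from the organisation's own message log, then judge an inbound
message by the history between the two parties rather than by the sender's
IP reputation (which the post expects IPv6 to make unworkable)."""
from collections import Counter, defaultdict
from typing import Dict, Iterable, Set, Tuple

INTERNAL_DOMAIN = "example.com"   # constructed


class TrustGraph:
    """Directed edge weights: messages[(sender, recipient)] = count."""

    def __init__(self) -> None:
        self.messages: Counter = Counter()
        self.out_contacts: Dict[str, Set[str]] = defaultdict(set)

    def observe(self, sender: str, recipients: Iterable[str]) -> None:
        """Record one message from the mail log."""
        for rcpt in recipients:
            self.messages[(sender.lower(), rcpt.lower())] += 1
            self.out_contacts[sender.lower()].add(rcpt.lower())

    def sent(self, a: str, b: str) -> int:
        return self.messages[(a.lower(), b.lower())]

    def relationship(self, external: str, internal: str) -> Tuple[int, int]:
        """(outbound from us to them, inbound from them to us): the two
        directions of one 'line' in the post's picture.  Both non-zero and
        large is the thick line of people who work together."""
        return self.sent(internal, external), self.sent(external, internal)

    def fan_out(self, sender: str) -> Tuple[int, int]:
        """(distinct recipients, recipients who ever wrote back).  A large
        first number with a tiny second one is the 'flower' pattern of a
        bulk sender."""
        contacts = self.out_contacts[sender.lower()]
        replied = sum(1 for c in contacts if self.sent(c, sender) > 0)
        return len(contacts), replied

    def classify(self, sender: str, recipient: str) -> str:
        """Verdict for an inbound message from `sender` to `recipient`.
        Thresholds are constructed for the example."""
        outbound, inbound = self.relationship(sender, recipient)
        if outbound >= 1 and inbound >= 1:
            return "trusted-correspondent"   # our user has written back before
        contacts, replied = self.fan_out(sender)
        if contacts >= 20 and replied * 10 < contacts:
            return "bulk-sender"             # flower pattern, almost no replies
        if inbound == 0 and outbound == 0:
            return "unknown-outsider"        # no history with this mailbox at all
        return "one-way-known"               # they mail us; nobody replies


def build_sample_graph() -> TrustGraph:
    """Constructed history: a close collaborator, one marketing blast and
    (implicitly) a first-time sender that never appears in the log."""
    g = TrustGraph()
    partner, alice = "jo@partner.example", "alice@example.com"
    for _ in range(15):                                  # real back-and-forth
        g.observe(alice, [partner])
        g.observe(partner, [alice])
    staff = [f"user{i}@{INTERNAL_DOMAIN}" for i in range(40)]
    g.observe("news@shop.example", staff)                # one blast, 40 recipients
    g.observe(staff[3], ["news@shop.example"])           # a single reply
    return g


def verdicts(g: TrustGraph) -> Dict[str, str]:
    return {
        "partner": g.classify("jo@partner.example", "alice@example.com"),
        "marketing": g.classify("news@shop.example", "user7@example.com"),
        "newcomer": g.classify("invoices@example.net", "alice@example.com"),
    }


if __name__ == "__main__":
    for who, verdict in verdicts(build_sample_graph()).items():
        print(f"{who:>10}: {verdict}")
```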
It’s been pretty busy lately so I’m just posting a few of the more interesting stories I’ve come across recently.
At the Black Hat conference in Las Vegas on Wednesday, two researchers demonstrated how they were able to send commands via a laptop to unlock the doors of a Subaru Outback – and then, awing the audience, actually start the car. So how far will this go and how long will it take before the whizzy Bluetooth in your car is nothing but a liability?
What happens when former hackers get the smell of money in their nostrils? Peiter “Mudge” Zatko, famed member of the legendary L0pht hacker group, announced the launch here today of a new program at the Defense Advanced Research Projects Agency (DARPA) aimed at funding hacker spaces and research in cybersecurity. I’m not sure if this is response to constant attention from China and not sure if it’s a good idea either…
This is one of my favourite beefs – the German police finally say what everyone knows, full body scanners at airports only catch zips, boots and sweaty armpits! I’d welcome a change of the tide here before we’re all standing around in our undies in the name of security.
Hands up if you like Secunia - ‘cos I love them.
Anyone who helps cut through the blizzard of vulnerabilities we live with every month is tops by me. There is a link to their blog entry here for downloading their half-yearly report. What caught my attention in this report is this statement, which I quote from the blog entry:
Security patches are found to be an effective means to escape the arms race, as they remediate the root cause of compromise.
Read that again slowly – there’s wisdom in that.
Look, the bad guys like to weave the story about how they can’t be stopped, the variants morph so fast there is nothing you can do. Or if there is something you can do it’s pointless because they move so fast. You may have read how, for example, the hacking group Anonymous has targeted the biotech giant Monsanto. Now read this, which is taken from the Freedom Hub where Anonymous taunts Monsanto:
Over the last 2 months we have pushed the exposure of hundreds of pages of articles detailing Monsanto’s corrupt, unethical, and downright evil business practices.
We’ve created a nice go-to reference guide on piratepad/anonpad (anonpad.org/opmonsanto, backed up elsewhere), where anyone can read up on and add their own info about MonsantoCo.
We blasted their web infrastructure to shit for 2 days straight, crippling all 3 of their mail servers as well as taking down their main websites world-wide.
We dropped dox on 2500+ employees and associates, including full names, addresses, phone numbers, and exactly where they work ( https://pastee.org/xkg43 ). We are also in the process of setting up a wiki, to try and get all collected information in a more centralized and stable environment. Not bad for 2 months, I’d say.
What’s next? Not sure… it might have something to do with that open 6666 IRC port on their nexus server though ;)
But, of course, it’s at best a half truth. Listen to this media release from Monsanto that followed.
“Last month, Monsanto experienced a disruption to our Web sites which appeared to be organized by a cyber-group,” Tom Helscher, director of corporate affairs, said in a statement provided to CNET. “In addition, this group also recently published publicly available information on approximately 2,500 individuals involved in the broader global agriculture industry. Contrary to initial media reports, only 10 percent of this publicly available information related to Monsanto’s current and former employees. The list also included contact details for media outlets as well as other agricultural companies.”
That’s the best a Ten Billion dollar multinational could muster! With all apologies to the IT and security people at Monsanto, because this probably came from some PR schmuck - BUT WHAT PUSSIES!!!. Poor poor little Monsanto, such a victim of those big bad internet bullies, how will they ever survive? Quick somebody call 911.
Secunia nail the other side of the coin in their half yearly report. It’s a shed load harder to take out a fully patched system, more than 50% harder. Now we can all follow Monsanto’s pathetic lead and “cry victim” or we could quit whining like losers and do some hard yards patching our systems.
Prison guard Manu Stanley Jensen pleaded guilty to two charges of corruption after he admitted smuggling cannabis to a prisoner in Tongariro-Rangipo prison in New Zealand’s mid North Island.
“I felt sorry for him. He kept on asking me to bring it in. I would tell him, ‘Nah, nah, I’m not doing it,’ but then I got sick of him so I said, ‘OK, I’ll think about it,’ I struck up a friendship with him, more or less … I was seen as an easy target, I guess.”
The full news story here.
There are some places we as a society put a lot of effort into making secure. Banks, courts of law and airports are good examples and even some malls have security people around full time. The stand out is of course prisons because unlike a bank, mall or airport people in prisons are mostly deemed and treated as untrustworthy and risk is always part of the equation. Also unlike most places they are purpose designed from the ground up to be secure. We’ve also a long experience of prisons and securing them over centuries, one would think if we could secure anything it would be a prison.
So this sad story says a lot about the limits of security outside brochures, sales promises and politicians. In the real world all the aspects of this story come into play. The weakest link is always going to be the insider. That’s because when we talk about an insider in this context we mean someone who was trusted. An enormous part of security is simply placing the lines of trust correctly: who/what is trusted and who/what is not. This issue of trust is a foundation of all security and so when what was trusted is proven not to be trustworthy the entire system quickly breaks down, even if it was purpose designed. It shows one of the reasons why security is always a trade-off. At what point does double checking, triple checking, cross checking and checking the checkers for trust become counter-productive in terms of morale and cost?
For me, what makes this story sad isn’t just a man who made a mistake in friendship (his prisoner ‘friend’ was the one who ratted him out), it’s that the guard didn’t do it for money, he did it because he felt sorry for him. A misguided but well intentioned thought of mercy. The root weakness and basic limitation of security is staring at you from the mirror every morning. I defer to G.K. Chesterton, who, when the British daily newspaper The Times invited several eminent authors of the day to answer the question ‘What’s wrong with the world?’, had the self awareness and humility to reply in a letter:
Dear Sirs, I am. Sincerely yours, G.K. Chesterton.
Which of us has never opened a suspect email, ended up at a site or clicked on a link we perhaps shouldn’t have? This guard’s humanity and the limitations of his judgement failed to keep him safe, and that’s the story of security. History is littered with the betrayed, the double-crossed and corruption of every kind, security failures every one. So when someone promises you something will solve your security problems always remember: they can’t even keep drugs out of prisons.