TANGLED WEB

Kristin Forte Allaben

March Wednesday Wrap-Up: Patch Tuesday in a Nutshell

Microsoft seems to be falling into a routine as March marks the second “light month” of patches so far this year (in January, there were only three vulnerabilities addressed, whereas in February, there were 12 patches released addressing 22 vulnerabilities).

Summary

  • Three patches were released this month, one of which is ranked Critical, the other two are ranked Important.
  • The Critical update addresses two vulnerabilities, one in Windows Media Center and Windows Media Player components found in almost all versions of Windows, and a DLL load hijacking flaw.
  • The MHTML flaw in IE that was revealed in January still remains unpatched.

The Critical Patch
So… there’s some good news and some bad news. The good news is there’s only one critical patch this month.

Now here’s the bad: it’s extremely easy for hackers to exploit this flaw.

Some good news: due to the nature of the vulnerability, it requires some user interaction in order to be successful.

Some more bad news: social engineering lures built around video clips are becoming more common, and are often very successful. Windows Media Player and Media Center parse the contents of DVR-MS files, and a malformed file can hand control to attacker-supplied code as soon as it is opened. That lets an attacker skip the usual extra stages and go straight to executing malicious code.

DLL Load Hijacking
A flaw addressed in each of the three patches this month, DLL load hijacking (an application loading a library from the directory of the file it opens instead of from a trusted system location) was first reported in Windows, and in a range of third-party Windows applications, last August, with the first patches arriving in November. Microsoft described DLL load hijacking as an “ongoing investigation”; some industry experts have said these flaws are hard to exploit in practice because the victim must open a file from an attacker-controlled location.

IE still unpatched
IE remains unpatched, a daring approach with the Pwn2Own contest kicking off today (check out the Tangled Web post on this annual event). However, it has been suggested that Microsoft left IE unpatched on purpose as the company is waiting to determine what flaws are uncovered at the event so they can be more quickly addressed.

Based on the patch trend Microsoft has shown so far this year, as well as the Pwn2Own contest kicking off today, it is likely we can expect a big update next month.

Tags: DLL load hijacking, Internet Explorer, MHTML vulnerability, Microsoft, Patch Tuesday, Pwn2Own Contest, Windows

Posted by Kristin Forte Allaben on March 9, 2011 at 10:18 AM
| TrackBack (0)

RSA 2011 Kickoff: Day 1

And so it begins--RSA 2011 officially kicks off today. With a “Giants Among Us” theme, the 20th Anniversary of RSA is dedicated to celebrating the industry’s pioneers. This includes a look at the legacy of the RSA algorithm, the history of cryptography and computer security, and a look ahead to the future of the industry.

We’ve highlighted some of the key themes we expect to see come from RSA, some of which seem to be a repeat from last year. Just taking a look at the keynote session titles, anyone can see that cloud security still reigns as an unresolved security topic from RSA 2010. And with Stuxnet making such a splash, especially with the latest news of Anonymous claiming control of the Stuxnet virus, government IT security will once again be a primary topic.

Some additional things to keep our eyes on over the course of the week include:

  • Government Information Security Today survey—Officials in local, state and federal governments who are charged with safeguarding IT were polled to determine their attitudes toward IT security leadership, vulnerabilities, regulations, budget challenges, skills and cloud computing. The data will be announced on Thursday in a session entitled “Government Security: The State of the Union.”
  • Collective Defense for Internet Health—Described as a new type of computer “check-up,” Microsoft's corporate vice president for trustworthy computing, Scott Charney, has challenged users worldwide to develop collective defenses to help protect Internet citizens from online threats. He presented the idea that the approach to handling online security issues should be modeled after the one used to address sickness in humans. More information on this idea is outlined in Charney’s whitepaper. This idea is likely to be carried into discussions specific to government IT security.
  • Organization for the Advancement of Structured Information Standards (OASIS)—OASIS will be holding a KMIP Interoperability Demonstration, touching on policy-based centralized control in order to better manage cryptographic keys. In a recent article, managing encryption keys was described as “the Achilles’ heel of cryptography.”

Regarding specific items in the news, we've already seen a significant number of new product announcements.

Keep an eye on the Schwartz security practice's Tangled Web for a recap of news to come from RSA 2011.

Tags: cloud security, computer security, government IT security, government security, key themes, Microsoft, OASIS, RSA, RSA 2011, Stuxnet

Posted by Kristin Forte Allaben on February 14, 2011 at 10:28 AM
| TrackBack (0)

RSA 2011 - Trends to Watch

RSA is literally days away and as companies prepare for the week-long event, we figured now would be a good time to touch upon some of the key trends we expect to see come from the show. This is based on an evaluation by Schwartz's IT Security PR Practice Group.

Hacktivism—This buzz word has essentially been thrown around since the Stuxnet attack, so it is nothing new. Broadly described as a technical attack coordinated by a third party, it generally seems to be politically motivated, and attackers are certainly getting better at their means of attack. A great example is what’s happening in Egypt, where there was a call to action via Facebook and other social networking sites. This leads perfectly to the next idea: personalization of attacks.

Personalization of Attacks—We’ve heard it time and time again: People have a false sense of security when it comes to using social networking sites. This generally results in sharing too much personal information online. As 2011 progresses, we can expect an increase in personalization of attacks as a result of data mining via social networks.

Privacy—Perhaps not surprisingly, privacy was one of the most popular topics for RSA submissions this year. People are curious as to what their cloud providers are doing to ensure the privacy and security of their data. People want to know how secure/private their personal information is when accessing their bank accounts on their mobile devices. It all comes down to this: Despite an information overshare on social networking sites, people want their privacy, and they want it to be protected and respected. It’s possible that we could see some discussions regarding legislation focused on privacy controls and policies this year.

Cloud Security—Oh, the cloud. Between commercials that tout it as something all consumers should use and privacy concerns on the enterprise side, cloud security is not something that will take a back burner any time soon. We saw this at RSA last year; cloud security was by far one of the most frequent topics discussed. It will be interesting to see what the Cloud Security Alliance (CSA) has planned for us this year. They are meeting Monday (Schwartz IT security practice group member Heather Craft is attending).

Mobile Security—The proliferation of mobile devices has created a new target for the bad guys. Everyone seemingly has a smartphone and, let’s face it, the security of those devices is less than ideal. With more people utilizing these devices to bank online or to conduct various business matters, privacy and security become key issues (and when we look to the financial industry, in particular, compliance is introduced as another issue). We can expect lots of buzz around the emerging threats to mobile devices.

Cyber warfare—Similar to hacktivism, cyber warfare and cyberwar have risen as buzz words, frequently used with little to no understanding of what they really mean. They have been used so frequently, in fact, that my parents have been using both of these phrases, and I wouldn’t classify them as “up with the latest technology.” With this in mind, we can expect discussions surrounding the definition of the phrase, as well as some attempt to paint a picture of what a real cyberwar would entail.

There is much confusion about many of these terms, for both the general public and the security industry as a whole. Of these terms, only a few have a clear definition, an issue that the cloud has struggled with since its inception (or at least since the introduction to the mainstream media). It will be interesting to see what companies will announce and promote while at RSA this year.

Keep your eye on the Tangled Web (@tangledweb) blog and be sure to check here first for a recap of news to come. I will be joined by colleague Nina Korfias in providing regular accounts of activity from the show.

Tags: cloud computing, cloud security, cyber warfare, cyberwar, Facebook, hacktivism, mobile security, personalization of attacks, privacy, RSA, RSA 2011, social networking

Posted by Kristin Forte Allaben on February 11, 2011 at 8:15 AM
| TrackBack (0)

January Wednesday Wrap-Up: Patch Tuesday in a Nutshell

It seems like a blessing: a light Patch Tuesday in January, especially following the beast of a December update that targeted 40 vulnerabilities. But one has to wonder, with so many vulnerabilities left unpatched, is it more accurately thought of as Pandora’s Box?

Summary

  • Two patches were issued this month, one of which was ranked “Critical,” the other “Important.”
  • The two patches target three vulnerabilities, one of which is considered critical.
  • Both patches impact Microsoft Windows as a whole.


MDAC and Backup
It may sound like some cool code names for an action movie, but in reality, MDAC and Backup issues are part of this month’s patches. The critical patch this month addresses two vulnerabilities in Microsoft Data Access Components (MDAC), which is part of Windows. If exploited, an attacker gains the same rights as the logged-on user. Worth noting, however, is that if that user does not have administrative rights, the threat is less severe.

The second patch this month impacts Windows Backup Manager for Vista users. The vulnerability is described as allowing “remote code execution if a user opens a legitimate Windows Backup Manager file that is located in the same network directory as a specially crafted library file.”
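The Backup Manager vulnerability above, and the DLL load hijacking flaws discussed in the March wrap-up, share one mechanism: an application opened from a network share resolves a library name against that share (the process’s current working directory) before the system directory, so a planted DLL with the right name gets loaded. The following PowerShell script is an added example, not code from the original post or from Microsoft; it does two things a practitioner would want at this point. It hunts for modules that running processes have loaded from outside the normal trusted locations, and it reports (and can optionally apply) the `CWDIllegalInDllSearch` registry value that Microsoft published as the KB2264107 mitigation, which the post does not mention. The list of trusted roots is an assumption for illustration and should be tuned for the host; setting the value requires administrative rights and a reboot.

```powershell
# Added example (not from the original post). Two checks for DLL load
# hijacking, where an application opened from a network folder loads a
# DLL from that folder instead of from System32.

# 1) Hunt: list modules loaded from outside the usual trusted locations.
#    A DLL loaded from Downloads, a temp directory or a UNC path is what a
#    planted library looks like. Trusted roots are an assumption; tune them.
$trustedRoots = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedModulePath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-SuspiciousModule {
    # Processes we cannot open (other users, protected processes) are skipped.
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        $modules = try { $proc.Modules } catch { @() }
        foreach ($m in $modules) {
            if ($m.FileName -and -not (Test-TrustedModulePath $m.FileName)) {
                [pscustomobject]@{
                    ProcessName = $proc.ProcessName
                    PID         = $proc.Id
                    Module      = $m.ModuleName
                    Path        = $m.FileName
                    FromUNC     = $m.FileName.StartsWith('\\')
                }
            }
        }
    }
}

Get-SuspiciousModule | Sort-Object FromUNC -Descending | Format-Table -AutoSize

# 2) Harden: the KB2264107 mitigation removes the current working directory
#    from the DLL search order system-wide. 0xFFFFFFFF blocks CWD loads
#    entirely; 2 blocks them only when the CWD is a remote (network or WebDAV)
#    folder, which covers the Backup Manager scenario with less breakage.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name = 'CWDIllegalInDllSearch'
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Warning "$name is not set: the current working directory is still searched for DLLs."
    # Uncomment to apply the remote-folder-only setting (requires admin; reboot to take effect).
    # New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 2 -Force | Out-Null
} else {
    "{0} = 0x{1:X8}" -f $name, ($current -band 0xFFFFFFFF)
}
```

Run it from an elevated PowerShell session so that module lists for other users’ processes are readable. A hit in the first report is not proof of hijacking (some legitimate software installs under a user profile), but a module loaded over a UNC path from a process such as a backup or media application is exactly the pattern the bulletin describes and is worth pulling the file for.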

And then there were five
We discussed in last month’s Patch Tuesday post that the zero day vulnerability in IE, if exploited, could enable hackers to remotely launch malicious attacks designed to steal data or completely shut down the system. Although no patch was issued to fix this vulnerability, Microsoft issued a workaround to address two vulnerabilities in IE since hackers have begun to exploit these vulnerabilities.

Also left unpatched are the IE flaw turned up by a Google researcher’s fuzzing tool, a potential denial-of-service vulnerability in IIS FTP 7.5 and an ActiveX control in the WMI Administrative Toolkit.

The challenge, of course, is that the patches are not turned out in time. Leaving known vulnerabilities open for a month for attackers to try their hand in the wild can prove dangerous, and may pressure Microsoft to move faster, resulting in shoddy patches or poorly instituted band-aids. Reporter Tony Bradley advised: “Be aware of what remains unpatched and make sure you have measures in place to guard against exploits.”

Looking back at the hundreds of vulnerabilities patched in 2010, many are surely wondering what 2011 will bring. With such a light start to the year, could this be the calm before the storm? Or could this be the start of a new approach to patches from Microsoft, one that could include many out-of-band patches?

Only time will tell.

Tags: backup, Internet Explorer, MDAC, Microsoft, out-of-band patches, Patch Tuesday, vulnerabilities

Posted by Kristin Forte Allaben on January 12, 2011 at 11:11 AM
| TrackBack (0)

December Wednesday Wrap-Up: Patch Tuesday in a Nutshell

With the holidays upon us and people looking forward to the start of a new year, everyone expected a light update this month. Microsoft, however, seemed to have other plans. Issuing a round of 17 patches targeting 40 vulnerabilities, Microsoft threw itself head-first into a record setting position for 2010.

Summary

  • Two of the 17 patches this month were ranked “Critical” with only one ranked as “Moderate.” The remaining 14 patches were ranked “Important.”
  • The most demanding of the two critical patches addressed the zero day vulnerability in Internet Explorer (IE).
  • Microsoft issued a patch for the last of the four Stuxnet-targeting vulnerabilities.
  • This round of patches wraps up a historic year for Microsoft, ending with a total of 106 patches released targeting 266 vulnerabilities.

Zero Day in Internet Explorer Fixed
We discussed the zero day vulnerability identified in IE last month, which was not addressed in the November patches. Although many expected an out-of-band patch to address this vulnerability, it was instead pushed out as a critical update this month. According to Microsoft, this is the only flaw among the IE bugs that has been successfully exploited.

As a reminder, the zero day vulnerability referenced is the result of an invalid flag reference involving Cascading Style Sheets token sequences. If exploited, attackers are able to run code of their choosing remotely via a specially crafted Web page. Once opened, the page could silently download malware designed to steal data or completely shut down the system.

According to Amol Sarwate, manager of the vulnerability research lab of Qualys, “There was a big uptick in China and Korea where these vulnerabilities were being used for exploitation.”

Chris Greamo, VP of Research for Invincea Labs, said, “This is yet another example that demonstrates the failure of the penetrate-and-patch approach to defend users from application-level attacks, despite the best efforts of the application vendors. Attackers clearly have a time advantage and defenders need to look to other end point protection tactics.”

This also serves as a warning for those shopping online this holiday season to ensure their browser security is up-to-date.

Stuxnet
Along with WikiLeaks, the Stuxnet vulnerabilities made headlines for weeks after the initial attack. A formerly unheard-of method of attack, the Stuxnet worm targeted four separate vulnerabilities, each of them a zero day at the time. As part of this month’s updates, Microsoft fixed an elevation of privilege issue in Windows Task Scheduler, resolving the last of the Stuxnet vulnerabilities.

Fixing Seven at Once
One of the patches this time around targeted seven separate vulnerabilities in Microsoft Office. According to Rob Westervelt of SearchSecurity, an attacker can exploit these vulnerabilities remotely to gain access to critical system files or install malware. Specifically, these vulnerabilities affect Microsoft Office Graphics Filters and, as a result, can be exploited when a malicious image file is opened.

Have a happy end of 2010 and a wonderful start to the New Year! Keep your eye out for what Microsoft will have in store for us on 1/11/11.

Tags: browser security, IE, Internet Explorer, malware, Microsoft Office, Patch Tuesday, Stuxnet, vulnerabilities

Posted by Kristin Forte Allaben on December 15, 2010 at 11:24 AM
| TrackBack (0)

November Wednesday Wrap-Up: Patch Tuesday in a Nutshell

With back-to-back months of large batches of updates, Microsoft seemingly threw a curve ball our way with a small update this month. For November 2010, the number of patches released by Microsoft was significantly less than in previous months, so much so that experts are predicting an out-of-band patch in the near future.

Summary

  • Of the three patches released, only one was ranked “Critical.” The remaining two were ranked “Important.”
  • Two of the patches target vulnerabilities in Microsoft Office.
  • The IE vulnerability disclosed last week was not included in this round of patches.

Some key points
To have a Critical rating for a vulnerability in Microsoft Office is pretty rare. Wolfgang Kandek of Qualys wrote in a blog post that vulnerabilities within the Office suite are usually ranked as Important because they require user interaction for a successful exploit. A Critical rating implies that an exploit is possible with little or no user interaction; in fact, viewing an email in Outlook’s preview pane could be enough to trigger the flaw. According to a blog post from Ryan Naraine, hackers can use RTF (Rich Text Format) emails to launch code execution attacks.

Zero Day in Internet Explorer
The zero day vulnerability identified in Internet Explorer earlier this month was not addressed in the November round of patches. Although some experts are predicting an out-of-band patch, reporter Tony Bradley of PC World explained that the zero-day flaw is mainly an issue for IE6 and IE7, and only to a degree: those users can protect themselves by enabling DEP (data execution prevention). End-users on IE8 are protected because DEP is enabled by default.

According to an article by Jon Brodkin, Microsoft is in the process of testing a patch for IE and to date, there has not been a critical mass of attacks.

Who stepped over the line?
Also in the news recently is the availability of Microsoft’s free antivirus tool. The availability of this tool has been met with both resistance and criticism from a number of third party vendors. The bulk of the resistance and criticism appears to stem from the idea that Microsoft is only promoting its own Security Essentials product, creating a monoculture that could leave millions of PCs without adequate protection. Although the antivirus tool has been available for free download for more than one year, it has only recently been added to Windows Update. The problem? The free package is only available to customers who don’t already have security software installed on their PC.

It leads one to wonder: has someone stepped over the line? Or do people view the line as a moving object, ok for some and not for others to cross?

Keep your eye out for the expected IE patch and check back here for a summary of Patch Tuesday in December.

Tags: antivirus, DEP protection, Internet Explorer, Microsoft, Microsoft Office, Patch Tuesday, Qualys, security essentials, Windows Update

Posted by Kristin Forte Allaben on November 9, 2010 at 6:03 PM
| TrackBack (0)

SC Magazine Awards: Finalists Announced

For those of you who are not familiar with the SC Magazine Awards, the awards are an annual event, in which winners are announced at a gala during the RSA Conference each year. With 29 award categories—20 Reader’s Trust Awards and 5 Excellence Awards open for vendor submissions, and 4 Professional Awards—companies within the tech and security industry work tirelessly to submit their companies for consideration. The awards were created 14 years ago to recognize and honor professionals, companies and products that help to protect businesses and end-users alike from the increasing variety and presence of security threats.

The Schwartz Security Practice sat down with Illena Armstrong, editor in chief at SC Magazine, back in August this year to learn more about the awards. The Schwartz Digital team produced a video as a result of this meeting, which offered insight into the awards submission process, direct from Armstrong.

For those of you who worked hard to get your SC Magazine Award submissions in on time, the finalists have been announced!

On Monday, November 1, SC Magazine posted the list of 131 finalists within each of the 25 award categories. The full list is available online at http://www.scmagazineus.com/2011-sc-awards-us-finalists/section/1908/.

Some interesting data on the SC Magazine award finalists:

  • 61 companies were represented in at least one award category.
  • 23 companies were named as a finalist in two or more categories.
  • McAfee was named a finalist in 15 categories, leading all companies recognized as a finalist in the most categories.
  • Seven Schwartz clients were named as finalists: Agiliance, Avecto, Cloudmark, Core Security, ESET, Invincea and Qualys.

Stay tuned for feedback from the SC Magazine Awards Gala, coming February 16, 2011.

Tags: Agiliance, Avecto, award finalists, Cloudmark, Core Security, ESET, Invincea, McAfee, Qualys, SC Awards 2011, SC Magazine, SC Magazine Awards Gala, Schwartz clients

Posted by Kristin Forte Allaben on November 5, 2010 at 11:11 AM
| TrackBack (0)

October Wednesday Wrap-Up: Patch Tuesday in a Nutshell

The October 2010 Patch Tuesday was without a doubt record breaking. According to Dan Goodin of The Register, this is the largest number of bugs ever to be fixed in a single Patch Tuesday release. Almost 50 vulnerabilities were patched this month, emphasizing the importance for end-users worldwide to install updates as soon as they become available.

Although in previous posts we’ve explored the possibility of “up” and “down” months, it appears that since vulnerabilities are being made public more quickly, we are likely to continue to see large batches of patches released each month.

The highlights for October

  • There were a total of 16 patches released this month, targeting 49 vulnerabilities.
  • Four of the patches are labeled as critical, all of which specifically target Microsoft Windows.
  • One of the critical patches addresses the .NET framework that has been discussed in the past.
  • Ten of the patches are labeled as important; the remaining two patches are labeled moderate.
  • MS10-071 addresses ten vulnerabilities in IE specifically, with an elevated threat that applies to IE 7 and 8 that run on Windows Vista or Windows 7.
  • Three of the bulletins address 34 of the total vulnerabilities.

Some other key points
This continued increase in the number of vulnerabilities addressed each Patch Tuesday leads one to wonder: by how much have we really exceeded previous years? Ryan Naraine points out just how many vulnerabilities have been patched this year in comparison to the previous three years:

  • 2010 – Total 86 security bulletins (as of October 13, 2010)
  • 2009 - Total 74 security bulletins
  • 2008 - Total 78 security bulletins
  • 2007 - Total 69 security bulletins

But that’s not all folks! Along with your Microsoft Patches, you’ll also get…
In addition to the incredible number of vulnerabilities patched this month, Mac users also found themselves under attack, as Apple recently released a security patch for a file-sharing issue in OS X. Oracle also released some critical updates, which contained 29 new security fixes across Java SE and Java for Business products. And we can all recall the Adobe patches released earlier this month that fixed 23 vulnerabilities.

It’s a fair assumption to make, especially as we move toward the holidays and online shoppers take advantage of the accessibility of the Web for gift purchases, that we may see an increase in the number of vulnerabilities identified in Web browsers over the next few months. Unfortunately, it’s likely these vulnerabilities will become known to us through various attacks rather than through responsible disclosure.

As we enter the holiday season, what do you think we’ll begin to encounter? Anything new? Or just more of the same?

Tags: .NET framework, Adobe, Apple, critical patches, elevated threat, Internet Explorer, Microsoft, Oracle, Patch Tuesday, vulnerabilities

Posted by Kristin Forte Allaben on October 14, 2010 at 11:48 AM
| TrackBack (0)

September Wednesday Wrap-Up: Patch Tuesday in a Nutshell

There has been some significant industry news over the last few weeks, including the “Here you have” worm that took advantage of human nature’s basic sense of curiosity and the Chinese promotion of botnets-for-hire.

And when it comes to enhancing Internet security, Microsoft continues to keep us on our toes with nine updates targeting 11 vulnerabilities as part of the September 2010 Patch Tuesday. On the heels of such a big update in August, some may think it’s unusual for so many updates to follow in what would be considered a “down” month, but, alas, cybercriminals are finding more ways to exploit vulnerabilities and quite frankly, don’t seem to care if it’s an “up” or “down” month.

The highlights for September

  • Four of the patches are labeled as critical, two of which target Microsoft Office.
  • Five of the patches are labeled as important, all of which target Microsoft Windows.
  • Two security advisories were issued.

Taking a closer look
As evidenced by the priority placed on the patches for the Stuxnet-exploited vulnerabilities, the focus did not revolve around the major DLL hole or the IE 8 flaw made public this month, despite forecasts from experts in the industry.

Instead, the focus remained on the Stuxnet worm, back in the headlines this month. The worm utilized four separate vulnerabilities, all zero days when it was discovered. One of them, in the Windows print spooler service, was patched today, but two of the lesser zero-day vulnerabilities won’t be addressed until a future update.

Kaspersky Lab and Symantec made a splash in Patch Tuesday coverage this week. As members of MAPP (Microsoft Active Protections Program), the two companies shared the information their researchers had uncovered about the Stuxnet vulnerabilities with Microsoft before it was made public. According to Kurt Baumgartner of Kaspersky, “If this remained unpatched, it could turn into another big worm, like Blaster.”

With the presence of TippingPoint’s Zero Day Initiative and Abysssec’s Month of Bugs sharing zero day information throughout the month of September, it is likely we could see a large batch of updates in October. Keeping in mind it should also be an “up” month in total number of updates, what do you think we’ll see take headlines next month?

Tags: Botnets-for-hire, cybercriminals, Here you have worm, Microsoft Office, Microsoft Windows, Patch Tuesday, Stuxnet Worm, Windows 7

Posted by Kristin Forte Allaben on September 15, 2010 at 11:36 AM
| TrackBack (0)

The Internet Kill Switch Debate: Where Do You Stand?

Cybersecurity and cyber threats are part of our daily lives. Everyone has received some sort of malicious message or has (almost) clicked on a malicious site. Botnets are attacking banks and large corporations. Social engineering techniques are effectively stealing sensitive corporate information from employees who think they are doing good. It’s everywhere.

Most recently, vulnerabilities surrounding SCADA programs have played an increasing role in recognizing the potential dangers of utilizing the Internet for so many daily activities. Just think of Live Free or Die Hard…the fire sale attack. With so many things running on or controlled by the Internet, it’s no surprise people seem to lose sleep at night when they think of the panic that could be caused by someone taking advantage of core systems controlled over the Internet.

The Protecting Cyberspace as a National Asset Act (PCNAA) was proposed to deal with a national cybersecurity emergency. This Act would give the President authority over the Internet, essentially deciding which private-sector and government networks should be shut down in the event of a cyber attack. A recent amendment to the PCNAA states that the President cannot shut down a sector or network indefinitely, but rather can control it for 120 days, after which time Congressional approval is needed.

For some, this seems like a good idea in the making. For others, this could not be a worse idea.

The Good
Believe it or not, the President already has the authority to take over communications networks as needed, stated in the Communications Act, Section 706 (the Communications Act of 1934 was amended with the Telecommunications Act of 1996). Section 706, dubbed “War Emergency—Powers of the President,” enables the President to close any facility or station for wire communication and authorize the use of the facility or station by the federal government when presented with the threat of war. This can continue for up to six months after the threat expires, without Congressional approval.

With this existing authority in mind, Senator Joe Lieberman of Connecticut explained that his proposed PCNAA bill would enable the President to respond efficiently to the threat of a cyber attack in the 21st century with a precise defense. Additionally, according to a description of the PCNAA on Joe Lieberman’s website, the PCNAA would prevent the President from over-using the “broad authority” he has over communications networks in the current law.

The Bad
The initial proposal of this bill led many to believe it would enable the President to serve as some sort of “Internet overlord,” an idea that continues to cause discomfort and breed worry in the minds of many. As a post by Adam Cohen in TIME magazine points out:

“Imagine a President misusing this particular power: If the people are rising up against an unpopular Administration, the President could cool things down by shutting off a large swath of the Internet. He could target certain geographical regions (‘We’ve heard enough from New York and California for a while’). Or he could single out particular websites.”

But the biggest problem seems to be that no one really understands what the PCNAA would allow the President, and therefore the government, to do. As Cohen states, the Internet plays such an important role in our daily lives – be it expressing the freedom of speech or running a power grid – it’s a power that shouldn’t be handed over lightly.

The Poll
The Schwartz Security Practice recently conducted an informal poll across our security clients to gather their thoughts on the Internet kill switch debate. Not surprisingly, the majority of comments we received voted strongly against the existence of the Internet kill switch. Here are just a few thoughts:

Tom Kellermann, vice president of security awareness, Core Security Technologies, explained that “ISPs only currently voluntarily cooperate with shutting down malicious IP addresses and their C2s. There needs to be executive authority to thwart these technological attacks against the U.S. This is not a question of whether we should empower the government to turn off the internet, but instead, can the government civilize a hostile cyberspace?”

Paul Kocher, president and chief scientist, Cryptography Research, explained an Internet kill switch is not workable on either a technical or political level. He explained the equipment that drives the Internet is designed to be reliable, so creating a large-scale shut-down mechanism creates a host of problems. Some questions he proposed include:

  • How would the shut-down messages be broadcast (e.g., presumably “killed” equipment would no longer be forwarding these messages)? How would you test whether it worked? What would you do about existing equipment that doesn’t implement the kill switch?
  • How would you inform users about what’s happening? There isn’t any uniformly-supported method by which an ISP (or anyone else) can communicate with any network-connected device or end user. There isn’t a single language spoken by all users, and many embedded devices don’t even have a “user” in the normal sense of the word. Even if you created such a protocol, it’s not clear how you’d prevent the protocol from becoming abused or clogged with spam and advertisements.
  • Focusing specifically on the political side, who would control the switch and make decisions about when to use it? I’d recommend the following experiment to anybody in government considering a kill switch mandate: Get 10 large government agencies together and let them pick one agency that will control the “kill switch” for the other nine. They’ll never agree.

Anup Ghosh, founder & chief scientist, Invincea, explained that cooperation in the wild between organized communities is much more prevalent than previously thought. “These communities and major telcos monitor botnets and DDoS attacks so that when a DDoS attack occurs, the telcos cooperate fully to push back on the ISP, registrar or Autonomous System (AS) that is providing service to the offending DDoS hosts. In many cases, they will now support botnet sinkhole efforts to completely take down botnets. In other words, the private sector, along with organizations that monitor these things, is actually working together now to address these issues. So in reality, the potential for abuse probably outweighs any perceived risk of private entities not cooperating.” This echoes thoughts Cohen shared in his TIME magazine post.

Scott Cosby, vice president of products and operations, Invincea, stated “cutting off the internet would have a devastating effect on our country’s ability to function for government, industry and individuals. It strikes me that a more effective approach would be to prepare key defense organizations to function ‘off the grid,’ essentially backup and contingency planning to handle responses to a cyber attack. Flipping that type of switch would do more harm than a targeted attack.”

So where do you stand? Leave your comments below.

Tags: botnets, cyber threat, cybersecurity, Internet kill switch, PCNAA, Protecting Cyberspace as a National Asset Act, SCADA programs, social engineering

Posted by Kristin Forte Allaben on August 18, 2010 at 11:58 AM

August Wednesday Wrap-Up: Patch Tuesday in a Nutshell

It’s that time of the month again and Microsoft really came out with a bang releasing a record-breaking number of patches, tying with June for the number of vulnerabilities targeted and also tying with October 2009 for the number of critical bulletins.

In the August 2010 Patch Tuesday release, Microsoft issued 14 bulletins targeting 34 vulnerabilities. Here’s a quick overview of the bulletins:

  • Eight bulletins are labeled “Critical”
  • Six bulletins are labeled “Important”
  • 10 bulletins involve remote code execution
  • 18 vulnerabilities have an exploitability index of 1.

And now a summary of the August Patches:

  • Since the sheer volume of updates and vulnerabilities can be overwhelming, Schwartz client Qualys separated the updates into three groups, identified by vulnerability targets: end-users and Internet browsing, file format vulnerabilities and Windows OS.
  • Of the six vulnerabilities targeting end-users and Internet browsing, all are ranked as critical, and four have an exploitability index of 1.
  • Silverlight and other media file formats are a key target for hackers due to the increasing use of video, emphasizing the importance of these updates. In a Computerworld article, Silverlight was said to be installed on approximately 60 percent of PCs, whether users are aware of the installation or not.
  • Accompanying the release of the August patches was an advisory that warns of a problem that could elevate user privileges on a PC. The problem affects Windows XP, Vista, Windows 7, Server 2003 and 2008, and impacts the Windows Service Isolation feature.

Reminder!
August is the first patch cycle since Windows XP SP2 support ended in July. XP SP2 users are just as exposed to these vulnerabilities as everyone else, but they can no longer install the fixes; the only way to get this month's patches is to move to SP3.

Activity Beyond the Patches
The last four weeks have been busy with improvements to how vulnerability disclosure is handled within the industry, a topic that has been top of mind in the last few Wednesday Wrap-Up posts. Although many vendors have not agreed to a bug bounty program, the new disclosure deadlines now in place will push vendors to fix a bug sooner rather than later.

TippingPoint’s Zero Day Initiative (ZDI) has taken a real step forward for vulnerability disclosure by putting a firm deadline on fixes. According to an article by Elinor Mills, TippingPoint will give vendors six months to fix a vulnerability reported through ZDI; if it is not fixed in that time, TippingPoint will release limited details on the vulnerability. Extensions can be granted, but only on a case-by-case basis.

Is this a trend?
What’s most interesting is that it appears Microsoft is falling into a light-month, heavy-month trend, releasing a few bulletins one month, then a record number of bulletins—targeting double-digit vulnerabilities—the next. There also seems to be potential for an increasing number of out-of-band patches as more vulnerabilities are identified.

It will be interesting to see if this trend continues, especially with the Coordinated Vulnerability Disclosure (CVD) program and Zero Day Initiative in place.

What do you think we can anticipate from Microsoft over the next four weeks?

Tags: Coordinated Vulnerability Disclosure, CVD, exploitability index, Microsoft vulnerabilities, Patch Tuesday, Qualys, record Patch Tuesday, vulnerability disclosures, Zero Day Initiative

Posted by Kristin Forte Allaben on August 11, 2010 at 9:18 AM

Black Hat 2010 Sessions - Day 2 Recap

Yesterday was the second and final day of Black Hat sessions and there were quite a few key topics that we’ve seen before.

Government
As the government continues to work toward implementing cloud solutions, there is continued discussion of cloud security, as well as cyber-warfare. We saw this in full force at RSA 2010, which we discussed in a previous post.

In his Black Hat keynote yesterday, former National Security Agency Director, retired Gen. Michael Hayden, addressed the need to define cyber-warfare, since the term is loosely applied to anything relating to crime on the Internet. He explained that the military traditionally operated in four domains: land, sea, air and space. Now there is a fifth domain, the Internet, the first man-made location for warfare. A clear definition of cyber-warfare will prove advantageous because it will enable the country to better understand what a cyberattack is and, therefore, know how to respond properly.

SSL
One of the biggest speaking points from Day 2 sessions revolved around weaknesses associated with SSL, which were highlighted in a number of sessions yesterday. In one session, two researchers showed how an attacker can take over a user’s account or take control of a website because of the way browsers implement HTTPS. Additionally, attackers can observe the unencrypted metadata around an HTTPS session and pick up clues that help them work out what their targets are doing.

The session essentially highlighted that HTTPS alone will not stop bad things from happening due to the “breadcrumbs” left behind from secure browsing sessions that skilled hackers can easily follow.

Wallpaper
I remember the first time I wanted to change the wallpaper on my computer and my computer teacher (yeah, that’s true) was furious. I found myself, 30 minutes later, with a very basic understanding of the dangers of malicious downloadable content. Although it seems to be more common sense nowadays, downloading images and other content can still be a threat to users who believe they are using a secure application.

Take the mobile Android situation. A wallpaper application is said to be sending personal information from millions of Android users to a “mysterious Chinese website.” The finding was reported at Black Hat this week as part of the App Genome Project, a real-time database designed to keep mobile users safe by identifying security threats and providing insight into how applications tap into personal data.

There is also more discussion of bug bounty programs, malware-infected SEO terms and ATM vulnerabilities.

As a result of the sessions at Black Hat, we’re likely to see continued discussion regarding the importance of (and need for) a definition of cyber-warfare and, as expected, continued advancements in cloud security as more industries turn to the cloud.

Tags: App Genome Project, ATM vulnerabilities, Black Hat, cloud security, cyber-warfare, cyberattack, cyberwar, malware, SEO, SSL

Posted by Kristin Forte Allaben on July 30, 2010 at 9:48 AM

Black Hat 2010 Sessions - Day 2

The first day of sessions is complete and hackers and security professionals are preparing for the Day 2 sessions. But before we get into what to expect, let’s recap some of the high points from yesterday.

Barnaby Jack’s ATM vulnerability discussion was, as we expected, one of the main highlights from yesterday. His discussion explored some interesting ATM attacks, labeled as dangerous because they affect multiple types of ATMs. Over the course of his presentation, he addressed two types of ATM attacks, one physical and one remote, the latter considered more dangerous because attackers can silently gather account information from anyone who uses the ATM.

The remote attack, which he named “Dillinger,” exploits a vulnerability in the authentication step of the ATM’s remote monitoring interface. Unfortunately, most ATMs from one manufacturer ship with remote monitoring enabled by default. Once the vulnerability is exploited, a rootkit can be installed with little effort; for his demonstration, Jack installed a rootkit he named “Scrooge” that made the machine spit out cash.

Additional highlights from yesterday’s speaking sessions include discussion of payment for researchers who identify vulnerabilities. This is a big discussion point for researchers following Tavis Ormandy’s public disclosure of the Microsoft vulnerability not too long ago.

Just like every argument, there are always two sides to the story. Microsoft and Cisco addressed the situation yesterday stating that “bug bounty programs” are not the best strategy for improving internet security. Other panelists, however, explained they thought it was a nice way for a researcher to be rewarded for identifying a vulnerability. Quite frequently, a researcher is offered little more than a “thank you.”

To try to get everyone on the same page, Microsoft introduced a “coordinated vulnerability disclosure” (CVD) policy with the goal of aligning the motives of researchers and vendors. Microsoft also announced its Microsoft Active Protections Program (MAPP) will include vulnerability information sharing from Adobe Systems Inc. to help better protect customers by alerting them to vulnerabilities before Microsoft releases its monthly patches.

Additional highlights from Day 1 sessions include:

With so much of the show’s anticipation met within the first day of speaking sessions, what can we expect for Day 2? It is likely we’ll see continued discussion around vulnerability disclosure and Microsoft’s response to bug bounty programs, partnerships and other collaborations to ensure a common goal can be met when it comes to disclosing and fixing a vulnerability, and mobile device security and its impact on the enterprise network.

Check back in tomorrow for a recap of Day 2 sessions.

Tags: Adobe, ATM vulnerabilities, Barnaby Jack, Black Hat, enterprise security, malware, MAPP, Microsoft, SEO, WEP, WPA

Posted by Kristin Forte Allaben on July 29, 2010 at 12:05 PM

Black Hat 2010 Sessions - Day 1

Today is the first day of the 2010 Black Hat Conference speaking sessions. Among the line-up of anticipated talks surrounding wireless security (specifically that of WPA2), mobile device security and ATM vulnerabilities, there is a slew of additional sessions that are bound to make some noise.

One of the noise makers is likely to be the session exploring how to intercept cell phone calls. Some interesting rumors of lawsuits caused eyes and ears to turn toward AT&T, but the company cleared the air, saying it will not interfere with the demonstration.

Although often passed up for obtaining credit card information, counterfeit checks are not a thing of the past. Although you may find yourself having flashbacks to the movie “Catch Me If You Can,” a discussion on how Russian hackers obtained images of checks from a number of retailers and other businesses is a high-tech version of the old story. A quick summary: Russian hackers found a way to utilize technology to make this low-tech crime even more dangerous. They have not yet been caught.

There will also be exploration into weaknesses of SSL, used by websites to protect data. One session on this topic will explore how to attack browser storage mechanisms to tamper with an SSL session. Another SSL presentation will focus on results of a study that analyzed SSL use to document configuration errors that weaken thousands of websites.

There will also be discussion surrounding web application security, particularly as it applies to third-party code such as widgets, applications and advertising modules, all of which are very popular on web applications. These components are meant to provide additional functionality for the user, but a flaw in any of them is inherited by every site that embeds it, and across industries including healthcare and finance that could result in infected users.

SEO has been a topic of growing importance for many companies over the past few years. With this in mind, it only makes sense that hackers want to jump on the bandwagon and will utilize SEO to push out malware. Taking a look ahead to DefCon, researchers will show just how important SEO has become to the “malware pushers.”

Check back in tomorrow for a recap of the Day 1 sessions and what we can expect for Day 2.

Tags: ATM vulnerabilities, Black Hat, counterfeit checks, DefCon, malware, mobile security, SEO, weaknesses of SSL, web application security, WPA2

Posted by Kristin Forte Allaben on July 28, 2010 at 9:09 AM

Black Hat - Preparing for the Sessions

This year's Black Hat conference is considered to be the most popular to date, and tomorrow marks the first of two days of speaking sessions.

For those of you who participated in the Black Hat Challenge, you are aware that there are many sessions to choose from, and little time to see them all.

One of the most anticipated sessions is the Barnaby Jack ATM scams, which was mentioned in yesterday’s post.

But beyond ATM scams, there is a trend we’re seeing in sessions: mobile security. As I mentioned yesterday, IDC forecasted that the number of mobile workers will exceed one billion by the end of 2010. From a corporate perspective, the enterprise network can be exposed to a number of vulnerabilities stemming from the use of a mobile device. From a consumer perspective, people can fall victim to malware that exploits bugs in the device. For example, one of the anticipated Black Hat sessions will illustrate to attendees that the A5/1 encryption algorithm used on GSM networks by carriers such as T-Mobile and AT&T is weak and can be broken with modest resources, something spies and security geeks alike have known for some time.

Jeff Moss, founder of Black Hat, explained that for many people, seeing is believing; unless people can literally see what’s possible when it comes to security threats and attacks, they won’t believe it. This specifically applies to corporate decision makers as they need to [visually] understand what is technically possible before they can make informed decisions regarding security.

But what it comes down to is this: no one can predict what the big news will be from Black Hat since there is always a wildcard, as Bob McMillan notes. With so many sessions in the queue and such an array of personalities in the same space, you can never quite tell what the news will be.

Tags: ATM scams, Barnaby Jack, Black Hat, encryption algorithm, mobile security, mobile workforce, security attack, security threat

Posted by Kristin Forte Allaben on July 27, 2010 at 11:06 AM

Black Hat 2010 - Anticipation Mounts

As speakers and hackers gather in Vegas for the 2010 Black Hat conference, there are many topics on people’s minds.

In much of the pre-show articles, there has been talk about cloud security, a topic that seems to resonate throughout security conferences this year (see previous post on RSA 2010). There is also discussion on wireless security, particularly as it pertains to mobile devices. This is most definitely an area of increasing importance as IDC forecasted that the mobile workforce would exceed one billion by the end of 2010, potentially bringing to light new security implications for enterprise networks.

Most prominently over the last few days has been discussion of the vulnerability within WPA2, currently the strongest form of WiFi encryption and authentication. The vulnerability, identified as “Hole 196," lends itself to man-in-the-middle attacks.

We can also expect to hear about:

It appears, however, that the most highly anticipated session surrounds Barnaby Jack’s research into ATM vulnerabilities. As some may recall, this talk was canceled last year due to pressure from ATM vendors. Similarly, this year, a session entitled “The Chinese Cyber Army: An Archaeological Study from 2001 to 2010” was canceled due to outside pressures.

On a fun note, Black Hat attendees will also be participating in the Pwnie Awards, which recognize extreme excellence and incompetence in the field of information security. Some categories include Best-Server-Side Bug, Best Client-Side Bug, Most Overhyped Bug and Lamest Vendor Response.

For those of you preparing to head out to Vegas later this week for the array of speaking sessions, take the Black Hat Challenge. What one session would you attend?

Tags: ATM vulnerabilities, Barnaby Jack, Black Hat USA 2010, cloud security, DNS rebinding, hackers, Hole 196, Microsoft Security Response Center, mobile workforce, VPN security

Posted by Kristin Forte Allaben on July 26, 2010 at 9:49 AM

July's Wednesday Wrap-Up: Patch Tuesday in a Nutshell

It’s hard to believe a full month has passed since the last Wednesday Wrap-Up, but believe it or not, yesterday marked the second Tuesday of the month.

Unlike the “record setting” previous month, there were four patches released to fix five bugs as part of the July 2010 Patch Tuesday, three of which were rated critical.

Here’s the summary of this month’s patches:

  • Three of the four patches were rated critical, though the patch ranked important may actually cause some bigger issues in the future. More on that later.
  • Two of the patches address flaws in Windows and the other two address flaws in Microsoft Office.
  • Google researcher Tavis Ormandy’s disclosure of a flaw in Microsoft’s Help and Support Center led to some significant disagreement regarding vulnerability disclosure protocol. However, as Ryan Naraine reports, Microsoft issued a critical patch for the flaw in just 33 days, almost half of Microsoft’s typical 60-day response time. This is promising for those who are full-disclosure advocates.
  • The bulletin ranked important for Microsoft Office—MS10-045—directly impacts all versions of Microsoft Outlook, excluding Outlook 2010. In this vulnerability, users are unable to determine if an attachment is an executable or not, thus putting users at risk. There exists potential for a large-scale spam attack to occur.
  • The July 2010 patches also represent the end of Windows XP SP2 (Service Pack 2) support. Basically, there will be no updates released for Windows XP SP2, along with Windows 2000, after today.

Many of the Patch Tuesday conversations seemed to focus on two specific areas. The first being the vulnerability disclosed by Ormandy a few weeks ago; the second being the end of Windows XP SP2 and Windows 2000 support.

Vulnerability Disclosures
Following Ormandy’s disclosure of the Microsoft Help and Support Center flaw, there has been significant activity in the security realm. Many agree with Ormandy, stating that full disclosure is necessary to move Microsoft along in issuing a fix sooner rather than later. On the other hand, however, many believe this just puts the end-user at greater risk.

Since the disclosure of the vulnerability, a number of malicious exploits targeting it have emerged, as reported by Rob Westervelt. Elinor Mills took a deeper look at these exploits as they emerged last month.

Interestingly, there has been little discussion of Microsoft’s relationship with researchers and the emergence of the MSRC. Not the MSRC we’re already familiar with (the Microsoft Security Response Center that is responsible for investigating vulnerabilities), but a new MSRC. Named the Microsoft-Spurned Researcher Collective, this group is composed of anonymous, rogue researchers that have vowed to publicize any Microsoft vulnerabilities instead of quietly reporting them to Microsoft to effectively work on a patch. It will be interesting to see where this leads as researchers immediately publish proof of concept, showing malicious hackers how to exploit vulnerabilities.

The end of Windows XP SP2 and Windows 2000
The end of Windows XP SP2 is a big deal because there are still hundreds of millions of users on this OS. When XP users were asked to move from SP1 to SP2, many did so because SP2 brought concrete security benefits, such as the Windows Firewall being turned on by default. The move from SP2 to SP3, by contrast, looks like maintenance only, so many users never bothered.

The retired support for XP SP2 users poses the risk of significant security threats since various flaws will only be fixed for SP3. If these flaws remain unfixed in SP2, users could become exposed to serious vulnerabilities. It is only a matter of time before a hacker identifies and takes advantage of a relevant vulnerability.

Additionally, Microsoft has completely retired the Windows 2000 OS line. It has been advised for any users with Windows 2000 to migrate to a new OS, preferably Windows 7.

Although not as record-setting as last month, July’s Patch Tuesday has left many with a call to action beyond just rebooting your machines. If you are still operating on Windows XP SP2, take the time to upgrade to SP3. Unfortunately, according to Wolfgang Kandek of Schwartz client Qualys, moving from XP SP2 straight to Windows 7 is extremely difficult and requires some manual work. And, as is always the case, never open an email attachment when you are unfamiliar with the sender.
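The first step in acting on that advice is knowing which machines are affected. The following PowerShell script is an added example, not code from the original post or from Microsoft: it reads Win32_OperatingSystem over WMI from each host you name and flags anything still on Windows 2000 or Windows XP SP2. It assumes you have administrative rights on the targets and that RPC/WMI traffic is allowed to them; the script name and the host names are placeholders.

```powershell
# Added example, not from the original post: inventory check for Windows 2000 and
# Windows XP SP2 hosts, which drop out of security updates with the July 2010 cycle.
# Reads Win32_OperatingSystem over WMI. Assumes admin rights on the targets and that
# RPC/WMI traffic is allowed; the computer names passed in are placeholders.
param(
    [string[]]$ComputerName = @('localhost')
)

function Get-SupportStatus {
    param([string]$Version, [int]$ServicePack)
    # Version strings: 5.0.x = Windows 2000, 5.1.x = XP (32-bit), 5.2.x = Server 2003
    # and XP x64 (which follows the Server 2003 servicing timeline, so it is not flagged here).
    $v = [version]$Version
    if ($v.Major -eq 5 -and $v.Minor -eq 0) {
        return 'UNSUPPORTED: Windows 2000 retired July 2010, migrate'
    }
    if ($v.Major -eq 5 -and $v.Minor -eq 1) {
        if ($ServicePack -lt 3) { return "UNSUPPORTED: Windows XP SP$ServicePack, install SP3" }
        return 'ok: Windows XP SP3'
    }
    return 'ok'
}

foreach ($c in $ComputerName) {
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
        $status = Get-SupportStatus -Version $os.Version -ServicePack ([int]$os.ServicePackMajorVersion)
        New-Object PSObject -Property @{
            Computer    = $c
            Caption     = $os.Caption
            Version     = $os.Version
            ServicePack = $os.ServicePackMajorVersion
            Status      = $status
        }
    } catch {
        # Unreachable hosts are reported rather than skipped, so they get a follow-up too.
        New-Object PSObject -Property @{
            Computer    = $c
            Caption     = $null
            Version     = $null
            ServicePack = $null
            Status      = "unreachable: $($_.Exception.Message)"
        }
    }
}
```

Run it from a management host as, for example, `.\Get-UnsupportedWindows.ps1 -ComputerName (Get-Content hosts.txt) | Format-Table -AutoSize`. Hosts that do not answer WMI are listed as unreachable instead of silently dropped, since an unmanaged box is exactly the one most likely to still be on SP2.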

Check in with us next month for the Wednesday Wrap-Up of August’s Patch Tuesday.

In the meantime, keep an eye out for our thoughts on Black Hat, leading up to the event and at the event itself. Schwartz clients that will be presenting at Black Hat include Core Security, Damballa and Qualys.

What session or sessions are you most looking forward to attending at Black Hat this year?

Tags: Microsoft, Microsoft Outlook, Patch Tuesday, spam attack, Tavis Ormandy, vulnerabilities, Windows XP SP2

Posted by Kristin Forte Allaben on July 14, 2010 at 9:24 AM

Wednesday Wrap-Up: Patch Tuesday in a Nutshell

Since so much of the working world runs Microsoft Windows on its PCs, we thought it would be beneficial to recap the patches released each month, highlighting the importance of keeping systems updated to ensure the security of your company’s network.

First thing’s first: what is Patch Tuesday? Patch Tuesday is the second Tuesday of every month, when Microsoft releases its monthly batch of security patches.

This begs another question: what is a patch? A patch is a piece of software designed to update a program. Essentially, a patch blocks up a security hole that may exist within a computer program. Think, if you will, of a pipe with a hole in it. A patch will plug the hole to ensure water can continue to flow without any leaks.

Each of Microsoft’s security patches is ranked at one of four severity levels, reflecting the threat posed by the vulnerability it fixes: critical, important, moderate and low. A good description of each of these severity ratings can be found on the Microsoft TechNet website.

Record-setting month
For the June security update, Microsoft issued 10 patches (also referred to as “security bulletins”) for 34 documented vulnerabilities, where the most severe threats could result in remote code execution (RCE).

This is the largest Microsoft patch release so far this year, and its 34 vulnerabilities tie the record for the most addressed in a single month (set in October 2009). We also see that this month offers the largest single bulletin, as 14 vulnerabilities in Excel are addressed together.

So here’s the summary:

  • The three patches rated “Critical” address the threat of RCE in Windows and Internet Explorer (IE); one of them is a cumulative ActiveX kill-bit update (a kill bit is a registry flag that tells IE not to load a given control).
  • One of the patches addresses six different vulnerabilities within IE, one of which was publicly disclosed back in February. This vulnerability was given an exploitability index of ‘1’ which indicates that researchers expect an active exploit within 30 days.
  • One of the patches addresses 14 different vulnerabilities within Excel. Although rated as important by Microsoft, organizations should make this a priority since many companies utilize Excel spreadsheets for various tasks throughout the day.
  • One of the patches addresses a vulnerability within Microsoft Office. If a user opens a Word, Excel, PowerPoint, Visio or Publisher e-mail attachment from an affected version of Microsoft Office, it could result in RCE. It’s important to note, however, that the e-mail attachment must be opened for this attack to be successful.
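After a kill-bit update is applied, it is worth confirming that the controls named in the bulletin are actually blocked. The PowerShell script below is an added example, not code from the original post or from Microsoft. It relies on the documented location of the kill bit: the DWORD value "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, with bit 0x400 meaning "never load this control", mirrored under Wow6432Node for 32-bit IE on 64-bit Windows. The CLSIDs are an input you take from the bulletin's list of affected controls; the script name is made up.

```powershell
# Added example, not from the original post: check whether given ActiveX CLSIDs
# have the IE kill bit set. The kill bit is bit 0x400 of the "Compatibility Flags"
# DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# On 64-bit Windows the 32-bit IE view lives under Wow6432Node as well.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$Clsid
)

$KillBit = 0x400
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    param([string]$Id, [string]$Root)
    $key = Join-Path $Root $Id
    if (-not (Test-Path $key)) { return 'no entry (control not blocked)' }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 'entry without Compatibility Flags (control not blocked)' }
    if (($flags -band $KillBit) -eq $KillBit) {
        return ('KILL BIT SET (flags 0x{0:X})' -f $flags)
    }
    return ('flags 0x{0:X}, kill bit NOT set' -f $flags)
}

foreach ($id in $Clsid) {
    # Normalise to the braced form the registry uses.
    $braced = if ($id -like '{*}') { $id } else { "{$id}" }
    foreach ($root in $Roots) {
        # The Wow6432Node root only exists on 64-bit Windows; skip it elsewhere.
        if (Test-Path $root) {
            '{0}  {1}  {2}' -f $braced, $root, (Test-KillBit -Id $braced -Root $root)
        }
    }
}
```

Run it as `.\Test-KillBit.ps1 -Clsid '{...}','{...}'` with the CLSIDs from the bulletin. Two caveats a practitioner should keep in mind: the kill bit only stops IE (and other hosts that honour it) from instantiating the control, it does not remove the control's DLL from disk, and a control with a kill bit under one root but not the other is still loadable by the other bitness of IE.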

Some other tidbits from this month’s patch release include:

  • The IE flaw used at Pwn2Own has been fixed. In Ryan Naraine’s write-up, he briefly explained that the vulnerability was identified by security researcher Peter Vreugdenhil to win ZDI’s competition at CanSecWest. That competition took place in March this year, making this patch a little late to the party. Kelly Jackson Higgins further explained that the Pwn2Own flaw was a memory corruption vulnerability in IE.
  • Four of the 10 bulletins address zero-day issues. This, in particular, points to the information disclosure vulnerability identified by Core Security this past February.
  • The most exposed area for organizations is third-party devices still running old operating systems that no longer receive these fixes. What to do? Inventory them and make sure every system has been upgraded to a version that is still being patched.

Additional information on each of the patches can be found in the Microsoft Security Bulletin Summary.

Hopefully this information is useful in helping you keep your organization secure. Check back with us the second Wednesday of each month for Patch Tuesday in a Nutshell. Any thoughts or questions? Post in the comments below.

Tags: Core Security, Kelly Jackson Higgins, Microsoft, Microsoft Windows, Patch Tuesday, remote code execution, Ryan Naraine, security

Posted by Kristin Forte Allaben on June 9, 2010 at 8:45 AM

RSA: It's Over. Now What?

You spent time planning it for months. To you, and to many IT security companies, RSA is the biggest tradeshow of the year. You worked hard to finalize travel plans, put those finishing touches on the booth design, thought of creative ways to draw attention to your company. The deadline has come and gone and now just a couple of weeks later, the biggest tradeshow of the year is done and can hardly be seen in the rearview mirror. Now what?

If your world has revolved around planning over the last few months, you may find yourself at a loss for words. Not sure what to do next? Here are some suggestions:

Make a note. Write down things that you liked best about the event and specifically, what you liked best about your performance. How was traffic to your booth? Can there be improvements for next year? What are some things you especially liked about other booths? Keep track of these things and brainstorm throughout the year to make improvements where needed.

Get organized. It’s likely that you obtained a number of business cards over the course of those few days. Go through your new collection and determine who you should follow up with first (if you haven't done so already).

Follow up. Send a note or call the people you spoke with to continue to develop the relationship. That being said, it’s also important to keep your promises. If you say you’re going to give them a call, call them.

Strategy. Many companies look forward to these large events to make an announcement, such as launching a new product, service or functionality, because the majority of key industry writers will be around. If you were one of those companies, follow up with those who expressed interest in the latest news. Since you’ve made a splash, it will be important for you to remain in front of these people so your name will not fade into the background. Continue your momentum with a white paper or contributed piece that explains the relevance of the new product or service for the market, encourage and participate in follow up briefings and, if relevant, consider making an announcement with the latest statistics surrounding your news. For example, announce the number of units sold or benefits of the new product/service, such as cost savings, percentage improvement in performance, etc.

If you didn’t make an announcement, review the key trends and news items from the tradeshow and develop your position on the news. There may be a number of opportunities to provide thought leadership on trends and news from the event.

It’s a learning experience. Tradeshows are an opportunity to put faces to names, be it an industry writer or potential customer or partner. It's also a great opportunity to learn how you can prepare for next year.

Tags: IT Security, RSA Conference, Tradeshow Tips

Posted by Kristin Forte Allaben on March 24, 2010 at 9:42 AM

Time To Cry Foul: March Madness Is Here

Around every big event, be it a holiday or a nation-wide celebration, cyber criminals look forward to the opportunity to trick the unsuspecting end-user into giving up personal information or sensitive data.

This week (and in the weeks to come), the biggest threat is March Madness. As is typical for this time of year, bracket selections have become a big part of interoffice discussion as employees try to guess the winning teams round by round. With a number of office pools gearing up, many people will try to get the latest information on teams and players, pushing many search terms to the top of the most frequently searched list. Although we have not heard any reports of it YET, it is just a matter of time before this results in SEO poisoning. According to Schwartz client AppRiver, it is not uncommon for nine of the top 10 search results to be malicious Web pages during peak times after a story breaks. Take the Olympics, for example. People around the world frequently searched for the latest medal count, which event was coming up, how a particular athlete performed, etc. It’s no mystery that attackers would flood the search pages with malware-infected sites. And like the Olympics, March Madness has staying power, since it takes place over the course of a couple of weeks and not just one day.

Taking a look at March Madness specifically, once the interoffice brackets are in, the danger shifts from SEO poisoning to malware-infected sites that are used to stream games live. Not only is this a drag on company bandwidth, but with the expectation that employees will spend time checking scores and their brackets, it’s likely the cyber criminals will turn their attention to targeting not only end-users, but businesses as a whole. We’ve recently seen this done to Google and approximately 30 other U.S. companies, with the cyberattacks traced to two Chinese schools. By gaining access to corporate networks, cybercriminals are able to steal trade secrets, source code and other valuable corporate information.

Although the threats may have different names, such as Koobface for social networking sites or the Zeus botnet, this is nothing new. Cyber criminals prey on the unsuspecting during the biggest events. Think back to the holidays, for example. How many spam emails did you get offering you a new watch, a Snuggie or Zhu Zhu Pets (enter your favorite latest toy craze)?

This is a good reminder that each holiday and big event typically breeds spam and malicious activity. With this in mind, it is a good idea to look ahead to upcoming holidays, such as Mother’s Day, rather than wait for them to be upon you. Has your company given any thought to the types of threats we can expect this year?

Tags: cyber threats, March Madness, spam

Posted by Kristin Forte Allaben on March 17, 2010 at 11:57 AM

This is it: RSA 2010 -- Day 5

This is it. The fifth and final day of the 2010 RSA Conference, and it’s been quite a ride. Looking back, it’s clear the cloud takes the gold as the most discussed item, although government presence and increasing cyberthreats picked up speed in the latter half of the week, placing each at a tie for silver, especially since they seem to go hand in hand. Tim Greene of NetworkWorld wrote a very thorough article that explores each of these topics in greater detail.

Taking a look at the conversations yesterday, many revolved around FBI Director Robert S. Mueller III’s speech regarding the increasing threat of cyberterrorism. In his speech, he presented the idea that hackers will continue to enhance their skills and will eventually combine cyberattacks with physical attacks. Along with warnings of foreign nations supporting radical group recruitment via the Internet, Mueller advised any company that finds itself to be a target or victim of a cyberattack to turn to the government for help, promising business confidentiality and safeguards to privacy.

Continuing down the path of government presence within the cybersecurity realm, there are also some (perhaps not too outlandish) beliefs that the U.S. is involved in a cyberwar…and we are losing. Cybersecurity Czar Howard Schmidt denied the existence of a cyberwar saying it’s a terrible concept and further explaining that it’s an environment where no one can win. To reiterate what has been discussed in previous posts, Schmidt’s priorities for the year include better end-user education (something most security professionals say over and over again is a key area of improvement), information sharing and better defense systems.

There was also talk yesterday of the real benefit of using end-to-end encryption within the credit card industry, increasing ID theft within the healthcare industry and fraud. Interestingly enough, there were also discussions of robotics and the changes this advancement would introduce to society.

For the final day at RSA, anticipate continued discussion of increasing cyberthreats, but be prepared for a slight twist on the conversation, as many sessions today will discuss cybersecurity trends, digital forensics, encryption and identity/access control.

For those of you traveling home this weekend, safe travels and we’ll see you next year.

Tags: cloud security, cybersecurity, RSA 2010, RSA Conference

Posted by Kristin Forte Allaben on March 5, 2010 at 10:01 AM

RSA 2010 -- Day 4

The government. Microsoft. Cyber threats. The bulk of conversation at the RSA Conference yesterday focused on these three topics. Let’s take a minute to explore each one.

The Government—As I mentioned in yesterday’s post, federal employees are stepping up to the mic to discuss cybersecurity and awareness to better detect and prevent cyber attacks. Between Einstein, the increasing adoption of the cloud and the still vivid memories of Aurora, there's little doubt of the widespread need for better cyber security. According to White House Cybersecurity Coordinator Howard Schmidt, the U.S. is ill-prepared for a cyberwar.

Lawmakers are making an especially hard push to advance a comprehensive cybersecurity plan, especially now with the U.S. cyber czar position filled. Based on Schmidt’s presentation earlier this week, we know the government is gearing up for a few things to occur over the next year:

  1. Widespread adoption of cloud computing
  2. Significant improvements in cyber security
  3. Better working relationships between law enforcement and the private sector to more effectively fight cyber crime
  4. Instant response plan for cyber-emergencies
  5. Better transparency in government

Although each of these plans is stated with good intentions, it will be important for our government to remember one of the many lessons taught at RSA this week: avoid the excess hype surrounding a cyber threat and/or attack. Why? Because many dangers surround an overhyped threat, especially when you consider that many consumers don’t really understand cyber threats.

On a “fun” note, however, Janet Napolitano, the Secretary of the U.S. Department for Homeland Security (DHS), announced a competition to encourage the industry’s “best and brightest” to think of creative ways to better enhance the security of computer systems and cyber networks. Known as the National Cybersecurity Awareness Campaign Challenge, ideas will be accepted through April 30, 2010. Winners will receive DHS funding to better promote the idea to a wider audience.

Microsoft—Scott Charney, Microsoft corporate VP for Trustworthy Computing, made a bold move yesterday, stating that the industry should consider taxing every PC user to better fund the fight against cyber crime. Needless to say, this was met with a variety of responses across the blogosphere and a flurry of activity on Twitter. Richi Jennings at Computerworld selected a few “gems” that he blogged about today in Computerworld’s IT Blogwatch.

Cyber Threats—As I stated above, many consumers do not understand cyber threats. Social networking enhances this misunderstanding as more and more people provide increasingly intimate details about their life on these websites. By providing potentially sensitive information, people make it easier for cyber criminals to better focus their attacks, making their attacks more successful.

For Day 4 at RSA, anticipate more discussion on cyber threats--what to do to prevent them, best tips on what to do when you’ve been hit, etc. We’ll also see some additional discussion regarding security standards and, per usual, discussion of the cloud.

Tags: cloud security, cyber security, cyberthreat, cyberwar, National Cybersecurity Awareness Campaign Challenge, RSA 2010

Posted by Kristin Forte Allaben on March 4, 2010 at 9:19 AM

RSA 2010 -- Day 3

Cybercrime is a threat to both enterprises and consumers; it appears that no one is immune from an attack. As cybercriminals become more sophisticated, targeting their victims based on information obtained from social networking sites, it’s no surprise that cybercrime instills fear into many, especially as enterprises encourage the use of social networking as they learn how to use it to their advantage.

However, a strong word of caution was issued during a panel at the RSA Conference yesterday--security professionals were advised to be wary of the intensity with which they discuss threats. It is important that they find a balance between explaining the risks as well as the probability of an attack. Although some of the hype can encourage companies to re-evaluate their existing security practices, it could cause more harm than good. For example: the threat of stolen IDs, credentials and other sensitive data has many executives rethinking the approach to the cloud.

Once again, we saw the cloud take center stage as many conversations yesterday focused on the security of the cloud (and we can expect the same for today with a quick look at the daily schedule). With many people believing the cloud lacks sufficient security, they turn to the industry with expectations that security pros will “fix it.” Keep in mind, however, that fears and concerns of data security in the cloud are nothing new; this has been a primary reason for delays in adopting cloud computing for some time.

RSA President Art Coviello said in his keynote yesterday that the industry faces one of the greatest challenges: securing the cloud. He explained, “Cloud computing can allow more energy and investment to be directed to a real innovative and competitive advantage, but the one thing that’s holding it back is security.” He also named some key areas that should be prioritized as the industry takes on this task:

  • Who gets access to what and gaining visibility in the cloud
  • Compliance
  • Insider risk
  • Privileged user control
  • Workflow

A final thought: With cloud computing seemingly the way of the future, there’s little doubt that the government will be included in this new trend. We’ve already seen some significant federal movement toward the cloud, as I mentioned in a previous post, but at RSA, this is taken to another level. A number of federal employees within the cybersecurity arena are stepping up to the mic to lead various discussions on how law enforcement and the private sector need to work together to fight cybercrime.

Unveiled yesterday was Einstein, the National Security Agency’s Homeland Security program to protect the U.S. from cyber attacks. The still-in-progress, more robust second version of the program is described as being “designed to look for indicators of cyber attacks by digging into all Internet communications, including the contents of emails.” Knowing hackers and cyber criminals view this industry as a business, it will be interesting to see what this leads to as hackers turn to their version of R&D to enhance their operations.

Tags: cloud computing, cloud security, cybercrime, cybersecurity, IT security, RSA 2010, security PR

Posted by Kristin Forte Allaben on March 3, 2010 at 10:52 AM

RSA 2010 -- Day 2

As was expected, much of the news from yesterday's RSA Conference focuses on the cloud, and specifically, the Cloud Security Alliance’s (CSA) four-hour summit. Kelly Jackson Higgins of Dark Reading wrote an article summarizing the summit and the CSA’s top seven threats to the cloud. An interesting point that came from this discussion is that data security still remains one of the key concerns for companies using the cloud. This begs the question: what type of encryption are you using and do you know how it works?

Some other news from yesterday includes an interesting tidbit on compliance. PCI and HIPAA are just two of the many compliance mandates that companies need to be aware of and abide by. The medical industry is increasingly turning to IT, emphasizing the importance of information security in compliance. Bill Brenner discusses the results of a survey illustrating that 41 percent of companies would fail a PCI audit. This makes one wonder: is a true, compliance-focused security solution available?

Today, we can expect a slight change in the focus of conversation. The cloud will still take center stage for most of the day as keynote sessions explore the security of the cloud. But with additional keynote sessions, seminars and panels aiming to discuss the Internet, virtualization and data breaches, we can expect an increase in the amount of coverage around the increasing sophistication of cyber threats and attacks, including specific mention of Advanced Persistent Threats (APTs).

Tags: cloud security, HIPAA compliance, PCI compliance, public relations, RSA Conference 2010, RSA PR, security PR

Posted by Kristin Forte Allaben on March 2, 2010 at 9:01 AM

RSA 2010 -- Day 1

Today is Monday, March 1, day one of the 2010 RSA Conference. The bustle of activity today is quite diverse as exhibiting vendors work hard to get their booths ready, some security professionals prepare for today’s seminars and other vendors begin to announce new offerings and products.

As I mentioned in an earlier post, there is much anticipation of news surrounding the cloud. Just this morning, there have been a number of announcements regarding new cloud offerings and products promising better malware detection and e-mail security.

Interestingly enough, we’re also seeing significant discussion of the cloud’s presence within the government. Matt Hines, an eWeek blogger, wrote an article this past weekend explaining that the government voice will “echo loudly” at RSA this year. Hines explained that in White House Cybersecurity Coordinator Howard Schmidt’s recent press conference, he stated that the coordination of federal cyber security efforts will be a leading priority. Following the recent “Aurora” attacks on Google, the combination of cyber crime and the availability of the cloud for federal institutions will encourage many discussions to look at the cloud’s impact on business productivity as well as data security.

As we turn our attention to RSA sessions, the cloud appears to be a key topic of discussion today. The four-hour Cloud Security Alliance Summit, beginning at 9:00 a.m. PT, will provide key information from industry experts about the state of cloud security. Cloud discussion continues early tomorrow with the first RSA keynote at 8:00 a.m. PT discussing Safety in the Cloud.

On another note, keep an eye on Adobe and Google. Knowing that a number of tomorrow’s sessions will focus on the latest types of cyber threats (such as the Advanced Persistent Threat, or APT, for short) and best practices to avoid falling victim to those threats, it will be interesting to see how these sessions tie in the latest flaws with Adobe and how companies can better protect their networks against increasingly determined and more sophisticated attackers.

Tags: cloud computing, cloud security, cyber crime, RSA Conference 2010, security PR, security public relations

Posted by Kristin Forte Allaben on March 1, 2010 at 10:25 AM

Pre-Show Trend Report: What to expect going into RSA 2010

Just a few days away from the start of RSA 2010, it’s a good time to take a step back from the bustle of preparations and review some key trends that will likely be the focus of every conversation at the Moscone Center.

Just by perusing the titles of each of the sessions, it’s no mystery that the majority of conversations will focus on the cloud, data security, compliance and end-user education. Jon Oltsik stated in a recent blog post on Network World that he believes security spending and compliance will be top of mind.

The security analysts at Securosis believe that compliance, cloud security and cyber crime will be primary discussion topics.

I had the opportunity to listen in on the annual pre-RSA Conference call today, where analysts Chris Christiansen of IDC, Khalid Kark of Forrester Research and Scott Crawford of Enterprise Management Associates each shared areas they think will most likely be key trends. They are summarized below.

Data security and the Cloud -- Crawford addressed data security within the realm of the cloud. Since the cloud was significantly hyped up throughout much of 2009, it’s not hard to believe that the cloud is a big topic at RSA this year. But with varying definitions, confusion as to what the cloud is and the disputes regarding the establishment of guidelines for compliance and data security within the cloud, it brings about a big question: Who owns the data? This makes one wonder if the next big threat to enterprises will involve data ransom. Anticipate all conversations to involve the cloud in varying degrees.

Social Media + Targeted Attacks = ??? -- We are all aware of the increasing sophistication of malware and various other cyber attacks. Simultaneously, we’re aware of the increasing presence of social media in our everyday lives. We constantly see updates from friends, colleagues and clients. So how is this relevant to security?

Christiansen borrowed a quote from Oscar Wilde that ties this all together: “There’s so little useless information.” Any publicly exposed information is relevant to someone, somewhere, and ironically for those so willing to share, is available for a price. Expect these conversations to revolve around the increasing sophistication of cyber crimes, advanced persistent threats (APT) and other new threat models and new attack targets (i.e. smartphone applications).

Social Media and the Enterprise -- According to Kark, organizations need to learn how to leverage social media and Web 2.0 to their advantage, while also being wary of the threat aspect that surrounds it. As Kark stated, “It’s a freight train coming and we need to learn how to deal with it.” Expect conversations on this topic to explore implementing social media guidelines for companies of all sizes.

End-user Education -- The majority of security professionals will frequently reiterate the importance of end-user education. But in a time of social media, when every ounce of information becomes a potential hook to an unsuspecting victim, an appropriate statement to keep in mind is: A company is only as strong (and secure) as its weakest link. Expect to find yourself in conversations discussing increased spending on employee security training.

So in summary, there are four overarching trends to expect at RSA this year, according to the analysts and early online coverage:

    * Cloud computing/SaaS security and compliance
    * Data security and ownership
    * Next generation attacks to the enterprise
    * Education and security spending

It will be interesting to see how each theme plays out when the curtain goes up.

Posted by Kristin Forte Allaben on February 24, 2010 at 1:54 PM