ESO - Security Trends Report
CIA endorses cloud computing, but only internally
While it can improve security, the agency won't be outsourcing data to Google or Ama-
By Patrick Thibodeau
October 7, 2009 06:06 AM ET
Computerworld - WASHINGTON -- One of the U.S. government's strongest advocates of cloud computing is
also one of its most secretive operations: the Central Intelligence Agency. The CIA has adopted cloud computing
in a big way, and the agency believes that the cloud approach makes IT environments more flexible and secure.
Jill Tummler Singer, the CIA's deputy CIO, said that she sees enormous benefits to a cloud approach. And while
the CIA has been moving steadily to build a cloud-friendly infrastructure -- it has adopted virtualization, among
other things -- cloud computing is still a relatively new idea among federal agencies.
"Cloud computing as a term really didn't hit our vocabulary until a year ago," said Singer.
But now that the CIA is building an internal cloud, Singer sees numerous benefits. For example, a cloud approach could bolster security, in part, because it entails the use of a standards-based environment that reduces complexity and allows faster deployment of patches.
"By keeping the cloud inside your firewalls, you can focus your strongest intrusion-detection and -prevention
sensors on your perimeter, thus gaining significant advantage over the most common attack vector, the
Internet," said Singer.
Moreover, everything in a cloud environment is built on common approaches. That includes security, meaning there's a "consistent approach to assuring the identity, the access and the audit of individuals and systems," said Singer. But there are limits. The agency isn't using a Google model and "striping" data across all its servers; instead, data is kept in private enclaves protected by encryption, security and audits.
The CIA uses mostly Web-based applications and thin clients, reducing the need to administer and secure individual workstations. And it has virtualized storage, protecting itself "against a physical intruder that might be intent on taking your server or your equipment out of the data center," said Singer.
Speaking at Sys-Con Media's GovIT Expo conference today, Singer not only provided a rare glimpse into the IT
approaches used by the agency, but also talked about one of its greatest challenges: the cultural change cloud
environments bring to IT. A move to cloud environments "does engender and produce very real human fear that
'I'm going to lose my job,'" she said.
In practice, highly virtualized environments reduce the need for hardware administration and, consequently, for
system administrators. Barry Lynn, the chairman and CEO of cloud computing provider 3tera Inc. in Aliso Viejo,
Calif., said a typical environment may have one systems administrator for every 75 physical servers. In contrast,
a cloud-based environment may have just one administrator for every 500 servers or more.
The CIA has "seen a significant amount of pushback, slow-rolling [and] big-process engineering efforts to try to
build another human-intensive process on top of enterprise cloud computing," said Singer. "It will take us a good
long while to break that."
One thing the agency will do to address resistance will be to base contract competitions on performance, not
head count, "where it's to [a service provider's] benefit to do the work with fewer bodies and make more profit for
their company," said Singer.
Federal CIO Vivek Kundra is encouraging agencies to adopt cloud computing, and he recently opened an online
apps store that enables federal agencies to buy cloud-based services from Google, Salesforce.com and other
vendors. That's something the CIA will not do; its data will remain within the agency's firewalls, said Singer.
Government market research firm Input has revised its forecast for federal cloud-related spending upward; it now
expects the government's cloud expenditures to grow from $363 million this year to $1.2 billion by 2014. "I think
this is probably a conservative estimate, considering the push from the administration," said Deniece Peterson,
an analyst at Reston, Va.-based Input.
Obstacles to the adoption of cloud computing, including concerns about security and loss of data control, may
slow momentum, but "I think we'll see broader adoption and higher spending after the administration makes
progress in some of the pilot programs it has planned," said Peterson.
Singer said the CIA's IT department was moving in the direction of cloud computing, even if it wasn't using that
term, when it widely deployed virtualization technology. Abstracting the operating system and software from the
hardware "is the foundation of the cloud," Singer said. "We were headed to an enterprise cloud all along."
PCI DSS Compliance Survey
(September 23, 2009)
According to the PCI DSS (Payment Card Industry Data Security Standard) Compliance survey, commissioned by Imperva and conducted by the Ponemon Institute, approximately 70 percent of entities that handle payment card transactions view compliance as a box checking exercise rather than as central to their operations. Companies that implement PCI DSS as part of their strategic approach are less likely to experience breaches.
Nearly 80 percent of those surveyed said their organizations had experienced a data security breach. Fifty-five percent of responding organizations said they protected payment card data but not other customer data, like Social Security numbers (SSNs), driver's license numbers and financial account information. Of the small businesses (501 to 1,000 employees), 28 percent are PCI DSS compliant; of large businesses (75,000 or more employees), 70 percent are PCI DSS compliant.
The top reason for non-compliance is the cost associated with implementing new security programs.
“Chat-in-the-Middle” Attack Preys on Online Banking Customers
(September 18 & 24, 2009) In a new twist on phishing, cyber thieves are posing as employees in a bank's fraud detection department in a live chat. Users are directed to the site through a phishing email and are asked to type in their login credentials. The chat window then opens, and the attackers tell the victims that the fraud department of the bank is requiring additional information, including challenge questions, to validate their accounts. The cyber criminals are using the Jabber IM protocol to conduct their online conversations with the victims; the attack is being hosted on a fast-flux network.
Hackers pay 43 cents per hijacked Mac
Russian cyber crime gangs after Apple's Macs, too, says researcher
By Gregg Keizer
September 25, 2009 01:58 PM ET
Computerworld - A network of Russian malware writers and spammers paid hackers 43 cents for each Mac machine they infected with bogus video software, a sign that Macs have become attack targets, a security researcher said yesterday.
In a presentation Thursday at the Virus Bulletin 2009 security conference in Geneva, Switzerland, Sophos researcher Dmitry Samosseiko discussed his investigation of the Russian "Partnerka," a tangled collection of Web affiliates who rake in hundreds of thousands of dollars from spam and malware, most of the former related to phony drug sites, and much of the latter targeting Windows users with fake security software, or "scareware."
But Samosseiko also said he had uncovered affiliates, which he dubbed "codec-partnerka," that aim for Macs.
"Mac users are not immune to the scareware threat," said Samosseiko in the research paper he released at the conference to accompany his presentation. "In fact, there are 'codec-partnerka' dedicated to the sale and promotion of fake Mac software."
One example, which has since gone offline, was Mac-codec.com, said Samosseiko. "Just a few months ago it
was offering [43 cents] for each install and offered various promo materials in the form of Mac OS 'video
players,'" he said.
Another Sophos researcher argued that Samosseiko's evidence shows Mac users, who often dismiss security as
a problem only for people running Microsoft's Windows, are increasingly at risk on the Web.
"The growing evidence of financially-motivated criminals looking at Apple Macs as well as Windows as a market for their activities, is not good news -- especially as so many Mac users currently have no anti-malware protection in place at all," said Graham Cluley, a senior technology consultant at U.K-based Sophos, in a blog entry
Mac threats may be rare, but they do pop up from time to time. In June 2008, for example, Mac security vendor Intego warned of an active Trojan horse that exploited a vulnerability in Apple's Mac OS X. Last January, a different Trojan was found piggybacking on pirated copies of Apple's iWork '09 application suite circulating on file-
Mac OS X's security has been roundly criticized by vulnerability researchers, but even the most critical have acknowledged that the Mac's low market share -- it accounted for just 5% of all operating systems running machines that connected to the Internet last month -- is probably enough protection from cyber criminals for the mo-
Protect your privacy on Facebook and Twitter
Here's how to safeguard your identity and your personal data in the age of the
By Tony Bradley
September 25, 2009 09:30 AM ET
PC World - Web surfing is no longer a solo affair. Facebook, Twitter, and other social networks have quickly become an integral part of the online culture, and with them comes a whole new array of potential security threats.
In this article, I'll identify some of the key dangers of social networking and offer a few easy steps that you can
take to stay safe online.
Social networking is built on the idea of sharing information openly and fostering a sense of community. Unfortunately, an online network of individuals actively sharing their experiences and seeking connections with other like-minded people can be easy prey for hackers bent on social-engineering and phishing attacks. It's important to be aware of the threats, and to maintain a healthy skepticism in your online interactions.
Be careful what you share
For starters, even in an open community of sharing, you should observe some boundaries. As President Obama
warned students in his address to schools earlier this month, "be careful what you post on Facebook. Whatever
you do, it will be pulled up again later somewhere in your life."
The core truth of that statement can be applied to any social networking site, and possibly even to the Internet as a whole. As a general rule, refrain from posting things online that you will regret later. Odds are good that someone, someday, will stumble across it, and it may come back to haunt you -- especially if you are planning to run for public office.
Aside from simply abstaining from posting embarrassing or inflammatory comments online, take two fundamentals to heart: Remember who your friends are, and know that a friend of a friend can be an enemy.
Remember who your friends are
When you write a Twitter tweet or post a Facebook status update, you have to keep your audience in mind. More
and more these days, we hear stories of people who have forgotten that their boss is part of their network and
have said things online that have gotten them reprimanded, even fired.
The consequences of inappropriate online comments have become so common that they have earned an entry
in the Urban Dictionary: Facebook fired. Saying something as obvious and seemingly innocent as "I'm bored" in
a status update during work hours can have dire consequences if the wrong people see it.
With services like Twitter, or the recent changes to Facebook that allow anyone to view and search updates, you
really have no way to hide.
Friends of friends may see your post
So, you've thought it through. You want to shout to the world what you really think about your boss's forcing you to work overtime and making you come in on the weekend. You've checked and double-checked, and you've determined that your boss is not in your network, so you let loose on the keyboard and speak your mind.
Unfortunately, you're not out of the woods just yet. Being outside of your network, your boss can't see your post
directly, but if one of your Facebook friends who are connected with your boss comments on your status update
-- even just to say "I sympathize" -- your boss may be able to click on the link through the common friend and
see your post anyway.
Go ahead, be social -- share your trials and tribulations with your growing network of adoring followers. To be safe, however, do so with one rule in mind: Don't ever post anything online that you aren't comfortable with everyone seeing, because eventually they probably will.
Marrying privacy and social networking may seem unintuitive. How can you be social and open, yet protect your
privacy? Well, just because you are choosing to share some information with a select group of people does not
necessarily mean that you want to share all of your information, or that you want the information you share to be
visible to all.
Facebook in particular has suffered from a number of issues related to privacy concerns. If you have used Facebook for a while, you may have noticed ads with your friends' names or photos associated with them.
Facebook does provide privacy controls for you to customize what types of information should be available to third-party applications. If you look at the Facebook Ads tab of the privacy controls, though, you'll notice that it offers no way for you to opt out of the internal Facebook Ads. It merely states that "Facebook strives to create relevant and interesting advertisements to you and your friends."
What do quizzes reveal about you?
For many users, one of the primary attractions of Facebook is the virtually endless selection of games and
quizzes. Part of the lure of the games and quizzes is the social aspect. In the games, friends can compete
against one another; through the quizzes, you can learn more about your friends while being briefly entertained.
The ACLU exposed problems with how much information these quizzes and games share, though. When a
Facebook user initiates a game or quiz, typically a notice pops up to declare that interacting with the application
requires opening access to information; the notice also provides the user the opportunity to opt out and cancel,
or to allow the access to continue.
The permission page clearly tells the user up front that allowing "access will let [the application] pull your profile
information, photos, your friends' info, and other content that it requires to work." One might wonder, as the
ACLU has, why any game or quiz application would "require" access to your friends' information in order to work.
Canada says 'no way'
Facebook's privacy, or lack thereof, has also run afoul of the Canadian government. The Privacy Commissioner
of Canada has determined that Facebook's privacy policies and practices violate Canadian privacy regulations,
and has recommended a variety of changes that Facebook should make to be compliant.
One of the major concerns involves the permanence of accounts and account data. Facebook offers a way to disable or deactivate an account, but it doesn't seem to have a method for completely deleting an account. Photos and status updates might be available long after a user has shut down a Facebook profile. And like the ACLU, the Canadian government is concerned about the amount of information shared with third-party applica-
Control what you can
While the concerns of the ACLU and the Canadian government run a little deeper, Facebook does in fact offer
privacy controls that restrict or deny access to information. Since Facebook is a social networking site designed
for sharing information, many of the settings are open by default. It is up to you to access the Privacy Settings
and configure the options as you see fit.
For each of the available settings, you can choose to share information with Everyone, My Networks and
Friends, Friends of Friends, or Only Friends; if you prefer, you can customize the settings to fine-tune access fur-
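The friend-of-a-friend exposure described under "Friends of friends may see your post" and the four audience settings just listed can be worked through in a small model. This is an added example, not Facebook's real access-control logic: the graph is constructed, and the rule that a comment makes the post reachable to the commenter's own friends is a simplifying assumption.

```python
"""Toy model of the four Facebook audience settings (Everyone, My Networks and
Friends, Friends of Friends, Only Friends) and of friend-of-a-friend exposure
through a comment.  Added illustration; not Facebook's actual logic."""
from collections import defaultdict

EVERYONE = "Everyone"
NETWORKS_AND_FRIENDS = "My Networks and Friends"
FRIENDS_OF_FRIENDS = "Friends of Friends"
ONLY_FRIENDS = "Only Friends"


class SocialGraph:
    """Undirected friendships plus the networks each user belongs to."""

    def __init__(self):
        self.friends = defaultdict(set)
        self.networks = defaultdict(set)

    def befriend(self, a, b):
        self.friends[a].add(b)
        self.friends[b].add(a)

    def join_network(self, user, network):
        self.networks[user].add(network)

    def is_friend(self, a, b):
        return b in self.friends[a]

    def is_friend_of_friend(self, a, b):
        # A direct friend counts; otherwise some mutual friend must link a and b.
        if self.is_friend(a, b):
            return True
        return any(self.is_friend(mutual, b) for mutual in self.friends[a])

    def shares_network(self, a, b):
        return bool(self.networks[a] & self.networks[b])


def can_view(graph, poster, viewer, audience):
    """Decide whether `viewer` may read a post by `poster` under `audience`."""
    if viewer == poster or audience == EVERYONE:
        return True
    if audience == NETWORKS_AND_FRIENDS:
        return graph.is_friend(poster, viewer) or graph.shares_network(poster, viewer)
    if audience == FRIENDS_OF_FRIENDS:
        return graph.is_friend_of_friend(poster, viewer)
    if audience == ONLY_FRIENDS:
        return graph.is_friend(poster, viewer)
    raise ValueError(f"unknown audience setting: {audience!r}")


def exposed_by_comment(graph, poster, commenter, audience):
    """Non-friends of the poster who get a link to the post through the
    commenter's activity (assumption: the commenter's friends see it) and whom
    the audience setting then allows to read it.  Returns their names."""
    if not can_view(graph, poster, commenter, audience):
        raise ValueError("commenter cannot see the post, so cannot comment on it")
    leaked = set()
    for onlooker in graph.friends[commenter]:
        if onlooker == poster or graph.is_friend(poster, onlooker):
            continue  # already inside the poster's own audience
        if can_view(graph, poster, onlooker, audience):
            leaked.add(onlooker)
    return leaked


def article_scenario():
    """Constructed graph for the article's example: you, a mutual friend, your
    boss (not your friend, but in your work network) and an unrelated user."""
    g = SocialGraph()
    g.befriend("you", "mutual_friend")
    g.befriend("mutual_friend", "boss")
    g.befriend("boss", "stranger")
    g.join_network("you", "Example Corp")
    g.join_network("boss", "Example Corp")
    return g


if __name__ == "__main__":
    g = article_scenario()
    for audience in (EVERYONE, NETWORKS_AND_FRIENDS, FRIENDS_OF_FRIENDS, ONLY_FRIENDS):
        via_comment = sorted(exposed_by_comment(g, "you", "mutual_friend", audience))
        print(f"{audience:24s} boss sees directly: {can_view(g, 'you', 'boss', audience)!s:5s}"
              f" reachable via comment: {via_comment}")
```

Only the "Only Friends" setting keeps the boss out once the mutual friend comments; "Friends of Friends" and a shared work network both let the post through.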
Hijacking and phishing
Social networking, by its very nature, is about socializing, which means users are letting their guard down and sharing information. They're expanding their professional networks, connecting with old friends, and communicating in real time with pals and peers. And for bad guys who favor social-engineering and phishing attacks, taking advantage is like shooting fish in a barrel.
Beware friends seeking money
Most people know enough to not respond to e-mail requests from exiled Nigerian royalty promising millions of dollars if only you will help them smuggle the money out of the country. Anybody who doesn't know better probably shouldn't be on the Internet; such people are a danger to themselves and others.
But what if your good friend from high school whom you haven't seen in 18 years sends you a message on
Facebook explaining how their wallet was stolen and their car broke down, and asks you to wire money to help
them get home? You might not be as apprehensive -- but you should be.
Attackers have figured out that family and friends are easy prey for such sob stories. Using other attacks or
methods, they gain access to a Facebook account and hijack it. They change the password so that the legitimate
owner can't get back in, and then they proceed to reach out to the friends of the hijacked account and attempt to
extort money from those friends through social engineering.
How do you resist such techniques? Assume that a relative or friend close enough to ask you for money would
probably have your phone number, and that Facebook or e-mail would not be the first choice for contacting you
in an emergency. If you get such a Facebook message or e-mail plea, and you aren't sure, pick up the phone
and call the person directly to confirm.
What's behind that tiny URL?
Another threat that has emerged as a result of social networking is the tiny-URL attack. Some URLs are very
long and don't work well in e-mail or in blog posts, which created a need for URL-shortening services. Twitter,
with its 140-character limit, has made the use of URL-shortening services like Bit.ly a necessity.
Unfortunately, attackers can easily exploit a shortened URL to lure users into accessing malicious Web sites.
Because the shortened URL is a random collection of characters that has nothing to do with the actual URL,
users cannot easily determine whether it is legitimate.
TweetDeck, a popular application for Twitter, provides a 'Show preview information for short URLs' option, which
offers some protection. The preview window shows details about the shortened URL, including the actual long
URL it leads to.
If you aren't using TweetDeck for Twitter, or if you need to deal with shortened URLs on other sites and services,
maintain a healthy dose of skepticism and remain vigilant about what might lie behind that obfuscated address.
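The preview that TweetDeck offers can be reproduced by hand: send a HEAD request to the short URL and read its Location header yourself rather than letting the HTTP client follow the redirect, so the destination is learned without the final page ever being fetched. This is an added example, not TweetDeck's or Bit.ly's code; the hop limit and the FakeConnection redirect table are assumptions constructed so that it runs offline.

```python
"""Reveal the target of a shortened URL without visiting it: one HEAD request
per hop, reading Location ourselves and never auto-following.  Added example;
hop limit and the constructed FakeConnection table are assumptions."""
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumed limit; longer shortener chains are refused as suspicious
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def next_hop(url, connection_factory=None):
    """One HEAD request for `url`.  Returns the redirect target as an absolute
    URL, or None when the response is not a redirect.  Never follows it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in {url!r}")
    if connection_factory is None:
        connection_factory = (http.client.HTTPSConnection if parts.scheme == "https"
                              else http.client.HTTPConnection)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = connection_factory(parts.netloc, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        if resp.status in REDIRECT_STATUSES:
            location = resp.getheader("Location")
            if location:
                return urljoin(url, location)  # Location may be relative
        return None
    finally:
        conn.close()


def expand_short_url(url, connection_factory=None, max_hops=MAX_HOPS):
    """Walk the redirect chain hop by hop and return (final_url, chain).
    Raises RuntimeError on a loop or when the chain exceeds `max_hops`."""
    chain = [url]
    for _ in range(max_hops):
        target = next_hop(chain[-1], connection_factory)
        if target is None:
            return chain[-1], chain
        if target in chain:
            raise RuntimeError("redirect loop: " + " -> ".join(chain + [target]))
        chain.append(target)
    raise RuntimeError("too many redirects: " + " -> ".join(chain))


def preview(url, connection_factory=None):
    """What a 'show preview information for short URLs' feature would display."""
    final, chain = expand_short_url(url, connection_factory)
    return {"final_url": final, "host": urlsplit(final).hostname, "hops": len(chain) - 1}


# Constructed offline stand-in for http.client connections.
# Keys are (netloc, request path); values are (status, Location header).
CONSTRUCTED_REDIRECTS = {
    ("short.example", "/abc"): (301, "https://hop.example/r?x=1"),
    ("hop.example", "/r?x=1"): (302, "/final/page"),
    ("hop.example", "/final/page"): (200, None),
    ("loop.example", "/a"): (301, "https://loop.example/b"),
    ("loop.example", "/b"): (301, "https://loop.example/a"),
}


class FakeResponse:
    def __init__(self, status, location):
        self.status, self._location = status, location

    def getheader(self, name, default=None):
        return self._location if name.lower() == "location" and self._location else default


class FakeConnection:
    """Mimics the subset of http.client.HTTPConnection that next_hop uses."""

    def __init__(self, netloc, timeout=None):
        self.netloc, self.path = netloc, None

    def request(self, method, path):
        self.path = path

    def getresponse(self):
        status, location = CONSTRUCTED_REDIRECTS.get((self.netloc, self.path), (404, None))
        return FakeResponse(status, location)

    def close(self):
        pass
```

Calling `preview(url)` without a connection factory performs real HEAD requests over http.client; the fake is only for the offline demonstration.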
Botnet PCs Stay Infected for Years
A hardcore of PCs controlled by botnets stay that way for years, an
analysis from security vendor Trend Micro has found.
By John E. Dunn, TechWorld.com
September 22, 2009 —
A hardcore of PCs controlled by botnets stay that way for years, an analysis from security vendor Trend Micro
According to an unpublished research note, the average length of time a PC stays part of a botnet, or is re-infected by it or another bot, varies from country to country, with China not surprisingly leading the way in absolute numbers of infections.
But Trend's figures, culled from 100 million compromised IP addresses, suggest that eighty percent remain compromised for more than a month, with the global median time for infection being over 300 days.
The majority of botnet-infected PCs, 75 percent, belong to consumers, but a surprising quarter of the IPs were
associated with business domains. Trend Micro assumes that this equates to a much higher level of business
botnet infection as a business IP address will usually hide a larger number of possibly infected machines.
The three biggest botnets are associated with the Facebook-targeting Koobface, Zeus/Zbot and the long-
established Ilomo/Clampi, the company says, representing possibly 100 million compromised machines.
"This means that cybercriminals have more computing power at their disposal than the entire world's supercomputers combined. Small wonder that more than 90 percent of all email worldwide is now spam," the Trend researchers say.
It is not a new insight by any means, but the analysis nevertheless detects a surprisingly large group of PCs that
appear to stay compromised indefinitely, undermining efforts to fight the botnet phenomenon.
Every country measured by Trend showed this spike (including the UK) and the numbers are significant, from tens of thousands to hundreds of thousands of PCs that exist as loyal botnet zombies for years at a time. The numbers of old zombies far outnumber the numbers of new zombies - those which have been infected for between one and three days - by some distance.
Site Offers Facebook Account Break-Ins for $100
Security vendor PandaLabs has discovered an online service offering to
help those so inclined to hack into any Facebook account they choose for
a price: $100.
By Jaikumar Vijayan
September 18, 2009 — Computerworld — Security vendor PandaLabs has discovered an online service offering
to help those so inclined to hack into any Facebook account they choose for a price: $100.
However, those who sign up for the service could find themselves becoming the victims instead, PandaLabs
The Facebook hacking service, which is delivered via a professional looking Web site, was discovered by
PandaLabs earlier this week.
Users of the service are required to first register with the site and then provide an ID of the Facebook account
they want hacked, said Luis Corrons, technical director of PandaLabs. Users who enter the ID and click on a
"Hack it" button are then presented with the username of the owner of the Facebook account. They then have
the option to "Start Facebook hacking."
Those who follow the instructions are eventually told that the hack was successful and a password for the
account was retrieved. But to actually get the password, the user is then required to send $100 via Western
Union to an individual in Kirovohrad, Ukraine. It's not clear whether sending the money will yield any login and
passwords, Corrons said.
But the way the site has been designed and the ease with which a potential client can interact with it lends it a
certain degree of credibility, he said. The site contains an FAQ section, which claims the site has been in
business for more than four years.
The site even provides a link to a Webmoney account that in fact does appear to be four years old, Corrons said.
However the domain itself appears to have been registered by someone in Moscow only a couple of days ago,
"We've been looking at it and we are 99.9% sure it is a ruse," to get people to pay up money in exchange for
what they think will be legitimate Facebook credentials, he said.
At least as of the last time PandaLabs inspected the site, it was not downloading or distributing any malware and
seems to have been set up purely to scam those seeking to gain illegal access to Facebook accounts, Corrons
Those who do fall for the scam are unlikely to go to law enforcement to report it, he noted.
Researchers Overwhelm Vendors with Security Flaws
Booming numbers of security researchers are uncovering so many flaws
that vendors are finding it almost impossible to patch them all in a
reasonable timeframe, the latest SANS report has found.
By John E. Dunn, TechWorld.com
September 22, 2009 —
Booming numbers of security researchers are uncovering so many flaws that vendors are finding it almost
impossible to patch them all in a reasonable timeframe, the latest SANS report has found.
This paradox is one of a number of findings contained in the Top Cyber Security Risks report, which the
organisation now plans to publish twice yearly in association with data provided by customers of partners
TippingPoint and Qualys, upgrading the annual reports it has produced for some years.
More researchers hunting for flaws should be a good thing, but the report for March to August 2009 suggests
that this has created logistical problems for an industry that is still heavily focused on adding features and
product enhancement as its main priority.
Attackers now look to undermine systems through application vulnerabilities, with server-side and OS flaws
declining in significance. Simultaneously, legitimate researchers have started finding the same types of flaws,
which has caught some vendors in a pincer of malicious attacks and honest disclosures they often don't seem to
have allocated the resources to deal with.
"There is a corresponding shortage of highly skilled vulnerability researchers working for government and
software vendors. So long as that shortage exists, the defenders will be at a significant disadvantage in
protecting their systems against zero-day attacks," note the report's authors.
The applications being attacked are significant in that they probably live on almost every PC in the world. The leading culprits identified by SANS are Microsoft's Office, Adobe's Acrobat Reader and Flash programs, and Sun's Java, and the various browsers in which such programs often run as plug-ins. Apple's Quicktime is another rising vulnerability star notable because it is popular across more than one operating system.
The arithmetic is daunting. More flaws, including zero day flaws, are being discovered in software that is ubiquitous, which has led to increased patching times. This is partly to do with the time it takes to produce a patch and partly down to organisations misunderstanding the risk of app flaws and taking too long to apply
"On average, major organisations take at least twice as long to patch client-side vulnerabilities as they take to
patch operating system vulnerabilities. In other words the highest priority risk is getting less attention than the
lower priority risk," says the report.
According to Wolfgang Kandek of Qualys, one of the major contributors to the SANS data, a third issue was how
to roll out security updates to consumer PCs in an efficient way.
"The problem today is that it is splintered on six [or more] different updaters." Just coping with application
patching on a single PC had become a major challenge, he said, which suggested a new integrated mechanism
was needed to make patching more seamless. Kandek praised Google's Chrome browser, where patching
happened transparently and without user intervention, as a model for the future.
"It can be quite challenging if you are focused on development to understand that software gets abused." The issue of patching cycles and patch application is already well-discussed by Qualys's own annual Laws of Vulnerability report, so the latest blast from SANS says nothing organisations shouldn't already be aware of.
The bigger lesson is for software vendors, which need to employ more researchers of their own and more people
to relate their discoveries to the complex process of patching vulnerable apps. Microsoft has done a lot of hard
work in this area with its much-vaunted Software Development Lifecycle (SDL), which is supposed to have
changed the way apps get written from the first line of code. Others have much work to do - Adobe take note.
Is Your Office Printer Secure?
A new program from ICSA Labs aims to tackle network-attached device
security - a problem they believe is overlooked and poses serious risks
By Joan Goodchild, Senior Editor
September 21, 2009 — CSO —
Hackers may be using your office printer as a conduit for criminal activity. Think about it: A printer in today's
office environment often saves on its hard drive all images of documents that are printed, scanned or faxed.
Therefore, hackers who know anything about accessing files on a network might easily gain access to that
sensitive data. This kind of threat is too frequently overlooked, according to ICSA Labs, a security products
testing and certifications firm. ICSA said Monday it is introducing new certification and assessment programs
that will address security threats posed by networked devices such as printers, fax machines and security
cameras. The programs, known as Network Attached Peripheral Security (NAPS), will include a vendor
certification program. The class of network-connected devices addressed by the program will include printers,
faxes, point-of-sale systems, copiers, ATM machines, digital signs, proximity readers, security cameras, and
facility management systems for power, lighting and HVAC systems, said George Japak, managing director,
"You have UPS systems, you have power strips, I could go on and on about the different devices that are being
connected with this functionality."
Network-connected devices, according to Japak, can pose as much risk as an unsecured server on the network
but are often ignored and are typically not securely installed or configured by end-users, he said. Network-
attached devices, like network servers, are at risk for unauthorized access and data breach, denial of service
attacks and can even propagate worms like Code Red and Nimda. However, specific statistical data to back up the
severity of the security issues posed by network-connected devices is scant. ICSA referred to figures from the
Verizon Business 2009 Data Breach Investigations Report which finds many breaches occur through what is
called "unknown, unknowns," which can involve systems such as printers and faxes. No further data about
specific attacks or incidents was available from ICSA.
"Based on the feedback from current and prospective customers, this is going to be or have the potential to be a
significant issue and problem with enterprises as they continue to deploy these devices," said Japak.
Networked-device security is certainly not a new issue and the potential for security problems with devices has
been talked about for several years now. Printer security has also received attention from other organizations.
Earlier this year, the IEEE released new security standards for networked printers that include specifications and
a checklist for printer security requirements. The standards, known as the 2600 Profile requirements, were
created by IEEE in a joint effort with Xerox and were created to give printer vendors basic security requirements
when developing devices. Japak said ICSA is still reviewing the IEEE standards to determine how they will fit in
with the NAPS program.
The NAPS certification will target device manufacturers and will include rigorous testing that examines several
different aspects of a device and how each impacts its overall security. ICSA is also hoping to gain attention from
enterprise clients concerned about device security with a NAPS assessment program that offers an evaluation
and report with results of testing and recommended configuration instructions.
Playing Catch-up, Again
by Tom Olzak, Olzak
Thu, 2009-09-17 16:23
A heap of blogs and articles popped up recently about the shift attackers are making to attacking applications
instead of operating systems—Windows especially. Why? Ostensibly because operating systems are more
secure today, due to vendor design decisions and user/organizational patching efforts. So the reasoning is that
this leaves applications as the weak security link. Is this really news? Not really.
In our rush to fight the criminal assaults against our operating systems and LAN/WAN devices, we have typically
overlooked applications running on servers and other endpoint devices. Organizations which tried to assess
their ability to patch other applications found themselves hampered by the lack of effective, centrally managed
tools. This is better today—at least for Windows-based organizations—with the introduction of Microsoft’s
SCCM solution, but there is still a gap—a big one.
The average medium- or large-sized business might have hundreds of applications spread across hundreds or
thousands of end-user devices. The problem is propagated by the unwillingness of many organizations to
remove local administrator access from users who don’t absolutely need it to do their jobs. Exacerbating the
problem is the tendency for IS teams to ignore desktop application patching because it is just “too hard.”
This set of conditions creates a big opportunity for people like Henry B. Hacker (fictional character I made up…).
In the past, Henry focused on Windows to gain access to data he could sell to the highest bidder. Now,
however, Windows is getting harder to crack. Not because it is completely hardened, but because Microsoft and
its customers have gotten smarter about patching and general device hardening. So Henry, looking for an attack
surface with a lower work-factor, is beginning to go after installed endpoint application vulnerabilities. The
general lack of application-level processes and tools deployed across Henry’s target industries results in a rich
The application vulnerabilities have always been there. And no, I’m not just talking about Adobe products or
Java. These high profile applications are typically addressed. It is the other applications, which are typically not
managed by IS, which present the biggest problem. For example, an entire department might have decided to
download and install a cool freeware application they just can’t live without. A satellite location may have
purchased an application, comprised in part by commonly used and potentially vulnerable components, to
process protected health information. On top of all this, many vendors don’t bother issuing patches. If an
organization hasn’t locked down endpoint devices, applications like these have been infiltrating its network for
The effect is the need to once again play catch-up. As we’ve largely ignored problems associated with “user
approved” applications, Henry has been working hard to come up with ways to exploit them. So I recommend
two solutions to the current, well-publicized shift to attacking applications.
1. Deal with existing applications. If your organization still provides users with local administrator access,
you have to assume they’ve installed a large number of applications unknown to you. Further, you have to
make sure those applications IS actually installed and supports are protected. So the first step is
deploying a solution, like SCCM, which can identify and report on installed applications. Applications like
SCCM probably cannot identify all third party applications, but it’s a good start. Second, develop
processes to identify vulnerabilities or patches as they're announced. One of the best resources for this
is the National Vulnerability Database. Another excellent resource, which includes whether patches are
available for specific vulnerabilities, is SecurityFocus. In other words, know what’s installed and deal with
2. TAKE AWAY LOCAL ADMIN ACCESS. It’s doubtful you can track all applications users install on their
systems. The only way to control this problem is to take away their ability to install anything not approved
and packaged by the organization. And let’s not forget that taking away privileged access helps keep bad
stuff from installing surreptitiously.
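The two recommendations above come down to a process: know what is installed on each endpoint, match that list against announced vulnerabilities, and find out where users still hold local administrator rights. The script below is an added example of that reconciliation, not code from the original post or from any product named in it. The hosts, installed applications and advisory records are constructed sample data, the advisory identifiers are placeholders rather than real CVE numbers, and the feed format is an assumption about the vendor/product/fixed-version facts a team would extract from a source such as the National Vulnerability Database.

```python
"""Reconcile an endpoint software inventory against a vulnerability feed.

Added example, not code from the original post. The hosts, installed
applications and advisories below are constructed sample data; the
advisory identifiers are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # placeholder id such as "EXAMPLE-0001"
    vendor: str
    product: str
    fixed_in: Optional[str]   # first non-vulnerable version; None = no vendor patch


@dataclass
class Host:
    name: str
    local_admins: List[str]                  # members of the local Administrators group
    installed: List[Tuple[str, str, str]]    # (vendor, product, version) from the inventory tool


# Constructed advisory records, shaped like the facts a team would extract
# from a feed such as the National Vulnerability Database.
SAMPLE_FEED = [
    Advisory("EXAMPLE-0001", "adobe", "reader", "9.2"),
    Advisory("EXAMPLE-0002", "sun", "jre", "1.6.0_16"),
    Advisory("EXAMPLE-0003", "freeware-co", "coolviewer", None),   # vendor never shipped a fix
]

# Constructed inventory, as an SCCM-style installed-software report might list it.
SAMPLE_INVENTORY = [
    Host("WS-0101", ["Administrator", "jsmith"],
         [("adobe", "reader", "9.1.3"), ("sun", "jre", "1.6.0_15"), ("mozilla", "firefox", "3.5.3")]),
    Host("WS-0102", ["Administrator"],
         [("adobe", "reader", "9.2.0"), ("freeware-co", "coolviewer", "2.1")]),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.6.0_16' into (1, 6, 0, 16) so versions compare numerically.
    '_' and '-' count as separators; a trailing non-digit suffix is dropped."""
    parts = []
    for piece in version.replace("_", ".").replace("-", ".").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(version: str, fixed_in: Optional[str]) -> bool:
    """An installed version is affected if no fix exists or it predates the fix."""
    if fixed_in is None:
        return True
    return parse_version(version) < parse_version(fixed_in)


def reconcile(inventory: List[Host], feed: List[Advisory]) -> List[Dict[str, str]]:
    """Match each installed (vendor, product) against the feed; report affected installs."""
    by_product: Dict[Tuple[str, str], List[Advisory]] = {}
    for adv in feed:
        by_product.setdefault((adv.vendor, adv.product), []).append(adv)
    findings = []
    for host in inventory:
        for vendor, product, version in host.installed:
            for adv in by_product.get((vendor, product), []):
                if is_vulnerable(version, adv.fixed_in):
                    findings.append({
                        "host": host.name,
                        "product": f"{vendor} {product} {version}",
                        "advisory": adv.advisory_id,
                        "action": (f"upgrade to {adv.fixed_in}" if adv.fixed_in
                                   else "no vendor patch: remove or isolate"),
                    })
    return findings


def hosts_with_extra_admins(inventory: List[Host], approved=("Administrator",)) -> Dict[str, List[str]]:
    """Hosts where accounts outside the approved set hold local admin rights."""
    extra = {}
    for host in inventory:
        unexpected = [a for a in host.local_admins if a not in approved]
        if unexpected:
            extra[host.name] = unexpected
    return extra


if __name__ == "__main__":
    for finding in reconcile(SAMPLE_INVENTORY, SAMPLE_FEED):
        print(finding)
    print("extra local admins:", hosts_with_extra_admins(SAMPLE_INVENTORY))
```

The version comparison is deliberately tuple-based rather than string-based, so that "9.2.0" is correctly treated as not older than "9.2"; the third finding shows the case the post raises of a vendor that never issues a patch, where the only options are removal or isolation.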
New Trojan gives criminals full-service bank theft
By Robert McMillan
September 30, 2009 02:26 AM ET
IDG News Service - Security experts agree that cyber-criminals are getting better, but a new Trojan takes things
to a whole new level.
The URLzone Trojan, identified by researchers at Web filtering vendor Finjan Software earlier this month, repre-
sents "the next generation of bank Trojans," said Yuval Ben-Itzhak, Finjan's chief technology officer.
After it infected about 6,400 computer users last month, the Trojan was clearing about €12,000 (US$1,750) per
day. That puts it on track to rake in as much as €7.3 million annually.
Criminals installed the Trojan by luring visitors to infected Web sites and leveraging a variety of PC software
flaws. They managed to infect about 7.5 percent of the 90,000 computers they attacked before Finjan got access
to their command-and-control server, the company said.
More widespread Trojans such as Zeus and Clampi have been siphoning millions of dollars per day out of banks
by stealing victims' online credentials and then moving money to unsuspecting "money mules" who then transfer
the cash offshore. These mules are often recruited from job sites such as Monster.com and they typically believe
they're doing legitimate payroll work for overseas companies, and not organized criminal enterprises. Once they
send the stolen money offshore, they can be the ones who are held accountable for the loss.
But URLzone is even more sophisticated than its predecessors, Ben-Itzhak said.
Its sophisticated user interface lets the bad guys set some controls that help keep fraud detection systems at
bay. From a central server, they can, for example, set the system to ensure that the account's balance never
drops below zero; they can pre-set the system to make a series of small withdrawals that will appear unsuspi-
cious; and the software will change the way the victim's banking page is displayed so the true transactions don't
"Basically they say, 'I will steal from you €5,000, but I want to make sure at least 5 percent will remain in your
balance,'" Ben-Itzhak said.
Organized Cybercrime Revealed
The shadow economy for stolen identity and account information
continues to evolve
By Michael Fitzgerald
September 28, 2009 — CSO —
As if CSOs don't have enough on their plates, they now need to beat back made men, capos and the other
elements of the Mafia. Yes, the Mafia is formally involved in cybercrime, or so alleges the U.S. attorney for
Florida, who filed charges against associates of the Bonanno crime family that included pilfering data from Lexis-
The Mafia engaging in cybercrime might sound like your grandmother joining Facebook. In fact, "the majority of
data breaches are the result of organized crime," says Nick Holland, an analyst at Aite Group in Boston. That
doesn't mean it's the conventional Mafia pulling the strings—though it can be. In fact, it's hard to tell just who is in
control sometimes. For the most part, cybergroups that become notorious, like the Rockfish or the old Russian
Business Network, do so because very few cybercrime groups publicize themselves, says Steve Santorelli of
Team Cymru. (Cymru, pronounced cumri, is the Welsh word for Wales.)
In fact, observers sometimes disagree on just who's behind a crime. Take last year's RBS Worldpay scam,
which saw hackers not only make off with 1.5 million records from the electronic payments processor, but make
fake ATM cards used to withdraw more than $9 million in 49 cities around the world in a one-hour period. Frank
Heidt, CEO of Leviathan Security in Seattle, thinks this was a case of an extremely well-organized group with
roots in Russian organized crime. Peter Cassidy, director of research at Triarche Consulting Group in
Cambridge, Mass., says it looks like a franchise-style operation in which the data and details on how and when
to use it was sold to groups operating in different regions.
Either way, it's organized crime. Just a few years ago, most hackers either acted for the glory of spreading a
virus they'd written, or handled all aspects of an operation, from phishing to building fake websites to cashing in
on the fraud. Since then, cybercriminals have discovered Adam Smith. They specialize, they create markets and
above all, they're entrepreneurial. And because of the Internet, "you get radical distribution of labor and a
radically fast ability to recruit skills," says Cassidy.
These organizations adopt various structures. The crime family model obviously still applies when the Mafia is
involved. Some groups that seem independent of the Mafia, like the people who ran Carder's Market—an
underground site for buying and selling credit card information—also use a Mafia-like structure and terminology.
Phishing groups tend to work like Japanese keiretsu, says Cassidy, who is also secretary of the Anti-Phishing
Working Group. Cybercriminals sometimes use a hub-and-spoke model, where a criminal mastermind puts
together various tools and people needed to pull off a job. Want a botnet? A Symantec study found that on
average, you could gain use of one for $225. Need a keystroke logger? Average price: $23. Want someone to
host a phishing scam? That can be had for as little as $2. A specific vulnerability in financial sites might cost
You can even get specialized versions of malware, websites, etc.—the Verizon 2009 Data Breach report found
that 59 percent of the malware it saw was customized. Sometimes the criminals adopt models that look like the
software business. You can literally buy "fraud as a service," where criminals subscribe to hosted services—a
story first illuminated in CSO's September 2007 article, "Inside the Global Hacker Service Economy" (see
Between 70 percent and 80 percent of malware now comes from organized groups, estimates Bogdan Dumitru,
CTO at BitDefender, an antivirus firm based in Romania. Lone hackers still break new ground: Dumitru says
Twitter malware that's popped up recently was "developed by a kid. But in the next two months we'll probably
see organized entities taking advantage of it."
The fluidity of cyberorganizations can make them more difficult for law enforcement to penetrate than their real-
world counterparts. But it's not impossible. DarkMarket, a spam and phishing forum, eventually was taken over
and hosted on FBI servers. J. Keith Mularski, the supervisory special agent at the FBI assigned to the National
Cyber Forensics and Training Unit, ran this site undercover, posing as a spammer named MasterSplynter.
DarkMarket started leading to arrests of prominent spammers and phishers in May 2007. It eventually closed in
October 2008, after the arrest of DarkMarket's boss, a Turkish hacker whose handle was Cha0, leaving Mularski
as the last leader standing. Ultimately, sixty people—most of them the most powerful members of DarkMarket—
were arrested in at least four countries: Germany, Turkey, the U.K. and the U.S. The FBI also got six complete
malware packages and may have prevented $70 million in losses at financial services firms. Plus, it arrested
Cha0 and his seven-member gang in Istanbul before they could ship out about 1,000 ATM skimmers, which
prevented an additional $33 million in losses.
"Sure, they'll reorganize, but with every law enforcement action, it's a little bit harder to regroup," says Mularski.
The DarkMarket operation has at least temporarily driven many cybercriminals off of Internet Relay Chat and
bulletin boards, says Team Cymru's Santorelli. They've opted instead for private instant messenger groups that
they control, says Santorelli.
DarkMarket involved law enforcement groups working together across borders. That's a good step in what
remains a challenge. Cybercriminals "are good at finding cracks in international law," says Yuval Ben-Itzhak,
CTO of security firm Finjan. A group might be based in one country, use servers in a second and commit crimes
in a third.
This problem has led to calls for better international law. For instance, Brazil has become a hotbed of bank fraud,
phishing and Trojan activities since the penalties there are very light. Some are even calling for a group that can
force Internet service providers to cut off servers that obviously house phishers.
More countries may be taking cybercrime seriously. While Eastern Europe is seen as a kind of Wild Cyber West,
last year, Romanian police arrested 20 people in Ramnicu Valcea and Dragasani, towns known for organized
eBay scams (one tried to auction off a Romanian city hall). Florin Talpes, BitDefender's CEO, says joining the
European Union in 2007 has changed attitudes in Romania and in Bulgaria, which have created stronger legal
frameworks for fighting cybercrime.
Mularski, however, cites Romania as a country where traditional organized crime clearly has become involved in
cybercrime. The FBI arrested 35 Romanians running a phishing and ATM skimming scam in Los Angeles, and
Mularski says they were connected with Romanian organized crime. He concedes that the FBI did work with
Romanian law enforcement to make 80 arrests in the two countries in a separate case. At least there are arrests
in Romania. That rarely happens in a place like Russia, although two unnamed Russian hackers were recently
indicted in the Heartland and Hannaford hacking cases—along with US-based alleged mastermind Albert
Still, even cybercrime groups suffer from market forces. They've so flooded the cyber black market with credit
card data that prices are falling. Organized crime has shifted its targets. They're after medical records, which are
valuable. They target company CFOs, aiming to get access to corporate bank accounts and wire money out of
them. That tactic has had success: In late July, The Washington Post detailed how stealth Trojans had been
used to infect a PC used by a county treasurer, a school district and the head of a small business. Hundreds of
thousands of dollars were wired to money mules who then sent the funds on to bank accounts in the Ukraine
Targeted industries are also shifting. While financial firms make the juiciest targets, Borenstein says that RSA is
seeing more activity around the healthcare, manufacturing and government sectors.
Also on the rise are call center scams. Organized criminals may get access to someone's bank or brokerage
account but be unable to transfer money because of Web protections put in place by financial firms. So the
criminals call customer service to complain and even bully, hoping to get help in transferring money out.
Meanwhile, social networks "are gold mines to social engineers, to someone who wants to get to the CFO of an
organization to attack them," says Joshua Corman, principal security strategist at IBM Internet Security Systems.
Corman says CSOs need to tell employees not to answer things like those "25 Questions" surveys that run
rampant on sites like Facebook because the answers often include information used as hints for account
BATTLING BACK AGAINST ORGANIZED CYBERCRIME
Even as cybercriminals get more sophisticated, the best ways to stop them are often the simple ones. Verizon's
report said that many credit card breaches occurred at firms with minimal PCI compliance. It also found that 51
percent of firms breached had never changed the default vendor passwords for equipment.
Equipment itself gets overrated by CSOs and CISOs, says Michael Levin, former deputy director of the National
Cyber Security Division of the Department of Homeland Security. "They are wasting money on hardware and
software," he says. Instead, they should do things like tell employees not to click on e-mail attachments and
other basics. Levin has cofounded the Center for Information Security Awareness in Fairfax, Va., which has
prepared the free, online awareness training offered through InfraGard, the FBI's regional effort to work more
closely with private companies on cybercrime.
CSOs should get involved with groups like InfraGard or develop relationships with regional FBI or Secret
Service agents and local law enforcement. They should also regularly assess their risk levels. "You have to
assess every record and every piece of data in the place for its value to criminals," says Cassidy.
CSOs should also be prepared to do much of their own forensics work before going to law enforcement. Levin
says once law enforcement is involved, they may need a search warrant or even a grand jury subpoena to do
things like explore company computers for malware, slowing the process.
Above all, talk to people outside of the security department or IT, and talk to peers at other companies,
especially financial firms, which are on the front lines of the corporate cyberwars. The cybercriminals don't
cloister themselves, and CSOs can't either.
U.K. High Court serves injunction using Twitter
By Jeremy Kirk
October 2, 2009 06:55 AM ET
IDG News Service - For the first time, a U.K. court delivered an injunction over Twitter on Thursday, a ground-
breaking embrace of technology by a traditionally slow-moving legal system.
The injunction orders an anonymous person to stop impersonating Donal Blaney, a prominent right-wing blogger
and owner of the Griffin Law firm based in Hawkhurst, England.
The impersonator had set up a Twitter account that used Blaney's photo from his blog, linked to his blog posts
and tweeted with the same style and tone of writing. While parody could be a defense, in this case "it was clearly
designed to encourage people to think it was truly me," Blaney said.
Blaney's attorney went to the U.K.'s High Court in London on Thursday morning. The injunction was delivered by
Twitter's direct message feature to the impersonator, so it is not public. The tweet contained a link to the injunc-
tion, which orders the person to reveal their identity and stop impersonating Blaney on Twitter.
The judge, who was familiar with Twitter, also knew of a case in Australia where court proceedings were deliv-
ered over Facebook, Blaney said.
The delivery of an injunction over Twitter is innovative and "will make it harder for people who are abusing the In-
ternet and abusing the cowardly cloak of anonymity to harass and bully people," Blaney said.
If the impersonator doesn't get in touch with the court, Blaney has a couple of options, although identification of
the person could be difficult. He could get a penal notice from the court, which would warn that the impersonator
could be held in contempt of court for not coming forward.
However, penal notices must be served in person, Blaney said, and it's unlikely a judge would allow one to be
delivered over Twitter.
Another option would be to file separate proceedings against Twitter in California to reveal the IP (Internet Proto-
col) address of the computer that posted the tweets. Then, it would be possible to ask the ISP (Internet service
provider) to reveal the subscriber's identity or location of the computer. That is a "slow and expensive process,"
The impersonator's account was still active as of Friday morning, he said.
Blaney said he went directly to the court instead of immediately contacting Twitter because the service can take
a week to remove a fraudulent account, based on his experience with one of his clients. He sent an e-mail to
Twitter this morning asking for the account to be removed.
Part of his frustration stems from the fact that Twitter has no public phone line to report complaints, and users
who feel there is inappropriate contact must just send an e-mail, Blaney said.
"It is unacceptable that a site as powerful as Twitter is behaving in the same manner as an ISP a decade ago,"
Because of increasing abuse by spammers, phishers and other scams, ISPs have generally improved their re-
sponse times now when alerted to problems on their networks. Social networking sites such as MySpace and
Facebook, which grew very rapidly, have also made efforts to improve their reaction times.
Twitter could not be immediately reached for comment.
Researchers advise cyber self defense in the cloud
By Dan Nystedt
October 12, 2009 06:16 AM ET
IDG News Service - Security researchers are warning that Web-based applications are increasing the risk of
identity theft or losing personal data more than ever before.
The best defense against data theft, malware and viruses in the cloud is self defense, researchers at the Hack In
The Box (HITB) security conference said. But getting people to change how they use the Internet, such as what
personal data they make public, won't be easy.
People put a lot of personal information on the Web, and that can be used for an attacker's financial gain. From
social-networking sites such as MySpace and Facebook to the mini-blogging service Twitter and other blog sites
like Wordpress, people are putting photos, resumes, personal diaries and other information in the cloud. Some
people don't even bother to read the fine print in agreements that allow them onto a site, even though some
agreements clearly state that anything posted becomes the property of the site itself.
The loss of personal data by Sidekick smartphone users over the weekend, including contacts, calendar entries,
photographs and other personal information, serves as another example of the potential pitfalls of trusting the
Cloud. Danger, the Microsoft subsidiary that stores Sidekick data, said a service disruption almost certainly
means user data has been lost for good.
Access to personal data on the cloud from just about anywhere on a variety of devices, from smartphones and
laptops to home PCs, shows another major vulnerability because other people may be able to find that data, too.
"As an attacker, you should be licking your lips," said Haroon Meer, a researcher at Sensepost, a South African
security company that has focused on Web applications for the past six years. "If all data is accessible from any-
where, then the perimeter disappears. It makes hacking like hacking in the movies."
A person who wants to steal personal information is usually looking for financial gain, Meer said, and every bit of
data they can find leads them one step closer to your online bank, credit card or brokerage accounts.
First, they might find your name. Next, they discover your job and a small profile of you online that offers further
background information such as what school you graduated from and where you were born. They keep digging
until they have a detailed account of you, complete with your date of birth and mother's maiden name for those
pesky security questions, and perhaps some family photos for good measure. With enough data they could
make false identification cards and take out loans under your name.
Identity theft could also be an inside job. Employees at big companies that host e-mail services have physical
access to e-mail accounts. "How do you know nobody's reading it? Do you keep confirmation e-mails and pass-
words there? You shouldn't," said Meer. "In the cloud, people are trusting their information to systems they have
no control over."
Browser makers can play a role in making the cloud safer for people, but their effectiveness is limited by user
habits. A browser, for example, may scan a download for viruses, but it still gives the user the choice of whether
or not to download. Most security functions on a browser are a choice.
Lucas Adamski, security underlord (that's really what his business card says) at Mozilla, maker of the popular
Firefox browser, offered several bits of cyber self defense advice for users, starting with the admonition that peo-
ple rely on firewalls and anti-virus programs too much.
"You can't buy security in a box," he said. "The way to be as secure as possible is about user behavior."
There is a lot of good built-in security already installed in browsers, he said. If you get a warning not to go to a
site, don't go to it. When you do visit a site, make sure it's the right one. Are the images and logos right? Is the
URL correct? Check before you proceed with filling in your username and password, he counseled.
Software updates are vital. "Make sure you have the most up-to-date version of whatever software you use," he
said. Updates almost always patch security holes. Key software programs such as Adobe Systems' Flash Player
and Reader are particularly important to keep updated because they're used on so many computers and are
prime targets for hackers.
He also suggested creating a virtual machine on your computer using VMware as a security measure.
"It's really hard to get people to change their browsing habits," he said. People want to surf the Web fast, visit
their favorite sites and download whatever they want without thinking too much about security. "Educate them,
move them along, but don't expect them to become security experts."
Internet browser makers take great care in building as much security as possible into their products and putting
them through rigorous testing.
The security team for Google's Chrome browser, for example, will take the first crack at any major update to the
software, hacking away to find vulnerabilities or ways to improve security, said Chris Evans, an information secu-
rity engineer at Google.
After the Chrome security team takes a whack at the software and it is reworked to fix the holes they found, oth-
er security teams at Google will have a go at the product to see what trouble they can cause. Finally, the soft-
ware is released in beta form, and private security researchers and others can hack away. Any problems are
fixed before the final release goes out and then the Chrome team stands ready to make new patches for any
other security issues that crop up.
Despite all the testing, browser makers are only one part of the security solution because they have no control
over Web software or user browsing behavior.
The cloud is the Wild West: hackers and malware makers abound, phishers seek passwords and users do what-
ever they want to, recklessly surfing and downloading potentially dangerous content as judged by security re-
Companies developing Cloud applications and services will need to do more for Web security. Amazon.com with
its Web Services and Google as it moves forward with initiatives, such as Google Docs, that attempt to draw
people to Web applications and away from computer applications will need to work more closely with security re-
searchers, Meer said.
And Google's work on the security in the Chrome browser highlights the reason why: Computer applications
such as Chrome face intense scrutiny by security researchers throughout the Web, while Web applications do
"Reverse engineering keeps [big software companies] honest," said Meer. "If they hide something in the soft-
ware code, sooner or later someone finds it. With Cloud services, you just don't know because we simply cannot
Cloud applications are built by one company, and nobody is looking at the code or how safe it is, said Meer. Ap-
plications for computers are different. They can be ripped apart by security experts then put back together
stronger so there are no security holes, he said.
"Trust but verify," said Meer. "Just because a guy does no evil today, we cannot trust that they will do no evil to-
morrow because we simply cannot verify it."
UC Berkeley tightens personal data security with data-masking tool
By Ellen Messmer
October 12, 2009 02:05 AM ET
Network World - To better safeguard the personal data of its students, the University of California at Berkeley
(UC Berkeley) has adopted a specialized data-masking technique in its application development work that effec-
tively can hide data in plain sight by mixing it up.
Data such as students' first and last names can be switched around to camouflage the real names, and sensitive
information such as student identification numbers also undergoes a gentle jumbling so what appears to the eye
is not the true number. It's done with a tool called datamasker from dataguise. Steve McCabe, associate director
of information in UC Berkeley's residential and student services program, says the advantage in using the
dataguise tool is it significantly reduces security risks around personal, sensitive data.
"Student IDs paired with names becomes restricted data here," says McCabe, describing some of the data-priva-
cy rules that the university must follow. But the challenge has been how to enforce restrictions in a software-de-
velopment environment where constant work by several developers is ongoing to support UC Berkeley's home-
grown Web-based applications for SQL Server, such as the housing and assignment system.
McCabe says the data-masking approach, in which the dataguise tool mixes up names, sensitive numbers and
other data prior to developers seeing it (dataguise calls it "de-identification"), has worked out well because the
data columns maintain the necessary structure but the content is effectively concealed to the naked eye.
"We do a lot of application development and handling large volumes of student information, and we wanted a
way to restrict that data," McCabe says. "So we randomize the IDs, and first name, last name, date of birth, and
While one main copy of a production database is preserved, with the genuine student information, developers
can freely work on copies that have undergone the dataguise data-masking treatment in what McCabe calls a
"sanitized version" without concern of a potential data breach.
"It maintains the relationship and updates with scrambled data," McCabe says. Though the production database
has to be protected through other means, the risks associated with data exposed to developers and testers in
the course of their work have been vastly reduced since UC Berkeley started using the tool about six months ago.
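The property McCabe describes, a sanitized copy whose columns keep their structure and whose rows keep their relationships while the content is no longer the real data, is what a masking step has to deliver. The script below is an added example of one way to get that property; it is not the dataguise tool and not UC Berkeley's code. The student and housing rows are constructed, and the method (keyed pseudonymous IDs so that joins across tables still line up, plus shuffling of the name and date-of-birth columns) is an assumption about how such de-identification can be implemented, not a description of the product.

```python
"""De-identify a development copy of student records while keeping table relationships.

Added example, not the dataguise tool or UC Berkeley's code. The rows are
constructed, and the method (keyed pseudonymous IDs plus column shuffling)
is an assumption about how masking can be done, not a description of the product.
"""
import hashlib
import hmac
import random
from typing import Dict, List, Tuple

Row = Dict[str, str]

# Constructed sample tables: a student table and a housing table that references
# it by student ID, mimicking the relationship the masked copy must preserve.
STUDENTS: List[Row] = [
    {"student_id": "30412345", "first": "Alice", "last": "Nguyen", "dob": "1990-04-12"},
    {"student_id": "30498765", "first": "Bob", "last": "Okafor", "dob": "1991-11-02"},
    {"student_id": "30455555", "first": "Carol", "last": "Silva", "dob": "1989-07-30"},
    {"student_id": "30411111", "first": "Dan", "last": "Ito", "dob": "1992-01-19"},
]
HOUSING: List[Row] = [
    {"student_id": "30412345", "hall": "Unit 1", "room": "214"},
    {"student_id": "30455555", "hall": "Unit 3", "room": "107"},
    {"student_id": "30498765", "hall": "Unit 1", "room": "215"},
]


def pseudonymize_id(student_id: str, key: bytes) -> str:
    """Map a real ID to a pseudonym with the same digit count.
    HMAC with a secret key is deterministic (so the same real ID maps to the
    same pseudonym in every table) but cannot be reversed from the masked copy
    alone. The key stays with the production side, never with developers."""
    digest = hmac.new(key, student_id.encode(), hashlib.sha256).digest()
    number = int.from_bytes(digest[:8], "big")
    return str(number % 10 ** len(student_id)).zfill(len(student_id))


def shuffle_column(rows: List[Row], column: str, rng: random.Random) -> None:
    """Permute one column across rows in place, so values stay realistic
    but are no longer attached to the person they belong to."""
    values = [row[column] for row in rows]
    rng.shuffle(values)
    for row, value in zip(rows, values):
        row[column] = value


def mask_tables(students: List[Row], housing: List[Row], key: bytes,
                seed: int = 1234) -> Tuple[List[Row], List[Row]]:
    """Return masked copies of both tables; the originals are left untouched."""
    rng = random.Random(seed)
    id_map = {s["student_id"]: pseudonymize_id(s["student_id"], key) for s in students}
    if len(set(id_map.values())) != len(id_map):
        raise ValueError("pseudonym collision; choose a different key")
    masked_students = [dict(s, student_id=id_map[s["student_id"]]) for s in students]
    masked_housing = [dict(h, student_id=id_map[h["student_id"]]) for h in housing]
    for column in ("first", "last", "dob"):
        shuffle_column(masked_students, column, rng)
    return masked_students, masked_housing


def masking_is_sound(students: List[Row], housing: List[Row],
                     masked_students: List[Row], masked_housing: List[Row]) -> bool:
    """Checks a reviewer would run before handing the copy to developers."""
    real_ids = {s["student_id"] for s in students}
    masked_ids = {s["student_id"] for s in masked_students}
    if real_ids & masked_ids:                 # no genuine ID survives
        return False
    if len(masked_ids) != len(real_ids):      # one pseudonym per student
        return False
    if any(h["student_id"] not in masked_ids for h in masked_housing):
        return False                          # every housing row still joins
    return len(masked_housing) == len(housing) and len(masked_students) == len(students)


if __name__ == "__main__":
    masked_s, masked_h = mask_tables(STUDENTS, HOUSING, b"dev-copy-key")
    print("sound:", masking_is_sound(STUDENTS, HOUSING, masked_s, masked_h))
    for row in masked_s:
        print(row)
```

Shuffling rather than replacing the name and date columns keeps the distribution of real-looking values that application code and test cases rely on, while the keyed pseudonym is what lets the housing table still join to the student table in the sanitized copy.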
UC Berkeley, like many universities, has suffered consequential data breaches. In May, UC Berkeley acknowl-
edged a data breach in which it said hackers broke into its health-services databases, compromising health-re-
lated information on about 160,000 individuals.
How hackers find your weak spots
October 19, 2009 (ComputerWorld) -
While there are an infinite number of social engineering exploits, typical ones include the following:
Stealing passwords: In this common maneuver, the hacker uses information from a social networking profile to
guess a victim's password reminder question. This technique was used to hack Twitter and break into Sarah
Friending: In this scenario, a hacker gains the trust of an individual or group and then gets them to click on links
or attachments that contain malware that introduces a threat, such as the ability to exploit a weakness in a
corporate system. For example, says Netragard CTO Adriel Desautels, he might strike up an online conversation
about fishing and then send a photo of a boat he's thinking of buying.
Impersonation/social network squatting: In this case, the hacker tweets you, friends you or otherwise
contacts you online using the name of someone you know. Then he asks you to do him a favor, like sending him
a spreadsheet or giving him data from "the office." "Anything you see on a computer system can be spoofed or
manipulated or augmented by a hacker," says Desautels.
Posing as an insider: Imagine all the information you could extract from an unknowing employee if you posed
as an IT help desk worker or contractor. "Roughly 90% of the people we've successfully exploited during
[vulnerability assessments for clients] trusted us because they thought we worked for the same company as
them," Desautels says.
On the Netragard blog, he describes an exploit in which a Netragard worker posed as a contractor, befriended a
group of the client's workers and set up a successful phishing scheme through which he gleaned employee
credentials, eventually gaining entry to the entire corporate infrastructure.
Hijacked Web sites attack visitors
October 19, 2009 (ComputerWorld) -
Some malware attacks target site visitors rather than the site brands themselves.
Here's the scenario: Attackers compromise a major brand's Web site. But instead of stealing customer records,
the attacker installs malware that infects the computers of thousands of visitors to the site. The issue goes
unnoticed until it's exposed publicly.
Such attacks are a common occurrence, but most fly under the radar because the users never know that a
trusted Web site infected them, says Brian Dye, senior director of product management at Symantec Corp.
When his company tracks down the source of such infections, it often quietly notifies the Web site owner. But
word can get out, leaving the Web site's customers feeling betrayed, and seriously damaging a brand's
Attackers, often organized crime rings, gain entry using techniques such as cross-site scripting, SQL injection
and remote file-inclusion attacks, then install malicious code on the Web server that lets them get access to the
end users doing business with the site.
"They're co-opting machines that can be part of botnets that send phishing e-mail, that are landing sites for traffic
diversion and that host malware," says Frederick Felman, chief marketing officer at MarkMonitor. But because
the business's Web site isn't directly affected, the administrators of most infected Web sites don't even know it's
That possibility is one of Lynn Goodendorf's biggest worries as global head of data privacy at InterContinental
Hotels Group. "I worry about attacks that use a combination of malware and botnets," she says, adding that she
has watched this type of activity increase steadily over the past two years. "That's very scary," says Goodendorf.
Most victims haven't associated such attacks with the Web sites that inadvertently infected them. But that may
The latest versions of Microsoft's Internet Explorer browser and Google's search engine detect sites infected
with malware, issue a warning and block access to the site. "To me, this is serious online brand damage," says
Gartner analyst John Pescatore, and it can be disastrous for small and midsize businesses that totally depend on
search engine traffic. The next frontier, says Dye, may be attackers who use these types of exploits against the
Web sites of high-profile brands and then publicize -- or threaten to publicize -- what happened.
Preventing attacks like SQL injections requires using enterprise-class security tools, such as intrusion-prevention
and -detection systems, with a focus on behavioral analysis to spot attacks, Dye says. But Pescatore sees a
more fundamental problem: rushing through Web site updates and ignoring development best practices
designed to promote security.
Most organizations follow formal processes for major upgrades, but not for the constant "tinkering" that takes
place. The result: Vulnerabilities creep into the code. "Security groups often are forced to put Web application
firewalls in front of Web servers to shield [these] vulnerabilities from attack," says Pescatore.
How data security can vaporize in the cloud
October 15, 2009 (ComputerWorld) -
IT managers should consider security and legal issues before signing up for hosted storage services.
While hosted cloud computing may be all the rage for reducing cost of ownership and management, IT
managers say hosted storage services present dramatic security challenges and legal implications that need to
Arthur Lessard, chief information security officer at toy manufacturer Mattel Inc., in El Segundo, Calif., said
during a presentation at Storage Networking World on Wednesday that cloud computing is appealing, even if
many end users don't know what the word "cloud" means. For example, many confuse cloud computing with
pure server and storage virtualization or simply backing up data to a remote site.
True cloud services should be characterized by grid-architected hosts with central management, applications
that can be ported seamlessly from system to system, capacity that is easily provisioned and significant data
redundancy, he said.
"We're talking software as a service," Lessard said.
When storage is hosted offsite in a virtualized server and disk array environment, cloud computing presents real
limitations around authentication and auditing - especially the auditing of logs. The lack of auditing capabilities
may affect the ability to record user logins, administrative actions and data writes, Lessard said.
"What I can't find out is who has been reading the data files, and ... depending on what business you're in, that
might be important," he said.
Also, there's usually no indication of login anomalies, such as repetitive attempts to log into a site under an
incorrect name and password. That information is kept by the vendor and is usually part of a contract negotiation
process. With respect to authentication, or who sets up the accounts and what control you have over accounts
and how they're provisioned, most vendors offer self-registration into your applications, "and that can have
holes," Lessard said.
"Most authentication in a cloud environment is done through user name and password only, so if I had a nifty
two-factor authentication set up or biometrics, it's no longer offered," he said.
Most service providers also have restrictions against penetration testing of the cloud by their customers.
"To be honest, I can't blame the vendor because by doing penetration testing against their environment for your
applications, it could impact someone else's applications," he said. "Remember, it's a cloud, and you don't have
a lot of control over where my stuff is running or where it sits."
Hackers can exploit security holes associated with hardware and software cloning in virtual server environments.
Most operating systems have unique or personalized components when they're installed on hardware, and the
OSes rely on the hardware to generate random numbers for public and private encryption key pairs and user
IDs, even when they're being cloned onto new systems.
When operating systems are cloned in virtual environments where new servers and software are stamped out to
meet user demand, service providers may use pseudo-random number generators. These create values that
appear to be random and for the most part are spread out over a range, but they aren't truly random and can be
predictable, Lessard said.
At the last Black Hat hackers convention, there was an attack proposed that would exploit resources in the cloud
based on pseudo-random number generation.
"If you have multiple systems, and they're all cloned and you have some idea of when a particular instance was
cloned and created, you can start making some pretty good guesses about the pseudo-random number
generator in that operating system, and that means you can start making some pretty good guesses about public
and private key pairs that got generated when an operating system got cloned."
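As an added example (not from the article or from Lessard), the simulation below shows why clones that inherit one PRNG state end up with identical key material, and the fleet check a defender can run to catch it. The image seed, hostnames and the two key-generation routines are constructed stand-ins, not real RSA or ECC generators.

```python
import hashlib
import random
import secrets

# Seed baked into a "golden" image; constructed value standing in for any PRNG
# state a template carries over to every clone stamped out from it.
IMAGE_SEED = 0x5EED5EED


def weak_keygen(seed: int) -> bytes:
    """Simulated key generation fed by a seeded, non-cryptographic PRNG.

    Stands in for a routine that trusts whatever random state the cloned
    image booted with. Same seed in, same "key" out, on every clone.
    """
    rng = random.Random(seed)
    return rng.getrandbits(256).to_bytes(32, "big")


def strong_keygen() -> bytes:
    """Key material drawn from the OS CSPRNG, as a first-boot regeneration
    step should do, so each clone ends up with a key of its own."""
    return secrets.token_bytes(32)


def fingerprint(key: bytes) -> str:
    """Short SHA-256 fingerprint of a key; the value a fleet inventory records."""
    return hashlib.sha256(key).hexdigest()[:16]


def clone_fleet(n: int, keygen) -> dict:
    """Stamp out n servers from one image; each runs keygen() at first boot.
    Returns {hostname: key fingerprint}."""
    return {f"web-{i:02d}": fingerprint(keygen()) for i in range(n)}


def find_duplicate_keys(fleet: dict) -> dict:
    """Return {fingerprint: [hosts]} for every key present on more than one
    host. Any entry means clones share key material and need regeneration."""
    by_fp = {}
    for host, fp in fleet.items():
        by_fp.setdefault(fp, []).append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    weak_fleet = clone_fleet(5, lambda: weak_keygen(IMAGE_SEED))
    strong_fleet = clone_fleet(5, strong_keygen)
    print("shared keys (seeded PRNG):", find_duplicate_keys(weak_fleet))
    print("shared keys (CSPRNG):    ", find_duplicate_keys(strong_fleet))
```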
One of the stickier legal ramifications of storing data with a cloud service provider falls under the government's
right to search and seize that information during the course of a criminal investigation.
According to Lessard, the U.S. government has also asserted that it has a right to serve a warrant to a third party
service provider in order to see data on their systems without notifying the provider's customers prior to the
Because one company's data may be kept on the same disk as another's by a service provider, a criminal
investigation could expose data to authorities or simply limit the ability to access data through that cloud service
provider, Lessard added.
"Essentially, you're losing your right to answer warrants served by the government," he said. "To use a technical
term, cloud computing is probably going to give your legal department the heebie jeebies."
Other IT managers also had security concerns about cloud services; some overcame them after becoming SaaS
customers, while others weren't convinced that the security around such services is sufficient.
Gordon Peterson, director of information technology for the city of Carlsbad, Calif., recently began using
Microsoft's Live Mesh cloud computing service to host collaborative applications, such as Exchange, Office
Communicator and Live Meeting, in order to spend less time on maintaining back office systems and more time
on technology innovation.
Peterson, who has a staff of 25, said he definitely had security concerns, mainly about Microsoft employees who
would be able to see internal e-mail traffic.
"We do have justice system traffic, after all," he said. "But I think what helped was realizing somebody else can
probably do security better than I can."
Peterson said his main concern was Microsoft's hiring and firing procedures and whether employee background
checks were thorough. A trip to Microsoft's hosting facilities helped alleviate those concerns.
"Their procedures are very similar to ours," he said. "They told me that if they mess up, the online community is
Norton Healthcare Inc., a private, nonprofit hospital system based in Louisville, Ky., is in the middle of rolling out
virtualized servers, desktops and storage to serve four acute care hospitals and other health care facilities in
Kentucky and southern Indiana.
Brian Comp, associate vice president of technology at Norton Healthcare, said cloud computing, with its ease of
use, is definitely in the hospital's future, just not the near future. Comp said over the next five years, as cloud
computing providers and technology mature, it will become more reliable and secure, allowing him to put non-
clinical systems on a distributed architecture.
"I wouldn't say I'm uneasy about security in the cloud, but I do have reservations about it. It's about having data
offsite. I just want certain assurances. Nobody wants to be on the front page of a newspaper because of security
problems," he said. "But I do think cloud vendors will work that out over time."
Their phone, your headache
By Ojas Rege, vice president of products and marketing, MobileIron
October 16, 2009 10:48 AM ET
Network World - For years analysts have encouraged the consumerization of IT to enhance collaboration and
productivity. It began with adoption of consumer instant messaging applications and continued with Web 2.0
technologies such as Wikis and social networking. Now, as employees start bringing their smartphones to work
and request IT to provide access to email and other corporate applications, we are seeing the consumerization
of not just an application but an entire computing platform.
At first glance this looks like a great idea. IT increases employee satisfaction, reduces OpEx costs by having
employees foot part of the wireless bill, and cuts CapEx costs by ducking the cost of the pricey phones. What’s
more, employees with smartphones devote more personal time to work so there is a productivity gain.
Early data from the Aberdeen Group shows that 20% of companies surveyed allow their employees to use
personal devices for work.
But securing employee-owned smartphones is not the same as securing corporate-owned devices. In the
corporate model, if an employee leaves the company, standard procedure is to retrieve the phone and “brick” it, wiping
it clean of all data and resetting it to factory defaults. In the new model, when an employee leaves the company
the phone goes too, packed as it is with personal pictures, videos, contacts, applications, music and confidential
corporate information. Is it fair to wipe all personal information from a phone just because an employee tried to be
more productive for the company? At the same time, is it damaging to the company’s business to compromise
security levels just because that employee happens to own the phone?
Enterprise data boundary
The way to address this issue is to start by adopting a framework that provides visibility into corporate data on an
employee’s smartphone and allows administrators to set boundaries around this data. This doesn’t have to be
something as fancy as tagging or fingerprinting mobile files. It can start with simply drawing a line between
media files on one side and xls, doc, ppt, and pdf documents on the other.
The key is that however this enterprise data boundary is drawn, if an employee leaves the company, he or she
should be able to take the phone with personal data intact, while IT should be able to ensure that any corporate
information has been safely removed. The process should be simple and transparent to all.
In addition to segmenting personal information from corporate, IT must have an honest dialogue with employees
about the trade-offs that exist when attaching a personal smartphone to the enterprise. For instance, regulatory
compliance policies may mandate that corporate communications be archived for e-discovery purposes. These
communications can include SMS messages; therefore, the employee must weigh the privacy concerns of
having SMS archived in the same manner as corporate e-mail.
IT will likely find that different policies will apply between corporate-owned and employee-owned phones, so it’s
crucial for the policy enforcement framework to delineate between phones based on ownership.
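An added example (not MobileIron's code) that draws the enterprise data boundary the way the article suggests and applies the ownership-based policy it calls for: corporate-owned phones get the traditional full wipe, employee-owned phones a selective wipe of office documents, and files the boundary cannot place are held for review rather than silently wiped. The media extension set beyond the article's xls/doc/ppt/pdf and the phone's file inventory are constructed.

```python
import posixpath

# The article's boundary: office document types on the corporate side, media
# files on the personal side. The media extension set is a constructed sample.
CORPORATE_EXTENSIONS = {".xls", ".doc", ".ppt", ".pdf"}
MEDIA_EXTENSIONS = {".jpg", ".png", ".mov", ".mp4", ".mp3"}


def classify(path: str) -> str:
    """Classify a file as 'corporate', 'personal' or 'unknown' by extension
    alone, the simple line the article suggests starting with."""
    ext = posixpath.splitext(path)[1].lower()
    if ext in CORPORATE_EXTENSIONS:
        return "corporate"
    if ext in MEDIA_EXTENSIONS:
        return "personal"
    return "unknown"


def plan_offboarding_wipe(ownership: str, files) -> dict:
    """Decide what happens to each file when the employee leaves.

    ownership is 'corporate' or 'employee'. Returns three sorted lists:
    'remove' (wiped by IT), 'keep' (stays with the employee) and 'review'
    (files the boundary cannot place; held rather than silently wiped).
    """
    if ownership == "corporate":
        # Corporate-owned phone: the traditional model, everything goes.
        return {"remove": sorted(files), "keep": [], "review": []}
    if ownership != "employee":
        raise ValueError(f"unknown ownership: {ownership!r}")
    plan = {"remove": [], "keep": [], "review": []}
    for path in files:
        kind = classify(path)
        if kind == "corporate":
            plan["remove"].append(path)
        elif kind == "personal":
            plan["keep"].append(path)
        else:
            plan["review"].append(path)
    for bucket in plan.values():
        bucket.sort()
    return plan


# Constructed inventory of one departing employee's phone.
SAMPLE_FILES = [
    "/sdcard/DCIM/holiday_001.jpg",
    "/sdcard/Music/track01.mp3",
    "/sdcard/Download/Q3_forecast.xls",
    "/sdcard/Download/board_deck.PPT",
    "/sdcard/Download/contract.pdf",
    "/sdcard/Notes/todo.txt",
]

if __name__ == "__main__":
    for ownership in ("employee", "corporate"):
        print(ownership, plan_offboarding_wipe(ownership, SAMPLE_FILES))
```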
Finally, the overall governance structure for mobility must move from one of command-and-control to one of
partnership. Employees and IT must take responsibility for the corporate data on employee phones. IT cannot be the
sole policing function; accountability and responsibility have to move to the employee.
Security systems have traditionally focused on inbound reporting of exceptions to IT and security staffs. Mobile
management systems have to be just as focused on outbound reporting of exceptions to employees so they can
do something about it. Employees must be engaged, understand their role in the partnership, and have the tools
to live up to their part of this cooperative security bargain.
While shifts in enterprise security models have often led to battles between employees and IT staffs, the
adoption of employee-owned smartphones may be an exception. Here, employees have an incentive to securely
operate their personal smartphones because they genuinely want to use them for both work and life. What IT
needs to do is provide these employees the tools to be able to strike that balance without compromising
enterprise security or personal usage.
Five Problems Keeping Legacy Apps Out of the Cloud
By Kevin Fogarty
October 15, 2009 11:35 AM ET
CIO - The hype about cloud computing has gotten so loud that Gartner Group used Cloud as the lead in its
hype-parazzi special report Hype Cycle 2009. The sharply sloping graph in the report places cloud, along with
e-book readers, wireless power and social software suites, at or near the "Peak of Inflated Expectations,"
preparing for a dive into the "Trough of Disillusionment."
One thing that may drive it into that trough - other than the unrealistic projections by some providers of
cost-savings and easy capacity planning - is the difficulty in getting certain applications to run on it effectively, according
to analysts and vendors selling technology to help bridge the gap.
What are the difficulties? Here's a look at five key hurdles.
1. Today's clouds are not alike
No one "cloud platform" exists - each is different, meaning the specific migration,
support, cost and capacity issues vary from vendor to vendor. And moving a legacy application to the cloud
means taking a proven quantity in a known environment and moving it to a new environment that will make
almost everything about it different, according to Bernard Golden, CEO at HyperStratus, and CIO.com blogger.
"Legacy applications come with a lot of integration with your other systems, and usually they had to be done fast,
so you have a lot of direct database calls from one application to another and that kind of thing that may not work
when one endpoint is outside the perimeter," according to Golden.
"There's the tiny straw issue, too; there is an order of magnitude more bandwidth available inside the data center
than outside it. And you have to decide whether it's important that you manage everything from one pane of
glass, because the management tools are not up to doing that with cloud and legacy applications yet," Golden
says. "There are a lot of basic technical issues that are often not addressed."
2. Security worries
Security gets top billing as a risk of cloud computing because the idea is new and the locks
aren't as fully tested as those on legacy applications. At least as big an issue for many companies is knowing
who is using the applications or accessing the data, whether they have permission to do so or not, according to
Chris Wolf, infrastructure analyst at The Burton Group.
"For enterprises that have security or compliance concerns, multitenant cloud infrastructures are just non-
starters right now, because the tools to monitor or control that has not been addressed yet," he says.
Single-tenant clouds - that is, cloud platforms a company owns and manages itself - only solve part of that issue.
Being able to physically limit access to the cloud by controlling the rest of the IT infrastructure makes the
contained cloud safer, but still doesn't provide the detailed audit trail many companies need to comply with financial
or privacy regulations, Wolf says.
3. Licensing and interoperability concerns
Legacy applications are supposed to be the creaky inflexible problem
when it comes to migration, but neither major software vendors nor cloud providers are making the migration any
easier, Golden says.
While most legacy applications have been upgraded from the homegrown, no-public-standards era of corporate
computing, most are built with databases, communications or data-translation modules and other
commercially-licensed technology. That means vendors like Oracle, Siebel, SAP and others would have to change their
licensing to support "three weeks running on three servers, then one week per month expanding to ten and only
paying for the capacity you use," Golden says. "Most licenses are still tied to one physical box, although Oracle has
made some movements in this direction."
Legacy apps also typically don't support the newest technology except in the user interfaces that aren't
part of their cores - exactly the technologies on which cloud platforms are built. Microsoft Azure is based on
its .Net programming architecture, which most legacy apps are not. Google's App Engine is designed to support
software written in Python - a Web-friendly language popular with developers of PHP-based software running on
Web servers. Salesforce.com has a proprietary application and data structure.
4. You don't know your own legacy
Your company may live and die by its line-of-business applications, but that
doesn't mean you know everything going on behind the endlessly-customized codes, interfaces and forms that
started out as business automation and turned into a rigid legacy application, according to CEO Mark Cashman
and CTO Steve Yaskin of Queplix.
Queplix's tools are designed to extract data, metadata, business logic and security information from legacy
applications using a mix of custom-written and canned analysis and conversion utilities, so the resulting code can be
run on cloud computing platforms - usually internal clouds rather than public ones.
With all the data, data structures and policy guidelines extracted, Queplix can analyze security, data-access and
compliance rules from both commercial and homegrown apps - often finding huge holes in the process.
"We run a report that will show big holes in security that security people don't know about and they don't like
when they see it," Yaskin says. "Siebel isn't designed to share [access control list] data with SAP and vice versa,
so no one knows users have all this access; when we take all that out, you can see the access points and
potential breaks in security and turn them to your advantage."
Queplix sells a set of software development, analysis and conversion tools designed to extract data, business
logic and security information from legacy apps so they'll run in cloud-computing environments.
5. Migration is manual and darn few tools will help
Even at their best, Queplix and its competitors - master data
management (MDM) providers such as Siperian and Initiate Systems - convert only a portion of the application
and data, leaving the end-user or service provider to deal with the rest, according to John Abbott, infrastructure
analyst at The 451 Group, who published an evaluation of Queplix recently. Yaskin estimates Queplix's best shot
automates 85 percent of the migration. When will the situation improve?
VMware, which bought application-virtualization-developer Springsource earlier this year, is working on the
problem, but not for legacy applications. Smaller companies such as the Israeli firm Gizmox will put an AJAX GUI on
a legacy app and run that in the cloud, but don't take care of its guts.
SAP and IBM - both of which have extensive custom-development and migration divisions - are also working on
legacy-to-cloud migration tools, as are Oracle and COBOL-stalwart Micro Focus, Abbott says. So does Oracle, which
is adopting technology developed by Sun.