Security Bytes: September, 2009 archives

Sep 30 2009   3:03PM GMT

Twitter gets condemned by CISOs at Forrester forum



Posted by: Robert Westervelt
Twitter security, social networking flaws

Security professionals are worried the social network could cause security problems for their companies.

CISOs attending Forrester Research Inc.’s security forum held Sept. 10-11 in San Diego must have gotten an earful from the forum’s keynote speaker: Marcus Ranum. According to Forrester analyst Rob Whiteley, attendees responded to Ranum’s opposition to Twitter with “loud, thunderous applause.”

Writing about some of the highlights from the two-day forum, Whiteley said he was shocked by the audience reaction:

It’s very clear to me that we’re at an inflection point in information security. What we called a “shift in ownership” will be the challenge of all CISOs heading into 2010. It’s no longer sufficient — and definitely not necessary — to denounce the use of social media.

In an interview I had with Whiteley, he referred to this “shift in ownership” as perhaps the most important area IT security is grappling with right now. Security can no longer “control” data. The bottom line: Guard the intellectual property that is the lifeblood of the business as tightly as you can. Focus on reducing the risks of data leakage elsewhere.

It’s hard to gauge audience reaction. Perhaps those in attendance have never used Twitter and don’t understand its significance or usefulness as a communication tool. But others are finding it useful to share research and items of interest and its popularity can’t be ignored. The service has attracted 14 million US visitors according to Nielsen Online. It’s now valued at $1 billion. It’s clear that Twitter has found its niche.

As Whiteley points out, there are security concerns. Users can click on malicious links hiding behind URL shorteners (though browser-based tools are available to expose where a shortened link really leads). Employees can post negative comments about their company or leak intellectual secrets (employees can leak company data on blogs, wikis and forums as well. Shall we ban them too?). Here’s another one to add to that list of concerns: According to security consultant Lenny Zeltser, employees could be leaking data in drops that collectively could be used by an attacker to figure out passwords, conduct social engineering attacks and ultimately gain access to corporate networks. Zeltser, who leads the security consulting practice for Savvis and is a faculty member at SANS Institute, said it’s easy for an attacker to collect information that appears harmless on Twitter, Facebook and other social networking platforms. And if it’s easy, it’s being done. You can count on it. (Listen to my interview with Zeltser in our June 10 edition of Security Wire Weekly on social networking threats.)

Perhaps the more appropriate response from senior-level security professionals is to get educated on these newer forms of communication and respond with the right mixture of education and policy for employees. (Sign up for a Twitter account and follow some of your employees.) It’s highly unlikely that employees can be blocked from using tools they find helpful to their productivity. After all, standing in the way of innovation is not the goal of security. Finding the appropriate level of policy and technology to reduce risks should be the end goal.

Sep 30 2009   1:01PM GMT

Microsoft makes free antivirus software widely available



Posted by: Robert Westervelt
Antivirus, Microsoft Security Essentials

Software meets the needs of those looking for lightweight, free antivirus.

Microsoft Security Essentials (MSE), free antivirus software for Windows users, has been in beta for quite some time. Today, Microsoft has ripped the beta status off the software, making it widely available to the public.

Security Essentials is aimed at consumers who are content with free antivirus, but it could help businesses, especially those whose employees sometimes work on their personal computers, a practice that is a no-no in many industries but tolerated by many firms.

From Microsoft:

Microsoft Security Essentials is a free* download from Microsoft that is simple to install, easy to use, and always kept up to date so you can be assured your PC is protected by the latest technology. It’s easy to tell if your PC is secure — when you’re green, you’re good. It’s that simple.

No new features were provided in the final release version. It provides antivirus and antispyware protection and removal. That’s it. Microsoft said it worked to keep the software light. I’ve been using it on my little Acer Aspire netbook and I can report that it doesn’t appear to slow the machine down at all, unlike other free software suites I’ve used.

Our security expert contributor, Eric Ogren said Microsoft Security Essentials lacks vision. Ogren called it “yesterday’s antimalware solution” and said consumers should stick to free versions provided by AVG or Avast and check if their Internet service provider offers a free version of a more full-fledged suite.


Sep 29 2009   2:08PM GMT

Experts, vendors search for PCI’s holy grail



Posted by: Robert Westervelt
PCI compliance, tokenization, data security

The First Data-RSA partnership is pitted against the Heartland-Voltage E3 project in the payment industry race for securing transactions.

Like the Betamax vs. VHS format war or the Blu-ray vs. HD DVD scuffle, the transaction processors in the payment industry are wrestling with how to secure credit card data without affecting transaction times or strapping merchants with additional costs. So far there are two options on the table: Format-preserving encryption vs. in-motion encryption and token technology.

In June, Heartland Payment Systems Inc. announced that it would work with Voltage Security Inc. and others to design a credit card masking service called E3 that uses format-preserving encryption. Heartland CEO Robert Carr briefly mentioned the E3 project at a Sept. 17 Senate panel hearing on his company’s breach. He told the Senate Homeland Security and Governmental Affairs Committee that the goal is to make credit card data unreadable to outsiders at the point of the swipe.

Another processor is working toward the same goal. Last week, while payment industry experts met at the Mandalay Bay Resort and Casino in Las Vegas for the Payment Card Industry Security Standards Council North American Community Meeting, First Data Corp. made a broad announcement, telling the industry that it planned to take a different route. First Data said it would partner with RSA to use its tokenization technology and provide end-to-end encryption and tokenization for merchants.

Which method will win the industry’s favor is anybody’s guess. But it’s likely to be a combination of the two. First Data hasn’t provided the cost of its service, but claims it won’t slow transaction times by issuing tokens. The First Data implementation should be fairly easy for merchants. Most of the work will take place on First Data’s servers. The Heartland E3 service consists of new payment terminals. Beyond the costs associated with buying and deploying the terminals, Heartland says there would be no monthly encryption maintenance fees, no key management fees, and no activation fees. Heartland has a good website describing the E3 project and its status.

Experts largely agree that these offerings are a step in the right direction to better protect sensitive payment data. Our site experts have written extensively about tokenization. Tokenization technology is a cheaper way to comply with PCI DSS, but by no means is it a silver bullet. Experts say it helps scale down the scope of a PCI assessment by making network segmentation easier. Expert Mike Chapple explained how to implement a PCI network segmentation.

One of our best pieces of advice came last year from a former certified PCI quality security assessor (QSA). He said merchants should focus on eliminating data, not securing it. The faster the data is purged from a merchant’s systems, the less likely it will have to deal with a costly data breach.
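To make concrete how tokenization takes cardholder data out of merchant systems (the scope-reduction point above, and the QSA’s advice to eliminate data rather than secure it), here is an added illustration. It is not First Data’s, RSA’s or Heartland’s implementation; the vault is an in-memory stand-in for a processor-side service, the token layout (BIN and last four preserved, random middle, deliberately Luhn-invalid) is one common design chosen for the example, and the card number is the well-known 4111... test value.

```python
import re
import secrets

def luhn_valid(digits: str) -> bool:
    """Luhn check: every real card number passes it, so a string that fails it is not a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Processor-side vault (illustrative, in-memory). It is the only component that can map
    a token back to a PAN, so it is the only component that has to stay inside PCI scope."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:            # same card always yields the same token,
            return self._pan_to_token[pan]        # so refunds and repeat customers still match
        while True:
            # Format-preserving token: keep BIN (first 6) and last 4, which PCI treats as
            # non-sensitive truncated data, and randomise the digits in between.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            # Reject Luhn-valid candidates so a token can never be mistaken for a live PAN.
            if token != pan and not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]

def record_sale(vault: TokenVault, orders: list, pan: str, amount_cents: int) -> dict:
    """Merchant-side flow: swap the PAN for a token before anything reaches merchant storage."""
    order = {"token": vault.tokenize(pan), "last4": pan[-4:], "amount_cents": amount_cents}
    orders.append(order)
    return order

_CANDIDATE = re.compile(r"\d{13,19}")

def holds_cardholder_data(record: dict) -> bool:
    """Scope check over merchant data: does any field contain a Luhn-valid, PAN-length digit
    string? Tokens fail Luhn by construction, so a store holding only tokens returns False."""
    for value in record.values():
        for candidate in _CANDIDATE.findall(str(value)):
            if luhn_valid(candidate):
                return True
    return False
```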

Until a solution is embraced by the entire payment industry, attackers will continue to find holes that give them access to those coveted credit card numbers. For now, we’ll have to take a step back until a method is found that satisfies both merchants and payment processors. Maybe the winning solution hasn’t been invented yet.


Sep 25 2009   1:52PM GMT

Video shows Twitter attacks using shortened URLs



Posted by: Robert Westervelt
shortened URLs, malicious URLs

Symantec video highlights shortened URL problems on Twitter.

Back in June, I wrote about URL shortening services and how they could contribute to sending the Internet out of control. In short, Cligs, the fourth most-used URL shortening service, suffered an attack at the time that edited most URLs on Cligs to point to a new location. According to Cligs, 2.2 million URLs were affected. Users had almost no way to avoid the error. Even links from trusted sources were redirected to a new location.

Symantec posted a blog entry and a video Thursday showing how shortened URLs are spreading rogue antivirus and ultimately malware onto victims’ machines. “Clicking any link like this is entirely a security leap of faith,” said Symantec’s Ben Nahorney.

The simple answer is not to click on shortened URLs at all; failing that, users should download the browser add-ons for Firefox and Internet Explorer that preview the URL. Those behind Twitter have not yet stepped up to address the issue. It could be addressed by developing a tool within Twitter that masks a long URL and doesn’t count toward the 140 character limit. Perhaps the URL should be treated as an attachment within a Tweet. Once the attachment is opened revealing the link, a user can examine the link for authenticity.


Sep 24 2009   1:42PM GMT

Attackers target PDF, DirectShow flaws with malicious banner ads



Posted by: Robert Westervelt
web application flaws

Advertising networks DoubleClick, YieldManager and FastClick have supplied a series of malicious banner ads to several popular legitimate websites this week.

Security vendor ScanSafe says it has discovered a series of malicious banner ads appearing on popular websites, including drudgereport.com, horoscope.com and lyrics.com. While the discovery is far from groundbreaking, it supports the recent SANS Institute report showing legitimate websites increasingly being targeted by attackers.

Making it even more difficult for legitimate website owners is the third-party relationship they have with popular advertising networks. Let’s face it, advertising networks are what keep many websites afloat. Without DoubleClick, YieldManager, FastClick and others, many website owners wouldn’t be able to get a snapshot of their audience or provide relevant visitor data to potential advertisers. In this case it appears that the three ad networks I named inadvertently delivered the malicious ads.

From ScanSafe:

The malicious ads delivered PDF and DirectShow exploits engineered to silently install a Trojan downloader. The installed malware attempts to download further malware, intercepts and tampers with Web searches and can redirect the user to sites other than expected – including sites that can lead to further malware infestation.

The malicious ads appeared on the sites between Sept. 19-21. They took advantage of another rising concern highlighted in the SANS report – client applications not being fully patched. In this case, the attackers were targeting PDF and DirectShow flaws – updates that should have been applied to client machines.


Sep 23 2009   1:28PM GMT

Conficker analysis finds P2P coding limited, less sophisticated



Posted by: Robert Westervelt
Conficker, P2P

New analysis of Conficker finds peer-to-peer coding less sophisticated and not likely coded by the same developers who coded the other major components of Conficker.

Researchers at SRI International have conducted additional research on Conficker C and determined that a peer-to-peer (P2P) module was not likely coded by the original programmers of the worm.

From the latest SRI research:

The P2P module provides a limited peer command set, keeping complexity to a minimum - perhaps due to scheduling pressures and quality control concerns in deploying new functionality across millions of geographically dispersed victim machines.

The report is very technical. Researchers reverse engineered the P2P protocol and provided the results of their findings. My takeaway is that the P2P protocol, though unsophisticated, has been an important part of how Conficker has been able to continue to infect and how those behind the worm have been able to bypass security filters to send out orders. SRI said the P2P coding conducts scan-based peer discovery across the Internet, looking for previous versions of Conficker to upgrade to the latest and greatest version.

The fact that security experts haven’t been able to stop the spread of orders via Conficker’s P2P algorithm enables Conficker to remain a threat, the SRI researchers said.

Unfortunately, unlike the binary delivery distributions over the DGA rendezvous points that were achieved by the Conficker Working Group [2], whitehats currently employ no equivalent capability to hinder binary distributions through Conficker’s peer network.


Sep 17 2009   1:13PM GMT

Successful rogue antivirus hinges on social engineering



Posted by: Robert Westervelt
Rogue Antivirus, social engineering

Attackers are getting better at social engineering because Internet users are ignoring privacy.

Attackers have gotten very good at tricking end users into clicking on links to malicious content and they’re likely to get even better, according to a blog entry this morning in the SANS Internet Storm Center diary.

Rogue antivirus programs have been one of the most successful schemes, according to SANS. The scheme is simple: it tricks users into believing they have been infected with a virus and must download an antivirus program to disinfect their machine.

From the SANS diary entry:

The main reason, however, why rogue AV is so successful is its persistence and amount of details - the web page they use to scare the visitor looks almost exactly like Windows’ Security Center. … It is now not strange that rogue AV programs are infecting so many machines. The devil is in the details, and the attackers made damn sure that all details are here to fool the potential victims.

I used to say that only your mother or grandfather actually clicks on those links, but the attackers have gotten better at using social engineering tactics to trick victims into clicking on links, and it clearly doesn’t matter how technology savvy the younger generation is.

The mountains of data being placed on social networking websites like Twitter, Facebook, MySpace and others are making it easier for attackers to scan and identify victims by location, know their likes and dislikes and understand who their friends, family and coworkers are. The result is terrifying to consider.

SANS’ Bojan Zdrnja points out that persistence has been key to the success of rogue AV. Those behind it have coded it elegantly, Zdrnja says. They also stay on top of current events to get users to click on search engine results leading to malicious Web pages.

The attack takes persistence on the part of the attacker, but it also is relying on our complete ignorance of privacy. The use of social networks and the amount of information being shared on the Internet is feeding right into the hands of cybercriminals.


Sep 16 2009   1:29PM GMT

Zeus Trojan evades antivirus software, Trusteer says



Posted by: Marcia Savage
Zeus Trojan, banking Trojan

A study of 10,000 PCs infected with Zeus showed that most of the machines had antivirus installed.

The Zeus Trojan has already proven itself to be one nasty piece of malware in its quest for banking credentials. Now, a new report by security vendor Trusteer shows another alarming facet of Zeus: It’s infecting PCs with updated antivirus software 77% of the time.

In a study of 10,000 PCs infected with Zeus, also called Zbot, Trusteer found that most of the infections occurred on machines where an antivirus product was installed and kept up-to-date: 31% of the Zeus-infected PCs had no antivirus while 55% had updated antivirus software. Installing antivirus and keeping it updated only reduces the probability of a Zeus infection by 23%, Trusteer concluded.

The study was based on reports gathered from consumer PCs running Trusteer’s Rapport, which the company said detects Zeus through a unique fingerprint the Trojan leaves when it penetrates the browser process. Rapport is a browser plug-in that protects online credentials and transactions. According to Trusteer, the technology detects whether a PC has antivirus and whether it’s updated through the Windows Security Center.

Trusteer claims that its test of how effective antivirus is against Zeus in the wild is more accurate than most other antivirus efficiency tests, which it says are performed in the lab. The test result, the company said, is “disturbing and reveals that the vast majority of Zeus infections go unnoticed by antivirus products.”


Sep 15 2009   1:24PM GMT

VeriSign extends DDoS attack protection service



Posted by: Robert Westervelt
DDoS protection, VeriSign

VeriSign has entered into the DDoS protection market, hoping the latest spate of DDoS attacks have raised enough concern among companies that they are shopping for solutions.

The firm is using the word “cloud” to describe its DDoS service since it filters network traffic in one of VeriSign’s data centers before it reaches the company network. It entered the market for DDoS protection earlier this year but is announcing a monitoring-only service this week.

From the company announcement:

DDoS attacks have become a serious threat to enterprise online business continuity. What has traditionally been managed as an incremental part of bandwidth provisioning and cost has now evolved into a threat of growing scale and sophistication that warrants a dedicated review and mitigation approach.

After talking to experts about this during the last round of attacks aimed at South Korean and some U.S.-based websites, I found that DDoS attacks don’t appear to be increasing in sophistication and certainly don’t seem to be causing great concern among ISPs and network service providers that partner with Cisco, TippingPoint, Arbor Networks and others. Most enterprises either rely on ISPs or network service providers or, if they’re big enough, partner with Cisco and others to install appliances that detect and weed out bad traffic.

For example, the DDoS attacks against U.S. federal agencies and South Korean sites were aimed at top-level domains, bringing down the agency home pages. They did not disrupt business, and the processes in place to protect against DDoS mitigated the threat, filtering out or throttling down the suspected nefarious traffic before it could cause any major disruptions.

Jose Nazario, a noted botnet and DDoS expert with Arbor Networks, went as far as to call the attacks a nuisance.

“This attack is requesting [Web] pages and content that is easily obtainable. The attacks are trivial to detect and trivial to thwart.”

Of course the attacks are a serious threat to online retailers and social networks that depend solely on website uptime for business. VeriSign quotes a Forrester Research survey which found that 74% of companies have experienced a DDoS attack of some kind. And 75% are overprovisioning their bandwidth to handle attacks. My guess is the overprovisioning is a standard method used in addition to DDoS protection for ecommerce sites not willing to risk downtime.

A great example of the type of customer VeriSign is targeting is online payment-processing company Piryx. The fledgling company was taken down last weekend by a DDoS attack. It provides online payment-processing services for U.S. Rep. Joe Wilson’s (R-S.C.) campaign fundraising arm. Wilson was the congressman who yelled out “liar” during President Barack Obama’s healthcare speech. Piryx said the attack knocked out services for about 150 other Piryx clients.

The company is only a year old and extremely small when compared to many of its industry peers. It received its first round of funding in 2008. Piryx is more of an example of a business that accepted the risk DDoS posed. It gambled and lost. It’s also the kind of customer that may not have had the client base or the funding to invest in DDoS protection.


Sep 14 2009   1:54PM GMT

ShmooCon soliciting papers



Posted by: Robert Westervelt
ShmooCon, security conference

Organization announces an open call for papers and presentation proposals for the annual ShmooCon event.

The Shmoo Group is soliciting papers and presentations for the sixth annual ShmooCon. The event is slated for February 5-7, 2010 in Washington DC.

The organization said that despite being a security conference, it is soliciting submissions on “offbeat technology topics.”

From the announcement:

ShmooCon presentations should be focused on topics that are of interest to security and technology professionals who are paying attention to current trends and issues. Presentations dealing with new technologies such as cloud computing or large-scale virtualization or new takes on existing methods and techniques are of interest. Presentations that are rehashes of old talks, primers on known technologies, or vendor pitches will be rejected and summarily panned.

The 2009 conference included sessions on a variety of topics. Researchers exposed social networking threats, flaws in Google Android were presented in a mobile security session and a demonstration was given on how to easily clone smart cards — just to highlight a few.