Security Bytes: October, 2009 archives


Oct 29 2009   3:35PM GMT

Twitter warns of new phishing attacks

Posted by: Robert Westervelt
Phishing, Twitter security

Phishing campaign uses a direct message and a fake Twitter login page to pilfer credentials.

Twitter issued a spam warning via a Twitter message telling users not to click on a direct message that sends them to a Twitter login page. The Twitter warning said the login page is a fake that attempts to steal login and password credentials. Once a victim types in their credentials, a fake Twitter fail-whale “over capacity” message is displayed.

Sophos security expert Graham Cluley blogged about the Twitter phishing attempts on Wednesday, describing the fake Twitter message and calling on users of the social network to change their passwords regularly.

So, what should you do if you fell for one of these phishing messages and handed over your Twitter login details to the bad guys? You should consider yourself now hacked, and must change your Twitter password *immediately* before your account is abused by hackers.

Oct 29 2009   12:18PM GMT

Mozilla update repairs Firefox buffer overflow vulnerabilities

Posted by: Robert Westervelt
Firefox security, Mozilla security, web application flaws

Repairs fix several critical memory corruption errors and buffer overflow flaws that could cause the browser to crash and leave users vulnerable to attack.

Mozilla issued an update to its popular Firefox browser this week, repairing more than a dozen flaws that could cause the browser to operate erratically and crash or allow remote attackers to target vulnerable users.

The browser maker issued 10 advisories on Tuesday, five of them critical, fixing memory corruption errors, buffer overflow flaws and an object handling flaw that could enable an attacker to execute malicious code and gain access to sensitive data. Firefox 3.5.4 and 3.0.15 plug 16 holes in a variety of browser functions.

Mozilla repaired four critical memory corruption errors affecting the browser engine and the JavaScript engine. In its advisory, Mozilla said some of the errors could be targeted by attackers to execute arbitrary code.

The browser maker also updated several third-party libraries used to render media. The affected libraries are used by the browser to read Ogg Vorbis encoded media files.

“Some of the bugs discovered could potentially be used by an attacker to crash a victim’s browser and execute arbitrary code on their computer,” Mozilla said.

Other serious flaws were repaired. The Mozilla update fixed a heap-based buffer overflow in Mozilla’s string-to-floating-point number conversion routines; a flaw that could enable an attacker to execute malicious JavaScript code with chrome privileges; and an error in Mozilla’s GIF image parser.

Last month, Mozilla released a new feature it said would help get users to update third-party plugins. The changes came in the release of Firefox 3.5.3 and Firefox 3.0.14.


Oct 28 2009   12:40PM GMT

McAfee survey: Less money, less time, less security for midmarket

Posted by: Neil Roiter
midmarket security, McAfee

McAfee report estimates that mid-sized businesses in the U.S. spent $17.2 billion fixing IT security incidents in 2008.

How much should a midmarket company spend on security? Is it spending it on the right technologies? How much time and effort should its IT people devote to it?

“The Security Paradox,” McAfee’s global survey of mid-sized (51-1,000 employees) companies, raises some interesting questions about the balance between the money and manpower they invest in security on the one hand, and the risk on the other.

Before we go too far, the report is a little thin on the ground: only about 100 companies were surveyed in each of nine countries. So, maybe a good sampling globally, perhaps less so per nation.

According to the report, most mid-sized companies experienced more security incidents in the last year than in the previous 12 months and are very concerned about the possibility of data breaches and IT security attacks. One out of five experienced a serious security incident that caused them to lose, on average, $41,000 (based on what they calculate as lost business) and spent, on average, $43,000 in a year remediating IT security incidents.

But, while three-quarters of the companies froze or cut their IT security budgets (reduced staff, fewer new product purchases, switching to cheaper, stand-alone products), the telling correlation was between the amount of time the average organization devotes to security and the time it takes to recover from an incident. Overall, smaller companies that spend an hour or less per week on proactive preventive measures often spend days recovering; organizations that spend several hours frequently recover in less than a day.

Makes sense. If busy, understaffed IT folk in midmarket companies can find a few hours a week to focus on security, it pays off. According to the report, the majority of British and U.S. companies surveyed find or make the time. The French, not so much.

Still, the report estimates that mid-sized businesses in the U.S. alone spent $17.2 billion fixing IT security incidents in 2008.

So what are the McAfee report recommendations for beleaguered middling companies in the worst economy since the Great Depression? After delivering the valuable message that they can mitigate the damage if they devote a little more time and effort to security, the conclusion is that what we really need to do is to spend smarter:

  1. Integration. Consolidate security vendors who offer integrated suites (let’s assume they’re not recommending Symantec).
  2. Centralized management (Hey, we have EPO).
  3. Lower costs. Integrated solutions are more economical (really a corollary of 1 and 2).

Well, it’s all probably true, but the message is rather cynical. Tell me how to find those extra hours. Tell me what activities will give me the most value for the time I invest. Then, maybe, once I get that, tell me about investing some more time in replacing my security technologies and/or introducing new ones.


Oct 24 2009   2:41PM GMT

Cigital’s Gary McGraw talks cloud security with Chris Hoff

Posted by: Robert Westervelt
cloud security services, Cloud computing, cloud security

Security needs to pay more attention to the protocols that bind the applications and infrastructure together. That’s where the cracks are appearing.

What is cloud computing? In an interview with Cigital’s software security expert Gary McGraw, network security expert Christopher Hoff tries to answer that question from two perspectives — a cloud provider and a consumer. After understanding what cloud computing is, the conversation ultimately moves to what is being done right and perhaps wrong to secure it. Hoff, formerly of Unisys Corp., is currently director of cloud and virtualization solutions at Cisco Systems Inc. The podcast is a good overview of cloud computing and security because it peels away all the vendor marketing hype that, pardon my pun, has clouded the issue.

According to Hoff:

  • From the perspective of a consumer, cloud computing is “any vendor, any technology that would allow them to take their content and their data and place it in the stewardship of somebody else.” Hoff says it could be Apple’s MobileMe, iTunes, and any other services where you connect and are using the Internet.
  • From the perspective of a cloud provider, cloud computing is “an operational model; a way of more efficiently, more effectively using computing resources.”

The cloud is not impervious to failure, Hoff says. A lot of interesting expectations are being set, and Hoff says that is illustrated by Larry Ellison of Oracle Corp., who says there’s nothing new and we’ve been doing it for years, versus the perspective from others who say that how we’re using the cloud is different.

“Every time we’ve had a new instance, a new way of operationalizing our computing resources we’ve had this same sort of turn that takes place in the industry. It ultimately smooths out.”

McGraw says while we’re not so bad at protecting hardware, we’re really bad at protecting virtual operating systems and applications.

Hoff explains the three levels of cloud computing and how security applies: infrastructure as a service, platform as a service and software as a service … He says the lower down the stack you go, the more responsible you still are as a consumer for the security of that service. “With infrastructure as a service you are essentially building in security, with software as a service you are basically contracting it …” Hoff goes on to say that platform as a service is more interesting from a security perspective because your apps are somewhat tied into the platform. Since you are writing the applications and you own the data, “maintaining security as it relates to that model is a shared, cooperative approach.”

Security is always playing catch-up, and disruptive innovation such as cloud computing is a good example of that, Hoff says. It ultimately comes down to the age-old problem that “consumers see security and applications thereof as an adverse function of convenience.”

“When it comes down to any enterprise architecture in general, time to market and delivery just trumps our capability, desire, wants and needs and ultimately budgets to get stuff done as a balance of security versus convenience.”

The final part of the podcast talks about the problems companies are having applying security to the three cloud computing models from a design pattern versus a bolt-on approach. Hoff says the people behind the cloud model are fragmented — developers work on their applications, network architects deal with the network, and the security guys try to figure out what each of them is doing.

Hoff says what is terrifying is that the metastructure pieces, the protocols and glue that hold the application layer and infrastructure layer together, are for the most part completely ignored. DNS and identity and access management issues are starting to show cracks.

Check out Hoff’s blog Rational Survivability for more of his great insight into the cloud computing models and the security issues they raise.


Oct 22 2009   3:23PM GMT

Email archiving vendor sues Gartner, doesn’t see magic in quadrant

Posted by: Robert Westervelt
Security Vendor News

ZL Technologies is seeking $1.7 billion in damages from Gartner Inc. Analyst firm dismisses claims.

ZL Technologies Inc., an email archiving vendor, is suing analyst firm Gartner for eroding its market presence by consistently ranking it as a niche player in the lower quadrant of its popular Magic Quadrant market analysis report.

The ZL lawsuit was filed in May. Gartner filed a motion to dismiss the case citing the First Amendment. The lawsuit is continuing this month as both parties argue whether the case should be dismissed.

ZL Technologies CEO Kon Leong said Gartner’s Magic Quadrant consistently ranks vendors with big marketing and sales budgets at the top. ZL Technologies also sells compliance and encryption products. Leong says his company’s eDiscovery capabilities consistently beat large vendors’ products, such as Symantec’s, but ZL Technologies gets poor marks for its sales and marketing budget.

Despite low investments in sales and marketing, Leong said his firm has a proven track record and has survived for 10 years.

“We’ve sustained profitability,” Leong said in an interview. “We’ve garnered enough resources to launch a challenge against Gartner without affecting our business.”

Still, the firm’s bad Magic Quadrant standing has resulted in losing customers and is making it difficult for the firm to increase sales, Leong said. In the interview, Leong cited a customer win in Asia where the customer was pressured by management to pull out of the deal as a result of the Gartner report. In other cases, the company is being immediately dismissed despite being praised in the report for its features and core capabilities.

“We can go head-to-head with the big guys, but now we’re not being invited to the party in the first place because of Gartner and that hurts the most,” Leong said.

My colleague Beth Pariseau wrote a blog entry at Storage Soup detailing the ZL Technologies lawsuit. In it, Beth asks readers: Does ZL have a point about the weight being given to a subjective report in technical purchasing decisions? Or is this a case of impugning an evaluative process because of a disliked outcome?

Michael Krigsman, CEO of software consultancy Asuret, Inc., wrote in a blog entry that the lawsuit does call into question the ties analyst firms have with vendors. Still, Gartner’s analysis could be subjective, he said.

Analyst research and reporting is not an exact science, which does lead to real or perceived conflicts of interest. The analyst industry can reduce potential conflicts by improving transparency around how it forms opinions and makes recommendations. … To increase transparency, analyst firms should also disclose their revenue relationships with vendors.

Unfortunately that could open a big can of worms. It’s a slippery slope that some say could erode the First Amendment. Increasing transparency by disclosing revenue relationships with vendors would somewhat erode the integrity of the product by suggesting that the analyst who wrote the report could be somehow persuaded to give a firm positive play for its investment in the analyst firm. I don’t doubt that there are some bad apples out there who cave in to pressure to alter their opinion on a product or service, but I’m willing to bet that the vast majority of industry analysts (many of whom I know are experts in their field) want to protect the integrity of their work and stay away from the financial side of the company they work for. After all, the quality and integrity of their analysis is how they gain respect.

Earlier this month Gartner analyst Thomas Bittman addressed the issue of analyst integrity in a blog entry appropriately titled: A Rant – My Integrity as an Analyst. Bittman, a vice president and distinguished analyst, has been with Gartner for more than 14 years.

I understand the impression in the marketplace that analyst firms can be bought. But that’s not where I work. My integrity is very important to me. I’m sure we’ll continue to make enemies of vendors, and bloggers who have a vested interest in one thing or another. Badge of honor! But my goal is to provide value to my clients, and to be proven right over time – priceless!


Oct 19 2009   10:34PM GMT

A good business model: Symantec reports on “scareware”

Posted by: Neil Roiter
Rogue Antivirus, Antivirus, antivirus software

Report finds cybercriminals well organized in coordinated rogue antivirus schemes.

Maybe we’ve made people too security conscious?

I’m being facetious, but if we hadn’t succeeded in scaring people straight into worrying about identity-stealing malware and phishing attacks, would so many fall for rogue antivirus scams? I confess, I’m more tempted to click “yes, please make my PC whole again” when I see a pop-up that looks even more like Windows Security Center than Windows Security Center does than I am to click a link to address a bogus issue with my bank account security or, certainly, to respond to a sales pitch for cheap Viagra or breast implants.

The “Symantec Report on Rogue Security Software” covering a year (July 2008-June 2009) of “scareware” paints an all-too-familiar picture of organized cybercrime that is…very well organized.

Consider that this is a direct pay model. You give the AV “vendor” your credit card number, paying anywhere from $30 to $100 for software that at best does nothing at all and at worst drops some really nasty malware on your hard drive. They’ll often use legitimate credit card transaction companies (it’s just good business practice) because phony transaction handlers are likely to be discovered and shut down.

The scareware vendors use networks of affiliates, who use dedicated websites, banner ads, spam and spyware to deliver the “YOUR PC IS INFECTED!! TO BE SURE YOU ARE FREE OF MALWARE, PURCHASE XPANTIVIRUS” message. According to the report, the affiliates get between a penny and 55 cents per installation, the highest payoffs going for drops on U.S. computers. Affiliates get a lot more if someone actually buys the rogue software.

Symantec received reports of 43 million attempts to install the more than 250 distinct examples of rogue security software it identified.

The report echoed many of the findings of Panda Security in a July report.


Oct 15 2009   6:18PM GMT

Is it time for security managers to get tough?

Posted by: Marcia Savage

With so many of the same security problems plaguing organizations year after year, it’s time to get tough, a health care security executive suggested Tuesday during a panel discussion at the Cornerstones of Trust 2009 conference in Foster City, Calif.

Connie Sadler, information security officer at Lucile Packard Children’s Hospital at Stanford, said some security challenges from 20 years ago continue today. Security managers started out as tough but became less so as systems became more distributed and employees did their own thing, she said.

“I think we’ve lost control,” Sadler said, suggesting a range of corrective steps, including whitelisting, better access controls, and punitive action such as fines.

“There’s no consequence for having a bad password,” she said. “Maybe there needs to be a consequence for not doing basic things…We need to introduce more discipline into our environment.”

But responding to a question from the audience, Sadler acknowledged that the tough approach needs to be balanced. “Don’t we need both the carrot and the stick?” asked security luminary Donn Parker.

“There does need to be a balance,” Sadler agreed. “People shy away from doing the right thing because they don’t have the knowledge… It comes back to us. We need to train people.”

The annual Cornerstones of Trust is co-hosted by ISSA’s Silicon Valley and San Francisco chapters and San Francisco Bay Area InfraGard.


Oct 15 2009   1:39PM GMT

Analyst calls Barracuda-Purewire deal proof of cloud dominance

Posted by: Robert Westervelt
cloud security services, Security Vendor News

Forrester analyst calls Barracuda’s acquisition of Purewire proof that cloud computing has gone mainstream.

Barracuda announced its acquisition of Purewire on Tuesday, and so far at least one analyst has been caught by surprise. Chenxi Wang of Forrester Research said Barracuda seemed skeptical of the cloud-based model of delivering security services during one recent briefing.

Despite Barracuda’s deep pockets, it’s unclear if it was the right partner for Purewire. In a blog entry, Wang said it’s unknown whether Barracuda has the ability to execute on its plans to integrate Purewire. She said Barracuda will still largely be an appliance vendor, since it will take time to iron out the changes needed to deliver services from the cloud.

Switching from selling appliances to selling services is a non-trivial change. Distribution partners who are used to pushing boxes have to be re-trained to sell services. Incentive models have to be changed to entice them to sell services, or new distribution partners have to be acquired. Barracuda will do well to bring in more experienced personnel in service marketing and sales.


Oct 15 2009   1:15PM GMT

Some Facebook applications lead to Russian attack sites

Posted by: Robert Westervelt
social networking flaws, Rogue Antivirus

Poor coding in some Facebook apps leads to websites pushing malware and rogue antivirus.

Security researchers at antivirus vendor AVG Technologies have discovered that faulty coding in some Facebook applications is being targeted by cybercriminals. Roger Thompson, chief research officer of AVG, cited several hacked Facebook applications that appear to be pushing Facebook users to Russian-based attack websites that push out malware and rogue antivirus software. In a blog entry, Thompson cited several examples and called the application developers victims, not the perpetrators of the attacks.

Initially, we thought that the applications were deliberately acting as lures, but it now seems to us that they are victims themselves. The difficult part for them will be to find and plug the hole that the DataSnatchers are using to hack the applications.

So far, about eight Facebook applications have been targeted by the cybercriminals. Most of the applications are games. Check out Thompson’s blog entry for the list. He warns that there could be more.


Oct 13 2009   10:07PM GMT

Microsoft record Patch Tuesday: Should flaws be counted?

Posted by: Robert Westervelt
patch management, patching

Security experts say counting patches is senseless.

Another Microsoft Patch Tuesday has come and gone, but this one has trumped June for setting a new record for the number of flaws patched by the software giant. There were 34 vulnerabilities fixed in 13 Microsoft Security Bulletins. Seeing 13 security bulletins, eight of them critical, didn’t faze me, and I’m not sure knowing that 34 vulnerabilities were repaired should faze any IT administrator. They care most about the initial bulletin rating and the relative threat risk each bulletin addresses.

This month I’m reminded of Eric Schultze’s recent column. Schultze, formerly of Shavlik Technologies, wrote a column for our friends at Threatpost.com: “Patch Counting: Horseshoes and Hand Grenades,” in which he explained what really should be considered when looking at Microsoft’s patches each month.

As a Systems Administrator, one thing is clear to me: if my users visit an evil website, their machines can be exploited. How do I rectify this? I can apply the suggested patch.
Do I care that there were eight different underlying flaws that would lead to the evil code execution? No.

Even Microsoft has taken a little heat for counting flaws. In this case, Microsoft counted flaws in Vista in 2007 to show how secure the OS has been made.

Perhaps Mike Shaver, vice president of engineering at Mozilla, summed the issue up best in 2007 in his post titled “Counting Still Easy, Critical Thinking Still Surprisingly Hard,” in which he was referring to a Microsoft report comparing vulnerabilities fixed in Internet Explorer to those repaired in Mozilla Firefox. According to Microsoft, IE was better since Mozilla repaired more vulnerabilities in the time period studied.

You can only count what a vendor wants you to see. … If Mozilla wanted to do better than Microsoft on this report, we would have an easy path: stop fixing and disclosing bugs that we find in-house. It is well known that Microsoft redacts release notes for service packs and bundles fixes, sometimes meaning that you get a single vulnerability “counted” for, say, seven defects repaired. Or maybe you don’t hear about it at all, because it was rolled into SP2 and they didn’t make any noise about it.