Security Bytes

May 12, 2009  3:32 PM

Survey: ATM/debit fraud on the rise

Marcia Savage

More than 80% of financial-services managers said they expect ATM/debit card fraud attempts to increase this year, a survey finds.

A recent survey by Actimize has some noteworthy findings, once you get past the parts that are geared to promote the vendor’s antifraud and risk management software.

Of the 113 financial-services managers polled (admittedly not a very big sample), 40% said ATM/debit fraud claims grew by double digits in 2008 compared to 2007. A whopping 80%-plus said they expect ATM/debit card fraud attempts to increase this year, and almost 35% expect an increase of between 10% and 14%. Survey respondents represented retail banking, card issuers and payment processors.

More than 55% of the respondents predict U.S. card fraud to increase when Canada adopts chip and PIN, which Actimize said is expected to “reach critical mass” by 2010. Almost half said they expect fraud perpetrated by customers themselves — not outsiders — to increase this year.

Actimize’s survey also asked a lot of questions about the impact of mass compromises of payment card data, such as the Heartland breach. Such breaches hit financial firms in three main areas, said Jasbir Anand, fraud product manager at Actimize: overall costs, call center volume and a decrease in customer confidence.

Forty-eight percent of those surveyed said less than 1% of compromised accounts actually experience fraud, and almost 15% said that 20% of the cards they reissued after a mass breach were for accounts that never saw any actual fraud. The cost of reissuing a payment card can range from $3.50 to $30, Anand said, making the cost of reissuing cards out of proportion to actual fraud losses.

I know some credit unions, in the wake of the Heartland breach, acknowledged that reissuing cards was costly, but they also said it was the right thing to do for their customers. A spokesperson at Washington State Employees Credit Union, which had to reissue about 4,000 affected debit and credit cards, said it wasn’t acceptable to see if something happened to the cards before reissuing them.

May 12, 2009  12:24 PM

Software delivery could fix software patching issues

Robert Westervelt

When was the last time you considered the state of your vendor relationship? Are they doing anything behind your back?

Google recently presented the results of its study touting that users of its Chrome browser are far more likely to have the latest version installed, because Chrome includes a silent update feature that automatically checks and installs the latest version with virtually no user interaction.

Software updates have become ubiquitous across applications, regardless of their purpose. Sometimes the user must check for a new version, but more often an automated process checks for an available update and then prompts the user to approve its installation.

I must admit that like many users, when I am moving quickly on a task, I’ll sometimes delay an application update for another time. But keeping that update process silent, without the user’s knowledge, strikes me as putting security ahead of the user. If I want to surf the Web without antivirus protection, I will do so. If I want to remain on version 1.x instead of 1.5, I want the ability to have that choice. When was the last time you got into an automobile and an automatic seat belt swung into place? Admit it, the auto industry caught on. Even though seat belts could save a customer’s life, automatic seat belts are a thing of the past. They were too intrusive, resulted in less choice for the driver and passenger, and ultimately, I bet they hurt sales.

Mozilla’s Johnathan Nightingale got it right when he said Mozilla prides itself on giving its users information. “We make certain choices, like telling users when security updates happen, and not automatically upgrading users to new ‘major’ versions … because we think it’s important to give our users that information and choice,” he said, explaining his take on the Google study.

Software as a Service and cloud computing services could dramatically change the discussion around patching. But perhaps more important are the questions that remain unanswered. Marcus Ranum, CTO of Tenable Network Security Inc., asked the following two questions:

  • Why are we running software that is so bad it constantly needs patching?
  • Since the “security researchers” have been saying for 15+ years that their bug-hunting activities are part of “making software better,” can we declare that effort to be a failure, yet?

It’s possible that if the industry starts to adequately address the issues within the software development lifecycle, the patching discussion will become a moot point. Bruce Schneier said something several times at the 2009 RSA Conference that stuck in my mind: Cloud computing is about trust. Do you trust your vendor? I suspect we are trusting our software and hardware vendors to a certain extent. By downloading a piece of software or buying an electronic device, we are engaging in a relationship. The fact is, by making software updates silent, the vendor is doing something behind our back. That begins to call the relationship into question. Isn’t that when relationships have a tendency to fail?

For now, I’ll happily continue to put off my software updates until they’re convenient for me. And yes. I wear a seatbelt.

May 1, 2009  5:11 PM

Panda goes light on client, heavy into cloud

Neil Roiter

Feeling stuffed, sluggish? Oh, it’s not you? It’s your PC suffering from a bad case of AV bloat. How many thousands of antimalware definitions can it take? How many updates? (Remember when your AV vendor recommended downloading updates at least once a week — or was it even once a month?)

Small wonder antimalware vendors are seriously looking to cloud-based detection, taking the burden off your poor laptop’s memory, CPU and grinding hard drive.

The latest idea, coming from Panda Security, is a free thin-client product that analyzes potential malware on execution, not on the PC but in the cloud, where the resources of PandaLabs Collective Intelligence determine whether it is malicious or benign and direct the client to allow or block execution accordingly.

“It’s getting more and more cumbersome to deal with large signature files and pushing those out to everybody,” said Forrester analyst Jonathan Penn. “We’ve seen the hockey stick graphs with thousands of new virus strains a month. Pushing into the cloud instead — assuming some level of network connectivity — makes a lot of sense.”

The cloud approach is not unique to Panda. Most of the leading AV vendors have some similar component: If the desktop engine — using whatever combination of traditional signatures, behavioral analysis, host-based intrusion prevention, application control, etc. — encounters a file it can’t assess, it ships its telltale traits in some sort of hash off to the Big Lab in the Sky for analysis by the vendor’s analog to Panda’s Collective Intelligence.

The cloud’s capacity — unlike your PC — is unlimited.

But the unique and really intriguing aspect of Panda Cloud Antivirus, released in beta this week, is the thin client aspect. Users install the client (you have to uninstall your current AV, which probably rules out your corporate laptop as a test machine), and, Panda tells us, you’re protected in real-time.

It’s not clear where Panda plans to go with this eventually; they’re holding that close to the vest. At the very least, Cloud Antivirus will increase the flow of potential malware samples to their cloud-based detection, improving its effectiveness. The target community, for now, is sharp end users, including IT and security professionals, who can give them some significant feedback.

(I’ll nervously, at first, run it on my home PC and back it up with Spybot and Malware Bytes Antimalware on-demand scans to assure myself. I expect serious security people, not journalist-poseurs like me, will get deep under the hood to see what’s really happening on their test computers.)

“Panda recognizes they can benefit from a broad consumer footprint,” said Penn. “Consumer PCs are kind of the front line in the fight against malware. They’re going to detect things first, they’re more likely to be the target of attack. More attacks will actually get through to them.”

Panda said Cloud Antivirus will utilize a third of the RAM of traditional desktop products and have about half the average performance impact.

The thin client notion is not unique to Panda, though it’s arguably taking the lead among vendors. McAfee has a thin client product, VirusScan TC (ThinClient), which is pitched as a small-footprint, low-bandwidth alternative, especially for remote users on slow connections.

And, last September, researchers at the University of Michigan, Ann Arbor, proposed a service provider/network-based approach using a thin client and multiple detection engines (“Rethinking Antivirus: Executable Analysis in the Network Cloud”). They used a thin client to ship thousands of malware samples through eight AV products and two behavioral analysis tools. The individual AV products’ detection rate ranged from about 55% to 87%, but the combination of all detected more than 96% of all the malware.

Using a bunch of different AV engines may not be a practical solution, but the thin client model is valid, especially when one considers the constant flow of information into the cloud and the resources any given vendor can throw at the problem.
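To make the cloud-lookup model concrete, here is an added example in Python. It is not Panda's code and not the Michigan researchers' code: a thin client hashes a file on execution and asks a back end that fronts several engines with a verdict cache, and a helper computes each engine's detection rate and the combined (union) rate over a constructed sample set, the same arithmetic the Michigan study reports. The engine names, their signature sets and the sample bytes are constructed for illustration, and the fail-open/fail-closed switch is my assumption about the decision a client must make when Penn's "some level of network connectivity" is missing.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Digest the file bytes; the digest, not the file, is what leaves the endpoint."""
    return hashlib.sha256(data).hexdigest()


# Constructed corpus: short byte strings stand in for executables. None of this is real malware.
MALICIOUS = {f"mal{i}": f"MZ worm-variant-{i}".encode() for i in range(1, 11)}
BENIGN = {"calc": b"MZ calculator", "notepad": b"MZ notepad", "ssh": b"ELF ssh client"}


def digest_set(names, corpus):
    return {sha256_hex(corpus[n]) for n in names}


# Constructed signature sets: which of the ten samples each hypothetical engine already knows.
ENGINES = {
    "engine_a": digest_set(["mal1", "mal2", "mal3", "mal4", "mal5", "mal6"], MALICIOUS),
    "engine_b": digest_set(["mal3", "mal4", "mal5", "mal6", "mal7", "mal8", "mal9"], MALICIOUS),
    "engine_c": digest_set(["mal1", "mal2", "mal8", "mal9"], MALICIOUS),
}


class CloudService:
    """Back end: a verdict cache in front of several engines, keyed by file digest."""

    def __init__(self, engines):
        self.engines = engines
        self.cache = {}
        self.engine_runs = 0  # cache misses, i.e. how often the engines were consulted

    def verdict(self, digest):
        if digest not in self.cache:
            self.engine_runs += 1
            hits = sorted(name for name, sigs in self.engines.items() if digest in sigs)
            self.cache[digest] = ("block", hits) if hits else ("allow", hits)
        return self.cache[digest]


class OfflineCloud:
    """Stand-in for a laptop with no network: every lookup fails."""

    def verdict(self, digest):
        raise ConnectionError("no route to cloud")


class ThinClient:
    """Endpoint side: hash on execution, defer the allow/block decision to the cloud."""

    def __init__(self, cloud, fail_open=False):
        self.cloud = cloud
        self.fail_open = fail_open  # assumed policy knob, not a Panda setting

    def on_execute(self, data: bytes) -> str:
        digest = sha256_hex(data)
        try:
            decision, _engines = self.cloud.verdict(digest)
        except ConnectionError:
            # With no cloud reachable, an unknown binary either runs or it does not;
            # the thin-client model has to pick one, and fail-closed is the safer default.
            return "allow" if self.fail_open else "block"
        return decision


def detection_rates(engines, malicious_corpus):
    """Per-engine detection rate plus the rate of the union of all engines."""
    bad = digest_set(malicious_corpus.keys(), malicious_corpus)
    rates = {name: len(sigs & bad) / len(bad) for name, sigs in engines.items()}
    combined = set().union(*engines.values())
    rates["combined"] = len(combined & bad) / len(bad)
    return rates


if __name__ == "__main__":
    client = ThinClient(CloudService(ENGINES))
    for name, data in list(MALICIOUS.items()) + list(BENIGN.items()):
        print(f"{name:8s} -> {client.on_execute(data)}")
    print(detection_rates(ENGINES, MALICIOUS))
```

With these constructed sets no single engine gets past 70%, while the union reaches 90%; mal10, which none of them knows, is the false negative every signature-based scheme, cloud or not, still has. The cache also shows why consumer endpoints matter to the vendor: the first client to execute a new file is the one that pays for the engine run, and every later client gets the cached verdict.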

April 23, 2009  8:33 PM

LogLogic-Exaprotect deal reflects SIEM-log management bond

Neil Roiter

It’s not exactly a surprise that LogLogic acquired Exaprotect. The two partnered up in February to add Exaprotect’s SEM engine as a module riding atop LogLogic’s log management/analysis platform.

The pending deal, announced Wednesday at RSA, is something of an indication that the log management and SIM/SEM/SIEM markets are becoming too closely integrated to distinguish. (Pick your acronym. At RSA this week, Forrester’s John Kindervag suggested “SIRS” — Security Information Reporting System, suggesting that these tools’ primary value was in reporting and compliance, rather than security).

In the end it’s all about collecting and analyzing information analysts can use for compliance, operational efficiency, forensics, and, maybe, security.

Regulatory compliance, particularly PCI, has driven sales of both log management and SIEM, transforming log management from a niche market to something of a must-have. Major SIEM vendors like ArcSight, seeing these hungry upstarts doing well, were quick to spin off separate log management products or modules to get a piece of the action.

Meanwhile, log management vendors have had some SIEM-like capability, a sort of SIEM Light. It makes sense that LogLogic is building on its success to provide a fuller package. Along with the SEM offering, the company announced a database monitoring and auditing module (partnering with an unnamed DB monitoring partner) and Compliance Manager, automating compliance approval workflows and review tracking.

The Exaprotect acquisition also brings in Solsoft Change Manager, providing configuration management capabilities, which will round out the LogLogic package nicely for both compliance and operational control once the products are integrated.

April 23, 2009  4:19 PM

Security bloggers, podcasters get day in sun

Michael Mimoso

These days, you can’t log onto Twitter or do a Google search without crashing headfirst into something information security related. Security pros have embraced social networking in a big way, and they’re contributing a lot more to the blogosphere and Twitter arena than updates on where they’re having lunch.

Any of you who contribute or follow the active members of the security blogosphere probably know of the Security Bloggers Network. The network generally meets face-to-face at events such as RSA with a get-together known as the Security Blogger Meetup. Last night’s meetup featured the first presentation of the Social Security Awards, which recognized the best security blogs and podcasts. Alan Shimel of StillSecure, Rich Mogull of Securosis and Martin McKeay, who hosts the Network Security Podcast with Mogull, hosted the awards portion of the night; Jennifer Leggio, a longtime journalist and social media blogger, did a lot of the legwork to organize the event. A panel of journalists did the judging — and yes, a good time was had by all.

Winners were recognized in five categories:

April 17, 2009  2:56 PM

Citrix XenApp may seem complex, but streamlines security management

Robert Westervelt

Editor’s Note: Eric Ogren, a frequent contributor to, is guest blogging today. Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. He can be reached by sending an email to

Citrix Systems’ XenApp can appear complex, but it could boost security by centralizing applications in the data center.

Citrix Systems’ XenApp, its flagship application delivery product line, can appear to require a complex chain of moving parts that can be difficult for prospects to understand. However, existing customers that are saving operational expenses consolidating data centers may also find improvements in the latest version of XenApp to manage user authentication and access control and conduct application auditing as a result of delivering applications from fewer virtual data centers.

Citrix announced improvements to XenApp last month. The latest release is focused on integrating the components of XenApp to enable existing customers to more easily expand the use of Citrix throughout the enterprise.

The primary security benefits of hosting applications in the data center are well known: data remains in the protected data center, where it is easier to secure, and the risk of data loss through insecure endpoints is dramatically reduced, allowing the business to embrace a variety of user-friendly devices such as smartphones and shared devices. Applications are patched and upgraded in a centralized, controlled environment, reducing the risk of skewed software configurations.

  • Consistent authenticated access control to applications: The Citrix account authority consolidates administration of authentication, application access controls, single sign-on and user profiles. Users authenticate once to the data center, where IT can then use single sign-on techniques to automate authentication to individual applications and virtual desktops. The immediate benefits of this approach are a reduced security risk from extraneous user accounts and passwords and lower help desk costs for password support, while making it easier for users to run business applications.
  • Transparent auditing of application access and transactions for compliance: Citrix SmartAuditor works with XenApp 5 to log application access and record activity for compliance with regulatory requirements. Auditing may be difficult to achieve when applications are distributed throughout the enterprise, but it becomes more reasonable as applications are hosted in fewer data centers.
  • Achieve Network Access Control functionality without additional NAC products: The main feature of NAC is to ensure user desktops are configured according to security policy before granting access to applications. This normally includes checks for endpoint security software, but can also include checks and remediation for custom software. IT provides users with secure virtual desktops that are compliant with the latest releases of software and up-to-date security software. XenApp 5 can stream the entire virtual desktop to the endpoint if the user needs to work disconnected from the network or needs to compensate for unreliable network performance. By packaging virtual desktop images with the most up-to-date software that has been pre-scanned for malicious code, IT gets the cost-savings benefits of automated NAC features without having to deploy additional products.

The concentration of hosted applications and virtual desktops in the data center is a concept that delivers incremental security benefits in the fundamentals of user identity management, controlling application access, managing the integrity of software configurations and auditing business activity. This is in addition to the operational benefits of efficient administration, equitable service to users and lower operating expenses. As you plan to virtualize more applications and increase the density of applications per server, be sure to also look at opportunities to streamline security services and plug security gaps in user and device management.

April 16, 2009  10:07 PM

Proof the Conficker worm is not a major threat

Robert Westervelt

Kaspersky Lab researchers found a small number of unique IP addresses on the peer-to-peer network, suggesting the worm isn’t as large as previously thought.

It seems that Conficker/Downadup isn’t all that it was cracked up to be. Dennis Fisher of Kaspersky Lab confirms what some have been suspecting all along: The Conficker botnet is much smaller than security researchers originally believed. An analysis by Kaspersky Lab researchers found “200,652 unique IP addresses on the P2P network, which comprises machines that are infected with the latest variant of Conficker,” according to Fisher’s post.

In a blog post, Kaspersky Lab virus analyst Georg Wicherski wrote that “only a fraction of the nodes infected with earlier variants have been updated with new variants.” Wicherski used a custom application to monitor the network. He noted in his post that Brazil and Chile stand out as having the largest numbers of P2P nodes.

Back in January I wrote about my access to TippingPoint’s ThreatLinQ service, which is available to TippingPoint IPS customers. The ThreatLinQ data I saw suggested to me the threat wasn’t a major one. ThreatLinQ is essentially a portal that shows global threat data caught by TippingPoint DVLabs’ IPS filters. It can rank threats on a global scale and by country. It also shows how other TippingPoint customers are using their IPS and what is being blocked by default.

The time period I had a view of the global Conficker data was Jan. 26/27. This was a time period when most security researchers said Conficker infections had peaked and some, including researchers at F-Secure, noted the botnet could be as large as 10 million machines.

At the time, TippingPoint’s IPS honeypots ranked attempts to attack the Microsoft RPC vulnerability at No. 5 of all threats globally. It wasn’t even close. Attempted attacks were in the hundreds of thousands, versus the MS-SQL Slammer/Sapphire worm, which was picked up globally more than 32 million times in TippingPoint’s honeypots.

I noted that Brazil, Chile and some countries in Asia and Eastern Europe seemed to have the most Conficker infections. They were countries where software piracy is rampant and machines are not likely to get the MS08-067 RPC patch.

Conficker may have been a worm that fascinated researchers because it spread so quickly, but once the spotlight was shined on it, it sputtered out. Why? The Conficker Working Group appeared to have a good handle on this one and perhaps their efforts to disrupt the worm from receiving its orders worked. Researchers told me the P2P method of receiving its orders is just too slow for Conficker to be a major threat.

April 14, 2009  1:37 PM

Twitter worm attack highlights social network flaws

Robert Westervelt

A worm attack designed by a 17-year-old hoping to promote a rival social network wreaked havoc on Twitter, but also highlighted the importance of finding and repairing Web application flaws.

A 17-year-old hacker claimed responsibility for attacking the Twitter microblogging service, crippling thousands of accounts with a worm designed to promote his social network.

The worm spread by combining social engineering with a Web application flaw. The hacker first tricked users into clicking on a link to a rival social network. Rather than infecting the machine, the page exploited a cross-site scripting error so that script ran in the victim’s browser with the victim’s Twitter session, and it used that session to broadcast the malicious link to other users.

The attack was another example of the threat against social networks, where users post data that could be harvested and potentially valuable on the black market. Users of Facebook, MySpace and other social networks have been targeted by phishing attacks serving up malware designed to steal address books and other sensitive data. Experts say it’s easy to be duped by a malicious link or fall victim to Web application attacks within social networks.

In a message to Twitter users, the company’s co-founder Biz Stone said the attack was similar to the Samy worm, which spread on MySpace. “No passwords, phone numbers, or other sensitive information was compromised as part of these attacks,” Stone wrote in a blog entry.

The attack began at 2 a.m. on Saturday. It spread for about 3.5 hours until Twitter’s security team could identify and eradicate the worm. About 90 accounts were compromised. A second wave compromised another 100 accounts. Attacks continued with another wave on Sunday and again on Monday prompting the security team to delete about 10,000 tweets that could have continued to spread the worm.

“Every time we battle an attack, we evaluate our Web coding practices to learn how we can do better to prevent them in the future,” Stone said. “We will conduct a full review of the weekend activities. Everything from how it happened, how we reacted, and preventative measures will be covered.”

The attack is a reminder of the need to address Web application errors now, so developers of these applications clean up their poor coding practices. The OWASP Foundation has taken the lead on spreading the word to developers and companies using Web applications about the importance of security. But volunteers can’t do it all on their own. At some point social networks may need to band together to mop up coding errors and guard against attacks in a coordinated manner. They owe it to their customers, who have remained loyal even in the face of ongoing threats.
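As an added illustration, in Python and not Twitter's code or the worm itself, here is a toy profile service that shows why the two-step trick above works and what stops it. A vulnerable renderer concatenates the stored profile field straight into the page, so a payload planted in one profile executes in every viewer's session and copies itself into the viewer's own profile, the Samy pattern. An HTML-encoding renderer leaves the same stored text inert. The payload string, the users and the browsing order are constructed, and the `<script>` substring check stands in for a real browser parser.

```python
import html

# Constructed worm body: the real thing is script that, running in the viewer's session,
# rewrites the viewer's own profile to contain itself. This string only stands in for it.
PAYLOAD = "<script>copySelfIntoViewerProfile()</script>"


def render_vulnerable(about: str) -> str:
    """Bug: the untrusted profile field is concatenated straight into the page."""
    return "<div class='about'>" + about + "</div>"


def render_hardened(about: str) -> str:
    """Fix: HTML-encode the field so the browser shows it as text and never parses it as markup."""
    return "<div class='about'>" + html.escape(about, quote=True) + "</div>"


def browser_executes_script(page: str) -> bool:
    """Crude stand-in for the browser's parser: a literal <script> tag in the page runs."""
    return "<script>" in page


class ProfileService:
    """Server side: stores profile text per user and renders it for whoever views it."""

    def __init__(self, render):
        self.render = render
        self.about = {}  # user -> stored profile text

    def set_about(self, user: str, text: str) -> None:
        self.about[user] = text

    def view(self, viewer: str, target: str) -> bool:
        """`viewer` loads `target`'s profile page. Returns True if the worm ran."""
        page = self.render(self.about.get(target, ""))
        if browser_executes_script(page):
            # The script runs with the viewer's logged-in session and uses it to
            # write the payload into the viewer's own profile: one more carrier.
            self.about[viewer] = self.about[target]
            return True
        return False


# Constructed browsing sequence: who looks at whose profile, in order.
VISITS = [("alice", "attacker"), ("bob", "alice"), ("carol", "bob"),
          ("dave", "attacker"), ("erin", "carol")]


def simulate(render, visits=VISITS) -> int:
    """Replay the visits against a service using `render`; count profiles carrying the payload."""
    svc = ProfileService(render)
    svc.set_about("attacker", "Check out my new site! " + PAYLOAD)
    for viewer, target in visits:
        svc.view(viewer, target)
    return sum(1 for text in svc.about.values() if PAYLOAD in text)


if __name__ == "__main__":
    print("vulnerable renderer:", simulate(render_vulnerable), "infected profiles")
    print("hardened renderer:  ", simulate(render_hardened), "infected profile")
```

Note that the hardened run still reports one carrier: the attacker's own stored text. The fix lives at the output boundary, not in the database, and the substring check here is far more forgiving than a real browser, where attributes and event handlers are vectors too; encoding for the exact output context is what takes the self-propagation out of a stored XSS.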

March 30, 2009  8:23 PM

CISOs seek frugal ways to secure systems

Robert Westervelt

It is budget cutting time. Companies in all industries are looking for ways to save money in a down economy. Security analysts say companies are slowing ongoing projects and delaying others signaling the acceptance of more risk.

Security pros who attended the two-day SecureWorld Expo on March 25-26 in Boston learned about a number of ways to keep sensitive systems locked down while trimming their already tightening budgets.

Candy Alexander, CISO at Long Term Care Partners LLC, urged attendees of her session, “Security compliance program on a shoe string budget,” to develop a framework using guidelines outlined by NIST. Alexander said NIST would be a cheaper source than the ISO standard. Although the benefits of ISO over NIST, or vice versa, are debatable, ISO is also not a widely adopted standard in the U.S., she said.

While much of the information doled out during the 45-minute presentation was basic, it certainly could serve as a starting point for some security pros looking for ways to keep systems secure despite a tightening budget. The most important piece of the talk: Know your data. Know where it is. Know how it flows through your systems. It’s so simple, yet time after time I hear that many data breaches happen because an attacker found a hole in a database that IT didn’t even know existed.

A friend who works for a major university in Massachusetts told me that in the first few weeks on the job he followed the basic steps of identifying the most sensitive information, where it was and how well it was protected. During the process he found a database containing thousands of credit card transactions in a small office off one of the university’s dining facilities. It had been there for years. Few knew it was there and those that did — dining facility staff with little technical expertise — didn’t realize the data residing on it was so sensitive.

Having a sound security policy and enforcing that policy was also one of the takeaways from the expo. Although it’s another fundamental part of being a security professional, we’ve heard countless times that some organizations have policies that they downloaded off of a website and rarely refer to them or educate end users about them. Charles Cresson Wood, a consultant at InfoSecurity Infrastructure Inc., a Mendocino, Calif.-based consultancy, gave the SecureWorld keynote, urging those listening to rethink their security policies. If an organization’s policies don’t align with business objectives, they should be rewritten with that in mind, Wood said.

Wood advised attendees to conduct an annual risk assessment tying it into the company security policies. He said some of the best security programs also create an environment that fosters higher security standards among employees. Management plays a big role, he said.

Finally, an information security officer tag team of Leilani Lauger of Loyola University and Morey Straus of NHHEAF Network Organizations tackled ways CISOs can do their job frugally. Straus said CISOs can consider managed security services and should also take a look at the company’s existing contracts with third-party vendors. Some of them may be able to be renegotiated at a cost savings, he said. Straus said CISOs can also help foster the culture of valuing information security by acting “less as a cop and more like a guide.” Lauger said security pros should also design training programs that are interesting and replace outdated posters and material with fresh content on a regular basis. Send out security messages in multiple forms, not just weekly email messages or security posters, she said.

March 4, 2009  8:33 PM

Cisco’s email services — They hadda’ do it

Neil Roiter

I’ll throw in my nickel’s worth (two cents just isn’t worth anything) on Cisco’s announcement that its IronPort email security — long available in a series of top-shelf appliances — would be offered as a managed service.

This was a necessary, even defensive move for Cisco, when you look at it from a market perspective. Email security as a service, which has been very popular among SMBs, is getting more traction among enterprises as they look at which tasks they can offload comfortably without violating or changing security policy.

The hybrid approach may be particularly appealing to enterprises. It’s one of three options, along with a hosted model in which the appliance is managed in a Cisco data center and a managed service in which Cisco manages boxes on the customer’s premises. The hybrid approach takes the chore of managing inbound filtering off the enterprise’s shoulders while letting the customer keep control over outbound data for DLP and encryption. It’s relinquishing that outbound piece that often makes enterprise security managers’ blood run cold.

SaaS, on the other hand, does more than take over the administrative chores and the care and feeding of more boxes on your network. Pay-as-you-go pricing lets you treat email security as an operating expense. Laid off 1,000 people? Ratchet down. Good times coming? Ratchet back up. Consider whether your email security vendor can offer that kind of flexibility or comparable value if you are looking to move to a services model.

Cisco isn’t offering any new security capabilities, but to my way of thinking, if I were a vendor (thanks, but no, I prefer poverty) I’d want to tell my customers they can get the same level of security whether they buy appliances or contract for services — and IronPort appliances are considered first-rate.

So, Cisco had to start offering their email security as a service. Symantec acquired a full-blown leading SaaS vendor in MessageLabs, in addition to its own appliance and software options. Symantec already offers a stronger DLP combo than Cisco, through its acquisition of Vontu, but IronPort offers more formidable Web security.

McAfee, another big security competitor, applied some considerable pressure when it bought rival Secure Computing, which in turn had gotten into the email security business by acquiring CipherTrust. McAfee also offers a hosted service option and a mix-and-match of hybrid combinations (the major appliance vendors also offer virtual appliances, which Symantec says may already account for as much as 20% of its appliance business).

Proofpoint, one of the increasingly rare major independent pure-play email security vendors, offers both appliances and hosted services.

This is getting down to the nitty-gritty. The email security market is pretty well consolidated, both on products and service-based options. SaaS vendors like Google and Symantec’s MessageLabs are gobbling up SMB contracts. At the high and mid-high ends of the market, in particular, competitors are going to have to offer a mix of very robust options at attractive prices.
