Security Bytes

September 9, 2009  8:04 PM

Reuters: Obama ready to select cyber security czar

Robert Westervelt

Reuters reported Wednesday that Frank Kramer, a former assistant secretary of Defense under President Bill Clinton, is the lead candidate, according to an unidentified source.

Citing sources close to the matter, Reuters reported today that President Barack Obama is expected to name a security coordinator “in the next week or two.”

U.S. chief technology officer Aneesh Chopra told reporters at a technology conference on Wednesday that he had interviewed candidates for the position, and that a coordinator would be named in the not too distant future.

Reuters calls Frank Kramer, a former assistant secretary of Defense under President Bill Clinton, the lead candidate. If so, the choice signals an international focus on cybercrime. Kramer has been involved in international affairs since the 1970s and turned his attention to technology as a research fellow at the Center for Technology and National Security Policy, part of the National Defense University, which studies national security policy and military planning as they relate to technology.

Obama announced the creation of a White House senior cybersecurity coordinator position in May. Since then a number of names have surfaced as candidates for the position, including former Republican U.S. Congressman Tom Davis. Several top cybersecurity officials have also stepped down since then, including Melissa Hathaway, Obama’s top adviser on cybersecurity, who spearheaded the 60-day review that helped shape the administration’s position. Last month Mischel Kwon, the director of US-CERT, the Department of Homeland Security’s computer emergency readiness team, also resigned.

While it has taken more than three months to name a person to the position, experts say it will take years to realign and coordinate all the different facets of the job, let alone set priorities that result in bolstering federal cybersecurity.

September 8, 2009  8:35 PM

Mozilla helps Adobe push out faster patches

Robert Westervelt

Mozilla is coming to the aid of third-party vendors whose components are used in its popular browser.

Mozilla is releasing a new feature in Firefox that will warn users of the popular browser that their Adobe Flash plug-in is out of date.

The changes will come to the upcoming releases of Firefox 3.5.3 and Firefox 3.0.14.

Mozilla’s Human Shield, Johnathan Nightingale, announced the new feature in a blog entry last week:

Our intent is to get the user’s attention, and direct them to the Adobe website where they can download the most up to date version. For users who are already running the latest version, or who don’t have the Adobe Flash Player installed, the page will look very much like what they would normally see after a Firefox security update.

Nightingale said Mozilla hopes to provide similar checks for other third-party plug-ins in the future.
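To make the mechanism concrete, here is an added example of the kind of check Nightingale describes, written for this post rather than taken from Mozilla’s code. It reads a plug-in list in the shape the browser exposes (name and description strings, where Flash reports itself as “Shockwave Flash 10.0 r32”), parses the version numerically and compares it with a minimum; the minimum used here is a placeholder for the example, not Adobe’s actual current release. Numeric parsing is the point: a plain string comparison ranks “9.0 r159” above “10.0 r32”.

```javascript
// Added example of an outdated-plug-in check; not Mozilla's own implementation.
// Accepts both dotted versions ("10.0.32.18") and Flash's plug-in description
// format ("Shockwave Flash 10.0 r32"), returning an array of integers.
function parseVersion(text) {
  const m = /(\d+(?:\.\d+)*)(?:\s*r(\d+))?/.exec(String(text));
  if (!m) return null;
  const parts = m[1].split('.').map(Number);
  if (m[2] !== undefined) parts.push(Number(m[2]));   // "10.0 r32" -> [10, 0, 32]
  return parts;
}

// Numeric, component-wise comparison returning -1, 0 or 1. Missing trailing
// components count as zero, so "10.0.32" equals "10.0.32.0".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error('unparseable version string');
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Placeholder threshold for this example, not Adobe's actual current release.
const MIN_SAFE_FLASH = '10.0.32';

// `plugins` mirrors the shape of navigator.plugins entries: objects with a
// `name` and a `description`. Returns 'not-installed', 'outdated' or 'current'.
function flashStatus(plugins, minSafe = MIN_SAFE_FLASH) {
  const flash = Array.from(plugins).find(p => /shockwave flash/i.test(p.name || ''));
  if (!flash) return 'not-installed';
  const installed = parseVersion(flash.description || flash.version || '');
  if (!installed) return 'outdated';      // cannot tell; treat as unsafe
  return compareVersions(installed.join('.'), minSafe) < 0 ? 'outdated' : 'current';
}

// Constructed plug-in lists standing in for navigator.plugins.
const SAMPLE_PLUGINS = {
  old:     [{ name: 'Shockwave Flash', description: 'Shockwave Flash 9.0 r159' }],
  current: [{ name: 'Shockwave Flash', description: 'Shockwave Flash 10.0 r32' }],
  none:    [{ name: 'QuickTime Plug-in 7.6', description: 'QuickTime' }],
};
```

One caveat worth noticing: the description string only carries three components (major, minor, revision), so a minimum given with a fourth component such as a build number will mark every installation as outdated. Compare at the granularity the plug-in actually reports.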

Adobe has been under fire of late for its patching processes. The software maker has had a slew of updates over the last year as attackers targeted holes in its popular PDF reading software and its Flash player in drive-by attacks.

Last month, Mickey Boodaei, the CEO of security vendor Trusteer, criticized Adobe after a review of more than 2 million Trusteer users found that nearly 80% of Flash users were still running a flawed version of the browser component two weeks after Adobe released the patch.

By default, Adobe set its Flash component to check for a new version every 30 days, resulting in a patching delay when a security update is issued. Adobe has an extremely large install base, so setting the update check to every day or every week could overburden its servers and cause even more problems.

September 8, 2009  7:49 PM

Security industry remains resilient to tough economy

Robert Westervelt

A new survey from Gartner Inc. confirms what industry analysts and experts have said over the last year and a half: the security industry is resilient to the tough economy.

Gartner is predicting a slight increase in security spending in 2010. A survey conducted in April and May of 1,000 IT professionals showed security software budgets expected to grow by about 4% in 2010, outpacing all other areas of infrastructure software. Security services budgets are expected to grow nearly 3%.

“In the current highly uncertain economic environment, with overall IT budgets shrinking, even the modest spending increases indicated by the survey show that security spending accounts for a higher percentage of the IT budget,” said Adam Hils, principal research analyst at Gartner. “Security decision makers should work to allocate limited budgets based on enterprise-specific security needs and risk assessments.”

Specific areas that could expect spending growth:

  • Security information and event management (SIEM)
  • e-mail security
  • URL filtering
  • user provisioning

In June Gartner said increased interest in managed security services is driving much of the growth in the specific areas above as well as the reliance on third-party compliance consulting and vulnerability audits and scans.

At the time, Hils told me security budgets were pretty flat in 2009 while IT budgets were in decline. Companies are buying from a single security vendor offering a suite of products rather than from niche players. Spending on firewalls and intrusion prevention systems remains strong, especially where encryption and data leakage prevention are being done, Hils said earlier this summer.

Still, I wrote a story talking about some security pros having trouble navigating an increasingly competitive security job market. Perhaps the move to managed security services has enabled some firms to cut on-site security jobs.

Salary expectations need to come down as well, so we’re not signaling an all-clear for the security industry. A 4% security spending increase, as stated above by Gartner, is a standard or even slightly substandard increase. The economy has taken its toll across the board.

September 4, 2009  12:49 PM

TJX thrives following breach, bucks sour economy

Robert Westervelt

The message to those who have been watching TJX closely since its massive data breach: You can survive and even thrive following a massive breach.

Retailers have been struggling over the last year or so following a precipitous economic decline, layoffs and most Americans holding on to their wallets, buying items that are needed rather than wanted. But the Framingham, Mass.-based retailer has bucked the trend. It’s at the top of a short list of retailers reporting strong results – very strong results, reports the Boston Globe’s Steven Syre in a column today.

Syre’s column points out that TJX has had six – yes six – straight months that same-store sales were above results for the same period in the previous year.

That performance has created a boom in TJX shares this year. After a steep decline during the last five months of 2008, the company’s stock has soared 73% so far in 2009. Yesterday shares gained 92 cents to close at $35.75. The stock stands just $1.25 below its all-time high. … For now, TJX is the best story retailing has to sell.

The massive data breach in January 2007 that exposed at least 45.7 million credit and debit card numbers to possible fraud is a distant memory. Other breaches, most notably the massive breach at Heartland Payment Systems, have displaced TJX as the data breach poster child.

What does TJX have to show for its breach, its incredibly weak Wi-Fi and its inability to detect an intrusion for months? Lawsuit settlements. Those settlements were likely paid out and cushioned by its insurance policies. The latest settlement, $525,000 to settle a lawsuit by several financial institutions (AmeriFirst Bank, HarborOne Credit Union, SELCO Community Credit Union and Trustco Bank), is a drop in the bucket.

All the lawsuits appear to be getting settled out of court, and that usually benefits one side: the defendant. There was $9.75 million to settle a lawsuit brought by attorneys general from 41 states. Up to $40.9 million to cover costs related to the breach for Visa card issuers. How much has actually been paid so far? We don’t know.

All in all, looking at one of the most massive breaches in history, it’s difficult to say that companies should spend millions on new technology to defend their data. Defense in depth? Yes. Security fundamentals? Yes. Millions on the latest and greatest security technology? That’s a hard sell.

August 26, 2009  9:21 PM

Apple adds malware scanning to Snow Leopard

Robert Westervelt

Ryan Naraine of ZDNet’s Zero Day blog writes this week about Apple’s decision to add a malware scanner to Snow Leopard, the next version of its OS.

Apple has quietly added a new Snow Leopard feature to scan software downloads for malware, a no-brainer move that coincides with a noticeable spike in malicious files embedded in pirated copies of Mac-specific software.

Apple is not immune to hackers and never was. Although the risk of being attacked remains lower than on Windows XP, the risk of infection has risen to a level at which Apple decided it needed to do something about it. Clearly this should be taken as a positive development for Apple fans. Anyone who plans to surf the Web, download files and be connected to the Internet in any way should have some kind of protection in place. As Ryan points out in his blog entry, Apple has already recommended third-party antivirus software.

August 26, 2009  4:45 PM

ConSentry Networks’ demise underscores changing nature of NAC market

Neil Roiter

The somewhat quiet news that ConSentry Networks has gone out of business is more bad news for the independent network access control (NAC) market and underscores the struggles of a handful of pure-play independent vendors — Nevis Networks and Vernier Networks were the others — that took similar approaches.

The trio were notable for their strong post-connect monitoring and enforcement, and fine-grained policy controls around identity-based NAC. All offered appliances, and ConSentry and Nevis also sold NAC-enabled switches. Vernier slipped quietly away a couple of years ago and tried to reinvent itself as Autonomic Networks, focusing on NAC for compliance auditing. It closed in February. Nevis went bankrupt and sold its assets to Aviram Networks in May. Aviram has resurrected the business, still as Nevis Networks.

(Two other NAC vendors, Caymas and Lockdown Networks shut their doors in the last couple of years. Remaining independents include StillSecure, InfoExpress, Bradford Networks and ForeScout Technologies.)

NAC, the next big thing a few years ago, has not yet developed into the huge market it was expected to be. Gartner pegs it at $221 million this year. Venture capitalists have sunk more than $550 million into the NAC market, including $9.4 million for ConSentry in January, according to the Wall Street Journal.

With all the major security and network infrastructure vendors offering some sort of NAC capability, focusing primarily either on the endpoint (Microsoft, Symantec, McAfee, Trend Micro, Sophos, etc.) or the network (Cisco Systems, Juniper Networks), the indications are strong that NAC will be subsumed rather than persist as a market. My colleague Eric Ogren noted in his April column, “Gartner gets NAC wrong, again,” that there was no NAC exhibition category for vendors at RSA and that enterprises should be thinking in terms of features of infrastructure products rather than separate tools.

ConSentry, Nevis and Vernier may be the poster children. For all their impressive capabilities, they may have been selling into a market that didn’t exist. The vast majority of companies are still concerned primarily with basic guest access control and pre-connect endpoint hygiene, particularly for remote users (and you should generally be able to get that basic piece from your VPN).

Most companies don’t have the kind of granular role-based access control policies that would be a good match for the identity-centric monitoring and enforcement ConSentry et al. offered. Those that do would likely prefer to work with their network vendor (Cisco more often than not) through the admittedly slow-to-develop and somewhat painful process of embedding NAC in the infrastructure, while working through their endpoint security vendor on the client side. In particular, the ConSentry and Nevis switch-based options, while perhaps the right place to put NAC, were never going to make a dent against established network equipment vendors, and were doomed for the most part to spot deployments in special scenarios.

August 25, 2009  12:46 PM

Serious IFrame attacks spread Trojan cocktail

Robert Westervelt

Security researchers at Web security services vendor ScanSafe have tracked a successful IFrame attack infecting nearly 55,000 website pages with code that infects victim machines with a Trojan downloader that installs a potent mixture of malware.

Mary Landesman, a senior security researcher at ScanSafe, said the IFrame is responsible for loading additional exploits and malware from up to seven different malware domains.

A Google search on the iframe script tag returned 54,900 hits. The victim sites include a number of charitable and nursing facilities.
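The telltale in this kind of compromise is an iframe appended to the page that is hidden, tiny or points off-host. The scanner below is an added example written for this post, not ScanSafe’s tooling; it works over raw page source the way a crawler or web gateway would, and the sample page and the injected host (a reserved .invalid name) are constructed, not one of the real malware domains.

```javascript
// Added example of a drive-by iframe scanner; not ScanSafe's tooling. Runs over
// page source as text (no DOM), which is what a crawler or web gateway sees.
// The sample page and the injected host (.invalid TLD) are constructed.
const HIDDEN_STYLE = /display\s*:\s*none|visibility\s*:\s*hidden/i;

// Pull name="value", name='value' and name=value pairs out of one tag.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
  }
  return attrs;
}

// Flags iframes whose src is off-host, whose box is 0 or 1 pixel, or which are
// hidden by inline CSS. Returns one finding per suspicious tag.
function findSuspiciousIframes(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    const reasons = [];
    let host = null;
    if (a.src) {
      try {
        host = new URL(a.src, pageUrl).hostname;   // resolves relative src against the page
        if (host !== pageHost) reasons.push('third-party src');
      } catch (e) {
        reasons.push('unparseable src');
      }
    }
    const w = parseInt(a.width, 10), h = parseInt(a.height, 10);
    if ((!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1)) reasons.push('zero-size');
    if (a.style && HIDDEN_STYLE.test(a.style)) reasons.push('hidden by CSS');
    if (reasons.length) findings.push({ src: a.src || null, host, reasons });
  }
  return findings;
}

// Constructed page: one legitimate same-origin iframe, one injected at the end of body.
const SAMPLE_HTML = `<html><body>
<h1>Donate</h1>
<iframe src="/widgets/map.html" width="400" height="300"></iframe>
<iframe src="http://injected.invalid/in.cgi?3" width=1 height=1 style="visibility:hidden"></iframe>
</body></html>`;
```

Any single reason is only a heuristic (legitimate tracking pixels are also 1x1 and off-host), so in practice you would score on the combination and on how many pages across a site share the same foreign src, which is exactly the pattern the Google search above exposes.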

Last year, security researchers believed the Russian Business Network (RBN) was involved in a scheme that corrupted hundreds of thousands of websites with IFrame redirects.

July 2, 2009  12:02 AM

Card security a costly fix, according to Aite study

Marcia Savage

Aite Group, a Boston-based research and advisory firm, on Wednesday issued a report with some interesting findings on what folks in the industry think it will take to secure payment cards. Respondents to a survey the firm conducted at the MasterCard Risk Symposium in Miami last month expect it will cost around $100 billion to fix card security in the U.S. Sixty-seven percent of survey participants expect card issuers to foot that whopping bill. Now, the report is based on a rather small sample, 29 people, but it carries weight because most of those people are heads of risk management for issuing banks or payment processors.

So exactly what will it take to improve card security? Ninety-two percent of those surveyed by Aite Group believe end-to-end encryption across the card network will have a high impact in reducing card fraud losses within the next three years, according to the report. More than two-thirds of respondents see DLP technologies as helping to reduce card fraud. Fewer see a move to EMV architecture (an industry standard for chip-based payment cards) as having a big impact, but Aite Group researchers figure that may just be because most don’t see it happening very soon in the U.S. Those surveyed said a decision to shift to EMV in the U.S. is likely at least five years away, and 36% don’t believe it will ever happen.

June 19, 2009  12:46 PM

What is a browser? Video may change your security training strategy

Robert Westervelt

If a major piece of your security strategy revolves around employee training, the following video might be a major setback. Many security pros pride themselves on the amount of training they give their employees. But I wonder, is it all for naught?

A Google employee took a camera and microphone onto the streets of New York City to find out if non-techies knew what a browser is and the results were astounding. Less than 8% of those interviewed knew. And these guys don’t reside in an assisted living facility or a 55 and over community. Many of them could have Facebook accounts and even Twitter handles.

After watching the following video, I wonder, how would I begin a security training program if many of my employees don’t know what a browser is? Phishing sounds like a foreign language and malware sounds like a bad word. Maybe the next generation will have a better understanding. But how long can we wait?

June 18, 2009  9:48 PM

Cligs URL shortening flaw highlights social networking ills

Robert Westervelt

Could flaws in social networks send the Internet spiraling out of control?

A flaw discovered in the URL shortener Cligs last weekend demonstrates the fragility of the social networking ecosystem and how dangerous it could be.

Cligs competes against TinyURL and the other services that dominate link shortening on Twitter; it is recognized as the fourth most used link shortener on Twitter. On Monday, Cligs acknowledged the flaw, calling it a security hole in its editing functionality:

The attack edited most URLs on Cligs to point to a single URL hosted on an outside site. I’ve identified the hole and disabled all cligs editing for now and I’m restoring the URLs back to their original destination states.

Lucky for Cligs that whoever discovered the gaping hole only forwarded visitors to a news story and not to a porn website or an attack page. According to the blog post, 2.2 million URLs were affected.

Phishing attempts (“Twishing”), Tweetspam and even Twitter worms are being tracked by the major security vendors. Sammy Chu of Symantec Security Response said today that the vendor has detected fake Twitter invitations that carry a malicious mass-mailing worm. The messages appear as if they have been sent from a Twitter account.

This is all very close to spiraling out of control. Attackers are latching on to Twitter, MySpace, Facebook and others and using them to spread malware and harvest data. In a recent interview I had with security expert Lenny Zeltser, he said these short bursts of information, 140 characters on Twitter, don’t raise any eyebrows on their own. But combined with hundreds and in some cases thousands of other posts, the data could be used in a social engineering attack and could in fact harm businesses.

What can be done? To avoid being duped by malicious shortened links, Graham Cluley, a security consultant with UK-based security vendor Sophos who was the first to blog about the Cligs hack, urges people to run a plug-in that expands shortened URLs before they are clicked.
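What such a plug-in does underneath is follow the shortener’s redirect without rendering anything, and the Cligs incident shows why the expansion itself needs care: the redirect target can be changed under you, can chain through further redirects, or can point at a non-HTTP scheme. The function below is an added example written for this post, not Cligs’ code or the Sophos plug-in; the HEAD-request step is injected so it runs offline against a constructed redirect table, and the short.example and news.example hosts are placeholders.

```javascript
// Added example of "expand before you click"; not the Cligs service's code nor
// the Sophos plug-in. `head` is injected so the function runs offline; in real
// use it would issue an HTTP HEAD request and return { status, headers: { location } }.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function expandShortUrl(shortUrl, head, maxHops = 5) {
  const hops = [shortUrl];
  let current = shortUrl;
  for (let i = 0; i < maxHops; i++) {
    const res = head(current);
    const location = res.headers && res.headers.location;
    if (res.status < 300 || res.status >= 400 || !location) {
      return { final: current, hops, ok: true };     // no further redirect
    }
    let next;
    try {
      next = new URL(location, current);             // resolves relative Location headers
    } catch (e) {
      return { final: current, hops, ok: false, reason: 'malformed Location header' };
    }
    if (!ALLOWED_SCHEMES.has(next.protocol)) {
      return { final: next.href, hops, ok: false, reason: 'non-http scheme' };
    }
    if (hops.includes(next.href)) {
      return { final: next.href, hops, ok: false, reason: 'redirect loop' };
    }
    hops.push(next.href);
    current = next.href;
  }
  return { final: current, hops, ok: false, reason: 'too many redirects' };
}

// Constructed redirect table standing in for a shortening service and its targets.
const FAKE_RESPONSES = {
  'http://short.example/abc':   { status: 301, headers: { location: 'http://news.example/story' } },
  'http://short.example/chain': { status: 302, headers: { location: '/hop2' } },
  'http://short.example/hop2':  { status: 302, headers: { location: 'http://short.example/chain' } },
  'http://short.example/evil':  { status: 301, headers: { location: 'javascript:alert(1)' } },
  'http://news.example/story':  { status: 200, headers: {} },
};

function fakeHead(url) {
  return FAKE_RESPONSES[url] || { status: 404, headers: {} };
}
```

The returned hop list is what you would show the user, since the destination alone hides a chain through a second shortener. Using HEAD rather than GET keeps the expander from fetching the attack page’s body, though a hostile server is free to ignore the method, so the expander should never execute or render what comes back.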

But we can’t rely on the public to take action. And they shouldn’t have to. It probably would be difficult for any group or association to take the lead on ensuring the security of social networks, but these organizations may benefit by joining forces in some sort of social network cabal to hash out standards around security and privacy issues.

The good news is that security researchers seem to be on top of the threats and the alarm is being sounded. But why is it taking a group of concerned security researchers and experts to get Google to better secure its Web applications? Who inside the search engine giant or any of these websites are weighing the risks and deciding to let the dice roll on security?

Unfortunately it may take a catastrophic event to get any of the social media giants to take action. They owe it to their millions of users to act, and doing so may be the most prudent way of ensuring their longevity on the Web.

Now go and listen to this interview with Lenny Zeltser on social networking woes.
