OpenDNS hires Websense CTO to guide enterprise DNS security services

DNS services provider OpenDNS has hired away the chief technology officer of security vendor Websense Inc. and is laying the groundwork for a variety of DNS layer security services and products aimed at enterprises.

Dan Hubbard, who spent 14 years at Websense, is planning to build out OpenDNS’ security product portfolio. Hubbard played a significant role at Websense, building the Websense Security Labs and the company’s classification engine, which is at the heart of its security products. The engine is used to filter out malicious websites, block spam and phishing attacks and is also at the core of Websense’s content filtering technology.

Hubbard confirmed his departure this week. A Websense spokesperson said the company is already reshuffling executives to fill the CTO role. Charles Renert, an expert noted for his work with Symantec Security Labs and founding Determina, was promoted to vice president and will assume Hubbard’s responsibilities in the interim.

It’s going to be extremely interesting to see how OpenDNS’s enterprise security plans unfold under Hubbard’s guidance.

I spoke to Hubbard at a reception at RSA Conference 2012 where he exuded a lot of enthusiasm for his new gig at OpenDNS. Hubbard said there’s a potential for a whole new range of security technologies that take advantage of being in the DNS layer. The company, which launched in 2005, already provides malware protection for its users by blocking outbound botnet communications at the DNS layer. It also maintains PhishTank, the largest clearinghouse of phishing information on the Internet. OpenDNS has 12 data centers that handle DNS requests, but also have been collecting threat intelligence data for years. Combining threat intelligence with the ability to keep track of individual IP addresses opens up an interesting set of capabilities for protecting laptops and mobile devices.

The company already has a broad set of users of OpenDNS Enterprise, which provides inbound and outbound protection and is application-, operating system-, protocol- and port-agnostic since it is essentially cloud-based at the DNS layer. The company has been pushing itself as an extra layer sitting between the Internet and enterprise firewalls and antivirus technology at the endpoint. There are some built-in reporting capabilities providing data on attacks and malicious websites that were blocked by the service.

Hubbard’s move to OpenDNS and the company’s security strategy caught the eyes of at least two prominent security luminaries: Dan Kaminsky and Paul Vixie, who attended the reception. Last year, Kaminsky briefly shared with me his vision of what DNS-based security technologies can do. He believes a broad range of technologies can be built out leveraging DNSSEC architecture for authentication and establishing trust in Internet communications. It could provide a much needed injection of trust into the Internet, which has been evaporating in recent years because of a variety of issues, including breaches at SSL Certificate Authority vendors and well known weaknesses in the digital certificate system itself. Vixie has also publicly shared the potential of adding security to the DNS layer.

It was hard, however, to find the enthusiasm for OpenDNS from others at the RSA Conference. The first thing that comes to mind with OpenDNS is its consumer products that enable parents to shield porn and other websites from their children.

Several industry analysts and other security professionals I spoke to were too wrapped up in their own respective areas of expertise, but a few people said they share Kaminsky’s passion for the long-term potential of DNS-layer security technologies.

OpenDNS CEO David Ulevitch told me the company already has the foundation in place to provide a wide variety of security services. He said it just has to execute on its strategy and provide a convincing argument that enterprises can get value out of having security at the DNS layer.

Struggling to maintain compliance amidst conflicting priorities

Government and businesses – and individuals – often have competing priorities when it comes to information security and privacy, and those competing priorities are reflected in the multitude of ever-expanding compliance regulations in the U.S. IT pros are struggling to in light of these competing priorities and, from my vantage point sitting in on GRC sessions at RSA Conference 2012 this week, they are pretty stressed out.

Unfortunately, panelists speaking about hot topics in law and compliance at RSA Conference 2012 appeared to have little hope for a resolution to the tension anytime soon.

Panelist Benjamin T. Wilson, general counsel and senior vice president of industry relations for SSL certificate authority DigiCert Inc., called the tension between government and individuals/businesses a “megatrend” that’s overriding the compliance regulationsbeing written or modified in 2012. Regulators are torn between individuals and businesses: each want access to all kinds of information, but also want all their own information kept private.

Add in the many and varied regulations of other countries, who are themselves attempting to regulate how data is stored or transmitted, and the job of compliance manager becomes that much more difficult.

Today’s compliance and risk managers are riding the uncomfortable megatrend of tension between access to data and protection of data. Is it a thankless job?

Microsoft Azure outage apparently triggered by leap year glitch

Microsoft’s Azure cloud service suffered a worldwide outage that started Tuesday and was apparently triggered by a timing miscalculation for the leap year. The company was continuing to work on Wednesday to resolve the Azure outage, which continued to affect some customers.

Microsoft said it became aware of an issue impacting the service management component of Azure at 5:45 p.m. Pacific Time on Tuesday.

“The issue was quickly triaged and it was determined to be caused by a software bug. While final root cause analysis is in progress, this issue appears to be due to a time calculation that was incorrect for the leap year,” Bill Laing, leader of the Azure engineering team, wrote in a blog post.

Microsoft created a fix and deployed it to most of the Windows Azure sub-regions, which restored the Azure service to most customers by 2:57 a.m. PST on Wednesday, he said.

“However, some sub-regions and customers are still experiencing issues, and as a result of these issues they may be experiencing a loss of application functionality. We are actively working to address these remaining issues,” he said.

In an email statement, a Microsoft spokesperson said some customers in three sub-regions – north central U.S., south central U.S. and North Europe – remained affected late Wednesday afternoon. Customers might have issues with Access Control 2.0, Marketplace, Service Bus and the Access Control & Caching Portal, which could result in loss of application functionality, the spokesperson said.

Windows Azure Storage was not impacted, according to Microsoft.

UPDATE: Microsoft reported Thursday at 10:13 a.m. Pacific Time that the Azure service disruption was completely resolved.

Joe Security is pwned: Are security defense technologies working?

RSA Conference 2012 feels like a big ol’ group therapy session. Small circles of friends, larger circles of industry peers, huddled masses freeing themselves of a collective weight on their shoulders. No longer do they have to lie to themselves, their colleagues or bosses. “Hi, I’m Joe Security and I’m pwned!” They’ve come to grips with the fact that it’s OK to say security technologies suck, networks are compromised and attackers are winning.

OK, that last part has always been part of the dialogue. But the other two have only been whispered in the past. Now it’s being shouted at networking events and even from the big keynote pulpit here in San Francisco. Legacy investments in signature-based antivirus, intrusion detection and other detection technologies don’t serve the industry as well as they used to. Signature updates can’t keep up with the evolution of malware. And most attacks are too targeted or too stealthy, or both, to warrant signatures for the masses. It doesn’t work anymore and everyone’s free to say it without repercussion.

Granted, Art Coviello, RSA Security’s chief executive, has a vested interest in shouting it the loudest, but he made a good, encapsulating point during his keynote yesterday: “We have to stop being linear thinkers, blindly adding new controls on top of failed models. We need to recognize, once and for all, that perimeter-based defenses and signature-based technologies are past their freshness dates, and acknowledge that our networks will be penetrated. We should no longer be surprised by this.”

There’s a lot of whispering now about bringing big data concepts to security. Your resume had better soon include some business analytics experience if you wanna be tomorrow’s CISO. You’d also better figure out how to harness all that data your security gear spits out and learn how to baseline “normal” network behavior and address anomalies. And oh yeah, you better know how to talk to your executives about security.

Selling them your initiatives based on fear is so five years ago. You better learn your business, how it makes money, and how to deliver metrics that address not only bottom-line impact, but how the customer experience is affected, how internal processes need to reflect security and how you’re articulating security to the company to turn everyone into an advocate for you.

Journalists and analysts like tipping points and landmarks because it makes it easier for us to articulate our stories to readers. Most of the time those tipping points and landmarks are made up; not this time though. There’s a definite change in the air and some tangible direction for the industry. Let’s see how we did about this time next year.

RSA 2012: Former NSA director warns of economic cyberespionage threat

The Cloud Security Alliance Summit at the RSA Conference 2012 got off to an entertaining start Monday with a keynote from an unlikely entertainer: Mike McConnell, former NSA and national intelligence director. McConnell had the crowd laughing with stories of his grandchildren and old times with Colin Powell, but he segued into a serious message: The country isn’t doing enough to address the threat of economic cyberespionage.
The U.S. is the “most digitally dependent nation” and its competitive advantage is its innovation, creativity, research and development, he said. “That information is regularly being taken from us,” added McConnell, who is now vice chairman at Booz Allen Hamilton.

McConnell didn’t point fingers at any country, but said some nation states make it a policy to conduct economic espionage and capture intellectual capital. “We are moving very slowly to address these threats. …We don’t have a cyberdefense capability on a global scale,” he said.

The country needs to establish a policy for what the NSA can do to protect the nation in cyberspace, he said. “The industry is going to have to accept some level of regulation.”

“The economics of cloud computing are compelling,” McConnell said. “It will happen. We need to address privacy, business interests and the national security dimension.”

Other highlights from the CSA Summit:

The CSA announced an “innovation initiative” to help speed development of cloud security by identifying key issues related to security that block the adoption of next-generation IT, documenting guiding principles that IT innovators should address, and incubating IT solutions that align with CSA principles.

Interestingly, the initiative includes not only a working group within CSA, but a for-profit entity that will work with innovators. Innovators don’t have to use CSA assistance in developing their technology, but can have a CSA working group assess its value.

The CSA also is starting a research project into SLAs and is looking for volunteers. The goal is to develop standards around SLAs – something no doubt many cloud users would appreciate.

Kaspersky buys out equity firm; keeps security company private

CANCUN, Mexico — Kaspersky Labs cofounder and chief executive Eugene Kaspersky announced today that the Russian security company will not pursue an initial public offering in the forseeable future and will buy back the shares it sold to a private equity firm brought in 13 months ago to pursue an IPO.

In January 2011, General Atlantic bought 20% of Kaspersky, valued at about $200 million, from Eugene Kaspersky and his ex-wife Natalya. GA was brought in at the time to seek acquisition opportunities and set Kaspersky Lab up for an initial public offering.

“It’s quite a big deal, the biggest deal of my life,” Kaspersky said at the Kaspersky Security Analyst Summit 2012. “The company will stay private and stay focused on IT security.”

Kaspersky said the main motivation for the buy-back was the preservation of the company culture.

“IT security has to be flexivble and innovating. My impression is that being private is the right way because you don’t need to report [finances],” Kaspersky said. “I like the way company is going and the spirt of the company. To change their basic design, I’m afraid is dangerous. We are not going to change our ways, spirit, culture, emotion or strategy.”

Kaspersky said he could see the company branch beyond its core consumer and enterprise antimalware expertise. The company has a worldwide stable of security researchers with offices in 29 countries. Kaspersky said the company is profitable (less than 20% year over year growth), and promised to remain as transparent as possible in its financial disclosures.

“[If public], there are much more reports and governance and a longer decision-making process,” Kaspersky said. “I have the same feeling that I read in Richard Branson’s book that when you go public, the company goes slower. I don’t want that.”

Faith in webmasters’ security rewarded-kinda

CANCUN, Mexico — Kaspersky Labs senior security researcher Stefan Tanase knows all about the old adage “You never know until you ask.”

Tanase conducted an experiment recently where he emailed the webmasters of 100 websites infected with malware informing them of the problem asking in return only for some data on the infections in the form of log entries. What Tanase got in return was a big fat zero, as in no replies.

Undeterred, Tanase said Wednesday during the Kaspersky Lab Security Analyst Summit 2012, that he emailed another 200 and actually got a 3% reply rate time on his second attempt.

“The assumption I made is that webmasters don’t know their sites are infected,” he said. “The reality is that webmasters don’t care if their sites are infected.”

Tanase said he knows 52% of his emails reached their destination; 48% bounced back to him.

Of the three percent who did reply, one came from a monestary and a priest who asked for help in cleaning up the websites and under what conditions. Another respondent came from an advertising agency that wasn’t interested because the infected site in question was an old site no longer in use. Another, from an industrial equipment supplier, said they didn’t have a dedicated IT person on staff, but offered to send Tanase an administrative username and password and wondered if he could help–a major security fail.

The experiment, however, wasn’t a total bust; 3% may have replied, but upon a second scan, 5% had removed the malware from their sites.

“They may not have replied,” Tanase said, “but they did clean up their site.”

Typosquatter hive targets holiday shoppers

Every year the holiday season is a boon to typosquatters using scams to phish unsuspecting users of sensitive information or peddle rogue antivirus software.

By Hillary O’Rourke, Contributor

With the hassle of finding the best deal and coping with the constant crowds, online shopping has never been more popular for the holiday season. But with that ease comes a warning from Websense: keep an eye out for online scams, particularly typosquatted sites.

Researchers at security research company Websense, Inc. are warning online holiday shoppers of typosquatted online domains, domains that cybercriminals have registered that are virtual but malicious copies of familiar sites in hopes of taking advantage of those who misspell the URL.

Websense researchers have claimed they’ve recently found more than 2,000 typosquatted online domains set up. Websense published a list of domains it found as part of a network of typosquatters, attempting to pose as a legitimate UK brand-name sites.  Websense said it has a “list of hundreds of hosts that are part of a typosquat hive (the hive itself contains thousands of hosts), and all of them are hosted in the US. We call it a hive because all of the listed hosts have a connection, and were most likely set up by the same cybercriminals.”

Researchers are also claiming that although the brand names may be spelled correctly in the domain, cybercriminals have created sites with the “.org” or “.net” domain suffixes as well. They added that they’ve seen a recent influx of these fraudulent domains in preparation for the holiday season.

The attackers often use these websites in fake emails and phishing sites in an attempt to lure consumers to claim online coupons. After a user clicks on the provided link, a pop-up shows up in another window with a different offer.

It’s important to remember that legitimate websites and the companies behind them sometimes employ a strategy of buying typosquat hosts that are similar to their site’s name. This is a good strategy for successful websites, as those companies usually understand the dangers of typosquatting and how their brand name can be affected and abused. Kudos go to Amazon, which registered a good number of potential typosquat hosts, including aqmazon (dot) com, amaxzon (dot) com, amzon (dot) com, and many more. These are all GOOD hosts registered by Amazon itself, leaving no chance for abuse as long as they remain registered to Amazon.

Typosquatting is used to quickly gain advertising revenue from sites receiving a high volume of accidental traffic. More recently, however, it’s often more about collecting as much information as the cybercriminals can get. With the holiday season in full swing, cybercriminals should expect to see success in both of those areas.

As the Websense says, it’s all “to ensnare the unaware.”

Nitro attackers sending malicious emails using Symantec report

By Hillary O’Rourke, Contributor

The cybercriminals responsible for the Nitro attacks have certainly showed audacity in their latest move: Sending malicious emails claiming to be from security vendor Symantec with the company’s own report on those Nitro attacks.

According to a Symantec blog post, the group, which is currently targeting chemical companies, is using the same social engineering techniques they have used in previous attacks, but lately they have been sending malicious emails that are created to look like they were sent by Symantec’s technical support department.

“They are sending targets a password-protected archive, through email, which contains a malicious executable,” explained Symantec researchers keeping a close watch on the group’s attack techniques. “The executable is a variant of the Poison IVY and the email topic is some form of upgrade to popular software, or a security update.”

The security vendor originally exposed the gang in a report released on Nov. 1 on the Nitro attacks that began in July and lasted until September. Those attacks also involved emails carrying a variant of the Poison Ivy backdoor and were specially crafted for each targeted company. According to the blog post, they are still using the same hosting provider for their command and control (C&C) servers.

The Symantec blog post explains one of the emails ‘offers protection from “poison Ivy Trojan’!”

The fraudulent emails come with an attachment called “the_nitro_attackspdf.7z” with an archive containing a file called “the_nitro_attackspdf.exe.” According to the blog post, the large space between “pdf” and “.exe.” is to trick a user into thinking the attachment is a PDF.
When the attachment is opened, the executable creates a file called Isass.exe, more commonly known as Poison IVY, and then creates a PDF file that is none other than Symantec’s Nitro Attacks whitepaper (PDF).

“The attackers, in an attempt to lend some validity to their email, are sending a document to targets that describes their very own activity,” Symantec said.

Symantec launches mobile security evaluation, app assessment services

Security assessment reviews an organization’s mobile security policies and technologies, evaluating the mobile security posture against a set of 15 core elements.

Symantec’s consulting team is launching a mobile security assessment service, designed to assess a business’ mobile security policies and defensive technologies.

The new service is an extension of the Symantec Security Program Assessment. Symantec created a Mobile Security Framework that is designed to evaluate how a business addresses mobile device security from a governance, intelligence and infrastructure perspective. Among the 15 core elements that make up the framework are policies, standards and awareness, asset inventory and ownership, application security and monitoring and reporting metrics.

Symantec’s mobile assessment service is one of many available to enterprises. Security vendors have been quick to offer a variety of mobile services and products because businesses have been inundated with employees bringing in personal devices that they expect to connect to the corporate network. For example, McAfee, Verizon Business, IBM and other firms provide a variety of consulting services that can evaluate security programs and more specifically, an organization’s mobile security posture. Experts have been touting ways to write effective mobile security policies to address the influx. Technologies are available to address policy enforcement across platforms and control access to sensitive data.

In an interview with SearchSecurity.com, Franklin Witter, manager of security business practices at Symantec, said his consulting team will use a series of surveys, workshops and interviews to understand the organization’s risk tolerance and practices and technologies already in place. “We want to understand the business use case for mobile technology in the enterprise,” Witter said.

The goal is to lay out a security plan that addresses the strengths and weaknesses inherent in each mobile platform, Witter said. Organizations will get a better understanding of the gaps in their current state of maturity.

Witter said Symantec clients that have undergone a full security program assessment have been asking for a more focused mobile evaluation. “Our advisory team takes a product agnostic approach,” Witter said. “We’re not solely focused on Symantec products.”

The Symantec Mobile Security Assessment Suite costs about $40,000. Organizations that undergo the review are given a final written report and scorecard illustrating the organization’s mobile security readiness. The report also provides recommendations and an action plan to address existing gaps.
Mobile Application Assessment Service

Symantec also rolled out an application assessment service designed to test mobile apps for a variety of coding errors that could lead to data leakage or a costly data breach. Witter said the testing will be offered in either a white-box or black-box testing. The cost of the evaluation will depend on the scope of the project, he said.

The application assessment service has been operating for about a year. Symantec is seeing an increase in businesses designing custom applications for either employee use or for their customers.

The assessment can identify issues with authentication and authorization, data validation, session management, encryption, auditing and logging and the business logic of a mobile application. It can be performed in conjunction with a penetration assessment to provide a more deeper view of vulnerabilities.