Security Bytes

November 2, 2007  10:08 AM

and the debate over SaaS security, email confidentiality

Leigha Cardwell

Bill Brenner

Software as a Service (SaaS) is growing in popularity, and along with it comes the inevitable debate over its security implications.

Driving the debate is recent news about a security breach affecting clients of SaaS vendor, including Automatic Data Processing Inc. (ADP) — one of the nation’s biggest payroll and tax services providers — and SunTrust.

The Washington Post had an item on the incident a couple of weeks ago, reporting that a database of email addresses and names for SunTrust and ADP employees was pilfered from The data was apparently exploited for a phishing scheme urging would-be victims to download a .pdf in reference to an identity theft claim. Thousands of email addresses were reportedly compromised, and about 500 people apparently received phishing emails.

Arieanna Schweber writes in the Absolute Software Laptop Security blog that the issue at hand is not phishing, since it’s a fairly universal problem now, but whether or not people should be notified if their email address is compromised.

That said, I want to use this week’s column to solicit feedback not only on the question of whether compromised email addresses should be treated like compromised credit card and Social Security numbers, but on the issue of SaaS security in general.

First, a little background on SaaS, courtesy of my friends at and Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. SaaS is becoming an increasingly prevalent delivery model as underlying technologies that support Web services and service-oriented architecture (SOA) mature and new developmental approaches, such as Ajax, become popular. Meanwhile, broadband service has become increasingly available to support user access from more areas around the world. SaaS is closely related to the ASP (application service provider) and On Demand Computing software delivery models. IDC predicted SaaS would make up 30% of the software market this year and will be worth $10.7 billion by 2009.

Benefits of the SaaS model include:

  • Easier administration
  • Automatic updates and patch management
  • Compatibility: all users have the same version of the software
  • Easier collaboration, for the same reason
  • Global accessibility

The question for some is whether or not a SaaS vendor can secure those Web applications better than its clients could on their own.

Rational Survivability blogger Christofer Hoff believes in SaaS in general, but isn’t so sure using it means better security.

“I believe in SaaS [and] encourage its use if it makes good business sense,” he writes. “I don’t, however, agree that you will automatically be more secure.”

Hoff wisely notes that as SaaS adoption grows, driven by compliance, outsourcing, or efficiencies of a leveraged business model, we’re going to have to pay more attention to what it means to have our data spread out beyond the supposedly ironclad perimeter companies have spent so much time and money on.

“It means making sure your policies extend and are applicable outside the castle,” he writes. “It means potentially engaging a third party to test the assertions the company makes about their posture.”

The security breach is a good example of why this is necessary, Hoff says. There’s a secondary market for stolen data and once the information is loose, the lost trust can mean lost business, he notes.

The other question, of course, is whether email addresses should be treated as confidential data.

Schweber presented both sides of the argument in her blog entry: Some would argue that email addresses are available in the public sphere, she says, but others would argue that some remain private and that access to emails in list form increases the risk for phishing scams and potential identity theft incidents.

Jack Dunning, keeper of The Dunning Letter blog, writes that email addresses are just like Social Security numbers — everywhere and fairly easy to access.

“The big difference,” he says, “is the connection between the address and a company which lends it the necessary credibility, and that is why we need to begin to secure this medium before this newest hoax gets out of hand.”

What do you think? Can SaaS vendors provide their clients with better security? Should emails be treated as confidential data?

I ask the readers to opine.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at

November 1, 2007  7:14 PM

Cisco snaps up Securent

Marcia Savage

Cisco Systems on Thursday said it agreed to buy security software maker Securent for about $100 million.

Cisco described Securent’s policy management software as allowing enterprises to administer, enforce, and audit access to data, communications, and applications in heterogeneous IT environments.

“As enterprises shift to service-oriented architectures and adopt technologies such as unified communications and Web 2.0 based collaboration, there is a rising need for control over access to distributed enterprise resources,” Don Proctor, senior vice president of Cisco’s collaboration software group, said in a prepared statement.

Mountain View, Calif.-based Securent was founded in 2004 and has 57 employees with development operations in India. The deal is expected to close in the second quarter of Cisco’s fiscal year 2008.

Scott Crawford, research director at analyst and consulting firm Enterprise Management Associates, wrote in a recent report that the need to more closely manage resource access for more effective governance and risk management is spurring innovation in the identity management market.

He added that “the elaboration of XACML, the XML Access Control Markup Language, has factored centrally in the emergence of Securent’s distinctive entitlements management offering.”

November 1, 2007  4:10 PM

Bit9 releases top 10 vulnerable apps for 2007

Robert Westervelt

The folks at endpoint security vendor Bit9 Inc. of Cambridge, Mass., released their list of top vulnerable applications for 2007. Most of the apps on the list can be downloaded by users and many have updates making them more secure. We’ll probably see a number of security vendors come out with lists like this in the next couple of months.

  1. Yahoo! Messenger and earlier
  2. Apple QuickTime 7.2
  3. Mozilla Firefox
  4. Microsoft Windows Live (MSN) Messenger 7.0, 8.0
  5. EMC VMware Player (and other products) 2.0, 1.0.4
  6. Apple iTunes 7.3.2
  7. Intuit QuickBooks Online Edition 9 and earlier
  8. Sun Java Runtime 1.6.0_X
  9. Yahoo! Widgets 4.0.5 and previous
  10. Toolbar and previous

October 30, 2007  4:55 PM

McAfee buys ScanAlert

Marcia Savage

On the heels of its acquisition of SafeBoot, McAfee on Tuesday said it’s buying ScanAlert, a supplier of Web site security certifications, for $51 million.

Napa, Calif.-based ScanAlert audits and certifies the security of more than 75,000 Web sites. Its Hacker Safe certification is displayed by big-name brands like Guess and Petco. McAfee will integrate ScanAlert’s service into its SiteAdvisor Web rating system, which warns users about malware-infested or otherwise risky Web sites.

If certain performance targets are met, the deal will cost McAfee another $24 million. The acquisition is expected to close in the first quarter of 2008. McAfee will integrate ScanAlert into its Web Security Group.

Earlier this month, McAfee acquired data encryption and access control vendor SafeBoot for $350 million to boost its endpoint security product offerings. In a report, Andrew Braunberg of CurrentAnalysis wrote that the deal made sense from a product development direction but added that the price tag seemed steep.

Interestingly, while McAfee continues in an acquisitive mode, Braunberg recommended in a separate report that the vendor should seriously consider any offers to be acquired.

“With the recent acquisitions of RSA and ISS, the security market has entered a new phase of consolidation and appreciation by the larger IT infrastructure vendor community,” he wrote. “McAfee would be a smart acquisition for any number of players including identity management, systems management, or network management vendors. Again, while the possibilities are many, two examples are HP and Novell.”

October 30, 2007  8:31 AM

FTC: Beware of phishing attempts

Leigha Cardwell

Phishers are sending out fake messages from the Federal Trade Commission that drop malware onto the machines of users who click the malicious attachment.

In response, the FTC has issued a public warning to consumers not to open fraudulent emails made to look as though they come from its fraud department. The email says it’s from “” and has the FTC seal. Click on the attachment and you’ll download malware designed to steal passwords and account numbers, the agency warned.

“It’s a treasure trove for identity theft,” David Torok of the FTC’s Bureau of Consumer Protection told the Reuters news service. “We’re concerned. The virus that’s attached to the email is particularly virulent.”

The agency doesn’t know how many people found the email in their inboxes, but Torok confirmed the agency has received hundreds if not thousands of calls and complaints.

Recipients of the email are advised to forward it to, an FTC spam database used in its online fraud investigations.

October 29, 2007  7:47 AM

TJX court documents confirm earlier suspicions

Leigha Cardwell

I’m not surprised by court documents claiming that TJX blew it on nine of the 12 requirements of the PCI Data Security Standard (PCI DSS), which of course allowed hackers to break into its network and steal the credit card information of more than 94 million customers. PCI DSS auditors have been suggesting for months that TJX had failed on some of the core elements of the standard.

Several banking groups are suing the retail giant for all the money they were forced to spend re-issuing credit cards compromised in the security breach, and last week the plaintiffs filed a new batch of documents in Boston federal court claiming that, among other things, TJX violated PCI DSS by failing to properly secure its wireless network; failing to wall off parts of the network where sensitive data was stored from other parts of the network (popularly referred to as segmentation); and storing data that shouldn’t have been kept around in the first place.

That the latter issue was a factor in the breach is something PCI DSS auditors have been saying for some time.

Way back in March, Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting, said the breach offers some clear examples of the wrong way to treat sensitive data under the PCI DSS. At the very least, TJX violated the PCI DSS by storing unencrypted cardholder data, agreed James DeLuccia, an independent auditor based in Atlanta, Ga.

“Credit and debit card data is something the PCI Security Standards Council will be concerned about,” he predicted around the same time. “You’re not supposed to store that kind of data, and [TJX] had it online and unencrypted.”

The court documents also confirm another prediction the PCI DSS auditors made — that Visa and/or MasterCard would probably pelt TJX and its card processor with fines. According to one report on the court filings, Visa has already fined TJX’s card processor $880,000 and plans to collect more in the future.

When I interviewed the PCI DSS auditors for that March report, I got plenty of good advice on how retailers could avoid the same mistakes. The best advice, in my opinion, came from Joseph Krause, senior security engineer for Chicago-based AmbironTrustWave.

He said companies first have to get a fix on where customer data is on the network, where it travels and whether or not it’s encrypted.

“Understanding where the data is and where it goes is a challenge for some, but it’s a very important part of PCI DSS,” he said. “If you don’t know where your data is traveling and where it is stored, you can’t secure it.”

Krause also said companies have to be sticklers for network monitoring. “Usually when we see an environment for the first time, we find they are deficient in this area,” he said. “Just being able to help them understand which logs they need to have a close eye on, on a daily basis,” is a lot of work.

Finally, companies need to understand that there’s no single product or service that can alleviate an enterprise’s PCI DSS compliance woes. Every business and every network is different, and PCI DSS controls must be tailored to an organization’s particular make-up.

“I tell clients it’s not an easy process and it is an educational experience,” he said. “The requirements for every company on the path to PCI compliance are quite different. There’s no one-size-fits-all approach.”
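Krause’s first step, knowing where cardholder data sits and whether it is encrypted, is usually done with a discovery sweep. The following is an added example of that sweep, not code from the column or from AmbironTrustWave: it scans a constructed CSV export for card-length digit runs, keeps only those that pass the Luhn check, and reports each hit masked, because a finding of stored PANs must not itself become another copy of them.

```python
import re
from dataclasses import dataclass

# 13-19 digits, optionally split into groups by spaces or dashes, and not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every real card number satisfies; it filters out
    timestamps, order ids and other digit runs of card-like length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    source: str     # file or table the hit came from
    line_no: int
    masked: str     # first six and last four digits only; never log the full PAN


def mask(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(source: str, text: str) -> list:
    """Return a Finding for every Luhn-valid card number in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(source, line_no, mask(digits)))
    return findings


# Constructed sample of the kind of export an auditor finds sitting unencrypted
# on a share. The card column uses the public test numbers for Visa, MasterCard
# and American Express; the 14-digit order id and the altered last number are
# decoys that the Luhn check should reject.
SAMPLE_EXPORT = "\n".join([
    "order_id,customer,card,amount",
    "20071029123456,alice,4111 1111 1111 1111,59.99",
    "A1002,bob,5555-5555-5555-4444,12.50",
    "A1003,carol,378282246310005,250.00",
    "A1004,dave,4111111111111112,8.00",
])

if __name__ == "__main__":
    for f in scan_text("orders_export.csv", SAMPLE_EXPORT):
        print(f"{f.source}:{f.line_no}: stored PAN {f.masked}")
```

Pointing `scan_text` at real exports, database dumps and log directories gives the data-flow map Krause describes; anything it finds outside the encrypted cardholder environment is a PCI DSS storage violation to fix before an auditor or an attacker finds it.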

For more advice on how best to respond when your company is hit by data thieves, check out this story from last week’s data breach roundtable discussion at the Harvard Club in Boston.

And keep an eye on this week for another analysis we’re putting together on lessons from the TJX data breach.

October 26, 2007  7:45 AM

Windows admins unhappy over Automatic Update changes

Leigha Cardwell

Bill Brenner

A couple of weeks back, Windows expert Scott Dunn warned that the repair feature in Windows XP was knocked out of alignment when Microsoft silently deployed a batch of new support files for Windows Update (WU) in July and August. As a result, those who rely on XP’s repair function were unable to install 80 Microsoft patches.

It appears Microsoft’s Automatic Update services continue to do things without the permission of IT administrators, some of whom are venting about it in the blogosphere.

The latest report of auto update trouble comes from Dunn, associate editor of the Windows Secrets newsletter. In a new article on the Windows Secrets Web site, he reveals that installing Windows Live OneCare changes the settings of Automatic Updates without notifying users.

And so, he writes, “Windows has been mysteriously installing patches and rebooting itself, even though users had completely shut down the Automatic Updates function.”

Nate Clinton, a program manager with Microsoft’s product update team, denied in a recent blog entry that its software is to blame for the updates and reboots. “I want to stress that the Windows Update client does not change AU settings without user’s consent,” he wrote.

However, he continued, AU settings can be set or changed in the following scenarios:

– During the installation of Windows Vista, the user chooses one of the first two recommended options in the “Out of Box Experience” and elects to get updates automatically from Windows.

– The user goes to the Windows Update Control Panel and changes the AU setting manually.

– The user goes to Security Center in Windows Vista and changes the AU setting.

– The user chooses to opt in to Microsoft Update from the Microsoft Update Web site.

– The user chooses to opt in to Microsoft Update during the installation or the first run experience of another Microsoft application such as Office 2007.

Dunn did his own research and reported the following:

“My finding is that Windows Live OneCare silently changes the AU settings,” he wrote. “This explains at least some of the complaints that have been reported so far. Users could have installed OneCare — even a free-trial version — at any time in the recent past and been unaware of any changes until Automatic Updates forced a reboot in the wee hours.”

In repeated tests on Windows XP and Vista, Dunn said, he installed Windows Live OneCare and found that in every case, OneCare changed a machine’s Automatic Updates settings to fully automatic.

“It did so even when Automatic Updates had been completely disabled,” he wrote. “In Windows XP, this state is known as ‘Turn off Automatic Updates.’ In Vista, it’s called ‘Never check for updates.’ In no case did the OneCare installer give any indication that a machine’s Automatic Updates settings would be changed. Worse, OneCare silently enables Windows services that had been carefully disabled using Microsoft’s own configuration utilities.”

Clinton’s assertion that the troubles are user-initiated doesn’t sit well with some bloggers, including a writer at The GTA Patriot blog.

“Microsoft says users just don’t realize that their machines are set to update,” the blogger wrote. “They think users are to blame! Is Microsoft completely incompetent or are they lying?”

For admins looking for a way out of the current problem, Dunn offers some guidance:

“If you wish to use OneCare but you want updates to be installed only when you’re first notified, the only workaround is to install the program and then change Automatic Updates back to your preferred settings,” he says. “If you install OneCare when Windows is not likely to phone home, you should be able to change AU before any updates are automatically installed. (Installing OneCare at any time other than 3 a.m. should do the trick.)”

After OneCare is installed, Dunn says it doesn’t change the user’s Automatic Updates settings again, but it does peg the disabled Automatic Updates as an “urgent” matter in need of addressing. “In this situation,” Dunn says, “the OneCare icon in the taskbar tray turns a bright shade of red, which you may find annoying.”

He said an alternative workaround is to buy and use security software other than Microsoft’s.

While XP is affected by the trouble, this is also another complication for those trying to get their arms around Windows Vista. In my ongoing series on Vista deployment pain points, a recurring theme has been the compatibility issues suffered by those trying to deploy the OS en masse. But most of the trouble has involved Vista clashing with third-party products, including some security tools.

It’s ironic that in this case, the solution is to ditch Microsoft’s own security program in favor of third-party products.

Dunn does offer some helpful examples of security software admins can turn to.

He says he installed Symantec’s Norton 360 and Norton Internet Security, McAfee Internet Security Suite and the ZoneAlarm Internet Security Suite.

“The McAfee product and both of the two Norton products flagged Automatic Updates as a security problem if it was disabled, and provided ways to turn it back on, but none of them changed the setting,” he says. “The ZoneAlarm suite did not note a disabled copy of AU as a problem, nor did it change the setting. For now, it appears OneCare is the only security package changing users’ preferences without warning.”

Until Microsoft comes up with a better arrangement, avoiding OneCare appears to be the best bet.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at

October 24, 2007  3:18 PM

Spammers exploiting SoCal fires

Marcia Savage

It’s inevitable: Whenever there’s a disaster, online scammers try to exploit the situation. Randy Abrams, director of technical education at security software vendor Eset, said he received an email Wednesday that purported to offer news about the devastating wildfires in Southern California but turned out to be spam advertising Viagra.

Abrams fully expects there to be a deluge of email scams exploiting the fires. These emails will either have links or attachments that download malware onto a user’s machine or will pretend to be charitable organizations raising money for fire victims, he said in an interview.

“The Storm worm creators are good at manipulating current news,” he said. “Even though the Storm worm seems to be declining, it’s still affecting a significant number of PCs and this is the kind of headline that will get exploited.”

In a blog posting on Eset’s Web site Wednesday, Abrams warned users not to respond to emails soliciting donations, including those from legitimate charities such as the American Red Cross. Those wanting to donate should look up the phone number or Web site of the Red Cross rather than using any information in the email, he wrote.

Eset, which has its U.S. headquarters in San Diego, is assisting employees affected by the fires. Some employees have had to evacuate their homes, said Abrams, who works remotely in Seattle.

October 24, 2007  3:13 PM

Reported Vonage flaw a reminder of VoIP dangers

Eric Parizo

We’ve written quite a bit in the past about how many enterprises are ignoring the dangers of voice over IP (VoIP). We doubt many enterprises are in the practice of using Vonage, but as yet another example of how easy VoIP and its protocols are to attack, it’s worth noting a Reuters report today that hackers have figured out how to intercept calls made on the Vonage VoIP service, according to Sipera Systems.

Here are the highlights in a press release from Sipera: “Sipera VIPER Lab determined the Vonage VoIP Motorola Phone Adapter (VT 2142-VD) and Vonage service implementations leave users vulnerable to a form of VoIP identity theft, allowing hackers to take over a user’s phone service with a ‘registration replay attack,’ then make and receive calls while impersonating the victim. Incomplete security practices, such as not encrypting traffic, open Vonage users to eavesdropping on private voice and video communications. Hackers can also send multiple SIP INVITE messages to a user, an Internet version of ‘ringing the phone off the hook’ which creates a DoS attack. Leveraging these vulnerabilities, remote attackers can also send malicious messages directly to Vonage users, subjecting them to spam, social engineering and VoIP scams.” Sipera also noted a similar vulnerability with European provider Globe7’s online account access system.
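Both of the abuses Sipera describes leave a signature in SIP signalling that a proxy or IDS in front of the adapters can watch for: a replayed REGISTER reuses a digest nonce that should have been single-use, and an INVITE flood is a burst of INVITEs to one account from one source. The monitor below is an added example, not Sipera’s or Vonage’s code; it runs over constructed log records, and the 32-second retransmission grace period is an assumption based on how long a SIP client keeps retransmitting an unanswered request over UDP.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class SipEvent:
    ts: float            # seconds since the start of the capture
    src_ip: str          # where the request came from
    method: str          # "REGISTER" or "INVITE"
    user: str            # account being registered or called
    nonce: str = ""      # digest nonce echoed in Authorization (REGISTER only)


class SipMonitor:
    """Stateful detector for replayed REGISTERs and INVITE floods."""

    def __init__(self, invite_limit=5, window=10.0, retransmit_grace=32.0):
        self.invite_limit = invite_limit          # INVITEs allowed per (source, callee) per window
        self.window = window
        self.retransmit_grace = retransmit_grace  # assumed: how long a UDP retransmit is still benign
        self._invites = defaultdict(deque)        # (src_ip, user) -> recent INVITE timestamps
        self._nonce_use = {}                      # (user, nonce) -> (src_ip, ts) of first use

    def observe(self, ev):
        """Return the alerts raised by one event; an empty list means benign."""
        alerts = []
        if ev.method == "REGISTER" and ev.nonce:
            key = (ev.user, ev.nonce)
            first = self._nonce_use.get(key)
            if first is None:
                self._nonce_use[key] = (ev.src_ip, ev.ts)
            elif ev.src_ip != first[0] or ev.ts - first[1] > self.retransmit_grace:
                # A digest nonce is meant to be used once. The same client may
                # retransmit an unanswered REGISTER for a short while, but a repeat
                # from another address or long afterwards is a captured request
                # being replayed to take over the registration.
                alerts.append(f"replayed REGISTER for {ev.user} from {ev.src_ip} "
                              f"(nonce first used by {first[0]} at t={first[1]:.0f}s)")
        elif ev.method == "INVITE":
            recent = self._invites[(ev.src_ip, ev.user)]
            recent.append(ev.ts)
            while recent and ev.ts - recent[0] > self.window:
                recent.popleft()
            if len(recent) == self.invite_limit + 1:  # alert once as the burst crosses the limit
                alerts.append(f"INVITE flood to {ev.user} from {ev.src_ip}: "
                              f"{len(recent)} INVITEs within {self.window:.0f}s")
        return alerts


def run(events):
    """Feed events through one monitor in order and collect every alert."""
    mon = SipMonitor()
    alerts = []
    for ev in events:
        alerts.extend(mon.observe(ev))
    return alerts


# Constructed sample capture: a normal registration with one UDP retransmit, the
# same authenticated REGISTER replayed from another host two minutes later, a
# burst of INVITEs from a single source, and one ordinary call.
SAMPLE_EVENTS = (
    [SipEvent(0.0, "192.0.2.10", "REGISTER", "1001", nonce="a3f9c1"),
     SipEvent(0.5, "192.0.2.10", "REGISTER", "1001", nonce="a3f9c1"),
     SipEvent(120.0, "198.51.100.7", "REGISTER", "1001", nonce="a3f9c1")]
    + [SipEvent(200.0 + i, "203.0.113.5", "INVITE", "1001") for i in range(8)]
    + [SipEvent(300.0, "192.0.2.20", "INVITE", "1001")]
)

if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

Detection is the fallback; the fix Sipera’s release points at is the provider enforcing single-use nonces server-side and encrypting signalling and media (TLS and SRTP) so the REGISTER cannot be captured in the first place.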

Let it serve as a reminder that, as our threats expert Ed Skoudis wrote recently, enterprises should proceed with caution on any and all VoIP implementations because of the many exploits in the wild. Since VoIP security still isn’t getting the attention it demands, it wouldn’t be surprising if enterprise VoIP attacks soon become more popular; Infonetics Research says half of small and two-thirds of large organizations in North America will be using VoIP products and services by 2010. Of course VoIP security is an area we’ll continue to watch closely.

October 24, 2007  11:16 AM

Why data thieves love academia

Leigha Cardwell

Check out the excellent chronology of data breaches kept by the Privacy Rights Clearinghouse and you’ll notice that a massive chunk of those affected reside in academia. At a gathering of IT security and privacy professionals at the Harvard Club in Boston put on by Text 100 this morning, I heard some interesting examples of why the bad guys love the colleges and universities so much.

Catherine Allen, chairman and CEO of The Santa Fe Group, mentioned that the person responsible for a breach at the University of Missouri earlier this year had been caught, and that authorities learned the culprit had some long-term plans for the 22,396 records compromised.

Allen explained that the thief was apparently planning to hang on to the data and wait for about a decade before using the stolen identities — when today’s students are more likely to be duly employed and earning steady income.

The lesson — Don’t be lulled into a false sense of security if your information was compromised a year ago and you haven’t become a victim of identity theft yet. Chances are the bad guys are just waiting a few years for you to start making some real money worth stealing.
