Security Bytes


Oct 5 2011   6:40PM GMT

Security innovation must hurdle academic, regulatory roadblocks



Posted by: Michael S. Mimoso
SINET, security innovation, security startups

CAMBRIDGE, MA. — On the same day consolidation hit the security information and event management market hard, a group of influential industry leaders was busy talking innovation and telling the entrepreneurs in the room to pick up the pace and bring new products to market that address current threats and adversaries.

Too many great ideas, several speakers said at the SINET Innovation Summit held Tuesday at MIT, smash headfirst into significant roadblocks. Regulators, lawmakers and academia share equal blame for putting the brakes on innovation in security, they said. In the meantime, attackers continue to win the cat-and-mouse game against defense contractors, government agencies and large enterprises, innovating far faster than those tasked with defending corporate data, trade secrets and national security.

“[The industry] needs guidance to move ideas to a point where they can be seriously considered in terms of commercialization,” said Paul Barford, chief scientist at Qualys, Inc., and computer science professor at the University of Wisconsin. “For startups, there is a huge gap between developing a security idea and actually moving it into practice.”

Barford pointed a harsh finger at academia.

“Processes in academia stifle innovation,” he said. “Tenure stifles innovation! With tenure, you have to publish and getting published is accomplished by adding another brick to the foundation of your particular domain. All of these little bricks end up being narrow ideas, and not the big jump in innovations we need to solve today’s security problems.”

Even as big technology companies such as IBM, and large security firms such as McAfee, continue to consolidate the security industry, as they did on Tuesday by scooping up Q1 Labs and NitroSecurity, respectively, smaller companies remain capable of innovating. Heartland Payment Systems CTO Kris Herrin explained how his company reached out to Voltage Security and partnered on an encryption solution following the 2008 breach at the payment processor. Heartland purposely went with a smaller partner and fostered a relationship that required a lot of handshakes and mutual understanding to get past some ambiguities and solve the problem.

“After the breach, we had to reach out to other innovators,” Herrin said. “The risk element involved is about both parties understanding there will be ambiguity and the lawyers can’t shore it up. Where you run into problems is when a partner shores everything up tight and isn’t comfortable with the same level of risk.”

Larger IT organizations, such as Lockheed Martin, have formalized their efforts to seek out innovative security technologies to partner with and invest in. Lockheed VP and CTO Haden Land explained how the defense contractor has built cybersecurity labs in the U.S., U.K. and Australia to foster the development of security tools. It has also established an in-house emerging technology fund used for minority investments in startups with unique capabilities, Land said. Lockheed also collaborates with large enterprises in other industries to meet annually with venture capital firms and look at a handful of companies seeking funding.

“These are good venues to connect and provide guidance,” Land said.

Sep 20 2011   6:45PM GMT

Post-data breach security SaaS handles incident response



Posted by: Michael S. Mimoso
Co3 Systems, incident response, security software as a service, SaaS

Startup Co3 Systems leapt out of stealth mode last week with a software-as-a-service offering that helps organizations automate their response after a data breach. The company, launched by security veterans John Bruce (Symantec, Counterpane, Authentica) and Ted Julian (Arbor Networks, @stake), says its SaaS offering eliminates manual processes and significantly reduces incident response time post-data breach.

“No one is focused on post-incident scenarios,” chief marketing officer Julian said in explaining the company’s positioning.

The tool helps organizations map incident response internally and simplifies communication with the media, customers, regulators and others required by law to be notified in the event of a breach. It can also run through possible attack scenarios and simulations and estimate losses and notification costs based on pre-loaded templates of different regulatory mandates.

Julian said the service can provide an organization with a response plan in fewer than 20 minutes. In addition to helping organizations conduct dry runs of an incident response plan, the tool helps define the scope of a breach and identify data that could be affected. Security and incident response teams can also get an at-a-glance, up-to-date look at regulatory requirements, deadlines and penalties in the event of a breach, as well as a visual workflow of incident response tasks and the ability to track responsibilities for different members of an IR team.

Co3 is offering a three-month trial of its service, priced at $450 a month. Customers then have different price levels based on the number of annual incidents expected.


Sep 14 2011   2:57PM GMT

BitTorrent announces breach of its uTorrent systems



Posted by: Robert Westervelt
BitTorrent, P2P, Rogue Antivirus

The popular P2P file sharing company said its systems were breached Tuesday, enabling an attacker to replace its uTorrent client download with scareware.

BitTorrent Inc., which makes the popular P2P file sharing software, said it discovered a breach of its systems Tuesday that enabled an attacker to replace the download of its uTorrent client with a scareware program.

The San Francisco-based company said the breach took place at 7:20 a.m. ET and lasted nearly two hours. Anyone attempting to download the standard Windows version of uTorrent would have instead downloaded a fake antivirus program.

BitTorrent said in its blog that the rogue program is called “Security Shield,” and performs like other rogue antivirus programs, popping up phony virus detection warnings and prompting users for payment to remove the bogus discoveries. The company said it made the discovery and immediately took the affected servers offline. It urged users who may have downloaded software between 7:20 a.m. and 9:10 a.m. ET to scan their machines for malware.

“We take the security of our systems and the safety of our users very seriously,” the company said. “We sincerely apologize to any users who were affected.”

After a security analysis, the company determined that neither BitTorrent.com nor the BitTorrent Mainline/Chrysalis clients were compromised in the attack.
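The check this incident calls for, added here as an illustration rather than anything BitTorrent Inc. described: a hash baseline over the files a download server actually serves, re-verified on a schedule, so that a swapped installer is flagged within minutes instead of after nearly two hours. File names, contents and the directory layout are constructed for the demo; the only thing taken from the post is that the Windows uTorrent installer was the file replaced.

```python
"""Integrity baseline for a download directory (added example, not BitTorrent's code).

Build a manifest of SHA-256 digests from a known-good state of the directory a
web server serves, then re-check it on a schedule and report anything added,
removed or changed. The tree and file contents in demo() are constructed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between the trusted baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in baseline.keys() & current.keys()
            if baseline[name] != current[name]
        ),
    }


def verify(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-scan root and compare it against the stored baseline."""
    return diff_manifests(baseline, build_manifest(root))


def demo() -> Dict[str, List[str]]:
    """Stage a download tree, baseline it, then tamper the way the attacker did."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        downloads = root / "downloads"
        downloads.mkdir()
        installer = downloads / "utorrent-setup.exe"           # constructed file name
        installer.write_bytes(b"MZ genuine installer bytes")    # constructed content
        (downloads / "release-notes.txt").write_bytes(b"uTorrent 3.0\n")
        baseline = build_manifest(root)                         # taken while trusted

        # Someone with write access swaps the installer for a rogue AV and drops
        # an extra binary; the next scheduled verify() reports both.
        installer.write_bytes(b"MZ Security Shield scareware")
        (downloads / "update.exe").write_bytes(b"MZ dropper")
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:9s} {names}")
```

Keep the baseline off the web server (or sign it) and run verify() from a separate host; a baseline the attacker can rewrite alongside the installer proves nothing.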


Sep 13 2011   3:41PM GMT

SpyEye attackers turn to Android phones to steal SMS messages



Posted by: Robert Westervelt
MITMO, man in the mobile, SpyEye

SMS-stealing Trojan poses as banking protection but once installed it can intercept text messages, sending them to the attacker’s command and control server.

A new banking Trojan from cybercriminals brandishing the SpyEye toolkit targets users of Android smartphones, tricking victims into installing a malicious application that steals text messages.

Called SPITMO, the Trojan was first discovered targeting Android phones in July by security researchers at Boston-based Trusteer Inc. It begins as a man-in-the-middle attack on a PC already infected with SpyEye: when the user browses to the targeted bank, the malware presents a phony message urging them to install a new application on their mobile phone to protect against SMS-stealing malware. Once the app is installed, the victim sees no sign of it running on the device.

“After the compromised user installs the Android application on his/her device, the application named ‘System’ is not visible on the device dashboard,” wrote Ayelet Heyman, a senior malware researcher at Trusteer in the company’s research blog. “It’s not a service, and it’s not listed in any current running applications. In order for a user to determine the existence of this app a bit of searching is required.”

Until now, similar attacks have targeted BlackBerry and Symbian smartphones, Trusteer said. Security researchers call this technique of sniffing SMS messages a man-in-the-mobile (Mitmo) attack. Often, the attacker requests the victim’s cell phone number and the device’s international mobile equipment identity (IMEI) number when the malicious application is installed. Similar attacks were documented in 2010 against non-U.S. banks that deliver two-factor authentication codes over SMS.

Once the Trojan is installed successfully on the victim’s device, all incoming SMS messages are intercepted and sent to the attacker’s command and control server, Trusteer said.

The good news, according to Trusteer, is that the attack has yet to gain momentum. Security software that protects against man-in-the-middle attacks will help guard against it.
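A triage step that follows from Heyman’s description, added here as an illustration and not Trusteer’s tooling: an app holding SMS and network permissions with no launcher icon is exactly what hides from the device dashboard. The script parses the text of `adb shell dumpsys package` for each package’s name, SYSTEM flag and requested permissions, takes as a second input the set of packages that expose a MAIN/LAUNCHER activity (the same dump’s activity resolver table lists those; it is supplied as a constant here), and flags third-party packages that fit the profile. The dump is constructed to resemble real output and every package name in it is invented.

```python
"""Triage for hidden SMS-intercepting Android apps (added example, not Trusteer's code).

Profile from the post: a third-party app that requests SMS and network
permissions and has no launcher icon, so it never shows on the dashboard.
SAMPLE_DUMP is constructed to resemble `dumpsys package` output; package
names are invented. SAMPLE_LAUNCHERS stands in for the launcher-activity
list you would take from the dump's activity resolver table.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NET_PERM = "android.permission.INTERNET"
PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^[\w.]+$")   # a bare permission name, nothing else on the line

SAMPLE_DUMP = """\
Packages:
  Package [com.android.phone] (4a1f2e):
    userId=1001
    flags=[ SYSTEM HAS_CODE PERSISTENT ]
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.INTERNET
  Package [com.example.messenger] (7bc901):
    userId=10045
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.system.update] (e3d0aa):
    userId=10071
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.INTERNET
      android.permission.READ_PHONE_STATE
"""
# Packages with a MAIN/LAUNCHER activity, i.e. the ones that get a home-screen icon.
SAMPLE_LAUNCHERS = {"com.example.messenger"}


@dataclass
class PackageInfo:
    name: str
    system: bool = False
    permissions: Set[str] = field(default_factory=set)


def parse_dumpsys(text: str) -> Dict[str, PackageInfo]:
    """Pull package name, SYSTEM flag and requested permissions out of the dump."""
    packages: Dict[str, PackageInfo] = {}
    current = None
    in_perms = False
    for line in text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = PackageInfo(m.group(1))
            packages[current.name] = current
            in_perms = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("flags=["):
            current.system = " SYSTEM " in stripped
            in_perms = False
        elif stripped == "requested permissions:":
            in_perms = True
        elif in_perms and PERM_RE.match(stripped):
            current.permissions.add(stripped)
        else:
            in_perms = False          # any other section header ends the list
    return packages


def suspicious_sms_apps(packages: Dict[str, PackageInfo], launchers: Set[str]) -> List[str]:
    """Third-party packages that can read SMS and reach the network but have no icon."""
    hits = []
    for pkg in packages.values():
        if pkg.system or pkg.name in launchers:
            continue
        if pkg.permissions & SMS_PERMS and NET_PERM in pkg.permissions:
            hits.append(pkg.name)
    return sorted(hits)


if __name__ == "__main__":
    for name in suspicious_sms_apps(parse_dumpsys(SAMPLE_DUMP), SAMPLE_LAUNCHERS):
        print("review:", name)
```

A hit is a lead, not a verdict: legitimate messaging apps request the same permissions, which is why the launcher check and the SYSTEM flag do the filtering. READ_PHONE_STATE on the flagged package is the permission an app needs to read the IMEI the post says these Trojans collect.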


Sep 12 2011   9:29PM GMT

Sourcefire pushes new ‘Agile’ message to market



Posted by: Michael S. Mimoso
Sourcefire, Snort, Agile Security

Since going public in 2007, network security company Sourcefire Inc., the home of the open source Snort intrusion detection and prevention system, has been busy expanding the breadth of its offerings – and has done so primarily via acquisition. Strategically, it’s a smart move to branch out beyond IDS and into endpoint (ClamAV) and cloud-based protection (Immunet), but the company has admittedly struggled with its identity because of Snort’s tremendous brand.

Today, the company launched a new campaign promoting what it’s calling Agile Security designed to put the message front and center to the market and customers that Sourcefire is deeper than just Snort. The company, founded by Marty Roesch, wants to position its products as a counter to today’s dynamic attacks.

“Traditional security is static; set-it-and-forget-it security doesn’t help,” said Sourcefire senior VP of marketing Marc Solomon. “Our research shows that 75% of the malware we see on customer environments is seen once. These are polymorphic viruses taking on an average lifespan of less than a day. You can’t throw bodies at it, because you can’t keep up. Attackers are winning.”

Sourcefire says the solution is a mix of automation and threat intelligence applied to enterprise networks to set and enforce policies, and ultimately to block attacks rather than merely alert on them, if the customer so chooses.

“Sourcefire has had trouble articulating its vision; ‘We’re the inventor of Snort.’ That was their tagline. That’s no way to build an enterprise security company,” said Richard Stiennon, founder of IT-Harvest, an analyst firm. Stiennon said Sourcefire’s edge is its context-aware offerings via its RNA product and the attack intelligence gained from Collective Immunity, the cloud-based initiative of its Immunet acquisition, and from the Sourcefire Vulnerability Research Team.

Solomon diagrammed the Agile Security vision in four steps: See, Learn, Adapt and Act. Via RNA, which is being rebranded FireSIGHT, customers can watch for anomalies in traffic as it moves across endpoints, operating systems and the network. Networks may then adapt to threats and create rules to either alert on or block attacks; an upcoming next-generation firewall is at the heart of this phase of the vision, Solomon said. This automation will enable enterprises to act on intelligence in real time, he said.


Aug 25 2011   6:53PM GMT

Critically-rated Microsoft patch can be reverse-engineered to create DoS attack



Posted by: admin
Microsoft Security, reverse engineering

By Hillary O’Rourke, Contributor

Researchers at vulnerability management vendor Qualys Inc. showed this week how reverse engineering a Microsoft patch leads to a working denial-of-service attack against Windows DNS Server.

The researchers reverse engineered one of the two critical patches released by Microsoft in its August Patch Tuesday round of security updates. The MS11-058 update resolves two vulnerabilities in Windows DNS Server.

The finding runs counter to Microsoft’s Exploitability Index, which gave the update a rating of 3, meaning functioning exploit code was considered unlikely. Patch management specialists use the index to weigh the priority of specific patch deployments. Qualys said the attack can be carried out in a few simple steps.

“We reverse engineered the patch to get a better understanding of the mechanism of the vulnerability and found this vulnerability can be triggered with a few easy steps,” explained Bharat Jogi, a vulnerability security engineer at Qualys, in a blog post.

Although this proof of concept demonstrates a denial of service, Jogi explains that “an attacker who successfully exploited this vulnerability could run arbitrary code in the context of the system” and those “with malicious intent may be able to get reliable code execution.”

Qualys examined one of the two updates rated critical in the August release: the Windows DNS Server update fixed two flaws, while the other critical update fixed seven flaws in Internet Explorer.

Qualys researchers used binary diffing of the unpatched and patched versions of the files to understand the changes made to fix the vulnerabilities. The diffing tool, TurboDiff, shows them “a list of all the functions that are identical, changed, unmatched, and those that look suspicious,” said Jogi.

Two DNS servers were needed for the proof of concept, so that the researchers could crash one and use the other as a comparison. They found the vulnerability could be triggered with a few easy steps and therefore recommend that administrators “apply this security update as soon as possible.”


Aug 17 2011   2:49PM GMT

RSA adds malware domain feeds to CyberCrime Intelligence Service



Posted by: Robert Westervelt
Security Vendor News, malicious URLs

List of malware domains can be fed into IPS and IDS appliances to disrupt communication between malware and an attacker’s command and control server.

RSA is bolstering its CyberCrime Intelligence Service, adding malicious domain blacklists as a new feature for organizations that use the service.

Malicious domain blacklists, available from a variety of sources, are pieced together by the security research community to cut malware off from its command and control servers. The blacklisted hosts and IP addresses are ones cybercriminals use to launch attacks or store stolen information. Many of the blacklist feeds are freely available, but RSA’s service will bring the information it has collected from its partners together in one location.

The RSA CyberCrime Intelligence Service is a managed security service, which provides companies with data about infected machines and systems present on their network. It focuses mainly on endpoint devices and provides raw data on malware detection and what business data or email correspondence may have been compromised. RSA said the data helps organizations identify gaps in existing security policies, remediate incidents of identity theft and infected corporate machines and educate employees about the impact of malware infections.

RSA is likely wrapping in data from its NetWitness acquisition. NetWitness Spectrum provides users with feeds from the Malware Domain List, ZeuS Tracker and Shadowserver, as well as its own live threat intelligence service. RSA also licenses feeds from partners that collect malicious IP and domain data from their customer bases.
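What feeding such a list into an IDS looks like in practice, as an added example that is not RSA’s service or code: the sources named above publish in different shapes, so the script normalizes a URL-column CSV, a domain-per-line list and a hosts-file list into one deduplicated set, folds hosts into any listed parent domain, and emits one Snort rule per domain that fires on a DNS query for it. The three feed snippets are constructed in the style of those sources and every domain in them is invented; the rules use standard Snort content-match syntax, with the SID range and classtype chosen here.

```python
"""Merge malicious-domain feeds into Snort rules (added example, not RSA's service).

Feed snippets are constructed in the style of a URL-column CSV, a domain-per-line
list with comments and a hosts-file block list; every domain is invented.
"""
import csv
import io
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

FEED_MDL_CSV = """\
"2011/08/15_10:12","evil-update.example/dl/bot.exe","203.0.113.9","AS64496","Trojan downloader","-"
"2011/08/16_02:40","http://Panel.c2-host.example:8080/gate.php","198.51.100.7","AS64497","ZeuS config","-"
"""
FEED_ZEUS_TXT = """\
# domain blocklist, one per line (constructed)
c2-host.example
static.cdn-fake.example
"""
FEED_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 evil-update.example
127.0.0.1 spy-eye-drop.example  # constructed entry
"""
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def normalize(raw: str) -> Optional[str]:
    """Lower-case, strip scheme/port/path and validate; None if not a usable FQDN."""
    raw = raw.strip().lower()
    if "://" not in raw:
        raw = "//" + raw                      # make urlsplit treat it as a netloc
    try:
        host = (urlsplit(raw).hostname or "").rstrip(".")
    except ValueError:                        # malformed IPv6 literal and the like
        return None
    if host in LOCAL_NAMES or not DOMAIN_RE.match(host):
        return None                           # drops IPs, junk and hosts-file noise
    return host


def parse_mdl_csv(text: str) -> Iterable[str]:
    return (row[1] for row in csv.reader(io.StringIO(text)) if len(row) > 1)


def parse_domain_list(text: str) -> Iterable[str]:
    return (e for e in (ln.split("#", 1)[0].strip() for ln in text.splitlines()) if e)


def parse_hosts(text: str) -> Iterable[str]:
    # everything after the address column, comments stripped
    return (h for ln in text.splitlines() for h in ln.split("#", 1)[0].split()[1:])


def merge_feeds(sources: Iterable[Tuple[str, Iterable[str]]]) -> Dict[str, Set[str]]:
    """Union the feeds, remembering which sources listed each domain."""
    merged: Dict[str, Set[str]] = {}
    for feed, candidates in sources:
        for raw in candidates:
            host = normalize(raw)
            if host:
                merged.setdefault(host, set()).add(feed)
    return merged


def collapse_subdomains(merged: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Fold a host into a listed parent: the parent's label-encoded content already
    matches inside a query for the child, so a separate rule would be redundant."""
    kept = {host: set(feeds) for host, feeds in merged.items()}
    for host in list(kept):
        labels = host.split(".")
        for i in range(1, len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in kept:
                kept[parent] |= kept.pop(host)
                break
    return kept


def dns_label_content(domain: str) -> str:
    """Wire-format QNAME as a Snort content string: |len|label ... |00|."""
    return "".join(f"|{len(label):02X}|{label}" for label in domain.split(".")) + "|00|"


def snort_rules(blocklist: Dict[str, Set[str]], base_sid: int = 1000000) -> List[str]:
    rules = []
    for i, host in enumerate(sorted(blocklist)):
        feeds = ",".join(sorted(blocklist[host]))
        rules.append(
            "alert udp $HOME_NET any -> any 53 "
            f'(msg:"BLOCKLIST DNS query for {host} (feeds: {feeds})"; '
            'content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; '  # standard query, 1 question
            f'content:"{dns_label_content(host)}"; nocase; '
            f"classtype:trojan-activity; sid:{base_sid + i}; rev:1;)"
        )
    return rules


def build_blocklist() -> Dict[str, Set[str]]:
    return collapse_subdomains(merge_feeds([
        ("mdl", parse_mdl_csv(FEED_MDL_CSV)),
        ("zeustracker", parse_domain_list(FEED_ZEUS_TXT)),
        ("hosts", parse_hosts(FEED_HOSTS)),
    ]))


if __name__ == "__main__":
    print("\n".join(snort_rules(build_blocklist())))
```

The first content match pins the DNS header to a standard query with one question so the label match is not tried against every UDP/53 packet; because the QNAME is length-prefixed labels, the rule for a parent domain also matches queries for its subdomains, which is why the merge collapses them. Swap `alert` for `drop` on an inline sensor to get the disruption the post describes.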

McAfee, Symantec, VeriSign and other security vendors offer similar managed security intelligence services. IBM, Hewlett-Packard and CA also offer security services that include threat assessments and other offerings designed to help organizations assess their individual risk profile. Some, such as VeriSign’s iDefense Security Intelligence Services, provide more detailed information, including vulnerability data and malicious code analysis, to help incident response teams.

Telecommunications providers AT&T and Verizon also sell subscription-based services providing near-real-time threat landscape data and information specific to an organization. In June, Verizon announced a new Incident Analytics Service, which brings together the firm’s popular Data Breach Investigations Report with data from its incident classification and reporting repository. The goal of that service is to help organizations score themselves relative to other firms in their peer group.


Aug 12 2011   2:48AM GMT

China cyberwar topic raised in Republican presidential debate



Posted by: Eric Parizo
cyberwarfare, china, Republican presidential debate, Jon Huntsman, Operation Shady RAT, cyberattacks

At last week’s Black Hat 2011 conference, the Central Intelligence Agency’s former director of operations, Cofer Black, made the claim that the security community has a unique opportunity to influence and educate government decision makers about cybersecurity because awareness of the issue among power players in Washington has never been higher.

Proof of Black’s point has perhaps never been more evident than it was Thursday night during the Republican presidential debate. During the lively two-hour debate, which aired on Fox News Channel, moderator Bret Baier of FNC asked presidential candidate Jon Huntsman, former Utah governor and former ambassador to China under President Barack Obama, whether he would consider cyberattacks acts of war.

In his question, Baier seemed to reference Operation Shady RAT, the McAfee Inc. research effort revealed last week that identified 72 compromised organizations, all relevant to the national security posture of the U.S. or other nations, spanning 32 organization categories in 14 countries over a five-year period. While McAfee’s report stops short of naming China as the perpetrator or addressing the China cyberwar issue specifically, experts believe China to be behind the attacks, which involved the theft of closely guarded and classified national secrets, negotiation plans, exploration details for new oil and gas field auctions, SCADA configurations, design schematics and numerous other pieces of sensitive information. Speculation in the industry has been rampant for years that China has been behind numerous other cyberattacks as well.

“Absolutely,” Huntsman said in response to whether a cyberattack should be considered an act of war. “This is the new warfield.” He added that the U.S. should use the cyberespionage issue as not only an economic development tool, but also a national security tool to improve early warning capabilities, safeguards and countermeasures.

“We need a strategic dialogue at the highest levels between the United States and China. That is not happening,” Huntsman said. “This is a relationship – the United States and China – we are both on the world stage. As far as you can see into the 21st century, we are going to have to deal with the Chinese. We better get it right.”


Aug 10 2011   2:25PM GMT

Patch Tuesday update blocks dangerous Trojan



Posted by: Robert Westervelt
scareware, Rogue Antivirus, SEO attacks

The update to the Microsoft Malicious Software Removal Tool (MSRT) includes the removal of FakeSysdef, a pesky Trojan that poses as a system performance tool.

Microsoft has bolstered its Malicious Software Removal Tool this month to include a signature that detects and removes FakeSysdef, a Trojan that has been successfully tricking people by posing as a system performance tool. According to engineers at Microsoft’s Malware Protection Center blog, the Trojan masqueraded as a program called System Defragmenter last December. It’s also surfaced under different names including Scan Disk and Check Disk.

Victims run across the program in poisoned search engine results. As Microsoft explains, the malware has spread fairly easily thanks to the multitude of exploit toolkits that have search engine poisoning built in as a feature.

Creators of the Trojan and rogue security software are notorious for using exploit kits and “search result poisoning”, or Black SEO, to launch installers of their malware. For example, malware creators could use an image search poisoning scheme to deliver poisoned search results to users that search for a photo of a popular or public person. When opening a (malicious) returned search results page, the user could become infected by way of a drive-by download that executes

The bad news for victims is that the Trojan can be really pesky. If the message to purchase performance improvements is ignored, the malware “reboots the machine repeatedly until they activate the fake fix.”

FakeSysdef is very much like rogue antivirus programs, which latch onto potential victims by poisoning search engine results. We’ve been keeping track of the highs and lows of rogue antivirus. Brian Krebs of KrebsonSecurity reported last month that international law enforcement was making some headway against Russian cybercriminal gangs peddling rogue antivirus.

There’s no doubt that the game of whack-a-mole will continue in this area.


Jul 29 2011   5:00PM GMT

Gartner on mobile device management



Posted by: Marcia Savage

The mobility and wireless tracks were packed at the Gartner Catalyst Conference 2011 this week in San Diego, underscoring the pressure enterprises are under to accommodate mobility demands. In fact, the standing-room-only sessions on Wednesday drew grumbles from some attendees who wondered why Gartner didn’t figure that the hot topic would draw crowds; other sessions in much bigger rooms drew far fewer attendees.

One of the sessions I managed to get a seat in provided an overview of mobile device management technology. With more new smartphones and tablets coming out all the time, the age of the single mobile OS — BlackBerry — is over, said Michael Disabato, a Gartner research vice president. These devices, which employees are bringing into the enterprise, lack management capabilities; mobile device management technology provides a way to control and secure diverse devices, he said.

MDM products can do over-the-air provisioning and provide “virtual containers” to separate personal and professional data, he said. If the device is compromised or lost, a company has the ability to delete the corporate data from it.

Disabato said MDM products are available in client-less and client-based implementations, with the latter providing the most flexibility and more granular management capabilities. He also noted that MDM vendors have created enterprise application stores that bypass the iTunes Store and Android Market for application distribution.

He recommended that companies determine which MDM features they really need by conducting a detailed risk analysis. “There are a lot more on these things [MDM products] than you really need,” he said. IT pros also should understand how the MDM agent will impact the end user, he added.