Security Bytes

March 8, 2012  3:56 PM

Changes to European privacy laws foreshadow serious business impact

Jane Wright

Changes to the data protection regulations are on the way for the 27 countries of the European Union, and the fallout in Europe serves as a good case study for U.S. governing bodies and businesses who are also playing tug-of-war over compliance regulations.

Businesses in the U.K. are steaming over the DPA proposals. In fact, our U.K. bureau chief, Ron Condon, described the reaction of the Confederation of British Industry (CBI), a lobbying organization representing more than a quarter-million companies, as “hostile.”  Why such a severe reaction to proposed European privacy laws that, according to the European Commission, will save businesses £2.3 billion (about $3.6 billion) per year? 

As part of the new data protection regime, businesses operating in the EU will need to ask consumers for explicit permission to capture the consumer’s data. Businesses fear just asking for permission will make consumers nervous, and nervous consumers can be miserly consumers.

It appears businesses may be right to worry. Consider what happened to the Information Commissioner’s Office in the U.K. when it implemented its own PECR regulation, specifically asking all site visitors for permission to place a cookie on their computer.  According to the BBC, the ICO website normally received 12,000 site visitors per day, but after debuting the cookie request notice, the number of visitors dropped to about 1,400 per day. 

Actually, the number of visitors willing to be tracked dropped. The ICO said only about 10% of its visitors accepted the cookie. The other 90% were probably still there; they may have simply declined to be tracked.

This could have serious repercussions to the way many businesses operate today. Without knowing which pages visitors look at, how long they study a product page, or the order they place products in the online shopping cart, businesses will lose crucial information they need to direct their strategies. Some businesses, I wager, may even go out of business once deprived of customer information.

Where should the line be drawn between visitors who want to be anonymous, and businesses who can’t serve their customers’ needs without fundamental information about those customers?

The ICO holds out hope that, eventually, users won’t be so easily scared off by cookie warnings, but I see this playing out another way.  I got an inkling from an incident at RSA Conference 2012 last week.

A security vendor had a representative standing on Howard Street, flagging down anyone walking by who was wearing an RSA conference badge. In return for handing over a business card, the passerby received a $5.00 Starbucks gift card. Apparently $5.00 is the price this particular vendor was willing to pay for an RSA attendee to share their basic information.

As for me, I’m wondering how many cookies I can buy for $5.00 at Starbucks.  

March 7, 2012  5:14 PM

How CloudFlare’s website security service protected LulzSec

Marcia Savage

When it comes to customer case studies, CloudFlare has one of the most unusual and dramatic I’ve ever heard.

Last summer, the LulzSec hacking group signed up its website for CloudFlare, drawing the website security service and accelerator company into one of the biggest cyber battles ever, as LulzSec created mayhem on the Internet while rivals and others tried to knock it offline. CloudFlare’s CEO and Co-founder Matthew Prince detailed the attacks in a presentation at RSA Conference 2012; I wasn’t able to attend, but he filled me in during a briefing at the show last week.

LulzSec registered for CloudFlare on June 2, 2011 after a substantial DoS attack knocked its newly launched site — — offline for 45 minutes, Prince said. “We had no idea who LulzSec was,” he said. As it turns out, the group had just published information it had allegedly stolen from Sony.

For the next 22 days, LulzSec waged battle on the Web as rivals and white hat hackers launched a volley of attacks against the group’s site. “It was like a gunfight and we were sitting in the middle of it,” Prince said.

The battle proved a mighty test for Palo Alto, Calif.-based CloudFlare, which protects websites against threats like DDoS, XSS and SQL injection attacks while also boosting site performance. “It was the most massive pen test ever,” Prince said. “We learned a ton from the fact that LulzSec was with us.”

He explained that CloudFlare’s system automatically looks for anomalies to detect attacks and once it does, adds protection for all the websites it protects. More than 250,000 websites, from Fortune 500 companies to individual blogs, use CloudFlare. Using the service doesn’t require any hardware installation, only a change to network settings to allow site traffic to pass through CloudFlare, which operates 14 data centers around the world.

“We’re like a smart, skilled router on your network,” Prince said.

The fact that LulzSec stayed online for the 22 days it was with CloudFlare illustrates the company’s core value proposition, Prince said. “Because we saw these threats our network got smarter,” he added.

After those 22 days, the website disappeared. Prince began receiving requests to tell the story of what happened, but the company has a privacy policy with its customers not to reveal them without permission. He used the contact information LulzSec provided to sign up for the service and eventually got a single line reply giving him permission.

Prince said CloudFlare never got a request from law enforcement to take LulzSec offline, but quickly added that it has no mechanism to do that anyway. He noted that CloudFlare wasn’t LulzSec’s hosting provider.

As to whether CloudFlare considered shutting off service for LulzSec – a group linked to a number of attacks on corporate and government sites – Prince said his company’s role isn’t that of an Internet censor.

“There are tens of thousands of websites currently using CloudFlare’s network,” he said in a blog post last summer. “Some of them contain information I find troubling. Such is the nature of a free and open network and, as an organization that aims to make the whole Internet faster and safer, such inherently will be our ongoing struggle. While we will respect the laws of the jurisdictions in which we operate, we do not believe it is our decision to determine what content may and may not be published. That is a slippery slope down which we will not tread.”

March 6, 2012  9:01 PM

What are the best Android mobile security apps?

Robert Westervelt

Traditional antivirus vendors are doing a good job detecting and blocking known mobile malware, according to Av-Test, a Germany-based independent service provider that tests antivirus and antimalware software.

The firm tested the detection capabilities of a variety of available Android mobile security apps using a malware set of 618 malicious application package (APK) files. Malicious apps that were discovered between August and December 2011 were included in the test set.

Avast, Dr.Web, F-Secure, Ikarus and Kaspersky rated highly, according to the firm’s latest analysis, Test: Malware Protection for Android 2012 (.pdf), issued today. Zoner and Lookout, two independent security firms with mobile security apps, also performed well, Av-Test said. The apps had a detection rate of more than 90%.

Products that fell between 65%-90% included AegisLab, AVG, Bitdefender, ESET, Norton/Symantec, Quick Heal, Super Security, Trend Micro, Vipre/GFI and Webroot. Despite falling below 90%, Av-Test said the mobile security apps are still very good and should be considered.

“Some of these products just miss one or two malware families, which might be not prevalent in certain environments anyway,” Av-Test said in its report.

Mobile malware continues to make up about 1% of overall malware, but despite the threat currently being minimal, experts at RSA Conference 2012 have pointed to a variety of attacks, from banking Trojans to SMS fraud, which could pose a threat to enterprise networks. Some say attackers are not too far away from weaponizing applications to perform a variety of functions all aimed at collecting as much data as possible about the device owner.

Judging by the attendance at the mobile sessions during the conference, it’s clear that security professionals are concerned about mobile device security and are looking for ways to gain control and visibility into employee devices at the endpoint. Both Google Android and Apple iOS have been built with security features right into the platform.

“I would go as far as to say they are probably the most secure platforms ever built,” Kevin Mahaffey, CTO of Lookout told me in a mobile security interview at RSA Conference. Sandboxing and granular permissions that limit the device capabilities available to installed mobile applications make it much harder for an attack to be successful, Mahaffey said.

“We haven’t really seen malicious use of vulnerabilities on mobile devices yet, but plenty of researchers have demonstrated that it’s possible. There’s no magic pixie dust in iPhone or Android that makes it somehow immune from all the problems on the desktop,” Mahaffey said.

Anup Ghosh, founder and CEO of browser security vendor Invincea, shares a different view about the Android platform. At RSA Conference, Ghosh told me Android users should be concerned about mobile malware. Apple has done a good job of controlling its platform, keeping its ecosystem closed off to potential malware writers. Meanwhile, Android is using Java as part of its sandboxing strategy. It’s highly buggy, Ghosh said, with a lot of native interfaces to the underlying firmware.

According to Ghosh: “When you download an app from the Android store you are giving explicit permissions, giving that app access to all kinds of system resources, which are all holes to that sandbox. It’s a fairly rich environment for adversaries to write malware. We’re still early as far as malicious code development goes, but they will follow the money.”

It doesn’t hurt to have a layer of security for protection. Mahaffey said a good mobile security app can protect device owners from malware or spyware, provide safe browsing capabilities and locate lost and stolen devices.

Av-Labs said that its test determined a grouping of 17 trustworthy mobile security apps. Even if a mobile security app performed poorly in its detection tests, some have other capabilities such as remote lock and wipe, backup and phone locating that may make them useful.

The firm tested the latest version of available mobile security apps using an Android emulator running the Gingerbread version of Android. The results were verified on a Samsung Galaxy Nexus running the latest Android version, Ice Cream Sandwich.

March 2, 2012  6:17 PM

OpenDNS hires Websense CTO to guide enterprise DNS security services

Robert Westervelt

DNS services provider OpenDNS has hired away the chief technology officer of security vendor Websense Inc. and is laying the groundwork for a variety of DNS layer security services and products aimed at enterprises.

Dan Hubbard, who spent 14 years at Websense, is planning to build out OpenDNS’ security product portfolio. Hubbard played a significant role at Websense, building the Websense Security Labs and the company’s classification engine, which is at the heart of its security products. The engine is used to filter out malicious websites, block spam and phishing attacks and is also at the core of Websense’s content filtering technology.

Hubbard confirmed his departure this week. A Websense spokesperson said the company is already reshuffling executives to fill the CTO role. Charles Renert, an expert noted for his work with Symantec Security Labs and founding Determina, was promoted to vice president and will assume Hubbard’s responsibilities in the interim.

It’s going to be extremely interesting to see how OpenDNS’s enterprise security plans unfold under Hubbard’s guidance.

I spoke to Hubbard at a reception at RSA Conference 2012 where he exuded a lot of enthusiasm for his new gig at OpenDNS. Hubbard said there’s a potential for a whole new range of security technologies that take advantage of being in the DNS layer. The company, which launched in 2005, already provides malware protection for its users by blocking outbound botnet communications at the DNS layer. It also maintains PhishTank, the largest clearinghouse of phishing information on the Internet. OpenDNS has 12 data centers that handle DNS requests, and it has also been collecting threat intelligence data for years. Combining threat intelligence with the ability to keep track of individual IP addresses opens up an interesting set of capabilities for protecting laptops and mobile devices.

The company already has a broad set of users of OpenDNS Enterprise, which provides inbound and outbound protection and is application-, operating system-, protocol- and port-agnostic since it is essentially cloud-based at the DNS layer. The company has been pushing itself as an extra layer sitting between the Internet and enterprise firewalls and antivirus technology at the endpoint. There are some built-in reporting capabilities providing data on attacks and malicious websites that were blocked by the service.

Hubbard’s move to OpenDNS and the company’s security strategy caught the eyes of at least two prominent security luminaries: Dan Kaminsky and Paul Vixie, who attended the reception. Last year, Kaminsky briefly shared with me his vision of what DNS-based security technologies can do. He believes a broad range of technologies can be built out leveraging DNSSEC architecture for authentication and establishing trust in Internet communications. It could provide a much needed injection of trust into the Internet, which has been evaporating in recent years because of a variety of issues, including breaches at SSL Certificate Authority vendors and well known weaknesses in the digital certificate system itself. Vixie has also publicly shared the potential of adding security to the DNS layer.

It was hard, however, to find the enthusiasm for OpenDNS from others at the RSA Conference. The first thing that comes to mind with OpenDNS is its consumer products that enable parents to shield porn and other websites from their children.

Several industry analysts and other security professionals I spoke to were too wrapped up in their own respective areas of expertise, but a few people said they share Kaminsky’s passion for the long-term potential of DNS-layer security technologies.

OpenDNS CEO David Ulevitch told me the company already has the foundation in place to provide a wide variety of security services. He said it just has to execute on its strategy and provide a convincing argument that enterprises can get value out of having security at the DNS layer.

March 2, 2012  12:06 AM

Struggling to maintain compliance amidst conflicting priorities

Jane Wright

Government and businesses – and individuals – often have competing priorities when it comes to information security and privacy, and those competing priorities are reflected in the multitude of ever-expanding compliance regulations in the U.S. IT pros are struggling to maintain compliance in light of these competing priorities and, from my vantage point sitting in on GRC sessions at RSA Conference 2012 this week, they are pretty stressed out.

Unfortunately, panelists speaking about hot topics in law and compliance at RSA Conference 2012 appeared to have little hope for a resolution to the tension anytime soon.

Panelist Benjamin T. Wilson, general counsel and senior vice president of industry relations for SSL certificate authority DigiCert Inc., called the tension between government and individuals/businesses a “megatrend” that’s overriding the compliance regulations being written or modified in 2012. Regulators are torn between individuals and businesses: each wants access to all kinds of information, but also wants all of its own information kept private.

Add in the many and varied regulations of other countries, who are themselves attempting to regulate how data is stored or transmitted, and the job of compliance manager becomes that much more difficult.

Today’s compliance and risk managers are riding the uncomfortable megatrend of tension between access to data and protection of data. Is it a thankless job?


March 1, 2012  1:24 PM

Microsoft Azure outage apparently triggered by leap year glitch

Marcia Savage

Microsoft’s Azure cloud service suffered a worldwide outage that started Tuesday and was apparently triggered by a timing miscalculation for the leap year. The company was continuing to work on Wednesday to resolve the Azure outage, which continued to affect some customers.

Microsoft said it became aware of an issue impacting the service management component of Azure at 5:45 p.m. Pacific Time on Tuesday.

“The issue was quickly triaged and it was determined to be caused by a software bug. While final root cause analysis is in progress, this issue appears to be due to a time calculation that was incorrect for the leap year,” Bill Laing, leader of the Azure engineering team, wrote in a blog post.

Microsoft created a fix and deployed it to most of the Windows Azure sub-regions, which restored the Azure service to most customers by 2:57 a.m. PST on Wednesday, he said.

“However, some sub-regions and customers are still experiencing issues, and as a result of these issues they may be experiencing a loss of application functionality. We are actively working to address these remaining issues,” he said.

In an email statement, a Microsoft spokesperson said some customers in three sub-regions – north central U.S., south central U.S. and North Europe – remained affected late Wednesday afternoon. Customers might have issues with Access Control 2.0, Marketplace, Service Bus and the Access Control & Caching Portal, which could result in loss of application functionality, the spokesperson said.

Windows Azure Storage was not impacted, according to Microsoft.

UPDATE: Microsoft reported Thursday at 10:13 a.m. Pacific Time that the Azure service disruption was completely resolved.

February 29, 2012  10:32 PM

Joe Security is pwned: Are security defense technologies working?

Marcia Savage Michael Mimoso Profile: maxsteel

RSA Conference 2012 feels like a big ol’ group therapy session. Small circles of friends, larger circles of industry peers, huddled masses freeing themselves of a collective weight on their shoulders. No longer do they have to lie to themselves, their colleagues or bosses. “Hi, I’m Joe Security and I’m pwned!” They’ve come to grips with the fact that it’s OK to say security technologies suck, networks are compromised and attackers are winning.

OK, that last part has always been part of the dialogue. But the other two have only been whispered in the past. Now it’s being shouted at networking events and even from the big keynote pulpit here in San Francisco. Legacy investments in signature-based antivirus, intrusion detection and other detection technologies don’t serve the industry as well as they used to. Signature updates can’t keep up with the evolution of malware. And most attacks are too targeted or too stealthy, or both, to warrant signatures for the masses. It doesn’t work anymore and everyone’s free to say it without repercussion.

Granted, Art Coviello, RSA Security’s chief executive, has a vested interest in shouting it the loudest, but he made a good, encapsulating point during his keynote yesterday: “We have to stop being linear thinkers, blindly adding new controls on top of failed models. We need to recognize, once and for all, that perimeter-based defenses and signature-based technologies are past their freshness dates, and acknowledge that our networks will be penetrated. We should no longer be surprised by this.”

There’s a lot of whispering now about bringing big data concepts to security. Your resume had better soon include some business analytics experience if you wanna be tomorrow’s CISO. You’d also better figure out how to harness all that data your security gear spits out and learn how to baseline “normal” network behavior and address anomalies. And oh yeah, you better know how to talk to your executives about security.

Selling them your initiatives based on fear is so five years ago. You better learn your business, how it makes money, and how to deliver metrics that address not only bottom-line impact, but how the customer experience is affected, how internal processes need to reflect security and how you’re articulating security to the company to turn everyone into an advocate for you.

Journalists and analysts like tipping points and landmarks because it makes it easier for us to articulate our stories to readers. Most of the time those tipping points and landmarks are made up; not this time though. There’s a definite change in the air and some tangible direction for the industry. Let’s see how we did about this time next year.

February 28, 2012  1:31 PM

RSA 2012: Former NSA director warns of economic cyberespionage threat

Marcia Savage

The Cloud Security Alliance Summit at the RSA Conference 2012 got off to an entertaining start Monday with a keynote from an unlikely entertainer: Mike McConnell, former NSA and national intelligence director. McConnell had the crowd laughing with stories of his grandchildren and old times with Colin Powell, but he segued into a serious message: The country isn’t doing enough to address the threat of economic cyberespionage.

The U.S. is the “most digitally dependent nation” and its competitive advantage is its innovation, creativity, research and development, he said. “That information is regularly being taken from us,” added McConnell, who is now vice chairman at Booz Allen Hamilton.

McConnell didn’t point fingers at any country, but said some nation states make it a policy to conduct economic espionage and capture intellectual capital. “We are moving very slowly to address these threats. …We don’t have a cyberdefense capability on a global scale,” he said.

The country needs to establish a policy for what the NSA can do to protect the nation in cyberspace, he said. “The industry is going to have to accept some level of regulation.”

“The economics of cloud computing are compelling,” McConnell said. “It will happen. We need to address privacy, business interests and the national security dimension.”

Other highlights from the CSA Summit:

The CSA announced an “innovation initiative” to help speed development of cloud security by identifying key issues related to security that block the adoption of next-generation IT, documenting guiding principles that IT innovators should address, and incubating IT solutions that align with CSA principles.

Interestingly, the initiative includes not only a working group within CSA, but a for-profit entity that will work with innovators. Innovators don’t have to use CSA assistance in developing their technology, but can have a CSA working group assess its value.

The CSA also is starting a research project into SLAs and is looking for volunteers. The goal is to develop standards around SLAs – something no doubt many cloud users would appreciate.

February 3, 2012  9:44 PM

Kaspersky buys out equity firm; keeps security company private

Marcia Savage Michael Mimoso Profile: maxsteel

CANCUN, Mexico — Kaspersky Labs cofounder and chief executive Eugene Kaspersky announced today that the Russian security company will not pursue an initial public offering in the foreseeable future and will buy back the shares it sold to a private equity firm brought in 13 months ago to pursue an IPO.

In January 2011, General Atlantic bought 20% of Kaspersky, valued at about $200 million, from Eugene Kaspersky and his ex-wife Natalya. GA was brought in at the time to seek acquisition opportunities and set Kaspersky Lab up for an initial public offering.

“It’s quite a big deal, the biggest deal of my life,” Kaspersky said at the Kaspersky Security Analyst Summit 2012. “The company will stay private and stay focused on IT security.”

Kaspersky said the main motivation for the buy-back was the preservation of the company culture.

“IT security has to be flexible and innovating. My impression is that being private is the right way because you don’t need to report [finances],” Kaspersky said. “I like the way company is going and the spirit of the company. To change their basic design, I’m afraid is dangerous. We are not going to change our ways, spirit, culture, emotion or strategy.”

Kaspersky said he could see the company branch beyond its core consumer and enterprise antimalware expertise. The company has a worldwide stable of security researchers with offices in 29 countries. Kaspersky said the company is profitable (less than 20% year over year growth), and promised to remain as transparent as possible in its financial disclosures.

“[If public], there are much more reports and governance and a longer decision-making process,” Kaspersky said. “I have the same feeling that I read in Richard Branson’s book that when you go public, the company goes slower. I don’t want that.”

February 3, 2012  1:12 AM

Faith in webmasters’ security rewarded-kinda

Marcia Savage Michael Mimoso Profile: maxsteel

CANCUN, Mexico — Kaspersky Labs senior security researcher Stefan Tanase knows all about the old adage “You never know until you ask.”

Tanase conducted an experiment recently where he emailed the webmasters of 100 websites infected with malware, informing them of the problem and asking in return only for some data on the infections in the form of log entries. What Tanase got in return was a big fat zero, as in no replies.

Undeterred, Tanase said Wednesday during the Kaspersky Lab Security Analyst Summit 2012 that he emailed another 200 and actually got a 3% reply rate on his second attempt.

“The assumption I made is that webmasters don’t know their sites are infected,” he said. “The reality is that webmasters don’t care if their sites are infected.”

Tanase said he knows 52% of his emails reached their destination; 48% bounced back to him.

Of the three percent who did reply, one came from a monastery and a priest who asked for help in cleaning up the websites and under what conditions. Another respondent came from an advertising agency that wasn’t interested because the infected site in question was an old site no longer in use. Another, from an industrial equipment supplier, said they didn’t have a dedicated IT person on staff, but offered to send Tanase an administrative username and password and wondered if he could help – a major security fail.

The experiment, however, wasn’t a total bust; 3% may have replied, but upon a second scan, 5% had removed the malware from their sites.

“They may not have replied,” Tanase said, “but they did clean up their site.”
