Archives for January 2011

Schneier on Security: Whitelisting vs. Blacklisting


Excellent discussion of whitelisting vs. blacklisting. In theory, it’s clear which approach is more appropriate for a given situation. For example:

Physical security works generally on a whitelist model: if you have a key, you can open the door; if you know the combination, you can open the lock. We do it this way not because it’s easier — although it is generally much easier to make a list of people who should be allowed through your office door than a list of people who shouldn’t — but because it’s a security system that can be implemented automatically, without people.

In corporate environments, application control, if done at all, has been done with blacklists, it seems to me, mainly because whitelisting was simply too difficult. In other words, in theory whitelisting is the right thing to do, but in practice the tools were simply not there.

However, this is changing. Next Generation Firewalls hold the promise of application whitelisting. If the NGFW can identify and classify all of the applications traversing the organization’s network, then you have the visibility to implement application whitelisting.

The advantage of network-based application whitelisting is that you get off the treadmill of needing to identify every new potentially malicious application and add it to the blacklist.

The objective is that the last firewall policy rule is, “If application is unknown, then block.” At that point you have returned to the Positive Control Model for which firewalls were conceived.

SaaS Compliance solution from Navajo Systems

While there are many compelling benefits to Software-as-a-Service solutions like Salesforce, SuccessFactors, and Gmail, there are also privacy, security and compliance inhibitors which arise from the fact that SaaS application data is stored in clear text.

For many organizations, encrypting the communication between users and SaaS applications is simply not enough. Some large organizations have resorted to installing SaaS applications in their datacenters to meet privacy, security and compliance requirements. This way they get some of the SaaS application benefits but still must endure the real estate, power, hardware, communications, and associated administrative expenses themselves.

Some organizations have restricted the use of SaaS applications to those where clear-text data does not run afoul of regulatory issues.

The ideal solution would be to encrypt data on the way into and back out of the SaaS applications. SaaS backup solutions, for example, have been doing this for years. The file metadata stays in clear text but the files themselves are encrypted. However, for data-oriented applications like Salesforce, SuccessFactors, and Gmail, standard data encryption does not work because once the data is encrypted, you cannot search or sort on it.

Finally, a solution has come to market – Navajo Systems – which allows you to meet regulatory compliance requirements for storing, for example, Personally Identifiable Information (PII) and Protected Health Information (PHI) in SaaS applications. Navajo’s breakthrough is an encryption algorithm which allows searching and sorting. In other words, data is encrypted before it leaves your organization and is stored in the SaaS application in that same encrypted form, yet can be searched and sorted in a way that is transparent both to the SaaS application and to the users!

Only you have the encryption keys. No one at the SaaS vendor can read your data. Full disclosure: Cymbel is partnering with Navajo. We would be glad to show you exactly how this works.

Here are links to more information about SaaS Compliance and Navajo Systems.

Panda Security goes inside the web’s black market

Panda Security Goes Inside Web’s Black Market

PandaLabs released a 44-page report called The Cyber-Crime Black Market: Uncovered. If you are not familiar with the subject, this report is very good. Here are some highlights:

The exponential growth of malware

Five years ago, there were only 92,000 strains of malware cataloged throughout the company’s 15-year history. This figure rose to 14 million by 2008 and 60 million by 2010, which gives a good indication of the rate of growth.

At this rate, is it reasonable to rely on a signature-based approach to malware detection? No mention is made of 0-day malware. We like FireEye’s behavioral approach as a complement to a signature-based approach to anti-malware.

The cyber-crime professions

Panda quotes the FBI’s list of ten different professions that make up the cyber-crime black market – Programmers, Distributors, Tech Experts, Hackers, Fraudsters, Hosted systems providers, Cashiers, Money mules, Tellers, and Organization Leaders. This division of labor should give you some idea of the maturity of the cyber-crime underground.

The process

Panda does a fairly good job of documenting the process, although this section of the report could have been better organized.

The black market at-a-glance

This section shows just how sophisticated the black market ecosystem is. Just like the markets we engage in every day, there are promotions, try & buy offers, discounts for volume purchases, multiple payment options, and post-sale support services.

What to do and what not to do

The report closes with some common sense advice as to what to do and what not to do to minimize your risk of cyber-fraud.

Zeus evolves to target online payment providers

Zeus Latest Evolution in Malware Trends – Targets Online Payment Providers.

Trusteer is reporting on the evolution of the Zeus malware. Originally it targeted users performing online bank transactions. It’s now targeting online payment providers like Money Bookers, Web Money, netSpend, and e-gold. These types of companies have millions of users. If one of these users has his or her account looted, what recourse does the person have? After all, these are not banks and are most probably not legally bound to make good their defrauded clients’ losses.

Zscaler reports on ‘blackhat’ SEO numbers for December 2010


One of the Social Engineering risks a user must cope with is malicious web page links that show up in Google searches. Google is aware of this problem and works to weed out the “blackhat” website pages that attempt to fool Google’s algorithms.

While Google’s efforts are improving, Zscaler is reporting that in December 2010, Google flagged only 44% of the “blackhat” links that Zscaler identified.

Full disclosure: Zscaler is a Cymbel partner.

Facebook scam: Guy that lives on my street killed his girlfriend today

Facebook scam: Guy that lives in my street killed his girlfriend today.

Social Engineering creativity knows no bounds.

This one has been spreading for a couple of days, posing as a news story from one of your Facebook friends that someone who lives in their street has killed his girlfriend.

If you have been hit by scams like this on Facebook, and are struggling to clean-up your profile, here’s a YouTube video I made which describes what steps you need to take.

Cisco 2010 Annual Security Report – Cybercrime ROI Matrix

ReadWrite Enterprise has a nice summary of the Cisco 2010 Annual Security Report. Here are some of the key points.

Cisco goes MBA-ish with a quadrant to show trends in cybercriminals’ attack methods.

Social engineering continues as a key technique. Cisco highlights the seven weaknesses social engineers exploit: sex appeal, greed, vanity, trust, sloth, compassion, and urgency. Cisco recalls the Robin Sage fiasco.

Java has become the number one target for cybercriminals, replacing PDF.

And of course, Cisco acknowledges Stuxnet and the “evil” cybercrime winner.

‘Cyberlockers’ present new challenges to music industry

PaidContent.org published an interesting article yesterday entitled, How ‘Cyberlockers’ Became The Biggest Problem In Piracy.

PaidContent uses the term “cyberlocker” to refer to browser-based file sharing applications, which pose a new challenge to the music industry’s efforts to thwart illegal sharing of music, aka piracy.

The article highlights some of the better known applications like RapidShare, Hotfile, Mediafire, and Megaupload. It also points out that Google Docs qualifies as a cyberlocker, although it’s used mostly for Word and Excel documents.

What the article fails to mention is the amount of malware lurking in these cyberlockers. The file you download may be the song you think it is, or it may be a trojan.

Palo Alto Networks, the Next Generation Firewall manufacturer, has the statistics to corroborate PaidContent’s claim that browser-based file sharing is growing rapidly.

Palo Alto Networks’ Applipedia identifies 141 file sharing applications, of which 65 are browser-based.

Any organization which has deployed Palo Alto Networks can control the use of browser-based file sharing with the same ease as the older peer-to-peer file sharing applications.

Furthermore, if you configure Palo Alto to block the “file sharing” sub-category of applications, not only will all of the known file sharing applications be blocked, but any newly discovered ones will also be blocked. However, there are valid business use cases for using a file sharing application. Therefore you would want an exception for the one you have selected.

Finally, should you choose to allow a file sharing application, Palo Alto will provide protection against malware.
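The positive control model from the Schneier post above (a last rule of “if application is unknown, then block”) and the sub-category block with a sanctioned exception described here follow the same first-match rulebase logic. This added example is mine, not Palo Alto Networks’ or Schneier’s code: it evaluates a blacklist policy and a positive-control policy against constructed sessions; the application names “sanctioned-locker-example” and “newlocker-example” and the sub-category labels are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# A session as the NGFW classified it: the application name (None when the
# firewall could not identify the traffic) and that application's sub-category.
@dataclass(frozen=True)
class Session:
    app: Optional[str]
    subcategory: Optional[str] = None

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow" or "block"
    app: Optional[str] = None           # match one application ...
    subcategory: Optional[str] = None   # ... or a whole sub-category ...
    unknown_only: bool = False          # ... or only unidentified traffic
    def matches(self, s: Session) -> bool:
        if self.unknown_only:
            return s.app is None
        if self.app is not None and s.app != self.app:
            return False
        if self.subcategory is not None and s.subcategory != self.subcategory:
            return False
        return True                     # no criteria at all: match anything

def evaluate(policy: list, s: Session) -> tuple:
    """First-match evaluation, as firewall rulebases work; returns (action, rule)."""
    for rule in policy:
        if rule.matches(s):
            return rule.action, rule.name
    return "block", "implicit-deny"     # nothing matched: positive-control default

# Negative control: enumerate the bad apps, permit the rest (the blacklist treadmill).
BLACKLIST = [
    Rule("block rapidshare", "block", app="rapidshare"),
    Rule("block megaupload", "block", app="megaupload"),
    Rule("allow everything else", "allow"),
]

# Positive control: the sanctioned locker is allowed above the sub-category
# block, and the last rule is "if application is unknown, then block".
POSITIVE_CONTROL = [
    Rule("allow sanctioned locker", "allow", app="sanctioned-locker-example"),
    Rule("block file-sharing sub-category", "block", subcategory="file-sharing"),
    Rule("allow business apps", "allow", subcategory="business-systems"),
    Rule("block unknown applications", "block", unknown_only=True),
]

def decide(s: Session) -> tuple:
    """(blacklist decision, positive-control decision) for one session."""
    return evaluate(BLACKLIST, s)[0], evaluate(POSITIVE_CONTROL, s)[0]
```

A locker first seen after the blacklist was written sails through the blacklist but is caught by the sub-category rule, and traffic the firewall cannot classify is the only case the last rule exists to catch.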

Highlights from Sophos threat report


The recently released Sophos Threat Report claims that with more than 50 percent of companies allowing free and open access to social networking sites:

  • 67 percent of users were spammed on social networks – double from when the survey began in 2009 (33.4 percent)
  • 40 percent were sent malware
  • 43 percent were phished – more than double from when the survey began in 2009 (21 percent)

The answer is not totally blocking access to social network sites. People in marketing and sales need access, but they don’t need to be playing Farmville. Also totally blocking all aspects of social network sites might create a morale issue.

Anti-virus can play a role, but a defense-in-depth strategy is needed that includes Next Generation Firewalls.

Experi-Metal vs. Comerica Case Heads to Trial — Krebs on Security


Detailed update on the upcoming Experi-Metal vs. Comerica trial. In brief, Experi-Metal is suing its bank, Comerica, for money ($560,000) it lost due to fraudulent wire transfers that resulted from a security breach.

The bank, Comerica, claims the loss is entirely Experi-Metal’s fault, while Experi-Metal claims that Comerica should have realized that a large number of wire transfer requests within a few hours was suspicious, especially considering it had only done two wire transfers in the two years prior to this incident.

Businesses do not enjoy the same legal protections afforded to consumer banking customers hit by cyber thieves, and most organizations will be held responsible for any losses due to phishing or account takeovers. But a rash of these attacks that has netted thieves more than $70 million over the last few years has caused some victim businesses and their lawyers to look for ways to hold banks more accountable, by pointing out ways in which the banks may not be living up to the somewhat nebulous state legal standards that govern commercial banking activities.

This case and other similar ones are putting pressure on small and mid-size banks, and the outsourcers who provide transaction processing services to them, to strengthen their security posture.

… more banks could and should offer the kind of technology employed by the major credit card networks, which try to build profiles of customer activity and then alert the customer or the issuing bank of any suspicious or unusual activity. But she said a large percentage of banks outsource the day-to-day customer transactions to third-party service providers, most of whom do not currently offer services that would conduct that transaction analysis.

When the costs of improving security posture are lower than the risk-weighted costs due to a breach, then these banks will move. I do not mean to appear overly cynical here. It’s the banks’ fiduciary responsibility to move only when the risk analysis scale tips in favor of improving security. That’s what makes this trial so interesting.
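As an added example (mine, not Comerica’s, Experi-Metal’s, or any bank’s actual system), here is the kind of customer-profile check the quote above describes, applied to the pattern in this case: a customer whose own history shows two wires in two years suddenly submitting a dozen in a few hours. The history and the burst are constructed, and the thresholds (6-hour window, 10x the customer’s baseline, floor of 3 wires) are assumptions.

```python
from datetime import datetime, timedelta

# Constructed history for one commercial customer, modelled on the facts in the
# post: two wires in the prior two years, then a burst of requests within hours.
# Each record is (timestamp, amount in USD, beneficiary label).
HISTORY = [
    (datetime(2009, 3, 2, 10, 15), 12000.0, "supplier-a"),
    (datetime(2010, 6, 18, 14, 40), 8000.0, "supplier-b"),
]
BURST = [(datetime(2011, 1, 22, 7, 30) + timedelta(minutes=9 * i),
          6000.0 + 500 * i, f"payee-{i}") for i in range(12)]

def expected_in_window(history, now, lookback_days, window_hours):
    """Baseline from the customer's own profile: wires expected in one window."""
    start = now - timedelta(days=lookback_days)
    past = sum(1 for t, _, _ in history if start <= t < now)
    return past / (lookback_days * 24) * window_hours

def assess(history, request, window_hours=6, lookback_days=730, multiplier=10, floor=3):
    """Return ('hold', reason) when this request pushes the short-window count
    far above the customer's baseline, else ('release', reason)."""
    now = request[0]
    recent = sum(1 for t, _, _ in history if now - timedelta(hours=window_hours) < t <= now)
    count = recent + 1                       # include the request under review
    expected = expected_in_window(history, now, lookback_days, window_hours)
    threshold = max(floor, multiplier * expected)
    if count >= threshold:
        return "hold", f"{count} wires in {window_hours}h; baseline {expected:.4f}"
    return "release", "within profile"

def replay(history, requests):
    """Score requests in order; every request (held or not) joins the profile so
    the velocity count keeps climbing during a burst. Returns the decisions."""
    seen = list(history)
    decisions = []
    for req in requests:
        decisions.append(assess(seen, req)[0])
        seen.append(req)
    return decisions

def summarize(decisions):
    return {"release": decisions.count("release"), "hold": decisions.count("hold")}
```

The first two requests clear because a count-based velocity rule needs a few events before it trips; a bank would pair it with other profile features (first-time beneficiaries, amount versus history) to catch the earliest ones.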