Infosec Island Latest Articles
https://www.infosecisland.com

Skype Malware Campaign Spreading Poison Ivy Trojan
https://www.infosecisland.com/blogview/21340-Skype-Malware-Campaign-Spreading-Poison-Ivy-Trojan.html
Wed, 16 May 2012 12:19:44 -0400

Malware researcher Dancho Danchev is reporting a widespread social engineering campaign on Skype that is spreading a variant of the Poison Ivy Trojan.

The Poison Ivy remote administration tool (RAT) was employed in the infamous RSA breach last year to glean authentication credentials that allowed access to other systems in the company's network.

Danchev had received an early morning Skype message from a trusted contact that was typical of a social engineering attempt. The note said “hahahahaha foto” and contained a link to "hxxp://random_subdomain.photalbum.org".

Danchev noticed that the message was being sent to a large number of contacts in a group, and being a malware expert, he immediately had suspicions and began investigating - here is what he found:

"Once the socially engineered user clicked on the link, a Download window will automatically prompt them to download the following file - Photo9321092109313.JPG_www.facebook-com.exe. Notice how the cybercriminals behind the campaign try to trick end users into thinking that they’re about to open an image file, potentially coming from Facebook. In reality though, it’s an executable," Danchev explains.

Fewer than half of the 42 commercial antivirus solutions surveyed are able to detect the Trojan's signature.

"The Photo9321092109313.JPG_www.facebook-com.exe sample has the following MD5: bc3214da5aac705c58a2173c652e031e, currently detected as Trojan.Win32.Jorik.PoisonIvy.yy, Trojan.Win32.Diple!IK by 16 out of 42 antivirus engines. Upon execution, the binary creates a batch script, installs a program to run automatically at logon, and creates a thread in a remote process," said Danchev.

Danchev analyzed the malware's payload and discovered it was delivering a version of the Poison Ivy Trojan, a common tool employed by malware propagators.

"What’s so special about the payload anyway? The payload is a copy of the infamous Poison Ivy DIY RAT (Remote Access Tool), also known as a trojan horse or backdoor. The attackers chose this easy-to-obtain RAT for serving malicious code, compared to a situation where they would need to code it from scratch," warns Danchev.

Danchev goes on to explain how this malware campaign is a prime example of the use of social engineering exploits that prey on a target's innate trust and lack of situational awareness.

"Hijacked trusted and legitimate Skype accounts are invaluable from a social engineering perspective. Trust is vital, even novice end users know it. If the cybercriminals were to automatically register thousands of bogus accounts, they would attempt to only target users who allow the receiving of messages from users who are NOT on their contact list," said Danchev.

Aside from spam messages one may receive from unknown sources, Danchev warns that even messages from trusted contacts should be cause for caution, as campaigns such as this one may involve compromised accounts.

"Although millions of Skype users continue receiving these messages, the majority of successful malware campaigns using Skype as a propagation vector tend to involve trusted and compromised Skype accounts in an attempt to increase the probability of a successful infection," Danchev concluded.

As always, think twice before clicking a link, even from a trusted contact. More details on the malware campaign can be found here:

Source:  http://blog.webroot.com/2012/05/15/poison-ivy-trojan-spreading-across-skype/

Copyright 2010 Respective Author at Infosec Island
I Hope Edo is Worth the Privacy Risk
https://www.infosecisland.com/blogview/21328-I-Hope-Edo-is-Worth-the-Privacy-Risk.html
Wed, 16 May 2012 08:10:00 -0400

About a week ago, I read on Techcrunch about this new daily deal service called edo that ties to your bank account, and the first thing that came to my mind was “uh oh, another attack vector into my bank info”.

What makes this service unique is the fact that it’s attached to your credit or debit card. That bothers me from a security standpoint.

In poking through the “edo” website and reading the Techcrunch article, we find out how this new service works. Here is a list of features that are potential attack vectors from a high-level standpoint:

  • It’s white label, meaning that you as a consumer may not even know that you’re using edo’s service through your bank’s website/application.
  • Since it’s white label the bank/credit card company gets to decide whether you’re opted in or out by default.
  • It uses your past credit/debit card usage to figure out what deal you might be interested in.

The first two bullets I have issues with from a privacy standpoint, but I’m not going to deal with those here. What I want to deal with is the fact that this service uses past credit/debit card transactions to figure out what deal it should send to the customer.

That means there is an interface between edo and the bank's credit card database. There had better be something making sure that an attacker cannot come in from edo’s system, hop across the interface to the bank, and into the credit/debit card database.

The Techcrunch article points out that “the banks don’t need to pull any personally identifiable info, your demographic profile, or anything else but how you like to spend and where you spend in order to start sending you offers.”

So how will the bank send the “daily deal” email to me exactly? Right, my email address on record will have to be used. So how do they plan to do that?

Sure, that “personally identifiable” information might not be handed over to edo to do a pattern analysis of what deals should be sent to me; however, I have a feeling that edo will get it eventually.

edo just flat out bothers me. It’s one thing for Amazon.com to be able to run pattern analysis to suggest other items to you; it’s totally different for a 3rd party to use my credit and debit card records to send me daily deals.

What’s worse is the fact that this service can fly under the bank’s colors.

Cross-posted from Home+Power

On Proper System Hardening
https://www.infosecisland.com/videos-view/21011-On-Proper-System-Hardening.html
Wed, 16 May 2012 08:00:00 -0400

System hardening is a term used frequently. But what does it exactly mean, and are you doing it right?

In simple terms, any system or device out of the box comes with all its bells and whistles belling and whistling, which is great if you’re going to use it to back up your holiday pictures at home.

But if it’s going to be deployed as part of your critical infrastructure, you need to harden it up a bit. Think of it like a Rocky montage to get it into shape.

When it’s been hardened, all unnecessary bells and whistles are turned off, disabled or simply ripped out, leaving only the bare minimum needed to run the service. This leaves a much smaller surface to attack.

A bit like how a boxer will turn sideways, tuck their chin in and keep their hands up to make it harder for their opponent to hit the smaller target. Of course, you could end up turning off everything, in which case you will be left with a perfectly secure, yet somewhat unusable system.


Don't forget to like the video if it has been of any use to you. As always, Javvad is easy to stalk:

J4vv4D.com
@J4vv4D
Facebook.com/J4vv4D
youtube.com/infoseccynic

Dutch MoD Innovation Competition 2012: CYBER Operations 2.0
https://www.infosecisland.com/blogview/21332-Dutch-MoD-Innovation-Competition-2012-CYBER-Operations-20.html
Wed, 16 May 2012 07:10:00 -0400

The Dutch Ministry of Defense (MoD) annually issues a "Defense Innovation Competition", intended to get input from and foster relations with Dutch industry and SMEs.

This year's theme is "CYBER Operations 2.0". The project document (.pdf, in Dutch) describes it as follows:

For operations and command, the Dutch MoD relies on radio and satellite connections and the internet. But developments such as WiFi, smartphones and tablets will eventually make their appearance in the armed forces. The difference between military radio networks and the internet is therefore becoming more diffuse. And cyber is therewith definitively added to the domain of Defense.

Guided by the Dutch National Cyber Security Strategy, the government, industry and knowledge institutions join forces. Externally, the MoD closely cooperates with these other players in the cyber security chain. But internally, the MoD must guarantee the integrity of its own information provisioning, networks and IT infrastructure. Therefore, the MoD is actively pursuing enhanced digital defensibility and the development of cyber as an operation capability. Regarding cyber, the MoD is expeditious and innovative; under the motto "Cyber, more than Defense!", the MoD must be able to operate in the same way it does in other dimensions (land, sea, air, space), in other words, the MoD must also defend, delay, maneuver, attack and gather intelligence in the cyber dimension. Cyber Security thus entails more than Cyber Defence: for the MoD, it means: Cyber Operations. To this end, the MoD founded the Taskforce Cyber in January 2012.

In order to guarantee its future military capability (power) in the cyber domain, the MoD is in need of new technologies and innovations. With the Defense Innovation Competition 2012, the MoD is challenging the SME and Dutch industry. Use your innovation, your creativity and technological ingenuity to make a tangible contribution to the future of cyber operations.

The proposals are judged by seven criteria:

  1. Applicability/implementability
  2. Innovation
  3. Feasibility
  4. Quality (in terms of language, argumentation)
  5. Competence, reputation of submitting entity
  6. Risk analysis of follow-up phase

The MoD has reserved EUR 200k to make the winning idea become reality. The deadline for submitting proposals is August 22nd 2012. Participation is restricted to Dutch industry and SME.

NIST Workshop: The Technical Aspects of Botnets
https://www.infosecisland.com/blogview/21336-NIST-Workshop-The-Technical-Aspects-of-Botnets.html
Wed, 16 May 2012 07:00:00 -0400

While security risks on the Internet continue to exist in many areas, one increasingly exploited threat is the global rise of botnets.

A botnet infection can lead to the monitoring of a consumer's personal information and communication, and exploitation of that consumer's computing power and Internet access.

To address the problems created by botnets, the botnet lifecycle must be disrupted and the malware on the devices removed or made impotent. Companies, organizations and governments around the world have been developing policies, high-level principles and solutions.

NIST seeks to engage all stakeholders to identify the available and needed technologies and tools to recognize, prevent, and remediate botnets; explore current and future efforts to develop botnet metrics and methodologies for measuring and reporting botnet metrics over time; and, understand where ecosystem stakeholders are in terms of roles and responsibilities.

Date: Wednesday, May 30, 2012

Location: 100 Bureau Dr. Gaithersburg, MD. 20899 (Building 101 - Green Auditorium)

Registration: Online registration

Agenda:

Panel 1: Current and Future Efforts and Challenges

This panel will discuss the various efforts ongoing in this area. The panel will also address issues and challenges related to the prevention, detection, notification, and remediation of botnets. Panel members will discuss the impact of botnets, the characteristics and threats that make botnets a unique problem, and what it will take to effectively counter them. The panel will focus on the environment and ecosystem in which botnets function and the gaps in developing solutions.

Panel 2: Metrics, Measurements and Reporting

This panel will focus on opportunities and methods for measuring and reporting botnets. Panelists will examine what metrics work, how they should be reported, if they need to be standardized, where they should be employed, and the major challenges. The panel will discuss current and future efforts to develop metrics and potential methodologies for evaluating and reporting botnets over time.

Panel 3: Technologies, Tools, and Resources

This panel will explore the various technologies, tools and resources that are needed to effectively detect, prevent and remediate botnets. Panel members will examine their effectiveness, existing gaps or areas needing improvement, and those characteristics that make them most useful.

Panel 4: Roles and Responsibilities

The botnet ecosystem has many players. In this panel, government and private sector representatives will share their perspectives on what roles the various stakeholders (e.g. ISPs, browser providers, security firms, search engines, users, etc.) play and what their responsibilities are or could be. Panelists will discuss trends, gaps, and opportunities in the current environment.

Security Instructions:

Please note that there are now additional requirements for visitor vehicles entering the campus. When a Guest/Visitor checks in at the NIST Visitor Center at Gate A and intends to drive into the campus, they will have to show two documents: a Photo ID (State issued driver's license, Federal ID or passport) and a Vehicle Registration card. If a guest does not have a valid vehicle registration, they will be required to park at the Visitor Center and take the NIST Campus Shuttle. Visitors driving rental cars can show their rental agreement in lieu of vehicle registration.

Once you leave the Visitor Center, you will be asked to show the name badge you picked up and a photo ID before being admitted onto the campus.

The NIST Conference office coordinates security instructions with registered attendees directly.

Source:  http://www.nist.gov/itl/csd/botnets-workshop.cfm

Security Automation by Hand - Batch/Bash/FOR
https://www.infosecisland.com/blogview/21333-Security-Automation-by-Hand-BatchBashFOR.html
Wed, 16 May 2012 00:04:00 -0400

This series of articles will offer entry points and ideas on how to manage your environment quickly, easily, and cheaply (free). To keep that focus, this article’s scripts will each be one command-line entry long.

This series will break things apart and expand upon useful tools and techniques, getting more advanced and complex as we go.

We’ll also tackle some scripting languages: Batch, Bash, VBScript, Python and PowerShell being the most likely candidates for simplicity and compatibility with environments.

N = 1;
Part = N;

Today’s fun: Simple Uses for “For” loops using Batch and Bash

For example, suppose we have an asset number on the outside of each workstation; sometimes we need to reconcile it to a PC name. Normally this is not a big deal, but when a request involves lots of machines, it can be a pain to look them up if you are given asset numbers instead of PC names.

This request could be anything; perhaps it is a list of machines to be patched, or that need a scan run on them. Here is a script that takes each tag from a list of tags in a file, compares it to another large file/datastore, pulls the lines you need, and then trims them down to the data you want.

First, take your list of Tags and put them in “assets.txt”. Name your masterlist “AssetList.txt”. Keep in mind you can always change the code to just reflect your own file names.

The following line of code says: for each entry in assets.txt, search the datastore for the line containing that entry and append it to the file “listofpcnames.txt”. If you have grep and cut available, you can also cut each matching line down by a delimiter (I am using | in the example) and select only the bit of text you need.

FINDING DATA:

MS:

for /f %i in (assets.txt) do find " %i" AssetList.txt >> listofpcnames.txt

MS With MinGW:

for /f %i in (assets.txt) do grep %i AssetList.txt | cut -d"|" -f6 >> listofpcnames.txt

Linux:

for pcname in $(cat assets.txt); do grep "$pcname" AssetList.txt | cut -d'|' -f6 >> listofpcnames.txt; done

Now, any time you want to find multiple pieces of text in a large file like a .csv or .xls you can use this technique.

SORTING LOGS:

You can also use this technique for processing network logs. Have a series of IPs you want to find or compare against a list of computer names? Fill your “assets.txt” with the IP addresses you want to compare. If the log is messy, you can run the following if you have grep and cut.

Suppose your data looks like the following; what you want is the 3rd and 9th fields.

Date1, time1, mac1, ip1, code, field3, field17, gibberish1, klingon1, cat1, furball
Date2, time2, mac2, ip2, code, field3, field17, gibberish2, klingon2, cat2, furball
Date3, time3, mac3, ip3, code, field3, field17, gibberish3, klingon3, cat3, furball

Run the same loop as above, but change the do section to read:

MS With MinGw:

for /f %i in (assets.txt) do grep %i masterpclist.csv | cut -d"," -f3,9 >> listofpcnames.txt

For Linux:

for ip in $(cat assets.txt); do grep -F "$ip" MasterPcList.csv | cut -d',' -f3,9 | sort -u >> listofpcnames.txt; done   # -F: match the IP literally, so its dots are not regex wildcards

If you run this, you’ll get:

  • mac1, klingon1
  • mac2, klingon2
  • mac3, klingon3
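The same lookup (entries from a list file, matching lines from a master file, then the wanted fields) as a reusable bash function with constructed sample data; this is an added example, not the article's own one-liner. It replaces the per-entry `grep $tag` with one `grep -F -w -f` pass, so that a dot in an IP is not a regex wildcard, a short tag does not match inside a longer one, and a blank line in the list does not match everything; the file names, field layout and IP values are made up for the demo.

```bash
#!/usr/bin/env bash
# Added example, not the article's own code: the "list of tags -> matching
# lines -> wanted fields" lookup as a reusable function. Sample data and file
# names are constructed for this demo.
set -u

# Print the requested FIELDS (cut syntax, e.g. 3,9) of every line in DATA_FILE
# that contains an entry of LIST_FILE, de-duplicated. Differences from a bare
# `for x in $(cat list); do grep $x data; done`:
#   -F  fixed strings: "10.0.0.1" is matched literally, "." is not a wildcard
#   -w  whole-word: "10.0.0.1" does not match inside "10.0.0.10", and tag
#       "A100" does not match inside "A1000"
#   -f  all patterns in one pass over the data instead of one grep per entry
# Blank lines are dropped from the pattern list first: with -f, an empty
# pattern matches every line of the data file.
lookup_fields() {
  local list_file=$1 data_file=$2 delim=$3 fields=$4 patterns
  patterns=$(mktemp)
  grep -v '^[[:space:]]*$' "$list_file" > "$patterns"
  grep -F -w -f "$patterns" "$data_file" \
    | cut -d"$delim" -f"$fields" \
    | sed 's/^ *//' \
    | sort -u
  rm -f "$patterns"
}

# Print the entries of LIST_FILE that matched no line of DATA_FILE, so a
# reconciliation request reports missing assets instead of silently skipping.
unmatched_entries() {
  local list_file=$1 data_file=$2 entry
  while IFS= read -r entry; do
    [ -z "$entry" ] && continue
    grep -F -w -q -- "$entry" "$data_file" || printf '%s\n' "$entry"
  done < "$list_file"
}

# --- constructed sample data in the article's log layout ---------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/assets.txt" <<'EOF'
10.0.0.1

10.0.0.3
10.0.0.99
EOF
cat > "$demo_dir/MasterPcList.csv" <<'EOF'
Date1, time1, mac1, 10.0.0.1, code, field3, field17, gibberish1, klingon1, cat1, furball
Date2, time2, mac2, 10.0.0.10, code, field3, field17, gibberish2, klingon2, cat2, furball
Date3, time3, mac3, 10.0.0.3, code, field3, field17, gibberish3, klingon3, cat3, furball
Date4, time4, mac3, 10.0.0.3, code, field3, field17, gibberish4, klingon3, cat4, furball
EOF

demo_matches()   { lookup_fields "$demo_dir/assets.txt" "$demo_dir/MasterPcList.csv" ',' 3,9; }
demo_unmatched() { unmatched_entries "$demo_dir/assets.txt" "$demo_dir/MasterPcList.csv"; }

# 10.0.0.1 must not pull in the 10.0.0.10 line, the blank entry must not pull
# in everything, the two 10.0.0.3 lines collapse to one, and 10.0.0.99 is
# reported as not found.
echo "matches (mac, name):"; demo_matches
echo "not found:";           demo_unmatched
```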

COPYING:

Perhaps you need to put a file on all pcs in a list; you are placing a patch, distributing something to all users desktops like an icon, or just placing a key/reference file for later.

To place a file in “All Users\Desktop” (XP), we’ll use the following script.

Place all computer names in copy.txt.
MS, with or without MinGW:

for /f %i in (copy.txt) do copy c:\scripts\Keyfile.txt "\\%i\C$\Documents and Settings\All Users\Desktop"

This can take a while, so if you are stuck using this method because you don’t have some sort of patch management software and you have a large number of machines, I recommend running 5-10 instances of this script simultaneously, with the list broken up into parts.

Linux:

Without Samba or something else handling the exchange of files, this doesn’t work.

COMMANDS:

I’m just going to give one example set here. You can tweak this to suit your needs pretty easily.

You can stop a service on the list of machines, and then restart it. What you do in the middle is up to you. If you have a lot of machines, this can also be broken up into multiple instances just like the copy script above.

for /f %i in (listofpcs.csv) do sc \\%i stop "Service name"
for /f %i in (listofpcs.csv) do sc \\%i start "Service name"


I’m happy to take suggestions for future articles. You can reach me either here or on LinkedIn:

A good reference on modifying the Batch FOR command is:

Who Are You Preaching to Anyway?
https://www.infosecisland.com/blogview/21325-Who-Are-You-Preaching-to-Anyway.html
Wed, 16 May 2012 00:03:00 -0400

I recently was privileged enough to be asked to present at a merchant forum in London. Interestingly, the intended recipients had been very much in the driving seat since they had selected the topics themselves.

After my previous posts (Part 1 and Part 2) on connecting the dots between information security, risk and fraud, you can imagine my pleasure that I, alongside my fellow speakers, was asked to do just that...

A delightfully interactive audience, some very interesting chats at the breaks and the recent buzz about the value of security conferences prompted me to share some thoughts on how actively to engage with your stakeholders and get the results you need...

Down memory lane...

Four years ago, when I started on this crusade, I inherited a very specific audience. The industry push on PCI DSS was starting to be felt and organisations decided they ought to know a bit more about it.

Enter the reluctant software developers, IT managers or network security engineers who’ve been told that they’d better get clued up and report back so the higher powers could decide the next course of action.

So what did they do first? What everyone does: Google and find the PCI SSC site, try to make sense of the documentation (Oh my gosh, it’s an American standard!), talk to people who are just as clueless, attend technical conferences and webinars, read white papers and get approached by vendors swearing they’ll make you compliant.

They soon came to the conclusion that it was something complicated to do with security their organisation had to comply with lest they suffer The Financial Penalties. So the message went back up the line: it’s very complicated and terribly technical (trust me, I’m a specialist...), needs a lot of investment (shiny new boxes!) and you have to do it otherwise the acquiring bank will strike you down...

This is 2008, and the audience I regularly address wants to hear about the 12 requirements, so I tell them. I also tell them about non-compliance and data breach fines and associated fraud losses. This is not popular and I encounter two types of organisations.

Those where the Finance Director thinks that they’ve done very well so far and that they really don’t believe anything could happen to them because they have brilliant IT teams (you know what, I’ll take that risk, because I don’t believe you, and I haven’t seen anyone suffer yet...).

The other type is where the IT Director is influential and sees this as a way of securing investments in shiny new tech under the sacred banner of “mandatory/regulatory” (often with no relation to PCI DSS).

At the same time, non-compliance fines started to rain on the acquiring community and this was being felt, with outrage, by merchants. A whole industry was born (well in the UK anyway, as it started a bit earlier than that in the US, but the principle is the same).

2008 RESULT:

PCI DSS is technical, standalone, very expensive and unpopular. Organisations don’t really understand why they have to do it, many projects fail and much money is spent. No connection has been made with other similar areas of the business (e.g. information security, data protection).

The perceived stakeholders are the techies. They attend security conferences because they need to understand more about what they think they need to do and see what tech is available to achieve it.

At the same time, the CSO and CISOs concentrate on controls and policies and are seen as “business preventers” (see earlier post). So the techies want to learn, that’s great, because we need them on board, so we all keep catering to this audience.

But in 2008, I also wished I could talk to the decision makers that were not involved in technology to try and show them that infosec could really benefit their business, but they were simply not interested (and data breaches hadn’t made it to mass media notoriety yet...)

Fast forward to 2011-2012...

Well, we all know 2008 turned out to be a big year for data breaches (in fact, as big as 2011 according to DataLossDB.org) and we all felt it one way or the other. This contributed to raising the awareness of cybercrime in the ensuing years, at all levels.

Unsurprisingly, the audience at the forum I mentioned in my introduction included Risk, Fraud, Finance as well as Security professionals. Uncannily, have you noticed that there has not been a new Mordac strip since 2010?


Mordac May 2008

I am a firm believer of popular culture as a good barometer of socio-economic concerns...

So what happened since 2008 that contributed to this change of attitude?

  • Data breaches, lots of them (public attention; Boards questioned their IT: “can it happen to us? Make sure it doesn’t”).
  • Fines and financial penalties, lots of them (FDs and Treasury suddenly paid a lot of attention, and for those that were breached, they paid even more attention).
  • Everybody talking seriously about Risk Management since 2010 (I don’t mean just infosec professionals, I mean everyone, and the current economic climate contributed to that).
  • More and more industry conferences dedicating slots to security related topics (Finally, I get invited to them!). Having said that, I had to organise a few of my own industry sector conferences to target this new audience, but it paid off in the end. The trick: 1) don’t talk tech to business people (don’t even try) and 2) explain how you can help in their own language (which is usually income or turnover related).

In the meantime, hard core security conferences continue to happen and continue to be successful, and long may it continue. We still need the techies to make sure we have the right tech to support the people and processes in our businesses. We also need the techies to try and keep ahead of the bad guys.

One thing I would suggest, however, is that, in the same way infosec/risk/fraud professionals want to talk at business conferences, security conference organisers should think about inviting business speakers so they can explain what’s important to them...

Going back to my introduction of this post, I was having a chat during the break at that forum, and a good friend said to me: “I have the buy-in of my Executive Committee, that’s not the problem. My problem is all those developers that are paid and measured to deliver business applications on specific deadlines, and they really don’t want to hear about security matters that might delay their projects...”.

Here we go, another income/turnover related problem... Let’s examine it.

How to contribute to business development...

Situation: my company wants to develop a new mobile application. The business case suggests that it will deliver x income over y years.

The first question to ask is: Have you (as an infosec/risk/fraud professional), been involved in the development of that business case?

If you have, good. You have hopefully incorporated all the (financial) metrics of security by design (rather than as an afterthought) and everyone understands the cost of bolting on or retrofitting security/fraud prevention compared to building it in (and let’s not forget the cost of remediation should anything go wrong, and important regulations, existing or coming during the lifetime of the product).

If you have not, here lies the problem. Why have you not been involved? Maybe you haven’t yet convinced the people that matter. Who was the accountable executive?

Whether this lies with Sales, Business Development or Marketing, your task is the same. Try to understand the objectives and the pain points they are trying to address and the pressures they are under.

You will always be able to come up with a mutually acceptable plan if all sides understand each other and no one wants to 1) be in the news for the wrong reasons 2) suffer fraud for lack of adequate controls 3) take unreasonable risks.

After all, the developers that are not listening to you are accountable to these people... Convince the top, the rest follows, unless the top didn’t really mean it... And yes, the Chief Marketing Officer may not want to talk to you, but have you shown him what some fraud monitoring tools can do for web session behavioural analysis or how he could use security as a USP for mobile apps?...

So who are you preaching to, really?...

Well, the techies need to continue attending those security conferences, because we need them totally aware of what’s out there. Security professionals need to continue looking at risk management and get closer to fraud professionals and vice versa.

Security conferences should invite business people and industry/verticals/segments event organisers should invite more and more security/risk/fraud people... Just mix it up and make it happen... We’re all part of the business.

Until next time...

Cross-posted from neirajones

Some Observations on Klout Scores
https://www.infosecisland.com/blogview/21334-Some-Observations-on-Klout-Scores.html
Wed, 16 May 2012 00:02:00 -0400

Metrology is defined by the International Bureau of Weights and Measures as “the science of measurement”.

Metrology covers length, time, weight and myriad other areas.  Physicality lends itself quite easily to measurement.

Non-physical items are an entirely different matter and often the subject of significant debate.  While it is relatively easy to define the speed of sound and the length of a second, measuring things like who was the greatest US President, NFL quarterback or concert pianist introduces significant levels of subjectivity.

Facebook and Twitter users are often barraged by those touting their Klout scores. Klout ties into metrology as a Klout score measures online influence on a scale of 1 to 100.

Klout states that the score measures influence based on the entity's ability to drive action in social networks.  They process this data on a daily basis and give an updated Klout Score each morning.

Some of the actions it uses to measure influence are:

  • Twitter: retweets and mentions
  • Facebook: comments, wall-posts, likes
  • LinkedIn: comments, likes
  • Foursquare: tips, to-do’s, done
  • Google+: comments, reshares, +1

Other networks Klout is working to measure are Facebook Pages, Youtube, Instagram, Tumblr, Blogger, Wordpress, Last.fm and Flickr.

Be it metrology or bibliometrics, measuring influence is an extremely difficult endeavor.  In the academic world, the Hirsch number is an index that attempts to measure both the productivity and impact of the published work of a scientist or scholar.  But there are myriad situations in which the Hirsch number, like every other index, can be manipulated and provide misleading information.

So is Klout an effective method of measuring online influence? From my analysis of Klout, no.

First, do no harm

Klout believes I am influential in surgery and trading; that’s news to me.  I am not sure of the correlation between surgery and trading, but these are two areas where I have no training or experience.  The fact that Klout thinks I am influential in surgery is reason for a second opinion.


Battle of the influencers

Check out the following two profiles and estimate what you think their influence scores should be:

Tim O'Reilly is the founder of O’Reilly Media. He created the firm which spreads the knowledge of innovators through its books, online services, magazines, research and conferences.  He has been a leader and catalyst of leading-edge development, homing in on the technology trends that really matter and galvanizing their adoption.  O’Reilly is a legend who has influenced millions and makes the world a better place through his books, conference, insights and more.

Funny One Liners is the persona of an entity that brings humor to Twitter and has posted over 12,500 humorous tweets, stating that it has the best of the old and the new humor compiled in one place.  Assuming that laughter is the best medicine, Funny One Liners is healing the world one funny tweet at a time.

If I had to score them as I saw them, I would give Tim O’Reilly a 90 and Funny One Liners a 20.

So how does Klout score them?  71 for Funny One Liners with O’Reilly close behind at 70.

Res ipsa loquitur - facts speak for themselves.  Irrespective of what Klout says, as witty as Funny One Liners is, it can’t come close to the true level of influence that O’Reilly brings to the industry.


Me vs. the SANS Institute

The SANS Institute is the source for anyone who is serious about information security.  Every SANS instructor is unrivaled, from Hal Pomeranz and Lenny Zeltser to Ed Skoudis and the other scarily smart instructors.

Yet with all that, even if you throw Jess Garcia, Dr. Eric Cole and Stephen Northcutt into the mix, along with the SANS InfoSec Reading Room and its thousands of free articles, I still come out as more influential than SANS, even though their instructors collectively have over 1,500 years of industry experience.  That alone should clearly demonstrate that something about Klout’s notion of influence is lacking.


Metrology hubris

While it is absurd to think that O’Reilly and Funny One Liners have the same influence, or that SANS and I do, Klout measures itself at a lofty 89.

Like the parent who thinks their child is the most precious and really believes the talent agent who says their little boy will be the next Justin Bieber (Klout score of 100), Klout needs a large dose of reality.


Measurement is hard

I ran a number of comparisons on truly influential entities and came out with similar results.  I suggest you do the same and see what your results are. 

Measuring influence is not a trivial matter; in fact, it is extremely difficult.  A single Consumer Reports like is worth infinitely more than a million Kim Kardashian likes.  Yet Kardashian’s Klout score of 91 towers over Consumer Reports’ 58.


If nothing else, the fact that Klout considers Kardashian to be an influence in religion and spirituality is somewhat heretical.

The challenge of measuring influence on a social media scale is colossal, given the hundreds of different data points involved.

Klout has its work cut out for it, and it seems they need to stay in beta a while longer.  Klout can and should be applauded for trying to measure this monstrosity called social influence, but its results should, in truth, carry very little influence.

Ben Rothke, CISSP is an information security professional and the author of Computer Security: 20 Things Every Employee Should Know.

Copyright 2010 Respective Author at Infosec Island
Where Will the Buck Stop in Cloud Security?
https://www.infosecisland.com/blogview/21324-Where-Will-the-Buck-Stop-in-Cloud-Security.html
Wed, 16 May 2012 00:01:00 -0400

My mouth would water over business proposals that came across my desk showing lots of cost-savings analysis for outsourcing certain functions to a cloud solution.

The old saying “You get what you pay for” may or may not be in effect, but I surely don’t know what is in effect when signing off your business functions to a third party.

Historically, firms used outsourcing in many different ways, but most of the work would be performed on-site or by software used in-house with collaboration and corrections driven by the business.

I have stated that I haven’t been involved in closing a contract to allow business functions sourced from the Internet. I have been hopeful to find a great service provider, but I think I see the direction of this road.

Exposure. Risk and threats are the terms that get the most consideration in security minds, but exposure is a little brother who also needs to be heard.

Many independent CPAs do work for their clients that involves information which is sensitive or not publicly available.

A move to store their tax data in the cloud comes from a desire to have it stored off-site reliably. That sounds like a sound IT move.

If the sensitive data becomes public, the CPA's clients will first take it up with the accountant.

The accountant will go to the provider, and the provider will refer to the contract that may remove any accountability towards their requirements for compliance.

What can the clients and/or companies do?  I see that they are going to have to get cyber insurance, much like the insurance homeowners carry for other events outside their control.

I surely don’t want to see the main outcome of security and data breaches become lengthy litigation between all involved when the victims are at the bottom of the pile.

If security boils down to who has the best legal team, security will be driven by least exposure to litigation rather than by cyber threats. That does not sit well with me as a valid driver for improving security posture.

How Does Your Bank Protect Your Data?
https://www.infosecisland.com/blogview/21169-How-Does-Your-Bank-Protect-Your-Data.html
Tue, 15 May 2012 15:24:33 -0400

Consumers tend to be oblivious to the various layers of security that financial institutions use to protect bank accounts.

But having a better understanding of what occurs behind the scenes can help consumers adapt to influential new technologies.

The Federal Financial Institutions Examination Council responds to innovations and increases in cybercrime with updated security guidelines for banks and financial institutions.

In January of 2012, new rules went into effect requiring banks to protect their consumers with increased security. One of the FFIEC’s key recommendations for eliminating fraud is consumer awareness and education.

Financial institutions have established a layered security approach that includes multi-factor authentication, which may involve requiring users to enter a second security code or carry a key fob, as well as doing due diligence when it comes to identifying customers as real people whose identities haven’t been stolen.

This defense-in-depth approach is all about assessing risk throughout multiple points on an organization’s website.

These layers of security include:

Device identification: Complex device identification fingerprints the user’s PC, mobile device, or tablet. The next evolution of this layer is device reputation management, incorporating geolocation, velocity, anomalies, proxy busting, browser language, associations, fraud histories, and time zone differences.

Out-of-wallet questions: “What’s your mother’s maiden name?” “What’s your Social Security Number?” “What are your kids’ names?” or “When were you born?” are examples of typical challenge questions, as opposed to out-of-wallet questions, which are generally opinion-based, such as, “What is your favorite vacation spot?” “What is your favorite flavor of ice cream?” or “What is your favorite book?”

Malware prevention & detection: Many banks offer antivirus, anti-spyware, and anti-phishing tools from well-known security vendors as full suites of total protection products.
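The device-identification layer above combines several signals (device fingerprint, geolocation "velocity", time zone differences) into a decision about a login. The following is an added example written for this article, not any bank's logic and not taken from the FFIEC guidance: a small risk scorer that flags an unrecognised device, a browser time zone that disagrees with the IP's location, and impossible travel since the previous login, then maps the score to allow / challenge / block. The `Login` record, the coordinates, the thresholds and the function names are all constructed assumptions.

```python
"""Per-login risk scoring that combines device-identification and
geolocation "velocity" / time-zone signals.
Added example: the events, coordinates, thresholds and names below are
constructed assumptions, not any bank's logic or FFIEC guidance."""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Login:
    account: str
    ts: datetime            # login time, UTC
    device_id: str          # device fingerprint reported by the client
    lat: float              # geolocation of the client IP (constructed values)
    lon: float
    browser_tz_offset: int  # minutes east of UTC reported by the browser
    geo_tz_offset: int      # minutes east of UTC expected at the IP's location


MAX_PLAUSIBLE_KMH = 900.0  # assumption: faster than this is "impossible travel"
CHALLENGE_THRESHOLD = 30   # assumption: ask for a second factor from here up
BLOCK_THRESHOLD = 80       # assumption: refuse the login from here up


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def score_login(current: Login, history: list[Login]) -> tuple[int, list[str]]:
    """Return (risk score 0-100, reasons) for `current`, given the account's earlier logins."""
    score, reasons = 0, []
    if current.device_id not in {h.device_id for h in history}:
        score += 30
        reasons.append("unrecognised device")
    if current.browser_tz_offset != current.geo_tz_offset:
        score += 20
        reasons.append("browser time zone does not match IP location")
    if history:
        prev = max(history, key=lambda h: h.ts)
        hours = (current.ts - prev.ts).total_seconds() / 3600.0
        dist_km = haversine_km(prev.lat, prev.lon, current.lat, current.lon)
        # Two logins from different places at the same instant are also impossible.
        speed = dist_km / hours if hours > 0 else (math.inf if dist_km > 0 else 0.0)
        if speed > MAX_PLAUSIBLE_KMH:
            score += 50
            reasons.append(f"impossible travel: {dist_km:.0f} km in {hours:.1f} h")
    return min(score, 100), reasons


def decide(score: int) -> str:
    """Map a risk score to the action the layered approach would take."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= CHALLENGE_THRESHOLD:
        return "challenge"  # second code, key fob or out-of-wallet question
    return "allow"


def sample_history() -> list[Login]:
    """Constructed history: one prior login from New York on a known device."""
    return [Login("acct-1", datetime(2012, 5, 15, 8, 0, tzinfo=timezone.utc),
                  "dev-A", 40.71, -74.01, -240, -240)]


def demo() -> dict[str, str]:
    """Score three constructed login attempts against the sample history."""
    hist = sample_history()
    attempts = {
        "same device, same city": Login(
            "acct-1", datetime(2012, 5, 15, 9, 0, tzinfo=timezone.utc),
            "dev-A", 40.71, -74.01, -240, -240),
        "new device, same city": Login(
            "acct-1", datetime(2012, 5, 15, 9, 0, tzinfo=timezone.utc),
            "dev-C", 40.71, -74.01, -240, -240),
        "new device from London two hours later": Login(
            "acct-1", datetime(2012, 5, 15, 10, 0, tzinfo=timezone.utc),
            "dev-B", 51.51, -0.13, -240, 60),
    }
    return {name: decide(score_login(a, hist)[0]) for name, a in attempts.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

The London attempt trips all three checks (new device, mismatched time zone, roughly 5,500 km in two hours) and is blocked, whereas a new device from the usual city only earns a step-up challenge; the weights and thresholds are illustrative and would be tuned against real fraud history in practice.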

You can take comfort in knowing that your bank has systems in place to protect your investments. But you should also bear in mind that your own PC or mobile device might be the weakest link in the process, so be sure to keep your device secure.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures.

IC3: 2011 Internet Crime Report
https://www.infosecisland.com/blogview/21329-IC3-2011-Internet-Crime-Report.html
Tue, 15 May 2012 14:46:58 -0400

(Translated from the original Italian)

In this article I will discuss the data provided in the 2011 IC3 Internet Crime Report from the Internet Crime Complaint Center (IC3) which examines cybercrime in the US.

On May 8, 2000, the Internet Fraud Complaint Center was born from a partnership between NW3C, BJA and the FBI for the purpose of addressing online fraud. Three years later, the center changed its name to the Internet Crime Complaint Center (IC3) and its mission became the fight against cyber crime of all types.

The Internet Crime Complaint Center serves as an institution to gather, develop and refer criminal complaints regarding the rapidly expanding field of cyber crime, and it provides victims with a convenient and easy-to-use reporting mechanism to alert authorities to suspected criminal or civil violations.

The report shows an increase in Internet crime compared with previous years.

Let's take a look at the overall statistics for 2011:

  • Total complaints received: 314,246
  • Complaints reporting loss: 115,903
  • Total Loss: $485,253,871*
  • Median dollar loss for those reporting a loss: $636
  • Average dollar loss overall: $1,544
  • Average dollar loss for those reporting loss: $4,187

An interesting observation is that, of all the complaints, only 36.9 percent reported a financial loss. This figure can be interpreted in different ways: as evidence of the efficiency of preventative actions, or as a sign that some complaints are only tentatively related to a crime. Analyzing all the complaints reported is helpful in identifying trends and building statistical reports on the crimes.

Each complaint submitted to the IC3 follows a specific lifecycle that makes it possible for analysis and comparison with similar events for crime prevention in the future.

The functions of IC3 are crucial in the fight against cyber crime: the analysis of complaints, the collection of relevant case information and the provision of public service announcements.

The results of the activities are shared with state, local, tribal, federal and international law enforcement personnel via email and through the www.ic3.gov website.


To identify links and commonalities between complaints, IC3 analysts use an automated matching system that aggregates them into groups for law enforcement. In 2011 the 314,246 complaints received were grouped into 47,592 categories used for analytical review.

Which were the most reported offenses last year?

The top five crime types are:

  1. FBI-related Scams - Scams in which a criminal poses as the FBI to defraud victims.
  2. Identity Theft - Unauthorized use of a victim’s personal identifying information to commit fraud or other crimes.
  3. Advance Fee Fraud - Criminals convince victims to pay a fee to receive something of value, but do not deliver anything of value to the victim.
  4. Non-Auction/Non-Delivery of Merchandise - Purchaser does not receive items purchased.
  5. Overpayment Fraud - An incident in which the complainant receives an invalid monetary instrument with instructions to deposit it in a bank account and send excess funds or a percentage of the deposited money back to the sender.


Of course, IC3's primary activity is prevention: an alert system based on the analysis of complaints that rapidly identifies any kind of Internet crime and issues a prompt alert.

From this perspective it is easy to understand how crucial the gathering of complaints by the IC3 is; from them it prepares public service announcements (PSAs) on the latest cyber trends to keep users and industry up to date on Internet fraud.

IC3 distributes these PSAs through media outlets, corporate partners and its web site www.ic3.gov.

In conclusion, I find IC3's services to be really important, an indispensable action to reduce and prevent the increase in cyber crime. What is really interesting is the shortcut these services create between law enforcement and victims, allowing for a prompt response.

The time factor is essential in the fight against internet crime, and the services provided by the Center allow for an informed internet community in real time.

IC3 represents a perfect example of how technological services could help in the prevention and analysis of criminal activities, and highlights that the real weapon against Internet crime is awareness and information sharing.

Cross-posted from Security Affairs

Security BSides Detroit Announces its June Schedule
https://www.infosecisland.com/blogview/21323-Security-BSides-Detroit-Announces-its-June-Schedule.html
Tue, 15 May 2012 14:23:00 -0400

Security BSides, a highly successful community-driven event built for and by information security community members, announces the 2012 event details for Detroit.

On June 1-2, 2012, Detroit will host the second annual conference at the GM Renaissance Center.  

The BSides conference is billed as an un-conference where practitioners go for a clear, unfiltered view of the industry. The conference features two tracks and thirty-two talks by local and national experts on a variety of technical and non-technical subjects.

In addition, three keynote speakers have been announced:

  • Changing an Industry by Dave Kennedy is the penetration testing keynote. Kennedy is the author of several books such as Penetration Testers Guide.
  • House of Cards by Rafal Los is the security business keynote. Los is the Chief Evangelist of Cloud Security from HP.
  • Top Ten Web Defenses by Jim Manico is the application security keynote. Manico is the VP at WhiteHat Security and a committee chair for the Open Web Application Security Project (OWASP).

Along with compelling track sessions, the event features four workshops:

  • SecBiz Workshop - Bridging the Security/Business Gap offered by Rafal Los.
  • Forensics Challenge offered by Larry McDonald.
  • Introduction to MetaSploit offered by Georgia Weidman.
  • Pentest Basics with Armitage by John Moore.

Security BSides has always welcomed security practitioners and researchers. However, the technology that enables our use of information is becoming increasingly ubiquitous.

Our approach to work, to social interactions – even to solitude – is touched by mobile and static devices whose workings are targeted by cyber miscreants. In response, BSides Detroit is reaching out to everyone who relies on the deep knowledge and experience of this community.  

This conference is offered to all participants free of charge. Ticket information and the complete schedule are available at: http://bit.ly/BSidesDetroit.

For questions and additional details, please contact the BSides Detroit organizers at bsidesdetroit@gmail.com. 

Strategic Web Compromises and Cyber Espionage Operations
https://www.infosecisland.com/blogview/21331-Strategic-Web-Compromises-and-Cyber-Espionage-Operations.html
Tue, 15 May 2012 13:44:43 -0400

Shadow Server's Steven Adair and Ned Moran have an interesting and detailed write-up on the expanded use of "strategic web compromises" that target specific populations of Internet users for intelligence gathering purposes.

The authors note that while cyber criminals make good use of common website vulnerabilities like cross-site scripting and SQL injection to infect as many users as possible with malicious code, usually for some monetary gain, strategic web compromises are intended for cyber espionage and data collection.

"The goal is not large-scale malware distribution through mass compromises. Instead the attackers place their exploit code on websites that cater towards a particular set of visitors that they might be interested in. In the past few years we have witnessed several strategic web compromises of organizations in a variety of fields with a recurring focus on those involved with freedom of speech, human rights, defense, foreign policy and foreign relations. In these cases, normally trusted websites have been compromised to serve up malicious code designed to give backdoor access into the systems of unsuspecting visitors," Adair and Moran explain.

Key to such operations, the authors state, is the use of exploits for unpatched vulnerabilities that may as yet be unknown, which leaves visitors to the infected websites exposed.

"In general a well patched system will be immune from many of the attacks, but in several cases previously unknown 0-day exploits (no available patch) have found their way onto these sites — in short the average visitor may not have much of a chance to defend themselves."

The authors point out that some of the cyber espionage operations detected recently have been using more widespread exploits that have compromised larger populations, such as the OS X FlashBack Trojan, because those exploits give these more narrowly targeted attacks an opportunity for success.

"Macs have been hit fairly hard in recent months, most notably with crimeware via a variant of malware dubbed FlashBack. However, advanced threat malware targeting Human Rights organizations and those in the foreign policy space have also been observed utilizing this exploit to target both OS in more limited attacks."

The authors also note the use of a recently discovered Adobe Flash exploit targeting Windows systems to infect websites including the "Center for Defense Information, Amnesty International in Hong Kong, and the Cambodian Ministry of Foreign Affairs."

"In the last few weeks there has been a notable increase in strategic web compromises used to serve the most recent Flash exploit (targeting Windows users). At the time of this writing, several high profile websites are still compromised and serving the most recent Flash exploit. If successful the exploit will drop malware from attackers typically labeled as the advanced persistent threat...”

They caution readers not to visit those websites because the malicious iFrames are still active. Their analysis also lists active exploits being served on the following websites:

  • International Institute for Counter-Terrorism (ICT)
  • American Research Center in Egypt (ARCE)
  • Institute for National Security Studies (INSS)
  • The Centre for European Policy Studies (CEPS)

"Cyber Espionage attacks are not a fabricated issue and are not going away any time soon. These attackers are not spreading malware through strategically compromised websites to make friends. They are aiming to expand their access and steal data. Communications (primarily e-mail), research and development (R&D), intellectual property (IP), and business intelligence (contracts, negotiations, etc) are frequently targeted and stolen. Take the cyber espionage threat seriously..." the authors conclude.

Source:  http://blog.shadowserver.org/2012/05/15/cyber-espionage-strategic-web-compromises-trusted-websites-serving-dangerous-results/

Software Security: A Chief Financial Officer’s Perspective
https://www.infosecisland.com/blogview/21208-Software-Security-A-Chief-Financial-Officers-Perspective.html
Tue, 15 May 2012 12:35:22 -0400

Article by Jasmine Noel

I was having a chat with our CFO by the Keurig machine and he said something I thought was interesting – that one of the things the CFOs of public companies worry about the most is surprises.

Surprise, you woke up today and found that 10% of the value of your company is gone because confidential customer information was made public.

Surprise, the FTC is knocking on your door asking for a forensic security audit. Surprise, your largest investors are calling about the scope of the breach and what it will cost the company.

Surprises like those drive the financial arm of public companies to perform unnatural acts to recover the value of the company. Avoiding those unnatural acts makes risk management a top of mind issue for most CFOs in public companies.

That conversation got me thinking about how a CFO might look at Veracode’s State of Software Security (SOSS) reports – especially the latest supplement that focuses on public companies.

It seems to me that SOSS gives CFOs some raw data to start understanding the bets the company is making with their application development and application sourcing processes.

For example, 84% of web applications from public companies were found to be vulnerable to web application vulnerabilities listed in the OWASP Top 10. While our report looks at the prevalence of a wide variety of flaws, this statistic is telling because it focuses on the most easily and frequently exploited web application vulnerabilities – the ones that have flashing neon signs saying “WELCOME HACKERS, ENTER HERE.”

This statistic is saying that if a typical web application is deployed without going through some sort of security quality checks and mitigation, then there is a higher probability of surprises for a CFO.

Our analysis further showed that public company revenue has no bearing on application security performance against industry standards, proving that improvements are needed across companies of all sizes. What this means is that public companies of all sizes are making bets that there will be no CFO surprises once the applications are live.

Given what we’re seeing in the public company SOSS data, those bets are long-shots that would give any CFO ulcers. So one of the things we’re working on with our business consulting partners is A Financial Model for Application Security Debt which we hope will eventually help CFOs get a better handle on modeling the monetary risks of their software vulnerabilities.

Cross-posted from Veracode

Researchers Developing Self-Defending Networks
https://www.infosecisland.com/blogview/21330-Researchers-Developing-Self-Defending-Networks.html
Tue, 15 May 2012 12:25:50 -0400

Kansas State University cybersecurity professors Scott DeLoach and Xinming "Simon" Ou are conducting groundbreaking research into the development of computer networks that could defend themselves against attacks.

The researchers are looking into designs in which the networks, after detecting an intrusion attempt, could autonomously respond by altering aspects of the system's configurations.

DeLoach and Ou have been awarded over one million dollars in grants from the Air Force to conduct the five-year study into the development of an adaptive "moving-target defense" system to protect critical networks from attacks.

"As the study progresses the computer scientists will develop a set of analytical models to determine the effectiveness of a moving-target defense system. They will also create a proof-of-concept system as a way to experiment with the idea in a concrete setting," a Kansas State University press release states.

The research is aimed at determining if the development of adaptive defense systems is not only feasible, but also cost-effective from a resource allocation perspective.

"It's important to investigate any scientific evidence that shows that this approach does work so it can be fully researched and developed," DeLoach said.

The concept of a "moving-target defense" was first proposed over a decade ago, and other researchers have toyed with the idea, but this is the first instance where a sizeable level of funding has been committed to investigating the notion.

"The idea behind moving-target defense in the context of computer networks is to create a computer network that is no longer static in its configuration. Instead, as a way to thwart cyber attackers, the network automatically and periodically randomizes its configuration through various methods -- such as changing the addresses of software applications on the network; switching between instances of the applications; and changing the location of critical system data," the release explained.

To an attacker, an adaptive defense response would thwart an intrusion attempt by randomly changing network settings, but key to the concept is the ability of the network to simultaneously operate normally for an authenticated user.

"If you have a Web server, pretty much anybody in the world can figure out where you are and what software you're running. If they know that, they can figure out what vulnerabilities you have. In a typical scenario, attackers scan your system and find out everything they can about your server configuration and what security holes it has. Then they select the best time for them to attack and exploit those security holes in order to do the most damage. This could change that," DeLoach said.

The researchers believe the development of such a defense mechanism would turn the tables to a significant degree on attackers who currently have the upper hand by needing only to identify one exploitable vulnerability to wreak havoc on a system.

"This is a game-changing idea in cybersecurity. People feel that we are currently losing against online attackers. In order to fundamentally change the cybersecurity landscape and reduce that high risk we need some big, fundamental changes to the way computers and networks are constructed and organized," Ou said.

Source:  http://www.k-state.edu/media/newsreleases/may12/movingtarget51012.html

The Patchwork Cloud: Portability of Security in Cloud Computing
https://www.infosecisland.com/blogview/21076-The-Patchwork-Cloud-Portability-of-Security-in-Cloud-Computing.html
Tue, 15 May 2012 08:10:00 -0400

In a previous post on this topic, I talked about how, when you're thinking cloud, you really need to think about a model-driven approach.  This post is a continuation of that thinking and discusses portability as a key requirement for cloud adoption and, of course, security.

We understand cloud computing is being presented as a fantastic way to utilize technology and virtualization in new and innovative ways, but to do that you must have some of these key ideas - one of which is portability.  

When you're thinking about deploying applications in cloud-based environments, you have to have the ability to abstract out the implementation details from the meta-data about that implementation - this is called a model-driven approach.  That model-driven approach creates the ability to be portable across not only various environments but also cloud providers as well.

Today's agile businesses, which view cloud computing as an opportunity to gain agility and competitive advantage, are thinking about how to keep cloud from becoming a single point of failure, as it has been for many.  Think of how many organizations put their faith in single-cloud solutions in the past, Amazon for example, and lost not only valuable time but in some cases entire components of their business.

This exposed many of the failures of single-sourced solutions on single-sourced platforms.  Many of today's agile and risk-averse businesses are multi-sourcing their cloud computing environments, meaning that they may not only have multiple vendors, but also multiple private and public cloud environments they use for dev-test and production of their critical applications.  How does portability play into this?  The answer to that is a question: "How does the security of a compute environment move across implementations?"

Achieving high portability requires a few things.  First you need to standardize on well-adopted technology and open standards.  This includes security standards and cloud standards and cloud technologies.  HP has chosen to standardize on OpenStack, which means greater portability of the workloads and even security policies from one environment and cloud to another.  

Other vendors are doing this too... customers fear vendor lock-in and are thus looking for cloud vendors/partners who provide openness and thereby portability across their various platforms.

What are we talking about here, when it comes to portability?  First is the acknowledgement that security isn't about the perimeter (exclusively) anymore and hasn't been for quite some time.  The move to cloud computing environments hastens this awareness.  When an application is built and packaged up it can be done at the individual application level, or at the deployment level.  

Think about it this way: you can either bundle up the virtual workload (virtual machines) complete with security policies, application deployment, etc., or you can do this at the application level as well.  Either way, we're forced to acknowledge that the perimeter has vanished and firewalls around the outside of the castle simply don't cut it anymore.

Being able to claim portability is a difficult thing.  The only way you can achieve high levels of portability is when environments you're deploying to, or building for, are consistent.  As an example, OpenStack provides an API with rate limiting and authentication.  

Having the ability to rate-limit and authenticate API calls against the environment is critical, not just because you need to know who's making requests of resources, but because it is really good to be able to keep one customer from impacting several others and thereby creating a service degradation condition.  I talked about this at last week's HP TechDay in Sydney.
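To make the authentication and rate-limiting point concrete, here is an added example written for this post; it is not OpenStack code and not the author's own. A small gateway first authenticates each API key (comparing only hashes, in constant time) and then draws from a token bucket that belongs to that tenant alone, so one tenant's burst is throttled without touching another tenant's quota. The tenant names, keys, bucket sizes and every class and function name are constructed assumptions.

```python
"""Authenticated, per-tenant API rate limiting of the kind the post attributes
to OpenStack. Added example: tenants, keys, bucket sizes and all names below
are constructed assumptions, not OpenStack code."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def _digest(api_key: str) -> str:
    """Store and compare only a hash of the key, never the key itself."""
    return hashlib.sha256(api_key.encode()).hexdigest()


# Constructed credential store: hashed API key -> tenant name.
API_KEYS: Dict[str, str] = {
    _digest("key-acme-0001"): "acme",
    _digest("key-globex-0002"): "globex",
}


class TokenBucket:
    """Allows `capacity` requests in a burst, then `refill_per_s` per second."""

    def __init__(self, capacity: float, refill_per_s: float, now: float) -> None:
        self.capacity = capacity
        self.refill_per_s = refill_per_s
        self.tokens = capacity
        self.last = now

    def try_consume(self, now: float) -> bool:
        """Refill for the elapsed time, then take one token if available."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_s)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiGateway:
    """Authenticate first, then rate-limit per tenant so one tenant's burst
    cannot consume another tenant's quota."""

    def __init__(self, capacity: float = 5, refill_per_s: float = 1.0) -> None:
        self.capacity = capacity
        self.refill_per_s = refill_per_s
        self.buckets: Dict[str, TokenBucket] = {}

    def authenticate(self, api_key: str) -> Optional[str]:
        presented = _digest(api_key)
        for stored, tenant in API_KEYS.items():
            # Constant-time comparison of the digests.
            if hmac.compare_digest(stored, presented):
                return tenant
        return None

    def handle(self, api_key: str, now: float) -> Tuple[int, str]:
        """Return an HTTP-style (status, message) for one request at time `now` (seconds)."""
        tenant = self.authenticate(api_key)
        if tenant is None:
            # Unauthenticated callers never get a bucket, so bad keys cannot grow the table.
            return 401, "unauthenticated"
        bucket = self.buckets.get(tenant)
        if bucket is None:
            bucket = self.buckets[tenant] = TokenBucket(self.capacity, self.refill_per_s, now)
        if not bucket.try_consume(now):
            return 429, f"rate limit exceeded for tenant {tenant}"
        return 200, f"ok for tenant {tenant}"


def demo() -> Dict[str, int]:
    """Constructed traffic: acme floods 20 requests at t=0 while globex sends one."""
    gw = ApiGateway(capacity=5, refill_per_s=1.0)
    acme = [gw.handle("key-acme-0001", 0.0)[0] for _ in range(20)]
    globex = gw.handle("key-globex-0002", 0.0)[0]
    bad_key = gw.handle("not-a-real-key", 0.0)[0]
    acme_later = gw.handle("key-acme-0001", 3.0)[0]  # three seconds later: three tokens refilled
    return {
        "acme_accepted": acme.count(200),
        "acme_throttled": acme.count(429),
        "globex_status": globex,
        "bad_key_status": bad_key,
        "acme_after_refill": acme_later,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the constructed run acme gets its five-request burst and is then throttled with 429s, globex's single request still succeeds because it has its own bucket, an unknown key is rejected with 401 before any bucket is touched, and acme is served again once the bucket has refilled. Throttling unauthenticated floods by source address would be a separate control in front of this one.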

OpenStack goes a long way to create a good security environment - but in order to take advantage of it we require a consistent implementation of OpenStack.  Therein lies the next issue - making sure your providers are consistent in their implementation of even an open platform like OpenStack.

Portability is important not just across your various cloud providers but also internally as most organizations start to build internal private clouds and external consumption of public clouds rises as well.  Being able to run an internal build-test environment on your private cloud and then have a package you can push to the public cloud when that's ready is critical to the speed of deployment and resiliency.

It's also critical when adopting a rapid-release development mentality like DevOps or similar approaches.  The ability to spread a single packaged workload or application across multiple cloud providers is critical as well... in case you need that level of resiliency and failure recovery capability.

I'm going to put together a post on exactly what portability means in technical implementation in the near future, so watch this blog for more information!

Cross-posted from Following the White Rabbit
