An amusing image from Adam Shostack's blog to help you understand when to use pie charts, i.e. never. The yellow = the pie not eaten, the silver = the pie that's been eaten.
Brian Krebs wrote another article about the rising number of E-Banking funds transfer fraud incidents where the Zeus trojan/botnet is used to compromise end point systems. The man-in-the-browser (MITB) exploit is a version of the classic man-in-the-middle (MITM) attack where the user's bank credentials are stolen without the user realizing it. In fact, the Zeus trojan goes on "to control what the user sees on his or her browser."
One is left to ask, is there is no "inline" defense against the Zeus trojan? In other words, is there no end point anti-malware product that can successfully defend against morphing trojans/botnets like Zeus?
It appears that the best choices at present are:
Alternatively from a bank process perspective, why not require a 48 hour waiting period between the time a new payee is created and the time a payment can be made to that new payee?
In addition, the bank could add another step to the "add a payee process" where the bank sends an email or even hard copy notification of the new payee to the user (payer) and the user has to call from a known home phone number to verify the new payee.
Clearly these steps would add a level of inconvenience to online banking, but that has to be weighed against the costs of reimbursing consumer and corporate customer losses. If the lawsuits in progress are adjudicated in favor of the corporations suing their banks, we may very well see these or other changes.
The Register reports:
The latest version of the Zeus do-it-yourself crimeware kit goes to great lengths to thwart would-be pirates by introducing a hardware-based product activation scheme similar to what's found in Microsoft Windows.
The newest version with bare-bones capabilities starts at $4,000 and additional features can fetch as much as $10,000. The new feature is designed to prevent what Microsoft refers to as "casual copying" by ensuring that only one computer can run a licensed version of the program. After it is installed, users must obtain a key that's good for just that one machine.
To state the obvious, if anyone needed a reminder, the crimeware software industry is big business and maturing.
In addition The Register reported:
The latest version of Zeus is 1.3.3.7, SecureWorks researcher Kevin Stevens told El Reg. But the authors are already busy working on version 1.4, which is being beta tested. It offers polymorphic encryption that allows the trojan to re-encrypt itself each time it infects a victim, giving each one a unique digital fingerprint. As a result, anti-virus programs, which already struggle mightily to recognize Zeus infections, have an even harder time detecting the menace.
No information was provided as to where you could submit your feature requests.
SC Magazine reports:
LifeLock will pay $11 million to the Federal Trade Commission (FTC) and $1 million to a group of 35 state attorneys general to settle charges that the Tempe, Ariz.-based company made false claims about its identity theft products.
The FTC contended that LifeLock's claims were "deceptive" because the fraud alerts it places on customers' credit files can only protect against certain types of identity theft, such as new account fraud, which occurs when an ID thief opens up new financial accounts by using the victim's name and Social Security number.
In addition, ironically:
LifeLock, which bills itself as "#1 in identity theft protection," has gained national notoriety with commercials that show Davis' Social Security number on the side of a truck, while Davis tells the audience that he is confident his company's services will protect him – and potential customers – from having their identity stolen. But Davis reportedly has been a victim of ID theft.
As I have said before, Identity Theft is a real problem. To protect yourself, start by reviewing the offerings of the three credit agencies Equifax, Experian, and TransUnion.
CSOonline published an article entitled, "What Are the Most Overrated Security Technologies?" At the head of the list are, no surprise, Anti-Virus and Firewalls.
Anti-Virus - signature based anti-virus products simply cannot keep up with the speed and creativity of the attackers. What's needed is better behavior anomaly based approaches to complement traditional anti-virus products.
Firewalls - The article talks about the disappearing perimeter, but that is less than half the story. The bigger issue is that traditional firewalls, using stateful inspection technology introduced by Check Point over 15 years ago, simply cannot control the hundreds and hundreds of "Web 2.0" applications. I've written about or referenced "Next Generation Firewalls" here, here, here, here, and here.
IAM and multi-factor authentication - Perhaps IAM and multi-factor authentication belong on the list. But the rationale in the article was vague. The biggest issue I see with access management is deciding on groups and managing access rights. I've seen companies with over 2,000 groups - clearly an administrative and operational nightmare I see access management merging with network security as network security products become more application, content, and user aware. Then you can start by watching what people actually do in practice rather than theorize about how groups should be organized.
NAC - The article talks about the high deployment and ongoing administrative and operational costs outweighing the benefits. Another important issue is that NAC does not address the current high risk threats. The theory in 2006, somewhat but not overly simplified, was that if we checked the end point device to make sure its anti-virus signatures and patches were up-to-date before letting it on the network, we would reduce worms from spreading.
At present in practice, (a) worms are not major security risk, (b) while patches are important, up-to-date anti-virus signatures does not significantly reduce risk, and (c) an end point can just as easily be compromised when it's already on the network.
A combination of (yes again) Next Generation Firewalls for large locations and data centers, and cloud-based Secure Web Gateways for remote offices and traveling laptop users will provide much more effective risk reduction.
The Verizon Business Security Incident Response team, whose yearly published Data Breach Investigations Reports I've written about here, has has extended its thought leadership in security incident metrics with the release of its Incident Sharing Framework. Their purpose is to enable those responsible for incident response to "create data sets that can be used and compared because of their commonality. Together, we can work to eliminate both equivocality (sic) and uncertainty, and help defend the organizations we serve." The document can be found here.
Of course Verizon Business is a for-profit organization and the license terms are as follows:
Verizon grants you a limited, revocable, personal and nontransferable license to use the Verizon Incident Sharing Framework for purposes of collecting, organizing and reporting security incident information for non-‐commercial purposes.
Nevertheless, I do hope that this or an alternative incident sharing framework becomes an industry standard which enables the publishing and sharing of a larger number incidents from which we can all learn and improve our security policies and processes.
CNet News reported yesterday afternoon that:
The U.S. Federal Trade Commission has notified nearly 100 organizations that data from their networks has been found on peer-to-peer file-sharing networks, the agency said on Monday.
The FTC notices went to private and public entities, including schools and local government agencies and organizations with as few as eight employees to as many as tens of thousands, the FTC said in a statement. The sensitive information about customers and employees that was leaked could be used to commit identity fraud, conduct corporate espionage, and for other crimes.
Unfortunately file sharing based on peer-to-peer technology is only a part of the problem. Some firewalls and most intrusion prevention systems (IPSs) can block peer-to-peer file sharing. However, the problem is actually much worse - the growth of browser-based file sharing applications designed to bypass most firewalls and IPSs.
Palo Alto Networks, a next-generation (as defined by Gartner) firewall vendor, recognizes and can control or block 88 different file sharing sharing applications. Of these, 40 use peer-to-peer technology, 39 are browser-based, and 9 are client-server. Therefore if your network security infrastructure can control or block peer-to-peer file sharing, you are solving less than half the problem.
For more information about the hundreds of applications that ought to be controlled or blocked, go to Palo Alto Network's Applipedia.
An amusing image from Adam Shostack's blog to help you understand when to use pie charts, i.e. never. The yellow = the pie not eaten, the silver = the pie that's been eaten.
Mitre, via its Common Weakness Enumeration effort, in conjunction with SANS, just published the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors. Heading the list are:
For each weakness this report provides a Description, Prevention and Mitigation techniques, and links to more reference material. This is well worth reading.
While the term, Advanced Persistent Threat (APT) is not a new term, it is being used much more often since the breach announcement Google made in January. I wrote about it here and here.
Mandiant, a security consulting firm, defines the APT "as a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. government and commercial computer networks for years. The vast majority of APT activity observed by MANDIANT has been linked to China." You can read more about what they have to say here.
Mandiant did a webinar on February 18 called Malware Behaving Badly, in which they compared Mass Malware Threats to Advanced Persistent Threats. As of today, Feb 20, Mandiant has not posted the webinar on its site.
Richard Bejtlich defined APT in this January 16, 2010 blog post:
Bejtlich goes on to itemize APT objectives, which interestingly does not include stealing money:
Mike Cloppert, a security engineer at Lockheed Martin, wrote about APTs in mid-2009 in his Security Intelligence series of blog posts. In Security Intelligence: Introduction (pt 1), he defines APT as "any sophisticated adversary engaged in information warfare in support of long-term strategic goals." Note his focus on the adversary and goals rather than just the techniques.
In summary then, APTs do represent techniques that are more difficult to detect because the adversary, when faced with an above average defense, does not move on to a weaker target. The adversary is persistent and will escalate tactics. Second the focus is on stealing intellectual property rather than money to advance the adversary's strategic technical, economic, political, and military goals.
Trustwave's recently published 2010 Global Security Report shows that the top two attack vectors, by far, resulting in breaches are Remote Access Applications and Third Party Connections. Here is the list of the top five:
> 95% Remote Access Application
> 90% Third Party Connection
> 15% SQL Injection
> 10% Exposed Services
< 5% Remote File Inclusion
Clearly for each breach they investigated, there was more than one attack vector. It's also important to note that 98% of their investigations were on Payment Card Data breaches. No surprise since Trustwave is focused primarily on PCI compliance. The report does not indicate what percentage of the breaches occurred at organizations for which Trustwave was the QSA.
Regardless of these caveats, I believe it is worthwhile to note the total dominance of Remote Access Application and Third Party Connections.
It is imperative that organizations upgrade their firewalls to provide network segmentation (zoning) and to be able to recognize and control the use of most major application categories including Remote Access Applications.
Unfortunately you will have to register here to get the full report.