Subscribe to RSA Conference podcasts in iTunes: http://rsac.me/iTunes-Podcasts

That’s why we wanted to share a bit about our experience with Splunk, a big data management system that provides fast machine data parsing, indexing, searching and data analyses. The GUI interface, dashboard and availability of security-related add-ons make for a neat out-of-the-box solution for enhanced data visibility. 

Splunk Basic Usage

Installation of Splunk base is rather straightforward. Check out their official docs for installation instructions. When you’re getting started, these are some of the basic ways to use Splunk: add data to splunk (data input), search, delete, data aggregation, data transformation, and charting. 

If you’re using customized data, you’ll likely find input to be the trickiest part. That’s where Splunk will have to figure out the correct data format, and properly parse it to extract fields. Splunk tries to automatically break the raw blob of textual input into EVENTS based on default or customized event breaking settings, and recognize the timestamp for each event. These settings can be customized both via Splunk GUI or command line interface (CLI). Make changes props.conf file to tell Splunk how to treat your data with correct configurations.

An example of extracting tab delimited fields from my input data: 

For data queries and other operations (aggregating, data transforming etc.), Splunk’s pipe syntax seems pretty straightforward.

The following query that maps out a number of IP addresses that fits certain criteria serve as a good example of basic query syntaxes. The example requires the geoIP mapping app provided by Maxmind, and amMap, a mapping app. 

sourcetype=mute* | rex "(?d+.d+.d+.d+)"| search ip!=192.168* ip!=0.0.* ip!=10.*|  stats count by ip | eval count_label="Event" | eval iterator="ip" | eval iterator_label="IP" |  eval zoom = "zoom="334%" zoom_x="-128.58%" zoom_y="-113.11%""| eval movie_color="#FF0000" | eval output_file="home_threat_data.xml" | eval app="amMap" | lookup geoip clientip as ip | search client_country!=^$ | mapit

Splunk data forwarding and receiving 

Install the universal forwarder if your have remote data. The universal forwarder gathers data from servers where your input data reside and forwards them to your main Splunk server for indexing and searching. 

./splunk add forward-server [splunk server:port]

/opt/splunkforwarder/bin/splunk add monitor /path/to/app/logs/ -index main -sourcetype %app%

At the same time, enable receiver – the main Splunk server and indexer by going to Splunk GUI, in forwarding and receiving->add new -> TCP port [port]

To troubleshoot the deployment, check these internal logs at the receiving indexer:

$SPLUNK_HOME/var/log/splunk/splunkd.log

$SPLUNK_HOME/var/log/splunk/license_audit.log

Use cases for Splunk security apps 

Splunk base has a set of charting choices. In the following example, we made a pie chart of user agent distribution of our mobile clients data. 

Snort app has been a great tool for quick network threat monitoring and alerting. We can easily retrieve all the entries that triggered snort, and perform in-depth investigations given the source IP addresses and contextual network data. 

Snort and amMap makes use of Maxmind’s geo-ip mapping to give us an instant global look at the threat’s scale and spreading patterns.  

Conclusion

We have yet to explore Splunk’s other interesting capabilities, such as real-time correlation making and alerting, or its distributed system deployment scheme (with Hadoop integration). We’ve spent lots of time with Hadoop and Hbase, which are largely back-end systems. As far as our primitive use of Splunk goes, it seems to serve quite well as a front-end portal for internal search, query and reporting. Data parsing for customized data is not as intuitive. It would be great if it provided pipe-like syntax for data input, as well. 

The post Big Data Driven Security with Splunk appeared first on Umbrella Security Labs.

via the logic of the indomitable Randall Munroe at XKCD.

ToorCon only accepts papers on new technologies and methodologies that have
been recently developed in the area of computer security. We will not accept
papers that have already been presented prior to 2013 unless they present
fundamental concepts or conform to any of the outlined topics below." - via ToorCon

☕

In the six minute segment Chris talks about “the dark side” of putting medical data online in cloud servers. Among the stats thrown around;

• 50% of doctors offices put customer data online,
• 80% of hospitals put customer data online,
• 21 million people had electronic records stolen in last 3 years,
• 94% of healthcare companies report data breaches.

Staggering numbers no doubt, you might be asking exactly how dangerous is this information? Health insurance fraud, financial identity theft, credit risk and even personal endangerment. If a someone undergoes a medical procedure under your identity, your medical records become flawed. In a scenario where you’re undergoing emergency procedures your records could say you’ve had your appendix out when in fact you haven’t.

Beyond personal data privacy concerns are medical device security concerns, a topic we’ve previously touched upon. Wysopal on the subject says, “The medical device problem is particularly scary because you have these devices which were standalone and now you’re adding wireless functionality to them…so you can monitor these devices and connect to them. A lot of them weren’t designed with security in mind.” All of a sudden these devices that were designed to only be accessed physically in person are now being exposed to attackers online, Wysopal also adds to the commentary, “It’s also hard to fix these medical devices and update them because there’s such a long certification process..they aren’t like typical IT systems that you can patch in a few hours.”

So what can you do to protect yourself?

1. Ask your health insurance company for a copy of your medical record and activities.
2. Pull your credit report at least once a year and verify all accounts and activity.

If you don’t recognize something on one of these two reports, raise a red flag immediately starting with your healthcare provider. Check out the full video here for more great information.

The report, issued last month, said half of all targeted attacks last year were aimed at businesses with fewer than 2,500 employees. The largest growth area for targeted attacks was businesses with fewer than 250 employees; 31 percent of all attacks targeted them.

“This is especially bad news because based on surveys conducted by Symantec, small businesses believe they are immune to attacks targeted at them,” said the report, based on the company’s threat-monitoring network which covers more than 150 countries.

Symantec said some small businesses assumed they had nothing a targeted attacker would want to steal, but in fact they had customer information, intellectual property, and money in the bank. “While it can be argued that the rewards of attacking a small business are less than what can be gained from a large enterprise, this is more than compensated by the fact that many small companies are typically less careful in their cyber-defenses,” the report said.

“Criminal activity is often driven by crimes of opportunity. With cybercrimes, that opportunity appears to be with small businesses. Even worse, the lack of adequate security practices by small businesses threatens all of us. Attackers deterred by a large company’s defenses often choose to breach the lesser defenses of a small business that has a business relationship with the attacker’s ultimate target, using the smaller company to leapfrog into the larger one.”

Symantec reported a 58 percent increase in mobile malware families last year compared to 2011, with the Android system being the most popular target.

“With a 32 percent increase in the number of vulnerabilities reported in mobile operating systems, it might be tempting to blame them for the increase,” the cybersecurity firm said. “However, this would be wrong. In the PC space, a vulnerability drives attacks as new vulnerabilities are incorporated into commonly available toolkits. The more they’re used, the faster they spread. This is not occurring in the mobile space.”

Symantec said that while Apple’s iOS had the most documented vulnerabilities in 2012, there was only one threat created for the platform. However the Android OS, with only 13 vulnerabilities reported, led all mobile operating systems in the amount of  malware written for it.

“Android’s market share, the openness of the platform, and the multiple distribution methods available to applications embedded with malware make it the go-to platform of malware authors,” the report said.

Symantec also sounded a warning about the so-called Elderwood Gang, a group of hackers that the company has been tracking for several years. It reported that the gang was responsible for four of the 14 zero-day vulnerabilities discovered last year.

“They’ve used at least one so far in 2013,” the report said. “The gang has used one zero-day exploit  in each attack, using it continually until that exploit becomes public. Once that occurs they move on to a new exploit. This makes it seem that the Elderwood Gang has a limitless supply of zero-day vulnerabilities and is able to move to a new exploit as soon as one is needed. It is our hope that this is not the case.”

Teens are sharing more information about themselves on their social media profiles than they did when we last surveyed in 2006:

• 91% post a photo of themselves, up from 79% in 2006.
• 71% post their school name, up from 49%.
• 71% post the city or town where they live, up from 61%.
• 53% post their email address, up from 29%.
• 20% post their cell phone number, up from 2%.

60% of teen Facebook users set their Facebook profiles to private (friends only), and most report high levels of confidence in their ability to manage their settings.

danah boyd points out something interesting in the data:

My favorite finding of Pew's is that 58% of teens cloak their messages either through inside jokes or other obscure references, with more older teens (62%) engaging in this practice than younger teens (46%)....

While adults are often anxious about shared data that might be used by government agencies, advertisers, or evil older men, teens are much more attentive to those who hold immediate power over them -- parents, teachers, college admissions officers, army recruiters, etc. To adults, services like Facebook that may seem "private" because you can use privacy tools, but they don't feel that way to youth who feel like their privacy is invaded on a daily basis. (This, btw, is part of why teens feel like Twitter is more intimate than Facebook. And why you see data like Pew's that show that teens on Facebook have, on average 300 friends while, on Twitter, they have 79 friends.) Most teens aren't worried about strangers; they're worried about getting in trouble.

Over the last few years, I've watched as teens have given up on controlling access to content. It's too hard, too frustrating, and technology simply can't fix the power issues. Instead, what they've been doing is focusing on controlling access to meaning. A comment might look like it means one thing, when in fact it means something quite different. By cloaking their accessible content, teens reclaim power over those who they know who are surveilling them. This practice is still only really emerging en masse, so I was delighted that Pew could put numbers to it. I should note that, as Instagram grows, I'm seeing more and more of this. A picture of a donut may not be about a donut. While adults worry about how teens' demographic data might be used, teens are becoming much more savvy at finding ways to encode their content and achieve privacy in public.

ps

Related:

• Interop2013: Find F5
• Interop2013: DDoS’ing the Interop Network
• Interop2013: F5 Certification Program
• Interop2013: BIG-IQ Cloud
• Interop2013: Partner Spotlight – Big Switch Networks
• Interop2013: Partner Spotlight – ICSA Labs
• Interop2013: DDoS’ing Interop Follow Up
• F5′s YouTube Channel
• In 5 Minutes or Less Series (23 videos – over 2 hours of In 5 Fun)
• Inside Look Series
• Life@F5

Connect with Peter:	Connect with F5:

However, I quickly became a #sadpanda when I happened across some explosive 3D pie charts later on. Rather than deride, I thought a re-imagining would be a better use of time and let you decide which visualizations both communicate better and are more appealing.

I chose to use @Datawrapper to showcase how easy it is to build and publish pleasing and informative visualizations without even leaving your browser.

Figure 4, Original:

Figure 4, Alternative:

Figure 5, Original

Figure 5, Alternative (horizontal vs vertical, just to mix it up a bit):

If the charts had been closer together in the report, I would have opted for vertical design for both and probably kept malware-type ordering vs sort by highest percentage.

How would you re-imagine the pie charts? Post a link to your creations in the comments and I’ll make sure they show up embedded with the post.

Companies of all sizes invest significant time and money protecting their sensitive information, but their priorities are not always the right ones. Security investments are too often aimed at preventing accidents, such as when employees accidentally lose laptops or inadvertently send emails containing customer information. Smaller companies in particular are sensitive to these concerns because meeting compliance with regulations, customer pressures, criminals, and contractual mandates make toxic data spills expensive.

A good start is for all companies examine their current data security strategies to ensure that they are balanced and appropriate for the assets they are trying to protect.  Here are a few tips to establish your security baseline:

•  Go Back to Basics – Some information assets are more valuable than others so identify the most valuable information first bu asking your organization’s asset owners to assign coarse-grained monetary values to their custodial data and secrets. Stack-rank the top five most valuable assets, and calculate the proportion that is “secrets” versus “custodial data.”  Does your enterprise contain more or less secrets than other enterprises in your vertical?
• Create a “Risk Register” of Data Security Risks — Divide the risks your firm faces into two categories: compliance risks and misuse of secrets. For compliance, review the history of “toxic data spills” involving mobile devices and media. For misuse of secrets, review cases of abuse by users with access to valuable information. Examine the types of information given to third parties, especially the extent to which they are stored on non-company-owned assets. Create a risk register documenting the specific threat scenarios: what data is at risk and from whom, and the likeliest threat vectors the threat agents might exploit?
• Prioritize — Assess your program’s balance between compliance and protecting secrets. Your organization may have a set of priorities documented that outlines the key principles of your security program e.g. “Protect our patients’ medical records” or “keep our company out of the papers” imply priorities for protecting custodial data, but “stop our designs from being stolen by our competitors” sends a different message. Understanding how your management’s priorities map to the security team’s control strategies is essential to understanding whether it is balanced.

Even if your current security program is based on these it’s always worth re-visiting to ensure that the controls you have in place are still relevant to protect your most valuable assets. Tune in to my next blog in this series where I will offer next steps based on the results of the three principles outlined above.

View videos from webcasts and sessions from previous events on our YouTube channel:http://www.youtube.com/RSAConference

Get the very latest news all in one place. Become a Facebook fan of RSA Conference. http://on.fb.me/p1hr8l

People – this is a “knee jerk” to the insanity that is information security. Things are chaotic, sure. Breaches, crime, national defense…all contributors to this mess. Top that off with a general distrust for vendors (with a perception of them selling “snake oil”), a disturbing number of “charlatans”, raging debates about certifications like the CISSP, drama at every turn, and constant cries of “we have to get better”. Sigh. I know, it sounds bad, right? But it really isn’t nearly as bad as it seems.

We are an “industry” in a very early stage, folks. I’ve said this before, I’ll say it again – we have a major, fundamental difference in infosec that makes it seem much worse – we have adversaries. They are working against us. When the Windows MCSE came out, it was a joke. Anybody could go learn a little about Windows, and become a “certified” Windows…, uh, person. But there was no diabolical Blofeld waiting in the wings to set Microsoft back, planning a global overthrow with Linux-wielding henchmen in an underground lair while he stroked his cat. Same for networking, whether Cisco or otherwise. Same for databases, CRM, enterprise middleware, and so on. Nope, only infosec has these shadowy lurkers who continually thwart our best efforts, stealing data and making the news.

We’re making progress. Really. Yeah, we have some idiots jumping on the bandwagon churning out Nessus reports as “pen tests”. So do we run to “certify” everyone so such an atrocity can never happen again? Really? You’d put us in a little box so that we can all feel safer? No. Here’s a better plan – those of us who are NOT clueless and DO provide quality work for clients or our businesses should work harder to educate people on this. That’s the problem. People are freaked out, they may not know any better, and they’re looking for solutions. Be it vendor or consultant or both, there’s ALWAYS a solution. Some are good, some are not. We’re falling prey to FUD, plain and simple. And if you get caught up in the daily whining on Twitter and elsewhere proclaiming that infosec is “so messed up” and that it “needs fixing”…well, you’re falling right into the drama-laden trap that plagues our industry.

The infosec industry needs creativity. It needs people who don’t fit the mold, who would rather set a kitten on fire than wear a tie, and who cannot help themselves from telling dick jokes, no matter when or where. Those people may not fit the “professionalization” scheme, but we would be SCREWED if we lose them. They think outside the box, they don’t look “corporate”, and they insist on wearing black T-shirts. I’m being purposefully stereotypical, of course. We’re a widely diverse crew these days, and we’re better for it. But thinking we’re failing so badly that we need to “professionalize” is silly. If that is the case, then why don’t we REALLY get to the heart of things, and professionalize programmers? It’s their shitty code that is causing a lot of the mess, there’s no denying this. While we’re at it, we should probably “professionalize” systems admins, network engineers, everyone. They screw up too, right? We should definitely “professionalize” project managers. Those people are a pain in the ass. Let’s make them certify!

C’mon. This isn’t the answer. Infosec is crazy, sure. But we’re not headed into doom and gloom as some would have you believe. We’re improving education programs all the time. I have met some of the college kids who are taking part in Red Team-Blue Team competitions, and some of them are crazy sharp. We’re trying to fix things like the CISSP, with guys like Wim Remes and Dave Lewis as our men on the inside. We’re having proper debates about “attacking back” and cyberwarfare (ugh), and so on. We’ll get there. But don’t react and put us in a little defined “program”. I don’t want to be a part of the Borg, not now and not ever. I have hundreds of happy clients who can attest to my work, and so do many of you. Let’s let folks like the Attrition crew smoke out the worst charlatans. And let’s try to keep our sense of humor AND reality along the way.

The post Web Security Vulnerabilities Exposed by Google Searches (Google Hacking) appeared first on Acunetix.

Let me explain why UKIP MEPs (and their allies in other member states) may well determine the future of EU Internet regulation and what is at stake if they do. 

I have attended a number of recent meetings on the EU Cyber Security strategy. There is almost unanimous agreement with the objectives and almost unanimous condemnation of the means. For example, we need to make it much easier to report attacks, whether or not they are successful, in formats which enable rapid collation and response, as well as intelligence. The reporting of breaches, which may not be actually known until long after the event, is of historic interest only and diverts effort. Mandatory public reporting, as opposed to personally warning those known to be at risk via channels they can trust, is worse than useless. It is not merely a job creation programme for lawyers and compliance officers. It actively gets in the way of good practice in tackling threats as they emerge. More-over it penalises well run organisations which know what has happened, while protecting those which are unaware that their customer and personel files are in use by fraudsters.

Yesterday BIS issued a Call for Evidence on the EU Directive on Network and Information Security this is important - VERY important. You should read and respond.

The timing of the consultation is also very important. This Directive is unlikely to be scrutinised by the current crop of MEPs. We are moving into a period of interregnum when Commission initiatives will gather momentum while the politicians are away. There is nothing quite so dangerous as ignorance in motion and this Directive will be up to speed when the new crop of MEPs arrives, to be manipulated at will: save that half the new crop from the UK are likely to be members of UKIP or will have have done deals with them. Many other member states will have elected members of similar "a plague on all your houses" parties. In looking to educate those MEPs who will scrutinise this Directive we need to intercept the selection processes of the parties to educate the candidates, including those of UKIP. This may also be the type of cause which will appeal to those UKIP members who wish to do something useful while they are in Brussells or Strasbourg. 

In educating them we will, hopefully, also educate the Commission officals as to the changes they need to make for the European Union to survive the pressures for "democratisation not bureaucratisation". This directive could be the touchstone because the vast majority of Internet users appear to agree that something must be done to improve on-line security. Unfortunately this is not the "something" that should be done. In the meantime make sure you respond to the BIS call for evidence so that, with luck, we can get the Directive re-written before the start of the inter-regnum.

The new (2013-2018) identity plan is for a stricter 2-factor authentication scheme, a continuing push for OpenID, locking ‘bearer’ tokens to specific devices (to reduce the damage an attacker can cause with stolen tokens), and a form of Android app monitoring that alerts users to risky behavior. These are all very good things! Google did not explicitly state that passwords and password recovery schemes are broken, but it looks like they will promote biometrics such as face and fingerprint scanning to unlock devices and authenticate users. The shift away from passwords is a good thing, but what will replace them is still being hotly debated. From the roadmap Google is looking to facial and fingerprint scans first.

This latter is a big deal from a outfit like Google because consumers have shown they largely don’t care about security. Despite more than a decade of hijacked accounts, data breaches, and identity theft, people still haven’t shifted from saying they care about security to actually adopting security. Even something as simple and effective as personal password managers is too much for most people to bother with. A handful of small companies offer biometric apps for mobile devices – targeting consumers and hoping Joe User will actually want to buy multi-factor authentication for his mobile device. So far that pitch has been about as successful as offering brussels sprouts to a toddler. But companies do care about mobile security. Demand for things like biometrics, NFC, risk-based access controls, and 2-factor authentication is all driven by enterprises. But if enterprises (including Google) drive advanced (non-password) authentication to maturity – meaning a point where it’s easier and more secure than our current broken password security – users will eventually use it too.

Google has the scale and pervasiveness to push the needle on security. Initiatives such as their bug bounty program have succeeded, leading the way for other firms. If Google demonstrates similar successes with better identity systems, they are well positioned to drive both awareness and comfort with cloud-based identity solutions – in a way Courion, Okta, Ping Identity, Symplified, and other outfits cannot. There are many good technologies for identity and access management, but someone needs to make the user experience much easier before we can see widespread adoption.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

• Adrian’s DR post: Why Database Monitoring?.

Favorite Securosis Posts

• David Mortman: (Scape)goats travel under the bus.
• Mike Rothman: Websense Goes Private. It’s been a while since we have had two deals in a week in security, and these were both driven by private equity money. Happy days are here again! Rich’s analysis of the first deal was good.
• Adrian Lane: Solera puts on a Blue Coat.

Other Securosis Posts

• Making Browsers Hard Targets.
• Network-based Malware Detection 2.0: Evolving NBMD.
• Incite 5/22/2013: Picking Your Friends.
• Wendy Nather abandons the CISSP – good riddance.
• Spying on the Spies.
• Websense Going Private.
• Awareness training extends to the top.
• This botnet is no Pushdo-ver.
• A Friday Summary from Boulder: May 17, 2013.
• Quick Wins with Website Protection Services: Protecting the Website.
• Quick Wins with Website Protection Services: Are Websites Still the Path of Least Resistance?

Favorite Outside Posts

• Dave Lewis: Woman Brags About Hitting Cyclist, Discovers Police Also Use Twitter. Wow… just, wow.
• David Mortman: Business is a Sport, You Need A Team.
• Mike Rothman: Mrs. Y’s Rules for Security Bloggers. Some folks out there think it’s easy to be a security blogger. It’s hard, actually. But with these 6 rules you too can be on your way to a career of pontification, coffee addiction, and a pretty okay lifestyle. But they are only for the brave.
• Adrian Lane: A Guide to Hardening Your Firefox Browser in OS X. Good post on securing Firefox from Stach and Liu.

Research Reports and Presentations

• Email-based Threat Intelligence: To Catch a Phish.
• Network-based Threat Intelligence: Searching for the Smoking Gun.
• Understanding and Selecting a Key Management Solution.
• Building an Early Warning System.
• Implementing and Managing Patch and Configuration Management.
• Defending Against Denial of Service (DoS) Attacks.
• Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments.
• Tokenization vs. Encryption: Options for Compliance.
• Pragmatic Key Management for Data Encryption.
• The Endpoint Security Management Buyer’s Guide.

Top News and Posts

• Krebs, KrebsOnSecurity, As Malware Memes. Say what you will, but malware authors have a sense of humor.
• NC Fuel Distributor Hit by $800,000 Cyberheist.
• The Government Wants A Backdoor Into Your Online Communications. For everything they don’t already have a backdoor for.
• Hacks labelled hackers for finding security hole.
• Twitter: Getting started with login verification.
• Chinese hackers who breached Google gained access to sensitive data, U.S. officials say.
• Yahoo Japan Suspects 22 Million IDs Stolen. It’s like 2005 all over again.
• Skype’s ominous link checking: facts and speculation.
• Bromium: A virtualization technology to kill all malware, forever. Interesting technology.
• Indian companies at center of global cyber heist. Update on last week’s $45M theft.

Blog Comment of the Week

This week’s best comment goes to Simon Moffatt, in response to Wendy Nather abandons the CISSP – good riddance.

CISSP is like any professional qualification. When entering a new industry with zero or limited experience, you need some method to prove competence. Organisations need to de-risk the recruitment process as much as possible when recruiting individuals they don’t know. It’s a decent qualification, just not enough on its own. Experience, like in any role is paramount. Infosec is now becoming big business with loads of avenues of specialism – pen testing, identity, audit etc etc. CISSP is 15 years old and was just a generic entry into infosec. I have it, doubt I’ll continue to renew it, but it does get a lot of undeserved bashing.

Get caught up on this week’s posts with Weekly Rewind.

Welcome to another edition of our Weekly Rewind – where we summarize all our posts from the last week. The top stories this week were 3) “NovaHackers May Meeting Videos Posted”, 2) “20% Discount on Level 1 Penetration Testing Class”, and 1) “NIST Releases Analysis of Cybersecurity Framework RFI Responses”. If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference.

A la Schneier … you can also use this rewind post to talk about the security stories in the news that we haven’t covered.

20% Discount on Level 1 Penetration Testing Class: After the success of last month’s discount program, Bulb Security has once again decided to extend a deal to NoVA Infosec readers for one of their upcoming classes in June. This time it will be for a $100 Penetration Testing Level 1 class (a.k.a., Penetration Testing with Metasploit), which is probably much more accessible than the previous months “Intro to Exploit Development” topic. (continued here)

NIST Releases Analysis of Cybersecurity Framework RFI Responses: Earlier today NIST released a document covering their initial analysis of the hundreds of comments provided by industry as part of the RFI for the development of a critical infrastructure cybersecurity framework. The 33-page document starts out by introducing some of the overall categories and themes and culminates in Figure 1 to the right. This chart provides a map for the remainder of the document with each of the subsequent sections detailing a theme in terms of key phrases, statistics, example responses, and questions.  How do you feel about NIST’s initial analysis? Let us know in the comments below. (continued here)

NovaHackers May Meeting Videos Posted: If you weren’t able to attend last week’s NovaHackers meetup, five of the presenters opted in to being recorded. Brett Thorson, of the Compute Cycle podcast, recorded and recently posted them. We weren’t able to attend but we heard it was a great time as usual. Did you attend May’s NovaHackers meeting and have any thoughts on any of the talks? Let us know in the commends below. (continued here)

Skype and the End to P2P Architecture & Privacy: I’ve been thinking about the recent discovery by H-Online.com of Microsoft visiting URLs used in the Skype chat window. Yeah, they may be scanning it for spam and such but in reality what we are really experiencing is the loss of the basic foundation on top of which Skype was built … encrypted peer-to-peer communications. Anyone know of a Skype-type application that still supports true peer-to-peer secured conversations? Obviously, open source is preferred… Let us know in the comments below. (continued here)

Amazon AWS Becomes FedRAMPable: Yesterday, we picked up on a bit of big news … Amazon and their AWS service officially received the stamp of approval in meeting FedRAMP in coordination with the US Department of Health and Human Services (HHS). It’ been three years in the making since the government announced FedRAMP and now Amazon joins the elite with only two other approved cloud offerings that include CGI Federal and Autonomic Resources. Will FedRAMPing systems into the cloud really make authorization easier and more secure? Let us know in the comments below. (continued here)

Twitter Adds Two-Factor Authentication but Still No Silver Bullet: Twitter has always had a special place in my heart and as a security professional I was pretty happy to learn that they finally implemented two-factor authentication earlier today. The second factor is a six digit code sent to your registered phone over SMS. In their blog post announcing the new feature, Twitter mentioned the following four simple steps in getting two-factor authentication setup.  (continued here)

#####

Hope everyone had a wonderful week. Have a great weekend!

Stay up to date with our webcast series: http://rsac.me/365-webcasts

The thing about options is that you have them…and options tend to let people remain lazy. Options also carry consequences which never make sense until they actually happen to you. That being said, Twitter gives you the option to activate two-factor authentication, but first…you are going to have to link a phone-number to your account.

As the plot thickens, it also doesn’t yet scale for those with the biggest targets on their backs. Media outlets cannot afford to sacrifice the coverage they get with multiple users on staff for a little bit of security….but this is only the first round from Twitter, as they have informed us all to “Stay tuned”. So maybe it is less likely we will be seeing tweets announcing Justin Bieber’s birth to Siamese monkey twins at the Anne Frank House in the coming weeks, but knowing your Twitter account is (more) secure is worth it, right?

I know we all love the instant gratification that comes from the massive amount of irrelevant nonsense Twitter delivers around the world; the very concept of a tweet is that thoughts and opinions (assuming they are <140 characters) are available to all of your loyal followers just as quickly as you can get them out.

Keep fighting the good fight my friends. Until next time, “help us, help you”.

Today Microsoft released the new Trends in cloud computing report, which analyzes the results of current IT maturity and adoption practices of organizations worldwide that have used the free Cloud Security Readiness Tool (CSRT). The data consists of answers provided by people who used the CSRT over a six-month period between October 2012 and March 2013. This trends report helps organizations understand and evaluate IT security areas that are strengths and weaknesses. For example, areas of strength for those who utilized the tool are information security (through deployment of antivirus /antimalware software), security architecture, and facility security. Areas of weakness are human resources security, operations security, information security (through consistent incident reporting), legal protection and operations management.

In October 2012, Microsoft released the free Cloud Security Readiness Tool (CSRT) to help organizations assess their IT environment and evaluate the benefits of cloud adoption. Organizations are using the CSRT to better understand their systems, processes, policies, and practices. The tool provides a survey and a custom, noncommercial report organizations can understand and improve their current IT state, learn about relevant industry regulations, and receive guidance on how to evaluate different cloud options.

Jeff Jones on my team provides insights on the new trends in cloud computing report. I recommend taking time to run the CSRT survey and read the custom report about your current IT state so you can evaluate the benefits of cloud adoption or growing services if you’re already in the cloud.

Text of email:

“Dear E-Mail User
Due to the package compromise of 1.4.11,1.4.12 and 1.4.13, we are forced to release 1.4.15 to ensure no confusions. While initial review didn't uncover a need for concern, several proof of concepts show that the package alterations introduce a high risk security issue, allowing remote inclusion of files. These changes would allow a remote user the ability to execute exploit code on a victim machine, without any user interaction on the victim's server. This could grant the attacker the ability to deploy further code on the victim's server.
So upgrade to  Squirrel Mail Development Team by  click Squirrel Mail Login SquirrelMail 1.4.15 Released
We STRONGLY advise all users of 1.4.11, 1.4.12 and 1.4.13 upgrade immediately.”

The page, when I looked at it anyway, didn’t contain any exploits. It's a simple email address/password harvest (of course very valuable to spammers).  Of course, you should still stay away from the page. It’s behavior could change at any moment (or even change depending on your IP address, or browser used, or time of date or who knows what…)

    Hackers find China the land of opportunity

http://www.nytimes.com/2013/05/23/world/asia/in-china-hacking-has-widespread-acceptance.html?smid=tw-share&_r=0

Really interesting read about the commercialization of hacking as a service

    North Carolina fuel distributor hit by $800,000 cyberheist

http://krebsonsecurity.com/2013/05/nc-fuel-distributor-hit-by-800000-cyberheist/

“The way [the bank] changed it [account access], anybody anywhere could access it as long as they had my login, and apparently that’s what happened because the logins came from a different IP address than our normal one. I think they made it more convenient, but less secure.”

    Utilties to FERC: Thanks for your security controls, but no thanks

http://www.smartgridnews.com/artman/publish/Technologies_Security/Utilities-to-FERC-Take-your-security-measures-and-shove-it-5778.html?utm_source=buffer&utm_medium=twitter&utm_campaign=Buffer&utm_content=buffer9ad79#.UZ5qSIfVCYk

The controversy of regulation continues…

    FBI Arrests NYPD Detective On Hacking Charges

http://www.informationweek.co.uk/security/attacks/fbi-arrests-nypd-detective-on-hacking-ch/240155332

The Department of Justice Tuesday announced the arrest of New York City Police Department (NYPD) detective Edwin Vargas, 42, on computer hacking charges

    Government Plan to Build "Back Doors" for Online Surveillance Could Create Dangerous Vulnerabilities

http://www.slate.com/blogs/future_tense/2013/05/23/calea_reform_to_build_back_doors_into_online_communications_could_create.html

Do the benefits of intentionally made back doors outweigh the risks?

    IT security vendors seen as clueless on industrial control systems

http://www.csoonline.com/article/733873/it-security-vendors-seen-as-clueless-on-industrial-control-systems

"The IT world has done an awful lot more on networking than we have, but they're not looking at our types of applications and constraints,"

    Is it time to professionalize information security?

http://www.net-security.org/article.php?id=1842

Information security is no longer a niche department

    Cyber security spending on electrical grid infrastructure to reach $2.9bn by 2013

http://security.cbronline.com/news/cyber-security-spending-on-electrical-grid-infrastructure-to-reach-29bn-by-2013-230513

"Operators need to view cyber security as a core, integrated requirement of their offering and not as a secondary add-on”

    Kim Dotcom Claims He Invented Two-Step Authentication

http://www.pcmag.com/article2/0,2817,2419441,00.asp

Dotcom says he will allow Google, Facebook and Twitter to “use [his] patent for free” if they help fund his legal defense

Application Defense

As we mentioned in the Managing WAF paper, it’s not easy to keep a WAF operating effectively, which involves lots of patching and rule updates based on new attacks and tuning the rules to your specific application. Doing nothing isn’t an option, given the fact that attackers use your site as the path of least resistance to gain a foothold in your environment. One of the advantages of front-ending your website with a website protection service (WPS) is to take advantage of a capability we’ll call WAF Lite.

Now WAF Lite is first and foremost — simple. You don’t want to spend a lot of time configuring or tuning the application defense. The key to getting a Quick Win is to minimize required customization, while providing adequate coverage against the most likely attacks. You want it to just work and block the stuff that’s pretty obviously an attack. You know, stuff like XSS, SQLi, and the other stuff that makes the OWASP Top 10 list. These are pretty standard attack types and it’s not brain surgery to build rules to block them. It’s amazing that everyone doesn’t have this kind of simple defense implemented.

Out of one side of our mouths we talk about the need for simplicity. But we also need the ability to customize and/or tune the rules when you need to, which shouldn’t be that often. It’s kind of like having a basic tab, which gives you a few check boxes to configure and needs to be within the capabilities of the unsophisticated admin. That’s what you should be using most of the time. But when you need it, or when you enlist expert help, you’d like to have an advanced tab to give you lots of knobs and granular controls.

Although a WPS can be very effective against technical attacks, these services are not going to do anything to protect against a logic error on the part of your application. If your application or search engine or shopping cart can be gamed using legitimate application functions, no security service (or dedicated WAF, for that matter) can do anything about that. So parking your sites behind a WPS doesn’t mean you don’t have to do QA testing and have smart penetration tester types trying to expose potential exploits. OK, we’ll end the disclaimer there.

We’re talking about service offerings in this series, but that doesn’t mean you can’t accomplish all of these goals using on-premise equipment and managing the devices yourself. In fact, that’s how stuff got done before the fancy cloud-everything mentality started to permeate through the technology world. But given the fact that we’re trying to do things quickly, a service gives you the opportunity to deploy within hours and not require significant burn-in and tuning to bring the capabilities online.

Platform Defense

Despite the application layer being the primary target for attacks on your website (since it’s the lowest hanging fruit for attackers) that doesn’t mean you don’t have to pay attention to attacks on your technology stack. We delved a bit into some of the application denial of service (DoS) attacks targeting the building blocks of your application, like Apache Killer and Slowloris. A WPS can help deal with this class of attacks by implementing rate controls on the requests hitting your site, amongst other application defenses.

Given that search engines never forget and some data you don’t want in the great Googly-moogly index, it pays to control the pages available for crawling by the search bots. You can configure this using a robots.txt file, but not every search engine plays nice. And some will jump right to the disallowed sections, since that’s where the good stuff is, right? Being able to block automated requests and other search bots via the WPS can keep these pages off the search engines.

You’ll also want to restrict access to unauthorized areas of your site (and not just from the search engines discussed above). This could be pages like the control panel, sensitive non-public pages, or your staging environment where you test feature upgrades and new designs. Unauthorized pages could also be back doors left by attackers to facilitate getting back into your environment. You also want to be able to block nuisance traffic, like comment spammers and email harvesters. These folks don’t cause a lot of damage, but are a pain in the rear and if you can get rid of them without any incremental effort, it’s all good.

A WPS can lock down not only where a visitor goes, but also where they come from. For some of those sensitive pages you may want to enforce those pages can only be accessed by someone on the corporate network (either directly or virtually via a VPN). So the WPS can block access to those pages unless the originating IP is on the authorized list. Yes, this (and most other controls) can be spoofed and gamed, but it’s really about reducing your attack surface.

Availability Defense

We can forget about keeping the site up and taking requests, and a WPS can help with this function in a number of ways. First of all, a WPS provider has bigger pipes than you. In most cases, a lot bigger that gives them the ability absorb a DDoS without disruption or even impacting performance. You can’t say the same. Of course, be wary of bandwidth based pricing, since a volumetric attack won’t just hammer your site, but also your wallet. At some point, if the WPS provider has enough customers you can pretty much guarantee at least one of their clients is under a DDoS at any given time, so they spend a bunch of money on anti-DoS equipment and extra bandwidth — so you don’t have to.

Another benefit of implementing a WPS in front of your site is to obscure the coordinates (IP addresses) of your site. This prevents an attacker from by bypassing your WAF or other proxy designed to protect the site. If they don’t know the IP address, they can’t attack the directly. This approach allows you to restrict inbound connections on your site to trusted IP addresses within the WPS. Thus random folks can’t connect to the site without going through the WPS. Similarly, the WPS can be configured to block protocols like SSH, FTP and telnet - which should only be used by internal people (and locked down to your internal network, as described above) and only in limited situations.

As you can see, using a WPS reduces a lot of the applicable attack surface of your websites. Not all, but a lot. Since this is a Quick Wins series, unless you can deploy and turn up the service quickly, all for naught. So we’ll wrap up the series next week by looking at the deployment decisions you’ll need to make, implementation process you’ll undergo, and finally the ongoing management responsibilities to keep your sites protected, available and operational.

Question of the week:  First it was Facebook, then Living Social, then LinkedIn, now Twitter accounts have been hacked. How can I keep my business and personal accounts from being hacked, if the big boys can’t even protect theirs?

You are right. It seems like every week we hear about another major website or an account on a social network being hacked into. Your concern is genuine, because once hackers get in they can not only gain control of your account, but they can also get your email address, passwords, and even get access to your bank account.

There are some steps you can take.

Use Password Protection

Strong passwords are essential to protect your online accounts. The challenge comes in remembering your various usernames and passwords, so we suggest that you use avast! EasyPass. For less than it costs for lunch, you can protect all your passwords for an entire year. Here’s some of the highlights:

• One-click log ins Save all your log in details and log into your favorite websites with a single click.
• Single master password EasyPass securely stores all your website and Windows application passwords. From now on, you only need to remember one master password.
• Password generator Generate random passwords for all your different accounts for the most protection. 12345 just doesn’t cut it anymore.
• Fill in forms Store personal information which can be used later to automatically complete online forms, so you don’t have to manually type in the same details every time.

You can try a 1-month free trial of avast! EasyPass. Visit the avast! Store and click free trial Download.

Two-Factor Authentication

Google and Facebook offer two-factor authentication, and Twitter just announced that they added this extra security layer yesterday.  Two-factor authentication requires users to enter a second code along with their username and password.

As a barrier between your account and hackers, we suggest that you enroll in login verification programs when offered. For those who sign up, Twitter will send a six-digit code using a text message each time they sign in to Twitter.com. Besides their username and password, users will have to enter the code as well to log in. It’s a bit inconvenient, but it’s more of a pain to clean up your reputation if a hacker gets ahold of your account. Get started by going to the Twitter blog.

Log out

It is a little harder to log out when we access our accounts from a smartphone, but if you lost your phone, a hacker would not only have your phone; he’d have your identity!

Protect your smartphone from theft by installing avast! Free Mobile Security. With the Anti-Theft component enabled,  you will have remote options to locate and recover your phone.