<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:media="http://search.yahoo.com/mrss/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>Security Bytes</title>
	
	<link>http://itknowledgeexchange.techtarget.com/security-bytes</link>
	<description>A SearchSecurity.com blog</description>
	<pubDate>Fri, 06 Nov 2009 14:19:35 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.2</generator>
	<language>en</language>
		<!-- podcast_generator="podPress/8.8" -->
		<copyright>© </copyright>
		<managingEditor>contactus@itknowledgeexchange.com ()</managingEditor>
		<webMaster>contactus@itknowledgeexchange.com()</webMaster>
		<category />
		<itunes:keywords />
		<itunes:subtitle />
		<itunes:summary>A SearchSecurity.com blog</itunes:summary>
		<itunes:author />
		<itunes:category text="Society &amp; Culture" />
		<itunes:owner>
			<itunes:name />
			<itunes:email>contactus@itknowledgeexchange.com</itunes:email>
		</itunes:owner>
		<itunes:block>No</itunes:block>
		<itunes:explicit>no</itunes:explicit>
		<itunes:image href="http://itknowledgeexchange.techtarget.com/security-bytes/wp-content/plugins/podpress/images/powered_by_podpress_large.jpg" />
		<image>
			<url>http://itknowledgeexchange.techtarget.com/security-bytes/wp-content/plugins/podpress/images/powered_by_podpress.jpg</url>
			<title>Security Bytes</title>
			<link>http://itknowledgeexchange.techtarget.com/security-bytes</link>
			<width>144</width>
			<height>144</height>
		</image>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/SecurityBytes" type="application/rss+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
		<title>Israeli Mossad add Trojan Horse to Syrian laptop</title>
		<link>http://feedproxy.google.com/~r/SecurityBytes/~3/ku-g6SnKgeE/</link>
		<comments>http://itknowledgeexchange.techtarget.com/security-bytes/israeli-mossad-add-trojan-horse-to-syrian-laptop/#comments</comments>
		<pubDate>Fri, 06 Nov 2009 14:18:28 +0000</pubDate>
		<dc:creator>Robert Westervelt</dc:creator>
		
		<category><![CDATA[cyberespionage]]></category>

		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/security-bytes/israeli-mossad-add-trojan-horse-to-syrian-laptop/</guid>
		<description><![CDATA[Data stealing malware helped Israeli spies reap data from official’s laptop.
Sophos security guru Graham Cluley writes today about the Mossad, Israel’s intelligence gathering operation and how spies there gained access to a Syrian official’s laptop and uploaded a Trojan to collect data. According to German magazine Der Spiegel, the data collected using the malware helped [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Data stealing malware helped Israeli spies reap data from official’s laptop.</strong></p>
<p>Sophos security guru Graham Cluley writes today about the Mossad, Israel’s intelligence gathering operation and how spies there gained access to a Syrian official’s laptop and <a href="http://www.sophos.com/blogs/gc/g/2009/11/06/mossad-hacked-syrian-laptop-bombing-nuclear-facility/" target="_blank">uploaded a Trojan to collect data</a>. According to German magazine Der Spiegel, the data collected using the malware helped Israeli officials plan a bombing run against a suspected Syrian nuclear facility in 2007.</p>
<p>According to the Der Spiegel story on the <a title="How Israel Destroyed Syria's Al Kibar Nuclear Reactor" href="http://www.spiegel.de/international/world/0,1518,658663-2,00.html" target="_blank">Syria bombing</a>:</p>
<blockquote><p>The hard drive contained construction plans, letters and hundreds of photos. The photos, which were particularly revealing, showed the Al Kibar complex at various stages in its development. At the beginning &#8212; probably in 2002, although the material was undated &#8212; the construction site looked like a treehouse on stilts, complete with suspicious-looking pipes leading to a pumping station at the Euphrates.</p></blockquote>
<p>As Cluley puts it, the Israeli operation is an example of how cyberespionage is very much happening around the world. Reports seem to trickle out a few times a year about how malware was found on government computers in the United States and abroad.</p>
<p>Spyware has evolved to the point where many variants remain undetectable by antivirus programs. And no doubt intelligence gathering operations around the world are using it on any systems connected to the Internet.</p>

]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/security-bytes/israeli-mossad-add-trojan-horse-to-syrian-laptop/feed/</wfw:commentRss>
		<feedburner:origLink>http://itknowledgeexchange.techtarget.com/security-bytes/israeli-mossad-add-trojan-horse-to-syrian-laptop/</feedburner:origLink></item>
		<item>
		<title>Fragus exploit pack’s pricy business model locks users in</title>
		<link>http://feedproxy.google.com/~r/SecurityBytes/~3/7DTP1IhgnTk/</link>
		<comments>http://itknowledgeexchange.techtarget.com/security-bytes/fragus-exploit-pack%e2%80%99s-pricy-business-model-locks-users-in/#comments</comments>
		<pubDate>Fri, 06 Nov 2009 14:00:25 +0000</pubDate>
		<dc:creator>Robert Westervelt</dc:creator>
		
		<category><![CDATA[attack toolkits]]></category>

		<category><![CDATA[exploit toolkits]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/security-bytes/fragus-exploit-pack%e2%80%99s-pricy-business-model-locks-users-in/</guid>
		<description><![CDATA[The $800 attack toolkit comes with a self-destruct mechanism after a certain time period
Security researchers at Symantec are closely monitoring the Fragus exploit pack, an $800 package of tools developed by cybercriminals to enable users to set up attack websites. Their latest findings have identified an effort by the toolset writers to clamp down on [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The $800 attack toolkit comes with a self-destruct mechanism after a certain time period</strong></p>
<p>Security researchers at Symantec are closely <a title="Fragus Exploit Kit changes business model" href="http://www.symantec.com/connect/blogs/fragus-exploit-kit-changes-business-model" target="_blank">monitoring the Fragus exploit pack</a>, an $800 package of tools developed by cybercriminals to enable users to set up attack websites. Their latest findings have identified an effort by the toolset writers to clamp down on how the toolpack is used – an effort, no doubt, to keep the revenue stream open long after someone plunks down the hefty chunk of change needed to buy Fragus.</p>
<p>The blog entry, written by Peter Coogan with help from researcher Cathal Mullaney, includes several screenshots of the exploit kit the researchers found in use on a specific domain. The toolkit they found was in use in September and October and targeted users in Spain and Germany.</p>
<p>Symantec said the toolkit is one of the most popular, but we’ll have to see how the authors’ clampdown affects its popularity. The authors restrict files to run on specific IP addresses and servers, meaning that if an owner of the kit wants to make a change they have to go back and get a software update to do so. The toolkit also contains a self-destruct mechanism, expiring files after a certain time period.</p>
<p>Despite the limitations, the toolkit’s popularity must mean that it is a big – real big – money maker for cybercriminals. A person willing to give up $800 is willing to accept a lot of risk and, much like the stock market, the more risk you take on, the bigger the rewards.</p>

]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/security-bytes/fragus-exploit-pack%e2%80%99s-pricy-business-model-locks-users-in/feed/</wfw:commentRss>
		<feedburner:origLink>http://itknowledgeexchange.techtarget.com/security-bytes/fragus-exploit-pack%e2%80%99s-pricy-business-model-locks-users-in/</feedburner:origLink></item>
		<item>
		<title>New ransomware Trojan tricks victims to buy software fix</title>
		<link>http://feedproxy.google.com/~r/SecurityBytes/~3/bqZckd3tKW8/</link>
		<comments>http://itknowledgeexchange.techtarget.com/security-bytes/new-ransomware-trojan-pushes-victims-to-buy-scareware/#comments</comments>
		<pubDate>Mon, 02 Nov 2009 16:09:04 +0000</pubDate>
		<dc:creator>Robert Westervelt</dc:creator>
		
		<category><![CDATA[ransomeware]]></category>

		<category><![CDATA[Ramvicrype Trojan]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/security-bytes/new-ransomware-trojan-pushes-victims-to-buy-scareware/</guid>
		<description><![CDATA[Trojan Horse doesn’t ask for money, but sends victims to software that can eliminate malware file extension, according to Symantec Security Response
Symantec has posted an interesting blog post about a new ransomware Trojan with a twist. Instead of asking for cash to unlock the files, the Ramvicrype Trojan encrypts files on victim computers and then [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Trojan Horse doesn’t ask for money, but sends victims to software that can eliminate malware file extension, according to Symantec Security Response</strong></p>
<p>Symantec has posted an interesting blog post about a new ransomware Trojan with a twist. Instead of asking for cash to unlock the files, the <a title="Ramvicrype Trojan" href="http://www.symantec.com/connect/blogs/tales-crypt" target="_blank">Ramvicrype Trojan encrypts files on victim computers</a> and then sends victims seeking help via a search engine to a website where they can buy software that supposedly fixes the problem and decrypts the files. Older ransomware would push the victim to buy the keys outright.</p>
<p>Symantec virus researcher Shunichi Imano said in a blog entry that Ramvicrype victims will see some files on the computer with a vicrypt extension.</p>
<blockquote><p>Entering the term ‘vicrypt’ into a search engine leads us to a company offering a fix, which of course is a charged service. So, there was a reason for that file extension after all.</p></blockquote>
<p>The security vendor has developed a Symantec <a title="Ramvicrype Removal Tool" href="http://www.symantec.com/security_response/writeup.jsp?docid=2009-102921-3210-99" target="_blank">Ramvicrype removal tool</a> for victims to decrypt the files.</p>
<p>Ransomware is not new. In fact, security expert Mike Chapple points out that it could be over a decade old. In an expert tip on what to do if <a title="How to deal with advanced encryption algorithms" href="http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1321211_mem1,00.html" target="_blank">you&#8217;re infected with ransomware</a>, Chapple says you could reimage the drive and/or restore from backup. Check the Internet for the keys first. In many cases, Chapple says, others have been infected and security researchers likely have made the keys available.</p>
<blockquote><p>Whether ransomware affects your organization directly or not, use the painful experiences of your peers to learn a lesson: install current antivirus software on all enterprise systems (especially the CEO&#8217;s laptop!). Make sure to also run regular backups and check firewall configurations.</p></blockquote>

]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/security-bytes/new-ransomware-trojan-pushes-victims-to-buy-scareware/feed/</wfw:commentRss>
		<feedburner:origLink>http://itknowledgeexchange.techtarget.com/security-bytes/new-ransomware-trojan-pushes-victims-to-buy-scareware/</feedburner:origLink></item>
		<item>
		<title>Twitter warns of new phishing attacks</title>
		<link>http://feedproxy.google.com/~r/SecurityBytes/~3/MimGsufz-y8/</link>
		<comments>http://itknowledgeexchange.techtarget.com/security-bytes/twitter-warns-of-new-phishing-attacks/#comments</comments>
		<pubDate>Thu, 29 Oct 2009 15:35:52 +0000</pubDate>
		<dc:creator>Robert Westervelt</dc:creator>
		
		<category><![CDATA[Phishing]]></category>

		<category><![CDATA[Twitter security]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/security-bytes/twitter-warns-of-new-phishing-attacks/</guid>
		<description><![CDATA[Phishing campaign uses a direct message and a fake Twitter login page to pilfer credentials. 
Twitter issued a spam warning via a Twitter message telling users not to click on a direct message that sends users to a Twitter login page. The Twitter warning said the login page is a fake and attempts to steal [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Phishing campaign uses a direct message and a fake Twitter login page to pilfer credentials. </strong></p>
<p>Twitter issued a spam warning <a title="Twitter phishing warning" href="http://twitter.com/spam/status/5236330687" target="_blank">via a Twitter message</a> telling users not to click on a direct message that sends users to a Twitter login page. The Twitter warning said the login page is a fake and attempts to steal login and password credentials. Once a victim types in their credentials, a fake Twitter fail-whale over capacity message is displayed.</p>
<p>Sophos security expert Graham Cluley blogged about the <a title="Twitter phishers password" href="http://www.sophos.com/blogs/gc/g/2009/10/28/twitter-phishers-password/" target="_blank">Twitter phishing attempts</a> on Wednesday, describing the fake Twitter message and calling on users of the social network to change their passwords regularly.</p>
<blockquote><p>So, what should you do if you fell for one of these phishing messages and handed over your Twitter login details to the bad guys? You should consider yourself now hacked, and must change your Twitter password *immediately* before your account is abused by hackers.</p></blockquote>

]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/security-bytes/twitter-warns-of-new-phishing-attacks/feed/</wfw:commentRss>
		<feedburner:origLink>http://itknowledgeexchange.techtarget.com/security-bytes/twitter-warns-of-new-phishing-attacks/</feedburner:origLink></item>
		<item>
		<title>Mozilla update repairs Firefox buffer overflow vulnerabilities</title>
		<link>http://feedproxy.google.com/~r/SecurityBytes/~3/rmyjsZ59kuI/</link>
		<comments>http://itknowledgeexchange.techtarget.com/security-bytes/mozilla-update-repairs-firefox-buffer-overflow-vulnerabilities/#comments</comments>
		<pubDate>Thu, 29 Oct 2009 12:18:37 +0000</pubDate>
		<dc:creator>Robert Westervelt</dc:creator>
		
		<category><![CDATA[Firefox security]]></category>

		<category><![CDATA[Mozilla security]]></category>

		<category><![CDATA[web application flaws]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/security-bytes/mozilla-update-repairs-firefox-buffer-overflow-vulnerabilities/</guid>
		<description><![CDATA[Repairs fix several critical memory corruption errors and buffer overflow flaws that could cause the browser to crash and leave users vulnerable to attack.
Mozilla issued an update to its popular Firefox browser this week, repairing more than a dozen flaws that could cause the browser to operate erratically and crash or allow remote attackers to [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Repairs fix several critical memory corruption errors and buffer overflow flaws that could cause the browser to crash and leave users vulnerable to attack.</strong></p>
<p>Mozilla issued an update to its popular Firefox browser this week, repairing more than a dozen flaws that could cause the browser to operate erratically and crash or allow remote attackers to target vulnerable users.</p>
<p>The browser maker issued 10 advisories on Tuesday, five critical, <a title="Mozilla security advisories" href="http://www.mozilla.org/security/known-vulnerabilities/firefox30.html" target="_blank">fixing memory corruption errors</a>, buffer overflow flaws and an object handling flaw that could enable an attacker to execute malicious code and gain access to sensitive data. <a title="Mozilla release notes" href="http://www.mozilla.com/en-US/firefox/3.5.4/releasenotes/" target="_blank">Firefox 3.5.4</a> and 3.0.15 plug 16 holes in a variety of browser functions.</p>
<p>Mozilla repaired four critical memory corruption errors affecting the browser engine and the JavaScript engine. In its advisory, Mozilla said some of the errors could be targeted by attackers to execute arbitrary code.</p>
<p>The browser maker also updated several third-party libraries used to render media. The corrupted libraries were used by the browser to read Ogg Vorbis encoded media files.</p>
<blockquote><p>“Some of the bugs discovered could potentially be used by an attacker to crash a victim&#8217;s browser and execute arbitrary code on their computer,” Mozilla said.</p></blockquote>
<p>Other serious flaws were repaired. The Mozilla update fixed a heap-based buffer overflow in Mozilla&#8217;s string to floating point number conversion routines; a flaw that could enable an attacker to execute malicious JavaScript code with chrome privileges; and an error in Mozilla&#8217;s GIF image parser.</p>
<p>Last month, Mozilla released a new feature it said would help get users to <a title="Mozilla to help third-party plugin makers push out faster patches" href="http://itknowledgeexchange.techtarget.com/security-bytes/mozilla-helps-adobe-push-out-faster-patches/" target="_blank">update third-party plugins</a>. The changes came in the release of Firefox 3.5.3 and Firefox 3.0.14.</p>

]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/security-bytes/mozilla-update-repairs-firefox-buffer-overflow-vulnerabilities/feed/</wfw:commentRss>
		<feedburner:origLink>http://itknowledgeexchange.techtarget.com/security-bytes/mozilla-update-repairs-firefox-buffer-overflow-vulnerabilities/</feedburner:origLink></item>
		<item>
		<title>McAfee survey: Less money, less time, less security for midmarket</title>
		<link>http://feedproxy.google.com/~r/SecurityBytes/~3/112LE1Lp_wM/</link>
		<comments>http://itknowledgeexchange.techtarget.com/security-bytes/mcafee-survey-less-money-less-time-less-security-for-midmarket/#comments</comments>
		<pubDate>Wed, 28 Oct 2009 12:40:44 +0000</pubDate>
		<dc:creator>Neil Roiter</dc:creator>
		
		<category><![CDATA[midmarket security]]></category>

		<category><![CDATA[McAfee]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/security-bytes/?p=1371</guid>
		<description><![CDATA[McAfee report estimates that mid-sized businesses in the U.S. spent $17.2 billion fixing IT security incidents in 2008.
How much should a midmarket company spend on security? Am I spending it on the right technologies? How much time and effort should their IT people devote to it?
&#8220;The Security Paradox,” McAfee’s global survey of mid-sized (51-1,000 employees) [...]]]></description>
			<content:encoded><![CDATA[<p><strong>McAfee report estimates that mid-sized businesses in the U.S. spent $17.2 billion fixing IT security incidents in 2008.</strong></p>
<p>How much should a midmarket company spend on security? Am I spending it on the right technologies? How much time and effort should their IT people devote to it?</p>
<p>&#8220;<a href="http://www.mcafee.com/us/research/security_paradox/index.html">The Security Paradox</a>,” McAfee’s global survey of mid-sized (51-1,000 employees) companies raises some interesting questions about the balance between the money and manpower they invest in security on the one hand, and the risk, on the other.</p>
<p>Before we go too far, the report is a little thin on the ground. Only about 100 companies were surveyed in each of nine countries. So, maybe a good sampling globally, perhaps less so per each nation.</p>
<p>According to the report, most mid-sized companies are experiencing more security incidents in the last year than in the previous 12 months and are very concerned about the possibility of data breaches and IT security attacks. One out of five experienced a serious security incident that caused them to lose, on average, $41,000 (based on what they calculate as lost business spent, on average, $43,000 in a year remediating IT security incidents.</p>
<p>But, while three-quarters of the companies froze or cut their IT security budgets—reduced staff, fewer new product purchases, switching to cheaper, stand-alone products&#8211; the telling correlation was between the amount of time the average organization devotes to security and the time it takes to recover from an incident. Overall, smaller companies that spend an hour or less per week on proactive preventive measures often spend days recovering; organizations that spend several hours frequently recover in less than a day.</p>
<p>Makes sense. If busy, understaffed IT folk in midmarket companies can find a few hours a week to focus on security, it pays off. According to the report, the majority of British and U.S. companies surveyed find or make the time. The French, not so much.</p>
<p>Still, the report estimates that mid-sized businesses in the U.S. alone spent $17.2 billion fixing IT security incidents in 2008.</p>
<p>So what are the McAfee report recommendations for beleaguered middling companies in the worst economy since the Great Depression? After delivering the valuable message that they can mitigate the damage if they devote a little more time and effort to security, the conclusion is that what we really need to do is to spend smarter:</p>
<ol>
<li>Integration. Consolidate security vendors who offer integrated suites (let’s assume they’re not recommending Symantec).</li>
<li>Centralized management (Hey, we have EPO).</li>
<li>Lower costs. Integrated solutions are more economical (really a corollary of 1 and 2).</li>
</ol>
<p>Well, it’s all probably true, but the message is rather cynical. Tell me how to find those extra hours. Tell me what activities will give me the most value for the time I invest. Then, maybe, once I get that, tell me about investing some more time in replacing my security technologies and/or introducing new ones.</p>

]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/security-bytes/mcafee-survey-less-money-less-time-less-security-for-midmarket/feed/</wfw:commentRss>
		<feedburner:origLink>http://itknowledgeexchange.techtarget.com/security-bytes/mcafee-survey-less-money-less-time-less-security-for-midmarket/</feedburner:origLink></item>
		<item>
		<title>Cigital’s Gary McGraw talks cloud security with Chris Hoff</title>
		<link>http://feedproxy.google.com/~r/SecurityBytes/~3/oTJ0Em3TRc4/</link>
		<comments>http://itknowledgeexchange.techtarget.com/security-bytes/cigitals-gary-mcgraw-talks-cloud-security-with-chris-hoff/#comments</comments>
		<pubDate>Sat, 24 Oct 2009 14:41:59 +0000</pubDate>
		<dc:creator>Robert Westervelt</dc:creator>
		
		<category><![CDATA[cloud security services]]></category>

		<category><![CDATA[Cloud computing]]></category>

		<category><![CDATA[cloud security]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/security-bytes/cigitals-gary-mcgraw-talks-cloud-security-with-chris-hoff/</guid>
		<description><![CDATA[Security needs to pay more attention to the protocols which bind the applications and infrastructure together. That&#8217;s where the cracks are appearing. 
What is cloud computing? In an interview with Cigital&#8217;s software security expert Gary McGraw, network security expert Christofer Hoff tries to answer that question from two perspectives &#8212; a cloud provider and a [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Security needs to pay more attention to the protocols which bind the applications and infrastructure together. That&#8217;s where the cracks are appearing. </strong></p>
<p>What is cloud computing? In an interview with Cigital&#8217;s software security expert Gary McGraw, network security expert <a title="Show 043 – An Interview with Christofer Hoff" href="http://www.cigital.com/silverbullet/show-043/" target="_blank">Christofer Hoff tries to answer that question</a> from two perspectives &#8212; a cloud provider and a consumer. After establishing what cloud computing is, the conversation ultimately moves to what is being done right and perhaps wrong to secure it. Hoff, formerly of Unisys Corp., is currently director of cloud and virtualization solutions at Cisco Systems Inc. The podcast is a good overview of cloud computing and security because it peels away all the vendor marketing hype that, pardon my pun, has clouded the issue.</p>
<p>According to Hoff:</p>
<ul>
<li><strong>From the perspective of a consumer</strong>, cloud computing is &#8220;any vendor, any technology that would allow them to take their content and their data and place it in the stewardship of somebody else.&#8221; Hoff says it could be Apple&#8217;s MobileMe, iTunes, and any other services where you connect and are using the Internet.</li>
<li><strong>From the perspective of a cloud provider</strong>, cloud computing is &#8220;an operational model; a way of more efficiently, more effectively using computing resources.&#8221;</li>
</ul>
<p>The cloud is not impervious to failure, Hoff says. A lot of interesting expectations are being set, and Hoff says that is illustrated by Larry Ellison of Oracle Corp., who says there&#8217;s nothing new and we&#8217;ve been doing it for years, versus the perspective from others who say that how we&#8217;re using the cloud is different.</p>
<blockquote><p>&#8220;Every time we&#8217;ve had a new instance, a new way of operationalizing our computing resources we&#8217;ve had this same sort of turn that takes place in the industry. It ultimately smooths out.&#8221;</p></blockquote>
<p>McGraw says while we&#8217;re not so bad at protecting hardware, we&#8217;re really bad at protecting virtual operating systems and applications.</p>
<p><strong>Hoff explains the three levels of cloud computing and how security applies</strong>:  Infrastructure as a service, platform as a service and software as a service &#8230; He says the lower down the stack you go the more responsible you still are as a consumer for the security of that service. &#8220;With infrastructure as a service you are essentially building in security, with software as a service you are basically contracting it &#8230;&#8221; Hoff goes on to say that platform as a service is more interesting from a security perspective because your apps are somewhat tied into the platform. Since you are writing the applications and you own the data &#8220;maintaining security as it relates to that model is a shared, cooperative approach.&#8221;</p>
<p>Security is always playing catch-up, and disruptive innovation such as cloud computing is a good example of that, Hoff says. It ultimately comes down to the age-old problem that &#8220;consumers see security and applications thereof as an adverse function of convenience.&#8221;</p>
<blockquote><p>&#8220;When it comes down to any enterprise architecture in general, time to market and delivery just trumps our capability, desire, wants and needs and ultimately budgets to get stuff done as a balance of security versus convenience.&#8221;</p></blockquote>
<p>The final part of the podcast talks about the problems companies are having applying security to the three cloud computing models as a design pattern versus the bolt-on approach. Hoff says the people behind the cloud model are fragmented: developers work on their applications, network architects deal with the network, and the security guys try to figure out what each of them is doing.</p>
<p>Hoff says what is terrifying is that the metastructure pieces (the protocols, the glue that holds the application layer and infrastructure layer together) are for the most part completely ignored. DNS and identity and access management issues are starting to show cracks.</p>
<p>Check out Hoff&#8217;s blog <a title="Rational Survivability" href="http://www.rationalsurvivability.com/blog/" target="_blank">Rational Survivability</a> for more of his great insight into the cloud computing models and the security issues they raise.</p>

<p><a href="http://feedads.g.doubleclick.net/~at/sYg4iW5gizNNxPiP3WTa36HPBvU/0/da"><img src="http://feedads.g.doubleclick.net/~at/sYg4iW5gizNNxPiP3WTa36HPBvU/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~at/sYg4iW5gizNNxPiP3WTa36HPBvU/1/da"><img src="http://feedads.g.doubleclick.net/~at/sYg4iW5gizNNxPiP3WTa36HPBvU/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SecurityBytes/~4/oTJ0Em3TRc4" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/security-bytes/cigitals-gary-mcgraw-talks-cloud-security-with-chris-hoff/feed/</wfw:commentRss>
		<feedburner:origLink>http://itknowledgeexchange.techtarget.com/security-bytes/cigitals-gary-mcgraw-talks-cloud-security-with-chris-hoff/</feedburner:origLink></item>
		<item>
		<title>Email archiving vendor sues Gartner, doesn’t see magic in quadrant</title>
		<link>http://feedproxy.google.com/~r/SecurityBytes/~3/lMSXsxmcd40/</link>
		<comments>http://itknowledgeexchange.techtarget.com/security-bytes/email-archiving-vendor-sues-gartner-doesn%e2%80%99t-see-magic-in-quadrant/#comments</comments>
		<pubDate>Thu, 22 Oct 2009 15:23:30 +0000</pubDate>
		<dc:creator>Robert Westervelt</dc:creator>
		
		<category><![CDATA[Security Vendor News]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/security-bytes/email-archiving-vendor-sues-gartner-doesn%e2%80%99t-see-magic-in-quadrant/</guid>
		<description><![CDATA[ZL Technologies is seeking $1.7 billion in damages from Gartner Inc. Analyst firm dismisses claims. 
ZL Technologies Inc., an email archiving vendor, is suing analyst firm Gartner for eroding its market presence by consistently ranking it in the lower quadrant of its popular Magic Quadrant as a niche player in the market analysis report.
The ZL [...]]]></description>
			<content:encoded><![CDATA[<p><strong>ZL Technologies is seeking $1.7 billion in damages from Gartner Inc. Analyst firm dismisses claims. </strong></p>
<p>ZL Technologies Inc., an email archiving vendor, is suing analyst firm Gartner for eroding its market presence by consistently ranking it in the lower quadrant of its popular Magic Quadrant as a niche player in the market analysis report.</p>
<p>The <a title="ZL Technologies vs Gartner " href="http://www.zlti.com/courtdocs/" target="_blank">ZL lawsuit</a> was filed in May. Gartner filed a motion to dismiss the case citing the First Amendment. The lawsuit is continuing this month as both parties argue whether the case should be dismissed.</p>
<p>ZL Technologies CEO Kon Leong said Gartner consistently ranks vendors with big marketing and sales budgets at the top of its Magic Quadrant. ZL Technologies also sells compliance and encryption products. Leong says his company’s eDiscovery capabilities consistently beat large vendor products, such as Symantec, but ZL Technologies gets poor marks for its sales and marketing budget.</p>
<p>Despite low investments in sales and marketing, Leong said his firm has a proven track record and has survived for 10 years.</p>
<p>“We’ve sustained profitability,” Leong said in an interview. “We’ve garnered enough resources to launch challenge against Gartner without affecting our business.”</p>
<p>Still, the firm’s bad Magic Quadrant standing has resulted in losing customers and is making it difficult for the firm to increase sales, Leong said. In the interview, Leong cited a customer win in Asia where the customer was pressured by management to pull out of the deal as a result of the Gartner report. In other cases, the company is being immediately dismissed despite being praised in the report for its features and core capabilities.</p>
<p>“We can go head-to-head with the big guys, but now we’re not being invited to the party in first place because of Gartner and that hurts the most,” Leong said.</p>
<p>My colleague Beth Pariseau wrote a blog entry at Storage Soup detailing the <a title="Storage Soup" href="http://itknowledgeexchange.techtarget.com/storage-soup/email-archiving-vendor-sues-gartner-over-magic-quadrant/" target="_blank">ZL Technologies lawsuit</a>. In it, Beth asks readers: Does ZL have a point about the weight being given to a subjective report in technical purchasing decisions? Or is this a case of impugning an evaluative process because of a disliked outcome?</p>
<p>Michael Krigsman, CEO of software consultancy Asuret, Inc., wrote in a blog entry that the lawsuit does call into question the <a title="Sour grapes or real gripes?" href="http://www.enterpriseirregulars.com/EI/38306" target="_blank">ties analyst firms have with vendors</a>. Still, Gartner’s analysis could be subjective, he said.</p>
<blockquote><p>Analyst research and reporting is not an exact science, which does lead to real or perceived conflicts of interest. The analyst industry can reduce potential conflicts by improving transparency around how it forms opinions and makes recommendations. … To increase transparency, analyst firms should also disclose their revenue relationships with vendors.</p></blockquote>
<p>Unfortunately, that could open a big can of worms. It’s a slippery slope that some say could erode the First Amendment. Increasing transparency by disclosing revenue relationships with vendors would somewhat erode the integrity of the product by saying that the analyst who wrote the report could be somehow persuaded to give a firm positive play for its investment in the analyst firm. I don’t doubt that there are some bad apples out there who cave in to pressures to alter their opinion on a product or service, but I’m willing to bet that the vast majority of industry analysts (many of whom I know are experts in their field) want to protect the integrity of their work and stay away from the financial side of the company they work for. After all, the quality and integrity of their analysis is how they gain respect.</p>
<p>Earlier this month Gartner analyst Thomas Bittman addressed the issue of analyst integrity in a blog entry appropriately titled: <a title="A Rant - My Integrity as an Analyst" href="http://blogs.gartner.com/thomas_bittman/2009/10/08/a-rant-my-integrity-as-an-analyst/" target="_blank">A Rant – My Integrity as an Analyst</a>. Bittman, a vice president and distinguished analyst, has been with Gartner for more than 14 years.</p>
<blockquote><p>I understand the impression in the marketplace that analyst firms can be bought. But that’s not where I work. My integrity is very important to me. I’m sure we’ll continue to make enemies of vendors, and bloggers who have a vested interest in one thing or another. Badge of honor! But my goal is to provide value to my clients, and to be proven right over time – priceless!</p></blockquote>

<p><a href="http://feedads.g.doubleclick.net/~at/P7IBZKR8mEm17hQP6Sou0ACcUEk/0/da"><img src="http://feedads.g.doubleclick.net/~at/P7IBZKR8mEm17hQP6Sou0ACcUEk/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~at/P7IBZKR8mEm17hQP6Sou0ACcUEk/1/da"><img src="http://feedads.g.doubleclick.net/~at/P7IBZKR8mEm17hQP6Sou0ACcUEk/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SecurityBytes/~4/lMSXsxmcd40" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/security-bytes/email-archiving-vendor-sues-gartner-doesn%e2%80%99t-see-magic-in-quadrant/feed/</wfw:commentRss>
		<feedburner:origLink>http://itknowledgeexchange.techtarget.com/security-bytes/email-archiving-vendor-sues-gartner-doesn%e2%80%99t-see-magic-in-quadrant/</feedburner:origLink></item>
		<item>
		<title>A good business model: Symantec reports on “scareware”</title>
		<link>http://feedproxy.google.com/~r/SecurityBytes/~3/cLt5yNCAl3g/</link>
		<comments>http://itknowledgeexchange.techtarget.com/security-bytes/a-good-business-model-symantec-reports-on-scareware/#comments</comments>
		<pubDate>Mon, 19 Oct 2009 22:34:58 +0000</pubDate>
		<dc:creator>Neil Roiter</dc:creator>
		
		<category><![CDATA[Rogue Antivirus]]></category>

		<category><![CDATA[Antivirus]]></category>

		<category><![CDATA[antivirus software]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/security-bytes/?p=1359</guid>
		<description><![CDATA[Report finds cybercriminals well organized in coordinated rogue antivirus schemes. 
Maybe we’ve made people too security conscious?
 
I’m being facetious, but if we hadn’t succeeded in scaring people straight into worrying about identity-stealing malware and phishing attacks, would so many fall for rogue antivirus scams? I confess, I’m more tempted to click yes, please make [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Report finds cybercriminals well organized in coordinated rogue antivirus schemes. </strong></p>
<p>Maybe we’ve made people too security conscious?</p>
<p class="MsoNormal" style="margin: 0in 0in 0pt"><span><span style="font-size: small;font-family: Times New Roman"> </span></span></p>
<p>I’m being facetious, but if we hadn’t succeeded in scaring people straight into worrying about identity-stealing malware and phishing attacks, would so many fall for rogue antivirus scams? I confess, I’m more tempted to click yes, please make my PC whole again when I see a pop-up that looks even more like Windows Security Center than Windows Security Center than I am to click a link to address a bogus issue with my bank account security or, certainly, to respond to a sales pitch for cheap Viagra or breast implants.</p>
<p>The “<a href="http://www.symantec.com/business/theme.jsp?themeid=threatreport">Symantec Report on Rogue Security Software</a>” covering a year (July 2008-June 2009) of “scareware” paints an all-too-familiar picture of organized cybercrime that is…very well organized.</p>
<p>Consider that this is a direct pay model. You give the AV “vendor” your credit card number, paying anywhere from $30 to $100 for software that at best does nothing at all and at worst drops some really nasty malware on your hard drive. They’ll often use legitimate credit card transaction companies (it’s just good business practice) because phony transaction handlers are likely to be discovered and shut down.</p>
<p>The scareware vendors use networks of affiliates, who use dedicated websites, banner ads, spam and spyware to download the “YOUR PC IS INFECTED!! TO BE SURE YOU ARE FREE OF MALWARE, PURCHASE XPANTIVIRUS” message. According to the report, the affiliates get between a penny and 55 cents per installation, the highest payoffs going for drops on U.S. computers. Affiliates get a lot more if someone actually buys the rogue software.</p>
<p>Symantec received reports of 43 million rogue security software attempts to install the more than 250 distinct examples of rogue AV software it identified.</p>
<p>The report echoed many of the findings of Panda Security in a <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1363031,00.html">July report.</a></p>
<p><a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1363031,00.html"></a></p>

<p><a href="http://feedads.g.doubleclick.net/~at/qWV7pl3_mw6arC9b1176ZA3lYJU/0/da"><img src="http://feedads.g.doubleclick.net/~at/qWV7pl3_mw6arC9b1176ZA3lYJU/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~at/qWV7pl3_mw6arC9b1176ZA3lYJU/1/da"><img src="http://feedads.g.doubleclick.net/~at/qWV7pl3_mw6arC9b1176ZA3lYJU/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SecurityBytes/~4/cLt5yNCAl3g" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/security-bytes/a-good-business-model-symantec-reports-on-scareware/feed/</wfw:commentRss>
		<feedburner:origLink>http://itknowledgeexchange.techtarget.com/security-bytes/a-good-business-model-symantec-reports-on-scareware/</feedburner:origLink></item>
		<item>
		<title>Is it time for security managers to get tough?</title>
		<link>http://feedproxy.google.com/~r/SecurityBytes/~3/qACu6cxco_k/</link>
		<comments>http://itknowledgeexchange.techtarget.com/security-bytes/is-it-time-for-security-managers-to-get-tough/#comments</comments>
		<pubDate>Thu, 15 Oct 2009 18:18:53 +0000</pubDate>
		<dc:creator>Marcia Savage</dc:creator>
		
		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/security-bytes/?p=1350</guid>
		<description><![CDATA[With so many of the same security problems plaguing organizations year after year, it&#8217;s time to get tough, a health care security executive suggested Tuesday during a panel discussion at the Cornerstones of Trust 2009 conference in Foster City, Calif.
Connie Sadler, information security officer at Lucile Packard Children&#8217;s Hospital at Stanford, said some security challenges [...]]]></description>
			<content:encoded><![CDATA[<p>With so many of the same security problems plaguing organizations year after year, it&#8217;s time to get tough, a health care security executive suggested Tuesday during a panel discussion at the Cornerstones of Trust 2009 conference in Foster City, Calif.</p>
<p>Connie Sadler, information security officer at Lucile Packard Children&#8217;s Hospital at Stanford, said some security challenges from 20 years ago continue today. Security managers started out as tough but became less so as systems became more distributed and employees did their own thing, she said.</p>
<p>&#8220;I think we&#8217;ve lost control,&#8221; Sadler said, suggesting a range of corrective steps, including whitelisting, better access controls, and punitive action such as fines.</p>
<p>&#8220;There&#8217;s no consequence for having a bad password,&#8221; she said. &#8220;Maybe there needs to be a consequence for not doing basic things&#8230; We need to introduce more discipline into our environment.&#8221;</p>
<p>But responding to a question from the audience, Sadler acknowledged that the tough approach needs to be balanced. &#8220;Don&#8217;t we need both the carrot and the stick?&#8221; asked security luminary Donn Parker.</p>
<p>&#8220;There does need to be a balance,&#8221; Sadler agreed. &#8220;People shy away from doing the right thing because they don&#8217;t have the knowledge&#8230; It comes back to us. We need to train people.&#8221;</p>
<p>The annual Cornerstones of Trust is co-hosted by ISSA&#8217;s Silicon Valley and San Francisco chapters and San Francisco Bay Area InfraGard.</p>

<p><a href="http://feedads.g.doubleclick.net/~at/h40YGxuHUgLk8UyhXJQW8bdpRuM/0/da"><img src="http://feedads.g.doubleclick.net/~at/h40YGxuHUgLk8UyhXJQW8bdpRuM/0/di" border="0" ismap="true"></img></a><br/>
<a href="http://feedads.g.doubleclick.net/~at/h40YGxuHUgLk8UyhXJQW8bdpRuM/1/da"><img src="http://feedads.g.doubleclick.net/~at/h40YGxuHUgLk8UyhXJQW8bdpRuM/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SecurityBytes/~4/qACu6cxco_k" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/security-bytes/is-it-time-for-security-managers-to-get-tough/feed/</wfw:commentRss>
		<feedburner:origLink>http://itknowledgeexchange.techtarget.com/security-bytes/is-it-time-for-security-managers-to-get-tough/</feedburner:origLink></item>
	</channel>
</rss>
