So I was delighted to read this today on Ars Technica:

On the application front, Facebook will tweak its application system in September to introduce new badge branding for applications that are verified to be safe. A “Great Apps” label will also appear for applications that embody all ten of Facebook’s guiding principles that dictate how good apps should behave (apps that are meaningful, trustworthy, transparent, fast, etc.).

This isn’t enough, but it’s a promising start.

Hook
New York’s chief information security officer William Pelgrin and his team sent mock phishing emails to 10,000 New York State employees. The messages appeared to be official notices asking them to click on Web links to provide passwords and other confidential information. Upon the first run, 75 percent of employees opened the email, 17 percent followed the link and 15 percent entered confidential information. The employees were informed that they had been scammed and were then sent a second mock-phishing message. After the second run, only eight percent of employees even opened the email.

Catch
Phishing has become an epidemic. According to Rohyt Belani, CEO of Intrepidus Group, “Spear Phishing exploits human vulnerability. Thus our service focuses on the human element.” Expert organizations such as iDefense, SANS, and Carnegie Mellon University support employee training and mock phishing exercises to train their end users. Even the U.S. Department of Defense and Coast Guard have ordered mandatory spear phishing training. According to a recent report by iDefense Labs, a security and vulnerability research organization, phishing groups have claimed more than 15,000 corporate victims between February 2007 to June 2008. The victim losses exceeded $100,000. The victims tend to be employees at Fortune 500 companies, financial institutions, government agencies and legal firms, but everyone is at risk.

Whaling Attacks
Cyber criminals are now in a sense stalking their victims. According to Belani, cyber criminals are scouting career Web sites such as Monster.com and social networking sites to craft up targeted phishing emails. Whaling attacks, in which cyber criminals target high-level employees, are also a threat. Imagine the data breach that could ensue if a high-level executive typed in his/her password on a phishing Web link, and the results of that confidential information ending up in the wrong hands. “Hackers will target C-level executives. They go to the company Web sites to find the names of CTOs and CEOs. Then they draft emails to their potential victims that appear to come from the CEO of the company.” Although mass-phishing campaigns are often caught by anti-spam filters, spear phishing attacks resemble legitimate emails and often go undetected. Training end users against spear phishing attacks will defeat cyber criminals comparable to Ahab in his quest for Moby Dick.

Safe Swimming
Although PhishMe will offer your company valuable statistics that can prove your ROI, provide educational anti-phishing messages, and possibly protect you from a data breach, it will cost you (although, not nearly as much as a breach). Pricing is set with two license models: a one-time message delivery or an annual subscription with an unlimited number of messages, but expect to spend thousands for either option.

If you work for a small business or your budget doesn’t allocate for awareness training, consider sending your own message including a link to the Anti-Phishing Phil game. Carnegie Mellon University students and faculty created a similar Web based game that teaches which Web links are safe to click on and which ones are possible phishing scams. The game does not offer metrics to prove your ROI, but it is free. Visit http://cups.cs.cmu.edu/antiphishing_phil/quiz/index.html to play. (There is also a Portuguese version of the game at http://seguranca.sapo.pt/phishingze/).

No matter which solution you decide to utilize, some words of advice from PhishMe.com: “Phish your employees before hackers do!”

Now we’ve heard the news that Vista has the dubious honor of being nominated for a Pwnie award for “Most Epic FAIL.” The biggest loser will be announced Wednesday, Aug. 6 during BlackHat.

I’m not certain what the prize is. A statuette? A plaque? A sash, tiara and sparkly wand? (I’m hoping for the last one.)

Things kicked off with the release of a research report that made some headlines because it claimed that business travelers lose more than 12,000 laptops per week in U.S. airports. No sooner had this received some online news coverage than readers posting comments suggested that the numbers sounded too high.

They really do sound too high. A quick reality check raises a red flag or anyone who travels by air with any regularity. The TSA says some 10 million travelers pass through its checkpoints each week. At the rate of 12000 losses per week, you’d expect one notebook lost per 833 passengers through the mill.

Most of us have spent more time than we’d like to think about standing in airport security lines with several hundred fellow passengers. Is it true that someone loses a laptop in the interval between my joining the line and my getting my shoes retied on the other side of the X-ray? That doesn’t square with my sense of what the TSA officers around me in those instances are focusing on. It’s an anecdotal reality check at best, but still it seems fishy.

Ponemon was taken to task in relatively short order in a Computer World article by Patrick Thibodeau, who noted that, whereas Ponemon’s report claimed that an average of 1000 computers went missing at Miami International Airport each week, data provided to Computerworld by the airport officials showed that “for all of 2007, 68 laptops were reported stolen and 480 were turned in to the airport’s lost and found.” At Dulles, where the study estimates 400 lost laptops per week, “43 laptops were turned over to the airport’s lost and found in 2007.”

On the one hand, the article arguably punched some serious holes in the study. And it didn’t help the general perception that the study was underwritten by Dell, with the release of the study timed to coincide with Dell’s introduction of notebooks offering special loss-recovery features. (Ponemon says the research project was initiated several months before Dell contacted his institute in May 2008.)

However it may have looked to the casual observer, I think it’s important to note that there’s really no reason to believe that the report is in any way disingenuous with regard to what survey respondents told the research team. TSA checkpoint workers were asked how often they thought notebooks were lost, even if only temporarily. They answered and, on the face of it, they don’t seem to know what they’re talking about.

On the flip side of the coin, the airport theft reports may under-report the losses. There’s no particular reason to think that the airport security offices report laptop losses more accurately than TSA checkpoint workers. It’s interesting, though, that the two possibilities are so impossibly far apart. If one answer is correct, then the other answer is two orders of magnitude wrong.

R.R.

Most security measures–access control, encryption, etc.–are generally achieved through software. Yet trusted computing achieves many of these same security measures through hardware (thus, requiring an attacker to attain the harder-to-attain physical access).

The TPM chip can protect data (and satisfy a lot of compliance requirements) through whole-disk encryption and provides a secure environment for storing encryption keys.

By marrying the TPM with some components of NAC solutions (this is what TCG’s Trusted Network Connect series of standards is all about) you can go further than simply verifying the “health” of a device, you actually authenticate the device. Thus, just knowing credentials isn’t enough to gain access–an attacker must also have physical access to the device.

Trusted computing reduces reliance on passwords and takes the responsibility for many security controls out of the hands of end users–both so they can’t accidentally/ignorantly do insecure things and so that they can’t intentionally circumvent security controls.

And it does all this inexpensively, using hardware you’ve probably already got. (TPM chips are in somewhere near 200 million computers, including Macs.)

Yet actual use of the TPM is limited–how limited is unclear, since those numbers are hard to get. So we’ll be gathering our own numbers. The entire August issue of the Alert–solely for CSI members–will be devoted to trusted computing, and we’ll survey our member base on their trusted computing practices and perspectives. (Trusted computing will also be the topic of one of our new summits at the CSI 2008 conference in November.)

The bigger question, though is why is it limited. Why aren’t more enterprises using trusted computing? Brian Berger, a member of the TCG board of directors, representing Wave Systems, has a few ideas. The first hurdle to clear was “saturation”–having enough of an enterprise’s machines equipped with the TPM hardware. Until that happened, enterprise IT folks weren’t really ready to consider it. The saturation hurdle is now just about cleared.

The rest of it seems mainly to be an awareness problem and a frame-of-mind problem. Berger said that when he talks to CIOs about the various uses and benefits of trusted computing (and Wave’s associated products), he says “And you already have this [hardware and capability]. And they say, ‘We do?’” Further, even the people who know what a TPM chip is and does, don’t seem to quite know how to apply it. It’s quite a different model than most common security products.

But in fact, it’s hard to find a reason why an enterprise should not start seriously investigating and embracing trusted computing… but we’ll keep trying to find one anyway. More info as the Alert issue develops (but not all the info… cause that’s just for members).