<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://security.sys-con.com"  xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Latest News from Web Security Journal</title>
 <link>http://security.sys-con.com/</link>
 <description>Latest News from Web Security Journal</description>
 <language>en</language>
 <copyright>Copyright 2012 Ulitzer.com</copyright>
 <generator>Ulitzer.com</generator>
 <lastBuildDate>Wed, 16 May 2012 10:04:04 EDT</lastBuildDate>
 <docs>http://backend.userland.com/rss</docs>
 <ttl>360</ttl>
 <image> <title>Latest News from Web Security Journal</title>
 <url></url>
 <link>http://security.sys-con.com/</link>
</image>
<item>
 <title>Federal Cybersecurity and IT News Round-Up</title>
 <link>http://security.sys-con.com/node/2278366</link>
 <description>Today&amp;#8217;s federal cybersecurity and information technology news: The U.S. Office of Naval Research is partnering with Chilean scientists to develop a mobile application to provide information helpful in countering pirates, arms traffickers, and illegal fishermen. More here. The Army&amp;#8217;s 780th Military Intelligence Brigade, which handles cyber systems security and intelligence, is looking to hire 400 civilian employees. More [...]&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2278366&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 16 May 2012 07:30:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2278366</guid>
 <comments>http://security.sys-con.com/node/2278366#feedback</comments>
</item>
<item>
 <title>Attacks from Within</title>
 <link>http://security.sys-con.com/node/2274921</link>
 <description>Just as business critical as perimeter security, having strong internal controls to manage users is important. Using cloud-managed security tools can help reduce incidents.
So much is written about the events outside your perimeter; those nefarious and shadowy individuals and offshore syndicates who are looking to steal technology or personal data or piggyback on your servers to peddle everything from pirated products to pornography, implant botnets or viruses, or simply to create corporate chaos. With all that weighing on our collective IT asset protection strategies, it is easy to miss what a new Carnegie Mellon report is pointing to as one of the fastest growing threats…insider breaches. Even KPMG says this threat has tripled since 2007.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2274921&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 15 May 2012 10:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2274921</guid>
 <comments>http://security.sys-con.com/node/2274921#feedback</comments>
</item>
<item>
 <title>Cyber Physical Systems Virtual Organization Holds National Symposium</title>
 <link>http://security.sys-con.com/node/2276098</link>
 <description>On 11 June 2012 the Cyber Physical Systems Virtual Organization will be holding a symposium on Moving Target Research. In this context, think of Moving Target as meaning the creation of a dynamic attack surface to adversaries done in a way that dramatically increases the work factor required to successfully attack a system. This cybersecurity research [...]&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2276098&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 14 May 2012 07:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2276098</guid>
 <comments>http://security.sys-con.com/node/2276098#feedback</comments>
</item>
<item>
 <title>Americans More Concerned About Cybersecurity Than Terrorism</title>
 <link>http://security.sys-con.com/node/2274292</link>
 <description>Here are today&amp;#8217;s federal cybersecurity and information technology news: The Missile Defense Agency has issued a request for proposals for new methods to identify counterfeit electronics. More here. The Federal Bureau warns travelers not to update software on hotel wireless networks due to the risk of fake or malicious update messages. More here. The Department of Defense&amp;#8216;s National [...]&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2274292&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 10 May 2012 05:15:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2274292</guid>
 <comments>http://security.sys-con.com/node/2274292#feedback</comments>
</item>
<item>
 <title>Review of Certificate of Cloud Security Knowledge</title>
 <link>http://security.sys-con.com/node/2269087</link>
 <description>Recently (well, last night) I had the opportunity to take the Certificate of Cloud Security Knowledge exam and just wanted to put out some of my thoughts while they were fresh in my head. I always like to take a random sampling of certifications. It’s fun to challenge myself (some are more challenging than others) and it gives me a good idea of what sorts of training and certificates I’d like my guys to have (if any). I’ve never been the biggest fan of some of the bigger ones out there, but we’ll save that for another post.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2269087&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sun, 06 May 2012 06:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2269087</guid>
 <comments>http://security.sys-con.com/node/2269087#feedback</comments>
</item>
<item>
 <title>Top Ten Firewall Management Metrics that Matter…and Why</title>
 <link>http://security.sys-con.com/node/2266270</link>
 <description>If you look at some of the headline-making breaches of the past few years, they all occurred at large companies with highly dynamic and complex computing environments. Securing these environments is impossible to do without automation, which is why so much of the innovation in IT security in recent years has been focused on automating security management.
Network security is one area where systems have become too complex to manage manually. Let’s take firewalls as a case in point. A single firewall can have hundreds or thousands of rules, each made up of three components: source, destination and service. Next-generation firewalls add at least two additional fields – users and applications. 
Larger companies have hundreds of firewalls, usually from multiple vendors, in multiple geographies, managed by different people. That’s just for starters – any number of factors can exponentially increase the degree of firewall complexity. While rare, in extreme situations a particularly bloated or neglected rule base – or even a simple typo while configuring a rule – if left untended, can result in a situation where a firewall can introduce more risk than it prevents. &lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2266270&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sat, 05 May 2012 13:30:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2266270</guid>
 <comments>http://security.sys-con.com/node/2266270#feedback</comments>
</item>
<item>
 <title>Try App Whitelisting to Mitigate Malware</title>
 <link>http://security.sys-con.com/node/2268687</link>
 <description>There will always be a threat from malware - malicious software that is designed to steal or corrupt data on computers. Malware affects everyone from security services to silver surfers, and when it isn’t checked it can wreak havoc.
Ultimately, it doesn’t matter what size your business is, whether you’re a multinational or a sole trader, the threat from malware is real and present, which means that you’ll need a solution. Usually this means anti-virus software, but keeping on top of updates and distributing these to all of the computers in your organization requires regular attention.
Can application whitelisting help? Is it even a valid alternative, or should your business stick to the tried and tested solution of anti-virus software and malware removal tools that detect and quarantine malicious software, keyloggers, rootkits and Trojans? &lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2268687&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 04 May 2012 11:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2268687</guid>
 <comments>http://security.sys-con.com/node/2268687#feedback</comments>
</item>
<item>
 <title>Coordinating Security Information</title>
 <link>http://security.sys-con.com/node/2269807</link>
 <description>A recent article in Government Computer News raised the topic of FISMA reporting, specifically describing the “pessimism” of many USG agencies over meeting the September 2012 deadline for “using continuous monitoring to meet Federal Information Security Management Act reporting requirements.” The article cites a survey of over 200 government IT professionals, conducted by RedSeal Networks, in which 55% of respondents felt they won’t be ready, or don’t know if they will be ready, by the deadline. One can certainly debate the significance of the number of agencies expressing concern over meeting the deadline, and the reasons given would likely drag the conversation to arguing over the validity of a deadline set by government for something that is far more complex than “flipping a switch.” But set that aside for the moment.
More interesting is the fact that, when you look at the responses by the role of the respondents, “53 percent of security managers, administrators and auditors expected to meet the Sept. 30 deadline, while only 28 percent of CIOs and chief information security officers expected to.” Mike Lloyd, RedSeal’s CTO, said “This is an interesting finding, not what a cynic might expect.” That cynic would expect the typical (over-)confidence of an executive, the one telling folks “no problem, we’re right on track” while the IT managers, the ones actually tasked with the design, deployment and operation of relevant systems, the feverish scramble to find the right tools, the right people, and the right data to meet the reporting requirement.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2269807&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 04 May 2012 10:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2269807</guid>
 <comments>http://security.sys-con.com/node/2269807#feedback</comments>
</item>
<item>
 <title>Would Metadata Cleaning Spoil Your Evidence?</title>
 <link>http://security.sys-con.com/node/2267832</link>
 <description>RPost’s latest integration with Esquire is called iScrub.  This new product removes metadata from important “reusable” documents such as loan application forms.  One of the questions raised by using a product like this is what effect metadata cleaning would have on evidence used in the courtroom.  We asked RPost CEO Zafar Khan to weigh in on how metadata changes electronic documents and the effect that can have.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2267832&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 03 May 2012 07:45:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2267832</guid>
 <comments>http://security.sys-con.com/node/2267832#feedback</comments>
</item>
<item>
 <title>680% Increase in Cyberattacks Against Government</title>
 <link>http://security.sys-con.com/node/2264773</link>
 <description>Today&amp;#8217;s federal cybersecurity and information technology news: The White House has threatened to veto the Cyber Intelligence Sharing and Protection Act (CISPA) if it reaches the President in its current form. More here. The Office of Management and Budget agrees, asking President Obama to veto the bill. More here. The Federal Bureau of Investigation (FBI) raided the [...]&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2264773&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 30 Apr 2012 06:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2264773</guid>
 <comments>http://security.sys-con.com/node/2264773#feedback</comments>
</item>
<item>
 <title>Scott McNealy&#039;s Wayin...for Enterprise Security</title>
 <link>http://security.sys-con.com/node/2261593</link>
 <description>Study after study refutes the myth that cybersecurity is compromised by malicious, brilliant hackers. Advanced persistent threats, state-sponsored hackers, and foreign intelligence agencies are serious threats, especially to major targets, but the vast majority of breaches and leaks result from the cyber equivalent of forgetting to lock your door or losing your wallet. Two recent, [...]&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2261593&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 26 Apr 2012 09:45:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2261593</guid>
 <comments>http://security.sys-con.com/node/2261593#feedback</comments>
</item>
<item>
 <title>Keeping Your Network Security One Step Ahead</title>
 <link>http://security.sys-con.com/node/2258727</link>
 <description>Advanced malicious content and attacks are starting to threaten conventional network filtering technologies that are not able to keep up with the increased volume and complexity of network traffic. Currently, one in every 14 downloads contains malicious content that may create operational, reputational and customer relationship management challenges. The Global State of Information Security survey conducted by PwC in 2012 found that 57 percent of security experts are dissatisfied with their information security strategy. When malware and non-compliant data slip through the networks undetected, organizations are at risk for IT infrastructure damage and information leakage.
The explosion of social media, mobile data usage and cloud computing has introduced new threats that demand a different approach to security. Deep Packet Inspection (DPI) and packet filtering are two of the standard inspection technologies that secure networks at the packet level; unfortunately, these technologies have limited efficiency and cannot adequately scale to provide optimal security with the evolving Internet.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2258727&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 24 Apr 2012 08:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2258727</guid>
 <comments>http://security.sys-con.com/node/2258727#feedback</comments>
</item>
<item>
 <title>Contradicting Earlier Reports, Flashback Malware Infections Still High</title>
 <link>http://security.sys-con.com/node/2257131</link>
 <description>Symantec reported this past Wednesday that the number of total Flashback infections was down to approximately 140,000 from around half a million. However, the company has since revised its estimate to note that its method for detecting infected systems is reporting &amp;#8220;limited infection counts,&amp;#8221; as discovered by virus analysts at Dr. Web.  Read the full [...]&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2257131&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 23 Apr 2012 05:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2257131</guid>
 <comments>http://security.sys-con.com/node/2257131#feedback</comments>
</item>
<item>
 <title>Terrorism Research Center Reconstitutes as Non-Profit Organization</title>
 <link>http://security.sys-con.com/node/2255707</link>
 <description>I took great pleasure in reading the release below regarding the reconstitution of the Terrorism Research Center. The founders of the Terrorism Research Center (Matthew Devost, Brian Houghton, and Neal Pollard) are all highly regarded national security professionals and thought leaders who bring years of proven past performance to helping the nation.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2255707&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 20 Apr 2012 05:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2255707</guid>
 <comments>http://security.sys-con.com/node/2255707#feedback</comments>
</item>
<item>
 <title>Complying with PCI DSS – Part 3</title>
 <link>http://security.sys-con.com/node/2255528</link>
 <description>According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals.&amp;#160; Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies.&amp;#160; The essential framework [...]&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2255528&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 20 Apr 2012 01:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2255528</guid>
 <comments>http://security.sys-con.com/node/2255528#feedback</comments>
</item>
<item>
 <title>Alert Logic Reports Q1 2012 Results: Growing Revenue</title>
 <link>http://security.sys-con.com/node/2252851</link>
 <description>Alert Logic (&lt;a href=&quot;http://www.alertlogic.com&quot; title=&quot;www.alertlogic.com&quot;&gt;www.alertlogic.com&lt;/a&gt;), a provider of Security-as-a-Service solutions for the cloud, has announced GAAP revenues for the quarter ending March 31, 2012 of $6.7 million, up 45 percent from the first quarter of 2011, and up nearly 10 percent from the fourth quarter of 2011.
Driven by customer and partner demand, Alert Logic completed and integrated its first ever acquisition during the quarter. The acquisition of Armorlogic expands Alert Logic&#039;s portfolio of Security-as-a-Service solutions.
&quot;After a strong Q1, we remain on course to achieve our goal of being a $30 million company by mid-year,&quot; said Gray Hall, Alert Logic&#039;s president and CEO. &quot;We finished 2011 at a $25 million run-rate, and we are now more than halfway to reaching $30 million by the end of Q2.&quot;&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2252851&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 19 Apr 2012 10:38:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2252851</guid>
 <comments>http://security.sys-con.com/node/2252851#feedback</comments>
</item>
<item>
 <title>&quot;Bug Bounty&quot; Programs Encourage Responsible Disclosure</title>
 <link>http://security.sys-con.com/node/2251502</link>
 <description>The idea that you might pay someone else to keep a vulnerability quiet while you fix it may seem a bit backward to some in computer security. It would also seem to invite attacks on infrastructure. It&amp;#8217;s no surprise, then, that many companies with technological products don&amp;#8217;t have bug bounties. &lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2251502&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 18 Apr 2012 06:15:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2251502</guid>
 <comments>http://security.sys-con.com/node/2251502#feedback</comments>
</item>
<item>
 <title>Two Totally Different Ways to Do SQL Server Backup and Recovery</title>
 <link>http://security.sys-con.com/node/2244900</link>
 <description>This post is about how traditional database backup products work and how Zetta&#039;s new SQL server backup feature, which is part of our DataProtect solution, does the job in a distinctly different way. Both the solution and this post were created because finding a database backup solution for a medium-sized organization is painful.
Database Backup Using &quot;Full, Differential, and Log&quot; Modes
Most traditional database backup products use &quot;full, differential, and log&quot; based backup modes. So, what do these terms mean?&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2244900&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 13 Apr 2012 13:08:08 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2244900</guid>
 <comments>http://security.sys-con.com/node/2244900#feedback</comments>
</item>
<item>
 <title>BriteVerify Delivers Real-Time Email Verification Platform</title>
 <link>http://security.sys-con.com/node/2243211</link>
 <description>BriteVerify is the leader in email verification.  We deliver the simplest, fastest and most accurate real-time email verification platform available. This platform is designed for any company that builds or maintains an email marketing database and works with consumer, B2B and international email addresses.  BriteVerify provides a reliable safeguard against sending messages to invalid email addresses, a process that can significantly reduce marketing campaign ROI and damage a company’s sender reputation. BriteVerify requires no contracts, no set-up fees and has no monthly minimums.  Our users pay only for the transactional volume they use each month.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2243211&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 13 Apr 2012 12:44:23 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2243211</guid>
 <comments>http://security.sys-con.com/node/2243211#feedback</comments>
</item>
<item>
 <title>Cloud Expo New York: The Compliant Cloud</title>
 <link>http://security.sys-con.com/node/2166402</link>
 <description>Many organizations have embraced, or are considering, the benefits of cloud computing – speed, flexibility, increased expertise, shared workload, reduced costs, etc. The benefits are many – but so are the risks. What are the threats to cloud security? Which parties assume responsibility for securing the environment? What about the data? Which type of cloud deployment offers superior security benefits? 
In her session at the 10th International Cloud Expo, Kristin Lovejoy, Vice President of Information Technology Risk for IBM, will examine cloud computing from a security and compliance perspective.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2166402&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Fri, 13 Apr 2012 07:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2166402</guid>
 <comments>http://security.sys-con.com/node/2166402#feedback</comments>
</item>
<item>
 <title>School IT: Online Backup and Disaster Recovery at St. Francis High </title>
 <link>http://security.sys-con.com/node/2237536</link>
 <description>Larry Steinke of St. Francis High School needed a simple, low-maintenance data backup solution, so he could focus on other pressing IT needs at the school. With over 1700 students and 100 faculty members at the school, Steinke has a lot of data to manage. On a daily basis, the IT team at St. Francis deals with email, directory, and web services as well as cross-platform support and databases full of teacher and student files.
Previously, files were stored on tape in the vault at a fireproof facility at the school, but according to Steinke, &quot;I had to always check to see if it was having issues like disks filling up or backups failing. Sometimes it was difficult to find the necessary files to recover, making disaster recovery a real challenge.&quot;
Once the data from St. Francis was at Zetta&#039;s datacenters, it became available in a directly mountable file system for instant access or recovery, including historic versions of the files created through automated snapshots. Files can now be accessed in-place on the Zetta file service, transferred back to a local storage device, or both.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2237536&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 11 Apr 2012 13:34:28 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2237536</guid>
 <comments>http://security.sys-con.com/node/2237536#feedback</comments>
</item>
<item>
 <title>CTO Security Round-Up</title>
 <link>http://security.sys-con.com/node/2237658</link>
 <description>600,000+ Mac Computers Infected: While this kind of activity wouldn’t rouse much attention from those ensconced in WinTel (Windows and Intel) architectures, it is much less common for Mac users to be impacted by infections on this scale so quickly.  The infection, called Flashback, is installed via a Java vulnerability (CVE 2012-0507) which was patched [...]&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2237658&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 11 Apr 2012 07:45:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2237658</guid>
 <comments>http://security.sys-con.com/node/2237658#feedback</comments>
</item>
<item>
 <title>Stripping EXIF from Images as a Security Measure</title>
 <link>http://security.sys-con.com/node/2239159</link>
 <description>&lt;p&gt;&lt;em&gt;And you thought FourSquare was a security risk… &lt;/em&gt;&lt;/p&gt;  &lt;p&gt;&lt;a href=&quot;https://devcentral.f5.com/weblogs/images/devcentral_f5_com/weblogs/macvittie/Windows-Live-Writer/Scrubbing-Your-Images-as-a-Security-Meas_6BA2/exif-house_2.png&quot;&gt;&lt;img style=&quot;background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: left; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px&quot; title=&quot;exif-house&quot; border=&quot;0&quot; alt=&quot;exif-house&quot; align=&quot;left&quot; src=&quot;https://devcentral.f5.com/weblogs/images/devcentral_f5_com/weblogs/macvittie/Windows-Live-Writer/Scrubbing-Your-Images-as-a-Security-Meas_6BA2/exif-house_thumb.png&quot; width=&quot;261&quot; height=&quot;287&quot; /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Mobile phones with great cameras are an awesome tool. Many of the photos they take end up on Facebook, visible to friends, family and, well, friends of friends and maybe even the public. They get shared around so much, you can’t really be sure where they might eventually wind up. &lt;/p&gt;  &lt;p&gt;According to &lt;a href=&quot;http://www.quora.com/Justin-Mitchell&quot;&gt;Justin Mitchell&lt;/a&gt;, an engineer for Facebook Photos, answering a &lt;a href=&quot;http://www.quora.com/How-many-photos-are-uploaded-to-Facebook-each-day&quot;&gt;Quora question on the subject&lt;/a&gt; last year, Facebook has “over&lt;b&gt; 200 million photos uploaded per day&lt;/b&gt;, or around &lt;b&gt;6 billion per month&lt;/b&gt;.  There are currently almost &lt;b&gt;90 billion photos total &lt;/b&gt;on Facebook.  
This means we are, by far, the &lt;b&gt;largest photos site on the Internet&lt;/b&gt;.” &lt;/p&gt;  &lt;p&gt;As most of these are uploaded via modern cameras – whether on mobile phones or digital cameras – which are almost universally enabled with GPS technology, they almost all certainly include some data that you might not want others to find: the exact location the picture was taken. &lt;/p&gt;  &lt;p&gt;Pshaw! Many may think. After all, “checking in” via FourSquare and adding location to Facebook and Twitter posts is something many do regularly. But this data can be very dangerous, and not just for soldiers who have been warned against geotagging photos uploaded to Facebook, as cited by a recent Gizmodo article, “&lt;a href=&quot;http://gizmodo.com/5892054/us-soldiers-are-giving-away-their-positions-with-geotagged-photos&quot;&gt;US Soldiers Are Giving Away Their Positions with Geotagged Photos&lt;/a&gt;”: &lt;/p&gt;  &lt;p&gt;&lt;em&gt;The Army has issued a warning to its soldiers to stop geotagging their photos on Facebook and other social media outlets. Because it&#039;s putting soldiers in danger, and has been for years. &lt;/em&gt;&lt;/p&gt;  &lt;p&gt;Now you might not be worried about giving away the location of helicopters inside a compound that leads to the enemy being able to “conduct a mortar attack, destroying four of the AH-64 Apaches” there, but the risk to everyone exists. Those who share photos of their home or things in their home (can’t resist showing off your latest collectible addition to friends, can you?) are opening themselves up to theft, especially if they also like to broadcast their latest travel schedules via a host of other socially connected tools. 
Even if you aren’t actively sharing your address, all a potential thief needs to do is grab a photo of your fat loot and extract the GPS coordinates hidden in the EXIF data to find his target and then move in, right after you made sure everyone knew you were out of town by broadcasting your latest flight information (ATL –&amp;gt; ORD –&amp;gt; SEA). &lt;/p&gt;  &lt;p&gt;“But I’ve locked down my photos using Facebook’s privacy features!” you say. You might have done so, but do you really know everyone on your list of “friends”? Are they really who they claim to be? And did any of them &lt;em&gt;share &lt;/em&gt;your photo with their friends, and their friends? Facebook privacy doesn’t prevent the old standby of “save as” and “upload”, and a quick tag of your name and a Twitter search and bam! You’ve shared data with people you wouldn’t have, if only you had known. &lt;/p&gt;  &lt;p&gt;&lt;a href=&quot;https://devcentral.f5.com/weblogs/images/devcentral_f5_com/weblogs/macvittie/Windows-Live-Writer/Scrubbing-Your-Images-as-a-Security-Meas_6BA2/mediated%20exif%20stripping_2.png&quot;&gt;&lt;img style=&quot;background-image: none; border-right-width: 0px; margin: 0px 10px 0px 0px; padding-left: 0px; padding-right: 0px; display: inline; float: left; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px&quot; title=&quot;mediated exif stripping&quot; border=&quot;0&quot; alt=&quot;mediated exif stripping&quot; align=&quot;left&quot; src=&quot;https://devcentral.f5.com/weblogs/images/devcentral_f5_com/weblogs/macvittie/Windows-Live-Writer/Scrubbing-Your-Images-as-a-Security-Meas_6BA2/mediated%20exif%20stripping_thumb.png&quot; width=&quot;408&quot; height=&quot;342&quot; /&gt;&lt;/a&gt;While perhaps requiring a bit more paranoia than the average user (and an inherent distrust in humanity), there are very real security implications for a wide variety of folks to embedding Geotags in photos via EXIF, though perhaps those in service to 
their country more than others. &lt;/p&gt;  &lt;p&gt;There is a simple and more automated mitigation for this risk. In addition to turning off Geolocation tags on your camera or phone or manually eradicating the EXIF info from photos, a mediating application delivery service can, on-demand, strip this data from images. &lt;/p&gt;  &lt;h4&gt;&lt;font color=&quot;#c0504d&quot;&gt;MEDIATED EXIF STRIPPING &lt;/font&gt;&lt;/h4&gt;  &lt;p&gt;With the right application delivery tier implementation, mediated EXIF stripping is as simple as other content scrubbing exercises. Requests are received as normal for an image object. When the image is retrieved from the origin server, a service in the application delivery tier is invoked that strips EXIF data from the image before it is returned to the end-user or deposited in a caching solution. Subsequent requests for that same image, then, though served out of cache are also clear of potentially dangerous GPS information – without modifying the original.&lt;font color=&quot;#c0504d&quot;&gt;*&lt;/font&gt; &lt;/p&gt;  &lt;p&gt;That’s important, as for some folks having that information available to them may be necessary or desirable, but serving it up to the public may simply incur too much risk. &lt;/p&gt;  &lt;p&gt;Given the velocity with which we click and share photos today, we may be underestimating the associated risk. Others may think that’s just far too paranoid and desire to keep EXIF data in their images. This is another opportunity to monetize a service for providers. The right application delivery tier, capable of interpreting context as well as being instructed by external infrastructure (including applications), could be configured such that only image-containing responses with specific HTTP headers are subject to EXIF stripping. The more security-minded users may desire such a service – and be willing to pay for it – while others could simply continue on as they were, EXIF and all. 
&lt;/p&gt;  &lt;p&gt;And even if you aren’t concerned with potential security risks associated with EXIF, you might want to consider that stripping out that extraneous data from images like thumbnails and product shots can reduce the overall size of the image, which is a boon if you’re trying to improve overall performance – particularly on network and resource constrained devices like mobile phones. &lt;/p&gt;  &lt;p&gt;&lt;font color=&quot;#c0504d&quot;&gt;*&lt;/font&gt; Image optimization techniques are always best-effort and sometimes cannot be applied to an image given other factors. Also, if a positive caching model is used, the original image is served the first time it is requested, but not cached.  &lt;/p&gt;&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2239159&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 10 Apr 2012 04:30:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2239159</guid>
 <comments>http://security.sys-con.com/node/2239159#feedback</comments>
</item>
<item>
 <title>Cloud Computing Turns InfoSec Upside Down</title>
 <link>http://security.sys-con.com/node/2241648</link>
 <description>I had the opportunity to write a post for SecureWorld Post&amp;#8217;s site. You can view it at: http://secureworldpost.secureworldexpo.com/crawford-cloud-computing-turns-infosec-upside-down/&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2241648&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 09 Apr 2012 10:15:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2241648</guid>
 <comments>http://security.sys-con.com/node/2241648#feedback</comments>
</item>
<item>
 <title>Typemock Survey: Unit Testing Is Effective in Reducing Software Bugs</title>
 <link>http://security.sys-con.com/node/2235139</link>
 <description>Typemock, (&lt;a href=&quot;http://www.typemock.com/&quot; title=&quot;http://www.typemock.com/&quot;&gt;http://www.typemock.com/&lt;/a&gt;) a provider and pioneer of easy unit testing solutions, released today the results of their developer survey, finding that over 90 percent of developers agree that unit testing is an effective practice to reduce software bugs. Typemock surveyed developers from around the world to gather their opinion on the impact of software bugs. The global online survey showed that developers think that unit testing was more effective in reducing bugs than other practices, such as integration testing, pair programming, and QA. Only 50-70 percent of respondents find them to be effective in reducing bugs. &lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2235139&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 04 Apr 2012 15:41:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2235139</guid>
 <comments>http://security.sys-con.com/node/2235139#feedback</comments>
</item>
<item>
 <title>Botnet Takedowns; Anonymous Rumblings; Visa/Mastercard Breach</title>
 <link>http://security.sys-con.com/node/2229007</link>
 <description>Botnet takedowns make front page in this week&amp;#8217;s security news in review &amp;#160; This week saw a lot of activity on botnet control and disruption as several corporations struggled to disrupt or destroy major botnets and their command-and-control facilities. &lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2229007&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 02 Apr 2012 05:45:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2229007</guid>
 <comments>http://security.sys-con.com/node/2229007#feedback</comments>
</item>
<item>
 <title>Exploring the World of Malware</title>
 <link>http://security.sys-con.com/node/2225748</link>
 <description>As the bad guys get more sophisticated with launching online attacks on your business PCs, you have to get smarter about how you are protecting them. And in the past year, many of the traditional anti-virus vendors have improved their &amp;#8230; &lt;a href=&quot;http://strom.wordpress.com/2012/03/28/malware-is-changing-fortunately-so-are-security-vendors-approaches/&quot;&gt;Continue reading &lt;span class=&quot;meta-nav&quot;&gt;&amp;#8594;&lt;/span&gt;&lt;/a&gt;&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2225748&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 29 Mar 2012 07:30:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2225748</guid>
 <comments>http://security.sys-con.com/node/2225748#feedback</comments>
</item>
<item>
 <title>McAfee Brings Security to the MySQL Open Source Database Community</title>
 <link>http://security.sys-con.com/node/2220129</link>
 <description>McAfee has announced the availability of a free open source audit plug-in for MySQL database users to capture complete detailed activity audits from their databases. The free-of-charge plug-in was created and developed by McAfee as part of a new set of features for its award-winning database security solution. The new plug-in helps small and medium-sized businesses as well as larger enterprises satisfy audit requirements.
“McAfee developed the free database audit plug-in to give the community of MySQL users a means of building enterprise-level database security around their databases,” said Dan Sarel, vice president of Database Security Product Management at McAfee. “When coupled with the McAfee Database Activity Monitoring sensor for MySQL, the data is subject to the same real-time analysis and policy enforcement as the data collected from other supported databases.” &lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2220129&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 26 Mar 2012 08:05:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2220129</guid>
 <comments>http://security.sys-con.com/node/2220129#feedback</comments>
</item>
<item>
 <title>Meeting Government Security Standards</title>
 <link>http://security.sys-con.com/node/2196050</link>
 <description>Cyber security is a top priority for US government agencies seeking to protect critical information assets. As the number of attacks increases, so does the amount of data government needs to process. Federal agencies have therefore mandated support for stronger cryptographic keys and more robust algorithms. Naturally, electronic signature providers need to follow suit. 
Silanis meets the security certification standards issued by the National Institute of Standards and Technology (NIST) and the Joint Interoperability Test Command (JITC). &lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2196050&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 13 Mar 2012 02:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2196050</guid>
 <comments>http://security.sys-con.com/node/2196050#feedback</comments>
</item>
<item>
 <title>Which Handshake, Which Identity?</title>
 <link>http://security.sys-con.com/node/2192595</link>
 <description>Last week, I had the pleasure of discussing REST access control patterns with Enterprise Architects and partnering technology folks. I also had the opportunity to present on this topic and one of the questions that came up afterwards was from a security architect who was unsure whether OAuth would be a good fit for some [...]&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2192595&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 07 Mar 2012 07:45:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2192595</guid>
 <comments>http://security.sys-con.com/node/2192595#feedback</comments>
</item>
<item>
 <title>Top Four IT Trends to Master in 2012</title>
 <link>http://security.sys-con.com/node/2189462</link>
 <description>Last year saw some of the biggest security breaches to date, and some large organizations are feeling the heat. Anonymous and LulzSec made their presence known, taking on a large number of targets. RSA suffered a massive breach, inadvertently putting the security of its many customers in jeopardy. The Sony PlayStation Network had to be shut down following a breach. Even Apple cracked under an attack from malware writers. 
Whether this year will be as eventful remains to be seen but what we can predict is cybercriminals will continue to look to profit from their illicit activities, albeit with evolving tactics. Rather than wait for them to strike, a little foresight can help prepare to fight back. So, with this in mind, this article draws on the author’s experience of the corporate security landscape to predict four key threats he believes organizations will have to face in this Olympic year and how to mitigate them. Perhaps more important he also looks at the equally Olympic battle organizations face as they migrate away from Windows XP to Windows 7.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2189462&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 06 Mar 2012 07:00:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2189462</guid>
 <comments>http://security.sys-con.com/node/2189462#feedback</comments>
</item>
<item>
 <title>US Patriot Act: Red Herring? </title>
 <link>http://security.sys-con.com/node/2188824</link>
 <description>Is the US Patriot Act a red herring? Some European countries, as well as Brazil and China, have been using the U.S. Patriot Act as an excuse to set up barriers for the transfer of data into the U.S., but according to Business Software Alliance CEO Robert Holleyman, those countries have similar laws in place that allow them to inspect data when looking for evidence of terrorist activity. The reason for the barriers may be to stall America&#039;s growth in the cloud market, according to this InformationWeek article.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2188824&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 06 Mar 2012 05:00:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2188824</guid>
 <comments>http://security.sys-con.com/node/2188824#feedback</comments>
</item>
<item>
 <title>NASA Admits to Severe Security Breaches</title>
 <link>http://security.sys-con.com/node/2190749</link>
 <description>NASA was hacked 13 times last year, resulting in major breaches of sensitive government data. Hackers working from Chinese IP addresses gained full access to NASA’s files, employee credentials and system logs. Unencrypted laptops were also stolen containing codes for controlling the International Space Station. Read the full article at Reuters.com&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2190749&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 06 Mar 2012 04:00:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2190749</guid>
 <comments>http://security.sys-con.com/node/2190749#feedback</comments>
</item>
<item>
 <title>Linode Hacked, Bitcoins Stolen, Anonymous Arrests, NASA Hacks</title>
 <link>http://security.sys-con.com/node/2190016</link>
 <description>Linode Hacked, Bitcoins Stolen: Linode.com, a popular provider of virtual private server (VPS) systems, responded to a morning breach of its control panel software, which apparently enabled a malicious attacker to gain control over several virtual servers of a bitcoin service named Bitcoinica.  The Register has a conflicting report mentioning that attackers gained administrative access to [...]&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2190016&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 05 Mar 2012 08:00:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2190016</guid>
 <comments>http://security.sys-con.com/node/2190016#feedback</comments>
</item>
<item>
 <title>Why Passwords Will Remain Relevant: Duress</title>
 <link>http://security.sys-con.com/node/2188893</link>
 <description>With the continued rise in home-based and mobile working, the possibility of people being forced to access and potentially modify data during encounters with ne&amp;#8217;er-do-wells becomes a genuine security issue. For example, while there haven&amp;#8217;t been many cases reported yet, the time will come when the kid lurking in the alley with the switchblade, isn&amp;#8217;t [...]&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2188893&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 05 Mar 2012 07:45:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2188893</guid>
 <comments>http://security.sys-con.com/node/2188893#feedback</comments>
</item>
<item>
 <title>What’s Missing from Data Loss Prevention Solutions</title>
 <link>http://security.sys-con.com/node/2186032</link>
 <description>In most organizations today, there is sensitive data that is overexposed and vulnerable to misuse or theft, leaving IT in an ongoing race to prevent data loss. Packet sniffers, firewalls, virus scanners, and spam filters are doing a good job securing the borders, but what about insider threats? The threat of legitimate, authorized users unwittingly (or wittingly) leaking critical data just by accessing data that is available to them is all too real. Analyst firms such as IDC estimate that in 5 years, unstructured data, which makes up 80% of organizational data, will grow by 650%. The risk of data loss is increasing above and beyond this explosive rate, as more dynamic, cross-functional teams collaborate and data is continually transferred between network shares, email accounts, SharePoint sites, mobile devices, and other platforms. As a result, security professionals are turning to data loss prevention (DLP) solutions for help. Unfortunately, organizations are finding that these DLP solutions in many cases fail to fully protect critical data because they focus on symptomatic, perimeter-level solutions to a much deeper problem – the fact that users have inappropriate or excessive rights to sensitive information.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2186032&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 05 Mar 2012 06:00:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2186032</guid>
 <comments>http://security.sys-con.com/node/2186032#feedback</comments>
</item>
<item>
 <title>Kaazing WebSocket Gateway Security is Strong</title>
 <link>http://security.sys-con.com/node/2186639</link>
 <description>This is the second post of a two-part blog post that discusses HTML5 WebSocket and security. The first post, HTML5 WebSocket Security is Strong, talked about the security benefits that derive from being HTTP-compatible and the WebSocket standard itself. In this, the second post, I will highlight some of the extra security capabilities that Kaazing WebSocket Gateway offers.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2186639&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sat, 03 Mar 2012 05:00:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2186639</guid>
 <comments>http://security.sys-con.com/node/2186639#feedback</comments>
</item>
<item>
 <title>Storing Encryption Keys Outside the Cloud</title>
 <link>http://security.sys-con.com/node/2186644</link>
 <description>Startup Porticor (privately held) has released its &amp;#8220;Virtual Private Data&amp;#8221; solution for enterprises wishing to make more secure use of public cloud resources. Secure use of public resources requires encryption of data at rest and in motion, to minimize the possibility of even accidental data compromises. 39% of organizations say they have no plans to move [...]&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2186644&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sat, 03 Mar 2012 03:00:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2186644</guid>
 <comments>http://security.sys-con.com/node/2186644#feedback</comments>
</item>
<item>
 <title>Anonymous, Surfaces, and Gaps</title>
 <link>http://security.sys-con.com/node/2186646</link>
 <description>The 1980s Marine Corps doctrine of Maneuver Warfare (MW) heavily focused on the concept of &amp;#8220;surfaces and gaps.&amp;#8221; Marines, which largely defined themselves with frontal tactical and operational attacks against fortified sites in World War II maritime campaigns, would aim to move through existing weaknesses in the enemy&amp;#8217;s line in future campaigns rather than creating [...]&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2186646&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 01 Mar 2012 05:00:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2186646</guid>
 <comments>http://security.sys-con.com/node/2186646#feedback</comments>
</item>
<item>
 <title>Is Your Organization Living Below the Information Security Poverty Line?</title>
 <link>http://security.sys-con.com/node/2167158</link>
 <description>During the season of politics here in the US, I would like to borrow shamelessly from topics in the political debate with a look towards the state of information security.
According to CNN (Poverty Rate Rises as Incomes Decline), the number of US citizens living below what is considered the bare essentials is on the increase. I believe we can say the same for information security programs. According to SANS, the top security controls can be boiled down to 20 Critical Controls (Top 20 Critical Controls). These are regarded as the “poverty line” for an Information Security Program. The bare essentials needed for a program to live at a level regarded as a minimum standard.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2167158&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 01 Mar 2012 04:00:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2167158</guid>
 <comments>http://security.sys-con.com/node/2167158#feedback</comments>
</item>
<item>
 <title>HTML5 WebSocket Security is Strong</title>
 <link>http://security.sys-con.com/node/2184408</link>
 <description>This is a two-part blog post that discusses HTML5 WebSocket and security. In this, the first post, I will talk about the security benefits that come from being HTTP-compatible and the WebSocket standard itself. In the second post (coming soon) &amp;#8230; &lt;a href=&quot;http://blog.kaazing.com/2012/02/28/html5-websocket-security-is-strong/&quot;&gt;Continue reading &lt;span class=&quot;meta-nav&quot;&gt;&amp;#8594;&lt;/span&gt;&lt;/a&gt;&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2184408&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 01 Mar 2012 02:00:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2184408</guid>
 <comments>http://security.sys-con.com/node/2184408#feedback</comments>
</item>
<item>
 <title>Code Reviews, Threat Modeling and Fuzz Testing </title>
 <link>http://security.sys-con.com/node/2186633</link>
 <description>I interview F5 Technical Marketing Manager, David Holmes, who happens to be a former F5 Product Development dude about F5&amp;#8217;s focus on security during the development phase.&amp;#160; They discuss code reviews, threat modeling and fuzz testing along with some observations about the RSA conference. &lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2186633&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 29 Feb 2012 21:24:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2186633</guid>
 <comments>http://security.sys-con.com/node/2186633#feedback</comments>
</item>
<item>
 <title>BIG-IP Data Center Firewall Solution</title>
 <link>http://security.sys-con.com/node/2184268</link>
 <description>Peter Silva interviews F5 Security Product Manager Preston Hogue about the BIG-IP Data Center Firewall Solution, BIG-IP’s ICSA Certification and some BIG-IP differences vs. traditional firewalls.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2184268&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Tue, 28 Feb 2012 23:37:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2184268</guid>
 <comments>http://security.sys-con.com/node/2184268#feedback</comments>
</item>
<item>
 <title>ITSEF Brings Uniqueness to Security Community</title>
 <link>http://security.sys-con.com/node/2179442</link>
 <description>The Security Innovation Network (SINET) 6th annual IT Security Entrepreneurs&amp;#8217; Forum (ITSEF) takes place at Stanford University, March 20 &amp;#38; 21, 2012.  ITSEF is the flagship event of the Security Innovation Network. ITSEF is designed to bridge the gap between the Federal Government, Silicon Valley and other centers of innovation, and they are highly regarded [...]&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2179442&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sun, 26 Feb 2012 14:23:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2179442</guid>
 <comments>http://security.sys-con.com/node/2179442#feedback</comments>
</item>
<item>
 <title>Security&#039;s Rough Ride: Put On Your Virtual Life Vests!</title>
 <link>http://security.sys-con.com/node/2177338</link>
 <description>I know I’ve said this before but it sure seems like almost daily there is a security breach somewhere.  Over the years, the thought process has changed from prevent all attacks to, &lt;/font&gt;&lt;a href=&quot;http://www.informationweek.com/news/security/vulnerabilities/232400392?cid=RSSfeed_IWK_All&quot;&gt;&lt;font size=&quot;2&quot;&gt;it is inevitable that we will be breached&lt;/font&gt;&lt;/a&gt;&lt;font size=&quot;2&quot;&gt;.  The massive number of attacks occurring daily makes it a statistical reality.  Now organizations are looking for the right solution (both technology and practice) to quickly detect a breach, stop it, identify what occurred and what data may have been compromised.  Over the last couple of days various entities have had their security breached.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font size=&quot;2&quot;&gt;As you are probably already aware either due to the headlines or a direct note in your email inbox, &lt;/font&gt;&lt;a href=&quot;http://www.pcworld.com/businesscenter/article/248244/zappos_hacked_what_you_need_to_know.html&quot;&gt;&lt;font size=&quot;2&quot;&gt;Zappos, a popular online shoe site, was compromised exposing information on 24 million customers&lt;/font&gt;&lt;/a&gt;&lt;font size=&quot;2&quot;&gt;.  While a good bit of info was taken, like usernames, passwords, addresses, email and other identifiable information, Zappos claims that the stored credit card information was apparently spared due to being encrypted.  There are still many details that are unknown like how it occurred and how long it had been exposed but all users are being required to change their passwords immediately.  Users might also want to change similar passwords on other websites since I’m sure the criminals are already trying those stolen passwords around the web.  These days it&#039;s entirely too easy to use information from one hack in many others.  It doesn&#039;t even matter if passwords were compromised.  You can change your password, but the make and model of your first car, and your mother&#039;s maiden name can&#039;t be changed.  Yet, online service providers continue to rely on these relatively weak forms of secondary authentication.  The interesting thing is Zappos is/was apparently PCI-DSS compliant, proving once again, PCI compliance is a first step, not the goal.  Being PCI compliant does not mean that one is secure and this also underscores the importance of using a WAF like &lt;/font&gt;&lt;a href=&quot;http://www.f5.com/products/big-ip/application-security-manager.html&quot;&gt;&lt;font size=&quot;2&quot;&gt;BIG-IP ASM&lt;/font&gt;&lt;/a&gt;&lt;font size=&quot;2&quot;&gt;.  And if it was not a web app that was owned on the server in Kentucky, then Section 6.6 is irrelevant.  
But again, all the details are still to be uncovered and as far as I know, no one has claimed responsibility.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font size=&quot;2&quot;&gt;Overseas, there is an ongoing cyber-war between a Saudi (reported) hacker and Israel.  0xOmar, &lt;/font&gt;&lt;a href=&quot;http://m.ibtimes.com/saudi-hacker-0xomar-will-continue-harm-israel-282847.html&quot;&gt;&lt;font size=&quot;2&quot;&gt;as news articles have identified him&lt;/font&gt;&lt;/a&gt;&lt;font size=&quot;2&quot;&gt;, claims to have posted details of 400,000 Israeli-owned credit cards and Israel’s main credit card companies have admitted that 20,000 cards have been exposed.  Along the way, he has also attacked the Tel Aviv Stock Exchange and Bank Massad.  In an interesting and potentially scary turn of events, a group of Israeli hackers, IDF-Team, took down the Saudi Stock Exchange (Tadawul) and the Abu Dhabi Securities Exchange (ADX) as a counter-attack.  Another Israeli hacker going by Hannibal claims to have 30 million Arab e-mail addresses, complete with passwords (including Facebook passwords), and says he’s received e-mails not only from potential victims but from officials in France and other countries asking him to stop.  This cyber-conflict is escalating.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font size=&quot;2&quot;&gt;In a very different type of breach, you’ve probably also seen &lt;a href=&quot;http://news.nationalpost.com/2012/01/17/five-new-bodies-found-in-wreckage-of-the-costa-concordia/&quot;&gt;the cruise ship lying on its side&lt;/a&gt; a mere 200 yards from the Italian shore.  While not necessarily a data security story, it is still a human security story that, so far, has been attributed to human error – like many data security breaches.  Like many data breach victims, people put their trust in another entity.  Their internal risk-analysis tells them that it is relatively safe and the probability of disaster is low.  But when &lt;/font&gt;&lt;a href=&quot;http://www.telegraph.co.uk/news/worldnews/europe/italy/9018869/Cruise-disaster-captain-neared-rocks-in-Facebook-stunt-for-friends-family.html&quot;&gt;&lt;font size=&quot;2&quot;&gt;people make bad decisions, which seems to be the case in this situation&lt;/font&gt;&lt;/a&gt;&lt;font size=&quot;2&quot;&gt;, many others are put at greater risk.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font size=&quot;2&quot;&gt;Put on your virtual life vests, 2012 is gonna be a ride.&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font size=&quot;2&quot;&gt;ps&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font size=&quot;2&quot;&gt;References:&lt;/font&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;&lt;a href=&quot;http://www.pcworld.com/businesscenter/article/248244/zappos_hacked_what_you_need_to_know.html&quot;&gt;&lt;font size=&quot;2&quot; face=&quot;Tahoma&quot;&gt;Zappos Hacked: What You Need to Know&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
    &lt;li&gt;&lt;a href=&quot;http://www.informationweek.com/news/security/vulnerabilities/232400392?cid=RSSfeed_IWK_All&quot;&gt;&lt;font size=&quot;2&quot; face=&quot;Tahoma&quot;&gt;10 Security Trends To Watch In 2012&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
    &lt;li&gt;&lt;a href=&quot;http://www.usatoday.com/money/industries/retail/story/2012-01-16/zappos-security-breach/52605292/1&quot;&gt;&lt;font size=&quot;2&quot; face=&quot;Tahoma&quot;&gt;Hackers swipe Zappos data; customers should change password&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
    &lt;li&gt;&lt;a href=&quot;http://www.informationweek.com/news/security/attacks/232400441&quot;&gt;&lt;font size=&quot;2&quot; face=&quot;Tahoma&quot;&gt;Zappos Hack Exposes Passwords&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
    &lt;li&gt;&lt;a href=&quot;http://www.securityweek.com/zappos-hacked-says-internal-systems-breached-cyber-attack&quot;&gt;&lt;font size=&quot;2&quot; face=&quot;Tahoma&quot;&gt;Zappos Hacked: Internal Systems Breached in Cyber Attack&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
    &lt;li&gt;&lt;a href=&quot;http://www.veracode.com/blog/2012/01/delivering-unhappiness/&quot;&gt;&lt;font size=&quot;2&quot; face=&quot;Tahoma&quot;&gt;Delivering Unhappiness&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
    &lt;li&gt;&lt;a href=&quot;http://forum.pakistanidefence.com/index.php?showtopic=97991&quot;&gt;&lt;font size=&quot;2&quot; face=&quot;Tahoma&quot;&gt;Alleged Saudi hacker discloses more Israeli credit card numbers&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
    &lt;li&gt;&lt;a href=&quot;http://www.haaretz.com/news/diplomacy-defense/israeli-hackers-bring-down-saudi-uae-stock-exchange-websites-1.407846&quot;&gt;&lt;font size=&quot;2&quot; face=&quot;Tahoma&quot;&gt;Israeli hackers bring down Saudi, UAE stock exchange websites&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
    &lt;li&gt;&lt;a href=&quot;http://www.telegraph.co.uk/news/worldnews/europe/italy/9018869/Cruise-disaster-captain-neared-rocks-in-Facebook-stunt-for-friends-family.html&quot;&gt;&lt;font size=&quot;2&quot; face=&quot;Tahoma&quot;&gt;Cruise disaster: captain neared rocks in Facebook stunt for friend&#039;s family&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2177338&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Sun, 26 Feb 2012 14:00:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2177338</guid>
 <comments>http://security.sys-con.com/node/2177338#feedback</comments>
</item>
<item>
 <title>Quick Response, Quick Risk?</title>
 <link>http://security.sys-con.com/node/2168422</link>
 <description>Quick Response (QR) codes are intended to help direct users quickly and easily to information about products and services, but they are also starting to be used for social engineering exploits. This article looks at the emergence of QR scan scams and the rising concern for users today.
You don’t have to look far these days to spot a QR code. From their humble beginnings in labelling and tracking parts used in vehicle manufacturing, these blocky little barcodes-on-steroids are being placed everywhere from product packaging, to posters and billboards, to magazines and newspapers.
QR codes are a jumping-off point from the offline to the online world. By simply scanning the code with your smartphone, people can quickly access the digital content triggered by the code – making them a marketer’s dream because they make it easy to direct users toward information and services. What’s more, they still retain a certain cool and curiosity factor, with users enjoying the point-and-browse convenience they offer.
However, this also makes them useful to hackers as a social engineering tool, to exploit user interest and trust and direct them to malicious websites or malware. While the concept of ‘drive-by downloads’ is already well established as a stealthy tactic for stealing user data when web browsing, QR codes offer a new method for manipulating mobile users in a similar way.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2168422&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 23 Feb 2012 06:45:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2168422</guid>
 <comments>http://security.sys-con.com/node/2168422#feedback</comments>
</item>
<item>
 <title>Effective Report Writing Applied to Cyber Security</title>
 <link>http://security.sys-con.com/node/2167748</link>
 <description>In almost all professions, report writing is a requirement.  Typically, reports document the successes and failures of a particular action. While it may not be your favorite part of the job, report writing does validate your work to the customer. In our profession, Cyber Security, we have the unique challenge of communicating highly technical information in a non-technical format, so that the impact of our efforts can be understood.
Early in my career I hated writing reports.  Back then, I had a hard time understanding why reports were so important.  Little did I know that the countless hours I spent converting technical details into a &quot;human readable&quot; format would pay off in the future.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2167748&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 15 Feb 2012 12:55:29 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2167748</guid>
 <comments>http://security.sys-con.com/node/2167748#feedback</comments>
</item>
<item>
 <title>Symantec Confirms Blackmail Attempt</title>
 <link>http://security.sys-con.com/node/2162628</link>
 <description>Starting last month an unidentified hacker – or maybe it’s hackers – called Yamatough and believed to be part of a group called Lords of Dharmaraja and affiliated with Anonymous – from the looks of it not a native English speaker – or else a semi-literate – demanded $50,000 in blackmail from Symantec. 
The entry point was apparently servers run by Indian military intelligence. 
Yamatough threatened to expose stolen Norton antivirus and PCAnywhere source code. 
Symantec, which secretly called the cops, told CNET it agreed to pay the extortion as part of a sting operation that failed. The PCAnywhere code was posted Tuesday. 
The go-between was a fictional Symantec employee named Sam Thomas, who offered Yamatough incremental payments of $2,500 a month for three months until Symantec was confident the code was destroyed. Sam was actually law enforcement.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2162628&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 13 Feb 2012 08:30:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2162628</guid>
 <comments>http://security.sys-con.com/node/2162628#feedback</comments>
</item>
<item>
 <title>Eight Criteria for Evaluating Enterprise E-Signatures - Part 8</title>
 <link>http://security.sys-con.com/node/2159101</link>
 <description>Q: Enterprise e-signatures, like any enterprise-class software, is a strategic technology with far-reaching implications. After all, this is an underpinning technology that reaches beyond the firewall to directly touch customers and automates revenue-generating business processes. Considering this importance, how can a company evaluate the stability of a solution provider in a market that is relatively young, with many start-ups or small firms relying on venture capital or even debt financing? 
The most prudent way to proceed is by asking the right questions. Here are some suggestions.
If you consider record retention, how many years does your organization need to retain records? It is common in financial services, for example, to have 25-30 year archiving requirements. E-signed records are no different. Will your electronic signature provider be there when a signed document needs to be verified – or to help defend a transaction in dispute?&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2159101&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 08 Feb 2012 15:21:15 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2159101</guid>
 <comments>http://security.sys-con.com/node/2159101#feedback</comments>
</item>
<item>
 <title>Eight Criteria for Evaluating Enterprise E-Signatures – Part 7</title>
 <link>http://security.sys-con.com/node/2159083</link>
 <description>Lack of adequate professional services can greatly impact the success of an organization’s electronic signature implementation. What professional services are typically involved in Silanis’ customer implementations? How can you achieve the right balance between leveraging best practices and achieving autonomy?
In addition to the scope of services offered, organizations considering an enterprise license for e-signatures should look at the vendor’s implementation methodology, time-to-market track record and resources.
At Silanis, a professional services team of 20 supports customizing, implementing and deploying e-Sign Enterprise. This includes custom project planning, development, consulting, testing, documentation, on-site deployment services, training and integration. We provide deployment support through the customer’s test/staging/QA process until the solution is live and in production.&lt;p&gt;&lt;a href=&quot;http://security.sys-con.com/node/2159083&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Wed, 08 Feb 2012 11:31:00 EST</pubDate>
 <guid isPermaLink="true">http://security.sys-con.com/node/2159083</guid>
 <comments>http://security.sys-con.com/node/2159083#feedback</comments>
</item>
</channel>
</rss>

