Thursday, March 31, 2011
Cloud and social media security are much discussed areas of focus within our profession but what about some of the less shouted-about threats? I thought you might be interested in SC Magazine’s recent study of some of these, which will be discussed in greater detail in 3 of their upcoming webcasts; found at http://www.scwebcasts.tv and http://www.scstudio.tv respectively.
Below is a little more info on the 3 topics to help you assess their relevance to your organisation:
STAMP OUT COSTLY SECURITY DEFECTS IN SOFTWARE DEVELOPMENT
Going live at 2pm GMT, 30th March
The Coverity Scan found an alarming 50,000 defects in just 300 open-source software products. This webcast will give you an instant understanding of the secure coding practices you should adhere to in order to eliminate these increasingly costly security vulnerabilities.
Speakers: Robert Seacord, Secure Coding Director, CERT - Software Engineering Institute, Michael White, Technical Director, Coverity
You can secure your free place at: http://www.scwebcasts.tv
ARE RISKY APPLICATIONS UNDERMINING YOUR BUSINESS SECURITY?
Going live at 3pm GMT, 12th April
With 75% of new attacks (CERT) targeting applications and with the lines blurring between personal and business devices, this webcast will shed vital light on the real security repercussions of risky apps in the workplace and what you can do to secure them.
Speakers: Tim Mathias, Director of Security, Thomson Reuters Chris Wysopal, Co-founder & CTO, Veracode
You can secure your free place at: http://www.scwebcasts.tv
THE RISKS AND REWARDS OF ARCHIVING
This webvideo is live now on SC’s site at http://www.scstudio.tv
83% of the 200 IT professionals that SC spoke to (representing both SMEs and larger enterprises) reckoned the cost of email downtime to their business to be over $500,000. This interesting SC Studio show, which you can watch right now at http://www.scstudio.tv, offers some useful pointers on one of the most effective ways to reduce this risk and cost: archiving.
Speakers: Brian Shorten, Risk and Security Manager, Cancer Research UK Giovanni Alberici, Archiving & Continuity Specialist, Symantec.cloud
I hope the shows are relevant to your organisation. As always, do feel free to get in touch with any thoughts on these topics or ideas for future ones.
For the webcasts, if you can’t make the live date you can of course watch them afterwards in the archive at your leisure at http://www.scwebcasts.tv. The studio show you can watch whenever you like at http://www.scstudio.tv.
Tuesday, March 29, 2011
RSA Executive Chairman Art Coviello, in a posting on the RSA website Thursday, said a company investigation led officials to believe the attack is in the category of an advanced persistent threat. An APT refers to sophisticated and clandestine means to gain continual, persistent intelligence on a group such as a nation or corporation.
In a letter posted on the RSA website on Thursday, Coviello promised qualified transparency in addressing this problem. "As appropriate," he said, "we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cybersecurity threat."
To help customers, RSA issued nine recommendations it says should strengthen SecurID implementations (see RSA's 9 Recommendations to SecurID Customers).
SecurID consists of a token, either hardware or software, that generates an authentication code at fixed intervals - about once a minute, for instance - using a built-in clock and an encoded random key known as a seed. The seed is different for each token, and is loaded into the corresponding RSA SecurID server as the tokens are acquired.
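The token-and-server mechanism described above, as an added illustration that is not RSA's own code (the SecurID algorithm is proprietary): a simplified time-stepped code generator in the style of RFC 4226/6238, a server that holds each token's seed and the user's PIN, accepts one step of clock drift and refuses to accept the same time slot twice. It shows why the seed matters to the strength of the factor: the code depends only on (seed, clock), so the PIN is the remaining secret once a seed is known. Seed value, 60-second step and PIN length are assumptions for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; a real token seed is a per-token secret loaded into the server.
DEMO_SEED = bytes.fromhex("3132333435363738393031323334353637383930")
STEP = 60      # one code per minute, as the article describes
DIGITS = 6
PIN_LEN = 4    # assumption: a four-digit PIN prefixes the tokencode


def tokencode(seed: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Derive the code for the time slot containing unix_time.

    HMAC-SHA1 over the slot counter with dynamic truncation (RFC 4226 style).
    This stands in for the token's real function; the property that matters is
    that the output is fully determined by the seed and the clock."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenServer:
    """Server side: per-user seed and PIN hash, verification with a drift window."""

    def __init__(self, window: int = 1):
        self.seeds = {}
        self.pins = {}
        self.window = window   # accept +/- this many steps of clock drift
        self.last_slot = {}    # highest slot already accepted per user (no replay)

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.seeds[user] = seed
        self.pins[user] = hashlib.sha256(pin.encode()).hexdigest()

    def verify(self, user: str, passcode: str, now: int) -> bool:
        """passcode = PIN + tokencode; both must be right for the same attempt."""
        if user not in self.seeds or len(passcode) != PIN_LEN + DIGITS:
            return False
        pin, code = passcode[:PIN_LEN], passcode[PIN_LEN:]
        pin_hash = hashlib.sha256(pin.encode()).hexdigest()
        if not hmac.compare_digest(pin_hash, self.pins[user]):
            return False
        slot = now // STEP
        for drift in range(-self.window, self.window + 1):
            candidate = slot + drift
            if candidate <= self.last_slot.get(user, -1):
                continue  # a slot is one-time: an observed code cannot be replayed
            if hmac.compare_digest(tokencode(self.seeds[user], candidate * STEP), code):
                self.last_slot[user] = candidate
                return True
        return False


if __name__ == "__main__":
    server = TokenServer()
    server.enroll("alice", DEMO_SEED, "1234")
    t = 1_299_999_960
    code = tokencode(DEMO_SEED, t)
    print("tokencode:", code)
    print("first use:", server.verify("alice", "1234" + code, t + 20))
    print("replay:   ", server.verify("alice", "1234" + code, t + 25))
```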
Coviello said RSA's investigation revealed that the attack resulted in information being extracted from the company's IT systems. "While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," Coviello said. "We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations."
Coviello said RSA has no evidence that customer security related to other RSA products has been similarly affected. "We do not believe that either customer or employee personally identifiable information was compromised as a result of this incident," he said, adding that RSA will give its SecurID customers the tools, processes and support required to strengthen the security of their IT systems in the face of this incident.
The attack came one day after the top cybersecurity executive at the Department of Homeland Security told Congress that government and private-sector IT systems are at risk from such attacks. "Sensitive information is routinely stolen from both government and private sector networks," Philip Reitinger, DHS deputy undersecretary for national protection and programs told the House Homeland Security Committee. "We currently cannot be certain that our information infrastructure will remain accessible and reliable during a time of crisis."
Sunday, March 27, 2011
Security vendor RSA is providing remediation steps for customers to strengthen their RSA SecurID implementations in light of an advanced persistent threat attack against the company, which it says was directed at its SecurID two-factor authentication product (see Hackers Target RSA's SecurID Products).
Here are the nine steps RSA recommends customers take:
1. Increase focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.
2. Enforce strong password and PIN policies.
3. Follow the rule of least privilege when assigning roles and responsibilities to security administrators.
4. Re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person's identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.
5. Pay special attention to security around their Active Directory deployments, making full use of their SIEM (Security Information and Event Management) products, and implement two-factor authentication to control access to Active Directory.
6. Watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
7. Harden, closely monitor and limit remote and physical access to infrastructure that is hosting critical security software.
8. Examine help desk practices for information leakage that could help an attacker perform a social engineering attack.
9. Update security products and the operating systems hosting them with the latest patches.
"We strongly urge immediate customer attention to this advisory," the company said.
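Recommendations 5 and 6 above ask customers to watch privilege changes through a SIEM. As an added example (not part of RSA's advisory), here is a small detector run over constructed Windows-style security events: it alerts on additions to privileged groups, raises severity when the change has no approval ticket or happens out of hours, and escalates when one actor stacks privileges on the same account. The JSON line layout, the group list, the business-hours window and the ticket field are assumptions; the event IDs are the Windows Security Log IDs for group-member additions.

```python
import json
from collections import defaultdict

# Assumption: groups whose membership changes always warrant review.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

# Windows Security Log: member added to a security-enabled global/local/universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 UTC

# Constructed sample export (not a real SIEM feed).
SAMPLE_LOG = """\
{"ts": "2011-03-18T09:02:11Z", "event_id": 4728, "subject": "svc-hr", "member": "j.doe", "group": "HR-Staff", "host": "DC01"}
{"ts": "2011-03-18T09:15:40Z", "event_id": 4728, "subject": "admin.bob", "member": "t.smith", "group": "Domain Admins", "host": "DC01", "ticket": "CHG-1042"}
{"ts": "2011-03-18T23:47:05Z", "event_id": 4732, "subject": "helpdesk3", "member": "x.temp", "group": "Administrators", "host": "FS02"}
{"ts": "2011-03-19T00:01:30Z", "event_id": 4756, "subject": "helpdesk3", "member": "x.temp", "group": "Enterprise Admins", "host": "DC01"}
{"ts": "2011-03-19T00:02:02Z", "event_id": 4624, "subject": "x.temp", "host": "DC01"}
"""


def detect_privilege_changes(log_text: str) -> list:
    """Return one alert dict per addition to a privileged group.

    Severity: 'medium' for a ticketed, in-hours change; 'high' when a ticket is
    missing or the change is out of hours; 'critical' when the same actor has
    already added the same member to another privileged group in this input."""
    alerts = []
    additions_by_actor = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_id") not in GROUP_ADD_EVENTS:
            continue
        if ev.get("group") not in PRIVILEGED_GROUPS:
            continue
        reasons = []
        if "ticket" not in ev:
            reasons.append("no change ticket")
        hour = int(ev["ts"][11:13])
        if hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        key = (ev["subject"], ev["member"])
        additions_by_actor[key] += 1
        if additions_by_actor[key] > 1:
            reasons.append("same actor stacking privileges on one account")
            severity = "critical"
        else:
            severity = "high" if reasons else "medium"
        alerts.append({
            "ts": ev["ts"], "host": ev["host"], "subject": ev["subject"],
            "member": ev["member"], "group": ev["group"],
            "severity": severity, "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_privilege_changes(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["ts"], alert["subject"], "->",
              alert["member"], "in", alert["group"], "; ".join(alert["reasons"]))
```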
Friday, March 25, 2011
The CIO 2011 Global State of Information Security Survey tracks the trends and how they affect Australian businesses
Australia isn’t often heralded as being at the bleeding edge of technology on the global stage. A former CIO of the United States National Security Agency, however, says the country is leading the way in security.
The focal point for praise from Prescott Winter, now CTO of the public sector division at security vendor ArcSight, is a voluntary code of practice established by the ISP sector’s representative body, the Internet Industry Association (IIA). The ‘iCode’ recommends a set of best practice methodologies for dealing with botnets, educating customers and addressing deficiencies in network monitoring.
“Australia is going to be very interesting to watch,” he says.
The code isn’t set to go live until December 2010, but IIA’s CEO, Peter Coroneos, has already briefed the US Federal Communications Commission, the Organisation for Economic Cooperation and Development, and even the White House’s cyber security chief, Howard Schmidt, among others on the proposal — in the hope of seeing similar codes adopted globally.
But while some organisations are working towards global collaboration on information security issues, Winter does have a warning for CIOs: Understand your threat landscape, and proactively work to mitigate internal risks.
“They’re just now getting their hands wrapped around this problem,” he says. “But I’m afraid many are still reactive.”
The issue is borne out in the results of the CIO 2011 Global State of Information Security Survey. Conducted in 2010 by PricewaterhouseCoopers, the survey is made up of responses from 12,847 technology and business executives from 130 countries, including 754 answers from Australia.
One of the more alarming findings — there are several — is the number of Australian respondents who reported noticing one or more security-related incidents within their company over the last 12 months. In most cases, software and confidential customer or employee records were altered or compromised, with up to $500,000 in financial losses at stake. Worse, of the known sources of the threat, employees were the culprits in 27.7 per cent of cases, outstripping hackers, former employees and other external deviants.
Denial of service, vulnerable firewalls and security compromised at the hands of consumer technology in the workplace may remain major concerns for the CIO, but it appears the problem may be much closer to home.
It is a sentiment that Shoaib Yousuf agrees with. As an information security strategist and consultant, he has seen the worst of internal security risks. The Stuxnet worm that shook critical infrastructure across the world — including 30,000 computers in Iran — could be sourced to a single USB drive, plugged into the all-too-vulnerable SCADA network. The malware, according to Yousuf, has become a “wake up call” that has highlighted the gaps in endpoint security which could bring down an entire power, water or transportation grid.
“In the hacking and security world we used to use the term ‘weakest link’ all the time, but the threat landscape for critical infrastructure has changed,” he says. “Hackers are no longer targeting the weakest links.”
Winter agrees. Drawing from experience, he points to a nuclear energy producer which found two separate botnets operating within its network; another engineering firm discovered its network was the source of a distribution network for pornography. Internal reflection, he says, is ultimately vital to ensuring threats aren’t passed by without notice.
“There’s a lot of stuff out there that people don’t know, simply because they’re not looking.”
For better or worse, the mounting concerns have pushed security awareness amongst C-level executives through the roof. Despite the economic rollercoaster, 18.8 per cent of Australian respondents are forecasting increases to information security budgets by 10 per cent over the next 12 months, while a further 19.1 per cent will look to increase budgets by up to 30 per cent.
A little under half of all respondents claim security budgets in excess of $US50,000 in 2010. Information security has become much more than small change.
Third party security
Principal for the advisory service division of PricewaterhouseCoopers, Mark Lobel, points to the survey results as a sign that expectations have been ‘reset’ among respondents.
“There’s a real sense of tension in this year’s numbers,” he says. Employee distrust aside, Lobel says much of the tension can be attributed to the increasing reliance companies must place on third parties for their security, “whether they like it or not”. “Those partners need access to your IT infrastructure and your data. That’s tough when times are good and scary when times are bad.”
But according to Andrew Milroy, vice-president of ICT practice at analyst firm, Frost & Sullivan, the trend toward third parties is inevitable.
“Security is just going to be built-in,” he says. “As a discrete issue, I think it will disappear over time because the service provider will offer service levels around privacy and data.”
Migration towards the Cloud, telecommuting and remote access will all accelerate that trend, Milroy says, as companies become accustomed to the notion of their sensitive and often confidential data moving at the speed of light over networks that are not their own, beyond the controls of a corporate firewall.
Vendors and service providers are gearing up for the trend too, boosting in-house security expertise and buying intellectual property outright as a means of integrating security portfolios without having to start from scratch. Intel’s $US11.5 billion McAfee merger, Juniper Networks’ SMobile buy and Verizon Business’ Cybertrust acquisition serve as examples.
Outsourcing the totality of security, however, may require some getting used to and, as Lobel says, perhaps a ‘reset’ of priorities. Australian companies remain ambivalent: Almost half of the survey respondents said increasing reliance on managed security services was either important or the company’s top priority for the coming year, but only 35.6 per cent were looking to reduce the amount of full-time security personnel on-site.
Survey results also indicate Cloud adoption continues to lag at a local level. About 36.4 per cent of Australian respondents said they used Cloud services, behind 52.4 per cent of companies in the rest of the Asian market. Some 47.7 per cent of respondents were apprehensive or lacked confidence in the information security of suppliers and partners, mainly due to a lack of control over others’ security policies. A total 50.6 per cent did not or were not considering any form of security outsourcing or management. Nonetheless, the more companies do outsource information security or the information itself, the greater the focus on service level agreements and ensuring compliance to security standards and strategies.
The latter rings true for Andy Pattinson, formerly from Carnival Australia. As interim IT director of a firm that represents six of the international cruise brands in Australia, including P&O Cruises, he had oversight of all information security, although strategies and priorities are ultimately dictated by global headquarters in the United States.
Unlike the rest of Carnival’s local operations, which report through Carnival UK, security compliance and risk management report directly to the US.
Two employees also oversee security risk and compliance and directly report back to US headquarters, bypassing Pattinson and local management.
As a result, most of Pattinson’s security duties revolved around ensuring Sarbanes-Oxley (SOX) and Payment Card Industry (PCI) standards compliance, effectively amounting to 5 per cent of the company’s approximately $10 million operational expenditure. Ongoing enterprise risk assessments are carried out by three of his 20-strong IT team, and penetration testing is outsourced, but for a strong local organisation overseeing four major cruise ships there are no pressing security concerns.
“We have a baseline [that is] dictated by the group and we get to that level, then do whatever other work we need to do that might be pertinent,” he says.
The maturity of the systems has its advantages; six months into the interim role, Pattinson hardly had to lift a finger on the security side. “It was a pleasant surprise because it means you’re not firefighting issues, you’re not having to override concerns about the day-to-day operations,” he says. “It lets me focus much more on strategic aspects and actually takes a weight off my shoulders — it doesn’t mean you lose sight of it, but you know the processes are in place to maintain it.”
The CSO role in Australia
Given the importance of security in any organisation, it would seem logical to have an executive with absolute oversight direct report to the CEO or board of directors. Yet the roles of chief security officer (CSO) and its more specific variant, the chief information security officer (CISO), are rare creatures in the Australian business landscape.
Only eight respondents identified themselves as such in the survey and, while a greater proportion make mention of an existing CSO role within the company, the requisite mug shot is notably absent from executive lineups on company websites. Those who do exist are often tied directly to vendors — with a stake in the arena — and according to Milroy, the title is a luxury more than anything.
“It’s like having a chief Cloud officer — how many chief officers do you want on the board? You have to draw a line somewhere,” he says.
“Security really should be on the minds of a CIO or even a CEO across the board. Everybody should be onto it.”
Only 37.9 per cent of Australian survey respondents, however, said their equivalent security manager reported directly to the chief financial officer, chief executive or board of directors; the rest, it seems, are held back by restrictive governance structures.
“I think there’s a need for any security manager to directly report to management,” Yousuf says. “You can give him whatever title you like, but I’d worry more about his reporting functionality. These guys are responsible for approving your budget and strategy. If they don’t know what you’re talking about, the threats and issues, and if you don’t bring them to their attention, you will have a problem achieving your goals.”
The CSO’s role should extend beyond information security to physical fraud and internal corruption reviews within the company, he says. Its existence also provides a direct line of reporting and communication to executives and, therefore, a greater chance to be heard. It has ultimately been beneficial to Yousuf’s attempts to raise security awareness among the engineers and accountants within the organisations he works with.
“I used to struggle. I would send invites to the executives [for meetings], and they would send one person. Now, if I don’t send an invite they’ll actually ask me: ‘You’re not coming to the executive meeting? Are you not providing an update?’”
As a simple means of reporting, the CIO can fulfil much the same role, but the possibility of oversight afforded by a dedicated security executive allows for extension beyond the bits and bytes of information security threats.
Even those steeped in the technical aspects recognise that a holistic security strategy must extend beyond the IT department to risk and compliance. For Yousuf, the ideal security environment would comprise four security professionals from the IT, auditing, and risk and compliance departments to oversee the various aspects of the company’s potential threats and develop mitigation strategies.
Security must be executed by IT, but both Yousuf and Pattinson concede that strategy and governance ultimately shouldn’t be led by it.
Cloud, green IT and governance
Governance and security priorities will likely continue to be at odds when it comes to implementing and sustaining information security, but it is clear the threat landscape remains vast and the number of potential vulnerabilities is no small feat to overcome. As issues on the periphery such as the Cloud, Green IT and governance undergo change, however, effective risk mitigation will follow suit.
For Yousuf, it is a matter of multi-tasking.
“I need to pick up on the small issues in the bigger picture, rather than going to the bigger picture and forgetting the small issues,” he says. “I believe breaches always come from the small issues, not the perimeter.”
In a climate where only 29 per cent of Australian companies appear completely satisfied with existing information security strategies, the area is ripe for improvement.
The 2011 Global State of Information Security Survey is the eighth such survey from CXO Media, publisher of CIO magazine and CSO magazine in the United States. Conducted globally with PricewaterhouseCoopers between 19 February and 30 April 2010, the survey comprised responses from 12,847 technology and business executives from 130 countries in roles ranging from analyst to the chief executive or president of the company. With 754 respondents Australia ranked fifth in the world in terms of response.
Refer here to read the original post on CIO Australia.
Wednesday, March 23, 2011
Over the past year, it has been hard to predict when, where and with what strength global economic conditions might improve.
So it isn’t surprising to discover this year that, according to the results of the 2011 Global State of Information Security Survey®, executives across industries and markets worldwide have been reluctant to release funding supporting the information security function.
This financial restraint is in spite of clear evidence that, as information security emerges from the smoke of a brutal year (in effect a “trial by fire”, as last year’s survey revealed), it is sporting a new, hard-won respect, not just from many but from most of this year’s respondents.
This includes more than 12,000 CEOs, CFOs, CIOs, CISOs, CSOs and other executives responsible for their organisation’s IT and security investments in more than 130 countries.
- Asked about their expectations about security spending in the coming year, respondents are more optimistic than at any time since before 2005.
- This year’s spending drivers aren’t new. But here’s the surprise: almost every one of these factors is trending at, or near, a four-year low.
- For the second year in a row, increasing the focus on data protection is the single most common strategy worldwide.
- This year, there is a significant shift in the ongoing evolution of the CISO’s reporting channel away from the CIO in favor of the company’s senior business decision-makers.
Sunday, March 20, 2011
Web 2.0 Security Summit (Webcasts, March 16, 2011 or afterward on demand)
Hear from OWASP, SonicWALL, Accenture, Websense, Aberdeen Group, Fortinet and other security visionaries as they look into the new paradigm of web 2.0 security threats, the issues of privacy, and practical tips on how to prevent large scale data leaks from happening to you.
Social Networking and Security Risks (White Paper)
The popularity of social networking sites has reached astonishing levels. How protected is your company against risks from these platforms?
The Big Shift to Cloud-based Security (White Paper)
Keeping IT systems secure and running within regulatory compliance mandates seems next to impossible. There are many reasons for this — but fortunately, several recent technological trends show that it doesn't have to be this way.
How to Protect Your Organization against Advanced Persistent Threats (White Paper)
This paper outlines the evolution of APTs, explains the motivation behind them, and determines best practices for defending against these threats.
Security for Google Apps Messaging and Collaboration Products (White Paper)
Read this whitepaper to get a comprehensive look at the security controls, processes and technologies that we have implemented in Google Apps.
Friday, March 18, 2011
Just when you think you've filled all the gaps by investing in all the right technology, crafty criminals will come up with an unexpected way to commit fraud. Increased cross-border transaction volume means more opportunity not just for money laundering, but also for ACH fraud, card fraud and identity theft, and that means greater need for real-time transaction monitoring.
As global transactions increase, and political unrest in Northern Africa continues, U.S. regulators will more closely scrutinize compliance with the USA Patriot Act and the Bank Secrecy Act, to name two regulations.
In other parts of the world, such as Europe, where privacy mandates often conflict with U.S. policy, regulators are just as intent on ensuring standards and sanctions are adhered to by banks and businesses operating within their borders.
From an AML perspective, most international banks are complying well with existing regulatory mandates. But enhanced monitoring, going forward, will be a must.
Regulators are looking for more efficient monitoring, and now banks are going to be expected to have more streamlined fraud-detection tools. Centralizing data is the only cost-effective way to streamline.
Centralizing your data is so important, for fraud detection, as well as knowing your customer. After all, knowing your customer leads to better service and fewer fines in the long run
Compliance is always looked at as a cost center. But when you know your customers and how they behave, not only can you meet the requirements of regulatory compliance, but you also can more effectively target your customers and shape your products around what they need, rather than around what you assume they want.
Wednesday, March 16, 2011
Visa recently announced the launch of its Technology Innovation Program, designed to exempt eligible merchants from the annual requirement to validate their compliance with the Payment Card Industry Data Security Standard. The program, which takes effect March 31, aims to fuel dynamic data authentication through the continued deployment of EMV chip terminals in all parts of the world except the U.S.
What is 'Dynamic Authentication'?
The concept of dynamic authentication is intended to promote the use of a dynamic variable that will be included as part of each transaction that flows through the payment system. And the notion is that if there is a dynamic variable that accompanies that transaction that changes with every transaction, then that information cannot be used in the future to replay a transaction for fraudulent purposes. So, the notion of dynamic data is very powerful in that, again, each transaction would be unique. EMV chip, in particular, promotes the transmission of dynamic data by generating a cryptographic message that accompanies the transaction, and thereby makes that transaction dynamic.
Refer here or here to read more details on this initiative.
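The dynamic-data idea explained above, as an added illustration that is not Visa's program code or the EMV specification's real cryptogram construction: each transaction carries a MAC computed inside the card over the transaction fields plus a counter the card increments (EMV calls this the Application Transaction Counter, ATC), and the issuer rejects any cryptogram whose counter has already been seen. The effect is the one the post describes: a captured transaction cannot be replayed, and the static card number on its own cannot authorise a new payment. Key, nonce and field layout are assumptions for the demo.

```python
import hashlib
import hmac


def transaction_bytes(pan: str, amount_cents: int, currency: str, atc: int, nonce: bytes) -> bytes:
    """Canonical byte string the cryptogram covers: card, amount, currency,
    the card's transaction counter and a terminal-supplied nonce."""
    return f"{pan}|{amount_cents}|{currency}|{atc}|".encode() + nonce


class ChipCard:
    """Card side: a per-card secret key that never leaves the chip and a
    counter that makes every cryptogram different from the last."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self.atc = 0

    def generate_cryptogram(self, amount_cents: int, currency: str, terminal_nonce: bytes) -> dict:
        self.atc += 1
        data = transaction_bytes(self.pan, amount_cents, currency, self.atc, terminal_nonce)
        mac = hmac.new(self._key, data, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount_cents, "currency": currency,
                "atc": self.atc, "nonce": terminal_nonce.hex(), "cryptogram": mac.hex()}


class Issuer:
    """Issuer side: knows each card's key and the highest counter it has accepted."""

    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enroll(self, pan: str, key: bytes) -> None:
        self.keys[pan] = key
        self.last_atc[pan] = 0

    def authorise(self, txn: dict):
        """Return (approved, reason). Checks counter freshness before the MAC so a
        replayed message is refused even though its cryptogram is genuine."""
        key = self.keys.get(txn["pan"])
        if key is None:
            return False, "unknown card"
        if txn["atc"] <= self.last_atc[txn["pan"]]:
            return False, "replayed or stale counter"
        data = transaction_bytes(txn["pan"], txn["amount"], txn["currency"],
                                 txn["atc"], bytes.fromhex(txn["nonce"]))
        expected = hmac.new(key, data, hashlib.sha256).digest()[:8].hex()
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return False, "cryptogram mismatch"
        self.last_atc[txn["pan"]] = txn["atc"]
        return True, "approved"


if __name__ == "__main__":
    # Constructed demo card; the PAN is a well-known test number, the key is made up.
    card = ChipCard("4111111111111111", b"demo-card-key-00")
    issuer = Issuer()
    issuer.enroll("4111111111111111", b"demo-card-key-00")
    txn = card.generate_cryptogram(2599, "USD", bytes.fromhex("a1b2c3d4"))
    print("first presentation:", issuer.authorise(txn))
    print("replayed message:  ", issuer.authorise(txn))
```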
Tuesday, March 15, 2011
Monday, March 14, 2011
Criminals are driving up the cost of data breaches for U.S. business, according to researchers at the Ponemon Institute and Symantec.
The U.S. Cost of Data Breach survey released today by the Ponemon Institute and sponsored by Symantec showed the cost of a data breach rose for the fifth straight year to an average $7.2 million per incident, up 7 percent from 2009. That’s $214 per compromised customer record.
The most expensive breach reported in 2010 was $35.3 million, and the least expensive was $780,000, both up from the previous year. A key factor in the rising cost is that criminals account for a larger share of the data breaches, and those breaches are significantly more expensive to contain and fix.
Deliberate, criminal attacks rose nearly 30 percent last year, now accounting for 31 percent of all attacks (negligence, like lost hard drives or documents, still accounts for 41 percent of breaches), and the cost of malicious attacks is rising even faster, jumping 48 percent to an average of $318 per compromised record, wrote Dr. Larry Ponemon, founder and chairman of the institute, on his blog.
Malicious attacks create more costs because they are harder to detect, the investigation is more involved and they are more difficult to contain and remediate. Another reason malicious attacks are so expensive is the criminal is out to monetize their work; they’re trying to profit off the breach.
Other factors behind rising costs:
Better awareness: Breaches are less likely to go undetected and/or unreported. This is motivated by the threat of litigation and of potential legislation. So far, 46 U.S. states have passed such measures, with varying definitions of a breach, deadlines for notifying customers and punishments for failing to comply.
Faster (costlier) response: More companies favor a rapid response. This year, 43 percent of companies notified customers within 30 days.
From Dr. Ponemon’s blog:
“For the second year, we’ve seen companies that quickly respond to data breaches pay more than companies that take longer. This year, they paid 54 percent
For more details please refer here.
Saturday, March 12, 2011
HSBC is to issue all customers with a one-time password code reader that can be used without the need to insert a Chip and PIN card.
The device, which is small enough to keep in a wallet or purse, generates a unique passcode each time a customer logs on to their accounts. Users must enter a personal four-digit PIN to generate the six-digit passcode.
Called the HSBC Secure Key, it differs from the approach taken by other UK banks such as the Co-operative Bank, Barclays, RBS and Nationwide which have equipped customers instead with bulkier Chip and PIN card readers.
The device will be issued to all new HSBC customers that register for online banking from 23 March and will be rolled out to all existing customers over the coming months.
Thursday, March 10, 2011
To buy or not to buy? That is the question. When it comes to anti-virus software for your computer, most experts agree you need it if you have the Windows operating system and often go online, where dangers lurk.
But name-brand software could set you back $40 to $70 or more a year. Alternatively, some excellent products are available for free. What's a prudent consumer to do?
The short answer is that if you refuse to pay for computer protection software, at least use a free product in lieu of nothing. On that, experts agree. Beyond that, it's difficult to generalize with so many products available. But the difference basically comes down to this: Free software will help you discover a problem, such as a virus, and deal with it.
Paid software has more features that might help keep you from getting a problem in the first place, especially if you're inexperienced online or visit risky websites. Here are some considerations.
Popular free products include Avira AntiVir Personal, AVG Anti-virus Free Edition, Avast! Free Antivirus and Microsoft's own Security Essentials. Be aware that the many free products, while good at what they do, are essentially a marketing tool to persuade you to buy the same brand's paid version. Microsoft is an exception. It has no upsell.
Some reviewers claim the free anti-virus software might be all you need. Consumer Reports, for example, says that free products are "fine for most people."
Experts are quick to point out that you are likely to get broader protection and functionality using security software that you pay for. The free-versus-paid discussion is "an artificial wall," said Dan Nadir, senior director of product management for Norton security software, a paid product. "There is this perception you can get an apples-to-apples free version with a free product; it's not true," he said. "I think the way users should think about this is that if you're going online, you should get a paid product - even the free guys have paid products."
On their websites, many of the free products have charts showing how their paid products have more features that keep you safe online, while banking and shopping, for example.
Nadir conceded that free products do an excellent job of detecting viruses and removing them. "Everyone can do well on these static virus-scanning tests," he said. The value of a paid product is the "real world" protection offered by smarter software that can sniff out a threat even if it's never been told specifically about the threat - all without falsely alarming users, Nadir said.
Examples of features you might get with a paid product that you don't get with a free one are a firewall, parental controls, spam controls and browser toolbars to prevent phishing, scams meant to lure people into releasing sensitive information. Individual free products do many of those things, but a paid software suite gives you a common program to control everything.
Paid software also gives you technical support by phone, which free products generally won't offer. And some paid suites offer a backup function for your files. "Those are extras that are not critical, but are minor to moderate pluses," Reynolds said.
PCWorld magazine, using a recognized security testing company, recently rated highly Symantec Norton Internet Security 2011, which got top billing in many other reviews too. Kaspersky Internet Security 2011 and BitDefender Internet Security 2011 also rated highly.
For technical comparisons, check online at av-test.org and av-comparatives.org.
So, paid or free? PCWorld puts it this way: "With some exceptions, you get better customer support and more comprehensive security features with a paid product, but if you're willing to forgo these, it's definitely worth considering going free."
Tuesday, March 8, 2011
Boy-in-the-Browser attacks are hard to detect, BUT easier to execute
The Boy in the Browser (BitB) is a "dumbed-down" version of the Man in the Browser (MitB) trojan: a less mature relative of the MitB, hence the name.
With a BitB, the trojan takes control of the victim's traffic and re-routes it through an attacker's proxy site. It is very difficult to detect because the victim's address bar continues to show the address of the intended destination. For example, you, as an infected victim, browse to your bank's website, but that traffic is in fact sent to the attacker, while your browser still appears to be on the bank's normal website.
Once all traffic is re-routed via the attacker, the attacker can do whatever they want with that data. For example:
- Act as a passive proxy, logging sensitive information before passing the request on to the original destination.
- Act as an "active" proxy, modifying requests (for example, redirecting a transfer to a different bank account) before passing them on.
- Commit fraud schemes; for example, Imperva have seen a scheme that defrauds Google (described below).
This is a resurging trend amongst hackers because, in short, it works. Since these trojans evolve so quickly, anti-virus products do not always detect new variants, and more people fall prey to these attacks because they are so difficult to detect. Hackers have realised this and keep releasing more and more BitB variants.
A Man in the Browser intercepts user requests and server responses while "sitting" inside the victim's browser; in effect, it listens directly on that communication. For example, when the victim has authenticated to the bank and requests a transfer from his checking account to his savings account, the trojan may modify that request into a transfer from the checking account to an account in Ukraine.
In the case of a BitB, the trojan instead redirects the traffic to a third-party site, an attacker-controlled server. Traffic therefore does not go directly to the bank; it passes through that extra hop, and only at that server can the attacker modify the transaction request before passing it along to the original destination.
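As an added example (not code from the original post, nor from Imperva's advisory), the following Python script audits a hosts file for the kind of redirect described above. It assumes the redirect is implemented by appending hosts-file entries that point the target domains at the attacker's proxy; that is one common way to do it but not the only one, and the post does not say which mechanism these trojans used. The hosts-file contents, the bank domain examplebank.example and the address 198.51.100.23 are constructed for illustration.

```python
import ipaddress
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Constructed sample of a tampered hosts file (not a real capture). The
# last three non-comment lines are what a hypothetical BitB dropper appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.examplebank.example online.examplebank.example
198.51.100.23   www.google.co.uk   WWW.GOOGLE.DE   # proxy for click fraud
127.0.0.1       ads.tracker.example
"""

# Domains whose traffic a BitB would want to hijack. A clean machine resolves
# these through DNS, so any static hosts-file override for them (or for any
# of their subdomains) is suspicious.
WATCHLIST = ("examplebank.example", "google.co.uk", "google.de")


class Redirect(NamedTuple):
    line_no: int
    hostname: str
    ip: str


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Parse hosts(5) text into (line_no, ip, [hostnames]) tuples.

    Blank lines, comment lines and trailing comments are ignored, hostnames
    are lower-cased (hosts lookups are case-insensitive), and lines whose
    first field is not a valid IPv4/IPv6 address are skipped.
    """
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((n, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def _on_watchlist(hostname: str, watchlist: Iterable[str]) -> bool:
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)


def find_hosts_redirects(text: str, watchlist: Iterable[str] = WATCHLIST) -> List[Redirect]:
    """Return every hosts-file mapping that overrides a watch-listed domain."""
    return [
        Redirect(n, host, ip)
        for n, ip, names in parse_hosts(text)
        for host in names
        if _on_watchlist(host, watchlist)
    ]


def shared_destinations(findings: Iterable[Redirect]) -> Dict[str, List[str]]:
    """Group hijacked hostnames by destination address.

    A BitB funnels every target through one attacker-controlled server, so
    several unrelated domains mapped to the same address is the tell-tale
    pattern (and that server is the single point that can be taken down).
    """
    groups: Dict[str, List[str]] = {}
    for f in findings:
        groups.setdefault(f.ip, []).append(f.hostname)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


def audit_hosts_file(path: str = "/etc/hosts") -> List[Redirect]:
    """Audit a real hosts file; on Windows pass the path under
    System32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hosts_redirects(fh.read())


if __name__ == "__main__":
    hits = find_hosts_redirects(SAMPLE_HOSTS)
    for hit in hits:
        print(f"line {hit.line_no}: {hit.hostname} -> {hit.ip}")
    for ip, hosts in shared_destinations(hits).items():
        print(f"{ip} receives traffic for {len(hosts)} watch-listed hosts: {hosts}")
```

Run it as-is to see the constructed sample flagged, or call audit_hosts_file() against the live hosts file. The check only covers hosts-file tampering; a redirect done through proxy settings, a PAC script or a changed DNS server would not show up here, so treat a clean result as one data point rather than proof the machine is clean.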
Let's consider MitBs first. These are a huge deal for enterprises and banks to deal with, for three reasons:
- They impact user transactions.
- They are very difficult to detect.
- They last a long time.
A BitB is just as dangerous and just as hard to detect as a MitB. However, this sort of attack requires far fewer resources for attackers to execute. There are two main required resources:
1. The trojan code.
2. An attacker-controlled server.
As opposed to MitB, the BitB trojan code is much simpler to write: it is a very short piece of code that redirects the traffic. As for the server, the attacker just needs a domain; today's automated tools set up the server in a couple of clicks. The BitB setup is a no-brainer. MitB code, however, is much more complicated. Consider your banking application: it has tabs for different operations and different options for transactions, and is in general quite complex. The MitB code needs to be customized for each of these operations in order to hook into each of the application's features. The big guns are required to carry out MitB schemes.
Each of these trojans has the same impact and scares banks and businesses alike. BitB is much easier for an attacker to pull off, but it is most useful for a one-shot sting operation: once uncovered, the attacker-controlled server is shut down and business returns to normal. MitB attacks, on the other hand, are a continuing process that is much harder to fight once uncovered, because there is no single pain-point to bring down.
Imperva have witnessed BitB resurging as an attack tool. Below are a couple of notable campaigns they have seen:
1. Nine Latin American banks were targeted. This is further evidence that BitB is a lucrative scheme: as hackers profit from this sort of attack, they continue to target more banks.
2. Click fraud. This is an interesting scheme because the target is not a banking application; instead the redirection is used to commit fraud against Google. A victim accessing a regional Google domain, for example www.google.co.uk, would be redirected to the attacker-controlled server. When the user performs a query, the attacker fetches the results and ads from Google but serves them on his own page, so when the user clicks on an ad the commission is attributed to the attacker rather than to Google. 36 Google regional domains were targeted, showing that the attackers aimed at victims worldwide.
The Latin American banks were a classic case that provided no visual clues to the traffic take-over. With the click fraud campaign, on the other hand, the visual clues were glaringly apparent, as they show in their advisory on the Imperva site.
Imperva's research arm, the ADC, has established the Hacker Intelligence Initiative (HII), under which the researchers attempt to understand the threat landscape. Their research methods involve:
1. Tapping into hacker forums
2. Monitoring and recording attacker traffic
3. Analyzing attacker resources
As part of the HII's ongoing research, they witnessed these campaigns being carried out. The team started investigating, and this led to a better understanding of hacking operations.
Although BitB is presumably the consumer's problem, one cannot expect the user to know that his browser is under an attacker's control. For the sake of comparison, even anti-virus products do not flag most of these trojans as malware, because they are modified so quickly. It is time, then, for online services such as banks and retailers to recognize this problem and provide solutions. Just as accidents drove car manufacturers to deal with safety by providing seat belts, anti-lock braking systems, air bags and so on, online banks need to consider how to deal with infected customers.
Boy-in-the-Browser attacks have the same impact as Man-in-the-Browser attacks and are just as hard to detect, BUT they are easier to execute. Banks need to start paying more attention to these types of attacks and provide the correct response to deal with them.
Thursday, March 3, 2011
As you may have read recently, cybercrime is now costing the UK $43.5 billion and around $1 trillion globally. Given the release of these statistics, I thought you might be interested in 3 of SC Magazine's upcoming webcasts (http://www.scwebcasts.tv/), which will offer valuable insights into the shape of these threats today and what can be done to avoid them.
I have pasted in details of the 3 webcasts below, SC have some great speakers lined up from companies including Capita and Vodafone so it may well be worth a listen:
1. BENCHMARKING YOUR SECURITY: HOW DO YOU MEASURE UP?
3pm, 29th March – view more info at http://www.scwebcasts.tv/
> As the cyber threat mounts and with mobile platforms changing the face of security, this webcast will give you some surprising statistics from real companies on how secure you really are next to your peers….
Speakers: Marco Ermini, Network Security Manager at Vodafone Group and Jim Acquaviva, VP of Product Strategy, nCircle
Register Now: http://www.scwebcasts.tv/
2. ONLINE VULNERABILITY MANAGEMENT: A 360º PERSPECTIVE
3pm, 6th April - view more info at http://www.scwebcasts.tv/
> With so many disparate online systems, this webcast will offer you a 360º insight into where companies are most commonly attacked and the PCI and other policy considerations you need to know about to stay safe online.
Speakers: Dave Whitelegg, Head of IT Security for Capita and Daan Dia, Director of Strategic Business Development for Outpost24
Register Now: http://www.scwebcasts.tv/
3. CYBERTHREATS: PUBLIC VS. PRIVATE SECTOR
3pm, 7th April - view more info at http://www.scwebcasts.tv/
> An interesting point to emerge from SC’s recent research with global IT Directors was the fact that online threats do differ from Private to Public sector. In this webcast you will hear more on the specific online security priorities of your particular sector to give you food-for-thought that will help streamline your efforts.
Speakers: Mark Jackson, security architect in Cisco's UK Public Sector operation & private sector focused colleague
Register Now: http://www.scwebcasts.tv/
Many of you will have attended an SC webcast at some time or another; if not, they involve a very easy one-off sign-up process. They are also live, giving you the ability to interact via questions and votes. If you can't attend on the live date, securing your free place for each webcast will still give you access to the archive.