InformationWeek Stories by George Hulme
http://www.informationweek.com
Copyright 2012, UBM LLC.

Users Still Careless With Email
Published: 2011-04-25T14:51:06Z
http://www.informationweek.com/news/229402183?cid=RSSfeed_IWK_Authors

Company employees still consistently send confidential and sensitive information via email in violation of rules and regulations, according to a survey by VaporStream.

While not necessarily a surprise, secure email is a huge problem for enterprises. <a href="http://news.morningstar.com/all/business-wire/20110425005150/vaporstream-survey-finds-737-percent-of-respondents-from-larger-companies-admit-to-compliance-violations-via-email.aspx">A survey of how people use email</a> shows that employees may be a bit too loose with their email use when it comes to sensitive and protected information, according to secure messaging service provider VaporStream. Of course, the results play into the services the messaging provider offers, but they are nonetheless scary for any business--especially those in regulated industries.

For instance, respondents were asked: "Have you or any member of your organization ever sent information via email that was in violation of regulatory compliance?" An unexpectedly high 73.7% of those from companies with 100 or more employees said they had done so accidentally. Another 28% admitted to doing so intentionally. Smaller businesses fared better, perhaps because many of them escape the regulatory grip. Roughly 25% of those organizations answered yes to "accidentally" or "intentionally."

It also appears "sender's remorse" is a common affliction. About 50% indicated that they have worried about what might happen to emails after they sent them. Around 20% said that emails have "haunted" them after being sent.

A surprisingly low 3 out of 10 respondents said that they send private and confidential business information by email. One would think that figure would be close to 100%.

About 10% of respondents say they have accidentally leaked confidential information. And 60% of those surveyed have accidentally hit "reply all" when responding to an email.

The question is, after about 40 years of using email, why don't we have a better handle on sharing data more securely with it? Security awareness training might help, but probably not a lot. Some companies may consider sanctioning employees who abuse email by sending regulated information insecurely, while others may let users know that their work emails are monitored.

So What If iPhones Spy User Locations
Published: 2011-04-21T11:52:20Z
http://www.informationweek.com/news/229402104?cid=RSSfeed_IWK_Authors

The iPhone keeps track of its owner's whereabouts, but without that crucial location data, many services that help make the smartphone so popular wouldn't function.

There's been a considerable amount of hullabaloo about how Apple's iPhone stores a record of its owner's travels, both on the phone and on the computer used to sync it. The data, according to Thomas Claburn's story <a href="http://www.informationweek.com/news/security/privacy/229401960">iPhone Software Tracks Location Of Users</a>, is latitude and longitude coordinates and their corresponding timestamps. The data is stored in an unencrypted file on the computer and on the iPhone.

I have a hard time getting worked up about this. First, location data is crucial for popular services such as "Find My iPhone," and for the many, many applications that depend on accurate location data to work. That's the only way they can find the best sushi restaurant close to you, report your location to your favorite social media, or know the nearest theater with the movie you want to see. You get the idea.

Of course, these applications have logs. All of your computing devices pretty much log everything you do.

Second, many companies have this type of data. Many newer car models track everywhere the owner goes.
Your credit card company, bank, and debit card provider know everywhere you travel and everything you buy--unless you are one of the few who pay for everything in cash. Also, let's not overlook the fact that mobile phone network providers have all of this data, and many of them <a href="http://www.eff.org/deeplinks/2009/12/surveillance-shocker-sprint-received-8-million-law">hold it for unknown lengths of time</a>.

And, it appears, phones based on the Android operating system do essentially the <a href="http://www.ibtimes.com/articles/137143/20110421/android-phones-track-users-movements.htm">same thing</a>. The location information is stored in files named cache.cell and cache.wifi.

These are locally stored files, and if any data is sent to Apple--as best I've been able to determine--the data is anonymized and used to build a location database of Wi-Fi hotspots.

And, the fact is, <a href="http://markey.house.gov/docs/applemarkeybarton7-12-10.pdf">Apple has already responded to government inquiries</a> about its location tracking abilities.

The fact that Apple has already answered these questions didn't stop <a href="http://www.franken.senate.gov/files/letter/110420_Apple_Letter.pdf">Senator Al Franken from sending a letter to Steve Jobs</a>, asking about "serious privacy concerns."

Franken wrote:

<em>"I read with concern a recent report by security researchers that Apple's iOS 4 operating system is secretly compiling its customers' location data in a file stored on iPhones, 3G iPads, and every computer that users used to "sync" their devices."</em>

And all of this over a locally stored database file, while real Fourth Amendment concerns, such as exactly what the state of Michigan is doing with its <a href="http://www.thenewspaper.com/news/34/3458.asp">mobile phone forensic devices</a> during traffic stops, don't get a quarter of the same outrage:

<em>The Michigan State Police have a high-tech mobile forensics device that can be used to extract information from cell phones belonging to motorists stopped for minor traffic violations. The American Civil Liberties Union (ACLU) of Michigan last Wednesday demanded that state officials stop stonewalling freedom of information requests for information on the program.</em>

Should Apple encrypt the files? Yes. Should the logs be cleared in a shorter period of time than a year? I think so. Is this as big a deal as it's been made out to be? I don't think so.

If this concerns you, encrypt your iPhone and encrypt your iPhone backups within iTunes.

Iranian Official Claims Siemens Partially Responsible For Stuxnet
Published: 2011-04-19T13:03:04Z
http://www.informationweek.com/news/229401844?cid=RSSfeed_IWK_Authors

The Iranian military has accused German electronics and industrial engineering firm Siemens of taking part in the development of the Stuxnet worm.

We'll probably never know conclusively who wrote and released Stuxnet. Consensus points to the United States and Israel, in an alleged attempt to damage the Iranian nuclear program at the Bushehr nuclear power plant. Previously, Iranian officials asserted that <a href="http://www.informationweek.com/news/security/vulnerabilities/227500803">the malware had not caused any damage</a> to its nuclear program.
Now, if a recent <a href="http://www.reuters.com/article/2011/04/17/us-iran-nuclear-stuxnet-idUSTRE73G0NB20110417">Reuters story is accurate</a>, an Iranian military commander accuses Siemens of helping in the creation of Stuxnet:

<em>Gholamreza Jalali, head of Iran's civilian defense, said the Stuxnet virus aimed at Iran's atomic program was the work of its two biggest foes and that the German company must take some of the blame.

Siemens declined to comment.

"The investigations show the source of the Stuxnet virus originated in America and the Zionist regime," Jalali was quoted as saying.

Jalali said Iran should hold Siemens responsible for the fact that its control systems used to operate complicated factory machinery--known as Supervisory Control and Data Acquisition (SCADA)--had been hit by the worm.</em>

I doubt Siemens had anything to do with the direct creation of the Stuxnet worm, and I certainly haven't read or seen any evidence that would point to that possibility. Most likely, whoever designed the worm--to the degree they needed or wanted assurance that it would work as designed--had the finances to purchase equipment that mirrored the equipment at Bushehr and designed the worm and payload accordingly.

If Siemens did play a role in the development of Stuxnet, it was probably a passive one: they provided the necessary software so that vulnerabilities could be uncovered. Or perhaps they had their software evaluated at Idaho National Labs and--totally unknown to them--the U.S. took that opportunity to discover and pocket a number of zero days.

Additionally, not only is Iran talking about holding Siemens responsible, but a couple of months ago the Iranian deputy chairman of the Joint Chiefs of Staff said the country would take <a href="http://www.tehrantimes.com/Index_view.asp?code=236455">"pre-emptive" strikes</a> against the powers it believes launched the attack.

How well would the U.S. fare in an attack on the power grid? Probably not very well, if a recent Ponemon Institute survey is to be believed. <a href="http://www.informationweek.com/news/security/attacks/229401071">In its survey</a>, the institute found that three-quarters of energy companies and utilities experienced one or more data breaches in the past 12 months. Additionally, 69% of those surveyed believe another data breach is very likely to occur within the next year.

Let's hope they're wrong.

Researchers Aim To Stop Android Data Leaks
Published: 2011-04-14T14:17:30Z
http://www.informationweek.com/news/229401638?cid=RSSfeed_IWK_Authors

Security capabilities shouldn't need to be bolted onto the mobile operating system, but unfortunately we're headed down the same painful path with smartphones and tablets that we took with desktops and notebooks.

Researchers at North Carolina State University have developed software that aims to protect Android smartphone users' data from being stolen. My question: Is this really necessary?

The answer is probably "yes." But should it be?

Dr. Xuxian Jiang, an assistant professor of computer science at N.C. State and co-author of a paper describing the research, said in a statement, "There are a lot of concerns about potential leaks of personal information from smartphones."

No argument.

And to help Android users regain some control over their information, the team developed software they say will give users flexible control over what personal information is made available to which applications. They've named the software Taming Information-Stealing Smartphone Applications, or TISSA.

In their <a href="http://news.ncsu.edu/releases/wms-jiang-tissa/">statement</a>, the team said TISSA works by creating a privacy setting manager that enables users to customize the level of information each smartphone application can access. Those settings can be adjusted at any time the relevant applications are being run--instead of just at their installation.
TISSA, currently in prototype, includes four possible privacy settings for each application: Trusted, Anonymized, Bogus, and Empty, according to their statement. "If an application is listed as Trusted, TISSA does not impose additional information access restrictions. If the user selects Anonymized, TISSA provides the application with generalized information that allows the application to run, without providing access to detailed personal information. The Bogus setting provides an application with fake results when it requests personal information. The Empty setting responds to information requests by saying the relevant information does not exist or is unavailable," they said.

Now, why wouldn't this be a good idea? Why wouldn't people want their personally identifiable information firewalled? They would. That's not the problem. The problem is that these sorts of capabilities shouldn't have to be bolted onto the mobile operating system. They should be built into the feature set of the phone.

But it won't be that way. We have anti-virus for mobile, firewalls, and now this type of information protection. We are going down the same painful path with smartphones and tablets that we took with desktops and notebooks--and we haven't learned a thing.

The paper, "Taming Information-Stealing Smartphone Applications (on Android)," was co-authored by Jiang; Yajin Zhou, a Ph.D. student at NC State; Dr. Vincent Freeh, an associate professor of computer science at NC State; and Dr. Xinwen Zhang of Huawei America Research Center.
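As an added illustration (not the NC State team's code; their prototype modified Android itself), here is a small Python model of the per-application privacy setting manager described above: the four settings the statement names, what each returns for a location, phone-number or contacts request, and a setting being changed while the app is running. The class and function names, the sample device data, and the rules used to generalize and fake values are assumptions for this example.

```python
"""Model of a TISSA-style per-application privacy setting manager.

Added example, not code from the TISSA prototype. The four settings come
from the researchers' statement; everything else here is assumed.
"""
from dataclasses import dataclass, field
from enum import Enum
import random


class Setting(Enum):
    TRUSTED = "trusted"        # no extra restriction: real data
    ANONYMIZED = "anonymized"  # generalized data the app can still run on
    BOGUS = "bogus"            # well-formed fake data
    EMPTY = "empty"            # "does not exist / unavailable"


# Constructed sample data standing in for what the OS would hand an app.
DEVICE_DATA = {
    "location": {"lat": 35.7847, "lon": -78.6821},  # constructed coordinates
    "phone_number": "+1-919-555-0100",               # constructed number
    "contacts": ["Ada Lovelace", "Alan Turing"],     # constructed names
}


def _generalize(kind, value):
    """Anonymized: coarsen the value so the app works but learns no precise PII."""
    if kind == "location":
        # One decimal degree is roughly 11 km: enough for "nearby" features.
        return {"lat": round(value["lat"], 1), "lon": round(value["lon"], 1)}
    if kind == "phone_number":
        return value[:-4] + "XXXX"  # keep country/area code, hide the line number
    if kind == "contacts":
        return ["Contact %d" % i for i in range(1, len(value) + 1)]
    raise KeyError(kind)


def _bogus(kind, rng):
    """Bogus: plausible fake values so an app that insists on data keeps running."""
    if kind == "location":
        return {"lat": round(rng.uniform(-90, 90), 4),
                "lon": round(rng.uniform(-180, 180), 4)}
    if kind == "phone_number":
        return "+1-555-01%02d" % rng.randint(0, 99)
    if kind == "contacts":
        return ["Bogus Contact"]
    raise KeyError(kind)


@dataclass
class PrivacySettingManager:
    """Mediates every app request for personal data according to a per-app setting."""
    data: dict
    settings: dict = field(default_factory=dict)            # app name -> Setting
    rng: random.Random = field(default_factory=lambda: random.Random(0))
    audit: list = field(default_factory=list)               # (app, kind, setting)

    def set_setting(self, app, setting):
        """Settings may change at any time, not only when the app is installed."""
        self.settings[app] = setting

    def request(self, app, kind):
        """Return what the app is allowed to see for this kind of personal data."""
        if kind not in self.data:
            raise KeyError(kind)
        # Assumption: an app with no recorded setting is treated as Empty (default deny).
        setting = self.settings.get(app, Setting.EMPTY)
        if setting is Setting.TRUSTED:
            result = self.data[kind]
        elif setting is Setting.ANONYMIZED:
            result = _generalize(kind, self.data[kind])
        elif setting is Setting.BOGUS:
            result = _bogus(kind, self.rng)
        else:
            result = None  # Empty: the information "does not exist"
        self.audit.append((app, kind, setting.value))
        return result


if __name__ == "__main__":
    mgr = PrivacySettingManager(DEVICE_DATA)
    mgr.set_setting("maps", Setting.TRUSTED)
    mgr.set_setting("flashlight", Setting.ANONYMIZED)
    mgr.set_setting("game", Setting.BOGUS)
    for app in ("maps", "flashlight", "game", "wallpaper"):
        print(app, mgr.request(app, "location"), mgr.request(app, "contacts"))
    mgr.set_setting("game", Setting.EMPTY)  # tightened while the app is "running"
    print("game after change:", mgr.request("game", "phone_number"))
```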
The paper will be presented in June at the 4th International Conference on Trust and Trustworthy Computing, in Pittsburgh, Pa.

Application Security: Much More Than Secure Development Frameworks
Published: 2011-04-11T11:43:27Z
http://www.informationweek.com/news/229401322?cid=RSSfeed_IWK_Authors

If your organization is considering putting a secure application development initiative in place, you need to look beyond all of the technicalities and dig into the organizational challenges first.

If you haven't already, take the time to read Mathew J. Schwartz's piece, <a href="http://www.informationweek.com/news/security/app-security/229401098">Secure Coding Or Bust</a>. The column provides an interesting overview of why secure software development is important.

It also provides a few good suggestions for a start, such as the Software Assurance Maturity Model (<a href="http://www.opensamm.org/">SAMM</a>), the Building Security In Maturity Model (<a href="http://bsimm.com/">BSIMM</a>), and Microsoft's <a href="http://www.microsoft.com/security/sdl/">Security Development Lifecycle</a>.

These are all excellent, but they don't include some of the most important hurdles that need to be leaped before the program can get running at speed. We will dig into three of those below. But first I'd like to draw your attention to an important technical resource, the <a href="https://www.owasp.org">Open Web Application Security Project, or OWASP</a>. It's a vibrant application security community that provides security how-to guides, information on common threat vectors and attack techniques, and insight on most types of vulnerabilities that plague web applications. There's plenty to consume there. I suggest you dig in.

Now, onto the three essentials you'll need to win:

<strong>Get A Champion</strong>

Getting any application security program off the ground has as much to do with garnering executive backing as with technical and application security prowess. Why? Because application security affects everything about your development program, from how much it costs to how defects are handled to developer training, and what developers are asked by the business to prioritize; it can even slow release times. Building application security into a program where it didn't exist before isn't easy.

What to do about it? Get an executive champion: someone who is high enough up on the organization chart to provide political air cover when things get tough. And they'll get tough, especially when developers are being pressed to move an application forward to production rapidly--even when it has critical vulnerabilities that will "be dealt with later." Yes. That's when the knife fights start. Frankly, many--if not most--security teams don't have the power to slow down development times to address security concerns. They can advise, but they can't always make it so. An executive with the authority to slow development--when it's needed--is essential at certain times. And they'll help you with everything else you won't find in a security framework, such as getting the budget you need and convincing others that secure application development is in the best interest of the company.

Trust me: most executives don't get this stuff. And you'll need someone who has the power and the ability to fight your fight in the corner office.

<strong>Enlist The QA Teams</strong>

Having an executive champion for a secure application development program is also important to help change the way development functions. Now, rather than barging in on developers and declaring that everything they've coded until now has sucked and that you are about to show them how it is done right, you might want to try a different tack. That could be to convince the organization that security defects should be treated and remedied as part of the normal Quality Assurance (QA) process.
The reality is that many organizations don't treat security defects the same way they treat software defects that affect performance and availability. However, making security defect vetting part of the normal QA process will go much further toward steering development teams onto the right track than the security group acting like the new vulnerability sheriff in town.

<strong>Fight The Urge To Do It All From The Beginning</strong>

Once you start looking for them, you are going to find more application vulnerabilities than can possibly be dealt with. It's like flipping the light switch on in a kitchen that was left neglected for a while: the roaches and rats will be all over. Only when you illuminate your application security program, it won't be insects and rodents you uncover; rather, it will be more than a dozen vulnerability classes, such as cross-site scripting, buffer overflows, SQL injection, and username enumeration, that occur over and over again in applications. There are probably too many vulnerabilities in existing software, depending on the size of your organization, to go back and fix every application. So start smart with a short list of the common vulnerabilities you're finding in newly developed applications. Start fixing those first. Slowly build from there by adding new vulnerabilities to the list that QA teams look for during their process.

You won't solve every software security problem with this, but it's certainly a leap in the right direction. And it's not as easy as downloading a secure application development framework and running with it.

Dept. Of Education Proffers New Privacy Rules
Published: 2011-04-10T14:32:45Z
http://www.informationweek.com/news/229401292?cid=RSSfeed_IWK_Authors

The U.S. Department of Education has proposed a number of new initiatives aimed at better safeguarding student privacy.

The goal, according to a <a href="http://www.ed.gov/news/press-releases/us-education-department-launches-initiatives-safeguard-student-privacy">news release</a> issued late last week, is to balance the needs of student privacy with the needs of the authorities to track student progress over time so that the government can judge the effectiveness of education programs.

The proposed privacy enhancements will fall under the purview of the Family Educational Rights and Privacy Act of 1974 (FERPA), and were published in the <a href="http://edocket.access.gpo.gov/2011/pdf/2011-8205.pdf">Federal Register</a> on Friday.

According to the statement, the move is designed to bring student record privacy protections up to date. "Over time, interpretations of FERPA have complicated valid and necessary disclosures of student information without increasing privacy protections and, in some cases, dramatically decreased the protections afforded students."

"Data should only be shared with the right people for the right reasons," said U.S. Secretary of Education Arne Duncan. "We need common-sense rules that strengthen privacy protections and allow for meaningful uses of data. The initiatives announced today will help us do just that," the statement continues.

Toward those goals, the Education Department has hired its first chief privacy officer. The privacy officer will head a new division that will promote responsible stewardship, collection, use, maintenance, and disclosure of information at the national level within the Education Department. The new officer will also coordinate technical assistance efforts for states, districts, and other education stakeholders, helping them understand important privacy issues such as minimizing unnecessary collection of personal information.

The Education Department has also said it will establish a Privacy Technical Assistance Center that will work within the National Center for Education Sciences. The center will provide educational institutions guidance on privacy, confidentiality, and data security. The Education Department has also started publishing a new series of briefs that offer best practices on data security and privacy. They are available here.

Also under the proposal:

-- Enforcement provisions of FERPA would be strengthened to ensure that every entity working with personally identifiable information from student education records is using it for authorized purposes only.

-- Schools will be able to implement directory information policies that limit access to student records, preventing marketers or criminals from accessing the data.

-- States can enter into research agreements on behalf of their districts to measure the success of programs, such as early childhood programs that effectively prepare kids for kindergarten.

-- High school administrators can share information on student achievement to track how their graduates perform academically in college.

The commenting period at www.regulations.gov will run until May 23, 2011.

Microsoft's Massive April Patch Tuesday
Published: 2011-04-07T22:44:39Z
http://www.informationweek.com/news/229401206?cid=RSSfeed_IWK_Authors

Many security teams may wish it were March once again. Last month Microsoft issued patches for just four vulnerabilities within three security bulletins.

This Tuesday won't be nearly so tame. The company plans to release 17 separate bulletins that will fix 64 specific security-related software flaws, according to its <a href="http://www.microsoft.com/technet/security/bulletin/ms11-apr.mspx">April Advanced Security Bulletin Notice</a>.

Nine of these bulletins are ranked "critical," the company's most severe rating.
These flaws can be remotely exploited, which is what makes them so troublesome. The flaws affect Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, .NET Framework, and GDI+.

From the <a href="http://www.microsoft.com/technet/security/bulletin/ms11-apr.mspx">Microsoft Security Response Center</a>:

<em>This month we'll be closing some issues that Microsoft has already previously spoken to, including the SMB Browser (Critical) issue publicly disclosed Feb. 15. Microsoft assessed the situation and reported that although the vulnerability could theoretically allow Remote Code Execution, that was extremely unlikely. To this day, we have seen no evidence of attacks.

We are also planning a fix for the MHTML vulnerability in Windows, rated Important. We alerted people to this issue with Security Advisory 2501696 (including a Fix-It that fully protected customers once downloaded) back in late January. In March, we updated the advisory to let people know we were aware of limited, targeted attacks.</em>

As always, Microsoft will host a webcast on Wednesday, April 13, where more details about the bulletins will be discussed.

NSA Investigating Nasdaq Hack
Published: 2011-03-31T18:34:25Z
http://www.iweek-interim.com/news/229400993?cid=RSSfeed_IWK_Authors

Last month when we covered the attack on the Nasdaq's Directors Desk collaboration platform, we said the incident posed plenty of questions, while the Nasdaq proffered (at least publicly) few answers. It seems the National Security Agency agrees.

According to a Bloomberg news report, the NSA is now involved in the probe into the attack on the Nasdaq systems that occurred last October. Bloomberg quoted an unnamed source saying the NSA got involved after evidence surfaced that the attack was more involved than was first disclosed.

After covering hundreds of breaches over the years, I can tell you that they often are.

And the involvement of the NSA in such matters is very, very rare. The Bloomberg story, <a href="http://www.bloomberg.com/news/2011-03-30/u-s-spy-agency-said-to-focus-its-decrypting-skills-on-nasdaq-cyber-attack.html">U.S. Spy Agency Is Said to Investigate Nasdaq Hacker Attack</a>, sheds some light on why the NSA is involved:

<blockquote>"By bringing in the NSA, that means they think they're either dealing with a state-sponsored attack or it's an extraordinarily capable criminal organization," said Joel Brenner, former head of U.S. counterintelligence in the Bush and Obama administrations, now at the Washington offices of the law firm Cooley LLP.

The NSA's most important contribution to the probe may be its ability to unscramble encrypted messages that hackers use to extract data, said Ira Winkler, a former NSA analyst and chief security strategist at Technodyne LLC, a Wayne, New Jersey-based information technology consulting firm.</blockquote>

At the time of our post, <a href="http://www.informationweek.com/blog/main/archives/2011/02/nasdaq_hack_lot.html">Nasdaq Hack. Lots of Questions. Few Answers</a>, Nasdaq claimed that its trading platform was not affected, and it made clear in a statement that no Directors Desk customer information was accessed when the company determined:

<blockquote>that our web facing application Directors Desk was potentially affected. We immediately conducted an investigation, which included outside forensic firms and U.S. federal law enforcement. The files were immediately removed and at this point there is no evidence that any Directors Desk customer information was accessed or acquired by hackers.</blockquote>

Now, with the NSA in the investigation, it's looking more likely that the attackers did manage to get away with some form of valuable information.

For security and technology observations throughout the day, find me on Twitter as <a href="http://www.twitter.com/georgevhulme">@georgevhulme</a>.

(Slightly) More Organizations Proactively Managing Security Efforts
Published: 2011-03-30T12:50:59Z
http://www.iweek-interim.com/news/229400991?cid=RSSfeed_IWK_Authors

A security vendor survey at the RSA Conference 2011 shows more organizations planning and coordinating their security efforts across security and IT operations teams and risk management groups. But don't plan on a party and fireworks celebration just yet: the improvements are minor.

According to security vendor SenSage's recent and not so pithily titled <a href="http://www.prnewswire.com/news-releases/new-study-indicates-most-organizations-cant-access-critical-security-data-118831419.html">report</a>, The State of Security Information and Event Management Processes: A Survey of Security Professionals' Attitudes About Security Operations, Measurement and Data Analysis, small steps in the right direction are being made. For instance, in 2010 about 42 percent of those surveyed at least planned and documented process coordination among IT operations, security operations, and risk managers, and a good portion of those actually measured the amount of process coordination in place. In the 2011 survey, that number jumped to 47 percent.
However, for you glass-half-empty folks, that still means 53 percent range from no coordination to "reactive triage across teams." A year ago, though, that number was an even worse 58 percent.

Of course, in trying to hype the need for its technology, SenSage is hyping the relatively poor state of most enterprises' ability to measure security effectiveness.

However, the data does show an improvement, year over year. And it's a dramatic improvement from a few years ago, when even reactive triage among these teams was a pipe dream in many companies. These stakeholders weren't even talking. At least now they are.

And there's more discussion among security managers around metrics and the ability to measure and improve security processes than ever before. It's good to see the security profession start to take these steps and grow up. There's much more work to do, of course, as the results from the survey below show, but at least the industry is heading in the right direction:

<blockquote>• Sixty-five percent of enterprises say that they have no measurement to benchmark the effectiveness of these processes, or that this measurement is inconsistent.

• More than a third (34 percent) of respondents said that they have no proactive efforts in place to improve the five processes, or that their improvement efforts have been inconsistent.

• As a result of this absence of coordination, measurement, and proactivity, most organizations (57 percent) perceive these five core areas of security management to be ineffective or "somewhat effective" at best.</blockquote>

Where is your organization? Are your operations and security teams working together? Is your organization mature enough now to be measuring your progress? We'd be interested in hearing about your experience.

For my security and technology observations throughout the day, you can find me on Twitter <a href="http://www.twitter.com/georgevhulme">@georgevhulme</a>.

"Trusted" Sites Fail To Clean Malvertising Scourge
Published: 2011-03-27T19:28:23Z
http://www.iweek-interim.com/news/229400979?cid=RSSfeed_IWK_Authors

Reports indicate that users of Facebook and the European music service Spotify have been exposed recently to malvertising attacks.

As was detailed on anti-malware vendor Sophos' Naked Security blog, the Spotify service was hit by malicious ads that were inserted into a legitimate advertising network. These ads exploited a vulnerability within Java that left an opening for attackers to install malware on vulnerable systems.

Sophos also <a href="http://nakedsecurity.sophos.com/2011/03/26/malvertising-resurfaces-on-spotify-and-facebook/">reports</a>, from a tip it received, that Facebook also served a number of malicious ads:

<blockquote>Naked Security reader John sent us a tip that there were malicious ads circulating on Facebook.

When you click on the ad on Facebook, you are redirected to a page saying you need to install Adobe Flash Player. The malware is served up when you click and is called AdobeFlashPlayer.exe.</blockquote>

Malvertising attacks like this have been a growing concern. According to Web security firm Dasient, in the last three months of 2010 attackers managed to serve more than 3 million malvertising impressions every day.

Also, a few weeks ago, malicious ads selling bogus anti-virus software somehow made it onto the ad network used by the London Stock Exchange and Autotrader, as reported by the <a href="http://www.bbc.co.uk/news/technology-12608651">BBC</a>:

<blockquote>Tens of thousands of people could have been caught out by cyber criminals who put booby-trapped adverts on popular webpages.

The criminals racked up the victims by compromising the computers used by ad firm Unanimis to display adverts to popular websites.

The ads appeared on the websites of the London Stock Exchange, Autotrader, the Vue cinema chain and six other sites.

Unanimis said it moved quickly to pull the adverts once they were discovered.</blockquote>

More information about the plague of malvertising can be found at the website of the <a href="https://otalliance.org/resources/malvertising.html">Online Trust Alliance</a>.

For my security and technology observations throughout the day, find me on Twitter at <a href="http://www.twitter.com/georgevhulme">@georgevhulme</a>.

Shocker! (Not Really): Users Apathetic When It Comes To Mobile Security
Published: 2011-03-26T11:57:36Z
http://www.iweek-interim.com/news/229400978?cid=RSSfeed_IWK_Authors

A survey conducted by the Ponemon Institute shows just how lax users really are when it comes to securing their smartphone devices.

The Ponemon Institute released its Smartphone Security Survey: A Study of U.S. Consumers [<a href="http://aa-download.avg.com/filedir/other/Smartphone.pdf">pdf</a>], which was sponsored by anti-virus vendor AVG Technologies. The stated goal of the survey was to understand users' perceptions about potential smartphone privacy and security risks. It surveyed 734 smartphone owners over the age of 18.
<P> Here are a few things uncovered in the report: <blockquote> Most people - 84 percent - use their smartphone for both personal and work. <P> In addition to using it as a phone, 89 percent use their smartphone for personal email and 82 percent use it for business email. <P> Forty-two percent of consumers who use social networking apps say they allow smartphone versions of well-known social networking applications such as Facebook to access the same key chains, passwords and log-ins that they use of their desktops, laptops or tablet. <P> Despite security risks, less than half of consumers use keypad locks or passwords to secure their smartphones. </blockquote> <P> This highlights the dangers with the consumerization of IT in the enterprise. Not only is the data at jeopardy being stored unencrypted, unprotected on the smartphone - when the employee quits or is terminated from their job they're likely to keep any corporate data on their phone. The risk is exponentially increased when you consider many users are probably using cloud-based storage services (not sanctioned or managed by the business) that they can access from their phone - even after they're terminated or quit. <P> Situations like this pose a serious challenge to businesses that what to provide some level of device freedom to their employees - but still maintain some semblance of control over data. <P> If your business is facing similar situations, we'd be interested in learning how you're managing it. <P> For business and security observations throughout the day, find George on Twitter as <a href="http://www.twitter.com/georgevhulme">@georgevhulme</a>.2011-03-24T18:11:48ZAre Industrial Control Systems The New Windows XPEarlier this week a security researcher posted nearly three dozen vulnerabilities in industrial control system software to a widely read security mailing list. 
The move has Supervisory Control and Data Acquisition (SCADA) system operators scrambling, and US-CERT issuing warnings.
http://www.iweek-interim.com/news/229400973?cid=RSSfeed_IWK_Authors

Mathew J. Schwartz's story from yesterday, <a href="http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=229400160">SCADA Attack Code Released For 35 Vulnerabilities</a>, sums it up well:

<blockquote>The vulnerable systems include Siemens Tecnomatix FactoryLink 8.0.1.1473 (six vulnerabilities, though one is DOS-only), Iconics Genesis32 and Genesis64 10.51 (13 vulnerabilities), 7-Technologies IGSS -- Interactive Graphical SCADA System -- 9.00.00.11059 (8 vulnerabilities), and DATAC RealWin 2.1 (8 vulnerabilities). US-CERT's Industrial Control Systems Cyber Emergency Response Team released four related security bulletins.

Most of the detailed vulnerabilities involve buffer overflows and other threats which, according to experts cited by Wired News, pose little danger except the threat of a system crash. But there are at least two exceptions: The Siemens software can also be made to download a file, raising the possibility of a remote code execution attack. In addition, the IGSS software is vulnerable to arbitrary file execution.</blockquote>

The security of these industrial systems - which help to manage chemical, manufacturing, energy, and distribution networks - is critical. That goes without saying, and many have been decrying the security of SCADA systems for years.

Researchers I've interviewed in recent months have said that not only are the SCADA systems themselves inherently full of flaws (and who could argue after this week's vulnerability dump?), but that operators also fail to keep these systems adequately segmented from the Internet, enforce encrypted access, or even use strong authentication.

<a href="http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=229218562">Stuxnet</a>, especially, highlighted the dangers of such complacency.

The current sad state of affairs with SCADA security reminds me of the pre-Windows XP Service Pack 2 days - when dozens of operating system vulnerabilities and worms hammered the operating system. The inherently insecure operating system required one of the most aggressive security overhauls of any operating system before - or since - just to make the software marginally more secure.

This week's disclosure is another sign that SCADA developers are going to have to undergo a similar evolution if they're to be trusted. These systems are going to have to be <a href="http://en.wikipedia.org/wiki/Fuzz_testing">poked, prodded, and fuzzed</a> by their vendors. And if they aren't, expect more vulnerability dumps like the one we saw this week - and more Stuxnets. Hopefully, the worm won't be aimed at U.S. systems next time.

For my security and technology observations throughout the day, find me on Twitter <a href="http://www.twitter.com/georgevhulme">@georgevhulme</a>.

2011-03-18T12:47:52Z
RSA Breach Leaves Customers Bracing For Worst
RSA, the information security division of EMC Corp., disclosed in an open letter from RSA chief Art Coviello that the company was breached in what it calls an "extremely sophisticated attack." Some information about its security products was stolen.
Customers are bracing for more details.
http://www.iweek-interim.com/news/229400962?cid=RSSfeed_IWK_Authors

RSA has more than 70% of the two-factor authentication market, according to IDC. It has shipped some 25 million authentication devices so far. RSA's SecurID tokens periodically generate a random numerical value that is used to access IT resources - typically high-value resources.

That's why many customers, including two I spoke with last night, were disheartened to learn that RSA not only suffered a significant breach that was characterized as an Advanced Persistent Threat (<a href="http://www.darkreading.com/database-security/167901020/security/attacks-breaches/222600139/index.html">APT</a>), but that its SecurID system was compromised to some extent, as detailed in <a href="http://www.rsa.com/node.aspx?id=3872">Coviello's letter</a>:

<blockquote>Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.</blockquote>

When I discussed the situation with the security manager at a Midwest-based bank that uses SecurID tokens to protect its administrative systems, he expressed considerable concern about whether the devices can adequately protect the bank if part of the cryptographic algorithm has been compromised. "We're going to be extraordinarily vigilant for anything out of the ordinary around our access controls until we learn more," he said. He asked not to be identified.

In an e-mail exchange, Scott Crawford, managing research director at Enterprise Management Associates, said it would be speculation to try to determine the nature of the risk. "But as they say, 'reducing the effectiveness' would seem to mean that attackers were seeking ways to circumvent or defeat SecurID in some way. Two-factor authentication is typically used to protect higher-sensitivity access or assets, and SecurID is a popular two-factor authentication product, so the objective would appear to be to find ways to gain access to assets/resources protected by SecurID," he said.

"There is a larger issue here," Crawford added. "The security of security measures themselves. If you can gain control of the measures that control and protect an asset, you may gain the asset itself...something for security and management vendors -- and their customers -- to consider more seriously."

In an interview with the New York Times, cryptography expert and inventor Whitfield Diffie, a VP with the Internet Corporation for Assigned Names and Numbers, speculated that the attackers may have pilfered the "master key used as part of the encryption algorithm."

The worst case, he said, would be that the intruder could produce cards that duplicate the ones supplied by RSA, making it possible to gain access to corporate networks and computer systems.

That's something many RSA customers are considering quite seriously today.

<strong>SEE ALSO:</strong> <a href="http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=229301301">RSA SecurID Customers Fear Fallout From Targeted Attack On Security Firm</a>

2011-03-16T19:49:51Z
Trojan Attacks Remain Most Popular
http://www.iweek-interim.com/news/229301243?cid=RSSfeed_IWK_Authors

Anti-malware vendor Panda Security's PandaLabs has found that the number of threats . . . surprise, surprise . . . has risen significantly year over year. What's interesting is how large a share of attacks Trojans have become.

According to PandaLabs, the number of threats in circulation has risen significantly since last year - with an average of 73,000 new strains of malicious software appearing each day. That's a 26 percent rise over the same quarter a year ago.

What stood out to me is the fact that PandaLabs calculates that Trojans account for 70 percent of all new malware created. If anyone doubted that the primary motivation behind malware is theft, that data point alone should change minds.

PandaLabs also found that both fake anti-virus and rogueware have decreased and bots have remained steady. Not so surprisingly, because of their utility and how small they are, downloaders are on a considerable rise.
Downloader Trojans are relatively small snippets of code that subsequently download scripts and other programs onto the infected system. Those payloads can be used to steal data, use the infected system as a launch pad for deeper attacks into the business, or even install bots that become part of broader denial-of-service attacks. It's very easy for traditional anti-malware defenses to miss these types of attacks.

Luis Corrons, technical director of PandaLabs, pointed out in a <a href="http://press.pandasecurity.com/usa/news/creation-of-new-malware-increases-by-26-percent-reaching-more-than-73000-samples-every-day-according-to-pandalabs/">statement</a> that the technical acumen necessary to create such attacks is becoming quite low. "The proliferation of online tools that enable non-technical people to create Trojans in minutes and quickly set up illegal business - especially when it provides access to banking details - is responsible for Trojans' impressive growth," he said.

For my security and technology observations throughout the day, find me on <a href="http://www.twitter.com/georgevhulme">Twitter</a>.

2011-03-12T20:12:16Z
NERC Creates Cyber Assessment Task Force
http://www.iweek-interim.com/news/229300868?cid=RSSfeed_IWK_Authors

The North American Electric Reliability Corporation (NERC) recently announced the formation of a Cyber Attack Task Force. The task force will be charged with identifying the potential impact of a coordinated cyber attack on the reliability of the bulk power system.

According to this <a href="http://www.nerc.com/fileUploads/File/News/PR_Cyber_AssetTF_02MAR11.pdf">release</a>, the task force "will identify opportunities to enhance existing protection, resilience and recovery capabilities associated with power system operations practices, plans and procedures, as well as the tools and systems that operators rely upon to manage the reliable operation of the bulk power system."

The goal is to <a href="http://www.nerc.com/docs/cip/catf/NERC_Cyber_Attack_Task_Force_Scope.pdf">develop flexible options</a> so that potential attacks can be spotted and rapidly mitigated.

So far, the task force comprises roughly 40 volunteers and is chaired by Mark Engels, director of Information Technology Risk Management at Dominion. Charles Abell, supervising engineer of Transmission Operations Technical Support at Ameren Corporation, is vice chair.

The creation of the task force is part of the "Coordinated Action Plan" developed through a cooperative effort between NERC and the Department of Energy. That report concluded that the best way to manage a cyber event would be through a coordinated effort between the bulk energy industry and NERC-led initiatives. The June 2010 report, High Impact, Low Frequency Event to the North American Bulk Power System, can be found <a href="http://www.nerc.com/files/HILF.pdf">here</a>.

The coordinated response to an attack that arises from the Coordinated Action Plan is supposed to model "extreme conditions that would make bulk power system operations much more challenging than would normally be considered by electricity entities through their usual planning and preparedness activities," the initiative's scope document states.

A separate Smart Grid Security Task Force is being established to address security issues related to the smart grid.

"NERC and the electricity industry have been actively addressing cybersecurity risks for some years now," Gerry Cauley, president and CEO of NERC, said in a statement. "This initiative will more thoroughly examine the potential impact of a targeted cyber attack and how the industry should best coordinate the preparedness and response actions of cyber security experts with power grid operators."

Let's hope so.

For my security and technology observations throughout the day, find me on <a href="http://www.twitter.com/georgevhulme">Twitter</a>.

2011-03-11T18:19:09Z
Botnet Threat: More Visibility Needed
http://www.iweek-interim.com/news/229300870?cid=RSSfeed_IWK_Authors

According to a report released by the European Network and Information Security Agency, the current ways botnets are measured are lacking - and it just may be hurting the fight against the zombie plague.

The report, <a href="http://www.enisa.europa.eu/act/res/botnets/botnets-measurement-detection-disinfection-and-defence">Botnets: Measurement, Detection, Disinfection, and Defence</a>, says the fuel behind the success of botnets is threefold: 1) the ease and cost of infecting a user's PC with malware; 2) the profit that can be gained by running a botnet (which is related to the effectiveness of defensive measures against up-and-running botnets); and 3) the probability and severity of criminal sanctions against the perpetrator.

In short, botnets are easy to propagate, highly profitable, and carry a low risk of the operator being busted by the authorities. That's the perfect set of market ingredients to bake many, many botnets.
Unfortunately, the 150-page report found that's not likely to change any time soon. That's because current methods used to measure the size of botnets aren't accurate, and researchers really don't know how big these networks get. Additionally, the size of the network, the report states, isn't the best way to measure the risk these things pose. That's because these networks can be easily morphed, thereby changing the threat they pose.

Fighting botnets is part technological, part end-user awareness, and, as the report found, part regulatory, along with increased international cooperation. From the report:

<blockquote>• The current legal frameworks of various EU Member States and their national diversity in the context of cybercrime are a key factor in the efficiency of the fight against botnets. The applicability of promising detection and mitigation approaches is also limited through certain conflicts between data protection laws and laws that ensure a secure operation of IT services. Finally, working processes increase the reaction time to the extent that they can be evaded with little effort by criminal individuals, capitalising on the ease with which botnets can be configured. For more information on the legal issues identified in the context of botnets.

• The global botnet threat is best countered by close international cooperation between governments and technically-oriented and legislative institutions. For an efficient supranational mitigation strategy to work, cooperation between stakeholders must be intensified and strengthened by political will and support. In this context, the standardisation of processes for information exchange plays an important role. This includes reports about incidents, identified threats, and evidence against criminal individuals, ideally leading to their arrest, as well as mechanisms for maintaining the confidentiality of shared information and establishing the trustworthiness of its source.</blockquote>

Just as is the case with viruses, spyware, and other types of malware, the battle against botnets is a long haul, and more about managing the risk than defeating it outright.

For my security and technology observations throughout the day, find me on <a href="http://www.twitter.com/georgevhulme">Twitter</a>.

2011-03-10T10:35:04Z
Watch Where You Swipe
http://www.iweek-interim.com/news/229300856?cid=RSSfeed_IWK_Authors

We tend to focus attention on online data and identity theft and forget that we can be targeted just as easily offline.

A couple of years ago I noticed that strange, and hefty, charges were quickly being racked up on one of my credit cards. I had only used that card at one restaurant in the month prior, so I had a pretty good idea where the card account data was stolen. It wasn't a big deal getting the charges removed from my account and opening a new one. It was a couple of hours on the phone and some paperwork. Done.

Fortunately, it was much easier than what had happened fifteen years ago at a gym where I often worked out at the time. In that incident, I returned to my locker only to find the neck of the combination lock sliced with bolt cutters and lying on the floor. My gym bag was shuffled and my wallet gone. It wasn't long before I noticed items I hadn't bought on my statements, and I started getting collection calls from accounts I hadn't opened.

Nightmare. That incident took months to clean up and a year to get my credit report back into proper shape. The only fortunate thing was that I didn't need new credit for anything that year.

Those two incidents are why I can empathize so easily with the victims of the latest batch of credit card skimming attacks in Southern California. According to prosecutors, two men face felony charges for planting card skimming devices inside several gas pumps in Los Altos and Mountain View late last year.

From the <a href="http://losaltos.patch.com/articles/men-charged-with-theft-of-3600-credit-card-numbers-from-los-altos-mountain-view-gas-pumps">Los Altos Patch</a>:

<blockquote>Deputy District Attorney Tom Flattery said Wednesday that he received several phone calls from people who stated that they had been victims of identity theft and that they had used those gas pumps.

"If you know you've been a victim and you know you frequented one of these stations, it's logical to assume that it may have been at one of these stations," he said, adding that consumers should take really good looks at their credit card statements for irregularities. "If you see small charges like $1 to $2 that could be a test charge in preparation for a big hit."

Flattery said authorities believe that some 3,600 credit card numbers collected by the skimmer had not been compromised, that is, used criminally, because they remained on the card skimmers when the pair was arrested. Usually, Flattery explained, these devices just collected the numbers and then the numbers would get dumped into a computer.</blockquote>

While big data breaches make the headlines, small operations like this steal from thousands of people every day as they go about their daily business.
For my security and technology observations throughout the day, find me on <a href="http://www.twitter.com/georgevhulme">Twitter</a>.

2011-02-28T17:55:17Z
Sophisticated Trojan Targets Some Banking Sites
http://www.iweek-interim.com/news/229300887?cid=RSSfeed_IWK_Authors

S21sec, a Spanish information security firm, claims to have spotted a new Trojan with advanced infiltration and attack techniques.

This Trojan, named Tatanga, like most banking Trojans, possesses man-in-the-browser capabilities and can inject malicious HTML code into many popular browsers. According to S21sec, the Trojan can conduct banking transactions in the background. It can display a fake balance, which the end user perceives as the real account balance, while the account is being fleeced.

"The trojan in question is rather sophisticated," the company posted in its <a href="http://securityblog.s21sec.com/?sec=84">research blog</a>. "It is written in C++ and uses rootkit techniques to conceal its presence, though on occasion, its files are visible. The trojan downloads a number of encrypted modules (DLLs), which are decrypted in memory when injected to the browser or other processes to avoid detection by antivirus software," it continued.

Some of those libraries grab email addresses, encrypt and manage the malware's processes, remove other forms of malware on the machine, and block installed antivirus applications.

The Trojan can also grab user credentials during the session, including one-time passwords. The malware relies on both technical attacks and social engineering tactics designed to walk users through a transfer they think is a demonstration.

S21sec has a snippet of the Trojan's code on its <a href="http://securityblog.s21sec.com/?sec=84">site</a>.

While the Trojan is currently targeting European banks, mainly in Spain, the United Kingdom, Germany, and Portugal, these attacks rarely remain localized.

Unfortunately, according to the security firm, the anti-virus detection rate for this Trojan is currently very low.

For my security and technology observations throughout the day, find me on <a href="http://www.twitter.com/georgevhulme">Twitter</a>.

2011-02-27T11:32:38Z
New Mac OS X Backdoor Trojan Surfaces
http://www.iweek-interim.com/news/229300885?cid=RSSfeed_IWK_Authors

Researchers at anti-virus firm Sophos say they've identified a new Trojan designed to infect Mac OS X users.

Perhaps it was only a matter of time, considering the success of the Apple brand and the growing market share of OS X, before malware created explicitly to target OS X would surface.

The Trojan has been named the Blackhole RAT (for Remote Access Trojan), and according to Sophos researchers, the backdoor is not yet completely written. However, their analysis shows that it's a revision of a common Windows RAT known as darkComet.

According to <a href="http://nakedsecurity.sophos.com/2011/02/26/mac-os-x-backdoor-trojan-now-in-beta/">Sophos</a>:

<blockquote>The Mac OS X version is very basic and there appears to be a mix of German and English in the user interface. Its functions include:

* Placing text files on the desktop
* Sending a restart, shutdown or sleep command
* Running arbitrary shell commands
* Placing a full screen window with a message that only allows you to click reboot
* Sending URLs to the client to open a website
* Popping up a fake "Administrator Password" window to phish the target</blockquote>

The author has also included a welcome note within the Trojan:

<blockquote>"I am a Trojan Horse, so i have infected your Mac Computer. I know, most people think Macs can't be infected, but look, you ARE Infected! I have full controll over your Computer and i can do everything I want, and you can do nothing to prevent it. So, Im a very new Virus, under Development, so there will be much more functions when im finished."</blockquote>

While such Trojans don't spread like worms or viruses, they can easily infect users through vulnerabilities in their browsers and through tainted applications and files.

For my information security and technology observations throughout the day, find me on <a href="http://www.twitter.com/georgevhulme">Twitter</a>.

2011-02-24T12:31:33Z
Security Departments Stretched Too Thin, Firefighting
http://www.iweek-interim.com/news/229300879?cid=RSSfeed_IWK_Authors

While application vulnerabilities, mobile computing, and malware top the list of IT security vulnerabilities and threats, a just-released survey from ISC2 and Frost & Sullivan reveals an underlying, more systemic threat.

The <a href="https://www.isc2.org/workforcestudy/Default.aspx">2011 (ISC)2 Global Information Security Workforce Study</a> (GISWS) shows what many might suspect when looking at the state of information security: cloud computing, mobile devices, and shoddily written software are all pressing risks. No big shocker here.

However, the survey showed that security professionals are spending an incredible amount of time on issues peripheral to keeping their systems secure. Researching new technologies (49 percent), internal politics (46 percent), and meeting regulatory compliance (45 percent) were the top three. The next batch of activities included developing policies, auditing IT security compliance levels, and implementing new technologies.
This paints a picture of an industry playing security catch-up with new technologies and services, such as cloud computing and social networking - and struggling to bolt security onto these systems after they've been adopted. It also hints at the damage regulatory compliance has done to the security profession, as security teams ensure that their systems are secured to a level that won't elicit government fines or industry sanctions - but not necessarily to a level that won't get hacked.

IT security is about security professionals trying to install proper brakes on a runaway train, while also ensuring that the cars and cabin are maintained to proper specifications during the crisis.

This condition is taking its toll on the profession, as Tim Wilson at Dark Reading reported on the same survey in his story <a href="http://www.darkreading.com/security-monitoring/167901086/security/security-management/229219084/under-growing-pressure-security-pros-may-be-ready-to-crack-study-says.html">Under Growing Pressure, Security Pros May Be Ready To Crack, Study Says</a>:

<blockquote>The (GISWS) says new threats stemming from mobile devices, the cloud, social networking, and insecure applications have led to "information security professionals being stretched thin, and like a series of small leaks in a dam, the current overworked workforce may be showing signs of strain."

"In the modern organization, end users are dictating IT priorities by bringing technology to the enterprise rather than the other way around," said Robert Ayoub, global program director for network security at Frost & Sullivan. "Pressure to secure too much and the resulting skills gap are creating risk for organizations worldwide ... They are being asked to do too much, with little time left to enhance their skills to meet the latest security threats and business demands."</blockquote>

It doesn't take too many intellectual cycles to look at the accelerating adoption of new technologies in the enterprise, coupled with little improvement in secure application design and system implementation and a focus on compliance check boxes rather than enterprise security, to see that this is only likely to get worse.

That is, unless the IT industry starts to take long-term thinking about security seriously and starts building secure applications and implementing secure systems from the beginning. And that's about as likely as . . . Wait . . . Is that a flock of flying pigs?

For my security and technology observations throughout the day, find me on <a href="http://www.twitter.com/georgevhulme">Twitter</a>.

2011-02-22T11:56:56Z
Researchers: SSD Drives Pose Data Sanitation Risk
http://www.iweek-interim.com/news/229219252?cid=RSSfeed_IWK_Authors

Researchers from the University of California, San Diego are warning that traditional methods to clear data from hard drives may not work as well on solid state disks.

For those who need to make certain that sensitive data is cleared from their drives after systems are decommissioned, or when they're transferred to other employees or users, SSDs may pose a serious challenge.

According to <a href="http://www.usenix.org/events/fast11/tech/tech.html#Wei">this study</a>, the researchers evaluated 12 SSDs. Of those that had built-in ATA and SCSI commands for wiping data – only eight of the twelve – half of the wiping routines on those eight didn't work.

The researchers suggest, instead, that disks be encrypted as soon as the initial system image is created.

They found that degaussing the drives (using magnetism to destroy the structure of the data) didn't work properly. And software wiping of individual files could not be relied upon to work properly with the drives' native routines. Wiping the entire drive with software routines worked often, but not always.

The team provided tools they believe make file sanitization more effective. "Overall, we conclude that the increased complexity of SSDs relative to hard drives requires that SSDs provide verifiable sanitization operations," the report concluded.

This news is troubling for those in industries with highly sensitive, confidential, or regulated data who must ensure drive data is properly destroyed.

Colleague Mathew J. Schwartz covers more detail in his story, <a href="http://www.informationweek.com/news/storage/data_protection/showArticle.jhtml?articleID=229219009">SSDs Prove Tough To Erase</a>:

<blockquote>How can SSDs be effectively secured or disposed of, short of physically destroying them? The researchers propose encrypting all data from the start, then destroying the encryption keys and overwriting every page of data to securely wipe the SSD and block future key recovery.

Implementing such an approach requires planning. "To properly secure data and take advantage of the performance benefits that SSDs offer, you should always encrypt the entire disk and do so as soon as the operating system is installed," said Chester Wisniewski, a senior security advisor for Sophos Canada, in a blog post. Based on the researchers' findings, "securely erasing SSDs after they have been used unencrypted is very difficult, and may be impossible in some cases," he said.</blockquote>

For my security and technology observations throughout the day, find me on Twitter as <a href="http://www.twitter.com/georgevhulme">@georgevhulme</a>.

2011-02-21T18:19:54Z
Security Coming To Mobile And Embedded Devices
Security firm McAfee expects 50 billion mobile and connected embedded devices by the year 2020. And guess who is promoting new tools promising to protect them.
But is this a layer of protection we are going to need?http://www.iweek-interim.com/news/229219255?cid=RSSfeed_IWK_AuthorsSecurity firm McAfee expects 50 billion mobile and connected embedded devices by the year 2020. And guess who is promoting new tools promising to protect them. But is this a layer of protection we are going to need?Based on recent events, I'd have the say the answer is a resounding "Yes." <P> Last year we were introduced to Stuxnet, which proved that <a href="http://en.wikipedia.org/wiki/SCADA">SCADA systems and Programmable Logic Controllers</a> (PLCs) are viable targets for worms and viruses. We've seen a number of Trojans and other forms of <a href="http://blog.mylookout.com/2011/02/security-alert-hongtoutou-new-android-trojan-found-in-china/">malware aimed at smart phones</a>, and even a new attack that <a href="http://threatpost.com/en_us/blogs/attack-can-extract-crypto-keys-mobile-device-signals-021611">can pull cryptography keys</a> directly from mobile device signals. <P> Then there's the story that broke just last week about the ATM machine that was programmed to give cash away. <a href="http://www.nbcchicago.com/news/local-beat/atm-thefts-116435289.html">From NBC Chicago</a>: <P> <blockquote>Authorities said Thursday that more than &#36;140,000 has been stolen since December of 2010 from private cash machines installed by Maryland-based ATM Systems. <P> The thieves used special codes to reprogram the machines to spit out more money than they should during a single transaction.</blockquote> <P> We are going to have the same types of threats targeting mobile and embedded devices, clearly. Which is why it's not a big surprise to see security software maker McAfee and Wind River (Intel properties, both) announce plans to integrate some of McAfee's software with Wind River's mobile and embedded device software, such as those used in ATMs and SCADA systems. 
Kelly Jackson Higgins at <a href="http://www.darkreading.com/security-monitoring/167901086/security/application-security/229218873/mcafee-wind-river-team-to-build-security-protection-for-embedded-mobile-devices.html">Dark Reading covered the partnership</a>, made public at last week's RSA Conference 2011:

<blockquote>The first products from the development initiative are planned for the second half of the year, initially with McAfee's ePolicy Orchestrator (ePO) security management agent added to Wind River's software. "We'll do reporting and compliance and whitelisting," said Dave DeWalt, president and CEO of McAfee. Network access control, DLP, and host intrusion prevention also will be integrated into Wind River's software over time, he said.

Ken Klein, president of Wind River, which was acquired by Intel in 2009, says the booming number of connected devices needs to be secured. "This is purpose-driven protection for all layers of the stack" that specifically addresses the power and performance constraints under which these devices must operate, he said. The companies will integrate their sales, support, and joint marketing efforts for the new product line.</blockquote>

Expect to see, in the coming months and years, much more news on securing the extended Internet of embedded and mobile devices.

For my security and technology observations throughout the day, find me on Twitter as <a href="http://www.twitter.com/georgevhulme">@georgevhulme</a>.

2011-02-20T15:32:14Z
Hacks From China Strike Canadian Government
CBC is reporting that attacks from IP addresses based in China have managed to successfully breach networks within the Finance and the Treasury Board of Canada, as well as Defence Research and Development Canada.
The attack is the latest in a string of attacks aimed at high-level government agencies.
http://www.iweek-interim.com/news/229219198?cid=RSSfeed_IWK_Authors

From the <a href="http://www.cbc.ca/news/technology/story/2011/02/16/pol-weston-hacking.html">CBC</a>:

<blockquote>An unprecedented cyberattack on the Canadian government also targeted Defence Research and Development Canada, making it the third key department compromised by hackers, CBC News has learned.

The attack, apparently from China, also gave foreign hackers access to highly classified federal information and also forced the Finance Department and Treasury Board - the federal government's two main economic nerve centres - off the internet.</blockquote>

So how did they get in?

The CBC reports that it was a standard spear-phishing attack, just as we've seen with the Aurora attacks against Google and many other high-profile companies in the U.S. According to the report, attackers gained access to systems by pretending to be federal executives. Under that pretense, they approached technical workers, who provided the passwords needed to gain access to sensitive networks.

At the same time, reports indicate, the attackers sent staff members e-mails with attachments laced with malware designed to infiltrate systems further.

This is the latest in what has become a series of attacks on Western interests that appear to stem from China, including the <a href="http://www.informationweek.com/blog/main/archives/2010/01/nothing_new_in.html">Aurora attacks</a>, attacks on the U.S. government, and recently reported <a href="http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=229218811">attacks on energy firms</a>.

For my security and technology observations throughout the day, find me on Twitter as <a href="http://www.twitter.com/georgevhulme">@georgevhulme</a>.

2011-02-17T19:44:43Z
Cyberwar: Experts Have Hard Time Defining It, Let Alone Defending Against It
Rather than wait for a catastrophic event, government and private industry should develop a framework for dealing with state-sponsored attacks aimed at the critical infrastructure.
http://www.iweek-interim.com/news/229219197?cid=RSSfeed_IWK_Authors

Although, after watching the panel, one wasn't left with any level of confidence that such a plan would be put into place.

The panel, Cyberwar, Cybersecurity, and the Challenges Ahead, moderated by James Lewis, director and senior fellow at the Center for Strategic and International Studies, included Michael Chertoff, former Secretary of Homeland Security; Bruce Schneier, chief technology security officer at BT; and Mike McConnell, former director of national intelligence and former director of the NSA.

To kick things off, Lewis asked the audience if Stuxnet, Operation Aurora, and other similar attacks are, indeed, acts of cyberwar. Some hands went up in agreement that those types of events are acts of war; more attendees, however, didn't think so.

The panel seemed no more capable of hanging a definition on the term, either. But they did agree, generally, that there is a lot of nastiness that needs to be better controlled. As CSIS' Lewis put it: "We are not in a state of cyberwar, but we are in something that is dangerous."

What do we do about it?
Chances are the nation will wait for some catastrophic event, argued former intelligence chief Mike McConnell. McConnell expressed doubt that the nation would come together to put into place the policies and public/private partnerships necessary to defend against state-sponsored advanced attacks on the critical infrastructure.

McConnell and Chertoff also agreed that vanilla digital espionage and information theft don't rise to the level of cyberwar, and that any such designation would depend on the scale and the amount of data destroyed in an attack. "I tend to look at security as a spectrum of challenges, and I draw a bright line between theft and espionage and then the destruction of systems," Chertoff said. "It depends upon the scale [of the destruction] and its genesis as to whether it is war," he said.

To crystallize his point, Chertoff said that as a nation we have tolerated state-level spying and the stealing of national secrets without labeling it an act of war, but added that "stealing and espionage are much different things than a sustained attack on the power grid."

Schneier, however, made the case that cyberwar is a sexy term, one that sells and opens government budget coffers. "There's a lot of push for budget and power, and overstating the threat is a good way to get people scared."

Regardless, it's a dangerous Internet and likely to stay that way for some time. As for potential solutions, the panel put forth little more than increasing regulatory demands on companies to secure their networks and increasing the liability of those that fail to protect their systems.

So, as we've dealt with viruses, e-mail based attacks, worms, network breaches, and most every other type of attack, so too will we probably deal with state-backed cyber attacks. And that's dealing with it after the fact, just as McConnell predicts.

2011-02-15T01:20:52Z
Successful Security: It Is In The Details
Security is both hard to do right and easy to get wrong through simple mistakes that could jeopardize the security of most any organization. The mistake may be nothing more than a single digit off, and that one number could be the difference between a secure network and one that is readily breached. That was the overriding message in a Security B-Sides Conference presentation given today by Mike Lloyd, chief scientist at security software maker Red Seal Systems.
http://www.iweek-interim.com/news/229219217?cid=RSSfeed_IWK_Authors

"Manually maintaining network security is very difficult," said Lloyd. "Especially if you are asking people to look at reams of listings of numbers, it's just not something people are good at," he said.

In his presentation he offered real-world examples of how security and network teams can make errors that go unnoticed for weeks, months, and years. In one of the examples he showed an actual customer's network configuration in which a partner could connect to virtually any port on the company's network. That connection, a serious vulnerability, should have permitted access only to a specific service on one specific port. Lloyd explained how it took him and another security expert a significant amount of time to find the error, which was caused by a single keyword omitted from the firewall rule set.

His presentation showed slide after slide of how the simplest of network-layer errors could lead to a considerable breach.

My take-away: while it's important to focus on high-level security strategy, it's just as important to make certain the minute details of your network infrastructure are configured properly, because a single mistake can blow a hole in the side of the best-laid security plans.

For my security and technology observations throughout the day, find me on Twitter as @georgevhulme.
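As an added illustration of the kind of detail Lloyd is talking about (this is example code written for this page, not Red Seal's software and not any vendor's firewall syntax), here is a small lint over a constructed, simplified rule format. It flags two classes of mistake the post describes: a permit rule whose port clause was left off, so an external partner range reaches every port, and a destination mask broad enough to suggest a digit is off. The rule grammar, the sample rules, the internal address space and the /24 threshold are all assumptions made for the example.

```python
"""Lint a constructed, simplified firewall rule set for over-broad permits.

Added example, not Red Seal's tooling or any vendor's rule syntax. The
rule format is invented for illustration. Each rule has the shape:

    <action> <proto> from <src-cidr> to <dst-cidr> [port <n>|any]

A permit rule with no port clause is treated as "any port", which is the
class of omission the post describes.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rule set. Rule 2 is the deliberate mistake: the
# `port 443` clause was left off, so the partner range reaches every port.
# Rule 3 has a single digit wrong in the destination mask (/8 instead of /28).
SAMPLE_RULES = """\
permit tcp from 203.0.113.0/24 to 10.20.30.0/28 port 443
permit tcp from 198.51.100.0/24 to 10.20.30.0/28
permit tcp from 192.0.2.0/24 to 10.0.0.0/8 port 22
deny ip from 0.0.0.0/0 to 0.0.0.0/0
"""

# Assumed internal address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed policy: an external source may not be permitted to anything
# broader than a /24 without a second look.
MAX_DST_PREFIX_FOR_EXTERNAL = 24


@dataclass
class Rule:
    lineno: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[str]  # None when the clause was omitted


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed rule grammar into Rule objects."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens:
            continue
        # Expected shape: action proto from SRC to DST [port P]
        if len(tokens) < 6 or tokens[2] != "from" or tokens[4] != "to":
            raise ValueError(f"line {lineno}: unparseable rule: {line!r}")
        port = None
        if len(tokens) >= 8 and tokens[6] == "port":
            port = tokens[7]
        rules.append(Rule(lineno, tokens[0], tokens[1],
                          ipaddress.ip_network(tokens[3]),
                          ipaddress.ip_network(tokens[5]), port))
    return rules


def is_external(net: ipaddress.IPv4Network) -> bool:
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def lint(rules: List[Rule]) -> List[str]:
    """Return one finding per over-broad permit from an external source."""
    findings = []
    for r in rules:
        if r.action != "permit" or not is_external(r.src):
            continue
        if r.port is None or r.port == "any":
            findings.append(
                f"line {r.lineno}: permit from external {r.src} has no port "
                f"restriction (all ports on {r.dst} reachable)")
        if r.dst.prefixlen < MAX_DST_PREFIX_FOR_EXTERNAL:
            findings.append(
                f"line {r.lineno}: permit from external {r.src} reaches {r.dst} "
                f"({r.dst.num_addresses} addresses); check the mask")
    return findings


def lint_text(text: str) -> List[str]:
    return lint(parse_rules(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_RULES):
        print(finding)
```

Run against the sample, the lint reports rule 2 (no port clause) and rule 3 (the /8 destination); rule 1, the correctly scoped partner permit, and the final deny produce nothing. The point is the one Lloyd makes: a human scanning those four lines can easily miss the absent keyword, whereas a check that encodes the policy ("external sources get one port and a narrow destination") catches it mechanically.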