13 posts from April 2011
April 29, 2011
 Kate and William: Till Malware Do Us Part

Everyone loves a good wedding and it appears hackers are no different. At InfoSec London, we did a survey of security professionals which found:

  • 38 percent of security professionals have witnessed the nuptials being used for malvertising
  • 34 percent have seen wedding-related spam
  • 20 percent have seen incidents of search engine poisoning


While we’re not surprised by the results, it is worrying that criminals systematically jump on every opportunity to make money illegally, identifying and exploiting revenue-generating schemes that rely on stolen credentials or inject malware.


April 22, 2011
 Could Regulations for Intellectual Property be Next?

Last week McAfee and SAIC published their latest report, based on a survey of more than 1000 security decision makers in organizations. The survey raised an important distinction regarding the types of compromised data being reported. Compromised customer data (credit card numbers, PII and user credentials) is disclosed. However, the compromise of intellectual property goes unreported.

In the past, governments worldwide reacted to data breaches and privacy violations by implementing various types of legislation. Recent regulations such as the California Data Breach Act (now implemented in nearly every US state), the UK’s ICO rules and Germany’s privacy laws have forced companies to publish breaches where citizens were affected. France, Spain, Mexico and China have their own versions as well. On the other hand, intellectual property does not fall under any current regulation.

As individuals (translation: voters), we see the data privacy mandates as necessary to protect the personal data we surrender to third parties. It’s intuitive. But as individuals, do we really care whether some large enterprise, for instance, lost its secret formula for a certain drug?

In the case of a publicly-traded company, a compromise of the company’s intellectual property is sure to affect the value of the company, and ultimately concern all its shareholders. If you need an example, just look at what is currently taking place at Renault in France, where executives stole intellectual property. Renault’s CEO has even offered to resign. (At InfoSec London, a French journalist told me that Renault has a history with IP loss: a foreign intern took Renault documents and emailed them to a car maker back home. An intern! This should make Monica feel better.)

We’re also seeing more and more IP theft coming from state-sponsored attacks. In this SkyNews piece, they talk to a hacker who was asked by the Chinese government to steal IP from an overseas company that was competing with a Chinese national firm.

Will IP breaches get regulated? It would be easy for lawmakers to do so. Simply extending current legislation to include IP could be enough in some regions to compel companies to notify all of their shareholders of any IP breach. A less likely scenario would have private industry enact self-regulation a la PCI—an “IPPS” (intellectual property protection standard).

Mike Rothman pointed out in his blog that IP theft is quite distorted in terms of how we maintain metrics:

Each incidence of lost intellectual property was typically counted as a single lost record. So IP theft is inherently ranked much lower in studies like the DBIR than credit card breaches, which always involve more records per incident. But the F-14’s avionics schematics probably command a slightly higher value than a single credit card…

IP security regulations seem farfetched? Anyone remember SOX? That was implemented primarily because of two corporate incidents: Enron and WorldCom. All it takes is one high-profile IP breach for lawmakers (or even private industry) to move.


April 21, 2011
 iPhone keeps record of everywhere you go

Good article from today's Guardian in the UK about how the iPhone keeps a record of your physical location. (Just in time for our mobile security webinar and Apple's earnings report.)

One of the researchers who discovered the capability said:

Apple has made it possible for almost anybody – a jealous spouse, a private detective – with access to your phone or computer to get detailed information about where you've been, said Pete Warden, one of the researchers.

He's right, but he missed a major constituent: hackers. The article focuses too much on the implications for data privacy, i.e., Apple doing something immoral with user location information. This is a valid concern. However, as we all know, hackers are innovators and will quickly jump all over iPhones to devise attacks using geolocation.

What would possible hacks look like?

  • Commercial hackers interested in making money would use geolocation to accurately localize their scams. They could develop malware, for example, to focus French scams in Quebec. Attacks could be even further targeted to offer scams that come from a local café or restaurant you visit: "Send us $100 now and we'll give you a free Armani suit next week."
  • Government-sponsored hackers (APT) could use this information to help track the movement of key people they’d like to follow. For example, let's say a government wants to find out the location of an adversary's secret facility (lab, intelligence center, etc.). They know the employees who work there, but not the location. In this case, hackers would develop malware, target specific people's iPhones and then hope to uncover the location.

And here's what it looks like:



April 20, 2011
 Mobilizing for Enterprise Mobile Security Webinar

As businesses become more reliant on mobile devices, the demand for both employee-facing and customer-facing apps will continue to grow.

Who is securing these applications from unauthorized access and attack?

As with many technology innovations, security considerations often lag far behind business hype.

The April 26th webinar featuring Rob Rachwald, Director of Security Strategy, Imperva and Ron Perry, CTO, WorkLight will:

  • Explore recent trends in mobile computing
  • Highlight key mobile computing security implications for enterprises
  • Present recommendations for security teams to address the risks associated with mobile computing



April 19, 2011
 PCI's Impact on Security Quantified

Today, we released our second survey on PCI. In this survey we set out to gauge just how effective PCI has been in reducing data breaches. The answer was somewhat surprising: PCI is very effective in reducing breaches, but it seems many companies don't believe it. Why the disconnect? There are many possible answers, including:

  • PCI is a chore and, by definition, is no fun.
  • Companies don't have a breach benchmark. Without it, you can't see how effective your own efforts are compared with your peers'.

Here's a summary of what we consider the most interesting highlights.

Highlight #1: There is a dramatic difference in the number of breaches between compliant and non-compliant organizations.


This is true for both cardholder data related incidents and general incidents. 99% (!) of compliant organizations suffered no more than a single CC-related breach, compared to 85% of non-compliant organizations, with 64% of compliant organizations suffering no breach at all (compared to 38% of non-compliant). Only 1% of compliant organizations suffered more than one breach related to CC data, compared to 15% of non-compliant organizations. 63% of compliant organizations suffered no more than a single breach overall, compared to 22% of non-compliant, and 26% of non-compliant organizations suffered more than 5 breaches, compared to only 3% of compliant organizations. We published a blog where we cited that in 2009, for example, 130M+ credit cards were taken from Heartland Payment Systems alone. But in 2010 the total amount of data stolen was just over 11M records. Why the drop? PCI was a factor, we think, among many other things.

Yet there is a perception that PCI compliance is not contributing to reducing the number of breaches. 88% of respondents did not support the claim that PCI compliance has a positive effect on the number of breaches, and only 39% mentioned data security improvement as one of PCI-DSS's value propositions to organizations.

In fact, only 33% believe that PCI-DSS compliance expenditure is covered by the value it brings to the organization. Looking at the figures regarding the actual decrease in data breaches and recent figures regarding the cost of data breaches, it seems that many practitioners have a considerably distorted perception of the value of PCI-DSS compliance.

We can probably see some decline in the population that is favorable towards PCI, but this is not very significant (25% vs. 27%). More troubling is the increase in those that are “cynical” (27% vs. 19%). It seems that the “checkbox” group has decreased dramatically. Why? People are either doing it for real or not doing it at all.

Highlight #2:  Almost two thirds of respondents achieved substantial compliance with PCI vs. 50% in 2009.

Only 16% of organizations have not achieved any level of PCI compliance, vs. 25% in 2009. This is due to growing maturity and the PCI deadlines that occurred between 2009 and today.

Highlight #3:  While the trends regarding the most commonly used technologies remain the same (firewalls, anti-virus, and traffic and disk encryption) we see some shift in trends regarding technologies related to the most difficult requirements of the PCI-DSS.  Code review, for instance, saw the biggest decline.

About 49% of respondents considered access restriction on a need-to-know basis to be the most difficult requirement to comply with, followed by developing and maintaining secure applications (section 6) with 45%. Though the former is mostly an organizational difficulty (establishing the exact list of required privileges per individual is very difficult), we see a slight shift from using “access governance systems” to “identity and access management systems”. A much more noticeable shift is observed with respect to technologies that enable compliance with section 6 of the standard, where WAF has gone up 6 points (~13%) and code review has gone down 8 points (~13%). This is no surprise, as WAF has traditionally been considered more cost effective and code review much more expensive and tedious.

Highlight #4: Achieving effective compliance greatly depends on finding cost-effective solutions rather than spending more money.

We’ve analyzed the information about available PCI budget against the breach information. Somewhat counter-intuitively, those organizations that suffered no breaches are not necessarily those that spent the biggest budget. This supports our claim from the previous survey that achieving effective compliance greatly depends on finding cost-effective solutions rather than spending more money.

Highlight #5: Business unit leaders are taking over PCI management.

What does this mean?  We see confirmation that security is evolving into a business process.



 Interviews With Chinese Hackers

SkyNews gets a rare look into the hacking industry in China.

Well worth a read and be sure to watch the video.


April 14, 2011
 Coreflood Stops Flooding

A new way to dismantle a botnet: for the first time, US federal prosecutors were able to obtain a court order allowing them to build an alternate C&C server to the Coreflood botnet C&C server. As a result, zombie machines in the Coreflood network are being re-routed to communicate with the server controlled by law enforcement agencies. The “good” server can then issue commands to stop the malware execution on the compromised machines.

In a rather thoughtful move, this server is also logging the IPs of the machines communicating with it – i.e. the victims. Agencies can then work with the ISPs so that they can inform the victims accordingly. To emphasize that last point: what this means is that ISPs will actually inform the victims, provide information on removing the malware and raise security awareness.

This is the correct move. ISPs should not play cop by removing suspected infected machines from the Internet. Rather, businesses should know how to deal with infected machines and provide them with the tools to deal with threats.
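The victim-notification step described above (sinkhole logs the beaconing IPs, agencies hand them to the right ISP) is easy to sketch as a log-triage script. The following is an added example, not code from the post or from the Coreflood operation: the log lines, the IP-to-ISP prefix table and the `src=` log format are all constructed for illustration (IPs are from the RFC 5737 documentation ranges; a real table would come from WHOIS/BGP data).

```python
import ipaddress
from collections import defaultdict

# Constructed sinkhole log (not real Coreflood data): every beacon a bot sends
# to the law-enforcement-controlled server is recorded with its source address.
SINKHOLE_LOG = """\
2011-04-14T10:02:11Z src=192.0.2.45 beacon
2011-04-14T10:02:12Z src=198.51.100.9 beacon
2011-04-14T10:05:40Z src=192.0.2.45 beacon
2011-04-14T10:07:03Z src=192.0.2.77 beacon
2011-04-14T10:09:58Z src=203.0.113.200 beacon
2011-04-14T10:10:01Z src=198.51.100.9 beacon
2011-04-14T10:11:22Z src=198.51.100.130 beacon
malformed line without an address
"""

# Constructed prefix-to-ISP table (assumption: in practice this is derived from
# WHOIS/BGP data, which the post does not discuss).
ISP_PREFIXES = {
    "192.0.2.0/24": "Example Cable Co",
    "198.51.100.0/25": "Example DSL Ltd",
    "198.51.100.128/25": "Example Fiber Inc",
}


def parse_sinkhole_log(text):
    """Extract (timestamp, ip) pairs; lines without a parsable src= are skipped."""
    beacons = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[1].startswith("src="):
            continue
        try:
            ip = ipaddress.ip_address(fields[1][len("src="):])
        except ValueError:
            continue
        beacons.append((fields[0], ip))
    return beacons


def group_victims_by_isp(beacons, prefixes):
    """Deduplicate beaconing hosts (bots check in repeatedly) and bucket them
    by the ISP that owns the covering prefix; unmatched hosts go to UNKNOWN."""
    networks = [(ipaddress.ip_network(p), isp) for p, isp in prefixes.items()]
    victims = defaultdict(set)
    for _, ip in beacons:
        owner = next((isp for net, isp in networks if ip in net), "UNKNOWN")
        victims[owner].add(str(ip))
    return {isp: sorted(ips) for isp, ips in victims.items()}


def notification_report(text, prefixes):
    """Return {isp: [victim ips]}, one list per provider to notify."""
    return group_victims_by_isp(parse_sinkhole_log(text), prefixes)


if __name__ == "__main__":
    for isp, ips in notification_report(SINKHOLE_LOG, ISP_PREFIXES).items():
        print(f"{isp}: {len(ips)} infected host(s) -> {', '.join(ips)}")
```

The UNKNOWN bucket is the part worth keeping an eye on: a victim whose prefix is not in the table is still a victim, and silently dropping it would defeat the point of logging the beacons in the first place.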


April 11, 2011
 Files on the Move to Database Giant

Last week we were piled high with data breaches resulting from file “insecurity”. This week the number of incidents continues to rise. Recent media headlines report that HP is suing a former employee over the theft of proprietary data. According to HP, the ex-employee, knowing that he was about to be terminated, downloaded hundreds of documents and thousands of emails to a portable USB drive. Five days later the employee quit, and a month later “defected” to Oracle, taking the business data to the database giant.

Surprising? Not really. Look at the results of a November UK street survey which surveyed over 1000 individuals. The survey showed that 70% of respondents had clear plans to take something with them upon leaving their job – the most popular data cited was intellectual property. In addition, 59% of respondents felt they had personal ownership of the data and 53% of respondents claimed ownership if they knew they were about to be dismissed.


April 08, 2011
 File Security Takes Flight

One more file-related security breach. According to reports, the personally identifiable information (PII) of 3,000 US Airways pilots was compromised. This included names, addresses, social security numbers, and conceivably passport details. The source of the breach seems to be an Excel file which was sent to an external party. The file was supposed to contain only the names of the pilots so this unnecessary exposure of PII is being investigated.

In fact, many enterprises face similar issues where sensitive data inadvertently appears in files which are later disseminated and distributed. Keeping track of, and monitoring, sensitive information is a challenge for many companies. According to IDC, 80% of business information is stored in files, and this number is expected to grow by 60% annually. Furthermore, our recent survey of security professionals has shown that 65% of those polled were unsure who has access to sensitive files at their companies.

It is important to recognize that the heart of this information lies at the data center. It is from there that the sensitive data is disseminated in different ways. Accordingly, a solution should be put in place for tight monitoring and control at the data center. Once this control is set up, it is possible to address the following questions:

  • Who accessed the data and with what application?
  • When was the data accessed?
  • What, and how much, data was retrieved?

In the case of the pilots' breach, such controls could have been used to alert that sensitive information regarding the pilots was extracted from the database. Similarly, if the file containing the exported PII was stored on a shared file server, an audit trail of who accessed the file would also be available. Classifying the file to indicate that it held sensitive information would have helped as well, and appropriate alerts could have been issued based on access patterns.


April 06, 2011
 File Security Survey

Today we released a survey on file security that we conducted at RSA. This year, we decided to gauge the impact of Wikileaks. We talked to 150 security professionals, with some interesting results.

Not surprisingly, an overwhelming majority (82%) of respondents reported that breaches such as WikiLeaks made them reconsider their company’s data security policies. However, only 18% of respondents said that they knew the exact number of sensitive files they had, and just 39% could say for sure where those files were located on their servers. Even more startling, 65% of those polled said that they were unsure who has access to these sensitive files.

Specifically, we asked:  Has Wikileaks made you reconsider your company’s data security policy/habits?

Although everyone is thinking about it, the rubber hasn’t quite started to hit the road.  The other question we asked was:  In the wake of Wikileaks will you invest more money in data security?



