269 posts categorized "Rob Rachwald"
January 31, 2013
 The NY Times Response to Antivirus Proponents

Today’s front page NYT story is about how the Chinese went after the NYT for publishing disparaging stories about Chinese government officials.  The same reporter who wrote the NYT story on antivirus also wrote this story about Chinese hackers.  Note something interesting:

Out of the 45 different pieces of malware planted on the Times' systems over the course of three months, just one of those programs was spotted by the Symantec antivirus software the Times used…

One out of 45 is about 2%, very much like the results of our antivirus study, which was referenced in this Forbes article bashing Symantec:

… analysis performed by the security firm Imperva along with the Technion Israeli Institute of Technology found that antivirus managed to detect only 5% of new threats, and that it took an average of four weeks for antivirus firms to identify a new piece of malicious code. “Although vendors try to update their detection mechanisms, the initial detection rate of new viruses is nearly zero. We believe that the majority of antivirus products on the market can’t keep up with the rate of virus propagation on the Internet,” their paper reads.

Here’s the message for security:  rebalance the security portfolio.  Use free antivirus and spend some money modernizing your security strategy.

I recently talked to a CISO who said he buys AV because of legal reasons.  If someone is infected, which he knows will happen, he has a legal defense to say ‘I did what I could.’  But he also knows AV won't work.  If customers are buying AV to appease lawyers versus protecting an enterprise, something isn't right.

Symantec’s response essentially blaming the Times--their customer!--for the failure gives some insight into what isn't right.  Their reaction reminded me of a key tenet of Clayton Christensen's The Innovator's Dilemma.  In the book, Christensen notes that big companies fail to innovate because customers often ask for better versions of current products when they really need a new technology.  Customers, according to Christensen, become a barrier to innovation.  Symantec's reaction, explaining that if the Times had turned on more functionality they'd have been safer, is one of the best illustrations of the innovator's dilemma you'll ever see.


January 29, 2013
 Imperva and Cisco Collaboration

This week in London is Cisco Live.  We are proud to continue our collaboration with Cisco to significantly enhance the deployment and management of the SecureSphere Web Application Firewall (WAF) in Cisco Nexus 1000V based virtual switching environments.  We think this helps security teams tremendously.

How?  SecureSphere will capitalize on Cisco’s feature rich virtual switching and software-defined networking technologies built into Nexus 1000V – a multi-hypervisor ready virtual switch – and is designed to simplify deployment, maximize uptime, and support live virtual machine migration in virtualized data centers as well as multi-tenant private and provider clouds.

For securing virtualized and cloud environments, customers need defense-in-depth security architecture that demands multiple virtual firewalls, including zone-based firewall, tenant-edge firewall and web application firewall (WAF).  The Imperva SecureSphere WAF, in conjunction with Cisco’s Virtual Security Gateway (VSG) and ASA 1000V cloud firewalls, can offer customers a comprehensive multi-tier virtual firewall solution.  Furthermore, the Cisco Virtual Service Datapath or vPath technology embedded in Cisco Nexus 1000V would enable insertion and deployment of multiple virtual services on a per tenant basis. 

At Cisco Live in London this week, Imperva is demonstrating integration of SecureSphere with the Cisco Nexus 1000V.  What does this mean to customers?  It makes it much easier for organizations to provision Web application security, enabling customers to rapidly on-board and protect new applications and tenants. With support for Cisco’s vPath technology, customers can transparently steer a tenant’s virtualized application traffic to SecureSphere through pre-defined policies and also enable service chaining across multiple virtual network services.  SecureSphere’s vPath awareness would ensure that security policies remain in place even when virtual machines move.  Together, the joint solution simplifies deployment of Web application security in virtualized datacenters.

We believe that more and more companies are virtualizing their data centers. Virtualized environments, just like their non-virtualized counterparts, must be highly secure and available.  This new joint solution, which follows on the heels of our Cisco Nexus 1010/1110 announcement in September, allows Imperva to extend its best-of-breed security, manageability, and flexible deployment options to Cisco Nexus 1000V virtual switching environments.

The SecureSphere WAF with Cisco Nexus 1000V vPath support helps customers to:

  • Steer Web traffic through the SecureSphere WAF, even in complex and heterogeneous datacenters with multiple virtual services.
  • Migrate SecureSphere WAF virtual machines to new host machines without impacting application sessions.
  • Maximize application uptime through fail open Web application firewall configuration.

Imperva is hosting a technology preview of the Cisco Nexus interoperability at Cisco Live London starting January 28, 2013. The demonstration showcases the Imperva SecureSphere WAF hosted on the Cisco Nexus 1110 and the SecureSphere WAF interoperating with Cisco Nexus 1000V. Please visit us in booth E1.

You can see Cisco's blog on our collaboration here.


January 25, 2013
 Social Engineering Hits the Classifieds

Interesting ad:

Do you have an open mind, a sense of adventure and the desire to make some serious cash? We're a group that specializes in extracting key pieces of information from business leaders by seducing them with beautiful ladies such as yourself. Each assignment pays between $5K and $20K depending on the value of the information and how long it takes to obtain it. We also reimburse for travel expenses, if any. We have immediate needs for beautiful, sophisticated ladies who will do anything it takes to find out what we need to know! Please send photos and tell us something about yourself.

It isn't just malware that targets executives.



January 08, 2013
 How American Banks Were DDoSed by Hacktivists

Great blog and research by Incapsula.

A nice toxic mix of PHP and backdoors.


December 17, 2012
 From A to V: Refuting Criticism of Our Antivirus Report

Our anti-antivirus study got a lot of attention (you could say it went viral).  Most interestingly, people called our methodology “flawed.” 

While our report acknowledged the limitations of our methodology, we believe that, fundamentally, the model for antivirus—and not our methodology—is flawed.  Antivirus was built years ago, in an age when mass infection was the name of the game.  Today, malware is deployed to target SPECIFIC individuals—CEOs, researchers, politicians, executives—and not everyone’s mom.

One reaction to our study asserted that a virus can be blocked based on source IP:  “email with the malware attached, or the included URL… could have been blocked based on its source IP.”   This approach, however, addresses an old threat model in which the attacker tried to infect as many targets as possible with a single campaign, which meant reusing the URLs that hosted the malware and the IP addresses that sent the email. Reusing IPs and URLs allowed security companies to maintain blacklists of both. In today’s threat landscape, however, where attackers go after one specific victim, they create a dedicated URL to host the malware and use a dedicated IP address to send the malicious mail, easily overcoming blacklists.

Our study concluded that antivirus solutions are very effective in fighting widespread malware, and slightly less effective for older malware (2-3 months old).  But for new malware, there is a good chance it will evade the antivirus.  In fact, our results are consistent with other studies.  For example, let’s look at the AV-TEST Institute’s results.

The AV-TEST Institute, according to their site, is a “leading international and independent service provider in the fields of IT security and anti-virus research.”  According to AV-TEST’s website, in order to test the protective effect of a security solution, AV-TEST researchers simulate a variety of realistic attack scenarios such as the threat of e-mail attachments, infected websites or malicious files that have been transferred from external storage devices. When carrying out these tests, AV-TEST takes the entire functionality of the protection program into account. But even with all of the antivirus functionality enabled, the results reveal a worrisome security gap:


While antivirus solutions are very effective in fighting widespread malware and slightly less effective for older malware, for new malware there is a good chance it will evade the antivirus solutions.  That’s exactly what we found.

Finally, one should ask a question CEOs are asking CISOs worldwide:  if antivirus software is so good, how come we see so many successful attacks based on infected computers (Coca-Cola and the South Carolina DoR, to name a few)? The obvious answer is that antivirus is not perfect and needs to be augmented with data security solutions, as veteran antivirus researcher Mikko Hypponen honestly acknowledged: “Antivirus systems need to strike a balance between detecting all possible attacks without causing any false alarms. And while we try to improve on this all the time, there will never be a solution that is 100 percent perfect. The best available protection against serious targeted attacks requires a layered defense.”


November 14, 2012
 What is the best Cloud App Protection?

Great comparison in E-Hacking News between Incapsula and Cloudflare.


November 01, 2012
 Lessons From the South Carolina Breach

The governor of South Carolina, after the big breach, is claiming that "nothing could have been done to block the attacks."  She then cites the "holes in the system" and says that the state followed "best practices."

Not so fast.

Interestingly, Deloitte just released a new survey that may help shed light on why the breach occurred. Several interesting data points all congregate on page 23:

  • The survey "shows that the majority of states continue to conduct internal and external system penetration testing on an ad-hoc basis only. In fact, the number that test on a quarterly basis has fallen slightly since 2010." 
  • Figure 17 shows that application security vulnerability scans take place on an ad hoc basis 62% of the time.
  • A pull out explains how North Carolina (!) has implemented a rigorous application vulnerability program.

Couple the above with our SQL injection rant from yesterday and you have a strong idea of how and why this breach took place and that something could have been done to stop it.




October 31, 2012
 SQL Injection Disconnection

This week, Imperva's ADC released the latest Hacker Intelligence Initiative Report.  Our focus this month was hacker forums. 

The purpose of studying hacker forums is simple:  learn about the hacking community by studying their chatter.  I have to give credit to Ericka from Dark Reading whose title best summarized our findings so I'm stealing her title:  The SQL Injection Disconnection.

Hackers are focusing a lot on this vulnerability for several reasons:

  1. SQL injection supports a proven, profitable business model:  steal data and sell it.  For hacktivists, stealing data helps demolish a company's value--just look at Sony's stock price the day after it was breached on March 15, 2011.
  2. Many tools exist to automate the attacks.  See our old blog on this.
  3. Security teams continue to rely on IPS, network firewalls and antivirus--all of which don't even know a SQL injection from a hole in the wall.

The question is:  why does SQL injection continue to be ignored?  One security journalist I spoke to was frustrated by constantly writing stories about SQL injection with little impact.  Why is this?  Here are some possible reasons (and feel free to submit your own):

  1. Security is driven by renewals as Imperva's CEO Shlomo Kramer explained in this Forbes interview, "IT managers at large companies — typically chief information officers (CIOs) — prefer to sign checks for the same, established software to protect their web applications, rather than make the uncomfortable changes necessary. It’s easier to do the former than change how money is spent, which can require all manner of approvals."
  2. A strong reliance on traditional security technologies--IPS, AV and network firewalls--means many people simply aren't seeing how their applications are being attacked.  You can't protect yourself if you don't know what is hitting you.
  3. Compliance requires older technologies.  Many compliance mandates emphasize technologies that don't stop SQL injections (PCI is a notable exception).

For more on stopping SQL injections, please visit our extensive blog on the topic.

Our report is available here (no reg required).





October 17, 2012
 Beating Automated SQL Injection Attacks

Recently, US banks were warned about automated attacks coming from Havij, a SQL injection attack tool. While we've blogged on stopping SQL injection in the past, it is a topic always worth revisiting. 


First, let's make clear what WON'T help.  Earlier this month, Kevin Mitnick gave a talk at the US Naval Academy.  The first lesson?

All the firewalls and intrusion detection systems in the world won’t be a guarantee that networks won’t be breached.  There’s no such thing as an impenetrable system, and no such thing as bugless software. Kevin’s demonstration of exploiting vulnerabilities in widely used commercial software proves this. Moreover, this isn’t just software being used in the private sector.  Many of the exploits he demonstrated take advantage of software that’s become an integral part of the way the military handles its information.

Havij exploits vulnerabilities in software and is totally invisible to network firewalls/IPS.  Havij relies on a blind SQL injection vector, so if you protect against it you are safe.  Here's how:

  1. Negative security model:  Protect against SQL Injection by blacklisting certain known SQL injection manifestations.
  2. Positive security model:  Every injection violates the normal application usage profile.
  3. Identifying automated interactions:  Havij is not human and behaves like a robot.  You can detect it not merely by its specific user agent string but also by more subtle details, such as constant values within the SQL attack itself.
  4. Clean code.
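The first three approaches in the list above, worked through as an added example that is not part of the original post and not code from any Imperva product: a small request classifier that applies a negative model (a signature blacklist), a positive model (a per-parameter profile of normal use) and two automation indicators, run over constructed sample traffic. The signatures, profiles, IP addresses and the tool user-agent substring are all constructed placeholders; in particular the user agent is not Havij's real string, and the blind, time-based signature stands in for the kind of probe the post says Havij relies on.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Request:
    client_ip: str
    path: str
    params: Dict[str, str]   # query/form parameters, already URL-decoded
    user_agent: str


# 1. Negative security model: a blacklist of known SQL injection manifestations.
#    Constructed and deliberately short; a production ruleset is far larger.
NEGATIVE_SIGNATURES = {
    "union-select": re.compile(r"(?i)\bunion\b[\s\S]{0,40}\bselect\b"),
    "tautology": re.compile(r"(?i)'\s*(or|and)\s+\S+\s*=\s*\S+"),
    "time-delay": re.compile(r"(?i)\b(sleep|benchmark)\s*\(|\bwaitfor\s+delay\b"),  # blind, time-based probes
    "comment-truncation": re.compile(r"--\s*$|#\s*$|/\*"),
}


# 2. Positive security model: what normal use of each parameter looks like.
#    Constructed here; a WAF would learn it from legitimate traffic.
@dataclass
class ParamProfile:
    allowed: "re.Pattern"
    max_len: int


PROFILE = {
    "/product": {"id": ParamProfile(re.compile(r"^\d+$"), 10)},
    "/search": {"q": ParamProfile(re.compile(r"^[\w\s.-]+$"), 64)},
}

# 3. Automation indicator: a self-identifying tool user agent. The substring is a
#    constructed placeholder, not the string any real tool sends.
AUTOMATED_UA = re.compile(r"(?i)automated-sqli-tool")


def classify(req: Request) -> List[str]:
    """Reasons this single request looks like an attack; an empty list means clean."""
    reasons = []
    path_profile = PROFILE.get(req.path)
    for name, value in req.params.items():
        for sig_name, sig in NEGATIVE_SIGNATURES.items():
            if sig.search(value):
                reasons.append("negative:%s:%s" % (sig_name, name))
        if path_profile is not None:
            profile = path_profile.get(name)
            if profile is None:
                reasons.append("positive:unknown-param:%s" % name)
            elif len(value) > profile.max_len or not profile.allowed.match(value):
                reasons.append("positive:profile-violation:%s" % name)
    if not req.user_agent or AUTOMATED_UA.search(req.user_agent):
        reasons.append("automation:user-agent")
    return reasons


# A quoted alphanumeric string or a long number inside a parameter value.
LITERAL = re.compile(r"'([A-Za-z0-9]{4,})'|\b(\d{6,})\b")


def repeated_constants(reqs: List[Request], min_repeats: int = 3) -> Dict[Tuple[str, str], int]:
    """Literals that recur across many requests from one client. A human varies
    what they type; a tool walking a database re-sends the same marker value."""
    seen = Counter()
    for r in reqs:
        literals = set()
        for v in r.params.values():
            for m in LITERAL.finditer(v):
                literals.add(m.group(1) or m.group(2))
        for lit in literals:
            seen[(r.client_ip, lit)] += 1
    return {k: n for k, n in seen.items() if n >= min_repeats}


# Constructed sample traffic: two ordinary requests, then three automated probes.
BROWSER = "Mozilla/5.0 (constructed browser)"
TOOL = "Automated-SQLi-Tool/1.0 (constructed)"
SAMPLE = [
    Request("203.0.113.7", "/product", {"id": "42"}, BROWSER),
    Request("203.0.113.7", "/search", {"q": "winter jackets"}, BROWSER),
    Request("198.51.100.9", "/product", {"id": "42' AND 'abcdEFGH'='abcdEFGH"}, TOOL),
    Request("198.51.100.9", "/product", {"id": "42' AND 'abcdEFGH'='abcdEFGI"}, TOOL),
    Request("198.51.100.9", "/product", {"id": "42 UNION SELECT 'abcdEFGH',2,3--"}, TOOL),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.client_ip, r.path, classify(r) or "clean")
    print("repeated constants:", repeated_constants(SAMPLE))
```

The point of running all three together is that they fail independently: a new payload can slip past the blacklist, but it still violates the learned profile for a numeric `id`, and the same marker literal showing up in every request from one client is a property of the tool rather than of any particular payload.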

From a technology standpoint, only three types of products will help defeat Havij:

  1. Vulnerability scanners
  2. Code scanners
  3. Web application firewalls

Often, we see companies using vulnerability scanners and, to a much lesser extent, code scanning.  These technologies are very important, but they only find issues.  Scanners tell you that you have problems, but you have to figure out where they may be.  Code review gives you a specific line to remediate, but this takes time.  If you are under an imminent Havij attack, these products won't help with immediate risk.

OWASP has argued in the past that technologies focused on finding vulnerabilities are useful but have one major problem:  they don't block attacks.  This is why they recommend a web application firewall.  (Full disclosure:  we are a WAF vendor.)  WAFs do provide a shield against immediate attack and--at least in our case--we can recognize Havij and stop it.  Havij does come with some WAF evasion functionality--but it only works on Web Knight and ModSecurity.
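The "clean code" item from the list above, and the specific line a code review would point at, as an added example that is not from the original post: the vulnerable string-built query beside its parameterized replacement, run against a constructed in-memory SQLite table so the difference in behaviour can be observed rather than asserted.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> List[Tuple[str, int]]:
    """The defect a code scanner flags: untrusted input pasted into the SQL text.
    Kept deliberately vulnerable so the contrast with lookup_safe is visible."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '%s'" % owner
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> List[Tuple[str, int]]:
    """The remediation: a bound parameter. The driver sends the value separately
    from the statement, so nothing in it is ever parsed as SQL."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


# Constructed tautology input: closes the quoted literal and appends an always-true clause.
TAUTOLOGY = "x' OR '1'='1"


def compare(owner: str) -> Tuple[int, int]:
    """Row counts returned by the vulnerable and the safe lookup for the same input."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, owner)), len(lookup_safe(conn, owner))
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal input:", compare("alice"))    # (1, 1): both return Alice's row
    print("tautology   :", compare(TAUTOLOGY))  # (3, 0): the vulnerable query leaks every row
```

With a normal owner name both functions return the same single row; with the tautology input the string-built query returns the whole table while the parameterized one returns nothing, because the value was compared as data rather than executed as SQL.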


October 02, 2012
 How to Spear Phish the White House
Apparently there has been a cyber attack on the White House’s network.  The reported attack vector?  Spear phishing.  At least it appears that no data theft took place, yet. 

This incident reminds us how easy it is for an organization, even one as secure and well funded as the White House, to get infected, since antivirus is so porous.  Luckily for the White House, their team of security specialists was able to find the compromised entity, but that is not trivial and usually happens very late, if ever.

While "phishing" is a technique in which hackers mimic sites such as the IRS or your bank in order to lure you into submitting your credentials, “spear phishing” is the targeted technique of identifying an individual in an organization that the hacker wishes to compromise, and using different techniques to lure that individual into activating malware on his/her computer, effectively creating the compromised insider.

As you can see below, finding an individual to target is fairly easy in today's social networking world. All a hacker has to do is search for “White House” as the current position and select whichever result is pertinent:


There are several known infection methods; the three most common are:

  • An email attachment, either an executable (EXE, less common now) or a PDF with malicious code in it.
  • A link to an infected site that infects you once you visit it. It can arrive via email or any other channel.
  • A gift: something as simple as a USB drive handed out at a convention that contains malware.

We would encourage you to read our “The Quantum Mechanics of Spear Phishing” blog to get yourself more familiarized with how it works.

As we said before, here is what you can do to protect yourself as a company or an individual:

  1. Assume you've been compromised.  For more, read this
  2. Treat social network messages like you do your emails. Check who it is from and understand the context before you choose to reply.
  3. Make sure that in your social network profiles you are not sharing your contact information with anyone you haven't explicitly approved.
  4. As an organization, have the tools to protect your employees from such scams, and a policy in place.
  5. Education:  train employees and raise the levels of awareness.

(NOTE:  An old Sunday School teacher taught, "repetition is the art of learning."  Let's hope that applies to spear phishing).


