Security Trends Report
CIA endorses cloud computing, but only internally
While it can improve security, the agency won't be outsourcing data to Google or
By Patrick Thibodeau
October 7, 2009 06:06 AM ET
ne of the U.S. government's strongest advocates of cloud computing is
also one of its most secretive operations: the Central Intelligence Agency. The CIA has adopted cloud computing
in a big way, and the agency believes that the cloud approach makes IT env
ironments more flexible and secure.
Jill Tummler Singer, the CIA's deputy CIO, said that she sees enormous benefits to a cloud approach. And while
the CIA has been moving steadily to build a cloud
it has adopted virtualization, a
cloud computing is still a relatively new idea among federal agencies.
"Cloud computing as a term really didn't hit our vocabulary until a year ago," said Singer.
But now that the CIA is building an internal cloud, Singer sees numero
us benefits. For example, a cloud
, in part, because it entails the use of a standards
based environment that
omplexity and allows faster deployment of patches.
"By keeping the cloud inside your firewalls, you can focus your strongest intrusion
sensors on your perimeter, thus gaining significant advantage over the most common attack vect
Internet," said Singer.
Moreover, everything in a cloud environment is built on common approaches. That includes security, meaning
there's a "consistent approach to assuring the identity, the access and the audit of individuals and systems," said
Singer. But there are limits. The agency isn't using a Google model and "striking" data across all its servers;
instead, data is kept in private enclaves protected by encryption, security and audits.
The CIA uses mostly Web
based applications and
, reducing the need to administer and secure
individual workstations. And it has virtualized storage, protecting itself "against a physical intruder that mi
intent on taking your server or your equipment out of the data center," said Singer.
Speaking at Sys
Con Media's GovIT Expo conference today, Singer not only provided a rare glimpse into the IT
approaches used by the agency, but also talked about o
ne of its greatest challenges: the cultural change cloud
environments bring to IT. A move to cloud environments "does engender and produce very real human fear that
'I'm going to lose my job,'" she said.
In practice, highly virtualized environments reduce
the need for hardware administration and, consequently, for
system administrators. Barry Lynn, the chairman and CEO of cloud computing provider 3tera Inc. in Aliso Viejo,
Calif., said a typical environment may have one systems administrator for every 75 p
hysical servers. In contrast,
based environment may have just one administrator for every 500 servers or more.
The CIA has "seen a significant amount of pushback, slow
rolling [and] big
process engineering efforts to try to
build another human
ensive process on top of enterprise cloud computing," said Singer. "It will take us a good
long while to break that."
One thing the agency will do to address resistance will be to base contract competitions on performance, not
head count, "where it's to [
a service provider's] benefit to do the work with fewer bodies and make more profit for
their company," said Singer.
Federal CIO Vivek Kundra is encouraging agencies to adopt cloud computing, and he recently opened an
that enables federal agencies to buy cloud
based services from Google, Salesforce.com and other
vendors. That's s
omething the CIA will not do; its data will remain within the agency's firewalls, said Singer.
Government market research firm Input has revised its forecast for federal cloud
related spending upward; it now
expects the government's cloud expenditures to
grow from $363 million this year to $1.2 billion by 2014. "I think
this is probably a conservative estimate, considering the push from the administration," said Deniece Peterson,
an analyst at Reston, Va.
Obstacles to the adoption of cloud com
puting, including concerns about security and loss of data control, may
slow momentum, but "I think we'll see broader adoption and higher spending after the administration makes
progress in some of the pilot programs it has planned," said Peterson.
said the CIA's IT department was moving in the direction of cloud computing, even if it wasn't using that
term, when it widely deployed virtualization technology. Abstracting the operating system and software from the
hardware "is the foundation of the cl
oud," Singer said. "We were headed to an enterprise cloud all along."
PCI DSS Compliance Survey
(September 23, 2009)
According to the PCI DSS (Payment Card Industry Data Security Standard) Compliance survey, commissioned
by Imperva and conducted by the Po
nemon Institute, approximately 70 percent of entities that handle payment
card transactions view compliance as a box checking exercise rather than as central to their operations.
Companies that implement PCI DSS as part of their strategic approach are les
s likely to experience breaches.
Nearly 80 percent of those surveyed said their organizations had experienced a data security breach. Fifty
percent of responding organizations said they protected payment card data but not other customer data, like
cial Security numbers (SSNs), driver's license numbers and financial account information. Of the small
businesses (501 to 1,000 employees), 28 percent are PCI DSS compliant; of large businesses (75,000 or more
employees), 70 percent are PCI DSS compliant.
The top reason for non
compliance is the cost associated with implementing new security programs.
Attack Preys on Online Banking Customers
(September 18 & 24, 2009) In a new twist on phishing, cyber thieves are posing as employees i
n a bank's fraud
detection department in a live chat. Users are directed to the site through a phishing email and are asked to
type in their login credentials. The chat window then opens, and the attackers tell the victims that the fraud
department of th
e bank is requiring additional information, including challenge questions, to validate their
accounts. The cyber criminals are using the Jabber IM protocol to conduct their online conversations with the
victims; the attack is being hosted on a fast
Hackers pay 43 cents per hijacked Mac
Russian cyber crime gangs after Apple's Macs, too, says researcher
By Gregg Keizer
September 25, 2009 01:58 PM ET
A network of Russian malware writers and spammers paid hackers 43 cents for e
machine they infected with bogus video software, a sign that Macs have become attack targets, a security
researcher said yesterday.
In a presentation Thursday at the Virus Bulletin 2009 security conference in Geneva, Switzerland, Sophos
Dmitry Samosseiko discussed his investigation of the Russian "Partnerka," a tangled collection of
Web affiliates who rake in hundreds of thousands of dollars from spam and malware, most of the former related
to phony drug sites, and much of the latter tar
geting Windows users with fake security software, or "scareware."
But Samosseiko also said he had uncovered affiliates, which he dubbed "codec
partnerka," that aim for Macs.
"Mac users are not immune to the scareware threat," said Samosseiko in the researc
h paper he released at the
conference to accompany his presentation. "In fact, there are 'codec
partnerka' dedicated to the sale and
promotion of fake Mac software."
One example, which has since gone offline, was
, said Samosseiko. "Just a few
months ago it
was offering [43 cents] for each install and offered various promo materials in the form of Mac OS 'video
players,'" he said.
Another Sophos researcher argued that Samosseiko's evidence shows Mac users, who often dismiss security as
m only for people running Microsoft's Windows, are increasingly at risk on the Web.
"The growing evidence of financially
motivated criminals looking at Apple Macs as well as Windows as a market
for their activities, is not good news
especially as so man
y Mac users currently have no anti
protection in place at all," said
, a senior technology consultant at U.K
based Sophos, in
Mac threats may be rare, but they do pop up from time to time. In June 2008, for example, Mac security vendor
an active Trojan horse
that exploited a vulnerability in Apple's Mac OS X. Last January, a
different Trojan was found
piggybacking on pirat
of Apple's iWork '09 application suite circulating on
Mac OS X's security has been
ed by vulnerability researchers
, but even the most critical have
acknowledged that the Mac's low market share
it accounted for
of all operati
ng systems running
machines that connected to the Internet last month
is probably enough protection from cyber criminals for the
Protect your privacy on Facebook and Twitter
Here's how to safeguard your identity and your personal data in the ag
e of the
By Tony Bradley
September 25, 2009 09:30 AM ET
Web surfing is no longer a solo affair.
, and other
social networks have quickly
become an integral part of the online culture, and with them comes a whole new array of potential security
threats. In this article, I'll identify some of the key dangers of
and offer a few easy steps that
you can take to stay safe online.
Social networking is built on the idea of sharing information openly and fostering a sense of community.
ely, an online network of individuals actively sharing their experiences and seeking connections with
minded people can be easy prey for hackers bent on social
engineering and phishing attacks. It's
important to be aware of the threats, and to m
aintain a healthy skepticism in your online interactions.
Be careful what you share
For starters, even in an open community of sharing, you should observe some boundaries. As
in his address to schools earlier this month, "be careful what you post on Facebook. Whatever
you do, it will be pulled up again later somewhere in your life."
The core truth of that statem
ent can be applied to any social networking site, and possibly even to the Internet
as a whole. As a general rule, refrain from posting things online that you will regret later. Odds are good that
someone, someday, will stumble across it, and it may come b
ack to haunt you
especially if you are planning to
run for public office.
Aside from simply abstaining from posting embarrassing or inflammatory comments online, take two
fundamentals to heart: Remember who your friends are, and know that a friend of a
friend can be an enemy.
Remember who your friends are
When you write a Twitter tweet or post a Facebook status update, you have to keep your audience in mind. More
and more these days, we hear stories of people who have forgotten that their boss is part of
their network and
have said things online that have gotten them reprimanded, even
The consequences of inappropriate online comments have become so common that they have earned an e
in the Urban Dictionary:
. Saying something as obvious and seemingly innocent as "I'm bored" in
a status update during work hours can have dire consequences if
the wrong people see it.
With services like Twitter, or the recent changes to Facebook that allow anyone to view and search updates, you
really have no way to hide.
Friends of friends may see your post
So, you've thought it through. You want to shout to t
he world what you really think about your boss's forcing you
to work overtime and making you come in on the weekend. You've checked and double
checked, and you've
determined that your boss is not in your network, so you let loose on the keyboard and speak
Unfortunately, you're not out of the woods just yet. Being outside of your network, your boss can't see your post
directly, but if one of your Facebook friends who are connected with your boss comments on your status update
even just to say "
your boss may be able to click on the link through the common friend and
see your post anyway.
Go ahead, be social
share your trials and tribulations with your growing network of adoring followers. To be
safe, however, do so with one ru
le in mind: Don't ever post anything online that you aren't comfortable with
everyone seeing, because eventually they probably will.
Marrying privacy and social networking may seem unintuitive. How can you be social and open, yet protect y
privacy? Well, just because you are choosing to share some information with a select group of people does not
necessarily mean that you want to share all of your information, or that you want the information you share to be
visible to all.
particular has suffered from a number of issues related to privacy concerns. If you have used
Facebook for a while, you may have noticed ads with your friends' names or photos associated with them.
Facebook does provide privacy controls for you to customiz
e what types of information should be available to
party applications. If you look at the Facebook Ads tab of the privacy controls, though, you'll notice that it
offers no way for you to opt out of the internal Facebook Ads. It merely states that "Fa
cebook strives to create
relevant and interesting advertisements to you and your friends."
What do quizzes reveal about you?
For many users, one of the primary attractions of Facebook is the virtually endless selection of games and
quizzes. Part of the lur
e of the games and quizzes is the social aspect. In the games, friends can compete
against one another; through the quizzes, you can learn more about your friends while being briefly entertained.
ACLU exposed problems
with how much information these quizzes and games share, though. When a
Facebook user initiates a game or quiz, typically a notice pops up to declare that interacting with the application
uires opening access to information; the notice also provides the user the opportunity to opt out and cancel,
or to allow the access to continue.
The permission page clearly tells the user up front that allowing "access will let [the application] pull your
information, photos, your friends' info, and other content that it requires to work." One might wonder, as the
ACLU has, why any game or quiz application would "require" access to your friends' information in order to work.
Canada says 'no way'
cebook's privacy, or lack thereof, has also run afoul of the Canadian government. The Privacy Commissioner
of Canada has determined that
k's privacy policies and practices violate Canadian privacy regulations
and has recommended a variety of changes that Facebook should make to be compliant.
One of the major concerns involves the permanence of accounts and account data. Facebook offers a
disable or deactivate an account, but it doesn't seem to have a method for completely deleting an account.
Photos and status updates might be available long after a user has shut down a Facebook profile. And like the
ACLU, the Canadian government is
concerned about the amount of information shared with third
Control what you can
While the concerns of the ACLU and the Canadian government run a little deeper, Facebook does in fact offer
that restrict or deny access to information. Since Facebook is a social networking site designed
for sharing information, many of the settings are open by default. It is up to you to access the
and configure the options as you see fit.
For each of the available settings, you can choose to share information with Everyone, My Networks and
Friends, Friends of Friends, or Only Friends; if you prefer, you can customize the settings t
Hijacking and phishing
Social networking, by its very nature, is about socializing, which means users are letting their guard down and
sharing information. They're expanding their professional networks, connecting with old frien
communicating in real time with pals and peers. And for bad guys who favor social
engineering and phishing
attacks, taking advantage is like shooting fish in a barrel.
Beware friends seeking money
Most people know enough to not respond to e
quests from exiled Nigerian royalty promising millions of
dollars if only you will help them smuggle the money out of the country. Anybody who doesn't know better
probably shouldn't be on the Internet; such people are a danger to themselves and others.
what if your good friend from high school whom you haven't seen in 18 years sends you a message on
Facebook explaining how their wallet was stolen and their car broke down, and asks you to wire money to help
them get home? You might not be as apprehensive
but you should be.
Attackers have figured out that family and friends are easy prey for such sob stories. Using other attacks or
methods, they gain access to a Facebook account and hijack it. They change the password so that the
legitimate owner can't
get back in, and then they proceed to reach out to the friends of the hijacked account and
attempt to extort money from those friends through social engineering.
How do you resist such techniques? Assume that a relative or friend close enough to ask you fo
r money would
probably have your phone number, and that Facebook or e
mail would not be the first choice for contacting you
in an emergency. If you get such a Facebook message or e
mail plea, and you aren't sure, pick up the phone
and call the person direc
tly to confirm.
What's behind that tiny URL?
Another threat that has emerged as a result of social networking is the tiny
URL attack. Some URLs are very
long and don't work well in e
mail or in blog posts, which created a need for URL
with its 140
character limit, has made the use of URL
shortening services like Bit.ly a necessity.
Unfortunately, attackers can easily exploit a shortened URL to lure users into accessing malicious Web sites.
Because the shortened URL is a random
collection of characters that has nothing to do with the actual URL,
users cannot easily determine whether it is legitimate.
TweetDeck, a popular application for Twitter, provides a 'Show preview information for short URLs' option, which
offers some protec
tion. The preview window shows details about the shortened URL, including the actual long
URL it leads to.
If you aren't using TweetDeck for Twitter, or if you need to deal with shortened URLs on other sites and services,
maintain a healthy dose of skeptic
ism and remain vigilant about what might lie behind that obfuscated address.
Botnet PCs Stay Infected for Years
A hardcore of PCs controlled by botnets stay that way for years, an
analysis from security vendor Trend Micro has found.
By John E. Dunn, TechWo
September 22, 2009
A hardcore of PCs controlled by botnets stay that way for years, an analysis from security vendor Trend Micro
According to an unpublished research note, the average length of time a PC stays part of a botnet, or is
infected by it or another bot, varies from country to country, with China not surprisingly leading the way in
absolute numbers of infections.
But Trend's figures culled from 100 million compromised IP addresses suggests that eighty percent remain
omised for more than a month, with the global median time for infection being over 300 days.
The majority of botnet
infected PCs, 75 percent, belong to consumers, but a surprising quarter of the IPs were
associated with business domains. Trend Micro assume
s that this equates to a much higher level of business
botnet infection as a business IP address will usually hide a larger number of possibly infected machines.
The three biggest botnets are associated with the Facebook
targeting Koobface, Zeus/Zbot and t
established Ilomo/Clampi, the company says, representing possibly 100 million compromised machines.
"This means that cybercriminals have more computing power at their disposal than the entire world's
supercomputers combined. Small wonder that more
than 90 percent of all email worldwide is now spam," the
Trend researchers says.
It is not a new insight by any means, but the analysis nevertheless detects a surprisingly large group of PCs that
appear to stay compromised indefinitely, undermining efforts
to fight the botnet phenomenon.
Every country measured by Trend showed this spike (including the UK) and the numbers are significant, from
tens of thousands to hundreds of thousands of PCs that exist as loyal botnet zombies for years at a time. The
s of old zombies far outnumbers the numbers of new zombies
those which have been infected for
between one and three days
by some distance.
Site Offers Facebook Account Break
Ins for $100
Security vendor PandaLabs has discovered an online service
help those so inclined to hack into any Facebook account they choose for
a price: $100.
By Jaikumar Vijayan
September 18, 2009
Security vendor PandaLabs has discovered an online
to help those so inclined to hack into any Facebook account they choose for a price: $100.
However, those who sign up for the service could find themselves becoming the victims instead, PandaLabs
The Facebook hacking service,
which is delivered via a professional looking Web site, was discovered by
PandaLabs earlier this week.
Users of the service are required to first register with the site and then provide an ID of the Facebook account
they want hacked, said Luis Corrons, te
chnical director of PandaLabs. Users who enter the ID and click on a
"Hack it" button are then presented with the username of the owner of the Facebook account. They then have
the option to "Start Facebook hacking."
Those who follow the instructions are ev
entually told that the hack was successful and a password for the
account was retrieved. But to actually get the password, the user is then required to send $100 via Western
Union to an individual in Kirovohrad, Ukraine. It's not clear whether sending the
money will yield any login and
passwords, Corrons said.
But the way the site has been designed and the ease with which a potential client can interact with it lends it a
certain degree of credibility, he said. The site contains an FAQ section, which claims
the site has been in
business for more than four years.
The site even provides a link to a Webmoney account that in fact does appear to be four years old, Corrons said.
However the domain itself appears to have been registered by someone in Moscow only a
couple of days ago,
"We've been looking at it and we are 99.9% sure it is a ruse," to get people to pay up money in exchange for
what they think will be legitimate Facebook credentials, he said.
At least as of the last time PandaLabs inspected the
site, it was not downloading or distributing any malware and
seems to have been set up purely to scam those seeking to gain illegal access to Facebook accounts, Corrons
Those who do fall for the scam are unlikely to go to law enforcement to report i
t, he noted.
Researchers Overwhelm Vendors with Security Flaws
Booming numbers of security researchers are uncovering so many flaws
that vendors are finding it almost impossible to patch them all in a
reasonable timeframe, the latest SANS report has found
By John E. Dunn, TechWorld.com
September 22, 2009
Booming numbers of security researchers are uncovering so many flaws that vendors are finding it almost
impossible to patch them all in a reasonable timeframe, the latest SANS report has found.
aradox is one of a number of findings contained in the
Top Cyber Security Risks report
, which the
organisation now plans to publish twice yearly in association with data provided by customers
TippingPoint and Qualys, upgrading the annual reports it has produced for some years.
More researchers hunting for flaws should be a good thing, but the report for March to August 2009 suggests
that this has created logistical problems for an
industry that is still heavily focused on adding features and
product enhancement as its main priority.
Attackers now look to undermine systems through application vulnerabilities, with server
side and OS flaws
declining in significance. Simultaneously, le
gitimate researchers have started finding the same types of flaws,
which has caught some vendors in a pincer of malicious attacks and honest disclosures they often don't seem to
have allocated the resources to deal with.
"There is a corresponding shortage
of highly skilled vulnerability researchers working for government and
software vendors. So long as that shortage exists, the defenders will be at a significant disadvantage in
protecting their systems against zero
day attacks," note the report's authors.
The applications being attacked are significant in that they probably live on almost every PC in the world. The
leading culprits identified by SANS are Microsoft's Office, Adobe's Acrobat Reader and Flash programs, and
Sun's Java, and the various browsers
in which such program often run as plug
ins. Apple's Quicktime is another
rising vulnerability star notable because it is popular across more than one operating system.
The arithmetic is daunting. More flaws, including zero day flaws, are being are being d
iscovered in software that
is ubiquitous, which has led to increased patching times. This is partly to do with the time it takes to produce a
patch and partly down to organisations misunderstanding the risk of app flaws and taking too long to apply
"On average, major organisations take at least twice as long to patch client
side vulnerabilities as they take to
patch operating system vulnerabilities. In other words the highest priority risk is getting less attention than the
lower priority risk," sa
ys the report.
According to Wolfgang Kandek of Qualys, one of the major contributors to the SANS data, a third issue was how
to roll out security updates to consumer PCs in an efficient way.
"The problem today is that it is splintered on six [or more] diff
erent updaters." Just coping with application
patching on a single PC had become a major challenge, he said, which suggested a new integrated mechanism
was needed to make patching more seamless. Kandek praised Google's Chrome browser, where patching
ed transparently and without user intervention, as a model for the future.
"It can be quite challenging if you are focused on development to understand that software gets abused."The
issue of patching cycles and patch application is already well
by Qualys's own
annual Laws of
, so the latest blast from SANS says nothing organisations shouldn't already be aware of.
The bigger lesson is for software vendors, which need to employ more researchers of their own and more people
to relate their discoveries to the complex process of patching vulnerable apps. Microsoft has done a lot of hard
work in this area with its much
vaunted Software Development Lifecycle (SDL), which is supposed to have
changed the way apps get written from the first line of code. Others have much work to do
Adobe take note.
Is Your Office Printer Secure?
A new program from ICSA Labs aims to tackle
a problem they believe is overlooked and poses serious risks
, Senior Editor
September 21, 2009
Hackers may be using your office printer as a conduit for criminal activity. Think about it: A printer in today's
office environment often saves on its hard drive all images of documents that are printed, scan
ned or faxed.
Therefore, hackers who know anything about accessing files on a network might easily gain access to that
sensitive data . This kind of threat is too frequently overlooked, according to ICSA Labs, a security products
testing and certifications
firm. ICSA said Monday it is introducing new certification and assessment programs
that will address security threats posed by networked devices such as printers, fax machines and security
cameras. The programs, known as Network Attached Peripheral Securi
ty (NAPS), will include a vendor
certification program. The class of network
connected devices addressed by the program will include printers,
sale systems, copiers, ATM machines, digital signs, proximity readers, security cameras, and
lity management systems for power, lighting and HVAC systems, said George Japak, managing director,
"You have UPS systems, you have power strips, I could go on an on about the different devices that are being
connected with this functionality"
connected devices, according to Japak, can pose as much risk as an unsecured server on the network
but are often ignored and are typically not securely installed or configured by end
users, he said. Network
attached devices, like network servers,
are at risk for unauthorized access and data breach, denial of service
attacks and can even propagate worms like Code Red Nimda. However, specific statistical data to back up the
severity of the security issues posed by network
connected devices is scant.
ICSA referred to figures from the
Verizon Business 2009 Data Breach Investigations Report which finds many breaches occur through what is
called "unknown, unknowns," which can involve systems such as printers and faxes. No further data about
ks or incidents was available from ICSA.
"Based on the feedback from current and prospective customers, this is going to be or have the potential to be a
significant issue and problem with enterprises as they continue to deploy these devices," said Japak.
device security is certainly not a new issue and the potential for security problems with devices has
been talked about for several years now. Printer security has also received attention from other organizations.
Earlier this year, the IEEE re
leased new security standards for networked printers that include specifications and
a checklist for printer security requirements. The standards, known as the 2600 Profile requirements, were
created by IEEE in a joint effort with Xerox and were created to
give printer vendors basic security requirements
when developing devices. Japak said ICSA is still reviewing the IEEE standards to determine who they will fit in
with the NAPS program.
The NAPS certification will target device manufacturers and will incl
ude rigorous testing that examines several
different aspects of a device and how each impacts its overall security. ICSA is also hoping to gain attention from
enterprise clients concerned about device security with a NAPS assessment program that offers an
and report with results of testing and recommended configuration instructions.
A heap of blogs and articles popped up
recently about the shift attackers are making to attacking applications
instead of operating systems
Ostensibly because operating systems are more
secure today, due to vendor design decisions and user/organizational patching effo
So the reasoning is that
this leaves applications as the weak security link.
Is this really news?
In our rush to fight the
criminal assaults against our operating systems and LAN/WAN devices, we have typically
overlooked applications ru
nning on servers and other endpoint devices.
Organizations which tried to assess
their ability to patch other applications found themselves hampered by the lack of effective, centrally managed
This is better today
at least for Windows
with the introduction of Microsoft’s
solution, but there is still a gap
a big one.
The average medium
sized business might have
hundreds of applications spread across hundreds or
thousands of end
The problem is propagated by the unwillingness of many organizations to
remove local administrator access from users who don’t absolutely need it to do their jobs.
problem is the tendency for IS teams to ignore desktop application patching because it is just “too hard.”
This set of conditions creates a big opportunity for people like Henry
B. Hacker (fictional character I made up…).
In the past, Henry foc
used on Windows to gain access to data he could sell to the highest bidder.
however, Windows is getting harder to crack.
Not because it is completely hardened, but because Microsoft and
its customers have gotten smarter about patching and general de
So Henry, looking for an
attack surface with a lower work
factor, is beginning to go after installed endpoint application vulnerabilities.
general lack of application
level processes and tools deployed across Henry’s target industries
results in a rich
The application vulnerabilities have always been there.
And no, I’m not just talking about Adobe products or
These high profile applications are typically addressed.
It is the other applications, which are
managed by IS, which present the biggest problem.
For example, an entire department might have decided to
download and install a cool freeware application they just can’t live without.
A satellite location may have
purchased an application,
comprised in part by commonly
used and potentially vulnerable components, to
process protected health information.
On top of all this, many vendors don’t bother issuing patches.
organization hasn’t locked down endpoint devices, applications like t
hese have been infiltrating its network for
The effect is the need to once again play catch
As we’ve largely ignored problems associated with “user
approved” applications, Henry has been working hard to come up with ways to exploit them.
two solutions to the current, well
publicized shift to attacking applications.
Deal with existing applications
If your organization still provides users with local administrator
access, you have to assume they’ve installed a large number of a
unknown to you.
have to make sure those applications IS actually installed and supports are protected.
So the first step is
deploying a solution, like SCCM, which can identify and report on installed applications.
SCCM probably cannot identify all third party applications, but it’s a good start.
processes to identify vulnerabilities or patches as they’re announced.
Once of the best resources for this
National Vulnerability Database
Another excellent resource, which includes whether patches are
available for specific vulnerabilities, is
In other w
ords, know what’s installed and deal with
TAKE AWAY LOCAL ADMIN ACCESS
doubtful you can
track all applications users install on their
The only way to control this problem is to take away their ability to install anything not approved
and packaged by the organization.
And let’s not forget that taking away privileged access helps keep bad
stuff from installing surreptitiously.
New Trojan gives criminals full
service bank theft
By Robert McMillan
September 30, 2009 02:26 AM ET
Security experts agree that cyber
criminals are getting better, but a new Trojan takes things
to a whole new level.
The URLzone Trojan, identified by researchers at Web filtering vendor Finjan Software earlier this month,
represents "the next
generation of bank Trojans," said Yuval Ben
Itzhak, Finjan's chief technology officer.
After it infected about 6,400 computer users last month, the Trojan was clearing about €12,000 (US$1,750) per
day. That puts it on track to rake in as much as €7.3 milli
Criminals installed the Trojan by luring visitors to infected Web sites and leveraging a variety of PC software
flaws. They managed to infect about 7.5 percent of the 90,000 computers they attacked before Finjan got access
to their command
control server, the company said.
More widespread Trojans such as Zeus and Clampi have been siphoning millions of dollars per day out of banks
by stealing victim's online credentials and then moving money to unsuspecting "money mules" who then transfer
e cash offshore. These mules are often recruited from job sites such as Monster.com and they typically believe
they're doing legitimate payroll work for overseas companies, and not organized criminal enterprises. Once they
send the stolen money offshore, t
hey can be the ones who are held accountable for the loss.
But URLzone is even more sophisticated than its predecessors, Ben
Its sophisticated user interface lets the bad guys set some controls that help keep fraud detection systems at
om a central server, they can, for example, set the system to ensure that the account's balance never
drops below zero; they can pre
set the system to make a series of small withdrawals that will appear
unsuspicious; and the software will change the way th
e victim's banking page is displayed so the true
transactions don't get displayed.
"Basically they say, 'I will steal from you €5,000, but I want to make sure at least 5 percent will remain in your
Organized Cybercrime Revealed
The shadow economy for stolen identity and account information
continues to evolve
September 28, 2009
As if CSOs don't have enough on their plates, they now n
eed to beat back made men, capos and the other
elements of the Mafia. Yes, the Mafia is formally involved in cybercrime, or so alleges the U.S. attorney for
Florida, who filed charges against associates of the Bonanno crime family that included pilfering d
ata from Lexis
The Mafia engaging in cybercrime might sound like your grandmother joining Facebook. In fact, "the majority of
data breaches are the result of organized crime," says Nick Holland, an analyst at Aite Group in Boston. That
it's the conventional Mafia pulling the strings
though it can be. In fact, it's hard to tell just who is
in control sometimes. For the most part, cybergroups that become notorious, like the Rockfish or the old Russian
Business Network, do so because very
few cybercrime groups publicize themselves, says Steve Santorelli of
. (Cymru, pronounced cumri, is the Welsh word for Wales.)
In fact, observers sometimes disagree on just who's behind a crime. Take la
RBS Worldpay scam
which saw hackers not only make off with 1.5 million records from the electronic payments processor, but make
fake ATM cards used to withdraw more than $9 million in 49 ci
ties around the world in a one
hour period. Frank
Heidt, CEO of Leviathan Security in Seattle, thinks this was a case of an extremely well
organized group with
roots in Russian organized crime. Peter Cassidy, director of research at Triarche Consulting Gro
Cambridge, Mass., says it looks like a franchise
style operation in which the data and details on how and when
to use it was sold to groups operating in different regions.
Either way, it's organized crime. Just a few years ago, most hackers either a
cted for the glory of spreading a
virus they'd written, or handled all aspects of an operation, from phishing to building fake websites to cashing in
on the fraud. Since then, cybercriminals have discovered Adam Smith. They specialize, they create markets
above all, they're entrepreneurial. And because of the Internet, "you get radical distribution of labor and a
radically fast ability to recruit skills," says Cassidy.
These organizations adopt various structures. The crime family model obviously still
applies when the Mafia is
involved. Some groups that seem independent of the Mafia, like the people who ran Carder's Market
underground site for buying and selling credit card information
also use a Mafia
like structure and terminology.
tend to work like Japanese keiretsu, says Cassidy, who is also secretary of the
. Cybercriminals sometimes use a hub
spoke model, where a criminal mastermind puts
tools and people needed to pull off a job. Want a botnet? A Symantec study found that on
average, you could gain use of one for $225. Need a keystroke logger? Average price: $23. Want someone to
host a phishing scam? That can be had for as little as $2. A
specific vulnerability in financial sites might cost
You can even get specialized versions of malware, websites, etc.
the Verizon 2009 Data Breach report found
that 59 percent of the malware it saw was customized. Sometimes the criminals adopt mo
dels that look like the
software business. You can literally buy "fraud as a service," where criminals subscribe to hosted services
story first illuminated in CSO's September 2007 article, "Inside the Global Hacker Service Economy" (see
Between 70 percent and 80 percent of malware now comes from organized groups, estimates Bogdan Dumitru,
CTO at BitDefender, an antivirus firm based in Romania. Lone hackers still break new ground: Dumitru says
Twitter malware that's popp
ed up recently was "developed by a kid. But in the next two months we'll probably
see organized entities taking advantage of it."
The fluidity of cyberorganizations can make them more difficult for law enforcement to penetrate than their real
world counterparts. But it's not impossible.
DarkMarket, a spam and phishing forum, eventually was taken over
and hosted on FBI servers. J. Keith Mularski,
the supervisory special agent at the FBI assigned to the National
Cyber Forensics and Training Unit, ran this site undercover, posing as a spammer named MasterSplynter.
DarkMarket started leading to arrests of prominent spammers and phishers in May 2007.
It eventually closed in
October 2008, after the arrest of DarkMarket's boss, a Turkish hacker whose handle was Cha0, leaving Mularski
as the last leader standing. Ultimately, sixty people
most of them the most powerful members of DarkMarket
in at least four countries: Germany, Turkey, the U.K. and the U.S. The FBI also got six complete
malware packages and may have prevented $70 million in losses at financial services firms. Plus, it arrested
Cha0 and his seven
member gang in Istanbul before
they could ship out about 1,000 ATM skimmers, which
prevented an additional $33 million in losses.
"Sure, they'll reorganize, but with every law enforcement action, it's a little bit harder to regroup," says Mularski.
The DarkMarket operation has at leas
t temporarily driven many cybercriminals off of Internet Relay Chat and
bulletin boards, says Team Cymru's Santorelli. They've opted instead for private instant messenger groups that
they control, says Santorelli.
DarkMarket involved law enforcement group
s working together across borders. That's a good step in what
remains a challenge. Cybercriminals "are good at finding cracks in international law," says Yuval Ben
CTO of security firm Finjan. A group might be based in one country, use servers in a
second and commit crimes
in a third.
This problem has led to calls for better international law. For instance, Brazil has become a hotbed of bank fraud,
phishing and Trojan activities since the penalties there are very light. Some are even calling for a
group that can
force Internet service providers to cut off servers that obviously house phishers.
More countries may be taking cybercrime seriously. While Eastern Europe is seen as a kind of Wild Cyber West,
last year, Romanian police arrested 20 people i
n Ramnicu Valcea and Dragasani, towns known for organized
eBay scams (one tried to auction off a Romanian city hall). Florin Talpes, BitDefender's CEO, says joining the
European Union in 2007 has changed attitudes in Romania and in Bulgaria, which have cre
ated stronger legal
frameworks for fighting cybercrime.
Mularski, however, cites Romania as a country where traditional organized crime clearly has become involved in
cybercrime. The FBI arrested 35 Romanians running a phishing and ATM skimming scam in Lo
s Angeles, and
Mularski says they were connected with Romanian organized crime. He concedes that the FBI did work with
Romanian law enforcement to make 80 arrests in the two countries in a separate case. At least there are arrests
in Romania. That rarely h
appens in a place like Russia, although two unnamed Russian hackers were recently
indicted in the Heartland and Hannaford hacking cases
along with US
based alleged mastermind Albert
even cybercrime groups suffer from market forces. They've so flooded the cyber black market with credit
card data that prices are falling. Organized crime has shifted its targets. They're after medical records, which are
valuable. They target company CFOs,
aiming to get access to corporate bank accounts and wire money out of
them. That tactic has had success: In late July, The Washington Post detailed how stealth Trojans had been
used to infect a PC used by a county treasurer, a school district and the head
of a small business. Hundreds of
thousands of dollars were wired to money mules who then sent the funds on to bank accounts in the Ukraine
Targeted industries are also shifting. While financial firms make the juiciest targets, Borenstein says
that RSA is
seeing more activity around the healthcare, manufacturing and government sectors.
Also on the rise are call center scams. Organized criminals may get access to someone's bank or brokerage
account but be unable to transfer money because of Web
protections put in place by financial firms. So the
criminals call customer service to complain and even bully, hoping to get help in transferring money out.
Meanwhile, social networks "are gold mines to social engineers, to someone who wants to get to t
he CFO of an
organization to attack them," says Joshua Corman, principal security strategist at IBM Internet Security Systems.
Corman says CSOs need to tell employees not to answer things like those "25 Questions" surveys that run
rampant on sites like Fac
ebook because the answers often include information used as hints for account
BATTLING BACK AGAINST ORGANIZED CYBERCRIME
Even as cybercriminals get more sophisticated, the best ways to stop them are often the simple ones. Verizon's
that many credit card breaches occurred at firms with minimal PCI compliance. It also found that 51
percent of firms breached had never changed the default vendor passwords for equipment.
Equipment itself gets overrated by CSOs and CISOs, says Michael Lev
in, former deputy director of the National
Cyber Security Division of the Department of Homeland Security. "They are wasting money on hardware and
software," he says. Instead, they should do things like tell employees not to click on e
mail attachments and
other basics. Levin has cofounded the Center for Information Security Awareness in Fairfax, Va., which has
prepared the free, online awareness training offered through Infraguard, the FBI's regional effort to work more
closely with private companies on cy
CSOs should get involved with groups like Infraguard or develop relationships with regional FBI or Secret
Service agents and local law enforcement. They should also regularly assess their risk levels. "You have to
assess every record and every p
iece of data in the place for its value to criminals," says Cassidy.
CSOs should also be prepared to do much of their own forensics work before going to law enforcement. Levin
says once law enforcement is involved, they may need a search warrant or even a
grand jury subpoena to do
things like explore company computers for malware, slowing the process.
Above all, talk to people outside of the security department or IT, and talk to peers at other companies,
especially financial firms, which are on the front
lines of the corporate cyberwars. The cybercriminals don't
cloister themselves, and CSOs can't either.
U.K. High Court serves injunction using Twitter
By Jeremy Kirk
October 2, 2009 06:55 AM ET
IDG News Service
For the first time, a U.K. court deliver
ed an injunction over Twitter on Thursday, a ground
breaking embrace of technology by a traditionally slow
moving legal system.
The injunction orders an anonymous person to stop impersonating Donal Blaney, a prominent right
and owner of the G
riffin Law firm based in Hawkhurst, England.
The impersonator had set up a Twitter account that used Blaney's photo from his blog, linked to his blog posts
and tweeted with the same style and tone of writing. While parody could be a defense, in this case "
it was clearly
designed to encourage people to think it was truly me," Blaney said.
Blaney's attorney went to the U.K.'s High Court in London on Thursday morning. The injunction was delivered by
Twitter's direct message feature to the impersonator, so it i
s not public. The tweet contained a link to the
injunction, which orders the person to reveal their identity and stop impersonating Blaney on Twitter.
The judge, who was familiar with Twitter, also knew of a case in Australia where court proceedings were
elivered over Facebook, Blaney said.
The delivery of an injunction over Twitter is innovative and "will make it harder for people who are abusing the
Internet and abusing the cowardly cloak of anonymity to harass and bully people," Blaney said.
If the impe
rsonator doesn't get in touch with the court, Blaney has a couple of options, although identification of
the person could be difficult. He could get a penal notice from the court, which would warn that the impersonator
could be held in contempt of court fo
r not coming forward.
However, penal notices must be served in person, Blaney said, and it's unlikely a judge would allow one to be
delivered over Twitter.
Another option would be to file separate proceedings against Twitter in California to reveal the IP
Protocol) address of the computer that posted the tweets. Then, it would be possible to ask the ISP (Internet
service provider) to reveal the subscriber's identity or location of the computer. That is a "slow and expensive
process," Blaney said.
The impersonator's account was still active as of Friday morning, he said.
Blaney said he went directly to the court instead of immediately contacting Twitter because the service can take
a week to remove a fraudulent account, based on his experience wit
h one of his clients. He sent an e
Twitter this morning asking for the account to be removed.
Part of his frustration stems from the fact that Twitter has no public phone line to report complaints, and users
who feel there is inappropriate contact
must just send an e
mail, Blaney said.
"It is unacceptable that a site as powerful as Twitter is behaving in the same manner as an ISP a decade ago,"
Because of increasing abuse by spammers, phishers and other scams, ISPs have generally improv
response times now when alerted to problems on their networks. Social networking sites such as MySpace and
Facebook, which grew very rapidly, have also made efforts to improve their reaction times.
Twitter could not be immediately reached for com
Researchers advise cyber self defense in the cloud
By Dan Nystedt
October 12, 2009 06:16 AM ET
IDG News Service
Security researchers are warning that Web
based applications are increasing the risk of
identity theft or losing personal data more th
an ever before.
The best defense against data theft, malware and viruses in the cloud is self defense, researchers at the Hack In
The Box (HITB) security conference said. But getting people to change how they use the Internet, such as what
personal data th
ey make public, won't be easy.
People put a lot of personal information on the Web, and that can be used for an attacker's financial gain. From
networking sites such as MySpace and Facebook to the mini
blogging service Twitter and other blog sites
like Wordpress, people are putting photos, resumes, personal diaries and other information in the cloud. Some
people don't even bother to read the fine print in agreements that allow them onto a site, even though some
agreements clearly state that anything
posted becomes the property of the site itself.
The loss of personal data by Sidekick smartphone users over the weekend, including contacts, calendar entries,
photographs and other personal information, serves as another example of the potential pitfalls
of trusting the
Cloud. Danger, the Microsoft subsidiary that stores Sidekick data, said a service disruption almost certainly
means user data has been lost for good.
Access to personal data on the cloud from just about anywhere on a variety of devices, fro
m smartphones and
laptops to home PCs, shows another major vulnerability because other people may be able to find that data, too.
"As an attacker, you should be licking your lips," said Haroon Meer, a researcher at Sensepost, a South African
ny that has focused on Web applications for the past six years. "If all data is accessible from
anywhere, then the perimeter disappears. It makes hacking like hacking in the movies."
A person who wants to steal personal information is usually looking for f
inancial gain, Meer said, and every bit of
data they can find leads them one step closer to your online bank, credit card or brokerage accounts.
First, they might find your name. Next, they discover your job and a small profile of you online that offers f
background information such as what school you graduated from and where you were born. They keep digging
until they have a detailed account of you, complete with your date of birth and mother's maiden name for those
pesky security questions, and per
haps some family photos for good measure. With enough data they could
make false identification cards and take out loans under your name.
Identity theft could also be an inside job. Employees at big companies that host e
mail services have physical
mail accounts. "How do you know nobody's reading it? Do you keep confirmation e
passwords there? You shouldn't," said Meer. "In the cloud, people are trusting their information to systems they
have no control over."
Browser makers can play a
role in making the cloud safer for people, but their effectiveness is limited by user
habits. A browser, for example, may scan a download for viruses, but it still gives the user the choice of whether
or not to download. Most security functions on a brows
er are a choice.
Lucas Adamski, security underlord (that's really what his business card says) at Mozilla, maker of the popular
Firefox browser, offered several bits of cyber self defense advice for users, starting with the admonition that
people rely on f
irewalls and anti
virus programs too much.
"You can't buy security in a box," he said. "The way to be as secure as possible is about user behavior."
There is a lot of good built
in security already installed in browsers, he said. If you get a warning not
to go to a
site, don't go to it. When you do visit a site, make sure it's the right one. Are the images and logos right? Is the
URL correct? Check before you proceed with filling in your username and password, he counseled.
Software updates are vital. "Mak
e sure you have the most up
date version of whatever software you use," he
said. Updates almost always patch security holes. Key software programs such as Adobe Systems' Flash Player
and Reader are particularly important to keep updated because they're
used on so many computers and are
prime targets for hackers.
He also suggested creating a virtual machine on your computer using VMWare as a security measure.
"It's really hard to get people to change their browsing habits," he said. People want to surf th
e Web fast, visit
their favorite sites and download whatever they want without thinking too much about security. "Educate them,
move them along, but don't expect them to become security experts."
Internet browser makers take great care in building as much
security as possible into their products and putting
them through rigorous testing.
The security team for Google's Chrome browser, for example, will take the first crack at any major update to the
software, hacking away to find vulnerabilities or ways to i
mprove security, said Chris Evans, an information
security engineer at Google.
After the Chrome security team takes a whack at the software and it is reworked to fix the holes they found,
other security teams at Google will have a go at the product to see
what trouble they can cause. Finally, the
software is released in beta form, and private security researchers and others can hack away. Any problems are
fixed before the final release goes out and then the Chrome team stands ready to make new patches for
other security issues that crop up.
Despite all the testing, browser makers are only one part of the security solution because they have no control
over Web software or user browsing behavior.
The cloud is the Wild West: hackers and malware makers abo
und, phishers seek passwords and users do
whatever they want to, recklessly surfing and downloading potentially dangerous content as judged by security
Companies developing Cloud applications and services will need to do more for Web security.
its Web Services and Google as it moves forward with initiatives, such as Google Docs, that attempt to draw
people to Web applications and away from computer applications will need to work more closely with security
researchers, Meer said.
And Google's work on the security in the Chrome browser highlights the reason why: Computer applications
such as Chrome face intense scrutiny by security researchers throughout the Web, while Web applications do
"Reverse engineering keeps [big softw
are companies] honest," said Meer. "If they hide something in the
software code, sooner or later someone finds it. With Cloud services, you just don't know because we simply
cannot verify it."
Cloud applications are built by one company, and nobody is look
ing at the code or how safe it is, said Meer.
Applications for computers are different. They can be ripped apart by security experts then put back together
stronger so there are no security holes, he said.
"Trust but verify," said Meer. "Just because a guy
does no evil today, we cannot trust that they will do no evil
tomorrow because we simply cannot verify it."
UC Berkeley tightens personal data security with data
By Ellen Messmer
October 12, 2009 02:05 AM ET
To better safegu
ard the personal data of its students, the University of California at Berkeley
) has adopted a specialized data
masking technique in its application development work tha
hide data in plain sight
by mixing it up.
Data such as students' first and last names can be switched around to camouflage the real names, and sensit
information such as student identification numbers also undergoes a gentle jumbling so what appears to the eye
is not the true number. It's done with a tool called datamasker from dataguise. Steve McCabe, associate director
of information in UC Berkele
y's residential and student services program, says the advantage in using the
dataguise tool is it significantly reduces security risks around personal, sensitive data.
"Student IDs paired with names becomes restricted data here," says McCabe, describing s
ome of the data
privacy rules that the university must follow. But the challenge has been how to enforce restrictions in a
development environment where constant work by several developers is ongoing to support UC
pplications for SQL Server, such as the housing and assignment system.
McCabe says the data
masking approach, in which the dataguise tool mixes up names, sensitive numbers and
other data prior to developers seeing it (dataguise calls it "de
), has worked out well because the
data columns maintain the necessary structure but the content is effectively concealed to the naked eye.
"We do a lot of application development and handling large volumes of student information, and we wanted a
way to re
strict that data," McCabe says. "So we randomize the IDs, and first name, last name, date of birth, and
While one main copy of a production database is preserved, with the genuine student information, developers
can freely work on copies that ha
ve undergone the dataguise data
masking treatment in what McCabe calls a
"sanitized version" without concern of a potential data breach.
"It maintains the relationship and updates with scrambled data," McCabe says. Though the production database
has to be
protected through other means, the risks associated with data exposed to developers and testers in
the course of their work has been vastly reduced since UC Berkeley started using the tool about six months ago.
UC Berkeley, like
, has suffered consequential data breaches. In May, UC Berkeley
in which it said hackers broke into its health
services databases, compromising
related information on about 160,000 individuals.
How hackers find your weak spots
er 19, 2009 (
While there are an infinite number of
social engineering exploits, typical ones include the following:
In this common maneuver, the hacker uses information from a social networking profile to
guess a victim's password reminder question. This technique was used to hack Tw
itter and break into Sarah
In this scenario, a hacker gains the trust of an individual or group and then gets them to click on links
or attachments that contain malware that introduces a threat, such as the ability to exploit a
weakness in a
corporate system. For example, says Netragard CTO Adriel Desautels, he might strike up an online conversation
about fishing and then send a photo of a boat he's thinking of buying.
Impersonation/social network squatting:
In this case, the
hacker tweets you, friends you or otherwise
contacts you online using the name of someone you know. Then he asks you to do him a favor, like sending him
a spreadsheet or giving him data from "the office." "Anything you see on a computer system can be spoof
manipulated or augmented by a hacker," says Desautels.
Posing as an insider:
Imagine all the information you could extract from an unknowing employee if you posed
as an IT help desk worker or contractor. "Roughly 90% of the people we've successfull
y exploited during
[vulnerability assessments for clients] trusted us because they thought we worked for the same company as
them," Desautels says.
On the Netragard blog, he describes an exploit in which a Netragard worker posed as a contractor, befriend
group of the client's workers and set up a successful phishing scheme through which he gleaned employee
credentials, eventually gaining entry to the entire corporate infrastructure.
Hijacked Web sites attack visitors
October 19, 2009 (
Some malware attacks target site visitors rather than the site brands themselves.
Here's the scenario: Attackers compromise a major brand's Web site. But instead of stealing customer records,
the attacker installs malware that infects the computers of thousands of visitors to the site. The issue goes
unnoticed until it's exposed publ
Such attacks are a common occurrence, but most fly under the radar because the users never know that a
trusted Web site infected them, says Brian Dye, senior director of product management at Symantec Corp.
When his company tracks down the source o
f such infections, it often quietly notifies the Web site owner. But
word can get out, leaving the Web site's customers feeling betrayed, and seriously damaging a brand's
Attackers, often organized crime rings, gain entry using techniques suc
h as cross
site scripting, SQL injection
and remote file
inclusion attacks, then install malicious code on the Web server that lets them get access to the
end users doing business with the site.
opting machines that can be part of botnets tha
t send phishing e
mail, that are landing sites for traffic
diversion and that host malware," says Frederick Felman, chief marketing officer at MarkMonitor. But because
the business's Web site isn't directly affected, the administrators of most infected Web
sites don't even know it's
That possibility is one of Lynn Goodendorf's biggest worries as global head of data privacy at InterContinental
Hotels Group. "I worry about attacks that use a combination of malware and botnets," she says, adding t
has watched this type of activity increase steadily over the past two years. "That's very scary," says Goodendorf.
Most victims haven't associated such attacks with the Web sites that inadvertently infected them. But that may
atest versions of Microsoft's Internet Explorer browser and Google's search engine detect sites infected
with malware, issue a warning and block access to the site. "To me, this is serious online brand damage," says
Garter analyst John Pescatore, and it ca
n be disastrous for small and midsize businesses that totally depend on
search engine traffic. The next frontier, says Dye, may be attackers who use these types of exploits against the
Web sites of high
profile brands and then publicize
or threaten to p
Preventing attacks like SQL injections requires using enterprise
class security tools, such as intrusion
detection systems, with a focus on behavioral analysis to spot attacks, Dye says. But Pescatore sees a
e fundamental problem: rushing through Web site updates and ignoring development best practices
designed promote security.
Most organizations follow formal processes for major upgrades, but not for the constant "tinkering" that takes
place. The result: V
ulnerabilities creep into the code. "Security groups often are forced to put Web application
firewalls in front of Web servers to shield [these] vulnerabilities from attack," says Pescatore.
How data security can vaporize in the cloud
October 15, 2009 (
IT managers should consider security, legal issues before signing up for hosted storage services.
While hosted cloud computing may be all the rage for reducing cost of ownership and management,
managers say hosted storage services present dramatic security challenges and legal implications that need to
Arthur Lessard, chief information security officer at toy manufacturer Mattel Inc., in El Segundo, Calif., said
during a presen
tation at Storage Networking World on Wednesday that cloud computing is appealing, even if
many end users don't know what the word "cloud" means. For example, many confuse cloud computing with
pure server and storage virtualization or simply backing up dat
a to a remote site.
True cloud services should be characterized by grid
architected hosts with central management, applications
that can be ported seamlessly from system to system, capacity that is easily provisioned and significant data
redundancy, he sai
"We're talking software as a service," Lessard said.
When storage is hosted offsite in a virtualized server and disk array environment, cloud computing presents real
limitations around authentication and auditing
especially auditing of logging. The la
ck of auditing capabilities
may affect the ability to record user logins, administrative actions and data writes, Lessard said.
"What I can't find out is who has been reading the data files, and ... depending on what business you're in, that
might be impor
tant," he said.
Also, there's usually no indication of login anomalies, such as repetitive attempts to log into a site under an
incorrect name and password. That information is kept by the vendor and is usually part of a contract negotiation
respect to authentication, or who sets up the accounts and what control you have over accounts
and how they're provisioned, most vendors offer self
registration into your applications, "and that can have
holes," Lessard said.
"Most authentication in a clou
d environment is done through user name and password only, so if I had a nifty
factor authentication set up or biometrics, it's no longer offered," he said.
Most service providers also have restrictions against penetration testing of the cloud by their
"To be honest, I can't blame the vendor because by doing penetration testing against their environment for your
applications, it could impact someone else's applications," he said. "Remember, it's a cloud, and you don't have
a lot of control ov
er where my stuff is running or where it sits."
Hackers can exploit security holds associated with hardware and software cloning in virtual server environments.
Most operating systems have unique or personalized components when they're installed on hardwa
re, and the
OSes rely on the hardware to generate random numbers for public and private encryption key pairs and user
IDs, even when they're being cloned onto new systems.
When operating systems are cloned in virtual environments where new servers and sof
tware are stamped out to
meet user demand, service providers may use pseudo
random number generators. These create values that
appear to be random and for the most part are spread out over a range, but they aren't truly random and can be
At the last Black Hat hackers convention, there was an attack proposed that would exploit resources in the cloud
based on pseudo
random number generation.
"If you have multiple systems, and they're all cloned and you have some idea of when a parti
cular instance was
cloned and created, you can start making some pretty good guesses about the pseudo
generator in that operating system, and that means you can start making some pretty good guesses about public
and private key pairs that got
generated when an operating system got cloned."
One of the stickier legal ramifications of storing data with a cloud service provider falls under the government's
right to search and seize that information during the course of a criminal investigation.
cording to Lessard, the U.S. government has also asserted that it has a right to serve a warrant to a third party
service provider in order to see data on their systems wihtout notifying the provider's customers prior to the
Because one company's d
ata may be kept on the same disk as another's by a service provider, a criminal
investigation could expose data to authorities or simply limit the ability to access data through that cloud service
provider, Lessard added.
"Essentially, you're losing your r
ight to answer warrants served by the government," he said. "To use a technical
term, cloud computing is probably going to give your legal department the heebie jeebies."
Other IT managers also had security concerns about cloud services, some of whom overc
ame them after
becoming SaaS customers and others who weren't convinced the security around such services is sufficient.
Gordon Peterson, director of information technology for the city of Carlsbad, Calif., recently began using
Microsoft's Live Mesh cloud
computing service to host collaborative applications, such as Exchange, Office
Communicator and Live Meeting in order to spend less time on maintaining back office systems and more time
on technology innovation.
Peterson, who has a staff of 25, said he def
initely had security concerns, mainly about Microsoft employees who
would be able to see internal e
"We do have justice system traffic, after all," he said. "But I think what helped was realizing somebody else can
probably do security better
than I can."
Peterson said his main concern was Microsoft's hiring and firing procedures and whether employee background
checks were thorough. A trip to Microsoft's hosting facilities helped alleviate those concerns.
"Their procedures are very similar to o
urs," he said. "They told me that if they mess up, the online community is
Norton Healthcare Inc., a private, nonprofit hospital system based in Louisville, Ky., is in the middle of rolling out
virtualized servers, desktops and storage to ser
ve four acute care hospitals and other health care facilities in
Kentucky and southern Indiana.
Brian Comp, associate vice president of technology at Norton Healthcare, said cloud computing, with its ease of
use is definitely in the hospital's future, just
not the near future. Comp said over the next five years, as cloud
computing providers and technology mature, it will become more reliable and secure, allowing him to put non
clinical systems on a distributed architecture.
"I wouldn't say I'm uneasy about
security in the cloud, but I do have reservations about it. It's about having data
offsite. I just want certain assurances. Nobody wants to be on the front page of a newspaper because of security
problems," he said. "But I do think cloud vendors will work
that out over time."
Their phone, your headache
By , Ojas Rege, vice president of products and marketing, MobileIron
October 16, 2009 10:48 AM ET
For years analysts have encouraged the consumerization of IT to enhance collaboration and
productivity. It began with adoption of consumer instant messaging applications and continued with Web 2.0
technologies such as Wikis and social networking. Now, as employees start bringing their smartphones to work
and request IT to provide access to ema
il and other corporate applications, we are seeing the consumerization
of not just an application but an entire computing platform.
At first glance this looks like a great idea. IT increases employee satisfaction, reduces OpEx costs by having
t part of the wireless bill, and cuts CapEx costs by ducking the cost of the pricey phones. What’s
more, employees with smartphones devote more personal time to work so there is a productivity gain.
Early data from the Aberdeen Group shows that 20% of comp
anies surveyed allow their employees to use
personal devices for work.
But securing employee
owned smartphones is not the same as securing corporate
owned devices. In the
corporate model, if an employee leaves the company, standard procedure is to retrieve
the phone and “brick” it,
wiping it clean of all data and resetting it to factory defaults. In the new model, when an employee leaves the
company the phone goes too, packed as it is with personal pictures, videos, contacts, applications, music and
ntial corporate information.Is it fair to wipe all personal information from a phone just because an
employee tried to be more productive for the company? At the same time, is it damaging to the company’s
business to compromise security levels just because
that employee happens to own the phone?
Enterprise data boundary
The way to address this issue is to start by adopting a framework that provides visibility into corporate data on an
employee’s smartphone and allows administrators to set boundaries around
this data. This doesn’t have to be
something as fancy as tagging or fingerprinting mobile files. It can start with simply drawing a line between
media files on one side and xls, doc, ppt, and pdf documents on the other.
The key is that however this enterpr
ise data boundary is drawn, if an employee leaves the company, he or she
should be able to take the phone with personal data intact, while IT should be able to ensure that any corporate
information has been safely removed. The process should be simple and
transparent to all.
In addition to segmenting personal information from corporate, IT must have an honest dialogue with employees
about the trade
offs that exist when attaching a personal smartphone to the enterprise. For instance, regulatory
licies may mandate that corporate communications be archived for e
discovery purposes. These
communications can include SMS messages, therefore, the employee must weigh the privacy concerns of
having SMS archived in the same manner as corporate e
will likely find that different policies will apply between corporate
owned and employee
owned phones, so it’s
crucial for the policy enforcement framework to delineate between phones based on ownership.
Finally, the overall governance structure for mobili
ty must move from one of command
control to one of
partnership. Employees and IT must take responsibility for the corporate data on employee phones. IT cannot be
the sole policing function; accountability and responsibility have to move to the employee
Security systems have traditionally focused on inbound reporting of exceptions to IT and security staffs. Mobile
management systems have to be just as focused on outbound reporting of exceptions to employees so they can
do something about it. Employees m
ust be engaged, understand their role in the partnership, and have the tools
to live up to their part of this cooperative security bargain.
While shifts in enterprise security models have often led to battles between employees and IT staffs, the
owned smartphones may be an exception. Here, employees have an incentive to securely
operate their personal smartphones because they genuinely want to use them for both work and life. What IT
needs to do is provide these employees the tools to b
e able to strike that balance without compromising
enterprise security or personal usage.
Five Problems Keeping Legacy Apps Out of the Cloud
By Kevin Fogarty
October 15, 2009 11:35 AM ET
The hype about cloud computing has gotten so loud that Gartner
Group used Cloud as the lead in its
parazzi special report
Hype Cycle 2009
. The sharply sloping graph in the report places cloud, along with e
book readers, wireless power and social softw
are suites, at or near the "Peak of Inflated Expectations,"
preparing for a dive into the "Trough of Disillusionment."
One thing that may drive it into that trough
other than the unrealistic projections by some providers of cost
savings and easy capacity
is the difficulty in getting certain applications to run on it effectively,
according to analysts and vendors selling technology to help bridge the gap.
What are the difficulties? Here's a look at five key hurdles.
1. Today's clouds are not ali
ke No one "cloud platform" exists
each is different, meaning the specific migration,
support, cost and capacity issues vary from vendor to vendor. And moving a legacy application to the cloud
means taking a proven quantity in a known environment and movi
ng it to a new environment that will make
almost everything about it different, according to Bernard Golden, CEO at HyperStratus, and
"Legacy applications come with a lot of integr
ation with your other systems, and usually they had to be done fast,
so you have a lot of direct database calls from one application to another and that kind of thing that may not
work when one endpoint is outside the perimeter," according to Golden.
e's the tiny straw issue, too; there is an order of magnitude more bandwidth available inside the data center
than outside it. And you have to decide whether it's important that you manage everything from one pane of
glass, because the management tools are
not up to doing that with cloud and legacy applications yet," Golden
says. "There are a lot of basic technical issues that are often not addressed."
2. Security worries Security gets top billing as a risk of cloud computing because the idea is new and the
aren't as fully tested as those on legacy applications. At least as big an issue for many companies is knowing
who is using the applications or accessing the data, whether they have permission to do so or not, according to
Chris Wolf, infrastructure
analyst at The Burton Group.
Cloud Security: Danger (and Opportunity) Ahead
"For enterprises that have security or compliance concerns, multitenant cloud infrastructures are just non
starters right now, be
cause the tools to monitor or control that has not been addressed yet," he says.
that is, cloud platforms a company owns and manages itself
only solve part of that issue.
Being able to physically limit access to the cloud by contro
lling the rest of the IT infrastructure makes the
contained cloud safer, but still doesn't provide the detailed audit trail many companies need to comply with
financial or privacy regulations, Wolf says.
3. Licensing and interoperability concerns Legacy ap
plications are supposed to be the creaky inflexible problem
when it comes to migration, but neither major software vendors nor cloud providers are making the migration any
easier, Golden says.
While most legacy applications have been upgraded from the home
standards era of corporate
computing, most are built with databases, communications or data
translation modules and other commercially
licensed technology. That means vendors like Oracle, Siebel, SAP and others would have to change their
icensing to support "three weeks running on three servers, then one week per month expanding to ten and only
paying for the capacity you use," Golden says. "Most licenses are still tied to one physical box, although Oracle
has made some movements in this d
Legacy apps typically also don't typically support the newest technology except in the user interfaces that aren't
part of their cores
exactly the technologies on which cloud platforms are built. Microsoft Azure is based on its
architecture, which most legacy apps are not. Google's App Engine is designed to support
software written in Python
friendly language popular with developers of PHP
based software running on
Web servers. Salesforce.com has a proprietary applicatio
n and data structure.
4. You don't know your own legacy Your company may live and die by its line
business applications, but that
doesnt mean you know everything going on behind the endlessly
customized codes, interfaces and forms that
started out as bu
siness automation and turned into a rigid legacy application, according to CEO Mark Cashman
and CTO Steve Yaskin of
Queplix's tools are designed to extract data, metadata, business logic and security informat
ion from legacy
applications using a mix of custom
written and canned analysis and conversion utilities, so the resulting code
can be run on cloud computing platforms
usually internal clouds rather than public ones.
With all the data, data structures and
policy guidelines extracted, Queplix can analyze security, data
compliance rules from both commercial and homegrown apps
often finding huge holes in the process.
"We run a report that will show big holes in security that security people don't
know about and they don't like
when they see it," Yaskin says. "Siebel isn't designed to share [access control list] data with SAP and vice versa,
so no one knows users have all this access; when we take all that out, you can see the access points and
ential breaks in security and turn them to your advantage."
Queplix sells a set of software development, analysis and conversion tools designed to extract data, business
logic and security information from legacy apps so they'll run in cloud
5. Migration is manual and darn few tools will help Even at their best, Queplix and its competitors
management (MDM) providers such as Siperian and Initiate Systems
convert only a portion of the application
and data, leaving the e
user or service provider to deal with the rest, according to John Abbott infrastructure
analyst at The 451 Group, who published an evaluation of Queplix recently. Yaskin estimates Queplix' best shot
automates 85 percent of the migration. When will the s
VMware, which bought application
devel oper Springsource earlier this year, is working on the
problem, but not for legacy applications. Smaller companies such as the Israeli firm Gizmox will put an AJAX
GUI on a legacy a
pp and run that in the cloud, but don't take care of its guts.
SAP and IBM
both of which have extensive custom
development and migration divisions
are also working on
cloud migration tools, as is Oracle and Cobol
stalwart Micro Focus, Abbot s
ays. So does Oracle, which
is adopting technology developed by Sun.