
March 9th, 2008

Moving on

Posted by Richard Stiennon @ 11:00 am

Categories: Security Industry News, Security blog

Tags: Network, Blog, Blogging, Security, Internet, Richard Stiennon

I travel a lot. It has been almost ten years since I had a job that was based in the same place I live. Whenever I get a call from friends and family the first question I get is “where are you?” People who have known me for years but do not stay in touch have a different question: “What are you doing now?” Other than a four year stint at Gartner I have never had the same employer for more than two years.

Followers of this blog will remember when it moved from the independently hosted ThreatChaos.com to ZDNet two years ago. That was coincident with my departure from Webroot Software, the anti-spyware company. (see Webroot loses voice). Well, it has been a great two years here at ZDNet. The folks at CNET (ZDNet is part of CNET not the troubled ZiffDavis. That still confuses people.) have created the most mature collection of tech blogs on the Internet and I have enjoyed being part of the ZDNet blogging community. But, I think they are pretty well covered on security now with the likes of George Ou, Larry Dignan, and newly joined Nate McFeters.

UPDATE November 6th ’08: One more move. I hope it is the last, as the Stiennon Security blog comes full circle. First it was at www.threatchaos.com, then it was at ZDNet, then it was at NetworkWorld. Now my blog is coming home to the re-born www.threatchaos.com!

For thoughts and coverage on hacking, cyber crime, cyber warfare, and malfeasance visit www.threatchaos.com

January 18th, 2008

Anniversary of TJX breach announcement

Posted by Richard Stiennon @ 12:00 pm

Categories: CyberCrime, Data Security, Security, Security blog

Tags: Credit Card, TJX, TJX Story, Public Relations, Sales Channel, Financial Services, Security, Marketing, Corporate Communications, Sales

Jaikumar Vijayan over at Computerworld has a great round up of “lessons learned” from the TJX break ins first announced a year ago today. To his five points listed below I would add a couple of observations.

- Breach disclosures don’t always affect revenue or stock prices …

- … but they can be costly

- PCI remains a work in progress

- The card payment process has issues

- The bad guys remain hard to catch

All great points. I would just point out two more of my own:

Reading the news can be very helpful. If those responsible for TJX’s security and compliance had had their eyes open they would have clued in to the attacks against Lowe’s and DSW and perhaps been able to avoid the credit card losses altogether.

TJX is becoming the poster child for how not to handle the PR around a data breach. Their management should come clean on the exact techniques that were used (with simultaneous assurances that the technical problems have been addressed). Was it WiFi? Was it kiosks in the back of the store? Was TJX aware of the breaches well over a year ago? If not how did law enforcement officials file briefs in a Florida court citing these breaches months before TJX’s announcement?

The TJX story is far from over. I just hope the rest of the retail industry is reading the media. Especially security blogs. :-)

December 19th, 2007

First prediction for 2008 to come true

Posted by Richard Stiennon @ 10:22 am

Categories: Security blog

Tags: Google Inc., Orkut.com, Social Networking, Online Communications, Marketing, Advertising & Promotion, Richard Stiennon

Google’s social network, Orkut, has been attacked by a worm that uses “scrap book” messages to propagate. Its only action is to spread and add Orkut members to a group called “infected by the Orkut virus,” according to this IDG news article.

From the blogger that is covering this, Kee Hinkley:

You get an email notification (or find out on Orkut) that you have a new scrapbook entry. It’s from a friend. It says.

2008 vem ai… que ele comece mto bem para vc

There’s no need to click on anything, just viewing it does the trick. The scrap deletes itself, and adds you to the Orkut Community “Infectados pelo Vírus do Orkut”. That group, as I write this, is gaining members at a rate of at least one hundred per minute.

Let’s see, those were my first and second predictions for 2008: that social networks will be attacked. Luckily this attack took the form of a benign hack to demonstrate a vulnerability (much more effective than publishing a Top Ten Threats list!).

More to come, of course…

Update 13:30 Pacific. More technical details of the Orkut virus here.

November 7th, 2007

Phishing attacks against salesforce.com the least of their worries

Posted by Richard Stiennon @ 10:25 am

Categories: CyberCrime, Data Security, Security, Security blog

Tags: Vulnerability, Phishing, Cyberthreats, Spam, Security, Viruses And Worms, Spam And Phishing, Richard Stiennon

David Berlind comments in his blog about recent successful phishing attacks against Salesforce.com employees and customers. He points out that as SFDC approaches one million users it is being honored with the attention of phishers. As I start to work on my 2008 predictions I have been thinking about the various “application platforms” and their vulnerability to hacks from a malicious application provider.

I think applications running on these new platforms will be as fraught with bugs as any applications and that hackers will use vulnerabilities to steal information. The risk with SFDC is that the 700+ applications available in the AppExchange quite often have access to a company’s most critical data store: its customer database which includes revenue, and pipeline information. Scary.

August 13th, 2007

Where is security going?

Posted by Richard Stiennon @ 4:39 pm

Categories: Compliance, CyberCrime, Secure Network Fabric, Security Industry News, Security blog

Tags: Security, Firewall, Router, Richard Stiennon

Or more specifically, where is the security industry going? When faced with this question Rothman’s and Newby’s security blogs read like the ramblings of ecclesiastical old men who are tired of their own industries. Maybe they are too close to it to scent the excitement?

First of all there are huge changes looming in the security industry. You won’t catch me writing about them as often as I used to because it is hard to be viewed as objective when you work for a security vendor. But let me chime in on this topic.

Change in the security space is, as always, driven by threats. The threats are growing on the criminal as well as state sponsored fronts. What does that mean for the industry?

First, Rothman and a slew of other analysts are right when they say security will have to be embedded everywhere. But what does that mean? What is “everywhere”? Quite simply it means in switches, routers, servers, desktops, cell phones and all devices. So to see change you might have to look beyond the ten or so publicly traded pure plays in security. What are IBM, EMC, HP up to for instance? It will not be long before secure phones, secure routers, secure computers start to show up on the scene.

The trends will be hard to measure because when a $10 billion router vendor adds firewalling to their routers it may not even be picked up on by the research community. When does a router cross over into being a security device? When does an ACL (access control list) become a firewall policy? Look for network deployments *without* firewalls behind the routers and you will start to see this trend in action.

Other areas of excitement include behavior based transaction monitoring, video surveillance, and yes Denial of Service Defense.

And don’t forget to check out the surge in what I would have to call Managed Security Services 2.0: security in the cloud. If 1.0 was event monitoring and reporting à la Counterpane, Riptech, and Guardent, 2.0 is a collection of services built around anti-spam, anti-virus, web content filtering and IPS as well as firewall/VPN and network management. There are hundreds of companies jumping into this space. I see managed services and in-the-cloud services as the hottest growing area in all of security.

August 3rd, 2007

China's golden cyber shield? Not.

Posted by Richard Stiennon @ 2:24 pm

Categories: CyberCrime, Data Security, Security, Security blog, State Sponsored Hacking

Tags: China, Richard Stiennon

On my recent travels in China I had an opportunity to experience first-hand China’s so-called “Golden Wall”. In each hotel I would try to get to several sites. For some reason this security blog is censored throughout China. How does that make you feel Mr. Hoff? And a Google search on “Tibet” will have the usual results but you cannot click through to any of the links on the first page of results. I did not search on Falun Gong for fear of really setting off the alarms and reprisals. Next time I think I will set up GoToMyPC at home and use it as a poor man’s proxy.

There is a good article at Forbes.com that postulates that China’s control over Internet access will be a benefit if they ever go to cyber war. I find myself agreeing with Schneier and Ranum when they say “not likely”. While the Chinese government might have a pretty good stranglehold on freedom of expression, the network is still full of holes, ones that are easy enough to punch through.

On the eventuality of cyber war with China the article says:

The first shots may have already been fired: In August and September 2006, Chinese computers penetrated the State Department and the U.S. Department of Commerce’s Bureau of Industry and Security. The attack, known as “Titan Rain,” forced the government to replace hundreds of computers and take others offline for a month.

All this talk of cyber war makes one think that the US has a command and control center somewhere where they are monitoring and responding to malicious forays from nation states. You wish. At least from funding levels that have been made public the US is not prepared to defend itself in the event of a cyber attack. Scenes from Die Hard 4.0 that showed the FBI’s SOC (Secure Operations Center) are pure fiction today.

July 26th, 2007

Threat hierarchy: experimental hacking

Posted by Richard Stiennon @ 12:20 pm

Categories: CyberCrime, Security, Security blog, Stupid Criminal stories

Tags: Password, Hacking, Network, Richard Stiennon

There are five levels of threats. In the next few days I will walk through each of the levels, starting with the lowest level: experimental hacking. (I will be in Reykjavik for most of next week where I assume I will have no trouble getting online but you never know.)

Experimental hacking has been with us since the first days of computers and networks. Can you remember using gopher or Archie to “surf the net”? If you found a US Air Force server in Antarctica you tried to login regardless of what the warning page said. Some other examples of experimental hacking include:

- URL editing. Ever see something like “SID=01459” in the URL window of your browser when you were logged in to a site? Just change that Session ID to a lower number and you are logged in as another user! A malicious experimenter would then browse to the “preferences” page and change that person’s password. This is called session hijacking.

- Network neighborhood browsing. Thank you Microsoft for making the internal network so visible! Thought experiment: put a server on your corporate network called “Payroll”. Put a document in an open file share called “salaries.doc”. How long will it be before everyone in the organization is aware of the contents of that document?

- Password guessing. This is so easy. In way too many instances users choose the word “password” as their password. Try it next time you get a 419 type scam from a Yahoo email address. Log into the sender’s Yahoo account. Do your vigilante duty and change their password to Jn&756c/?>.

Even though experimental hacking is the lowest level in the threat hierarchy that does not imply that you do not have to guard against it. You have to design your applications and networks to prevent any possibility of someone using tried and true techniques to get in. Are you still using telnet and anonymous ftp? Is your firewall set to allow all higher level ports? Do you use sequential session IDs? Fix those and meanwhile you can start worrying about the next threat: Vandalism.
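The sequential session ID weakness described above, put beside an unpredictable generator and a small audit check a defender can run over a sample of issued IDs. This is an added example, not code from the original post: the two store classes, the counter starting at 1459 (echoing the SID=01459 in the post), and the 0.8 "sequential" threshold are constructed for illustration.

```python
import secrets


class SequentialSessionStore:
    """Constructed toy server with the weak design the post warns about:
    session IDs come from a counter, so a logged-in user can reach a
    neighbour's session just by lowering the number in the URL."""

    def __init__(self, start=1459):  # start value is an illustrative assumption
        self._next = start
        self.sessions = {}

    def issue(self, username):
        sid = f"{self._next:05d}"
        self._next += 1
        self.sessions[sid] = username
        return sid

    def lookup(self, sid):
        return self.sessions.get(sid)


class RandomSessionStore:
    """Hardened design: IDs come from the OS CSPRNG via the secrets module.
    token_urlsafe(32) yields 256 random bits, far above the 128-bit floor
    usually recommended, so guessing a live ID is infeasible."""

    def __init__(self):
        self.sessions = {}

    def issue(self, username):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def lookup(self, sid):
        return self.sessions.get(sid)


def neighbour_guess(sid):
    """The 'change SID to a lower number' experiment from the post, used here
    only to show why the counter-based store fails. Non-numeric IDs (the
    random store) return None: there is no neighbour to step to."""
    if not sid.isdigit():
        return None
    return f"{int(sid) - 1:0{len(sid)}d}"


def looks_sequential(ids, threshold=0.8):
    """Audit check: given IDs in the order they were issued, report whether
    most consecutive pairs are numeric and differ by exactly 1. A generator
    that trips this check is predictable and should be replaced."""
    pairs = list(zip(ids, ids[1:]))
    if not pairs:
        return False
    hits = sum(
        1 for a, b in pairs
        if a.isdigit() and b.isdigit() and int(b) - int(a) == 1
    )
    return hits / len(pairs) >= threshold


def audit_store(store_cls, users):
    """Issue one session per user and return (ids, is_sequential)."""
    store = store_cls()
    ids = [store.issue(u) for u in users]
    return ids, looks_sequential(ids)


if __name__ == "__main__":
    users = [f"user{i}" for i in range(10)]
    for cls in (SequentialSessionStore, RandomSessionStore):
        ids, flagged = audit_store(cls, users)
        print(f"{cls.__name__}: first id {ids[0]!r}, sequential={flagged}")
```

The audit check is deliberately crude; a real review would also look at ID length and character set, but the counter-versus-CSPRNG contrast is what the "Do you use sequential session IDs?" question is about.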

July 24th, 2007

Espionage on the rise

Posted by Richard Stiennon @ 6:23 am

Categories: Security, Security blog, State Sponsored Hacking

Tags: Australia, Espionage, Richard Stiennon

Espionage is evidently a growth industry once again. An article in The Australian reports that the number of Russian and Chinese spies in Australia is approaching the level it was at during the Cold War. Australia is trying to build out its counter-espionage capabilities. I wonder if there are any modern innovations to tradecraft? Encrypted USB thumb drives instead of microdots?

The growing Russian threat comes on top of an even larger rise in the number of Chinese agents operating in Australia in recent years, as a booming economy and record defence spending provide a wealth of new opportunities for traditional espionage.

Russia is obviously doing a lot of saber-rattling lately: expelling British diplomats in a classic tit-for-tat over the murder of a British citizen and ex-KGB operative, Alexander Litvinenko.

The upside of all of this is that maybe John le Carré will start writing spy novels again instead of fantasies about drug companies (The Constant Gardener) and Bush conspiracies (Absolute Friends).

May 16th, 2007

$10 million to fight cyber crime

Posted by Richard Stiennon @ 11:36 am

Categories: CyberCrime, Security blog

Tags: Crime, U.S. Secret Service, Richard Stiennon

Lawmakers in Washington introduced a bill Monday called the “Cyber-Security Enhancement Act of 2007”. Brian Krebs gives it good coverage. The bill would make additional funds available to the Secret Service, which is responsible for handling credit card theft in addition to its bodyguard duties, as well as the Justice Department and FBI. The $10 million for each department is way too little money to be effective if it is spread around the hundreds of FBI, Secret Service and AJ offices. But, if it is concentrated in hiring a few good investigators it could have a big payback in terms of thwarted crimes.

In the meantime the real payback will come from international cooperation between law enforcement agencies. The G8 countries actually began talking amongst their respective cyber crime units in 1997. Unfortunately it appears that cyber crime and high tech crime cooperation got derailed post 9/11 when the Lyon group that meets three times a year added terrorism to their purview. Either the G8 nations are very secretive about their levels of cooperation or, as I suspect, they are not doing much to further the fight against cyber criminals.

The new law, if passed, is going to help somewhat by beefing up definitions and penalties and even the additional allocations will have positive results. But cyber crime does not recognize national boundaries. We will not be able to combat cyber crime until jurisdictional barriers are brought down.

May 2nd, 2007

Wow, the security industry is consolidating!

Posted by Richard Stiennon @ 9:16 am

Categories: Data Security, Security, Security Industry News, Security blog

Tags: Security, Consolidation, Industry, Websense Inc., Richard Stiennon

All right, I'll be the first to admit it - Websense acquiring a competitor, SurfControl, is indeed industry consolidation. The news broke last week and, as could be expected, it was labeled "security sector consolidation". I am somewhat constrained from commenting on industry matters now that I am not an independent analyst. But, because I have been ranting for years that the industry was *not* consolidating, I must chime in. (See previous blog postings here, here, here, here, here, here, here and this column here).

This event is so unusual that it deserves to be highlighted. It is just about the only industry consolidation move since Secure bought CyberGuard. All of the big acquisitions in the last two years have been of two types. The first is when a security company buys into a developing sector to round out its portfolio. McAfee buying Onigma and Websense buying PortAuthority to get into the nascent leak prevention space are great examples. Check Point buying Pointsec is another good example. The other type is when a big infrastructure company buys a security player to add security cred to its brand. EMC+RSA and IBM+ISS are the prime examples.

But consolidation is different. To see signs of that you have to look for companies in the same space, competitors, that get bought up. If consolidation were the game of the day you would see well funded roll-ups occurring. Some private equity group would decide they wanted to own the SMB appliance space and buy up Watchguard, Sonicwall, Borderware and Barracuda. This is not happening and I doubt it will. The risks from disruptive innovation are too great. This type of merger activity does not make sense until the day that the threats stop changing. And that day is a long way off.

So what about Websense and SurfControl? This is consolidation pure and simple. It creates a much bigger Websense with a bigger footprint, more customers, and more products. So maybe it is time for the industry to consolidate. But contrary to Art Coviello's prediction this past February that there would be no stand-alone security players by 2010, I believe that three years from now there will still be a handful of large security companies, about 2,000 point product companies, and yes, most large IT infrastructure companies will finally have security components in their offerings. In other words, there will still be work for security industry analysts!

Disclosure: I work for Fortinet, Inc., a competitor to every company mentioned in this post.

Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.
