From the monthly archives:

July 2009

Following up their bleeding-edge research on BIOS-resident malware at CanSecWest, the ultra-smart guys (Alfredo and Sacco) from CoreSecurity have disclosed a significant issue with the laptop recovery software LoJack.

I have debated the effectiveness of laptop recovery software many times, arguing that its cost does not justify the recovery of the hard asset (how much is the laptop hardware worth versus the cost of recovery?).

But now this is even worse: by having this BIOS-resident software installed (or pre-installed, in an estimated 60% of new laptops from Lenovo, HD, Gateway, Dell and Toshiba), there is a significant exposure to having the LoJack software modified by someone malicious. Compounding this issue is the fact that the software is already white-listed by anti-virus vendors, meaning there would be no way to prevent or detect such a modification.

It's a bit ironic when security software exposes its paying users to much more risk than it addresses. "Get it. And get it back - twice as bad."

{ Comments on this entry are closed }

DEFCON-Day 1: July 31

by Jason on July 31, 2009

in SBN

DEFCON – Las Vegas – Riviera

If all goes well, I’m sitting in on these talks Friday.

10:00-10:50 Track 2
Perspective of the DoD CSO
Robert Lentz

11:00-11:20 Track 2
Asymmetric Defense: How to Fight Off the NSA Red Team with Five People or Less
Efstratios L. Gavas

11:30-12:20 Track 1
Q & A with Bruce Schneier

13:00-13:50 Track 3
Hacking WITH the iPod Touch
Thomas Wilhelm

14:00-15:50 Track 4
Defcon Security Jam 2: The Fails Keep on Coming
David Mortman, Rsnake, Maynor, etc
@mortman @rsnake @donicer

16:00-16:50 Track 2
Three Point Oh
Johnny Long
@ihackstuff

17:00-17:50 Track 3
BitTorrent Hacks
Michael Brooks and David Aslanian

18:30-19:20 Track 1
Something about Network Security
Dan Kaminsky
@dakami

{ Comments on this entry are closed }

43-year-old "UFO eccentric" hacker Gary McKinnon has just lost his appeal against extradition to the States for computer crimes he committed 7 years ago.

If you've lived under a rock for the last few years: what this dude did was basically break into .gov computers looking for UFO-related material.

Probably the last case of recreational hacking I’ve heard about.

So his case is obviously going to be a classic "Strike one to educate one hundred" kind of message to every hacker attacking American computer systems: we can reach you wherever you live and have you extradited to our country, where we will sentence you to life in prison.

Unless you are a multi-millionaire cyber criminal living in Russia or a Chinese spy, of course.


{ Comments on this entry are closed }

I'll leave it up to you to figure out who's who [I'm the one with the 'good' accent], but Craig Balding from Cloudsecurity.org and I have teamed up to host a regularly-scheduled (whatever that means) podcast on Cloud Security.

It’s called…wait for it…

The Cloud Security Podcast.

You can find it, and the show notes of our very first (and dodgy) version right here, homed at libsyn. We’ll stick it on iTunes shortly.

We had issues with drop-out over Skype, so I apologize for the annoyances there.

This (last) week’s coverage focused on:

  • What we mean by Cloud Computing?
  • Upcoming Cloud Security Events/Talks
  • Clouds News: Cloud FUD
  • Need to get past the FUD, how can you shape Cloud security today?
  • Non security specific Cloud linkage

Please do comment on our performance.

/Hoff & Craig


{ Comments on this entry are closed }

Survey Says… IT Managers Concerned About LAN Sprawl

by ConSentry Team on July 30, 2009

in SBN

By Rod Kay

Knowing what’s happening on the LAN, much less controlling it,  is becoming quite complex.  We hear concerns about managing access rights and other control issues all the time from our customers, across every industry, and the message is always the same. With the rapid increase in the number and types of users, applications and devices on LANs today, IT managers are losing visibility and control at an alarming rate.  To better understand this situation, and to get from anecdote to real data, we commissioned Loudhouse, an independent research consultancy, to interview IT decision makers in both the US and UK on these issues.

Loudhouse asked respondents to consider how their LAN had grown over the last two years and about anticipated growth over the next two years.  A key finding is that LANs have grown at fairly consistent rates across a wide range of axes and are expected to maintain this multi-dimensional growth over the next two years. Loudhouse calls this multi-dimensional growth “LAN Sprawl” – the combined effect of more and different types of users, applications, and devices and their inter-dependencies. Cross-functional users, third-parties, more diverse applications, and corporate, personal, and non-user IP devices are all in the mix, contributing to LAN Sprawl.

For IT organizations being asked to do more with less, this sprawl has become quite a problem. The video below provides survey results on the LAN Sprawl issue and some of the concerns IT has in dealing with this situation. If you’re having trouble viewing this video or text, click here for a larger slideshow with the full results.

We'd love to hear from you on this topic: are you feeling the effects of LAN sprawl? What steps are you taking to regain control?

The survey, conducted in June 2009, is based on 200 interviews with IT decision makers from mid-size (250+ employees) to large enterprises (1000+ employees) across the US (100) and UK (100) regions.

Key Findings: LAN Sprawl Growth

1. 30% average growth in LAN size from 2007-2011 (average across all areas of growth)
2. The largest areas of growth in the network overall over the last two years are:
   * Number of applications (16.8%)
   * Smart/mobile devices (16.6%)
   * Remote working employees (16.6%)
3. The greatest area of risk for UK respondents: ability to control access in remote locations (50%)
4. The greatest risk for US respondents: inability to enforce appropriate usage policies (40%)

Key Findings: Resources and Growth

1. The greatest areas of growth are increases in:
   * Approved business applications
   * Number of applications supported by the network
   * Smart/mobile devices
   * Remote working employees
2. Over the next two years, 55% of US companies and 44% of UK companies expect greater growth
   * The largest growers are also more likely to increase the pace of LAN growth
3. However, only 42% of businesses have sufficient investment for IT to support their business goals
   * 37% say that staffing levels have increased to support LAN growth

{ Comments on this entry are closed }

Free silent business audit and forensic analysis

by Amir Khawaja on July 30, 2009

in SBN

Last week we announced an exciting new offer for all businesses in the US - a free silent business audit with forensic analysis.

This service will help network administrators understand how well their current security products are working, improving network security and employee productivity. The silent business audit and forensic analysis will accomplish this by sitting behind an organization's normal firewall and monitoring spam, malware and Internet usage trends to determine what is getting by the firewall and spam filters.

At the end of the 14-day audit period, Astaro will provide the organization with a report detailing what malware passed through the firewall. As an added bonus, the appliance will also block the transfer of any malware and spyware that makes it past the normal web filter, to avoid the spread of infections. To register for a silent business audit and forensic analysis click here.



{ Comments on this entry are closed }

Dark Reading published an article titled "Booming Underground Economy Makes Spam A Hot Commodity, Expert Says" regarding the ease of using botnets for spam activity and how this makes spamming profitable.

Some of the more startling statistics show that "For about $10, [a spammer] can send a million emails". Even if 2 people order a product that they are selling for $10, that's a 100% profit over the cost of the use of the botnet. Assuming the actual production of the product is cheap enough, that's a good margin.

How are botnets so inexpensive, though? And why are there so many available? If you look at Commtouch's Malware Outbreak Center you will notice that the vast majority of detected malware seems to be botnet downloaders. Gone are the times when malware consisted of cute "look what I can do" code; we are now in the time of real revenue-generating malware. All a botnet "commander" needs to do is create the code, send it out and let it propagate through the Internet. Eventually there will be enough zombie hosts to really make money.

The strategies in use now should provide a good-enough deterrent to spammers, but there are simply not enough people using current protections. So long as host-based malware detection is in use, and network-based protections such as IDS/IPS, malware scanning and firewalling are in use, the number of zombies on the Internet will be reduced enough that spamming will not be profitable. Then we can look at our inboxes with confidence. We haven't reached that point yet, because there simply aren't enough people using adequate controls on network traffic.

According to Commtouch again, zombies are not as common in the Western world as in developing nations. Unfortunately for the Western world, we feel the effects of others' lack of controls. Judging from all of this information, all the world needs to do in order to stop spam is make sure we are using currently available controls for our networks. This will make spamming unprofitable and make spammers use their tricks for other means. Until that day, the back-and-forth between spam and anti-spam will continue.



{ Comments on this entry are closed }

A Conversation on "Health Information Technology"

by Tim Cronin on July 30, 2009

in SBN

On Sunday, the Boston Globe printed a portion of a letter to the editor I sent regarding one of the paper's articles. The opinion piece discussed the mandating of electronic health records and the importance of security for such records. Below is the complete letter.

One of the hot-button issues facing the country today is healthcare reform. President Obama has identified widespread electronic medical records as a major benchmark towards achieving the goal of affordable health coverage for all. Scott Kirsner did an excellent job describing some of the technologies Massachusetts companies are creating that will make universal electronic health records possible in his article State helping to shape US efforts to digitize health records for all.

The article neglected to examine the network security concerns of such a system. One may say "Moving medical records online will mean less privacy for everybody." In reality less privacy is not an issue if proper security is in place. Therefore, moving medical records to electronic storage will increase the need to secure networks. The truth is that records are no less secure when stored electronically, as long as the network is secure. In fact, there are gains in privacy. The biggest risk involved is that making all records electronic does allow a person to attempt to gather information remotely by compromising a network. As long as medical facilities deploy network security technologies and maintain them, this should not be a widespread problem.

With paper records, someone who wanted to steal medical information could be successful, but would need to get hold of a physical copy of the record. This means that an attacker would need to take a risk and go to the location of the records storage. Paper records also pose a risk to patient privacy, as medical staff bring records home with them so they can work outside of the hospital. Recently, an employee at a Boston hospital accidentally left records on the "T". If the records were accessible electronically through a secure network connection, this wouldn't have happened.

Electronic medical record keeping also provides for a more secure data backup process. Hospitals using electronic records will need redundant hard drives, servers, data storage and other important infrastructure to ensure medical information is never lost. With all those backups, many fear that it will be easier to gain unauthorized access to patient information. In actuality, the electronic backups will be easier to secure than the current system of paper charts. Currently paper records are sent to storage vendors and the vendor's employees have access to the information in clear text.

The best security that you can provide without destroying the information is to send the charts in a locked receptacle. In an electronic system, data can be encrypted and stored at vendors' facilities without fear that the vendor will be able to read the data. This improves on the locked receptacle: you can lock the storage medium in a case, and then, if that case is compromised, you still have the data in an illegible form. You can also deploy hashing functions to ensure that no data is tampered with. To address one of the biggest fears, properly deployed medical networks will not send information in a manner that is easy for someone to simply capture. With electronic medical records, you will need to make sure that there is no path for the records to be sent over the open Internet. Instead, records should be sent over secured VPN networks specifically designed to protect this information.
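The letter's "hashing functions to ensure that no data is tampered with" carry one caveat worth showing: a plain hash stored beside the record at the vendor can simply be recomputed by whoever alters the record, so the hash has to be keyed with a key the vendor never holds (or kept back at the hospital). Added example, not the letter's own code; the record, key and vendor behaviour are constructed:

```python
"""Integrity tags for records stored at a third-party vendor.
Added example, not code from the original letter; the record and key are
constructed values (a real key would be held by the hospital, never the vendor)."""
import hashlib
import hmac

SAMPLE_RECORD = b"patient:0001;dx:example;visit:2009-07-30"   # constructed
HOSPITAL_KEY = b"constructed-demo-key-do-not-reuse"            # constructed

def unkeyed_digest(record):
    """A plain hashing function (SHA-256). Anyone who can write the record
    can also write a fresh digest for it."""
    return hashlib.sha256(record).hexdigest()

def tag_record(key, record):
    """Keyed tag (HMAC-SHA256): only a holder of `key` can produce a valid
    tag, so a vendor who alters a record cannot re-tag the altered copy."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()

def verify_record(key, record, tag):
    """Constant-time comparison, so checking a tag does not leak how many
    leading bytes of a wrong tag were right."""
    return hmac.compare_digest(tag_record(key, record), tag)

def vendor_modifies(record):
    """Models a party with write access at the storage vendor altering the
    stored record and recomputing the unkeyed digest kept beside it."""
    altered = record.replace(b"dx:example", b"dx:altered")
    return altered, unkeyed_digest(altered)

def unkeyed_check_passes_after_tampering():
    """The unkeyed digest stored with the data is silently 'valid' again."""
    altered, stored_digest = vendor_modifies(SAMPLE_RECORD)
    return unkeyed_digest(altered) == stored_digest

def keyed_check_fails_after_tampering():
    """The HMAC computed when the record left the hospital no longer matches."""
    tag = tag_record(HOSPITAL_KEY, SAMPLE_RECORD)
    altered, _ = vendor_modifies(SAMPLE_RECORD)
    return not verify_record(HOSPITAL_KEY, altered, tag)
```

Encryption of the record for confidentiality is a separate step; the HMAC here only answers the tampering question the letter raises.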

Nobody should have access to the network who does not need access. Congress has already acted to ensure that this guideline is followed, through the HIPAA and HITECH acts. However, these acts stop short of dictating security standards and focus on the penalties if a record is compromised. Creating an electronic medical records system will benefit the healthcare system in America in many ways, including increasing the security of medical records. However, if the country is to move towards mandating electronic medical records, then Congress should create additional acts establishing security standards.



{ Comments on this entry are closed }

How to protect your network from cyber-attacks

by Tim Cronin on July 30, 2009

in SBN

There are three measures network administrators can take to avoid the types of network attacks that plagued US and South Korean websites including www.whitehouse.gov, NASDAQ, NYSE, Yahoo!'s financial page and the Washington Post. The three areas to focus on are network-based mitigation, host-based mitigation and proactive measures.

Network-based mitigation:

  • Install an IDS/IPS with the ability to track floods (such as SYN, ICMP etc.).
  • Install a firewall that has the ability to drop packets rather than let them reach the internal server. The nature of a web server is such that you will allow HTTP to the server from the Internet, so you will need to monitor your server to know where to block traffic.
  • Have contact numbers for your ISP's Emergency Management Team (or Response Team, or whichever team is able to respond to such an event). You will need to contact them in order to prevent the attack from reaching your network's perimeter in the first place.
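As an added example (not part of the original post), this is the kind of flood tracking the first bullet asks of an IDS: a sliding-window count, per source, of SYNs that were never followed by an ACK from that source, run over a constructed packet list. The addresses, timestamps, window and threshold are all made-up values.

```python
"""Sliding-window SYN-flood tracker over constructed packet records.
Added example, not code from the original post; all addresses, timestamps
and the threshold are constructed values."""
from collections import defaultdict, deque

# Constructed sample, not a real capture: (timestamp_s, src_ip, tcp_flags)
# for packets arriving from clients at the web server.
SAMPLE_PACKETS = [
    (0.00, "198.51.100.7", "S"),   # a normal client: SYN ...
    (0.05, "198.51.100.7", "A"),   # ... completes the handshake
    (0.10, "198.51.100.7", "PA"),  # ... then sends its HTTP request
] + [
    # one source firing SYNs only, never completing a handshake
    (0.20 + i * 0.01, "203.0.113.9", "S") for i in range(60)
]

def detect_syn_floods(packets, window_s=1.0, syn_threshold=50):
    """Return {src_ip: peak_half_open} for every source whose number of
    half-open SYNs (SYN seen, no later ACK from the same source) exceeds
    syn_threshold within any sliding window of window_s seconds."""
    half_open = defaultdict(deque)   # src -> timestamps of unanswered SYNs
    alerts = {}
    for ts, src, flags in sorted(packets):
        pending = half_open[src]
        # expire SYNs that fell out of the window before counting anything
        while pending and ts - pending[0] > window_s:
            pending.popleft()
        if "A" in flags:
            # an ACK from this source retires its oldest pending SYN:
            # real clients finish handshakes, flood sources do not
            if pending:
                pending.popleft()
        elif "S" in flags:
            pending.append(ts)
            if len(pending) > syn_threshold:
                alerts[src] = max(alerts.get(src, 0), len(pending))
    return alerts

if __name__ == "__main__":
    print(detect_syn_floods(SAMPLE_PACKETS))   # {'203.0.113.9': 60}
```

A real IDS would key on destination port and spoofed-source patterns as well; the point here is that the signal is the half-open count per window, not the raw SYN rate.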

Host-based mitigation:

  • Ensure that open HTTP sessions time out after a reasonable time. When under attack, you will want to reduce this number.
  • Ensure that TCP connections also time out after a reasonable time.
  • Install a host-based firewall to prevent HTTP threads from being spawned for attack packets.

Proactive measures:
For those with the know-how, it would be possible to "fight back" with programs that can neutralize the threat. This method is used mostly by networks that are under constant attack such as government sites.



{ Comments on this entry are closed }

Astaro Receives VMware Ready Certifications

by Amir Khawaja on July 30, 2009

in SBN

Astaro earned multiple VMware Ready™ certifications for its security products.

Astaro Security Gateway, Astaro Mail Gateway and Astaro Web Gateway have all been certified as VMware Ready, and Astaro is the only Unified Threat Management provider to have submitted to and passed VMware Ready validation. For more information, check out the press release here.



{ Comments on this entry are closed }