Monday, December 31, 2007

Bots never sleep, even on the night before Christmas.

After a long hiatus, I’m back. Christmas was great, and New Year’s is upon us. The forces of evil have been busy, and, of course, they never take a vacation or a holiday. So, let’s see what’s been going on…

From PC World: Hackers Launch Major Attack on US Military Labs. Seems like Oak Ridge and Los Alamos are constant targets, and it shouldn’t surprise anyone that someone succeeded in getting through.

http://www.pcworld.com/article/id,140390-c,hackers/article.html

From SearchSecurity.com, the use of botnets to produce spam. 61% of all email is spam? 90% of all mail emanating from some countries is spam? That’s crazy! A brief primer on becoming part of the solution rather than part of the problem.

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1277099,00.html?track=sy260&asrc=RSS_RSS-10_260

BankInfoSecurity.com has the 10 most important security stories in finance in 2007. The folks at TJX are there, of course, with their data breach now estimated at 100 million credit card numbers and related information. New guidelines and regulations made the list as well.

http://www.bankinfosecurity.com/articles.php?art_id=660&pg=4

What a surprise! CIO Magazine writes that insider threats still remain a security problem. Do ya’ think? 35% of employees report circumventing company security policies just to get their job done… that’s a problem on a couple of levels.

http://www.cio.com/article/164552/Survey_Says_Insider_Threat_Remains_a_Serious_Security_Problem

A couple of very solid articles from SCMagazine will end this final post of 2007. The first is eight “New Year’s Resolutions” that one should make to ensure information security in the coming year.

http://www.scmagazineus.com/Eight-New-Years-security-resolutions-for-2008/article/100045/

The second covers a guide from Microsoft designed to help Office administrators secure Word, Excel and PowerPoint.

http://www.scmagazineus.com/Hot-or-not-Office-productivity-applications/article/99593/

Wednesday, November 14, 2007

Sorry for the long absence...

Been very busy with paying customers, which is nice. But, as you know, time marches on. Hey, yesterday I got one of those scam checks in the mail. It looked like a check from Black and Decker. They did a nice job on the check but they should have taken a second and run spell check on the accompanying letter. I can see how others, especially senior citizens, could be tricked.

Anyway, will wonders never cease? cio.com reports a researcher estimates that there are 500,000 database servers on the net that do not have a firewall in front of them. And wait, that's not all: many of them are unpatched as well as unprotected. Morons.

http://www.cio.com/article/154701/Researcher_Half_a_Million_Database_Servers_Have_No_Firewall


SC Magazine has an interesting article on the hype surrounding PCI compliance. Many companies treat PCI compliance as the lowest common denominator, while others use it as the rallying point to make their company secure as well as compliant.

http://www.scmagazineus.com/Avoid-the-PCI-hype-but-use-the-standard-as-a-rallying-point/article/58010/

Finally tonight, again from cio.com, comes an analysis of laptop value. The average value of a laptop with important information is over $500,000. Even laptops that contain just personal data have a value over $300,000. Yet most companies have no policy protecting data in transit on a laptop. Scary!

http://www.cio.com/article/153900/Lax_Laptop_Security_Can_Be_Dangerous...and_Expensive

Saturday, October 13, 2007

How ya' doin' tonight?

According to IDGNET.com via Computerworld, Commerce Bank, N.A. suffered a website-related breach and recovered quickly. Hackers used a technique called SQL injection to reach the back-end database.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9041879&source=rss_topic82

From The National Law Journal via law.com, new e-discovery rules at the state level are coming. Several states have them on the books and others are debating. This should provide some guidelines, along a wide spectrum ranging from reasonable to completely insane, for retention of electronic documents.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9041879&source=rss_topic82

Now undoubtedly there is more to this than is discussed here in Computerworld, but no matter what else is there and unknown, this is troubling. A student found confidential information on a college's publicly accessible server and brought it to the school paper and to the attention of the college. The paper wrote an article about the issue – without revealing any of the information – and the school went after the paper, the student and the adult adviser. What a confusing time for whistle-blowers.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9042098&pageNumber=1

Dark Reading editor Tim Wilson brings up a number of very good points in his article Hackers Prey on User Weaknesses. He contends the innate human desire to communicate and be accepted in a social context is being exploited in many hacking efforts and that this cannot be mitigated through technical means alone. There has been at least one previous post on this blog about the need to watch employees and staff for suspicious behavior. Consider yourself warned.

http://www.darkreading.com/document.asp?doc_id=136090&f_src=drweekly

Morningstar News has a very interesting quote: “’The most effective ways to become more secure while reducing security spending are to avoid vulnerabilities — to ensure that security is a top requirement for every new application, process or product, whether built in-house or acquired from a vendor,’ said Ray Wagner, managing vice president for Gartner.” Gartner goes on to say there is no correlation between those enterprises that spend the most money and those that are most secure.

http://news.morningstar.com/news/ViewNews.asp?article=/BW/20071008005946_univ.xml

As if you did not know that you need a good Intrusion Prevention System (IPS), word from Secureworks.com should confirm the obvious. It seems this managed security services provider is tracking a significant increase in attacks on utilities. Most of these attacks are being mitigated by well-monitored IPSs.

http://www.secureworks.com/media/press_releases/20071005-utilitiesincrease

I have a bunch of other articles, but I’m going to close up now and get these in… coming soon… the danger of internal attacks!

Sunday, September 30, 2007

Finishing up the Month

You know how much I love the fallout from the data breach at TJX. Here is more info on the sheer arrogance of the company. The new report out of Canada states: "... Canada's Privacy Commissioner, Jennifer Stoddart, blasted the parent of the TJ Maxx, Marshalls and A.J. Wright chain of stores, for failing to protect its customers. "The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it—putting the privacy of millions of its customers at risk," Stoddart said in releasing the report." Why aren't heads rolling here? From Baseline Magazine:

http://www.baselinemag.com/article2/0,1397,2188613,00.asp?kc=BARSS03129TX1K0000628

Good news for consumers from CNN, Equifax Fraud Solutions Help Businesses Win the Fight Against Fraud.

http://money.cnn.com/news/newsfeeds/articles/prnewswire/CLW08726092007-1.htm

IT News, Australia, has an interesting article based on a presentation by McAfee's president. The one item that sticks out is the acknowledgment that cybercrime is now a $105B business, bigger than the worldwide illegal drug trade.

http://www.itnews.com.au/News/61497,cyberthreats-outpace-security-measures-says-mcafee-ceo.aspx

Well, it had to happen at some point. I've seen this in a couple of places, but this is from vnunet.com... hacking tools are now for sale on eBay... how convenient!

http://www.vnunet.com/computing/news/2199102/hackers-training-sold-ebay

IT Security explains what it sees as The Top 10 Types of Cybercriminals. I'm not sure #5, Online Loan Sharks, is really accurate, but overall, it's a keeper.

http://www.itsecurity.com/features/top-10-cybercriminals-091007/

A more specific topic, but if you are in a manufacturing or other environment that employs SCADA (Supervisory Control and Data Acquisition), this is yet another wake-up call. SCADA, for those who do not use it, is used to control machine tools, robots, etc. SC Magazine relates a simulated event where a hacked SCADA device self-destructs. Cool!

http://www.scmagazineus.com/Video-shows-simulated-hacker-attack-on-electrical-grid/article/35872/

SC Mag also highlights the unique position of colleges and universities relative to the cascade of multiple regulations and compliance.

http://www.scmagazineus.com/Back-to-school-Compliance-in-higher-education/article/35684/

And, last but not least, ComputerWorld talks about creating a data-centric, as opposed to a device-centric, environment as the only real way to defend important information.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9038960&pageNumber=1

Onward to October!

Tuesday, September 18, 2007

posts from vacationland!

Excellent. Sunny Florida... taking some time to recharge... the villains never take vacation, though, so I continue my reading and posting, making what little contribution I can, regardless of how inviting the resort pool and the tray of gin and tonics may look.

In working with a prospect who is active in the database protection space I came across these two articles. Both emphasize the importance of protecting the corporate database itself, and perhaps paying at least as much attention to it as to reducing spam. This makes sense. An increasing number of exploits are coming from within companies, which circumvents perimeter defenses. And the corporate database most often represents the crown jewels of a company. Protecting the jewels from inside exploits is certainly worth additional discussion.

From eWeek:
Data Governance Rises to Top of Compliance Efforts
http://www.eweek.com/article2/0,1759,2055066,00.asp?kc=EWRSS05099TX1K0001011
From SC Magazine:
CISO, Talk to Your DBA: Barriers to Database Security
http://www.scmagazineus.com/CISO-talk-to-your-DBA-Barriers-to-database-security/article/35563/
From SearchSecurity.com, an article by Ed Skoudis on the potential threats to VoIP infrastructures. When Ed writes something, most people take note. As someone working at a company that does a lot of VoIP implementations, I suggest that, if you are considering such technology, you consider the content of Plentiful VoIP Exploits Demand Careful Consideration:

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1260359,00.html?track=sy320&asrc=RSS_RSS-10_320

Also from SearchSecurity.com, a similar thesis by John Burke is a little more detailed in the threat area, and perhaps a bit more unnerving:

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1260359,00.html?track=sy320&asrc=RSS_RSS-10_320

Enough for now... the beach beckons...

Friday, September 7, 2007

three strikes, and if you think toys with lead paint are all you have to worry about, think again

Wow... from Dark Reading, the sad, sad story of Pfizer's recent security debacle, Pfizer: Strike Three. Three major security breaches in three months, the latest the result of internal employee theft. My favorite quote: "A Pfizer spokesman called the breaches "three separate and distinct incidences" that bear no relationship to each other." Really. Are you out of your mind? Of course they are related -- they are related to a failure of leadership at the highest level in the area of FIXING their problems. Lay off the Viagra over there, and start thinking with your big head.

http://www.darkreading.com/document.asp?doc_id=133028&f_src=drweekly

On a positive note, from CIO.com, the German government is taking steps to prevent further hacking of its systems by China. Germany is working in conjunction with industry to protect government and infrastructure systems from attack. Excellent.

http://www.cio.com/article/135352/Germany_Aims_to_Protect_IT_Systems_With_Security_Plan

On the other hand, from FT.com: Chinese military hacked into Pentagon. OK, China is one of the world's largest and fastest growing economies. That counts for something. The fact that they own a sizable amount of the US debt is another. But holy crap, don't we draw the line somewhere here?

http://www.ft.com/cms/s/0/9dba9ba2-5a3b-11dc-9bcd-0000779fd2ac.html

From Dark Reading, a short entry that makes a couple of very good points. Firewalled: What Have You Got to Hide? 61% of companies surveyed have a data classification policy; most say it is rarely enforced and many say it is out of date. So, if you don't know what data is critical to your business, you try to protect everything. Very often that drives the price of a storage security/business continuance solution WAY up, which means you elect to protect nothing. This deserves greater consideration.

http://www.darkreading.com/blog.asp?blog_sectionid=327&doc_id=132867

Hope you've decided what's critical to a great weekend. I'll be putting up tomato sauce... about as low tech as you can get!

Friday, August 31, 2007

name and location change

The blog's name and location were just a little too close to an established publication, so it was best to change to something else.

The title is the punch line from a joke that I first heard years ago. The version I heard went something like this: there were two guys camping in the woods. Just after they had crawled into their sleeping bags and nodded off they were awakened by the sound of their campsite being torn apart, punctuated by the frightening roars of an irate and hungry wild animal. Through the tent they could see, cast by the light of the full moon, the shadow of a bear standing upright on its hind legs lumbering towards the tent.

As the bear's claws began ripping through the canvas the first guy throws off his sleeping bag and yells, "It's a bear, run for your life!" The second guy rolls out of his sleeping bag and calmly begins to put on his sneakers. The first guy says, "What are you doing? Are you crazy? Bears can run at 30 mph! Your sneakers won't help you run faster than the bear!" To which the second guy replies, "I don't have to run faster than the bear, I only have to run faster than you."

This is very much like the situation we have right now in the security realm. There are bears out there. Lots of bears. They run fast. They are hungry. And, very frankly, nothing you read here or anywhere will help you run faster than these bears. If they want to catch you, they eventually will.

It may sound heartless or defeatist or cynical, but the truth is we don't have to outrun these bears, either. We only have to outrun some of the other campers out here. We only have to make getting into our network or our applications or our website or our fileservers a little more difficult than the camper with the IP address adjacent to ours. We only have to make our authentication or our authorization or our access control just a little bit better than the guy who hasn't gotten out of his sleeping bag yet.

And, oh, yes... there is no shortage of campers who feel the same way about us.
Found this very sound advice in Consumer Reports about avoiding identity theft. The downloadable checklist is a nice touch, too.

http://www.consumerreports.org/cro/money/credit-loan/identity-theft/identity-theft-what-you-can-do-305/overview/index.htm

Wow. Talk about uncomfortable. German Chancellor Angela Merkel is visiting China. While she is there, word comes out that the Chinese have been hacking Deutschland's government computers. Chinese Premier Wen Jiabao said this was a grave concern, and that there was no connection between this incident and the new car from Chery QQ that looks remarkably like a BMW 745i.

From Spiegelonline:

http://www.spiegel.de/international/world/0,1518,502169,00.html

and Computerworld:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9032898&source=rss_news6

Wednesday, August 29, 2007

a day of contrasts

OK... so according to Bloomberg, the top 20 hedge fund managers made 22,255 times the average wage, bringing down $650 million each last year.

http://www.bloomberg.com/apps/news?pid=20601103&sid=a04iBUNutMDM&refer=us

Yikes!

On the other hand, today is the 2nd anniversary of Katrina hitting the Gulf Coast. This I'm a little better acquainted with than people making $650 million a year. Two years ago I was "between opportunities". In order to stop the hemorrhage of self pity that was slowly draining me, I decided to drive down to the Gulf Coast and see if I could help. I was blessed enough to go down to Mandeville, LA, twice, and it is something I will never forget. Pictures from those trips are here:

http://s28.photobucket.com/albums/c234/2daydrive/Louisiana%20Trip%20November%202005/

and here:

http://s28.photobucket.com/albums/c234/2daydrive/Louisiana%20Trip%20October%202005/

Now... on to our usual topics...

The Computer Security Institute has released the Computer Crime and Security Survey for 2006. The survey is conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad. Dark Reading has a summary of the survey here:

http://www.darkreading.com/document.asp?doc_id=99433&WT.svl=tease6_2

You can sign up with CSI and download the report here:

http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml
Searchsecurity.com has an interesting and insightful article on the use of employee profiling to prevent "inside jobs". It's really more of an admonition to PAY ATTENTION to employee behavior... to quote: "Assuming the employee passes the pre-hiring screening, don't ignore on-the-job warning signs. Some of these signs include belligerent, intimidating or threatening behavior toward co-workers, arrogance or being disgruntled over something in the office."

duh.

You might think it obvious, but it's not. There is a story (and I can vouch it is true) that an employer fired a disgruntled employee at 4pm, but the request to shut down the employee's systems access was not submitted until after the company help desk had closed for the day. Oops. The company "thought" there may have been some monkey business but they weren't sure. Right. The article is here:

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1250974,00.html?track=sy320&asrc=RSS_RSS-10_320

Oh, thank goodness for the ability to find humor in the mistakes of others.

Tuesday, August 28, 2007

Morning Musings

Well, just in case you thought that diseases in the virtual world might be an overwhelming problem, a new report from the World Health Organization cites 39 new pathogens since 1969 - a record number of new diseases that include SARS, HIV/AIDS and Ebola. Now if that doesn't get your blood pumping on a gorgeous Maryland morning, then you ain't livin', my friend. The New York Times has it here:

http://www.nytimes.com/2007/08/27/world/27disease.html?_r=1&oref=slogin
As if looking for a new job without your current boss finding out about it isn't stressful enough, word from Monster regarding 1.6 million stolen records might just ratchet that job-search stress up a notch or two. If you have ever used Monster or its ilk you have probably noticed that on its own it is a little spam factory. The more info you post about yourself the more penis enlargement/hot stock opportunities/foreign money laundering proposals you get. But this is really going to the next level, crime-wise. From Computerworld via CIO.com:

http://www.cio.com/article/131950/ID_Attack_Widens_With_._M_Records_Stolen_from_Monster.com/1

From business.timesonline.co.uk via Computer Crime Research Center comes information about an innovative program being deployed by banks in the UK in order to reduce on-line bank fraud. Many are making the investment in user tokens and "chip and pin at home" devices. I'm guessing they are talking about credit card readers designed to attach to home computers. Interesting read, especially since it's from the UK and the language is entertaining -- maybe not like watching Coupling on BBC America, but close.

http://www.crime-research.org/analytics/Internet-banking-security/

I had the opportunity to see Johnny Long present at ShmooCon in DC this year. Just let me say that we should all be glad this guy's on our side. His presentations, writing and web site are top notch and are as informative as they are entertaining; however, there is more to this fellow. His drive to help others has produced ihackcharities.org. Recruiting hackers to do pro bono work for charitable organizations -- excellent idea. If you have any talent or aspirations in this area you should really look into it. From DarkReading:

http://www.darkreading.com/document.asp?doc_id=132333&WT.svl=news1_1

Thanks for reading... it's off to my day job!

Thursday, August 23, 2007

Day One.

I think the little introduction just about says it all. In an effort to stay informed about the risks to my customers I read a lot of stuff over the course of a month. Rather than keep it to myself, I thought this might be a good way to share what I find. Mainly, I want to highlight the risks associated with simply having an on-line presence -- and what business lacks that? Large, high-profile businesses have been aware of the battle taking place on their firewalls and IPSs and servers, as they have been the primary battleground. Now, however, medium and small businesses are in the fray as well -- whether they like it or not, and whether they are aware of it or not. Where do you think all those millions of zombies and bots come from? Do the math. Do you think it's possible that there are millions of compromised computers being used for DDoS attacks and none of them reside on the networks of small and medium businesses? HIGHLY unlikely. Education is the key here, friends and customers.

So... let's begin, shall we?

Read this first. From ITSecurity.com, Mafia 2.0: Is the Mob Married to Your Computer? A good summary of the who, what, why, when and how of the criminal operations that are behind just about every security event today.

http://www.itsecurity.com/features/mafia-2-security-crime-011807/

Dark Reading is a great newsletter and site. You'll find over the course of our relationship that much of what I post comes from there. I'll take no offense if you decide to subscribe to Dark Reading directly and bypass my inane ramblings.

The Six Dirtiest Tricks of 2006 is a classic. This article is worth reading if for nothing else other than the firsthand description of the flash drive experiment. 20 flash drives left around a business... 15 of them inserted into company machines... doesn't matter how good your firewall is in that scenario, does it?

http://www.darkreading.com/document.asp?doc_id=113460

Again from ITSecurity.com: Ransomware 101. Over 100,000 computers infected with ransomware over the past eight months. The main message: pay us money or we will encrypt your files and close down your operations. Ah, yes, the value of having current backups.

http://www.itsecurity.com/features/ransomeware-101-082107/

From NetworkWorld via CIO Magazine: TJX Pegs Data Breach Tab at $118 Million. At least their sales are up.

http://www.networkworld.com/news/2007/081507-tjx-data-breach-cost.html
From CIO Insight: Security Reconsidered. An interview with George Westerman of MIT, co-author of the new book IT Risk: Turning Business Threats Into Competitive Advantage. Westerman proposes a holistic approach to assessing and mitigating risk. Risk is not just an IT issue, you know, and approaching it in this way can actually provide an advantage in the marketplace.

http://www.cioinsight.com/article2/0,1540,2168713,00.asp

Well, that's a start for now. Let me know what you think.