Black Hat Roundup: Keeping Tabs on the Ones That Got Away

B. Ostergaard

Summary Bullets:

  • With the annual Black Hat event in Las Vegas, the global Internet community celebrates its felons.
  • Like physical combat, Internet security requires a good understanding of enemy black hat strategies.

Last week saw Las Vegas hosting the 15th annual Black Hat event.  From its inception in 1997, Black Hat has grown from a single annual conference in Las Vegas (still the main event with the highest stakes) to a global conference series with annual events in Abu Dhabi, Barcelona, Las Vegas and Washington, DC.  From its nefarious roots, it spouts uncomfortable truths about the insecurities we face every day as global net workers.  It’s difficult to find any other industry where crime and passion are so closely aligned and where ‘respect’ and ‘respectable’ are terms so far apart.  Cyber-warfare for profit and power lacks any basic ‘Geneva Convention’ that could specify global rules of conduct and the means to prosecute felons.

Federated Identities: Is Secure Ease-of-Access Keeping Up with Cloud Usage Patterns?

B. Ostergaard

Summary Bullets:

  • Business users are pushing companies into a multi-cloud environment.
  • The automated mechanisms for handling multi-cloud access securely are not yet in place.

It’s not just the European summer weather that’s cloudy; so too is the future IT paradigm.  In this emerging multi-cloud near-future, business users will want easy access to corporate cloud resources from their private cloud, as well as the ability to launch apps in a platform-as-a-service (PaaS) environment and the ability to access a variety of ever-changing external SaaS clouds.  Users would prefer not to have to log in to these clouds individually with different passwords and log-in procedures, which just results in people keeping lists of passwords on yellow stickers or Word files on their desktop computers, clearly breaching any corporate security policy.  Public cloud destinations such as Amazon mostly rely on user-centric passwords (i.e., not aligned with the password used for corporate data site access), and even if a cloud site such as Salesforce.com (SFDC) is linked to a specific corporate account, it will still not sync with the user’s corporate password.  If the company wants to make such cloud access easy and safe (and keep password lists off user desks), the solution lies in storing individual passwords in the company’s Active Directory (AD) and subscribing to a federated identity service that automates access to multiple clouds based on the user information in AD.  With a federated identity service, users get a single sign-on service that may be either single-factor or require two-factor authentication for access to sensitive data.

Hunting for Big Data in Cloud Services: Customers Need a Better Security Standards Map

B. Ostergaard

Summary Bullets:

  • The lack of cloud security standards and the expanding range of cloud providers complicate RFPs.
  • The Current Analysis Cloud Security Study shows IT SPs ahead of carriers and the U.S. ahead of Europe.

The decision to migrate to the cloud is complicated by the expanding number and variety of cloud service providers (typically carriers, IT SPs, vendors, or dedicated cloud SPs), each with its own legacy of strengths and weaknesses, coupled with a dearth of specific cloud security standards to put into a request for proposal (RFP).  Apart from PCI DSS in the retail sector and FedRAMP for the delivery of cloud services to the U.S. government, security standards pertaining to cloud services are related to general business process quality (ISO9000), data center management processes (ISO27001-5), auditing (SSAE 16), and a slew of more vertical industry-specific requirements around handling of sensitive personal data.  Corporate customers are still relying on best-practice guidelines from standards bodies such as NIST in the U.S. and ENISA in Europe, as well as the user/industry forums such as the Cloud Security Alliance with its Cloud Matrix tool.  Still, what does the cloud security playing field look like from the service provider side?  How can providers assess their service offerings against amorphous customer requirements, as well as against the other providers in the market?

APT Threats Today Need a Different Kind of Response

B. Ostergaard

Summary Bullets:

  • The ‘Flame’ advanced persistent threat (APT) is invisible to commercial AV defences and may lie dormant for years.
  • Combating APTs may create a new role for the ITU and further international anti-malware efforts.

The latest news on the (often purported to be state-sponsored) APT front is a massive piece of spy software, dubbed ‘Flame,’ which seems to have been around for many years – at least since 2010.  The worm was discovered by accident when security vendor Kaspersky was looking for another mystery APT dubbed ‘Wiper,’ which has been deleting files on servers in the Middle East for some time.  Much like earlier APTs such as ‘Stuxnet’ and ‘Duqu,’ Flame exploits software and hardware vulnerabilities that evade any of the known AV defences and infects desktops and servers in multiple ways (USB, LAN, drive-by etc.); similar to these other APTs, it appears to harm or spy very selectively, so it may reside dormant on a large number of Windows PCs.  Flame is different in that the remote controllers can install different modules (e.g., taking control of the PC’s microphone to record conversations) on infected machines depending on what kind of information the controllers want to steal.  So, the net-net is we do not know if our desktops or data centres are infected, and consequently whether they are actively or passively spying on us and stealing our data.  We might seek some comfort in the belief that this malicious (often Middle Eastern) activity is politically rather than commercially motivated, but state-sponsored industrial espionage is an obvious use as well.

Telephone DoS: Who Are You Gonna Call?

B. Ostergaard

Summary Bullets:

  • Recent hacktivist attacks have been aimed at corporate phone lines; criminal hackers will launch combined DDoS/TDoS attacks.
  • The good news is that MSSPs are bringing on TDoS mitigation solutions.

On April 12, 2012, a hacktivist group with the ominous name ‘TeaMp0isoN’ targeted the UK counter-terror agency, MI6, claiming to be motivated by the recent decision at the European Court of Human Rights allowing suspected terrorists to be extradited to the United States. However, the attack was not the usual DDoS barrage against the MI6 Web presence. Instead, the group created a wall of phone calls for a period of 24 hours, which meant nobody else could get through. They used a script based on the Asterisk software with the SIP protocol to make calls to the agency’s offices non-stop, basically launching a telephone-based denial-of-service (TDoS) attack.

Taking Your BYOD on Easter Vacation – Securely

B. Ostergaard

Summary Bullets:

  • With the holidays, we take corporate data on our mobile devices to exotic locations.
  • We are not always the best people to ensure the safety of that data.

As we all get into the Easter vacation spirit and pack our bags for holiday destinations, the mobile device and the tablet are right there with us. However, not everyone heading to a sunny destination has the same state-of-the-art mobile gadgets as the average American or European traveller has these days, and a lot of devices with corporate data on board are about to change hands, albeit illicitly.  So, what should a mobile device ‘sun screen option’ provide us holiday-makers with to protect our data, and who should be managing the device from a corporate perspective?

Apple’s New iPad Will No Doubt Sell, but Will It Protect?

B. Ostergaard

Summary Bullets:

  • The new iPad will fast-forward the number of powerful mobile devices used by executives.
  • Managing the security of these devices requires a clear company policy and IT staff support.

The new iPad is out of the Apple bag and it will hit select retail shelves in just two weeks’ time.  This will no doubt ignite a new round of tablet feeding frenzy and increase the BYOD factor in companies around the world over the next three to six months.  However, apart from the added pressure on enterprise IT to cater for yet more powerful mobile devices, what will be the impact on the support organization from a security perspective?  We know from global statistics that lost or stolen mobile devices constitute a glaring security hole in the corporate and public sector ranks.  With a lot more (very attractive) mobile devices out there, it sounds logical that a lot more corporate data is about to change hands – literally.

Enterprise DLP Strategy – Breaking Trust is a Dangerous Option

B. Ostergaard

Summary Bullets:

  • Misusing certificates for data leakage prevention (DLP) purposes is not a good idea.
  • Deploying big data analytics to weed out deviant data and traffic behavior is much less intrusive.

I have been talking to several MSSPs in connection with their rollouts of DLP services. A pressing issue for them is to explain to customers how effective their DLP services actually are. Two weeks ago Trustwave, an SSL certificate authority, confessed to selling a subordinate root certificate that allowed a customer to monitor employees’ Web communications – even if the staffers relied on HTTPS. Trustwave explains that the man-in-the-middle gear was designed as tamper-proof and limited to its unnamed client’s compound. I would suspect that other certificate authorities have issued similar certificates to enterprise customers for DLP purposes. Despite these precautions, Trustwave revoked the offending certificate, admitting that the whole approach was ill-conceived.

Please, Delete Me: The EU Addresses Our Personal Right to be Forgotten

B. Ostergaard

Summary Bullets:

  • The upcoming EU Privacy Directive aims at a moving target.
  • Reviewing internal data management policies may be one good outcome.

We all know that the Internet can come back to haunt us with personal information that we wish had been deleted a long time ago – from youthful debauchery and outdated purchasing habits to run-ins with the law. We also know that many Web sites storing this information show little interest in complying with such deletion requests from individuals. Given its commercial value, we also see that companies with such information are very loath to make it easy for individuals to move such information about themselves to other platforms. A third issue that needs to be addressed is the wide range of different national privacy policies that makes life difficult for companies storing personal data across many countries. Any new legislation must strike a critical balance between an individual’s right to privacy and what’s feasible (i.e., what can companies ‘reasonably’ do, what can authorities monitor and enforce, and how is privacy actually perceived by specific user communities – especially in social networks where users want to follow each other’s private lives). The legislation is clearly addressing a moving target and will be criticized severely, no matter how it shapes up. But retaining legislation that everyone agrees is obsolete is clearly not an option, so whatever comes out in the end, it will require a rethink across the industry.

ICANN Launches Generic .dot Addresses for Any Legal Entity

B. Ostergaard

Summary Bullets:

  • The Internet address universe is expanding.
  • New security challenges must be weighed against giving customers a more personalized experience.

After six years of debate, ICANN, the Internet global domain name manager, has thrown open the gates and set the price bar ($185,000) for any legal entity to acquire its own generic top-level domain name (gTLD).  Examples include company brands and geographic locations below the country level (typically city names).  These also include suffixes using non-Latin and non-ASCII characters, specific product category names and general activity terms such as sports or .music.  This can become a real cash cow for the non-profit ICANN, which expects to receive between 1,000 and 1,500 applications: about two-thirds for ‘dot-brand’ gTLDs such as Hitachi (.hitachi), Canon (.canon) and Deloitte (.deloitte), and 10% from .dot cities such as London, New York and Las Vegas.  However, the TLD universe has been expanding for some time now.  In 2009, ICANN launched IDN (internationalized domain name) TLDs with non-Latin alphabets (the first being a group of Arabic names for the countries of Egypt, Saudi Arabia and the United Arab Emirates).