« March 2010 | Main | May 2010 »

April 2010

Friday, 30 April 2010

Four questions to ask your firewall vendor and Gartner on the future of firewalls

Gartner's John Pescatore blogged about his view on the future of firewalls today. Many pundits have opined about enterprise deperimeterization. Not so says Pescatore, although the functionality of the firewall is changing to respond to the changes in technology and the threat landscape. Gartner calls this new technology, "next-generation firewalls."

It is really just border control – we don’t declare countries “deperimeterized” because airplanes were invented, we extend border control into the airport terminals.

Unfortunately every firewall vendor in the industry has jumped on the term. So in order to help you separate marketing fluff from reality, whenever you are speaking to a firewall vendor, be ready with these questions:

  • How have you adapted your stateful inspection engine in your next-generation firewall?
  • When in the firewall's packet/session analysis is the application detected?
  • Is all packet analysis performed in a single pass?
  • How does your appliance hardware support you analysis approach?
  • is there a single user interface for all aspects of policy definition?
  • What is the degradation in performance as functionality is turned on?

If you like the answers, ask for more thing - show me.

Posted at 08:56 PM in Application Security, Innovation, IT Security 2.0, Network Security, Next Generation Firewalls, Web 2.0 Network Firewalls | | Comments (0) | TrackBack (0)

Technorati Tags:

Wednesday, 28 April 2010

Blippy's security/privacy strategy - do they deserve to survive?

Earlier this week, the CEO of Blippy posted an extensive explanation of the breach they suffered and the steps he is planning to take to improve the site's security and better protect the privacy of the users. I can only hope his explanation of the breach is accurate.

As to his "Plan" going forward, it reveals a shocking, but not untypical, heretofore lax attitude toward protecting the site's users.

I like their Rules page. The intent is to inform Blippy users of "Inappropriate Content and Use of Blippy," However, if I were considering signing up for Blippy, I might consider some of them the risks of using Blippy. Here are examples: 

Impersonation: You may not impersonate others through our services in a manner that does or is intended to mislead, confuse, deceive, or harass others.

Serial Accounts: You may not create serial accounts or relationships in order to evade the block tools or to otherwise disrupt the Services.

Name Squatting:You may not engage in name-squatting (creating accounts for the purpose of preventing others from using those account names or for the purpose of selling those accounts). Accounts that are inactive for more than 9 months may be removed without further notice.

Links: You may not publish or post content that disguises the content of a link in a misleading or deceptive way.

Malware/Phishing: You may not publish or link to malicious content intended to damage or disrupt another user.s browser or computer or to compromise a user's privacy.

Social Network Spam: Blippy provides a variety of ways for users to interact with one another. You may not abuse these tools for the purpose of spamming users. Some of the behaviors we look at when determining whether an account is spamming include:

  • The user has followed and unfollowed people in a short time period, particularly by automated means.
  • A large number of people are blocking the profile.
  • The number of spam complaints filed against a profile.

And I can only hope that Blippy is taking steps to reduce the risks of these actions and worse. How long will it be before Koobface infiltrates Blippy, or there is a new botnet specifically targeting Blippy called "ypblip?"

Posted at 08:58 PM in Breaches, IT Security 2.0, Malware, Phishing, Privacy, Risk Management | | Comments (0) | TrackBack (0)

Monday, 26 April 2010

Treasury Department estimates up to 1.2 million hiding income by using stolen Social Security numbers

If the IRS is coming after you for not paying taxes on unreported income, it may be that someone used your Social Security Number on his W-4. According to the Treasury Department's Inspector General for Tax Administration, it happened as many as 1.2 million times in 2007.

Thanks for the pointer from the Office of Inadequate Security (databreaches.net).

What is worse, the full article on WebCPA says that the IRS lacks the procedures to identify this type of identity theft:

TIGTA assessed whether the IRS has procedures to effectively handle collection issues related to ITINs [Individual Taxpayer Identification Number]. It found that the IRS lacks internal guidelines for its employees to follow to assist either the taxpayer whose wages are being attached or the legitimate holder of the Social Security number (who may unknowingly be the victim of identity theft).

Just another way identity theft can bite you!! It appears there is no way to protect yourself against this one. Perhaps the credit agencies could detect this.

Posted at 06:54 PM in Identity Theft | | Comments (0) | TrackBack (0)

47 health care provider breaches between 9/22/09 and 2/15/10

Health Data Management Magazine's May issue notes that the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) posted 47 breach of unsecured protected health information in the United States between September 22, 2009 and February 15, 2010.

The criteria for posting is at least 500 individuals must be affected. In one case, 500,000 people were affected. The actual list is here. As of today there were seven more breaches posted.

Unfortunately the information on the list is very disappointing. There are no details of any significance about the breaches. For example, here is the latest one on the list (as of 4/26/10): 

Tomah Memorial Hospital
State: Wisconsin
Approx. # of Individuals Affected: 600
Date of Breach: 3/19/10
Type of Breach: Other
Location of Breached Information: Other

While creating this "wall of shame" has some value, posting more details would surely be more valuable to all health care provider security practitioners.

Posted at 06:26 PM in Breaches, Health Care, HIPAA | | Comments (0) | TrackBack (0)

Technorati Tags:

Google discovers privacy flaw in Facebook Graph API

The UK-based Guardian posted a story today that an engineer from Google discovered a flaw in Facebook's Graph API where all events you have participated in or are planning to participate in cannot be kept private.

My reactions are (1) given Facebook's privacy policy trajectory, I am not surprised, and (2) given the threat that Facebook represents to Google, I am not surprised that a person from Google found the flaw.

If anything is going to blunt Facebook's popularity, it's going to be privacy issues. And I say this despite the long history of consumers willingness to give up privacy to gain convenience, e.g. Debit Cards.

Posted at 02:31 PM in Privacy | | Comments (0) | TrackBack (0)

Technorati Tags:

Sunday, 25 April 2010

Aurora - Why was Gmail China's Target?

Larry Seltzer has an interesting post about a conversation he had with Mikko Hypponen of F-Secure about the reason for the Operation Aurora attack in China against Google's Gmail service.I wrote about Aurora here and here. However, the question remains - why Gmail and not Yahoo or Microsoft's free email service?

Perhaps it's because only Gmail offers SSL encryption which prevents sniffing on the wire to read emails. Because the other free email services don't offer SSL, you can simply sniff the wire to read the emails on those services.

End users who have some level of security consciousness gravitate to Gmail. And if you want to read messages on Gmail, you have no choice but to hack the service itself as you are not going to crack SSL.

Posted at 09:08 PM in Breaches, Privacy | | Comments (0) | TrackBack (0)

Technorati Tags:

Facebook accounts for sale starting at $25 for 1,000 accounts

Dark Reading published a story based on VeriSign's iDefense's research of an underground black market for stolen social networking credentials. One criminal was selling 1,000 Facebook accounts with 10 or less friends for $25, while the price for 1,000 Facebook accounts with 10 or more friends is $45.

While this should not be surprising, it is worth noting again the level of cybercrime organization.

Posted at 08:42 PM in IT Security 2.0, Privacy | | Comments (0) | TrackBack (0)

Technorati Tags:

Saturday, 17 April 2010

Apache infrastructure breach analysis is a model of forthrightness and a learning experience

Last week, the Apache infrastructure team disclosed a breach to their issue tracking software where an XSS exploit led to root access which led to compromised passwords. What makes it interesting is the level of detail they provided about the breach, which security policies worked, which did not work, and what they are changing to reduce the risk of another such breach. No attempt at security by obscurity here. McAfee Labs did a nice blog post on it.

Do you think the use of Apache is going to go up or down? IMHO, the breach will have no effect or might actually increase Apache usage. The reality is that all organizations have breaches regularly. Sharing detailed information like this helps us improve our security.

BTW, if your organization is not experiencing breaches, it's due to lack of visibility.

Posted at 06:24 PM in Breaches | | Comments (0) | TrackBack (0)

Technorati Tags:

Thursday, 15 April 2010

Conventional password policy recommendations questioned

Microsoft researcher Cormac Herley recently published a paper casting doubt on the economic value of following conventional password policy recommendations. Whether you agree with Herely or not, his economic analysis is well worth reading.

Security Watch has a nice summary.

Posted at 08:03 PM in Security Policy | | Comments (0) | TrackBack (0)

Technorati Tags:

Sunday, 11 April 2010

More PDF exploits - time to stop downloading PDFs

It seems like there is a constant flow of PDF vulnerabilities. Two new ones are highlighted here.

It's time to stop using PC-based PDF readers.I've switched to a browser plug-in called gPDF which works with IE, Firefox, and Chrome.It opens the PDF file in Google Docs. Google Docs gives you the ability to print it without downloading it. The one issue I have is, there is no apparent way to save the document in Google Docs for future reference. So for that, I save the link in Delicious.

I'm done with downloading PDF's for now - just not worth the risk.

Posted at 06:49 PM in Malware | | Comments (0) | TrackBack (0)

Technorati Tags:

Next »

About

Subscribe to this blog's feed

Recent Posts