The e-mail appeared to be an invitation from an old, junior high school friend. Yet when the hospital employee clicked on the link, it instead led her to a malicious site that installed a Trojan horse on her computer. In a little over a week, international cybercriminals used that beachhead to steal more than $600,000 from the woman’s employer, according to a terse description of the incident on the Information Systems Security Association’s Web site.

A number of similar incidents to this one highlight the threats of online crime facing small and midsize businesses (SMBs), says Stan Stahl, president of Citadel Information Group and president of the Los Angeles chapter of the ISSA.

“Typically, they say, ‘We have firewalls in place and have AV on all the desktops, so I guess we are secure,’” Stahl says. “But today cybercrime is so sophisticated that is not enough anymore.”

Read full article at http://www.darkreading.com/smb-security/security/attacks/showArticle.jhtml?articleID=225702557&cid=RSSfeed

Many trumpet increased availability as a reason to move to the cloud but what happens when your cloud provider is no longer available?

Some companies are faced with this very question this week as storage provider, EMC  announced its plan to shut down its Atmos Online cloud storage service immediately, according to a posting on its website.

EMC launched Atmos Online in May 2009, calling it “Cloud Optimized Storage [with] capabilities that can scale effectively, coupled with security and management tools.”  This placed EMC in direct competition with some of its service provider partners who used EMC’s Atmos technology to provide cloud storage to its customers.

EMC has now  downgraded Atmos Online to a development platform and is offering no guarantee as to the availability of user data moving forward. EMC used its web posting to “strongly encourage [companies to] migrate any critical data or production workloads currently served via Atmos Online to one of our partners offering Atmos based services,”

The provider going out of business is one of the many risks companies have to address when considering moving their critical data into the cloud. In this case, companies now have to spend resources doing the necessary due diligence in selecting an alternative cloud storage provider.

According to Morris Cody, CIO at Washington D.C. based Information Security Services Firm, Secure Intervention, companies moving to the cloud better consider the following:

What is the values proposition for allowing employees access to web 2.0 resources such as social networks?

Every other day, we hear about the risks. Compromised Twitter accounts, phishing via LinkedIN,  malicious Facebook apps were only a sample of an every growing landscape. Most enterprises, appreciating the threats these pose to an environment, simply deny access to social networks from company systems and networks.

Even within such organizations, there are user who need to access social networks to perform their job functions. LinkedIN has become a great tool for recruiting prospective new hires. More companies are using Twitter, Facebook, Myspace and others to promote their business an connect with customers.

But outside of that, is there a value in allowing employees, whose job function do not require it, access to social networks on company systems?

I’m prompted to ask this because last week I was at a meeting of the Northern Virginia chapter of the  Information Systems Security Association (ISSA-NOVA) and the speaker was the deputy CISO of the IRS, Devon Bryan. He spoke about how the IRS was dealing with the security challenges posed by Web 2.0, particularly social networking, Their current stance is to block all access except for those employees who job function required it. Most security  professionals would agree this is probably wise. However, he also added that they are looking at technology that would allow users to “view” social networking sites, but not allow them to “update” them. As he explained, or tried to, read vs. write/execute.

As this was an audience full of security professionals, it was quickly pointed out that drive-by malware downloads only require the user to browse the infected web page or one that is linked to an infected web page. To view is to infect, so to speak. There was then talk of how to mitigate that using virtual machines or proxies.

I have no doubt the technical challenges can be overcome. The hackers who now treat social networks as the new frontier will probably change tact to react as well. Besides wanting to keep employees happy, what’s the policy rationale for allow users to follow their subscribed tweets or friends updates? Never mind, the adverse effect this with have on productivity. Really, why bother?

There has been a lot of chatter in the news lately about the possibility of a “widespread coordinated” cyber attack against our critical infrastructure  and our ability to successfully defend against it.  Most of this infrastructure ( eg. utilities, finance, transportation, etc) is owned by private companies. Those currently responsible to protecting these networks will tell you that we are already under attack.  Is there a cyberwar going on?  Howard Schmidt, the White House’s Cyber Czar says “No”. But let’s not argue semantics. War, skirmish, tomfoolery…call it what you may. Many experts will confess the US is unprepared for a major cyberattack.

What is the government’s role in protecting these private networks? Should it have a role at all? Although some in the private sector are still debating these questions, the government has already moved in action. Last month, the DoD launched its new Cyber Command, headquartered at Ft. Meade, Maryland. Military observers still aren’t quite sure what this supposed to do. The Pentagon’s number two, Deputy Secretary William Lynn, in a gathering of cybersecurity officials and defense contractors,  floated the idea that the “Defense Department might start a protective program for civilian networks”.

According to Lynn, companies may “opt out ” of the program but by doing so would place us all at risk.  Does that mean, by default, all companies are considered in the program?

The congress also is taking action. A draft bill, co-sponsored by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine), gives the Department of Homeland Security authority to keep “critical infrastructure” up and running during a “cybersecurity emergency”.

It would be interesting to see the bill’s definition of cybersecurity emergency.   All would agree that coordinated defense is essential. The federal government is probably the only entity able to provide that coordination on a national scale.  Coordination is one thing. Control, however, well that’s another animal.

Have you ever used your Google search history? If you are logged into any Google service, Google automatically keeps a history of your search queries ad web activities.

According to Google, Web History allows the following:

• View and manage your web activity.
  You know that great web site you saw online and now can’t find? From now on, you can. With Web History, you can view and search across the full text of the pages you’ve visited, including Google searches, web pages, images, videos and news stories. You can also manage your web activity and remove items from your web history at any time.
• Get the search results most relevant to you.
  Web History helps deliver more personalized search results based on the things you’ve searched for on Google and the sites you’ve visited. You might not notice a big impact on your search results early on, but they should steadily improve over time the more you use Web History.
• Follow interesting trends in your web activity.
  Which sites do you visit frequently? How many searches did you do between 10 a.m. and 2 p.m.? Web History can tell you about these and other interesting trends in your web activity.

If you don’t care to have that information recorded, you can and should “pause” it.

https://www.google.com/history

Talk about throwing out the baby with the bath water. The Financial Times reported on Monday that Google has begun telling new employees that they are no longer able to request Windows PCs, giving them the choice of Mac or Linux systems. Google has long offered its employees their choice of work operating system but will no longer do so. According to a Google employee, any exceptions will require will require CIO approval. [ I find that assertion questionable though ].

Google is apparently making this decision in response to the hacking attacks on late last year in China. The attackers  used vulnerabilities  in Microsoft’s Internet Explorer 6 to go after Google’s intellectual property, believed to be source code.  One could argue that if they had updated their browsers, the attacker would have had to find other vectors for attacks.

Could this be a strategic move by Google to prove that an Enterprise can survive WITHOUT Microsoft? With Google’s Chrome OS on the horizon, this may just be the warm-up act.

Source: http://www.ft.com/cms/s/2/d2f3f04e-6ccf-11df-91c8-00144feab49a.html

I completed an Internet Forensics training course this past week where the instructor made that statement. Of the twenty students in the class, only the instructor raised his hand. To which he declared ” Anyone who didn’t raise their hand is a liar!!” He was probably right.

I often fault security professionals and educators who speak in absolutes when trying to increase security awareness. Human nature isn’t absolutist. Any security doctrine that doesn’t account for reasonable human behavior is doomed to failure. Never do this! Never do that! Never use the same password with more than one account! And be sure to change them periodically. Naturally they must be complex passwords including upper and lower case letters, numbers and special characters. Really?

It’s not unusual today for an average Internet user to have 10 or more online accounts. That would mean 10 complex, constantly changing passwords. That would also mean the user will write them all down in a place that is readily available. Oh, I forget the never write passwords down mantra. Sigh.

I’ve taught course where as I went through my list of  “never do’s”, I would watch students’ eyes move from the gleam of interest to dull hopelessness. ” I could never do all THAT!”, someone would say.  Another would chime in, :” That’s why I don’t do online banking!”

Is have the same password for your Facebook and Twitter accounts the harbinger of doom??  Probably not. Myspace and your online bank account? That’s an absolute NO NO.

How do we increase security awareness in average computer users thereby strengthening the “weakest link” in our security posture? We certainly can’t continue to do it by burying them in an avalanche of rules.

As more vendors dive into the cloud computing market, every possible claim regarding the supposed benefits of moving to a cloud-based service is being made.  I ran across an article titled ” Why Cloud-based Monitoring is more reliable and secure than Nagios. ” The auth0r, who represented a cloud-based network monitoring company, contended that the Software-as-a-Service (SaaS) model offered by his company was better for companies than Nagios and other open source products.

The question is not  Cloud Computing vs. Open Source.  In fact, there are open source SaaS providers like MindTouch out there.  If considering a product like Nagios, a better comparison would be open source vs. commercial.  In many cases, cost is the determining factor for companies to look  to open source technologies. Other considerations include flexibility and security.

The more relevant  comparison would be hosting and managing a network monitoring system on site vs. moving to a SaaS provider. For many organizations,  IT is considered overhead and not the primary function of the organization. Companies move to the cloud for most of the same reasons companies out-source.  Can someone else do it better for less?  Cost is ually the easier consideration. Companies have to grapple with the ‘better’. Does it mean more security, availability, capacity? Many cloud providers would say ‘yes’ to all and then some.  Organizations have to really consider and make that determination themselves. Make a real comparision between their options and not just follow the typical vendor hype.

Metasploit provides useful information and tools for penetration testers, security researchers, and IDS signature developers. This project was created to provide information on exploit techniques and to create a functional knowledgebase for exploit developers and security professionals.

Update Summary

• Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
• Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (400K lines of Ruby)
• Over 100 tickets were closed since the last point release and over 200 since v3.3

The full release notes can be found  here.