[SecurityRatty] tag: roman

A Diverse Portfolio of Fake Security Software - Part Fourteen

Thu, 27 Nov 2008 04:47:55 +0000

You didn't even think for a second that the supply of typosqutted domains serving packed and triple crypted to the point where the binary is not longer executing, fake security software domains is declining? With the upcoming holidays and the usual peak of web traffic, malicious activity on all fronts is prone to increase during December. YEWGATE LTD, Sawert Alliance, and Sagent Group, personal favorites affiliate participants in a revenue sharing program for serving fake security software, try to maintain a decent rhythm in their typosquatting process, always worth taking a peek at. The very latest rogue security software additions include :

micro-antiv2009 .com (91.208.0.223)
micro-antivir2009 .com
micro-antivirus-2009 .com
micro-av-2009 .com

Sawert Alliance
Peltonen Martti seodancer@gmail.com
33 New Road, Upper Flat
Belize City
Belize
Tel: +7.9602578790

avmyscan .com (91.203.92.186; 78.157.143.184)
go-your-scan .com
bestproscan .com
avproscan .com
goyourscan .com
iabestscan .com
avmyscan .com
best-scan-pro .com
avscan-pro .com
bestscanner-pro .com
avscanpro .com
iascannerpro .com

Jaroslav Voltz
Email: mensfult@gmail.com
Organization: Private person
Address: Biskupsk 9
City: Praha
State: Praha
ZIP: 11000
Country: CZ
Phone: +420.2224811382

virus-labs2009 .com (66.232.113.62)
virus-trigger .com
virusresponse2009 .com
virusresplab .com
virus-response .com

Roman Spitsikov
Uus-Sadama 12
Tallinn, Tallinn 10120
Estonia
Roman.Spitsikov@gmail.com

virusremover2008plus .com (77.245.61.80; 93.190.139.229)

Sagent Group (sergbelo@gmail.com)
Brignal Solutions
P.O. Box 3469 Geneva Place, Waterfront drive
Road town, BVI
BZ
+1.14193017015

antivirus-pro-scan.com (84.243.197.183)
anti-virus-defence.com
protection-livescan.com

Aleksey Kononov cndomainz@yahoo.com
+74954538435 fax: +74954538435
ul. Yakimanskay 34-56
Moskva Moskovskay oblast 112745
ru

rapidantivir .com (91.208.0.220)
rapidantivirus-2009 .com
securityscanner2009 .com
rapidantivirus2009 .com
rapid-antivir .com
extraantivir .com
rapid-antivirus .com
rapidantivirus .com

Sawert Alliance
Peltonen Martti seodancer@gmail.com
33 New Road, Upper Flat
Belize City
Belize
Tel: +7.9602578790

sgscanner .com (116.50.14.185)
sguardscan .com
scansguard .com
getsg2008 .com

What's Happiness Got to Do With It?

Wed, 29 Oct 2008 07:00:44 +0000

Gartner's own John Pescatore has issued a 12 world post:

The best security program is at the business with the happiest customers.

Happiness? Really? That's the measure of program effectiveness? I would see those 12 words and raise them one word (13 if you're scoring at home):

There's a fine line between happy customers and playing piano in a bordello.

I mean the people running hedge funds and derivative books at AIG, Lehman and friends had lots of happy customers for the last decade!

To me the happy customer is a classic IT copout "we just did what the "business" asked". Like we're just a bystander or something. Its our job to create business value and be business like. We should seek to empower out customers, not make them happy.

Please understand I am not that guy who says IT security has to be the "bad cops" who deny everything the business wants to do. Just saying it is our job to raise the bar where we can. Raising the bar does not always create super happy customers in the short run, but it does empower companies.

Unfortunately, playing piano in the bordello is what a lot of security groups do and even big analyst firms. The path of least resistance ain't always the way. Here is an example. I was at a client many years ago, they wanted to build a big Identity Management solution, so of course they wrote a big RFI got responses from Sun, IBM, Oracle and friends. The bids were in the $3-5 million range. Pretty big projects for an Infosec team. So what do you do? Call up a big analyst firm and get some advice, right?

A week goes by and we get an audience with the "guru" from the Big Analyst Firm. The client has pretty detailed requirements, what systems they want to connect to, what use cases they are looking to solve for, and so on. We anxiously await the knowledge the analyst is about to transfer to us. His response was as follows - "what kind of shop are you? IBM shop? Oracle shop?" "Ummm...we are a huge company we have everything." "Well if you are more of a IBM shop you should go with them. If you are more of a Oracle shop you should go with them." That was the extent of a 30 minute conversation. True story.

Of course, the one value proposition of the Big Analyst Firms is that they supposedly can tell you what everyone else is supposedly doing. There is some value in this I grant you. And it does make for happy customers because even when you force your customers to change, you can say "Well geez, I know its hard but the Big Analyst Firm says that everyone is doing it." But is this security improvement?

Back in 2004, I went to a great security conference, it was Information Security Decisions (they are back in Chicago next week). It was in Chicago, downtown on the river. Tom Davern even took us all out on a boat for lunch one day. Anyway, there was one truly great talk there. It wasn't Fred Cohen debating Gary McGraw on application security which was outstanding (in which Fred uttered the memorable line "I agree with Gary everywhere he agrees with me." (Gary won the debate, his best line - "We know how to win the software security war, but we don't know how to manage the peace" still the problem today actually)) It wasn't Pete Lindstrom showing his security metrics framework (which is still a great starting point). it wasn't Dan Geer's fireside chat.

The truly great talk, though, was by the now departed Robert Garigue. It was called "Its the End of the CISO as I Know It, (And I Feel Fine)." The whole end to end talk was wonderful, there are several things in there that I still use every single day like the separate security models for Infostructure and Infrastructure but the point I want to talk about is the CISO role.

Garigue talked about the two most prevalent CISO models - the jester and the bad cop. The jester CISO

Sees a lot
Can tell the king he has no clothes
Can tell the king he really is ugly
Does not get killed by the king
Nice to have around but…how much security improvement comes from this ?

The jester has happy customers! At least for awhile.

Again I grant you bad cop is not the way to go either (and while this already long post could read harsh on John Pescatore's pithy summary, I give him a lot of points for saying that security needs to be customer conscious).

We have all seen bad cop CISOs who

Changes happened faster that he was able to move
Did not read the signs
Good intentions went unfulfilled
A brutal way to ending a promising career
Sad to have around but…how much security improvement comes from this ?

Obviously these models of CISOs are not solving our information security problems. Instead Dr. Garigue points us to Charlemagne as a better model

King of the Franks and Holy Roman Emperor; conqueror of the Lombards and Saxons (742-814) - reunited much of Europe after the Dark Ages.
He set up other schools, opening them to peasant boys as well as nobles. Charlemagne never stopped studying. He brought an English monk, Alcuin, and other scholars to his court - encouraging the development of a standard script.
He set up money standards to encourage commerce, tried to build a Rhine-Danube canal, and urged better farming methods. He especially worked to spread education and Christianity in every class of people.
He relied on Counts, Margraves and Missi Domini to help him.
Margraves - Guard the frontier districts of the empire. Margraves retained, within their own jurisdictions, the authority of dukes in the feudal arm of the empire.
Missi Domini - Messengers of the King.

This is the way forward! Find software security champions in the architecture and development groups,help them understand the real security issues. They will find solutions you have not thought of. Same for DBAs, same for business analysts even. Its all about beating the bushes, education, and decentralizing security services. Specifically, he points out this important mandate for IT security

Knowledge of risky things is of strategic value

How to know today tomorrow’s unknown ?
How to structure information security processes in an organization so as to identify and address the NEXT categories of risks ?

To me this is our mandate and measure of effectiveness. Empower our customers, educate, and create business value. If I am a CISO I don't want 20 people reporting to me who do firewall ruleset changes. I want one champion in 20 different groups - development teams, architects, DBAs, business analysts.

A concrete example, infosec can continue to go along with the herd and follow the "what everyone else is doing architecture" meanwhile developers are connecting every single thing in your business to the Web. I have been doing integration and new technology projects for a long time, and let me tell you - Change does not always create happy customers in the short run. But the chart below shows that information security is maybe more concerned with not causing waves rather than adapting.

How long can developers evolve, connect everything and security people not change anything? Herb Stein said, "things that can't go on forever, don't. "At some point these chickens are coming home to roost, there is a yawning gap between rapidly evolution connecting the enterprise and the 13 year old and counting security architecture that "Everyone else is using" and when those chicken come home to roost you may not have happy customers then. Here is my 12 words:

The best security program is at the business with sustainable competitive advantage.

Do You Speak E-Discovery? You Should, Even in Europe

Thu, 24 Jul 2008 08:05:25 +0000

How often have you watched the news on television and seen people carrying boxes full of electronic media and digital files out of some well-known company's headquarters? It's a familiar scene in the United States, because of the number of companies subject to e-discovery actions. But even though this subject is disturbing the sleep of CIOs in companies large and small in the U.S. - and even though vendors of tools supporting e-discovery are all looking for the next "killer app" - most Europeans just look on and say, "What on earth is this 'e-discovery'?"

The concept of legal discovery (called "e-discovery" when electronic information is involved) is unique to the "common law" countries - notably the U.S., the U.K., Canada, Australia and New Zealand. Discovery in common-law civil litigation is a form of interrogatory in which both parties agree to the pretrial exchange of information, so that the plaintiff can prosecute a cause for action and the defendant can build a defense. By contrast, in countries with legal systems based on the Roman or Napoleonic traditions - which is to say, most of continental Europe - the obligation to produce information that is relevant to the cause for action is nowhere as comprehensive as the obligation attached to discovery in common law.

There is an important difference between criminal and civil litigation, irrespective of a country's legal system. In a criminal case, if the authorities have a warrant or an indictment, the subject is obligated to produce relevant information, and this is true both in common-law countries and in continental Europe. In civil litigation, however, only common law requires the pretrial production of information and its exchange between affected parties. In non-common-law civil litigation, the relevant information is produced before the judge for consideration and evaluation.

Despite these differences, there are some important lessons for all Europeans about e-discovery and about legal discovery in general. The first is that if an external party demands information, whether during civil or criminal proceedings, it pays to deliver that information quickly. Gartner has seen many cases where enterprises simply didn't know how to find the requested information or couldn't produce it for several days - just long enough to generate some damaging media coverage.

The second lesson: It also pays to be able to deliver precisely the information requested. Law enforcement officers may seize folders and binders, disks and tapes, files and e-mails, reports and logs - anything they can get their hands on, really. This may include information that is not relevant to the case, and it may include information that is highly sensitive. This information will be reviewed, processed and analyzed, and some of this sensitive information might leak to the public or to competitors. It's much better to be prepared to hand over just the requested and required information.

The e-discovery landscape is made even more confusing by international jurisdictional differences. In the global economy, a business relationship with an entity in the U.S. is becoming more the rule than the exception. But a company's duty to release information following a U.S. legal discovery claim - for example, for a European subsidiary - and how that would be seen in relation with European privacy legislation remain unclear at best. E-discovery rules require quick delivery of information that has not been tampered with, but privacy protection requires that personal data be removed first.

E-discovery simply does not exist in most European legal systems, but European companies would be well-advised to familiarize themselves with the concept, in case an e-discovery claim originates elsewhere. Companies that have processes and automation for information archiving and retrieval, document and records management, and a retention policy (including disposal when information is no longer needed) will be well-prepared for any e-discovery claims that arise.

Thieves steal four Diocese of Providence computers

Mon, 04 Feb 2008 05:48:02 +0000

Technorati Tag: Security Breach

Date Reported:
2/1/08

Organization:
Roman Catholic Diocese of Providence

Contractor/Consultant/Branch:
None

Victims:
Current and former Catholic school employees

Number Affected:
about 5,000

Types of Data:
Names, addresses and Social Security numbers

Breach Description:
Sometime during the weekend of January 27th, 2008 thieves broke into the Chancery of the Roman Catholic Diocese of Providence and stolen four desktop computers, one of which contained sensitive personal information belonging to current and former Catholic school employees.

Reference URL:
The Diocese of Providence online announcement
The Providence Journal online story

Report Credit:
The Diocese of Providence

Response:
From the online sources cited above:

An individual or individuals broke into the Diocesan Office Building (also known as the Chancery) located at One Cathedral Square in Providence. The perpetrator(s) gained access by breaking through an office window in the Catholic School Office suite.

Once in the building, the perpetrators forcibly entered through two locked office doors where they stole desktop computers and other equipment.

The office suite that was burglarized did not have an alarm system
[Evan] It was reported that the Diocese does employ a security guard, but it is not known where he/she was at the time of the break-in. The fact that the timeframe in question is 8 hours (10 PM Friday - 6 AM Saturday) is interesting. Typically security guards are expected to make regular rounds (~ once every hour or two) throughout the area being guarded. Eight hours is a long time for a break-in to go undetected, so an alarm system would have been very beneficial as an alert if not a deterrent.

One of the stolen computers (a desktop computer, not a laptop) contained a substantial amount of data that included personnel information on present and former Catholic school employees throughout the Diocese of Providence.

The Rhode Island State Police have been notified of this incident. Additionally, the Providence Police Department has assumed responsibility for the investigation.

Thus far, the stolen equipment has not been recovered however, the Catholic Schools Office is fully cooperating with law enforcement who are investigating the situation.

Present and former employees of Rhode Island Catholic schools may be affected.

A number of safeguards are in place such as: locked offices, password protected computers, local administrator account password protected, guest accounts disabled.
[Evan] These are all good security practices.

Employees have unique passwords that they are required to change every few weeks
[Evan] Another good security practice, but every few weeks might be a little too often. If we make people change their passwords too often we increase the chances that they will write them down.

Additionally, personal information of students, teachers, parents and others associated with the Catholic Schools Office are prohibited from storage on lap top computers.
[Evan] Yet another good security practice.

Personal information of students and their parents and or guardians was not stored on the stolen equipment.

In addition to notifying current and former employees by letters sent to last known addresses, the Catholic Schools Office has created this page on the web site and established a special phone number, 401/278-4678 to answer inquiries from those who feel they may have been affected

Another diocese office was broken into about a year ago and a computer stolen

“The Catholic schools office sincerely apologizes for any inconvenience this incident may cause its current and former employees,”

Commentary:
Judging from what the Diocese has told us about their security practices it is easy to see that they have made a conscience effort to secure confidential information. They put some sound information security practices to use, but now we understand that it wasn't enough. At least two vital information security controls were missed; data at rest encryption and adequate physical security (alarm system missing). There is no mention as to whether or not the Diocese or Chancery are surveilled.

Past Breaches:
Unknown