[SecurityRatty] tag: safeguard

XTM? YAUSA, or Yet Another Useless Security Acronym

Mon, 11 Aug 2008 13:06:29 +0000

Sometimes, two negatives do make a positive. Gartner has avoided using the term UTM (that is, unified threat management) in our research because:

1. You can't (and wouldn't want to) manage threats.
2. UTM originally applied to products for small and midsize businesses (SMBs), but UTM has been recently co-opted by some enterprise security vendors under the guise of fresh marketing.
3. There is little evidence that many of the components in these platforms are integrated, much less "unified." Now, there is some promotion of the new acronym XTM (that is, eXtensible threat management) as a new generation of UTM. We're not referring to any product name, but the attempt to create a new and confusing acronym, and create another artificial market to size and make predictions about.

No matter what you call it, the arc of advancement of network security products for the SMB will continue: New threats will drive the development of new safeguards that will be included as an option in that same appliance. This is not true for the enterprise, where best-of-breed buying of point solutions will continue, with consolidation of products occurring in three places, aligned by buying center and safeguard profile (see "Introducing the Secure Web Gateway").

The next-generation firewall (NGFW) will serve the enterprise and combine firewall and IPS,; however, there will be no UTM for the enterprise (see "Magic Quadrant for Enterprise Network Firewalls, 2H07"). We are already seeing SMB multifunction firewall vendors optimizing performance by assigning separate ASICs, emphasizing that the inspection tasks on content and network processing are very different (see "MarketScope for Multifunction Firewalls for Small and Midsize Businesses"). Even among SMBs, we are seeing little evidence that many are deploying network, content and e-mail processing in the same platform, usually leaving e-mail security to a separate product or service.

The New Encryption Generation: Closing the Gap

Wed, 06 Aug 2008 09:00:00 +0000

(Source: Credant) Enterprises view encryption as a backstop to prevent information from ending up in the wrong hands. But first-generation encryption technologies may leave critical gaps in security or even foster operational compromises. This white paper examines those limitations and an alternative, multilayered approach that can automatically safeguard data without complicating essential IT and user operations.

Monday merger-mania in security

Mon, 28 Jul 2008 18:54:31 +0000

Not sure if it is because of the slumping market and economy or in spite of it, but there pace of merger activity has been picking up lately and the security industry has not been immune to it. Today saw two meaningful deals announced that could have an impact on the security landscape:

1. Sophos buys Utimaco - Saw this one when I woke up today, as it is a European deal. UK based Sophos is buying German based Utimaco, makers of the SafeGuard line of data encryption/protection/DLP product line. Sophos is paying cash $340 million US for in this deal. This means they are substantially dipping into the credit market, as this is far more than they reported cash on hand. So like the Brocade/Foundry deal, the acquiring company feels strong enough about the acquisition to mortgage the house to get it. In this case, I think Sophos is making a smart deal. They clearly say that to compete with Symantec, McAfee and Microsoft they are going to need a full endpoint security suite. AV alone is not just going to cut it. This gives Sophos a real play in DLP and data storage space.

Yes they could have just done a partner deal for this type of technology, but I applaud them for going out and buying the technology. I wondered if they would use this as a reverse merger entry to the public markets but it doesn't look like that. In any event it looks like Sophos is making the play and spending the bucks to be a player in the endpoint security suite game.

2. Motorola buys AirDefense - Well one of the air brothers finally found a taker. I always thought that for all of the press AirDefense, AirTight and AirMagnet receive, the revenue just didn't match the hype. Stand alone wireless security was a tweener. Would traditional security cover wireless or would traditional wireless cover wireless security. In any event a stand along wireless security play is a tough road. So with this answer Motorola says wireless handles wireless security.

My question is what does the future hold for Motorola. They are reportedly getting out of the cell phone business. Is their wireless business, even a secure one enough to support this giant? I don't know but there is a bit of "dead man walking" over there if you ask me.

I think the play is clear though that wireless providers are going to snap up wireless security companies. The real issue is at what prices. If anyone hears a price on this one, let me know.

Monday merger-mania in security

Mon, 28 Jul 2008 17:54:32 +0000

I think the play is clear though that wireless providers are going to snap up wireless security companies. The real issue is at what prices. If anyone hears a price on this one, let me know.

Marketers mucking up data-privacy efforts

Sun, 22 Jun 2008 20:00:00 +0000

Corporate data-privacy specialists think they’re influencing their organizations to safeguard customers’ sensitive personal information but marketers are often undercutting their efforts, according to a new survey.

AT&T management information on stolen laptop

Sun, 08 Jun 2008 14:28:48 +0000

Technorati Tag: Security Breach

Date Reported:
6/4/08

Organization:
AT&T

Contractor/Consultant/Branch:
None

Victims:
AT&T management personnel

Number Affected:
Unknown

Types of Data:
Compensation information, including employee names, Social Security numbers, and salary and bonus information.

Breach Description:
"An undisclosed number of management-level workers at AT&T have been notified that their personal information was stored unencrypted on a stolen laptop."

Reference URL:
PogoWasRight
SC Magazine
NetworkWorld

Report Credit:
PogoWasRight

Response:
From the online sources cited above:

An undisclosed number of management-level workers at AT&T have been notified that their personal information was stored unencrypted on a stolen laptop.
[Evan] Don't you think that a well known (and respected) company like AT&T would have had the forethought to encrypt laptops?

Employees were first alerted to the theft on the evening of May 22nd by email from Bill Blase, Senior Executive Vice President - Human Resources.

This is to alert you to the recent theft of an AT&T employee's laptop computer that contained AT&T management compensation information

The laptop was stolen May 15 from the car of an employee

The data on the computer was not encrypted -- a violation of company policy -- and included names, Social Security numbers and in some cases, salary and bonus information.

No customer or client data were on the stolen laptop.

the company would not disclose the number of affected individuals, but there is no reason to believe any of the data was being targeted when the machine was stolen.

AT&T repeatedly declined to disclose the number of employees affected "as a matter of policy."

"Usually these are property crimes in which the drive is wiped clean and resold for profit,"
[Evan] This used to be the case, but do you think the same still holds true today? If a thief is going to go through the trouble of wiping the drive, it seems plausible that he/she may also attempt to access/review the information contained on it. Hardware value = ~$1000, Information value = ~$10, $20, $50+ per record. Do the math and it soon becomes apparent that a thief can profit much more by selling the information. I presume that some thieves know this.

The employee who was in possession of the laptop when it was stolen has been disciplined.
[Evan] Was it the employee's responsibility to encrypt the information, or was it his/her responsibility to not store confidential information on it? If the employee was aware of his/her responsibilities, then I can understand the disciplinary action. If not, then AT&T has much bigger problems.

"There are a number of rules governing the handling of encrypted material and the mobile devices handling that material that employees must follow," Sharp said. "It is up to the employee to ensure that any sensitive material is encrypted."
[Evan] Really? It is "up to the employee" to ensure that sensitive material is encrypted? Most of the users I work with wouldn't know the first thing about how to encrypt information. This is why we usually implement policies, standards and procedures to encrypt the entire contents of hard drives as part of the standard laptop build. Encryption is then semi-transparent and we don't need to worry about an incident such as this. Take information security out of the hands of employees if feasible.

AT&T used the breach as a reminder that employees must follow policies.
[Evan] Hopefully this isn't the only time employees are reminded to follow policies.

We deeply regret this incident.

You will soon hear about additional steps we're taking to reinforce our policies to safeguard sensitive personal information and ensure strict compliance in order to avoid incidents like this in the future.

The telecom also says that it is "in the process of encrypting devices," but that may be small comfort to those whose data were on the stolen laptop.
[Evan] Sheesh, hundreds if not thousands of breaches involving lost and/or stolen laptops affecting millions of people and now AT&T is "in the process of encrypting devices"? To AT&T's credit, they do employ thousands of mobile devices which take time to encrypt and it's better late than never. Explain this to the people affected.

AT&T is offering free credit monitoring to those affected

Victim Reaction:
"I'm very disappointed in my company,"

"Eight days passed before we were notified ... and it took up to another 10 days to be informed about requesting a fraud alert and to be given instructions for signing up for credit watch."

"It is pathetic that the largest telecom company in the world -- with more than 100 million customers -- doesn't encrypt basic personal information,"

"I receive company internal e-mails reminding me to contact our legislators about relieving the company of the burdens of regulation," he says. "What happened here shows the company isn't ready to have those burdens lifted."

Commentary:
Excellent work at PogoWasRight.org. Their report contains copies of the actual AT&T correspondence. Obviously, AT&T should have known better.

The Breach Blog was notified via a comment from the wife of an affected employee on May 28th, but we did not have enough information to report. The comment was not approved by me either because the commenter used her real name (out of protection for her and her husband).

Past Breaches:
August, 2007 - AT&T Stolen Laptop, Unknown Number of Former Employees Affected

Breach at UCSF gets leadership response

Sat, 31 May 2008 06:34:08 +0000

Technorati Tag: Security Breach

Date Reported:
5/28/08

Organization:
University of California

Contractor/Consultant/Branch:
University of California at San Francisco ("UCSF")
Departments of Pathology and Laboratory Medicine

Victims:
Patients

Number Affected:
3,569

Types of Data:
"names, dates of pathology service, health information and, in some cases, social security numbers"

Breach Description:
"The University of California San Francisco is alerting a group of patients that it has discovered a security breach involving a computer that held personal patient information."

Reference URL:
UCSF News Release

Report Credit:
Kristen Bole, UCSF

Response:
From the online source cited above:

The University of California San Francisco is alerting a group of patients that it has discovered a security breach involving a computer that held personal patient information.

There is no indication that any patient files were accessed.

UCSF takes this situation very seriously and is therefore responding with the highest level of caution and concern.

During routine monitoring of the campus computer network on January 11, 2008, UCSF discovered unusual data traffic on one of its computers.
[Evan] Its good that the unusual traffic was detected through routine monitoring, but I wonder how long the traffic was present before it was detected. Later on in the news release there is mention that an unauthorized movie-sharing program was installed on the computer on or about December 2, 2007. It seems likely that the unusual traffic may have started on or about December 2, 2007. Why the time gap between presence and detection?

The computer was immediately removed from the network to prevent further access.

UCSF conducted a thorough investigation into the incident to assess how this breach occurred and whether any patient information may have been compromised.

The investigation was completed this month.
[Evan] This is a long investigation. January 11th, 2008 through May 1st, 2008 is more than 3 1/2 months.

During the investigation, UCSF determined that an unauthorized movie-sharing program had been installed on this one computer on or about December 2, 2007, by an unknown individual.
[Evan] Uh oh. If the installation of the program requires administrative access to the computer, it is conceivable that the local administrator credentials were compromised. The fact that the news release states "unknown individual" leads me to believe that the account used was potentially a shared account.

Installation of this program required high-level system access, which is why the incident is considered a security breach.

This computer contained files with lists of patients from the UCSF pathology department’s database.

The data included information such as patient names, dates of pathology service, health information and, in some cases, social security numbers.

The Department of Pathology has notified 2,625 UCSF patients whose information was contained on the computer.

The files also included 944 patients whose tissue samples had been referred by other health care providers to UCSF for analysis.

UCSF has established a special phone line (415) 353-7427 and a special email address PathHotline@ucsf.edu to answer questions from patients who receive the notification letters.

The security of protected health information at UCSF is of utmost importance

The campus has undertaken extensive work in this area, including upgrading system security and performing the monitoring that uncovered this breach.
[Evan] Great! I just want to point out that the word "undertaken" is past tense. Information security is a lifecycle employing continuous management, improvement, monitoring, etc.

this event and others nationwide have caused UCSF to redouble its efforts in this area.

UCSF Chancellor J. Michael Bishop has formed a top-level task force to improve the system of controls to protect patient information and other sensitive data.
[Evan] Excellent! This demonstrates good organizational leadership, of which information security is integral. It stinks that it took a breach affecting over 6,000 people before this action was taken.

This task force is composed of campus leadership and is chaired by Executive Vice Chancellor and Provost Eugene Washington.

Chancellor Bishop has charged the group with conducting a comprehensive, expedited review of actions already taken and future actions needed to protect sensitive data, including reviewing associated practices, systems and policies.

He also has charged the committee with implementing the changes needed to safeguard protected health information and other sensitive data and has asked the group to report to him weekly on their status, with an emphasis on actions taken and planned.

Commentary:
I commend UCSF leadership for the establishment of the new task force led from the top. Hopefully the momentum will continue. All organizations, non-profits and profits alike, need information security leadership that comes from the uppermost echelons in order to be effective.

Past Breaches:
University of California:
May, 2008 - Health care practices and UCSF patient records exposed
April, 2008 - University of California Irvine students are hit with mysterious breach

Storm Worm Hosting Pharmaceutical Scams

Fri, 30 May 2008 10:50:06 +0000

With Storm's recent SQL injection and introduction of several new domains within, the very latest additions to their domain portfolio are the following domains (naturally in a fast-flux provided by already infected hosts) hosting pharmaceutical scams :

producemorning.com
pressrose.com
posestory.com
picturewest.com
lowsmell.com
catsharp.com
printlength.com

All of the domain's DNS entries are set to update every 2 minutes, meaning they every 2 minutes another 20 different and infected IPs will be hosting the domains, which on the other hand logically have identical WHOIS entry records :

Administrative Contact:
WenFeng NO.397,zhuquedadao street,xian
City,shanxi Province xi an Shanxi 710061 CN
tel: 298 5228188
fax: 298 5393585
yayun22@163.com

It's also worth pointing out how they emphasize on the benefits of SSL based transactions, when none of the sites is supporting SSL, but is doing something a great number of phishers do - they've changed the favicon to a key lock looking one, since maintaining a SSL infrastructure on the infected hosts is both, unpragmatic, and a bit unnecessary if they social engineer the visitor :

"SSL Encryption or Https is a technique used to safeguard private information which is sent via Internet. To prove the site's legitimacy, the SSL encryption uses a PKI (Public Key Infrastructure) - public/private key, to encrypt IDs, documents, or messages to securely transmit the information in the World Wide Web. In order to show that our transmission is encrypted, most browsers will display a small icon that would look like a pad "lock" or a key and the URL begins with "https" instead of "http". SSL Encryption or https from a digital certification authority will helps the secure web site with confidential information on web. "

With pharma masters increasingly using fast-flux to increase the survivability of their domains participating in affiliation based pharmaceutical affiliate programs, Storm Worm is anything but lacking behind programs that connect scammers and (infected) infrastructure providers.

Related posts:
All You Need is Storm Worm's Love
Social Engineering and Malware
Storm Worm Switching Propagation Vectors
Storm Worm's use of Dropped Domains
Offensive Storm Worm Obfuscation
Storm Worm's Fast Flux Networks
Storm Worm's St. Valentine Campaign
Storm Worm's DDoS Attitude
Riders on the Storm Worm
The Storm Worm Malware Back in the Game

Managing Mobile Data with Endpoint Security for Laptops

Wed, 21 May 2008 09:00:00 +0000

(Source: Absolute Software) A NetworkWorld survey of IT professionals found that only 1 in 100 employees consistently follow data security policy. This paper outlines endpoint security for laptops that restricts data access beyond encryption to safeguard against insider threats and user error.Read this whitepaper to learn lessons from recent data breaches, limitations of traditional data security, and how to remotely wipe out data and monitor computers that go off the network.

HSBC lose a server

Mon, 12 May 2008 04:00:00 +0000

Another reported theft of a server containing customer data . This time from the HSBC bank in Hong Kong. "The bank said it had lost track of the server during renovation work at a Kwun Tong district branch in east Kowloon on April 26. Police are investigating and say the server was stolen. " Read all about it here and there's more here. This is a really careless way to lose data. I thought it might be fun to read the bank's own statement on data security.

Security is our top priority. The Hongkong and Shanghai Banking Corporation Limited ('the Bank') will strive at all times to ensure that your personal data will be protected against unauthorised or accidental access, processing or erasure. We maintain this commitment to data security by implementing appropriate physical, electronic and managerial measures to safeguard and secure your personal data.

Each visit I make to a business unit, one of the first things on my agenda is a visit to the server room where I'll check everything from the access log to the temperature of the air conditioning. Spend all you want on boxes of tricks to stop the hackers getting in, but forget to lock the door to the servers and it's game over. Risks increase if your office is within a building shared with numerous other businesses such as the case with this branch of HSBC in Hong Kong. I recall one particular far eastern office I visited not too long ago. The main door to the server room was locked fast and the IT manager took delight in demonstrating how secure the room was. Walking around inside the server room I noticed another door. "Where does that one lead to?" I asked. "Outside" was the response. "Is it secured?" was my next question. "Yes" the manager replied, "the sticky tape holds it shut."