[SecurityRatty] tag: secureworks

Managed security services: Outsourcing threat management

Wed, 08 Oct 2008 20:00:00 +0000

As prices fall, managed security services from such companies as SecureWorks and Perimeter eSecurity entice enterprises looking to offload the tedious work of monitoring intrusion-detection, intrusion-prevention and other security systems.

PCI Bans WEP SecurityStarting 2010

Mon, 06 Oct 2008 05:38:19 +0000

Version 1.2 for the PCI Data Security Standard was released last week.

One interesting outcome is that the insecure wireless WEP protocol will be banned…but not until June 2010. Says Ars Technica:

Although TJX has become the poster-child for consumer data theft over WiFi, it is (by far) not the only company to use insecure wireless technologies. Wireless security manufacturer AirDefense released a report in late 2007 saying that a quarter of the 4,748 retail access points it surveyed across the US had no security whatsoever, while another quarter only used WEP, “one of the weakest protocols for wireless data encryption.” Just under half (49 percent) of the surveyed hotspots used WiFi Protected Access (WPA) or WPA 2—much stronger encryption protocols than WEP.

If you’re wondering about what other impacts will have, you might want to read through the PCI site or sign up for the SecureWorks webcast on October 14th to learn more.

Call out a phisher, get attacked by malware

Tue, 26 Aug 2008 09:00:00 +0000

If you're the target of a phishing attack, one thing you probably shouldn't do is backtalk, said Joe Stewart, director of malware research at SecureWorks. Otherwise, you may be the target of a follow-up attack.

Links for 2008-07-11 [del.icio.us]

Fri, 11 Jul 2008 20:00:00 +0000

Prevent Fraud and Increase Revenue by 6% « Payment Card Security & IT Controls Explained
iPhone Smackdown: Security vs. Consumerization - Desktop Security - Dark Reading
What the heck is IT consumerization? | Tech news blog - CNET News.com
ha.ckers.org web application security lab - Archive » What Was Your Epiphany?
SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
Jeremiah Grossman: Can WAFs protect against business logic flaws?
Not Bad For a Cubicle » Blog Archive » On Compliance
If it sounds like a duck, quacks like a duck its Security. I believe IRM is a marketing scheme for non-security professional to dictate security controls through business models. Security does use risk management principles to identify threats and should
News Blog - Media - SecureWorks
In the review, Greg attributes the problems he had to SIEM products still being immature even though they’ve been on the market for 10 years. I believe that’s true, but I also think it’s because SIEM products – even those at the leading edge of th

Whats driving the MSSP craze - critical, but non-core functions are fair game for outsourcing

Thu, 12 Jun 2008 23:29:37 +0000

I don't know what it is, but lately everyone I am speaking to is talking SaaS, outsourcing and MSSPs. Just today I was reading Neil Roiter's column on the latest acquisition by Perimeter eSecurity. The MSSP acquisition kings have now bought Edgeos, a vulnerability scanning service. I don't really know alot about them, but it seems their vulnerability service does not utilize a distributed or local server at the customers location. I am not sure how they deal with things like firewalls and such that would result in very different results from an internal scan, but that isn't the point here. The fact is that MSSP service providers, whether it be large carriers line Verizon or ATT or dedicated security MSSPs like Perimeter or SecureWorks or smaller MSSPs like ProtectPoint here in Florida, are finding fertile ground. I will talk more at the end of the article about what kind of MSSP will likely be your MSSP in the future.

Why are they seeing such success and who are they seeing this success with? My experience with this goes back to my days at Interliant, one of the early ASPs and managed security provider. At one time (late 90's, early 2000) we were probably the largest Checkpoint firewall provider in the eastern US. We managed a bunch of firewalls and that passed for MSSP back than. Still does for a lot of folks today. One of the critical lessons I learned at Interliant was that people will not outsource everything. You can break down what most any organization does into three categories. There are non-critical, non-core activities, critical, but non-core activities and core and critical activities. A company is never going to outsource core, critical activities. Outsourcing non-critical, non-core activities are a no brainer. Showing companies that outsourcing critical, non-core activities is the key to success of the service provider market. These are activities that are critical and therefore must have services for the organization, but they are not core to the organizations functionality and they probably don't have deep expertise in that area. Analysis will show that it is better business to outsource this non-core but critical functionality.

Security is squarely in the sweet spot here. Most organizations acknowledge that security whether for compliance or other business reasons is critical to the business function. However, it is not the core expertise of these companies. Therefore outsourcing it is a smart business move. For the most part, companies do not have the in house expertise to run their own security. Part of the blame lies with security vendors, we make our products to damn hard. Part of the problem is the complexity of the problem to be solved. Security is hard. Another part of the problem is in house security just does not, for the most part, get its fair share of the resources in order to do the job. In any event, I think outsourcing security is not just a fad and is here to stay. It will continue to grow in the years to come.

Just a couple of other things though. Finance is an exception here. Security is a core function in finance, as the security of your money and information is core to a financial institutions function. However, at the mid-size level and below, financial institutions do outsource security. I have seen several MSSPs who specialize in this vertical. Lastly, I think the real battle will be who do you get your managed security from. Do you get from a general purpose network vendor, like Verizon, ATT or IBM or HP? Do you get it separate from your network, from a security expert like Perimeter or SecureWorks? That is where the real battle is going to be over the coming months.

Flash Player + Windows = Threat of SQL Injection

Thu, 29 May 2008 11:59:09 +0000

Apparently Adobe Flash players that aren’t patched and up to date on Windows might be vulnerable to a new SQL injection–there are apparently 18 variants of the new exploit. SecureWorks has the details:

Attackers insert SCRIPT and IFRAME tags into the content of trusted, legitimate web sites via a known SQL injection attack. Those tags redirect the user to the attacker’s server which hosts the Flash exploit. Tens of thousands of web sites are vulnerable to the SQL injection attack, meaning the distribution potential is high.

The vulnerability is not “zero-day”; however, these are the first known public exploits targeting it. The SecureWorks Counter Threat Unit (CTU) has analyzed 18 variants of the exploit, and all attempt to leverage the integer overflow vulnerability originally discovered by Mark Dowd (CVE-2007-0071), which was patched by Adobe with release of version 9.0.124.0 of the Flash Player. While some have reported that the latest version is vulnerable, the CTU was unable to duplicate these results with samples taken from known exploit sites. The only confirmed vulnerable version is (pre-patch) 9.0.115.0.

Links for 2008-04-25 [del.icio.us]

Fri, 25 Apr 2008 20:00:00 +0000

Pushdo - Web Based Malware as Usual

Wed, 19 Dec 2007 15:01:44 +0000

Interesting assessment, especially the explanation of the GET variables, however, such descriptive use of POST variables to a malware's C&C server have been around for the last couple of years. What has logically changed is the added layer of obfuscation and complexity to make it hard to assess what does such a URL actually mean :

"The malware to be downloaded by Pushdo depends on the value following the "s-underscore" part of the URL. The Pushdo controller is preloaded with multiple executable files - the one we looked at contained 421 different malware samples ready to be delivered. The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the malware loads from infecting users located in a particular country, or provides the ability to target a specfic country or countries with a specific payload."

This is an excerpt from a previous post on "Botnet Communication Platforms" including various graphs courtesy of botnet masters circa 2004/2005 :

"The possiblities with PHP and MySQL in respect to flexibility of the statistics, layered encryption and tunneling, and most importantly, decentralizing the command even improving authentication with port knocking are countless. Besides, with all the buzz of botnets continuing to use IRC, it's a rather logical move for botnet masters to shift to other platforms, where communicating in between HTTP's noise improves their chance of remaining undetected. Rather ironic, the author warns of possible SQL injection vulnerabilities in the botnet's command panel."

Here're some C&C IPs related to Pushdo :

208.66.195.71

208.66.194.242

66.246.252.215

66.246.252.213

66.246.72.173

67.18.114.98

74.53.42.34

74.53.42.61

talkely.com

Talkely.com (217.14.132.178) is also responding to arenatalk.net and worldtalk.net. There's also another bogus message next to the one mentioned in SecureWorks analysis - and it's "Under Construction Try google".

Related posts on Web Based Malware :

The Nuclear Malware Kit

The Cyber Bot

The Black Sun Bot