How Valuable Is Your Time?

February 4th, 2012 - Please note this is an imported post, written by Tracy Mooney

Do you remember that time my husband clicked on scareware? Or that story I tell about how, before I started blogging for McAfee, the kids downloaded a virus onto the computer that we couldn’t get rid of, and we had to send the PC back to the store?

I bet I never told you about how I set my mom up with an account on our McAfee Family Protection so I could make sure she didn’t go to certain sites or have access to different programs on my computer. I was worried about her accidentally deleting a file or downloading a keylogger.

All of these things took time – sometimes days or weeks to fix. Being the resident techie in charge of fixing these problems meant that I had to do the dirty work. Friends would usually suggest I go to a big box store to get it fixed. They often would complain about the price of those services in the same breath! Luckily I can handle most basic problems on my own, but my time is valuable.

As a busy mom, sometimes I just have other things to attend to rather than spending time recovering a lost document, you know?

Well, McAfee has unveiled a new service called McAfee TechMaster (https://techmaster.mcafee.com/) to help us with any technical issue that you can imagine. It’s everything from setting up a new computer or home network (or fixing an old one) to virus removal and data recovery. Plus, they don’t need to come to your house. It’s done via phone or remote login to your computer, depending on what you need help with.

What’s really cool are the two annual concierge services, which for a decent price give you 24/7, unlimited support. Add up all of the times you needed tech help (maintenance, set up and just random issues) with your multiple computers, phones, tablets, printers, home networks and routers. I have! Or, there are services that help you per incident starting at $69.95. I think that is a small fee to pay for great support!

Check it out for yourself and let me know what you think!

Stay safe out there!

Tracy

Android Market Gets a Bouncer to Kick Out Malware

February 3rd, 2012 - Please note this is an imported post, written by Jimmy Shah

Today Google announced its Bouncer security service for the Android Market. This is a good initial step in protecting Android users.

Respect the Bouncer
To keep out known troublesome apps, the service performs a malware and spyware scan on all submitted material. It also uses behavioral analysis to determine if a given app is trying to do something suspicious. Google doesn’t stop there; it also does fraud and abuse detection to ban and remove malware writers posing as legitimate developers.

Other Protections
Aside from Bouncer, Google has older methods of protecting users from bad apps. The company cites its “remote app removal switch,” which allows Google to remotely uninstall apps that violate its policies and or are malicious. Although this is good for handling most basic Android malware, additional measures are sometimes necessary.

Sandboxing apps is very useful but is also a double-edged sword. On one side it keeps the average malicious app from accessing user data in other apps; on the other, however, it prevents Google and other security vendors from easily cleaning a device of advanced malware. In the case of malware such as Android/DrdDream or Android/DrddreamLite, which use root exploits to gain total control of a device, it’s necessary to go a step further. These threats that use root exploits completely bypass app sandboxing, requiring stronger methods to remove them. Google now provides a tool that runs on infected devices and removes all malware that was impossible to clean up with the remote removal function.

Alternative App Markets and Malware
Bouncer was able to reduce by half the amount of malware available on the official Android App Market during the past year. That’s an impressive figure. It’s also not the entire picture for Android malware. Android’s openness is great for developers and for users. It’s easy to get started developing apps and distributing them. It’s also easy for users to get an app that does what they need. These were keys that helped to make MS-DOS the most popular operating system in its day: Although MS-DOS was afflicted with viruses and other malware, they were always orders of magnitude smaller than the available number of legitimate applications.

The official Android App Market is not the only source for apps on Android devices. In China, it’s not even the only app store. There are reports of as many as 70 app stores in Beijing alone. In a presentation I gave last year at the security convention DefCon, we found that on a nearly two-to-one basis China was affected by for-profit mobile malware. The majority of this malware was Android based and downloadable from some of these alternative app markets. China has a large number of mobile users and the tactic of local cybercriminals was described by a colleague as “steal a little from a lot.” Even a single dollar from a million users is a good haul for a criminal.

Is a ‘Bouncer’ Enough?
We haven’t yet seen many details about Bouncer internals, but what we’ve seen so far bodes well for Android security. By itself Bouncer is not enough to clean up all infected devices or to keep all malware out of the market. There will still be a need for further innovation in security software and for defense in depth. The Android security team has a lot of clever people on it and no doubt they will continue to improve security while maintaining Android’s open nature.

Cyber Insurance and Security

February 3rd, 2012 - Please note this is an imported post, written by Kim Singletary

I recently read an article in Computerworld that really got me thinking about servers: what they are, what they do and what they hold. Traditionally, the insurance industry has offered risk protection from tangible events – even if they are unpredictable.  Hurricane and earthquake insurance are factored by damages and physical loss; but how would cyber insurance be factored? Although we’ve made great strides, we still cannot predict or easily measure the impact of a future data breach. So the question is, how can companies provide any reasonable cyber insurance?

Cyber insurance can account for the physical aspect of a server being lost or stolen, and guess the value of the data that would be lost during a server compromise. But what if a server is unable to perform its job due to cyber incident or vulnerability?  Does the insurance consider the loss in productivity that would occur if a compromise affected server performance or availability?  And how does this extend to our partners’ datacenters, cloud services and mobile computing capacity?

The fact is, a strong, strategic security policy and holistic security framework can assist in providing visibility and actionable tasks that will have the most impact against the highest risks. In other industries, taking responsible actions to mitigate risk helps companies reduce their premiums, as well as predict the amount of necessary coverage, so they don’t over-extend. It’s too soon to tell, but it will be interesting to see how cyber insurance and security risk management will continue to mature in the next few years.

For more information on this topic, check out my podcast below, and be sure to visit our website to learn more about how the McAfee Security Connected framework can help your business enable centralized, efficient, and effective risk mitigation.

Weekly News Roundup

February 3rd, 2012 - Please note this is an imported post, written by Zack Cronin

Welcome to our Weekly News Roundup. Read on to learn about the latest this week in the world of security, put together for you by our marketing team. Enjoy!

1. Android users potentially hit by malware attacks: Two possible Android attacks. One, according to Symantec, is due to thirteen applications from three different developers that have been collecting data and performing tasks without the user’s knowledge (Millions Of Android Users Potentially Hit By New Malware Attack, by Oliver Haslam). Another is a bug unique to HTC smartphones that allows some applications to send the user’s Wi-Fi network username, password, and SSID information to a remote server for collection (HTC Android phones allow apps to harvest users’ Wi-Fi password by Zeljka Zorz).
As a footnote to this news – Google announced a new service on February 2nd, 2012 called “Bouncer” that would automatically scan Android apps for malware. Check out this post by Elinor Mills at CNET to learn more.

2. Government web applications contain the most vulnerabilities by the SC Magazine Staff (@scmagazineUK). After carrying out over 600 penetration tests on custom-built applications, Context Information Security found that UK government web applications contained the highest number of vulnerabilities. Interestingly here at Veracode we have also seen similar patterns in the US and we blogged about this earlier this year.

You can download the full State of Software Security, Volume 4 report here.

3. Twitter Censoring Tweets in Various Countries: Twitter Censorship Movie Sparks Backlash: Is It Justified? by David Kravets (@dmkravets). By announcing Thursday that it would exercise its ability to withhold content from users in a specific country, Twitter sparked a massive debate in which participants toyed with the ideas of a company abiding by the law, the responsibilities of the messenger, and freedom of speech.

4. The DMARC coalition bands together to stop phishing: Google, Facebook, and Others Join to Write New Email-Authentication Spec Called DMARC by Dennis Fisher (@DennisF). Google, Yahoo, AOL, Microsoft, and others have joined forces in order to develop a new framework for email. The new specification will be called the Domain-based Message Authentication, Reporting, and Compliance, and aims to stop phishing schemes and other email-borne attacks.

5. Committee in the UK pushing for cyber security education, awareness campaigns, secure public sites, and safety standards on software: Demand for safety kitemark on software stepped up by John Leyden (@regvulture). Political types on the Science and Technology Select Committee in the UK have called for the expansion of the Get Safe Online and similar campaigns, in order to dispel fears and encourage secure usage behaviors on the Internet. Perhaps the most significant of the demands is for, “safety standards on software sold within the EU, similar to those imposed on vehicle manufacturers.” Also be sure to check out the comments.

6. Finally, this weekend is home to the Super Bowl! The New England Patriots will be taking on the New York Giants this Sunday in Indianapolis, but what may not be as apparent as the fans, food, and commercials is the security. By utilizing defense contractor SAIC, an $18 million Regional Operation Center, a Mobile Command Center, and even gamma-ray scanners, this Super Bowl will be the most technologically secure in history. Game On: Gamma Ray Scanners To Guard ‘Most Technologically Secure’ Super Bowl Ever by Christopher Brook (@threatpost)

Why we have jobs in cybersec

February 3rd, 2012 - Please note this is an imported post, written by Robert Graham
I just got an email from my accountant:
Attached, please find your 2011 Tax Organizer, which has been password protected. The Password is the FIRST FOUR digits of the taxpayer's social security number.

This seems reasonable. After all, your card for ATM machines has only a 4 digit PIN number. In addition, since the LAST 4 digits are so often used, many people know them, so they chose 4 digits that somebody else wouldn't know.

But of course, the problems with this are obvious to any professional.

There are three reasons why 4 digits work for ATM machines, and why they don't work here.
  • The ATM card itself is the PRIMARY security; the PIN number is only SECONDARY.
  • Guessing the PIN number is "online" (you can only guess a few numbers before the ATM machine eats your card), but PDF guessing is "offline" (you can make as many failed guesses as you want).
  • The third reason things are different is that stealing money from an ATM is limited to only a few hundred dollars, whereas documents from your accountant can lead to loss of all your money.
I can pay my neighbor's kid $20 to sit in front of a computer for a couple hours trying all 10,000 combinations until they guess the right password. The kid might get smart and google social security number prefixes and reduce the number of attempts by quite a lot. Indeed, if he could figure out where I was born, he might reduce his search to only a few hundred attempts, because the first three digits are assigned by the state you are born in. Which is why people ask you for your last 4 digits rather than the first 4 digits, because the first 4 are so easily guessed.

Or, I can download free software to do it for me. I downloaded this program and after 2 seconds of crunching numbers, it came up with the right password:


(This image is edited, of course, my SSN# does not actually start with "5967".)

So, what's the right solution? You can't send an encrypted PDF and the password in the same e-mail (as some people do), because then anyone who reads that e-mail can once again decrypt the PDF. Instead, you have to exchange passwords "out-of-band", such as on the phone or when you visit the office. The encryption is only as strong as the password, so you have to choose a long one (more than 12 characters that are hard to guess).

The REAL correct solution is for vendors to better integrate PGP or S/MIME into email systems. PDF encryption was chosen in this case because it's built-in. Likewise, generating public/private keys should be built into every e-mail system -- but it's not.
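The post's argument modelled in Python, as an added example that is not part of Graham's post: online guessing behind an ATM lockout versus offline guessing against the PDF, the shrinking keyspace once the issuing state is known, and the 12-plus-character password the post recommends. The 5,000 guesses per second comes from the post's 10,000 PINs in 2 seconds; the lockout of three attempts and the 20 area numbers for a state are assumptions.

```python
"""Why a 4-digit PIN is fine behind an ATM lockout but useless on an offline PDF."""
import math
from typing import Optional

SECONDS_PER_YEAR = 365 * 24 * 3600

# From the post: the free tool tried all 10,000 four-digit PINs in about 2 seconds.
PDF_OFFLINE_GUESSES_PER_SEC = 10_000 / 2
# Assumption: the ATM keeps the card after three wrong PINs.
ATM_ONLINE_ATTEMPTS = 3


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols over the alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Keyspace expressed as bits, the usual way to compare password policies."""
    return math.log2(space)


def online_success_probability(space: int, attempts_before_lockout: int) -> float:
    """Chance of a correct guess when the verifier stops you after a few tries;
    each wrong guess rules out one candidate, so it is attempts / space."""
    return min(1.0, attempts_before_lockout / space)


def offline_seconds_to_exhaust(space: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every candidate with no lockout at all."""
    return space / guesses_per_sec


def ssn_first4_candidates(area_numbers_for_state: Optional[int]) -> int:
    """Candidates for the first four SSN digits. Unknown state: all 10,000 values.
    Known state: only that state's three-digit area numbers, times ten for the
    fourth digit (the per-state count is an assumption supplied by the caller)."""
    if area_numbers_for_state is None:
        return keyspace(10, 4)
    return area_numbers_for_state * 10


def survives_offline_attack(space: int, guesses_per_sec: float, horizon_years: float) -> bool:
    """Policy check: exhausting the keyspace must take longer than the horizon."""
    return offline_seconds_to_exhaust(space, guesses_per_sec) > horizon_years * SECONDS_PER_YEAR


def report() -> dict:
    """Compare the post's scenarios side by side; keys are used by the checks below."""
    pin = keyspace(10, 4)
    long_pw = keyspace(62, 12)  # the post's "more than 12 characters": upper, lower, digits
    rate = PDF_OFFLINE_GUESSES_PER_SEC
    return {
        "atm_pin_success": online_success_probability(pin, ATM_ONLINE_ATTEMPTS),
        "pdf_pin_seconds": offline_seconds_to_exhaust(pin, rate),
        # Assumed: 20 area numbers for the victim's state -> 200 candidates.
        "pdf_pin_known_state_seconds": offline_seconds_to_exhaust(ssn_first4_candidates(20), rate),
        "pdf_pin_ok": survives_offline_attack(pin, rate, horizon_years=10),
        "long_pw_bits": entropy_bits(long_pw),
        "long_pw_years": offline_seconds_to_exhaust(long_pw, rate) / SECONDS_PER_YEAR,
        "long_pw_ok": survives_offline_attack(long_pw, rate, horizon_years=10),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value:.4g}" if isinstance(value, float) else f"{key}: {value}")
```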

Penny Wise, Pound Foolish – Avoiding Security Spend Pitfalls: A Conversation with Wendy Nather

February 2nd, 2012 - Please note this is an imported post, written by Zack Cronin

If your organization had an unlimited budget to spend on your enterprise security program, in what areas would you focus investments? Application security? Mobile strategy? Web Application Firewalls?

Wendy Nather from the 451 Group and Veracode’s CTO Chris Wysopal presented the latest research on enterprise security spend, and discussed how to “make the case” for security initiatives in a recent webinar. This popular webinar also generated a large number of questions from attendees, and the highlights of the Q&A session are posted below. You can access a full recording of the webinar here.

For those of you who missed the webinar but still have questions or comments, we’d love to keep the conversation going, please leave your remarks!

Q: How would you recommend that security professionals engage the development community about security testing?

Wendy Nather: I’ve always been a fan of bribery myself, “constructive bribery”, pretty much anything that works. Make no mistake; what you’re talking about here is really a form of social engineering… it really helps if you sit down with the developers and show them that you have the same goals as they do, and show them that you can possibly be of help to them in achieving their goals. If you do this they’re going to be a lot more receptive to any changes you’re going to ask them to make. Doing anything casually rather than bringing it down as an edict, starting slowly, getting to know them and their issues and applications, goes a long way as far as building a good foundation for working together.

Q: If WAFs (Web Application Firewalls) are as problematic as you say, why is this one of the fastest growing Application Security technologies? It seems like a WAF is a no-brainer to put up until you fix the underlying problem, isn’t it better than just being exposed?

Wendy Nather: You are absolutely right – it does seem like a no-brainer, and at least in our market place it is the fastest growing segment partially because it is so straightforward. It is a lot easier to buy technology than it is to go in and fix legacy code. The problem is not that you buy the web application firewall and you slot it into your network and try and figure out how to pipe all your traffic through it, the problem comes when you start changing it. It’s not binary, turning it on or off… there’s a lot of interpretation in the application and specific tuning that needs to be done and it’s there that we see a lot of enterprises dropping off the effort.

Q: What approach do I take if the majority of my applications are outsourced and I work for a global company?

Wendy Nather: That’s always been a big problem … people are realizing that software security applies across the board. One thing you can do is make good friends with your procurement team and if you don’t already have security language in your contracts with your third party providers, it’s time to try and get some. I have actually managed to get into contracts stating that the vendor would take care of any discovered security problems at their own expense, regardless of when the problem was found for the life of the contract. You’ll be surprised at how many vendors don’t read the contract before they sign it and that sort of thing! At least going forward you can start to put more weight legally to enforce these. With things you already have in place you can threaten to go to the competition because they are more secure. There is a lot of unseen power in the hands of consumers, and if they put that together the market will generate a lot more than there might have been.

Q: Per the title of the talk, how do you monetize the concepts you’ve been presenting?

Wendy Nather: How to monetize the concepts – have to go back and agree with you Chris – groups like Denim Group have actually been doing this together with other companies… the problem is that until you know the extent of what you are actually dealing with you don’t know what the expenses are going to be. You may want to start budgeting for one or two full out re-writes, and if you’re lucky they don’t have to be rewritten and you can use that budget to address some of the more common problems across the board. But knowing how much money you’re going to be spending upfront is a challenge until you have the application inventory, until you know what your risk tolerances are, and until you have a fair idea of what the problems are. You’ll have to start slow and realize the number may grow to a certain extent before you really know what you are doing.

Q: You mentioned a disparity between what is getting attacked – for example, applications – and where the money is being spent, like on networks. Why do you think that is and what can be done to correct the imbalance?

Wendy Nather: Again, network security and OS layer security have been around for a long time, people understand it well, even IT executives and business executives have a pretty good idea of what it entails. They say, “Can’t we just put a firewall in here?” That’s pretty well understood. But the problem is the implications of addressing application security are so customized per enterprise and for the types of application that they have, it’s just not as straightforward. So for the reasons that I explained before, there’s a perception that this is hard. There a lot of unknowns in it before you start and I think that’s why it hasn’t been widely adopted. But, certainly taking baby steps as Chris described and starting just to get the lay of the land and start to talk about it – because talk is cheap – and trying to raise awareness there are a lot of things you can do on a small budget to start.

You can access a full recording of the webinar here.

Lab Matters - The death of browser trust

February 2nd, 2012 - Please note this is an imported post, written by Konstantin Ignatev

In this webcast, Kaspersky Lab senior security researcher Roel Schouwenberg talks about the Diginotar certificate authority breach and the implications for trust on the Internet. Schouwenberg also provides a key suggestion for all major Web browser vendors.

Got A New Smartphone, iPod, Xbox or Laptop? Is It Hacker, Virus, and Theft Safe?

February 2nd, 2012 - Please note this is an imported post, written by Anindita Mishra

The Cybermum India household is all agog with excitement, for yours truly has FINALLY relented and given in to the unanimous coaxing of the household to buy a smartphone. Sample the arguments I faced. “These are quite affordable these days, you know,” said the geek. (Round One to the kiddos: they know my weak points.)

“Think how helpful it will be when you travel. You will always be in touch with work and can check mails. You needn’t lug around your lappy everywhere,” tempted netizen daughter. (Round Two also: carrying a laptop is CUMBERSOME.)

“And you will be able to tweet continually from wherever you are, giving real-time feedback and reports,” masterstroke from the geek. (Round Three to them, and I accept defeat.)

I throw up my hands. “OK, OK… I will check out the different models soon.”

“Whoopeee!” cried the geek and added cheekily, “And Mum, while there, check out the gaming console you have been planning to buy me for ages.”

If you too have bought, or are planning to buy, any Internet-enabled device, then you need to read the latest report from McAfee on securing such devices. I don’t know whether you are aware of this but globally people have digital assets worth over $37,000 stored on their devices as per another recent McAfee survey. You can read my blog discussing the findings of the survey here.

McAfee offers 10 simple precautions that you can take to secure your devices:

  1. The first thing you do upon purchasing an Internet-enabled device is to install comprehensive security software, just like you do for your PC
  2. Transfer your PC best practices to your Apple products too: McAfee Labs has found that there were 5,000 pieces of malware targeting the Mac platform in 2010 and this is increasing by 10% per month!
  3. Ensure your security software has data back-up and restore facilities, besides an anti-virus, a two-way firewall, anti-spyware, anti-phishing and safe search capabilities
  4. Avoid downloading free security software as these are basic and can leave you and your device vulnerable
  5. Use a website safety advisor to search and shop safely: The McAfee® SiteAdvisor® is included in all of the McAfee consumer security suites
  6. Be aware of “scareware,” and don’t buy anti-virus software through pop-up ads
  7. Ensure your family is aware of online dangers and monitor your kids’ online activities: You can get more information on keeping kids safe online at www.mcafee.com/family
  8. Secure your gaming devices too, for they connect to the Internet and are hence open to online dangers
  9. Use a secure, encrypted USB stick to encrypt your data so that it can’t be read and misused in case the device is lost or stolen
  10. Keep abreast of the latest malware, phishing and spam targeting mobile phones

For more such consumer tips, check out: http://blogs.mcafee.com/consumer/securing-new-devices.

Watch A New World of Threats to find out about the threats to your devices and learn how you can secure all your devices with just one piece of software: McAfee All Access.

Summarizing Webroot’s Threat Blog Posts for January

February 2nd, 2012 - Please note this is an imported post, written by Dancho Danchev
The following is a brief summary of all of my posts at Webroot's Threat Blog for January, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:
01. Millions of harvested emails offered for sale
02. Email hacking for hire going mainstream
03. Mass SQL injection attack affects over 200,000 URLs
04. A peek inside the PickPocket Botnet
05. A peek inside the

Summarizing ZDNet’s Zero Day Posts for January

February 2nd, 2012 - Please note this is an imported post, written by Dancho Danchev
The following is a brief summary of all of my posts at ZDNet's Zero Day for January, 2012. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:
01. 'Most beautiful' scams proliferate on Facebook
02. Android users hit by scareware scam
03. 'Remove Facebook Timeline' themed scam circulating on Facebook
04. Fake Kim Jong-il video distributing malware
05.