The Weakest Link in Phishing Attacks

Enterprises today are most vulnerable to phishing exploits at the user level. Understandably, users are an easier target than the hardened, internet-facing systems in any enterprise. Phishing campaigns are getting more sophisticated and frequent, with greater effort focused on making the information in the emails more and more believable, even targeting specific people within an organization. Thus, users are growing less and less capable of discerning legitimate email from phishing campaigns.

This video describes the steps enterprises should take to catch these types of exploits before any data gets moved out of the network. These guidelines include, but are not limited to:

  • Educate users
  • Assume a user in your organization is going to get exploited
  • Maintain visibility — look for activity you’re likely to see AFTER the exploit happens
  • Identify and target “attractive” data in the enterprise
  • Focus on the activity in-and-around “attractive” data
  • Move out from this central location, monitoring & investigating accounts and users accessing “attractive” data
  • Set up baseline monitoring
  • Watch for anomalous activity (after hours, simultaneous authentications from multiple locations, etc.)
  • Watch for activity that occurs AROUND the potential exploit.

In short, focus on attempting to find the activity AROUND the exploit, rather than solely focusing on the exploit itself.
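Two of the baseline checks listed above (after-hours authentications and simultaneous authentications from multiple locations) as an added example, not code from the original post. The log format, the business-hours window and the 30-minute correlation window are assumptions; the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the post):
# timestamp, user, source IP, geolocation tag
AUTH_LOG = """\
2012-01-09T08:55:00 alice 10.1.1.20 office-NYC
2012-01-09T09:02:00 bob 10.1.1.31 office-NYC
2012-01-09T09:05:00 alice 203.0.113.7 remote-SG
2012-01-09T23:40:00 carol 10.1.1.44 office-NYC
2012-01-10T02:15:00 bob 198.51.100.9 remote-RO
"""

# Assumed working hours: 07:00-19:59 local time.
BUSINESS_HOURS = range(7, 20)


def parse_log(text):
    """Turn the raw log into a list of (time, user, ip, location) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, loc = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, loc))
    return events


def after_hours(events, hours=BUSINESS_HOURS):
    """Baseline check: authentications whose hour falls outside working hours."""
    return [(t, u) for t, u, _ip, _loc in events if t.hour not in hours]


def simultaneous_locations(events, window=timedelta(minutes=30)):
    """Flag a user seen from two different locations within `window`:
    the pattern a stolen credential produces alongside the legitimate user."""
    by_user = defaultdict(list)
    for t, u, ip, loc in events:
        by_user[u].append((t, ip, loc))
    hits = []
    for user, seen in by_user.items():
        seen.sort()  # chronological, so adjacent pairs are consecutive logins
        for (t1, _ip1, loc1), (t2, ip2, loc2) in zip(seen, seen[1:]):
            if loc1 != loc2 and t2 - t1 <= window:
                hits.append((user, loc1, loc2, ip2))
    return hits
```

Both functions return the flagged events rather than printing them, so they can feed the "investigate accounts touching attractive data" step directly.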


Is your Security Policy up to date?

It seems that every day we see a story in the news about an organization that has been affected by a data breach. And it also seems that these organizations may not have been maintaining a secure infrastructure with which to protect their data. Although this may seem illogical, this is often the case. An organization may have the stoutest, most layered defense in place, but a well-targeted attack, or "spear phishing" attack, can bypass these controls quickly and easily. Since a task as simple as opening a malicious file in an email can compromise the data of an entire organization, this highlights the importance of an organization's overall information security policy, specifically any administrative controls that may be in place.

These spear phishing attacks will often target specific individuals within an organization with emails that appear to be legitimate. If these email messages look authentic enough, they will often entice the recipient to open a malicious attachment, disguised as a legitimate document or spreadsheet. Once this is done, the attacker may potentially gain access to the recipient’s computer or beyond.

In this day and age, ensuring that your employees are knowledgeable and up to date on relevant security policies and procedures is critical to reducing the risk of targeted attacks within your organization. This should begin with basic messaging to your employees that outlines your security policy, including acceptable use criteria and specifically outlining what to watch for in a potentially malicious email. In addition, annual or semi-annual testing or certification will also help to ensure that your employees are made aware of your security policies and have confirmed this knowledge.

This may seem like an overly simple and meaningless task, but it's one that is often overlooked. While logical controls, like your firewalls, routers and IDS/IPS devices, will hopefully mitigate the majority of questionable messages and traffic patterns into your organization, knowledgeable and vigilant employees are often an important last line of defense in protecting your organization's information assets.


Why Click Fraud Matters

Spending on Internet advertising in the US alone eclipsed $10 billion in 2010. Unfortunately, online sponsored advertising has a major downside: Click Fraud. Industry rivals or other interested parties impersonate consumers by clicking on paid ads with no intent of making a purchase. These fraudulent clicks effectively drive up a company's advertising costs without increasing sales. Click Fraud has become such a widespread issue that in the eyes of LinkShare CEO Stephen Messer, it "could wipe out ROI in search marketing."

Initially, advertisers placed their trust in search companies such as Google, Yahoo and Microsoft to police fraudulent clicks. In 2006, Google CEO Eric Schmidt compromised that trust when he stated:

“Eventually the price that the advertiser is willing to pay for the conversion will decline because the advertiser will realize that these are bad clicks. In other words, the value of the ad declines. So, over some amount of time, the system is, in fact, self-correcting. In fact, there is a perfect economic solution, which is to let it happen.”

His statement led many companies to question the commitment of their providers to preventing Click Fraud.

At the heart of Click Fraud is the act of simulating a click. This is accomplished through multiple means. The simplest is to employ individuals who spend their time clicking on ads without ever purchasing an item. This act is both costly and time consuming if done inside the United States. In developing countries, this is not the case. In the words of Nir Kshetri, the fraudster “must often decide to employ the seemingly bottomless source of human clickers in developing countries, or use technology.” Kshetri goes on to point out that employing human labor becomes less attractive as PPC providers and advertisers become more adept at employing invalid click detection. Because the IP address of a human clicker is usually consistent, PPC providers can easily block traffic from it.

Another method for performing fraud is to write a program that simulates clicks. To do this, the program must perform many tasks normally undertaken by a web browser. The program must first execute JavaScript code to retrieve the HTML code of a web advertisement. It then parses the HTML code for links and sends an HTTP request to the advertiser’s web server. Since this type of fraud is simple to detect, the perpetrator must distribute the program across the Internet using a botnet. The botnets find their way onto unsuspecting users’ computers through many means. Tempting offers of free software, games or other goods from illegitimate websites lure many consumers into loading botnets unknowingly. Computers can also be infected by visiting legitimate websites that have been compromised by Click Fraudsters.

Unlike many other online crimes, Click Fraud has no offline counterpart. One impact of Click Fraud is that the legal system has not been able to keep pace with it. Online crime is growing at a rapid rate that legislators have been unable to match. Adding to the problem is a lack of regulation across borders. While new antifraud laws are slowly being passed in the United States and the European Union, other countries have little or no regulation. In India in 2006, for example, advertisements looking to hire people to click on ads ran in national newspapers.

As an industry, online advertising is not going away anytime soon. Click Fraud will not be going away either. Given my background in law, it is obvious to me that just like with other legal issues regarding technology, legislators cannot keep up with the rapid pace with which Click Fraudsters change their tactics. Add in the challenges of enforcing laws across international borders and the problem becomes even more dire. It is therefore obvious that legal changes will not come soon, so other methods are necessary. With legal recourses lagging behind, it is up to industry to find ways to protect itself.


Twitter: To log or not to log: Is that the question?

As Twitter continues to thrive as the communications tool of choice amongst activists, dissenters and occupiers worldwide, it should be no surprise that the San Francisco-based company is drawing heightened attention from US law enforcement agencies. Most recently, and likely to the surprise of even the most conspiratorial privacy advocates, has been the Boston Police Department's subpoena for data on a hashtag, #bostonPD. Yes, a subpoena on a hashtag.

While Twitter has fought back against law enforcement agencies' attempts to get their hands on user data in the past, it seems to be losing more than it's winning. Twitter's defiance towards LEAs has been its policy to notify users when their accounts have been subpoenaed, a policy that LEAs have sought to bypass.

This attention from LEAs has led WikiLeaks to recommend a seemingly elegant solution:


With the support of WikiLeaks, the #NOLOGS hashtag is catching on quickly. No surprise there, as from an activist's perspective this seems like a winning move against the ever-growing Big Brother state. The question that needs to be asked, though, is: would this actually provide the protection that activists are looking for and need? Also, probably more importantly, what kind of effect would a switch to a #NOLOGS policy have on Twitter's 140 character worldwide conversation?

First let's look at Twitter's Privacy Policy to see what they log:

Log Data: Our servers automatically record information (“Log Data”) created by your use of the Services. Log Data may include information such as your IP address, browser type, the referring domain, pages visited, your mobile carrier, device and application IDs, and search terms. Other actions, such as interactions with our website, applications and advertisements, may also be included in Log Data. If we haven’t already deleted the Log Data earlier, we will either delete it or remove any common account identifiers, such as your username, full IP address, or email address, after 18 months.

And what that data is used for:

Law and Harm: We may preserve or disclose your information if we believe that it is reasonably necessary to comply with a law, regulation or legal request; to protect the safety of any person; to address fraud, security or technical issues; or to protect Twitter’s rights or property.

From a logging perspective it's important to consider the amount of data we are talking about here. Twitter claims to have 175 million users, a statistic that some debate. However, from a logging perspective it matters not if the account is fake or real; they are still getting logged. Regardless of how this data is compressed and stored, this is a LOT of data, every single day. While the average tweet is only 140 characters, when you count the included metadata (IP, location, date, time, browser type, the referring domain, pages visited, your mobile carrier, device and application IDs, and search terms) we are talking about a massive amount of log data. From a management perspective this is a lot of work. Storing and accessing that volume of data is likely not as easy as many would think, and from that perspective alone it would seem like Twitter would love to adopt a #NOLOGS policy.

However, if we dig a bit deeper into what this data may also be used for, beyond incriminating journalists and activists worldwide, it would seem like the chances of this ever happening are slim. According to their Privacy Policy, log data is also used for fraud, security and technical reasons.

Consider that account X is being reported as spam by a high percentage of users: why not cross-reference the IP address it's been connecting from (or even the address block) with other accounts recently being flagged as spam? Simple algorithms like this could potentially be an integral part of keeping Twitter safe and usable. It would certainly seem like sites like Facebook are using similar systems to thwart fraud as well. Consider the following screen shot, captured after Facebook detected malicious activity.
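The IP-block cross-reference sketched above, written out as an added example; it is not Twitter's code and says nothing about how Twitter actually uses its Log Data. The connection records, the flagged-account set and the /24 grouping are constructed assumptions.

```python
from collections import defaultdict
import ipaddress

# Constructed sample of recent connection records (account, source IP).
CONNECTIONS = [
    ("acct_a", "198.51.100.10"),
    ("acct_b", "198.51.100.12"),
    ("acct_c", "198.51.100.77"),
    ("acct_d", "203.0.113.5"),
    ("acct_e", "192.0.2.8"),
    ("acct_a", "198.51.100.11"),
]

# Accounts already reported as spam by a high percentage of users (constructed).
FLAGGED = {"acct_a", "acct_b"}


def block_of(ip, prefix=24):
    """Collapse an address to its /24 network so neighbouring addresses group together."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def suspicious_blocks(connections, flagged, prefix=24):
    """Address blocks that flagged accounts have connected from, keyed by block,
    with the number of distinct flagged accounts seen in each."""
    accounts_per_block = defaultdict(set)
    for acct, ip in connections:
        if acct in flagged:
            accounts_per_block[block_of(ip, prefix)].add(acct)
    return {blk: len(accts) for blk, accts in accounts_per_block.items()}


def related_accounts(connections, flagged, prefix=24):
    """Cross-reference: accounts not yet flagged that share a block with flagged ones.
    Returns {account: most flagged accounts sharing any of its blocks}; a higher
    number means stronger circumstantial evidence worth a reviewer's attention."""
    blocks = suspicious_blocks(connections, flagged, prefix)
    related = defaultdict(int)
    for acct, ip in connections:
        if acct in flagged:
            continue
        blk = block_of(ip, prefix)
        if blk in blocks:
            related[acct] = max(related[acct], blocks[blk])
    return dict(related)
```

Note that the check depends entirely on retaining the source IP per connection for some window; under a strict #NOLOGS policy there is nothing to cross-reference.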

Beyond fraud and security data, it’s hard to imagine that Twitter is not capitalizing off visited link data as well.  If that’s the case, adopting a #NOLOGS policy could potentially have financial implications for the company.

It would seem like Twitter understands the situation, and the ferocious opposition that can be felt when privacy is sacrificed for security, but should the question be around Twitter’s logging policy or the US LEA’s desire to be omnipresent?

Either way, it will be interesting to see if the #NOLOGS hashtag trends on or if this mission loses steam and is forgotten. While the privacy of its activist user base is clearly important to Twitter, when you weigh in all options it seems unlikely that they will adopt such a policy.

If Twitter does remain the activist’s communication tool of choice, one thing is clear: it will be increasingly difficult to appease both US LEA’s and the activist/privacy-supporting section of its user base.


Top 2012 Predictions

Happy New Year, everyone! Here are my top 5 network security predictions for next year:

1) More Hacktivist events: Anonymous moved from online to meatspace with their Occupy political events. While Anonymous may lose their luster throughout 2012, expect more online and offline gestures from hacktivists using data theft, DDoS, and website defacement as ways to embarrass governments and private corporations alike.
2) More hacks on industrial equipment: In 2011 we saw Stuxnet and Duqu take aim at industrial equipment via hacks into control software systems. Expect greater volume of attempts on control systems, be it for political espionage or generic nefarious misconduct.
3) Continued rise in popularity of hacking: We have seen a growing trend of hackers using social media to trade secrets, tools, and sell stolen or illegal data to each other. This will continue to help popularize and glamorize hacking as tools get more sophisticated. Expect more formalization of hacking marketplaces (want to buy a busy signal?) to provide a catalog of tools at anyone's disposal.
4) More spending on network security products: In response to many of this year's events, we will see spending on network security products continue to rise. However, data breaches will also continue to grow. Many customers will purchase point security products without setting or understanding a greater security strategy, which as a result will leave holes and vulnerabilities open. Others will outsource their security needs by seeking help from managed security service providers, fostering a large growth area.
5) Network security ingrained in the Military Industrial Complex: If anything, 2011 may be known as a turning point when hacking, data theft, espionage, and sabotage moved to cyberspace in as official a capacity as you can have in spy games. In 2012, we will see nations using both defensive and offensive mechanisms in announced campaigns and treaties and allocate additional resources to fund these programs.

I hope that everyone has a great and safe 2012!
