Canadians’ Online Privacy At Risk

From the “I can’t believe this is Canada” file, the government is pushing a new “lawful access” bill, basically granting the police and government officials the right and the means to spy on your internet usage freely and on a hunch.  Assuming, of course, that if you have nothing to hide, you should have no fear of arbitrary search and seizure.

Michael Geist has a good article about the bill and why it is crazy.  The insanity first becomes evident when Public Safety Minister Vic Toews tells people, “You can stand with us, or you can stand with the child pornographers.”  As if everyone with a desire for online privacy and against widespread internet surveillance is somehow automatically “for” child porn!  Yep, there is no middle ground here.  Line up with the rest of ’em, mate.

I agree with Tech Dirt’s post: this is totally ridiculous, and a cynical political move that assumes the Canadian public is stupid and will just roll over.  I sincerely hope that is not true, and that there is enough outcry against this bill that it is thrown out faster than last week’s Metro.  Yes, it may be difficult and time consuming to obtain a judge’s consent in the form of a warrant, but you don’t just subtract an individual’s rights from the equation in the name of expediency and convenience for law enforcement.  You cannot and should not assume that the entire public is suspect, and then launch a witch hunt to see who floats and who sinks!

Metrics. Not Just For Breakfast Anymore

Over the past couple of years, I have found myself being drawn back to my IT roots, looking to solve the same old problems that plagued IT when I was so much younger, had a full head of hair, and still had to learn that I hadn’t learned it all quite yet.  Back in the day, my boss asked me how the systems were running, and how IT was performing.

I thought a moment, and responded, “All of the systems appear to be running well, we haven’t had any downtime lately, and the server room is humming along nicely.”  He waited.  I broke the silence with “It’s all good.”  My boss, being the patient and well mannered fellow that he was, reiterated, “So the systems are all up, but how is IT doing?  Are we at capacity on any of the systems, and are our processes working like they should?”  I couldn’t respond honestly, so I admitted it.  He had never asked me before how our processes were working, so it must have been all that golf he had been playing lately that had gotten to him.  We were blind to whether we were doing the right things, and doing them well or poorly.  My engineers and I had put together some fantastic systems and processes for the company, reliable, scalable, capable, but had forgotten to consider how we would be able to measure when we needed to scale, improve, support, or replace them.  DOH!  We did have basic system health gauges, but that was just for monitoring CPU and RAM thresholds.  Time to think bigger, and smaller.

Why do we collect metrics?  Metrics are a critical component of management, whether it be Information Security, Projects, or Programs.  If you aren’t monitoring your exposures and measuring your results, how will you know whether you have been successful?  IT is all about strategy.  We implement systems in order to meet business objectives.  IT systems support the objectives of the business.  The business could still run without IT.  Much slower, ineffectively, inefficiently, and at a retarded pace, but the business could still run.  Without metrics, how do you prove the value that your IT or Security team is bringing to the organization?  How do you justify continued spending on improvements, new tools, new technologies?

Symantec Recommends Not Using pcAnywhere

Reuters reports that Symantec has taken the rare step of advising customers not to use one of its mainstay products, saying that the remote control software product pcAnywhere is at increased risk of getting hacked after details and code were stolen.  Symantec is asking customers to temporarily stop using the product until it releases an update to the software that will mitigate the risk of an attack.  pcAnywhere is also bundled with other titles, like Symantec’s Altiris line of software for managing corporate PCs.

This is a serious step, and I applaud Symantec for coming clean on the risks of this powerful and popular product.  Most vendors would simply warn users of increased risk and provide workaround and mitigation steps that may or may not be implementable or effective.  I hope that Symantec can release new code quickly, and overcome this unfortunate problem.

Cisco Q4-11 Global Threat Report

‘Tis the season for 2011 threat reports to start emerging, and here is Cisco’s contribution.  The Q4-11 report covers the period from 1 October 2011 through 31 December 2011.  This quarter’s contributors were Cisco Intrusion Prevention System (IPS), Cisco IronPort, Cisco Security Research and Operations (SR&O), and Cisco ScanSafe.

Highlights from the Cisco 4Q11 Global Threat Report include:

  • An overall average of 362 Web malware encounters per month occurred throughout 2011.
  • Enterprise users experienced an average of 339 Web malware encounters per month in the quarter.
  • The highest average rate of encounters occurred during September and October (698 and 697).
  • An average of 20,141 unique Web malware hosts were encountered per month in 2011, compared to 14,217 per month in 2010.
  • During 4Q11, 33% of Web malware was zero-day, not detectable by traditional signature-based methodologies.
  • The rate of SQL injection signature events remained steady, with a slight decrease observed as the quarter progressed.
  • Denial-of-service events increased slightly over the course of 4Q11.
  • Global spam volumes continued to decline throughout 2011.

Symantec Source Code Follow-up

In a follow-up to a previous post, it looks like Symantec has backed away from earlier statements regarding the theft of source code of some of its security products, now admitting that its own network was compromised.  In a statement provided to Reuters, the security software maker acknowledged that hackers had broken into its network and stolen source code of some of the company’s security applications.

Symantec had insisted previously that hackers stole the code from a third party, but corrected that statement on Tuesday after an investigation found that Symantec’s own networks had been infiltrated six years ago.  The list of software has also increased, now including Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere.

If you have these products installed, you may be at increased risk.  The best advice that I can offer is to make sure that you have secured these products to their fullest, that their exposure to potential threat vectors is minimized, and that any systems that use them are monitored for abnormal behavior and network traffic.
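One concrete way to act on the “minimize exposure and monitor traffic” advice above is to watch for pcAnywhere listeners being reached from anywhere other than your management network, and for a single source sweeping several hosts on those ports.  The following is an added example, not code from Symantec or from the original post.  It assumes pcAnywhere’s documented default ports (TCP 5631 for data, UDP 5632 for status), a simple key=value firewall log format, and a management subnet of 10.0.50.0/24; the log lines are constructed for the example.

```python
import ipaddress
import re

# Documented default pcAnywhere listener ports. Assumption for this example:
# the monitored hosts have not been reconfigured to use other ports.
PCANYWHERE_PORTS = {("tcp", 5631), ("udp", 5632)}

# Assumption: the only hosts that should ever initiate pcAnywhere sessions.
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.50.0/24")]

# Constructed sample firewall log (not real data). The key=value field names
# are assumed for this example; adapt parse_line() to your own log format.
SAMPLE_LOG = """\
ts=2012-01-26T09:15:02Z action=allow proto=tcp src=10.0.50.12 dst=10.0.7.21 dport=5631
ts=2012-01-26T09:16:40Z action=allow proto=udp src=10.0.50.12 dst=10.0.7.21 dport=5632
ts=2012-01-26T11:02:11Z action=allow proto=tcp src=198.51.100.77 dst=10.0.7.21 dport=5631
ts=2012-01-26T11:02:12Z action=allow proto=tcp src=198.51.100.77 dst=10.0.7.22 dport=5631
ts=2012-01-26T11:02:13Z action=allow proto=tcp src=198.51.100.77 dst=10.0.7.23 dport=5631
ts=2012-01-26T12:30:00Z action=allow proto=tcp src=10.0.9.5 dst=10.0.7.21 dport=443
ts=2012-01-26T13:45:09Z action=deny proto=tcp src=203.0.113.9 dst=10.0.7.21 dport=5631
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict, or None if it is malformed."""
    fields = dict(LINE_RE.findall(line))
    required = {"ts", "action", "proto", "src", "dst", "dport"}
    if not required <= fields.keys():
        return None
    try:
        fields["dport"] = int(fields["dport"])
        fields["src_ip"] = ipaddress.ip_address(fields["src"])
    except ValueError:
        return None
    return fields


def is_allowed_source(ip):
    """True if the source address lies inside the management network."""
    return any(ip in net for net in ALLOWED_SOURCES)


def find_pcanywhere_exposure(log_text, sweep_threshold=3):
    """Return (alerts, sweeps).

    alerts: allowed pcAnywhere connections whose source is outside the
            management network (one parsed log record each).
    sweeps: source IPs that touched pcAnywhere ports on at least
            sweep_threshold distinct destinations, allowed or denied,
            which looks like someone scanning for exposed listeners.
    """
    alerts = []
    targets_by_src = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if (rec["proto"], rec["dport"]) not in PCANYWHERE_PORTS:
            continue  # not pcAnywhere traffic
        targets_by_src.setdefault(rec["src"], set()).add(rec["dst"])
        if rec["action"] == "allow" and not is_allowed_source(rec["src_ip"]):
            alerts.append(rec)
    sweeps = sorted(src for src, dsts in targets_by_src.items()
                    if len(dsts) >= sweep_threshold)
    return alerts, sweeps


if __name__ == "__main__":
    found_alerts, found_sweeps = find_pcanywhere_exposure(SAMPLE_LOG)
    for a in found_alerts:
        print(f"ALERT {a['ts']} {a['src']} -> {a['dst']}:{a['dport']}/{a['proto']}")
    for s in found_sweeps:
        print(f"SWEEP {s} touched multiple pcAnywhere listeners")
```

On the constructed log this flags the three allowed sessions from 198.51.100.77 and reports that address as a sweep; the denied probe from 203.0.113.9 is counted toward sweep detection but not alerted, since the firewall already blocked it.  Denied-but-repeated probes are worth keeping in the sweep logic because they show that listeners are being hunted for even when the perimeter holds.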

Microsoft Prepares Threat Intelligence Service

ThreatPost reports that Microsoft is testing a new service to distribute information from captured botnets and other sources to partners, including foreign governments, Computer Emergency Response Teams (CERTs) and private corporations.

Microsoft expects to offer three real-time feeds, which third parties could access for free.  Organizations would provide Microsoft with information on their IT infrastructure, such as an IP address block that they own.  Microsoft would then filter its threat feed by that information, supplying subscribers with data relevant to their infrastructure.  Companies could use the data to look for malware infections, or correlate data on botnet hosts with data on click fraud and other scams.  CERTs might be interested in threats relevant to their region.  Microsoft hopes this service will also help smaller organizations battle large, powerful, global botnets, lowering the cost of monitoring and responding to infections.  The company wouldn’t give a timeline for the real-time threat feed.

Despite the proliferation of “Bad Microsoft, just fix your code” comments on the ThreatPost site, I personally see this as the right track to take given the current state of things, and applaud the moxie Microsoft is showing in the battle against malware.  Yes, Microsoft and EVERY other vendor needs to constantly improve their code and coding practices.  Blah blah blah.  What will NEVER happen is that one day we will wake up and all code will be impervious to attack and exploitation.  We have yet to perfect human creativity, and we are light years away from producing unflawed anything.  Give it a rest.

My concerns with this I hope are addressed before Microsoft opens the feed-gates.  How will the data that is captured from botnet command and control servers, and I suspect from data repositories associated with those C&Cs, be managed?  Will it be handed over intact, leaving anyone infected subject to their own personal wiki-leaks in reverse (Government gets your goodies), or will it be properly sanitized to protect individual privacy?  How will this data cleansing be made transparent?  I trust everybody at the table, as long as I can cut the cards and watch the deal…
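The two mechanics described above, filtering sightings by the netblocks a subscriber registers, and releasing only what a subscriber needs rather than everything scraped from a C&C, can be shown in a few dozen lines.  What follows is an added example and not Microsoft’s code; the page does not describe the real feed’s schema, so the record fields, the “releasable fields” list, and the sample sightings are all constructed for the example.  Captured credentials are replaced with a keyed hash (a per-feed secret here called a pepper) so a subscriber can tell that two infected hosts leaked the same credential without ever receiving the credential itself.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample sightings as they might sit in a sinkhole database
# (not real data; field names are assumed for this example).
SAMPLE_FEED = [
    {"seen": "2012-01-30T08:00:00Z", "victim_ip": "192.0.2.15",
     "family": "Rustock", "c2_host": "c2.example.net",
     "stolen_creds": "alice:hunter2"},
    {"seen": "2012-01-30T08:05:00Z", "victim_ip": "192.0.2.200",
     "family": "Kelihos", "c2_host": "c2.example.org",
     "stolen_creds": None},
    {"seen": "2012-01-30T08:07:00Z", "victim_ip": "198.51.100.9",
     "family": "Rustock", "c2_host": "c2.example.net",
     "stolen_creds": "alice:hunter2"},
    {"seen": "2012-01-30T08:09:00Z", "victim_ip": "203.0.113.42",
     "family": "Waledac", "c2_host": "c2.example.com",
     "stolen_creds": None},
]

# Assumption: the only fields a subscriber needs to find and clean a host.
RELEASABLE_FIELDS = ("seen", "victim_ip", "family", "c2_host")


def parse_subscriber_blocks(cidrs):
    """Validate the netblocks a subscriber registers.

    strict=True rejects host bits set in a prefix (e.g. 10.1.2.3/8), and
    very short prefixes are refused so nobody can register half the
    internet and receive everyone else's sightings (the /8 cut-off is an
    assumption for this example).
    """
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.prefixlen < 8:
            raise ValueError(f"netblock too broad: {cidr}")
        nets.append(net)
    return nets


def sanitize(record, pepper):
    """Keep only releasable fields and fingerprint any captured credential."""
    out = {key: record[key] for key in RELEASABLE_FIELDS}
    creds = record.get("stolen_creds")
    if creds:
        # HMAC with a feed-side secret: subscribers can match equal
        # fingerprints but cannot brute-force the credential from the hash.
        digest = hmac.new(pepper, creds.encode("utf-8"), hashlib.sha256)
        out["cred_fingerprint"] = digest.hexdigest()[:16]
    else:
        out["cred_fingerprint"] = None
    return out


def feed_for_subscriber(feed, cidrs, pepper):
    """Return sanitized sightings whose victim IP falls in the subscriber's blocks."""
    nets = parse_subscriber_blocks(cidrs)
    released = []
    for rec in feed:
        victim = ipaddress.ip_address(rec["victim_ip"])
        if any(victim in net for net in nets):
            released.append(sanitize(rec, pepper))
    return released


if __name__ == "__main__":
    for row in feed_for_subscriber(SAMPLE_FEED, ["192.0.2.0/24"], b"feed-secret"):
        print(row)
```

Filtering happens on the feed side, so a subscriber that registers 192.0.2.0/24 never sees the 198.51.100.9 or 203.0.113.42 sightings at all, and no subscriber ever receives the raw `stolen_creds` field.  Publishing the list of releasable fields and the fingerprinting rule would be one way to make the data cleansing transparent.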

Arachni v0.4 Web App Security Scanner

Tasos Laskos at Zapotek reports that Arachni 0.4 Open Source Web Application Security Scanner Framework is now available, and this new version makes this tool even faster and more useful than ever.

If you are not familiar with Arachni, it is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.  The application trains itself by learning from the HTTP responses it receives during the audit process, and is able to perform meta-analysis to assess the trustworthiness of results and identify false-positives.

It takes into account the dynamic nature of web applications, can detect changes caused while travelling through the paths of a web application, and is able to make adjustments accordingly.  This way, attack/input vectors that would otherwise be undetectable by non-humans are seamlessly handled by Arachni.

Arachni is versatile, covering a great deal of use cases, ranging from a simple command line scan, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits.

The addition of the Grid scanning capability allows you to connect multiple nodes into a grid to perform lightning-fast scans.  Arachni distributes the workload granularly, down to individual page elements, to ensure optimal distribution, aggregating bandwidth and CPU across the nodes.

It will work under any flavor of Unix that supports Ruby, including Cygwin for Windows installations.


nCircle Suite360 Updated

Vulnerability Management vendor nCircle has announced new versions of every product in the Suite360 product line, enabling organizations to improve security, manage change and configuration, and measure and report on compliance.  The updates add new features, performance enhancements and increased coverage, allowing nCircle customers to scan their networks for over 48,000 information security risk conditions.

nCircle products have always focused on creating actionable security and compliance intelligence.  This release adds valuable features that make it even easier for customers to achieve continuous monitoring, improve security and prove compliance.  I highly recommend them.

Carrier-IQ SmartPhone Monitoring Analysis

I am sure that everyone who reads this has already heard that there is a big kerfuffle raging over claims that the software monitors and eavesdrops on smartphone-based phone calls and text messages, and even logs keystrokes.

According to Dan Rosenberg’s blog, he has done some detailed analysis on the software, and has found the following to be true on his Samsung handset:

  • CarrierIQ (on his particular phone) can record which dialer buttons are pressed, in order to determine the destination of a phone call.
  • CarrierIQ cannot record any other keystrokes besides those that occur using the dialer.
  • CarrierIQ cannot record SMS text bodies, the contents of web pages, or email contents, even if carriers and handset manufacturers wished to.  There is simply no “metric” designed to carry this information.
  • CarrierIQ (on this particular phone) can report GPS location data in some situations.
  • CarrierIQ can record the URLs that are being visited (including for HTTPS resources), but not the contents of those pages or other HTTP data.