
NAC another victim of economic downturn?

Posted by Paul Roberts on July 1st, 2009 under NAC.

A recent report by research firm Infonetics claims that network access control (NAC) appliance sales have been among the hardest hit in the current economic climate, outpacing the rest of the network security space.

The report states that the NAC market fell by 32% between the third and fourth quarters of 2008. Given the scale of the economic meltdown, and that an important NAC customer base lies with financial institutions that were hit hardest, this shouldn’t be surprising. But don’t despair: Infonetics forecasts NAC will be back on top by the end of 2009, and riding high as a $700m industry by 2013.

We don’t participate in market sizing or forecasting of the hard-numbered type. What we can say is that there’s been a considerable amount of movement in the NAC space over the past six months. Autonomic Networks and Nevis Networks have submerged while other players have managed to hold tight and even grow. In February 2009 StillSecure branched into managed services with ProtectPoint, while Trustwave acquired Mirage Networks; both deals combine NAC chops with managed services plays. Appliance vendor Nevis has decamped to India while ConSentry has recapitalized with a valuation far lower than the $80m to $90m put into the company. We expect this kind of movement and consolidation to continue over the next few quarters until NAC, along with the rest of the network security market, can pull itself out of this slump.

– Lauren Eckenroth, Research Associate, Enterprise Security, contributed to this blog entry.

TJX settlement sets low bar: $0.10 penalty per account

Posted by Lauren Eckenroth on June 26th, 2009 under Breaches, Data Protection, e-crime.

What’s the cost to companies for lax security that leads to identity theft? About $0.10 per stolen identity, as it turns out.

TJX announced Tuesday it had reached a $9.75m settlement with the group of 41 State Attorneys General investigating the now infamous 2006 breach that exposed up to 94 million credit and debit card numbers. The group was led by Massachusetts Attorney General Martha Coakley with the help of Attorneys General in Arkansas, California, Connecticut, Florida, Illinois, New Jersey, Ohio, Oregon, Pennsylvania, Tennessee and Vermont.

Under the terms of the settlement, TJX must pay $1.75m to cover the cost of the states’ investigation and $2.5m to establish a Data Security Trust Fund available to the states’ Attorneys General to enforce policy developments in data security and consumer protection. This leaves a paltry $5.5m in settlement fees to be split among the 41 states for use in data security initiatives; Massachusetts is slated to receive $951,000. Given the scope of the breach, TJX has gotten off easy, paying out roughly $0.10 per exposed credit or debit card number. The funds will come from a $107m reserve set up by TJX in 2007 to cover costs associated with the breach.

In addition to the monetary penalty, TJX must comply with an information security program laid out by the Attorneys General. The company must obtain a third party assessment and report “regularly” to the group. Among the actions mandated by the program, TJX must agree to: upgrade its WEP systems to wired or Wi-Fi protected access systems; safely discard consumer account data once it has been processed for legitimate business purposes; implement firewalls, access controls, etc. to segment the areas of the TJX network that process personal information; and implement an appropriate password management system for the part of the network that handles personal information.

Of course, this settlement is only the latest development in the storm created by the largest reported data breach to date. TJX has already settled with major credit card companies Visa (for $40.9m) and MasterCard ($24m). In August 2008, 11 people were arrested and charged with aggravated identity theft, conspiracy, and computer intrusion related to the breach; and in January 2009, a Ukrainian hacker linked to the TJX breach was sentenced to 30 years in a Turkish prison (yikes).

To combat breaches of this nature, Massachusetts has since passed a data privacy law that requires all companies that “own, license, store or maintain personal information” to comply with broad regulations for handling transaction and personnel-based data. That law sets a higher bar for breaches: $5,000 per violation. By that measure, TJX would have had to pay out far more — around $470 billion — in penalties.

Google Wave - a game changer?

Posted by Steve Coplan on June 2nd, 2009 under Identity Metadata, Identity and Access Management.

Amidst all the breathless commentary on how Google Wave is what email would be like if we only knew then what we know now, what has gone unnoticed is that Google is essentially using SMTP as the jumping off point for an entirely new model for federation. Federation in its current iteration amounts to securely facilitating cross-domain authentication and lightweight authorization through metadata exchange between two parties. What Google Wave entails is an any-to-any dynamic message transfer between two participating ‘wave servers’. The connection is based on the ‘handshake’ process between two servers that have each deemed the other party acceptable based on its globally unique wave id, which is a pair of a domain name and an id string. However, Google has advanced down the path of developing a protocol that will define the parameters of how a user can interact with a living document - using the principles of operational transformation.

The potential to pull in work done in the area of messaging protocols (like AMQP) and data classification through extensions to the protocol is, from my perspective, huge when seen in the context of mapping actual business process to policy logic. Thousands of Wave servers can subscribe to a policy server, allowing for large-scale automation of access and collaboration decisions, as well as the creation of a standalone, abstracted policy management tier with direct interaction with the policy decision tier. Also, the Wave model not only allows for 1 to n connectivity, but also the ability to establish hierarchies within federated relationships. This is an important advance when you consider the need to balance privacy (or degree of data lockdown) and openness - which could be paraphrased as “share as much as you need to when you have to”. The ability to establish hierarchical sharing constructs based on resource and user profile - what Google describes as winnowing - by tackling the inherent tension between security, privacy and access, will ultimately have critical repercussions. My thanks to Chris Swan for highlighting this aspect of the Wave initiative.

There’s been some speculation that SharePoint is the target here. Given SharePoint’s success, that’s certainly a possibility - although Google claims that Wave has been in development for four years, predating the rise of SharePoint. Instead, what Wave could offer is the integration of Geneva Server and SharePoint, with possibly a Ping Identity or TriCipher acting as a clearinghouse. Either way, identity management players are going to have to make an explicit strategic decision at some point in the not too distant future: either for or against Google Wave.

Some context around the Cyveillance acquisition

Posted by Nick Selby on May 6th, 2009 under Anti Data Leakage, Breaches, Cyber intelligence, Data Protection, Policy Enforcement, Web threat detection, anti malware, e-crime.

A growing number of firms are trying to capitalize on the trend toward proactive intelligence and prevention of e-crime, and the announcement today of the acquisition of Arlington, VA-based cyber intel firm Cyveillance by defense contractor Qinetiq speaks directly to the fundamental underlying trend behind this.

As we wrote recently in our ESP Quarterly, ‘The Evolving Endpoint Agent‘, the past three years have witnessed a revolution in malicious code writing. Professional, well-funded organized criminal groups have poured resources into the development of more powerful and versatile programs. Their goal is the theft of personally identifiable information, the theft of intellectual property, and the enrollment of millions of hosts into large botnet armies designed to distribute tasks, generating the computing power necessary to perpetrate fraud, theft and brute-force attacks.

More important, the criminal groups committing these crimes have become larger and more sophisticated. As criminals go, so do terrorists and those who seek to fund terror. For the first time, this brings the world of viruses, phishing scams and other fraud out of the realm of commerce and smack into the world of nation-state intelligence services: when your enemy is funding his operations through phishing, phishing becomes a security priority. For government, leaving commercial, public networks out of the picture when it comes to cyber security is simply no longer a tenable option.

This is not to suggest that government has responded in an organized or consistent fashion to the threats at hand: it has not. Lumpy and uneven distribution of understanding of the core issues; a notable lag in government agencies’ ability to formulate a response, lobby for budget and gain mandates to conduct cyber-intelligence operations; and internecine squabbling over turf and other issues have plagued efforts to enumerate, let alone catch, bad guys. But the will is there, efforts are underway and the response will come – it’s just a question of working the system until it’s good to go.

At the same time, those at the business end of the battle over cyber crime and cyber terror – financial institutions, mainly – are facing challenges like never before. Some time ago, we saw a sea change: banks began to cooperate in ways previously unseen in terms of the sharing of information about common threats. Until very recently, this kind of information was considered to be competitively sensitive – by revealing specific threat vectors, one risks having a rival reverse-engineer an IT landscape in the same manner as it has been reverse-engineered by a cyber criminal creating malware that specifically targets a given bank.

Yet the volume of attacks and their sophistication increased so dramatically that banks had no choice but to begin teaming up to confront a common enemy. The National Cyber-Forensics and Training Alliance (NCFTA), for example, was created to be a neutral collaborative forum in which critical and confidential information about cyber incidents could be shared among industry, academia and law enforcement.

Conversations with information security professionals of the type that would join NCFTA, informal polling of banking IT security professionals and general industry scuttlebutt hold one thing to be true: at this point, we are approaching the ceiling of what we can do reactively. People want proactive tools.

Not to put too fine a point on it, people want aggressive preemptive action taken against bad guys. The use of force, something which is rare to hear information security professionals talk about, is now being discussed at least theoretically. But to even consider any kind of action, you have to find out who’s doing what, when, to whom, and how. Then at least you can have discussions about a range of pre-emptive moves. Until you do that, you’re shouting at the surf.

Cyveillance gathers intelligence about the villainous and illegal use of digital content, and the misrepresentation and resale of digital content into real-world assets. The high-level issues that concern Cyveillance’s client organizations around the world involve cyber-squatting for the purposes of fraud and phishing; online sales of counterfeit and stolen goods; and the peddling of stolen digital assets. In addition, the vendor can provide valuable insight into a slew of other areas, from mere smut peddling, distribution of dangerous child pornography and criminal communications to other spooky stuff. Typically, Cyveillance messages around the first three areas, and conducts the latter quietly on behalf of various government and law enforcement agencies.

We have written a deal analysis of the acquisition which runs tonight in our TechDealmaker service containing target and acquirer profiles, deal rationale and deal details.

Dynamics of e-Crime

Posted by Nick Selby on May 6th, 2009 under Spin, Uncategorized.

Last week in London I did a panel on the Dynamics of e-Crime at the excellent InfoSecurity conference. What follows is the really high level introduction that I gave to the conversation, and a link to the PowerPoint deck I used.

Panelists:

James Brokenshire MP, Shadow Crime Reduction Minister And Member of Parliament for Hornchurch
Mike Humphrey, Head Of Information Assurance & Accreditation Serious Organised Crime Agency
Howard Schmidt, President & CEO Information Security Forum Ltd. UK

Introductory Remarks
Nick Selby, VP & Research Director, Enterprise Security, The 451 Group:

As the availability of broadband Internet continues to rise, and computing power and Internet access continues to democratize, holes in the regulatory landscape have appeared. The crimes themselves – fraud, social engineering, theft – have not changed. Nor have the motives – profit seeking, fundraising for illegal activities or terror, money laundering of illicit gain, the list goes on.

What has changed is the medium in which these crimes are committed, and with that change in medium came a change in scale. Criminals are now able to reach a larger pool of targets faster and more effectively than ever before. At the same time, lawmakers struggle to understand technological advances, and are frequently concerned that laws to restrict criminal activities will stanch commercial initiatives.

Law enforcement is faced with a vexing problem: trying to understand jurisdictional issues and rapidly changing regulations.

Criminals, terrorists, drug dealers and others seeking to hide and monetize illegal activity and launder ill-gotten gains are taking keen advantage of this lag. Their risk in doing so is relatively low compared to other criminal endeavours, their chances for success high, and the scale of success even larger. The risk of being successfully prosecuted even if caught is even lower, and their risk of doing serious jail time even lower due to the process of adapting and creating laws to deal with these types of crime.

At the same time, the worldwide economic slowdown has created desperation among many. Many are more tempted than ever to find ways to get rich – or even get liquid – quick. Some of this large and growing number of people will do the maths I just set forth and turn to crime, while others will become victims of fraud.

This is the environment in which we currently find ourselves. Our panel today will discuss these issues in more specific detail. We will break the subjects generally into three categories: how citizens are affected by these trends, what government and law enforcement can do, and finally we will discuss some of the opportunities available to entrepreneurs and private industry.

–End of remarks–

Download the presentation

I thought the panel went well and was well-attended. We had some interesting questions, especially the one from Steve Howarth, a detective inspector from the Met police’s e-Crime unit. He mentioned the appalling lack of resources his team has. More on that in another post, soon to come.

A good RSA filter: stuff you _have_ to own

Posted by Paul Roberts on April 21st, 2009 under Anti Data Leakage, Data Protection, NAC, RSA Conference, Security Conferences, physical security.

I’m here with the rest of the 451 security team at the annual RSA Conference and looking ahead to a busy day of briefings today, tomorrow and Thursday, after a more manageable day yesterday. With all the information that streams at you at a big show like this, it can be tough to keep your bearings and see through all the marketing hype. RSA can be a launching pad for interesting, new businesses, and even entire new categories of firms. As an example, this year’s RSA innovative new company is AlertEnterprise, a converged physical and IT security outfit that appears to be targeting the energy vertical. Very “Dr. No” type stuff. Very cool. I’m gonna stop by their booth.

Of course, there’s no guarantee that those companies or their technology will have staying power. One need only look to past years’ “Tomorrowland” visions around things like converged security or even more quotidian visions, such as network access control, to be reminded that marketing spend != viability.

One good mental yardstick I like to use is to ask myself (and often the companies I’m talking with) why an enterprise _needs_ to own their technology. In the case of NAC, which came about as a way to stop virus and worm outbreaks behind the firewall, there was no one thing compelling companies to make a big investment, though almost everyone agreed on the usefulness of NAC in the abstract. On the flip side, the Payment Card Industry’s PCI DSS gave an enormous boost to vulnerability management firms, anti virus firms and, now, companies that make Web security products like secure Web gateways and Web application testing tools: PCI audits specifically called for the use of those technologies, compelling companies to make an investment, or at least come up with some form of compensating controls.

This year, I’m looking for the impact of new and toughened data privacy laws, such as Massachusetts’ new data privacy provisions, the FTC’s Red Flag Rules and a toughened, toothier HIPAA from DHHS and the federal government (much more on that later!) Which companies stand to benefit (or not) from the provisions of these new laws concerning protection of consumer information, financial data and health information? It’s early days here at RSA, but I’ve already briefed with two firms in a fast-developing sector that plays right into the increased focus on data privacy: Camouflage and Dataguise. Both sell data masking tools that allow companies to protect sensitive information in databases that are used for testing and other development purposes.

The concept here is fairly simple: companies that do application development want to be able to use the best data possible to test their applications. Often, that means using actual, production data. But the loose security practices that often characterize development environments, not to mention the increased use of outsourcing, preclude the practice of piping production data into a test environment. Enter data masking firms like Dataguise and Camouflage, which sell technology that can replace sensitive data with fake test data without compromising data integrity (i.e. credit card and social security numbers still look like credit card and social security numbers, etc.) Vendors point to regulations like PCI Section 6.3.4, which calls on companies to look at data used in testing, as a major driver - but not the only one.

IBM’s been in this space since at least 2007, and some of these firms have been around - in one form or another - for almost a decade. Still, the data masking issue is picking up steam: Forbes recently addressed it in an article, and it’s likely to get a lot more attention as companies become more attuned to the gaping hole that internal development efforts punch in their data security and data protection plans.
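To make the data masking idea concrete, here is an added example (not code from Dataguise, Camouflage or IBM) of the kind of transformation such tools perform: card numbers and social security numbers are replaced with synthetic values that keep the original layout, pass the same validity checks (Luhn for cards, the basic SSN range rules) and, because the replacement is derived from a keyed hash of the real value, map consistently across tables so joins in the test database still line up. The key, field names and sample rows are constructed for the example.

```python
import hashlib
import hmac
import random
import re

# Added example: deterministic, format-preserving masking of card numbers and
# SSNs for test databases. Not any vendor's implementation; the key, field
# names and sample rows below are constructed for illustration.


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string that does not yet include one."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the digits of `number` (separators ignored) pass the Luhn check."""
    digits = re.sub(r"\D", "", number)
    return len(digits) >= 2 and luhn_check_digit(digits[:-1]) == digits[-1]


def _keyed_rng(key: bytes, label: bytes, value: str) -> random.Random:
    # Seed a PRNG from HMAC(key, value): the same real value always masks to the
    # same fake one, so rows that joined on the real value still join after masking.
    seed = hmac.new(key, label + value.encode(), hashlib.sha256).digest()
    return random.Random(seed)


def _refill(template: str, new_digits: str) -> str:
    # Drop the new digits back into the original layout, keeping separators in place.
    it = iter(new_digits)
    return "".join(next(it) if ch.isdigit() else ch for ch in template)


def mask_pan(pan: str, key: bytes) -> str:
    """Replace a card number with a synthetic one of the same length and layout.

    The leading digit (card brand) is kept so routing/validation logic in the
    application under test behaves as it would on real data; the remaining
    digits are pseudo-random and a fresh Luhn check digit is appended.
    """
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a card number: %r" % pan)
    rng = _keyed_rng(key, b"pan:", digits)
    payload = digits[0] + "".join(str(rng.randrange(10)) for _ in range(len(digits) - 2))
    return _refill(pan, payload + luhn_check_digit(payload))


def mask_ssn(ssn: str, key: bytes) -> str:
    """Replace an SSN with a synthetic one that still looks like a valid SSN."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("not an SSN: %r" % ssn)
    rng = _keyed_rng(key, b"ssn:", digits)
    while True:
        area = rng.randrange(1, 900)       # 001-899; 000 and 900+ are never issued
        if area == 666:                    # 666 is never issued either
            continue
        group = rng.randrange(1, 100)      # 01-99
        serial = rng.randrange(1, 10000)   # 0001-9999
        return _refill(ssn, "%03d%02d%04d" % (area, group, serial))


# Column name -> masking function. Other columns pass through untouched.
MASKERS = {"card_number": mask_pan, "ssn": mask_ssn}


def mask_record(row: dict, key: bytes) -> dict:
    """Mask the sensitive columns of one database row."""
    return {k: (MASKERS[k](v, key) if k in MASKERS and v else v) for k, v in row.items()}


if __name__ == "__main__":
    KEY = b"constructed-demo-key-use-one-per-environment"
    ROWS = [  # constructed sample rows; the card numbers are the usual test PANs
        {"customer": "alice", "card_number": "4111 1111 1111 1111", "ssn": "123-45-6789"},
        {"customer": "bob", "card_number": "5555555555554444", "ssn": "987654321"},
    ]
    for row in ROWS:
        print(mask_record(row, KEY))
```

The masking key has to be treated as a secret of the production side: anyone holding it can confirm whether a guessed real value maps to a given masked one, which is why the same key should never travel with the test database it produced.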

Oracle sails into the Sun - the identity angle

Posted by Steve Coplan on April 20th, 2009 under Uncategorized.

I suppose I can thank Oracle for providing me with a reliable conversation topic over the next few days at RSA. My perspective is that although IAM specifically is unlikely to have figured prominently in the deal deliberations, the acquisition will likely have far-reaching repercussions for the IAM market.

While Oracle is a recent entrant to the market relative to Sun, IBM and CA with technology derived entirely from acquisition, it is generating the fastest growth and has put the incumbents on the back foot. There is more overlap in terms of product portfolio, thorny integration issues and open source questions ahead compared with an IBM acquisition, but we expect that a shiver has run down many spines at IBM and CA. Sun has suffered from a weak sales organization even as product development has remained strong. Clearly, there are significant integration risks, but at a high level, Sun products will now have a favorable sales model behind them.

Oracle will gain Sun’s directory and federated identity technology and in theory Sun will have Oracle’s Entitlement Server, Adaptive Access Manager for risk-based authentication and upcoming data governance integration at its disposal. But outside of those complementary areas, there will be plenty of overlap in provisioning and Web access management (although a shared SSO OEM in Passlogix). The integration issues are ameliorated by a common Java technology platform but the challenge should not be overestimated, particularly in light of Sun’s open source approach and emphasis on the services layer.

Rivals may have some window of opportunity as the decision process takes its course - since it is unlikely to have been given that much thought in the deal run up - but we expect that to be short-lived. Of all the major IT vendors, Oracle has proven the most adept at minimizing acquisition and integration disruptions.

Would an open source approach have helped with ILM2 delay?

Posted by Steve Coplan on March 31st, 2009 under Identity and Access Management.

I can’t comment on the technical challenges involved - but the delay of close to a year in the release of Microsoft’s Identity Lifecycle Manager (ILM) 2.0 is clearly a blow to the Microsoft identity ‘ecosystem’. There are sure to be competitors who feel like they can breathe a sigh of relief, but not having a strong Microsoft set of products for provisioning and credential lifecycle management has to be seen on balance as a negative for the market as a whole and certainly for technology buyers. Given that there is a natural community for whom the downside of the delay is significant, the question in my mind is whether the need to delay the release could have been diminished by adopting some open source approach. This is not just an attempt to set the cat among the pigeons (or any other number of other metaphors for creating controversy). I think it’s a legitimate question whether the transparency of an open source project and combining the talents and expertise of a like-minded community with a specific, shared goal would have smoothed out the development process, or at least made the debugging process more efficient and productive.


Waiting for Conficker…in my opinion we were here.

Posted by Paul Roberts on March 31st, 2009 under Uncategorized, anti malware.

ESTRAGON: In my opinion we were here.
VLADIMIR: (looking round). You recognize the place?
ESTRAGON: I didn’t say that.

– Waiting for Godot, Act 1. Samuel Beckett

I’m going to have to excuse myself for sitting out most of the hype storm about the coming Conficker worm conflagration but, to be honest, I’ve been here before.

I’ll explain what I mean by that. But first, for those PD readers that have been hiding in a cave, here’s where things stand:

Conficker is a widespread Windows based worm and information stealing Trojan that is poised to launch a coordinated “action” on April 1st that will, depending on who you’re talking to, bring the Internet to its knees, or flop harder than A-Rod in an ALCS playoff game. It first appeared in late November and — like most computer viruses — also has more aliases than Jason Bourne. You might also have heard mention of Downadup, or Kido or Pakes? They’re all the same beast. Conficker spreads over computer networks by exploiting unpatched Windows machines (again, for the cave dwellers, MS08-067 is the patch you need) by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE) and by brute force attacks on networked computers and file shares that are secured with weak administrator passwords. There’s an excellent writeup on the worm available on Ars Technica. Read up, then apply the patch. A more technical analysis from SRI International is available here. (Thanks to SANS’ ISC for the link.) The Honeynet Project also has an analysis of Conficker available on its Web site.

With the deadline fast approaching — indeed racing across Conficker infected countries like South Korea — the media hype (including a sensational(ist) piece by 60 Minutes correspondent Lesley Stahl) has set the stage for a Y2K style conflagration, but (willingly) overlooked the consensus opinion of security experts, which is that Conficker’s April 1 surprise will be a big nothing. Indeed, SANS Internet Storm Center predicts “business as usual” on April 1st.

Rest assured, this won’t be the first or the last time that the public is treated to a media-induced roller coaster ride about computer security. If you remember, the Code Red Worm had a similar “attack” programmed into its code back in 2001. That denial of service attack was directed at an IP address that corresponded to the Web site of the White House. Government officials sidestepped the attack by pointing the Web site to a new IP address — an early victory for the administration of George W. Bush. ;-)


Third parties take up enterprise security banner for iPhone

Posted by Paul Roberts on March 25th, 2009 under Data Protection, Malware, Policy Enforcement, Web threat detection, anti malware.

I recently contributed an opinion piece to a new, online security news Web site on the topic of mobile phone security. In it, I pushed a couple different ideas. The main thesis, which I based on conversations with anti malware vendors, was that the consumerization of IT — evident in adoption of platforms like the Blackberry and iPhone — had opened a gulf between mobile device users and their employers. In contrast to five years ago — or even two years ago — employees are using their mobile devices to surf the Web, e-mail, IM and access enterprise resources. However, most enterprises still don’t have an easy way to track and manage those mobile devices or ensure that they adhere to corporate IT security policies for data protection. In fact, mobile security management tools offered by companies like Symantec and Trend Micro still don’t support the iPhone or Blackberry, despite widespread adoption by employees. As I point out in my piece for Threatpost, this is another manifestation of the loss of control that goes along with the “consumerization of IT” — user adoption of cool new tools and gadgets that runs far ahead of the ability of enterprise IT shops to keep up.

Not that security software vendors are all to blame. In the case of the iPhone, the word is that Apple doesn’t want to give third parties access to the kernel level APIs they need to do realtime threat protection or data encryption. In the meantime, the company’s development efforts haven’t prioritized enterprise concerns. As my colleague Chris Hazelton noted in a recent report, the latest rev of the iPhone OS, Version 3.0, did little to advance the iPhone’s enterprise readiness. In particular, it failed to add the ability for one or more third party applications to run in the background, limiting security (i.e. encryption) and management features.

This leaves security and mobile device management vendors to do what they can. Sybase’s announcement this week of a new version of its iAnywhere suite is a good example. The company’s iAnywhere Mobile Office, which includes e-mail, calendar, tasks and contacts, as well as Exchange and Lotus Notes integration, offers the kinds of features enterprises want: password protection, data encryption and remote data wipe…but only for data resident in the iAnywhere Mobile Office application. The company tries to spin this as flexibility…enterprise security “without compromising user’s personal information,” but isn’t it just “encryption for me, but not for thee”? Whatever the case, it’s hard to see how islands of security on a multi function device like iPhone will work practically, or how they advance the interests of companies or the community as a whole.

In the meantime, another major anti malware vendor told us that it is at work on its own secure Web browser for the iPhone that will allow it to integrate Web reputation technology that it has long offered to PC users. As with Sybase, however, users will have to download and install the third party Web browser to get the protections, rather than leveraging it as a plug-in to the native iPhone implementation of Safari. We can expect more of the same from other vendors (encryption, anti malware, management) who are hot to trumpet “iPhone support” to their enterprise customers in any guise. The result? Expect the balkanization of the iPhone desktop to continue, at least until the Mandarins in Cupertino make good with the tools that third party developers need to do iPhone security right.

Big Blue and Mr Ponytail - the identity angle

Posted by Steve Coplan on March 18th, 2009 under Identity and Access Management, M&A.

With the rumors now being publicly aired of an IBM acquisition of Sun, our inquiring minds turned to the specifics of how the combination of two of the Big 5 identity management vendors would play out. (Our colleagues at Inorganic Growth have looked at the implications for the server market). Although both Sun and IBM have seen themselves outflanked by an aggressive Oracle in identity and access management, the combination of the two identity management businesses could significantly shift the balance of power in the market. (Alternatively, there’s not a small risk that it could further undermine their combined market position if integration slows down product development and creates confusion over product strategy, playing directly into the hands of competitors). Sun has taken an open source approach to IAM that emphasizes services and support as a source of revenue. Sorting out the overlap with IBM’s portfolio may indeed prove intricate, but as we speculated earlier on the likelihood that the industry goes down the path of consolidation, there is scope for capturing Sun’s install base and using the open source versions of the technology as a means to expand its ability to address different market segments. IBM’s sales strategy is heavily weighted toward its install base, and Sun’s open source software may prove a useful vehicle to expand into the mid-tier, where its current license and implementation cost structure is prohibitively high.

There are sure to be some difficult product rationalization issues, complicated by Sun’s still-in-progress transition toward an open source development and business model. However, in some areas, the product portfolio strengths are complementary. Sun, for instance, has led the market in enterprise directories (although its product has grown long in the tooth and the OpenDS open source version has yet to reach full product maturity) and the acquisition would supply IBM with federated identity and role management technology where the company has lagged the market. There seems to be some difference of opinion over the relative value of Sun’s directory server over IBM’s equivalent, but in terms of market segment penetration, we would postulate that Sun’s is larger (although under attack) and spread across a broader set of businesses.

The rumored deal would certainly provide one possible explanation for why IBM has been so quiet on the acquisition front.

IronPort’s Weiss parting ways with Cisco

Posted by Paul Roberts on February 27th, 2009 under Data Protection, Database Transaction Monitoring, Directory Services, IAM, Spin, Uncategorized, anti malware, anti spam.

After a year at the helm of Cisco’s Security Technology Business Unit, Scott Weiss, the former CEO of IronPort, is leaving the company. Weiss will be replaced with fellow IronPort co-founder Tom Gillis, who has taken the helm at the SBTU. Nick Edwards, who is senior manager of product management in charge of Cisco’s e-mail products, said that Weiss is still technically on board at Cisco and is working as an “adviser” to Brett Galloway, SVP for Wireless and Security Technology. In that position he’ll “help assist in a smooth transition” (translation: not freak too many IronPort employees out by leaving abruptly), but after that it’s happy trails, with Weiss - wait for it - “spending more time with his family.”

Scott Weiss, Cisco

Edwards, himself an IronPort-er, said that the loss of Weiss — who got high marks on leadership and vision — was going to be tough. But he put a good face on it all the same. “We get to retain the IronPort DNA and history (with Gillis),” he said.

Of course, there’s nothing surprising about a former CEO like Weiss chafing under the constraints that come with a role down the org chart in a mega corporation like Cisco. Sounds like Scott gave it the old college try, but has decided to move on to his next act. The surprise, I suppose, comes as a result of the big vision that his appointment at the head of the SBTU set for Cisco’s overall security strategy. Cisco’s security portfolio had grown long in the tooth in recent years, and Weiss came in talking big about reinventing Cisco’s security portfolio. In part, that would come from integrating smarts from the IronPort platform across the other Cisco products. That includes reputation intelligence from the SenderBase online reputation system and from the global deployment of IronPort appliances. With him gone, it’s not clear what happens to that vision and whether Gillis will have the clout and vision to carry it forward. Cisco staff insist that Weiss’s departure has nothing to do with the SBTU’s 2008 numbers or a difference in vision with other Cisco brass. That could be true (and we’re waiting on specifics on the SBTU performance that might confirm it either way), but we’ll be waiting to see what the next few months bring.

From role management to identity governance?

Posted by Steve Coplan on February 24th, 2009 under Identity and Access Management.

“And, yay, the call for compliance did ring out across the land. And the vendors of role management software did declare: through us will your access be certified. And the security priests and business kings did see that compliance was good for no longer would a user access resources, each to his own way. Yet, they looked upon those who could access their resources and saw that they were many and different - among them too were consultants and partners. And they inquired of themselves: “Verily, how we will institute access control systems and points of enforcement so that we may trade profitably and remain free from thieves and scoundrels?”

OpenID, circa 1300 BC

Posted by Steve Coplan on February 16th, 2009 under Identity and Access Management.

Kaspersky hack highlights reputation risk

Posted by Paul Roberts on February 9th, 2009 under Breaches, Data Protection, Database Transaction Monitoring, Penetration Testing, Uncategorized, anti malware.

Anti malware firm Kaspersky Lab spent much of Monday responding to reports that it was the victim of a hacker over the weekend and - worse - that customer data and proprietary product activation codes had been snatched. The truth, it seems, might be something less than that: 25,000 product activation codes could have been accessed by the hacker, as well as 2,500 customer e-mail addresses. Payment information (as far as we know) does not appear to have been exposed. Kaspersky’s line is that its defenses were strong enough to repel all but the most sophisticated hackers. The hacker’s line, no surprise, is that he’s grey hat, not black hat, and had no interest in probing around and taking data — which was there for the taking if he wanted. We’ll never know the truth.

The fact of the matter is that this incident is a big blow to Kaspersky, which is going to great lengths to build up its image in the U.S. and globally. Suffice it to say that a company getting hacked that promises to protect you and your computer from hackers is troubling, and Kaspersky spokesman Roel Schouwenberg admitted as much in a conference call with the press. The company now says that it has hired Next Generation Security Software’s David Litchfield to give its database a good hard look, and that it will be scrutinizing its Web sites for flaws like the SQL injection attack that was behind this breach.

A couple take-aways from this incident:

  • If the perp here is to be believed and no sensitive data was exfiltrated from Kaspersky, then the company is lucky. In some ways, this whole incident is very old-school. Some enterprising grey hat finds a fat vulnerability, pokes around, gives the company 15 minutes to respond (ok - Kaspersky said it was more like an hour) and then posts what he’s found on the listserv/Web site of choice. If this guy was partying like it’s 2009, instead of 1999, he would have taken the product activation codes, customer e-mail and — ideally — some billing info and fenced them along with access to the Kaspersky domain itself.
  • The circumstances of this hack shine a glaring light on a problem that’s facing companies both within and outside the Tech sector (banking, financial services and e-commerce are also highly exposed), namely: how to secure a corporate Web infrastructure that’s growing faster than your ability to monitor it. This is especially true of fast-growing companies (like Kaspersky) or decentralized organizations with branch offices, third party partner relationships and the like. Kaspersky has already owned up to the fact that its US subsidiary’s site was an amalgam of code developed by Kaspersky in Russia and code developed by a third party contractor. The company claims it was the code from the outside contractor (a customer support forum) that ultimately provided access to Kaspersky’s back end database. Who knows. What matters is that the company develops processes, in the wake of this attack, that contain online sprawl and ensure better code auditing and review procedures.
  • SQL injection is a big deal. IBM’s ISS X-Force threat report for 2008 says that SQL injection attacks increased thirtyfold in the last six months of 2008. The attack also figured prominently in SANS’s recent list of the Top 25 Programming Errors. One big reason is that they’re quite easy to perpetrate. Often all you need is a Web browser, a passing knowledge of the SQL query language and of how databases work to begin poking around. While plenty of products and services exist to sniff out SQL injection attacks, the differences between legitimate and illegitimate queries can be subtle. This puts the onus on application developers to build their code to resist tampering and on QA departments to give application code a thorough vetting before it is publicly released. As Kaspersky’s woes indicate: the downside of failing to do so can be considerable.
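The developer-side fix the last point calls for, as an added example that is not from the original post or from Kaspersky: a lookup built by pasting user input into SQL text beside the parameterized form, run against a constructed in-memory SQLite table (all table, column and sample values are made up for this demo).

```python
"""Added example (not from the original post): string-built SQL versus a
parameterized query, against a small constructed SQLite table that stands in
for a support forum's backing database. Names and rows are all constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, email TEXT, activation_code TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (1, "alice@example.com", "CODE-0001"),  # constructed values
            (2, "bob@example.com", "CODE-0002"),
            (3, "carol@example.com", "CODE-0003"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The pattern the post warns about: untrusted input becomes part of the
    SQL text, so a quote in the input changes the statement's structure."""
    sql = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """The hardened form: the driver binds the value separately from the
    statement, so the input is only ever compared as a literal string."""
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


def is_plausible_email(email: str) -> bool:
    """A second, independent layer for the QA checklist: reject input that
    cannot be an address at all. This supplements binding; it never replaces it."""
    return (
        1 < len(email) <= 254
        and email.count("@") == 1
        and not any(ch in email for ch in "'\";")
    )


if __name__ == "__main__":
    db = make_db()
    print(lookup_parameterized(db, "alice@example.com"))
    print(is_plausible_email("alice@example.com"))
```

Run the two lookups with a value containing a single quote to see the difference: the string-built query can match rows the user was never meant to see, while the bound query simply finds no such address.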

Web filtering’s cat-and-mouse game

Posted by Paul Roberts on February 6th, 2009 under Uncategorized, anti malware.

An interesting article by Andrew Jacobs in yesterday’s New York Times got me thinking more about the cat and mouse game that is Web content filtering. Jacobs was writing about China’s efforts to stay on top of the Web surfing habits of its estimated 300 million Internet users. Using a recent example of a comedy show called “Shanzhai” (which translates as “knockoff”), Jacobs writes about how the show — after having fallen out of favor with broadcast advertisers — was pushed to the Web, only to be snuffed out by China’s censors. The incident was one of many in recent months, as the ruling Chinese Communist Party tries to crack down on dissent. As an example, Jacobs cites Bullog, a blogging site that was shut down after authorities accused it of hosting “large amounts of harmful information on current events” – a notion that, in itself, is amusing. The real issue appears to be that Bullog had posted a copy of Charter 08, an online petition calling for democratic reforms in China.

In response to such state-sponsored actions (not to mention those pesky Twitter outages), digital rights activists have launched Herdict.com (a portmanteau of “herd” and “verdict”), an online service conceived by Prof. Jonathan Zittrain at Harvard’s Berkman Center for Internet & Society. The service relies on crowd sourced reports from volunteers around the world to pinpoint Web site outages and determine whether they are global or merely local phenomena.

But the cat and mouse game between China’s yearning masses and its worried censors is actually just one skirmish in a much larger battle over access to Web content that’s been bubbling for a while. And the battle runs both ways. In the US, it’s reaching a high boil with the growing popularity of Web based services like social networks and broadband content distributed through services like YouTube.com, hulu.com, and countless other sources. Enterprises are wary of worker productivity losses, NSFW content that violates workplace decorum and — importantly — Web and application based attacks that can compromise network security. Employees and end users want access to the growing universe of cool tools (and fun distractions) that are available on the Web. An IT director for a public school district in rural Texas told me that he spends an inordinate amount of time playing cat-and-mouse with students who are using proxies to evade their secure Web gateway. He’s counting on his Web security gateway vendor to keep their list of Web proxies current and turning to traffic shaping and rate limiting tools to simply punish those he catches evading the Web gateway with dial-up level access, rather than issuing collective punishment by limiting Web access for all students. Up at 20,000 feet, IBM’s ISS group is seeing a doubling of anonymous Web proxies between 2007 and 2008, as it reported in its X-Force trends report (available in PDF format here). X-Force also says that attacks based in Adobe Flash video, Acrobat files and ActiveX content are on the upswing as of Q4, 2008.

All this is going to combine to make 2009 an eventful year for companies that sell Web content filtering, traffic shaping and other technologies. In fact, in a forthcoming report on companies that will stay hot in the cooling economy, Web security will be an area we talk about quite a bit.

The goals of companies that are shopping for this stuff are threefold:

  1. Stop malicious content that’s streaming to end users in video clips, e-mail messages (including Web mail), blog comments and Facebook wall posts.
  2. Avoid hamstringing employees with draconian Web use policies.
  3. Prioritize access to mission critical applications on their network, such as VoIP, as well as applications and services that are running in the cloud.

Look for vendors in the space to move to address these pain points. In fact, it’s already happening. In recent weeks, we’ve seen Websense pick up blog antispam firm Defensio to try to boost visibility into blog comment spam. It says it plans to offer much tighter integration between its PortAuthority data leakage wares and its on-prem and SaaS based Web security products. Riverbed picked up network visibility firm Mazu, and Barracuda has told us that it sees bandwidth optimization and traffic shaping as areas into which it needs to extend its reach. There’s more to come. Stay tuned.

Breach of payment processor nets data on…is it…everyone?

Posted by Paul Roberts on January 20th, 2009 under Breaches.

Most of us have been numbed by the steady drumbeat of information on data breaches at major retailers, credit card processors, data aggregators and the like. But news today out of the Washington Post about a breach at Heartland Payment Systems shows that these crimes still have the power to astound. If the Post is right, a malicious program planted on Heartland’s payment processing systems may have netted the credit card details on…well…just about everyone in the U.S. who uses a credit card. The official number that’s being bandied about is data on 100 million consumers, but that figure simply represents the number of transactions that Heartland processes a month, and the company’s CFO has said that he doesn’t know how long the malicious sniffer program was on the company’s network, so we actually don’t know.

Like the CardSystems breach before it (which netted details on an estimated 40 million transactions), Heartland is an example of hackers “fishing where the fish are,” by going after the small, less visible companies that process card transactions for thousands or (in the case of Heartland) hundreds of thousands of merchants. Frequent diners beware: around 40 percent of Heartland’s business came from restaurant transactions. I knew I should have eaten in!

Hacker with links to TJX gets 30 years in (gulp) Turkish Prison!

Posted by Lauren Eckenroth on January 9th, 2009 under Breaches, legal stuff.

The January 2007 hack of TJ Maxx and a handful of other large retailers netted hackers data on some 45 million consumers. This week, it landed one of the conspirators a long jail term. Turkish courts have convicted a Ukrainian hacker of breaching the networks of 12 Turkish banks. In one of the longest sentences ever handed down to a cybercriminal, Maksym Yastremskiy (AKA Maksik) was sentenced to 30 years in prison. And, for those of us who grew up with images from Midnight Express burned into our memories, nothing says “hard time” like Turkish prison.

Yastremskiy was arrested in July 2007 at a nightclub in Kemer, Turkey. It was not until after that arrest that authorities realized he had been fencing credit card information stolen in the TJX breach. Yastremskiy had worked with 10 other hackers, including Albert “Segvec” Gonzalez of Miami, the alleged mastermind of the heist.

In August 2008 the United States charged the 11 hackers with aggravated identity theft, conspiracy, and computer intrusion. If he’s ever extradited to the US, Yastremskiy will face these charges as well as charges related to fencing the stolen information.


Infringement lawsuit blasts security Who’s Who on app control

Posted by Paul Roberts on January 7th, 2009 under Malware, Publicly Traded Security Vendors, anti malware.

As reported elsewhere, a patent infringement lawsuit filed in the Eastern District of Texas has set its sights on the biggest names in the security industry, including Microsoft, Symantec, McAfee, Trend Micro, Sophos, Check Point and a slew of other security firms. The suit, filed on Dec. 30, 2008, is on behalf of that IT security stalwart Information Protection and Authentication of Texas LLC (Wait…WHO?!?!), a company that appears to exist solely for the purpose of exercising its patent ownership rights in court. At issue are two separate patents filed in the early 1990s and granted in 1994 and 1995, respectively, to one Addison Fisher of Naples, Florida. They’re broadly written and appear to cover methods for doing application behavior monitoring and application control. The patents describe a method by which a “system monitor” limits the execution of other applications to “predefined resources (e.g., data files, disk writing capabilities, etc.)” which are defined as “program authorization information” or PAI. Once defined for an application, PAI is monitored while programs are running to confirm that the operation is within the defined program limits and to prevent actions that fall outside the authorized limits.

The firms named in the suit are a Who’s Who of enterprise IT security: Microsoft, Symantec, McAfee, Trend Micro, Check Point, Sophos, CA, Kaspersky, Novell, F-Secure, ESET, Webroot, PC Tools, Comodo, and so on. What’s surprising to us is that the suit doesn’t extend to application whitelisting vendors like Bit9, Solidcore, Websense and so on — especially given that the patents explicitly mention methods of application control that involve “including a digital hash of said program to be executed as part of the program authorization information data structure,” but the owners might have figured there are plenty of dollars to shake loose from the companies named.

While Information Protection and Authentication of Texas LLC may be hoping for a quick payout of “leave us alone” money, we’re expecting the parties named to fight this one hard. First of all, they can. Second, recent Supreme Court rulings appear to be on their side — with the High Court ruling unanimously in recent years to take a tougher stand on so-called patent “obviousness.” The key case here is KSR vs. Teleflex, which was handed down in April 2007 and overturned lower court rulings that were based on previous patent law standards that made it difficult to challenge granted patents on the grounds that they covered “obvious” applications of existing technologies or ideas — not really new inventions. While it’s unclear how novel the Texas company’s patents are, the legal environment has certainly changed in recent years, and the company can expect to face well financed defendants.

We’ll be watching this one to see how it turns out.

(Updated) Twitter attacks … why me?!?!

Posted by Paul Roberts on January 5th, 2009 under Breaches, Policy & Regulations, anti spam.

There’s a small, but great scene near the beginning of the classic, late 90s film Election in which Paul Metzler — the nice-guy football star (played by Eric Klein) who’s a foil to Reese Witherspoon’s Machiavellian Tracy Flick character — breaks his leg. It’s really just an establishing shot that explains how the leg break (which will end his football career and push him into an unlikely run for class president against Flick) happened. In the scene, Metzler extreme skis off the lip of a 40 foot rock precipice and takes a nasty fall when he lands, rolling head over heels while his gear flies off. The camera zooms in to a close shot of Metzler sitting up in a snow drift at the bottom of the cliff, clutching his leg as he screams in pain “why me??!!?”

Somehow that scene came to mind today as I surveyed the mood of teeth gnashing and garment rending that has accompanied this weekend’s high visibility attack against Twitter accounts. As with the outcome of Mr. Metzler’s little skiing stunt, the consequences of Twitter’s “we’re all friends here” approach to security were utterly predictable.

For those of you who are still emerging from your holiday torpor, news reports began surfacing over the weekend about phishing attacks that were spreading over the Twitter micro blogging network. The attacks began as direct mail messages between Twitter users that contained an enticing message and a link to a phishing Web site. That site, which appeared to be a twitter-sponsored site (i.e. twitter.access-logins.com), harvested account login information from victims…with predictable results. By Monday morning, the scam had claimed some high profile scalps: the Twitter accounts for Fox News (@foxnews) and that of CNN anchor Rick Sanchez, (@ricksanchezcnn), too. Barack got tagged, and unless Britney Spears is suddenly exploring the ancient myths of vagina dentata, she got hacked, too. (And she’s been doing so much better, lately!). The attacks are virtually indistinguishable from Web site phishing attacks, but for the fact that they originate within the Twitter environment, use Twitter’s direct mail (or “DM”) feature instead of traditional e-mail and are designed to steal Twitter credentials. The targets are also no surprise: they’re highly connected Twitter accounts from which spam or phishing messages can be broadcast to thousands or tens of thousands of “followers” (Sanchez, alone, has 40,000 of them). As researchers at Sophos have pointed out, as well, netting Twitter logins and password info is a passcard to even greater riches, as overburdened Web users just re-use passwords for work and personal accounts.

The folks at Twitter warned users about the spreading scam on Saturday and advised them not to share account information (as if this even needs to be stated). They have since posted a status update (“Multiple accounts hacked. Situation stable”) that sounds like it was issued from the control room of Reactor 4 at Chernobyl. It’s unclear whether the attack is still spreading. Like other social networks, but unlike those fighting e-mail or Web based attacks, Twitter admins have the advantage of central control over network activity and, thus, can stamp out attacks quite efficiently. As I wrote in a recent column for ZDNet, attacks that leverage social networks like Twitter and Facebook are certain to increase this year, as use of those platforms reaches the critical mass that finally attracts the attention of spammers, identity thieves and the like. As this happens, the environment of implicit trust that has governed “in the know” communities like Twitter will disappear. Inboxes will fill with spam or some approximation thereof and users will think twice before they click on URLs in Tweets or Wall postings.

Clearly, the network providers will need to do much more. Twitter, Facebook and the like should force users to harden passwords. [NOTE: As this report from Wired makes clear, it was a weak password combined with a dictionary attack that led to the compromise of a Twitter administrative account.] They should also monitor activity both on their networks and on the Internet more closely, filtering content for phishing attacks and other scams. As an example, Bank of America and other financial institutions long ago started paying attention to who was registering domains that could plausibly be used in phishing attacks against their customers. Twitter should take note when a domain like “twitter.access-logins.com” is registered. Finally, organizations of all stripes are going to have to weigh the cost-benefit ratio as they wade into a new medium like Twitter. On the same day that the Twitter phishing attacks nabbed CNN and Fox News, a journalist whose feed I follow posted a link to a list of all the newspapers that Twitter. My guess is that most of them have jumped in with both feet without stopping to consider whether or how their accounts could be used to attack their followers or otherwise besmirch their good name. For those organizations that understand the risks and decide that Tweeting is worth it, better account management and hygiene (strong passwords, etc.) as well as training and clear policies on how to interact with followers and what to watch out for are in order.
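The domain-watching habit the post recommends (taking note when something like “twitter.access-logins.com” shows up), as an added example that is not part of the original post: a small triage check that flags hostnames which borrow a protected brand name either as a subdomain label or inside the registrable domain. The brand list, the allowlist of legitimate domains and the two-part public suffixes are constructed for this demo; a real deployment would use the full Public Suffix List.

```python
"""Added example (not from the original post): flag hostnames that borrow a
protected brand name, the pattern behind twitter.access-logins.com. The
brand list, allowlist and suffix set below are constructed for this demo."""
from dataclasses import dataclass

PROTECTED_BRANDS = ("twitter", "bankofamerica")          # constructed list
LEGITIMATE_DOMAINS = {"twitter.com", "bankofamerica.com"}  # constructed allowlist
# Assumption: only these two-part public suffixes matter for the sample input.
# A production check would consult the full Public Suffix List instead.
TWO_PART_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname a registrant actually controls, e.g.
    'access-logins.com' for 'twitter.access-logins.com'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass
class Verdict:
    host: str
    suspicious: bool
    reason: str


def check_host(host: str) -> Verdict:
    """Classify one observed or newly registered hostname."""
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    if reg in LEGITIMATE_DOMAINS:
        return Verdict(host, False, "registrable domain is on the allowlist")
    # Labels to the left of the registrable domain, if any.
    prefix = host[: -len(reg)].strip(".") if host != reg else ""
    subdomain_labels = prefix.split(".") if prefix else []
    for brand in PROTECTED_BRANDS:
        # Brand used as its own subdomain label: twitter.access-logins.com
        if brand in subdomain_labels:
            return Verdict(host, True, f"brand '{brand}' used as subdomain of {reg}")
        # Brand embedded in the registrable label: twitter-login.co.uk
        if brand in reg.split(".")[0]:
            return Verdict(host, True, f"brand '{brand}' embedded in {reg}")
    return Verdict(host, False, "no protected brand present")


def triage(hosts) -> list:
    """Run the check over a batch, e.g. a day's new registrations or the
    hostnames seen in links sent on the platform."""
    return [check_host(h) for h in hosts]


if __name__ == "__main__":
    # Constructed sample batch.
    for v in triage(["twitter.access-logins.com", "api.twitter.com",
                     "twitter-login.co.uk", "example.org"]):
        print(v)
```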
