STE WILLIAMS

Infosec 2012 Cloudy crypto firm Ping Identity is pushing the benefits of using cloud-based technologies to reduce, and perhaps even eliminate, password headaches.

The firm is using the Infosec show to promote Ping One, launched in late March as a way of offering ID-as-a-service. Ping Identity is also talking up the potential for single sign-on in the clouds to sound the death knell for passwords.

Ping One allows firms to offer workers access to a range of cloud-based applications (Salesforce, Google Apps etc) through a portal or virtual desktop that they only need to sign into once, avoiding the need to remember sign-in credentials for the multiple different applications they need to use. Information on what application a user is entitled to log into is taken from one central user directory, such as Microsoft Active Directory. Federated SSO protocols such as SAML, OAuth, and OpenID are used to exchange tokens that allow users to access applications.

Roger Oberg, VP of marketing at Ping Identity, said that unlike other vaguely similar services, Ping One avoids to need to either store passwords or manage duplicate end-user accounts in the cloud.

Single sign-on (SSO) has been a holy grail for segments of the security industry for years. And vendors have offered up appliances and services, largely targeted at enterprises, to do just that for some years. The technology is designed to cut down on help-desk calls by workers who have forgotten their passwords and other similar costly distractions.

In practice, IT managers have told us that SSO offers a way to reduce the amount of passwords corporates are obliged to manage – but that it cannot achieve the one-password-to-rule-them-all goal the marketing hype around the technology promises to offer. Oberg acknowledged that reduced rather than “single| sign-on was often the end result of deployments because as “soon as you get on app that isn’t anticipated” or one that lack SSO hooks, then users have to sign into it separately.

PingOne is being targeted towards SMEs, departments in larger firms and application providers. Developers can also subscribe to the service as a means to plug their technology into a cloud-based identity management service using its resource toolkit – without the heavy-duty security coding the process would otherwise involve, says Oberg. Other longer-standing services from Ping Identity, such as PingFederate, are targeted at large enterprises.

Ping Identity chiefly markets services designed to reduce the number of passwords enterprise users need to remember, so it has a vested interest in talking up the problem that multiple passwords can create. Unsurprisingly, Oberg is somewhat antagonistic towards password and user ID login credentials.

“Passwords are insecure and annoying,” Oberg told El Reg. “They have to go,” he added with all the passion of a pest eradicator eyeing a particularly long-standing cockroach infestation.

In place of passwords, Oberg favours multi-factor authentication using one-off four digit passcodes sent to mobile phones, as well as pattern-based authentication or biometrics (such as fingerprint readers). “Multi-factor authentication can reduce, if not eliminate, the number of passwords,” he said. “We should be moving towards strongly authenticated non password-based identity,” he added. ®

Log-in note

Oberg said one of Ping Identity’s corporate clients had gone all the way and actually killed off password logins across its whole infrastructure. He hinted it was a high-security organisation but didn’t say what it was, which market it operated in, or even whether it was in the private or public sector.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/25/ping_identity/

Google is increasing the amount it is willing to pay to security researchers for bugs, with the most serious flaws now priced at up to $20,000.

Google’s security team has changed its payments plan and will now pay up to $20,000 for flaws that would allow code execution on its production systems. There’s a $10,000 bounty for SQL injection or similar flaws, and some information disclosure, authentication, and authorization bypass bugs. XSS, XSRF, and other high-impact flaws in highly sensitive applications are also due for a payout, if just $3,133.7.

“The new rules offer reduced rewards for vulnerabilities discovered in non-integrated acquisitions and for lower risk issues. For example, while every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller,” said the Google security team in a blog posting.

All awards are scrutinized and awarded by an internal committee before being handed out, but so far Google says it has paid out around $460,000 to over 200 security researchers since it started offering cash for flaws in 2010.

Google is far from alone in offering financial incentives for researchers who find bugs, with Mozilla, Facebook and Secunia among the companies that have a similar attitude. So far, Microsoft has resisted the temptation (it’s got a big cash pile but a hell of a lot of flaws as well) but Redmond isn’t above offering specific bounties for botnet controllers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/24/google_ups_bug_bounty/

UK Science and Universities Minister David Willetts told assembled IT bods in London that companies should ‘fess up to their security boobs.

Speaking at the Info Sec conference this morning, Willetts, whose remit includes cyber security, urged companies to be very honest in reporting their cyber security problems and system breaches. He said:

I want large companies to be very frank about the problems they face and much more open about threats and cyber security attacks.

Willetts compared UK firms’ current treatment of online security problems with the manner in which banks treated cases of fraud a decade ago, when a policy of secrecy turned out to be counterproductive.

He also made the point that the firms’ reluctance to reveal breaches could later turn out to be embarrassing for them, noting that according to a report commissioned by the ministry into UK cyber security*, a majority of security breaches, particularly in large organisations, originated from insiders.

Willetts also warned firms about the dangers of intellectual property theft, which was highlighted as a growing risk in the new report. The minister said he had been “shocked by companies that don’t properly protect their IP”.

On a sunnier note, the minister added that the situation represented an opportunity for British companies in the security space and praised the range of strong and innovative companies that already exist, many of whom are showcasing themselves at the conference, which is currently underway at London’s Earls Court. He stressed that “private partners” were vital to the government’s cyber security policy.

He said:

We are different to the other EU countries in that we don’t treat cyber security as a solely military issue.

Sadly there is no such thing as perfect security, but businesses need to know what information is the most valuable and at risk, and how to reduce that risk.

®

*El Reg‘s analysis of the Price Waterhouse Coopers/Infosecurity Europe report released today can be found here

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/24/david_willetts_cyber_security_infosec/

Infosec 2012 Hackers are increasingly turning to automated software tools to launch attacks.

According to research from Imperva, more than 60 per cent of SQL injection attacks and as many as 70 per cent of Remote File Inclusion attacks (the two most common attack types) are automated. Remote File Inclusion attacks allows hackers to plant back doors on PHP-based websites.

Tools like Havij and SQLMap are used by miscreants to probe for vulnerabilities and execute SQL injection attacks. These tools also employ techniques to evade detection, such as periodically changing headers or splitting attacks through controlled hosts to avoid black-listing. In the past, using attack tools was purely for script kiddies but these attitudes are changing, according to Rob Rachwald, director of security strategy at Imperva.

Automatic attack tools aren’t just for the clueless anymore, he says. These tools can be used to attack more applications and exploit more vulnerabilities than any manual method possibly could, making them a useful adjunct for even skilled attackers. “Automated tools are becoming better quality. Both experienced and inexperienced hackers use them but experienced hackers use them with more finesse,” Rachwald explained.

By contrast, organisations still struggle to embrace automatic defences, often deploying technologies such as intrusion prevention systems in “alert only” mode. Rachwald argued that too much focus was being placed on attacks based on spear-phishing and malware (ie, advanced persistent threat attacks) at the expense of overlooking more commonplace assaults, such as SQL injection attacks.

Automated attacks have specific traffic characteristics such as rate, rate change and volume, all factors which can be used to fingerprint and block automated attacks. For example, IP addresses associated with automated attacks can be blocked. ®

Havij means “carrot” in Farsi, which is also the slang word for penis in Iran. The tool was developed by an Iranian blackhat with an obvious taste for crude humour. SQLMap, unlike Havij, is a command-line tool.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/24/crackers_tools/

Cloud computing providers came under fire today from security experts who blamed them for giving cyber-criminals the tools to launch attacks more easily, efficiently and anonymously than ever before.

Speaking at the fourth InfoSecurity Summit in Hong Kong on Tuesday, SC Leung – a senior consultant at the city-state’s Computer Emergency Response Team – argued that crooks are making the most of the sudden rise of distributed number-crunching services.

“They are using it more efficiently for web hosting and they can subscribe to cloud services to get bandwidth on demand,” Leung told attendees.

“They can hack computers thanks to the computing power of Amazon and it’s very hard to trace them. We need to solve this problem with the cloud service providers.”

This isn’t the first time market leader Amazon has been blamed for helping out the bad guys. Its EC2 service was reportedly used by the hackers who broke into Sony’s Playstation Network last year and accessed data on over 77 million users. They were said to have supplied fake information to the cloud computing giant.

Infosecurity practitioners at the event also warned that they are losing the battle against zero-day threats (security vulnerabilities that are disclosed to world+dog before updates can be tested and deployed), adding that the cyber-criminals are better resourced, faster and more agile than themselves.

“It’s a question of how fast organisations can patch versus how fast malware writers can write malware,” argued SH Lim, head of information security at upmarket bookies the Hong Kong Jockey Club.

“How do we test our apps in just five days? Do we do a self denial-of-service by causing an app to fail because we don’t test a patch before applying it?”

However, not all of the panellists gathered at the event – no relation to the similarly titled London-based show taking place this week – were so glum.

Siu Fai Leung, SVP of security services in Asia at Bank of America Merrill Lynch, argued that IT teams actually need exposure to plenty of malware to hone their defences.

“Like humans we can’t survive without any viruses. If you don’t have an incident how can you make sure you’re protected?” he said. “A drill is a drill but when it comes to real life situations you need to put your systems to the test.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/24/infosecurity_blame_cloud_computing/

Infosec 2012 Hacking attacks against Blighty’s top firms hit a record high according to figures for 2011.

On average, each large organisation suffered 54 significant digital assaults in that 12-month period, twice the level in 2010, while 15 per cent – one in seven – had their networks successfully penetrated by unauthorised parties.

The average cost of a major security breach at a big biz last year was £110k to £250k ($177k to $403k), a figure that drops to £15k to £30k ($24k to $48k) for small businesses. SMEs were less frequently targeted with an average of one assault a month.

Chris Potter, information security partner at PricewaterhouseCoopers, said: “Large organisations are more visible to attackers, which increases the likelihood of an attack on their IT systems. They also have more staff and more staff-related breaches which may explain why small businesses report fewer breaches than larger ones.

“However, it is also true that small businesses tend to have less mature controls, and so may not detect the more sophisticated attacks.”

The figures come from the 2012 Information Security Breaches Survey of 447 UK businesses by management consultants PwC and Infosecurity Europe. The poll, published every two years, is supported by UK.gov’s Department for Business, Innovation and Skills. One-fifth of those surveyed are public sector organisations.

Apart from hacking, the figures show that companies are experiencing many data-protection breaches. The vast majority of firms polled (93 per cent of large organisations and 76 per cent of small businesses) experienced a security breach in the last 12 months: the most serious breaches generally resulted from failings in a combination of people, process and technology.

The survey also found customer impersonation attempts were up threefold since 2008, with financial services organisations and government bodies affected most.

Despite the prolonged economic slowdown, most organisations are spending more on security. On average, companies spent eight per cent of their IT budget on infosec, and those that suffered a very serious breach spent on average 6.5 per cent of their IT budget on security.

By contrast, 12 per cent of bosses gave a low priority to security, with one in five spending less than 1 per cent of their IT budget on information security – possibly as a result of not being able to quantify and measure the business benefits from spending cash on defences.

Potter said: “Organisations that suffered a very serious breach during the year spent slightly below the overall average on security. The key challenge is to evaluate and communicate the business benefits from investing in security controls. Otherwise, organisations end up paying more overall.

“The cost of dealing with breaches and the knee-jerk responses afterwards usually outweigh the cost of prevention.”

Universities and science minister David Willetts, whose responsibilities include cyber-security issues, commented: “The survey demonstrates why the government is right to be investing £650m to improve cyber-security and make the UK one of the safest places to do business in cyberspace. We will use the findings to help design a new annual survey of cyber-security breaches beginning next year.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/24/security_breaches_survey/

Infosec 2012 UK-based startup SureCloud is flogging a cloud-based auditing and compliance platform at mid-market businesses with high info-security standards.

SureCloud’s Unified Compliance Platform pulls together component elements such as vulnerability scanning, SIEM (security information event management), wireless intrusion detection (IDS) and configuration auditing into a single platform.

Richard Hibbert, SureCloud chief exec, said that the firm’s “security as a service” approach allows it to target SME and local government customers to meet compliance standards on a lower budget and without buying a variety of point products and services from the likes of Cisco, HP and Qualys.

The SaaS-based auditing and compliance automation service is designed to help mid-market organisations in regulated industries to simplify and reduce the cost of fulfilling their security management and information compliance obligations – making it easier for them to comply with the credit-card industry’s PCI-DSS regime, for example.

SureCloud’s hybrid offering ties together products from multiple third-party vendors, but the firm doesn’t disclose whose technology it is using.

The platform is designed to simplify the whole compliance process from data discovery through to providing actionable intelligence about vulnerabilities, via a single dashboard the provides data on threats and network activity. Customers gain the opportunity to significantly reduce their risk from data breaches as well as ability to manage their compliance commitments using fewer staff and without buying complex kit from multiple suppliers, says the firm.

“Customers can do more with less budget,” Hibbert said. “Our platform helps customers to minimise security monitoring and remediation costs,” he added.

Established in 2006, SureCloud is based in Reading and says it has more than 200 customers throughout the UK, which include a large number of local authorities and other customers in retail, financial services and gambling. The firm has aspirations to expand overseas, initially to English-speaking countries. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/24/surecloud_grc/

Infosec 2012 Bit9 is using the Infosec show as a launchpad for its move into Europe as part of its wider ambitions to displace traditional antivirus technologies from corporate desktops and data centres.

The firm is marketing its brand of trust-based application control and whitelisting as a better way of tackling the growing malware menace posed by targeted attacks on security suites from the likes of Symantec and McAfee. However, if one traditional antivirus firm we spoke to is any guide then traditional players are not going to go down without a fight.

Bit9’s Parity Suite uses the firm’s Global Software Registry – a repository of five billion records of software – and “qualified” trust in updated applications from the likes of Adobe and Microsoft, to restrict the types of software allowed to run on Windows PCs and servers. Bit9’s so-called “Advanced Threat Protection” platform also allows IT staff to set policies to block illegal and unauthorised software. Other components in its portfolio offer forensics capabilities.

The firm has set up operations in central London and in Munich in Germany to kickstart a channel programme it hopes will allow it to triple its sales in EMEA year-on-year. The firm already supplies its technology to customers ranging from various NHS trusts to Middle East Airlines.

Bit9’s chief executive Patrick Morley argues that the traditional antivirus model is broken and that businesses can benefit from moving to a trust-based model – enabled by Bit9’s technology, of course – which he compared to the Apple App store. Bit9’s Parity Suite is based on intelligent whitelisting and trust in the Microsoft update process, for example, rather than the detection of “something bad” from an analysis of the behaviour of software on PCs.

Whitelisting technology traditionally had a problem with false positives, falsely stopping legitimate business-critical applications from running. Morley conceded false positives with whitelisting technology were “bad in the early days” but said that by incorporating a “broad trust policy” for installers, intelligent whitelisting and cloud-based software reputation services, Bit9’s technology had long since overcome these types of teething problems. He added that although Bit’s technology offers a recording device on host end-points, it would be also be inaccurate to classify it as host-based intrusion prevention.

Bit9 is one of a number of firms talking up the benefits of smart application whitelisting at Infosec. Avecto and Faronics are also discussing the approach.

Morley said that although Bit9’s technology can be run on top of an antivirus, the aim is to eventually displace it. He added that this displacement has already happened on retail tills and data centres, where the software can be used to protect file servers and domain controllers (Active Directory servers) in the data centre.

“Antivirus doesn’t work and it’s only the addition of anti-spam, firewall, data loss prevention and other technologies that have kept customers buying it,” Morley told El Reg. “The model is broken and has been for a long time. It’s only in the last two years that people have realised this,” he added.

Morley justified buzzword-friendly claims that Bit9’s technology supplied superior protection against Advanced Persistent Threats (industry slang for targeted malware driven industrial-espionage attacks) by saying that its software blocked the malware that featured in the infamous RSA attack last year dead in its tracks. This assault featured an Excel spreadsheet containing a Flash file that Bit9’s software automatically deemed untrustworthy, Morley explained.

Eddy Willems, a security evangelist at anti-virus firm G Data, argued that whitelisting technologies are not without their shortcomings either, and ought to exist as a component of anti-malware suites, and not the replacement that Morley would like to see.

Willems, who as a consultant has installed whitelisting software, described it as “hard to tune and not easy to install”.

He also listed other problems such as “legitimate samples which turn into malware examples afterwards” and a failure to combat in-memory malware or certain strains of rootkit as other shortcomings of the technology.

“It’s a prevention method with no real removal capabilities, which is needed for several [strains of] malware,” Willems said, adding: “It’s part of the AV solution and not a solution on its own, we use it to prevent false positives so that it doesn’t remove important system files.” ®

Article source: http://go.theregister.com/feed/www.channelregister.co.uk/2012/04/24/intelligent_whitelisting/

Domain name overlord ICANN has been forced to delay its new top-level domain (TLD) expansion by another week as its techies attempt to analyse the fallout of an embarrassing security vulnerability.

Its TLD Application System (TAS), which companies worldwide have been using since January to confidentially apply for gTLDs such as .gay, .london and .blog, has now been down for 10 days due to a bug that enabled some applicants to see information belonging to others.

While ICANN maintains that it has fixed the problem, it now says that it needs at least another week to sift through its mountains of TAS logs, in order to figure out which applicants’ data was visible to which other applicants.

ICANN had been receiving reports about the bug since at least 19 March, but only pulled the plug on 12 April, just 12 hours before the final application submission deadline, when it realised how serious the problem could be.

It initially hoped to get the system back up and running by 17 April, but when that deadline passed it then promised to give users an update on the timing by Friday 20 April.

However, that update, which arrived over the weekend, merely promised to provide yet another update before the end of Friday 27 April.

“No later than 27 April 2012 we will provide an update on the reopening of the system and the publication of the applied-for new domain names,” chief operating officer Akram Atallah said.

While ICANN is declining interview requests from the media, it did publish a video interview between its head of media relations and chief security officer Jeff “The Dark Tangent” Moss on Friday, which explained some of the technical details of the vulnerability.

“Under certain circumstances that were hard to replicate users that had previously deleted files could end up seeing file names of users that had uploaded a file,” Moss said. “Certain data was being revealed to users that were not seeking data, it was just showing up on their screen.”

Moss confirmed that no outside attackers had access to data, and that the contents of the compromised files were not accessible by anyone but the applicant to which they belonged.

Nevertheless, the file names themselves could have proven valuable. Most gTLD applications have been filed secretly, without public announcement, in order to reduce the risk of competing applications being filed for the same strings.

Due to the way ICANN’s new gTLD programme is structured, a “contention set” of two or more conflicting applications could wind up in an auction. This has pressed the need for confidentiality on most applicants.

Because many companies uploaded files to TAS named after the gTLD string being applied for, confidential information may therefore have been compromised.

While no claims of foul play have yet been made, ICANN is promising to fully disclose – at least to the applicants themselves – whose data was viewable by whom.

“We’re putting everyone on notice: we know what file names and user names were displayed to what people who were logged in and when,” Moss said. “We want to do this very publicly because we want to prevent any monkey business. We are able to reconstruct what file names and user names were displayed.”

The delay in reopening TAS has not been well-received by some applicants.

“My advice to ICANN now: get your skates on!” said Stephane Van Gelder, general manager of the domain name registrar Indom, in an editorial on CircleID.

“Stop faffing about trying to verify every single bit of applicant data that may have been impacted by the glitch,” Van Gelder, who is also chair of ICANN’s influential GNSO Council policy body, added. “ICANN’s next update… should be: ‘in the interest of getting the new gTLD program back on track, we’ve decided to restart TAS now.'”

The organisation currently plans to reopen TAS for five business days before the final filing deadline, which now appears to mean 4 May at the earliest – 20 days late. As a consequence, its planned 30 April Reveal Day, when it publishes the applications for public comment, has been postponed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/23/security_bug_delays_new_gtld_launch_again/

Broadcaster Sky News is being investigated by Ofcom over its admission that it hacked into emails for a story in 2008.

“Ofcom is investigating the fairness and privacy issues raised by Sky News’ statement that it had accessed without prior authorisation private email accounts during the course of its news investigations,” the regulator said in an emailed statement.

“We will make the outcome known in due course.”

Following a Guardian newspaper article, Sky News released a statement at the start of this month acknowledging the computer invasion, but claiming that the intrusion had been justified as it was “in the public interest” and that the hacking had led to criminal charges being brought.

The emails in question were those of “canoe man” John Darwin, who disappeared in a canoe on the North Sea in 2002. Darwin faked his own death so that his wife could claim his life insurance money and pensions, staying hidden until he turned up five years later pretending he’d had amnesia.

“The police described material supplied by Sky News as pivotal to the case,” the broadcaster said in its statement. “Mrs Darwin received a jail sentence of six-and-a-half years. More than £500,000 of assets have since been recovered and funds returned to the insurance companies and pension funds which were victims of the fraud.”

The Guardian article also mentioned a second case of computer hacking, this time while investigating a man and woman suspected of paedophilia. There wasn’t any story published after that investigation and Sky News didn’t mention that hack in its statement.

Today, Sky News reiterated its stance on the hacking.

“As the head of Sky News, John Ryley, said earlier this month, we stand by these actions as editorially justified,” a spokesperson said in an emailed statement.

“The Crown Prosecution Service acknowledges that there are rare occasions where it is justified for a journalist to commit an offence in the public interest.

“The Director of Public Prosecutions Kier Starmer told the Leveson inquiry that ‘considerable public interest weight’ is given to journalistic conduct which discloses that a criminal offence has been committed and/or concealed.”

The question for Ofcom will be its interpretation of Rule 8.1, which states that “any infringement of privacy in programmes… must be warranted”.

The courts usually allow for invasions of privacy by journalists where the information sought is “in the public interest”, which was often interpreted as anything anyone might be interested in, although the widespread phone-hacking scandal has seen a lot of criticism for legal leniency with the media.

However, written into that rule as an example of the public interest is “revealing or detecting a crime”, which is exactly what Sky News claims it was doing.

It’s still bad timing for parent BSkyB however, as the media giant is currently being assessed as to whether its owners and directors are fit to own a broadcast licence. BSkyB is of course 39 per cent owned by Rupert Murdoch, whose newspaper empire is at the centre of the phone-hacking scandal. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/23/ofcom_investigates_sky_news/