STE WILLIAMS

Online vicemart Silk Road shut by Feds


The notorious online drug market Silk Road has been shut down by the FBI, its suspected operator arrested and charged with narcotics trafficking conspiracy, computer hacking conspiracy, and money laundering conspiracy, and $3.6m worth of the bitcoin crypto-currency has been confiscated by federal agents.

The site’s alleged founder and main operator Ross William Ulbricht, aka “Dread Pirate Roberts” (DPR) was arrested in a public library in San Francisco on Tuesday. Silk Road’s Tor-based drug bazaar was shut down on Wednesday and users visiting the site were met with an FBI takedown notice.


Ulbricht made a number of operational security mistakes that linked his identity with various online personas associated with Silk Road, according to the FBI court complaint. However, there is no detail in the filing about how the FBI gained access to a Silk Road Tor server on which the site was based – an omission sure to disturb members of the security community at a time when new information is coming to light about the advanced capabilities of the American spy organization, the NSA.

“Silk Road has emerged as the most sophisticated and extensive criminal marketplace on the Internet today,” FBI agent Christopher Tarbell wrote in the FBI’s criminal complaint. “From in or about January 2011, up to and including in or about September 2013, ROSS WILLIAM ULBRICHT, a/k/a “Dread Pirate Roberts,” a/k/a “DPR,” a/k/a “Silk Road,” the defendant, owned and operated an underground website known as “Silk Road,” that provided a platform for drug dealers around the world to sell a wide variety of controlled substances via the Internet.”

[Image: Silk Road shut for business]

Silk Road ran on Tor, a hidden computer network, and only accepted payments in the pseudo-anonymous Bitcoin cryptocurrency. The FBI gained access to a Tor server on which the site was hosted and made a snapshot of it in July 2013.

The price of Bitcoins crashed on Wednesday morning after news of the shutdown broke, adding grist to the characterization by Benjamin Lawsky, superintendent of the New York Department of Financial Services, of the currency as “a virtual Wild West for narcotraffickers and other criminals”.

[Image: The Bitcoin exchange rate slumped after the site was taken down]

The FBI says in its statement that it had “located in a certain foreign country the server used to host the silk road’s website,” and had gained access to it via a “mutual legal assistance request”.

This calls into question many of the widely-held beliefs about the security and anonymity of the Tor service.

There is also evidence that Ulbricht may have implicated himself and, through lax security practices, betrayed the details of the Tor servers.

One slip-up was a posting on programmer Q&A site Stack Overflow under the name Ross Ulbricht that asked “How can I connect to a Tor hidden service using curl in php?”, before the account name was changed to “Frosty”. A subpoena by the FBI showed the original account name.

Another screw-up came with postings on two forums under the user name “Altoids” in early 2011 advertising the Silk Road, before posting several months later under the same “Altoids” username on a Bitcoin forum asking for an “IT pro in the bitcoin community” to help out on a “venture-backed company,” then advising them to contact the email address rossulbricht at gmail dot com.

The FBI also obtained data from Google on this Gmail account which closely associated access with separate logins to the Silk Road from similar locations in San Francisco.

Ulbricht had also arranged to have some nine fake identity documents sent to him for the purpose of procuring new servers. These documents were intercepted by customs and border patrol officials in early July 2013, and led them to pay a visit to Ulbricht in San Francisco on July 26.

Ulbricht’s alleged online alias ‘Dread Pirate Roberts’ had made numerous postings on Silk Road seeking identity documents from users. This is a rookie mistake that breaks dead rapper the Notorious B.I.G.’s advice to dealers and lowlifes – “don’t get high off your own supply”.

A further point of compromise was that Ulbricht’s real-life Google+ profile had shared videos from obscure economics thinktank the Ludwig von Mises Institute – the same videos were linked to in the signature of the Dread Pirate Roberts account on the Silk Road.

According to the complaint, Ulbricht employed several administrators on the Silk Road paying them $1,000 to $2,000 a week. They called him “boss” and “captain” the FBI said.

Bitcoin murder contract

The indictment states Silk Road made scads and scads of cash, generating some $1.2bn in bitcoin transactions, of which $80m was siphoned off by Dread Pirate Roberts during the course of its life. But it was not without problems, the FBI claims.

The complaint accuses Ulbricht’s alleged online alias Dread Pirate Roberts of paying a third-party to murder another user of the site, who was trying to extort him.

The Dread Pirate Roberts was contacted in March 2013 by a Silk Road user “FriendlyChemist” claiming to have the details of thousands of the buyers and sellers on the anonymous illegal drug and services marketplace.

“FriendlyChemist” attempted to extort some $500,000 from him in exchange for the information, and eventually stated he needed the money because they owed money to a group of suppliers that used the Silk Road handle “redandwhite”.

Dread Pirate Roberts allegedly got in touch with redandwhite and, when FriendlyChemist continued attempting to extort him, asked if they could have the user killed. Dread Pirate Roberts then supplied them with information on FriendlyChemist, including the person’s whereabouts (British Columbia, Canada), the FBI states.

“I would like to put a bounty on his head if it’s not too much trouble for you. What would be an adequate amount to motivate you to find him? Necessities like this do happen from time to time for a person in my position,” Dread Pirate Roberts wrote to redandwhite, who suggested a cost of between $150,000 and $300,000. They settled on a price of $150,000, which was transferred in bitcoins.

Though redandwhite claimed to have offed the person in question, and at the request of Dread Pirate Roberts sent a photo of the body, the FBI says the Canadian Police are not aware of any homicide associated with this case. Nor do they have information on anyone with the details of the aforementioned “FriendlyChemist”.

The shutdown of Silk Road follows the vanishing of Tor-hosted file sharing service Freedom Hosting in early August, and the similarly unexpected and unexplained shutdown of rival Tor-hosted drug mart Atlantis in September.

“Regrettably it has come time for Atlantis to close its doors. Due to security reasons outside of our control we have no choice but to cease operation of the Atlantis Market marketplace. Believe us when we say we wouldn’t be doing this if it weren’t 100% necessary. Due to the urgency we are allowing all users to withdraw all their coins for one week before the site, and forum, are shut down permanently,” Atlantis wrote at the time. Perhaps they knew something the Dread Pirate Roberts didn’t? ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/02/silk_road_shutdown/

Securing More Vulnerabilities By Patching Less

As a penetration tester, Mauricio Velazco frequently looked for the information on the latest attacks because corporate information systems were rarely patched against the exploitation of just-reported vulnerabilities.

When he moved over to the other side of the firewall, Velazco–now the head of threat intelligence and vulnerability management at The Blackstone Group, an investment firm–duly implemented a patching process for his company that attempted to keep up with its regulatory responsibilities. It quickly became clear, however, that fixing vulnerabilities using the criticality of the bugs to prioritize patching kept the IT staff busy, but did not make the company much safer.

Thinking back to his time as a penetration tester, Velazco realized that patching the vulnerabilities he chased as an attacker would be a much better use of his time. The strategy paid off: Compromises within the company fell, he says.

“The intelligence part is important: People should, instead of focusing on the vulnerabilities and on the numbers, focus on the attackers,” Velazco says. “We have to mitigate risk before the exploit happens. If you try to mitigate after, that is more costly, has more impact and is more dangerous for your company.”

Velazco will present his experiences using intelligence on attackers to create a better vulnerability management program next week at the Information Systems Security Association (ISSA) conference in Nashville, TN.

The idea of intelligence-driven defense–using information on risk and attacker behavior to inform decisions–is not new. In 2011, security researcher Dan Guido analyzed the vulnerabilities exploited by the top toolkits in the cybercriminal underground and found that only 27 of the possible 8,000 vulnerabilities released over two years were actually included in the kits. Two simple steps could protect systems against those attacks, he found.

Guido recently updated the presentation and found that companies could be protected from every attack in current exploit kits by upgrading to Windows 7, not using Java in the Internet zone, enforcing data-execution protection, securing Adobe Reader, and using Microsoft’s Enhanced Mitigation Experience Toolkit to lock down systems. Just by observing attacker behavior, it’s obvious that they focus on a few applications–Microsoft Office, Adobe Reader, Java and Internet Explorer–to get the maximum impact from their exploits, he says.

“You don’t really have to be in quote-unquote threat intelligence to understand that trend,” says Guido, now chief technology officer at Trail of Bits, a security consultancy. “That should have been drilled into people over the last five or six years, well enough that, if you are not patching those applications within days of the fixes coming out, you are failing.”

[Attackers are increasingly cribbing code from existing exploits, rather than creating new ones. See Expert: Attacks, Not Vulnerabilities, Are Keys To IT Defense.]

Some vulnerability management firms provide an exploitability metric to help companies prioritize their patches. Qualys, for example, created a metric two years ago that allows companies to filter their vulnerabilities by exploitability rating. Yet, only about 600 customers are currently using it, says Wolfgang Kandek, chief technology officer for the vulnerability management firm.

While compliance mandates require a more comprehensive approach to patching, a mature company should have two tracks for patching vulnerabilities: A fast track for the most critical and a more measured track for fixing the rest, he says.

“As a first good challenge, fixing all the vulnerabilities which have exploits available in any of the major databases is a good step,” Kandek says.

Measuring criticality by the Common Vulnerability Scoring System (CVSS) score is not a good approach, as researchers have already found that the scores are not good indicators of exploitability. In a presentation at BSides Las Vegas, Michael Roytman of Risk I/O found that fixing a random CVSS-10 vulnerability gave a firm only a 3.5 percent chance of having patched a critical flaw, while fixing a random vulnerability exploited by the Metasploit project increased that chance to 25 percent.

In addition, companies need to scrutinize the common attack vectors more closely, says Trail of Bits’ Guido. Just patching the latest vulnerabilities is not enough, because that does not protect the company against unknown vulnerabilities.
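The two-track scheme Kandek describes, and the exploitability-over-CVSS point Roytman makes, can be expressed as a small prioritisation routine. The following is an added example written for this page; it is not code from the Dark Reading article, Qualys, Risk I/O or any other vendor. The vulnerability records, the "exploit kit" and "public exploit" flags, and the EXAMPLE-n identifiers are all constructed stand-ins for what a scanner export and an exploit-intelligence feed would supply.

```python
"""Two-track patch prioritisation driven by exploit availability.

Added example, not the article's or any vendor's code. The vulnerability
records and exploit-intelligence flags below are constructed.
"""
from dataclasses import dataclass

# Applications the article singles out as attackers' preferred targets.
COMMONLY_TARGETED = {"microsoft office", "adobe reader", "java", "internet explorer"}


@dataclass
class Vuln:
    vuln_id: str              # constructed identifier, not a real CVE number
    product: str
    cvss: float
    in_exploit_kit: bool = False   # seen in a crimeware kit (constructed feed)
    public_exploit: bool = False   # module in a public exploit database (constructed feed)
    internet_facing: bool = False  # asset exposure from the scanner's view


def track_for(v):
    """Classify one finding as ('fast', reason) or ('measured', reason).

    Exploit evidence outranks the CVSS number: a CVSS 6.5 bug that is in an
    active kit goes to the fast track, a CVSS 10.0 bug with no known exploit
    does not.
    """
    if v.in_exploit_kit:
        return "fast", "in active exploit kit"
    if v.public_exploit:
        return "fast", "public exploit available"
    if v.product.lower() in COMMONLY_TARGETED and v.cvss >= 7.0:
        return "fast", "high-severity bug in commonly targeted application"
    return "measured", "no known exploit; fix in the regular patch cycle"


def prioritise(vulns):
    """Split findings into fast and measured tracks, each ordered for work.

    Fast track: internet-facing assets first, then by CVSS descending.
    Measured track: CVSS descending (the compliance-driven order).
    """
    fast, measured = [], []
    for v in vulns:
        track, why = track_for(v)
        (fast if track == "fast" else measured).append((v, why))
    fast.sort(key=lambda vw: (not vw[0].internet_facing, -vw[0].cvss))
    measured.sort(key=lambda vw: -vw[0].cvss)
    return fast, measured


# Constructed scanner export: six findings across an imaginary estate.
SAMPLE_VULNS = [
    Vuln("EXAMPLE-1", "Proprietary CMS", 10.0),
    Vuln("EXAMPLE-2", "Java", 6.5, in_exploit_kit=True),
    Vuln("EXAMPLE-3", "Adobe Reader", 9.3, public_exploit=True),
    Vuln("EXAMPLE-4", "OpenSSH", 5.0, public_exploit=True, internet_facing=True),
    Vuln("EXAMPLE-5", "Microsoft Office", 7.8),
    Vuln("EXAMPLE-6", "Internal reporting tool", 4.3),
]


def main():
    fast, measured = prioritise(SAMPLE_VULNS)
    print("FAST TRACK (patch within days):")
    for v, why in fast:
        print(f"  {v.vuln_id:10} {v.product:24} CVSS {v.cvss:4}  {why}")
    print("MEASURED TRACK (regular cycle):")
    for v, why in measured:
        print(f"  {v.vuln_id:10} {v.product:24} CVSS {v.cvss:4}  {why}")


if __name__ == "__main__":
    main()
```

Note how EXAMPLE-1, the CVSS 10.0 finding with no exploit evidence, lands in the measured track while the CVSS 5.0 OpenSSH finding with a public exploit on an internet-facing host heads the fast track; that is the ordering Roytman's numbers argue for.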

“There is a wealth of vulnerabilities out there, and you are not going to find them all, and people are not going to tag them all with CVE numbers,” Guido says. “So you have to make it so you know if someone takes advantage of one and have a response to that.”


Article source: http://www.darkreading.com/vulnerability/securing-more-vulnerabilities-by-patchin/240162177

McAfee Offers Solution To Remediate Advanced Malware

LAS VEGAS–(BUSINESS WIRE)–McAfee today announced an end-to-end solution to help organizations combat the increasing challenges of advanced malware. McAfee’s approach to comprehensive threat protection allows organizations to respond to attacks faster and seamlessly move from analysis and conviction to protection and resolution. McAfee goes beyond single-feature, static analysis sandboxing products to address all three key requirements needed to counter today’s stealthy threats: the ability to find advanced malware with the new McAfee Advanced Threat Defense appliance, the ability to freeze the threats with McAfee network solutions, and the ability to initiate a fix with McAfee Real Time.

“The gap between recognizing advanced attacks and remediating them with a high degree of confidence has remained wide”

Enterprises are struggling to meet the threat defense challenges facing them today. Malware is now more sophisticated and stealthy. Many organizations are relying on their legacy security products and waiting for additional advanced malware protections to be incorporated, thereby exposing their organization to malware threats. Or they are using standalone malware products and plugging in third party products that are not integrated with the rest of the environment. While this may be expedient it is not a good strategy and can end up costing more money in the long run. Dealing with multiple contracts, multiple deployments, support headaches, development tasks, or paying a premium for connectors to enable the integration are just a few of the issues for organizations.

McAfee is the first company to Find, Freeze and Fix advanced threats via an end-to-end solution:

Find: Innovative analysis technologies work together quickly and accurately to detect today’s sophisticated threats across multiple protocols

Freeze: Integration with McAfee network solutions freezes the threat from infecting additional devices

Fix: McAfee Real Time identifies the device(s) that require remediation and streamlines the response, enabling automated investigation across all endpoints resulting in cost-effective remediation

“Advanced malware is a difficult problem facing organizations of all sizes,” said Pat Calhoun, general manager of network security at McAfee. “Detecting malware is only one piece of the whole solution. You also have to stop it from further infecting the network and remediate any infections. Difficult problems don’t require difficult solutions. McAfee combines superior threat detection with network and endpoint protection resulting in lower total cost of ownership for businesses.”

McAfee Advanced Threat Defense and McAfee Real Time are part of the McAfee Security Connected framework. Integration with network protection ultimately lowers the cost of training, implementation and ongoing maintenance. A centralized, multi-protocol malware analysis model eliminates appliance sprawl and eases integration with existing technology investments. Unlike standalone sandboxing products, McAfee Advanced Threat Defense layers full static code analysis on top of an advanced dynamic analysis engine for more cost effective, efficient and accurate detection.

“The gap between recognizing advanced attacks and remediating them with a high degree of confidence has remained wide,” said John Grady, research manager for Security Products at IDC. “With employees being more mobile and multi-device oriented than they’ve ever been, it is impossible to defend against all attacks with a single product. Integrated solutions that combine network and endpoint-level visibility and controls are the best way to combat targeted attacks and quickly enable remediation.”

Availability

McAfee Advanced Threat Defense and McAfee Real Time are expected to be available in Q4 2013. For more information visit: www.mcafee.com/advancedthreatdefense. McAfee also announced today a new SIEM solution to help organizations respond to advanced attacks.

McAfee Security Connected

McAfee Security Connected brings McAfee Network Security, McAfee Endpoint Security and McAfee Mobile Security together through an extensible framework of centralized management through the McAfee ePolicy Orchestrator platform. Integrated with McAfee Global Threat Intelligence, enterprises gain unprecedented visibility across all threat vectors, delivering unmatched protection from new and advanced cyber-attacks. The McAfee Security Innovation Alliance extends Security Connected with a network of more than 150 partners who integrate their solutions with McAfee through an open architecture.

About McAfee

McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), empowers businesses, the public sector, and home users to safely experience the benefits of the Internet. The company delivers proactive and proven security solutions and services for systems, networks, and mobile devices around the world. With its Security Connected strategy, innovative approach to hardware-enhanced security, and unique Global Threat Intelligence network, McAfee is relentlessly focused on keeping its customers safe. http://www.mcafee.com

Article source: http://www.darkreading.com/management/mcafee-offers-solution-to-remediate-adva/240162152

McAfee Delivers Situational Awareness With Enhanced SIEM

LAS VEGAS–(BUSINESS WIRE)–McAfee today announced the industry’s first “endpoint aware” security information event management (SIEM) solution that adds real time system state information to enhance situational awareness and streamline incident response. This innovative solution brings together big security data management capabilities of McAfee Enterprise Security Manager (ESM) with deep endpoint insight of McAfee Real Time. SIEM event data is combined with the proactive ability to immediately query, collect and analyze extensive endpoint context, including running processes, files, as well as system and security configuration.

Thwarting advanced threats demands greater situational awareness. According to the 2013 Verizon Data Breach Report, 69% of breaches went from initial compromise to data exfiltration within hours. Conversely, over a third of breaches took weeks to months to resolve. To minimize the damage of attacks and protect the business, it is essential that security analysts are able to swiftly identify attacks, determine the root cause and remediate the threat.

McAfee ESM integrated with McAfee Real Time is the only solution that goes beyond passive monitoring and provides endpoint aware security analytics about what’s happening within systems at the minute that it’s occurring. Having this real time information provides clarity into any breach, and speeds up response time needed to resolve advanced threats.

Ken Levine, senior vice president and general manager, Security Management at McAfee, commented on McAfee’s situational awareness initiative, “McAfee is continuing to lead the market for situational awareness by redefining security intelligence and turning the tables on attacks. We are able to achieve this by leveraging our big security data management system and the deep system insight only McAfee can provide. We understand this need unlike anyone else and we’re arming our customers with the intelligence, speed and context to win the battle against advanced threats.”

McAfee ESM with McAfee Real Time delivers the industry’s first “endpoint aware” SIEM, which enables organizations to proactively query, collect and analyze in real time information about the internal operations and configuration of endpoints across the enterprise. The ability to gather this important contextual data, previously unavailable to SIEM, allows security analysts to immediately determine the root cause of attacks, identify systems subject to the same compromise, and gain actionable intelligence for precise remediation – all in real time and from a single console. Furthermore, with Security Connected, security analysts can turn this actionable intelligence into intelligent action – issuing policy change, quarantine and vulnerability scan commands directly from the SIEM. This solution is just another proof point of the McAfee Security Connected platform of integrated, intelligent and connected security solutions that are needed in the battle against advanced threats.

Availability

McAfee ESM along with McAfee Real Time is expected to be available in Q4 2013. For more information visit: http://www.mcafee.com/siem. McAfee today also introduced the McAfee Advanced Threat Defense solution to help organizations build up their comprehensive threat protection.

McAfee Security Connected

McAfee Security Connected brings McAfee Network Security, McAfee Endpoint Security and McAfee Mobile Security together through an extensible framework of centralized management through the McAfee ePolicy Orchestrator platform. Integrated with McAfee Global Threat Intelligence, enterprises gain unprecedented visibility across all threat vectors, delivering unmatched protection from new and advanced cyber-attacks. The McAfee Security Innovation Alliance extends Security Connected with a network of more than 150 partners who integrate their solutions with McAfee through an open architecture.

About McAfee

McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), empowers businesses, the public sector, and home users to safely experience the benefits of the Internet. The company delivers proactive and proven security solutions and services for systems, networks, and mobile devices around the world. With its Security Connected strategy, innovative approach to hardware-enhanced security, and unique Global Threat Intelligence network, McAfee is relentlessly focused on keeping its customers safe. http://www.mcafee.com

Article source: http://www.darkreading.com/management/mcafee-delivers-situational-awareness-wi/240162153

State-backed hackers: You think you’re so mysterious, but you’re really not – report


Nation-state driven cyber attacks often take on distinct national or regional flavours that can uncloak their origins, according to new research by net security firm FireEye.

Computer viruses, worms, and denial of service attacks often appear from behind a veil of anonymity. But a skilful blending of forensic “reverse-hacking” techniques combined with deep knowledge of others’ strategic cultures and their geopolitical aims can uncover the perpetrators of attacks.


Kenneth Geers, senior global threat analyst at threat protection biz FireEye, explained: “Cyber shots are fired in peacetime for immediate geopolitical ends, as well as to prepare for possible future kinetic attacks. Since attacks are localised and idiosyncratic—understanding the geopolitics of each region can aid in cyber defence.”

Estonia was able to point the finger of blame for the infamous (and ultimately politically unsuccessful) cyberattacks against its systems in 2007. FireEye argues that understanding the geopolitical context of cyberattacks can be used to unpick their origins or to better prepare for attacks.

“A cyber attack, viewed outside of its geopolitical context, allows very little legal manoeuvring room for the defending state,” said Professor Thomas Wingfield of the Marshall Centre, a joint US-German defence studies institute.

“False flag operations and the very nature of the internet make tactical attribution a losing game. However, strategic attribution – fusing all sources of intelligence on a potential threat – allows a much higher level of confidence and more options for the decision maker,” Professor Wingfield continued. “And strategic attribution begins and ends with geopolitical analysis.”

Cyber attacks can be a low-cost, high payoff way to defend national sovereignty and to project national power. According to FireEye, the key characteristics for some of the main regions of the world include:

  • Asia-Pacific: home to large, bureaucratic hacker groups, such as the “Comment Crew”, which pursue targets in high-frequency, brute-force attacks.
  • Russia/Eastern Europe: more technically advanced cyberattacks that are often highly effective at evading detection.
  • Middle East: cybercriminals in the region often use creativity, deception, and social engineering to trick users into compromising their own computers.
  • United States: origin of the most complex, targeted, and rigorously engineered cyber attack campaigns to date, such as the Stuxnet worm. Attackers favour a drone-like approach to malware delivery.

FireEye’s report goes on to speculate about factors that could change the world’s cyber security landscape in the near to medium term, including a cyber arms treaty that could stem the use of online attacks and about whether privacy concerns from the ongoing Snowden revelations about PRISM might serve to restrain government-sponsored cyber attacks in the US and globally.

The net security firm also looks at new actors on the cyberwar stage – most notably Brazil, Poland, and Taiwan. Finally, it considers the possibility that such attacks might result in outages of critical national infrastructure systems, a long-feared threat over the last 15 years that has thankfully failed to materialise.

Squirrels have caused frequent power outages by doing things like chewing through high-tension power cables (or even touching them, to fatal effect for the furry little rodents) but El Reg‘s security desk hasn’t come up with even one verified example where hacking has triggered a blackout – except in the imaginations of Hollywood execs, of course.

FireEye’s report, titled World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks, can be found here (PDF). ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/02/nation_state_cyberattack/

So sad about the NSA web-spying bombshells

Channels Forum 2013 Claims that NSA spooks are snooping on everyone’s internet connections have alarmed libertarians and digital-rights activists around the world.

But despite the fact that such electronic eavesdropping has been going on for decades, the leaks from whistleblower Edward Snowden could net IT vendors and the tech distribution channel a tidy windfall.


That’s assuming said firms are prepared to go head to head with the might of the US intelligence community.

Canalys CEO Steve Brazier, opening his research firm’s Channels Forum 2013 shindig in Barcelona, said the Snowden scandal had real implications and yet offered real opportunities.

“For the last 20 years, politics hasn’t mattered to our industry. Suddenly, politics is important,” said Brazier.

But he added that, judging by his own figures, a good chunk of channel companies are unaware of the summer’s stream of revelations of how far the US, the UK and their pals have apparently compromised internet providers, security technologies and on-premises hardware.

Brazier predicted three key outcomes – even if much of what has been revealed turns out to be “untrue”.

Firstly, he said, there will be a change in how vendors and service providers incorporate security and market themselves around it. He cited the example of file-sharing biz Lockbox, which offers clients end-to-end encryption, or search engine DuckDuckGo, which doesn’t track its users’ searches and therefore can’t (in theory) be forced to hand them over to the Feds.

He predicted the Snowden leaks will also drive the adoption of open-source software on the basis that any compromise by the likes of the NSA or anyone else will be clear to the rest of the open-source community.

Perhaps most interestingly, Washington’s effort to document the world could lead to increasing localisation of hardware, software and services. Rather than trusting the big US-based providers, customers may look to providers in their own countries to protect their bytes.

“We expect customers will insist their data will stay in their country,” he said. He cited the example of Deutsche Telekom, which has launched a “made in Germany” email service that attempts to guarantee that messages never touch US networks unless absolutely necessary. Brazil, too, was contemplating legislation that would force service providers to site data centres in the South American country.

Given that the NSA’s backdoors may have been secretly implanted in on-premises networking equipment, customers and foreign governments may consider non-US manufacturers of said tech. Given that phones in the UK have to be certified before they can be plugged into Blighty’s landline network, Brazier speculated that similar regimes could be implemented for IT products and services.

“That will be complicated for the multinationals … it may provide some opportunities for local companies,” he predicted. ®

Article source: http://go.theregister.com/feed/www.channelregister.co.uk/2013/10/02/nsa_scandal_business_opportunity/

Security Skills For 2023

About a year ago I wrote a post at Securosis describing the big changes I see in the practice of security over the next ten years. While there never seems to be a shortage of town criers singing out the doom of our industry, I actually think we are at the start of some insanely positive changes. I don’t mean nebulous concepts like “influencing the business,” “baking in security early,” or “getting a seat at the table.” I mean honest-to-goodness security technologies and techniques that will not only materially change how we approach security, but are pretty darn interesting and compelling.

These days many security professionals are relegated to roles that often are only tenuously related to directly improving the security of the organization. Now I’m drawing some big generalizations here, but if this doesn’t describe your job, the odds are you know someone it does describe. Managing directory servers, pushing user permissions, configuring firewalls, and other similar tasks aren’t the sorts of things you need security experience for. We have already seen those jobs, even some level of packet analysis, being handed off to operations teams.

On the other hand, security isn’t merely going to transition into a policy-building role. Get too far away from technology and the policies don’t reflect reality, and security gets the basement office. The one next to the boiler.

I’m running on the assumption that if you are reading this, you plan on staying in security for ten years, you enjoy the profession, and you don’t want to turn your brain off. There will still be plenty of those jobs out there, but they will keep decreasing over time. No, for those of you that care, the future is bright.

First, a few technology assumptions. These are the trends (detailed in the post linked above) that I believe will change the practice of security. The first is the growth of big data, and the ability of security teams to collect and analyze large stores of data in real time. The second is the increasing use of cloud computing, and the availability of application programming interfaces to manage everything from software defined networks to point security products. The third is a greater enablement of incident response, including use of tools like active defense and hyper-segregation to reduce attackers’ ability to operate freely in our environments once they get in the front door.

That is probably a too-trite overview of where we are headed, but each trend is happening today, for real, as we see more and more of the boring stuff being handed over to Ops, who is better at it anyway. So what does this mean for those of us that don’t want to become clueless policy wonks?

There are three sets of skills I suspect will draw the big bucks in security: Security (Big Data) Analysts, Incident Responders, and Security Developers.

Despite the pretty vendor dashboards, winnowing out useful analysis from a big data repository is a significant challenge. It requires a sound understanding of security, the ability to program the analytics, and the common sense to figure out what matters, what doesn’t, and how to translate that for the non-statisticians (mere mortals) of the world. I won’t be surprised if this becomes one of the most sought after skill sets, especially among larger organizations and security service providers. If you did well in stats, this is where the big money will be.

Incident response is already a skill set in demand. The busy shops struggle to find qualified staff and keep them. Even mid-size and smaller organizations will need either in-house or outsourced incident response now that we have all realized we can’t completely keep all the bad guys out all the time. The fewer day-to-day operational adjustments we need to manage, the more time we can spend detecting and responding to incidents.

The last skill set is the one I find most interesting. As everything gains an API, we can build more dynamic and responsive security with code. Think your honeynet is cool? How about an active defense tool that detects an attacker hitting a honeypot, then spins out (using a software defined network) a segregated copy of the subnet with the same topology, but a bunch of dummy hosts to further identify and classify the potential attacker? Or using a few dozen lines of code to identify every unmanaged server in your cloud, determining the system owner, and potentially quarantining them or pushing out configuration updates? All of this is possible, today, with Software Defined Security. If you can code, understand security, and think DevOps is cool, the odds are you won’t have trouble finding work.
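As an added example (not code from the article or its author), here is the kind of "few dozen lines" the unmanaged-server scenario above describes: a pass over a cloud inventory that flags servers whose configuration agent has gone silent, resolves the owner from a team directory, and decides between pushing configuration and quarantining. The inventory, tag names, directory and contact addresses are all constructed and hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_CHECKIN_AGE_HOURS = 24  # agent silent longer than this counts as unmanaged

# Constructed directory mapping an "owner" tag value to a contact (hypothetical).
TEAM_DIRECTORY = {
    "payments": "payments-oncall@example.invalid",
    "web": "web-platform@example.invalid",
}

@dataclass
class Instance:
    instance_id: str
    tags: dict = field(default_factory=dict)
    agent_checkin_age_hours: Optional[float] = None  # None: agent never reported

def is_managed(inst: Instance) -> bool:
    """Managed means the configuration agent reported within the window."""
    age = inst.agent_checkin_age_hours
    return age is not None and age <= MAX_CHECKIN_AGE_HOURS

def resolve_owner(inst: Instance) -> Optional[str]:
    """Look the owner tag up in the directory; unknown or missing tag -> None."""
    return TEAM_DIRECTORY.get(inst.tags.get("owner", "").lower())

def decide(inst: Instance) -> tuple:
    """Return (action, owner_contact) for one instance."""
    owner = resolve_owner(inst)
    if is_managed(inst):
        return ("ok", owner) if owner else ("tag-required", None)
    # Unmanaged: with a known owner, push the agent config and notify them;
    # with nobody to contact, quarantine until someone claims the host.
    return ("push-config", owner) if owner else ("quarantine", None)

def plan(inventory: list) -> dict:
    """Map instance id -> (action, owner_contact) for the whole inventory."""
    return {inst.instance_id: decide(inst) for inst in inventory}

# Constructed sample inventory (hypothetical ids and tags).
SAMPLE_INVENTORY = [
    Instance("i-0001", {"owner": "payments"}, 2.0),      # healthy
    Instance("i-0002", {"owner": "web"}, 72.0),          # agent stale
    Instance("i-0003", {}, 1.0),                         # no owner tag
    Instance("i-0004", {"owner": "unknown-team"}, None), # never reported
]

if __name__ == "__main__":
    for iid, (action, owner) in plan(SAMPLE_INVENTORY).items():
        print(f"{iid}: {action} owner={owner}")
```

The actions returned here are decisions only; wiring them to a provider's API (security-group changes, configuration pushes) is the deployment-specific part the article leaves to the reader.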

I’m not about to promise you full employment as a cloud security programmer next year, but it seems clear that over time these skills will only be more in demand. On the other hand, odds are the basic management and maintenance of existing security tools will slowly transition to other departments. Security will still set firewall policies, but it makes sense for network operations to implement them. Like any profession, there will be a range of required skills, but the more you can align yours with the future, the better your odds of getting higher paying, more interesting work.

Article source: http://www.darkreading.com/views/security-skills-for-2023/240162107

Yahoo pays first bug bounty

Nervous reader, were you unsettled by the recent news that Yahoo’s email address recycling scheme had resulted in new account holders receiving past account owners’ personal details, including passwords and even an invitation to a wedding?

Did you fear that Yahoo might not be applying itself with all due gusto to users’ security, in spite of its having stated that it takes the security and privacy of its users very, very seriously?

Fret not. The exclamation-marked one has proved that it’s devoted to security.

How, you well may ask?

It paid a bug bounty to a security company, for finding a vulnerability that allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and tricking him or her into clicking.

In light of having been paid for that hole, the security company, Switzerland-based High-Tech Bridge, put a price tag on exactly how much Yahoo values their email security.

That would be $12.50 (£7.71).

The company had decided to test how quickly security holes on well-known, heavily trafficked sites such as Yahoo can be found and how the email provider reacts to a vulnerability notice.

Within 45 minutes of starting the research on 18 September, the company had netted a “classic reflected XSS vulnerability”, affecting the marketingsolutions.yahoo.com domain.

High-Tech Bridge speedily reported the bug, and Yahoo speedily replied in less than 24 hours.

Unfortunately, Yahoo was just letting the security outfit know that the bug had already been reported.

Its message:

Unfortunately this submission does not qualify for a reward because it has already been reported by another individual. Please continue to send in any other vulnerabilities that you may discover in the future.

The reply didn’t provide the security company with evidence that the vulnerability had already been reported, but OK. Fine.

Its researchers went on poking, and in short order, they found more issues.

In fact, by 22 September, High-Tech Bridge had discovered three more XSS vulnerabilities affecting the ecom.yahoo.com and adserver.yahoo.com domains.

The company reported the issues on Monday, 23 September, letting Yahoo know that each of the discovered vulnerabilities allowed any @yahoo.com email account to be compromised simply by, again, sending a specially crafted link to a logged-in Yahoo user and convincing him/her to click on it.

Yahoo’s response was a bit slower in coming this time around.

Within 48 hours, Yahoo “warmly thanked” High-Tech Bridge and offered to lavish the company with the princely sum of $12.50 reward per one vulnerability.

If your first inclination was like mine, of course, you’d warn High-Tech Bridge: Don’t spend it all in one place, guys!

Unfortunately, they do have to spend it all in one place, because Yahoo isn’t giving them cash, exactly.

Rather, the funds were disbursed as a discount code to spend in the Yahoo Company Store, which sells Yahoo’s corporate swag: t-shirts, cups, Inkjoy Retractable Pens, a 7×9″ mousepad festooned with the image of balloons, or the Yahoo Unisex Baby Set, which features, among other things, an Emoticon Long Sleeve Onesie (6-12 month).

Except the Yahoo Unisex Baby Set actually costs $61.

I’m afraid you’ll have to discover a lot more XSS vulnerabilities to score that Yahoo Company Store item, High-Tech Bridge!

High-Tech Bridge is a tad miffed.

Ilia Kolochenko, High-Tech Bridge CEO, said this:

Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price.

Of course, money isn’t the only motivation for security researchers, Kolochenko went on to say. Ego is right up there.

That’s why, he said, companies like Google not only pay out much higher financial rewards, but they also maintain a Hall of Fame where all security researchers who have ever reported security vulnerabilities are publicly listed.

He says:

If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means. Otherwise, none of Yahoo’s customers can ever feel safe.

How much more do other companies pay out in bug bounties?

As of July 2013, when Microsoft paid its first bug bounty for a hole in Internet Explorer, Google had paid out about $580,000 over three years for 501 Chrome bugs, and Firefox had paid out about $570,000 over the same period for 190 bugs.

A study [PDF] from the University of California, Berkeley has found that paying bounties to independent security researchers is a better investment than hiring employees to do it.

If you compare bug bounty payouts with just one full-time salaried security researcher digging through code, at, say, $100,000 per year, it’s obvious to see that the savings to a company can be huge.

In fact, the study found that bounty programs “appear to be 2-100 times more cost-effective than hiring expert security researchers to find vulnerabilities.”

High-Tech Bridge quoted Brian Martin, President of the non-profit Open Security Foundation, who commented on the High-Tech Bridge experiment, noting that some vendors pay their janitors more money to clean their offices than they do to security researchers who find vulnerabilities that could put thousands of their customers at risk.

High-Tech Bridge, for its part, says it’s decided to hold off on further research.

Yahoo, is this what you wanted to encourage with your first bug bounty payout? Security researchers throwing in the towel instead of helping to make your products safer to use?

I hope not.

Readers, what do you think? Do you think that the low payout means that Yahoo likely evaluated the XSS vulnerabilities and didn’t think much of them?

Or is just that the Onesie stock’s running low?

Please let us know your thoughts in the comments below.

Image of bug courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/l-HOokXH2kU/

Facebook Graph Search can now paw through your posts and status updates

It’s been nearly 10 months, but finally, the wait is over: We can now run Facebook searches to find single women who like men and like getting drunk and who might happen to mention such things in posts and status updates.

Thanks goes to the rollout of Facebook Graph Search’s ability to search every single public Facebook post and status update ever made, announced by Facebook on Monday.

The searches can be modified by time – “All of my posts from 2012,” for example – location, or the people who participated.

Graph Search for post and status updates is rolling out slowly to a small group of people who currently have Graph Search, Facebook says, including those who signed up for the limited beta of Graph Search, announced in January.

That small group does not include me, which hampered my ability to search selfies so as to determine how soul-crushingly embarrassing this is all going to be.

It’s not a field day for reputation ruining, at any rate. Privacy controls still pertain.

Those who run Graph Searches can only see content that has been shared with them, including posts shared publicly by people who aren’t friends.

But it’s worth noting that the broadening of Graph Search’s capabilities opens up all public posts ever, as well as any posts shared directly with each user, to aggregation.

Most of us, I’m sure, are kind of fuzzy on the details of what, if any, truly embarrassing Facebook status updates we’ve left behind in our more-or-less slimy trails.

We should all bear in mind that Facebook updates are set to be public by default.

That’s got much to do with the fact that Facebook is interested in encouraging users to open up conversations to strangers.

That was apparent when the social network rolled out hashtags in June, in hopes of creating a Twitter-like buzz of activity that users can partake of.

To maintain privacy and keep strangers out of your conversations and unaware of your activity, don’t use hashtags.

Also, to maintain privacy, use privacy controls. Millions of Facebook users are oblivious to, or just don’t use, privacy controls.

Don’t be one of them, and while you’re at it, don’t let your friends or family fall into that category.

To see who can find the things you’ve shared, you can use privacy shortcuts and Activity Log to review your personal trail of glory and misdeeds to find out just what was shared publicly.

Go to Facebook’s Activity Log page to find a list of your posts and activity, from today back to the dawn of your Facebook life.

There, you can find stories and photos you’ve been tagged in, Pages you’ve liked, friends you’ve added, your photos, and photos you’re tagged in that are shared with Public.

Even if you’re not in the beta group who now should have access to searches of posts and status updates, you can still swab the deck in preparation for whatever mess might spill over once everybody gets the ability to search for every Facebook thing you’ve ever done.

It’s good to remember that Facebook doesn’t drag information out of people. Besides photos we’re tagged in without our permission, most everything that’s in our Graphs is up because we put it there.

To further clean up our Facebook personae, we can always remove a tag from a photo or post we’re tagged in.

As Facebook outlines here, you do that by hovering over the story, then clicking and selecting Report/Remove Tag from the drop-down menu. Then, remove the tag or ask the person who posted it to take it down.

Also, to further lock down your profile, take a gander at these five tips to make your Facebook account safer.

If you need motivation to get to these cleanup tasks, here’s a good one: a blog that features actual Facebook Graph Searches, put up on 23 January 2013.

Within 24 hours of the launch of Graph Search, people had the mischievous ingenuity to cook up searches such as “Married people who like Prostitutes”.

It’s been about 9.5 months since the launch.

Imagine what people have thought to search for in that time?

If you want to keep up to date on privacy and security threats on Facebook and elsewhere on the internet, join the Naked Security Facebook page.

Image of hashtag and share courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/G2phEy7D2JU/

Cloud is a key-management pain: NIST


The USA’s National Institute of Standards and Technology (NIST) – recently accused of collaborating with the NSA to weaken security standards – has put together a paper highlighting the key-management challenge posed by cloud computing platforms.

As readers will know, key multiplication (and therefore management) can be headache-making even in in-house IT environments. Just one service, SSH, was criticised by its creator earlier this year for spreading unwanted keys far and wide.


The paper, Cryptographic Key Management Issues & Challenges in Cloud Services, would be available at http://www.nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7956.pdf if it were not for the fact that NIST’s site has been DOSed by the US government shutdown. The Reg has popped it into Dropbox here as a PDF. (See – we don’t need no lousy government, do we?)

As the paper, authored by Ramaswamy Chandramouli, Michaela Iorga and Santosh Chokhani, states, crypto key management – already a challenge for anybody with a large IT infrastructure – starts to look a little nightmarish when you start spreading your systems far and wide into cloud environments you don’t control.

Key management, they write, “becomes more complex in the case of a cloud environment, where the physical and logical control of resources (both computing and networking) is split” between different locations, different applications, and different virtual machines.

“Furthermore, the pattern of distribution varies with the type of service offering – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS),” they note.

Key management has to be able to cover securing the interactions with the cloud environment, as well as securing the data the cloud service creates. Moreover, “in many instances, the KMS required for managing the cryptographic keys needed to protect that data have to be run on the computing resources provided by the cloud Provider.”

The paper offers a variety of architectural templates for key management, depending on the deployment scenario under consideration. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/02/cloud_is_a_keymanagement_pain_nist/