Posted on May 31, 2011 by Josh Arrington
What a deal–free backdoors with every product! Bank of America is stung by an insider! Plus, cyber crime hits the small screen. These are just a few of the headlines we’re focused on for this week’s IT Security Rewind. Let’s dig into the details:
Wireless router, backdoor included: ThreatPost covers an “oops” by Allied Telesis, a Japan-based maker of switches, routers and other networking devices, which posted online an alleged internal customer support document. The document was written to answer questions like “‘How do I obtain a backdoor password for my Allied Telesis device?’” and includes instructions on accessing a “built in Backdoor function” on any Allied Telesis device. Why is this a big deal? ThreatPost says it best: Backdoor administrative accounts and functions are a dirty secret of the hardware industry. Based on the headlines we’ve seen, this dirty little secret is a hacker’s pay dirt.
Cost of a data breach = $10 million: IDG News Service has been tracking the Bank of America breach that was first reported by the Los Angeles Times this week. According to reports, a Bank of America insider who sold customer data to criminals cost the bank at least $10 million (US) in losses. While only minimal details of the breach are being released by law enforcement at this time, the efforts to leverage customers’ personal information have been successful in many cases, with one victim reporting that his checking accounts had been rapidly drained of more than $20,000.
Cybercrime – the movie: Got some down time this weekend? Hopefully you had your DVR set for CNBC’s documentary “Code Wars: America’s Cyber Threat,” which originally aired on May 26. The show investigated the prevalence of global cyber threats, with correspondent Melissa Lee conducting multiple interviews, including traveling to profile the leader of a group of Chinese hackers and visiting Estonia, a nation whose banking system was taken down for days by hackers. The New York Daily News says, “‘Code Wars’ aims to scare us about bad guys with computers the same way ‘Jaws’ aimed to scare us about large angry fish.” Missed it? The program will run again on Sunday, May 29 at 10 p.m. ET.
What other security headlines do you think are worth highlighting?
Posted on May 20, 2011 by Josh Arrington
A talk about Siemens SCADA hack gets pulled, Dropbox gets caught lying and could there be hackers in space? These are just a few of the headlines we’re focused on for this week’s IT Security Rewind. Let’s dig into the details:
Liar, liar, files aren’t encrypted: The FTC has filed a complaint that Dropbox “has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data.” According to WIRED, the FTC provides evidence that Dropbox employees could view customer data and files. This puts users at risk of government searches, rogue Dropbox employees, and even companies trying to bring mass copyright-infringement suits. While Dropbox defends claims that employees couldn’t access files due to company policies, it looks like they are in some hot water with the FTC.
Hacker in space: This week Threatpost reported that a Romanian hacker, who uses the handle “Tinkode,” has published a screen capture from what he claims is an FTP server at NASA’s Goddard Center. NASA, no stranger to security issues, has been criticized for its lackluster policies on cyber security. They can now add this FTP server to their list of weaknesses. Interestingly enough, this wasn’t “Tinkode’s” first time in space: in April he published the names and e-mail addresses of European Space Agency employees after compromising a server operated by that agency.
The White House focuses on the Utility Industry: While most of last week’s proposed Cybersecurity Legislation focuses on better reporting practices, one area of specific interest is the potential impact on the utility industry. For an industry that is continuously looking for guidance on how to protect itself, this proposal will give utility executives some things to consider and clear ramifications for those who don’t take action.
U.S. cybersecurity and Siemens representatives cancel SCADA talk: Attendees at the TakeDown Conference in Dallas may have left disappointed as a scheduled talk on the security vulnerabilities in Siemens industrial control systems was canceled. ComputerWorld’s Rob MacMillan explained, “It is common for security researchers to talk about security bugs once the software in question has been patched. But if the vendor can’t get the issue fixed in time that can create problems for security researchers, who may be expecting to talk about the issue at a hacker conference.”
What other security headlines do you think are worth highlighting?
Posted on May 18, 2011 by Josh Arrington
Microsoft TechEd North America 2011—an international conference that draws IT developers and professionals from around the globe and encourages engagement and collaboration with Microsoft innovators, third party leaders and industry peers—is now in full swing at the Georgia World Congress Center in Atlanta, Georgia. Cyber-Ark will be on hand to demonstrate the advantages of its Privileged Identity Management Suite as well as the advanced auto-discovery functionality for automating the detection process of all forms of privileged accounts, including the service accounts commonly associated with Microsoft Windows Services. To join the conversation surrounding the event, we decided to check in with one of our partners—Avecto, a pioneer in least privilege technology that enables organizations to deploy secure and compliant desktops—to see what they have planned for the show and beyond.
Read on for our brief Q&A with Paul Kenyon, Co-Founder and COO at Avecto:
Cyber-Ark: What does the Avecto team have in store for attendees and followers of TechEd 2011? Any new technologies and products you anticipate will generate a good deal of buzz at the show?
Paul: Avecto will be demonstrating the latest release of our privilege management product, Privilege Guard 2.7. Amongst the various new features in the product we have significantly increased the integration with Windows 7 User Account Control (UAC). We see UAC as a great solution for true administrators and home users, but felt that there was some functionality lacking for corporate environments. In Privilege Guard 2.7 we have filled that gap to make Windows 7 migrations simpler and more secure.
Already, Privilege Guard has received the Windows 7 compatibility accreditation, and the product is a snap-in to Group Policy and WinRM (a standard feature in Windows 7) for centralizing our events. Specifically, what we have tried to do is avoid making our customers invest in additional architecture to obtain the benefits we provide—and we anticipate this will be received warmly at TechEd.
Cyber-Ark: Last year, Avecto and Cyber-Ark officially announced a strategic partnership to enable the resale of Avecto’s Privilege Guard products to Cyber-Ark’s Privileged Identity Management Suite customers. Can you share some milestones from this partnership in terms of evolving market demand and customer traction, even anecdotally?
Paul: Well, to start, the relationship began with a meeting between myself and Udi Mokady, in Ireland, last year. I had suffered a fall from my mountain bike so was looking a little worse for wear, but needless to say, I didn’t want to miss the chance to get together with Udi whilst it was geographically so convenient to meet. It was at that meeting that it became clear that the synergy between our two companies was too great to pass up on the opportunity to partner.
Naturally these things take time to hatch but once all the paperwork had been completed and the partnership launched internally we started to see considerable customer interest arise. Only yesterday I spoke with a prospect who is looking at both our products and was keen to make me aware of the value of purchasing technologies that he knows are compliant with one another from day one.
Cyber-Ark: With security, and IT in general, the focus always seems to be on “What’s Next?” With that in mind, how do you foresee enterprise security practices and technologies, both on-premise and in the cloud, evolving come TechEd 2012?
Paul: Most of the organizations we have spoken to are saying similar things; they have invested in anti-virus, firewalls, intrusion prevention and various other technologies at the perimeter but now they want to further secure desktops and servers inside the network. More than that, we have seen the increasing demand on CISOs to improve customer satisfaction, which means that they need to implement technology that improves the security of the business but not directly at the expense of user flexibility.
Posted on May 13, 2011 by Josh Arrington
Welcome back to our weekly “IT Security Rewind” blog series. If there is one thing that IT security professionals know all too well, it’s that there is no such thing as a “slow week.” So while we didn’t witness a series of spectacular breaches as seems to have been the norm over the past few weeks, one in particular is making us think twice before swiping our credit cards through a store’s PIN pad! Here are our top three security stories from the week of May 9:
- A scrapbook that drains your bank account?: When news broke that debit and credit card numbers and PINs had been stolen through PIN-pad tampering at Michaels, a national fabric retailer based in Irving, Texas, original reports indicated that the breach impacted only Chicago-area stores. But as is often the case, the scope has grown: this week Michaels reported that about 90 PIN pads at stores located throughout the US have allegedly been tampered with. The root cause of the attack is still under investigation—was it simple skimming through the use of an electronic device, or is it possible to implant malware on such a device through a network hack? We’ll certainly be watching for additional details on this story as they are uncovered.
- More SCADA Security Flaws: It is never a good thing when “vulnerabilities” are included in the same sentence as “critical infrastructure.” According to ThreatPost, the “U.S.’s Computer Emergency Response Team (CERT) issued a warning to critical infrastructure firms on Wednesday about a serious security hole in products from Massachusetts firm Iconics that could leave critical systems vulnerable to remote attacks.” ThreatPost and other outlets reported that the vulnerability “can allow malicious code to run with the privileges of the current user.” Very much in the same vein as Stuxnet, we continue to see companies in the electricity, oil and gas, manufacturing and water treatment sectors emerging as the focus of targeted attacks.
- Hacking a CMS? A Help Net Security report uncovered a new vulnerability in Exponent CMS that could enable hackers to “create an arbitrary user with administrative privileges if a logged-in administrative user visits a malicious web site.” Could privileged identity management technology play a role in mitigating this threat? Either way, here is another potentially damaging flaw, one that could be used to “conduct cross-site request forgery attacks and disclose sensitive information.”
Check back here again soon for next week’s IT Security Rewind, and as always, let us know your take on the news.
Posted on May 6, 2011 by Josh Arrington
Today marks the launch of our “IT Security Rewind” blog series, with our take on some of the week’s most significant and newsworthy industry stories. Our inaugural post highlights recent breaches and examines highly-exploitable vulnerabilities in common software and systems. Let’s take a look at this week’s Rewind:
- Above the law? When it comes to maintaining order and preserving safety, police officers are typically considered a first line of defense. Unfortunately, that doesn’t necessarily mean that their crime prevention technology is impregnable to hackers. As one security consultant proved, it is possible to exploit vulnerabilities in their equipment, specifically a police cruiser’s digital video recorder system. The consultant was able to exploit the hardcoded, default password in the system’s FTP server to gain access to the DVR’s controls and manipulate its use. Just another example in a long line of recent breaches that illuminate the vulnerabilities present in a large number of seemingly innocuous targets (think: digital copiers and scanners, video conferencing systems, and well, police cruiser cameras).
- Don’t ignore ERP: Along those same lines, enterprises beware: According to Dark Reading, another one of those often-ignored network targets susceptible to attack may be your company’s ERP system. According to the report, these systems are often ignored and left vulnerable to unauthenticated attackers who can leverage embedded credentials, like hardcoded passwords, to enter a system and steal sensitive information.
- Passwords at risk [again]: Speaking of lines of defense—how upset would you be if you proactively used a secure password storage service, but then discovered that all of that critical information may be compromised? One of those services, LastPass, is urging their users to change their network passwords after detecting a network anomaly.
No matter where or how data is stored these days, one thing is clear—you need to stay on guard.
That’s this week’s IT Security Rewind! What was your take on the news?