Do you know if you and your third-party vendors are HIPAA compliant? Do you need some help finding out?

Thankfully, RJS Smart Security provides healthcare organizations and their business associates with a comprehensive evaluation of their protected health information and data environment with a HIPAA assessment. RJS follows the emerging Penetration Test Execution Standard (PTES) as the model for these assessments.

HIPAA Compliance with RJS Smart Security

Our HIPAA assessment focuses on HIPAA regulations for companies who may or may not be facing an audit. During this engagement, we look at the following:

Compliance is not the same as security. Compliance defines the bare minimum needed to protect specific data types or industries. This engagement identifies lean ways to meet HIPAA requirements so that your business still has resources for security.

Strategy is perhaps the most critical security task, as well as the least used. A strategy engagement identifies what HIPAA compliance pieces you already have, what you need and how to get there. Several risk assessment methodologies are available to guide us in crafting a security plan that ideally fits your health care business.

Policies and Procedures review the body of written controls that are currently in use and assess how well they are being followed. Policies often age as technology improves and procedures are followed poorly as they lose applicability.

And, depending on the scope of your engagement, we also examine:

Network Vulnerability involves scanning your network to identify the operating systems and applications in use. Older applications are a common vector in successful attacks, but these flaws can only be addressed if you know they exist.

Web Vulnerability focuses on the many common problems found in web applications, such as SQL injections looking to steal or alter data, scripting to exploit users or weak configurations.

Data Analysis identifies the documents and databases an organization is storing and the risks resulting from possible data leakage. This analysis helps you determine ways to centralize storage and eliminate the unnecessary.

A Success Story

Healthcare Services Provider*

A medical services company had grown by acquisition and upon examination of their network infrastructure, an increasing number of legacy applications were cause for mounting concern. With fewer people on staff who knew how they functioned, it was increasingly difficult to maintain their security and comply with the regulations of HIPAA and HITECH.

To help simplify the process of application management while working within a tight budget, the company hired RJS to review one legacy application each quarter. In the short term, this approach helps the firm meet their Business Associate requirements. In the long term, the newly-built applications can be maintained at a lower cost.

* The company name has been kept anonymous due to the sensitivity of the work performed.

We couldn’t agree more!

As you probably know, the United States has constantly lagged behind in global math and science scores. As the New York Times reported this past December, “In the United States, only 7 percent of students reached the advanced level in eighth-grade math, while 48 percent of eighth graders in Singapore and 47 percent of eighth graders in South Korea reached the advanced level. As those with superior math and science skills increasingly thrive in a global economy, the lag among American students could be a cause for concern.”

I would argue that a substantial part of the issue is what we’re not teaching. In 41 states, coding courses do not count toward high school graduation. This is a terrible oversight for several reasons:

1) The backbone of computer programming is … math and science.

2) Computers have become a necessity in our culture, on par with food, water and shelter. Global and national business transactions, online connectedness to family and friends, mobile applications, web-based games and social media are all computerized elements that are daily fixtures for most Americans.

3) Because of the computer industry’s relative youth (we’ve only been using the internet for a little more than 20 years) and still untapped potential (mobile and cloud for example), possibilities for growth are virtually endless.

So wouldn’t you think the leaders of our educational system would start putting two and two together, identify this huge opportunity and create a game-plan to proactively solve a problem that is as crystal clear as bottled water? The stats are available for all to see. Here’s what we’re looking at:

Thankfully, the non-profit, Code.org, has taken notice and is dedicated to growing computer programming education. It’s time we engage our legislators, youth and education professionals to make the changes necessary to embrace computer science as the present and future of math and science.

And if you have a couple minutes, check out Code.org’s video, “What Schools Don’t Teach,” starring a who’s who of the computer industry, including Bill Gates, Mark Zuckerberg, Jack Dorsey and many more.

You might think that paleo art is art done by prehistoric people, but no. In this case, it is art done to provide imaginative reconstructions of life from fossils. I imagine that most people these days are aware of the belief that many of the two-legged dinosaurs were feathered. However, as it often turns out, things are more complex than that. This book explores the history of dinosaur art and, along the way, draws on what we know about natural history, camouflage and mating habits of contemporary species.

So why am I posting this review on a blog that is (more or less) focused on information security?

Well, in addition to this book being about pretty pictures of dinosaurs, it is also about an industry working over time to make guesses about the truth, analyze their mistakes in the face of new evidence and, through a constant stream of screw ups, come closer and closer to consensus. As they’ve done this, everyone has had to constantly adjust to the shifting truth.

In effect, it is a book about evolution … the evolution of species … the evolution of understanding … and the evolution of the understanding of evolution, so to speak. This happens in all industries, but the younger the industry is, it seems, the less we like to acknowledge that we don’t have all the answers. In Information Security, we don’t like to be wrong and we particularly don’t like to be wrong in front of other people. This is understandable, as when we make a mistake in security, people could get hurt. However, when we don’t get a chance to discuss our mistakes as a community, we don’t get a chance to improve.

Today, there is some discussion in the community, but mostly within closed mailing lists and at conferences. Unlike in the realm of paleo art, our mistakes tend not to be public, so there are fewer eyes on them and fewer opportunities to get better. Fortunately, there are more hackers than professionals who draw dinosaurs, so we do get an advantage of numbers. Still, there is ample room for improvement.

This book explores the problems that arise from:

• Taking a superficial view of evidence
• Not comparing logical conclusions to examples of modern data
• Avoiding analysis and basing beliefs on the misguided work of others
• Looking strictly at hard evidence and ignoring behavior
• Hyper-focusing on dramatic scenarios

Sound familiar?

You’ve probably seen published lists of the most commonly used PIN numbers, including such creative numerology as 1111 or 5683 (spells out LOVE). Security experts look at those lists and shake our heads wondering what people were thinking when they hit “1” four times and thought their phone was secure.

Of course, at least they’re using a PIN of some sort in an effort to protect their phone. Even if the PIN is considered “weak,” the stark reality is most people don’t use one simply because PIN codes are inconvenient and take time to enter. In fact, most people don’t use any means of data protection at all.

Thank goodness you’re not one of those PIN-less cellphone users, right?

Well, what if I told you your PIN, no matter how cleverly created, is now trivial to hack?  And that nifty complicated thumb sliding lock pattern you came up with that would require the hacker to be double-jointed to pull off?  Even easier.

There’s a new PIN and lock pattern proof-of-concept hack from Dr. Adam Aviv and his team of researchers at the University of Pennsylvania that uses the accelerometer in your phone to detect how it moves in space specifically during the unlock process.  As you move your thumb to hit the PIN numbers or trace the unlock pattern, this hack track the accelerometer data and matches it against its database of known patterns. They’ve been working on this attack vector for a few years now. Their previous approach utilized the gyroscopic sensors which lead to very imprecise measurements, but this new approach uses the accelerometer sensor in a “high bandwidth” mode and the results are pretty spectacular. In controlled settings with the subject seated they were able to guess the PIN number used 43% of the time and the unlock pattern 73% of the time.  When the subject was walking, the accuracy dropped greatly due to the additional movement noise introduced to the sensors that resulted in only 20% of PINs and 40% of patterns guessed.  They also mention the possibility of utilizing machine learning to determine text-based passwords as well, but mention no collected data against it.

I suspect long key presses for alternate characters may be difficult to decipher from the accelerometer data, but they do briefly mention key permutations (each key having multiple values from long presses), which increases the number of guesses required to get a four number PIN combination. If one were to use a very complicated password or random characters you could make it highly unlikely to guess your password using this method. Of course, you would also be spending the bulk of your time on your Smartphone entering an unlock password.

Another possible solution is to change the orientation of your phone (i.e. holding it wrong). Since Dr. Aviv’s team is only reading the accelerometer values and not the gyroscope values, which track pitch and roll of your phone, one could throw their data off. If they accounted for this circumstance and polled the gyroscope to determine orientation values while polling the accelerometer, the data sets would be much more complex as a result.

So clearly the best response to this type of attack method is to boogie down, run, jump, etc. while unlocking your phone. Personally, I’m working on some sick dubstep and James Brown moves to go along with my android unlock pattern that should make it near unreadable.

1) Former NFL Quarterback, Jon Kitna, has become a high school teacher. He did this as a way to give back to the community.  However, the most important part of the story is how he is giving back. This is a story about someone trying to change his community by teaching children that their actions have consequences, even if those consequences result in the entire team losing.

2) A Canadian computer science student by the name of Ahmed Al-Khabaz was expelled from Dawson College for running hacking tools against a system that contained data for numerous students. He found a flaw, reported the flaw, but because he did not have permission to run the test, he was kicked out. He has since been offered opportunities with firms and other schools.

3) On my private mailing list, a friend expressed concern over an issue in which one of his students sent a PDF of a book to the entire computer security class. This book was a copyrighted work by someone else that we both know. This was clearly illegal and, by most standards in the security community, unethical.

So, what do all of these stories have in common? Fundamentally, they’re about young people making mistakes. What might be hard to see, though, is that they’re also about adults making mistakes. We tend, in the Security and Legal communities to see the world in black and white. Dawson College expelled Ahmed Al-Khabaz because, in their view, he was “no longer suited to the profession.”  There was discussion about expulsion in the private story as well, because of similar concerns. In other words, we have colleges taking a hard line on students that screw up and are kicking them out.

The problem, though, is that one of the best ways to learn is by making mistakes. Many of the best people we have in IT Security have checkered pasts. Many of the worst people we have in IT Security also have checkered pasts.  While my own past is cleaner than most, I did cross the line a few times in school and got a talking to. I quickly learned both what to do and what not to do, but more importantly, how to do.

Actions must have consequences. Without pain, we do not learn. However, if those consequences are too severe, we don’t learn either. We give up.

If we look at these issues as a society, we have people working defense who are trying things and, if they try the wrong thing with the wrong person, they’re kicked out. We also have people working as attackers. These are well-paid individuals (due to the high risks involved) and are often highly skilled because they are not hampered by people trying to get them expelled or fired for experimentation. In fact, the more we take a hard line approach to these sorts of issues, the more likely we are to identify our best learners (the young people who make mistakes) and drive them to unethical and illegal activities, as we close the door to legitimate work in their face.

In a world where the attackers are massively out-competing the defenders, I have to ask whether this is wise.

Instead, consider Jon Kitna’s story. He’s adopted hard line rules for his football players. If they screw up, they’re out … but not completely … just a game or part of a game. They’re not off the team, they’re not kicked out of the community. This still means a mistake is punished, but done so in a way where people learn from it. Those who made the mistake get the most punishment. Those who supported the mistake while it was being made get a lesser punishment, and all of them serve as examples to keep everyone else where they need to be.

As people, we learn and grow over time. Of these three stories, which supports growth?  Of these three stories, which people would you rather work with as adults?  Who would you hire?

I know, for me, I’d take the under-educated, low-income kids over the college students any time.  Why?  It’s about community. Lincoln High School is making better adults than Dawson College is. The graduates from Jon Kitna’s football team might not be the best educated kids. They might need a lot of hand holding and training to make it in the real world, but they’ll have character. If I’m working a security problem with someone, I need someone I can trust. That means I need someone who has been raised to be trustworthy. Improvement is iterative and if you’re not given the ability to learn and grow from your mistakes, you’re just going to wind up making the same errors over and over again. As a security person, a professional and, really, just as an adult, I need people who have made mistakes, owned up to them and, where possible, fixed them. I need learners and I need people who can see the shades of grey in the world. I suspect that you do too.

There’s spin on both sides. Unsurprisingly, Sophos is downplaying the issue and Tavis Ormandy’s tone in his second paper is much like that of his first. So I thought it would be good to explore the issues more fully.

I am disappointed in Sophos’s recent fumbles, but not disheartened. I still think that, for a great many companies, they have the best solution available.

There are two core problems here. The first is that of scaling. As companies grow bigger, they often become slower to react. Sometimes, they fail to adjust to their new reality. Sometimes, however, they get through it and become incredible companies. There are indications that Sophos is beginning the turnaround.

The second problem is industry-wide and has to do with market-splintering. Today, we are facing a splintering security vendor space and reports like the ones from Tavis are a symptom. Reports we’ve been getting for the past few years about AV and IDS being “dead” is yet another symptom.  There’s nothing wrong with these reports and it’s good that people are thinking about the issues. But unfortunately, they’re missing the big picture.

In a splintering space, there is an increasing deviation between what a product actually does and how it is branded. This continues until the vendors wake up and pivot their branding to better match what they actually do. This always takes longer than we’d like, because employees of a company are driven by their brand even more than their customers.

As I see it, the AV vendor space is breaking apart into four chunks:

• Traditional AV – Focused on being lightweight and supplementing the protections built into an operating system.
• Anti-Malware – Focused on monitoring and responding to bad and potentially bad things that can happen to an operating system.
• Application Whitelisting – Focused on locking down an operating system to only allow known applications to run.
• Malware Analytics – Focused on providing detailed data about events so human analysts can make appropriate decisions.

We are also seeing the attack space splintering as well. Specifically, we’re seeing a tiered structure emerging:

• Background Radiation – A constant stream of trivial attacks, legacy viruses and worms that float about the internet.
• Industry-focused Asset Attack – Attacks that focus on specific industries aiming to steal monetary assets. These often rotate between industries, “campaign” style. At present, Western banks are in vogue. Indications are that these attacks are run by organized criminal groups. If you have above average protection in this space, you gain significant competitive advantage as attacks are driven to those that do not.
• State-sponsored IP Attack – Attacks that also focus on specific industries, but are run by better-organized groups suspected of being funded by state agencies. They aim to steal intellectual property. You get significant benefit from being above-average here too.
• Industrial Espionage – Attacks focus on specific companies and likely come from other specific companies. There is no benefit to be gained from being above-average in defense, as that just creates rapid escalation in an arms-race pattern of growth.

The third splintering effect is familiar to those of you who have heard my talks or read my comic book.

In the defense space, we have two primary trends emerging based on complexity. Both are valid, but they are completely incompatible with one another (at least on the large scale).

• Simplification – This trend involves firms who outsource much of their operations and infrastructure to managed SOC providers, cloud providers, SAAS providers, etc. The idea is that by focusing on their core business and finding trustworthy partners, they can become more nimble and therefore, more profitable.
• Complexification – This trend involves firms who increasingly centralize their infrastructure through virtualization, log management, analytics, etc. The idea is by taking more control, you can better analyze the business and find regions of improvement.

So after this rather long diversion, what does it mean for Sophos? Well, their core strength is offering administrators a solution to rapidly and consistently provide a reasonable level of protection that gives early indicators of attack. This means they’re a great fit for anti-malware up to and including the State-sponsored IP attack tier and work best in simpler environments or in simpler subsets of complex environments.

I do not think that they’re the best solution for highly-targeted complex companies, as they are not an analytics tool. They’re also not the best solution for extremely simple firms that want “set it and forget it” technologies. Security takes work and if you put the work in, you get better security. You should pick a solution that allows you to put in more work than you currently do, but does not require that additional work for the product to still be effective.

Many of the critiques of Sophos tend to be at the edges. And Sophos doesn’t help these concerns by marketing as if they fit everywhere for everyone. I think they’ll eventually reach this goal, but they’re not there today.

If you’re in a highly complex environment that is facing constant incursion from well-funded foreign governments, Sophos better not be your only tool. You need Analytics, too.

If you want the cheapest solution out there that you can install and ignore, Sophos won’t work well for you either. That’s where Traditional AV and the ability to wipe and reload when it fails comes in.

Operationally, you need to figure out what sort of attack and defense space you’re in, so you can select the tool(s) that will provide the best protection for your business. If you overlap spaces, you’re going to need multiple tools. One of the biggest reasons I really like Sophos is because of their flexibility to play in overlapping spaces. They layer quite well with other security products, which is a great benefit for their customers.

Just remember: We live in a complex world. There are no magic bullets. Security requires thought.

“Ruthlessly eradicate legacy” is one of my mantras when it comes to infrastructure management. Older systems take a surprising amount of resources to maintain and use. Modern technology is easier to update, cheaper to operate and easier for people to use. It also has modern features that can drastically improve capabilities. With servers, this means killing all that no longer get updates (Windows 2000, for example). With cameras, it means time to say goodbye to my old friend and look at other options.

This is not a camera post, however, so I’ll cut short the decision process and say that I settled on a d800 or d800E. For my purposes, there are no differences, so I went out looking for a good deal. After all, Black Friday is coming and now is the time to look for electronics. This, however, is where the story gets interesting.

In doing my research, there were indications that while camera accessories go on sale periodically, the high-end camera bodies and lenses I like only drop in price when a successor comes out. This means I’m stuck at the high end unless I buy used. Moreover, in the Nikon world, warranty is a huge factor and is significantly reduced when you buy used, so it only makes sense to look at that option if you are going to save over 20% off the purchase price.

Which is why, when I found a d800E on Amazon, I got a little excited. In fact, I got a little too excited. I almost got scammed.

The list price on a new d800E is $3,299.99 (which is why my d300 got to be five years old before I considered a replacement), but this camera listed on Amazon.com was just $1,836.73. 56% off is clearly a better deal than 20% … but the deal is a little too good. In fact, it’s so good that a lot of people are going to leap on the deal, so I had to move fast.

Or did I?

See, the deal was too good. I got suspicious. Luckily, the seller had a note in their little logo icon that said to email with questions, so I did… not before I did a bit of research, though.

The company was Bissinger’s Inc., so I checked them out. They’re a St. Louis-based chocolate company. (Warning, if you click that link, your friends and family will be getting chocolate for Christmas, and your checking account is going to be a fair bit lighter.) At this point, I’m wondering why is a chocolate company selling a high-end camera? But since I want it to be real, I’m concocting ridiculous scenarios to make it seem legitimate. For example … “Maybe they bought the camera to take photos of their chocolates for the holiday season, but it was too complex for them?”

Anyway, there’s no harm in emailing them to find out, so this is what I send:

From: Josh
To: Bissingers

I am in the market for a D800E and see that you are selling one.

I have to ask before purchasing though, why a chocolatier would be selling a camera.

Is there something wrong with it?

I then cross my fingers, and go to bed with visions of massive megapixels dancing in my head. The next morning, I get this:

From: Bissingers
To: Josh

Hello,
the Nikon D800E 36.3 MP CMOS FX-Format Digital SLR Camera (Body Only) is in new condition ( it just had to be listed as ‘Used – Like New’ as the box has been opened), comes with all manufacturer supplied accessories, US model,1 year full warranty. It has not been used. The price is $1,836.73 including delivery.If you are wondering why the price is lower than the usual,it is because we have some promotional prices before holidays.Return policy is full money back in 30 days. If you want to buy send me your full name and delivery address to have your order placed with Amazon.
Many thanks

Heck of a deal, right? Except that, by this time, the camera has vanished off of Amazon. Still not wanting this to be a scam, I think that maybe they pulled it because they’re going to sell it to me. I send them the following:

From: Josh
To: Bissingers

I do want to buy. Is it still available? I see that it’s no longer listed on Amazon.

Here is the information you requested:
[My address here]

After all, if it’s a scam, all they have is my email address and name (which they had before) and my street address, which as a home owner is a matter of public record. When it comes to payment, it’ll go through Amazon, which links to my credit card. If it’s fraud, all I have to do is call my card company and dispute the charges. Right?

They reply with:

From: Bissingers
To: Josh

Ok,
Your order will be processed by Amazon
Thank you and let me know when you will receive the confirmation from them.

And I respond:

From: Josh
To: Bissingers

Do you need my amazon ID?

I’m curious as to how the payment will get to you.

I’m also curious as to when it will arrive.

Well, several hours go by and I hear nothing. I’m growing concerned. After all, I’m in Minnesota and they’re in St. Louis. They normally sell chocolate for around $50 a box. You’d think an $1,800 sale would be a big deal to them, right? I email them again:

From: Josh
To: Bissingers

I haven’t heard anything from Amazon yet?

Is there something that I need to do?

No response… and enough concerns have piled up I am suspecting a scam. They never directly addressed my concerns about a chocolate company selling the camera. They implied that they sell other electronics, but they are clearly a chocolate company. And they’re using Amazon in a way I’ve never seen it being used. I suspect it may be a grey market or possibly even a stolen camera. I’m wondering how anti-fraud protections work if you buy a stolen item, and I decide to just call them and get to the bottom of things.

Stepping outside of the Amazon.com system, I find their website and their contact page. I call the corporate office and tell them my story and find out their Amazon account had been hacked and it was a scam. This was deeply disappointing as I had, by that time, hoped I’d be able to get my camera and order chocolates for my family. Alas, such was not to be.

However, it did puzzle me how the scam worked. After all, I hadn’t given them any useful data. How would they get my money? Were they just incompetent criminals? This was well outside the realm of photography and I now had a professional interest. Time, of course, was the determining factor.

Later that night, the following email arrived:

From: Bissingers
To: Josh

Hi again,
I was informed by Amazon that they send you all the payment and delivery informations. Search your inbox carefully and also check your bulk/spam/junk folder because it might have arrived there. Please let me know asap.

Thank you!

Ah hah. The payment was not, in fact, to come through Amazon, but would have an alternative system. For an attacker, this makes sense. After all, if they tried to accept payment from Amazon, Amazon can take it back when they are informed of fraud. I dutifully checked my spam folder and there were my instructions.

As you can see, it looks like a regular Amazon email, except that the payment section is a bit different. There are several interesting things to note here.

First, they prefer payment via bank transfer. This is common, particularly with overseas attacks, as once money leaves the American banking system, it can be notoriously difficult to get back. This should be a critical warning for most people, as it’s very different from the usual method of purchasing through Amazon. However, there is a grey market for electronic gear, and a lot of items come from overseas where warranties are different. So, it’s possible that a small percentage of people interested in high-end cameras would continue with the transaction.

Second, while most of the links are legitimate and match that of the Amazon.com template, three are different. The “Confirm Payment” link goes to pay-messages@live.com. The “Clicking here” and “Click here” links at the bottom go to marketplace-order@live.com. They sound good, but a legitimate Amazon email would have all Amazon links. After all, if you bypass the Amazon system to sell your wares, Amazon makes no money. They work very hard to control the transaction.

Third, there was a bit of header analysis. If you like header wonkery, check the bottom of this post, but the three big things to notice are (1) the email came from private address space (10.x.x.x) and was sent through Google and (2) , the source address was “payment.amazonservices@gmail.com”, but appeared to be from “aw-confirm@payments-amazonmarketplace.com”. This is interesting because the email passed the SPF check and had all the expected anti-spam features. If I had not been hosting my email with Google, this likely would have been enough to bypass my filters.  Finally, (3) all emails actually used for communication come from free email hosts.  In this case, Microsoft and Google. If anyone can create an account there, I could be talking to anybody.

So, at this point, I decided to just wait and see what their next move was. I didn’t have to wait long:

From: Bissingers
To: Josh

Hello
It seems that one of my employees punt in the same package with yours 2 phones instead of 1.
Now you can’t receive the package until you will not send Amazon the same amount.
After you will do that,you will receive the package,but you have to send back the ohone and you will receive the money back for the second one.
Plus i will send you 50 USD as appologies for this inconvenience.
Contact us urgently.

Then, in less than a day:

From: Bissingers
To: Josh

Hello
I have already dispatched the package,but the package is on hold until you will make and send the payment informations to Amazon.
After that i will provide you also the tracking number.
Can you please tell me when are you able to make the payment?
waiting for your email asap.

This is where the attack starts matching the normal scam indicators.

They have so many victims that they can’t track them very well, and confuse my camera purchase with a phone purchase. There are the misspellings that we’ve come to expect from things like this. And finally, we get the social attacks.

Most scams use a hook to cause a reaction. The idea being that if you are reacting, they get to control you. If you take the time to stop and think things through, you take control back and can usually spot the scam. Common hooks involve Urgency, Uncertainty, Sex, Fear or Anger. In this case, it’s all about Urgency, Uncertainty and Fear. By setting the price so low, they drive urgency high, as you’re afraid that you might miss the deal. They then compound this by telling me there was an error in the shipment, trying to make me believe they are incompetent and if I act quickly, I can take advantage of their error.

The second email hypes the urgency, trying to get me to pay quickly. I did not reply, but if I had, the next step in a scam like this is to sweeten the deal if I were to act immediately, often by pretending to ship my non-existent camera with a bonus item (like a cell phone) overnight if I give them payment information immediately.

Of course, if I ever did give them my payment information, they’d empty my checking account and, if they’re with a larger attacker group, start using my account to traffic stolen funds.

This is a very long blog post, and I thank you for making it this far. Why did I go into so much detail? Because this Friday is Black Friday and quickly followed by Cyber Monday. Yes, this is the time we get great deals on electronic items, but it is also the time there is a massive uptick in scams. Basically, we’ve primed ourselves to be at risk for “too good to be true” offers, as some legitimate offers seem too good to be true, but are actually real. So, we can no longer rely on the old adage of “if it seems too good to be true, it probably is.” Instead, ask yourself the following questions as you review your deals:

• Is the price low enough you should be suspicious?  Are you dealing with someone using only public email accounts?  If either is true:
  • Do you feel like you have to act immediately? (Urgency)
  • Are the terms of the deal unclear in any way? (Uncertainty)
  • Are you afraid that if you don’t take the deal, something bad will happen? (Fear)
  • Are you paying in a way that you can easily dispute the charges?

If there is any concern, get someone on the phone. It’s a lot harder to come up with lies on the fly and you can often trip them up. If the deal starts to seem like a bad one, just stop. Don’t let them apologize or guilt you into anything. It’s worth paying a little bit more to know it’s not a scam.

————————————–
If you are interested in a deeper technical dive, here are the headers for the payment email. Enjoy.

Headers:

Delivered-To: REDACTED_EMAIL
Received: by 10.112.148.37 with SMTP id tp5csp212198lbb; Mon, 5 Nov 2012 14:28:26 -0800 (PST)
Received: by 10.50.12.138 with SMTP id y10mr10891413igb.58.1352154505313; Mon, 05 Nov 2012 14:28:25 -0800 (PST)
Return-Path: Received: from mail-ie0-f174.google.com (mail-ie0-f174.google.com [209.85.223.174])
by mx.google.com with ESMTPS id s10si19571463ice.88.2012.11.05.14.28.24
(version=TLSv1/SSLv3 cipher=OTHER);
Mon, 05 Nov 2012 14:28:25 -0800 (PST)
Received-SPF: pass (google.com: domain of payment.amazonservices@gmail.com designates 209.85.223.174 as permitted sender) client-ip=209.85.223.174;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of payment.amazonservices@gmail.com designates 209.85.223.174 as permitted sender) smtp.mail=payment.amazonservices@gmail.com; dkim=pass header.i=@gmail.com
Received: by mail-ie0-f174.google.com with SMTP id k13so10488482iea.33 for ; Mon, 05 Nov 2012 14:28:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:reply-to:sender:date:x-google-sender-auth:message-id
:subject:from:to:content-type;
bh=fEPMh0cdMOCy5Y1jBJj89FeNhCT6gsIQNKLFVfwBwyg=;
b=yItLaxIqhbh/AtFV1N/SvEacdDMoUtu/4Br8HGVW+dnPWzdnAx7DQK4ylTUvG9Rinc
ld827lC/tOxhXqRyJS2h+gyGmMn2KdtN4oHXhiRmVHJanpsVX/yRwzgvX8rZdAwXfEEZ
VRZN7Lw6xzjMF9TkRdWfi1LYDG5dXIfCtX8A1TuPwD6oM2ujK8k+OMxafCxlBLJEteQW
GqLVj0w733ig6pEO4C8QsjVzWJhKhVv+zMHzhTYPP58qdLtgbnZo2ddbSx/rwroIoRV/
6ETHAgL8liNzDI02lbM6Vx5RfJqDMR2rttQKq2Vqj4MFdc5UJI7mWWfwr54l1ZiOIjwR
z5pQ==
MIME-Version: 1.0
Received: by 10.42.163.5 with SMTP id a5mr3969473icy.37.1352154504571; Mon, 05 Nov 2012 14:28:24 -0800 (PST)
Reply-To: aw-confirm@payments-amazonmarketplace.com
Sender: payment.amazonservices@gmail.com
Received: by 10.64.82.201 with HTTP; Mon, 5 Nov 2012 14:28:24 -0800 (PST)
Date: Mon, 5 Nov 2012 17:28:24 -0500
X-Google-Sender-Auth: ZZYTCDwnOP6-ORmSRVSdM-vs2d0
Message-ID:
Subject: Your Order with Amazon.com
From: Amazon Services
To: REDACTED_EMAIL
Content-Type: multipart/alternative; boundary=90e6ba6e843ced2bd504cdc70061

However, unlike the mainstream news media, I am also deeply concerned about the fate of others in the wake of this decision … specifically due to the lack of Hostess Fruit Pies!

See, I remember when The Flash used them to save the city from the Bureauc-Rat. They were an essential tool for Captain America in preventing alien invasion. Aquaman used them to stop a shark invasion. Iron Man’s technology alone wasn’t enough to foil a bank robbery. And Spider-man used them to prevent the destruction of homes. In fact, there have been over 200 times that Hostess has helped save people.

Without this powerful tool, how will we ever survive?

Fortunately, most of our super heroes have contingency plans. DC heroes team up to become the Justice League to solve big problems. Marvel heroes team up to form the Avengers, first fighting among each other and then solving problems. Even the independents work up a good crossover now and then when they have to.

The question is, do you?

In IT in general and in Security in particular, we are highly dependent on a complex web of relationships and dependencies. This can be as simple as needing Microsoft to release their patches so we can protect ourselves. (Which you should do, as this month’s fixed some important issues.) Or it can be as complex as having systems dependent on Dell’s management appliances which are dependent on third party technologies.

Do you know which technologies you are dependent upon? How would you react to their sudden unavailability or to a problem in their supply chain? Do you have a contingency plan or will you have to figure things out in the moment?

Sadly, most people I talk to are in the latter category.

When you choose your vendors, it’s not enough to know if they can do the job today. You also have to know if they’ll be there for you tomorrow and to have a plan in case they’re not. All too often, I see companies who waste far too much time assessing vendors based on the “ideal” technology and no time at all looking at how it integrates into operations and loosely-coupling their technology to other systems.

I’m constantly visiting companies with networks that employ expensive technologies that don’t meet my clients’ needs, while cheaper and better  technologies remain unused. This isn’t just annoying, this is potentially catastrophic to the business. For a case study, look at Hostess. Specifically, look at the strike document. In 2009, technology was not refreshed, which helped to put them into the position they’re in today. Granted, they had other problems. However, whether we’re talking flow-improvement like Document Management or monitoring and control like Anti-malware or UTMs or DLP, technology serves as a multiplier.

If you choose the wrong technology, it will multiply your problems. If you don’t choose the right technology, the firms that do will multiply their profit and leave you in the dust.

When most people hear that we do assessments, they think vulnerability scans and penetration tests. And yes, we do those. However, most of our clients find a lot more value in our vendor assessments, disaster recovery assessments and strategy assessments. These focus on security AND the business. After all, security means nothing without a business to protect.

If Hostess had learned that lesson in their first restructuring attempt, perhaps they’d have lasted longer and a contingency plan of liquidating the entire company would have stayed … a contingency plan. As for me, I’m going to take a long lunch and stock up on fruit pies. After all, you never know when Spider-man might come-a-calling.

And if you haven’t downloaded our very own RJS Smart Security comic book yet, click here!

On Tuesday, November 6th, the United States of America held a vote, the results of which upset a few people. Many of these people chose to express their feelings online, and were documented doing so. Because many of the individuals involved took no efforts to hide their identities, some of them were traced. Then, in a move that surprises me, Jezebel’s reporters started contacting schools to find out if the schools were aware of the situation and how they were dealing with it.

In most cases, the schools cited policies of not releasing information about minors… which I can’t fault. However, the hidden gem was Dr. Rick Brooks of Jackson Christian School, who said:

Addison’s words clearly do not reflect the values that we espouse and teach at Jackson Christian School, and are not representative of our broader school community. As such, we have visited with him about his actions and his attitude, and have disciplined him accordingly. As is our school policy, we will not share information about specific discipline cases.

Though we find Addison’s action and words deplorable, we hope that our continued encouragement and teaching will help him further avoid the mistakes of youth, and will help him to mature as a young man. I hope that you will be able to look beyond what he has done, and toward the man that he can and will become from this unfortunate learning experience.

And that, I think, is worth discussion.

People make mistakes. People grow and change. As adults, one of our social tasks is to help the young turn into people we can later respect. As employers and employees, we like to think we’re here to make money, but if that were the case, the world would be nothing but multi-level marketing. No, we need more. For many of us, we need to help others and tell stories. We love stories. In fact, the more business owners I work with, the more I find who are in business to help others … be it their customers or the employees.

Hate speech is one form of story-telling. Reporting is another.

But wait, isn’t this a security blog?

If we want to make money, we have to tell a story that’s good enough to get people to let us help them. If what we care about is helping others, we have to know when they need to be helped. If what we care about is stories, we have to know which stories are being told. Fundamentally, we have to know what’s going on.

It seems reasonable that most of these schools learned about what their students were saying after the first article was published. Basically, they learned the story that others were telling about them. They did not get to influence the narrative and were stuck in a reactive mode. Some did better than others, but if they had been listening to what others were saying, odds are the speech would have been addressed before the election.

And that is where DLP comes in. It’s marketed as Data Loss Prevention, but that’s not what it is. DLP is a story tool. It helps you identify what sorts of information exists on your network and lets you know when it leaves. It’s traditionally used for boring stuff like keeping social security and credit card numbers off the internet (sarcasm). However, like most security technologies, it can be used creatively. In this case, monitoring for a few keywords would have let the schools know quickly what students were saying (at least from the school networks). When running in non-blocking mode, it can collect data, so you can easily identify people that need improvement.

Similar internet-facing technologies can scan specific websites on a periodic basis to report the stories being told about you. This can help you identify the narratives and take corrective action for People, Processes and Technology before the story spins out of control and you’re stuck with no option but reaction.

Security technology is all too often viewed as “blocking” or prescriptive. When used properly, security technology enables the business. It helps you learn more and learn faster. This gives you control of your business, so you don’t have to keep finding your way in a world of constant attacks and errors.

Whenever a major media event happens (like Hurricane Sandy), we are inundated with news. Sometimes that news is useful, but often it merely exists to create FUD… Fear, Uncertainty and Doubt. While I have not personally seen any malware campaigns capitalizing on the event yet, it is inevitable. The pattern is generally as follows:

1. Event hits the news as media outlets try to one-up eachother to get the word out.
2. People spread the warnings, making them just a little bit worse each time they are copied.
3. Other people create hoaxes to ride the wave of popularity.
4. Still other people create custom hoaxes to exploit the disaster financially.

A few minutes ago, at least in my little corner of the internet, we hit stage 3 when this image was posted:

( From here. )

Now, as someone who plays with photography, I was a bit suspicious, but as a security person, I can actually prove some things here.

The first tool I want to discuss is FotoForensics. Check out their analysis.

See how the statue of liberty and land on which she stands is much brighter than the background? That indicates that that image has been pasted on top of the other, so we know it’s fake.

Sometimes, though, this trick doesn’t work. If someone is making a good hoax, they can change the error levels to prevent easy detection. That’s where our next tool comes in. TinEye is awesome.

Look what happens when I do a reverse image search on the suspicious file here. (TinEye results expire after 72 hours, so if you’re slow to read this, just past the URL of the photo into their search box.)

TinEye, by default, is going to try to find the best match. But that’s not what we want. We want the original. Luckily, when people make hoaxes, they usually shrink the image to make it harder to find the signatures of a hoax. So we just click to sort by size and there we have what it likely the original:

ETA: Original can be found in this set by Mike Hollingshead.

Then it lists a bunch of sites that have stolen this image to use without credit. (That’s a different post.) You can then click on the “Compare” link for the likely original and see what they did. By flipping between the versions, you can see that they added the Statue of Liberty, the water and the boat. They also shrunk the image and made it darker… because darker is scarier, apparently.

The important thing to realize here is that the attacker is trying to manipulate you. By spreading fear, they are making you more susceptible to future attacks. By taking advantage of your uncertainty and doubt, they put you in a position where you will do unwise things to gain an element of certainty in your life. Does this matter that much in an image hoax? Probably not. But it does matter when you start getting fraudulent emails convincing you to “click here” to help victims of the hurricane.

Uncertainty and doubt can work against you, but it can also work for you. When the attacks come … likely in a few hours, approach them with suspicion. If you’re in the path of the storm, trust the names you recognize, like Google and The National Weather Service. If you’re not in the path of the storm and want to send aid, go with The Red Cross. If anyone else you don’t know asks for your money or your clicks, ask yourself what they have to gain.

Despite the magnitude of these web-based attacks, I don’t think the public necessarily understands how devastating cyber warfare could become. With nearly all business featuring some sort of online component and so much of our day-to-day activities utilizing web-based technology, a cyber terrorist could effectively cripple everything from bank accounts, telecommunications, medical facilities, utilities, transportation … you name it. Perhaps this is why U.S. Secretary of Defense, Leon Panetta offered a rather dire warning last week:

“The collective result of these kind of attacks could be a cyber Pearl Harbor,” warned Panetta. “An attack that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nations and create a new profound sense of vulnerability.”

I bet that quote got your attention! The reality of such an immense attack can certainly be debated, but the question of whether the United States is ready and able to protect its interests is certainly a topic that should be at the forefront of any discussion regarding terrorism and world war.

Heather Roff, a Research Fellow with the Eisenhower Center for Space and Defense Studies at the United States Air Force Academy, penned a great post this week for the Huffington Post that discusses the conclusions we can draw from Panetta’s speech and how prepared the United States is to defend it cyber borders.

The fundamental difference is that we’ve fully embraced the fact that the idea of 100% security is a trap. You can never be completely secure, so why base a security project around the idea that you can be? Instead, we focus on achieving a measurable improvement over “today.” Different businesses have vastly different security needs, so once you shift the goal away from “find and fix all the problems” to “strike a balance between defense and response,” myriad solutions become available.

Having a large number of solutions is great, as we can select the one that fits your company’s unique situation the best. But remember, it’s not perfect and will need constant attention to avoid “analysis paralysis” and to stay current with new security trends. To combat this, we look at the second key difference: time-bound tasks, or as we call them, security sprints.

With anything you do, there is one resource that completely vanishes — time. Other consulting approaches focus on minimizing either money or an amorphous concept of risk. The catch with those is to clearly pre-identify “risk reduced” or “money saved,” time is required. Since time is billed, it can cost a significant amount of money to identify how much money you’re saving!

Want to know how much more secure a project will make you? Pick a small project that can be done in a week or two, do the project, then measure. There’s no guess-work, no scope-creep and most importantly, no spending more money than required to improve your defenses.

This process affords another advantage we did not anticipate. In many cases, security fails because the people put it in place to manage it are often not those responsible for maintaining it. Since security tends to weaken over time as attackers constantly improve, it is imperative that people explore alerts, identify what they mean to the business and take appropriate action. When the people who must manage the systems are not involved with the initial configuration, they tend to lose a lot of time tracking false alerts or worse, missing legitimate issues.

Since our consulting process is time-bound and focused on helping improve security after we leave, we work on a lot of small projects. These projects are designed so that, when done, they can be absorbed into the business’s existing operations. We then come back for iterative tuning engagements and, over time, help maximize the business’s use of technology. This avoids the common problem of security being “someone else’s” issue, while minimizing the disruption that new technologies can cause.

In the end, after a year’s experimentation, we’ve found that a cyclical short-project consulting model has given our clients a level of security far greater than the traditional defense-only approach. While this didn’t surprise us (after all, that’s why we did it), we were surprised to find that these engagements generally came in 25% to 50% lower in cost than the traditional model. We’ve done security assessments, implementations and strategy planning sessions and, in every case, have achieved better security at a lower cost.

Please contact us if you’d like to learn more about our sprint model and how it can help you achieve a better state of security at a fraction of the price.

And why is Java so problematic you ask? Graham Cluley states the following:

“In fact, it has become increasingly common to see malware authors exploiting vulnerabilities in Java – as it is so commonly installed, and has been frequently found to be lacking when it comes to security.

Cybercriminals also love Java because it is multi-platform – capable of running on computers regardless of whether they are running Windows, Mac OS X or Linux. As a result it’s not unusual for us to see malicious hackers use Java as an integral part of their attack before serving up an OS-specific payload.”

For easy reference, here’s how to disable Java on the most popular web browsers.

• How to disable Java in Internet Explorer
• How to disable Java in Firefox
• How to disable Java in Chrome
• How to disable Java in Safari
• How to disable Java in Opera

Follow the principles and strategy detailed in our very own “Lean Security 101″ comic book and you can build your own lean security model within your organization!

Follow this link to download Lean Security 101: The Comic Book.

And don’t forget … you can get a lean security review for free, just by requesting one here.

What would you do if law enforcement came to your place of work and demanded all of your computers as part of an investigation?

What would you do if a tornado hit your building and spread all of your computers across a mile-wide radius?

If you are like most organizations, you don’t have a plan for everything. You can think of security (in an over-simplified way) of having three areas of control: Detective, Preventative and Reactive. We tend to start with Detective. When antivirus was new, it just alerted you when you had a problem. As the technology improved, it became preventative and would stop bad applications from running. Most security technology, in fact, has followed this pattern. Intrusion Detection moved to Intrusion Prevention. Patch Detection moved to Patch Management. Log Analysis moved to full-fledged SEIM systems.

However, this progression ignores a very powerful tool. As an example, here’s a video:

What would you do if you woke up one morning to find a moose in your swingset? Odds are you’d either deal with it yourself or call someone to deal with it for you. Response is key. When things happen, whether it involves an attacker taking over a system, an external agency taking your stuff or a natural disaster, reacting to the situation is important. You can either do it in an ad hoc way, or try to plan everything out.

In general, organizations that trust their people, just let their people do what they need to do. Organizations that do not trust their people, invest in planning and procedures. What’s interesting is that both methods work… though not always particularly well. Sometimes people hide behind policy and avoid doing the right thing. Sometimes, people hide behind uncertainty and avoid doing the right thing.

The problem here is that “right” and “wrong” are not always clear cut. Consider recent occurrences involving United Airlines, Penn State and FedEx. A reasonable response to events like these would be “we can’t trust our people,” and to address the issue by creating policies.

But, for an even more horrifying view of the world, check out this Google News search on “followed policy.” A wider search on this shows that people who follow policy result in death, brain death and murder suspects being released.

So it would seem that this is a “damned if you do, damned if you don’t” situation, right?

It turns out to err is human… but human error can happen whether or not we are constrained by policy. Using policy to prevent bad things from happening requires not only that you have people who will always follow the policy, but also that you have policies that are 100% correct and written by people who can see the future. Perhaps a better approach would be to use policies as guides that people can refer to when they’re confused. Then, build a culture around the fact it’s okay to make mistakes so long as you’re willing to apologize, attempt to fix things and learn from your error.

Not everything can be avoided. Sometimes you just have to deal.

More on the moose is here.

Researcher Wows Black Hat with NFC-based Smartphone Hacking Demo (CIO)

Accuvant Labs researcher Charlie Miller has figured out how to break into the Google/Samsung Nexus S and the Nokia 9 smartphones by using Near Field Communication (NFC).

I can read all the files, said Miller about how he managed to break into the Nokia 9 when his home-made NFC-based device is in very close proximity to the targeted smartphone. I can make phone calls, too. Vulnerabilities he identified in the Android-powered Nexus S were located in the browser surface, he said.

The truth behind those Nigerian 419 scammers (TechRepublic)

419 Advanced Fee Fraud (also known as the Nigerian 419 scam) is still being used quite frequently to steal money from gullible victims via fraudulent emails. But are these emails really coming from Nigeria, or are they perpetrated by attackers from other countries?

Researchers from the University of Ibadan found the following IP locations within 400 scam emails tested:

The Wisconsin Department of Revenue: A Bargain for the Identity Theft Collective (The Huffington Post)

Adam Levin of Credit.com wrote an interesting story documenting Wisconsin’s complete inability to secure public information.

Last week, the Wisconsin Department of Revenue revealed that it had accidentally made public 110,795 Social Security numbers and tax ID numbers of Wisconsin residents. The numbers were mistakenly embedded in a real estate report and posted to the department’s website for almost three months before being removed.

This is the fourth time since 2006 that Wisconsin state agencies have been involved in the public release of Social Security numbers.

Mikko Hypponen of F-Secure reports that he received several emails over the weekend from one of the scientists who claims to be working on Iran’s nuclear program. The scientist claims a new cyber attack has halted their enrichment activities and is supposedly playing AC/DC’s “Thunderstruck” over the speakers of the infected PCs at max volume.

Apparently this particular attack is another SCADA-based controller exploit that has forced the Iranians to shut down their centrifuges yet again while rocking some music to openly mock them.

The United States has a long history of using music in psychological operations. Some of my happiest memories of serving Uncle Sam were playing music on restricted radio frequencies and taking requests from the enemy combatants for their song choices. “You know we’re looking for you and when we find you, well, you know.  But before that happens, I’d love to hear some more Ozzy.”

But do accidents like this prove that shoes are a must or is just the opposite? If people everywhere can get foot injuries with or without shoes, doesn’t that suggest that shoes really aren’t all that important?

One of the best examples ever of the limitations of shoes is Abebe Bikila, who won the 1960 Summer Olympics marathon without any shoes at all.

Fundamentally, what society is saying when demanding that people wear shoes is “it’s not our fault” if people take risks – like not wearing shoes – and get injured. But this is false. An individual has no control over where they put their feet and they don’t have the ability to recognize hazards like broken glass, nails or poisonous vipers. After all, is the average person really a match for a vicious snake? Blaming poisonings on a lack of shoes is misguided – particularly given the stabby nature of snake fangs.

I’ll admit, it’s hard to find statistical evidence that supports this point of view. Not surprisingly, shoe manufacturers don’t share data on how protective their products truly are …

That’s probably enough of that nonsense.

In case you didn’t know, this post is in response to Dave Aitel’s recent article at CSO. While I am hardly one to defend the status quo, there are two logical fallacies at play here. The first is binary thinking … effectively saying “if a defense isn’t 100% effective, it’s not worth doing.” The second is the flaw of hand-picking anecdotes to support your premise.

This is regrettable because the bulleted advice on page two of Aitel’s article is good, if somewhat standard. It’s just that instead of following this advice rather than “wasting time on employee training,” it should be done in addition to employee training.

To drastically over-simplify, security involves identifying what you need to protect and then protecting it. In a global security market (which we’ve matured into), you have a second rule … identify what you want and attack until you get it. These two rules play against one another, with both the attackers and defenders constantly increasing their capabilities until a defender somewhere gets compromised or an attacker gets sloppy, caught and removed from the game.

Then, you repeat the cycle ad infinitum.

In a world that operates this way, the weakest entity is going to be the first out, on either side. And, since security is multidimensional, it will be the first entity with weak enough security along any dimension … technology, process or people. By removing your focus entirely from awareness training to focus on technology and process, you defend only part of your organization. By focusing strictly on network-based defenses, you open a massive hole for non-network attacks.

As soon as it becomes easiest for an attacker to bribe an internal employee to sell them data, they will. As soon as it becomes easiest for them to bluff their way through a job interview to steal data, they will. As soon as it becomes easiest to put on a uniform to steal equipment, they will.

The attacker’s game is “whatever works,” and if we only focus on what is easiest for us to do, we open up doors for attacks.

So … stop spending money on awareness if you want … but only do so if you have taken a good view of your entire organization and have identified areas where those resources are better spent. Be aware, though, that just as we lack solid statistics on how bad awareness is as a defensive layer, we also lack solid statistics on how good it is. For every story I can tell on how I’ve found a person not doing what they should in an organization, I have one that talks about how good they are.

If you need contrarian advice, avoid those that are expressed as binaries. Consider the following:

• Does password rotation cause more trouble than it’s worth? If users are selecting bad passwords because they have to change them often, maybe it’s time to stop doing that.

• If you have security alerts that are being ignored by your people, your systems probably aren’t being maintained properly. As soon as you stop maintaining your systems, they shift from being assets to liabilities. Thinking about fixing them … or getting rid of them.

• Are your people overly constrained? If you have customer service employees following scripts, you’ve basically turned them into technology. Turns out that we have technology in the first place because people are bad at that sort of thing. Ponder that.

• Is a data breach all that bad? In some industries, sure … but if it were universal, it seems as though there’d be a lot more companies going out of business. Think about what a breach would really mean and how you’d handle it. Odds are, you’re far weaker in response capabilities than you are on defense. Instead of shifting defense dollars from people to technology, maybe you need to invest somewhere else entirely.

Basically, the core lesson here is “think before you spend.” Don’t blindly follow the advice of anyone (including me). Assess your environment, consider your goals and the events that could prevent you from achieving them. Then, and only then, look at how you choose to use your resources.

We see the stories in the news each and everyday.

Malware hit Android. Malware took advantage of known flaws in Windows. Source code was released for a new family of malware. The thing is … none of this is really news.

I’ll make it simple for you. You can ignore all the rest of the malware stories that come out this year if you remember the following points:

• Attackers get better day-by-day. After all, if they didn’t, they’d lose.
• As defenders, you must also get better day by day. If you don’t, you’ll lose.
• Since we can’t control what the attackers do, the best you can do is play to not lose. This means:

1) Harden your systems (patch them, check users/passwords, remove uneeded software).
2) If you can’t harden your systems, get rid of them.
3) If you can’t harden your systems or get rid of them, implement compensating controls and understand where the gaps leave you exposed.
4) If you can’t do any of these three, get help. Sorry to toot my own horn here, but this is what we specialize in. You don’t need to be perfect, you just have to be getting better a bit faster than the attackers do.
5) If you can’t get help, give up. Just post your banking credentials, customer list and passwords on your website. The attackers are going to get them anyway. If you’re not going to protect yourself, just give up and enjoy the ride down as best you can.

Did interesting things happen last week? Of course they did. For example, I got to pet two otter cubs, take photos of venomous reptiles without protective glass and hold a grey fox in my lap. However on the security front, we’ve got a few updates here and there, and that’s about it. Sure, there’s news that various attackers have gotten incrementally better at this or that, but that’s not really news. That’s just what they do. Of course, since that’s what they do, it really should be what you do as well. However, that’s well off topic for this post.

Microsoft

We finally have an update to the MSXML problem. That is unless you run version 5.0, but who’d do a silly thing like that? The problem affecting Visual Basic DLLs is also addressed. Both of these issues are being actively exploited, so you should apply those patches immediately.

The patches also include critical issues on servers and workstations that involve Internet Explorer, TLS encryption flaws and file and directory name handling. Luckily, it doesn’t look like any of these patches are likely to cause problems, so you should probably just apply them.

Unless of course you’re running MSXML 5.0 … then you should probably replace with version 6.0.

More on these issues can be found at the SANS ISC Blog

Bonus Time

We gained an extra second last week. How did you spend yours?

If you were like some of our software/service vendors out there, you spent it crashing. This shows, yet again, that time is hard to deal with. There’s not much you can do about that, other than be aware that time isn’t as linear as we’d like, and things like leap seconds, leap years, time zone changes and such can wreak havoc on our systems.

Your best protection is to understand your extended business network better. Use a time management system internally and set it to alert you if systems start to drift. Map out how your service vendors affect your business so you can easily identify when being down is on their side as opposed to yours (I test off my cell phone, so all traffic follows an isolated path).

Basically, the more you understand how information flows through your business, the better you can identify what causes that flow to fail.

Android

Turns out Android has malware. This is probably news if your last phone was a Motorola DynaTAC. So, for those of you just now catching up, here’s the deal: phones are computers now. If you don’t treat your phone like a computer, bad things are going to happen. Use encryption, strong passwords, anti-malware and don’t go installing stupid stuff on it.

In fact, phones are bad computers! Much of the malware that runs on phones comes from applications that are, shall we say, somewhat adult in nature. Perhaps it would be better if, instead of viewing such material on a screen smaller than a mouse, people use that mouse and view it on real computer running real protections.

If you do that, you can ignore all the “OMG! Android has Malwares!!!!11!!” articles that come out over the next year.

WordPress

There is a new WordPress update out. If you’re running WordPress, install it ASAP. You can get it here, or just update it from within your dashboard. However, a caveat first. WordPress, as a platform, is great. You can post things quickly and easily. I use it all the time, myself.

But … and it’s a big but … the risk to using WordPress grows with each plugin that you install. It grows with the number of people who have the ability to post. Many site compromises occur because people host multiple sites with a large hosting company and if any one of them gets compromised, the attackers can bounce to other sites and take those over as well. Thus, if you’re running WordPress, keep all sites up-to-date, make sure all users have decent passwords and use a plugin like Exploit Scanner to check that things are set up right.

If you need help reading the results of Exploit Scanner, we’d be glad to lend a hand. Really, it’s pretty easy to secure WordPress, so it’s not that expensive to get a bit of professional help.

For more information visit Naked Security.

PRESS RELEASE

Clayton, MO - July 2, 2012 - Global Velocity, Inc. and RJS Smart Security, a subsidiary of RJS Software Systems, have jointly announced a strategic alliance adding RJS Smart Security as a Value Added Reseller of the Global Velocity family of cybersecurity solutions.

“This alliance provides RJS Smart Security with a world class data loss prevention solution for our clients.” said Josh More, Senior Security Consultant. “Global Velocity provides next generation data leak prevention solutions that protect information including confidential data residing in the RJS Smart Security hosted WebDocs repository.”

“This alliance provides Global Velocity with a leading reseller of security solutions to companies in the Upper Midwest” said Greg Sullivan, CEO at Global Velocity.   “This is another example of how Global Velocity protects confidential information residing in the cloud.”

About RJS Smart Security

RJS Smart Security is based in Minneapolis, Minnesota and utilizes a “lean security” model to provide agile security consulting and assistance, as well as sale and implementation of industry-leading security products. After several years of successful growth as a part of RJS Software, RJS Smart Security branched off as its own business unit in December of 2011. RJS Smart Security is a subsidiary of RJS Software Systems, a leading developer of document management software.

About Global Velocity

Global Velocity develops and brings to market a broad range of innovative network based cybersecurity solutions designed to help organizations protect critical information and manage risk. The company’s patented and patent‐pending technologies have the potential to redefine the cybersecurity industry.  For more information, visit www.globalvelocity.com

Our Senior Security Engineer, Josh More, is a big fan of SANS’ Internet Storm Center and WiKIDBlog. The SANS Internet Storm Center is a collective of security professionals who provide “ a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.” The writers at WiKIDBlog tend to think outside of the box and often have some unique solutions to common security problems. They also champion two-factor authentication “without the hassle factor!”

Our blogroll also contains some of our partners, including Bit9, Barrier1, Smoothwall, Sourcefire, Sophos and Zix. Bit9, Sourcefire and Sophos update their blogs quite often and have very informative posts. And if you’re not reading Sophos’ Naked Security on a daily basis, you are really missing out. Graham Cluley and Chester Wisniewski do a phenomenal job of keeping tabs on virtually every major threat wreaking havoc in cyberspace. Their blog is oftentimes rather humorous, contains insightful videos and has won numerous awards. For your money’s worth, you won’t find a better security blog.

Our blogroll contains just a few of our favorites, but there’s room to grow. Do you have any recommendations for us?

1) After years of abuse, and rightfully so, Microsoft has now surpassed Apple in terms of protection. Since the Windows Vista introduction in 2007, their OS has employed ”address space layout randomisation (ASLR) which is implemented so as to obscure most of what an attacker needs to conduct, for example, shell code injection attacks.” Despite acquiring ASLR in 2007, Mac OS has yet to implement this same degree of protection.

2) Apple has seen fabulous growth in the personal computer market. In 2003, Apple had just 2.06% of the desktop computer market. Just five years later, that number was at 14% and has now diversified further with the advent of the hugely popular iPhone and iPad. Not surprisingly, Mac OS malware has grown in excess of 200% in the last three years!

Unfortunately, many companies are ignorant to this environmental shift and still assume their Macs are as secure as ever. Take for instance an advertising agency we recently consulted with. This agency employs over 50 individuals and boasts several Fortune 500 accounts. Like many ad firms, Macs are their computer of choice.

Recently, one of their biggest clients had a security breach that originated from the agency office. The agency and client shared a portal where they frequently transferred images, files and documents. Besieged by a nasty piece of malware, the portal was rendered unusable.

What the agency didn’t realize is their Mac computers were hosting Windows-based malware. While the malware had zero effect on their Mac computers, it ran amok on the client’s Microsoft desktops after it was unknowingly transferred through the portal. This issue is prevalent in many Mac environments. According to Sophos, “A 100,000 strong snapshot of the millions of Mac computers which have recently downloaded Sophos’s free Mac anti-virus software, revealed that 20% of Mac computers were carrying one or more instances of Windows malware.”

Needless to say, if the agency realized that their fleet of Mac computers weren’t secure and at the very least invested in Sophos’ free Mac anti-virus software, this entire scenario would have never happened. If you are a Mac user or your company runs a Mac-based operation, please do us all a favor and download the aforementioned free anti-virus software. And if you really want to make sure all your bases are covered, give us a buzz and we’ll set you up with a free security review as well.

Sophos Apple Resources:

Download Sophos’ free Mac anti-virus software.

1 in 5 Macs has malware on it. Does yours?

Are Macs safer than PCs?

In response, Microsoft has released an emergency fix. This is not a patch, but rather a tool that temporarily hardens a workstation against an XML attack. Microsoft does this to help limit attacks while it works with vendors in the Microsoft Active Protections Program (MAPP) to build more robust detection and prevention capabilities to protect unpatched systems. Then, when the patches do come out, the problem will be considered officially resolved. Patches should be out by July 10th, if not sooner.

So, what should you do?

First, if you are running Sophos, Sourcefire or Alert Logic technology, trust your vendor.  They are all in the MAPP and so will have decent protections soon.  If, however, you are using a vendor that is not in the program, you should apply the fix to all Windows workstations that use Internet Explorer to browse the web. The fix is available here.  Just scroll down and click on the button under “Apply.”  When the patches are available, deploy them as soon as possible.

For more details, please see Microsoft’s security advisory.