• It’s not their speciality. They make widgets. And they have the staff they need to make, deliver, develop and support those widgets. Other people can do non-widget related activities better than they can;
• They don’t need the overhead, time commitment and complexity that employing all these extra people demands. Yes, they could hire their own cleaner, but it’s a lot simpler to get on the phone and let a cleaning agency take care of that;
• It’s a lot more cost-effective that way. Our widget company could invest in a worldwide fleet of planes, vans and delivery-people but that would be ludicrously expensive when they can phone a courier company and have them delivered for a few pounds a day.

 
So three very good reasons for outsourcing: better service, simplicity and cost. These lines of reasoning can easily be applied to IT. Outsourced IT can be better, simpler and cheaper. Yay, let’s go for it, say those hotheads in accounting.
 
Where this sort of analogy starts to fall down, however is in the risk assessment. If the cleaner doesn’t turn up, then it’s no big deal. If they don’t turn up on a regular basis, you fire the agency and get a new one. There might be a few more biscuit crumbs and sandwich remnants for the new cleaner to deal with, but no harm done, by and large.
 
If your outsourced IT services turn out to be useless, on the other hand, then the consequences could be pretty brutal. Your information could be exposed; you could lose access at a crucial moment or they could manage to lose the lot. You don’t want that to happen, because it could make you bankrupt or put you in prison.
 
But people don’t like risk-assessment, of course. It’s boring. It puts paid to a lot of exciting new things. It reminds you of your mum when you were five.
 
I hate to say it, though, but your mum was probably right.

Like all the big, crunchy questions, the answer is a lot more complex than initially seems possible.
 
You could take some sort of statistical approach – what proportion of businesses deploy antivirus software to their desktops? – and come up with a big number that implies ‘yes, it does’. (Or maybe not).
 
You could interview the CTOs of a representative sample of large organisations and ask them for more in-depth examples and views. Again, it’s pretty likely that you’ll come up with a positive picture.
 
However, those results are misleading in some respects. And I think that’s because the question involves two big abstract terms. ‘Business’ is an idea, not a person, so it doesn’t care about anything much. Security doesn’t appear on the mission statement, I’d be willing to wager. Nor would it be appropriate for it to be there. Alongside things like Health and Safety, environmentalism and equality of opportunities, it’s the sort of thing we expect businesses to care about, but we know it’s not their primary function. And does ‘business’ mean the board, the IT department or every single member of the organisation?
 
Similarly, ‘security’ is extremely slippery as an idea: we’re talking about systems, software, attitudes, processes and policy.
 
So to break it down: does Jon in logistics make sure his internet browser is patched* to the currently advised levels? No, he couldn’t care less. He’s got a big shipment that needs to be in Paris tomorrow – so don’t start messing with his machine right now, thank-you very much. But he does care –a lot – that his system works and that he doesn’t get in trouble.
 
What we keep arguing for is an holistic approach to security. That doesn’t mean that we need to persuade Jon that his patch levels need to be up-to-date. That isn’t going to happen. Sorry.
 
What it does mean is that the security and IT department are able to manage his security for him – all the time. It’s pretty much impossible for Jon to screw-up or for his machine to get compromised because the policies are baked into the processes and the technology.
 
What are your views on this? Voice your opinions on the Register’s Security That Fits Workshop before it closes later this month.
 

from zappowbang's photostream under creative commons

Data breach laws are starting to become a serious concern for businesses of all shapes and sizes. It’s already five years since California passed data breach disclosure laws, requiring companies to notify customers of security lapses. Since then almost all other US states have joined it, many opting for penalties that could potentially land companies with a likely loss of reputation and crippling fines if customer data is lost or stolen.

Ireland published proposed measures on the subject two weeks ago. Frankly, it’s only a matter of time before the UK follows suit either through its own legislation or that of the EU.
 
Over on the Register, we’ve been running a series of articles about what constitutes an appropriate level of security, with the impending arrival of data breach laws adding some urgency to the discussion.
 
A common reaction is to demand the encryption of backup files. This appeals to companies not only because it makes it a lot less likely that any lost information can be used – you could even argue that encrypted data doesn’t even count as ‘information’ at all, following the line that information is data you can act upon. But also, it’s especially appealing to companies because encrypted data is exempt from the disclosure requirements in many forms of this legislation. So the potential loss of reputation and customer trust is hopefully avoided.
 
Encryption is trickier than it looks, though. First of all, what kind of encryption are you going to use? Software encryption takes time – and for larger organisations, it’s possible that the rate of data production – the proliferation of stuff you’re supposed to be backing up – could quickly exceed the rate at which data can be encrypted. Hardware encryption of backups often looks more attractive as a result, but being tied to a particular vendor with no rescue plan for when they go under is a recipe for spectacular disaster. There’s some interesting advice on this topic in this post from Securosis.
 
Backup hardware on its own is already proving hard to manage when it comes to finding data from more than a couple of years ago. Have you still got a tape streamer that will fit the open-reel tapes and cartridges from the early noughties? Still got a computer with a SCSI card to fit the streamer onto? Still got the cable to put the two together? I’m sure sysadmins will be delighted when they’re told to add encryption to the mix.
 
Now let’s throw in key management. Exactly how secure does your encryption need to be? And how secure will today’s tapes need to be in five years, a not uncommon legal retention requirement. Who will have access to encryption keys and how will they, in turn, be secured? Once again, this needs a systematic approach. There needs to be a plan and a backup plan for when it all goes wrong. Needless to say, there are products that can help with this – but as always, they can only do so much if the strategy for their implementation and management is weak.
 
Anyway, El Reg is conducting a poll to detect current attitudes towards encrypting data. We’ll be really interested to see the results, so make sure you add your own voice over there – and let me know what you think here in the comments box, too.

Image from rednuht's Flickr photostream under Creative Commons

“With a push of a button the botmaster instructs all the computers to buy or sell the same shares at the same time.“

 Â 
Of course the criminals behind the enterprise went on to profit from the sharp changes in stock price of the penny stocks that were being manipulated by buying and selling their own shares at exactly the right moments in classic pump-and-dump tactics.
 Â 
Hein Lannoy from the Belgian Banking, Finance and Insurance Commission (CBFA) is quoted as stating, “After the hack in July 2007 no further similar incidents occurred in the country“. He goes on to say “In April 2009 we sent a circular regarding an improvement in the security standards of our financial institutions. Belgian online banking services are now very heavily protected. We have no jurisdiction to impose our standards on foreign banks in our country.”
 Â 
However from conversations with a local journalist today it seems that many Belgian banks (in fact most banks globally) are still only offering classical two-factor authentication aimed at authenticating the user rather than the transaction. While this kind of technology would certainly thwart this bot in its current form it is not impossible to defeat. As I have previously blogged banking malware has already evolved to the stage where it can overcome multiple factor user authentication.
 Â 
With this in mind it is vital that any improvment in online banking security should verify individual transactions rather than simply authenticate the user. The authentication token itself must be capable of accepting direct input relating to the content or the value of the transaction. This can then be verified by both parties and cannot be modified by the malicious “man in the browser”.
 Â 
Belgian law enforcement are now working with their international counterparts to pursue the offenders.

Robot Face from Garrette's Flickr Photo Stream under creative commons

 Â 
Many of you will be familiar with the idea of Spam bots when it comes to real time chat, if not I detailed a Facebook related scam a while back that took advantage of this technique.
 Â Â 
Classical chat spam bots operate in four distinct modes, the research paper describes them as “Periodic bots” – they simply post spam messages at regular intervals; “Random bots” – posting messages at random intervals; “Responder bots” – automating replies to other user’s messages and “Replay bots” which as the name implies simply replay previously recorded conversations.
 Â Â 
The problem that scammers and criminals have to overcome with these technologies is the effectiveness of our natural suspicion and intuition. It turns out that, in the main, humans are particularly good at spotting when they are being spoken to by a computer. The researchers from Vienna have devised a way to overcome these natural defenses.
 Â Â 
The paper details an application they call Honeybot which acts as a man-in-the-middle between two human correspondents, intercepting, diverting and, crucially, modifying messages sent between them in order to direct the conversation and engineer the victims into clicking links. Links which have been inserted by the attackers. According to the paper:
 Â 

“The general attack principle works with any chat system that allows the exchange of private messages. It is based on the traditional man-in-the-middle concept. Every instance of the attack involves two human users and a bot in the middle. Both users believe that they are talking to the bot, but in reality, their messages are forwarded back and forth as shown in the following example:

• bot -> Alice: Hi!
• Alice -> bot: hello
• bot -> Carl: hello
• Carl -> bot: hi there, how are you?
• bot -> Alice: hi there, how are you?
• Alice -> bot: . . .

 

The bot looks perfectly human to both users because the entire conversation is reflected off the bot in the middle.“

 
 Not only are all communications proxied but the bot has the intelligence to be able to guess at the respective genders of the victims, use questions to take control of the direction of the conversation (usually to engineer a scenario where a link would normally be posted) or to simply replace links posted by one victim with pre-configured malicious links.
 Â Â 
In their testing, the researchers inserted three different kinds of link, a simple IP address, a TinyURL shortened link and a MySpace link into conversations on three different IRC channels and they recorded up to an impressive 76% click through. In a similar but more limited experiment using Facebook chat, the click through rate was still impressive at 40%.
 Â Â 
With those kinds of results, surely we can expect to see this kind of technology incorporated into cybercriminal campaigns in the very near future. Just like your mother always told you, don’t talk to strangers! In those situations where you really have to, then this is just one more reason to ensure that your security solution of choice is scanning for malicious URLs in real-time…

Image from Joe Shlabotnik's Flickr stream under creative commons

“We’re taking this step to preserve the integrity of Facebook Platform, ensuring that every application is associated with a valid and real Facebook account.”

There are a couple of glaring problems with this… Firstly, what guarantees are there that any Facebook account is “valid and real” in the first place? Secondly, proving access to a credit card or mobile phone is a whole different thing to proving ownership. So if criminals or scammers, who we must assume have ready access to disposable mobile numbers and/or stolen credit cards, attach some of these bogus credentials to an already bogus account where does that leave us?
 
Well, with the proposed “Confirmed Developer Accounts”; it leaves us with a fake “confirmed” profile which is once again free to post any application content they choose, and it leaves Facebook incident handlers continuning to play Whac-a-Mole with the scammers.
 
If Facebook really want to turn around the security situation when it comes to malicious or (being charitable) rogue content, then the only effective option open to them is an application approval process such as the ones already in place over on MySpace or on the Apple App Store.
 
The effort that Facebook incident handlers currently put in to tracking down and suspending the ever increasing volume of rogue apps would surely be better channeled into stopping them from appearing in the first place. This is something I first suggested back in February 2009 when two rogue apps in a week was considered shocking (how times change). At the time Mr Zuckerberg was very quick to dismiss my proposal, but with these first steps perhaps we can live in hope.

Photo from Julien Lozelli's photostream on Flicker - Creative Commons

“The mailbox was for the use of the Dragon TV’s internal employees only so it had simple passwords for easy communication.”

So, an internet-facing, shared mailbox containing highly confidential information with simple passwords? Normally at this point in a blog article I suppose I would begin to point out things that could have been done to limit the possibilities of such an event. It seems almost too incredible that the aforementioned combination of circumstances should even occur, but here you go…
 
If information is sensitive, do not allow access to it from the internet.
 
If information is sensitive do not store it in a shared mailbox, it is impossible to audit effectively
 
Never use simple passwords, for any reason, ever.
 
If you have a document worth almost half a million dollars… Encrypt it.

 
I explained that Trend Micro had previously declined to participate in some high-profile AV tests. We felt that these tests didn’t match the reality of how threats infiltrate organisations and arguably give a false sense of security.
 
Typically, what happens in these traditional tests is that a file repository is loaded up with a collection of different viruses, Trojans and other malware. The security software is then installed and updated, disconnected from the Internet and set to work trying to detect malware. The headline scores are then generated according to the percentage of those malicious files that are successfully identified.
 
Testers would argue, I suppose, that this creates a level playing field in which to compare different software solutions. I can understand that, but it really doesn’t reflect the threat environment in real organisations, or for consumers. The most common threat vector now is the Internet; the second most common is malware downloading other malware via the Internet. Infected web pages, PDFs, social networking sites and cloud-based services represent just some of the significant real or potential threats that aren’t replicated in the traditional lab-based test environment. Traditional tests focus on the file – can this security software correctly identify this file?
 
A more holistic approach is necessary. Malware and other threats arrive through various channels and to be honest, once they have arrived then some part of your security solution has already failed. And it’s not necessarily through people breaking the rules. An email arrives from your CEO asking you to check out a web site. I’d suggest that most people will click on that link. What a good security solution should be doing is asking a series of questions on your behalf, questions that aren’t just about viruses but your security as a whole:
 

• Is this email really from your CEO?
• Is the link it contains hosted in a bad neighbourhood or does it contain suspicious elements?
• Have we seen other examples of this same mail elsewhere recently?
• Is it trying to deliver files or prompting to change settings?
• Are those files bad?

 
The list can be almost endless, but traditional testing looks at what happens at the last line of defence. It asks one question: a bit like leaving your doors and windows open and unwatched but attaching a burglar alarm to the jewelry in your sock drawer. We believe that a security system should kick-in at the first link in this chain of events, not the last. No solution is 100% reliable at any level, but if you have multiple levels of control, each of which informs the others, then so much the better your chances of avoiding any compromise. Prevention is significantly better than a cure in such situations.
 
Going forward, a move to holistic protection networks and the centralisation of threat signatures is inevitable – new threats are detected every one-and-a-half seconds and as this trend continues, a solution based on signatures downloaded to client machines could neither keep pace, nor allow your machine to continue operating at the performance level you would expect while it’s attempting to do so.