Thursday, January 21, 2010

Another out-of-band IE patch, for IE6 through IE8. Office also at risk.

http://www.microsoft.com/technet/security/advisory/979352.mspx

The patch will be released around 10 am PST (1 pm EST). This may be the vector that was used against Google.

There does not appear to be a patch for Office in this bundle, although it may be vulnerable. Microsoft has suggestions for workarounds in their advisory in Suggested Actions -> Workarounds.

Tuesday, December 29, 2009

The Mecklenburg Times spotlights Calyptix Security in an article on the financial dangers of employee web-surfing

"Business owners keep tabs on employees online"

By Sam Boykin

CHARLOTTE — The Internet is a tempting distraction for many employees, so it’s no wonder a growing number of companies are concerned about employees wasting time and resources surfing online. A recent study by America Online and Salary.com found that workers waste an average of more than two hours each day, most of it surfing the Web.

Ben Yarbrough, CEO of Charlotte-based Calyptix Security, said his company has the perfect solution for business owners concerned about workers’ productivity.

While it’s doubtful that occasionally updating a Facebook profile will bankrupt a company, many believe such activity can have a serious financial impact. Awareness Technologies estimates the loss of productivity caused by Internet use costs American businesses $85 billion each year...

>> Go to the full article here: http://tiny.cc/calyptixinthenews

Thursday, November 5, 2009

Some discussion on SSL and its protocol flaw

A flaw in the SSL protocol was discovered several weeks ago. You haven't heard about it until now because the parties working on fixing it signed NDAs, which (for now at least) seems to have been a good idea.

SSL and TLS were designed to allow for computers to communicate with each other securely over insecure links, giving privacy and authentication even if the links are controlled by an enemy. Without going through the details, for all practical purposes, SSL and TLS are similar with minor differences, and I will use them interchangeably in this blog post.

If someone controls your link to the Internet -- or even just a significant portion of it -- they can redirect your supposed connection to http://paypal.com to their own server. But with SSL, the real paypal.com has secret information that it can use to prove that it is who it really says it is. When your browser was installed on your computer, it came with a set of "certificate authorities" that are used to prove that paypal.com has that secret information. A hostile https://paypal.com won't have that same information.

(All that is great in theory but has had problems in practice. The certificate authorities that your browser trusts have sometimes approved certificates that they should not have. And the end user too often ignores warnings when the secret information does not match. Those are serious issues but not the problem this time.)

Within a TLS connection, there are one or more TLS sessions. The client can switch among these sessions, each of which has its own security.

This new vulnerability appears related to the renegotiation phase of TLS, which allows for changing the state of the encryption tunnel. There are patches circulating for OpenSSL (a popular open source SSL implementation) to disable renegotiation, although some applications may require it.

One scenario depends upon client certificates, which are used when you want to automatically prove who you are to the server. This is hardly ever used in everyday web browsing or even on secure web sites, because some kind of username/password scheme is used instead. They may be used for specific web applications or within organizations, however. At this time, both Apache and Microsoft IIS are vulnerable.

Another method, not dependent upon client certs, does injection of specific HTTP requests. Generic defenses against XSS and CSRF attacks may work here, although I haven't investigated fully enough to say this for sure. If the MITM attacker can read arbitrary pages -- or use a separate attack to see the data -- then those defenses won't help.

Because of the broad nature of this vulnerability and the presence of a private working exploit, we would recommend that you keep a close watch on this SSL vulnerability. Please also review the SSL-based solutions that you are using in your own networks and that of your clients, so that you are prepared to update them when updates are available.

Wednesday, November 4, 2009

Fortinet IPO validates enhanced security

The Fortinet IPO validates that the tremendous need for enhanced network security and control is overcoming the incredibly tough times on Wall Street this year. Here are some details and a little perspective on the significance of the event for Calyptix as a participant in the UTM (unified threat management, aka all-in-one firewall) marketplace. If your customers are still using consumer-grade router/firewalls, maybe this is your wake-up call to suggest stepping up their security.

IPO Details. On November 2 Fortinet filed an amended S-1 registration statement with the SEC (see SEC filing here). The registration statement estimates an IPO offering price of $9 to $11 per share for the sale of 12 million shares of Common Stock. After the offering, there will be approximately 65 million shares outstanding. The IPO will include 5.8 million new shares to be sold by the company and 6.2 million shares to be sold by current shareholders. The market cap for Fortinet after the IPO is estimated to be approximately $650 million. The company will gross approximately $58 million while selling shareholders will harvest about $62 million. The additional 1.8 million share over-allotment (extra shares to be sold if there is interest) will consist of more shares from the company that could generate an additional $18 million. The size of the selling shareholder pool could be considered a very strong testament to the strength of this IPO.

Why relevant to Calyptix and our partners?

1. The UTM Solution is here to stay. This IPO validates the continued growth and permanence of the multi-function network security appliance as a critical tool for IT professionals. According to IDC, the UTM appliance market will grow from $1.3 billion in 2007 to $3.5 billion in 2012, representing a compounded annual growth rate of 22.3%. Based on IDC data, the UTM market is the fastest growing segment within the network security market, which was $6.8 billion in 2007. The underlying rationale for this explosive growth is the huge value multi-function appliances provide for IT professionals and their clients.

2. The UTM market has barely been scratched. Fortinet and Sonicwall report shipping 0.5 and 1.0 million units worldwide, respectively. Meanwhile Microsoft has publicly estimated the market size of small businesses worldwide with 5 and 75 employees at more than 40 MILLION! Based on these numbers market penetration at this point is less than 10%.

3. Understanding the target customer. The early UTM solutions have been designed primarily for deployment by managed security service providers (MSSPs) or large enterprises with multiple sites. This bias is evidenced by the "product suites" incumbent vendors require (beyond the UTM device) to achieve a comprehensive business solution for a single location (e.g. reporting, email filtering, and other necessary functions). Our AccessEnforcer targets the SMB market that currently eludes the MSSP offerings for any of a number of reasons - including technical complexity, licensing complexity, integration challenges, performance, price, etc. AccessEnforcer simplifies advanced security and networking and expands key functionality to provide everything a small business needs for an edge solution in a single unit.

4. UTM Product Evolution. The SMB network edge solution is destined to evolve considerably over the next 3 to 10 years. IDC analyst Charles J. Kolodgy first coined the term UTM in September 2004, when he identified a UTM as only a firewall and VPN. For an early industry report see here. It is fair to say our UTM is a bit more comprehensive than the original concept. The key drivers for Calyptix in the continued evolution of our SMB edge solution will largely be (1) the network framework of our SMB customers and (2) the security threats they face. With our focus to be the firewall of choice for Small Business Server, our path is certain to be an exciting one.

Tuesday, October 27, 2009

Part III: Small Businesses under Attack from Organized Cyber Crooks

Noted computer security journalist Brian Krebs, who writes the Security Fix blog and also for the Washington Post, has recently chronicled in his blog the escalation of costly cyber security incidents encountered by small and medium businesses. This three-part article highlights these developments and suggests several practical and affordable defensive measures for small and medium businesses. To request a complete copy of the article you can email us: info [at] calyptix [dot] com.

How to protect yourself. Protective measures include implementing sound financial management practices, educating staff and implementing sound IT practices and technologies.

Reconcile your bank accounts daily. Pay special attention to all online banking and credit card activities, including checks generated from online bill pay systems. The victimized companies Krebs interviewed which were most successful in retrieving stolen funds were those who quickly spotted the fraudulent transfers through monitoring account activities. Some crooks, taking a page out of the VAR playbook for recurring revenue, have set up monthly automatic bill payments, paying themselves via check to some nondescript company at a PO Box to avoid detection from the casual observer.

Ask your bank to set up a notification procedure (perhaps approval by phone) for any transfers or bill payments that fall outside of your normal online banking activity.

• For employees who need to access accounts online, consider setting them up with a separate isolated computer. Noting that most attacks have been on Microsoft Windows systems, Krebs suggests using a Mac or Linux system (perhaps even a live CD distribution of Linux). We also invite you to contact us to learn how we can tailor our AccessEnforcer to further lock down a dedicated banking terminal.

Be wary of unusual experiences when accessing online banking systems including login difficulties or unusual experiences with the bank’s website (e.g. slowness, formatting, color, logos, quality, misspellings, etc.).

Educate your staff and executives about the risks and best practices for passwords, unsolicited email, unknown website links, software updates and downloads. Make certain to highlight this issue for staff who access online bank accounts; however, once a single workstation is infected anywhere on a network all others may be at serious risk.

Keep all systems (workstations, servers, network equipment, etc.) promptly patched with all security updates to prevent attacks against security vulnerabilities.

Implement a coordinated layered security strategy (aka “Defense in Depth”) across the network, including protection at the perimeter (e.g. internet gateway), servers and workstations.

Implement a stringent perimeter defense that provides visibility into all traffic and utilizes proactive security techniques such as intrusion prevention, web filtering and other techniques to stop invisible network attacks, scans and exploits.

Eliminate spam and other email from untrusted sources.

Establish proper reporting and controls to prevent web surfing and software downloads from sites susceptible to malware (e.g. pornography, videos, pirated music and software, etc.).
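The first two measures above (reconcile daily, and have the bank call about anything outside normal activity) amount to a set of rules a bookkeeper can apply to an account export. The following added example, which is not from the original post or from Calyptix, scores a constructed one-month ledger against those rules: unknown payee, amount above the historical maximum, amounts sitting just under the sub-$10,000 pattern that Part II of this series describes, and repeated bill-pay checks to an unknown payee. The ledger, payee list and thresholds are invented for illustration.

```python
from collections import Counter

# Constructed sample of one month of outgoing transactions from an online
# banking export; payees and amounts are invented for illustration.
SAMPLE_LEDGER = [
    {"date": "2009-10-01", "payee": "Acme Office Supply", "amount": 412.50, "channel": "check"},
    {"date": "2009-10-02", "payee": "Payroll Service", "amount": 8200.00, "channel": "ach"},
    {"date": "2009-10-03", "payee": "JB Holdings LLC", "amount": 9400.00, "channel": "wire"},
    {"date": "2009-10-05", "payee": "NW Consulting, PO Box 1120", "amount": 2950.00, "channel": "billpay check"},
    {"date": "2009-11-05", "payee": "NW Consulting, PO Box 1120", "amount": 2950.00, "channel": "billpay check"},
]

# Payees the bookkeeper has previously approved (assumed list).
KNOWN_PAYEES = {"Acme Office Supply", "Payroll Service", "Duke Power"}


def flag_transactions(ledger, known_payees, baseline_max, threshold=10000.0, recurring_min=2):
    """Return [(transaction, [reasons])] for entries worth a phone call to the bank.

    baseline_max   largest single outgoing amount seen in normal activity
    threshold      amount the fraud pattern stays just under (Part II: < $10,000)
    recurring_min  repeats that make an unknown payee look like a scheduled bill-pay
    """
    repeats = Counter(tx["payee"] for tx in ledger)
    flagged = []
    for tx in ledger:
        reasons = []
        unknown = tx["payee"] not in known_payees
        if unknown:
            reasons.append("unknown payee")
        if tx["amount"] > baseline_max:
            reasons.append("above historical maximum")
        if threshold * 0.9 <= tx["amount"] < threshold:
            reasons.append("just under %.0f" % threshold)
        if unknown and repeats[tx["payee"]] >= recurring_min:
            reasons.append("recurring payment to unknown payee")
        if reasons:
            flagged.append((tx, reasons))
    return flagged


if __name__ == "__main__":
    # baseline_max is the largest legitimate payment in prior months (assumed).
    for tx, reasons in flag_transactions(SAMPLE_LEDGER, KNOWN_PAYEES, baseline_max=9000.0):
        print(tx["date"], tx["payee"], tx["amount"], "->", "; ".join(reasons))
```

The recurring-payee rule is the one that catches the "pay myself a monthly check to a PO Box" trick described above, because each individual payment is small enough to pass the amount rules on its own.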

For additional information, go to www.calyptix.com where you may access a free whitepaper entitled Twelve Security Techniques for Small Businesses.

Friday, October 23, 2009

Top 10 things I learned from US Government Trusted Internet Connection Strategy

In July, the Department of Homeland Security updated its Information Security and Privacy Advisory Board on its Trusted Internet Connections (TIC) strategy. I stumbled upon this presentation which provided some insight into the challenges of the federal government for Internet Security.

Here are the top 10 things I discovered when I reviewed it.

1. DO NOT (under any circumstances) share your IT security strategy with the media. All they heard is that the government will only have 50 Internet connections.

2. The plan states "The total number of access points should be less than 50 to the extent practicable." "To the extent practicable" is a legal term that will translate into vulnerabilities. (Page 7).

3. "Practicable" is a term of art that differs depending who you are - agency officials, vendors and politicians. Tax payers are not included.

4. If you can't meet your goals, revise them (page 18): "Continue to pursue the goal of the Trusted Internet Connection program to reduce the number of government network connections to the Internet but reconsider goals and timelines based on a realistic assessment of the challenges." – Cyberspace Policy Review, 2009

5. The TIC strategy presumes trust among government agencies. Hmmmm...... See item 4 again (and again).

6. Use pictures [with cryptic notes and ambiguous goals] to explain your IT initiatives because everyone will understand at least some part of the picture....and later you can explain it however you want.

7. PowerPoint slides have gone too far if the US government can describe its strategy on just one slide (page 8).

8. Leverage pre-existing brands by using really smart code names like "Einstein" to convey a sense of confidence and to ensure a steady stream of funding resources regardless of results. For instance, the media would have a field day if the program gets cancelled (e.g. Congress Kills Einstein).

9. When establishing rules for operations be sure to provide absolute clarity (with sufficient loopholes). See page 9 for this excellent example of a bright line rule for HTTP/s connections:
"Unless exempted all http/https connections to external systems only allowed by Web proxy."

10. Keep your day jobs. The vendor gods (even Lawrence) can not convert this TIC strategy into an SBS wizard [YET!].

Thursday, October 22, 2009

Part II: Small Businesses under Attack from Organized Cyber Crooks

Noted computer security journalist Brian Krebs, who writes the Security Fix blog and also for the Washington Post, has recently chronicled in his blog the escalation of costly cyber security incidents encountered by small and medium businesses. This three-part article highlights these developments and suggests several practical and affordable defensive measures for small and medium businesses. To request a complete copy of the article you can email us: info [at] calyptix [dot] com.

How attacks occur. The victims of this type of fraud have told Krebs different stories, but the basic elements are the same. Malicious software is planted on the company's PC that allows the crooks to gain access to the victim's corporate bank account online. The attackers wire chunks of money to accomplices called “money mules” in the United States who then wire the money to the fraudsters overseas.

Common ploys include email targeting the company's controller, accounting staff or other high-level executives. These emails contain a virus-laden attachment or a link to a web site that, when opened, surreptitiously installs malicious software. The malicious software is designed to stay undetected and to steal passwords and other banking credentials. Once the credentials are obtained and communicated back to the fraudsters, the crooks start transferring small amounts (less than $10,000) out of the account to the "money mules." The transfers can take the form of wire transfers and even checks paid as online bill payments.

A recent intelligence report circulated among the financial services industry on September 14, 2009 reported one such scheme involving a new series of spam originating from the “Cutwail botnet” - the world's highest volume spam sending botnet (90,000 spam per hour). In this case, the spam purports to come from the U.S. Internal Revenue Service (IRS) and contains a link to the IRS web site. Instead, the link directs the recipient to a site that downloads malicious software. Users are advised to be aware that the IRS does NOT send email to conduct business, and any spoofed emails should be deleted immediately.
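The IRS lure above works because the text the recipient reads says one thing while the link underneath points somewhere else. That mismatch is easy to check mechanically before a message reaches staff. The following added example, not from the original post, Krebs, or Calyptix, walks the anchors in an HTML mail body and reports every link whose visible text names a different domain than its real href. The sample message is constructed for this example, and the lure address uses the reserved .example TLD; the helper names are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating the scheme-less form people type in mail."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registered_domain(host):
    """Crude comparison key: last two labels; IP literals are kept whole (assumption)."""
    if host.replace(".", "").isdigit():
        return host
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_url(text):
    """Only text that itself names a host can be compared against the href."""
    return "." in text and " " not in text and not text.endswith(".")


def mismatched_links(html):
    """Return [(visible text, real href)] where the text names a different domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not looks_like_url(text):
            continue                    # "click here" style text cannot be compared
        if registered_domain(host_of(text)) != registered_domain(host_of(href)):
            findings.append((text, href))
    return findings


# Constructed sample modelled on the IRS-themed lure described above.
SAMPLE_EMAIL = """<p>Your refund review is pending. Open your case at
<a href="http://refund-notice.example/irs/">www.irs.gov/refund</a> within 48 hours.</p>
<p>General help: <a href="https://www.irs.gov/help">www.irs.gov/help</a></p>"""

if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_EMAIL):
        print("displayed %r but points to %r" % (text, href))
```

The second link in the sample is left alone because its text and target agree; only the first, whose text reads as an IRS address while the href leaves the irs.gov domain, is reported. The last-two-labels rule is deliberately simple and will misjudge country-code second-level domains such as .co.uk, so treat it as a triage signal rather than a verdict.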

Today's underground online fraud economy is a sophisticated international business model equipped with expertise and multiple levels of participants. The lead research at RSA's Anti-Fraud Command Center illustrates the main goals of online fraud as "harvesting" and "cash-out." Harvesting is where criminals target user access credentials by skimming, phishing or Trojans; in cash-out, fraudsters are after the profit (money) through e-commerce transactions or online banking transfers using sophisticated malware, mostly Trojans. Online fraudsters collaborate and set up business relationships through online forums to share information and tools and to discuss the latest business opportunities.

The sophistication of the malicious software varies and can be extremely difficult to detect. For instance, one data-stealing Trojan program known as "Zeus" allows the attacker to change the display of a bank's login page as a victim is entering their credentials. For example, when a victim submits his one-time password along with his credentials, the malware may force the browser to return a counterfeit page (still showing the bank's domain name in the URL bar) stating that the bank's site is down for maintenance, please try back again in 15 minutes. Meanwhile, those credentials are not submitted to the bank but instead sent to the attackers. While the unwitting victim waits as instructed, the thieves use the intercepted credentials to log in as the victim and initiate unauthorized transfers from that account.

Part III: Practical steps to take.