Monday, April 20, 2015
There is little doubt that the cloud has made an impact upon IT security. Just how positive that impact actually is depends on who you talk to and when you last spoke. Indeed, just a few years ago the overwhelming majority of IT executives would have said it was a negative one, with data being insecure in the cloud, and would have used this as a reason not to migrate. At the same time, however, IT security professionals would have tempered that view somewhat by pointing out that the cloud has never been inherently insecure and that cloud-based data can be secure enough. Fast-forward several years and, as customer confidence and understanding of cloud security issues have improved, the insecurity argument has by and large given way to treating the cloud as just another environment where best practice can be applied to keep on top of data security.
Friday, April 17, 2015
Werner Vogels, Amazon Web Services (AWS) CTO, speaking at the AWS Summit in London yesterday, made the rather amazing claim that security in the cloud is "much stronger" than anything you can have on-premises. As someone who has been writing about information security for more than 20 years, and covering the cloud security beat for five, I can understand why he may say that. However, it doesn't mean that he was right; not for every customer, not for every implementation. If you are talking about the smaller end of the SME spectrum then, for the most part in my experience, there's a very good chance that the kind of dedicated security know-how and infrastructure investment available from the likes of AWS is beyond the reach of the average business. If you are talking about larger enterprises, which do have dedicated security teams and have already invested heavily in the relevant infrastructure and processes, well sorry Werner but that's a totally different ballpark.
The Payment Card Industry Security Standards Council (PCI SSC) has moved to address the weaknesses in the Secure Sockets Layer (SSL) protocol and early versions of Transport Layer Security (TLS), of which POODLE was the most prominent demonstration, with an out-of-band release of PCI DSS v3.1 that no longer accepts SSL or TLS 1.0 as "strong cryptography". Heartbleed is often cited alongside POODLE here, but it was an OpenSSL implementation bug rather than a flaw in the protocol itself; patching the library, not moving off a protocol version, was the fix for that one. This latest iteration of the PCI Data Security Standard, however, has split the IT security profession when it comes to just how much protection it is really providing the card holder who shops online.
Thursday, April 16, 2015
In what has quite possibly been one of the longest periods between security problems being revealed and action being taken, the Virginia Board of Elections voted on Tuesday to decertify more than 300 AVS WINVote touchscreen voting machines. The Virginia Information Technology Agency, and consultancy Pro V&V, uncovered multiple flaws in the voting technology, which had also been used in other states including Mississippi and Pennsylvania. The scandal here is that there have been concerted efforts to remove these machines from the electoral system since 2008, when experts investigating irregularities first flagged their concerns. They were used consistently in Virginia between 2002 and 2014, and if you have voted there you may well have cause for concern.
Tuesday, April 14, 2015
According to the latest Verizon 2015 Data Breach Investigations Report, all but four per cent of the security incidents analyzed by researchers could be accounted for by just nine basic attack patterns. That's pretty useful information for enterprises looking to prioritize their approach to security and establish a stronger security posture. So, as far as the nearly 80,000 incidents that were analyzed to form the basis of the report are concerned, what were these nine basic patterns then?
Saturday, April 11, 2015
According to a SecureList posting dated April 10th, researchers Anton Ivanov, Andrey Khudyakov, Maxim Zhuravlev and Andrey Rubin discovered a vulnerability in the Darwin kernel back in December 2014. Why is this of interest? Well, the Darwin kernel is the open-source core of both Apple operating systems, OS X and iOS. The vulnerability could allow a remote attacker to mount a denial-of-service attack against a device running OS X 10.10 or iOS 8 (a DoS rather than a DDoS: no botnet or traffic volume is needed). More worryingly, the attacker needs to send just a single, solitary malformed network packet in order to crash the target system and, by extension, disrupt any corporate network it may be connected to. Sounds pretty serious, right? Apple obviously thought so, seeing as it took the company, which is so profitable that it ranks in the top three companies on the planet, more than three months to fix it. The updated OS X 10.10.3 and iOS 8.3 software releases patched the holes, but even so, three months plus!!!
It all started pretty well, with the announcement by Mozilla at the end of last month that the Firefox web browser would make the Internet a safer place by encrypting everything. That's everything, even connections to sites that are only served over plaintext http:// and have never been set up as HTTPS origins. The 'Opportunistic Encryption' (OE) feature essentially acts as a bridge between non-compliant plaintext HTTP connections and fully compliant and secure HTTPS ones: the server advertises a TLS-capable alternative endpoint via the HTTP Alternative Services (Alt-Svc) mechanism, and Firefox quietly moves the traffic onto it. Firefox 37 made OE active by default, protecting sites that hadn't bothered with going through the digital certificate authority process, or which don't fully encrypt everything courtesy of embedded plaintext third-party content requirements such as adverts, for example. All of which was great, and hard to argue with. Mozilla had done a good thing in helping make the Internet a little more secure by enabling the OE functionality in Firefox. And then, a few days later, this happened: Mozilla Foundation Security Advisory 2015-44. Entitled 'Certificate verification bypass through the HTTP/2 Alt-Svc header', it detailed a critical vulnerability in the Firefox implementation of the HTTP Alternative Services specification. Specifically, if an Alt-Svc header was specified in an HTTP/2 response, SSL certificate verification could be bypassed for the specified alternate server. In other words, no warning of an invalid certificate would be displayed, so an attacker able to inject that header could redirect the browser to a server of their choosing and impersonate the site through a man-in-the-middle attack. Note the irony: OE itself only ever promised protection against passive eavesdropping, not active attackers, yet the bug undermined exactly the guarantee that certificate-validated HTTPS origins are supposed to provide. Mozilla disabled OE in Firefox 37.0.1 while it fixed the flaw.
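The check that MFSA 2015-44 describes as being skipped is easy to state and easy to get wrong, so here it is in code. This is an added illustration written for this page, not Mozilla's implementation: the parser follows the Alt-Svc header grammar from RFC 7838, and PresentedCert, AltService, the host names and the header values are all constructed stand-ins for what a real TLS handshake and HTTP response would give you. The rule being enforced is the one RFC 7838 sets for https origins: an alternative may only be used if it presents a certificate that validates and is valid for the origin's own host name, whatever host the header pointed at.

```python
"""Alt-Svc parsing plus the certificate check an https origin requires.

Added example for this page, not Firefox code. Names, headers and the
PresentedCert model are constructed; a real client would get the
certificate from the TLS handshake with the alternative.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class AltService:
    protocol: str   # ALPN identifier, e.g. "h2"
    host: str       # "" means "same host as the origin"
    port: int
    max_age: int    # seconds the advertisement may be cached ("ma", default 86400)


@dataclass(frozen=True)
class PresentedCert:
    names: Tuple[str, ...]   # DNS names the certificate is valid for (SAN entries)
    chain_valid: bool        # chains to a trusted root, in date, signature verified


# One alt-value: protocol-id="alt-authority" (parameters such as ma= follow after ';')
_ALT_VALUE = re.compile(r'([A-Za-z0-9._%-]+)="([^"]*)"')


def parse_alt_svc(header: str, origin_port: int) -> List[AltService]:
    """Parse e.g. 'h2="alt.example.com:443"; ma=3600, h2=":443"'.
    Malformed entries are dropped rather than guessed at."""
    services: List[AltService] = []
    if header.strip().lower() == "clear":          # RFC 7838: forget cached alternatives
        return services
    for field in header.split(","):
        parts = [p.strip() for p in field.split(";")]
        m = _ALT_VALUE.fullmatch(parts[0])
        if not m:
            continue
        protocol, authority = m.group(1), m.group(2)
        if ":" in authority:
            host, _, port_s = authority.rpartition(":")
        else:
            host, port_s = authority, ""
        port = int(port_s) if port_s.isdigit() else origin_port
        max_age = 86400
        for param in parts[1:]:
            key, _, value = param.partition("=")
            if key.strip().lower() == "ma" and value.strip().isdigit():
                max_age = int(value.strip())
        services.append(AltService(protocol, host, port, max_age))
    return services


def _name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single '*' standing for the whole left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def alternative_is_usable(origin_host: str, alt: AltService, cert: PresentedCert) -> bool:
    """RFC 7838 section 2.1: the alternative's certificate must validate AND be
    valid for the ORIGIN host, not merely for whatever host the header named.
    Skipping this step is the bypass MFSA 2015-44 describes: an injected
    Alt-Svc header would then hand the connection to an attacker's server."""
    if not cert.chain_valid:
        return False
    return any(_name_matches(name, origin_host) for name in cert.names)


def choose_alternative(origin_host: str, origin_port: int, header: str,
                       cert_for: Callable[[str, int], PresentedCert]) -> Optional[AltService]:
    """First advertised alternative that passes the check, else None.
    cert_for(host, port) stands in for 'connect and return what it presented'."""
    for alt in parse_alt_svc(header, origin_port):
        target = alt.host or origin_host
        if alternative_is_usable(origin_host, alt, cert_for(target, alt.port)):
            return alt
    return None


if __name__ == "__main__":
    # Constructed scenario: a MitM injects an alternative pointing at its own host.
    header = 'h2="evil.example.net:443"; ma=3600, h2=":443"'
    certs = {
        ("evil.example.net", 443): PresentedCert(("evil.example.net",), True),
        ("bank.example.com", 443): PresentedCert(("bank.example.com",), True),
    }
    print(choose_alternative("bank.example.com", 443, header, lambda h, p: certs[(h, p)]))
```

The attacker's certificate in the scenario is perfectly valid for evil.example.net, which is the point: a client that only asks "does this chain validate?" would accept it. The name check against the origin is what turns a trusted certificate for the wrong host into a refusal.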
Friday, April 10, 2015
The so-called 'Dyre Wolf' campaign uses a multi-layered approach to evade detection and gain account access. This includes injecting new fillable data fields into online forms on legitimate target web pages, redirects to proxy clone pages, and pop-ups to lure targets in the first place. What was arguably most alarming, however, was that apparently Dyre Wolf could also defeat two-factor authentication (2FA) mechanisms. Reading the news stories that emerged, it appeared that the malware was technically sophisticated enough to bypass 2FA, which would be very worrying indeed. Further investigation revealed that 2FA is, in fact, far from dead in the water and that Dyre Wolf is not as clever as you might think: the one-time codes were not broken but harvested, with the malware showing the victim a fake 'site unavailable, please call this number' notice and a live operator at the other end talking them into reading out their credentials and the code. Social engineering, not cryptography, is the weak link.
Wednesday, April 08, 2015
According to new research from Venafi, apparently some 74 percent of 'Forbes Global 2000 organizations' (or the big boys of business, if you prefer) have yet to properly secure their public-facing servers against the Heartbleed OpenSSL threat. That's a year after the thing broke, for goodness sake! Venafi found that at least 580,000 hosts belonging to this elite group of enterprises were still exposed because full and proper remediation had not been applied. They were patched, yes, but did not bother with the equally important steps of generating new private keys, reissuing certificates on those new keys and revoking the old certificates. The reason those steps matter is that Heartbleed leaked server memory, private key included, so a patched server that still uses the same key is protected against new leaks but not against anyone who already has a copy. Apparently, looking at the market in general, it would seem that more than half of organizations simply have no idea how many keys or how many certificates they have, or even where they are being used. If you are in the US you can be happiest, if that's the right word, as your big business boys sit just behind Germany at the top of the remediation tree with a 41 percent total. That's still pretty poor, of course, but way better than Australia on 16 percent.
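The distinction the Venafi figures turn on, patched versus fully remediated, is simple to audit once you know what to look for, and the give-away is a certificate whose public key has not changed. Below is an added example written for this page, not Venafi's tooling: HostState is a constructed inventory record, and the host names, fingerprints, serials and dates are made up. The one piece of real data is the disclosure date; the comparison of the SubjectPublicKeyInfo fingerprint before and after is what catches the common trap of a certificate that was dutifully reissued on the same old key.

```python
"""Heartbleed remediation audit: patched is not the same as remediated.

Added example for this page, not Venafi's code. HostState, the hosts and
their fingerprints/serials are constructed; in practice the fingerprints
come from hashing the certificate's SubjectPublicKeyInfo on each scan.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Iterable, List

HEARTBLEED_DISCLOSED = date(2014, 4, 7)   # public disclosure of CVE-2014-0160


@dataclass(frozen=True)
class HostState:
    host: str
    openssl_patched: bool              # the library no longer tests as vulnerable
    spki_fingerprint: str              # SHA-256 of the current cert's public key
    spki_before: str                   # fingerprint the host presented pre-disclosure
    cert_not_before: date              # validity start of the certificate now in use
    old_cert_serial: str               # serial of the certificate used pre-disclosure
    revoked_serials: FrozenSet[str]    # serials the issuing CA lists as revoked


def remediation_gaps(h: HostState) -> List[str]:
    """Everything still missing before the host counts as fully remediated."""
    gaps: List[str] = []
    if not h.openssl_patched:
        # Rotating keys on an unpatched server just hands over the new key too.
        gaps.append("unpatched")
    # Same public key means same private key, however fresh the certificate looks.
    if h.spki_fingerprint == h.spki_before:
        gaps.append("key not rotated")
    if h.cert_not_before < HEARTBLEED_DISCLOSED:
        gaps.append("cert not reissued")
    # A leaked key plus an unrevoked old certificate is still a working impersonation kit.
    if h.old_cert_serial not in h.revoked_serials:
        gaps.append("old cert not revoked")
    return gaps


def fully_remediated(h: HostState) -> bool:
    return not remediation_gaps(h)


def remediation_rate(hosts: Iterable[HostState]) -> float:
    """Share of hosts with no gaps, the figure the Venafi percentages express."""
    hosts = list(hosts)
    return sum(fully_remediated(h) for h in hosts) / len(hosts) if hosts else 0.0


# Constructed sample inventory covering the three states seen in the wild.
PATCHED_ONLY = HostState("www.a.example", True, "sha256:1111", "sha256:1111",
                         date(2013, 9, 1), "0A1B", frozenset())
REISSUED_SAME_KEY = HostState("www.b.example", True, "sha256:2222", "sha256:2222",
                              date(2014, 5, 2), "0B2C", frozenset({"0B2C"}))
FULLY_DONE = HostState("www.c.example", True, "sha256:3334", "sha256:3333",
                       date(2014, 4, 12), "0C3D", frozenset({"0C3D"}))
SAMPLE = (PATCHED_ONLY, REISSUED_SAME_KEY, FULLY_DONE)

if __name__ == "__main__":
    for h in SAMPLE:
        print(h.host, remediation_gaps(h) or "fully remediated")
    print(f"remediated: {remediation_rate(SAMPLE):.0%}")
```

The second sample host is the instructive one: a certificate issued a month after disclosure, old certificate revoked, and it still fails, because the CSR was signed with the same key the leak may already have exposed.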
Confidence in security is key to deploying any service that gets hands-on with your data, and that's especially true when the cloud is thrown into the mix. It's a given that you would expect your chosen provider to be both aware of and implementing security best practice end to end across the deployment and ongoing usage lifecycle; but expectation and due diligence are entirely different animals. In order to ensure that you are entering into a relationship with the right cloud solutions partner you need to be asking the right questions relating to the security of your data. Good security is all about balance in implementation (between usability and functionality, risk and reward) and that includes performing due diligence in your choice of CSP. Here are five questions that you really should be asking of yours...