<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Last Watchdog &#187; Guest Blog Post</title>
	<atom:link href="http://lastwatchdog.com/category/guest-blog-post/feed/" rel="self" type="application/rss+xml" />
	<link>http://lastwatchdog.com</link>
	<description>on Internet security by Byron Acohido</description>
	<lastBuildDate>Tue, 07 Feb 2012 18:03:22 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>Why botnets have become invincible</title>
		<link>http://lastwatchdog.com/botnets-invincible/</link>
		<comments>http://lastwatchdog.com/botnets-invincible/#comments</comments>
		<pubDate>Fri, 30 Dec 2011 00:08:20 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11671</guid>
		<description><![CDATA[When I first wrote about &#8220;Zombie networks&#8221; in this 2004 cover story, hackers were in the early stages of developing the most efficient ways to systematically infect Internet-connected Windows PCs and convert them into obedient bots &#8212; at scale. The big driver back then was to assemble botnets to spread spam. Today botnets have become [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11673" href="http://lastwatchdog.com/botnets-invincible/zombiepc_150px/"><img class="alignleft size-full wp-image-11673" title="ZombiePC_150px" src="http://lastwatchdog.com/wp/wp-content/uploads/ZombiePC_150px.jpg" alt="" width="150" height="164" /></a><em>When I first wrote about &#8220;Zombie networks&#8221; in<a href="http://www.usatoday.com/tech/news/computersecurity/2004-09-08-zombieuser_x.htm"> this 2004 cover story</a>, hackers were in the early stages of developing the most efficient ways to systematically infect Internet-connected Windows PCs and convert them into obedient bots &#8212; at scale. The big driver back then was to assemble botnets to spread spam.</em></p>
<p><em>Today botnets have become the engine that drives all forms of cyber attacks. It&#8217;s simple enough to identify bot traffic on the Internet, and even pinpoint the IP address of specific bots. Many security companies can do this. But it has become next to impossible to systematically wipe out botnets. The big reason: botted PCs are in constant use by millions of average consumers and workers in homes and workplaces all across the globe.</em></p>
<p><em>Practically speaking, there is no way to inoculate these PCs at a scale that would make a difference &#8212; not without disrupting Internet commerce as we&#8217;ve come to know it. In this LastWatchdog guest post, Tomer Teller, a researcher at firewall pioneer Check Point Software Technologies, outlines other factors contributing to the near invincibility of botnets.</em></p>
<div id="attachment_11675" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11675" href="http://lastwatchdog.com/botnets-invincible/tomer_teller175px-2/"><img class="size-full wp-image-11675" title="tomer_teller175px" src="http://lastwatchdog.com/wp/wp-content/uploads/tomer_teller175px1.jpg" alt="" width="175" height="193" /></a><p class="wp-caption-text">Teller</p></div>
<p>By Tomer Teller</p>
<p>The first bot, GMBot, was not malicious. In fact, it was created in the late 1980s to emulate a live person in Internet Relay Chat (IRC) sessions. However, around 1999 bots emerged that were designed with harmful intentions. Thereafter, bots grew more sophisticated, and in some cases, were commercialized as products.</p>
<p>The Zeus bot of 2006, for example, originally sold for several thousand dollars. In mid-2011, source code for the Zeus and SpyEye botnet kits was leaked, making these powerful botnet creators available to practically anyone that wants to establish their own botnet.</p>
<p>Today, botnets are often used as a backdoor into the IT systems of large organizations. Once inside, hackers operate in silence and stay under the radar to steal as much information as possible before their presence is detected.</p>
<p>Unfortunately, because bots are so stealthy, many companies aren’t aware that their computers have been infected, and security teams often lack the proper visibility into the threats that botnets create.</p>
<p>Botnets are here to stay. Botnets are dynamic and can quickly change form, based on the cybercriminal’s command.</p>
<p>It has been estimated that up to one quarter of all personal computers connected to the internet may be part of a botnet. In 2011, the TDL Botnet infected more than 4.5 million computers and approximately 100,000 unique addresses per day. In addition, the industry saw nearly half of IT security professionals experience a dramatic increase in malware attacks.</p>
<p>Botnets have achieved near invincibility due to a confluence of developments.</p>
<p><strong> Malware has become big business</strong></p>
<p>Cybercriminals are no longer isolated amateurs. They belong to well-structured organizations that resemble terrorist cells &#8211; with money, motivation and goals. They can deploy considerable intelligence, time and resources in order to execute botnets that can cost businesses millions.</p>
<p>Information has become a hacker’s gold mine.  However, financial information is not the only valuable data worth stealing. We see a rise in attackers looking more for general customer information and less for specific billing or credit card data.  Such information can be very lucrative for hackers, enabling them to customize future attacks or spam campaigns and increasing the likelihood of their success.</p>
<p>Imagine, for example, emailing 500,000 people with a proposal to buy some product. If only one person out of 1,000 orders your product, that&#8217;s already 500 new orders. Now, imagine the latent profit that a spammer can make with 70 million email addresses.</p>
<p>As an example of how powerful a botnet can be, the &#8220;Rustock&#8221; botnet&#8217;s bot army was generating up to 14 billion spam emails per day before it was dismantled by U.S. federal law enforcement in March 2011.</p>
<p><strong> Threats have become very sophisticated</strong></p>
<p>Organizations are facing a “zoo” of malware types that result in a wide range of security threats, including viruses, worms, Trojans, spyware, adware and botnets to name a few. These are all tools used by cybercriminals in Advanced Persistent Threats (APTs), where individuals or organizations are specific targets for attack.</p>
<p>In addition, botnets are polymorphic in nature and can mimic normal application and traffic patterns – making it difficult for signature-based solutions, such as antivirus, to combat botnets alone. Businesses need a multi-layered approach to effectively mitigate the bot threat.</p>
<p><strong> Attack vectors have multiplied</strong></p>
<p>There are multiple entry points to breach an organization’s existing defenses, including browser-based vulnerabilities, mobile phones, malicious attachments and removable media, to name a few. In addition, the explosion of Web 2.0 applications and social networks being used as business tools is giving hackers a huge opportunity to lure victims into clicking on malicious links or “malvertising” – malicious advertisements running on legitimate websites.</p>
<p>In addition, the rising popularity of social networks has given hackers new opportunities to leverage socially engineered hacking techniques to drive botnet activity. Social networks have also made it easier to obtain personal and professional information about individuals and create new entry points to execute socially engineered attacks, botnets and APTs.</p>
<p>Check Point research has shown that the <a href="http://www.checkpoint.com/press/2011/092111-enterprises-victims-social-engineering.html">primary motivation of social engineering attacks</a> is financial gain (51%), followed by access to proprietary information (46%), competitive advantage (40%) and revenge (14%), and that such attacks can cost businesses anywhere from $25,000 to $100,000 per security incident.</p>
<p><strong> What the future holds</strong></p>
<p>In the coming years, botnets will continue to evolve using a combination of social engineering, zero-day exploits, as well as the proliferation of mobile computing and social networking.</p>
<p>In the past, it was assumed that most of the popular botnets were running on Windows machines; this is no longer true today. Linux and Mac systems are not immune. New botnet variants are cross-platform, and the industry should also expect to see more Apple, Android and other mobile-based botnets pop up that communicate with Command and Control (C&amp;C) servers via 3G or Wi-Fi networks.</p>
<p>A <a href="https://threatpost.com/en_us/blogs/sophisticated-attackers-now-using-social-net-command-and-control-012711">disturbing trend</a> is the use of social networks as command and control centers. Social networks and Web-based services, like IM, are being used to send instructions to malicious programs installed on victim networks and can give hackers the ability to send encrypted commands.</p>
<p>Using social networks such as Twitter can allow a cybercriminal to set up shop quickly and nimbly shut it down without incurring the expense of managing an entire server.</p>
<p>In this day and age, hackers can easily get the tools and resources needed to execute successful botnet attacks. Unfortunately, this is a cat-and-mouse game. Each time an antivirus vendor releases a new file signature, malware authors create new variants of the malware. Luckily, law enforcement, large corporations and security experts are starting to take things seriously and stop bots, such as Rustock, in their tracks.</p>
<p>When the C&amp;C servers are brought down, bot masters lose control over all of the zombie computers and the infection is prevented from spreading. While thousands of companies have already been targets of bots and APTs, businesses have the responsibility to stop it from spreading.</p>
<p><em><strong>About the essayist: </strong>Teller is a Security Researcher and Evangelist at Check Point Software Technologies.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/botnets-invincible/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RSA&#8217;s Coviello: companies face new reality of persistent threats</title>
		<link>http://lastwatchdog.com/rsas-coviello-companies-face-reality-persistent/</link>
		<comments>http://lastwatchdog.com/rsas-coviello-companies-face-reality-persistent/#comments</comments>
		<pubDate>Thu, 22 Dec 2011 21:55:37 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11657</guid>
<description><![CDATA[It&#8217;s been a breathtaking year for mega data breaches. Security token giant RSA last March disclosed an embarrassing hack in which its crown jewel SecurID tags technology was pilfered. And tech security journalist Brian Krebs in October shed light on a list (presented to Congress) of 760 organizations that were similarly hacked, including a who&#8217;s who [...]]]></description>
<content:encoded><![CDATA[<p><a rel="attachment wp-att-11658" href="http://lastwatchdog.com/rsas-coviello-companies-face-reality-persistent/cyberattacks_175px/"><img class="alignleft size-full wp-image-11658" title="cyberattacks_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/cyberattacks_175px.jpg" alt="" width="175" height="131" /></a><em>It&#8217;s been a breathtaking year for mega data breaches. Security token giant RSA last March <a href="http://blogs.rsa.com/rivner/anatomy-of-an-attack/">disclosed an embarrassing hack</a> in which its crown jewel SecurID tags technology was pilfered.</em></p>
<p><em>And tech security journalist Brian Krebs in October <a href="http://krebsonsecurity.com/2011/10/who-else-was-hit-by-the-rsa-attackers/">shed light on a list</a> (presented to Congress) of 760 organizations that were similarly hacked, including a who&#8217;s who of the Fortune 100.</em></p>
<p><em>That&#8217;s just one subset of successful breaches, albeit a big one. Sony, Epsilon, Bank of America, HB Gary, DigiNotar, and, most recently, the <a href="http://www.eweek.com/c/a/Security/Hackers-Stole-Emails-From-Employees-in-Chamber-of-Commerce-Breach-744336/">U.S. Chamber of Commerce</a> also disclosed major data thefts.</em></p>
<p><em>RSA, a division of EMC, deserves kudos for disclosing details about how it got penetrated. Such post-event sharing has traditionally been rare among the good guys.</em></p>
<p><em>Arthur W. Coviello Jr, RSA&#8217;s executive chairman, just sent LastWatchdog this year-end review of key lessons learned and what to expect in 2012.</em></p>
<div id="attachment_11659" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11659" href="http://lastwatchdog.com/rsas-coviello-companies-face-reality-persistent/art_coviello175px/"><img class="size-full wp-image-11659" title="ART_Coviello175px" src="http://lastwatchdog.com/wp/wp-content/uploads/ART_Coviello175px.jpg" alt="" width="175" height="226" /></a><p class="wp-caption-text">Coviello</p></div>
<p>By Art Coviello</p>
<p>I just came back from a five-week trip meeting with customers around the world, and never in my entire career have CEOs and corporate boards been as interested in security as they are now.  The common theme throughout these conversations was that we are facing a new reality &#8211; one of persistent, advanced and intelligent threat.</p>
<p>This new reality was reflected in the headline-grabbing attacks throughout 2011, from the attack on RSA to Sony, Epsilon and Google just to name a few.  Organizations around the world today are dealing with a deluge of digital information.  The velocity of sharing information is skyrocketing as well – driven by web-based applications, mobile devices, social networks and cloud computing.  As a result, we all are interconnected as never before.</p>
<p>This new openness to computing infrastructures is creating greater opportunities for collaboration, communication and innovation; but it’s also creating new vulnerabilities that cyber criminals, hacktivist groups and nation states have learned to exploit.  Attackers are taking advantage of gaps in security created by complex and disparate technology with increased speed, agility and cunning, easily outflanking perimeter security defenses such as anti-virus software and intrusion detection systems.</p>
<p>If there is a silver lining to this rising threat, it is that the furor around the attacks in 2011 has reached a crescendo; it’s no longer about awareness, it’s about action.  I believe that 2012 will be a year of action in which we’ll focus on key areas of improvement and innovation.</p>
<p><em> Real-time intelligence sharing will become a priority</em></p>
<p>In the era of advanced threats, greater situational awareness is essential to effectively detect, deter and to defend against cyber attacks.  The industry needs better frameworks for communicating threat information and strengthening the security posture of all interconnected parties.  In my conversations over the past months, people were united in their call for private and public sectors to work on establishing a common framework to share information dynamically and at line speed.  Today’s attackers are better at sharing real-time intelligence than their targets, and fixing this should be a top priority in 2012.</p>
<p><em> Security professionals will bridge the boardroom gap</em></p>
<p>Never before has information security captured the mind share of board members as it has this past year.  Information risk management must be integrated into an organization’s overall enterprise risk management strategy.  Now is the time to make security a board-level conversation.</p>
<p><em> Education and training of our cyber workforce will become front and center</em></p>
<p>As cyber threats escalate, we need to invest in building the cybersecurity workforce with the requisite skills to defend our enterprises, government and critical infrastructure and help drive continued innovation.  Efforts are underway, and should receive our full support, for cybersecurity programs that graduate more individuals with expertise in computer sciences, risk assessment, analytics, digital forensics and human behavior.</p>
<p><em> National governments will prioritize cyber security</em></p>
<p>Across the globe we are seeing governments prioritize cybersecurity as both a national security and economic security issue.  The growth in cyber-crime, the rampant theft of IP and other sensitive information from corporations, and the penetration of defense systems and critical infrastructure by cyber attackers have all contributed to the urgency placed on cybersecurity by national governments.  In the U.S., a bill on cyber threat intelligence information sharing between government and industry is expected to pass the House of Representatives, and in the Senate the Majority Leader has said that he will bring a comprehensive cybersecurity bill to the Senate floor by January or February.  Shoring up its own defenses, the U.S. Federal Government is ramping up its cybersecurity workforce plans, and forecasts for spending on cybersecurity initiatives top $13.3 billion by 2015.</p>
<p><em> Organizations will begin to change the way they think about security</em></p>
<p>Outpacing the advances in today’s cyber threats will take a new approach to information security.  Security must evolve from conventional frameworks of uncoordinated static point products to more advanced security systems that are risk-based and capable of meeting the challenges of dynamic threat environments.</p>
<p>Learning to live in a state of compromise, organizations will shift their security budgets away from traditional prevention technologies to detection technologies designed to limit exposure and mitigate damage from threats.  The pervasiveness of virtual desktops will grow as organizations struggle to protect endpoints.  And the adoption rate of technologies such as tokenization will take off as companies find new ways to protect sensitive and regulated information.</p>
<p>I believe 2012 also will be the year in which security management meets big data – enabled by advances in data storage, compute power and analytics.  With this big data capability, security teams will be able to gain real-time access to the entirety of information relevant to the detection and remediation of security problems.</p>
<p>If 2011 was the year of the attack, then I believe 2012 will be the year of resiliency and adaptation within the industry.  Our experiences of this year have indeed made us stronger and smarter.  Our society has made unimaginable progress over the past 20 years through advances in information technology.  It’s our responsibility to sustain this advancement through a trusted digital world.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/rsas-coviello-companies-face-reality-persistent/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why someone needs to compel companies to disclose cyberattack details</title>
		<link>http://lastwatchdog.com/compel-companies-disclose-cyberattack-details/</link>
		<comments>http://lastwatchdog.com/compel-companies-disclose-cyberattack-details/#comments</comments>
		<pubDate>Wed, 21 Dec 2011 21:59:50 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11642</guid>
<description><![CDATA[A flurry of mega data breaches rocked the Internet in 2011. They included RSA, Epsilon, Bank of America, HBGary, the U.S. Chamber (twice), Sony (multiple breaches) and DigiNotar. Meanwhile, the most sophisticated attack campaign yet seen, Duqu, has now likely burrowed deep inside dozens of corporations. Meanwhile, new variants of tried-and-true consumer attacks &#8212; ranging from [...]]]></description>
<content:encoded><![CDATA[<p><em><img class="alignnone" title="Digital pearl harbor" src="http://lastwatchdog.com/wp/wp-content/uploads/pearharborxlarge.jpg" alt="" width="275" height="184" />A flurry of mega data breaches rocked the Internet in 2011.  They included RSA, Epsilon, <a href="http://lastwatchdog.com/bank-america-denies-ties-wikileaks-smear-outed-anonymous/">Bank of America</a>, HBGary, the U.S. Chamber (twice), Sony (multiple breaches) and <a href="http://lastwatchdog.com/stolen-digital-certificates-exacerbate-erosion-trust/">DigiNotar</a>. Meanwhile, the most sophisticated attack campaign yet seen, <a href="http://threatpost.com/en_us/blogs/anatomy-duqu-attacks-112111">Duqu</a>, has now likely burrowed deep inside dozens of corporations.</em></p>
<p><em>Meanwhile, new variants of tried-and-true consumer attacks &#8212; ranging from drive-by downloads, to clickjacking to phishing campaigns &#8212; have made the Web <a href="http://lastwatchdog.com/ten-fold-rise-malicious-ads-bedevils-publishers-consumers/">as infectious as ever</a>. In this LastWatchdog guest post, Simon Crosby, co-founder and CTO of virtualized security start-up <a href="http://www.bromium.com/home/pr-062211-seriesa">Bromium</a>, argues that a big part of the problem lies in the good guys&#8217; reluctance to share what they know about how they&#8217;ve been hacked. It will probably take new laws to change that, he argues.</em></p>
<div id="attachment_11644" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11644" href="http://lastwatchdog.com/compel-companies-disclose-cyberattack-details/simon_crosby175px-2/"><img class="size-full wp-image-11644" title="Simon_Crosby175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Simon_Crosby175px1.jpg" alt="" width="175" height="233" /></a><p class="wp-caption-text">Crosby</p></div>
<p>By Simon Crosby</p>
<p>For the last decade, we have been basking in the benefits of the Internet as a platform for democratization and commerce. Our society is now dependent on Internet connectivity. But we have blithely ignored the need to protect ourselves from its darker side. The public perception of cyber-criminals is of spotty-faced, anti-social pranksters.</p>
<p>Unfortunately, we are in an extraordinarily vulnerable position, and every aspect of our on-line society and critical infrastructure is being actively probed for vulnerabilities. This year has delivered more compelling evidence of the potentially crippling economic consequences of cyber-attacks by nation states and wealthy crime syndicates, such as <a href="http://washingtontechnology.com/articles/2011/07/21/stan-sloane-cyberattacks-ip-threats.aspx">various attacks deriving from China</a> which occurred throughout the year:</p>
<ul>
<li>In February, Chinese hackers broke into the systems of five multinational oil and natural gas companies to steal corporate information.</li>
<li>In August, a highly coordinated five-year campaign launched in China resulted in the hacking of 72 networks, including the United Nations and the US Government.</li>
<li>In October, a man in China successfully breached the networks of at least 48 chemical and defense companies, stealing design documents, formulas and details on manufacturing processes.</li>
</ul>
<p>Some loss projections could be <a href="http://www.oecd.org/dataoecd/57/44/46889922.pdf">over-hyped</a>. But it is clear that the Internet is already a key battleground in international conflicts.</p>
<p><strong>Attack details needed</strong></p>
<p>It’s time to get serious about the need to protect our society and our economic and national infrastructure.  None of us want to admit to losses, and we don’t share information about attacks. The only way to change this behavior is to impose legal requirements that place national interest above the interests of a single company.</p>
<p>Just as we require enterprises to comply with accounting regulations such as Sarbanes-Oxley to protect all investors, we ought to require them to disclose information relevant to cyber-attacks – successful or not – and we should impose penalties on those that fail to adequately protect individuals or critical infrastructure; after all, technologies do exist that ensure network security.</p>
<p>If a nuclear facility fails due to poor engineering, we have every right to be upset. We need to recognize that an “insecure network” is an example of poor engineering, and define the consequences for those responsible.</p>
<p>Earlier this year, the White House proposed a new national cyber security plan that, in theory, seems to be focusing on appropriate tactics and measures. Among other specifics, the proposal mandates that private companies notify all customers of any and all data breaches and their potential for identity theft. It also would require organizations where breaches would result in the greatest impact to the nation &#8211; such as federal networks, power grids, water systems and other critical systems &#8211; to maintain the highest levels of network security and submit to annual third-party audits to ensure they are in compliance.</p>
<p><strong>Laws with teeth</strong></p>
<p>To take it one step further, the government needs to also focus on the individual protection of the general public. To do so, any company chartered with ownership of private data that is accessible over the Internet needs to be held responsible for the security of that data, and in order to enforce this, there should be heavy penalties and/or fines imposed.</p>
<p>To this end, the government should both create an addendum that defines the minimum standard of protection required by any provider that hosts data, and create a separate law stating the punishment.</p>
<p>The easy part is proposing these changes; the difficulty will lie in the implementation and in how quickly the plan is put into effect and how thoroughly the mandates are followed. Crucially, we must ensure that compliance requirements are not couched in terms of today’s technologies. Leave it to the industry to advance the state of the art as fast as possible to meet the needs of enterprises subject to regulation.  We are about to witness a profound change in favor of a more secure infrastructure.</p>
<p>Thanks to hardware-assisted virtualization and trusted execution, I am confident that in 2012 we will see security technologies that are a thousand times more robust, and whose creation is the result of the positive benefits of the Internet.</p>
<p><em><strong>About the essayist: </strong>Simon Crosby is the co-founder and CTO of Bromium. Prior to co-founding Bromium, he was the CTO of the Data Center and Cloud Division of Citrix, which he joined after the acquisition of XenSource, where he was founder and CTO. Previously, he was a principal engineer at Intel, where he led strategic research in distributed autonomic computing, platform security and trust. He was a member of faculty at the University of Cambridge Computer Laboratory and a Fellow of Fitzwilliam College.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/compel-companies-disclose-cyberattack-details/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Why the FTC&#8217;s COPPA revisions fall short</title>
		<link>http://lastwatchdog.com/ftcs-coppa-revisions-fall-short/</link>
		<comments>http://lastwatchdog.com/ftcs-coppa-revisions-fall-short/#comments</comments>
		<pubDate>Thu, 10 Nov 2011 01:28:41 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>
		<category><![CDATA[Steps forward]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11429</guid>
		<description><![CDATA[The Federal Trade Commission has drawn positive reviews from both Democratic and Republican lawmakers for its proposal to update the Children&#8217;s Online Privacy Protection Act, or COPPA. The 1998 COPPA law bans website publishers and social networks from collecting or using information from children under 13. Enforcement, however, has been spotty.  And it&#8217;s common practice [...]]]></description>
<content:encoded><![CDATA[<p><a rel="attachment wp-att-11430" href="http://lastwatchdog.com/ftcs-coppa-revisions-fall-short/coppa-15px/"><img class="alignleft size-full wp-image-11430" title="coppa 15px" src="http://lastwatchdog.com/wp/wp-content/uploads/coppa-15px.jpg" alt="" width="150" height="174" /></a><em>The Federal Trade Commission has drawn <a href="http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202518136318">positive reviews</a> from both Democratic and Republican lawmakers for its proposal to update the Children&#8217;s Online Privacy Protection Act, or COPPA.</em></p>
<p><em>The 1998 COPPA law bans website publishers and social networks from collecting or using information from children under 13. Enforcement, however, has been spotty.  And it&#8217;s common practice for website operators to  do the minimum to meet the letter of the law.</em></p>
<p><em>Among other things, the FTC has proposed updating the definition of &#8220;personal information&#8221; to include geolocation information and certain types of persistent identifiers, such as tracking cookies. And it  has  also proposed new methods and rules for obtaining verifiable parental consent.</em></p>
<p><em>In this LastWatchdog guest post, Paul Lipman, CEO of <a href="http://totaldefense.com/home.aspx">Total Defense,</a> argues why he thinks the FTC&#8217;s proposed revisions fall short.</em></p>
<div id="attachment_11431" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11431" href="http://lastwatchdog.com/ftcs-coppa-revisions-fall-short/paul_lipman_175px/"><img class="size-full wp-image-11431" title="Paul_Lipman_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Paul_Lipman_175px.jpg" alt="" width="175" height="257" /></a><p class="wp-caption-text">Lipman</p></div>
<p>By Paul Lipman.</p>
<p>On September 15th, the Federal Trade Commission  issued a long-awaited request for comments on proposed revisions to the Children’s Online Privacy Protection Act (COPPA), which gives parents control over what personal information Web sites may collect from children under the age of 13. While the sentiment behind this act is the right one, the proposed revisions don’t go far enough to protect children and families.</p>
<p>COPPA was enacted on October 21, 1998 and took effect April 21, 2000. At the time, the legislation was created to address the growth of online marketing techniques targeting children.  Web sites were collecting information from children without parental knowledge or consent and children didn’t understand the risks of revealing personal information online. As a result, the public pressured Congress to legislate.</p>
<p><strong>Current rules</strong></p>
<p>COPPA details what Web sites must include in a privacy policy, when and how to seek verifiable consent from a parent and what responsibilities a Web site has to protect children&#8217;s privacy and safety online, including restrictions on marketing to those under 13. To obtain verifiable parental consent, COPPA requires websites to do one of the following:</p>
<ul>
<li> Obtain a signed form from the parent via postal mail or facsimile</li>
<li> Accept and verify a credit card number</li>
<li> Take calls from parents on a line staffed by trained personnel</li>
<li> Require an email accompanied by digital signature from a parent</li>
<li> Require an email accompanied by a PIN or password</li>
</ul>
<p>While the COPPA regulations were timely and forward thinking, the Web has come a long way since 1998. It&#8217;s unbelievable that it has taken the FTC more than 10 years to look into amending the decade-old act.</p>
<p>Consider that in 1998,  Mark Zuckerberg, co-creator of Facebook was a child himself, at only 14 years of age. Facebook and MySpace did not exist.  Instant messaging, online shopping and Internet auctions were in their infancies. And few parents feared the possible repercussions of their children dropping personal information into the Web-o-sphere, because there was no real reason or way to do so.</p>
<p>The FTC proposed amendments to COPPA  expand the definition of “personal information” to include a child’s location, along with any personal data collected through the use of cookies. The FTC also suggested that parental consent be obtained by getting scanned versions of signed consent forms or via videoconferencing.</p>
<p><strong>Parent engagement</strong></p>
<p>The revisions come in light of the increase in children operating mobile devices, using online social networking sites and participating in interactive gaming. Unfortunately, these revisions come at a time when it’s almost too little too late. The proposed changes are not enough to keep kids safe online or to keep up with the ever evolving Web.</p>
<p>As in other aspects of a child&#8217;s development, the parent should be actively engaged. Online behavior, on both the PC and the mobile device, is no exception. The repercussions of digital actions are not apparent: it is far from obvious to a child, or a parent, how personal data is actually used and monetized by corporations.</p>
<p>COPPA legislation should help parents become more involved. State child-restraint laws help ensure adequate protection for children riding in a vehicle by requiring the parent to use age- and size-specific child seats. In a similar way, COPPA legislation should act as the restraint law for children when they are online, by requiring a parent or legal guardian to register the child for any and all online services.</p>
<p>When it comes to social networking, the government must find ways to discourage youth from openly and freely sharing personal information.  Mobile Internet use should also be more clearly addressed by outlining restrictions for mobile applications, browsing capabilities and more.</p>
<p><strong>Marketing tilt</strong></p>
<p>Current legislation provides too many registration options allowing the parent to be circumvented too easily.  To avoid this, I recommend authenticating the parent or guardian by tying the transaction to the parent&#8217;s credit card.  While this is a documented option in today&#8217;s COPPA standard, it&#8217;s just one of the options and not a requirement.</p>
<p>We must note that most child-friendly Web sites offer plenty of interesting and valuable content without requiring any registration whatsoever. Still, these Web sites encourage registration via tempting sweepstakes and coupon offerings. The law should therefore either require parental consent for such registrations or ban tempting sweepstakes on child-friendly sites altogether.</p>
<p>Today&#8217;s legislation still tilts the scale in favor of the online marketer. Parents should be aware and legislation must change to better protect children, our future leaders, online.</p>
<p><em><strong>About the essayist. </strong>Paul Lipman, CEO of  Total Defense,  was previously Chief Strategy Officer at  Webroot. Prior to Webroot, Lipman was General Manager of Global Services at Keynote Systems, joining Keynote via the  acquisition of Enviz.  Lipman holds an MBA from the Stanford University Graduate School of Business and a Bachelor&#8217;s Degree in Physics from Manchester University in England.</em></p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/advocacy-groups-urge-ftc-protect-children-online/" rel="bookmark" class="crp_title">Advocacy groups urge FTC to protect children online</a></li><li><a href="http://lastwatchdog.com/apps-social-networks-pose-rising-danger-kids-online/" rel="bookmark" class="crp_title">Apps, social networks pose rising danger to kids online</a></li><li><a href="http://lastwatchdog.com/isaca-backs-regulation-location-based-apps/" rel="bookmark" class="crp_title">ISACA issues tips for safe use of geolocation apps</a></li><li><a href="http://lastwatchdog.com/tech-industry-moves-protect-children-online/" rel="bookmark" class="crp_title">Tech industry moves to better protect children online</a></li><li><a href="http://lastwatchdog.com/parental-guidance-app-monitors-youth-facebook/" rel="bookmark" class="crp_title">New monitoring tools for parents can foil Facebook bullies and predators</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/ftcs-coppa-revisions-fall-short/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The case for wider use of Next Generation Firewalls</title>
		<link>http://lastwatchdog.com/case-wider-generation-firewalls/</link>
		<comments>http://lastwatchdog.com/case-wider-generation-firewalls/#comments</comments>
		<pubDate>Tue, 01 Nov 2011 18:20:38 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>
		<category><![CDATA[Steps forward]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11342</guid>
		<description><![CDATA[Cyberattacks have gotten very sophisticated, to say the least. Traditional perimeter firewalls are still in wide use as a fundamental defense mechanism.  But a group of security vendors are pushing for wider use of so-called Next Generation Firewalls, or NGFWs, that integrate firewall, intrusion detection and prevention, application monitoring and authentication and policy-use  controls. These [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11344" href="http://lastwatchdog.com/case-wider-generation-firewalls/firewall_150px-2/"><img class="alignleft size-full wp-image-11344" title="firewall_150px" src="http://lastwatchdog.com/wp/wp-content/uploads/firewall_150px1.jpg" alt="" width="150" height="150" /></a><em>Cyberattacks have gotten <a href="http://lastwatchdog.com/carbon-registries-heist-part-digital-con-game-part/">very sophisticated,</a> to say the least.</em></p>
<p><em>Traditional perimeter firewalls are still in wide use as a fundamental defense mechanism.  But a group of security vendors are pushing for wider use of so-called Next Generation Firewalls, or NGFWs, that integrate firewall, intrusion detection and prevention, application monitoring and authentication and policy-use  controls.</em></p>
<p><em>These vendors include NSS Labs, Barracuda, Check Point, Cisco, Fortinet, Juniper, Palo Alto Networks and SonicWall.  In this LastWatchdog guest post,  AlgoSec&#8217;s CTO, Professor Avishai Wool, of Tel Aviv University, makes the technical argument for more pervasive use of NGFWs. (Clarification. 02Nov2011. NSS Labs tests security products, including firewalls,  and publishes the results.)</em></p>
<div id="attachment_11348" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11348" href="http://lastwatchdog.com/case-wider-generation-firewalls/avishai-wool_175px-4/"><img class="size-full wp-image-11348" title="Avishai Wool_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Avishai-Wool_175px3.jpg" alt="" width="175" height="274" /></a><p class="wp-caption-text">Wool</p></div>
<p>By Avishai Wool</p>
<p>The last few years have brought us arguably the most significant change in firewall technology in decades. Ever since <a href="http://www.webopedia.com/TERM/S/stateful_inspection.html">“Stateful Inspection”</a> was introduced by Check Point in the mid-1990s, firewall administrators and information security officers have been defining security policies based primarily on a connection’s source IP address, destination IP address, and service.</p>
<p>Now, with the so-called “Next Generation” firewalls (NGFWs) promoted by Palo Alto Networks and Check Point R75, policy can also be defined based on the “application”.</p>
<p>To understand why this technical detail is an exciting development for organizations, we need a bit of background. Almost all organizations let their users browse the net. From a firewall point of view, this policy is implemented by allowing the “http” service (technically, tcp on port 80) from the internal net, to anywhere.</p>
<p>The trouble is that application programmers have noticed this policy and adjusted to it: almost every web-application now communicates over tcp/80. Since this port is practically certain to be open, there is no need for the application users to ask for a new rule through the firewall; the application will “just work”. This is very convenient for application developers, and also for application users.</p>
<p>But it is a serious concern for information security officers, because not all web-applications are born equal. While many web-applications are important business tools, others are not: some are inappropriate (think file-swapping applications), some are vectors for sensitive data loss (like personal network storage), and others are bandwidth hogs (like streaming video apps).</p>
<p>And lurking among all these we have the real nasty apps: cyber-warfare tools, corporate espionage trojans, identity-stealing bots, viruses and worms, etc. And all these apps use tcp/80 – the good, the bad, and the ugly.</p>
<p>This leaves the information security officer with an unpleasant choice: Either block all the applications that use tcp/80, and disrupt business in a major way – or allow all apps, and assume the risk. Practically every firewall policy I have seen chooses business continuity over safety, and keeps tcp/80 open – with the associated heartburn for CISOs everywhere.</p>
<p>Now enter NGFWs. Through some pretty impressive technological advances, these devices can discriminate between applications that share the same port. NGFWs can enforce fine-grained policies like “block file-swapping applications”, or “allow Facebook but not its game applications”, or even “block the super-sneaky Skype application” – while allowing benign http traffic through the firewall.</p>
<p>The sales-pitch is indeed very compelling for many security-conscious organizations, and lots of organizations are indeed embracing the new technology.</p>
<p>However, once we are past the excitement over the cool new technology (and it is indeed cool!), we have to realize that NGFWs need to be managed. This will require some thought and planning. I’d like to raise two points you should think about when you are considering NGFWs.</p>
<p>The first point is policy granularity. For many years firewall policies were defined at a crude “service” granularity – lumping thousands of applications into a single “service”. Even so, many corporate firewall policies have ballooned into monsters totaling thousands of rules.</p>
<p>Such giant policies are extremely difficult to keep secure – and invariably contain a surprisingly high number of errors. In fact, my research has demonstrated that there is a clear correlation between policy complexity and the number of errors in the policy: for firewall policies, “small is beautiful”.</p>
<p>Now imagine what will happen if instead of a single (albeit crude) rule allowing http, the policy will include 10,000 new rules, one per application… Without some careful design, the new policy could be even less secure just because of all the new errors that will creep in.</p>
<p>The second point is about “blacklisting” versus “whitelisting”. Fifteen years ago there was a raging debate among firewall administrators about how a good firewall policy should be structured. The “blacklisting” proponents suggested to “allow everything, and block the traffic you don’t want”, while the “whitelisting” aficionados argued to “block everything, and only allow the traffic you need”.</p>
<p>This debate was won by a landslide in favor of the more secure “whitelisting” approach: Today practically every firewall policy has a “default drop” rule and a great number of “allow” rules. Further, most regulations require such a structure to be in compliance.</p>
<p>However, this more secure approach has a cost: whitelisting causes a significant workload on firewall administrators. This is because every new connection potentially requires yet another firewall rule – which has to be planned, approved, implemented, and validated. Some organizations I’ve spoken to process hundreds of such rule-change requests every week, and as a result, suffer turnaround times of several weeks between change request and implementation.</p>
<p>With the advent of NGFWs, I think the blacklisting/whitelisting debate deserves a fresh look, and a conscious choice. Consider this: If you decide to whitelist at the application level (i.e., block outbound tcp/80 and only allow those web-applications you know about) – how many more change requests per week will you be processing? Can your existing team handle the extra load without degradation to turnaround time? Will you require additional headcount?</p>
<p>Furthermore, perhaps CISOs will find it easier to define policy via blacklisting, via rules like “block social networks, file sharing and video streaming, and allow all other web traffic”?</p>
<p>As anecdotal evidence, compare how filtering web-proxies and web-application firewalls (that do a similar job using different technologies) are configured. As far as I can tell, blacklisting is the more common approach for web-proxies, although I have spoken to some organizations that whitelist. Should NGFWs follow the web-proxy blacklist style – or should they follow the classical firewall’s whitelist approach?</p>
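<p>To make the granularity and ordering points above concrete, here is an added example in Python (illustration only, not code from AlgoSec, Palo Alto Networks or Check Point): a first-match policy evaluator that decides the same tcp/80 flows under a classic service-level rule, an application-level whitelist, an application-level blacklist, and the whitelist with two rules swapped. It assumes the NGFW's classifier has already labelled each flow with an application name and that a name such as "facebook-games" belongs to the container application "facebook" (modelled here as a hyphenated prefix); the rule fields, application names and sample flows are constructed for this example.</p>

```python
"""First-match firewall policy evaluator used to contrast a classic
service-level rule for "http" with application-aware rules, and a
default-drop (whitelist) policy with a default-allow (blacklist) one.

Added example for illustration only, not code from AlgoSec, Palo Alto
Networks or Check Point. It assumes the firewall's classifier has already
labelled each flow with an application name, and that an application name
such as "facebook-games" belongs to the container application "facebook"
(modelled as a hyphenated prefix). Rule format, application names and
sample flows are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str                    # source zone, e.g. "internal"
    dst: str                    # destination zone, "any" for the Internet
    proto: str                  # "tcp" or "udp"
    port: int                   # destination port
    app: Optional[str] = None   # classifier output; None when unclassified


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "drop"
    src: str = "any"
    dst: str = "any"
    proto: str = "any"
    port: Optional[int] = None  # None matches any port
    app: Optional[str] = None   # None matches any application (service-level rule)

    def _app_matches(self, app: Optional[str]) -> bool:
        if self.app is None:
            return True                  # rule does not look at the application
        if app is None:
            return False                 # unclassified traffic never matches an app rule
        # assumption: "facebook" also covers container members such as "facebook-games"
        return app == self.app or app.startswith(self.app + "-")

    def matches(self, f: Flow) -> bool:
        return (self.src in ("any", f.src)
                and self.dst in ("any", f.dst)
                and self.proto in ("any", f.proto)
                and (self.port is None or self.port == f.port)
                and self._app_matches(f.app))


def evaluate(rules: List[Rule], flow: Flow, default: str = "drop") -> str:
    """Return the action of the first rule that matches, else the policy default."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# 1. Classic service-level policy: one crude rule lets all of tcp/80 out.
SERVICE_POLICY = [Rule("allow", src="internal", proto="tcp", port=80)]

# 2. Application whitelist: default drop; only named applications get out.
#    The drop for the games container must precede the allow for its parent.
APP_WHITELIST = [
    Rule("drop",  src="internal", proto="tcp", port=80, app="facebook-games"),
    Rule("allow", src="internal", proto="tcp", port=80, app="facebook"),
    Rule("allow", src="internal", proto="tcp", port=80, app="web-browsing"),
]

# 3. Application blacklist: name what is unwanted, then allow the rest of tcp/80.
APP_BLACKLIST = [
    Rule("drop",  src="internal", proto="tcp", port=80, app="bittorrent"),
    Rule("drop",  src="internal", proto="tcp", port=80, app="facebook-games"),
    Rule("drop",  src="internal", proto="tcp", port=80, app="video-streaming"),
    Rule("allow", src="internal", proto="tcp", port=80),
]

# 4. The same whitelist with the two Facebook rules swapped: the kind of
#    ordering mistake that creeps into large policies and silently allows games.
MISORDERED_WHITELIST = [APP_WHITELIST[1], APP_WHITELIST[0], APP_WHITELIST[2]]


def decisions(flow: Flow) -> dict:
    """Decide one flow under each policy so the differences sit side by side."""
    return {
        "service":    evaluate(SERVICE_POLICY, flow, default="drop"),
        "whitelist":  evaluate(APP_WHITELIST, flow, default="drop"),
        "blacklist":  evaluate(APP_BLACKLIST, flow, default="drop"),
        "misordered": evaluate(MISORDERED_WHITELIST, flow, default="drop"),
    }


if __name__ == "__main__":
    for app in ("web-browsing", "facebook", "facebook-games", "bittorrent", None):
        f = Flow("internal", "any", "tcp", 80, app)
        print(f"{str(app):16} {decisions(f)}")
```

<p>Running it shows the trade-off in the text: the service-level rule allows every tcp/80 flow including BitTorrent, the whitelist drops anything the classifier cannot name (so each new legitimate application becomes a change request), the blacklist allows unknown traffic by default, and the misordered whitelist lets Facebook games through because the broader container rule matches first.</p>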
<p>So far most of what I’ve read about NGFWs has been about the technology. But what about the management challenges? We should be arguing about them! What do the regulators and standards bodies (PCI-DSS, NERC, NIST) say? What should the internal audit guidelines be (COBIT)? How about Managed Security Service Providers (MSSPs)? What are the vendors teaching in their NGFW configuration classes?</p>
<p>I think we’re going to have a few interesting years until the dust settles.</p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/perimeter-defense-important/" rel="bookmark" class="crp_title">Why perimeter defense is still important</a></li><li><a href="http://lastwatchdog.com/lumension-advocates-intelligent-whitelisting-superior/" rel="bookmark" class="crp_title">Lumension advocates &#8216;intelligent whitelisting&#8217; as a superior defense</a></li><li><a href="http://lastwatchdog.com/companies-mitigate-mobile-device-risks/" rel="bookmark" class="crp_title">Companies begin to mitigate mobile device risks</a></li><li><a href="http://lastwatchdog.com/data-thieves-security-socket-layer-hide-tracks/" rel="bookmark" class="crp_title">Data thieves can use Secure Socket Layer to hide their tracks</a></li><li><a href="http://lastwatchdog.com/ipadatt-data-theft-shows-lock-file-transfers/" rel="bookmark" class="crp_title">iPad/AT&#038;T data theft shows need to lock down file transfers</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/case-wider-generation-firewalls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A 23-year-old&#8217;s perspective on privacy</title>
		<link>http://lastwatchdog.com/23-year-olds-perspective-privacy/</link>
		<comments>http://lastwatchdog.com/23-year-olds-perspective-privacy/#comments</comments>
		<pubDate>Wed, 05 Oct 2011 18:27:10 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11315</guid>
		<description><![CDATA[When he wakes up every morning, Jeremy Pepper, an engineering student at West Virginia University, rolls over, grabs his iPhone, opens  USA TODAY&#8217;s iPhone app, and glances at headlines. He then checks e-mail,  browses favorite Web sites and gets on  with his day. Pepper uses his iPhone and a Windows 7 PC to access the [...]]]></description>
			<content:encoded><![CDATA[<p><em><a rel="attachment wp-att-11322" href="http://lastwatchdog.com/23-year-olds-perspective-privacy/privacy_cartoon2_200px/"><img class="alignleft size-full wp-image-11322" title="Privacy_cartoon2_200px" src="http://lastwatchdog.com/wp/wp-content/uploads/Privacy_cartoon2_200px.jpg" alt="" width="200" height="150" /></a>When he wakes up every morning, Jeremy Pepper, an engineering student at West Virginia University, rolls over, grabs his iPhone, opens  USA TODAY&#8217;s iPhone app, and glances at headlines. He then checks e-mail,  browses favorite Web sites and gets on  with his day.</em></p>
<p><em>Pepper uses his iPhone and a Windows 7 PC to access the Web. He spends much of his time online using  Facebook, Safari, e-mail, Flashlight and camera apps. This past  summer he used a cycling app, called iMapMyRIDE, to record and publish his cycling exercise routes. He shops using an Amazon app and uses a PayPal app for some financial transactions. In this LastWatchdog Q &amp; A, Pepper shares a 23-year-old&#8217;s perspective on privacy.</em></p>
<div id="attachment_11318" class="wp-caption alignleft" style="width: 235px"><a rel="attachment wp-att-11318" href="http://lastwatchdog.com/23-year-olds-perspective-privacy/jeremy-pepper_225px-2/"><img class="size-full wp-image-11318" title="Jeremy Pepper_225px" src="http://lastwatchdog.com/wp/wp-content/uploads/Jeremy-Pepper_225px1.jpg" alt="" width="225" height="148" /></a><p class="wp-caption-text">Pepper</p></div>
<p><strong>LW: </strong>Do you agree with Mark Zuckerberg&#8217;s assertion that privacy is<a href="http://www.huffingtonpost.com/2010/01/11/facebooks-zuckerberg-the_n_417969.html"> no longer a social norm?</a></p>
<p><strong>Pepper:</strong> To a certain extent. My sisters often make comments online that I would not feel comfortable making. However, I still only share things that I would feel comfortable with other people reading and I know that most of the people my age feel the same way.</p>
<p><strong>LW:</strong> Why is privacy important to you?</p>
<p><strong>Pepper:</strong> Privacy is important to me as far as it affects my ability to make purchases, to shape my own decisions, and to safeguard my information from reaching those whom I don&#8217;t want to have it.  I think the thing I worry about above everything else in online transactions is financial theft.  I don&#8217;t particularly care if people know where I live, where I study, and what I do for a living, etc. Those personal details are quite bland to most people and, as far as I can perceive, totally devoid of motive for theft &#8211; you could argue the same about my finances, but I&#8217;d still like to protect every last Honest Abe I have.</p>
<p><strong>LW:</strong> How do you think most of your contemporaries feel about privacy?</p>
<p><strong>Pepper:</strong> In my college classes I am surrounded by a group of kids who have a pretty good understanding of what to do with a computer and how to have their way with the electronic gadgets they use on a daily basis. I would say that most of them use their online interactions responsibly and safely. In fact, most of them even seem to care whether or not sites like Facebook know where they live and where they go to school.</p>
<p><strong>LW:</strong> Do you believe current industry efforts at self-regulating the practice of tracking of Internet users, in support of online behavior advertising, are sufficient?</p>
<p><strong>Pepper: </strong>I believe that some companies are doing an appropriate job and that others aren&#8217;t. I believe that Apple is doing a great job &#8211; though its efforts are often cast as attempts at dictatorial control over its devices &#8211; and that Facebook is doing o.k. Sites like Google, Yahoo, and Bing bother me a little more &#8211; although Google is the only search provider where my fear is as much the search provider as the safety of the link they provide.</p>
<p>With the exception of Google, I&#8217;m not really all that concerned about the large companies with whom I interact daily. What really concerns me are the smaller players where the internet is still a little more like the wild west than a well maintained location such as Facebook, USAToday, Apple.com, or Amazon.com.</p>
<p><strong>LW:</strong> Do you believe federal regulations, generally along the lines as proposed by Sen. Rockefeller or Rep. Markey, are needed?</p>
<p><strong>Pepper:</strong> Browsers like Mozilla, Safari, and Internet Explorer offer the same type of service proposed by Senator Rockefeller. Sometimes I think a tendency is to make-believe that the federal government can protect us, when in reality we already are protected. I can&#8217;t think of too many people who use the internet, aren&#8217;t that computer savvy, and don&#8217;t use one of the three previously mentioned browsers. The main exception would be Google&#8217;s Chrome browser, but again, I try to stay away from all things Google.</p>
<p><strong>LW:</strong> Do you believe Facebook should be covered by any Do Not Track rules that emerge, going forward?</p>
<p><strong>Pepper:</strong> It depends. If they are intentionally sharing my data with so-called data aggregators, then yes, I think they should be included.  If they are keeping the data and its analysis in house or are contracting with specific data analysis contractors, then no. Additionally, if they are simply seeking to improve the ads they display on our screen or what information we receive about our friends then I see no reason why they should be included.  Facebook already gives us the tools to decide who sees what, which I find easy enough to use.</p>
<p><strong>LW:</strong> What&#8217;s your main concern when it comes to your privacy?</p>
<p><strong>Pepper:</strong> The thing I am most afraid of is twofold: one, misuse of my data by law enforcement agencies, and two, data sharing pertaining to my financial information. The first issue is largely handled by making sure the government is required to get a warrant to obtain any and all data pertaining to U.S. citizens.</p>
<p>The second issue, I feel, is significantly well dealt with by industry.  Perhaps if a standard must be enacted, greater transparency about how our data will be used would be good. But I believe that for now the major players have shown largely good intentions in their usage of our data.</p>
<p><em> &#8211;Byron Acohido</em></p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/facebook-google-users-worry-privacy-security/" rel="bookmark" class="crp_title">Most Facebook, Google users worry about privacy and security</a></li><li><a href="http://lastwatchdog.com/privacy-back-disappearing/" rel="bookmark" class="crp_title">Want your privacy back? Try disappearing</a></li><li><a href="http://lastwatchdog.com/false-fears-spread-track-privacy-mechanism/" rel="bookmark" class="crp_title">False fears being spread about Do Not Track privacy mechanism</a></li><li><a href="http://lastwatchdog.com/call-shared-responsibility-preserving-individual-privacy/" rel="bookmark" class="crp_title">A call for shared responsibility for preserving individual privacy</a></li><li><a href="http://lastwatchdog.com/call-assume-digital-responsibilty/" rel="bookmark" class="crp_title">A call for each of us to assume digital responsibility</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/23-year-olds-perspective-privacy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Why denial of service attacks are harder to detect</title>
		<link>http://lastwatchdog.com/denial-service-attacks-harder-detect/</link>
		<comments>http://lastwatchdog.com/denial-service-attacks-harder-detect/#comments</comments>
		<pubDate>Tue, 13 Sep 2011 22:17:41 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11131</guid>
		<description><![CDATA[Hacktivism has risen to new levels. Members of the hacking co-op Anonymous have gained infamy for disrupting the online operations of companies, such as Visa, PayPal and HB Gary, deemed to be misbehaving. Sony has been bedeviled by denial of service onslaughts and data theft stemming from business practices thought by some to be abhorrent. [...]]]></description>
<content:encoded><![CDATA[<p><em><a rel="attachment wp-att-11144" href="http://lastwatchdog.com/denial-service-attacks-harder-detect/lulzsed_mascot_150px-2/"><img class="alignleft size-full wp-image-11144" title="lulzsed_mascot_150px" src="http://lastwatchdog.com/wp/wp-content/uploads/lulzsed_mascot_150px1.jpeg" alt="" width="150" height="109" /></a>Hacktivism has risen to new levels. Members of the hacking co-op Anonymous have gained infamy for disrupting the online operations of companies, such as Visa, PayPal and <a href="http://lastwatchdog.com/chamber-bofa-deny-ties-hbgary-disinformation-plans/">HBGary,</a> deemed to be misbehaving. Sony has been bedeviled by denial of service onslaughts and data theft stemming from business practices thought by some to be abhorrent. And the<a href="http://lastwatchdog.com/lessons-learned-lulsecs-50-day-hacking-spree/"> antics of the LulzSec</a> hacktivist group have resulted in successful Distributed Denial of Service (DDoS) attacks and data thefts committed against numerous companies.</em></p>
<p><em>In this LastWatchdog guest post, Lori MacVittie, senior technical marketing manager at F5 Networks, describes what operatives who execute successful DDoS attacks are doing to hide their tracks.</em></p>
<div id="attachment_11145" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11145" href="http://lastwatchdog.com/denial-service-attacks-harder-detect/lori-macvittie_175px-2/"><img class="size-full wp-image-11145" title="Lori MacVittie_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Lori-MacVittie_175px1.jpg" alt="" width="175" height="276" /></a><p class="wp-caption-text">MacVittie</p></div>
<p>By Lori MacVittie</p>
<p>In recent years there has been a noticeable increase in the number of attacks motivated by reasons other than monetary gain. The infamous Anonymous group, responsible for a spate of attacks against organizations and government agencies involved in the WikiLeaks incident, has continued to attack sites and organizations as a political statement in what some call “hacktivism.”</p>
<p>It’s become a form of digital protest; an attempt to overwhelm not the physical presence of an organization with bodies and picket signs but instead the digital presence with bits and bytes.</p>
<p>In the past, such attempts required significant resources. Overwhelming even a mid-sized organization’s web presence required thousands of launch points.</p>
<p>Today, overwhelming a website with sheer volumes of traffic is still attempted, but it’s rarely as successful as it once was. Network hardware and security systems today are generally capable of absorbing the barrage of traffic thrown at them during a volumetric DDoS attack.</p>
<p><strong>Attackers adapt</strong></p>
<p>However, digital attackers have adapted. Using knowledge of the software on which websites run and a deep understanding of the protocols – the rules of the digital road – attackers are able to disrupt business with a much smaller digital force than previously required. They&#8217;ve learned to exploit the rules of the road themselves to execute successful attacks with far fewer resources.</p>
<p>This is not good news for businesses trying to avoid outages and associated costs. While it is fairly easy for technology to detect a traditional DDoS based on the characteristics of the data traffic, it is not so simple to identify the more subtle methods used today. Attack traffic no longer looks like an attack; it appears to be legitimate traffic.</p>
<p>What isn’t so easily detected is anomalous client behavior. Such behavior includes a digital version of “ring the bell and run away”, in which the attacker contacts a web site only to disappear: the client begins a connection and never completes or uses it.</p>
<p>Doing this repeatedly on a large scale means the web server is so busy opening the door and searching for who rang it that it simply doesn’t have the resources available to answer the door when a real visitor rings the bell.</p>
<p>A more modern version, prevalent in the successful retributive Anonymous attacks, is even more subtle. The attacker rings the bell and, instead of running, stays and talks – very, very slowly: the client sends its HTTP request a few bytes at a time, just often enough to stay inside the server’s timeouts. The hallmark of the older, more detectable attack is the absence of communication; the modern version instead tricks the web server into believing the attacker is legitimate, leading it to waste time and resources waiting for the attacker to finish his sentence.</p>
<p>Other emerging modern attacks, such as the recent “ApacheKiller,” take an under-the-table approach. Requiring very little traffic, these attacks target vulnerabilities in the web server via the HTTP headers, the data exchanged between the browser and web server about the capabilities of the browser, such as language preferences.</p>
<p>HTTP headers are an integral part of web applications and are generally ignored by most network hardware. Thus a crafted header passes untouched to the web server, where it is evaluated and can ultimately crash the system, causing an outage. This style of attack also appears to be legitimate traffic, but it is designed to cause a service outage with very little effort on the part of the attacker.</p>
<p>Current security measures, such as web application firewalls and application delivery controllers, are capable of detecting and putting an end to these threats. Therefore, the problem isn’t that the technology to head off these attacks doesn’t exist; it’s that businesses need to be more aware of current attack methods and the solutions that exist, to prevent outages and the damage they can cause.</p>
<p><em><strong>About the author: </strong>Lori MacVittie is responsible for outbound marketing, education, and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/denial-service-attacks-harder-detect/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Mobile data still at risk 10 years after 9-11</title>
		<link>http://lastwatchdog.com/mobile-data-risk-10-years-azfter-9-11/</link>
		<comments>http://lastwatchdog.com/mobile-data-risk-10-years-azfter-9-11/#comments</comments>
		<pubDate>Tue, 13 Sep 2011 17:22:53 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11123</guid>
		<description><![CDATA[By Patricia Titus, VP and CISO, Unisys LastWatchdog guest post I recall 9-11 like it was yesterday. I was among a small group of Treasury employees standing in the small fitness center in our office building in downtown Washington, D.C., staring in disbelief at the TV mounted on the wall as we helplessly watched the [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11124" href="http://lastwatchdog.com/mobile-data-risk-10-years-azfter-9-11/911_10thanniversary150px/"><img class="alignleft size-full wp-image-11124" title="911_10thanniversary150px" src="http://lastwatchdog.com/wp/wp-content/uploads/911_10thanniversary150px.jpg" alt="" width="150" height="149" /></a>By Patricia Titus, VP and CISO, Unisys</p>
<p><em>LastWatchdog guest post</em></p>
<p>I recall 9-11 like it was yesterday. I was among a small group of Treasury employees standing in the small fitness center in our office building in downtown Washington, D.C., staring in disbelief at the TV mounted on the wall as we helplessly watched the second plane crash into the second tower. In this room was the Treasury CIO, Jim Flyzik, who would lead us that day and in the many days following this horrific event to increase security and impassion us to use technology to fight for our freedom.</p>
<p>Jim was perhaps unique as a CIO, pushing his staff to use new technology and to find ways to build the security into technology solutions versus bolting it on later. As an IT Specialist working in Jim’s organization, I had been working for several months with two-way pagers and a software virtual private network (VPN) company to add security protocols to these devices. The goal was to allow our employees to communicate in a way similar to what they did with their laptops. Although we were in pilot when the events of 9-11 unfolded, things changed drastically after that day.</p>
<div id="attachment_11125" class="wp-caption alignleft" style="width: 160px"><a rel="attachment wp-att-11125" href="http://lastwatchdog.com/mobile-data-risk-10-years-azfter-9-11/basic-portraits-by-james-b-gardner-2/"><img class="size-full wp-image-11125" title="Basic Portraits by James B. Gardner" src="http://lastwatchdog.com/wp/wp-content/uploads/Patricia-Titus_2010_150px.jpg" alt="" width="150" height="193" /></a><p class="wp-caption-text">Titus</p></div>
<p>After 9-11, the decision was made to use the pager program to assist in secure communications. Normally, encrypted land mobile radio handsets were used during a crisis, but in 2001 these were not available for everyone assigned to the crisis management team. The ease of deployment and ease of use made pagers an easy decision for the CIO staff.</p>
<p>After 9-11, the secure two-way pagers were also used and deployed during the 2002 Salt Lake City Winter Olympics where alternative communications were critical to respond to anticipated crisis scenarios. It was a simple technology then, and the security overlay relatively easy to deploy and manage. The VPN management was server-based, running a central gateway for the pagers to authenticate for identity and access management.</p>
<p>We now have smartphones and tablet PCs, but our security has retained a focus similar to the software VPN that was part of my project back in 2001. The use of public key infrastructure has added a layer of authentication, but its complexity has kept many organizations from adopting the capability. Today there are more companies developing security “bolt-ons” versus devices with security built in.</p>
<p>Consumer technologies that are now pervasive in the marketplace have no better security than they did 10 years ago. There have been advances in third-party security products to add layered security, but we still have vulnerable devices being used throughout our communities and within our organizations. We need to focus on innovation to create devices that have security capabilities that are transparent to the consumers and our employees.</p>
<p>Some organizations address this challenge by using the “sandbox” environment, which basically protects sensitive data within the device and provides a centralized way to manage it. This advancement allows organizations to begin to embrace a “bring your own device” concept, which will integrate consumer technologies into the enterprise.</p>
<p>However, this is enterprise-grade and is not available to the average consumer. There has been some progress with cloud-based security services, but the complexity and cost of these services will likely drive consumers away from using them.</p>
<p>As we approach the end of 2011, not much has been done to enhance the security of consumer-grade devices. This creates a loaded weapon for the criminal element, since many consumers don’t understand the risk they’re taking every time they use these technologies. Hackers and criminals will continue to use these devices to disrupt our lives and steal our identities until we see transparent security built into consumer devices.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/mobile-data-risk-10-years-azfter-9-11/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>DefCon Kids get guidance at Vegas hackers conference</title>
		<link>http://lastwatchdog.com/defcon-kids-guidance-vegas-hackers-conference/</link>
		<comments>http://lastwatchdog.com/defcon-kids-guidance-vegas-hackers-conference/#comments</comments>
		<pubDate>Mon, 08 Aug 2011 21:40:35 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>
		<category><![CDATA[Steps forward]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=10815</guid>
<description><![CDATA[Children 8 to 16 were welcomed for the first time ever at the DefCon hackers conference, held at the Rio hotel in Las Vegas this past weekend. It was part of a series of such confabs organized by Hackid.org. Federal agents spoke to participants of DefCon Kids &#8212; to persuade them that it's cool to [...]]]></description>
<content:encoded><![CDATA[<p><a rel="attachment wp-att-10816" href="http://lastwatchdog.com/defcon-kids-guidance-vegas-hackers-conference/defcon_kids_logo_175px/"><img class="alignleft size-full wp-image-10816" title="DefCon_Kids_logo_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/DefCon_Kids_logo_175px.jpg" alt="" width="175" height="171" /></a><em>Children 8 to 16 were welcomed for the first time ever at the DefCon hackers conference, held at the Rio hotel in Las Vegas this past weekend. It was part of a series of such confabs organized by Hackid.org. Federal agents spoke to participants of DefCon Kids &#8212; to persuade them that it's cool to be a good-guy hacker who helps fight crime. The kids got to participate in hacking exercises and contests. At minimum, each came away with a higher awareness of safety on the Internet, and is now better equipped to be a positive role model for their peers.</em></p>
<p><em> Wolfgang Kandek, chief technology officer of vulnerability management firm Qualys, brought his son, Filipe, 14, with him to Vegas, to participate in DefCon Kids. In this LastWatchdog guest post, dad discloses his big takeaways:</em></p>
<div id="attachment_10817" class="wp-caption alignleft" style="width: 160px"><a rel="attachment wp-att-10817" href="http://lastwatchdog.com/defcon-kids-guidance-vegas-hackers-conference/wolfgang-kandek150px/"><img class="size-full wp-image-10817" title="Wolfgang Kandek150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Wolfgang-Kandek150px.jpg" alt="" width="150" height="192" /></a><p class="wp-caption-text">Kandek</p></div>
<p>By Wolfgang Kandek</p>
<p>My 14-year-old son attended DEFCON this year for the first time and he took part in DEFCON Kids. On Saturday he was in the Social Engineering Capture the Flag (CTF) contest, where he was teamed up with another participant, a 10-year-old, and had to solve a 6-step scavenger hunt. The scavenger hunt involved decryption of secret messages, collection of information from multiple people on the DEFCON show floor and a good dose of critical thinking.</p>
<p>On Sunday he participated in the classroom sessions &#8211; at the end his favorites were &#8220;When you can remember your locker Combination&#8221; by Deviant and &#8220;Coding in Scratch&#8221; by Chris Hoff.</p>
<p>As a parent I loved seeing the interest sparked in my son by the challenges and class interactions. All instructors were extremely competent and focused on the benefits of gaining a real understanding of the technologies involved and when appropriate they discussed the moral and ethical questions involved (i.e. lock picking and social engineering).</p>
<p>As a security professional I see every day how the lack of security knowledge is impacting the computer industry and society in general. I believe initiatives like DEFCON Kids are essential in preparing the next generation for a life in the digital domain.</p>
<p>As a side note: Everybody my son met at DEFCON during the challenges was enthusiastic in helping, and their eyes literally lit up when their assistance was requested in locating somebody or a certain room. While the kids were solving their crypto challenges I was approached by numerous participants who were wondering what was going on, and the most common comment was: Awesome, I will bring my kid next year.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/defcon-kids-guidance-vegas-hackers-conference/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The case for tighter security of all Internet-connected devices</title>
		<link>http://lastwatchdog.com/case-tighter-security-internet-connected-devices/</link>
		<comments>http://lastwatchdog.com/case-tighter-security-internet-connected-devices/#comments</comments>
		<pubDate>Tue, 26 Jul 2011 18:09:46 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=10769</guid>
		<description><![CDATA[The rapid and frenetic shift to commerce built around Internet-connected devices and online services continues to far outpace measured consideration of the profound security and privacy implications for individuals, small businesses and large organizations. We may well be heading for a day when it will be compulsory to use company-issued locked-down devices for connecting [...]]]></description>
			<content:encoded><![CDATA[<p><em> <a rel="attachment wp-att-10771" href="http://lastwatchdog.com/case-tighter-security-internet-connected-devices/android_bomb-2/"><img class="alignleft size-full wp-image-10771" title="android_bomb" src="http://lastwatchdog.com/wp/wp-content/uploads/android_bomb1.jpg" alt="" width="160" height="160" /></a>The rapid and frenetic shift to commerce built around Internet-connected devices and online services continues to far outpace measured consideration of the profound security and privacy implications for individuals, small businesses and large organizations.</em></p>
<p><em> We may well be heading for a day when it will be compulsory to use company-issued locked-down devices for connecting securely to company networks, and separate consumer devices for which we, as individuals, carry the security/privacy burden, as discussed in the exclusive LastWatchdog video, shown below.</em></p>
<p><em> In this LastWatchdog guest essay, Adrian Turner, CEO of device security vendor Mocana, discusses the current state of our exposure in the evolving device-centric universe.</em></p>
<div id="attachment_10786" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-10786" href="http://lastwatchdog.com/case-tighter-security-internet-connected-devices/adrian_turner175px/"><img class="size-full wp-image-10786" title="Adrian_Turner175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Adrian_Turner175px.jpg" alt="" width="175" height="258" /></a><p class="wp-caption-text">Turner</p></div>
<p>By Adrian Turner</p>
<p>For the last 20 years, the dominant security paradigm has been a software package that the user both installs and updates on a PC. Today, that paradigm is dying as the threat landscape greatly expands and attack sophistication increases. Tomorrow&#8217;s security archetype needs to be baked in from the start, taking full advantage of features in silicon, not bolted on as an afterthought. And it must be made contextual and relevant through the active use of cloud services, since one-size-fits-all solutions don’t fit anyone well today.</p>
<p>In 2011 most of the nodes on the Internet are devices, not PCs. In fact, it&#8217;s estimated that there are nearly five times as many devices on the Internet as traditional workstations. The vast majority of these devices are almost totally unsecured, and much more vulnerable to attack than your home PC. Yet these devices often operate in much more critical contexts, like medicine or the electrical grid.</p>
<p>Not surprisingly, attacks on these device nodes are increasing rapidly. Hackers are following the money, and the growing populations of device platforms. Today there are 23 million Android devices, 17 million iPhones, and hundreds of millions of cable boxes and DVRs… and that&#8217;s just consumer devices, a small fraction of the whole. Remember to include office printers, factory robots, building HVAC controllers, networked processors in automobiles, boxes that control large-scale gas, water, and electric utility systems, smart meters that monitor energy consumption within the home, and medical implants within the body. To name just a few.</p>
<p><a rel="attachment wp-att-10772" href="http://lastwatchdog.com/case-tighter-security-internet-connected-devices/mocana_logo-2/"><img class="alignleft size-full wp-image-10772" title="mocana_logo" src="http://lastwatchdog.com/wp/wp-content/uploads/mocana_logo1.jpg" alt="" width="93" height="43" /></a>Effective off-the-shelf security software like the boxes we used to buy at the software store simply isn’t available for any of these devices. And even if it were, a shrink-wrapped device security “app” doesn&#8217;t make sense for the world we&#8217;re now in. What&#8217;s required is a combination of hardware, software and network services. And it&#8217;s not just about protecting the devices, it&#8217;s about protecting the applications and services that run across them. That’s because today&#8217;s networked devices are not &#8220;small versions of PCs,&#8221; they&#8217;re unique, something new.</p>
<p><object id="flashObj" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="425" height="360" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="bgcolor" value="#FFFFFF" /><param name="flashVars" value="videoId=871581328001&amp;playerID=102195605001&amp;playerKey=AQ~~,AAAABvaL8JE~,ufBHq_I6Fnyou4pHiM9gbgVQA16tDSWm&amp;domain=embed&amp;dynamicStreaming=true" /><param name="base" value="http://admin.brightcove.com" /><param name="seamlesstabbing" value="false" /><param name="allowFullScreen" value="true" /><param name="swLiveConnect" value="true" /><param name="allowScriptAccess" value="always" /><param name="src" value="http://c.brightcove.com/services/viewer/federated_f9?isVid=1" /><param name="name" value="flashObj" /><param name="flashvars" value="videoId=871581328001&amp;playerID=102195605001&amp;playerKey=AQ~~,AAAABvaL8JE~,ufBHq_I6Fnyou4pHiM9gbgVQA16tDSWm&amp;domain=embed&amp;dynamicStreaming=true" /><param name="allowfullscreen" value="true" /><embed id="flashObj" type="application/x-shockwave-flash" width="425" height="360" src="http://c.brightcove.com/services/viewer/federated_f9?isVid=1" name="flashObj" allowscriptaccess="always" swliveconnect="true" allowfullscreen="true" seamlesstabbing="false" base="http://admin.brightcove.com" flashvars="videoId=871581328001&amp;playerID=102195605001&amp;playerKey=AQ~~,AAAABvaL8JE~,ufBHq_I6Fnyou4pHiM9gbgVQA16tDSWm&amp;domain=embed&amp;dynamicStreaming=true" bgcolor="#FFFFFF"></embed></object></p>
<p>Smart device security requires special expertise in embedded systems &#8211; there&#8217;s no way around it. There&#8217;s a vast rainforest of platforms, each with its own resource constraints and limitations to consider and there are thousands of unique combinations of OS and CPU. The architecture of these embedded devices is significantly different from the workstations that we have spent the last 20 years trying to secure, so only a small fraction of our cumulative PC learnings can be directly applied to these new environments.</p>
<p>What&#8217;s required is multiple layers of security that go deep, deep down to the silicon, include robust on-platform software, and also stretch high into the cloud for context-specific protections and continuous, up-to-the-second threat updates &#8211; across all device types. No one’s built anything like this yet for devices, but it&#8217;s desperately needed.</p>
<p>Device security that is vigilant, pervasive and essentially invisible will win the day but we’re running out of time. The stakes couldn&#8217;t be higher. Without this solved &#8211; the whole connected device ecosystem has the potential to stall. People will lose confidence to transact through their devices &#8211; or store or view sensitive information on them &#8211; and enterprises will be unable to tie them into business processes in an automated way. What&#8217;s being described here cuts across the entire value chain &#8211; and our networked society at large has a vested interest in making sure every corporate participant is doing their part.</p>
<p><em><strong>About the author:</strong> Prior to founding Mocana, Adrian Turner was responsible for West Coast Business Development and Alliances for Kenamea, an enterprise communication firm. He also developed infrastructure to support Philips Electronics&#8217; connected consumer and business devices. Prior to that, in 1996, Turner launched a network of 225 coin-operated Internet kiosks in the Australian market. He holds a business degree in Marketing and Finance from the University of Technology in Sydney, Australia and has completed the Executive Program for Managing Growth Companies at Stanford University. Adrian is also Chairman of Australia&#8217;s leading international expatriate network, <a href="http://">Advance.</a></em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/case-tighter-security-internet-connected-devices/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

