<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Samurai</title>
	<atom:link href="http://www.thesecuritysamurai.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.thesecuritysamurai.com</link>
	<description></description>
	<lastBuildDate>Wed, 02 May 2012 15:29:17 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Public Cloud Managed Security Is Not An Oxymoron</title>
		<link>http://www.thesecuritysamurai.com/2012/05/02/public-cloud-managed-security-is-not-an-oxymoron/</link>
		<comments>http://www.thesecuritysamurai.com/2012/05/02/public-cloud-managed-security-is-not-an-oxymoron/#comments</comments>
		<pubDate>Wed, 02 May 2012 15:07:55 +0000</pubDate>
		<dc:creator>Samurai</dc:creator>
				<category><![CDATA[PCI]]></category>
		<category><![CDATA[Public Cloud]]></category>

		<guid isPermaLink="false">http://www.thesecuritysamurai.com/?p=289</guid>
		<description><![CDATA[News flash, your cloud servers are probably not secure against Internet-based attacks! OK, not really a news flash, but how many cloud server owners are actually doing something about it? By default they may have little or no network security. A basic firewall is, depending upon your provider, usually the free, included offering (if you [...]]]></description>
<content:encoded><![CDATA[<p>News flash, your cloud servers are probably not secure against Internet-based attacks! OK, not really a news flash, but how many cloud server owners are actually doing something about it? By default they may have little or no network security. A basic firewall is, depending upon your provider, usually the free, included offering (if you don’t have one, please go download Cloud SMS immediately and put a host-based firewall on your systems for free). However, those familiar with network security know that while a firewall is a good first layer of security, it’s rather like locking your doors and windows but leaving one window open to get some fresh air: it is easy to get in once you find the right window. Unfortunately, adding the additional layers of security necessary to actually protect your cloud instances is a real challenge. You have to know what to look for, find multiple vendors to implement it, hope they have an offering that works in the cloud, and then get them all to play nice together. Hit a snag? Which vendor do you call? Don’t have the security expertise or time to implement and run it? What do you do?</p>
<p>As much hype as has been poured into the cloud security model, believe it or not, there aren’t a lot of managed security services available for public cloud infrastructure. There are point solutions here and there. There are models that force users to jump through tons of hoops – shuttle your traffic out of the public cloud to a different provider where you can have an appliance that has a few managed services on it. Or maybe you can use the public cloud and then purchase a Unified Threat Management (UTM) service that you ask the provider to put in for you. There are other variants on the theme, but the point is that securing your public cloud servers is not easy. Nor can you go to a comprehensive managed services provider today and ask them to embed their managed offering into your cloud.</p>
<p>Until now. The hoops, hurdles, and inconvenience change today. We are announcing our <a href="http://www.stillsecure.com/services/cloudsecurity.php">Cloud NSA</a> (Network Security Appliance) – a new version of our network security appliance that is a cloud instance within your public cloud infrastructure. You can now have a managed service built from within rather than tacked on externally. How did we do it? From the inception of the company, StillSecure has been focused on software. While everybody else was focused on creating custom appliances that could “go fast”, we wanted to innovate in software. Go fast in software and be more cost effective, portable, and efficient. That focus has allowed us to deliver our NSA on a variety of hardware platforms, virtualize it, and now deliver it on top of public cloud infrastructure.</p>
<p>We spin up a Cloud NSA alongside your other public cloud instances and from there, we configure and segment your systems so that you can have your own isolated network protected by our Cloud NSA. It’s like getting private cloud protection at public cloud prices. Our device acts as a network gateway, so your security is managed at a single location. That reduces complexity and makes it easier to make sure everything’s properly locked down. You can receive a full complement of our managed services from managed firewall, IDPS, WAF, and log management to PCI Complete, all from within your cloud infrastructure. What you are used to at your home office location, your colocation facility, or your managed / dedicated servers you can now receive in the cloud.</p>
<p>We are incredibly proud of this innovation and believe it will continue to accelerate the adoption of the cloud.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thesecuritysamurai.com/2012/05/02/public-cloud-managed-security-is-not-an-oxymoron/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The StillSecure Security Summit</title>
		<link>http://www.thesecuritysamurai.com/2012/04/20/the-stillsecure-security-summit/</link>
		<comments>http://www.thesecuritysamurai.com/2012/04/20/the-stillsecure-security-summit/#comments</comments>
		<pubDate>Fri, 20 Apr 2012 15:42:18 +0000</pubDate>
		<dc:creator>Samurai</dc:creator>
				<category><![CDATA[Event]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.thesecuritysamurai.com/?p=286</guid>
		<description><![CDATA[These days, no matter where you look, you can find a number of articles highlighting the benefits and issues surrounding cloud security. For many of us, the amount of coverage has become more than a little confusing. It’s hard for many companies, especially SMBs, to determine what security levels are not only good for their [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-287" style="padding: 0px 10px 30px 0px;" title="The Boston Security Summit" src="http://www.thesecuritysamurai.com/wp-content/uploads/2012/04/Boston-Analysts-Event-blog-image-v1.0-2012-04-20.png" alt="" width="300" height="200" />These days, no matter where you look, you can find a number of articles highlighting the benefits and issues surrounding cloud security. For many of us, the amount of coverage has become more than a little confusing. It’s hard for many companies, especially SMBs, to determine what security levels are not only good for their business, but also available to them on a limited budget.</p>
<p>To cut through some of the noise, StillSecure hosted its first annual Security Summit in Boston last week. The event brought together some of the most educated leaders in the space, including analysts, media and senior executives from the cloud security and hosting industries.</p>
<p>These security veterans discussed some of the most pressing issues around data security today, including:</p>
<ul>
<li>Should the government regulate security? Given the number of security breaches, what role (if any) should the government play in regulating data security? Should there be mandates? If the government does step in, how will that impact the hosting/data center space and business strategy?</li>
<li>How to manage virtual desktops with BYOD. How is BYOD affecting the security needs of hosting providers/data centers? How are companies solving these issues?</li>
<li>Security vs. Compliance. Both are drivers within the security space, but which buyers respond to each? How does each drive business in the hosting and cloud spaces?</li>
<li>Cloud Security. How is the data security market changing now that cloud and hosting providers are playing an increasing role in the enterprise? Who is controlling security and what companies are being displaced?</li>
</ul>
<p>This last question seemed to be of real interest to the attendees. However, most agreed that with the rapid adoption of cloud computing, organizations are increasingly comfortable outsourcing any activity they deem &#8220;non-core.&#8221;</p>
<p>It should come as no surprise that cloud security is galloping into the managed services model as well. Companies and organizations want results and a secure infrastructure at a reasonable price. No longer does this equate to an internally owned and operated function. Third parties that can deliver results are not only acceptable, but also preferred when managed services are provided at the levels required for critical business functions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thesecuritysamurai.com/2012/04/20/the-stillsecure-security-summit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Beyond the Firewall: What You Need to Know About Threats and Security in 2012</title>
		<link>http://www.thesecuritysamurai.com/2012/04/12/beyond-the-firewall-what-you-need-to-know-about-threats-and-security-in-2012/</link>
		<comments>http://www.thesecuritysamurai.com/2012/04/12/beyond-the-firewall-what-you-need-to-know-about-threats-and-security-in-2012/#comments</comments>
		<pubDate>Thu, 12 Apr 2012 17:30:42 +0000</pubDate>
		<dc:creator>Samurai</dc:creator>
				<category><![CDATA[Webinar]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[IDPS]]></category>

		<guid isPermaLink="false">http://www.thesecuritysamurai.com/?p=282</guid>
		<description><![CDATA[In the last year and a half, the incidence of cyber theft has surpassed physical theft for the first time in history. This might seem surprising, given the push in recent years to educate consumers and businesses about online safety. But sometimes a little education can be a dangerous thing, causing those who have taken [...]]]></description>
			<content:encoded><![CDATA[<p><a href="https://www3.gotomeeting.com/register/419602726" target="_blank"><img class="alignleft size-full wp-image-283" title="hostway-webinar" src="http://www.thesecuritysamurai.com/wp-content/uploads/2012/04/hostway-webinar.png" alt="" width="300" height="210" /></a>In the last year and a half, the incidence of cyber theft has surpassed physical theft for the first time in history. This might seem surprising, given the push in recent years to educate consumers and businesses about online safety. But sometimes a little education can be a dangerous thing, causing those who have taken basic precautions, like setting up a firewall, to become lulled into a false sense of security. In reality, the security you set up beyond the firewall could mean the difference between a close call and a devastating data breach.</p>
<p>Think of it this way: Your server environment is a casino, and your hardware firewall is the door attendant. As long as a person has ID showing he/she is of age (as long as data appears to be from a safe, legitimate sender), the attendant will let the person in (the data will be delivered to your server). The door attendant does not monitor the person once he or she is inside.</p>
<p>But an Intrusion Detection and Prevention System (IDPS) acts more like a pit boss or eye-in-the-sky, searching among the people who have already gotten in (the data that the firewall has allowed into your server environment) for anyone displaying suspicious behavior. It can act quickly to prevent or react to the threat.</p>
<p>The IDPS is just one element of a complete security package. StillSecure and <a title="Hostway" href="http://www.hostway.com" target="_blank">Hostway</a> will present a free webinar on what you need to know to protect your information from the increased threats you’ll face in 2012. If you’ve been relying on a firewall or aren’t 100% sure your security is as strong as possible, please make plans to attend this free webinar.</p>
<p><strong>Webinar:</strong> Beyond the Firewall<br />
<strong>Date:</strong> Thursday, April 19, 2012<br />
<strong>Time:</strong> 9:00 a.m. – 10:00 a.m. CT<br />
<a href="https://www3.gotomeeting.com/register/419602726" target="_blank"> Register Now</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.thesecuritysamurai.com/2012/04/12/beyond-the-firewall-what-you-need-to-know-about-threats-and-security-in-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Latest in Facebook Phishing</title>
		<link>http://www.thesecuritysamurai.com/2012/02/29/the-latest-in-facebook-phishing/</link>
		<comments>http://www.thesecuritysamurai.com/2012/02/29/the-latest-in-facebook-phishing/#comments</comments>
		<pubDate>Wed, 29 Feb 2012 12:32:32 +0000</pubDate>
		<dc:creator>Samurai</dc:creator>
				<category><![CDATA[Social Media]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[scam]]></category>

		<guid isPermaLink="false">http://www.thesecuritysamurai.com/?p=269</guid>
<description><![CDATA[By Adam Lapay, SOC Analyst In a new article from Kaspersky Lab posted 1/13/12, David Jacoby states that a new, dangerous and extra-crafty phishing scam is propagating through Facebook. Phishing is a method of obtaining usernames, passwords, and credit card information by tricking unsuspecting users into entering this information into an illegitimate, fake website, which [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By Adam Lapay, SOC Analyst</strong></p>
<p><img class="alignleft size-thumbnail wp-image-272" style="padding-bottom: 10px;" title="facebook-logo" src="http://www.thesecuritysamurai.com/wp-content/uploads/2012/02/facebook-logo1-150x150.png" alt="" width="150" height="150" />In a new article from <a href="http://www.securelist.com/en/blog/208193325/Facebook_Security_Phishing_Attack_In_The_Wild" target="_blank">Kaspersky Lab posted 1/13/12</a>, David Jacoby states that a new, dangerous and extra-crafty phishing scam is propagating through Facebook. Phishing is a method of obtaining usernames, passwords, and credit card information by tricking unsuspecting users into entering this information into an illegitimate, fake website that appears nearly identical to the legitimate one. This particular “Last Warning” phishing attempt is a perfect example of one that attempts to steal all of the above.</p>
<p>This particular phishing attack is unique and raises much concern because of its worm-like behavior: it attempts to propagate itself via a compromised account in order to “infect and hijack” other Facebook accounts, instead of merely logging unsuspecting victims’ credentials and/or credit card information on the phishing site.</p>
<p><img class="alignleft size-full wp-image-275" title="facebook-chat" src="http://www.thesecuritysamurai.com/wp-content/uploads/2012/02/facebook-chat1.png" alt="" width="272" height="293" />The first module of this phishing scam starts once an account has taken the bait and its password has been compromised. Using the password the victim provided, the phished account then changes its name to “Facebook Security” and swaps the profile picture for the Facebook logo. Facebook normally blocks any attempt to change a username to “Facebook” or “Security”; however, in this case, since the characters used are special ASCII letters, the change bypasses that blocking security measure.</p>
<p>If you carefully examine “Facebook Security”, you’ll notice that the a, k, s, and t are slightly off!</p>
<p>It then proceeds to send this message to everyone on the contact list, repeating the entire cycle. It states:</p>
<p>“Last Warning: Your Facebook account will be turned off Because someone has reported you. Please do re-confirm your account security by: [URL REMOVED] Thank you. The Facebook Team”</p>
<p>Here is the second, scarier part of the phishing module. It redirects to a site that appears similar to Facebook and asks for a lot of sensitive information which, if filled out, completely compromises the victim’s Facebook account as well as the email account used to log into Facebook.</p>
<p><img class="aligncenter size-full wp-image-277" title="facebook-id" src="http://www.thesecuritysamurai.com/wp-content/uploads/2012/02/facebook-id1.png" alt="" width="550" height="373" /></p>
<p>The second module then continues to take you even further, and asks you for the first 6 digits of your Credit Card:</p>
<p><img class="aligncenter size-full wp-image-279" title="facebook-ver" src="http://www.thesecuritysamurai.com/wp-content/uploads/2012/02/facebook-ver.png" alt="" width="550" height="347" /><br />
And the last part of this phishing scam comes right out with it and asks you for ALL of your credit card information, right down to the last detail:</p>
<p style="text-align: center;"><img class="aligncenter" title="facebook-payment" src="http://www.thesecuritysamurai.com/wp-content/uploads/2012/02/facebook-payment.png" alt="" width="550" height="459" /></p>
<p>In conclusion, you can see that this particular phishing scam is pretty scary. If someone fills these forms out in their entirety, the scammer has every bit of information they need, as well as the entire list of Facebook friends that it could potentially compromise as well. What’s the best way to avoid this? As a general practice, never give out your email and password, and if you must give credit card information, always make sure it’s encrypted and sent over a secure &#8220;https://&#8221; connection.</p>
<p><strong>References:</strong></p>
<ul>
<li><a href="http://www.securelist.com/en/blog/208193325/Facebook_Security_Phishing_Attack_In_The_Wild">http://www.securelist.com/en/blog/208193325/Facebook_Security_Phishing_Attack_In_The_Wild</a></li>
<li><a href="http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf">http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf</a></li>
<li><a href="http://techie-buzz.com/social-networking/facebook-security-phishing-attack.html">http://techie-buzz.com/social-networking/facebook-security-phishing-attack.html</a></li>
<li><a href="http://en.wikipedia.org/wiki/Phishing">http://en.wikipedia.org/wiki/Phishing</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.thesecuritysamurai.com/2012/02/29/the-latest-in-facebook-phishing/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>DDoS with just a click!</title>
		<link>http://www.thesecuritysamurai.com/2012/01/31/ddos-with-just-a-click/</link>
		<comments>http://www.thesecuritysamurai.com/2012/01/31/ddos-with-just-a-click/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 15:42:14 +0000</pubDate>
		<dc:creator>Samurai</dc:creator>
				<category><![CDATA[Vulnerabilities]]></category>
		<category><![CDATA[Anonymous]]></category>
		<category><![CDATA[DDoS]]></category>

		<guid isPermaLink="false">http://www.thesecuritysamurai.com/?p=266</guid>
<description><![CDATA[By Diego Ramirez This past Thursday, one day after the Internet blackout by many major websites in protest of SOPA/PIPA, the US government and its agencies, as part of a larger global crackdown, shut down the popular file sharing site Megaupload. Almost immediately after, hacker group &#8220;Anonymous&#8221; began a large scale DDoS attack directed at [...]]]></description>
			<content:encoded><![CDATA[<p><strong id="internal-source-marker_0.9957419913262129">By Diego Ramirez</strong></p>
<p>This past Thursday, one day after the Internet blackout by many major websites in protest of SOPA/PIPA, the US government and its agencies, as part of a larger global crackdown, shut down the popular file sharing site Megaupload. Almost immediately after, hacker group &#8220;Anonymous&#8221; began a large scale DDoS attack directed at websites of entertainment groups such as the MPAA and RIAA, along with various government sites including FBI.gov, justice.gov, etc&#8230; Although this is not the first time these websites have been attacked by Anonymous, what made Thursday’s attack so very interesting is how they went about it.</p>
<p>In the past, supporters of Anonymous and other groups would download a DDoS client, such as the infamous LOIC (Low Orbit Ion Cannon) or other similar applications, in order to facilitate the DDoS attack. On Thursday we observed links to a site containing JavaScript which acted as the DDoS client, with no configuration and no download required. These links were distributed via social networking sites such as Twitter.</p>
<p><img style="padding-top: 10px;" title="DDoS-image" src="http://www.thesecuritysamurai.com/wp-content/uploads/2012/01/DDoS-image.png" alt="" width="500" height="161" /><br />
<strong style="font-size: 10px;">Image courtesy of <a href="http://nakedsecurity.sophos.com" target="_blank">http://nakedsecurity.sophos.com</a></strong></p>
<p>Some speculate this could be used by participants as a legal defense, where a user would claim that they were tricked into, or inadvertently participated in, the attack without knowing they were doing so. This can indeed be a new way to clickjack someone into participating in a DDoS without knowing it, and it has the potential to make DDoS attacks even more common and far more devastating than they have been in the past.</p>
<p>Sources:</p>
<ol>
<li><a href="http://nakedsecurity.sophos.com/2012/01/20/anonymous-opmegaupload-ddos-attack/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29" target="_blank">Naked Security</a></li>
<li><a href="https://threatpost.com/en_us/blogs/anonymous-changes-ddos-tactics-megaupload-retaliation-012112" target="_blank">Threat Post</a></li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.thesecuritysamurai.com/2012/01/31/ddos-with-just-a-click/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>XO, in combination with StillSecure will be hosting a webinar on WAN Security: Making with Right Choices for an optimized WAN.</title>
		<link>http://www.thesecuritysamurai.com/2012/01/26/xo-in-combination-with-stillsecure-will-be-hosting-a-webinar-on-wan-security-making-with-right-choices-for-an-optimized-wan/</link>
		<comments>http://www.thesecuritysamurai.com/2012/01/26/xo-in-combination-with-stillsecure-will-be-hosting-a-webinar-on-wan-security-making-with-right-choices-for-an-optimized-wan/#comments</comments>
		<pubDate>Thu, 26 Jan 2012 16:39:24 +0000</pubDate>
		<dc:creator>Samurai</dc:creator>
				<category><![CDATA[Managed Services]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Webinar]]></category>
		<category><![CDATA[WAN]]></category>

		<guid isPermaLink="false">http://www.thesecuritysamurai.com/?p=263</guid>
		<description><![CDATA[Security is a crucial component of WAN optimization, but the best way to implement a solid WAN security plan isn’t always clear. Choices abound, including the decision between a premise-based versus a network-based security strategy for your WAN. In this webinar Neil Carter, StillSecure SE, and Dan Toomey, XO Sr. Manager for WAN Solutions and [...]]]></description>
			<content:encoded><![CDATA[<p><a title="XO WAN Webinar link" href="http://ow.ly/8H8gj" target="_blank"><img class="alignleft size-full wp-image-264" title="xo-stillsecure-webinar-icon" src="http://www.thesecuritysamurai.com/wp-content/uploads/2012/01/xo-stillsecure-webinar-icon.png" alt="" width="300" height="210" /></a>Security is a crucial component of WAN optimization, but the best way to implement a solid WAN security plan isn’t always clear. Choices abound, including the decision between a premise-based versus a network-based security strategy for your WAN. In this webinar Neil Carter, <a title="StillSecure" href="http://www.stillsecure.com" target="_blank">StillSecure</a> SE, and Dan Toomey, <a title="XO" href="http://www.xo.com/" target="_blank">XO</a> Sr. Manager for WAN Solutions and Security Services Product Management, will talk about recent trends in WAN security, new threats arising for enterprise WANs, and the best WAN security options for enterprise-wide WAN optimization.</p>
<p>The network landscape is changing rapidly as companies move to a more connected presence across different geographic locations. With this geodiversity come new challenges in network or WAN security. To help support and protect these types of networks, companies must deploy multiple layers of security technology. These layers are necessary because no single security product will fully protect a network. Some of the products used in these situations, like firewalls and IDPS, are not new technologies. Others, while also not new, are not as widely deployed: web and content filtering and web application firewalls. Blending these types of network security products with a managed security service provider is possibly the best way to defend a WAN against attack.</p>
<p>We’re using the hashtag <a href="https://twitter.com/#!/search?q=%23XOComm" target="_blank">#XOComm</a> on Twitter so feel free to join the conversation.</p>
<p>We hope you can join us at 2pm Thursday, January 26. <a title="XO WAN Webinar Link" href="http://ow.ly/8H8gj" target="_blank">Register here for the webinar</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thesecuritysamurai.com/2012/01/26/xo-in-combination-with-stillsecure-will-be-hosting-a-webinar-on-wan-security-making-with-right-choices-for-an-optimized-wan/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>In this edition of “Security Spot” New Year, New Password</title>
		<link>http://www.thesecuritysamurai.com/2012/01/12/in-this-edition-of-security-spot-new-year-new-password/</link>
		<comments>http://www.thesecuritysamurai.com/2012/01/12/in-this-edition-of-security-spot-new-year-new-password/#comments</comments>
		<pubDate>Thu, 12 Jan 2012 20:26:35 +0000</pubDate>
		<dc:creator>Samurai</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[complex password]]></category>
		<category><![CDATA[junk mail]]></category>
		<category><![CDATA[Password Security]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.thesecuritysamurai.com/?p=258</guid>
		<description><![CDATA[By Daniel Cabarcos, StillSecure SOC Analyst I’ve gone through the typical New Year’s resolution of eating healthier and losing some weight gained from the holidays (yes, I blame the last few decades on the holidays), so I decided that this year’s resolution will be to educate my friends and family on some good old information [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-259" title="change-your-password" src="http://www.thesecuritysamurai.com/wp-content/uploads/2012/01/change-your-password.png" alt="" width="340" height="220" /><strong>By Daniel Cabarcos, <br/>StillSecure SOC Analyst</strong></p>
<p>I’ve gone through the typical New Year’s resolution of eating healthier and losing some weight gained from the holidays (yes, I blame the last few decades on the holidays), so I decided that this year’s resolution will be to educate my friends and family on some good old information security. The beauty of this resolution is that something so simple can make such a huge difference all around, and it is something that I know people with an information security mindset take for granted at times. So many thoughts came to mind when I started to think of all the simple steps the average person can take to be more secure this year, which prompted me to realize that I have taken some of these things for granted at times. Now, these things may sound so simple, and yet they can make a monumental impact on a user’s Internet well-being. That&#8217;s why passwords and spam emails are at the top of my list.</p>
<p>I wouldn’t want to count how many times, while helping someone with a computer issue, they would tell me their password and it would be something that a dictionary attack would take seconds to break. I plan to explain to them why passwords should not be a known word, even with a number behind it; not a name with a date; not a password from last month with a 1 added at the end and then the next month a 2, then 3, etc&#8230;; and definitely not “PASSWORD”. I will show them the image below on how long it takes to crack passwords, and while I am aware that the new methods that use a GPU to increase the number of passwords attempted dramatically lower the amount of time needed to crack a password, it would still take about 1 year for a password 8 characters long. So, I plan to explain to them that they should have a password at least 8 characters long with lowercase, uppercase, numbers and symbols. At the same time, we should not be using the same passwords for multiple sites, and should use a program or a phone app to store our passwords. Not a sticky on your desk or monitor or somewhere in the line of sight.</p>
<p><a href="http://www.gadg.com/wp-content/uploads/2011/06/hackers2.jpg" target="_blank"><img class="alignleft size-full wp-image-261" title="Password Hacking Times" src="http://www.thesecuritysamurai.com/wp-content/uploads/2012/01/password-hacking-times.png" alt="" width="550" height="172" /></a></p>
<p style="clear: both;">&nbsp;</p>
<p>Thank goodness for junk mail folders and spam folders, but not all spam emails get caught by the filters in place, and this is where so much damage can take place. A 15 letter password can be compromised with a simple email that has you looking into a fake site. Spam emails come in so many sneaky forms that anyone not paying attention can be caught by them. We have the scams, the adult, financial, stock, pharmaceuticals, phishing, education (diplomas, degrees, certificates and any other type of training programs), replicas (that purse she always wanted), software, gambling, dating, video games and others that have been crafted to steal your information from you and give it to the attacker. The rule of thumb I would explain to my friends and family is that if you do not know who it is from, do not open a link in the email, not a file, not a free something you just won, and not something from some guy across the world who died and just left you all his wealth, and when I said around the world I meant it. Most of the spam comes from other countries and from bot-nets as well. The image below displays statistics for spam sources by country for the week of December 25th.</p>
<p><img class="alignleft size-full wp-image-262" title="SPAM-Sources-Countries" src="http://www.thesecuritysamurai.com/wp-content/uploads/2012/01/SPAM-Sources-Countries.png" alt="" width="550" height="229" /></p>
<p style="clear: both;">&nbsp;</p>
<p>These two policies, if followed, would make life much easier for my friends and family, and also for myself, by not having to fix so many computers and leaving me with much more time for my hobbies. These are simple steps that could help the average person, yet would even help myself and others who take simple security policies for granted. What good is a strong password if your phone has no password on it to access your email, and this goes for the ever-expanding world of tablets as well? The biggest vulnerabilities are usually something simple, and that&#8217;s why they are such a threat. We usually overlook them and/or don’t practice them at all. Following these policies would also make anyone’s place of work much more secure as well. The last thing I would recommend is that if they hear that ABC Company was compromised, to go change their password for that site. So my 2012 New Year’s resolution is to educate my friends and family and make sure I myself follow these policies. Who knows, maybe this year my inbox will have fewer Fwd:Fwd:Fwd:Fwd emails and I will get fewer calls to fix someone’s computer, oh yeah, and lose some weight (another gym membership not used).</p>
<p><strong>References</strong></p>
<ul>
<li><a href="http://www.gadg.com/wp-content/uploads/2011/06/hackers2.jpg" target="_blank">Hack Attack: All You Need To Know [Infograph]</a></li>
<li><a href="http://www.m86security.com/labs" target="_blank">http://www.m86security.com/labs</a></li>
<li><a href="http://en.wikipedia.org/wiki/Password_strength" target="_blank">http://en.wikipedia.org/wiki/Password_strength</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.thesecuritysamurai.com/2012/01/12/in-this-edition-of-security-spot-new-year-new-password/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>In this edition of “Security Spot” Is Your Phone Talking About You?</title>
		<link>http://www.thesecuritysamurai.com/2011/12/29/in-this-edition-of-security-spot-is-your-phone-talking-about-you/</link>
		<comments>http://www.thesecuritysamurai.com/2011/12/29/in-this-edition-of-security-spot-is-your-phone-talking-about-you/#comments</comments>
		<pubDate>Thu, 29 Dec 2011 20:05:45 +0000</pubDate>
		<dc:creator>Samurai</dc:creator>
				<category><![CDATA[In the Wild]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[Carrier IQ]]></category>
		<category><![CDATA[spyware]]></category>
		<category><![CDATA[tapping]]></category>

		<guid isPermaLink="false">http://www.thesecuritysamurai.com/?p=251</guid>
		<description><![CDATA[By Sean Steadman, StillSecure SOC Analyst Currently there is a lot of talk buzzing about smart phones giving away sensitive data without their users' consent. Several cell phone carriers have been monitoring user data with software they install before handing the phone over to their consumers. The software is called Carrier IQ and it tracks [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.thesecuritysamurai.com/2011/12/29/in-this-edition-of-security-spot-is-your-phone-talking-about-you/carrier-iq-blog-img-3/" rel="attachment wp-att-254"><img class="alignleft size-full wp-image-254" style="padding-right: 5px; padding-top: 10px;" title="carrier-iq-blog-img" src="http://www.thesecuritysamurai.com/wp-content/uploads/2011/12/carrier-iq-blog-img2.png" alt="" width="300" height="201" /></a><br />
<strong>By Sean Steadman, StillSecure SOC Analyst</strong><br />
Currently there is a lot of talk about smartphones giving away sensitive data without their users&#8217; consent. Several cell phone carriers have been monitoring user data with software they install before handing the phone over to the consumer. The software is called Carrier IQ, and it tracks the location of the phone, which keys were pressed, which Web pages were visited, when calls were placed, and other information about how and when the device is used.</p>
<p>This was first discovered by Android developer Trevor Eckhart, who noticed his phone had hidden software that phoned home to the carrier. Eckhart found that Carrier IQ can be configured either to be visible to users or to be hidden, which was the case on the HTC phones he analyzed. He also argues that because customers do not give explicit permission for this data collection, do not even know the software is on their phones, and cannot opt out of it, it is a clear privacy violation.</p>
<p>Carrier IQ representatives said that the data carriers collect with the software has a legitimate purpose and is handled responsibly. According to Carrier IQ, the software is designed to help carriers troubleshoot network failures and other problems. One example is learning exactly where a phone call was dropped, which can help a carrier discover network trouble in a geographic area. Information on which keys are pressed and how many times the phone is charged can also provide activity information over the life of a phone, which is important for device manufacturers.</p>
<p>A spokesman for Sprint (one of the many service providers involved) provided a statement about the use of Carrier IQ, but did not say whether customers knew about the data collection or why they can&#8217;t opt out. Here is the Sprint statement:</p>
<div style="padding-left: 40px; padding-right: 50px; display: block;">
<p>&#8220;Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can figure out when issues are occurring. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don&#8217;t provide a direct feed of this data to anyone outside of Sprint.</p>
<p>Sprint maintains a serious commitment to respecting and protecting the privacy and security of each customer&#8217;s personally identifiable information and other customer data. A key element of this involves communicating with our customers about our information privacy practices. The Sprint privacy policy makes it clear we collect information that includes how a device is functioning and how it is being used. Carrier IQ is an integral part of the Sprint service.&#8221;</p>
</div>
<p>At this moment Carrier IQ faces several active lawsuits over the breach of its customers&#8217; privacy. In the end, whether the tool is used for good or evil, they should notify their customers that the software is there and give them the opportunity to opt out.</p>
<p>Curious whether your phone has Carrier IQ? Android users can check out the application called <a href="https://market.android.com/details?id=org.projectvoodoo.simplecarrieriqdetector&amp;hl=en" target="_blank">Voodoo Carrier IQ Detector</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thesecuritysamurai.com/2011/12/29/in-this-edition-of-security-spot-is-your-phone-talking-about-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Zero-day Vulnerability in Adobe Reader and Acrobat:</title>
		<link>http://www.thesecuritysamurai.com/2011/12/20/zero-day-vulnerability-in-adobe-reader-and-acrobat/</link>
		<comments>http://www.thesecuritysamurai.com/2011/12/20/zero-day-vulnerability-in-adobe-reader-and-acrobat/#comments</comments>
		<pubDate>Tue, 20 Dec 2011 18:11:22 +0000</pubDate>
		<dc:creator>Samurai</dc:creator>
				<category><![CDATA[In the Wild]]></category>
		<category><![CDATA[Industry Trends]]></category>
		<category><![CDATA[Vulnerabilities]]></category>
		<category><![CDATA[Zero-Day]]></category>
		<category><![CDATA[Adobe Acrobat]]></category>
		<category><![CDATA[Adobe Reader]]></category>
		<category><![CDATA[Exploit]]></category>
		<category><![CDATA[Mac OS X]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Sykipot]]></category>
		<category><![CDATA[Trojan]]></category>
		<category><![CDATA[Unix]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://www.thesecuritysamurai.com/?p=247</guid>
		<description><![CDATA[By Adam Lapay (SOC Analyst) The IT Security Industry is up in arms with discussions involving a new zero-day vulnerability exploiting Adobe Systems Reader and Acrobat. Identified on 12/6/11, this exploit can be found on almost all platforms of Adobe Reader including:  Windows (9.x) UNIX (9.x) and Reader X for Mac (10.1.1). This new exploit, [...]]]></description>
			<content:encoded><![CDATA[<div><strong><br />
<a href="http://www.thesecuritysamurai.com/wp-content/uploads/2011/12/adobe-logo1.jpg"><img class="alignleft size-medium wp-image-249" title="adobe logo" src="http://www.thesecuritysamurai.com/wp-content/uploads/2011/12/adobe-logo1-253x300.jpg" alt="" width="253" height="300" /></a>By Adam Lapay (SOC Analyst)</strong></div>
<div>
<div>The IT security industry is up in arms over a new zero-day vulnerability in Adobe Systems Reader and Acrobat. Identified on 12/6/11, the vulnerability affects almost all platforms of Adobe Reader, including Windows (9.x), UNIX (9.x) and Reader X for Mac (10.1.1). This new exploit, CVE-2011-2462, has been seen in the wild and was reported by the Lockheed Martin Computer Incident Response Team. The vulnerability, which so far has only been used against defense firms, is triggered when a remote attacker creates a malicious PDF containing a U3D object (a three-dimensional image embedded in the PDF) that causes a memory corruption error. This allows the attacker to execute arbitrary code stored in the PDF with the current user's privileges. In its most recent form, Symantec states, the flaw is being used to install the Sykipot Trojan, which opens a backdoor on any compromised host.</div>
<div>At the moment, Adobe is aware of the issue and will have a fix for Reader and Acrobat for Windows the week of December 12th. Unix and Mac users will have to wait until the next quarterly security update from Adobe, scheduled for early January 2012. In the meantime, using Reader and Reader X in Protected Mode offers the only protection against the exploit.
</div>
<div>
<b>Sources:</b><br />
<a href="http://www.securityweek.com/researchers-confirm-attackers-targeted-defense-firms-adobe-reader-zero-day" target="_blank">http://www.securityweek.com/researchers-confirm-attackers-targeted-defense-firms-adobe-reader-zero-day</a><br />
<a href="http://securitytracker.com/id/1026376" target="_blank">http://securitytracker.com/id/1026376</a><br />
<a href="http://www.adobe.com/support/security/advisories/apsa11-04.html" target="_blank">http://www.adobe.com/support/security/advisories/apsa11-04.html</a><br />
<a href="http://www.techspot.com/news/46561-hackers-exploit-zero-day-vulnerability-in-adobe-reader-and-acrobat.html" target="_blank">http://www.techspot.com/news/46561-hackers-exploit-zero-day-vulnerability-in-adobe-reader-and-acrobat.html</a>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.thesecuritysamurai.com/2011/12/20/zero-day-vulnerability-in-adobe-reader-and-acrobat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don&#8217;t get &#8220;pwned&#8221; for the Holidays</title>
		<link>http://www.thesecuritysamurai.com/2011/12/09/dont-get-pwned-for-the-holidays/</link>
		<comments>http://www.thesecuritysamurai.com/2011/12/09/dont-get-pwned-for-the-holidays/#comments</comments>
		<pubDate>Fri, 09 Dec 2011 19:13:24 +0000</pubDate>
		<dc:creator>Samurai</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.thesecuritysamurai.com/?p=245</guid>
		<description><![CDATA[by Diego Ramirez SOC Analyst During the Holidays many of us will be traveling, telecommuting and visiting with friends and family. More often than not, we use and rely on free Wi-Fi to do a variety of tasks from checking that email from the office to using social networking to keep in touch with everyone. [...]]]></description>
			<content:encoded><![CDATA[<p><strong>by Diego Ramirez SOC Analyst</strong></p>
<p>During the holidays many of us will be traveling, telecommuting and visiting with friends and family. More often than not, we use and rely on free Wi-Fi for a variety of tasks, from checking that email from the office to using social networking to keep in touch with everyone. As we use free public Wi-Fi at hotels, our favorite coffee shops and our regular haunts, it is good to remember how prone Wi-Fi is to a variety of hacks and man in the middle attacks. Below we will discuss what a basic man in the middle attack is and some ways to protect oneself and to limit what data is exposed.</p>
<p><strong>The Basics of a Wi-Fi Man in the Middle attack.</strong><br />
So when you go to a coffee shop, for example, and sit down for a cup of coffee, most of the time they have free Wi-Fi. You go to your Wi-Fi settings, see &#8220;CoffeeShopWifi&#8221;, click connect, and you are enjoying access to the Internet. You may do the same thing at hotels or in the airport to connect to their Wi-Fi offerings. The name you see when you connect is called an SSID, and it&#8217;s simply a label that tells one wireless network from another. In a man in the middle attack, the attacker sets up a Wi-Fi appliance with the same SSID as a legitimate access point. In our coffee shop example the attacker would configure his rogue appliance&#8217;s SSID as &#8220;CoffeeShopWifi&#8221;, tricking computers and people into connecting to the rogue access point instead of the legitimate one. The attacker still provides you with Internet access, but at this point can see all of your traffic as it traverses their appliance. That is your very basic man in the middle attack. Any traffic sent in clear text, such as SMTP, POP3, HTTP, etc., can be read, so they can see what you&#8217;re doing, where you are going on the Internet, and whatever information you put out. You may say &#8220;I don&#8217;t even need to connect to Wi-Fi, it just connects&#8221;. Well, that is even worse, since it is even simpler to get you onto a rogue hotspot. There are even techniques to force a Wi-Fi connection to drop; since auto-connect only checks the SSID name, your device can then reconnect to a rogue Wi-Fi network without your ever knowing it. Once an attacker has Wi-Fi users in a man in the middle position, other techniques can serve you false DNS records, redirecting you to dummy websites that try to record your user names and passwords, or get malware or viruses inadvertently installed on your machine so that it can be accessed later.</p>
<p><strong>Prevention:</strong><br />
Because of the basic way Wi-Fi works, it is hard to stop these man in the middle attacks; generally you don&#8217;t even know they are happening. There are, however, a variety of ways you can keep your laptop or device secure.</p>
<p><strong>Software Firewall:</strong><br />
Most modern operating systems come with a basic firewall that blocks unsolicited inbound connections. When you are using public Wi-Fi it is especially important to keep it turned on.</p>
<p><strong>HTTPS vs. HTTP:</strong><br />
HTTPS provides point-to-point encryption between you and a website. As security becomes more of a focus for high-profile websites, many of them now provide HTTPS versions of their sites, so even during a man in the middle attack that traffic stays encrypted and thus safe. Most banks and financial institutions have SSL enabled by default. Many webmail solutions and commerce sites also now make HTTPS the default for payment. Social network sites such as Twitter, Facebook, and Google+ all offer it as well, but not all by default. There are &#8220;add-ons&#8221; or extensions for your browser of choice that can help with this. If you use Firefox, the <a href="https://www.eff.org/https-everywhere" target="_blank">Electronic Frontier Foundation</a> has an extension called <a href="https://www.eff.org/https-everywhere" target="_blank">HTTPS Everywhere</a> which forces HTTPS wherever it can. On Chrome, <a href="https://chrome.google.com/webstore/detail/beaholcfmnpbabojbldnhlikfmnjmoma" target="_blank">HTTPS Enforcer</a> and <a href="https://chrome.google.com/webstore/detail/flcpelgcagfhfoegekianiofphddckof" target="_blank">KB SSL Enforcer</a> try to do a similar thing, but sadly not as well as the Firefox extension. This will not hide everything from someone who has you in a man in the middle attack, but it keeps the more sensitive data from appearing in clear text in a packet capture or dump. If they also try any sort of DNS name spoofing, though, all bets are off.</p>
<p><strong>VPN</strong><br />
If you have a VPN and it&#8217;s configured correctly, you can use the VPN connection to surf the web anonymously and also fully encrypted from your computer to wherever your VPN terminates. So when you are the victim of a man in the middle attack, they can never see what you are doing; all they will see is encrypted traffic. If your company doesn&#8217;t provide VPN access, there are a variety of third-party companies that sell VPN services one can subscribe to for this very purpose. They have VPN endpoints spread around the country, or in some cases around the world, which you can connect to in order to encrypt and even privatize your web queries. This creates a VPN session you can safely surf the web through, even in public Internet environments.</p>
<p><strong>Turn off Wi-Fi auto-connect</strong><br />
This is the most annoying change, yet one of the best tips to prevent getting caught in a man in the middle attack: turn off Wi-Fi auto-connect. This is the handy feature where your computer remembers the Wi-Fi networks you connect to and joins known hotspots automatically. The downside is that it will always connect to any Wi-Fi network with the same SSID or network identifier. So in our coffee shop example, if you go there regularly you will always connect automatically to that SSID, whichever access point is broadcasting it. If you have to pick and choose every time you want to connect, you are forced to look, and if you see multiple &#8220;Coffee_Shop_Wifi&#8221; SSIDs, for example, you might be seeing one legitimate and one rogue network, and you may reconsider connecting at all. Disabling auto-connect varies from system to system, but it comes highly recommended.</p>
<p><strong>Final thoughts</strong><br />
One thing about these sorts of man in the middle attacks is that they are platform agnostic. There is no safe bet when it comes to them, but with a little preparation it is very easy to defend and protect yourself from these attacks, or at least make any intercepted data useless. So don&#8217;t be afraid, just stay informed and prepared.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thesecuritysamurai.com/2011/12/09/dont-get-pwned-for-the-holidays/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>