RiskBloggers.com


The Hacker Career Path

This story briefly details the corporate spying case brought against News Corp by Dish, a satellite TV competitor. News Corp hired hackers, ostensibly to secure its own network; however, one of them infiltrated Dish’s network and stole intellectual property. A News Corp exec being deposed admits keeping the hacker employed for six years after being informed of the criminal activity, which of course means the exec likely ordered the hit.

I would launch into my usual lecture that the hacker who claims to be crossing over to the good side is a myth belonging in the dustbin of history, except that the situation above involves a company subsidizing the criminal behavior. Hopefully this won’t be treated any differently than the culpability a corporation faces when the CFO cooks the books.

It is clear that talented hackers are highly coveted and have many illicit options to monetize their skills.  It is too bad that legitimate companies are among the illicit options.


Year of the Olympic-sized R4t?

By Jim Reavis

That poor Olympic torch has never had it so bad. It has been getting more attention than Britney Spears on a cigarette run, and it isn’t even safe in a wheelchair. Much of the world, of course, is outraged over the unrest in Tibet and the Chinese government’s tactics.

At the same time, in our little parallel universe of information security, we see an ever growing sophistication in a wide variety of attacks coming from the East. DDoS attacks are pretty effective; take a look at this attack launched against SlideShare. And of course, CNN was targeted 2 weeks ago. There has been a spate of infected USB devices: thumb drives, hard drives, even digital picture frames that were manufactured in China. The private groups that I belong to have been busy cataloging all types of malware, botnets, SQL injection attacks, infected websites and those dangerous parts of the net enabling the badware, what I call the IISPs (Illicit Internet Service Providers). I talk to my friends with real jobs protecting real websites and they all have the same “whack-a-mole” story: block a Chinese net range, wait a few minutes to a few hours, and the badware is back.

Yeah, I know, I am sounding like an unoriginal broken record, many of you know this stuff already. But, what I want to know is, are we leveraging some predictive analytics to forecast how these scenarios are going to be playing out this year? How bad can it get? From a technology perspective, the artillery pieces are being lined up. There is no reason to expect anything other than an escalation in tensions in Tibet through the Olympics in August. An opening ceremonies boycott has been a political football in US presidential politics. I am really not here to talk about the politics, but even Democracy Jim can understand how a few million Chinese might get a little upset at one of their own being jostled in her wheelchair.

Political leaders, protesters and everyone can do what they think is right. And so should CISOs. We might want to think about how these scenarios might play out and how to be ready for them. As nice as August can be, I don’t think I would want my top incident response people taking extended vacations this year.


Obama Campaign Site Hacked

Apparently a cross-site scripting bug in the community blogs section of Senator Obama’s website was exploited by a hacker, redirecting visitors to Senator Clinton’s website instead. Cross-site scripting is old and lame, but as we know there are a lot of vulnerable sites still out there. This is boring news, I was just looking for an excuse to post this picture:

[Picture: candidates]
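The post does not say how the bug on the campaign site actually worked, so the following is an added example (not code from the site or from the original post) of the general pattern behind a stored cross-site scripting redirect: untrusted blog-comment text pasted into HTML without escaping, shown beside the hardened renderer. The comment text, author name and URLs are constructed for the example; the `javascript:` check is included because escaping alone does not protect an `href`.

```python
"""Stored XSS in a blog-comment renderer: vulnerable and hardened side by side.

Added example, not the campaign site's code. The attacker comment below is
constructed; it is the classic "redirect every visitor" payload.
"""
from html import escape
from urllib.parse import urlparse

# Constructed attacker-supplied comment: script that sends the visitor elsewhere.
EVIL_COMMENT = "<script>window.location='http://attacker.example/'</script>"


def render_comment_vulnerable(author, body):
    """String concatenation: whatever the commenter typed becomes page markup."""
    return "<div class='comment'><b>" + author + "</b>: " + body + "</div>"


def render_comment_safe(author, body):
    """Escape every untrusted value; quote=True also covers attribute context."""
    return "<div class='comment'><b>{}</b>: {}</div>".format(
        escape(author, quote=True), escape(body, quote=True)
    )


def safe_link(url):
    """Escaping does not neutralize javascript: or data: URLs inside href.
    Allow only http(s) and then escape for the attribute context."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return "#"
    return escape(url, quote=True)


def render_author_link(author, homepage):
    """Author name in text context, homepage in attribute context."""
    return '<a href="{}">{}</a>'.format(safe_link(homepage), escape(author, quote=True))


def has_script_tag(html_fragment):
    """Crude indicator used only to contrast the two renderers."""
    return "<script" in html_fragment.lower()


if __name__ == "__main__":
    print(render_comment_vulnerable("anon", EVIL_COMMENT))
    print(render_comment_safe("anon", EVIL_COMMENT))
    print(render_author_link("anon", "javascript:alert(document.cookie)"))
```

Run stand-alone it prints the verbatim script tag from the vulnerable renderer and the `&lt;script&gt;` text from the safe one. Note the split: output encoding for text and attribute contexts, plus scheme validation for anything that ends up in a URL attribute.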


U.S. Government under Siege

I was forwarded this BusinessWeek article by a CISO, which I missed as I was at RSA when it came out.  It is one of the better articles detailing the increase in hack attacks on the U.S. government, including sensitive installations.  Espionage is exploding, and the techniques that are successful, such as spear phishing, will look very familiar to those in the private sector. 


Don’t Grab the Soap, Vladuz

By Jim Reavis 

The criminal who has been terrorizing eBay users for several years has been apprehended.  It took many years of work, but Romanian authorities and the FBI collaborated to bring Vladuz to justice.  This is by far the greatest problem with information security - bad guys need to go to jail.  From my front row seat I have seen the ups and downs, thank you eBay for taking a stand and getting the job done.


The RSA Hangover

By Jim Reavis

I always try to plan a nice quiet week in the office after the RSA Conference and I am almost feeling back to my normal self.  When I was sitting in the bar at the W with a colleague on the Sunday before the conference started, another friend came up to us and asked us how long we had been in San Francisco.  “5 beers ago”, my colleague said.  Well, more than 5 beers later, here are some of my more memorable personal moments:

The Olympic Torch.  Who is responsible for this scheduling snafu, taking press away from Art Coviello?  A friend of mine went out to watch the torch go by, figuring that, controversy aside, this is an historic moment.  He recounted standing next to two protestors, one of whom was weary of the delays, asking his fellow agitator, “Do you want to keep protesting, or do you want to have lunch?”.  Lunch won.

Craig Mundie.  I enjoyed the End to End Trust keynote from Microsoft’s Chief Research and Strategy Officer, delivered fireside chat style with ACS CISO Chris Leach.  Mundie’s folksy, pragmatic view of privacy and strategy was interesting, and he showed humility in the face of the daunting challenge of E2E.  It is a big ship to turn around, but Mundie explained that MS has been working from the bottom up - you cannot argue with the progress made at the lower layers.  I also ran into several great security experts from Microsoft who told me a few years ago they would never work there.

GRC.  The Governance, Risk & Compliance “buzz-acronym” was bigger than I expected.  When you looked at the sessions beforehand, there was nary a mention of it, but it seemed every session referenced it, not to mention it being all over the show floor.  I guess it makes sense when you figure sessions were nailed down several months ago.  A CISO on my compliance panel put the concept of GRC best when he said he uses risk management to turn tens of thousands of vulnerabilities into just a few hundred that must be remediated for compliance reasons.

MSSPs are getting some scale.  I was pretty impressed by how much business the MSSPs have been pulling down in the last 12 months.  There is still a little too much compliance checklist services vs making organizations more secure, but you have to give the customer what they are looking for.  On a bizarre and twisted note, I ran into a former employee of an MSSP named Breakwater that I used to consult for a few years ago, and he told me that one of our colleagues there became a mass murderer.  For the record, I do not believe that managed security makes you crazy, but on the other hand I never had to wear a pager tied to an improperly tuned IDS.

Best Party.  I didn’t go to any parties, but I heard that Greylock’s had the best networking and McAfee’s was the most fun.

Michael Chertoff.  He seems sincere that it is different now at DHS, and the focus on cybersecurity is real.  The appointment of wiki guru Rod Beckstrom as the cyber leader is certainly interesting and I hope he brings some changes, but if Beckstrom doesn’t last, he won’t be the first entrepreneur who got frustrated by the DHS red tape.

Al Gore.  I had to catch a plane Friday and missed his closing keynote, but I did notice it was about 10 degrees warmer than Thursday, so I guess that was good for him.


What’s Wrong with Firewalls?

By Jim Reavis

I am just posting some quick thoughts on our first two Firewall 2.0 Focus Groups, I will have more to say later:

  • Everyone agrees that the firewall as currently constituted is providing minimal value. Everyone has built a ton of “helpers” around it that are doing most of the security work.
  • By and large, there is no visibility into what is leaving the network tunneled over port 80. We need reporting that explains what applications are really being used, and by whom.
  • Once an internal PC is “owned”, that outbound port 80 connection is possibly an “outside-in” attack (the attacker’s command channel), so it isn’t just DLP we are worried about.
  • We need to move from port/IP address rules to true application/user (authenticated/identified/located) rules. Eons ago ports were supposed to represent applications, but that train left the station a long time ago.
  • Virtualization. We are building the new mainframe, and applications will be communicating through the virtual backplane. Whatever firewall enhancements we make need to secure that backplane, because we can’t force traffic out of the virtual mainframe just so network security devices can manage it.
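As an added example (not from the focus groups or from any vendor product) of the visibility the second and third points ask for, the script below labels what protocol is really inside each outbound port-80 flow from the first bytes the client sent, then summarizes by user and flags anything on port 80 that is not plain HTTP. It assumes a capture or proxy export can supply the opening client bytes of each flow; the flow records, user names and addresses are constructed samples.

```python
"""Egress visibility for port-80 flows: label the real application from the
first client bytes, report per user, flag non-HTTP on port 80.

Added example, not the focus group's or any product's code. Assumes each
outbound TCP flow is exported as (user, src_ip, dst_ip, dst_port, first bytes);
the records below are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed flow records: (user, src_ip, dst_ip, dst_port, first client bytes)
SAMPLE_FLOWS = [
    ("alice", "10.0.0.21", "93.184.216.34", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    ("bob",   "10.0.0.22", "203.0.113.7",   80, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x01"),
    ("carol", "10.0.0.23", "198.51.100.9",  80, b"SSH-2.0-OpenSSH_4.7\r\n"),
    ("bob",   "10.0.0.22", "203.0.113.7",   80, b"CONNECT 203.0.113.7:443 HTTP/1.1\r\n"),
    ("dave",  "10.0.0.24", "198.51.100.44", 80, b"\x13BitTorrent protocol\x00\x00\x00\x00"),
    ("alice", "10.0.0.21", "192.0.2.15",    80, b"\x00\x00\x00\x2a\xff\x53\x4d\x42\x72"),
    ("erin",  "10.0.0.25", "203.0.113.80",  80, b"POST /upload HTTP/1.1\r\nHost: cdn.example.net\r\n"),
]

# A real HTTP request line: method, target, version, end of line.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE) \S+ HTTP/1\.[01]\r?\n")


def classify(first_bytes):
    """Return an application label for the opening client bytes of a flow."""
    if first_bytes.startswith(b"CONNECT "):
        return "http-connect-tunnel"   # proxy tunnel: opaque once the 200 comes back
    if HTTP_REQUEST.match(first_bytes):
        return "http"
    # TLS record: type 0x16 (handshake) then version 0x03 0x00..0x03
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03:
        return "tls"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    return "unknown"


def analyze(flows):
    """Return (per_user, suspicious).

    per_user maps user -> Counter of application labels.
    suspicious lists every port-80 flow whose content is not plain HTTP,
    which is the "owned PC talking out over 80" case.
    """
    per_user = defaultdict(Counter)
    suspicious = []
    for user, src, dst, dport, first_bytes in flows:
        label = classify(first_bytes)
        per_user[user][label] += 1
        if dport == 80 and label != "http":
            suspicious.append((user, src, dst, label))
    return per_user, suspicious


if __name__ == "__main__":
    per_user, suspicious = analyze(SAMPLE_FLOWS)
    for user in sorted(per_user):
        print(user, dict(per_user[user]))
    print("non-HTTP on port 80:")
    for rec in suspicious:
        print("  ", rec)
```

Two design notes: the CONNECT case is separated because a proxy-style tunnel is legitimately opaque after the handshake, so it needs a destination/user policy rather than content inspection; and the TLS case is what the "SSL session from accounting to Bulgaria" looks like on the wire, which is why the report is keyed by user as well as by application.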

There are several other recommendations I will document later. A few well-meaning people have posted that this focus group idea isn’t worthwhile and that we need to focus on OWASP and securing applications. Guys, I get the importance of that, I did a ton of work for SPI Dynamics for 5 years. However, it isn’t an either/or proposition. Securing apps is crucial, but what about the SSL session from accounting to Bulgaria? Don’t we at least want to try to understand how badly we are owned? It is about layered defenses and I think giving our network ingress/egress points 20/20 vision is worth at least attempting. No, it’s not just a network problem, but it is a big part of the problem.


Vishing Incidents: A Preview of the Road Ahead

By Jim Reavis

Take a look at this posting by Brian Krebs at the Washington Post, “Anatomy of a Vishing Scam“.  Krebs details some recent vishing (voice phishing) attacks against cell phone users.  Phony text messages purportedly from the cell subscriber’s bank alert the user that their account has been suspended due to fraudulent activity, and they immediately need to call an 800 number to reactivate the account.  Of course when they call the number, the automated attendant drains them of all their account information, including PINs.

I’ll bet anything that a lot of the victims of this scam are the same people that know better than to fall for phishing emails.  However, an old attack coming from a new attack vector can be vexing and no doubt has an increased success rate.  When you consider that the area codes by and large are still associated with a particular geography, you have the ability to launch locale-relevant attacks, and I think this type of scam is ready to erupt.

Remember the Do Not Call Registry? That is completely irrelevant here: medium-sleazy telemarketers vs ultra-sleazy organized crime.  The VoIP technology the Vishers can hide behind is so slick that you can’t catch them and they will only get better at impersonating someone you trust.  I am waiting for the Visher that texts me from my wife’s mobile number needing the credit card number.  Although as the old joke goes, if the bad guy spends less than my wife, maybe I won’t care.

Email is a real pain with 90% of the messages being spam.  What is life going to be like when cell phones are equally useless?