Admins Grapple With Shadow Tech

If you want to see an IT pro twitch, bring up Shadow IT in a conversation.

“Shadow IT” is a term applied to technology deployed by an organization’s users outside the purview of the IT department. It’s bothersome to system shepherds because it can open up an organization to data leakages. It’s also growing.

“A few years ago, we were looking at hundreds of applications in a business environment,” Frank Cabri, vice president of marketing forSkyfence, told TechNewsWorld. “Today, we’re looking at thousands.”

Driving the creation of shadow apps is their broad adoption by employees who are looking for ways to increase their productivity but aren’t getting them fast enough from IT.

“Employees are thinking only about how to get their tasks done,” Cabri explained, “while IT’s job is to not only think about getting a job done but how to do it in a safe and secure manner.”

Many Shadow IT programs run in the cloud, but all clouds are not created equal.

“Not every cloud provider takes the same approach to operational security,” Cabri said. “That means they could have weak links, and your company’s data could be residing in places that don’t meet your security standards.”

Free App

To help administrators get a better handle on the use of Shadow IT within their organizations, Skyfence has bundled some of the components of its paid security offering — Skyfence Cloud Discovery — into a free product that can be downloaded and run locally.

“That’s important, because the tool imports log files from perimeter security devices,” Cabri explained.

The app supports the importation of logs from a number of popular perimeter offerings, such as Checkpoint, Palo Alto Networks, Blue Coat proxy and Squid, as well as the ability to create a custom format.

The discovery app, which runs on both Windows and OS X systems, scans the log files for apps and matches them to a risk database maintained by Skyfence. The resulting report gives administrators a snapshot of Shadow IT use on their systems.

“The information can be used as a basis for a dialog with their lines of business and IT colleagues about what to do next about the situation,” Cabri said.

Enormity of Heartbleed

If there were any uncertainty about how fast and hard online marauders tried to exploit the Heartbleed vulnerability in OpenSSL’s libraries, a report from IBM’s X-Force team should put those doubts to rest. On a single day, April 15, IBM identified more than 300,000 attacks on its Managed Security Services customers within a 24-hour period, or 3.47 attacks per second.

“Heartbleed is the biggest vulnerability we’ve seen this year in terms of size and impact,” Michael Hamelin, lead X-Force security architect for IBM Security Systems, told TechNewsWorld.

What’s surprising about Heartbleed is the damage it caused, given its Common Vulnerability Scoring System rating of 5.0 — a middle of the road severity ranking.

“Even though it was a medium vulnerability, it created quite a bit of havoc because it allowed scraping of user names and passwords of logged in users,” Hamelin said.

In addition, since OpenSSL is an open source program, it was widely used in a variety of ways. That made patching the vulnerability even more difficult.

“There are lots of commercical products that use OpenSSL, and there are lots of embedded devices that use it, so there wasn’t one place to get a patch,” Hamelin explained.

“The OpenSSL libraries were patched quickly, but every vendor has their own patch cycles to go through,” he noted, “so hundreds of vendors had to be approached for patches.”

Loose Lips Sink Hacker

Shortly after South Korean authorities last week reported a data breach affecting more than half the population of their country, 16 people allegedly behind the caper were arrested. Some 220 million records maintained at a number of movie ticket purchasing and gaming sites for 27 million Koreans were stolen by the hackers.

One arrestee, identified by police as “Kim,” bought stolen credentials of South Koreans from a Chinese hacker and used them to siphon US$394,000 from user accounts at six online Korean game sites. He also resold some of the credentials to other hackers, which turned out to be Kim’s undoing.

“His arrest was no doubt either because one of his associates decided to brag about the attack or otherwise failed to ensure their communications were secure when speaking about the attack and therefore gave the authorities a way in,” Adam Kujawa, a malware analyst with Malwarebytes, told TechNewsWorld.

“This is the most common way that cybercriminals get caught worldwide,” he added.

Breach Diary

• Aug. 26. Dairy Queen confirms it has been notified by U.S. Secret Service of suspicious activity on fast food chain’s network related to Backoff malware used to compromise point-of-sale systems at more than 1,000 U.S. retailers.
• Aug. 26. Class action lawsuit filed in Alabama against Community Health Systems for data breach that placed at risk personal information of some 4.5 million people across the United States.
• Aug. 27. Imhoff & Associates, a California law firm, reports personal information, including Social Security numbers, of an unspecified number of people at risk following the theft of a hard drive from the locked trunk of an employee’s car on June 27.
• Aug. 28. FBI confirms it is working with the U. S. Secret Service to determine the scope of reported cyberattacks against several American financial institutions. Earlier in the week, it was reported one of those banks was JPMorgan Chase.
• Aug. 28. Tri-City Medical Center in California informs more than 6,000 patients their medical records are at risk after they were removed from the facility without authorization.
• Aug. 28. Summit County (Utah) Fair officials report data breach affecting an undisclosed number of ticket buyers to rodeo and demolition derby held at the fair.
• Aug. 28. Anti-Phishing Working Group reports the number of worldwide phishing attacks during the second quarter of this year — 128,378 — was the second-highest ever recorded by the organization since it began tracking the activity in 2008.
• Aug. 28. Aorato releases “The Untold Story: The Target Attack; Step-by-Step.” a comprehensive report on last year’s data breach that resulted in the theft of personal and payment card information of more than 110 million customers.
• Aug. 29. JPMorgan Chase notifies Louisiana authorities that personal information of people issued debit cards by three of the state’s agencies through the bank is at risk due to compromise of the financial institution’s computer systems.

Upcoming Security Events

• Sept. 5-6. B-Sides Ottawa. Ben Franklin Place, 101 Constellation, Ottawa, Canada. Free with registration.
• Sept. 6-7. B-Sides Dubai. Move n Pick Jumeirah Hotel, Dubai. Free.
• Sept. 8-9. The Privacy Security Forum: Protecting Data Assets and Managing Risks. The Westin Hotel Waterfront, Boston. Registration: $750, healthcare providers and payers; $950, all others.
• Sept. 9-10. Detroit SecureWorld. Ford Motor Conference & Event Center, 1151 Village Road, Dearborn, Michigan. Registration: $695, two days; $545, one day.
• Sept. 9-10. RSA Global Summit. Marriott Marquis, Washington, D.C. Registration: before Sept. 8, $745; online, $895; government, $545.
• Sept. 11-12. B-Sides Los Angeles. Dockweiler Youth Center and Dockweiler State Beach, Los Angeles. Free.
• Sept. 12. Suits and Spooks London. Blue Fin Building, Southwick, London, UK. Registration: Pounds 200.
• Sept. 13. B-Sides Memphis. Southwest Tennessee Community College, 5983 Macon Cove, Memphis, Tennessee. Free.
• Sept. 13. B-Sides Augusta. Georgia Regents University, Science Hall, 2500 Walton Way, Augusta, Georgia. Free.
• Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, California.
• Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
• Sept. 22. Cyber Intelligence Europe 2014. Renaissance Brussels Hotel, Rue du Parnasse 15, 19, 1050 Brussels, Belgium. Registration: 600-850 euros, military and public sector; 1200-1700 euros, private sector.
• Sept. 23. Linking Enterprise and Small Business Security to Shore up Cyber Risks in the Supply Chain. 11 a.m. ET. InformationWeek webinar. Free with registration.
• Sept. 23-24. St. Louis SecureWorld. America’s Center Convention Complex, 701 Convention Plaza, St. Louis. Registration: $695, two days; $545, one day.
• Sept. 23-24. APWG eCrime Researchers Symposium. DoubleTree by Hilton Hotel Birmingham, 808 South 20th St., Birmingham, Alabama. Registration: before Sept. 2, $400; after Sept. 1, $500.
• Sept. 26. B-Sides St. John’s. Uptown Kenmount Road, St. John’s Newfoundland and Labrador. Free.
• Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.
• Sept. 29-Oct. 2. ASIS 2014. Georgia World Congress Center, Atlanta. Registration: exhibits only, free; before August 30, members $450-$895, non-members $595-$1,150, government $450-$895, spouse $200-$375, student $130-$250; after August 29, member $550-$995, non-member $695-$1,250, government $550-$995, spouse $200-$475, student $180-300; a la carte, $50-$925.
• Sept. 29-Oct. 3. Interop New York. Jacob Javits Convention Center, New York City. Expo: free. Total Access: early bird (July 1-Aug. 15) $2,899; regular rate (Aug. 16-Sept. 26), $3,099; Sept. 27-Oct. 3, $3,299.
• Oct. 1. Indianaoplis SecureWorld. Sheraton Indianapolis at Keystone Crossing. Registration: $695, two days; $545, one day.
• Oct. 3. B-Sides Portland. Refuge PDX, Portland, Oregon. Free.
• Oct. 10-11. B-Sides Warsaw. Andersa 29, Warsaw, Poland. Free.
• Oct. 14-17. Black Hat Europe 2014. Amsterdam RAI, Amsterdam, the Netherlands. Registration: before Aug. 30, 1,095 euros; before Oct. 10, 1,295 euros; before Oct. 18, 1,495 euros.
• Oct. 16. SecureWorld Denver. The Cable Center, Denver. Registration: $695, two days; $545, one day.
• Oct. 18. B-Sides Raleigh. Raleighwood, Raleigh, North Carolina. Free.
• Oct. 19-20. B-Sides Washington D.C. Washington Marriott Metro Center, Washington, D.C. Free.
• Oct. 19-27. SANS Network Security 2014. Caesar’s Palace, Las Vegas, Nevada. Courses: job-based, $3,145-$5,095; skill-based, $1,045-$3,950.
• Oct. 29-30. Dallas SecureWorld. Plano Centre, 2000 East Spring Parkway, Plano, Texas. Registration: $695, two days; $545, one day.
• Dec. 2-4. Gartner Identity & Access Management Summit. Caesers Palace, Las Vegas, Nevada. Registration: before Oct. 4, $2,150; after Oct. 4, $2,450; public employees, $2,050.