No End to the Headaches Endpoints Give System Defenders
Sep 3, 2013 4:33 PM PT
If there's one attack surface that's attracting growing attention from digital marauders, it's a system's endpoints. With the proliferation of devices accessing corporate networks, securing connections can be a defender's nightmare.
Endpoints have an allure for attackers because they offer multiple attack vectors, such as social engineering attacks, spearphishing, USB infection, and compromise of WiFi networks and routers.
Moreover, combinations of attacks can be packaged into kits that monitor an endpoint's activity and tailor attacks based on available vulnerabilities at the point of attack.
"These types of attacks are very difficult to detect and cannot necessarily be discovered with an endpoint agent," James Kawamoto, director of product management at Zscaler, told TechNewsWorld.
Hardening endpoints has been problematic. "The endpoint has been left to stagnate in terms of security innovation," Anup Ghosh, CEO of Invincea, told TechNewsWorld.
"The vast majority of endpoints rely on signature-based defenses to spot malware, and with more than 200,000 new variants of malware released into the wild daily, those technologies are woefully incapable of keeping up," he added.
What's more, tightening security at endpoints can put a crimp in worker productivity.
"For the most part, enterprises are afraid of touching the endpoint because the controls they have at their disposal are either inadequate, and thus don't justify the hassle, or far too restrictive to the end user," Ghosh maintained.
"What we need in the endpoint security space are solutions that deliver security and user freedom -- controls that empower the user to interact with untrusted content but mitigate any risk introduced as a result," he said.
"These controls have to work well with the entire defense in-depth strategy, can't add further burden to already-burdened machines, and should change the paradigm by empowering users as opposed to constraining them," added Ghosh.
Spam Targets Craigslist
Spammers aren't new to Craigslist, but typically they're trying to scrape email addresses from the service, not engaging in elaborate schemes to post spam there. Last week, however, security researchers at Solera Networks, a Blue Coat company, discovered such a ruse.
The dodge starts with malicious links planted on the Internet. They could be on infected Web pages or ads. The links promise to update a browser add-on called "Adobe Photo Loader," which doesn't exist.
"That's sort of rule No. 1 for spreading malware: Get people clicking on malicious links," Ken Pickering, director of engineering at Core Security, told TechNewWorld.
Instead of delivering the bogus Adobe program to a computer, the link delivers a Trojan with a specific purpose. It sends spam to Craigslist trying to drum up business for a piece of mobile spyware called "Stealth Nanny."
Although limited in scope at the moment, the Trojan could be reprogrammed at any time by its master.
"The danger is the same from any malicious Trojan in that it could be used to distribute any sort of malware payload," Pickering noted. "So I would say any sort of fraud-generating malware is a likely candidate for spreading via this mechanism."
Stanford University has been a repeat offender when it comes to data breaches. It has experienced half a dozen breaches in the last four years, the most recent being last month when all users of the school's computer system were advised to reset their passwords due to an IT breach.
A look at the online security advice the university is giving its users may contain a hint to its porosity problems.
"It's disappointing to read Stanford's guidance on what people should be doing," Dave Jevans, chairman and CTO of Marble Security, told TechNewsWorld.
For example, the school recommends users follow industry best practices to protect mobile devices.
"Who knows what that means?" Jevans asked. "That's pretty useless advice."
Another recommendation is to use strong passwords, which may be useful, but stops short of identifying the real problem facing users.
"The bad guys aren't getting in because they're guessing your password. They're getting in because you're giving it to them," Jevans said.
"They're going to send you an email saying they're the IT department and you have to change your password; here's the website to do it," he continued. "Then you click on a link and go to a bad website where you enter your password and they take over your account."
- Aug. 26. Anonymous posts to Internet information gained from its breach of the FBI's Regional Forensics Computer Laboratory, including 19,329 law enforcement email addresses. Action believed to be in retaliation for FBI claim that it had largely dismantled the hacker organization.
- Aug. 28. University of Texas Health Science Center at Houston Medical School reports unencrypted laptop computer containing some patient information was discovered missing on Aug. 2 from a locked closet in a physician's orthopedic clinic and begins notifying 596 patients affected by the breach. Laptop contained hand and arm image data from February 2010 to July 13, as well as patient names, birth dates and medical record numbers. No Social Security numbers were on the machine.
- Aug. 28. Manager Magazin Online reports that 25 employees of Deutsche Telekom had unauthorized access to personal data on nearly all the company's 120,000 employees in Germany for 11 years. An investigation of the breach is currently under way.
- Aug. 28. Valparaiso, Ind., sends out letters notifying 860 users of the city's ambulance service that their personal information has been stolen by an employee of billing company ADP who used some of the information to file fake tax returns and collect refunds.
- Aug. 28. Liberty Mutual Insurance Company files lawsuit against St. Louis supermarket chain Schnuck Markets to limit its liability in data breach that compromised the credit card numbers of some 2.4 million of the food retailer's customers.
- Aug. 29. Federal regulators and Illinois attorney general's office confirm they are investigating data breach at the Advocate Medical Group that could affect more than 4 million patients seen by the healthcare provider's physicians.
- Aug. 29. Federal Trade Commission accuses LabMD, a medical lab in Atlanta, of failing to adequately protect its patients' online records, resulting in leak of Social Security numbers and birth dates of some 9,000 consumers.
- Aug. 30. Osprey Packs begins notifying its Osprey Pro customers that their personal information was compromised in an attack of its Pro Deals website. Breach exposed customers' names, billing, shipping and email addresses, phone and credit card numbers with expiration dates. Although a small number of customers have reported to the company that they believe attempts were made to use their credit card information fraudulently, no credit monitoring services have been offered by the firm to customers yet.
Upcoming Security Events
- Sept. 10. AT&T Cyber Security Conference. New York Hilton Midtown Hotel, Avenue of the Americas, New York City. Free with registration.
- Sept. 11-13. 4th Cybersecurity Framework Workshop. The University of Texas at Dallas, 800 West Campbell Road, Richardson, Texas. Free with registration.
- Sept. 12. Inside the Mind of a Hacker, 9:30 a.m. ET. Webinar sponsored by WatchGuard. Free with registration.
- Sept. 12. Mobile Work Exchange Fall 2013 Town Hall Meeting. Walter E. Washington Convention Center, Washington, D.C. Registration: government, free; non-government, US$495 (Aug. 16-Sept. 11), $595 (Sept. 12).
- Sept. 17. The Size and Shape of Online Piracy. 9 a.m.-10:30 a.m. Room 485, Russell Senate Office Building, Constitution Ave. NE and 1st Street NE, Washington, D.C. Sponsored by The Information Technology & Innovation Foundation. Free with registration.
- Sept. 18-20. Gartner Security & Risk Management Summit 2013. London. Registration: 2,325 euross + VAT; government, 1,800 euross + VAT.
- Sept. 24-27. ASIS International 59th Annual Conference. McCormick Place, Chicago. Registration: Before Aug. 21, $895 member, $1,150 non-member. After Aug. 20, $995 member, $1,295 non-member.
- Oct. 1-3. McAfee Focus 13 Security Conference. The Venetian /The Palazzo Resort-Hotel-Casino, 3325-3355 Las Vegas Blvd., South Las Vegas. Registration: Early Bird to July 31, $875/$775 government; Standard to Oct. 3, $995/$875 government.
- Oct. 2.Visa Global Security Summit -- Responsible Innovation: Building Trust in a Connected World. Ronald Reagan Building and International Trade Center, Washington, D.C. Free with registration.
- Oct. 5. Suits and Spooks. SOHO House, New York City. Registration: Early Bird, $395 (July 5-Aug. 31); $625 (Sept. 1 and after).
- Oct. 8-9. Cyber Maryland 2013. Baltimore Convention Center., Baltimore, Md. Registration: $495; government, free; academic faculty, $295; student, $55.
- Oct. 17-18. 2013 Cryptologic History Symposium. Johns Hopkins Applied Physics Laboratory's Kossiakoff Conference Center, Laurel, Md. Registration information to be announced.
- Oct. 29-31. RSA Conference eurospe. Amsterdam RAI. Registration: Early Bird to July 26, 895 euros+VAT delegate/495 euros+VAT one day pass; Discount from July 27 -Sept. 27, 995 euros+VAT delgate/595 euros+VAT one day pass; Standard from Sept. 27-Oct.27, 1,095 euros+VAT delegate/695 euros+VAT one day pass; Onsite from Oct. 28-31, 1,295 euros+VAT.
- Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles, Calif. Registration: Early Bird to Sept. 27, $2,075; Standard, $2,375; Public Sector, $1,975.
- Dec. 4-5. MENA Business Infrastructure Protection 2013 Summit (Risk Management and Security Intelligence for companies in the Middle East and North Africa). Dubai.
- Dec. 9-13. Annual Computer Security Applications Conference (ACSAC). Hyatt French Quarter, New Orleans.