Fisher squeezed out time around his day job as editor of Kaspersky Lab’s security blog, Threatpost, to pen and publish his first novel, released last week. Prior to his current gig, Fisher was an editor and writer, focused on information security, at TechTarget.

Fisher

No surprise, then, that this work of fiction contains an info sec subplot. Hot on the trail of a serial killer, the detectives get stymied by an inability to legally examine the contents of the suspect’s computer. Enter JD, who agrees to help out with some stealthy cybersnooping. He also leaves a rootkit behind that ultimately figures into a climactic scene at the end of the book.

There’s clearly an eager global audience for works of fiction that feature lone wolf hackers. Lisabeth Salander, the fictional hacker-heroine of the late Swedish journalist Stieg Larsson’s Girl With The Dragon Tatoo trilogy, comes to mind.

Fisher says he got the idea for the book while commuting to Boston every day.  “I’d drive by this really nasty looking swamp on the way home. It was right by the side of the highway and had the feel of something from a horror movie, with burned-out tree trunks sticking out of the water,” Fisher says. “I started wondering what had happened there and what could be under the water.

“I started wondering what had happened there and what could be under the water. I eventually came up with the beginning of the plot, with there being dead bodies found in the water and then went from there. I imagine that most writers start either with a character or a plot idea, but for me it started with that location.”

He describes Motherless Children as “a story about the small decisions that can define our lives, the true nature of good and evil and finding the strength to do what needs to be done–regardless of the consequences.”

JD, the hacker-hero, is ” based loosely on a couple of researchers and there are several small inside security jokes in the book that folks in the community will like, I think,” Fisher adds.

Online tracking is fueling a heated national debate over whether new do-not-track laws are needed to safeguard consumers’ online privacy. Leaders in the online advertising industry use a version of Privacyscore to self-police the tracking practices of online advertising networks, and thus head off new laws. Privacy experts welcomed the consumer version.

“This certainly is going to be a useful tool for consumers, but it may actually be even more useful in pushing application developers, who don’t like getting poor grades, to look more closely at their own privacy practices,” says Jules Polonetsky, director of the Future of Privacy Forum, a Washington, D.C., think tank on data security.

Facebook’s pervasive Web presence comes with “a responsibility to hold people who are developing apps on their platform accountable for the (privacy) assertions that they’re making,” says Craig Spiezle, executive director of the Online Trust Alliance.

Facebook’s David Swain noted that the company requires app developers to agree to its privacy policies. “If we find an app has violated our policies … we take action,” Swain says.

According to PrivacyChoice, 140 different tracking entities routinely collect information about users of the top Facebook apps. Trackers can correlate that data to profiles of individuals’ browsing behavior across multiple Web pages in order to deliver more relevant ads. “It’s up to users to know the privacy risk of sharing personal data with apps,” says Jim Brock, PrivacyChoice founder and CEO.

Privacyscore’s top score is 100. Deductions are made for sharing data with an excessive number of tracking entities, failing to honor deletion requests, failing to provide an opt-out choice or storing consumer data for long periods.

Gamemaker Zynga, for instance, registers an overall score of 82 for 17 Facebook games. The game Slingo, with 17 million players, scores 80, losing points partly because it connects to 59 trackers. Zynga general counsel Reggie Davis says Zynga welcomes tools such as Privacyscore. And Zynga’s online tutorial, PrivacyVille, rewards its users for learning more about the company’s privacy policies.

—

The end result is an ever expanding canvas of attack surfaces for highly skilled and motivated cybergangs to tap into corporate databases. In this LastWatchdog guest post, Timothy David McCreery, President and CEO of network monitoring firm WildPackets, examines why it might make sense for companies to embrace network forensics as ongoing preventive maintenance, instead of turning to it in after the fact investigations only.

McCreery

By Timothy David McCreery

Homeowners insurance, health and life insurance are well known forms of risk coverage. While these modes of protection have remained relatively the same there is a litany of new threats that aren’t as well accounted for. Most businesses today operate some form of computer network and for many, their entire business in based online. Company computer networks are increasingly more vulnerable in the era of phishing scams, cyber attacks and large-scale data breaches. So then, what is their form of insurance?

Today, preventative security is a top priority for any IT department, but no amount of security can protect all of your networks all of the time. Even global brands and governments aren’t immune to attacks, and every company should have a contingency plan in place in the event of a breach. One of the most easily implemented, but often-overlooked contingency plans for your network is network forensics.

While many companies believe that a simple activity monitoring solution is the only thing they need to help protect their network, network forensics is an essential part of any comprehensive security strategy. Although IDS/IPS (Intrusion Detection/Intrusion Prevention Systems) solutions do help indicate and prevent problems, when they miss something security teams have no data to analyze and figure out what went wrong. Typically simple activity monitoring solutions involving IDS/IPS are tedious and require sorting through possibly thousands of packets of data –including IP address, source/destination port, time, date, protocol, string and more – to find one incident.

Network forensics, on the other hand, captures complete network conversations, recording all network activity at the packet level to fixed storage, displays key network performance statistics, and provides visual tools for post-capture analysis in real-time. Captured data is stored in a central location and translated into a common format, allowing users to easily drill into problem areas and quickly locate a specific incident or monitor for potential virus ‘fingerprints’ to avoid a major infection.

With an increase in breaches from both inside and outside the network, analysis and prevention can only be achieved if you have a complete view of your network activity. This level of insight is even more essential with the number of on-the-go users and BYOD policies growing within companies. In fact, it’s often business-critical issues that have nothing to do with performance or cyber attacks, like violations of industry regulations or data breaches, which drive the need for post-incident analysis.

A breached mobile device or infected personal laptop brings outside threats inside the network, which can go undetected by most IDS/IPS solutions. The ability to recognize a breach and pinpoint the source prevents a compromise of the entire network. In addition, network forensics can be used to identify rogue or unauthorized devices trying to access the network, preventing another kind of potential hack.

Network forensics can be a powerful tool in both your security and compliance strategies, but the key to network forensics is to have a solution in place now – before you have a need for incident analysis or require data to investigate an attack.

About the essayist: Timothy David McCreery is the President and CEO at WildPackets, a provider of network analysis solutions. McCreery co-founded WildPackets, Inc. as AG Group in 1990. McCreery taught undergraduate Computer Science at U.C. Berkeley obtaining a Master’s degree in EECS, and is an industry veteran with over 25 years of experience.

Another detection tool you can use has been made available by Russian antivirus firm Kaspersky. Meanwhile, Apple has issued a statement indicating that it is continuing to work on an offical detection and innoculation tool.

It’s not just individual Mac owners who ought to take heed. Network security firm Lancope says companies with employees who use Macs would be wise to check for infected Apple computing devices.

Kissling

“Enterprises should also bolster their defenses,” says Lancope vice president Jody Ma Kissling. “As the market share for Macs continues to increase, end users, corporations and Apple itself must all be prepared for a subsequent rise in attacks targeting Apple’s Mac OS X.”

Neil Roiter, research director at Corero Network Security says “cyber criminals now consider Macs profitable targets. Mac users should protect their computers with antivirus software, encrypt sensitive information and follow the common-sense advice not to click on links or open email attachments from unknown sources.”

Roger Thompson, chief emerging threats researcher at vendor-neutral testing and certification firm ICSA Labs, explains the significance of the emergence of a major botnet comprised entirely of Macs.

He observes that Mac infections were considered rare for much of the past two decades “as a natural consequence of relative market opportunity for the bad guys. Put another way, there were way more PCs than Macs, so there was simply more opportunity for a return on their development and marketing effort.”

What the existence of a massive Mac botnet highlights, Thompson says, is that “Mac malware is not just a reality, but is now a genuine problem. The issue is that for a decade, Apple has made a point of telling users that they had no malware problem, and the result of that is that Mac users have no antibodies, when it comes to malware. They don’t expect it, and too many people will click on, and install, anything.”

The bottom line for Mac users: they will have to install and keep current antivirus programs and make sure all application updates, for things like Java, iTunes and Adobe Flash are quickly installed, just like Windows users.

“There will soon be a name for Mac users who are not doing this: victims,” says Thompson.

However, many of these new ways to leverage the Internet cloud,  using a cool array of embedded and mobile computing devices, are triggering unforeseen ramifications. In this LastWatchdog guest post, Barrie Hadfield is CTO and co-founder of file-sharing company SkyDox outlines how we got here – and what systemic challenges have resulted.

Hadfield

By Barrie Hadfield

Nearly every organization has embedded within it some type of collaborative ecosystem. Traditionally, this was anchored in email or a centralized server, accessible almost exclusively from within the firewall. Yet as the cloud wields increasing influence on corporate environments, the traditional ecosystem becomes more antiquated. There’s some paradox in how the cloud is enabling this unparalleled productivity and collaboration for the workplace, while simultaneously eroding security protocols designed to protect intellectual property and corporate assets – often cited as the consumer-file sharing problem.

So how did the enterprise end up surrendering so much of its valued security measures to the cloud? First, let’s consider how the traditional corporate ecosystem was structured. Without the influence of cloud technologies, the workforce primarily shared and revised documents via a set of approved collaboration tools provided by the organization. In most cases, Microsoft’s Office suite reigned supreme with PowerPoint presentations, Word files and Excel spreadsheets stored on a single, centralized server accessible nearly exclusively via company-owned devices.

Provisioning history

The first crack in the traditional ecosystems surfaced via email, which has always provided an escape hatch for collaborating outside of the firewall. Do you, however, recall that old adage – never send anything via email that you don’t want to be leaked into the public domain? Quickly, this saying became a misnomer, as typically, the rush for convenience trumped nearly all security considerations. Employees soon found they could take advantage of email’s attachment feature to share files, without considering the potential risk of intellectual property loss or information breach.

Then, the cloud worked its way into the office and the collaborative ecosystem was permanently changed. The first sign of trouble was how these tools were introduced into corporate settings. In direct contradiction to the conventional top-to-bottom corporate application provisioning, in which tools are handed down from top executives and IT administrators to the workforce at large, consumer-style cloud platforms were shared among the employees at the frontlines first and then trickled upward. The result was an abundance of consumer-oriented tools, downloaded by all, used properly by few, none approved for security or compliance by the IT administrators.

Secondly, as opposed to, say, a packaged set of tools, such as the Microsoft Office suite, consumer-based cloud collaboration tools are usually in direct competition with one another. And according to Forrester, half of all office workers use between four and seven collaboration tools to do their jobs. With this patchwork approach, each platform becomes its own information silo, making it arduous to track the content once it is uploaded. Of course this is frustrating for employees who want to keep track of where their data is and whether the stored version is the most updated. But from a security standpoint it also causes significant harm to a business’ audit trail, making it nearly impossible to know if unauthorized users have access to the content to distribute, store or modify it.

No turning back

The resulting security threats are self-evident. Consumer-based products in general are designed with ease-of-use as the primary consideration, with security falling somewhere well below. When security aspects are even considered at all in the design process, it is frequently from a personal, as opposed to an enterprise-grade, level. Additionally, these types of platforms do little, if anything to prevent the distribution of files and information across enterprise firewalls. If a document or file was sent to an employee at one company, there are no measures in place for him or her to send it, even by accident, to the wrong person.

But there is no turning back the clock. The cloud is now part of the business fabric and will only become more ingrained in the collaborative process going forward. Trying to ban cloud collaboration tools will only hinder your organization’s ability to innovate and collaborate — and ultimately damage the entire productivity of the workforce. We have, however, reached a crossroads in which IT administrators must either take back control and have a voice in the way the cloud is deployed within their organizations – or risk irrelevancy. After all, would you want your company’s proprietary information pushed into the public domain on purpose or inadvertently?

About the essayist: Barrie Hadfield is CTO and co-founder of SkyDox, a cloud-enabled file sharing, file synchronization and collaboration platform for the enterprise. Before founding SkyDox, Barrie co-founded another document comparison and file-sharing company, WorkShare, in 1999.fore founding SkyDox, Barrie co-founded another document comparison and file-sharing company, WorkShare, in 1999.

Those cool mobile devices beloved by consumers carry deep-rooted security flaws that are only now being discovered and addressed.

That’s the upshot of two recent deep examinations of popular mobile devices. The findings highlight how designers of the current generation of smartphones and tablet PCs failed to fully account for the security and privacy implications.

“Today’s smartphones and tablet devices perform the same functions as a PC,” says Dan Hoffman, chief of mobile security at Juniper Networks.“However, the vast majority of devices lack security software and mistakenly rely upon the operating system to keep people safe.”

In one study, Cryptography Research showed how it is possible to eavesdrop on any smartphone or tablet PC as it uses cryptographic keys to protect sensitive operations, such as when a mobile device is being used to make a purchase, conduct online banking or access a company’s virtual private network.

The secret keys can be deciphered, enabling a criminal to use them to access a financial account or a company network, says Benjamin Jun, Cryptography Research’s chief technology officer.

Jun

“These type of attacks do not require the device to be modified and there is usually no observable sign that an attack is in progress,” Jun says.

Cryptography Research is “working with one of the major smartphone and table companies right now to put countermeasures in,” Jun says. No known actual attacks have occurred, he says.

In another theoretical study, researchers at security firm McAfee, a division of Intel, demonstrated several ways to remotely hack into Apple iOS, the operating system for iPads and iPhones.

McAfee’s research team remotely activated device microphones and recorded conversations taking place in the vicinity of the hacked device. They also stole secret keys and passwords, and were able to pilfer sensitive data, including call histories, e-mail and text messages.

“This attack method shows ways that advanced attackers can compromise and control devices indefinitely,” says Ryan Permeh, McAfee’s principal security architect. “This can be done with absolutely no indication to the device user.”

Apple spokeswoman Trudy Muller declined comment.

Security experts and law enforcement officials anticipate that cybergangs will accelerate actual attacks as consumers and companies begin to rely more heavily on mobile devices for shopping, banking and working.

“Responsibility for addressing these security concerns is far reaching,” says Hoffman. “The broader security community needs to assist in providing all users the highest-level of protection.”

Henry

The disclosure of a massive botnet comprised entirely of Macs is serving as a lightning rod for the community of a few hundred top virus hunters who would like to see Apple become more collaborative about defending the Internet against cybercriminals.

“Maybe Apple will feel a little of the pain their users are now feeling and get serious about being more candid and perhaps more revealing in their patch release notifications,” says Paul Henry, security and forensic analyst at network security company Lumension,.

Henry notes that calculating the number of infected Macs has been relative easy, since the Trojan “actually sends a copy of each infected Mac’s UUID to the command and control server.”

Some 300,000 of the 600,000 Macs infected by the Flashback Trojan are located in the U.S., including 274 in Cuppertino, Apple’s hometown in Silicon Valley, according to Tweets from Ivan Sorokin, a malware analyst at Russian antivirus company Dr. Web.

Sorokin used sinkhole technology to redirect the botnet traffic to their own servers to count infected Macs.

Henry says that “Apple still lacks any urgency in their patch release and in fact, users had to be lucky enough to have checked.

“Simply put, if Apple wants to be taken seriously as an enterprise provider, they need to be more timely and candid about their patches,” Henry continues. “How else will administrators understand the necessary sense of urgency to prioritize and deal with security issues?”

Apple has been issuing patches roughly once a month, much like Microsoft issues security fixes on the second Tuesday of each month, known as Patch Tuesdsay.

“Apple should take a lesson from Microsoft and formally adopt a monthly process and provide, at minimum, the same level of disclosure users have come to expect from Microsoft,” says Henry.

An unpatched portion of Java left Mac users prone to the Flashback Trojan, which causes the machine to quietly report to a command and control server for further instructions.

Mac users  can get infected by navigating to a viral web page pre-loaded to deliver a driveby download tuned to exploit this Java vulnerability — much the same as Windows PC users.

The  Russian antivirus company Dr. Web says some 600,000 Macs have been infected, several of which include devices based in Cupertino, California, the home of Apple. So if your Mac has been balky lately, this could be the explanation.

Swiss Army knife

Botnets are used to spread spam and infections, participate in denial of service attacks, hijack online bank accounts etc. Botnets are the Swiss Army Knife of cybercrime. And when your machine is performing bot duties, your processing efficiencies naturally get sapped. It was only a matter of time before this common experience of Windows PC users came home to roost with Mac users.

One commenter to Ars Technica’s coverage noted:

My wife’s first gen core duo macbook pro hard drive is always busy, which i thought was due to limited hard drive space. Even after cleaning out ~15 gigs of space, the OS is slow and often unresponsive, and the HD is clickety clacking all the time. I sure hope I don’t have it. I’m going to check first thing when I get home. Has anyone’s machine here tested positive? If so, does this sound familiar?

Apple has since patched the Java flaw. F-Secure has supplied details on how to diagnose and fix the problem, but warns that the steps are tricky.

Wake up call

“This latest wave of infections is a wake-up call to Mac users that their system is not immune to threats,” says Mike Geide, senior security researcher at Zscaler ThreatLabZ. “And the need to follow best security practices, such as remaining current with patches, is ubiquitous — it doesn’t matter if you’re using Windows, Mac, or even mobile phone.”

Marcus

Dave Marcus, director of advanced research and threat intelligence at McAfee Labs, says the existence of a major Mac botnet comes as no surprise. He advises Mac users to do as Windows PC users do: keep antivirus protection and all Apple patches current.

“Attackers are leveraging years of success from writing PC malware and they’re doing the same thing in the Mac world,” says Marcus. “Cybercriminals will attack any operating system with valuable information, and as the popularity of Macs increase, so will attacks on the Mac platform.”

–By Byron Acohido

Visa and MasterCard acknowledged Friday that they’ve been alerting banks about a major breach of an unnamed payment card processing firm. The Wall Street Journal, citing unnamed sources, named Atlanta-based Global Payments as the processor in question.

Global Payments declined interview requests.

Security blogger Brian Krebs, who broke the story, says thieves cracked into the processor’s systems between Jan. 21 and Feb. 25, and may have swiped more than 10 million credit and debit card transactions records, originating from an unknown number of merchants, banks and credit unions.

Litan

Gartner banking security analyst Avivah Litan says unverified reports point to a New York City street gang with Central American ties taking over ” an administrative account that was not protected sufficiently.”

“I’ve spoken with folks in the card business who are seeing signs of this breach mushroom,” says Litan.

MasterCard issued a statement advising cardholders to contact the financial institution that issued their cards with any concerns. Visa emphasized that no Visa systems were breached.

However, criminals know better than to try to waste time on highly defended systems, and have been consistently successful cracking support system. “Sooner or later they find some weakness in the highly complex chain of systems that they can exploit,” says Geoff Webb, of data security firm Credant Technologies.

Credit card processors have been breached before. Heartland Payment Systems lost 130 million payment card records generated by 250,000 merchants and restaurants in 2008 -2009.

It’s not just card processors that are being targeted. Last year hackers stole payment card information for more than 100 million customers of Sony’s PlayStation Network.

And earlier this year online shoe retailer Zappos disclosed hackers took e-mail and shipping addresses, phone numbers and account passwords for some 24 million customers, data useful for identity theft.

“Any business that’s capturing payment data is a target,” says Mark Bower, analyst at Voltage Security.

Consumers whose debit card account information landed in criminals’ hands with this latest breach are at heightened risk. That’s because gangs are adept at quickly manufacturing faked cards to make large cash withdrawals from ATMs. And the consumer’s cash goes missing until a theft is reported and reimbursement carried out, which can take several days.

“You should always be watching your statements for unauthorized transactions but right now people should be extra vigilant,” says Steve Coggeshall chief technology officer at ID Analytics.

Retailers are also uniquely exposed. Some 46 states have now enacted data breach disclosure laws that require merchants and payment card issuing banks and credit unions to notify customers whose card numbers are stolen.

Many of these data loss disclosure laws impose stiff fines if notifications are not done in a timely manner, says Ted Julian, of Co3, a Cambridge, Mass.-based start-up that helps retailers manage the repercussions of credit card theft.

States could pursue a windfall in fines levied against merchants and card-issuing banks and credit unions who are slow to notify consumers that their credit or debit card number is in criminals’ hands. “Merchants are definitely on the hook for these state disclosures, because they are the ones who have the consumer relationship,” Julian says.

That trend has not abated. And now governments may be getting into the act, orchestrating such attacks. Earlier this week the BBC accused the Iranian government for disrupting the news organization’s e-mail and web pages, along with jamming the BBC’s satellite feeds into Iran.

In this LastWatchdog guest post, Lori MacVittie, Senior Technical Marketing Manager at application delivery networking firm F5, delves into the technical underpinnings of modern-day DDos attacks.

MacVittie

By Lori MacVittie.

The success of Distributed Denial-of-service (DDos) attacks today is more about what an attacker is trying to do with the traffic than just how much traffic they generate.

Certainly massive volumes of traffic can overwhelm a site in any number of ways, but such attacks are costly and require coordination to execute. It takes hundreds of thousands of machines to generate the kind of volume necessary to overwhelm the public-facing presence of an organization today. Network infrastructure has become adept at not only handling such volume but recognizing a traditional DDoS attack for what it is, and putting the brakes on the traffic to protect a company’s presence.

This is why we’ve seen a rise in attacks directed at the application layers – exploits based on protocol behavior and basic application logic assumed by all web and application servers. These attacks offer maximum effect with minimal effort, requiring less coordination and fewer resources on the part of the attacker while still managing to disrupt services from even those organizations one hop from the Internet backbone.

A week-long DDoS attack in early November , targeting an Asian e-commerce retailer, was one of the largest in 2011: it reached traffic volumes of 45 Gbps. Yet waves of other attacks that have generated far less traffic volume have been far more successful in accomplishing the task of taking down a website.

Modern attacks

As noted by reports of the aforementioned attack, at its peak attackers were able to make 15,000 connections per second to the target company’s servers. This is the key to understanding modern attack methods. While network infrastructure can detect and throttle back traditional attack methods, it is not so good at detecting and throttling back modern attack methods that target application protocols. That this company saw connections being made to its servers indicates a failure on the part of its network and application delivery network infrastructure to correctly identify and execute appropriate measures to halt the attack.

This is likely for the same reason similar attacks have been successful in the past: the network and security infrastructure in place is simply not imbued with the intelligence necessary to distinguish between legitimate application requests and those that are not. The key to doing so lies in understanding interaction behavior at the protocol layers and being able to apply that understanding to live interactions in a way that clearly distinguishes illegitimate from legitimate requests. When clients behave in ways inconsistent with the network and client characteristics present in every connection attempt, it should trigger an alarm in the infrastructure that puts it on alert, ready to clamp down when a certain threshold of traffic or requests is seen.

Because network infrastructure today is unable to accurately distinguish between bad and good requests, it can do little more than pass the requests to servers. Those servers, despite the ever-increasing computing resources available, are still simply unable to handle the volume of connections being attempted. The end result is almost always a disruption of service. In an auto-scaling cloud computing environment, service may continue – but at a very high cost, as automated systems launch more and more virtual servers to handle the load, each one incurring costs on an hourly basis.

Traditional security mechanisms are excellent protection against traditional attackers. Sadly, however, they are largely ineffective against emerging modern attacks. Organizations need to recognize the changing focus of attackers from the network to the application layers and evaluate their strategy and infrastructure in light of how well such components would recognize and put a stop to modern attacks.

About the essayist. Lori MacVittie is responsible for F5’s outbound marketing, education, and evangelism of application. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts.