Archive for the 'IT Security' Category

28 May 08

IM: An Underestimated Security Threat

Focused on email security, many network managers are overlooking the dangers presented by IM (instant messaging) technology. After all, IMing your sister-in-law an impromptu dinner invitation from your office cubicle seems pretty harmless. But IM in the enterprise is exploding, as 85 percent of organizations in North America report IM use, according to The Radicati Group Inc.

In the past, the security threat from IM was seen as an additional gateway to the enterprise as well as a concern for securing private corporate data. But that’s not the issue anymore. Studies estimate that IM worms and viruses are growing exponentially. In fact, Akonix Systems Inc. tracked 297 malicious code attacks over IM networks in 2007 – a 20 percent increase in IM threats over the previous year. And while 60 percent of organizations monitor and secure email, studies estimate that 90 percent of organizations lack any form of IT sanction or control for IM. That equals exposure to a rash of security threats, data leakages and legal liabilities.

James Quin, a senior research analyst with Info-Tech Research Group said, “The vast majority of companies really aren’t even aware that there’s an issue associated with IM malware. … But when you look at the fact that IM is increasingly being used as a distribution platform for malware – viruses, worms, Trojan horses – and is also a very serious threat in terms of data leakage, organizations simply can’t continue to take the track that IM is not something they need to worry about.”

Flying Under the Radar

Quin said one of the greatest dangers posed by IM is data leakage. Unlike email, which is typically logged, tracked and blocked by an organization, IM communications tend to leave an enterprise outside the watchful gaze of an IT manager. “If I’m sending something through IM on a server that’s not maintained by the company and it goes out through a generic traffic port, as far as the firewall is concerned, it’s plain old Web traffic,” he said. “It’s a bit of a sneaky way to get information out of the enterprise.”

Taking Action

There are steps companies can take, however, to wrest control of enterprise IM and to minimize exposure to security and legal threats. Here are just a handful of precautionary measures:

1. Sure, IM lends itself far more easily to informal conversation than email, rendering it a faster and lighter alternative. But is it really necessary? What business value does it deliver? The first step, said Quin, is “determining if IM is something you feel is an appropriate part of your business communication strategy.”

2. By preventing IM from being sent over public networks, companies can better manage security challenges. “Organizations should look at deploying an internal IM capability rather than using one of the freely available ones outside of the enterprise,” said Quin. Microsoft Corp.’s unified-communications suite, for example, delivers messaging capabilities, which enables companies to manage IM on internal servers and restrict communications to in-house usage.

3. Many public IM networks offer patches to protect against the latest program vulnerabilities. Network administrators need to install and update these IM patches regularly.

4. Turn to a third-party provider for high-level security protection. Symantec Corp., for example, offers an IM-management tool that secures, logs and archives corporate IM traffic on both public and enterprise IM networks.

5. “No technology should ever be deployed without a policy,” said Quin. IM is certainly no exception. Companies must establish best practices for the use of IM and any restrictions that apply. In addition, organizations should educate employees on the dangers of IM and inform them of important precautions regarding the storage of IM passwords, communication with unauthorized sources, and the refusal of file transfers and attachments.

14 May 08

IRS Email Scam

I recently sent an email about this to my friends. Here’s the post:

If you receive the below email (Get 2008 Economic Stimulus Refund – $1800), delete it! This is a scam!!!! Please be perceptive enough to check into things before you blindly believe these technological lies. Apparently, a half-witted computer tech without morals is trying to capitalize on the stimulus refund from the government. He/she will be phishing for your bank account information & SSN, and will ultimately rob you of your identity.

Email is never the primary way governments, banking institutions and major businesses communicate with you. Remember, email is like a postcard; it’s not secure unless you use encryption (to answer everyone’s question, “Am I using email encryption?” I guarantee you that you would know if you’re using email encryption, because you have to install it, or log in to a secure webmail server, and it only works if the other person you’re communicating with uses the same type of encryption or has a private or public encryption key).

All it takes is a few tools, and in five minutes I can intercept email as it travels across the internet. Again, email is simply a postcard. As it travels, anyone with the right tools can intercept and read it. Never send banking information, passwords, or Personally Identifiable Information (PII) via unencrypted email.

Here are a few free email encryption solutions:

1. Hushmail (free secure webmail solution)

2. Google Gmail Encryption with Firefox: FireGPG (You have to log in to https://gmail.com when using this encryption with Gmail.) Here are the instructions on how to set up and use FireGPG encryption with Gmail: http://www.linux.com/articles/62369

3. Greasemonkey Encryption: Firefox Extension

If you have any questions, please visit my IT Security blog at: www.itsecurityadmin.wordpress.com or email me.

Here’s the email:

From: service@irs.gov [mailto:service@irs.gov]
Sent: Tuesday, May 13, 2008 3:58 AM
Subject: Get 2008 Economic Stimulus Refund ( $1800 )
Importance: High

Over 130 million Americans will receive refunds as
part of President Bush program to jumpstart the economy.

Our records indicate that you are qualified to receive the
2008 Economic Stimulus Refund.

The fastest and easiest way to receive your refund is by
direct deposit to your checking/savings account.

Please click on the link and fill out the form and submit
before May 13th, 2008 to ensure that your refund will be
processed as soon as possible.

Submitting your form on May 13th, 2008 or later means that
your refund will be delayed due to the volume of requests we
anticipate for the Economic Stimulus Refund.

To access Economic Stimulus Refund, please click here.

© Copyright 2008, Internal Revenue Service U.S.A. All rights reserved.
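The message above carries the classic signs of a phishing lure: a spoofed government sender, a dollar figure in the subject, a "High" importance flag, a request for bank account details, and a deadline that had already passed when the message was sent. As an added example (not part of the original post), here is a Python heuristic that parses a constructed copy of that message and reports which of those indicators it finds; the domain list, regexes and indicator names are my own assumptions, not a vendor's product.

```python
import email
import re
from datetime import datetime
from email import policy

# Constructed copy of the message quoted above. A Date header is added so the
# deadline check has a send time; the original link target was not preserved.
SCAM_EMAIL = """\
From: service@irs.gov
Date: Tue, 13 May 2008 03:58:00 -0400
Subject: Get 2008 Economic Stimulus Refund ( $1800 )
Importance: High

Our records indicate that you are qualified to receive the
2008 Economic Stimulus Refund.
The fastest and easiest way to receive your refund is by
direct deposit to your checking/savings account.
Please click on the link and fill out the form and submit
before May 13th, 2008 to ensure that your refund will be
processed as soon as possible.
To access Economic Stimulus Refund, please click here.
"""

# Senders that, as the post says, never initiate account requests by email (assumed list).
NO_EMAIL_FINANCE_DOMAINS = {"irs.gov"}

MONEY_RE = re.compile(r"\$\s?\d[\d,]*")
DEADLINE_RE = re.compile(r"\b(?:before|by)\s+([A-Z][a-z]+ \d{1,2})(?:st|nd|rd|th)?,?\s+(\d{4})")
ACCOUNT_RE = re.compile(r"\b(checking|savings|bank)\s*/?\s*(savings\s+)?account\b", re.I)
ACTION_RE = re.compile(r"click here|fill out the form", re.I)


def phishing_indicators(raw):
    """Return the set of indicator names found in one RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    found = set()

    # Who the message claims to be from (header only; trivially forged, which is the point).
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    if sender_domain in NO_EMAIL_FINANCE_DOMAINS:
        found.add("authority_impersonation")
    if MONEY_RE.search(msg["Subject"] or ""):
        found.add("money_lure_in_subject")
    if (msg["Importance"] or "").lower() == "high":
        found.add("urgency_header")
    if ACCOUNT_RE.search(body):
        found.add("asks_for_account_details")
    if ACTION_RE.search(body):
        found.add("call_to_action_link")

    # A deadline that has already passed when the message was sent is pure
    # pressure: there is no time to verify, only to act.
    m = DEADLINE_RE.search(body)
    if m and msg["Date"]:
        deadline = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%B %d %Y")
        if deadline.date() <= msg["Date"].datetime.date():
            found.add("impossible_deadline")
    return found


def is_likely_phish(raw, threshold=3):
    # Crude verdict: three or more independent indicators is enough to quarantine.
    return len(phishing_indicators(raw)) >= threshold
```

Run `phishing_indicators(SCAM_EMAIL)` to see all six indicators fire on the sample; a plain note from a colleague produces an empty set.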

14 May 08

Proposed Cyber Security Bill will pressure Department of Homeland Security

Rep. Jim Langevin, D-RI, introduced a bill on Wednesday that aims to hold the U.S. Department of Homeland Security responsible for investigating every cyber attack and for shoring up its network security.

The bill would better define the roles and responsibilities of the agency’s chief information officer, require that the department reduce the number of successful attacks against its networks and mandate that the DHS investigate the state of contractors’ network security before signing a contract with them. The bill comes after more than a year of investigations by the House of Representatives’ Committee for Homeland Security into cybersecurity breaches at numerous government agencies. Rep. Langevin heads up the Subcommittee on Emerging Threats, Cybersecurity and Science & Technology, which has held most of the hearings on the issues.

“The security of our federal and critical infrastructure networks is an issue of national security,” Rep. Langevin said in a statement. “Through my many cyber hearings it has become clear that an organization is only as strong as the integrity and reliability of the information that it keeps. Therefore we must make cybersecurity a national priority.”

While U.S. government agencies have shown slow improvement, they have continued to score low grades in the annual report on their compliance with the Federal Information Security Management Act (FISMA) of 2002. Most federal agencies are behind an aggressive timetable for switching over all government desktop systems to a set of standard configurations designed to be more secure. Known as the Federal Desktop Core Configuration (FDCC), the initiative is part of a broader program known as the Comprehensive National Cybersecurity Initiative (CNCI), embarked upon by the Bush Administration in January.

The bill has been designated the Homeland Security Network Defense and Accountability Act of 2008 (H.R. 5983).

21 Feb 08

Encryption 101

Unfortunately, many businesses fail to take advantage of encryption technology, fearing that it’s too complex and difficult to use on a routine basis. In reality, encrypting vital data isn’t much more difficult than running a virus scanner or a data-backup program. Here’s how to get started.

The Basics

There are two basic ways to encrypt data. One approach is to use asymmetric PKI (public-key infrastructure) encryption. PKI cryptography is based on a pair of cryptographic keys: One is private and known only to the user, while the other is public and known to the opposite party in any exchange.

PKI technology provides privacy and confidentiality, access control, proof of document transmission, and document archiving and retrieval support. While most security vendors currently incorporate some type of PKI technology into their software, differences in design and implementation prevent interoperability between products.

The other method of encrypting data is symmetric key protection, also known as “secret-key” encryption. Generally speedier yet less secure than PKI, symmetric encryption uses the same key to both encrypt and decrypt messages. Symmetric technology works best when key distribution is restricted to a limited number of trusted individuals. Since symmetric encryption can be fairly easy to break, it’s primarily used for safeguarding relatively unimportant information or material that only has to be protected for a short period of time.

Applying Encryption

The easiest way to use encryption is to purchase a business application or a hardware product that incorporates some form of encryption technology. Microsoft’s Outlook Express email client, for example, provides built-in encryption support. Meanwhile, vendors such as Seagate Technology LLC and Hitachi Ltd. have started incorporating encryption technology into their hard drives.

Since most software applications and hardware products don’t include any type of internal encryption technology, business owners and managers need to look for stand-alone encryption products. This can be a confusing process, one that’s best approached by first determining the business’s precise security requirements, then finding an encryption product that fits each need.

Microsoft Vista Enterprise and Ultimate users can take advantage of BitLocker Drive Encryption, a full disk tool that offers powerful 1024-bit encryption. Another Windows offering is EFS (Encrypting File System), which uses symmetrical PKI technology to provide file encryption.

Beyond Microsoft, leading encryption vendors and products include PGP, open-source TrueCrypt, DESlock+, Namo FileLock and T3 Basic Security.

What to Encrypt

So how do you know what to encrypt? Here are some places to start:

  • Hard Drives: A business may choose to encrypt entire hard drives as a way to reduce or eliminate data theft.
  • Individual Files: In cases where full disk encryption is overkill, file-by-file encryption provides added security on an “as-needed” basis. Many leading encryption products offer drag-and-drop encryption capabilities.
  • Laptops: Unlike office systems, laptops are easy to lose and are prone to casual theft. By ensuring that the system’s data content is unreadable, a business can limit its loss to the cost of the laptop. A growing number of government regulators and insurance companies are demanding that businesses encrypt any data that leaves their premises.
  • Removable Media: Memory sticks, thumb drives and similar portable storage technologies provide portability, convenience, and an opportunity for data loss and theft. As with laptops, encryption limits a business’s loss to the cost of the device itself. A growing number of removable-media devices come with built-in encryption support.
  • File Transfers: Sending files over unsecured wired or wireless links can expose sensitive information to data thieves. Encryption provides an additional layer of security, even when a secured network is used.
  • Email: Encrypted email is kept secure during the transmission process and while sitting in its recipient’s mailbox.
  • IM (Instant Messaging): A growing number of businesses are using IM to swap confidential business information. Encryption helps secure these critical transmissions.

Encryption’s Limitations

Like any technology, encryption software isn’t perfect. Even the best products consume both processor speed and storage space. Users can also lose or forget passwords, thereby potentially locking systems forever.

Before purchasing any encryption tool, carefully research the product. Make sure that the offering addresses your company’s needs, is compatible with your systems and has a good track record concerning reliability and support. If possible, check with your friends and colleagues for their opinions on various encryption tools.

12 Feb 08

Enterprise security in 2008: Malware trends suggest new twists on old tricks

With the new year upon us, the bad guys continue to improve their computer attacks, refining their outdated techniques and introducing new twists. Let’s look at some of the trends that will likely dominate the information security threat landscape in 2008:

Increasing effectiveness and complexity of large-scale botnet management
Right now, there are multiple active botnets that each contain more than 1 million infected machines. Medium-scale collections (100,000 to a million infected machines) and small-scale ones (less than 100,000) are even more numerous.

Attackers can use annoying but relatively benign schemes — like pop-up ads, spam and search bar installations — to harvest money via such an infrastructure. More insidious attacks include pump-and-dump stock scams, denial-of-service floods, phishing schemes and form-scrapers that gather bank account numbers and passwords from browsers.

With large-scale distribution of a botnet’s infected computers, these bad guys are encountering the same infrastructure problems that large enterprises have — distributed remote management en masse is not easy. However, the attackers are a crafty lot, and they are developing robust peer-to-peer communications and control mechanisms to avoid single points of failure in their botnets. Attackers are also using fast flux techniques to rapidly shift critical servers’ domain name-to-IP address mapping, making it hard for investigators to hunt down phishing Web sites, control servers and other parts of their infrastructure. Look for such peer-to-peer and fast flux techniques to be included in almost all of the big botnets — and quite a few of the small- and medium-sized ones — in the year ahead.

More event-driven, targeted email containing malware
In early 2007, the Storm Trojan infected hundreds of thousands of machines by simply duping email recipients into reading an attachment that contained the malware. The message’s subject line exploited concerns about a string of floods in Europe. The malware’s authors continued throughout the rest of the year, modulating their headlines with the latest news stories. As a result, more than 1 million systems became part of the Storm botnet.

Look for more of the same in 2008. Numerous email worms will be spread with bogus — and sometimes even real — news stories about the upcoming U.S. primary and general election campaigns, or perhaps other gripping headlines, such as war and unrest in the Middle East.

Information security practitioners should educate users to be extra diligent when reading email and viewing attachments, even from users that they know. When sharing email, users should include the text of news stories pasted in the message, instead of forwarding links or sending attachments. It’s also important to redouble efforts for effective email antispam and antimalware deployments.

Leaked high-profile stories of executives nailed by spear-phishing attacks
Civilian and military organizations have reported a significant number of targeted phishing incidents. The attacks use specially crafted email messages to trick a target organization’s users into visiting a site that looks friendly, but will actually attack any browser that surfs there. Some targeted attacks also include infectious email attachments.

In these so-called “spear-phishing” attacks, the bad guys trick humans into installing a Trojan horse backdoor in the target environment. With malware planted on a victim machine, the attacker has a software sentinel inside the target organization, which can be used to control that system, take over others and exfiltrate sensitive information.

Some of the attackers look for low-hanging fruit, just any old user who they can trick into providing access inside a particular organization. Craftier attackers have set their sights on more important targets: corporate officers and higher-up military personnel.

In 2008, we may see some leaked information about targeted, high-profile individuals who fell victim to such attacks. Incident handlers working on the case may inadvertently reveal more information than they should. Leaks could also be intentional, due to possible vendettas or legal requirements for breach disclosure. Make sure that your internal incident-handling team has a clear set of non-disclosure agreements, along with documented plans and policies for dealing with the press.

Increasing cyber-attack activity attributed to nation-states, not organized crime groups
Spear-phishing has occurred against major U.S. and European enterprises, and many allegations have cited China as one of the attacks’ major sources. Chinese officials have countered by saying that similar attacks are waged against their country as well.

In the spring of 2007, a barrage of packet floods hit the highly wired, eastern European country of Estonia, taking down much of its electronic government and banking sites. Some observers claim that the flood was directed by the Russian government for political reasons, but the Russian government denies this and blames Russian nationalists.

This year, look for more suspicions of government involvement in cyberattacks. The continuing packet floods, cyber espionage, and infiltration of military and commercial networks will receive more press scrutiny than ever. We are now in the midst of a shift that will not supplant cybercrime, but augment it, as nation states increasingly use computer attacks to further their interests.

Decrease in disclosure rate of credit card compromise — not because of fewer breaches
If an enterprise suffers a breach that exposes personally identifiable information (PII) to an attacker, state notification laws may require an organization to alert citizens whose data was compromised. For a computer attack to be considered a breach, however, the data actually has to be exposed to the attacker. With an increasing number of enterprises using desktop and laptop encryption tools, there is a chance that attackers cannot actually view the data that they receive from a hacked system or stolen laptop.

But some desktop and laptop encryption tools aren’t very good. Microsoft’s Encrypting File System, for example, leaves clear-text copies of data shortly after it is encrypted. Some tools (including Microsoft’s EFS) only use an operating system password to protect file encryption keys, instead of a separate and carefully guarded password just for the cryptographic function or even an authentication token or smart card. If attackers can crack a user’s operating system password, they can then decrypt files with EFS and similar tools.

If an organization suffers a breach, management must discern whether there was a reasonable chance that data was exposed. Even if the data is encrypted with a weak encryption product, management will likely respond that the sensitive information wasn’t compromised.

In 2008, we may see less disclosure, but not fewer breaches. Such a trend will unfortunately hide the magnitude of real security problems. Enterprise security personnel should make sure that they use strong laptop crypto products. They should also verify and review the disclosure decision-making process with management and legal personnel.

This new year will likely spell busy times for information security professionals, as attackers continue to ramp up their abilities. Keeping up with the bad guys won’t be easy, but it is vital that we understand their latest tactics and work diligently to thwart them. Don’t get discouraged. Instead, remind yourself about how exciting these times are, and how we are fighting the good fight.