On Wednesday April 6th the Federal Bureau of Investigation (FBI) seized control of 5 servers used to control as many as 2 million computers infected with Coreflood malware. This malware, also known as AFCore, quietly steals personal and financial information from the computer and forwards the information to the criminal ring leaders. The attackers use the information collected by AFCore to conduct fraudulent wire transfers, emptying the users’ bank accounts.  The botnet is suspected to have existed since at least 2002, and has evolved over the years from using IRC based command and control and selling DDOS/anonymity services, to HTTP based command and control and performing fraud.

Using a similar approach used to take down the Bredolab botnet, US federal investigators were granted special authorization by the Department of Justice to substitute their own Command and Control server for the hosts operated by the criminal organization.  When the bot of the infected machine checks into the new C&C it is simply given a command to shutdown.  The DNS records used by the bots have also been pointed to Shadowserver’s sinkholes.

Seizing control of the C&C servers by law enforcement is now preventing the criminals from accessing any information already harvested by the infected computers.  It also keeps them from covering their tracks by deleting files and terminating processes.  However, the millions of Coreflood infections remain intact and still require intervention by a trained security analyst or antivirus program with signatures to detect it. Investigators are also alerting the Internet Service Providers of the compromised machines and requesting they inform their customers.

More information about the takedown can be found here:

• Botnet Operation Disabled: FBI Seizes Servers to Stop Cyber Fraud
• Bold FBI Move Shutters COREFLOOD Bot

Perimeter’s Security Operations Center is actively monitoring for outbound activity known to be associated with the Coreflood botnet.  In one instance, minutes after adding inspection for the redirected C&C check-in, alerts indicated a single customer network to have 17 actively compromised hosts. Here’s a sample screenshot from our SOC’s Security and Information Event Management System:

Coreflood Botnet Traffic, from Perimeter SOC

Looking at the raw event logs, we can see that the compromised host is attempting direct HTTP connections to a sinkhole IP. The URI confirms the activity to be related to a bot C&C check-in:

Recommendations for Perimeter customers

Although the FBI has taken ownership of the Command and Control and are issuing shutdown commands to the active bots, the malware is still installed on the compromised machines and reactivated at bootup.  Analysis of this Coreflood variant indicates the C&C domains change monthly and have been pre-registered in countries that are outside of United States jurisdiction.  There still remains a possiblity of the criminal ring regaining control of the botnet.  Perimeter strongly recommends customers take the following actions to stay protected:

• Use Web Content Filtering to lockdown Internet usage by enforcing user authentication and blocking of categories not critical to business
• In particular, customers are strongly advised to block access to unclassified sites, which commonly harbor malware and C&C servers
• Use standard best practices such as Network IPS and Network/Desktop AV to help prevent infections
• In cases where infections do occur, a strong WCF policy will help prevent theft of data, and will provide additional logging information used by the Perimeter’s Security Operations Center

Thanks for your time and attention, and stay safe.

Late last week, e-mail services firm Epsilon, which manages e-mail campaigns for hundreds of high-profile clients in retail, publishing, consulting and other sectors, revealed that it had been hacked. As a consequence, the attackers were able to obtain the names and e-mail addresses of millions of customers of companies like Citigroup, Walgreens, JP Morgan and many, many others.

Like me, you likely received a notice from a company you do business with informing you of the hack. I got mine from McKinsey Quarterly:

We have been informed by our e-mail service provider, Epsilon, that your e-mail address was exposed by unauthorized entry into their system. Epsilon sends e-mails on our behalf to McKinsey Quarterly users who have opted to receive e-mail communications from us.

We have been assured by Epsilon that the only information that was obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information. We are actively working to confirm this. We do not store any credit card numbers, social security numbers, or other personally identifiable information of our users, so we can assure you that no such information was accessed.

Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. Also know that McKinsey Quarterly will not send you e-mails asking for your credit card number, social security number or other personally identifiable information. So if you are ever asked for this information, you can be confident it is not from McKinsey.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Three quick observations about What It Means:

First, this is embarrassing for Epsilon. It suggests that they have some work to do on their defenses. We don’t know how the attackers got in — it could have been by exploiting a weakness in their web applications (likely), or from a social engineering attack of the type that hosed RSA (less likely).

Second, the attack will be of no consequence to most people. Yes, as many commentators have written, there is an “elevated risk of spear phishing attacks,” which in plain English means this: because the bad guys have your name and e-mail address, they might try to trick you by sending you an e-mail with a funny link. But to be honest, I don’t get much, if any, spam — thanks to Perimeter’s multi-stage e-mail filtering service. And if you use a premium spam filtering service, you probably don’t either. And even if the attackers manage to put together an e-mail that does get through your spam filters, how would you be able to tell that this particular break-in was the cause of it? Right.

Third, nice work McKinsey! The e-mail above is a great example of how to write an unambiguous and clear disclosure e-mail. You’ll note that they spell out exactly what Epsilon says has been disclosed (name and e-mail address, not enough to trigger a PCI or HIPAA violation). They also provide appropriate guidance on what to watch out for, and reinforce that McKinsey employees will never request sensitive information from their customers (which they shouldn’t). This is exactly what you should say in an e-mail like this.

The bottom line is this: spam happens. Just make sure that your employees and colleagues don’t blindly click on attachments they shouldn’t, or blindly click on links embedded in e-mail. Take this incident as an opportunity to reinforce your security policies. But don’t worry too much. Compared to the RSA compromise from a few weeks ago, this is very small beer.

It is not clear whether the theft of this information enables attackers to compromise customers’ own SecurID deployments. RSA claims that the information obtained by the attackers does not. As described in RSA’s advisory (http://www.rsa.com/node.aspx?id=3872):

“[RSA has] no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”

However, RSA’s news release notes that “the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

We strongly urge customers to read the full advisory from RSA here: http://www.sec.gov/Archives/edgar/data/790070/000119312511070159/dex992.htm

There is no indication that suggests Perimeter’s customers are at risk. We are continuing to monitor the situation and will send out additional updates as new information is made available.

Defining an enterprise mobile device passcode policy can be surprisingly difficult. Security managers must attempt to reconcile two opposing goals. They must:

• Create a passcode policy that is strong enough to protect the device if it is lost or stolen, while:
• Not annoying users with needless length or complexity

These goals are hard to reconcile because mobile devices like smartphones and tablets are personal, portable and convenient. Employees use their devices in places they wouldn’t use a PC: in the car, during their kids’ football game, and during (shall we say) otherwise unproductive periods of the day. It’s tempting to simply duplicate existing network security policies. The rationale goes something like this: smartphones and tables are nothing more than small PCs with antennas, so the password policies should be the same as for PCs. It’s easy to think that, but it’s the wrong attitude.

This whitepaper will describe the passcode policy Andrew recommends for mobile devices that comply with NIST’s e-authentication Level 1 guidelines as described in Special Publication 800-63, “Electronic Authentication Guidelines”. The policy is reasonable, employee-friendly and highly usable, but strong enough to protect your company’s data. To cut to the chase, here’s what it is:

• 8-digit numeric PIN
• Simple PINs disallowed
• Automatic lock after 15 minutes
• Grace period of 2 minutes
• Automatic wipe/permanent lock after eight wrong tries
• No expiration

Click here to read the whitepaper.

By Tom Field, Editorial Director, Information Security Media Group

The three pillars on how organizations can be secure today and to participate better in the changing economy:

• Reduce Risk
• Cut Cost
• Enable New Business Opportunities (i.e. Cloud Computing and Mobility)

I’ve spent the week at the RSA Conference. It is a great place to meet colleagues, customers and friends. I had been a Conference Chair for the last 5 years, helping pick speakers and build panels. That was lots of fun, but this year I chose to sit out and let some other lucky soul have a chance. I did participate in the program, however. My friend Caroline Wong put on a panel on security metrics, and asked me to be one of the four panelist. The panel was a blast, and is worth a blog post in its own right.

But the subject of today’s post isn’t my panel, or metrics, but about a key part of the show. It’s about a time-honored ritual at RSA: the industry keynote delivered by Microsoft’s Corporate Vice President of Trustworthy Computing, Scott Charney. In a speech that was covered by multiple media outlets, including IDG News Service, CIO, and Computer Reseller News, Charney made three significant announcements. He:

• Admitted that last year’s suggestion, to require ISPs to cut off serially infected machines, was not realistic because it imposed undue costs on ISPs. Charney argued instead that end-users must take more responsibility for the safety and security of their own machines. To that end, he…
• Proposed a system of “public health certificates” that customer client machines would present to relying parties like banks and on-line websites that needed extra assurance that their customers’ machines were clean. Charney calls this “Collective Defense.” In addition, Charney…
• Argued that the Internet must attribute activities to people wherever we can. Charney argues that with threats, there is always a Who, a What and a Why. Figuring out who the Who is would go a long way to helping national governments fight the various cyber-wars, cyber-skirmishes and cyber-hair-pulling matches that have been documented so well in the press over the last few years.

It seems to me that Scott, as the designated security spokesman for Microsoft, clearly understands his responsibility to set forth a vision for the industry. Microsoft’s preeminent position as the world’s leading software and systems vendor demands that he think big, think fast and think provocatively about The Future of Security. Moreover, the RSA Conference, as the preeminent industry conference devoted to information security, gives Microsoft (and Charney) the perfect platform for presenting their big, fast and provocative thinking. But let’s be honest, there’s a fine line between provocative and pollyanna. This year, Charney donned blue-tinged gossamer winds and fluttered off into the magical land of wishful thinking.

Let’s start with Microsoft’s ideas about Collective Defense and “public health certificates.” If I understand the idea correctly, relying parties (such as banks) would elect to trust — or selectively trust, or not trust — devices that presented digitally-signed attestations about their health. Rather than call this Collective Defense, let’s call it NAC’s Nephew. Practically, here is what that would mean: if McAfee or Symantec AV tells your bank that you have a clean bill of health, then your bank ought to let you transfer your money to Liberia. But if you don’t, they might think twice or ask for secondary authentication.

If you are technologist, especially one who drinks the Better Living Through Cryptography Kool-Aid or believes that “non-repudiation” actually refers to a real legal concept, digitally-signed health certificates sure sounds like a great idea. But upon closer scrutiny, nagging questions about practicality, implementation complexity and the so-what factor make it less attractive. Dan Geer has noted that technologists need to beware whenever they catch themselves saying “…and then a miracle happened.” That’s what we have here. I could raise a dozen objections, including (1) the decreasing efficacy of endpoint anti-malware software, (2) the high likelihood of certificate forgery, (3) the lack of likely implementations for platforms that aren’t Windows, and (4) the serious doubt that banks are asking for this stuff anyway (Trusteer isn’t exactly setting the world on fire, is it?).

But these are just the obvious objections. Slightly more worrying is Charney’s admission that ISPs aren’t part of the solution for keeping PCs safe. By that I assume he meant: Comcast, Time Warner, Charter, Cox had a few objections to cutting off infected customers. I can imagine a conversation between the two Steve Bs (Ballmer and Burke) that went something like this:

Burke (Comcast): So, Steve, I understand that you’d like to have me start cutting off Internet subscribers when we figure out that that their machines are infected.

Ballmer (Microsoft): You better believe it. We’re all-in on making our customers safer. ALL-IN!

Burke: I’ve got 80 million high-speed customers. My customer support team tells me I’ll lose 5m of them within the first year of running this program. That’s 7 billion dollars of lost revenue in the first year.

(pause)

Burke: Are you trying to get me to throw a chair at you?

(pause)

Burke: Excuse me Steve, but you’ll understand if I pass. I’ve got to run anyway. It’s time for me to start working on my 2011 Christmas cards.

That conversation never happened, and the numbers I presented are fictitious. But you can understand why putting the onus on ISPs to “keep their pipes clean” isn’t good for business. That Microsoft realizes this now is merely an admission of reality, and most welcome.

But while Microsoft’s new position reflects a more realistic appreciation of the limits of securing customer computers, Charney doesn’t push his thinking as far as he could. For example, consider his analogy comparing infected PCs to infected people. These are both health risks, and in both cases it behooves authorities to be aware of infections as early as possible. To the extent you can compare people to PCs, It also makes sense to educate customers about basic practices they can take to reduce the risk of infection (although I suspect Symantec might object to the implied comparison of installing their software to hand-washing.)

That said, computers aren’t like people at all. Computing can be improved in ways that the most audacious recombinant DNA theorist can only dream of. Because unlike humans, machines’ “DNA” — the operating systems and software that they are made of — can be replaced wholesale. From the security perspective, operating systems like SELinux, Qubes OS, BlackBerry OS, Apple’s iOS, Google’s Android or even Microsoft’s own Singularity or Windows Phone 7 OSes are fundamentally superior to Windows, because they have built-in protections like code-signing, verified roots-of-trust — often burned into hardware — and mandatory access control. From the security perspective, replacing Windows PCs with trusted Post-PC OSes such as Singularity or iOS isn’t merely a minor improvement like washing your hands. It’s more like replacing humans with a carbon-based life-form that’s immune to influenza.

Now, these other Post-PC OSes and their associated App Stores have other problems that I will be writing about in future posts, such as chatty, privacy-invading apps. But infections that compromise machine integrity isn’t one of their most pressing problems. And yes, I know I’m going to catch a lot of flak from the app security absolutists for saying this (“NOTHING is 100% secure…”). Please. Captain Obvious already paid me a visit today. Given enough time and money, anything is breakable. But acting as if mandatory code-signing, sandboxing and hardware-based trust anchors don’t decrease risk significantly is tantamount to dismissing 30 years of research by people much smarter than you and I. And that, in turn, means that we are ignoring lessons about how software should be built. In other words: we should not let loose talk about “ecosystems” distract from the critical need to re-examine the core software we run on the systems we use in our daily work.

Charney gets close — so very close — to this key point. When he calls for public health certificates that rely on hardware roots-of-trust to vouch for the integrity of devices, he should, instead, ask himself why they are needed in the first place. When he admits that ISPs can’t filter out infected PCs because of the expense, he should be asking whether he ought to, instead, design an operating system that fundamentally resists infection.

And finally, when he suggests that customers should share responsibility for educating themselves about keeping their PCs clean, he should ask himself why they should care, and whether the hassle of “education” and “taking responsibility” is worth it from the customer’s standpoint.

Now that’s a visionary speech I wish he’d made.

Greetings! Every morning, I do a quick scan of the articles in my Google Reader queue. I have ‘Reader configured to pull about 100 different RSS feeds on different topics ranging from security to high-tech news, plus a variety of “professional hobbies” such as application development. I usually pick out a few articles to actually read. In what I hope will will become a regular feature here at Perimeter Blog Central, here are four that caught my attention today:

1. Malware: Microsoft Disables Autorun for USB

In an innocuously-named post called “Deeper insight into the Security Advisory 967940 update,” my friend and metrics crony Adam Shostack describes why Microsoft is disabling the default Autorun feature in Windows XP and Windows Server 2003 and 2008, and Windows Vista for USB media. As the accompanying MSRC post describes, it means that customers will run a reduced risk of being infected by malware when they insert USB sticks of unknown origin into their computers. I am glad to see Microsoft taking this step to protect customers, but to be fair, USB Autorun/Autoplay was one of the dopiest and riskiest features Microsoft ever introduced. It had FAIL written all over it. Good to see them uninstall it.

2. Metrics: GQM+Strategies For Defining Security Metrics

In his post on security metrics, Brad Bemis describes the Goal-Question-Metrics+Strategies (GQM+Strategies) method for constructing metrics. It’s a good post, and describes a simple methodology that should be useful for customers who want to know how think about the process. An important part of the post (and the method) is the focus on using (1) business objectives to drive the goals, which (2) prompt the questions and (3) lead to the creation of metrics. However, Brad’s “business objectives” discussion is a bit abstract. Fortunately, there are lots of very structured ways that corporations often use frame their objectives. I am a big fan of the Balanced Scorecard, which advocates measuring organizational performance according to the Financial, Customer, Internal Operations, and Learning & Growth perspectives. I describe the “Balanced Security Scorecard” in my book, Security Metrics: Replacing Fear, Uncertainty and Doubt. (In better booksellers everywhere — and did I mention? — it makes a great gift.)

3. Mobile: Veracode Announces Mobile App Security Scanning Service

Today, my friends at Veracode announced a new service for scanning mobile applications for security flaws. Veracode already scans apps for Windows Mobile (meh) and BlackBerry (ok, sure). Now, it is expanding to cover Android (in Q1) and iOS apps (in Q2). Targeting the hottest two smartphone platforms is smart, and I applaud them for their leadership in this area. Full disclosure: I used to work with many of the principals of Veracode at @stake. I count Chris Wysopal (Veracode’s CTO, formerly the artist known as Weld Pond), Christian Rioux (Chief Scientist, fka Dildog) and Chris Eng (Senior Director) as friends, and I wish them all the best with this exciting new service.

4. Mobile: Smartphones More Popular Than PCs

Today’s Financial Times reports that according to IDC, vendors shipped 101 million smartphones in the fourth quarter of 2010. Vendors shipped just 92 million PCs. What it means: Post-PC devices are now more popular than the venerable PCs they are running next to (or in some cases, replacing). Of course, my former employer Forrester Research predicted that this would happen nearly nine months ago, as I pointed out in a blog post from August of last year. Note that IDC’s numbers do not count the iPad in either category. If you count them in the “smartphone” bucket (as I do), the total is closer to 108 million Post-PC devices. What it means for customers: your security posture is going to change faster than you might think. As I pointed out in my previous post, securing the mobile devices on your network cannot be an afterthought — it needs to be your front-and-center priority for 2011. You should focus on applying sensible controls to protect your data.

That’s it for today. I hope you are enjoying your week. See you at RSA next week!

On the heels of the news that Apple CEO Steve Jobs was taking a medical leave of absence, the company announced its earnings after the close of the bell Tuesday. And even though Apple always sandbags its estimates, and even though it seems like we are used to seeing “Apple blows out its numbers” headlines every quarter, the announcement really was a blowout. The company announced record revenues, record profits ($6 billion), record shipments of Macs (4.1 million), record shipments of iPhones (16 million) and a gangbusters quarter for iPads (7.3 million). That might all seem abstract until you reflect that what this says about the changing mix of computing devices used by companies and by individuals:

• The iPad is replacing laptops for some customers. With shipments of over 7m in the last quarter, iPad sales are now a statistically relevant 7% of worldwide PC sales. Combine that with the observation that netbook sales are down by 30% year over year. The conclusion: the iPad is becoming not just an accessory device, but a replacement device for a lot of mobile computing tasks. Our CEO and Chairman of the Board both carry an iPad; in the Chairman’s case, it has replaced his laptop entirely. Apple’s quarter means this won’t be an unusual phenomenon for long.

• iOS is emerging as a major enterprise platform to be secured. Since the introduction of the iPhone, Apple has sold 160 million iPhones, iPads or iPod Touch devices. Put another way, Apple sold 160 million devices that are capable of accessing corporate e-mail. If you assume that 25% of these devices are used for work purposes, that means 40 million iOS devices that need to be properly secured. That is probably a conservative number: Apple told the Street that 88% of the Fortune 100 are deploying the iPhone in some way, and that 80% are piloting or supporting the iPad. The canonical example of this might be JP Morgan Chase, which announced in December 2010 that every employee in its investment banking division will receive an iPad.

There are a lot of pundits and security vendors that see the emergence of Apple as a non-traditional enterprise supplier as a sign of impending doom. McAfee believes that we’ll finally see an influx of Mac and iOS malware (despite the dearth of it in the past). Cisco says something similar. And so does Sophos (although that’s a drum they have been beating so long I’m surprised their arms haven’t fallen off).

Our view here at Perimeter is that all this talk about Apple malware is just a bright-and-shiny argument not dissimilar to the bright-and-shiny qualities of Apple products themselves. It’s hot air meant to scare customers and promote vendor products and ahem, “demonstrate thought leadership.” That’s fine, but customers should not be misled. The security issues with Apple devices are far less dramatic, and far more prosaic, than whether a sly programmer can slip malware past the App Store screeners. As an analyst at Forrester, I wrote extensively about why anti-malware software won’t be needed on Apple iPhone and iPad devices, due to core security features in iOS like code signing, mandatory access control (“sandboxing”) and trusted boot processes. Moreover, despite all of the screeching about potentially overly privileged applications that might or might not be beaming your contact list to Outer Mongolia, chatty apps aren’t a major issue either (at least not yet).

The real security issue that the increasingly omnipresent Apple devices force us to confront is much more basic. And it is related to what the devices are used for — getting email. Companies I speak with about mobile security issues want to make sure that their employees access e-mail and other company resources safely, and in accordance with standard security policies. That means:

• Automatically provisioning your e-mail accounts and global address books
• Encrypting traffic to and from e-mail servers
• Locking the device with a PIN or passcode, 6 digits at a minimum
• Setting a policy so that devices automatically lock themselves after 15 or 30 minutes of inactivity, and automatically erase themselves after excessive timeouts
• Activating the “remote wipe” feature that allows administrators to brick a device if it has been lost or stolen

In other words, the major security issue with Apple products is how to implement security controls, and not about repelling the wily hacker. The good news is that policy controls are not very hard or expensive to do — just configure your Microsoft Exchange server or Lotus Notes Traveler server to enforce the relevant security policies via ActiveSync. PerimeterUSA customers, for example, can implement iOS security features as a standard feature of our hosted Exchange service. Apple also provides the iPhone Configuration Utility that allows customers to generate policy files that can be distributed to air to iPhones and iPads.

So to sum up: what Apple’s blowout quarter means for security is three things, in the short term is this:

• It means that you will soon see a lot more Apple devices on your corporate networks
• It means you will need to configure these devices with sensible security policies, but that…
• …most of the things you need to do are straightforward, and can be done inexpensively

Over the longer term, the iPad in particular has interesting implications for security in addition to the e-mail, connectivity and configuration topics I’ve mentioned in this post. With the iPad, it’s all about the apps. I will write about that in a future post. In the meantime, good luck finding a fashionable case for your new device.

Last week I hosted a webinar called “5 Data Security Predictions for 2011.” The webinar was my first of many for Perimeter. It was lots of fun. I received some excellent questions from the audience. And I was gratified to see that we had several hundred registered attendees, too!

For those of you who couldn’t make the webinar, you can click on this link to view the replay. But if you are allergic to multimedia, I thought I’d summarize the topics I covered in the webinar here. Last week’s webinar had three goals:

• To take a look back at the key security trends from 2010
• To summarize the three most interesting security events of the last year, and the lessons we learned from them
• To predict five data security trends for 2011

This post covers the first item on the agenda: looking back at 2010.

2010: The Year of Living Dangerously

With many apologies to the actor formerly known as Mel Gibson, 2010 extended and deepened four trends we’ve seen in previous years. These should seem familiar to you, but there are a few twists that make them worthy of comment. In 2010, we observed:

• Multiplying threats. It should come as no surprise to astute security professionals that malware has continued to proliferate. As with previous years, the number of circulating malware samples increased, by some counts, by a factor of 10 over the previous year. McAfee, for example, estimates the the number of samples has exceeded 50 million. Other AV vendors have reported similar figures. The reason for the increases is simple: attackers are creating malware in smaller “batch sizes” (but with a larger number of batches) to evade detection by anti-virus engines. We are getting close to what I call “designer malware”: one signature, one victim. It’s not hard to understand why that strategy would work for the bad guys: if you can create unique malware for each victim, you can slide under the radar screen of the AV labs because the prevalence is nearly zero.  The low-and-slow attack vector for modern malware is a difficult challenge for everyone in the industry. And it is clearly successful. From Perimeter’s perspective as an MSSP, we have been tracking nearly 25 botnets that we’ve observed in action inside our customers’ networks. We expect to track more incursions in the future.
• Migration of malware to the web. Hand-in-hand with the explosion in malware samples is the change in attack tactics. Instead of mailing infected attachments to their intended victims, the bad guys are much more likely to send e-mails with hyperlinks in them, which they then induce the recipient to click on. When clicked on, the link leads to a site that dynamically generates “drive-by” malware that is custom-made for the victim. Again, this goes back to the “designer malware” comment in the previous bullet. Some of the vendors I’ve worked with in the past (like WebSense) have noted the movement of malware away from e-mail and towards the web. As an MSSP with content filtering services, we’ve noticed it too. What it means for our customers is that web content-filtering becomes a lot more important than it used to be. Keeping inbound web traffic free from malware becomes as critical for security (indeed, more so) than the outbound stuff. Never mind whether Johnny in Accounting is spending too much time on ESPN’s website — you should care just as much if he’s getting 0wned when he goes there.
• Mobile security fears. From the iPad to those newfangled Android devices, every enterprise I’ve spoken with is worried about what modern Post-PC devices will do to their security posture. The urgency stems from two sources. First, managers want to know how to apply security controls to consumer-grade gear being brought into the workplace by employees and executives. They want to know what kind of password and data protection policies they need, and how to apply them to gear that isn’t named BlackBerry. Second, companies have concerns about the iPad in particular, because of business initiatives outside IT. Both scenarios are equally important. You can read about my perspective on Apple devices in this Forrester report, which I wrote last summer, and in press accounts of it here and here.
• More compliance pressures. Compliance and security are often conflated, but it’s best to view the kinds of security activities enterprises do for compliance purposes as a kind of tax they have to pay to stay in business. And every year, the “tax rate” goes up. For example, with the passage of the HITECH provisions of the American Recovery and Reinvestment Act (ARRA) of 2009 (aka “the stimulus bill”), health care Covered Entities (hospitals and providers of medical care) and their Business Associates (insurers, and other partners) are subject to more stringent rules on what they must do to safeguard personal protected health information (PHI). For retailers, recent revisions to the Payment Card Industry’s Data Security Standard (PCI-DSS) means that businesses that accept and process credit cards must tighten up their wireless networks, manage their server log files better and audit their web-facing applications. And in the banking sector, new rules from FINRA around social media means that employers must monitor their employees’ use of Facebook and other outside websites.

All four of these trends are top-of-mind concerns for just about every security professional and CISO I speak with. What is most interesting for me, as an observer, student of security and CTO is the mix of concerns. Threats and compliance pressures are perennial concerns: they are always with us, and always need tending to. The attackers won’t stop brewing up increasingly lethal doses of malware for consumption by the unwitting, and the auditors won’t put down their clipboards. But the new evergreen issues on this list — mobile security, and the increased lethality of web content — could cause rapid shifts in company security postures very quickly if they aren’t dealt with. How we respond to these two issues is the key.

And on that note, we’re at a good breaking point for this post. The next posts will summarize what we learned from 2010′s three most interesting events, and offer predictions for  2011.

The following table summarizes the November security bulletins that affect Microsoft Windows in order of severity.

Affected Software

^[1]The security updates for Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac are unavailable at this time.

To avoid being affected by these vulnerabilities, our security experts recommend installing the necessary update on your machines which can be found on the Microsoft website.

Here is the link for more information.
http://www.microsoft.com/technet/security/bulletin/ms10-087.mspx

The Perimeter Security Operations Center has recently discovered that upon visiting these sites you may be presented with either a fake Adobe Reader 8 Install prompt or a Microsoft Security Essentials “Infection Found” pop-up window.  Neither of these are legitimate.

This ad based drive-by download presents itself as ThinkPoint.  The file may use a legitimate name such as hotfix.exe or mstsc.exe and is saved to a temp directory.  It then picks out random files, claims they are infected and forces you to “clean” these false threats.  ThinkPoint will state that you need a heuristic program to fix the problems and offers to sell one for $99.90.  Do not purchase ThinkPoint; this program is fraudulent!

Anti-viruses may detect this as FakeAV, FakeAlert, or a generic Trojan.  A full list can be found here:

http://www.virustotal.com/file-scan/report.html?id=c049d274905ac80c9377e1cb0c291a5e67c33876ce256454db29dea953e44e4a-1287696527

There is a surprising lack of information about this trojan variant, considering how popular the sites are that are helping spread it.  We have found one reputable anti-virus vendor with insight:

http://www.f-secure.com/weblog/archives/00002053.html

For Perimeter’s ITC customers we have added a Null Route to blacklist the IP address of the domain actually serving the malware.  The advertising domain has also been submitted to Fortinet to be recategorized as Malware until this issue can be resolved by the primary domains using the advertisements.

For customers using Fortigate, additional steps of preventing this kind of infection include subscribing to Web Content Filtering while blocking the Advertising and Unrated categories, and subscribing to network anti-virus with download of Executables blocked.

By Venture Capital Dispatch

The following dispatch comes from Robert Armstrong, a senior columnist with Dow Jones Investment Banker:

Big IT companies buy their smaller peers to ward off competition. Paradoxically, the strategy can give innovative young companies a foothold in the market.

For entrepreneurs in enterprise IT and their venture capital backers, this phenomenon should provide inspiration. For M&A strategists at the market leaders, it’s a warning.

Dow Jones Investment Banker recently spoke with several profitable and fast-growing venture-backed enterprise technology companies. Many executives emphasized how the acquisition-minded giants — as difficult as they are to compete against — have created opportunities for upstarts like themselves.

Big vendors such as International Business Machines, Hewlett-Packard and Oracle Corp., have an iron grip on the enterprise market, due to conservative corporate IT buyers and high switching costs. Adding new products though acquisition is a strategy designed to tighten this grip further. The thinking is that buyers will be happy to one-stop shop with a trusted name and will be enticed by all-in pricing packages.

Oracle, for instance, has bought 31 companies in the last three years, including Sun Microsystems and BEA Systems Inc. Rival H-P has bought 23 companies, including Electronic Data Systems, 3Com Corp, 3PAR Inc. and ArcSight Inc, over the same period.
Some smaller companies are turning the acquisition strategy against its practitioners.

SevOne Inc., backed by Osage Ventures, sells software and hardware for IT infrastructure performance management, and competes against a murderers’ row of IT giants including H-P, IBM, CA Inc. and BMC Software. The Delaware-based company has managed to grow well all the same, swelling from 15 employees three years ago to 50 today. Thomson Reuters Corp., Comcast and Computer Sciences Corp. are on its customer list.

SevOne’s products identify, analyze, document and report on problems in customers’ networks. Chief Executive Mike Phelan says his competitors’ offerings “are often actually a different product for each step in the process.” In many cases, the parts were picked up in separate acquisitions.

The messy genealogy of the big vendors’ products, along with the very fact that they are often part of a much larger product suite, leads to two problems for buyers: cumbersome upgrade paths and difficulty scaling up. “We deliver new capabilities a little at a time, but very frequently,” says Phelan, and when customers are looking to grow, scaling up to manage a bigger network is simple.

The idea that the big guys are at a disadvantage when it comes to upgrades and scaling up is echoed by Samir Gulati of Appian Corp., a Virginia-based maker of business process software. He has found that the competitive products from the large IT houses are often four different products — a database, a reporting engine, a process server, a portal product — parts of which will have been developed at different companies. The key issue, again, is that the focused, organically grown product is easier to update: “we upgrade every month or quarter — the big vendors can’t match the innovation.”

Appian, backed by Novak Biddle Venture Partners, generated 60% growth in license revenue in 2009 and has secured customers such as Amazon.com Inc. and the Office of the Comptroller of The Currency.

The increasing complexity of companies’ IT infrastructure is another key factor. It has become more important than ever that when a new product is added, it is interoperable with all those that went before, which often come from a variety of suppliers.

Augie Gonzalez, director of product marketing for the storage virtualization firm DataCore Software Corp., says “our pitch to buyers is, whoever they buy their storage infrastructure from, we can help them maximize the value of that infrastructure.”

Florida-based DataCore competes against many companies, such as IBM, that offer a hardware/software solution — which precludes this kind of vendor agnosticism. Its investors include Flagship Ventures, Insight Venture Partners, New Enterprise Associates, and Updata Partners.

The same message is shared by Tim Harvey, CEO of Connecticut-based Perimeter E-Security, which offers security monitoring and reporting services to customers, and last summer raised $104 million from Bessemer Venture Partners, Goldman Sachs and Stripes Group. Its product is designed to work with — indeed to maximize the value of — products offered by security giants McAfee Inc. and Symantec, and Harvey sees this as a key selling point.

There is an irony here. The fact that companies like these have profitably exploited the intrinsic weaknesses of the big acquisitive conglomerates increases the chance that they will, in their turn, be acquired by those very conglomerates.

If history follows its usual course, some of these acquisitions will work well — but others will do little more than open the door to new entrants.

Original post:
http://blogs.wsj.com/venturecapital/2010/09/29/when-consolidation-fosters-innovation-among-start-ups/