iTunes Accounts Hacked? or, Something Worse?

July 5th, 2010 | ed.higgins

So perhaps only a few have heard about the July 4th news story reporting that several iTunes accounts (30 accounts ??) across the globe were compromised by the developer of an application (or several apps).

The story alleges that iTunes was hacked and several user accounts were compromised by an application developer who exploited people’s iTunes accounts to purchase his applications, so much so that it elevated him to the top of his applications’ category. Now, I would suggest that more than 30 accounts would have to be involved to elevate an app to the top of its category, but that’s beside the point. It is likely that more accounts are involved: some go unreported, and some owners are completely oblivious to their losses.

Read the story for yourself….

I’m not so convinced that iTunes was hacked by some thief brute forcing username/password combinations to crack 30 accounts out of millions. While it is entirely possible that Apple could be hacked and that data could be stolen in bulk, I think there are some alternative ideas that should be considered.

Hearing that the culprit could be a crooked application developer, I began to think about the security controls (OR LACK THEREOF) and assurance measures that may exist (OR NOT) to ensure that crooks aren’t selling apps on the iTunes store that have the ability to siphon data and/or steal your identity while you enjoy the app’s cool primary function, the secondary function being the malicious, unadvertised one.

Consider the following:

1) Many apps require that you enter your iTunes password in order to install them. What if a phishing utility did the same? I will call this a PhApp (I copyright (c) the term PhApp to me). But how does one discern the difference between “legitimate Apple password requests” and “malicious password requests”?

2) What would prevent an installed application from having complete control over your accounts? You authorized this by clicking install and giving your password (as in item #1 above). And do any of us really analyze the request each time our iPhone asks us to enter our password? I think many would provide their email password without a second thought if a dialog box popped up asking for it.

3) What controls exist that prevent a crook from embedding tools inside seemingly functional applications for harvesting your contacts, bank accounts, passwords, and other sensitive info? Perhaps the decoy application serves a legitimate purpose, but there do not appear to be any controls that would prevent malicious code from being included alongside the functional decoy code. Is there an application code review? Nope.

I am most concerned about item #3 above, especially because the future of mobile computing will leverage these pervasive technologies and methods. I think there needs to be some serious consideration given to protecting the data contained in these technologies from the effects of an ill-designed application.

I suppose the same problem exists in the personal computer realm, but at least your personal firewall will notify you of outbound connections. I speculate that you’d be more alarmed if a dialog box appeared on your PC right now asking for your iTunes password. But many people might not question the same event should it occur on their iPhone or iPad.

Perhaps, these controls do exist and I just missed something, but my hunch is, in its rabid growth, there are lots of controls that have been omitted or completely overlooked. I fear that the controls that could detect and prevent the above scenarios are among the missing.

Yes, I have an iPhone and, yes, I use it just like millions of others. I cringe every time that dialog box pops up for me to enter my iTunes password. Still, I give it.

As with all passwords, you should utilize complex passwords (UPPER case, lower case, non-alpha characters), no dictionary words, no dates, etc. And for goodness sake, please don’t use your username as your password, that’s just too stupid.

Thanks,
Ed Higgins
Vice President, Security Services

Virtual Machines != Security Virtual Reality

June 30th, 2010 | ed.higgins

Post #1, Virtual Machines != Security Virtual Reality

PathMaker Group is introducing some exciting new technologies to the market that greatly reduce the business cost of securing virtual environments while simultaneously increasing system efficiencies, measured in hard-dollar savings. In order to truly embrace the value of these innovative solutions and approaches, one needs to consider some of the obvious and not-so-obvious security issues looming in virtual space today.

This post is the first of my multi-part series on securing virtual machine environments, and I hope that it provides some additional insight into the security issues that I anticipate would concern every business using virtual machines, or considering using them.

The majority of security concerns found in virtual machines are very similar, if not identical, to those on physically separate platforms. However, virtual machines bring with them some very unique potential weaknesses, as described below:

  1. Techniques such as clipboard sharing allow data to be transferred between multiple VMs, as well as with the host. This seemingly useful functionality can also provide a very dangerous bridge for transferring data between cooperating malware programs running inside VMs of different security levels, or to exfiltrate data to or from the host or VM operating systems.
  2. The operating system kernel that provides the VM layer has the ability to log keystrokes and screen updates passed across virtual terminals in the virtual machine. The keystrokes and screen updates are logged to files located on the host, allowing monitoring of even encrypted terminal connections inside the VM.
  3. Some VMs have no form of isolation whatsoever, giving the guests unfettered access to the host’s resources, such as the file system and device resources. Such solutions tend to focus on running applications designed for one operating system on another operating system, and eschew the isolation that many VM users expect. VM users with significant security and isolation needs should invest some time to determine a proper approach toward isolation.
  4. The now common buzz-term, “virtual sprawl”, refers to a condition in which IT managers and, in some cases, even end users install virtual machines all over the enterprise, creating a dysfunctional mess that is hard to manage and in most cases introduces huge security gaps. As a result, systems of various security classes and purposes may be haphazardly found adjacent to one another, potentially exposing the most sensitive information to the Internet. Virtual machines, especially temporary test VMs, may get sporadically created, used briefly, then lost and/or forgotten altogether.

In the next several posts, I will pick apart each of the four items above to elaborate further on these particular security issues and provide insight and security best practices to help head off these potential disasters.

Thank you,

Ed Higgins

Vice President, Security Services

Predicted Solar Flares a Security Risk? Really?

June 22nd, 2010 | ed.higgins

This post may seem a little off-topic, more science fiction than security, or perhaps read a bit like a joke, but nonetheless I wonder: in our security risk planning, have we seriously considered natural disaster risks such as solar flares?

As a kid of the 70s, I remember that at certain times my CB radio (remember those?) could receive signals from locations a few thousand miles away, well beyond the capability of my radio and antenna. Or those times when the television reception was just not that good at all, terrible in fact? These things were all directly related to solar activity, sun spots, and solar flares.

So, now we fast forward to current time, a time in which we are heavily dependent on electricity, computers, cellular, digital telecommunications, wireless, satellite communications, radio frequency and infrared devices, anything magnetic, etc.

In the past 10 years, we’ve seen our list of technology requirements grow, as has our dependence on these and the resources that support them. Think for a minute: what would your life, right now, be like without a computer network or cell phone for a week or several months? How about no television or satellite communications? What about our business transactions, electronic commerce, banking and trading? What if there were no electricity for several weeks or perhaps months because our energy grid management systems were broken, not able to automatically open and close the power switches along the grid that deliver electricity to our homes and businesses? What if energy produced by hydro, wind, nuclear and coal-fired generators were all halted because the microcomputers that control them were all fried and disconnected? Alarmist? Perhaps. Thought-provoking? At least I think so.

Our nation’s energy businesses have all been diligently implementing controls and plans to protect us from the infamous “cyber attack” on our electrical grid systems. But what if this particular threat was the least of our worries? Driven by NERC CIP, regulators mandate that energy producers improve Critical Infrastructure Protection, the cyber-security controls that surround the critical infrastructure systems controlling things such as the energy grid, water treatment facilities, air filtration fans, and toxic materials disposal. These regulations largely address the security risks of outages caused by terrorist acts, accidents, malicious hackers, and other cyber-villains.

While cyber attack is a legitimate threat to our infrastructures, what if the biggest threat was the 11-year cycle of predictably repeated, historically recorded events relating to solar flares and sun spots, a cycle that goes back millions of years?

In these most recent of years, and at no other time in history have we all grown so very dependent on systems that are the most fragile to mass effects of solar flare activity.

In 1859, a solar eruption occurred that was so powerful it set fire to hundreds of telegraph offices; people got nasty electric shocks simply because they were working with metal objects. In 1859, however, we had no televisions, cell phones, power grid management systems, smart meters, etc., so arguably the impact was less visible.

Now continue these 11-year recurring events forward to modern times…

In 2003, and the most recent peak in solar events, we experienced outages that included computer system failures, magnetic data backup tape failures, electricity outages to homes and businesses, disrupted television and satellite operations, and greatly disrupted radio signals.

NASA and the scientific community accurately predicted the solar events; however, the only means of reducing the risks was simply to shut off high-risk devices. NASA temporarily shut down certain radar and satellite tracking antennae to avoid their destruction. NASA even grounded space shuttle flights to protect astronauts from the severe threat of deadly radiation exposure, as space is not protected by the magnetic field that protects the Earth.

Check out these interesting and informative videos on the solar flare phenomena:

  1. Attack of the Sun
  2. Nasa Warns Of Super Solar Storm

As we explore and deploy all of the new methods for acquiring and producing energy, we expand our power grid to accommodate wind farms, solar arrays, new nuclear plants, and other renewable energy sources. This grid will get larger and smarter, with microprocessors inside almost every device, communicating and negotiating with one another, running everything from air conditioners to power plants.

A sudden surge of solar activity could strike the grid directly, inflicting substantial damage on our “smart power economy”.

A similar storm today, or in 2013 when peak solar flare events are predicted, could easily cause several trillion dollars in damage to our sensitive high-tech infrastructure, potentially thousands of times greater than hurricane Katrina.

Modern information security strategies are focused on physically and logically protecting data, keeping systems up during brief outages, recovering a destroyed data center to another with waiting equipment, preventing intruders or insiders from stealing company secrets or sensitive information such as customer credit cards, health records, et cetera ad nauseam ad infinitum.

Our Disaster Recovery Plans and Business Continuity Plans tend to focus on events with which we have some prior experience, like the horrible tragedies of September 11th, hurricane Katrina, and even the threat of widespread pandemic influenza. But what about the global impact of a modern-day solar flare event? How will we respond? What will we do when these naturally occurring solar flares generate the same interference as they have over previous 11-year cycles for millions of years, but this time cripple the computerized devices that we have become so dependent upon?

Thoughts?

Ed

Realizing Rapid Value from Identity Management Provisioning

May 31st, 2010 | keith.squires

We’ve been working with most of the leading Identity Management/Provisioning tools since 2003. Most of the products have been acquired or rolled up into a larger suite of products. This process brought maturity, stability, and added investment to the industry. This helped the products and industry establish a place in the IT infrastructure that’s here to stay.

When we first meet with a prospective client we always ask the question, “What’s driving your need for provisioning?” Most organizations will talk first about audit compliance forcing these initiatives. And although this driver has finally elevated the effort to become a budget priority, the fact is that most companies wanted to do the project years ago simply to improve the overall security of the organization. And that can still be done pretty quickly.

So what if you’re one of those organizations that still can’t seem to justify the project? Let me suggest you consider a streamlined, rapid approach that will enable you to realize value quickly, and I mean in a matter of weeks rather than months or years!

Consider this rapid four-step approach:

1. Acquire a leading vendor solution (we can help educate you if you don’t know where to start). The products are more affordable than ever.

2. Integrate the product with only two systems to begin with — HR and Active Directory.

3. Using the provisioning solution, match up your AD accounts with your verified HR accounts. Any AD account that cannot be validated against an HR account should be disabled, removed or heavily scrutinized.

4. Begin driving daily employee HR changes into your AD environment to create, remove, or change privileges as appropriate.
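As an added example of steps 3 and 4 above (this is illustrative code, not PathMaker Group's or any vendor's), the following Python reconciles a constructed HR roster against a constructed Active Directory export and lists the accounts to disable, review, update or create. The record layout, the employee_id link between the two systems, the status values and the sample data are all assumptions; a real deployment would read them from the HR system and from AD.

```python
"""Reconcile AD accounts against the HR roster.

Added example, not PathMaker Group code. The HR feed, the AD export, the
field names and the sample values below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    department: str
    status: str          # assumed values: "active" or "terminated"


@dataclass(frozen=True)
class AdAccount:
    sam_account_name: str
    employee_id: str     # "" when the AD attribute was never populated
    department: str
    enabled: bool


# Constructed sample data (hypothetical people and accounts)
HR_ROSTER = [
    HrRecord("1001", "Alice Adams", "Finance", "active"),
    HrRecord("1002", "Bob Brown", "IT", "active"),
    HrRecord("1003", "Carol Clark", "Sales", "terminated"),
    HrRecord("1004", "Dan Diaz", "HR", "active"),
]
AD_ACCOUNTS = [
    AdAccount("aadams", "1001", "Finance", True),
    AdAccount("bbrown", "1002", "Sales", True),    # HR says Bob moved to IT
    AdAccount("cclark", "1003", "Sales", True),    # terminated in HR, still enabled
    AdAccount("svc_backup", "", "", True),         # no employee id at all
    AdAccount("jdoe", "9999", "Marketing", True),  # employee id unknown to HR
]


def reconcile(hr_roster, ad_accounts):
    """Return the provisioning actions implied by the two data sets.

    'disable': enabled AD accounts whose HR record is terminated
    'review' : AD accounts with no HR record (step 3: disable, remove or scrutinize)
    'update' : AD accounts whose department no longer matches HR (step 4)
    'create' : active HR employees with no AD account (step 4)
    """
    hr_by_id = {rec.employee_id: rec for rec in hr_roster}
    ad_by_id = {acct.employee_id: acct for acct in ad_accounts if acct.employee_id}
    actions = {"disable": [], "review": [], "update": [], "create": []}

    for acct in ad_accounts:
        rec = hr_by_id.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            actions["review"].append(acct.sam_account_name)
        elif rec.status == "terminated":
            if acct.enabled:
                actions["disable"].append(acct.sam_account_name)
        elif acct.department != rec.department:
            actions["update"].append((acct.sam_account_name, rec.department))

    for rec in hr_roster:
        if rec.status == "active" and rec.employee_id not in ad_by_id:
            actions["create"].append(rec.employee_id)
    return actions


if __name__ == "__main__":
    for category, items in reconcile(HR_ROSTER, AD_ACCOUNTS).items():
        print(f"{category:8s} {items}")
```

Running the same function every day against the fresh HR feed is what step 4 amounts to in practice.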

This approach to beginning your provisioning project may seem overly simple, but it’s the best way to see value quickly and begin to gain momentum within your organization and among your budget stakeholders.  You just realized a huge benefit by removing hundreds, if not thousands, of invalid accounts from your AD environment.

Too many companies have tried to deploy Identity Management/Provisioning with overly complex requirements. The projects lose momentum, never see production and eventually get dropped from the budget altogether. They never get another shot at success and the product becomes shelfware.

One more comment on selecting a software product: please trust your systems integrator over a software vendor PowerPoint presentation. You can spend countless weeks or months evaluating, scoring, running proofs of concept, etc. But if you want to really move quickly, find a reputable systems integrator who has multiple long-term client references. Pick a product and move on down the road. All products are not created equal, but a good systems integrator can simplify the tasks and get you realizing value from your investment sooner rather than later.

Thanks.

Keith Squires

Log Management the Easy Way!

May 27th, 2010 | david.wagner

The Need for Effective Log Management

Log Management is a necessity for regulatory compliance and essential to maintaining a positive security posture in your environment. As your IT organization evolves to comply with today’s regulations and defend against new network security threats, you should choose a solution that avoids expensive maintenance and operating costs, reduces the number of resources needed to maintain and support your solution, and most importantly provides the most effective log management solution on the market today.

Our SaaS offering collects log data via an agentless collection device and provides log storage, reporting, correlation and monitoring leveraging our grid computing and storage architecture in our highly secure redundant datacenters.

Smartest Way to Manage Logs

A cloud-powered Log Manager solution is the smartest choice for overregulated businesses with underfunded IT departments.

1. Reduce costs: No hardware, software or maintenance to purchase greatly reduces your cost of ownership. All storage, monitoring, maintenance, upgrades, and support are handled by us, removing the need for staff resources to manage the solution.

2. Effective Log Management: Log Manager collects, stores, reports and correlates log data in our highly secure and redundant datacenters, helping you avoid the maintenance and operating costs of on-premise solutions.

LogReview Service: Extends the value of Log Manager and frees up your resources by transferring the burden of daily log review and maintaining a PCI DSS compliant audit trail to our team of certified security analysts.

Call us today and eliminate the burden on your IT Staff and the high costs associated with storing logs!

David Wagner-ITIL Certified

VP/Sales

Cyber attacks, they occur more often than you think!

May 27th, 2010 | david.wagner

Cyber attacks have become a ‘weapon of choice’ for many terrorist organizations. Cyber attacks can be launched from anywhere in the world that has Internet access, are often untraceable, and have the potential to wreak havoc on our financial and economic systems, defense networks, transportation systems, power infrastructure, and many other essential capabilities.

Although not widely publicized, cyber attacks occur routinely. Within the State of Texas, a major computer security incident with significant financial and operational impact is an annual event for most organizations, including state government entities. In fact, state entities reported a daily average of almost 575 security incidents in fiscal year 2009, including malicious code execution, unauthorized access to data, and service disruptions. Most of these attacks are blocked, prevented, or result in only minor disruptions.

Between January 2005 and August 2009, Texas-based organizations reported 105 incidents involving privacy data; 43 of these incidents were government-related (universities, cities and counties, and state agencies). These 105 incidents exposed over 3 million records, with the cost estimated at an all-time high of $202 per record exposed, totaling $606 million dollars to recover from the attacks. This is why it is imperative for organizations to have a “multi-layered” approach to security to ensure these attacks remain unsuccessful or only do minimal damage and disruption.

David Wagner-ITIL Certified

VP/Sales

Why is it even more important to have an IR plan than a DR plan?

May 19th, 2010 | david.wagner

Virtually every organization has a DR (disaster recovery) plan in place, as they should. However, most organizations don’t have a detailed IR (incident response) plan in place for when their IT systems are impacted by malicious behavior from either external or internal causes.

Why is it potentially more important to have an IR plan in place vs. a DR plan? The answer is simple: statistics. According to several credible sources, the percentage of companies in the United States who experienced an IT incident in 2009 related to a directed malicious attack from either an external source (malware, etc.) or internal source (privileged user, disgruntled employee) was 49%, compared to less than 10% of organizations who actually activated and used their DR plan.

Over the last few years we, at PathMaker Group, have seen both the number of incidents and their impact (downtime and financial) increase dramatically. Surprisingly, most organizations still don’t have a defined Incident Response team and procedures to address these issues in a timely fashion to reduce downtime and financial impact.

Additionally, with the increasing number of regulations requiring organizations to notify their customers when and if their Personally Identifiable Information (PII) has been breached, or even exposed for a brief amount of time, the financial impact can be significant. Just sending out notification to 50,000 users that their SSNs were exposed on a public website for approximately one hour cost a healthcare company over $500,000 in actual costs.

That is why it is vitally important to put together an IR team that includes independent third-party experts to help minimize the impact of any breach.

Unlike a DR plan, an IR plan needs to include independent personnel from outside the organization because of the potential litigation that may result. Should a breach occur, whether from an external malware or phishing attack or internally from a privileged or disgruntled employee, you need first to understand its scope and then to contain the breach.

So, the first calls when an IT organization realizes they are in the middle of an attack or becomes aware of a significant IT breach should be to the CEO, GC (general counsel) and an independent 3rd party Incident Response company such as PathMaker Group.

The main reasons for contracting with an independent third party are both later potential litigation and the specialized expertise needed to analyze and understand what is occurring. An organization needs to “collect data in a forensically sound and accepted fashion” using industry-recognized tools and then preserve and store this evidence via a documented “chain of custody” maintained by certified forensic specialists. The organization should have personnel who are also licensed Private Investigators in that state and have experience testifying in a court of law. An added bonus is if they have worked with the Secret Service and FBI on ACH and other financial fraud transaction cases.

Many organizations make the HUGE mistake of attempting to use “Joe, the IT guy” to collect the critical data. In so doing they either corrupt the data or otherwise open themselves to questions from opposing counsel about the validity of the data, given the lack of qualifications of the internal IT staff, and therefore lose the case.

In conclusion, it is imperative that any company that has a DR plan in place also create and implement an IR plan. By including an organization that specializes in IT breaches, it ensures that it will be able to minimize the impact, collect and preserve the data needed to analyze and determine the origin of the breach, and then have a much higher probability of successfully recovering funds and/or data and prosecuting the appropriate parties.

Thanks,

David Wagner-ITIL Certified,

VP Sales

We have the coolest security technology partners!

May 19th, 2010 | keith.squires

Recent press supports our direction in selecting leading-edge security technology partners. Not long ago, NetWitness found the most invasive botnet in recent history.

Now our cloud-based monitoring solution partner, Alert Logic, discovered a serious bug with Facebook.

IDG reported “Facebook is fixing a Web programming bug that could have allowed hackers to alter profile pages or make restricted information public.

The flaw was discovered last week and reported to Facebook by M.J. Keith, a senior security analyst with security firm Alert Logic.

The bug has to do with the way that Facebook checked to make sure that browsers connecting with the site were the ones they claimed to be. Facebook’s servers use code called a “post_form_id” token to check that the browser trying to do something — liking a group, for example — was actually the browser that had logged into the account. Facebook’s servers check this token before making any changes to the user’s page, but Keith discovered that when he simply deleted the token from messages, he could change many settings on any Facebook account”

http://www.networkworld.com/news/2010/051910-facebook-fixing-embarrassing-privacy.html?fsrc=netflash-rss
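As an added illustration of the bug class the quoted report describes (this is constructed example code, not Facebook's or Alert Logic's), the Python below shows a server-side check that validates its form token only when one is supplied, beside the corrected check that treats a missing token as a failed check. The session id, the HMAC-based token construction, the form layout and the simulated endpoint are all assumptions.

```python
"""Form-token check: the bypass-by-omission pattern versus the fixed check.

Added example, not Facebook's or Alert Logic's code. The token scheme
(an HMAC over the session id under a server secret) and the request shape
are constructed assumptions.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # constructed per-process secret


def issue_token(session_id: str) -> str:
    """Bind a form token to the logged-in session so it cannot be guessed."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _token_matches(session_id: str, token) -> bool:
    """Constant-time comparison; any non-string or non-ASCII value fails."""
    if not isinstance(token, str):
        return False
    try:
        return hmac.compare_digest(token, issue_token(session_id))
    except TypeError:             # non-ASCII str cannot be compared
        return False


def vulnerable_check(session_id: str, form: dict) -> bool:
    """Rejects a wrong token, but a request with NO token passes.

    This is the logic shape described in the report: the server validates
    post_form_id only when the field is present.
    """
    token = form.get("post_form_id")
    if token is not None and not _token_matches(session_id, token):
        return False
    return True


def fixed_check(session_id: str, form: dict) -> bool:
    """Absent, empty or wrong token: all rejected. Only a valid token passes."""
    token = form.get("post_form_id")
    if not token:
        return False
    return _token_matches(session_id, token)


def like_group(check, session_id: str, form: dict) -> str:
    """Simulated state-changing endpoint guarded by the chosen check."""
    return "changed" if check(session_id, form) else "rejected"


if __name__ == "__main__":
    sid = "session-123"                       # constructed session id
    for name, form in [("valid", {"post_form_id": issue_token(sid)}),
                       ("wrong", {"post_form_id": "0" * 64}),
                       ("missing", {})]:
        print(f"{name:8s} vulnerable={like_group(vulnerable_check, sid, form):9s}"
              f" fixed={like_group(fixed_check, sid, form)}")
```

The defensive rule the fix encodes: a state-changing request is rejected unless a token is present and valid, never merely when one is present and invalid.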

If you need to know more about how to secure your environment, outside and inside, with these and other leading-edge technologies, we will provide a $6,000 fixed-fee, rapid FastPath TM Security Assessment. With a couple of days on site and a few days of analysis, we can give you a heads up on areas where you may need some remediation. This is a small investment to help your IT Security leadership sleep better at night.

Federation is no longer an option

April 24th, 2010 | keith.squires

In the past six months we’ve had more conversations with prospects and clients about Federation than in the prior six years. The technology is being widely adopted and is no longer a barrier. What is becoming a barrier is managing the multitude of user ids and passwords required to perform someone’s daily job duties. Or, more commonly, all these ids or multiple logins may be the reason a customer chooses a competitor to transact business with. Strategic business direction almost mandates that a move to a seamless customer logon experience is no longer optional. It will start costing companies significant business (if it hasn’t already).

It’s becoming clear, based on our conversations with clients, that a federated identity management model is moving up the priority list for IT management. And it’s being driven from the business side. If you’re in IT security or infrastructure, are you educated and ready to help move your company forward?

Give me a call and let’s set up a lunch and learn to get you and your stakeholders up to speed on the benefits of moving to a Federated World. What are the key technologies and products? What are the critical success factors for a successful federation program? What will it cost and how long will it take? Let us answer these and other important questions.

Comments?

Keith Squires

President and CEO, PathMaker Group

Security as a Service (SaaS) Model?

April 21st, 2010 | ed.higgins

For clients who have limited capital expense budgets, we’ve created a suite of services to help them meet the challenge of a limited budget and the need to get the maximum benefit from their security solutions. With services in log management, threat management, file integrity management, vulnerability management, wireless device security management and 24×7 monitoring, we’ve effectively resolved eight of the most challenging Payment Card Industry (PCI) requirements.

Instead of spending several hundred thousand dollars, and even more in additional personnel and equipment rack space among other things, to launch these products yourself, why not consider our SaaS model, where for just a few thousand dollars per month you get the benefits of the latest technology, reduced work for your personnel, and a greatly improved security operations service.

In traditional outsourcing models, the customer gives up visibility and control to their inner operations. Not in our model! You can have as much access, full control, and visibility to everything that our Security Operations Center sees. We’ll just handle it around the clock!

Ed