Stories by Robert Lemos

Industry searches for answers after RSA breach

RSA's revelation that its network had been breached and information relating to its SecurID one-time password technology stolen has left customers and industry experts with more questions than answers.

Denial-of-service attacks top web attack list

Driven by the hacktivism of the loose-knit Anonymous group, denial-of-service attacks surged to the top of the list of web incidents, outpacing SQL injection and cross-site scripting, according to a survey of publicly disclosed attacks.

Moving to Cloud to Gain Agility: 5 Lessons

When Biogen Idec considered a move to the cloud, cost savings was not the primary concern. For a biotechnology company that lives and dies by its research division, the ability to quickly spin up computer resources for its scientists was far more important.

They're back: spammers return from year-end break

System administrators got a welcome Christmas present from the least likely of sources.
Starting from December 25, the cyber criminals behind the Rustock botnet [1] took a vacation, causing spam levels to drop significantly, according to Symantec and Trend Micro. The hiatus, however, did not last. On Monday, following 15 days of near-zero spam levels, the spammers turned their systems back on, inundating end-users with pharmaceutical-related spam.
"While levels of Rustock output appear marginally lower than before Christmas, we see no reason they won't reach those previous levels again, bringing global spam levels back up to the approximately 90 percent levels we had become so used to," Symantec wrote [2] in an analysis of the fluctuations in spam.
Despite the short-term decrease in spam and an overall drop in spam since October 2010, the annual volume of spam for 2010 increased significantly [3] over the previous year, according to Trend Micro. The company attributes the drop in junk email since October to efforts to take down the SpamIt affiliate network, which pays "partners" who direct people to fake pharmaceutical sites.
"It appears that the drastic fall in the number of spam reported at the end of the year was a short-term blip," wrote Matt Yang [4], solutions product manager for Trend Micro. "However, in the midterm, it appears that the overall spam level has at least leveled off."
Rustock was not the only botnet to take a break. Lethic and Xarvester, two botnets responsible for a much smaller volume of spam, also shut down during that time, according to Symantec.
Overall, spam dropped to roughly a third of its previous volume during the hiatus, according to reports. The current crop of spam emanating from the Rustock botnet carries subject lines such as "Dear [username] -80 percent now" and is branded as Pharmacy Express.

Dell buys SecureWorks, sets sights on SMB market

Dell's acquisition of managed security services provider SecureWorks puts the company on track to become a one-stop shop for small and medium-size businesses seeking both hardware and services.
Announced earlier this week, the acquisition could be seen as playing catch-up with rival Hewlett-Packard, which has undergone its own midlife transformation, picking up security companies ArcSight in October, Fortify Software in September, and TippingPoint — as part of its 3Com acquisition. However, whereas HP aims squarely at enterprise customers, Dell's move will help turn it into a more complete provider to small and medium businesses, according to Josh Corman, research director at the 451 Group, an analyst firm.
"They are basically saying, 'You are already buying your servers and the laptops from us, so we will help you with compliance as well,'" Corman said.
Dell put the focus squarely on the small-to-medium-size business market in July, when the company announced a partnership with SecureWorks to "provide a portfolio of powerful security services to help midsize businesses improve their security posture, achieve their regulatory compliance, and lower IT costs by offloading day-to-day security monitoring, management and remediation to a trusted security services provider, working as an extension of a customers' IT staff," according to a statement issued by the companies.
SecureWorks also boosts Dell's presence in cloud services. In September, HP outbid Dell for data-storage cloud provider 3Par, paying about US$2.4 billion or more than 80 percent higher than Dell's initial bid, according to reports.
Although terms of the latest deal were not announced, the 451 Group estimates that the acquisition is likely valued at between $500 million and $550 million, or about four times SecureWorks' $120 million revenue in 2010. For a managed security service company, which relies heavily on staff expertise rather than deep intellectual property, such a multiple is quite good, Corman said. SecureWorks' initial contribution to Dell's $8 billion in service revenue will be small.

Cyber-criminals set traps for security researchers

Don't always trust the data. That's the lesson for security researchers exploring cyber criminals' botnets and infrastructure.
Over the past two months, criminals have run multiple campaigns built around the US Electronic Federal Tax Payment System (EFTPS) and its extended deadlines for tax payments. And some bot operators, wary of researchers trying to track their profits, have taken to planting fake data to lead researchers astray, say security experts.
While investigating targeted attacks against businesses, Brett Stone-Gross, a threat researcher with startup security firm LastLine, found servers whose admin consoles accepted common username-password combinations and redirected anyone who logged in with them to pages showing made-up statistics. At the same time, the server would surreptitiously record details about the person accessing the site.
"It's common for most exploit toolkits to contain an admin interface that manages exploits, payloads, and tracks exploit success rates," writes Stone-Gross. "However, the EFTPS exploit toolkit contains a completely fake admin console. This admin interface acts as a 'hacker honeypot' that records detailed information about who attempted to access the admin console, as well as who attempted to hack into it."
The fake admin page will accept usernames such as "admin," "root," and "user" in combination with common passwords, such as "password," "admin," and "toor."
Security researchers who enter any combination of the fake usernames and passwords will see a page populated with random statistics, including the number of loads per hour and the proportion of successful exploits. Meanwhile, the server collects data on the researcher, such as their IP address and any requests sent to the server.
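The mechanism described above, as an added illustration rather than LastLine's or the toolkit's own code: a fake admin console that "accepts" any of the weak credential pairs named in the article, re-rolls its counters on every page load, and logs every visitor regardless of outcome, alongside the kind of consistency check a researcher can run before quoting a panel's numbers. The credential sets, counter names and request strings are assumptions made for the example.

```python
import random
from dataclasses import dataclass, field

# Trap credentials: the usernames and passwords the article says the fake
# console accepts. Any pairing of the two sets "works".
TRAP_USERS = {"admin", "root", "user"}
TRAP_PASSWORDS = {"password", "admin", "toor"}


@dataclass
class HoneypotAdmin:
    """Simulated 'hacker honeypot' admin console (assumed layout, not the real one)."""
    rng: random.Random = field(default_factory=random.Random)
    visitors: list = field(default_factory=list)

    def handle_login(self, username, password, client_ip, request_line):
        # The real purpose of the page: record who came knocking, whether or
        # not the login "succeeds".
        self.visitors.append({
            "ip": client_ip,
            "request": request_line,
            "username": username,
            "password": password,
        })
        if username in TRAP_USERS and password in TRAP_PASSWORDS:
            return self.fake_stats()
        return None  # unknown credentials: ordinary login failure

    def fake_stats(self):
        # Counters are drawn fresh on every load, so they carry no information.
        total_loads = self.rng.randint(1_000, 50_000)
        total_exploits = self.rng.randint(0, total_loads)
        return {
            "total_loads": total_loads,
            "total_exploits": total_exploits,
            "loads_per_hour": self.rng.randint(10, 500),
            "success_pct": round(100.0 * total_exploits / total_loads, 1),
        }


def looks_fabricated(samples):
    """Researcher-side sanity check on successive snapshots of a panel's counters.

    Cumulative totals on a genuine panel cannot fall between two reads taken
    seconds apart, and the percentage the panel prints must agree with its own
    counters. Returns a list of reasons; an empty list means nothing obvious.
    """
    reasons = []
    for i in range(1, len(samples)):
        prev, cur = samples[i - 1], samples[i]
        for key in ("total_loads", "total_exploits"):
            if cur[key] < prev[key]:
                reasons.append(
                    f"{key} fell from {prev[key]} to {cur[key]} between reads {i - 1} and {i}"
                )
    for i, s in enumerate(samples):
        if s["total_loads"]:
            expected = round(100.0 * s["total_exploits"] / s["total_loads"], 1)
            if abs(expected - s["success_pct"]) > 0.1:
                reasons.append(
                    f"read {i}: success_pct {s['success_pct']} != {expected} computed from counters"
                )
    return reasons


def probe_panel(panel, username, password, client_ip, reads=3):
    """Log in `reads` times, as a researcher refreshing the stats page would,
    and return the consistency findings (None if the login is refused)."""
    samples = []
    for n in range(reads):
        page = panel.handle_login(
            username, password, client_ip, f"GET /admin/stats?r={n} HTTP/1.1"
        )
        if page is None:
            return None
        samples.append(page)
    return looks_fabricated(samples)


if __name__ == "__main__":
    panel = HoneypotAdmin(rng=random.Random(7))
    findings = probe_panel(panel, "admin", "password", "203.0.113.5", reads=5)
    print("consistency findings:", findings)
    print("what the operator logged:", panel.visitors[0])
```

The check relies on the one property a fabricated page is unlikely to bother with: counters that are re-rolled per request will not stay monotonic across a handful of refreshes, while a real panel's totals only ever grow. It does not prove a panel is genuine, only that the numbers are not trivially random.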
The lesson is to not believe everything you see, says Thorsten Holz, a senior threat analyst with LastLine: "Researchers need to be careful of what they enter at the admin backends and also should not trust the numbers that are displayed there."
The LastLine investigation found that several researchers had cited bad data taken from the fake servers to the media, which subsequently reported it, skewing the apparent size of several botnets. While the problem likely leads to media hype, bad data can also lead to bad decisions, the company says.
"In the end, it has to do with why we measure botnets," LastLine researchers wrote. "It is not just to stick a number to the problem, but it is to start understanding it, to prioritize the threats we look at in depth, to decide whether we need new tools to more effectively fight them."

Denial-of-Service Attacks Meet the Cloud: four lessons

As companies increasingly use virtualised datacentres and cloud services, new weaknesses have opened up in enterprise infrastructure. At the same time, denial-of-service attacks are moving from brute-force floods of data to more skillful attacks on application infrastructure.

When clouds attack: five ways providers can improve security

Criminal gangs planning an attack can lease networks of compromised computers, or botnets, from other criminals serving the underground community. These resources could be considered "clouds" in their own right, but researchers warn that operators of legitimate clouds need to worry about being used for illicit attacks as well.