Posts Tagged ‘security monitoring’


The Year in Review: 2012

Written by Andrew Jaquith. Posted in Blog Post


As the song goes, It’s The Most Wonderful Time of the Year. It’s the time of the year we write out our holiday cards, buy presents, think kind thoughts of our friends and family, and wax nostalgic.

Security is a big enough deal that it, too, warrants reflection and (dare I say it), a little bit of nostalgia. It’s the gift that keeps on giving. In that spirit, let’s dig up some of the tastiest chestnuts from the preceding 11 months, and gently roast them where appropriate. Given my sense of humor it’s going to be, shall we say, a dry roasting.

Here’s what got our attention in 2012. As is customary and appropriate, we spent a lot of time worrying about malware. The cloud — with all of its opportunities and challenges — was the second most important topic on our minds, along with mobile security. As you might expect, given our customer base of over 1,800 banks and credit unions, we analyzed financial services topics in depth. A variety of other topics got our attention, notably October’s National Cyber-Security Awareness Month and Mac security.

Each of these topics take time to review. So, let’s get nostalgic.


In 2012, it was clear that malware continued to be a problem for many companies. Of all of the topics we wrote about in 2012, we wrote about malware the most. Malware concerns came in four categories: web malware, new attacks, legacy malware and administrator-targeting malware:

  • Web malware — because of the ubiquity and reach of ad networks, attackers have made it a priority to attempt to infiltrate and infect ad servers. My colleagues, analysts Evan Keizer and Grace Zeng, wrote extensively about a banner-ad infection campaign that caused to inadvertently serve malware. Unfortunately there are no easy fixes for banner infections; webmasters (and their colleagues in marketing) must be extremely vigilant.
  • New attacks — the Flame malware family, which some have called the most sophisticated malware ever discovered, was discovered in May by our friends at Kaspersky and widely covered. We thought it was notable enough to write about, too. Just to show that I don’t have a monopoly on bad puns, my colleague Rick Westmoreland asked, “Flame: Is it getting hot in here?”
  • Legacy malware — we saw campaigns targeting old-school programs like Symantec’s venerable PCAnywhere. (If you are asking yourself, “do they still make that?” you aren’t alone.) Malware targeting Microsoft’s RDP protocol also spread rapidly; we felt it was dangerous enough to issue an advisory.
  • Administrator-targeting malware — the most insidious malware campaign we saw in 2012 was one targeting Plesk, an administrative console for website operators. This was a little scarier than most campaigns because it obviously targeted people who already have a high level of privileges — your IT guy. This is the kind of thing that presages an industrial espionage campaign, a topic I covered at length in my webinar “The Hype and Reality of APTs,” something you should watch. (Ed: I am not joking. Really, go watch this; it deflates the APT hype balloon.)
In addition, we gently ribbed the anti-virus industry in an amusing post (Ed: to me, anyway) called “The Best and Worst Data-Driven Security Reports of 2011,” where I made fun of the silliness that comes with the periodic rash of AV “threat reports,” while celebrating the genuine good stuff, such as the Verizon Data Breach Investigations Report.

Cloud security

In 2012, Cloud security topics were right up there with malware in our consciousness. Call me crazy, but to me “the cloud” is a fancy name for hosted services mashed up with virtualization, and juiced up with instant-on provisioning and elastic usage billing. It’s a new — and welcome — twist on an old concept. Companies want to use the cloud in areas where it makes sense — for hosted email, productivity, and sales automation — but they want to do it only when they can be assured that their data is secure.

My colleague Grace wrote about a key class of cloud risks: the security of servers in the cloud. She performed experiments in which she placed 12 unprotected servers in the Amazon cloud and watched what happened. The headline: on average, your new cloud servers will start seeing scans, probes and potential attacks within an hour! Scary stuff — if you haven’t already, you should read these posts.

On the positive side, Perimeter created a series of video blog posts called the Cloud Owners’ Manual that took strong points of view on how companies should think about the cloud, and what they should be asking their vendors. Looking spiffy in a suit, I spoke on camera about key customer concerns about the cloud, and gave prescriptive guidance on the cloud in general, customer fees, data protection, data privacy, contractual terms, and contract termination. As an analogy, I compared cloud security requirements to car safety belts. Did you know that since the advent of car safety technology, based on US DOT official statistics, people now drive faster and have fewer accidents? It shows how safety gear is a precondition for faster, safer driving. To put it differently: confidence requires security. And by analogy: so it is with the cloud.

Mobile security

From iPhones to iPads to Galaxies, mobile devices continued to move to the top of IT security managers’ list of concerns. Beyond the sheer proliferation of devices, we observed four key trends:

  • Bring your own device. When I was an analyst at Forrester, my then-colleague Natalie Lambert coined the term BYOD and wrote quite a bit about it. That was four years ago. Now, it’s the hottest thing in IT. What do companies do about it? For our part, Perimeter answered the bell in September when we unveiled our Cloud MDM service in partnership with AirWatch. In the service, we included strong default policies and a unique BYOD Kit that provides prescriptive guidance for all of the areas employers need to worry about: data rights, support, confiscation, and many other topics. We think the right solution to BYOD is holistic, and encompasses the domains of policy, technology and law.
  • Developer ecosystem concerns. In September, developer Blue Toad had 12 million Apple unique identifiers (UDIDs) stolen. This shined a spotlight on a fragmented, shadowy part of IT: the thousands of smallish, contract mobile app developers, very few of whom are likely following mobile app security best practices. Watch for this topic to explode in 2013 as the Mobile Backend-as-a-Service (MBaaS) category heats up.
  • Data privacy. In the first quarter, we saw a controversy erupt over the Path app, which was uploading customer address book records to its servers unbeknownst to customers. I called Path an example of “nosy apps” and characterized data privacy as the “third rail of mobile.” These kinds of negative stories had an immediate impact on handset makers. Apple, for example, added significant opt-in controls to iOS 6 that require customers to explicitly authorize app access to address books, photos, calendars, tasks, Facebook account information and much more.
  • iOS has been a benefit to security. Speaking of Apple, did you know that iOS is now over 5 years old? In that time, customers have gotten used to the idea of vendor-controlled app marketplaces, digitally signed and trusted operating system runtimes, and locked-down devices. We have Apple to thank for popularizing the concept, building on the kinds of concepts RIM and Symbian had initiated. See my in-depth 5-year iOS security retrospective for details about why I think iOS is overall a huge net win for companies and consumers alike.

Financial services

Banks, credit unions, broker-dealers and other financial institutions continue to be a significant part of Perimeter’s customer base. We noted many, many threats to financial services customers in 2012. The rash of distributed denial-of-service (DDoS) attacks in September prompted us to issue a critical advisory to our customers. We followed up on the DDoS story in October; my colleague Rick Westmoreland called it “the new reality” for financial services firms.

In July, we inaugurated our first-ever Financial Services Threat Report for the first half of 2012, which described the most important threat trends our customers were facing in the year to date. We will be doing more of these reports, and our second-half report will be coming out after year-end. To help our credit union customers, Andrew wrote a three-part series on credit union security topics.


Beyond these four main themes, Perimeter noted several other trends. We weighed in on this newfangled concept called “cyber security,” which is what happens when government-type people get their hands on an otherwise perfectly acceptable phrase — that thing that most of us used to call “information security” — and dumb it down. I suppose cyber-security is, to paraphrase Deng Xiaoping, Security With Government Characteristics.

Whatever you choose to call it, we helped celebrate National Cyber-Security Awareness Month in October with four posts by my esteemed colleague Mr Mike Flouton:

Midway through the year, Perimeter E-Security CEO Tim Harvey and actor/entrepreneur/restaurateur Robert De Niro hosted an exclusive New York event for 75 select partners and customers. The event featured an inspiring talk by two active-duty Navy SEALs about building a high-performance, elite team capable of executing the most difficult missions. Tim’s summary of the event is here — in which he describes the key ingredients for success. For the record, I spoke at the event as well, but let’s face it: De Niro and the two Navy SEALs were hard acts to follow. It was a great event, though!

Lastly, Perimeter wrote about those devices your executives and developers are probably now carrying: Macs. In October, we released a survey showing that Mac usage is up, and that security concerns are increasing. Earlier in the year, we alerted customers to something rather rare but important: a real-life Mac Trojan outbreak in the wild, the Flashback Trojan.

Wrapping up

As I noted at the top of this post, security is the gift that keeps on giving. That’s good and bad. It’s bad for the obvious reason because the threats, concerns and challenges that got our (and the industry’s) attention affect companies and their customers everywhere. If security were a solved problem, we wouldn’t need to spend the time, attention and effort that we do.

I choose to be positive, though. Security threats and challenges are also good things. They remind us that, as professionals, we need to keep upping our game. New business frontiers such as mobile cause us to expand our horizons, become more involved with our colleagues and take the longer view.

As we look ahead to 2013, we are thankful for the continued support of our customers, colleagues and families. We at Perimeter wish you, dear reader, all the best this holiday season.


Perimeter E-Security 1H 2012 Financial Institution Threat Report

Written by Grace Zeng. Posted in Blog Post

By Grace Zeng, with David Coffey and Andrew Jaquith

Summary: Perimeter E-Security provides comprehensive security services to financial institutions of all sizes. In this report for the first half of 2012, we summarize security incidents based on data from 861 financial institution customers. During that period, 1,619 likely and confirmed compromises were detected. Of these, 43% targeted small, 38% targeted mid-sized, and 19% targeted large institutions. In total, 483 financial institutions were affected by those incidents. A majority of our financial customers (56%) experienced at least one security incident in the last six months. Large institutions had the highest average number of incidents per institution: six, about one per month. Our security services blocked about one third of all incidents, preventing damage to customers’ assets. Based on our analysis, Trojan horses and the Blackhole exploit kit are the most common threats facing financial institution customers today.

Monthly incident trends

Perimeter processes about 1 billion raw security events per month. We distill these events down to approximately 120 thousand potential security incidents. Among those incidents, a majority are low-level — that is, they are informational or reconnaissance related. A smaller number are likely or confirmed successful system compromises — what we call medium- and high-level incidents. Throughout this report, a “security incident” refers to these two types. A Perimeter security analyst analyzes every one of these. When a customer suffers a security incident, it is likely that one of their computing assets such as a desktop, server or other resource has been — to put it plainly — 0wned.

The Perimeter security team analyzed over 1,600 incidents — likely and confirmed compromises — in the first six months of 2012. From the monthly trend graph, we can see that the number of security incidents increased steadily from January to May before slightly declining in June. It appeared that threats and attacks are seasonal: more active in spring (Mar to May) than in winter (Jan and Feb).

Impact on financial institutions

Perimeter protects approximately 1,800 financial institutions. Our financial customers’ businesses range from banking and brokerage to credit unions, savings and loans and insurance. Our financial customers consist of 62% small institutions, 29% mid-sized institutions and 9% large institutions. We define small institutions as having assets less than $25 million; medium-sized between $25 million and $1 billion, and large institutions above $1 billion.

The chart below shows the distribution of incidents among our customer base. The plot shows percentages of financial institutions that had at least a certain number of incidents. In total, 56% of our financial customers experienced at least one incident. At one institution — the outlier at the right side of the chart — we detected 28 incidents over the past six months.


When analyzing the incidents by size of institution, we found additional patterns. In the past six months, 69% of our large financial customers experienced at least one incident. Of midsize and small institutions, 63% and 51%, respectively, experienced one incident or more. On average, each institution suffered about three incidents.

Of the top 10 customers that suffered the most security incidents, four are midsize (assets between $25 million and $1 billion) and six are large (assets greater than $1 billion) institutions. On average, each large institution had six incidents; each midsize had four; and each small had three. We believe large institutions are disproportionately targeted because they have large attack surfaces and can yield attackers larger financial gains. Although small institutions are not usually primary targets of attackers, they can serve as stepping stones for larger-scale attacks. And crucially, small institutions are the most vulnerable to financial losses, and may not be able to survive even one attack.

Approximately one-third of all security incidents were successfully blocked by our in-cloud and on-premise security devices. The rest were detected after-the-fact by our security monitoring systems.

Attacker countries of origin


Although Perimeter is not as wildly enthusiastic about “top attacking country” metrics as some — we do not suffer from congenitally nervous urges to “name and shame” former colonies, for example — the country origins of attackers help confirm hunches and things we already know.

Of the security incidents we observed, attackers’ IP addresses are distributed across 50 countries around the globe. The heat map below plots these countries with respect to the number of offending sources. From a percentage perspective, more than 55% of attacks and threats originated from inside the United States. We expect that the main reason is that the financial institutions under scrutiny are almost all US-based. In addition, many of our customers commonly block traffic to and from non-US IP address ranges. We noticed that many users picked up malware from visiting legitimate US web sites.


Threat highlights

Financial institutions are particularly vulnerable to cyber crimes such as phishing and identity theft. We have seen numerous security incidents that have resulted in significant losses to the victim institutions. A common propagation vector is targeted phishing emails addressed to employees with privileged account access. Once the recipient opens the link or the malicious attachment in the email, malware (in most cases, a Trojan) is installed. Sensitive account information is collected, which leads to unauthorized monetary transfers and customer data compromises. Based on the six-month incident data, Trojans turned out to be the major threat category facing financial institutions. As shown in the top 10 threat list, more than half of the incidents we observed were Trojan-related infections. Two threats on the list are particularly noteworthy: the Blackhole exploit kit and the ever-popular fake anti-virus. Details on each follow.

Blackhole exploit kit

The Blackhole exploit kit was the top threat plaguing our customers over the past six months. According to AVG Technologies, the Blackhole kit is the most popular toolkit in the cyber-underground. AVG’s Q2 threat report indicates that the Blackhole Exploit Kit makes up over half of detected malware; our figures agree broadly with AVG’s. The Blackhole kit is installed on a server controlled by a cyber-criminal. When an unsuspecting user visits a compromised page or clicks a malicious link in a spam message, the page or link redirects the user (usually via <iframe> tags) to that server. The server hosts obfuscated code that delivers various exploits targeting vulnerabilities in browsers and their popular plug-ins such as Adobe Flash, Adobe Reader and Java. Once an exploit is successful, the victim machine loads and executes malicious payloads, and downloads additional components if needed.

Perimeter has been closely following this exploit kit since its emergence. We observed that the ease of upgrading helps to make the kit prevalent; zero-day exploits are constantly added to the kit. For example, a Java vulnerability was disclosed in mid-June and an exploit leveraging this flaw was made available in early July. The Blackhole kit also rapidly evolves the way it spreads to web servers. In its recent campaign in late June, web servers were compromised by exploiting the Plesk SQL injection vulnerability. Many web pages were infected with contaminated JavaScript files which loaded the Blackhole exploit code. To defend against this ever-evolving exploit kit, we have implemented several protection mechanisms for our customers:

  1. Network-based anti-virus is equipped with JavaScript/iframe signatures to offer client-side protection.
  2. Web security (content filtering) can block domains that host Blackhole exploit kits.
  3. Multiple correlation rules in our SIEM match patterns of related IP addresses, domains and file names. Please refer to our recent blog post for details.

Fake Anti-Virus

Rogue anti-virus is a form of Internet fraud that tricks users into installing or purchasing fake AV programs to “help” remove non-existent threats on their computers. These malicious AV programs usually introduce Trojans to the victim computer to harvest personal information. Fake AV has been one of the most prominent online threats in recent years. Purveyors of fake AV push it through a variety of channels:

  • Spam emails with links or attachments
  • Malicious advertising and compromised ad networks
  • Web pages containing exploits
  • Search engine optimization (SEO) poisoning

We have been closely monitoring fake AV activities for our customers and observed a rash of campaigns that led to dozens of infections this May. In early June, we discovered that Major League Baseball and a few other legitimate websites fell victim to a compromised ad network and served up fake AVs to their users. We managed to pinpoint a specific ad on MLB’s website that embedded an iframe redirection to a malicious server. This server then pushed fake AVs from several Indian .in domains to users. We published detailed analyses of these campaigns here and here. To protect our customers, we immediately added null routes for the IP addresses that malware-hosting domains resolve to. We have also created several correlation rules, which we keep updating to detect new campaigns.
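Both the Blackhole redirector described above and the compromised MLB ad relied on an iframe the visitor never sees. As an added example (not Perimeter’s code, nor its network AV signatures), the scanner below flags iframes in a page that are both hidden (1×1, zero-size or CSS-hidden) and point to a host outside the site being inspected; the sample page and all hostnames (reserved .test TLD) are constructed.

```python
"""Heuristic scanner for hidden, off-site iframe redirections in page HTML.

Added example, not Perimeter's code. Flags <iframe> elements that are
hidden from the visitor AND pull content from another host, the pattern
used by the Blackhole redirector and the injected MLB ad. Sample HTML below
is constructed; no real domains are referenced.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS tricks commonly used to keep an injected frame out of sight.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)


def _is_tiny(value):
    """True for a width/height of 0 or 1 (pixels), the classic 1x1 frame."""
    if value is None:
        return False
    try:
        return int(str(value).strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def _same_site(host, site_host):
    """Treat the site itself and its subdomains as first-party."""
    return host == site_host or host.endswith("." + site_host)


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; bare attrs have None.
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def find_hidden_iframes(html, site_host):
    """Return findings for iframes that are hidden and point off-site."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("tiny dimensions")
        if HIDDEN_CSS.search(attrs.get("style", "")):
            reasons.append("hidden via CSS")
        # Relative or same-site frames are normal page structure; only an
        # invisible frame that loads content from another host is flagged.
        if reasons and host and not _same_site(host, site_host):
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample: a sports site with a legitimate video frame, a visible
# ad-network frame, an injected hidden 1x1 frame, and a tiny same-site frame.
SAMPLE_PAGE = """
<html><body>
<h1>Scores</h1>
<iframe src="https://video.example-sports.test/player" width="640" height="360"></iframe>
<div class="ad">
  <iframe src="http://ads.example-adnet.test/banner" width="300" height="250"></iframe>
</div>
<iframe src="http://landing.example-bad.test/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="/help" width="0" height="0"></iframe>
</body></html>
"""


def scan_sample():
    """Run the scanner over the constructed page as if it were example-sports.test."""
    return find_hidden_iframes(SAMPLE_PAGE, "example-sports.test")


if __name__ == "__main__":
    for finding in scan_sample():
        print("suspicious iframe -> %s (%s)"
              % (finding["src"], ", ".join(finding["reasons"])))
```

Only the injected frame is reported; the visible ad frame and the tiny but same-site frame pass, which is the distinction a signature has to make to avoid flagging every ad slot.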

Protecting financial institutions

As our review of the first half of 2012 shows, financial institutions continue to be under attack. To protect our financial customers from attack, we provide multiple layers of defense: firewalls, web content filtering, IDS/IPS, AV tools and SIEM. Each plays an important role in defending against state-of-the-art threats.

Perimeter highly recommends our financial institution customers take all necessary steps to safeguard machines and follow security best practices. Customers should:

  • Never open unexpected email attachments or click on any links in suspicious emails
  • Never supply any personal or account information as a result of an email
  • Always keep the operating system and software packages (browser and AV programs in particular) up-to-date
  • Always disable and/or uninstall unused services on endpoint machines, servers and network devices
  • If possible, block ads in the browser, or use web content filtering services

Dan Carter and Mike Flouton contributed to this report.


The Consumer Effect: Increased Confidence in the Cloud

Written by Andrew Jaquith. Posted in Blog Post

By Andy Monshaw, General Manager of IBM Midmarket Business

And Andrew Jaquith, Chief Technology Officer, Perimeter Security

Cloud computing is driving the way information and technology is being consumed, and changing the way we work. In the last year, we’ve seen businesses of all sizes benefit from the cloud:

  • A small healthcare provider decided to put patient records in the cloud while ensuring that they are HIPAA compliant.
  • A regional bank turned to a managed service provider to host its new mobile applications for engaging consumers who want to do their banking anywhere, anytime.
  • A credit union, faced with the uncomfortable prospect of an expensive upgrade to Exchange 2010, opted to move their email to a secure cloud provider rather than keep it in-house.

Cloud applications have become so common and convenient that we take them for granted. For small and medium businesses (SMBs), the cloud has leveled the playing field by enabling them to compete — while saving them time and money. We see the cloud becoming increasingly important to SMBs for two reasons: the “consumer effect” and mobility.

First, consider the impact that consumer social, email, and other cloud applications have had on businesses. The “consumer effect” has been profound. Consumer technologies and apps have forced businesses to change their expectations of what the cloud can provide. Today, SMBs are using technologies that originated in the consumer space — for example, cloud services and social media — to better compete, enter new markets and identify new customers. According to researcher AMI, SMBs in the United States will spend more than $49 billion on cloud services in 2015, nearly double the size of the market today.

Second, as mobility continues to gain in popularity, the demand for smartphone technology and mobile computing platforms by SMBs will increase as well. By 2015, nearly three-quarters of the internet-capable devices will be Post-PC devices such as smartphones and tablets. Many SMBs will use these devices to increase their contact with customers.

The barrier to entry for using mobile platforms to connect with consumers has dropped dramatically. With the emergence of vibrant mobile development ecosystems, everyone competes on equal footing. Citigroup offers mobile banking — but so do the smallest community banks and credit unions. SMBs outside banking, too, are exploiting mobility to offer free downloadable mobile apps to brainstorm, exchange ideas and collect feedback from their customers.

Increasing Confidence in the Cloud

The cloud offers vast promise for SMBs. Several significant advances in cloud security have led small businesses to see the cloud not only as a platform that reduces cost, but also as one that lets them focus on business growth and strategy rather than on managing IT. These include:

  • On-demand applications for critical business functions, such as email, payroll, sales management, core processing, and data analytics
  • Comprehensive cloud-based and managed services for protecting infrastructure: firewalls, intrusion detection, and security information management
  • Better data protection options for encrypting data in transit and at rest, combined with secure virtual machines available on-demand
  • Cloud-based security for authentication, authorization and auditing

These security solutions allow small businesses to exert more control over their data, whether it lives in the cloud or on premise. Increasing confidence in the cloud is opening up new opportunities for many small businesses. We expect SMBs will increasingly look to managed service providers to help them seize the opportunity that cloud can bring.


Your Healthcare Security Rx

Written by Andrew Jaquith. Posted in Blog Post

A recent Wall Street Journal article highlighted the controversial debate around whether or not physicians should use email to communicate with their patients. The article has, no doubt, prompted discussions across the healthcare industry. In the piece, Dr. Joseph Kvedar, founder and director of the Center for Connected Health in Boston, describes how email can be a valuable tool for building rapport between doctors and their patients, while enabling clearer, more frequent communication. Kvedar admits that email presents a security challenge, but notes privacy can be adequately protected by encryption tools and secure messaging applications. Privacy concerns should not stand in the way of establishing greater trust with your patients. (We agree: our SaaS Email Encryption product works very nicely for exactly this purpose.)

Dr. Sam Bierstock, founder and president of health-care IT consulting group Champions in Healthcare, takes the opposite view. He argues that not only does “email communication eliminate the ability to interpret important signals,” but it introduces potential security and liability risks that are too high.

So who is right?


Reviewing 2011 Prediction #1: The APT Meme Dies

Written by Andrew Jaquith. Posted in Blog Post

Last December I gave a well-attended webinar called “Five Data Security Predictions for 2011,” in which we predicted that five particular things would happen this year. Predictions are easy. Everybody makes them. It’s less common that you revisit your own predictions, and grade them. Here’s how we grade ourselves:

  • A: The available evidence suggests that we correctly identified the issue, and that we got the prediction right. By “right”, I mean that we can cite multiple instances in the mainstream media that agree with the prediction.
  • C: Got the issue right, but the prediction didn’t play out to the degree expected. We saw some corroborating evidence, but caught whiffs of wishful thinking.
  • F: Got neither the issue nor the prediction right. Alternatively, the evidence suggested that the prediction went in exactly the opposite direction as expected.

In today’s short post, let’s revisit one of our 2011 predictions: “The Advanced Persistent Threat meme dies, and is replaced by the more accurate term ‘state-sponsored actors’.”

What did we mean?

Unless you have been living under a rock, you have probably heard of the quaint expression “Advanced Persistent Threat.” You probably have heard that APT is some type of horrible infection or somesuch affliction that makes you itch whenever you go for dim sum. Or maybe you know it as some kind of extra-special malware that infects companies that have secrets worth stealing. I kid, but the reality is that APT marketing hype has infected the marketing departments of nearly every security vendor. If you’ve got an APT infection, goes the pitch, you can buy our miracle cream — requiring a never-ending prescription, to be sure — and it will just go away.

Emblematic of the APT-as-marketing meme was McAfee’s hype-laden report on Operation Shady RAT, which breathlessly revealed how hundreds of organizations have been infected with “APT malware.” (I won’t link to it because it is a very silly report, and I mean that in a Monty Python sense.) In the report, McAfee provides no details about the identity of the attackers. But there is lots of malware infecting lots of companies everywhere, apparently.

The point of my prediction that “the APT meme will die” is that wiser observers would start to see through the marketing haze and call APT what it is: a particular who, not a what. Commentators like Richard Bejtlich have long been calling APT by its real name: the nation-state of China. That is, in fact, what APT originally meant when the Air Force defined it. It was meant as a politically correct euphemism for the PRC.

We predicted that the APT euphemism would start getting old, and that wiser heads in the press would figure it out and describe it more accurately. I picked “state-sponsored actors” as among the more palatable and accurate labels.

How’d we do?

Pretty well. It’s no longer an open secret that APT == China. Some evidence:

(1) In August 2011, Ira Winkler, one of the more thoughtful minds in the information security field, wrote a longish post in ComputerWorld challenging the persistent use of APT to hawk products. “The McAfee report was more about marketing than it was about releasing information. McAfee provided few details about the attack, only saying that it was large and hinting at who the targets were.” Winkler also explicitly connects APT to China, citing a 2009 report from Northrop Grumman assessing the PRC’s capabilities: “there have been documented cases of state-sponsored hacking out of China for more than a decade, targeting every conceivable type of commercial and government organization.”

(2) National Public Radio, on its All Things Considered newscast, ran a story on November 3rd called “China, Russia Top List Of U.S. Economic Cyberspies.” In this report, NPR summarizes and expands on Congressional testimony by Robert Bryant from the Office of the National Counterintelligence Executive. Bryant states that “Chinese actors are the world’s most active and persistent perpetrators of economic espionage, while Russia’s intelligence services are conducting a range of activities to collect economic information and technology from U.S. targets.” (Hat-tip: Richard Bejtlich.)

(3) Even Symantec, previously one of the louder barkers under the APT carnival tent, has subtly changed their tune. Instead of describing APT solely as malware, Symantec’s Kevin Rowney now describes it as a “malware campaign.” It’s still wrong, but closer to the mark in the sense that it implies an actor — a Who.

(4) CSO Online’s Bob Bragdon, just today, wrote a very funny column called “Naming Names in APT.” He writes: “Let’s call a spade a spade: China is the greatest threat to international cybersecurity on the planet. I’m tired of pussyfooting around this issue the way that I, and many others in security, industry and government have been for years. We talk about the ‘threat from Asia,’ the attacks perpetrated by ‘a certain eastern country with a red flag,’ network snooping by our ‘friends across the Pacific.’ I swear, this is like reading a Harry Potter book with my daughter. ‘He-Who-Must-Not-Be-Named’ just attacked our networks. Let me be absolutely, crystal clear here. In this scenario, China is Voldemort. Clear enough?”

Overall, it is “crystal clear” that we got this one right. If anything, we were too conservative. We expected that the APT euphemism would be replaced with a more accurate descriptor, “state-sponsored actors.” Little did we know that that descriptor would be too timid for some observers, who have no problems just flat-out saying “China.”

My grade: A-

In the next post, I’ll review another prediction, “The US Crawls Towards EU-Style Data Protection.”


CTO’s Reading List: Three Articles You Should Read Today

Written by Andrew Jaquith. Posted in Blog Post

Microsoft’s Security Intelligence Report, Volume 11

I don’t have the patience to read through long security intelligence reports like I used to, partly because I’m a little cynical, but mostly because I just don’t have time. However, I usually skim through the periodic threat reports from Microsoft, Symantec, McAfee and Websense to see what they have to say about threat trends. Microsoft’s 168-page Security Intelligence Report, Volume 11 contains a lot of the things you would expect: summaries of vulnerabilities, taxonomies of threats, and so on. Vinny and his team, as always, continue to do a nice job. What I like about Microsoft’s reports is that they are very keen to figure out how certain classes of “feature abuse” tie back to the Windows operating system. The current report validates, for example, that the decision to shut down Windows’ USB AutoRun feature was a wise one. The other part of the report I really liked was on page 14, Zero-Day Exploits: A Supplemental Analysis. Microsoft notes that true zero-day exploits (that is, exploits for which the vendor has not issued a notice) comprise less than 1% of the attacks they detected. Another part of the report I liked was on pages 53-55, where Microsoft compares infection rates by country. Unfortunately, the infection rate (worldwide, just 11 infections per thousand PCs scanned, at 0.1%) is far too low to be credible; at Perimeter, we estimate infection rates are probably twenty times higher, based on the botnet traffic we see. Still, the report is very interesting when comparing by operating system (pages 57-60), and it confirms what we know: Windows 7 is more secure than Vista was, which in turn was more secure than Windows XP. Good to see quantifiable progress.

United States Marine Corps Social Media Guidelines 

You might think that the US military would have an incredibly draconian policy with regards to participation in social media networks. But you would be wrong! Recently, the US Marine Corps published a very thorough, comprehensive set of guidelines on how the Corps can use social media effectively and safely. While it is geared towards the needs of military service members, the guidance is nonetheless highly applicable to every organization. Best of all, it is extremely well written and contains a good deal of common sense. The guide is quite long, but if you are impatient just skip to page 36, “15 Tips to Stay Safe and Out of Trouble Online”. Tip of the cap to Marc Handelman for spotting this.

The BIDMC FY12 Operating Plan

Boston “geek doctor” John Halamka, whose healthcare-meets-technology blog I’ve read for several years, puts together a nice, succinct post on Beth Israel Deaconess Hospital’s budget priorities for 2012. I appreciate John’s transparency and clarity, of course, but I also look for clues in his posts for a sense of how a busy health care CIO balances his priorities. His responsibilities span the entire gamut of technical services, ranging from clinical to back-end systems. As you can see from his post, data protection ranks among his top priorities for 2012, particularly the interplay with personally owned devices. John has tried to make Beth Israel Deaconess a “consumer-friendly” organization, so this is an important issue. Worth a read.



FBI Takes Down Coreflood Botnet, But Many Companies Remain Vulnerable

Written by Andrew Jaquith. Posted in Blog Post

By Harald Wilke, Security Analyst, Perimeter E-Security
with Richard S. Westmoreland, Lead Security Analyst and Andrew Jaquith, Chief Technology Officer

On Wednesday April 6th the Federal Bureau of Investigation (FBI) seized control of 5 servers used to control as many as 2 million computers infected with Coreflood malware. This malware, also known as AFCore, quietly steals personal and financial information from the computer and forwards the information to the criminal ring leaders. The attackers use the information collected by AFCore to conduct fraudulent wire transfers, emptying the users’ bank accounts. The botnet is suspected to have existed since at least 2002, and has evolved over the years from using IRC-based command and control and selling DDOS/anonymity services, to HTTP-based command and control and performing fraud.

Using an approach similar to the one used to take down the Bredolab botnet, US federal investigators were granted special authorization by the Department of Justice to substitute their own Command and Control server for the hosts operated by the criminal organization. When the bot on an infected machine checks into the new C&C, it is simply given a command to shut down. The DNS records used by the bots have also been pointed to Shadowserver’s sinkholes.

Law enforcement’s seizure of the C&C servers now prevents the criminals from accessing any information already harvested from the infected computers. It also keeps them from covering their tracks by deleting files and terminating processes. However, the millions of Coreflood infections remain intact and still require intervention by a trained security analyst or an antivirus program with signatures to detect it. Investigators are also alerting the Internet Service Providers of the compromised machines and requesting that they inform their customers.

More information about the takedown can be found here:

Perimeter’s Security Operations Center is actively monitoring for outbound activity known to be associated with the Coreflood botnet.  In one instance, minutes after adding inspection for the redirected C&C check-in, alerts indicated a single customer network to have 17 actively compromised hosts. Here’s a sample screenshot from our SOC’s Security and Information Event Management System:

Coreflood Botnet Traffic, from Perimeter SOC

Looking at the raw event logs, we can see that the compromised host is attempting direct HTTP connections to a sinkhole IP. The URI confirms the activity to be related to a bot C&C check-in:
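The kind of check that surfaces this activity in the logs, written out as an added example rather than Perimeter’s own SIEM rule: walk HTTP proxy events, flag GET requests from internal hosts to a watch-list of sinkhole destinations whose URI looks like a bot check-in, and report the distinct compromised hosts per customer network. The sinkhole addresses (TEST-NET ranges), the check-in URI pattern and the log lines below are all constructed for the example; the real Shadowserver sinkhole addresses and the Coreflood check-in URI are not reproduced here, so substitute your own indicators.

```python
import re
from collections import defaultdict

# Watch-list of sinkhole destinations. PLACEHOLDER values drawn from the
# TEST-NET ranges; replace with the sinkhole addresses from your own intel feed.
SINKHOLE_IPS = {"192.0.2.10", "192.0.2.11"}

# Stand-in for the bot check-in URI shape (hypothetical pattern, not Coreflood's):
# a short alphanumeric script name followed by a query string.
CHECKIN_URI = re.compile(r"^/[a-z0-9]{4,}\.php\?", re.IGNORECASE)

# Constructed proxy-log format: timestamp, customer tag, source, destination, method, URI.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) customer=(?P<customer>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+) "
    r"dst=(?P<dst>\d+\.\d+\.\d+\.\d+) method=(?P<method>[A-Z]+) uri=(?P<uri>\S+)$"
)

# Constructed sample log. Two customer networks; one line is deliberately malformed.
SAMPLE_LOG = """\
2011-04-07T10:01:02Z customer=bank-a src=10.1.1.5 dst=192.0.2.10 method=GET uri=/abcd1234.php?id=1
2011-04-07T10:01:09Z customer=bank-a src=10.1.1.9 dst=192.0.2.10 method=GET uri=/abcd1234.php?id=2
2011-04-07T10:01:20Z customer=bank-a src=10.1.1.5 dst=192.0.2.11 method=GET uri=/abcd1234.php?id=1
2011-04-07T10:02:00Z customer=bank-a src=10.1.1.20 dst=198.51.100.7 method=GET uri=/index.html
2011-04-07T10:02:31Z customer=cu-b src=10.2.0.3 dst=192.0.2.11 method=GET uri=/zz99.php?q=x
2011-04-07T10:03:00Z customer=cu-b src=10.2.0.4 dst=192.0.2.10 method=GET uri=/favicon.ico
this line is garbage and must not crash the parser
"""


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_checkin(event):
    """True when the event is an HTTP GET to a sinkhole with a check-in-shaped URI.

    Requiring both the destination and the URI shape keeps incidental traffic to a
    sinkhole address (a favicon fetch, a browser probe) from being counted as a bot.
    """
    return (
        event["dst"] in SINKHOLE_IPS
        and event["method"] == "GET"
        and CHECKIN_URI.match(event["uri"]) is not None
    )


def compromised_hosts(lines):
    """Map each customer tag to the sorted list of distinct source IPs that checked in."""
    hosts = defaultdict(set)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # malformed line: skip it rather than abort the sweep
        if is_checkin(event):
            hosts[event["customer"]].add(event["src"])
    return {customer: sorted(ips) for customer, ips in hosts.items()}


def checkin_summary(lines):
    """Per-customer count of compromised hosts, the figure an analyst would alert on."""
    return {customer: len(ips) for customer, ips in compromised_hosts(lines).items()}


if __name__ == "__main__":
    for customer, ips in compromised_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{customer}: {len(ips)} host(s) checking in to a sinkhole: {', '.join(ips)}")
```

Counting distinct source addresses rather than raw events matters: a single infected host checks in repeatedly (the first and third sample lines are the same machine), and the figure that drives remediation is how many machines need cleaning, not how many requests they sent. The sinkhole destination alone is a weak indicator, since anything resolving the redirected C&C domain will reach it; pairing it with the request shape is what turns a noisy match into an actionable alert.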

Recommendations for Perimeter customers

Although the FBI has taken ownership of the Command and Control and is issuing shutdown commands to the active bots, the malware is still installed on the compromised machines and is reactivated at bootup. Analysis of this Coreflood variant indicates the C&C domains change monthly and have been pre-registered in countries that are outside of United States jurisdiction. There remains a possibility of the criminal ring regaining control of the botnet. Perimeter strongly recommends customers take the following actions to stay protected:

  • Use Web Content Filtering to lockdown Internet usage by enforcing user authentication and blocking of categories not critical to business
  • In particular, customers are strongly advised to block access to unclassified sites, which commonly harbor malware and C&C servers
  • Use standard best practices such as Network IPS and Network/Desktop AV to help prevent infections
  • In cases where infections do occur, a strong WCF policy will help prevent theft of data, and will provide additional logging information used by the Perimeter’s Security Operations Center

Thanks for your time and attention, and stay safe.


RSA warns SecurID customers after company is hacked

Written by Perimeter. Posted in Blog Post

Attention Perimeter Customers: As you may be aware, RSA, The Security Division of EMC, disclosed yesterday that an unknown outside party successfully compromised RSA’s security systems. These attackers are believed to have stolen information related to the operation of RSA SecurID tokens. The identity, motivation and goals of the attackers are unknown. The exact methods they used to compromise RSA’s systems (malware, social engineering, or server exploit) are unknown.

It is not clear whether the theft of this information enables attackers to compromise customers’ own SecurID deployments. RSA claims that the information obtained by the attackers does not. As described in RSA’s advisory (

“[RSA has] no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”

However, RSA’s news release notes that “the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

We strongly urge customers to read the full advisory from RSA here:

There is no indication that suggests Perimeter’s customers are at risk. We are continuing to monitor the situation and will send out additional updates as new information is made available.


What Scott Charney Missed in His RSA Speech

Written by Andrew Jaquith. Posted in Blog Post

By Andrew Jaquith, Chief Technology Officer, Perimeter E-Security

I’ve spent the week at the RSA Conference. It is a great place to meet colleagues, customers and friends. I had been a Conference Chair for the last 5 years, helping pick speakers and build panels. That was lots of fun, but this year I chose to sit out and let some other lucky soul have a chance. I did participate in the program, however. My friend Caroline Wong put on a panel on security metrics, and asked me to be one of the four panelists. The panel was a blast, and is worth a blog post in its own right.

But the subject of today’s post isn’t my panel, or metrics, but about a key part of the show. It’s about a time-honored ritual at RSA: the industry keynote delivered by Microsoft’s Corporate Vice President of Trustworthy Computing, Scott Charney. In a speech that was covered by multiple media outlets, including IDG News Service, CIO, and Computer Reseller News, Charney made three significant announcements. He:

  • Admitted that last year’s suggestion, to require ISPs to cut off serially infected machines, was not realistic because it imposed undue costs on ISPs. Charney argued instead that end-users must take more responsibility for the safety and security of their own machines. To that end, he…
  • Proposed a system of “public health certificates” that customer client machines would present to relying parties like banks and on-line websites that needed extra assurance that their customers’ machines were clean. Charney calls this “Collective Defense.” In addition, Charney…
  • Argued that the Internet must attribute activities to people wherever we can. Charney argues that with threats, there is always a Who, a What and a Why. Figuring out who the Who is would go a long way to helping national governments fight the various cyber-wars, cyber-skirmishes and cyber-hair-pulling matches that have been documented so well in the press over the last few years.

It seems to me that Scott, as the designated security spokesman for Microsoft, clearly understands his responsibility to set forth a vision for the industry. Microsoft’s preeminent position as the world’s leading software and systems vendor demands that he think big, think fast and think provocatively about The Future of Security. Moreover, the RSA Conference, as the preeminent industry conference devoted to information security, gives Microsoft (and Charney) the perfect platform for presenting their big, fast and provocative thinking. But let’s be honest, there’s a fine line between provocative and pollyanna. This year, Charney donned blue-tinged gossamer wings and fluttered off into the magical land of wishful thinking.

Let’s start with Microsoft’s ideas about Collective Defense and “public health certificates.” If I understand the idea correctly, relying parties (such as banks) would elect to trust — or selectively trust, or not trust — devices that presented digitally-signed attestations about their health. Rather than call this Collective Defense, let’s call it NAC’s Nephew. Practically, here is what that would mean: if McAfee or Symantec AV tells your bank that you have a clean bill of health, then your bank ought to let you transfer your money to Liberia. But if you don’t, they might think twice or ask for secondary authentication.

If you are a technologist, especially one who drinks the Better Living Through Cryptography Kool-Aid or believes that “non-repudiation” actually refers to a real legal concept, digitally-signed health certificates sure sound like a great idea. But upon closer scrutiny, nagging questions about practicality, implementation complexity and the so-what factor make it less attractive. Dan Geer has noted that technologists need to beware whenever they catch themselves saying “…and then a miracle happened.” That’s what we have here. I could raise a dozen objections, including (1) the decreasing efficacy of endpoint anti-malware software, (2) the high likelihood of certificate forgery, (3) the lack of likely implementations for platforms that aren’t Windows, and (4) the serious doubt that banks are asking for this stuff anyway (Trusteer isn’t exactly setting the world on fire, is it?).

But these are just the obvious objections. Slightly more worrying is Charney’s admission that ISPs aren’t part of the solution for keeping PCs safe. By that I assume he meant: Comcast, Time Warner, Charter, Cox had a few objections to cutting off infected customers. I can imagine a conversation between the two Steve Bs (Ballmer and Burke) that went something like this:

Burke (Comcast): So, Steve, I understand that you’d like to have me start cutting off Internet subscribers when we figure out that that their machines are infected.

Ballmer (Microsoft): You better believe it. We’re all-in on making our customers safer. ALL-IN!

Burke: I’ve got 80 million high-speed customers. My customer support team tells me I’ll lose 5m of them within the first year of running this program. That’s 7 billion dollars of lost revenue in the first year.


Burke: Are you trying to get me to throw a chair at you?


Burke: Excuse me Steve, but you’ll understand if I pass. I’ve got to run anyway. It’s time for me to start working on my 2011 Christmas cards.

That conversation never happened, and the numbers I presented are fictitious. But you can understand why putting the onus on ISPs to “keep their pipes clean” isn’t good for business. That Microsoft realizes this now is merely an admission of reality, and most welcome.

But while Microsoft’s new position reflects a more realistic appreciation of the limits of securing customer computers, Charney doesn’t push his thinking as far as he could. For example, consider his analogy comparing infected PCs to infected people. These are both health risks, and in both cases it behooves authorities to be aware of infections as early as possible. To the extent you can compare people to PCs, it also makes sense to educate customers about basic practices they can take to reduce the risk of infection (although I suspect Symantec might object to the implied comparison of installing their software to hand-washing).

That said, computers aren’t like people at all. Computing can be improved in ways that the most audacious recombinant DNA theorist can only dream of. Because unlike humans, machines’ “DNA” — the operating systems and software that they are made of — can be replaced wholesale. From the security perspective, operating systems like SELinux, Qubes OS, BlackBerry OS, Apple’s iOS, Google’s Android or even Microsoft’s own Singularity or Windows Phone 7 OSes are fundamentally superior to Windows, because they have built-in protections like code-signing, verified roots-of-trust — often burned into hardware — and mandatory access control. From the security perspective, replacing Windows PCs with trusted Post-PC OSes such as Singularity or iOS isn’t merely a minor improvement like washing your hands. It’s more like replacing humans with a carbon-based life-form that’s immune to influenza.

Now, these other Post-PC OSes and their associated App Stores have other problems that I will be writing about in future posts, such as chatty, privacy-invading apps. But infections that compromise machine integrity aren’t one of their most pressing problems. And yes, I know I’m going to catch a lot of flak from the app security absolutists for saying this (“NOTHING is 100% secure…”). Please. Captain Obvious already paid me a visit today. Given enough time and money, anything is breakable. But acting as if mandatory code-signing, sandboxing and hardware-based trust anchors don’t decrease risk significantly is tantamount to dismissing 30 years of research by people much smarter than you and me. And that, in turn, means that we are ignoring lessons about how software should be built. In other words: we should not let loose talk about “ecosystems” distract from the critical need to re-examine the core software we run on the systems we use in our daily work.

Charney gets close — so very close — to this key point. When he calls for public health certificates that rely on hardware roots-of-trust to vouch for the integrity of devices, he should, instead, ask himself why they are needed in the first place. When he admits that ISPs can’t filter out infected PCs because of the expense, he should be asking whether he ought to, instead, design an operating system that fundamentally resists infection.

And finally, when he suggests that customers should share responsibility for educating themselves about keeping their PCs clean, he should ask himself why they should care, and whether the hassle of “education” and “taking responsibility” is worth it from the customer’s standpoint.

Now that’s a visionary speech I wish he’d made.


Technology Challenged – Interview with Tim Harvey, CEO of Perimeter E-Security by Dow Jones Investment Banker

Written by Perimeter. Posted in Blog Post

Despite aggressive investment by large technology vendors and a wide array of start-ups chasing the space, there are underserved customers in the information security market.