Web Application Penetration Test Tricks Part I – Virus Upload

Performing a web application penetration test is not voodoo magic, but rather an exercise in knowledge, prioritization, and efficiency. During years of hard work penetration testers hone their methodology and develop efficient ways of applying their knowledge in order to identify specific vulnerabilities. The "Web Application Penetration Test Tricks" blog series will examine simple methods for testing some interesting web application vulnerabilities. In other words, we'll take a look at some tricks of the trade that you can implement while performing penetration tests against your own web applications!
Many web applications implement file upload functionality using an <input type=" file"> field. The file is uploaded to the server where the web application does something with it, often storing the file for subsequent download by other application users. What if a file containing a virus could be uploaded? Could the virus be spread to other applications users through the web application? And how could you actually test this vulnerability? You don't want to actually spread a virus, and besides local anti-virus software might interfere with testing.
The answer is the EICAR (European Institute for Computer Antivirus Research) anti-virus test file, formally known as the "EICAR Standard Anti-Virus Test File". This file contains the following 68-character plaintext string:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Although it is not actually a virus, most anti-virus software will flag files that contain this string (with up to 60 characters of optional preceding whitespace) as a virus. The anti-virus test file can be downloaded from http://www.eicar.org/85-0-Download.html. Here Microsoft Security Essentials is shown quarantining the anti-virus test file:

Here Symantec Endpoint Protection is shown detecting the anti-virus test file:

The anti-virus test file is therefore perfect for testing web applications. Just upload the file onto the web server. If the file can be subsequently downloaded with the test string intact, you know that the web application is not performing virus scanning of uploaded files. Consequently, the web application is vulnerable and can be used as a mechanism to propagate viruses to unknowing users. Web server administrators should deploy anti-virus software on web servers, and developers should ensure that the web application leverages the anti-virus software to scan uploaded files before disk storage.
That's all for the first installment of the "Web Application Penetration Test Tricks" blog series. Next time we'll take a look at clickjacking, another vulnerability that targets unknowing web application users. Cheers!

Learn “How to secure yourself from Virus & Hackers” @ 250

XMASS Gift by Hackers to Mobile Users!!!!!!!!!!

 

Types of security threats in Android OS

• internet security
• June 6, 2013
• By: David Frankk
• Subscribe

 

 

Android is known for its app store having more than 800,000 apps (both paid and free) including utility apps, games, as according to the stats of Feb 2013. Most of the apps are uploaded directly into the store making it more vulnerable to attacks on Android devices and putting the user’s privacy at stake. A report shows that 136 out of 149 known threats for mobile accounts to Android while iOS and Windows remains threat-free.
Android is the largest market share holder with 52% of global smartphone subscriber-base and having widest range of mobile device platforms hosting this OS. Android also holds the largest app-store in terms of number of applications available to its users with more than 800,000 apps in Google Play, its app store. A recent study described the popularity of Android with having more than 48 billion app downloads from Google Play. However, another research conducted by F-secure labs states that prevalence of malware on various smartphone OSs is concentrated on Android as compared to other OSs.

© 2013 Nokia© 2013 Microsoft Corporation

Location: Boston

42.358631134033 ; -71.056701660156

There was a rise of 50% of malware for Android last year and its state has only worsened since then till now, making it the most vulnerable smartphone OS of today. All of these malware affect the users in one way or the other thus causing them privacy or monetary losses. Some of the threats are discussed below:

• Premium service abusers: These types of malware take over the control of the user for managing their bills and subscribed services. Installation of these applications deliberately subscribes the user for premium services without their knowledge and eventually increases the bill. Text message sent to premium numbers could be one of the examples where extra amount is charged from the user sending the message.
• Adware: Adwares work in a similar fashion to in-app advertisement. However, they are displayed as a pop-up notification and users do not have any control on such event. Moreover, these apps de-limits the authority of user to grant permission and adwares access the personal data like contact list stored on the phone. This could hamper the privacy of the user and replicate all the data of phone on remote server, if such functionality is embedded in an adware.
• Malicious Downloaders: These kinds of malware affect the monetary control of the users and increase their bill for subscription and/or downloading of unnecessary as well as paid apps. These malwares, just like adware, do not ask for the permission from the user and silently turn on the downloading for other applications or malware which could affect the privacy as well as the bill for that duration.
• Rooters: These types of malware are rare to be found in the app store however, these are the most lethal among the all. Rooting apps allow a hacker to take over the control of the device remotely and allows them to root the device to perform any task which can be performed by the user. User loses all the manual control over the device and any overriding or prevention operation fails to roll back the device.

 

Webcam hacking exploits Chrome Inbuilt Flash player for Camjacking

Researcher Egor Homakov demonstrated the possibility of Webcam hacking exploiting Chrome Inbuilt Flash player, a flaw that represents a serious threat to privacy.

Webcam hacking, hackers are increasing their interest on millions of cams that surround us. These prying eyes are everywhere, in the street as in our home, gaming consoles, smartTV and PC are all equipped with a camera.
The impressive diffusion of mobile devices equipped with web cameras makes Webcam hacking very attractive and it is considerably a serious menace for users’ privacy, these attacks are silenced and could cause serious problems. Think for an instant of the implication related to Webcam hacking made by cybercriminals or by a government for surveillance purpose, we have seen it in the movies but today it is a reality.
Let’s start from domestic webcam, the Webcam hacking is a reality according to a recent post published by Egor Homakov that highlighted a serious flaw in Google Chrome’s integrated Flash player.
Egor Homakov demonstrated that just pressing the play button a user could authorize an attacker to access his webcam giving him the possibility to capture video and audio without getting permission.

“I’ve heard a hacker could access my webcam and watch me in front of my computer. Could this really happen?“ YES, it is possible exploiting new Flash based flaw in Google Chrome.
“This works precisely like regular clickjacking – you click on a transparent flash object, it allows access to Camera/Audio channel. Voila, attacker sees and hears you,” Homakov said.

This type of attack dubbed is known for several years as Clickjacking, a known vulnerability in Adobe Flash Player Settings Manager.
Adobe is aware of Clickjacking attacks and it resolved the flaw with a change to the Flash Player Settings Manager SWF file hosted on the Adobe website.
Differently for Camjacking attacker could hide the Flash Player security message when the flash file is trying to access a web camera or to a microphone.
According the researcher the Webcam hacking is possible exploiting an invisible Flash element present on the page, it is enough that victim using Chrome Browser clicks on it is.

“That’s what I thought as well. written a simple page with the opacity and flash container (flash requested access to the web-camera), it was observed that 21 Firefox, Opera 12.15 or ignore transparency flash animation, or just do not handle. But IE and Chrome 27.0.1453.110 10 well treated transparency and allowed to place himself on top of the text and / or image. That, no doubt, would have gone into the hands of web designers. But to remain on its laurels were just not interested, and I started to dig deeper, taking the idea of Clickjacking attack, but to remake it to fit their needs, ie to borrow all the “useful” function for the attacker. I chose access to the webcam (of course, yet we can get access to the microphone, but it was important, then?) So, I wrote a simple USB flash drive, take a picture with the help of a web camera and sends it to the server. “

Homakov verified that Webcam hacking with Camjacking doesn’t work with semi-transparent on IE.

An Adobe security team representative has confirmed the bug related only to Flash Player for Google Chrome.
Will Google solve the problem in the seven days established for fixing the bug to its products?
But the concerns do not stop at home webcam, Craig Heffner, a former software developer with the NSA declared to have discovered the previously unreported bugs in digital video surveillance equipment from firms including Cisco Systems Inc, D-Link Corp and TRENDnet.

“It’s a significant threat,”
“Somebody could potentially access a camera and view it. Or they could also use it as a pivot point, an initial foothold, to get into the network and start attacking internal systems.” said the specialist.

He announced his intention to demonstrate it during the next Black Hat hacking conference, on July in Las Vegas.
Heffner revealed that he has discovered hundreds of thousands of surveillance cameras exploitable by attackers via Internet.
This is not a movie, neither an episode of the television serie Person of Interest … This is reality and maybe the Big Brother is already exploiting it!

Zeus Trojan steals funds and recruits Money Mules

Security firm Trusteer detected a new variant of Zeus Trojan that steals funds and recruits Money Mules proposing jobs ads to the victims using Man-in-the-Browser (MitB) techniques.

Zeus Trojan is becoming even more complex, its evolution is unpredictable due to the intense activity in the underground on its source code. Various forums in the underground offer customization service to adapt the behavior of Zeus trojan to new fraud scheme. Last version of the popular Banking Trojan detected by the Trusteer security firm is not only able to steal funds from its victims but it also tries to recruit them as ‘Mules’
Security firm Trusteer revealed that a group of criminals using the popular Zeus banking Trojan has started a recruiting campaign displaying ads for job scams once victim visits a popular job site, CareerBuilder [dot] com.
The investigation conducted by Trusteer focused also on employment websites that have long been a target for cybercriminals searching for the user’s credentials through malware distribution and mule recruitment.
The Zeus Trojan found by  Trusteer uses HTML injection to advertise a mule recruitment site when a victim visits CareerBuilder [dot] com. Mules are an essential component of the scam life cycle, in particular for cash-out money, in the past recruiting web site were used by criminal organizations to recruit these figures.

“Money mules are always a scarce resource and whenever criminals do recruit them, they keep a pretty good eye on them,” he said. “At the end of the day, you really can’t cash out unless you have a mule.” Commented Etay Maor, fraud prevention solution manager with Trusteer.

Typically the criminals create a job opening for “financial managers” with possibility to earn working at home, in reality those people that respond to the announcement serve as the money laundering component for cybercrime gang. Principal employment websites are aware of this illegal practice and have created dedicated security team including anti-fraud competences. The web site used for mule recruitment is marketandtarget [dot]com as reported  in the Zeus Trojan configuration file, site that is currently down.



On the other side malware authors have refined their techniques to avoid controls operated by site managers, the last variant of The Zeus Trojan in fact implements a Man-in-the-Browser (MitB) techniques to present the victim with an advertisement for a mule recruitment site every time he visits CareerBuilder [dot] com.

Man-in-the-Browser malware are commonly used by cybercrime to steal data from victims or to redirect them to compromised web sites such as the specific case we are analyzing.

The variant of Zeus trojan using HTML inject adds data fields or to present bogus messages to redirect  the victim to a fake job offering while he is visiting legitimate employment site CareerBuilder [dot] com, in this way the victim plays redirection as a legitimate operation of the access to a job opportunity.
The availability of the source of Zeus Trojan on the black market potentially opens to an infinite number of possibilities that we will meet in the near future and represents a success for the industry of malicious software.

Facebook working on a news-reader app like Flipboard

The report states that the social network has been quietly working on a service, internally called Reader, that displays content from Facebook users and publishers in a new visual format tailored for mobile devices, people with knowledge of the matter said.
It is not clear when Facebook when launch the service or whether there will be a desktop version of the service. For now, it seems to be geared toward smartphones and tablets.
Previously TechCrunch had reported that Facebook was working on such a service and that it would be launched during its 20 June event. However, Facebook launched the Videos for Instagram feature.

Facebook CEO Mark Zuckerberg in this file photo. AP

TechCrunch had reported that lines of code referring to rssfeeds were spotted inFacebook’s Graph API code. Linking the RSS feed to a user’s Facebook ID, the code schema also covers such aspects as title, URL and update time. Each RSS feed subsequently has entries and subscribers.
If Facebook does launch an app for news aggregation, it could make a lot of sense in terms of monetisation for the site. For publishers, the app could provide a new platform for them to highlight their content from their FB pages without worrying that their content will be lost in the often-never-ending NewsFeed.
But the competition won’t be easy for Facebook. Flipboard, Zite, Pulse and Google Currents are among the endless competitors awaiting it.
The fact that the app is currently only for mobile also highlights the direction Facebook is headed in. Zuckerberg has already said that Facebook is now a mobile company and while some of its mobile products such as Facebook Home on Android may not have received the best reviews, mobile is the company’s best bet for increasing revenues.

Why do American spy agencies want a Malayalam translators at exorbitant salary ?

 

Yet conversations with current and former employees of Booz Allen and U.S. intelligence officials suggest that these contractors aren’t going anywhere soon. Even if Snowden ends up costing his former employer business, the work will probably just go to its rivals. Although Booz Allen and the rest of the shadow intelligence community arose as stopgap solutions—meant to buy time as shrunken, post-Cold War agencies tried to rebuild after Sept. 11—they’ve become the vine that supports the wall. As much as contractors such as Booz Allen have come to rely on the federal government, the government relies on them even more.


Edward Snowden was not hired as a spy. He’s a mostly self-taught computer technician who never completed high school, and his first intelligence job was as a security guard at an NSA facility. In an interview in the Guardian, he says he was hired by the Central Intelligence Agency for his computer skills to work on network security. In 2009 he left for the private sector, eventually ending up at Booz Allen. The job he did as a contractor for the NSA appears to have been basic tech support and troubleshooting. He was the IT guy.

People in intelligence tend to divide contract work into three tiers. In the first tier are the least sensitive and most menial jobs: cutting the grass at intelligence facilities, emptying the trash, sorting the mail. In classified facilities even the janitors need security clearances—the wastebaskets they’re emptying might contain national secrets. That makes these jobs particularly hard to fill, since most people with security clearances are almost by definition overqualified for janitorial work.
Snowden, with his computer expertise, fit in the middle tier: people with specialized skills. When the U.S. military first began ramping up its use of contractors during the Vietnam War, these jobs made up much of the hiring—the Pentagon was desperate for repairmen for its increasingly complex weapons and transport systems. Also in this tier are translators, interrogators, and investigators who handle background checks for government security clearances. Firms such as CSC (CSC) and L-3 Communications (LLL) specialize in this tier. Booz Allen competes for some of that work, but it tends to focus on the highest tier: big contracts that can involve everything from developing strategies to defeat al-Qaeda in the Islamic Maghreb to designing software systems to writing speeches for senior officials. Tier three contractors often are, for all intents and purposes, spies—and sometimes spymasters.

BLOG:

Spying for the NSA Is Bad for U.S. Business

William Golden heads a recruiting and job placement company for intelligence professionals. In mid-June, he’s trying to fill three slots for contractors at the Defense Intelligence Agency. As it happens, Booz Allen isn’t involved, but these are the sort of jobs the firm has filled in thousands of other instances, Golden says. Two postings are for senior counter-intelligence analyst openings in Fort Devens, Mass., one focusing on the threat to federal installations in Massachusetts, the other on Southwest Asia. The contractors would be trawling through streams of intelligence, from digital intercepts and human sources alike, writing reports and briefings just like the DIA analysts they would be sitting next to. Both postings require top-secret clearances, and one would require extensive travel. The third job is for a senior linguist fluent in Malayalam, spoken mostly in the Indian state of Kerala, where there’s a growing Maoist insurgency. That the Pentagon is looking for someone who speaks the language suggests American intelligence assets are there. The listing specifies “austere conditions.”
Golden says he constantly sees openings at Booz Allen and other contractors for “collection managers” in posts around the world. “A collection manager is someone at the highest level of intelligence who decides what assets get used, how they get used, what goes where,” he says. “They provide thought, direction, and management. They basically have full status, as if they were a government employee. The only thing they can’t do is spend and approve money or hire and fire government workers.”
The pay fluctuates widely, depending on the candidates’ skills and experience. “This money comes from the intelligence budget, so there isn’t much oversight,” Golden says. He estimates that the Malayalam translator job, for example, will pay between $180,000 and $225,000 a year. That’s partly to compensate for the austere conditions as well as insurgents’ tendency, unmentioned in the posting, to target translators first. The pay is also a reflection that the past 10 years have been boom times for private spies.

WikiLeaks Says It Is Working to Negotiate Asylum in Iceland for Snowden

WASHINGTON — WikiLeaks activists in Iceland are discussing with government officials there the possibility of asylum for Edward J. Snowden, the former National Security Agency contractor who disclosed hundreds of classified documents on N.S.A. surveillance, Julian Assange, the founder of the antisecrecy group, said Wednesday.

“We are in touch with Mr. Snowden’s legal team and are in the process of brokering his asylum in Iceland,” Mr. Assange said in a conference call with reporters. He said both the legal and practical obstacles were under review by Mr. Snowden’s lawyers and supporters.

A spokeswoman for Iceland’s embassy in Washington confirmed that the government had been approached by advocates for Mr. Snowden but would not comment further.

Mr. Snowden, 29, whose leak of National Security Agency documents has shaken American officials and fueled a public debate about government surveillance, is believed to be in hiding in Hong Kong. He has acknowledged that he is likely to be prosecuted for the unauthorized disclosures and has expressed both interest in asylum in Iceland and concern about whether he would be safe there.

American officials have confirmed that Mr. Snowden is under investigation, but he has not been charged publicly. Indictments are sometimes kept secret to avoid alerting the defendant. 

Mr. Assange himself understands the complications of hiding out from possible criminal prosecution. As of Wednesday, he had spent a year in Ecuador’s embassy in London, where he fled to avoid being sent to Sweden to face questioning in a sexual offense investigation. He and WikiLeaks are the subjects in a separate leak inquiry by a federal grand jury in Alexandria, Va., and he has expressed concern that Sweden might send him to the United States to face charges.

Christopher L. Blakesley, a law professor at the University of Nevada Las Vegas, said that Iceland “would be a smart choice” for Mr. Snowden, because authorities there have shown sympathy for the cause of freedom of information and might act favorably on his asylum request.

Obama administration officials, meanwhile, are discussing whether the most contentious N.S.A. program revealed by Mr. Snowden — the agency’s routine collection of data on most telephone calls made in the United States — might be changed to mollify critics who believe it invades Americans’ privacy. One proposal would require the phone companies themselves to store the call data for five years and make it available to government investigators.

But the Federal Bureau of Investigation director, Robert S. Mueller III, warned Wednesday that such a change would slow investigators as they seek to stop terrorist attacks.

“The point being that it will take an awful long time,” Mr. Mueller told the Senate Judiciary Committee.

The National Security Agency director, Gen. Keith B. Alexander, hinted Tuesday at a House hearing that he was evaluating changes to the domestic calling log program and raised the issue of “speed in crisis” as a major disadvantage.

In his testimony, Mr. Mueller provided more details about why national security officials were wary of changing the system. First, he said, under current law companies are not required to retain such records, and some dispose of them in much less than five years. Second, rather than being able to instantly query the complete database to see who a suspect has been in contact with, he said, investigators would have to present legal paperwork to a half-dozen carriers and wait for them to gather and provide the records.

“In this particular area, where you’re trying to prevent terrorist attacks, what you want is that information as to whether or not that number in Yemen is in contact with somebody in the United States almost instantaneously so you can prevent that attack,” Mr. Mueller said. “You cannot wait three months, six months, a year to get that information, be able to collate it and put it together.”

Mr. Mueller did not explain why it would take so long for telephone companies to respond to a subpoena for phone data linked to a particular number, especially in a national security investigation.

Lawmakers also pressed Mr. Mueller to explain what attacks, if any, had been prevented by the N.S.A. surveillance programs disclosed by Mr. Snowden.

Mr. Mueller referred — in greater detail than was provided at Tuesday’s hearing — to newly declassified information linking the program to a case in which several men in San Diego were discovered to have sent about $8,500 to the Shabab, a terrorist group in Somalia.

Specifically, he said, the N.S.A. identified a terrorist-linked phone number in East Africa and ran the number against the domestic calls database, discovering that the suspect number had been in contact with a telephone number in San Diego. Investigators then used other legal authorities to find the name and address of the person who used the line in San Diego, and then obtained an individual warrant to start monitoring that line.

But two senators who have been especially critical of the phone records collection, Ron Wyden of Oregon and Mark Udall of Colorado, both Democrats, disputed intelligence officials’ assertions that the program has been critical in thwarting terrorist attacks. “We have yet to see any evidence that the bulk phone records collection program has provided any otherwise unobtainable intelligence,” they said in a statement.

Also on Wednesday, the chairman of the Privacy and Civil Liberties Oversight Board, a federal panel that is reviewing the N.S.A. programs, said members would sponsor a public discussion of the issues raised next month.

“Based on what we’ve learned so far, we believe further questions are warranted,” said David Medine, the board’s chairman, who was confirmed by the Senate in May and almost immediately faced the debate over N.S.A. monitoring. The five-member board was briefed on the programs by intelligence officials last week.

Mr. Medine said the board planned eventually to issue a public report and recommendations on the N.S.A. programs.

Michael S. Schmidt contributed reporting.

Top Eight Security Tips for Windows 8

Microsoft is releasing Windows 8, the newest version of the Windows operating system, for general availability on October 26. Although Windows 8 offers enhanced security features, it also raises new security concerns because of changes to the graphical user interface and a new online app store. We’re offering the following eight security tips to help you stay secure as you move to Windows 8.

1. Exercise caution with apps for the new Windows 8 user interface (formerly known as Metro)

Some familiar applications have been completely re-written for the new Windows 8 UI. As a result they may work completely differently, despite looking the same. For example, an application historically delivered as an executable could now be entirely web-based. This impacts the visibility your existing security and monitoring tools have into these apps.

2. Use the Windows 8 style UI version of Internet Explorer

By default, plugins are disabled, blocking a major target for exploit kits and Blackhole attacks.

3. Make sure your security vendor can flag malicious Windows 8 UI apps

Windows 8 UI apps have important differences from regular applications, and your security product should be able to distinguish the two. The security product should correctly flag malicious or modified Windows 8 UI applications (tampered, modified, invalid license).

4. Disable hard drive encryption hibernation

Hard drive encryption is a cornerstone of data protection. If possible, disable the hibernation option in Windows 8 through group policy, as it doesn’t always work well with encryption.

5. Make sure your hardware carries the “Designed for Windows 8” logo

To carry this logo, hardware must be UEFI compliant. This means you can take advantage of the secure boot functionality available in Windows 8. Secure boot is designed to ensure the pre-OS environment is secure in order to minimize the risk from boot loader attacks.

6. Make application control a priority

The Windows 8 app store makes application control increasingly important for both malware prevention and productivity control. While the Windows Store will be secured, history shows that malicious apps are likely to slip through. Disable the use of apps that aren’t relevant to your organization.

7. Treat Windows RT (ARM) devices like any other mobile devices

Make sure you impose the same security levels on Windows RT devices as all others. You should have the ability to control, track, remote wipe and encrypt them.

8. Review application permissions in the Windows Store

Applications in the Windows Store must list any resources they require. Carefully review these permissions in the details tab as some will grant access by default to your location information, calendar, etc.

Windows 8: Redmond’s Safest Operating System Ever?

 

With its Windows 8 operating system Microsoft has introduced sweeping changes to the desktop  environment. While much of the discussion around Redmond’s new operating system has been around the naming convention of its Modern UI interface and its touch-friendly tiles, it’s equally helpful to
examine Windows 8 from a security standpoint. Technology Features 

Secure Boot

The first feature owners of a new Windows 8 PC will benefit from is known as Secure Boot. All new PCs that are certified for Windows 8 must utilize the UEFI (Unified Extensible Firmware Interface) standard, rather than a traditional BIOS. UEFI must be configured to only launch boot loaders that are signed by trusted authorities. Vendors shipping Windows 8 certified machines will trust Microsoft’s signature, but are not prohibited from including others or allowing end-users to import their own.

This change will go a long way towards ending traditional boot sector malware. Going back to the 1980s MBR-based viruses and other malware have been able to hide simply due to the fact they are able to load before the operating system. Whatever your opinion on how this may restrict operating system choice,
ultimately, it’s a win for security. Immediately after Microsoft’s boot loader is launched it will validate the
signature of the Windows kernel and continue to the next new optional boot component, ELAM.

ELAM (Early Load Anti Malware) 

It is designed to enable security vendors to  validate non-Windows components loaded during startup. In addition to the Windows kernel verifying that all boot driver signatures are valid, a bare-bones
anti-malware engine may also be used to check drivers before they are loaded. Exactly how effective the feature will be against today’s sophisticated threats remains to be seen, but it’s a step in the right direction, and could prove useful in rootkit cleanup (e.g. in preventing malicious components from being loaded).
The last new boot component is known as Measured Boot and requires the PC to have a Trusted Platform Module (TPM) which is also enabled. All components loaded during the boot process will record measurements, such as how long they took to initialize, to the TPM.

After the boot is complete the results can be sent to a trusted external entity to verify that only wanted code was executed and that it behaved in an expected manner. Few computers today ship with TPMs and this seems like it could be highly error-prone. It remains to be seen whether the benefit will outweigh the
overhead, and additional cost.
Microsoft has also beefed up some of the more traditional exploit mitigation technologies introduced in Windows Vista and 7. Address space layout randomization (ASLR), data execution prevention (DEP) and heap randomization have all been updated to strengthen their protection against buffer overflow and
other stack-based attacks. For something nearly invisible to users, this should help to harden Windows against attacks.

User-Facing Features

So far all of the features we’ve evaluated have been “behind the scenes” work that shouldn’t impact day-to-day users of Microsoft’s latest OS. We will now explore how this new approach interacts with those users.

SmartScreen

SmartScreen, a technology Microsoft introduced in Internet Explorer 9, has now been expanded to cover all executables downloaded onto Windows 8 systems. SmartScreen is designed to take a checksum of an EXE and compare it to Microsoft’s cloud database of known good and bad application checksums. If the result is unknown, Microsoft will warn the user before execution that this program could be malicious and is of unknown provenance. Microsoft insists this feature protected millions of IE 9 users from harm, but I remain unconvinced.

In testing it reminded me of a constant false alarm that triggered scary messages frequently enough on innocent files that I learned to ignore the warnings and, occasionally, put myself in harm’s way.
Consumers will be happy to hear that Microsoft is now including basic anti-virus  protection courtesy of its Windows Defender tool. While most businesses require more comprehensive protection, not to mention centralized control, reporting and updating, home users will likely appreciate the basics being thrown in for no extra charge.
 

Microsoft’s free home anti-virus product, Security Essentials, hasn’t fared all that well in recent independent testing, but it should be good enough for most home users, and would likely stop freshly installed copies of Windows from being instantly compromised.

DirectAccess

DirectAccess was a nifty new VPN solution when first added to Windows 7, with one problem. It required IPv6 to operate, resulting in almost zero adoption. Windows 8 is taking another crack at it, but this time with IPv4 support. The concept of an always-on VPN is a good one and could likely go a long way towards protecting corporate users who frequently get online at unsecured WiFi hotspots at airports, hotels and coffee shops.

Windows To Go

Another security effort aimed at mobile users in enterprise environments is Windows To Go. This feature allows an enterprise licensed Windows 8 user to  take their entire desktop with them on a USB memory stick. It appears that Windows To Go is intended to go head to head with virtual desktop initiatives (e.g. booting from your PC from any PC that supports USB booting). Access to hard disks and other potentially dangerous peripherals is disabled when in To Go mode, but all of your files, preferences and programs are
there for your convenience. I could certainly see this being a safer option for companies who want employees to be able to connect from home PCs without opening up VPN access to untrusted home computers.

Modern User Interface

Last, but not least, is the much discussed Modern Interface and associated security features. Modern is based on the App Store concept that Apple pioneered with iOS. All applications (with one caveat) must be installed directly from Microsoft and must meet Microsoft’s privacy and safety standards.Walled gardens sound good, but the devil is in the details especially when you compare Apple’s approach with that of Google. Google Play has evolved into a safer world, but it has been plagued with many more issues that seem to result from Google trying to exercise less control and offer a more open playing field. Enterprise environments will have the option to load their own trusted certificate onto devices that will allow side-loading of applications. This is similar to iOS and is far more controlled than the tick-box approach that allows for a wild West of unknown applications being loaded on Android.

When applications are viewed in Microsoft’s store a granular list of requested permissions is available, similar to what is seen on Android devices. This list, however, is only available if you select the Details tab. There is no prompting to raise awareness of this privacy feature. This may be a good thing  as asking users to make decisions too frequently leads to the “always saying yes” problem that plagues SmartScreen, but it would be beneficial if the permissions appeared on the default installation screen rather than hidden behind a tab.

 IE 10 Windows 8

  introduces a new dual personality version of Internet Explorer 10. While IE is largely unchanged in “Desktop” mode, it operates in a far more limited mode when used as a Modern UI application.

The Modern UI IE eschews support for plugins, with the rare exception of a whitelist that allows Adobe Flash (which is native to IE 10) to execute on a Microsoft managed list of sites. With that comes the inability to patch when Adobe announces their availability as users will need to wait for a Microsoft update rollup. Enterprises that require Java or other proprietary plugins will find, in most cases, they will need to use Desktop mode, erasing most of the  advantages offered by the Modern UI.

The Safest Windows Ever In summary, Windows 8 isn’t blazing any innovative trails into a perfectly secure future; still, it offers improvements that can and will lead to a safer Windows experience. I don’t see anything (other than the new IE interface) that truly concerns me. The big question that remains is this: will enterprises with their investment in training and legacy hardware embrace an entirely new user interface so soon on the heels of Windows 7 deployments? I don’t think the incremental improvements in security will sway this decision, but there is no doubt that this is the safest Windows operating system ever.

Who helped NSA to build Prism?

Palantir Technologies is considered the principal company behind the design of software used for PRISM program, think of it as the work of a single company is truly an understatement.

Palantir Technologies, this is the most popular company name referred when discussing those who have supported the U.S. Government in the development of massive surveillance project Prism. The company, exactly like the principal IT firms involved in the program denied any implication but majority of security analysts are convinced that the truth is different.

I wrote on Palantir in a post just after the publication of mail stolen during the hack to Stratfor firm, in one email published Palantir is expressly indicated as a possible financier of Facebook.  The email between two Stratfor’s analysts states:

“I think Palantir is involved in things less clear, including the financing of Facebook.”

The Palantir is a California company that designs platforms for complex information analysis. It was founded in 2004 and currently offers various solutions for integrating, visualizing, and analyzing the world’s information.

Palantir was founded by Peter Thiel, Alex Karp, Joe Lonsdale,  Stephen Cohen, and Nathan Gettings, the company received investments for $2 million from the CIA’s venture arm In-Q-Tel and $30 million from Thiel and his firm, Founders Fund.
The name of Palantir appeared for the first time during the hacking of HBGary Federal company, when documents were some stolen detailing the involvement of the Palantir to attack and destroy WikiLeaks.
By coincidence Palantir commercialize a product dubbed PRISM that “that lets you quickly integrate external databases into Palantir. Specifically, it lets you build high-performance Data Engine based providers without writing any code. Instead, you define simple configuration files and then Palantir automatically constructs the data provider and database code for you.”
Palantir Prism is a data mining software for banks, that’s the version provided by legal representatives of the company:

“Palantir’s Prism platform is completely unrelated to any US government program of the same name. Prism is Palantir’s name for a data integration technology used in the Palantir Metropolis platform (formerly branded as Palantir Finance). This software has been licensed to banks and hedge funds for quantitative analysis and research,”

Y Combinator partner Garry Tan commented Palantir’s disclaimers with following tweet:

It is still not clear how PRISM works, the slides presented could be not accurate enough to explain how PRISM platform access to the data of IT companies, some specialists sustain that the companies provided direct access to their servers others speculate the companies feed a sort of Dropbox-like system that is accessed by PRISM for surveillance purpose.
In this second scenario it could be involved also Amazon as hosting provided for temporary storage for information provided by companies, Amazon Web Services in fact recently announced that it is set to build a massive cloud for the CIA. IBM.
Despite various hypothesis on PRISM architecture, it is still a mystery I suggest you the post proposed by Robert Graham of Errata Security that tried to propose an original idea of the Debated surveillance program.
In reality the complex machine that in a simplistic way was dubbed PRISM is probably fueled by much more information from various sources, not only IT giants are involved, Digital Net Agency Chief Strategy Officer Skip Graham believes the advertising industry is complicit inducing internet users to provide personal information online.
Who and how manage this data?

“How our industry works has absolutely no correlation to the efforts of the government. Or does it? How much of the data the NSA is using is data we convinced people it was safe to have stored? I’m afraid it’s going to turn out to be most of it,” Graham told ZDNet.

It must be also considered that many other data can concur to profile US citizens, let’s think of information related to their medical history, rather any kind of financial information acquired from banking and other financial institutions.
We are all  under continuous control, think of it as the work of a single company is truly an understatement …. how many other Palantir are operating in the US and elsewhere?
What data handling and on behalf of whom?
Pierluigi Paganini

NSA Implementing 'Two-Person' Rule To Stop The Next Edward Snowden

The next Edward Snowden may need a partner on the inside.
On Tuesday, National Security Agency Director Keith Alexander told a congressional hearing of the Intelligence Committee that the agency is implementing a “two-person” system to prevent future leaks of classified information like the one pulled off by 29-year-old Booz Allen contractor Edward Snowden, who exfiltrated “thousands” of files according to the Guardian, to whom he has given several of the secret documents.
We have to learn from these mistakes when they occur,” Representative Charlies Ruppersberger said to Alexander in the hearing. “What system are you or the director of national intelligence administration putting into place to make sure that if another person were to turn against his or her country we would have an alarm system that would not put us in this position?”
“Working with the director of national intelligence what we’re doing is working to come up with a two-person rule and oversight for those and ensure we have a way of blocking people from taking information out of our system.”
That “two-person rule,” it would seem, will be something similar to the one implemented in some cases by the military after Army private Bradley Manning was able to write hundreds of thousands of secret files to CDs and leak them to WikiLeaks. The rule required that anyone copying data from a secure network onto portable storage media does so with a second person who ensures he or she isn’t also collecting unauthorized data.
It may come as a surprise that the NSA doesn’t already have that rule in place, especially for young outside contractor employees like Snowden. But Alexander emphasized that Snowden was one of close to a thousand systems administrator–mostly outside contractors–who may have had the ability to set privileges and audit conditions on networks.”This is a very difficult question when that person is a systems administrator,” Alexander responded. “When one of those persons misuses their authority it’s a huge problem.”
Alexander added that the system is still a work in progress, and that the NSA is working with the FBI to collect more facts from the Snowden case and to implement new security measures in other parts of the U.S. intelligence community.
When asked how Snowden had gained such broad access to the NSA’s networks despite only working for Booz Allen for three months, Alexander said that he had in fact held a position at the NSA for the twelve months prior to taking that private contractor job.
The questions about the NSA’s lack of leak protections came in the midst of a conversation that largely focused on the NSA’s justification for the broad surveillance those leaks revealed. In the hearing, Alexander claimed that more than 50 attacks have been foiled with some help from the NSA’s surveillance programs such the collection of millions of Americans’ cell phone records and the collection of foreigners’ Google-, Facebook-, Microsoft- and Apple-held data known as “PRISM,” both disclosed in Snowden’s documents. One newly-revealed bombing plot targeted the New York Stock Exchange, and another involved an American donating money to a Somalian terrorist group.
Of those more than 50 total cases, ten of those plots involved domestic collection of phone records, according to Alexander. But when Representative Jim Himes questioned in how many cases that collection was “essential,” his question went unanswered.
Alexander also fended off criticisms that the Foreign Intelligence Surveillance Act court system, which oversees the NSA’s requests to use data it’s collected–often from Americans–is a “rubber stamp process” that approves nearly all of the NSA’s actions. That court reported  in April that it had received 1,789 applications for electronic surveillance in an annual report to Congress. One request was withdrawn, and forty were approved with some changes. The other 1,748 others were approved without changes.
“I believe the federal judges on that court are superb,” Alexander told Congress. “There is, from my perspective, no rubber stamp.”
But a significant portion of the hearing also focused on the NSA’s security vulnerabilities highlighted by Snowden’s leaks, rather than its surveillance. Representative Michelle Bachmann emphasized that the NSA should answer “how a traitor could do something like this to the American people,” and how to “prevent this from ever happening again.” She asked Alexander how damaging the leaks were to the NSA’s mission, and he responded that they were “significant and irreversible.”
Snowden has taken refuge in Hong Kong, where he conducted a live Q&A on the Guardian’s website Monday. In that conversation, he wrote that “the consent of governed is not consent if it is not informed,” and that “truth is coming, and it cannot be stopped.”
At the hearing, a member of the committee ended with a personal question about that young leaker’s fate: What’s next for Snowden?

FBI deputy director Sean Joyce answered, simply, “Justice.”
–

Google challenges US surveillance court on 1st Amendment grounds

SEATTLE (Reuters) - Google Inc asked the U.S. Foreign Intelligence Surveillance Court on Tuesday to allow it to publish aggregate numbers of national security requests it receives separately from criminal requests, on First Amendment grounds.

In its filing, Google requested the court to allow it to publish the aggregate number of national security requests it receives, including disclosures under the Foreign Intelligence Surveillance Act (FISA), claiming it as part of its First Amendment right to free speech.

"In light of the intense public interest generated by the Guardian's and Post's erroneous articles, and others that have followed them, Google seeks to increase its transparency with users and the public regarding its receipt of national security requests, if any," the Google filing said.

Google's move comes after other tech companies, including Microsoft Corp, Facebook Inc and Apple Inc released limited information about the number of surveillance requests they receive under an agreement they struck with the U.S. government last week.

Under that agreement, the companies were only allowed to disclose aggregate requests for data made by government agencies without showing the split between surveillance and criminal requests, and only for a six-month period.
The companies are scrambling to assert their independence after documents leaked to the Washington Post and the Guardian newspapers suggested they had given the U.S. government "direct access" to their computers as part of a National Security Agency program called Prism.
The disclosures about Prism, and related revelations about broad-based collection of telephone records, have triggered widespread concern and congressional hearings about the scope and extent of the information-gathering.
Google said it asked the U.S. Department of Justice and Federal Bureau of Investigation on June 11 to publish the aggregate number of national security requests, but said it was told such an act would be unlawful.
(Reporting by Bill Rigby; Editing by Richard Chang and Leslie Gevirtz)

NSA director describes surveillance as 'limited, focused' in House hearing

Keith Alexander testifies to Congress that programs revealed by Edward Snowden have stopped 'more than 50' attacks

Some of the most senior intelligence and law enforcement officials in the United States strongly defended the National Security Agency's broad surveillance efforts on Tuesday, saying they had disrupted more than 50 terrorist plots around the world.
General Keith Alexander, the director of the NSA, told a rare public hearing of the House intelligence committee in Washington that the programs were "critical" to the ability of the intelligence community to protect the US.
Offering the most extensive defence yet on the efficacy of secret surveillance programs reported by the Guardian and the Washington Post, Alexander said they were "limited, focused and subject to rigorous oversight".
During the hearing, members of Congress criticised the source of the leaks, Edward Snowden, who remains free in Hong Kong. On Tuesday, Iceland said it had received an informal approach from an intermediary claiming that Snowden, a 29-year-old former NSA contractor, wanted to seek asylum there. Asked at the congressional hearing about what was next for Snowden, Alexander said: "justice".
Flanked by senior officials from the FBI, Justice Department and the Office of the Director of National Intelligence, Alexander said that two surveillance programs revealed by the Guardian and the Washington Post had "helped prevent more than 50" terrorist attacks in over 20 countries.
Most of those prevention efforts, Alexander said, came from the NSA's monitoring of foreigners' internet communications under a program known as Prism. He conceded that only 10 related to domestic terror plots.
The Obama administration officials gave more details about four cases in which information taken from the NSA's databases of foreign internet communications and millions of Americans' phone records had contributed to stopping attacks. Two of them have been previously disclosed, especially that of the 2009 arrest of would-be New York subway bomber Najibullah Zazi. That case has been sharply challenged thanks to court records as more attributable to traditional police surveillance.
Referring to the statutory authority for Prism, known as Section 702 of the 2008 Fisa Amendments Act, FBI deputy director Sean Joyce said: "Without the 702 tool, we would not have identified Najibullah Zazi."
Joyce identified two previously unknown cases that he said the surveillance efforts helped unravel. In one, a Kansas City, Missouri, man named Khalid Ouazzani was found communicating with a "known extremist" in Yemen, information that helped detect what Joyce called "nascent plotting" to bomb the New York Stock Exchange. The other, described more vaguely, allowed the US government, using the NSA's phone-records database of Americans, to revisit a case closed shortly after 9/11 for lack of evidence.
Ouazzani, however, was never convicted of plotting to bomb the stock exchange. Andrew Ames, a Justice Department spokesman, later clarified that he was convicted of "sending funds" to al-Qaida. The other case, Joyce said, involved an American who provided "financial support" to extremists in Somalia.
Two members of the Senate intelligence committee, Ron Wyden and Mark Udall, said last week that they had not seen any evidence to show that the "NSA's dragnet collection of Americans' phone records has produced any uniquely valuable intelligence".
The intelligence and law enforcement officials as subject to "checks and balances". But they clarified, in the most detail provided publicly thus far, that most of those checks are internal.
James Cole, the deputy attorney general, said that the NSA needs "reasonable, articulable suspicion" of involvement in terrorism before searching the millions of Americans' phone records that it collects. But, Cole said: "We do not have to get separate court approval for each query."
Instead, the NSA sends an "aggregate number" of times it has searched the database every 30 days to the secret Fisa court that oversees surveillance, while also sending a separate report each time NSA analysts inappropriately search the database. Alexander's deputy, Chris Ingliss, said NSA analysts searched the database 300 times in 2012 in total.
Representative Adam Schiff, Democrat of California, said that "it may be valuable to have court review prospectively".
Alexander pledged to send the House and Senate intelligence committees greater detail on the surveillance programmes' role in preventing the 50-plus plots in secret on Wednesday. But he insisted the NSA took great care internally to balance civil liberties and national security.
"I would much rather today be here to debate this point than try to explain why we failed to prevent another 9/11," he said.

 

WARNING: Malware Targets Facebook Users

Microsoft discovered malware aimed at obtaining Facebook users’ login information and taking over their accounts, and the new malware strain, Trojan:JS/Febipos.A, has been delivered in the form of extensions for Google Chrome and add-ons for Firefox. The only good news is that it appears to have been discovered only in Brazil thus far.
The Next Web reported that Internet Explorer and Safari appear to be immune from Trojan:JS/Febipos.A thus far.
According to The Next Web, the browser extensions or add-ons determine if users are logged in to Facebook and attempt to download configuration files that include lists of commands, enabling them to perform activities such as liking pages, sharing content, posting on other users’ Timelines, commenting on posts, joining groups and inviting friends to do so, and chatting with friends.
Microsoft concluded, as reported by The Next Web:

There may be more to this threat because it can change its messages, URLs, Facebook pages, and other activity at any time. In any case, we recommend you always keep your security products updated with the latest definitions to help avoid infection.

In other words, while the threat seems to be currently focused on targeting Facebook users in Brazil (its messages are all written in Brazilian Portuguese), it’s easy to see how the threat could be modified to target more users. The fact that it uses a configuration file shows that the criminals specifically designed it to be modular.

Readers: Have you ever fallen victim to malware on Facebook?

HP introduces HAVEn to combat $4 billion cyber-theft in Big Data space

HP announced at HP Discover 2013, the new big data solutions along with security portfolio to combat $4 billion cyber theft in big data space. The acronym HAVEn  is built with best of HP’s technology such as Hadoop, Autonomy, Vertica and Enterprise Security represented by Arcsight and "n" apps built on this platform, all representing various aspects of big data.

Big data is unmanageable and complex data comprised of machine and human generated data. This is a perfect platform to manage that big data from all perspective including analytics, reporting, and security. Autonomy is the best big data solutions for human generated data, ArcSight has been managing the machine generated big data since 2007 with introduction of CORRe, Hadoop is a great place to consolidate all of this data with which you can use any analytical tool such as Vertica to perform real-time, near-real-time, and historical analysis of all type of data.

Big data is caused by the volume, velocity, and variety of the data and HAVEn handles each of this along with managing the vulnerability of the big data. This combined solution has the capability of collecting data from 750+ built-in connectors at over 100,000 events per second, and pushing the data to both ArcSight for event correlation and Hadoop for further analysis and storage at the same 100,000 events per second. You will now be able to perform Google like search on any type of data with simple full-text searching at over 3,000,000 events per second, and coordinate the events in real-time across devices at over 5,000,000,000 events per day. This provides end-to-end and comprehensive big data solution from collections, analysis, storage, and searching.

WeChat Messenger App to Be Banned in India?

The Intelligence Bureau (IB) has proposed a ban on Chinese mobile messengers including We Chat following concerns that proliferation of such services can pose a threat to national security.

Blocking access to such websites in accordance with the licensing conditions governing Internet service providers is one way of checking them, the country's internal intelligence agency pointed out at the second meeting of the inter-agency operational working group on June 4.
According to an internal note reviewed by ET , deputy national security advisor Nehchal Sandhu asked IB to discuss the matter with the home ministry and the telecom department to devise a methodology to block access to such sites.

We Chat, an instant mobile messaging application, claims a worldwide subscriber base of 300 million and competes with popular mobile applications such as Whatsapp and BlackBerry messenger. With revenue from SMS on the decline, telecom operators have been exploring tie-ups with such messengers to shore up their data revenue.

Sandhu also proposed to limit the access of various ministries and departments to Internet so as to make government's communication more secure. "A limited number of interface points could be effectively protected. The DRDO has floated a paper on the subject," he said.

Zeus FaaS Comes to a Social Network Near You

FaaS: Never a Dull Moment
The cybercriminal practice of operating Trojans and botnets has a long history on the Internet, an especially thriving one since the release of the first commercial banking Trojan, Zeus, in 2007.
Since then, the ever-evolving world of financial malware has seen many turns of the tide with new banking Trojans released, then disappear in dramatic underground events.
Through it all, the one constant has been cybercrime’s Fraud-as-a-Service offerings market, enabling the sale of Trojan bits and bites, or entire package deals, to those who could not afford a complete kit, or had no idea where to begin.
Typical Trojan FaaS deals offer a Trojan like Zeus, SpyEye, Ice IX, or even Citadel for a few hundred dollars instead of the full kit price going for a few thousands rather. FaaS deals sweeten the pot with bulletproof hosting at a discount, free set-up services, hands-on tutoring and malware-campaign help wrapped into affordable combos.
While it is beyond doubt a thriving economy, Fraud-as-a-Service mostly remained hidden in the deep enclaves of dark online markets, only advertised to those who were in the know, sought in the right place, or knew the right people. But that’s all a thing of the past, it seems. Social networks are such a great place for malware infections and phishing, why not just market the botnet directly from there?
Zeus FaaS Comes to a Social Network Near You
A recent discovery by RSA researchers shows a new FaaS offering that is being marketed directly via a popular social network. The sale item: a customized botnet panel programmed to work with the Zeus Trojan – both reworked by what appears to be an Indonesian-speaking malware developer.
Beyond having compiled a working Zeus Trojan kit, the developer customized an attractive control panel for the admin (basic and familiar in functionality, and taken from previous Zeus versions), the developer and his team created a demo website for potential buyers – which they have no qualms about sharing publicly, and best of all—a Facebook page with frequent updates and information about botnets, exploits, cybercrime, and their own product (Zeus v 1.2.10.1).
Why is This New or Interesting?
New Crime Products
Since the Zeus code leak in mid-2011, the world of information security foretold the coming development of new breeds of the malware and the compilation of working variants from the source code in the hands of those versed in malware programming. Seeing new customized Zeus Trojans out in the wild is very common, but seeing someone marketing a Zeus v1 kit is not.
This case shows that the code leak, leading to the availability of the Trojan, makes for an even more diverse crimeware market, one that gives room to new offerings, especially at a time when all the major developers are staying away from the commercial arena.
No Fear
Marketing cybercrime in such an open and accessible manner is not something common. Cybercriminals usually fear for their freedom and will not expose their endeavors online to potential undercover cyber-police officers and security research. Those who would take such a chance, in favor of selling their wares to a larger audience, do so because they trust the anti-digital crime laws in their counties are more forgiving or downright absent.
What’s The Overall Effect?
The cybercrime underground may have lost most of the access it had to the major commercial Trojans after Zeus, SpyEye, Ice IX and Citadel’s developers all decided to quit vending their malware freely, but it seems that FaaS is definitely keeping things alive in the crime world.
With affordable kits and readily available developers selling it, even an old Trojan like Zeus v1 can do the job, enticing would-be criminals to try their hand at harvesting bank credentials and online financial fraud scenarios.
Laws and Punishment – Best Deterrents
Cybercrime is a rampant phenomenon, and while it is known that policing is not yet up to par in its ability to control crime on the Internet, the most evident deterrents to online crimes are the law’s long-reaching, heavy arms.
International investigation efforts and collaborations leading to the arrests of numerous cybercriminals, botnet operators, fraudsters and online gangs have been the driver for malware developers to minimize their publicly-available operations and find a hiding place to continue their illicit activities.
Laws and actual punishments are developing all over the world; the more people understand that digital crimes can be investigated, uncovered, proven and lead to jail time, the more they would hesitate before deciding to dabble in cybercrime.

A social networking page dedicated to potential buyers and those interested in botnets, exploits and cybercrime

Demo website allowing potential buyers to look at the botnet control panel and options they can use

Mobile Risks and the Enterprise

I have worked on mobile security strategy for RSA for the last two years now, and during that tenure the market continues to evolve and move at a rapid pace, which no doubt is putting more stress and uncertainty into the minds of security professionals. But, just the other day I saw a graphic in Computerworld that really summed up the entire mobility movement. Take a look:

For those interested in reading the entire article, here it is (but don’t dare click away until you have finished this compelling blog): Poor pre-launch showing plagues Windows 8
What we are seeing with the mobility movement is not just about the next shiny new device, and the worry of that device being left in a cab or a restaurant. We are really seeing a fundamental shift in the way IT is consumed, and subsequently secured, and it’s mostly driven by mobile. The graphic above shows the amount of Windows PCs that currently have Windows 8 installed on it compared to Windows 7 at the similar time in its life (Windows 8 ships October 26^th). Now, a difference between a 1.6% share and a 0.33% share may not seem like that much on the surface, but you need to think about the kinds of people that typically deploy early releases of these operating systems.
People upgrading early are not likely to be the consumers of IT services. More often than not, early upgrades are for the development community to build the applications that we all know and love on the next operating system (like how a number of apps were ready for the Retina display when I bought my MacBook pro this summer). Sure, some of this shift between Windows 7 and Windows 8 is due to Apple continuing its dominance in the laptop market and more applications moving to OSX. But a lot of this discrepancy is also due to the mobility movement and the shift of IT consumption to iOS and Android devices rather than traditional PCs.
The new SBIC report, “Realizing the Mobile Enterprise: Balancing the Risks and Rewards of Consumer Devices”, highlights these shifts. Consider these quotes:

Roland Cloutier (VP, CSO, ADP) – “Mobile apps have the power to increase organizational agility…No matter where someone is in the world, they can manage their workflow around anything…”
Dr. Martijn Dekker (SVP, CISO, ABN Amro) – “A huge benefit of mobile devices is the user interface…This is simply how people want to interact with IT systems nowadays…”

This shift in how IT is consumed can have a dramatic effect on the security world. It also pushes the importance of mobile beyond just protecting the endpoint from a lost/stolen scenario, and actually makes it an even bigger problem around how you authenticate users and federated identity in a non-Windows, web-based world.
Considering this, there are a number of trends we have come up with around mobility that make it a distinctly different and new security challenge to consider:
BYOD: This is a marketing term, but the fact that devices are either personally owned (or treated as personal devices) has serious implications. First and foremost, enterprises have lost control of the endpoint image, which creates an issue around enforcing agents or installing security patches. Many enterprises are struggling just to get users to install MDM on their devices, let alone deeper agents like anti-virus or malware forensics agents to protect against advanced threats. In addition to the lost endpoint control, BYOD also creates a problem about when and how enterprise policy is applied. Obviously when a device belongs to an individual there is an expectation that enterprise rules are only being applied when working, but this is starting to be the case even when enterprises provide devices for users, especially in phones. For example, EMC purchases our phones for us, but I still treat that device largely as a personal device. It’s my only cell phone (my only phone at all, in fact), and I have a number of personal apps loaded on it. The simple fact that I carry it all day everyday means that a large percentage of the time it will be in use for personal reasons. This forces enterprises to think about applying security policy in only enterprise scenarios, not on the entire device. This is one example where MDMs tend to come up short.
Off Network: Network visibility is a drug to security teams. Its needed more than anything else to understand what users are doing and when they are doing it. That is the reason why so many advanced threat tools today are network-based monitoring tools. Unfortunately, in the mobile world, enterprise networks don’t have to be touched all that often. For phones, just about all of the network connectivity goes across carrier networks, and its only when the phone asks the enterprise for some information that the enterprise can monitor it. As soon as the data gets to the device – you’ve lost visibility from a network perspective (picture a sensitive piece of content being uploaded to Dropbox from a mobile device). The use of cloud services only exacerbates this problem, because then you have disconnected endpoints (that enterprises don’t own) connecting to cloud services (that enterprises don’t own). Nowhere in that interaction does the enterprise network see the traffic.  That lack of visibility can be troublesome for security teams.
“Chatty” Interaction Model: This is always a tough trend to explain, and the term “chatty” has been the best way I have been able to describe it. Basically, what it boils down to is the fact that mobile users have very frequent context shifts between work and play. The best way to illustrate this is email and calendar. Just a few years back, if I wanted to check my email at night or see what time my morning meetings were, I needed to boot up my laptop (which likely was a 10 minute process), open my VPN client, usually respond to a two-factor authentication challenge, and then open Outlook. The Blackberry (remember that?)  changed all of that. It gave quick access to email and calendar without the need for VPN. That began the blurring of work/play. iPhone and Android brought in more play to these devices, and what we are left with is a consistent flip between work/play throughout the day. You might check email, make a quick response, and then hop onto your Facebook app right after that. That switching does not provide good areas for strong authentication, and blurs the line as to when enterprise security policy should be applied.
Web/Federated Access Model: This one is mostly driven from the “app” economy Apple created and the chipping away of Microsoft’s dominance in the enterprise. More and more cloud services are being used for enterprise purposes (Google Apps, Salesforce, Box, Office 365, etc), and each of them make use of web-based authentication standards. As enterprise app development evolves, more and more things will be developed in the mindset of  “mobile first” (see Microsoft graphic above). That will push more traditional enterprise authentication and identity management into a web standards world.
Fighting against these trends isn’t the wisest idea. Apple has shown that consumers have an awful lot of control around enterprise IT policy. But you still need effective ways of delivering security. Fundamentally, you still need to secure data, secure identities, and get threat visibility, but you need to do it while working within these trends and not trying to push the old model on the new.
The SBIC report on mobility that I mentioned earlier gives a great overview of the security options available to enterprises today, including MDM, application containerization, enterprise authentication, and application malware detection. Specifically, the report calls out the need for MDM, but cautions against the over reliance on MDM as a security solution. Consider the quote from Marene N. Allison (Worldwide VP of Information Security, Johnson & Johnson), “…If you talk to security professionals at this point we just settle on MDM. It’s not like we can get all of the features we want yet. MDMs are still too immature.”
The overall mobile management market is maturing beyond just device management into application and data management, which allows for granular policy enforcement and network connectivity into enterprise apps. These management products will ultimately encompass the next generation security infrastructure in mobile, similar to the way VPNs made up the traditional remote access infrastructure. Strong authentication methods, especially those that rely on risk-based methodology, as well as data security and threat forensics will be layered on top of these infrastructure components to create a true mobile security stack that can take much of the mystery out of BYOD.