ENTERPRISE SECURITY: An interactive eGuide
Contents

2. Security Strategies Alert: Is your company ready for legal holds and compliance with mobility and the cloud?
4. Who are all these hacker groups? They go by names like Anonymous, Lulz Security, Zeus, Night Dragon, Green Army Corp, Inj3ct0r Team; their goals, methods, effectiveness vary
7. The Deep End: It’s time to make poor coding a felony
9. Reduce, reuse, recycle – just not your password: In the wake of a breach, researchers typically focus on the poor password choice of users, but reuse is a much greater threat
11. Smartphone apps: Is your privacy protected? Are your apps putting your privacy at risk?
14. David Litchfield on securing the data castle: It’s not sophisticated attacks, complex vulnerabilities or user errors that are the greatest threats to database security, says this expert.
16. Security Resources

Keeping corporate information assets safe takes a combination of smart strategy and intelligent technology choices. IT managers must stay on top of the latest security threats, understand the latest prevention mechanisms, implement risk management and, perhaps toughest of all, keep users complying with corporate safeguards. And with trends such as mobility and cloud computing impacting corporate IT security, technology professionals need to ensure their infrastructures are protected on all fronts. In these articles, Computerworld and its sister publications CIO, CSO, InfoWorld and Network World explore best enterprise security practices and expert advice for securing modern enterprise IT environments.

Custom publishing from COMPUTERWORLD. Sponsored by COMPUTERWORLD.

Advice

Security Strategies Alert: Is your company ready for legal holds and compliance with mobility and the cloud?

By M. E. Kabay and Gordon Merrill, Network World

IT HAS NOT BEEN TOO LONG since Google lost millions of emails and struggled to get most (!) of them back for customers. Amazon recently had cloud issues where they were not able to restore all the data their cloud customers had placed on their servers. I recently sat in on a presentation hosted by the Chattanooga Technology Council called “Cloud Computing: Separating Fact from Fiction.” The Google and Amazon situations were discussed in this meeting and IT leaders questioned whether the cloud was secure enough yet for any other than benign data.

Are you ready for the cloud? If so, will you use a public service or a private cloud? Companies are being urged to go virtual and into the cloud to be competitive. We usually read advice to use private clouds, not public clouds. Controlling our own cloud can afford some degree of protection beyond security on public clouds; however, they are both accessible through an IP address, making both types of cloud vulnerable.

But in addition to the security and data integrity of cloud computing, legal and compliance issues become more ah, clouded, – OK, more complex – when we enter the cloud. In the U.S., Sarbanes-Oxley requires total control over your data from origination to destruction. Other compliance regulations have similar restrictions in them that impose various punishments for the breach of company data. Let’s look at the Amazon case, in which several cloud subscribers did not regain all of their data placed on the cloud. Where does that leave them?
Just as our digital age has far outpaced the 1986 Computer Fraud and Abuse law (18 USC 1030a) and the Wire and Electronic Communications Interception Law (18 USC 2510 et seq.), leaving us with major data environments not mentioned with any sort of legal recourse or protection, we are now moving fast into the new mobile and cloud age with newly uncharted territory for legal compliance or recourse. With a legal system that has not even caught up to brick-and-mortar and perimeter security, how can we expect any real guidance as we rush forward into the great unknown?

Imagine that a hypothetical Fortune 250 company, XYZ Essentials, has their data stored on a private cloud on Amazon Elastic Compute Cloud (EC2) when the EC2 system goes down. Suppose XYZ is already on a legal retention order from a court stipulating that all data and records are to be retained with zero destruction until released by the court. Let’s take it a step further and say the company is under Federal Department of Justice Investigation as well.

• Is XYZ now out of compliance because they have data that was lost when EC2 services went down?
• Is XYZ still responsible for the data it lost when it turned control over to a cloud provider?
• Does this action constitute a loss of control from creation to destruction?
• In the brick-and-mortar world, if the lost data were demanded by court order, those data could still be recovered from company-managed backups or by forensic recovery from the hard drives. How do we recover data if the cloud goes down?

-- Gordon Merrill, MSIA, currently lives and works in Tennessee. His career has taken him to 48 of the 50 states and to six foreign countries. Gordon’s information assurance background has included working for major computer companies such as IBM, managing IT projects for Fortune 250 companies in the risk management field, owning his own business, and working as a private consultant. He was chair of the School of Information Technology at the ITT Technical Institute in Chattanooga for three years.

News Analysis

Who are all these hacker groups?
They go by names like Anonymous, Lulz Security, Zeus, Night Dragon, Green Army Corp, Inj3ct0r Team; their goals, methods, effectiveness vary

By Ellen Messmer, Network World

HACKER GROUPS THAT ATTACK — some estimates say there are as many as 6,000 of such groups online with about 50,000 “bad actors” around the world drifting in and out of them — are a threat, but the goals, methods, effectiveness of these groups varies widely. When they’re angry, they hack into business and government systems or steal confidential data in order to expose information about their targets, or they simply disrupt them with denial-of-service attacks. These are the hackers with a cause, the “hacktivists” like the shadowy but well-publicized Anonymous or the short-lived Lulz Security group (which claimed to have just six members and just joined forces with Anonymous).

Over the years, Anonymous is believed to have hit targets that include the Church of Scientology, the Support Online Hip Hop website, the No Cussing Club website, and posted pornographic videos disguised as children’s videos onto YouTube. It’s said to have joined with Iranians protesting the results of the June 2009 Iranian presidential election. It’s tied to taking down the Australian prime minister’s website in 2009 because of the government’s plans there to have ISPs censor porn on the Internet. Anonymous has taken up the cause of piracy activists fighting copyright law by launching denial-of-service attacks against anti-piracy groups and law firms. The group is supporting WikiLeaks, which publishes confidential information, including the U.S. State Department cables allegedly leaked by U.S. Army soldier Bradley Manning, now in a military jail awaiting trial.

Anonymous, perhaps tied to the Sony hacking incidents, has launched distributed DoS attacks against Amazon, PayPal, MasterCard, Visa and others when the card-payment groups refused to process donations to WikiLeaks. Anonymous has sprung into conflicts, such as this year’s uprisings in the Mideast, hitting the websites of the Tunisian, Egyptian and Libyan governments. The group recently let the world know its chief focus these days is going to be targeting governments and corporations.

But hacktivists like Anonymous are just one type of hacker group. Others are out for financial gain, well-organized to steal payment-card numbers and personal financial data, or pillage bank accounts. And there are groups that focus on intellectual-property theft or steal valuable information for national interests, or money, or both. Here’s a look at what’s known about some of them — including the ones that, unlike the hacktivists, seldom “Tweet” the world about what they do.

The Zeus gangs

The malware called ZeuS is designed to plunder victims’ PCs to steal financial information and execute fraudulent high-dollar Automated Clearinghouse (ACH) transfers in corporate bank accounts, resulting in many millions of dollars in fraud against businesses, church groups and government agencies. The Federal Bureau of Investigation (FBI) and international law-enforcement partners in the United Kingdom, the Netherlands and the Ukraine managed to disrupt one of the six main ZeuS hacker groups last fall in a sweep that netted about 100 suspects tied to $70 million in U.S. bank heists. But the leader of what’s called “JabberZeus” (because the specific variant of ZeuS used Jabber instant message to tell gang members when a victim’s online banking credentials were stolen) is still believed to remain at large. And according to Don Jackson, senior security researcher at Dell SecureWorks, which has worked with business and the FBI, there are still five other separate ZeuS hacker groups very active across the world. These Zeus hacker groups have now been connected to “a billion dollars in losses,” says Jackson.

Dogma Millions

This group, largely Russian, runs what’s known as a “pay-per-install” operation to get victims to download malware they’ve designed, and it’s believed to have hundreds of “affiliates” that get paid when a malicious file is installed on a victim’s machine. The group is known to have developed specialized software packers and protectors to ensure that its malware, such as rootkits, remains undetected by antivirus products.

The Chinese hacker puzzle

With a growing number of cyberattacks traced back to mainland China, there’s a lot of interest in knowing about hacker groups there, with speculation there are many dozens of them. Security firm McAfee earlier this year released a report called “Night Dragon” which claimed hacker groups from China work regular hour shifts to try and break into oil companies to steal data.

Over the years, the more famous China hacker groups have included Janker, founded by Wang Xianbing, and the Green Army Corps, founded by Gong Wei, according to researcher Scott Henderson, who runs the website Dark Visitor. Although there is no shortage of suspicion in the U.S. that Chinese hackers have at times worked for the Chinese government to steal secrets from U.S.-based businesses and the government, there are also times when Chinese authorities have taken steps to shut down hacker groups. For instance, reports said police last year in Hubei province went after hacker group “Black Hawk Safety Net” and its website that was providing Trojan-based malware.

Over the years, others such as the Network Crack Program Hacker Group based out of Zigong have been identified. The group used a rootkit called GinWui in attacks on the U.S. Department of Defense, other U.S. agencies and Japan about five years ago. GinWui is thought to have been developed by the group’s leader, Tan Dailin, who has used the handle “Wicked Rose” and later “Withered Rose.” The Network Crack Program Hacker Group is believed to have transmitted a large amount of documents to China from the U.S. But when Dailin launched denial-of-service attacks against other Chinese hacker groups, including Hackbase, 3800hk and HackerXfiles, these hacker groups went to Chinese authorities, which arrested Dailin in 2009. He now faces over seven years in prison.

Recent hacker group in the news: Inj3ct0r Team

Some hacker groups, particularly the hacktivists, are inclined to make their exploits public by announcing them online in some way or dumping contents they’ve stolen as proof of their prowess.
Recently a group called “Inj3ct0r Team” claimed they’d compromised a server belonging to the North Atlantic Treaty Organization (NATO). When contacted by IDG, the group said the files were a “server backup, confidential data.” According to IDG, “inside the files was a notepad document dated July 3 that said: “NATO lamers! I’ve been watching you day and night since then! W00t! Your Machines rooted! Servers restored to default! what else! [Expletive deleted] you and your crimes! And soon enough all your stupid ideas will be published on WikiLeaks!” One industry source asked about Inj3ct0r Team says it started as one individual who began finding vulnerabilities in websites and publicizing them, who then attracted a following.

Hacker groups have a long history. The predecessors to today’s had names like “The Legion of Doom” and “Masters of Deception” and in the 1980’s they mainly struck phone networks, where “they did a lot of damage,” says Dell SecureWorks researcher Jackson. Today’s groups, he adds, are more “self-mobilizing, they drop in and drop out,” and the big groups “always have a mastermind or two.” •

Opinion

The Deep End: It’s time to make poor coding a felony

By Paul Venezia, InfoWorld

IT’S BEEN ABOUT 18 MONTHS since I wrote a little post on horrible website password security. Unfortunately, I see that very little has changed, as evidenced by Universal Music’s recent security breach that exposed their users’ real names, email addresses, and passwords.
Similar reports seem to surface every day now, such as late last week at the Washington Post and FBI contractor IRC Federal, though it’s unclear if the latter two were as wildly irresponsible as Universal Music.

You might think that a company the size of Universal Music that has plenty of resources would be able to follow the simplest form of security and at least hash its passwords before storing them. You would be incorrect. And if you were unfortunate enough to have registered an account with Universal Music in the past, your information is now spread around for anyone to see and use. For the large number of users that re-use passwords from site to site, their login credentials to any number of other resources are now public information -- and they may not even know it.

Also, I expect to see a bunch of highly targeted phishing attempts appearing quite soon -- after all, they can send you an email, use your real name, and (most important) reference a password that you’ve knowingly used. Forge the headers and include a link to a bogus site that appears legit, and I’ll bet they’d get a boatload of information from unwitting users. Frankly, I wouldn’t consider that to be their fault at all. It’s Universal Music’s fault, top to bottom.

At this point, a brief PR hit is the only thing a company of any size really has to worry about when this sort of thing happens. Sony has been hit with wave after wave of security breaches that have directly affected a huge number of its customers, but with no apparent consequences. Millions of its users have had their account information released into the wild, and some of that number will begin finding fraudulent transactions in their name -- or any of a variety of possible illegal uses of their information. There’s nothing they can really do to prevent it, and I’m certain that a significant portion of them may not even know they were exposed.

Just like Sony and all the others, Universal Music just has to say “oops” and issue a brief press release noting, “Hey, you might want to change your passwords on other sites now. Oh, and carefully inspect each email you get since someone may hit you with a phishing scam.” Then hope it all dies down in a day or two.

I think it’s high time that this level of technical absurdity be punishable by law. The company and employees directly responsible for constructing code so poorly that it stores plain-text passwords of millions of users and can apparently be compromised at will should, at the very least, be fined a vast amount, with some portion of that money going to each possibly affected user and the rest used to assist in addressing identity theft problems that will inevitably appear following a breach. If I had my way, there would also be mandatory loss of employment and possible jail time involved for those whose unspeakably poor decisions led to this event. Simply being on the receiving end of a server or network hack isn’t what I’m talking about -- it’s designing a system that stores such sensitive information so poorly that it should be thought of as criminally negligent behavior.

Let’s reframe this a bit. Suppose that a developer sneaks a function into a Web portal that snoops a user’s name, email address, and plain-text password during the registration process and then stores this information somewhere. Suppose that the portal itself is designed well enough that the password is hashed before being stored, but this little function call also stores it in plain text. Suppose that the site is cracked and the plain-text database downloaded and paraded around the Internet.

Odds are that the developer who snuck that function into the site would not only be fired, but he or she would probably be arrested for corporate sabotage or similar crimes and face fines and jail time. The only difference between this hypothetical situation and what actually happened with Universal Music and a host of other sites is that instead of having a bad actor slip code into a solid design, these developers actually designed their code to function this way. They did it on purpose. That should actually be considered a far worse crime than the developer who snuck in the function. Incompetence is no defense, doubly so in this case.

But I highly doubt we’ll see anything of the sort, and definitely not soon. If Anonymous and the various other hacktivist groups continue on their path of exploiting horribly implemented code, all we’ll get are more regretful press releases and the occasional person who might fall on their sword and quit. It’s not enough. It’s not nearly enough. I say throw the book at the ones who allow these breaches to happen. Maybe then they’ll realize exactly how critical these design decisions really are. Maybe then they’ll understand that they can’t play fast and loose with other people’s data without consequences. But right now, they can -- and that’s the real crime. •
Tips

Reduce, reuse, recycle – just not your password
In the wake of a breach, researchers typically focus on the poor password choices of users, but reuse is a much greater threat

By InfoWorld Tech Watch, InfoWorld

SONY PICTURES, NEWS SITE GAWKER, and social networking site RockYou -- following each high-profile breach, hackers released the password file and lit off a round of analysis of users’ password choices. The most common conclusion from researchers: Users select poor passwords. Yet, in the real world, choosing weak passwords is much less dangerous than reusing the same password at multiple sites.

In a recent paper, researchers from Florida State University, Cisco, and security firm Redjack found that passwords not guessed by cracking dictionaries can survive brute-force attempts quite well. “There are very few situations where password strength really makes a difference,” says Matt Weir, a co-author of the paper and security researcher, now with the MITRE Corporation. Weir and other computer scientists researched whether entropy, a common cryptographic measurement, was a good metric of password strength. In reality, today’s password-breaking systems focus on guessing common passwords using techniques like rainbow tables, not on brute-force methods of cracking. The researchers demonstrated that common estimates of strength overestimate the difficulty in cracking easily guessable passwords and underestimate the difficulty in cracking more complex codes. The conclusion: Really weak passwords -- those having fewer than eight characters and contained in a password dictionary -- can be broken easily. However, add a little complexity, and the passwords become much harder to break.

“What immediately sticks out is that the password cracking sessions start out much like the other attacks, but quickly hit a plateau where they become significantly less effective,” the researchers state in the paper. “Unfortunately this means that there still are a sizable number of users who pick weak passwords and would be compromised in an online cracking attack.”

The research undermines the focus on password strength, as do recent events. In particular, password strength matters little if providers don’t protect the sensitive files that store passwords. For example, Sony Pictures allegedly did not encrypt its password files, allowing anyone with access to the file, such as the hackers that broke into the site, to have full access to all the passwords. In addition, the strength of the passwords has not mattered in many cases because the companies have failed to encrypt the password files, exposing weak and strong passwords alike. The RockYou breach exposed some 30 million passwords and Sony Pictures exposed a million, all allegedly without the protection of encryption.

In the face of such events, having unique passwords is significantly more important than strength. A unique password limits the impact of any breach to only the affected accounts -- a much better situation than trying to quickly change passwords across all your accounts. Yet, because of the difficulty in keeping track of passwords across the dozens of websites and online services to which a person typically belongs, most users reuse passwords. An analysis of the Gawker password set found 76 percent of people reused their passwords.
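The two storage designs the Deep End column contrasts (the plain-text table a breach exposes outright, versus hashing before storage) together with the “really weak” class this article defines (fewer than eight characters, or in a password dictionary), as an added Python example that is not code from either article. The PBKDF2 parameters, the short constructed common-password list and the dummy-record trick for unknown users are assumptions of the example, not anything the articles specify.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the cracking dictionary the FSU/Cisco/Redjack paper refers to;
# a real deployment would load a large wordlist (assumption of this example).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "iloveyou", "letmein", "abc123"}

# Salted, deliberately slow hash. Any memory-hard or iterated KDF would do; PBKDF2 is
# used here because it ships in the standard library (assumption of this example).
ITERATIONS = 200_000
SALT_BYTES = 16
DUMMY_SALT = os.urandom(SALT_BYTES)  # used so unknown-user lookups cost the same time


def is_really_weak(password: str) -> bool:
    """The paper's 'really weak' class: under eight characters, or in a dictionary."""
    return len(password) < 8 or password.lower() in COMMON_PASSWORDS


def store_plaintext(users: dict, email: str, password: str) -> None:
    """The design the column condemns: the secret itself is the stored record."""
    users[email] = {"password": password}


def store_hashed(users: dict, email: str, password: str) -> None:
    """Salted, iterated hash: a stolen table yields salt and digest, never the password."""
    if is_really_weak(password):
        raise ValueError("password is shorter than 8 characters or in the common list")
    salt = os.urandom(SALT_BYTES)  # fresh per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    users[email] = {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_hashed(users: dict, email: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    rec = users.get(email)
    # Hash against a dummy record when the user is unknown, so "no such user" and
    # "wrong password" take the same time and do not reveal which e-mails exist.
    salt = bytes.fromhex(rec["salt"]) if rec else DUMMY_SALT
    iterations = rec["iterations"] if rec else ITERATIONS
    expected = bytes.fromhex(rec["hash"]) if rec else bytes(32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected) and rec is not None


def leaked_passwords(users: dict) -> list:
    """What someone who downloads the table reads directly: every plain-text secret, or none."""
    return [rec["password"] for rec in users.values() if "password" in rec]


if __name__ == "__main__":
    plain, hashed = {}, {}
    store_plaintext(plain, "alice@example.com", "Tr0ub4dor&3")   # constructed sample user
    store_hashed(hashed, "alice@example.com", "Tr0ub4dor&3")
    print("plain-text table leaks:", leaked_passwords(plain))
    print("hashed table leaks:    ", leaked_passwords(hashed))
    print("login works:", verify_hashed(hashed, "alice@example.com", "Tr0ub4dor&3"))
```

Hashing does not make the weak-password problem go away (a dictionary word still falls to an offline guess against its digest), which is why the registration gate and the storage format are shown together.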
Another analysis that compared Gawker and Sony found 67 percent of accounts using the same email address also had the same password. While many security researchers like to belittle the user who reuses simple passwords across multiple sites, software architect Troy Hunt, who did the latter analysis, says the user’s dilemma is entirely understandable. “Even if you go low and, say, use 10 characters, by the time you add a little complexity and by the time you accumulate a few accounts, you have to be a savant to remember them all,” Hunt says.

Unlike requiring strong passwords, providers cannot gauge whether a password has been reused. Such choices are entirely in the user’s hands, unless providers somehow find a way to force users to use a password manager. Because of these tradeoffs between security and usability, passwords will likely puzzle researchers for some time to come. “We are going to be dealing with password problems for the foreseeable future,” MITRE’s Weir says. •

Tips

Smartphone apps: Is your privacy protected?
Are your apps putting your privacy at risk?

By Preston Gralla -- Computerworld

SMARTPHONE APPS can do more than provide you with entertainment, information or useful services -- they can also invade your privacy. Apps can trace your Web habits, look into your contact list, make phone calls without your knowledge, track your location, examine your files and more. They can also automatically send information such as location data to mobile ad networks. In addition, apps can gather the phone number and the unique ID number of each type of phone: the Unique Device Identifier (UDID) on the iPhone, the International Mobile Equipment Identity (IMEI) number on the BlackBerry, and (depending on the make) the IMEI or the Mobile Equipment Identifier (MEID) on an Android phone. Personal information that apps gather about you can be matched to these IDs. That means that ad networks can easily combine various pieces of information collected by multiple apps, build a sophisticated profile about you -- and then legally sell that data to other marketing companies.

It’s not as if you weren’t warned. Before you download an app, you often get to see the kinds of information that the app will collect about you. On Android, for example, when you tap Install to download and install an app, a screen displays the “permissions” you grant it when you install it. In order to download and install the app, you must tap OK underneath the “Accept permissions” button. BlackBerry phones also cite permissions and Apple monitors all App Store apps for safety. But do you actually pay attention to what’s gathered? Have you ever not downloaded an app based on what information it indicates it’s going to harvest about you? What do those notices really mean?

In this article, we’ll detail the kind of privacy threats you face when using mobile apps, offer advice on ways you can protect yourself, and take a look at possible legislation that may -- or may not -- help.

What information do apps gather?

Researchers warn that a surprisingly high percentage of smartphone apps may threaten your privacy. In October 2010, joint research by Intel Labs, Penn State and Duke University found that 15 out of 30 Android apps analyzed sent geographic information to remote ad servers without users’ knowledge. Seven of them also sent the unique phone identifier; in some cases, the actual phone number and serial number were sent to app vendors. This can enable app vendors and/or advertisers to create comprehensive profiles about your likes and dislikes, the places you visit when you carry your phone, your Web surfing habits and more. They can then use those profiles however they want or sell them to others.

Meanwhile, in June 2010, security vendor SMobile Systems found that 20% of Android apps allowed third parties (that is, companies other than the app vendors themselves) to get access to private or sensitive information. In addition, the report warned, 5% of the apps could make phone calls by themselves without user intervention and 2% could send an SMS text message to a premium, for-pay number -- again without the user making the call.

Apple’s iOS is not immune to such threats. In January, a class-action suit filed in San Jose charged Apple, the music-streaming service Pandora and others with “transmitting [users’] personal, identifying information to advertising networks without obtaining their consent.” The suit also charged that “some apps are also selling additional information to ad networks, including users’ location, age, gender, income, ethnicity, sexual orientation and political views.” The case is still winding its way through the courts. This issue is enough of a worry that federal prosecutors are currently investigating whether iOS and Android apps obtain or transmit information about users without properly disclosing what they are doing, according to the Wall Street Journal. Pandora has already received a subpoena in the probe, according to the Journal.
The most comprehensive investigation into the kind of information that smartphone apps gather and how they use it may be one conducted by the Wall Street Journal itself. The Journal examined 101 popular iOS and Android apps and found that “56 transmitted the phone’s unique device ID to other companies without users’ awareness or consent. Forty-seven apps transmitted the phone’s location in some way. Five sent age, gender and other personal details to outsiders.” For example, the Journal found that Pandora “sent age, gender, location and phone identifiers to various ad networks.” The iOS and Android versions of a game called Paper Toss “sent the phone’s ID number to at least five ad companies.” The list goes on. The Journal also found that, as a general rule, iOS apps sent more personal data than did Android apps, but the newspaper also noted that “because of the test’s size, it’s not known if the pattern holds among the hundreds of thousands of apps available.”

The legal issues

There may be very little that you can do about one of the biggest privacy issues related to apps: What is done with your personal information after it is gathered by a mobile app. You can try to check the apps themselves to see whether they have privacy policies in place. Typically, these policies can be found in a Settings screen, on an About This App tab or screen, or possibly through a link at the bottom of a screen. But few apps have or display these types of policies. TRUSTe and Harris Interactive recently studied the top 340 free iOS and Android apps and found that only 19% of them included links to privacy policies.

Troy H. Vennon of the Juniper Global Threat Center warns, “Many developers are collecting device information and storing that information on third-party servers as a means to build ad profiles or device profiles for delivering application content....
It’s worth noting here that nearly all free applications use some sort of adware kit in order for the developers to generate revenue on their free applications. How many of these free applications are collecting and transmitting this ‘private’ device data to build those ad profiles?” No one knows the answers to those kinds of questions, because there are no legal requirements to provide them.

Congress is concerned enough about the issue that it has held hearings on the matter. After a recent hearing of the Senate Judiciary Committee’s privacy and technology subcommittee, Sen. Al Franken (D-Minn.), chairman of the subcommittee, called for Apple and Google to require that location-aware apps include privacy policies. “Apple and Google have each said time and again that they are committed to protecting users’ privacy,” Franken wrote in a letter to the companies. “This is an easy opportunity for your companies to put that commitment into action.” However, that would be a relatively small step, because it would cover only location-aware apps, and would not limit how the apps share personal information, only that they reveal how they will use it.

Other senators would like to see the federal government take stronger measures. Sen. John Kerry (D-Mass.) and Sen. John McCain (R-Ariz.) introduced the Commercial Privacy Bill of Rights Act in April, which would require any Web-based businesses, including mobile ones, to give a clear notice to consumers about what data is being collected about them. And Sen. Jay Rockefeller (D-W.Va.) introduced a bill that would in essence create a national do-not-track mechanism to allow users to opt out of being tracked.
It would apply to mobile network operators, websites and ad networks. It’s not clear that either bill will pass, especially because they face opposition from groups such as the technology trade group Association for Competitive Technology (ACT).

How to protect yourself

Given all that, what can you do to protect your privacy when using apps? First, keep this in mind: the very nature of using a mobile app exposes you to potential privacy intrusions. So you need to balance the benefit you expect to get from an app against the potential privacy risk. Even the most rigorous privacy protectors don’t say you should avoid downloading apps altogether. Rather, they say, the key is making sure that the app you’re downloading truly requires the permissions it’s asking for. If, for example, a single-player game asks for permissions to send SMS messages, that should be a clear warning sign, because there’s no need for a game like that to send text messages.

Preston Gralla is a contributing editor for Computerworld.com and the author of more than 35 books, including How the Internet Works (Que, 2006).

Q&A

David Litchfield on securing the data castle

It’s not sophisticated attacks, complex vulnerabilities or user errors that are the greatest threats to database security, says this expert.

By George V. Hulme, CSO

There’s been an incredible number of records breached this year, including:

• The 1.27 million user IDs and email addresses stolen from the Washington Post jobs site;
• The Epsilon breach; and
• The massive 77 million user accounts pilfered from Sony Corp. Online Entertainment.

All of this begs the question: What can organizations do to better secure their databases? Who better to address that question than noted database security expert David Litchfield?

Litchfield is author of “Oracle Forensics: The Oracle Hacker’s Handbook”, the “Database Hacker’s Handbook” and “SQL Server Security”, and co-author of the “Shellcoder’s Handbook”. He is recognized as one of the world’s leading authorities on database security, and has uncovered hundreds of vulnerabilities in software from companies such as IBM, Microsoft, and Oracle. Litchfield is currently working on V3rity, his database forensic and breach investigation tool. He says this free tool enables more automated investigation of potential database security breaches.

Q: You’ve seen your share of database deployments. What would you say is one of the most important things organizations can do today to keep their databases secure?

A: The first is to change all default and simple-to-guess passwords. The major database vendors have recently become better at helping with this issue. In the past few years they’ve stopped shipping database servers with default user IDs and passwords. But for a very, very long time they were shipping all of their databases with default user IDs and passwords. Certainly for older systems, default passwords are still a major issue. Many times, while conducting security assessments, it was -- and still is -- incredibly shocking to see how many organizations run default access credentials. Another simple yet often overlooked area is keeping software patches up to date. While it can be very difficult with production database systems, given that they are in use, there are ways to make sure you keep the software up to date during scheduled maintenance.

Q: Beyond patch updates and good password management, what else can organizations be doing that they’re not?

A: Use the principle of least privilege within their applications.
This is a very important one. People are pressured into getting their applications running as quickly as they can. However, when they try to manage permissions properly, that good practice can delay deployment slightly. So they say, “Oh look, let’s just give users all the permissions. The application seems to work with these settings. Let’s shove that into production.” Not a great approach. If you don’t want a breach, it’s really worth spending the extra time to design an application that operates on least privilege.

Q: Give readers an idea of what you mean. An example could be that a customer service representative may be allowed to look at one customer at a time, but not do a search for all customers. And they can only see things relevant to support. What else would be involved?

A: That’s part of it, but it’s not just that. Consider the registration side of database management. That requires the ability to manage the database. Whereas the other side, where you’re just selecting profile information for yourself, that only requires select privileges. There should be two parts of the application: one account for the registrations that has the ability to insert, but for the other stuff, which only requires select permissions, that should be using a distinct account. You should look at the application and say, “What permissions are required where?” Rather than have one account that has the ability to do everything, each part of the application should only be allowed to perform specific functions. By designing an application and using the principle of least privilege, organizations can mitigate their risk.
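As an added illustration of the two-account split Litchfield describes (this is not code from the interview or from V3rity), here is a PostgreSQL setup in which the registration code path gets an account that can only insert, and the profile code path gets an account that can only read the non-secret columns; the table, column and role names and the placeholder passwords are assumptions.

```sql
-- Added example, not from the interview. PostgreSQL syntax.
-- One table, two application accounts, each granted only what its
-- part of the application needs. Names and passwords are placeholders.
CREATE TABLE customers (
    id            SERIAL PRIMARY KEY,
    email         TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL,
    display_name  TEXT,
    created_at    TIMESTAMPTZ NOT NULL DEFAULT now()
);

-- Account used only by the registration path: it may add rows and draw
-- ids from the SERIAL sequence, but cannot read, update or delete.
CREATE ROLE app_register LOGIN PASSWORD 'placeholder-register-secret';
GRANT INSERT ON customers TO app_register;
GRANT USAGE ON SEQUENCE customers_id_seq TO app_register;

-- Account used by the "show my profile" path: SELECT only, and the
-- column list deliberately omits password_hash, so a compromised
-- read path cannot dump credential material.
CREATE ROLE app_profile LOGIN PASSWORD 'placeholder-profile-secret';
GRANT SELECT (id, email, display_name, created_at) ON customers TO app_profile;

-- Neither account owns the table, so neither can ALTER or DROP it.
-- The owning role is used for migrations only, never by the running app.

-- Assessment check: list exactly which columns each app role may touch.
-- Column-level grants appear here, not in table_privileges.
SELECT grantee, column_name, privilege_type
  FROM information_schema.column_privileges
 WHERE table_name = 'customers'
   AND grantee IN ('app_register', 'app_profile')
 ORDER BY grantee, column_name;
```

Running the final query during a review shows app_register with INSERT on every column and app_profile with SELECT on only the four listed columns, which is the "what permissions are required where?" question answered in the catalogue itself.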
Q: Does taking these precautions add a burdensome amount of additional effort to an organization, or push out application and database deployment schedules?

A: Only if it is back ported. Trying to do it all later is when it costs extra time. That is when things start breaking down. Then, in the heat of production, you have to investigate why it’s breaking. Doing it from the get-go -- having a security guy working with the application developers from the start -- might add an extra week. But it won’t add the extra five weeks in terms of back porting security. And it certainly won’t add an extra ten weeks in terms of conducting an investigation if you get a breach. And, by not doing it up front, you increase your odds of a breach because you didn’t build security into the application. How difficult is all of this, really, when compared to all of the potential benefits to be reaped? Another precaution organizations can take up front is to reduce one’s attack surface by stripping out all of the functionality that they don’t need. Databases come with all these wonderful extra features, so if you’re not using things like indexing or search and stuff like that, strip them out because it’s just extra attack surface. On my website I’ve compiled a list of the top things an organization can do to make their database servers as secure as possible. Following the advice doesn’t solve all risks, but does solve about 90 percent of the issues out there.

Q: None of this strikes me as exceptionally difficult for organizations to achieve.

A: It’s disheartening. What is really depressing, for me, is we do all this really cool research into exotic vulnerabilities, developing new attack techniques and finding new classes of vulnerabilities. But at the end of the day, this stuff is irrelevant when eight times out of ten people are leaving default user names and passwords in place.
Of what importance, really, is all of this research and attention on exotic vulnerabilities when the basics aren’t even being given attention?

Q: Thanks for your time, David. It’s amazing after all these years we are still having this conversation.

A: It’s terrifying that we’re still having this kind of conversation.

Resources

White Paper: Security & Trust: The Backbone of Doing Business Over the Internet

Gaining the trust of online customers is vital for the success of any company that requires sensitive data to be transmitted over the Web. Most consumers are concerned that their sensitive information will be intercepted in transit, or perhaps the destination website is manned by imposters with malicious intent. Read this white paper and learn how to best implement a security strategy that keeps consumers’ information secure and instills the confidence they need to proceed with transactions.

White Paper: Choosing a Cloud Hosting Provider with Confidence

Cloud computing is rapidly transforming the IT landscape, and the conversation around adopting cloud technology has progressed from “if” to “when.” Enterprises are showing strong interest in outsourced (“public”) cloud offerings that can help them reduce costs and increase business agility. These cloud services offer enormous economic benefits but they also pose significant potential risks for enterprises that must safeguard corporate information assets while complying with a myriad of industry and government regulations.

White Paper: Beginners Guide to SSL Certificates

Whether you are an individual or a company, you should approach online security in the same way that you would approach physical security for your home or business. Not only does it make you feel safer but it also protects people who visit your home, place of business, or website. It is important to understand the potential risks and then make sure you are fully protected against them. In the fast-paced world of technology, it is not always easy to stay abreast of the latest advancements. For this reason it is wise to partner with a reputable Internet security company.