Domain: infosecisland.com
Stories and comments across the archive that link to infosecisland.com.
Five Charged In Largest Hacking Scheme Ever Prosecuted In US
wiredmikey writes "US authorities have charged five men, four Russians and a Ukrainian, on charges of running a global hacking operation that targeted major payment processors, retailers and financial institutions. The charges stem from hacking attacks dating back to 2005 against several global brands, including the NASDAQ exchange, 7-Eleven, JC Penney, Hannaford, Heartland, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard. The men allegedly used SQL injection attacks as the initial entry point into the computer systems of global corporations. Once networks were breached, the defendants allegedly placed malware on the systems. According to the indictment (PDF), the malware used created a "back door," leaving the system vulnerable and helping the defendants maintain access to the network. The men face five years in prison for conspiracy to gain unauthorized access to computers; 30 years in prison for conspiracy to commit wire fraud; five years in prison for unauthorized access to computers; and 30 years in prison for wire fraud."
Book Review: Reverse Deception
benrothke writes "Advanced persistent threat (APT) is one of the most common information security terms used today and it is an undeniably real and dangerous menace. Wikipedia notes that APTs usually refer to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information, but applies equally to other threats such as that of traditional espionage or attack. Every organization of size and scope is a target, and many of the world's largest firms and governments have been victims. In Reverse Deception: Organized Cyber Threat Counter-Exploitation, Dr. Max Kilger and his co-authors provide an effective counterintelligence approach in which to deal with APT. The good news is that the authors provide an effective framework. The bad news is that creating an effective defense is not an easy undertaking." Keep reading below for the rest of Ben's review.
Reverse Deception: Organized Cyber Threat Counter-Exploitation
author: Sean Bodmer, Dr. Max Kilger, Gregory Carpenter, Jade Jones
pages: 464
publisher: McGraw-Hill Osborne Media
rating: 9/10
reviewer: Ben Rothke
ISBN: 978-0071772495
summary: Excellent reference in which to deal with advanced persistent threats
When it comes to APT, the de facto perpetrator is China. The book shows how to pursue and hopefully prosecute the perpetrator. But that begs the question: how many firms can realistically defend themselves against an adversary like China, the RBN or a nation state?
In the introduction, the authors note that deception is about behavior, both induced in the adversary and undertaken by the deceiver to exploit it. To deceive, the authors write, it is not sufficient to induce belief in the adversary; it is necessary also to prepare and execute the exploitation of resultant behavior. Once again, preparation and execution against a nation state is not a small endeavor.
Chapter 1 (available free here) sets the stage for the rest of the book and provides an overview of the topic and some examples of advanced and persistent threats, including Stuxnet, Operation Aurora, the RBN and more.
Being the biggest of all APT, China takes center stage in chapter 2 – What is Deception? That is nothing new, as China has successfully used deception for the last 2,000 years. China is referenced heavily in the book due to their extreme confidence and success in executing deception.
Chapter 3 – Cyber Counterintelligence (CI) details how to use CI to find the cyber-adversaries. The chapter provides both the basic investigative and operational techniques and tools, in addition to detailing how to use legal counsel to ensure that what you are doing is legal.
Chapter 5 gets into much more of the details around the legal issues, and what you can and can't do to your adversary. The chapter provides an excellent overview of how to quantify which persistent threats are the most dangerous. It provides nine areas to rank, in order to use as a metric to weight each and every threat.
By the time the reader gets to chapter 4 on profiling, they will likely be overwhelmed by the amount of work necessary to implement an effective cyber CI program, which is indeed the case. The amount of time to develop an APT program is for the most part unfeasible for most organizations. While the book does not get into the budgetary issues, CIOs, CISOs and other IT managers will likely have a difficult time getting any sort of budget to fund an APT program.
Part of the issue is that many firms don't have an effective IPS in place, so they won't even know they are being attacked. In the majority of cases, the APT intrusion is not even discovered by the firm, but rather by an outside entity that notifies them. What is worse is the fact that in many cases, APT malware has been on the victim network, often for years, undetected.
In addition, in the same way in which people who are scammed once are often repeatedly scammed again, companies that are victims of an APT will often be repeat victims, since the perpetrators may share that information with others.
A few of the authors have military and law enforcement background, which adds to their expertise and insights.
The book is meant to be used to pursue and prosecute the perpetrators of APT. With the exception of the military and a few Fortune 50 companies, the odds of effectively prosecuting APT perpetrators are quite small. Notwithstanding that difficulty, organizations misunderstand that they are under attack, and at least have some plan to assess their vulnerabilities.
This book is mainly an introduction to the topic, but does not provide a comprehensive strategy on how to implement an APT program. Such a reference would need to be at least a few times larger than this work.
There is a web site for the book, but it does not really do more than redirect you to Amazon and Barnes and Noble. Matthijs Koot has a detailed review of the book where he took the time to detail the hyperlinks to sources that the book's web page should have had.
Reverse Deception: Organized Cyber Threat Counter-Exploitation may be overkill for most organizations, but is nonetheless a necessary read to truly understand the danger.
For anyone looking to understand what APTs are and how to deal with them, the book provides a comprehensive and unparalleled overview of the topic by experts in the field.
If nothing else, the book provides the reader with an appreciation for how dedicated the perpetrators behind APT are. They are smart, sophisticated, have governments and military agencies on their side and they are numerous. One of the many challenges of dealing with the Chinese APT is that China can easily throw tens of thousands of highly-trained and sophisticated attackers at a target in the US, while the target may only be able to muster a few people to provide a cyber-defense.
One of the most important things to take from the book is the third word in the title – organized. Those carrying out APT are highly organized, prepared and meticulous. They often do things in a slow methodical manner to avoid detection. The book provides a detailed methodology to deal with such adversaries.
The downside is that the victim companies themselves lack that organization. Defending against APT requires much more than simply reading this invaluable text. It requires management support, budget, effective tools and a highly trained staff to correctly use those tools. The great advice in the book won't be of assistance if the team deployed does not know how to correctly use them.
While you will likely be outnumbered and outgunned when it comes to APT defense, Reverse Deception: Organized Cyber Threat Counter-Exploitation is a fascinating reference that ensures you won't go down without a fight.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Reverse Deception: Organized Cyber Threat Counter-Exploitation from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Book Review: UP and To the RIGHT
benrothke writes "Anyone who has worked in information technology knows of Gartner. They are one of the leading information technology research and advisory firms. Most of their clients are CIOs and senior IT leaders in corporations and government agencies, high-tech and telecom enterprises. Gartner is huge, with over 5,000 associates, over 1,200 research analysts and consultants, and clients in 85 countries. Their revenue in 2011 was nearly $1.5 billion. While Gartner is the world's largest, there are over 650 independent analyst firms worldwide. Barbara French's Directory of Analysts provides a comprehensive list. With all that, very few people understand how Gartner works and what makes them tick. In UP and to the RIGHT: Strategy and Tactics of Analyst Influence: A complete guide to analyst influence, ex-Gartner analyst Richard Stiennon takes the mystery out of Gartner. In particular, a good part of the book deals with Gartner's vaunted Magic Quadrant." Read below for the rest of Ben's review.
UP and to the RIGHT: Strategy and Tactics of Analyst Influence: A complete guide to analyst influence
author: Richard Stiennon
pages: 186
publisher: IT-Harvest Press
rating: 9/10
reviewer: Ben Rothke
ISBN: 0985460709
summary: Definitive guide on Gartner and their Magic Quadrant
The Magic Quadrant (MQ) is Gartner's proprietary research tool that, according to them, provides a qualitative analysis into a market and its direction, maturity and participants, thus possibly enabling a company to be a stronger competitor for that market. Every, and I mean every, tech vendor strives to be recognized by Gartner and to be on a prominent post on the MQ.
Today there are hundreds of different MQs for sectors from firewalls and cloud services to web hosting and everything in between.
For those who are not Gartner clients, buying a specific MQ can be expensive. But vendors often use the MQ to tout their product and pay to make them publicly available. Some examples of the freely available ones are the MQs for: Secure Web Gateways, Security Information and Event Management, and Web Fraud Detection. A Google search of the term with the PDF format will also reveal numerous free versions.
The book derives its name from the best place for a company to be on the MQ. Up and to the right is where Gartner places market leaders, which is nirvana for a tech firm. The other locations on the quadrant are: niche player, visionary and challenger. But for a tech firm, there is only one location, and that is up and to the right.
The MQ itself has two markers. One is completeness of vision, which defines features and innovative enhancements. The other is ability to execute, which is determined by revenue, number and quality of resellers and distributors, number of employees and their distribution between engineering, sales, and support, and other business issues.
If up and to the right is the desired location, how does one get there? Many tech firms are often clueless. In the book, Stiennon provides clear direction on how to get there. For those looking to make the expedition to the land of Gartner, this book is a veritable Berlitz Guide on how to safely make the journey.
A Gartner myth that will never go away and that Stiennon deals with on page 2 is the notion that getting on the MQ is simply a matter of paying for the privilege. He calls the notion of MQ pay to play completely false.
Chapter 2 is The Magic of Magic Quadrants and Stiennon details what it is and why vendors aspire for placement. Irrespective of its value, he notes that every time a new MQ comes out, the vendor has an opportunity to issue a self-congratulatory press release about it.
In chapter 6, Stiennon makes the somewhat depressing observation that the senior analysts at Gartner have not had hands-on experience with products for many years. Yet these same analysts often have huge influence on the very products they often don't understand in minutiae.
In some ways, the book is akin to How to Win Friends and Influence People by Dale Carnegie. The only difference is that one is attempting to influence a Gartner analyst in the vendor's favor. In chapter 7, the book details how to find the influencers. Stiennon is a big fan of social media and gives a number of valuable methods to find the Gartner analysts in your sector.
One area where I think Stiennon is mistaken is the use of Klout. He writes that Klout is a great tool for measuring the relative influence, at least on social media, of an analyst. That may be somewhat true, but for a large part is irrelevant. As I wrote in Some Observations on Klout Scores, Klout can and should be applauded for trying to measure this monstrosity called social influence; but their results of influence should, in truth, carry very little influence.
I based this on the fact that Klout scores Funny One Liners and the legendary Tim O'Reilly as being equal, which is utterly absurd. You can do your own Klout analysis for similar irrelevant and meaningless Klout scores.
The MQ is not the only service Gartner offers. In chapter 8, Stiennon writes of SAS Day. SAS is the Gartner Strategic Advisory Service, where a vendor buys the services of an analyst for a day. He notes that the pay to play myth may arise from SAS, but observes that you are not buying the analyst's opinion, rather their time. Vendors can get a lot out of a SAS day, as it is a day-long bottom-up analysis of their products, markets, sales strategies and more with an analyst who has a deep awareness of that sector.
Stiennon also provides a lot of pragmatic direction on how to prepare for the SAS day. Given the expense of the analyst and the need to have all of the key staffers there, he notes that getting an agenda planned, good conference rooms, nutritious meals and much more are key to getting the most out of the day.
Back to the MQ. Stiennon writes that every organization of size needs a dedicated analyst relations (AR) staff member. The AR person will be the conduit between the vendor and the analyst firm. While the AR person is critical, he writes that a firm should never pin the responsibility for missing a target of MQ placement on the AR person. Executing on the MQ strategy is the responsibility of the entire organization.
The book provides more pragmatic advice in chapter 12, where it details the use of Gartner conferences. Stiennon writes that firms invest huge sums to attend and sponsor Gartner conferences in the hope of getting in front of and selling to leading CIOs. In many cases a single sale to a CIO that arises from a Gartner event will justify the huge expenses.
But even with that, many firms make the mistake of manning their booths at the conference with junior staffers and marketing people who can't speak to the CIO, while the CEO of the vendor firm is in the back of the booth on their cell phone. That is just one of a few major faux pas the chapter details, along with how they can be obviated.
The chapter also details a common sales mistake in staffing the booths with booth babes. He notes that the concept is gross and misogynistic.
Towards the end, the book closes with what not to do when dealing with Gartner. He gives two examples of firms that were on their negative side. After Oracle Under Fire was written, Oracle CEO Larry Ellison went on a tirade against Gartner.
In another case, ZL Technologies, an email archiving firm, sued Gartner for over $1 billion in damages (even though it was worth a fraction of that) when an analyst said their products were not up to par.
The book closes with the observation that buyers need industry analysts, as the analysts see the changes that are coming in the industry and are able to forewarn their clients.
The book is an easy read, yet highly informative and insightful. Every chapter has Stiennon's real-world experience at Gartner and post-Gartner.
While Stiennon is ex-Gartner, never in the book does he disparage his former employer or denigrate their MQ methodology. Rather, he shows ways in which the vendor can maximize the potential Gartner relationship and exposure.
Any technology executive, investor and everyone in their PR and marketing departments who are looking to be on the MQ, deal with Gartner or any advisory service, should make certain that UP and to the RIGHT: Strategy and Tactics of Analyst Influence: A complete guide to analyst influence is on their absolutely required reading list. The book provides myriad superb advice on everything you need to know about dealing with and being successful with Gartner.
Given the extraordinary costs involved with analysts and the preparation for analyst meetings, the book's $22 price tag is an absolute bargain combined with its indispensable content. Whether you are a niche player or a leader, it is a book well worth reading.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase UP and to the RIGHT: Strategy and Tactics of Analyst Influence: A complete guide to analyst influence from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
iTunes' Windows Problem
Hugh Pickens writes "Jean-Louis Gassée writes that iTunes is the best thing that has happened to Apple because without iTunes' innovative micropayment system and its new way of selling songs one at a time, the iPod would have been just another commodity MP3 player. The well-debugged iTunes infrastructure turned out to be a godsend for the emergence of the iPhone. But today, the toxic waste of success cripples iTunes: increasingly nonsensical complexity, inconsistencies, layers of patches over layers of patches ending up in a structure so labyrinthine no individual can internalize it any longer. 'It's a giant kitchen sink piled high with loosely related features, and it's highly un-Apple-like,' says Allen Pike. 'Users know it, critics know it, and you can bet the iTunes team knows it. But for the love of god, why?' People naturally suggest splitting iTunes into multiple apps, but Apple can't, because many, if not most, iOS users are on Windows. It's Apple's one and only foothold on Windows, so it needs to support everything an iOS device owner could need to do with their device. 'Can you imagine the support hurricane it would cause if Windows users suddenly needed to download, install, and use 3-4 different apps to sync and manage their media on their iPhone?' But help may be on the way with iOS 5. As iCloud duplicates more and more of iTunes' sync functionality, they can start removing it from iTunes. 'Apple is very explicit about it in their marketing materials: they call it "PC Free". They're not quite there yet, but they're driving towards a future where you don't need to manage your iOS device with a PC at all – Mac or Windows.'"