Month: June 2012 | Bach Seat

Archive for June 14, 2012

RB | June 14, 2012

Got Cyber Insurance?

Network World says that standard business insurance does not cover data breaches or almost any other loss involving data. Standard insurance covers tangible losses and damage. Data isn’t tangible. This is causing many firms to investigate cyber insurance.

The decision that data is not tangible goes back to a 2000 ruling by a U.S. District Court. The ruling arose from an Arizona case, American Guarantee & Liability Insurance Co. vs. Ingram Micro Inc.. In that case, the court said that a computer outage caused by a power problem constituted physical damage within the meaning of the policy Ingram Micro (IM) had purchased from American Guarantee.

“After that, the insurance firms changed their policies to state that data is not considered tangible property,” Kevin Kalinich, national managing director for network risk at insurance vendor Aon Risk Solutions told Network World. The upshot is that an enterprise needs special cyber insurance to cover data-related issues. The problem is that the field is new and there is no such thing as standard coverage with a standard price.

Buyers push back

The resulting complexity is a major source of push-back by potential buyers. According to Larry Ponemon, chairman of the Ponemon Institute, a research organization focused on information security and protection, “The policies have limitations and constraints similar to home policies with act-of-God provisions, and that has created a lot of uncertainty about what is covered, and what the risks are,” Mr. Ponemon told Network World. “Those who are nevertheless purchasing cyber insurance are typically very selective about what coverage they want,” he adds.

Cyber insurance coverages available

Data breach coverage: This pays for expenses that result from a data breach. Covered expenses typically include notification of the victims, setting up a call center. They also cover credit monitoring, and credit restoration services for the victims, and other crisis management services. Ken Goldstein, vice president at insurer Chubb Group told Network World. “You might want to hire forensic experts, independent attorneys for guidance concerning the multiple state (data breach notification) laws, and public relations experts,” he says.

Regulatory civil action coverage: Pays in cases where the insured is facing fines from a state attorney general after a data breach. It also covers fines from the federal government after a violation of the Health Insurance Portability and Accountability Act (HIPAA) or similar regulations. Some policies only cover the cost of defending against the action. While others may pay the fine as well, says Steven Haase, head of INSUREtrust, an Atlanta-based specialty insurance provider.

Cyber extortion coverage: For cases where a hacker steals data from the policyholder and then tries to sell it back, or someone plants a logic bomb in the policy holder’s system and demands payment to disable it. Among other things, the policy should cover the cost of a negotiator, and the cost of offering a reward leading to the arrest of the perpetrator, Goldstein says.

Virus liability: Pays in cases where the policyholder is sued by someone who claims to have gotten a virus from the policy holder’s system.

Content liability: Covers lawsuits filed by people angered over something posted on the Web site of the policyholder. Such coverage should also cover copyright claims and domain name disputes, Haase says.

Loss coverages

Lost income coverage: Replaces revenue lost while the policy holder’s computer system or Web site is down. But Kalinich notes that insurers often apply minimum downtimes of 12 or 24 hours, or require proof of actual losses. “They’ll say that, after all, the customers who did not get through (during the outage) could have come back later,” he says.

Loss of data coverage: Pays for the cost of replacing the policy holder’s data in case of loss. “Backup policies are not always effective, and accidents and sabotage happen,” Haase says.

Errors and omissions coverage: Otherwise known as O&M policies, this type of coverage predates cyber insurance, but is increasingly added to cyber policies to cover alleged failures by the policy holder’s software, Haase says.

rb-

Seems that interest is growing in cyber insurance. I wrote about cyber insurance here.

Would your company’s insurance cover a cyberattack? (corporateinsuranceblog.com)
Hacking blitz drives cyberinsurance demand (theglobeandmail.com)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: 2012, Business, Data breach, HIPAA, Insurance, Lawsuit, Ponemon Institute

RB | June 12, 2012

Comments Off

Security Considerations for IPv6

For those who missed the Internet Society (ISOC) announcement that World IPv6 Launch day arrived on June 6. (I blogged about World IPv6 day, back in March) Carl Herberger, VP of Security at Radware (RDWR) recently wrote at Help Net Security that he sees World IPv6 Launch day as much more hype than an operational change.

Many high-profile organizations have hooked their plans on change over to the ISOC launch date. Supporters include Google (GOOG), Facebook (FB), Microsoft (MSFT ) Bing, Yahoo (YHOO), and Akamai (AKAM). Mr. Herberger points out that many companies have already leveraged IPv6 WAN connectivity. Most mobile providers who have adopted LTE 4G infrastructures have built them for mobile devices, Mobile devices will connect to the Internet with IPv6 addresses by default. He argues that since a 4G phone must also be 3G and IPv4 compatible, the 5G providers have not done much. The service providers have woven IPv6 into the existing IPv4 Internet much to the chagrin of the initial IPv6 designers.

IPv6 Pandora’s Box

Bottom line: Because IPv4 is not going away any time soon, we will essentially live in perpetuity with both designs. A new dawn? Or the beginning of the end? The Radware VP thinks it’s neither, he calls the interoperability issues between IPv4 and IPv6, a Pandora’s Box of opportunity for those of the nefarious persuasion.

So, what are the three main takeaways from World IPv6 Launch day?

Take away #1

IPv6 will first be implemented on the WAN, IPv4 will continue to stay in the LAN for years to come – Google, Facebook, DNS, CDN providers, and many, if not most ISP’s are all moving to default IPv6 WAN connectivity. However, nearly no one has made the transition to IPv6 on the LAN. Mr. Herberger adds that rapid IPv6 deployment on the Internet WAN operations side and the very slow rollout of IPv6 on the LAN side will wreak havoc on perimeter security. He believes that there are huge problems associated with IPv4 and IPv6 cohabitating.

Take away #2

IPv6 & IPv4 don’t cohabitate well – IPv6 and IPv4 make insecure bedfellows. There are no predefined standards in the way to handle the cohabitation of IPv4 with IPv6. The transition mechanisms to ease the transitioning of the Internet from its first IPv4 infrastructure to IPv6 have not been standardized yet. The Internet Engineering Task Force (IETF) has working groups and discussions through the IETF Internet-Drafts and Requests for Comments processes to develop these methods. Some basic IPv6 transition mechanisms have been defined; however, nothing has yet emerged as a proposed uniform standard. As such, the article states, the world is awash with a plethora of IPv4 to IPv6 (and vice versa) Transition Mechanisms such as:

Encapsulating IPv4 in IPv6 (or 4in6)
Encapsulating IPv6 in IPv4 (or 6in4)
IPv6 over IPv4 (6over4)
DS-Lite
6rd
6to4
ISATAP
NAT64 / DNS64
Teredo
SIIT.

If you are familiar with network perimeter security devices, one of the things they do well is deep packet inspection and Stateful aware analysis. However, one of the dirty little secrets is that nearly none of today’s technologies have the capability to inspect encrypted traffic such as SSL or the ability to inspect tunneling protocols such as L2TP, PPTP, etc. What IPv4 and IPv6 transition does is effectively exacerbate these “Achilles heels” in security detection capabilities by introducing a whole new class of nearly undetectable transmissions. The author warns Don’t be fooled by a vendor’s claim that they inspect a v4 packet in v6 or vice versa, because even if true for one or two methodologies, the ways to carry out this task are almost immeasurable today. This is really a true community-wide problem and one that must be addressed.

Take away #3

Meet your old vulnerability – Same as the new vulnerability! Much of our defense is single-threaded, and should an adversary be able to pass through your perimeter defenses, many of the ‘older’ vulnerabilities would find a receptive home having passed through the ‘corporate scrubbers.’Moreover, just think of the new opportunities available to more nefarious organizations that don’t have your interests in mind. This ‘transition mechanism’ essentially becomes an effective ‘unscrubbed’ gateway or tunnel for all newly developed organized crime-designed, state-sponsored, and Hacktivist-motivated attacks.

Moreover, most of us will be largely blind to these realities unless we are acting now to make certain that our gateways are designed with all encapsulated traffic being detected and mitigated. Anomaly detection takes center stage here and signature tools will leave you wanting.

The Radware VP concludes that this problem requires action on behalf of security professionals to solve; you HAVE to do something different because the inertia path will leave you vulnerable.

It’s World IPv6 Launch Day: Welcome to The Wider Web (tomshardware.com)

Category: Uncategorized | Tags: 2012, 4G, 5G, Facebook, Google, Internet Engineering Task Force, Internet Society, IPV4, IPv6, Microsoft, Radware, World IPv6 Day, Yahoo

RB | June 9, 2012

Comments Off

What a Deal

From BYTE in 1980

Category: Uncategorized | Tags: 2012, Advertising, BYTE, Hard disk drive, Hardware

RB | June 7, 2012

Comments Off

‘Personal Cloud’ to Replace PC by 2014, Says Gartner

Mike Barton wrote on Wired’s Cloudline that there’s no doubting the cloud invasion. But the research firm Gartner (IT) believes the personal cloud will replace the PC as the center of our digital lives as soon as 2014.

Steve Kleynhans, research vice president at Gartner, said in a statement, “Major trends in client computing have shifted the market away from a focus on personal computers to a broader device perspective that includes smartphones, tablets, and other consumer devices.” He continues, “Emerging cloud services will become the glue that connects the web of devices that users choose to access during the different aspects of their daily life.”

In the article, Mr. Burton writes that Google plans a cloud-centered future with Google (GOOG) Play and Android mobile OS. But the personal computer will also not miss out on the cloud, as Microsoft (MSFT) and Apple (AAPL) are planning to weave the cloud into the next generation of their desktop operating systems, Windows 8, and OS X Mountain Lion.

But a cloud-happy future will not be as easy as that, because Gartner says, “it will require enterprises to fundamentally rethink how they deliver applications and services to users.” Gartner sees a number of factors are converging to make for a perfect personal cloud storm by 2014.

Megatrend No. 1: Consumerization— Gartner says what corporate IT has seen so far been a precursor to the major wave that is starting to take hold across all aspects of IT as several key factors come together:

Users are more technologically savvy
The internet and social media have empowered and emboldened users.
The rise of powerful, affordable mobile devices changes the equation for users.
Through the democratization of technology, users of all types and statuses within organizations can now have similar technology available to them.

Megatrend No. 2: Virtualization — Virtualization has improved flexibility and increased the options for how IT organizations can set up client environments.

Megatrend No. 3: “App-ification” — Apps change the way applications are designed, delivered, and consumed by users and it has a dramatic impact on all other aspects of the market.

Megatrend No. 4: The Ever-Available Self-Service Cloud – The cloud opens a whole new level of opportunity for self-servicing users. Every user can now have a scalable and nearly infinite set of resources available for whatever they need to do.

Megatrend No. 5: The Mobility Shift — Wherever and Whenever You Want Today, mobile devices combined with the cloud can fulfill most computing tasks, and any tradeoffs are outweighed in the minds of the user by the convenience and flexibility provided by the mobile devices.

Gartner’s Kleynhans said. “In this new world, the specifics of devices will become less important for the organization to worry about. Users will use a collection of devices, with the PC remaining one of many options, but no one device will be the primary hub. Rather, the personal cloud will take on that role. Access to the cloud and the content stored or shared in the cloud will be managed and secured, rather than solely focusing on the device itself.”

Wired says that former Microsoft chief software architect Ray Ozzie made the same point recently, “People argue about, ‘Are we in a post-PC world?’. Why are we arguing? Of course, we are in a post-PC world.” Ozzie reportedly told a conference, ”That doesn’t mean the PC dies; that just means that the scenarios that we use them in, we stop referring to them as PCs, we refer to them as other things.”

rb-

Goodie for Gartner, they get paid for codifying the obvious. Consumers are moving to the personal cloud. DVDs vs.Netflix streams. Files on your hard drives vs. some distant data center run by Dropbox. Photo albums vs. Flickr. Books vs. Kindles and Nooks.

Supermodels, Megatrends, and Ultra Big Paradigm Shifts to the Cloud

Category: Uncategorized | Tags: 2012, AAPL, Apple, Cloud computing, Gartner, GOOG, Google, IT, Microsoft, MSFT, PC, Ray Ozzie, Tablet computer

RB | June 6, 2012

Comments Off

Bad Day at LinkedIn

It’s been a bad day for LinkedIn (LNKD). LinkedIn users have been the victim of two security and privacy blunders on the same day. First, the LinkedIn mobile app for iOS devices is sending potentially confidential private and business information to the company servers without the users’ knowledge.

Help Net Security reports that security researchers Yair Amit and Adi Sharabani at Skycure Security identified the security hole. According to the researchers, the security flaw involves calendar syncing which collects data from all the calendars (private and corporate) on the iOS device.

“The app doesn’t only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes,” the researchers point out in the article. “…this information is collected and transmitted to LinkedIn’s servers; moreover, this action is currently performed without a clear indication from the app to the user, thus possibly violating Apple’s privacy guidelines.”

The first response from LinkedIn‘s spokeswoman Nicole Perlroth appears to minimize the issue and blame the users for the privacy breach when she told Help Net Security that the feature is opt-in, and said nothing about whether the company will update the app that would stop this privacy snafu from happening in the future. (Looks like LinkedIn updated the App and broke it according to reviews in the Apple AppStore) This was reinforced by Joff Redfern, Mobile Product Head at LinkedIn on the LinkedIn blog where he also pointed out the information harvesting app is an opt-in feature. He claims that the information collected is not stored or shared. LinkedIn did change the LinkedIn app for Google (GOOG) Android so it no longer sends data from Droids to LinkedIn. There was no information in the article if LinkedIn plans to change the Apple iOS app.

But wait it gets worse…

LinkedIn also lost 6.5 million accounts today. They were however found on a Russian forum. LinkedIn has confirmed on their blog that there are “compromised accounts.” Cameron Camp, Security Researcher at ESET, commented on the leak for Help Net Security:

“The difference with this hack … is that people put their REAL information about themselves professionally on the site not just what party they plan on attending, ala Facebook and others … mess with somebody’s professional profile, and you’re messing with their life, and their contacts know about it.”

rb-

I wrote about the value of different credentials here and here.

I am wondering about the timing of the two security problems for LinkedIn. Could they be related? Were attackers using the Apple iOS app as an attack vector? After all, we know that Apple loves to collect personal info on its customers.

What happened here?

Action Items:

Toggle off the “Add Your Calendar” option in the Sync Calendar feature of the LinkedIn app on your Apple iOS devices
Immediately change your LinkedIn password and any accounts that share the same password.
Be on the lookout for phishing campaigns that might leverage the incident.

Change Your LinkedIn Password Immediately. Don’t Worry About LinkedIn’s Calendar Sync.(forbes.com)

Category: Uncategorized | Tags: 2012, AAPL, Apple, Data breach, Facebook, FB, GOOG, Information sensitivity, IOS, LinkedIn, LNKD, Security, Social

« Older Entries Recent Entries »

S	M	T	W	T	F	S
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30

Bach Seat

Archive for June 14, 2012