The compromise of Community Health Systems (CHS) is being reported as the first major breach involving the Heartbleed vulnerability. The details are slim, but apparently the vulnerability was exploited on a Juniper remote management console that hadn’t been properly updated. Heartbleed is an OpenSSL vulnerability that allows an attacker to dump part of the memory from a vulnerable server. That memory belongs to the OpenSSL process itself and often carries secrets, which in this case included a set of valid credentials for the CHS VPN. From there, it was easy for the attackers to get into the rest of the corporate network and make off with 4.5 million healthcare records.
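To make the "dump part of the memory" point concrete, here is an added illustration (my own simplified model, not OpenSSL's code and not anything from the CHS investigation) of the heartbeat handling defect and the bounds check that fixed it. The request layout, the 64-byte "server memory" and the `vpn-user:...` credential placed next to the request are all constructed for the demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PADDING 16  /* a TLS heartbeat message ends with at least 16 bytes of padding */
typedef uint8_t *(*hb_handler)(const uint8_t *rec, size_t rec_len, size_t *out_len);

/* Response builder shared by both handlers: type(1) | length(2) | payload | padding. */
static uint8_t *build_response(const uint8_t *rec, uint16_t payload_len, size_t *out_len) {
    *out_len = 1 + 2 + (size_t)payload_len + PADDING;
    uint8_t *out = calloc(*out_len, 1);
    if (!out) return NULL;
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);  /* copies payload_len bytes, whatever follows the request */
    return out;
}

/* Vulnerable handler: the length field inside the request is trusted; rec_len is never consulted. */
static uint8_t *heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, size_t *out_len) {
    (void)rec_len;
    return build_response(rec, (uint16_t)((rec[1] << 8) | rec[2]), out_len);
}
/* Fixed handler: the bounds check the patch added; a record that claims more than it carries is dropped. */
static uint8_t *heartbeat_fixed(const uint8_t *rec, size_t rec_len, size_t *out_len) {
    *out_len = 0;
    if (rec_len < 1 + 2 + PADDING) return NULL;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + PADDING > rec_len) return NULL;
    return build_response(rec, payload_len, out_len);
}

/* Constructed server memory: a 21-byte request carrying the 2-byte payload "hi",
 * followed at offset 24 by a cached credential that should never leave the process. */
static const char SECRET[] = "vpn-user:CONSTRUCTED-DEMO-PASSWORD";
/* Sends a request whose length field claims `claimed_len` bytes. Returns -1 if the
 * handler rejected it, 1 if the response contains SECRET, 0 if it answered cleanly. */
int heartbeat_outcome(int use_fixed, uint16_t claimed_len) {
    hb_handler h = use_fixed ? heartbeat_fixed : heartbeat_vulnerable;
    uint8_t mem[64] = {0}; size_t n = 0; int leaked = 0;
    mem[0] = 1; mem[1] = (uint8_t)(claimed_len >> 8); mem[2] = (uint8_t)claimed_len;
    mem[3] = 'h'; mem[4] = 'i';                       /* bytes 5..20 are the padding */
    memcpy(mem + 24, SECRET, sizeof SECRET - 1);
    uint8_t *resp = h(mem, 21, &n);                   /* 21 bytes is what actually arrived */
    if (!resp) return -1;
    for (size_t i = 0; i + sizeof SECRET - 1 <= n; i++)
        if (memcmp(resp + i, SECRET, sizeof SECRET - 1) == 0) leaked = 1;
    free(resp);
    return leaked;
}
```

With a claimed length of 60 the vulnerable handler echoes back the credential sitting after the request, while the fixed handler rejects the record and still answers a well-formed 2-byte heartbeat; that single missing comparison is the whole bug the Juniper patch closed.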
Juniper had released a patch to fix the Heartbleed vulnerability within days of its disclosure, so why was this health organization compromised for three months? Because patching is hard, especially in organizations like healthcare, where security is often an afterthought, if it isn’t just considered a nuisance that everyone has to work around. And when I say ‘hard’, I simply mean that it takes a lot of resources, especially time and planning, to make happen, something that’s scarce at every healthcare organization that I’ve ever talked to.
I do find it amusing that Mandiant was called in to do the forensics on this case and found it linked to Chinese nationals. Of course it was linked to China; everything Mandiant finds is linked to China somehow. Or I could just be making light of a serious situation.
It may not quite be VPN for Dummies, but Astaro RED sounds pretty close if you ask me. I talked to Jan Hichert at Astaro about RED (Remote Ethernet Device) at RSA earlier this year and the way he talked about this new product, it seems like it’s an easy way for companies to add a remote office without many of the headaches this often entails. I haven’t played with it myself and haven’t talked to anyone who has yet, but at least in theory it sounds like a good product. Basically, you run Astaro Security Gateway at your central office; when you bring the remote RED box online, it phones home to Astaro, where it receives instructions on how to connect to your central office server. There is configuration, but it’s mostly handled by Astaro before it ever gets to your office. I’m sure Jack Daniel can tell you more if you’re interested, but in the meantime, the press release follows after the break.
I’m not an expert on web application firewalls, which is why I’m asking for feedback on the Mykonos Security Appliance. I was given a demo of the product at the RSA Conference this year and it’s one of the few products I’ve seen lately that’s doing something new and innovative. Or more accurately, it appears to be doing something new and innovative; it’s still in beta and this is a technology that’s outside my comfort zone. If you’re someone with an expertise in WAFs, it should be worth at least a short look.
In a lot of ways, Mykonos appears to be a standard WAF; it can be used to protect your site from many of the standard coding errors that a WAF is designed to deal with. It addresses the OWASP Top 10, it has all the reporting capabilities to tell you something’s wrong; in this area it doesn’t appear to have a lot of extra punch you can’t get elsewhere. The place it does start to have some distinguishing capabilities is in tracking, categorizing and responding to malicious attacks on your web site.
You want to know more about who’s probing your web site? Mykonos will dynamically modify the code your site is serving to get you more information on who’s attacking. It’ll tell you about the level of sophistication of the attacker, whether they’re just trying to manipulate a price in the shopping cart, if they’re trying a SQL injection attack or if they’re working on something at the higher end of the attack scale. And it gives you a lot of choices about how you want to respond; simply block the user, send custom code telling them they’ve been identified and logged or act as a honeypot to get even more information about the attacker and how he’s planning on attacking your site. The tracking and information gathering abilities seem to be pretty impressive and it may be worth looking at for that alone.
Mykonos looks like more than a plain vanilla web application firewall and the downside to that is it requires more work from the administrator and more work from your developers to make full use of its capabilities. This also means its potential for becoming shelfware is much greater as well. But if you’re looking for more than what a standard WAF offers, it might be worth looking at this product. And once you do, I’d appreciate feedback on your impression of the product. Is Mykonos a potential new product market, a single product with greater capabilities or just a flash in the pan that won’t amount to much?
Ahh, the joys of being a parent. My youngest son recently started sprinkling his language with profanity, something both his mother and I were certain he didn’t get from us: she almost never uses profanity and when I do the kids are usually running for cover rather than trying to remember what I said. At first we thought he was getting it from school, but his older brother finally came forward and told us it was from videos he was watching on YouTube. What had looked like a fairly innocuous video of SuperMario and other characters turned out to be profanity laden and more than a little disturbing. He was given a warning and told to turn off any videos that contained profanity, then lost his computer rights for a week when I caught him watching a video with profanity. The third time’s a charm, so I decided it’s time to block YouTube at the entryway, my WRT54G router.
It seemed simple and straightforward. But an hour and several internet searches later, I still couldn’t get the WRT54G to block YouTube. I created a Policy called YouTube, rather appropriately, added a list of affected PCs, set it to every day, 24 hours a day and entered http://www.youtube.com in the space marked “Website blocking by URL address”. Then I hit “Save Settings” and … nothing. I was still able to get to YouTube, the kids could get to YouTube and I was not happy.
Then it suddenly struck me: the folks at Linksys and Cisco were creating the software for the average computer user, someone who doesn’t have the faintest idea what “HTTP” or “URL” mean and probably never types the “http://” at the beginning of the URL. I took that out of the URL and saved the settings and now YouTube is blocked. I’m happy that I now know how to block a site, but I’m frustrated that the developers couldn’t have taken a few more lines of code to either automatically remove the http:// if typed in, or at the very least taken ten seconds to add an example of what they consider a URL. If I’d seen even one example of what they consider a URL, I would have been able to block the site in less than 5 minutes, rather than taking over an hour. And I wonder how many less technical parents have given up in frustration.
As someone put it on Twitter, “Sometimes people should check acronym definitions before using them.”
I use Gmail as my central email repository and usually the spam filters they use are pretty good. But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally. There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.
I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email. There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk. But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”. It’s honest and straightforward even if it is just an attempt to rip off people around the globe.
On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days. It’s been interesting watching the number of spams spike and drop. At one point I had gathered nearly 9000 spams in a 30 day period, which works out to an average of 300 spams a day. Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see. I guess being subscribed to ten or so mailing lists had to have some benefit.
Mine is just a single data point, compared to the millions some anti-spam vendors get to see. But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like F-Secure report. Anyone else out there keep track of the spam they receive for fun?
Technorati Tags: security, spam, McKeay