Internet SecuritT Group

MacScan 2.9.3 with Google Chrome and SeaMonkey support released

Sat, 19 May 2012 06:46:11 +0000

SecureMac released MacScan 2.9.3, which features tracking cookie detection and cleaning for Googles Chrome browser.

MacScan is the premier Macintosh security program, protecting you against the …

View full post on Help Net Security – News

Call of Duty hacker jailed after meatspace burglary

Sat, 19 May 2012 06:09:11 +0000

18 months’ porridge for banking malware-spreader

A Brit who distributed a Trojan horse that posed as a patch for popular shoot-em-up game Call of Duty has been jailed for 18 months.…

View full post on The Register – Security

Do Firewalls make sense?, (Thu, May 17th)

Sat, 19 May 2012 05:06:14 +0000

Once in a while, someone comes up with the idea that firewalls are really not all that necessary. Most recently, Roger Grimes of Infoworld [1][2]. I am usually of the opinion that we definitely probably need firewalls. But I think the points made by the anti-firewall faction offer some insight into not only why we really need firewalls, but also what people don’t understand about firewalls.
To clarify from the start: I am talking here about good old basic network firewalls. No deep packet inspection rules and no host based firewalls.
From a security point of view, firewalls offer two main functions: They regulate traffic, and they provide logs. The second part is often neglected. But look over some of the stories here, and quite frequently, you will find cases in which firewall logs tripped the scale. For example the duplicate DNS response issue earlier this week was initially found by an observant reader watching firewall logs.
When it comes to filtering, some consider firewalls not worth the trouble because they only filter on ports that are closed on the server anyway. I think this shows a lack of understanding of what a firewall can do protecting servers. My best firewall wins came usually from outbound filtering from traffic trying to leave the server.
The next argument against firewalls is that there are usually better devices to do the filtering: Proxies have real application insight, router and switch ACLs can usually pick up the low end port filtering part. As far as the proxy is concerned: I say get one too. But proxies are usually rather complex devices to configure correctly and I rather get the easy stuff out of the way first using a firewall. At the same time: How do I make sure my traffic actually uses the proxy? That typically involves a firewall.
A switch or a router may have many features that are found in a classic firewall (even state-full rules and some application logic). They may be perfectly fine for a home user or a small business. However, in particular in an enterprise context, you probably want to split the firewall functionality to a different device, and with that to a different group of people. The people dealing with routing and network performance (packet movers) are usually not the same people that are dealing with firewalls and filtering (packet droppers).
But how many modern attacks are really blocked by firewalls? Aren’t they all sending a spear phishing email to the user, tricking the user to download malware some chinese kid wrote via the filtering proxy we installed? Next they exfiltrate the data via that same proxy (or DNS, or SMTP… or other services we have to allow)? In part, these modern attack are a testimony to the effectiveness of firewalls. An attacker would probably rather still use the same tool they used back in the 90s to brute force file sharing passwords and download data straight from the system. But sadly, because now even some universities block file sharing using a firewall, these attacks no longer work.
Against these modern attacks, we have other defenses. Some may work against the older versions of these attacks as well. In short, these defenses can be summarized as end point protection (whitelisting, anti-virus, host based firewall, hardening of the system…). Hardening a large number of end points is however a lot more difficult then configuring a few firewalls well placed at the right choke points.
By now, you are probably going to ask yourself: Why hasn’t he talked about defense in depth yet? The argument doesn’t really apply if you are trying to argue removing a device. Each additional security device can be justified with defense in depth. But some security devices don not add enough value to justify the expense. I don’t think defense in depth itself can be used to justify a *particular* security device. It rather justifies the fact that some of our security devices are redundant and fulfill similar,-) .
Thoughts? Flames? Use the comment feature or sent us a non-public comment via the contact form.
[1]http://www.infoworld.com/d/security/the-firestorm-over-firewalls-193409

[2]http://www.networkworld.com/news/2005/070405perimeter.html
——

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

View full post on SANS Internet Storm Center, InfoCON: green

Security Index Marks A Year Of Doing Business Dangerously

Sat, 19 May 2012 02:22:02 +0000

The Index of Cyber Security has measured top security officers’ sentiment on cyberthreats for more than a year. So what does the index’s steady rise mean?

View full post on Dark Reading – All Stories

Facebook IPO advanced fee scam hitting inboxes

Sat, 19 May 2012 00:46:02 +0000

Today's the day when Facebook has officially become a publicly traded company, after founder Mark Zuckerberg rang the bell and officially opened trading on the Nasdaq exchange.

For months now, spec…

View full post on Help Net Security – News

Mac-based Flashback click fraud campaign was a bust

Fri, 18 May 2012 21:39:39 +0000

The hackers in charge of the Flashback botnet managed to generate $14,000 from their click fraud campaign, but have not been paid, Symantec said Thursday.

New analysis of the Flashback botnet and the traffic between infected Macs and C&C (command-and-control) servers exposed the earnings and the lack of payment, Liam O Murchu, manager of operations at Symantec’s security response center, said in an interview.

View full post on Security – Infoworld

Tech Insight: Practical Threat Intelligence

Fri, 18 May 2012 21:21:34 +0000

Today’s ever-changing threat landscape requires proactive security efforts to identify threats and adapt defenses quickly.

View full post on Dark Reading – All Stories

New IPv6 Video: IPv6 Router Advertisements https://isc.sans.edu/ipv6videos, (Thu, May 17th)

Fri, 18 May 2012 21:06:01 +0000

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

View full post on SANS Internet Storm Center, InfoCON: green

Apache OpenOffice security fixes emerge

Fri, 18 May 2012 20:07:48 +0000

Under new management: First revamp passes one million downloads

Details have emerged about the security fixes that came bundled with Apache OpenOffice 3.4.0, the latest version of the open-source productivity suite.…

View full post on The Register – Security

Twitter supports Do Not Track option

Fri, 18 May 2012 18:45:03 +0000

The news was announced by Ed Felten, the US Federal Trade Commission's CTO, at a New York Internet Week privacy panel, and Twitter has quickly come out to confirm it: the popular micro-blogging servic…

View full post on Help Net Security – News

Internet SecuritT Group

MacScan 2.9.3 with Google Chrome and SeaMonkey support released

Call of Duty hacker jailed after meatspace burglary

18 months’ porridge for banking malware-spreader

Do Firewalls make sense?, (Thu, May 17th)

Security Index Marks A Year Of Doing Business Dangerously

Facebook IPO advanced fee scam hitting inboxes

Mac-based Flashback click fraud campaign was a bust

Tech Insight: Practical Threat Intelligence

New IPv6 Video: IPv6 Router Advertisements https://isc.sans.edu/ipv6videos, (Thu, May 17th)

Apache OpenOffice security fixes emerge

Under new management: First revamp passes one million downloads

Twitter supports Do Not Track option

Twitter supports Do Not Track option