
January 2008 Archives

January 6, 2008

Arab Israeli arrested for Cyber-Sabotage of Israeli Websites

We call ourselves Team Evil. We like to go around causing trouble..Yawn.

I got a call last week, first thing in the morning from a colleague Nissan Ratzlav-Katz - who does research and writes about Islamic terror. He asked me if I could comment on the recent arrest of an Israeli Arab who is being charged for hacking Israeli Web sites.

I could not actually remember the case - but with a little prompting it came back to me. It was back in July 2006 - the attackers googled for a known vulnerability in the Invision Power Board 2.1.x forum application. The proof of concept code was released on the Internet in April 2006. After running the exploit, the attacker could modify an HTTP header to run malicious code.

Nissan had some questions which I answered pretty much in real-time since he had a deadline for his article on Israel National News.

Q - How can you say a hacker group is "based in" anywhere (as was said of them in 2006)?

A - A hacker group will have a small core team of 1-2 people based in a particular geographical location. The attack originated from three networks, most of which are in Saudi Arabia.

Q - Was it true that most sites were back up in a day?
A - Technically, they were never down; the sites were defaced. The companies involved got first aid from outside consultants like Beyond Security (who were the first responders I believe) and the sites were restored to a normal state within the day.

Q - Have there been improvements on Israeli IT security since then?
A - No.

Q - Does the arrest tell us something about the ease of catching such vandals? The sophistication of the attacks?
A - The arrest doesn't say anything about the ease of catching hackers.

The attack on the server in question was done by exploiting vulnerabilities in an unpatched web application and defacing the Web site. A combination of public and homemade tools was used, indicating a higher level of technical skill by the attackers (Team Evil) than that usually seen by similar groups.

However, the tools are very simple and they succeeded because the Web application (Invision) was not updated with the latest security patches.

Q - What does it say about current Israeli IT security? Anything?
A - As a rule, most Israeli companies are better at buying security technology (and getting a discount from the vendor) than sustaining a business process of fixing application software bugs.

Most Israeli IT managers are fighting yesterday's security battles and have an attitude that security is their employees' problem not theirs.

The prevailing mentality and sloppy maintenance mean that Israeli IT managers are no better prepared than they were 2 years ago.

Read the article on Arab Israeli Arrested for Cyber-Sabotage of Israeli Websites

January 7, 2008

Economists say 2008 will be a year to forget

Getting back to basics helps reduce security costs
I get Israeli business news with my morning coffee at Globes online - this morning, a link to Marketwatch caught my attention.

Many analysts gathered at the American Economic Association's two-day annual meeting in New Orleans spoke of a recession as almost a given but differed over how severe it will be. Alistair Milne, a professor at the City University of London's Cass Business School, told MarketWatch he's expecting "a really weak year." He said the US economy won't likely get back on track until 2010 and will require more capital from overseas.

What does this have to do with the price of Software Security in China?

Continue reading "Economists say 2008 will be a year to forget" »

January 8, 2008

Hate is not a sustainable strategy - not in politics nor in technology

What about Linux versus Windows security?

Living in post 9/11 in the Middle East, Israelis are acutely aware of how Islamic terror is fueled by hate of the West, the US and Israel in particular - yet, we've become insensitive to the continued Palestinian violence and the price terror victims and their families pay.

In local Israeli politics, a number of political parties at both the national and municipal level rose on a hate plank (usually hating the religious "datiim" or Arabs) - in every case, the parties fell after less than 5 years - witness Tommy Lapid and the Shinui party in the Knesset and Ir Hofshi here in my home city of Modiin.

In the tech world, a lot of my Linux friends despise Microsoft. Drawing an analogy from the political world, I've been wondering if this is a sustaining strategy for Linux supporters.

There has been so much hype from Microsoft and other sources - about which O/S and Web server has a better security track record. I think that the FOSS community has to stop bashing Microsoft just because they hate Bill Gates.

Continue reading "Hate is not a sustainable strategy - not in politics nor in technology" »

January 9, 2008

IT security product prices will drop in 2008

I think they will. But why?

1. An impending recession starting in 2008

The US economy is going to slow down for the next 2 years and then the days of buying everything on a security shopping list are over in the US. In EMEA - I don't recall they ever existed.

In the 2001-2004 recession, the code word for IT was "more for less" and "Reducing cost and complexity" and in 2008-2010, we shall see more of the same. In the digital asset protection space - the independent, DLP specialist security vendors like Reconnex, Vericept and Fidelis Security Systems, will need to work harder to prove dollar value of their security countermeasures for data theft.

2. Consolidation
In the past 6 months - Symantec bought Vontu, EMC bought Tablus, Cisco bought Ironport, Websense bought Port Authority and Raytheon bought Oakley Networks.

In a tough market, the big companies like Symantec and McAfee (unlike the independent specialists) will resort to dropping prices in order to close sales.

What do they care?

They're not the founders with big equity stakes. They have plenty of cash - so they can discount their way to closing customers in a down market, if they need to improve their ROI calculators with the IT buyer.

3. Customer wakeup calls.
PT Barnum said that "there's a sucker born every minute" but IT managers are not fools. They are going to figure out that Imperva database SecureSphere firewalls for 100k that cannot enforce policies of db user name and application user name are not going to help them comply effectively with PCI DSS.

The people who spend money on Sarbanes Oxley are going to have less money; and then they'll ask the Checkpoint salesperson exactly how VPN-1 helps them comply with Sarbox 404 (that management attest to the effectiveness of corporate internal controls).

January 10, 2008

Peace and Geula - or Microsoft Open Source lab invites Mozilla to "mosey" on down

Apropos my previous post on Hate is not a sustainable strategy,

Today I got this email from my good friend Eli Marmour - who has been deeply involved in Apache development for almost a decade.

The forwarded message was sent from Microsoft to Apache Software Foundation.

I'm sure that there is an authentic good will, and it looks like the utopia vision of peace and Geula.

Continue reading "Peace and Geula - or Microsoft Open Source lab invites Mozilla to "mosey" on down" »

January 27, 2008

The risk management divide - marrying risk and strategy to create value

I read an article this week from the Boston Consulting Group on marrying risk and strategy to create value. There was a very strong banking/financial institution focus and high level stuff about strategic alignment and getting the risk officers involved in strategic planning.

A couple days later we met with a CFO at a prospective partner and they didn't even have a CRO (chief risk officer).

Still - a lot of what he had to say sounded familiar - just on a smaller scale.

The input from our enterprise users is that they are working to align risk management and planning functions, and tap their risk experts more often. However - our experience with consultants who use our PTA product suggests that they are still occupied largely with policies and procedures.

Continue reading "The risk management divide - marrying risk and strategy to create value" »

January 28, 2008

Security by obscurity

I do a lot of work in the extrusion prevention space with companies like Fidelis Security Systems and Waterfall. This week I had a series of phone calls with a client who was invited to participate with us in a round table discussion with industry analysts on data leakage / extrusion prevention. The information security officer and her direct boss agreed but the request was vetoed at a VP level on grounds that "we don't want people to know that we're monitoring outgoing traffic from the enterprise network".

It is certainly their right not to participate in an industry discussion; it is just not clear to me that keeping an extrusion prevention system secret will help enhance their security.

While I don't believe in giving out either state secrets or technical details of an internal network - there is no way security will be served by obscurity.

Continue reading "Security by obscurity" »

January 31, 2008

CIP - Critical Infrastructure Protection, FERC and NERC

This was my week for CIP, FERC and NERC security requirements.

Last week, headlines were screaming that CIA confirms cyber attack caused blackout - a CIA analyst late last week told attendees at a conference that the agency has confirmed that a direct computer attack caused a multi-city blackout recently. The analyst, Tom Donahue, did not specify when the attack took place or which cities were affected, but did say it was outside the United States.

In a statement released through The SANS Institute, Donahue said the CIA carefully considered whether to release any information about the incident.

On Sunday - I got a phone call from my friend Lior Frenkel over at Waterfall Solutions here in Israel.

Then on Monday, we got a support call from one of our PTA users regarding a practical threat analysis library for CIP 002-009.

Continue reading "CIP - Critical Infrastructure Protection, FERC and NERC" »

About January 2008

This page contains all entries posted to Israeli Software in January 2008. They are listed from oldest to newest.


Creative Commons License
This weblog is licensed under a Creative Commons License.