Friday, October 23, 2009

Use Data Masking to Secure Sensitive Data in Non-Production Environments

| Brett D. Arion |

Data masking is the process of de-identifying (masking) specific elements within data stores by applying one-way algorithms to the data. The process ensures that sensitive data is replaced with realistic but not real data; for example, scrambling the digits in a Social Security number while preserving the data format. The one-way nature of the algorithm means there is no need to maintain keys to restore the data as you would with encryption or tokenization.Last week's article covered the topic of protecting data in databases from the inside out. That is, watching every action involving data as it happens, and promptly halting improper actions.

Data masking is typically done while provisioning non-production environments so that copies of data created to support test and development processes are not exposing sensitive information. If you don't think this is important, consider what happened to Wal-Mart a few years ago. reports that Wal-Mart was the victim of a serious security breach in 2005 and 2006 in which hackers targeted the development team in charge of the chain's point-of-sale system and siphoned source code and other sensitive data to a computer in Eastern Europe. Many computers the hackers targeted belonged to company programmers. Wal-Mart at the time produced some of its own software, and one team of programmers was tasked with coding the company's point-of-sale system for processing credit and debit card transactions. This was the team the intruders targeted and successfully hacked.

Wal-Mart's situation may not be unique. According to Gartner, more than 80%t of companies are using production sensitive data for non-production activities such as in-house development, outsourced or off-shored development, testing, quality assurance and pilot programs.

The need for data masking is largely being driven by regulatory compliance requirements that mandate the protection of sensitive information and personally identifiable information (PII). For instance, the Data Protection Directive implemented in 1995 by the European Commission strictly regulates the processing of personal data within the European Union. Multinational corporations operating in Europe must observe this directive or face large fines if they are found in violation. U.S. regulations such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) also call for protection of sensitive financial and personal data.

Worldwide, the Payment Card Industry Data Security Standard (PCI DSS) requires strict security for cardholder data. In order to achieve full PCI compliance, organizations must protect data in every system that uses credit card data. That means companies must address their use of cardholder data for quality assurance, testing, application development and outsourced systems -- and not just for production systems. In the Wal-Mart case discussed above, the retailer failed to meet the PCI standard for data security by not securing data in the development environment.

Many large organizations are concerned about their risk posture in the development environment, especially as development is outsourced or sent offshore. A lack of processes and technology to protect data in non-production environments can leave the company open to data theft or exposure and regulatory non-compliance. Data masking is an effective way to reduce enterprise risk. Development and test environments are rarely as secure as production, and there's no reason developers should have access to sensitive data. And while encryption is a viable security measure for production data, encryption is too costly and has too much overhead to be used in non-production environments.

Many database vendors offer a data masking tool as part of their solution suites. These tools, however, tend to work only on databases from a specific vendor. An alternative solution is to use a vendor-neutral masking tool. Dataguise is one of the leading vendors in the nascent market of data masking.

The dataguise solution has two complementary modules. dgdiscover is a discovery tool that searches your environment (including endpoints) to find sensitive data in structured and unstructured repositories. So, even if someone has copied data to a spreadsheet on his PC, dgdiscover can find it. This can be a valuable time-saving tool as data tends to be copied to more places, especially as virtual environments grow and new application instances can be deployed on demand. dgdiscover also can be used to support audits and create awareness of data repositories.

The second dataguise module is dgmasker, a tool that automatically masks sensitive data using a one-way process that can't be reverse engineered. Dgmasker works in heterogeneous environments and eliminates the common practice of having DBAs create masking techniques and algorithms. The tool preserves relational integrity between tables/remote databases and generates data that complies with your business rules for application comparability. In short, you have all the benefits of using your actual production data without using the real data. Instead, dgmasker obfuscates the real data so that it cannot be recovered by anyone -- insider or outsider -- who gains access to the masked data.

Data masking is an effective tool in an overall data security program. You can employ data masking in parallel with other data security controls such as access controls, encryption, monitoring and review/auditing. Each of these technologies plays an important role in securing data in production environments; however, for non-production environments, data masking is becoming a best practice for securing sensitive data.

Symbian Microkernel released as Open Source

| Brett D. Arion |
It was well over a year ago now that news of the Symbian operating system--found on approximately half of global smartphones--going open source broke. The news was interpreted as particularly important to Nokia's forward-looking Symbian strategy, but after all this time, an open source version of Symbian's platform is still only in beta testing.

Today, though, as EETimes notes, Symbian has released its platform microkernel, and software development kit (SDK), as open source under the Eclipse Public License. The Symbian Foundation claims that it is moving quickly toward an open source model, which is questionable, but the release of the EKA2 kernel is a signal that Symbian still means business about adopting an open source model.

Accenture, ARM, Nokia and Texas Instruments contributed software to the microkernel, Symbian officials said. They also note that the microkernel is responsible for most key functions in the operating system. What puzzles me, though, are the many posts and news stories that I'm seeing that seem to agree with the Symbian Foundation's claim that it is nine months ahead of schedule with its shift to open source.

Ahead of schedule after more than a year? Has anyone alerted the Symbian Foundation and Nokia that there is an absolute, competitive maelstrom going on in the smartphone arena? Android will soon come out in a full version 2.0 and has major momentum. Meanwhile, Nokia is bleeding money and taking an old-fashioned butt-kicking from the iPhone in the smartphone market. Nokia's North American sales are down more than 31 percent over last year.

It's about time that the Symbian platform showed some actual signs of going open source in earnest. If it does, it will only be good for market share, but I'm really not sure that this latest release qualifies as "ahead of schedule" in this mobile technology market.

Reblog this post [with Zemanta]

Congressional Advisory Panel: China taking valuable information from hitech companies

| Brett D. Arion |
The Chinese government is stepping up efforts to steal valuable information from high-technology companies in other countries, according to a congressional advisory panel, which detailed one operation that siphoned "extremely large volumes" of sensitive data.

The 2007 attack against the unnamed high-technology company was just one of several successful operations the US-China Economic and Security Review Commission ( believes was sponsored by Beijing.

According to ( The Wall Street Journal, which reported the contents of a report the panel was expected to release Thursday, the Chinese government is suspected because of the "professional quality" of the attack and the technical natures of the stolen information.

According to the WSJ:

The hackers "operated at times using a communication channel between a host with an [Internet] address located in the People's Republic of China and a server on the company's internal network."
In the months leading up to the 2007 operation, cyberspies did extensive reconnaissance, identifying which employee computer accounts they wanted to hijack and which files they wanted to steal. They obtained credentials for dozens of employee accounts, which they accessed nearly 150 times.

The cyberspies then reached into the company's networks using the same type of program help-desk administrators use to remotely access computers.

The hackers copied and transferred files to seven servers hosting the company's email system, which were capable of processing large amounts of data quickly. Once they moved the data to the email servers, the intruders renamed the stolen files to blend in with the other files on the system and compressed and encrypted the files for export.

The attackers used at least eight US-based computers, some at universities, as drop boxes before sending it overseas. The company's security team managed to detect the theft while it was in progress, but not before significant amounts of data left the company network.

China is one of 100 countries believed to have the capability to conduct such operations, according to the report. ®

Reblog this post [with Zemanta]

Almost half ISO 27001 'compliant' firms break with security

| Brett D. Arion |
Almost half of businesses that claim compliance with ISO 27001 are sharing privileged user accounts and breaking other standard guidance, according to a survey of IT managers.

Some 47 percent of firms in the UK said they were compliant with the standard. But forty-one percent of these said that they were using various non-compliant practices.

Bad practice by privileged users is putting European data at "high risk", according to the 'Privileged user management -- it's time to take control' report. These practices included use of default user names and passwords, the granting of wider access than is necessary, failure to monitor the users, and an ignorance around the existence of privileged users in the first place.

Two hundred and seventy European IT managers, including 45 in the UK, were interviewed for the survey that was conducted by Quocirca.

Twenty nine percent of firms in the UK rely on manual control of privileged users, who include system administrators, application service users, and privileged personal users. Only a quarter have implemented privileged user management software, which aims to help businesses enforce and track policy. Around 20 percent plan to implement the software.

UK firms saw privileged users as a medium threat, rating them on average at 2.5 on a scale of one to five, where one meant no threat and five represented a very serious threat.

On a similar scale, they exhibited a medium level of confidence that they could monitor and control privileged user accounts, at 3.1 and 3.2 respectively.

Tim Dunn, VP security at management software firm CA, which commissioned the survey, said at this week's RSA Security Conference in London that there is a "necessity for privileged user access", but that they are "the main target for hackers".

There are a number of recommendations Dunn gave to businesses, including making sure risk managers and other executives "take charge of the problem" instead of "leaving it to IT". Firms should also introduce individual accountability, enforce the segregation of duties for privileged users, secure log files, and implement a privileged user management platform, he said.

Reblog this post [with Zemanta]

Friday, October 16, 2009

Firefox Users At Risk From MIcrosoft Plug-In

| Brett D. Arion |
[ UPDATE: Mozilla has now removed the extension from the blocklist after Microsoft clarified some information in its bulletin on how Firefox users were affected. ]

Patches critical bug, exploitable because of add-on silently slipped into Firefox last February.....

An add-on that Microsoft silently slipped into Mozilla's Firefox last February leaves that browser open to attack, Microsoft's security engineers acknowledged earlier this week.

One of the 13 security bulletins Microsoft released Tuesday affects not only Internet Explorer (IE), but also Firefox, thanks to a Microsoft-made plug-in pushed to Firefox users eight months ago in an update delivered via Windows Update.

"While the vulnerability is in an IE component, there is an attack vector for Firefox users as well," admitted Microsoft engineers in a post to the company's Security Research & Defense blog on Tuesday. "The reason is that .NET Framework 3.5 SP1 installs a 'Windows Presentation Foundation' plug-in in Firefox."

The Microsoft engineers described the possible threat as a "browse-and-get-owned" situation that only requires attackers to lure Firefox users to a rigged Web site.

Numerous users and experts complained when Microsoft pushed the .NET Framework 3.5 Service Pack 1 (SP1) update to users last February, including Susan Bradley, a contributor to the popular Windows Secrets newsletter.

"The .NET Framework Assistant [the name of the add-on slipped into Firefox] that results can be installed inside Firefox without your approval," Bradley noted in a Feb. 12 story. "Although it was first installed with Microsoft's Visual Studio development program, I've seen this .NET component added to Firefox as part of the .NET Family patch."

What was particularly galling to users was that once installed, the .NET add-on was virtually impossible to remove from Firefox. The usual "Disable" and "Uninstall" buttons in Firefox's add-on list were grayed out on all versions of Windows except Windows 7, leaving most users no alternative other than to root through the Windows registry, a potentially dangerous chore, since a misstep could cripple the PC. Several sites posted complicated directions on how to scrub the .NET add-on from Firefox, including .

Annoyances also said the threat to Firefox users is serious. "This update adds to Firefox one of the most dangerous vulnerabilities present in all versions of Internet Explorer: the ability for Web sites to easily and quietly install software on your PC," said the hints and tips site. "Since this design flaw is one of the reasons [why] you may have originally chosen to abandon IE in favor of a safer browser like Firefox, you may wish to remove this extension with all due haste."

Specifically, the.NET plug-in switched on a Microsoft technology dubbed ClickOnce, which lets .NET apps automatically download and run inside other browsers.

Microsoft reacted to criticism about the method it used to install the Firefox add-on by issuing another update in early May that made it possible to uninstall or disable the .NET Framework Assistant. It did not, however, apologize to Firefox users for slipping the add-on into their browsers without their explicit permission -- as is the case for other Firefox add-ons, or extensions.

This week, Microsoft did not revisit the origin of the .NET add-on, but simply told Firefox users that they should uninstall the component if they weren't able to deploy the patches provided in the MS09-054update.

According to Microsoft, the vulnerability is "critical," and also can be exploited against users running any version of IE, including IE8.

Latest Fake Antivirus Attack Holds Compromised Systems Hostage

| Brett D. Arion |

Attack forces user to purchase phony antivirus package to free computer

Attackers have added a new twist to spreading fake antivirus software: holding a victim's applications for ransom.

Researchers discovered a Trojan attack that basically freezes a user's system unless he purchases the rogueware, which goes for about $79.99. The Adware/TotalSecurity2009 rogueware attack doesn't just send fake popup security warnings -- it takes over the machine and renders all of its applications useless, except for Internet Explorer, which it uses to receive payment from the victim for the fake antivirus. "The system is completely crippled," says Sean-Paul Correll, threat researcher and security evangelist for PandaLabs, which found the new attack.

Correll says when the rogueware detects any application on the machine starting to execute, it then shuts down the application. "This happens for every file you try to open except IE. The only reason IE works is because that's what's used to allow victims to pay the cybercriminals," he says.

Bad guys have used ransom threats in phishing attacks and distributed denial-of-service (DDoS) attacks, but Correll says this is the first time it has been used to force users to buy rogueware. Rogueware distributors typically prompt the victim with pop-up messages, but the user can bypass the purchasing process by ignoring them or clicking through them.

Adware/TotalSecurity 2009 isn't new rogueware, but the difference is its distributors are using a more aggressive tack to ensure they make money from it. "Users are put into a Catch-22," Correll says. To free their systems, they are pressured into purchasing the package and sending their financial details to the bad guys, he says. Once the transaction is complete, they receive a serial number that releases their apps and files and can recover their information.

The good news is that, so far, this type of attack is relatively rare. And PandaLabs has posted the serial numbers for the malware application so that users can temporarily "unlock" their systems.

Rogueware has been on the rise this year, and its creators are pumping out new versions of the malware in rapid-fire. PandaLabs found 374,000 new versions of rogueware samples released in the second quarter of this year, a number the company expects to nearly double to 637,000 in the third quarter.

Correll says it's only a matter of time before other rogueware developers emulate the ransom attack. "By forcing the user to pay so quickly, they are able to maximize their profitability before getting caught and removed," he says.

Reblog this post [with Zemanta]

Botnet Operators Impacted by Global Economy. DDoS and other attacks cheaper

| Brett D. Arion |
Security researchers say the cost of criminal services such as distributed denial of service, or DDoS, attacks has dropped in recent months. The reason? Market economics. "The barriers to entry in that marketplace are so low you have people basically flooding the market," said Jose Nazario, a security researcher with Arbor Networks. "The way you differentiate yourself is on price."

Criminals have gotten better at hacking into unsuspecting computers and linking them together into so-called botnet networks, which can then be centrally controlled. Botnets are used to send spam, steal passwords, and sometimes to launch DDoS attacks, which flood victims' servers with unwanted information. Often these networks are rented out as a kind of criminal SaaS to third parties, who are typically recruited in online discussion boards.

DDoS attacks have been used to censor critics, take down rivals, wipe out online competitors and even extort money from legitimate businesses. Earlier this year a highly publicized DDoS attack targeted U.S. and South Korean servers, knocking a number of Web sites offline.

Are botnet operators having to cut costs like other businesses in these troubled economic times? Security researchers don't know if that's been a factor, but they do say that the supply of infected machines has been growing. In 2008, Symantec's Internet sensors counted an average of 75,158 active bot-infected computers per day, a 31% jump from the previous year.

DDoS attacks may have cost hundreds or even thousands of dollars per day a few years ago, but in recent months researchers have seen them going for bargain-basement prices.

Nazario has seen DDoS attacks offered in the US $100-per-day range, but according to SecureWorks Security Researcher Kevin Stevens, prices have dropped to $30 to $50 on some Russian forums.

DDoS attacks aren't the only attacks that are getting cheaper. Stevens says the cost of stolen credit card numbers and other kinds of identity information has dropped too. "Prices are dropping on almost everything," he said.

While $100 per day might cover a garden-variety 100MB/second to 400MB/second attack, it might also procure something much weaker, depending on the seller. "There's a lot of crap out there where you don't really know what you're getting," said Zulfikar Ramzan, a technical director with Symantec Security Response. "Even though we are seeing some lower prices, it doesn't mean that you're going to get the same quality of goods."

In general, prices for access to botnet computers have dropped dramatically since 2007, he said. But with the influx of generic and often untrustworthy services, players at the high end can now charge more, Ramzan said.

Oracle to fix 38 database, product vulnerabilities

| Brett D. Arion |

Oracle CorporationImage via Wikipedia

Oracle has announced plans to ship a Critical Patch Update (CPU) with fixes for at least 38 security vulnerabilities in a wide range of database and server products.

The most serious vulnerabilities (CVSS score of 10.0) affect Oracle Core RDBMS, Oracle JRockit and Oracle Network Authentication. The patches are due on Tuesday, October 20, 2009.

According to an advance notice from Oracle, the following products and components will be affected by the October CPU:

  • Oracle Database: 16 new security vulnerability fixes for the Oracle Database. Six of these vulnerabilities may be remotely exploited without authentication, i.e., may be exploited over a network without the need for a username and password.
  • Oracle Application Server: Three new security fixes for the Oracle Application Server. Two of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
  • Oracle E-Business and Applications Suite: Eight new security fixes for the this product. Five of these vulnerabilities may be remotely exploitable without authentication.
  • Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne: Four new security fixes for the PeopleSoft and JD Edwards Suite. None of these vulnerabilities may be remotely exploitable without authentication.
  • Oracle BEA Products: Six new security fixes for the BEA Products Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Oracle BEA Products affected:
    • Oracle JRockit

    • Oracle WebLogic Portal

    • Oracle WebLogic Server
  • Oracle Industry Applications Products Suite: One 1 new security fix for the Oracle Industry Applications Products Suite. This vulnerability is not remotely exploitable without authentication.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible,” the company said.

Reblog this post [with Zemanta]

Tuesday, October 6, 2009

NIST maps out the emerging field of IT metrology

| Brett D. Arion |
NIST maps out the emerging field of IT metrology

Information technology security is a hot topic, but attention usually focuses on the lack of it. What is missing is an objective, quantifiable way to effectively measure it.

“Security can be looked at in different ways by different people,” said Wayne Jansen, a computer scientist at the National Institute of Standards and Technology’s IT Laboratory. There is quality control for code developers, the process of deploying a system, and its maintenance by users. “These are all different aspects,” and they do not lend themselves to traditional methods of measurement used in physical science, he said.

Jansen has examined the status of efforts to develop security metrics, identified challenges and suggested a course for future research in a recent NIST report, "Directions in Security Metrics Research."

There have been a number of efforts to establish metric systems for security, including the international Common Criteria, the Defense Department’s Trusted Computer System Evaluation Criteria, the European Communities’ Information Technology Security Evaluation Criteria, and the International Systems Security Engineering Association’s Systems Security Engineering Capability Maturity Model.

“Each attempt has obtained only limited success,” Jansen wrote. “Compared with more mature scientific fields, IT metrology is still emerging.”

The issue is complicated because security means different things to different people and organizations. “Security is risk- and policy-dependent from an organizational perspective; the same platform populated with data at the same level of sensitivity, but from two different organizations, could be deemed adequate for one and inadequate for the other,” he wrote. “The implication is that establishing security metrics that could be used for meaningful system comparisons between organizations would be extremely difficult to achieve.”

There is no standardized terminology for discussing or describing security, Jansen said. The Federal Information Security Management Act's criteria for rating systems as low, medium or high impact is subjective, and assigning them numerical rankings can blur the distinction between qualitative and quantitative measures.

It is difficult to remove subjectivity from IT security. Security measures can be correctly implemented yet still not be effective. “Effectiveness requires ascertaining how well the security-enforcing components tie together and work synergistically, the consequences of any known or discovered vulnerabilities, and the usability of the system,” the report states. In other words, what is effective for one system might not be for another.

Are meaningful security metrics even achievable?

“The answer is yes,” Jansen said, “but they might not be as satisfying as you want.”

He identified two broad areas of research — process and organizational maturity — that focus on the care and maintenance of IT systems, and the intrinsic characteristics or properties of the systems. “I think we can make good progress on the maturity aspect,” he said. Research on security characteristics is not as far along.

There is not likely to be a single system of security metrics anytime soon because of the need to address different elements of security separately. Jansen cited the Federal Information Processing Standard 140 for cryptographic modules as a workable metric “because it bites off a manageable chunk.” The much broader Common Criteria, on the other hand, is less effective, he said.

“The issue of how to do this is going to be with us for the foreseeable future,” he said.

Challenges to effective security metrics identified in the report include:

  • The lack of good estimators of system security.
  • The entrenched reliance on subjective, human, qualitative input.
  • The protracted and delusive means commonly used to obtain measurements.
  • The dearth of understanding and insight into the composition of security mechanisms.

Promising lines of research for improved metrics include:

  • Formal models of security measurement and metrics.
  • Historical data collection and analysis.
  • Artificial intelligence assessment techniques.
  • Practicable concrete measurement methods.
  • Intrinsically measurable components.

Avert Labs Paper: Inside the Password Stealing Business:the Who and How of Identity Theft

| Brett D. Arion |

Avert Labs has published a new research paper, “Inside the Password-Stealing Business: the Who and How of Identity Theft.” With so many financial transactions occurring online today, stealing passwords to banks and other accounts is an irresistible attraction for cybercriminals. Thieves around the world use Trojans and other malware to grab user credentials, which they can resell to their crooked clientele while supporting their own illegal businesses.

The report uncovers technical details on the capabilities, level of sophistication, and inner workings of the most infamous contemporary password-stealing malware families such as Zbot, Sinowal, and Steam Stealer. We also discuss the prevalence of such malware, distribution channels, how criminals keep up with the changes banks make to keep transactions secure, and how they exploit today’s economic climate. Offering illegal “work at home” opportunities to desperate job seekers is one way criminals lure the unsuspecting into furthering their illegal activities.

You’ll find the report here in English and eight more languages.

Want to peek inside another one of these infamous password thieves? Let’s have a look at SilentBanker.

Our story starts with browser helper objects (BHOs), which are plug ins for Internet Explorer. BHOs give developers the opportunity to extend the browser’s functionality without their having access to the browser’s source code. That doesn’t sound too bad, as users aren’t forced to rely on the browser’s developers to implement new features. Even if you’re not a developer, it’s seems useful to download any desired extension, whether you want to customize the user interface or be able to read PDF documents directly in the browser, isn’t it? Well, yes and no! The answer depends on the trustworthiness of the BHO’s author, the server you download from, or the DNS server. Unfortunately, not all BHOs are safe applications—the bad guys are always looking for ways to turn originally useful features into a way to deploy their malware, hunting for usable information such as credentials. Silentbanker is one of those nasty password-stealing malware that comes in the form of a BHO.

This is one “helper” you don’t want on your side: Once installed and automatically loaded by the browser, Silentbanker can interrupt communication between your browser and the Internet! The malware is highly configurable and targets online banking users. Silentbanker will not only recognize and monitor online banking activity but may also modify HTML pages to include additional code or to change a transfer’s details. The data thief acts as a “man in the middle” to inspect and modify data before it is encrypted and sent to a server and after it is received from the server and decrypted. Still think you’re secure with SSL? Unfortunately that’s not the case with this freeloader sitting on top of the browser.

Silentbanker BHO

The screenshot above shows a pseudocode representation of Silentbanker’s malicious core. The code is responsible for detouring relevant operating system functions to its own malicious routines. This malware effectively kills security applications such as host intrusion prevention systems and others. Before its own malicious detours are installed, the malware disables any previously installed detours by reading a Windows library’s original code from the hard disk (”read_whole_file”), and then mapping it back to the process’ memory (”remove_API_hooks”)—thus rendering security products relying on the same technology ineffective.

Computer scientists successfully boot one million Linux kernels as virtual machines

| Brett D. Arion |
Computer scientists successfully boot one million Linux kernels as virtual machines
September 25th, 2009 in Technology / Computer Sciences

Sandia National Laboratories computer scientists Ron Minnich (foreground) and Don Rudish (background) have successfully run more than a million Linux kernels as virtual machines, an achievement that will allow cybersecurity researchers to more effectively observe behavior found in malicious botnets. They utilized Sandia's powerful Thunderbird supercomputing cluster for the demonstration. (Photo by Randy Wong)
( -- Computer scientists at Sandia National Laboratories in Livermore, Calif., have for the first time successfully demonstrated the ability to run more than a million Linux kernels as virtual machines.
The achievement will allow cyber security researchers to more effectively observe behavior found in malicious botnets, or networks of infected machines that can operate on the scale of a million nodes. Botnets, said Sandia’s Ron Minnich, are often difficult to analyze since they are geographically spread all over the world.
Sandia scientists used virtual machine (VM) technology and the power of its Thunderbird supercomputing cluster for the demonstration.
Running a high volume of VMs on one supercomputer — at a similar scale as a botnet — would allow cyber researchers to watch how botnets work and explore ways to stop them in their tracks. “We can get control at a level we never had before,” said Minnich.
Previously, Minnich said, researchers had only been able to run up to 20,000 kernels concurrently (a “kernel” is the central component of most computer operating systems). The more kernels that can be run at once, he said, the more effective cyber security professionals can be in combating the global botnet problem. “Eventually, we would like to be able to emulate the computer network of a small nation, or even one as large as the United States, in order to ‘virtualize’ and monitor a cyber attack,” he said.
A related use for millions to tens of millions of operating systems, Sandia’s researchers suggest, is to construct high-fidelity models of parts of the Internet.
“The sheer size of the Internet makes it very difficult to understand in even a limited way,” said Minnich. “Many phenomena occurring on the Internet are poorly understood, because we lack the ability to model it adequately. By running actual operating system instances to represent nodes on the Internet, we will be able not just to simulate the functioning of the Internet at the network level, but to emulate Internet functionality.”
A virtual machine, originally defined by researchers Gerald J. Popek and Robert P. Goldberg as “an efficient, isolated duplicate of a real machine,” is essentially a set of software programs running on one computer that, collectively, acts like a separate, complete unit. “You fire it up and it looks like a full computer,” said Sandia’s Don Rudish. Within the virtual machine, one can then start up an operating system kernel, so “at some point you have this little world inside the virtual machine that looks just like a full machine, running a full operating system, browsers and other software, but it’s all contained within the real machine.”
The Sandia research, two years in the making, was funded by the Department of Energy’s Office of Science, the National Nuclear Security Administration’s (NNSA) Advanced Simulation and Computing (ASC) program and by internal Sandia funding.
To complete the project, Sandia utilized its Albuquerque-based 4,480-node Dell high-performance computer cluster, known as Thunderbird. To arrive at the one million Linux kernel figure, Sandia’s researchers ran one kernel in each of 250 VMs and coupled those with the 4,480 physical machines on Thunderbird. Dell and IBM both made key technical contributions to the experiments, as did a team at Sandia’s Albuquerque site that maintains Thunderbird and prepared it for the project.
The capability to run a high number of operating system instances inside of virtual machines on a high performance computing (HPC) cluster can also be used to model even larger HPC machines with millions to tens of millions of nodes that will be developed in the future, said Minnich. The successful Sandia demonstration, he asserts, means that development of operating systems, configuration and management tools, and even software for scientific computation can begin now before the hardware technology to build such machines is mature.
“Development of this software will take years, and the scientific community cannot afford to wait to begin the process until the hardware is ready,” said Minnich. “Urgent problems such as modeling climate change, developing new medicines, and research into more efficient production of energy demand ever-increasing computational resources. Furthermore, virtualization will play an increasingly important role in the deployment of large-scale systems, enabling multiple operating systems on a single platform and application-specific operating systems.”
Sandia’s researchers plan to take their newfound capability to the next level.
“It has been estimated that we will need 100 million CPUs (central processing units) by 2018 in order to build a computer that will run at the speeds we want,” said Minnich. “This approach we’ve demonstrated is a good way to get us started on finding ways to program a machine with that many CPUs.” Continued research, he said, will help computer scientists to come up with ways to manage and control such vast quantities, “so that when we have a computer with 100 million CPUs we can actually use it.”
Provided by Sandia National Laboratories (news : web)

Express Scripts: 700,000 notified after extortion

| Brett D. Arion |

Express Scripts: 700,000 notified after extortion

Last November, the company reported that someone had threatened to expose millions of customer prescription records, but it has come under criticism for being vague about how many of its customers' records were accessed. Now the company says that about 700,000 have been notified.September 30, 2009 (IDG News Service) Nearly a year after being hacked by computer extortionists, pharmacy benefits management company Express Scripts now says hundreds of thousands of members may have had their information breached because of the incident.

The trouble started for the St. Louis-based company in October 2008, when it received a letter containing the names, birth dates, Social Security numbers and prescription data of 75 patients. The extortionists threatened to turn the information public if they weren't paid. Express Scripts refused and instead notified the U.S. Federal Bureau of Investigation. The company is now offering a US$1 million reward for information leading to the arrest of the perpetrators.

Express Script has not said how the criminals managed to get hold of the data, but in an e-mailed statement the company said that "there have been no reported cases of misuse of member information resulting from the incident."

In a June court filing, the company said that three of its customers have also been approached by the extortionists.

Toyota is one of those companies. In November 2008 it received a letter that was similar to the October Express Scripts threat, from extortionists who threatened to release information on Toyota employees and their dependents.

Express Scripts manages pharmacy benefits for corporations and government agencies. It reported $22 billion in revenue last year.

Customers are not the only people who have been approached by the criminals. A few weeks ago, an unidentified law firm was also provided with more records, according to Express Scripts spokeswoman Maria Palumbo. That firm turned over the records to the U.S. FBI, which in turn informed Express Scripts.

"In late August 2009, Express Scripts was informed by the FBI that the perpetrator of the crime had recently taken action to prove that he possesses more member records from the same period as those identified in the 2008 extortion attempt," the company said on its Web site. "Express Scripts is in the process of notifying these members."

In May, Washington, D.C., law firm Finkelstein Thompson brought a class-action suit against Express Scripts on behalf of members whose data was stolen. Attorneys at the firm did not return messages seeking comment for this story.

It's troubling that Express Scripts has apparently been unable to figure out exactly whose data was accessed, said Dissent, a health care professional who runs the Web site and uses a pseudonym to keep her privacy advocacy separate from her professional practice. "Given that they may not really yet know the full scope of this incident and that we really cannot be sure that the extortionist didn't acquire the entire database, it would seem prudent to notify everyone whose records were in the database," she wrote in an e-mail interview.

"This breach is certainly not the largest breach involving personal health information that we've seen," she said. "But it is nevertheless a very troubling breach because it signals that cybercriminals are recognizing the value of databases containing patient information even where no financial or credit card information is included."

Free Security Magazines