Saturday, March 31, 2007

Top 59 in IT Security and Their Blogs

The IT Security web site had an interesting list this week of what it called the 59 most influential people in IT security.

The list included links to their blogs. It's a nice list for reference to some top notch blogs.

Here are two other comprehensive lists of IT security blogs from Security Catalyst and a list on the Network Security Blog from a blogger meeting at this year's RSA conference. I'm listed on the Security Catalyst site as the IT Security Guy.

Metasploit 3.0 Released More Windows Friendly

Metasploit released version 3.0 of its testing tool this week. The tool, used to test for web and application vulnerabilities, works better on Windows than previous versions did.

This was in an article in Computer World this week.

Metasploit simulates actual attacks, and the code the framework uses for penetration testing is posted on its site.

ID Theft Threats Surge 200% This Year

A study by Cyveillance reported that ID theft threats have jumped 200% this year alone.

It said traditional phishing attacks are being replaced by attacks that put URLs directly in e-mails. Prior to this, most phishing attacks involved replicas of actual web pages.

The report was cited this week in Computer World.

Learning About and Fighting Botnets

Computer World had two interesting articles this week about botnets. One was about how to fight botnets and the other was an introduction to botnets.

Thursday, March 29, 2007

The Little Black Book on WIIT

I spoke tonight on WIIT about my book, The Little Black Book of Computer Security.

I talked about what inspired me to write the book, what it's about and its target audience.

I also discussed other security insights not mentioned in the book.

Thursday, March 22, 2007

IMSafer for Protecting Kids on MySpace

Computer World had an article yesterday about a new product from IMSafer for protecting kids using MySpace. The MySpace product is a new addition to their line and is available as a free download from their web site.

Parents can register with the site and check comments posted to MySpace. They can check for inappropriate or predatory comments.

Back on WIIT

I was back on WIIT again tonight talking about hacking techniques: new and old.

The station had been down for the past six weeks because of technical difficulties.

I'll be back next week to talk about my book, The Little Black Book of Computer Security.

Wednesday, March 21, 2007

NetSecure07 at IIT in Wheaton

Today, I attended NetSecure07, the all-day annual security conference at the Illinois Institute of Technology's Rice Campus in Wheaton. Wheaton is about 30 miles west of Chicago.

The most interesting presentation was by Uday Ali Pabrai of ecfirst.com about the state of information security. Pabrai is CEO of the company, which specializes in information security and compliance.

Tuesday, March 20, 2007

More Apple Vulnerabilities Uncovered

This seems to be the month for Apple Bugs. Computer World ran a story yesterday about a new QuickTime exploit against MySpace. Details are also on the Apple web site.

All this is less than a week after Apple patched 45 other bugs.

The Month of Apple Bugs (MoAB) has more information on its web site.

Tuesday, March 13, 2007

Romanian Hacker Hits eBay

Phishing and other attacks against eBay aren't news, but this one is interesting because of some of the comments by the Romanian hacker who hit the site.

Details are in the FireMeg blog and in eWeek, The Register and Zone-h. Screen shots are on the O-ThatsWhy blog.

Computer World on Anonymous Surfing

There was a really nice article today in Computer World about surfing anonymously. The article had links to all kinds of tools, from anonymizer web sites to e-mail tools and other privacy web sites and software.

This follows up another article last week about hiding your browsing history.

Sunday, March 11, 2007

NYT Article on Identity Theft

The NYT magazine today ran an article about identity theft. It put the crime in perspective, without the usual hype while still emphasizing its seriousness. The article, Identity Crisis, was well researched with some good numbers to back up its contention that there's a lot of unnecessary panic surrounding identity theft.

The article was by Stephen J. Dubner and Steven D. Levitt, authors of the best-selling book Freakonomics. The research for the column comes from their web site.

Friday, March 09, 2007

More on the TJX Breach

The TJX breach just doesn't go away. It's been lingering in the news since it happened in January.

It should be a lesson in how a company can take a bath in the media after a breach. It's not just about data any more. It's about reputation.

This article in Computer World dances around it, but Company X sounds a lot like TJX. The company is mentioned again in another Computer World blog post.

In response, Ruby Tuesday is also beefing up its credit card security, using PCI compliance.

How To Hide Your Browser History

This is an interesting article in yesterday's Computer World about how to really hide your browser history.

Online Trading Fraud Ring Broken

The LA Times reported yesterday about the break up of an online trading fraud ring.

Enigform 0.7.0 Released

Arturo "Buanzo" Busleiman announced the release this week of version 0.7.0 of his tool Enigform.

Enigform is for digitally signing HTTP POST requests with OpenPGP.

The project is available for download from Freshmeat and Mozdev.
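The idea behind Enigform, binding a signature to the contents of an HTTP POST so the server can tell whether the request really came from the key holder and arrived unaltered, is easy to show in miniature. The following is an added example, not Enigform's code: where Enigform uses OpenPGP signatures, this uses the Go standard library's Ed25519 instead, and the `SignedPost` type, the `X-Signature`-style header value and the form body are constructed for the demo. The method, path and a digest of the body are signed together, so the server rejects a request whose body was changed in transit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// SignedPost is a minimal model of one HTTP POST: the parts covered by the
// signature plus the signature value the client would carry in a header.
// (Hypothetical type for this example.)
type SignedPost struct {
	Method    string
	Path      string
	Body      []byte
	Signature string // base64 Ed25519 signature, as it would appear in a header
}

// canonical builds the exact byte string that gets signed. Method, path and a
// digest of the body are bound together so altering any one of them
// invalidates the signature.
func canonical(method, path string, body []byte) []byte {
	sum := sha256.Sum256(body)
	return []byte(method + "\n" + path + "\n" + hex.EncodeToString(sum[:]))
}

// Sign is the client side: produce the signature value for a POST.
func Sign(priv ed25519.PrivateKey, method, path string, body []byte) SignedPost {
	sig := ed25519.Sign(priv, canonical(method, path, body))
	return SignedPost{Method: method, Path: path, Body: body,
		Signature: base64.StdEncoding.EncodeToString(sig)}
}

// Verify is the server side: rebuild the canonical form from what actually
// arrived and check it against the signature. Malformed signature values are
// rejected rather than passed to the verifier.
func Verify(pub ed25519.PublicKey, p SignedPost) bool {
	sig, err := base64.StdEncoding.DecodeString(p.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, canonical(p.Method, p.Path, p.Body), sig)
}

// Demo signs a constructed form submission, then checks that the untouched
// request verifies and that one whose body was altered in transit does not.
func Demo() (genuineOK, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	body := []byte("user=alice&comment=hello") // constructed sample POST body
	post := Sign(priv, "POST", "/comment", body)
	genuineOK = Verify(pub, post)

	tampered := post // same signature value, different body
	tampered.Body = []byte("user=alice&comment=hello&admin=1")
	tamperedOK = Verify(pub, tampered)
	return genuineOK, tamperedOK, nil
}

func main() {
	g, t, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine request verifies: %v\n", g)
	fmt.Printf("tampered request verifies: %v\n", t)
}
```

The server-side check depends on recomputing the canonical form from the request as received, never from anything the client claims; a header that only carried a signature over the body, without the method and path, would let a signed body be replayed against a different endpoint.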

Wednesday, March 07, 2007

RFID Passport Cracked in the UK

This seems to be a never-ending saga. A security expert in the UK cracked an RFID passport using easily available tools, information gathered from Google and a home-brew program he wrote in Python.

An article appeared yesterday in Computer World and also in the Daily Mail in London.

Bruce Schneier has blogged about this many times, as well. He had a post specifically about the UK and another about RFID passports in the US.

I also wrote a story for SearchSecurity in November about RFID security.

Java Open Review Project

Here's an interesting site sponsored by Fortify Software about Java vulnerabilities. The project is called the Java Open Review Project.

Fortify makes a source code analysis tool.

PCI Compliance and TJX

TechTarget's Compliance Counselor newsletter published my article on PCI and the recent TJX breach.

I outlined some thoughts on PCI best practices.

Tuesday, March 06, 2007

Hardening IE7 Security

TechTarget's SearchWindowsSecurity newsletter had an interesting article on hardening the security of Internet Explorer 7.

The article isn't exhaustive, but it has a settings checklist and goes over the protected mode and phishing filter features.

Monday, March 05, 2007

SearchSMB Article on Insider Threats

My article on insider threats came out today on SearchSMB in their Weekly Tech Advice newsletter.

I took the view that there are three approaches to this problem: physical security, administrative security and technical controls.

There's been a lot written about this lately, and the conventional approach is to monitor the activity of employees on the network. I'm not discounting the importance of employee monitoring. But my approach was geared to SMBs, which don't have the cash or the people to do lots of electronic hall monitoring and babysitting.

Two other good sources of information on the insider threat are on the CERT web site and the Insider Risk Management Guide at SearchSecurity.

Friday, March 02, 2007

Net Crimes & Misdemeanors 2nd Edition

I just picked up the second edition of Net Crimes & Misdemeanors by Jayne Hitchcock at a local Borders. Yeah, I know, it's been out almost a year, but the first edition didn't catch my attention, so I ignored this one until recently. The foreword is by Vint Cerf, a pioneer of the early Internet.

The book is a totally non-technical treatment of computer crimes against individuals, their children, their homes, their identities and their businesses. It's an easy read while still being encyclopedic. There's also a great list of web sites in the back.

And, of course, the book skillfully covers other common topics like phishing, spam and malware.

Along the theme of being non-technical, it still explains in simple and straightforward language how to set up privacy features on things like Yahoo! Mail. This isn't technical to begin with, but it can still intimidate those who aren't techies.


More About Tor Vulnerabilities

Back in November, I had a post about Tor being cracked. Tor is a proxy server meant to hide a user's identity and IP address on the web.

Computer World ran an article today about some American researchers who cracked Tor again. Tor's executive director, Shava Nerad, replied that they haven't seen any such attacks in the wild and that this was an academic exercise.

Thursday, March 01, 2007

Worm for Sun Telnet Exploit

This one was too easy. It was only a matter of time before someone wrote an exploit to take advantage of the Telnet vulnerability in Sun Solaris 10.

An advisory was issued by CERT and there was coverage in the trade press, notably Computer World and eWeek.

Sun issued a patch, which was posted on their web site and mentioned in another Computer World article.