Monday, April 30, 2007

New NIST Guidelines on RFID Security

The National Institute of Standards and Technology (NIST) has come out with new guidelines on RFID security. NIST is known for its huge library of useful documents on all areas of information security from the administrative, like setting policies, to the technical, like network security guidelines.

I wrote an article last November for TechTarget's SearchSecurity web site about RFID security.

The new guidelines were reported on Friday in Information Week.

I talked about RFID passports being cracked in the UK in a post in March and in February wrote about RFID Guardian, an RFID security project. Bruce Schneier has commented on RFID security a number of times.

More on the Vista vs Mac Security Debate

Dino Dai Zovi in an e-mail interview with Computer World is stoking up the ongoing debate about Vista versus Mac security.

He contends that Vista's code is more secure than the Mac's. He says Microsoft's Security Development Lifecycle (SDL) has reduced vulnerabilities in newly written code.

Some of Dai Zovi's Mac exploits are listed on his blog.

Sunday, April 29, 2007

USB Tricks and Security

There was a nice article on Friday on Lifehacker about USB tricks. It included some security tips about encryption, removing traces of the USB on a desktop and how to set up a reminder to prevent forgetting your USB key somewhere.

I'll be talking about USBs and security this Thursday night on my regular show on WIIT at 7:45 PM CDT.

Tune in for details.

Saturday, April 28, 2007

The Acquisition March Continues

Websense announced this week it was acquiring SurfControl. Both companies provide services for protecting against web threats.

Websense provides web filtering software for protecting against malware and phishing, and SurfControl offers web security software, also for blocking malicious content and malware-laden web sites. The products have features for generating reports for numbers-hungry regulators.

Protecting Yourself Against Cyberstalkers

There was a real eye-opening story in Computer World this week about cyberstalking. It detailed five steps for protecting yourself from this menace. It also described how a group of mean-spirited people, even if very small, can take down a blog or online group through cyberstalking.

The article quoted a mental health professional, who divides people that harass online into two groups: trolls and cyberstalkers. The site about trolls had links to some excellent resources on privacy, a related subject.

Thursday, April 26, 2007

Doing Background Checks on Yourself?

This was an interesting article in the Career Journal section of The Wall Street Journal about doing background checks on yourself. This is another twist in the privacy area of information security.

The idea is to find out what dirt may be on you -- hopefully, mistaken -- in anticipation of an interview. Some of the results in the article are interesting, even funny.

There are links to several online background checking services, most of which aren't free, but all of which spider the web for public documents. The two free services mentioned are ChoiceTrust and StolenIDSearch.

I posted something about StolenIDSearch back in February.

Exploit Against Google

Exploit Prevention Labs reported an exploit against Google this week, using Google's sponsored links feature. Details were also reported in Brian Krebs blog on computer security in the Washington Post and Computer World.

Firewall Discussion on WIIT

I spoke about firewalls tonight on my radio program on WIIT. I'm becoming a regular guest every Thursday on the show.

I'll be on next week to talk about USB keys and security. Then I'll be taking a break for three weeks, returning to the program in June.

I recorded tonight's show and have been gathering recordings for past shows. I'll post them on my web site or on this blog -- or both -- when I've gathered everything together.

One other thing, I added a link on my web site to firewall resources a few days ago. I gave incorrect information on the show. The script was written before I made the changes to the site.

Latest Batch of ATE Questions

Wednesday, April 25, 2007

Mac Attack Now a Browser Issue

Now, it appears the fabulous Mac attack is actually a browser issue. It just happens to have been discovered on a Mac. The culprit is QuickTime. Doesn't that sound familiar? This isn't the first time QuickTime has been exploited.

Details are on the Matasano blog, the Information Security Sell Out blog and Computer World.

The fun never stops.

More on the MacBook Hack

There was some interesting press on the recent Mac hack at CanSecWest in Vancouver last week. The successful hacker was Dino Dai Zovi of Matasano.

Ryan Naraine interviewed Dino at the Vancouver conference, and had some other observations in another post on his blog Zero Day. Computer World also reported on the hack, which was from a QuickTime flaw. eWeek had an article on another Mac exploit, this one through Safari.

Matasano's blog has more details.

More on the US Credit Card Skimming Ring

Finextra, a British banking newsletter, reported on Monday about losses due to card cloning, where PINs are stolen from chips embedded in credit cards. The article also mentioned the break up of a skimming ring here in the US.

I posted something about this over the weekend.

Special Report on Protecting Data

The tech magazine, eWeek, has a special report on protecting data. It's mostly a round up of recent news about data breaches and defending against them.

But nothing beats the hit parade of data breaches from the Privacy Rights Clearinghouse. Sadly, the web page is getting longer and longer. There were 19 breaches alone this month.

Other security sites of interest on eWeek -- there are three -- include their Security Center, IT Security Hub and Security Watch. Their Zero Day blog by Ryan Naraine is also very good.

Sunday, April 22, 2007

New Security Metrics Book

In the nefarious world of security metrics, there aren't too many good references. Or should I say, none at all? It's all pretty much do-it-on-your-own and invent some numbers by hocus pocus.

Yes, ROI has been a popular benchmark for convincing skeptical CFOs and other C-level executives of why they should invest in security. Supposedly, ROI provides a business case for something that most executives see as an expense and a hindrance.

I have to admit that even I fell under the ROI spell in this SearchCIO article last October.

But the recent release of Security Metrics by Andrew Jaquith now makes it that much easier to talk to the business side of the office. The book was released late last month by Addison-Wesley.

There's also an accompanying web site with a mailing list and other good stuff for metrics geeks.

Quoted in Processor Magazine

I was pleasantly surprised to see that I was quoted a few weeks ago in Processor magazine. The article by Tony Bradley was about Vista security.

Joel Dubin, Microsoft MVP and author of “The Little Black Book of Computer Security,” notes, “Some of the features, such as User Account Control, are aimed at home users, and its pop-up windows could be difficult for a small business user, but it’s a little early to tell since it hasn’t been widely adopted yet. The other security features, such as Windows Defender, operate in the background and wouldn’t be intrusive. But for a small or medium-size business the best approach is to see how well it integrates into their current environment. If they’re using Active Directory, for example, the Vista systems would connect to that environment, where many of the same security features can be controlled through GPOs.”

Tony is the author of numerous articles and books, including Essential Computer Security, and runs the web site on network security.

Processor is a weekly tabloid-size newspaper, specializing in articles about products and issues of interest to SMBs.

They had two other interesting articles in their March 30 issue, Tips for Better Security and Compliance and Safeguarding Against Logic Bombs.

Saturday, April 21, 2007

Targeted E-Mail Attacks

In a report released this week by MessageLabs, targeted e-mail attacks against single users were on the rise in March. Of the attacks, 84% were exploits in Microsoft Office, with an almost even split between Word and PowerPoint documents.

PowerPoint seemed to be leading the race, pulling ahead slightly last month.

What was most ominous was that most of the attacks came out of China and were targeted against US government agencies. The attackers found an exploit that was so successful, they used it repeatedly since last November. The attacks take over control of the victim's PC.

These types of attacks aren't really news. Targeted attacks have been on the rise for over a year and are one of the hottest new hacking trends. This recent set of attacks is just part of an ongoing trend.

Though government agencies topped the list of targets, there were also significant numbers of attacks against private sector companies in electronics, aviation, retail, communications and finance. The goal of the attackers was to steal data and information.

Interestingly, according to the report, the hackers took a break on weekends, hitting only Monday to Friday.

This was also reported in Computer World.

Free Browser Security Tools

Finjan Software this week announced the release of its free SecureBrowsing plug-in for both Internet Explorer and Firefox. The tool is meant to help web surfers avoid dangerous web sites.

Finjan specializes in web security and offers a line of products, including hardware appliances for blocking malicious web traffic. Their web site has white papers, case studies and other tools and information about web security.

The Finjan story was reported this week in Computer World.

Two related web sites of interest are SiteAdvisor from McAfee and LinkScanner from Exploit Prevention Labs. Unlike the Finjan tool, these are web sites where you enter the URL of a web site, the suspected site is scanned and a report is returned.

Also, here is an interesting article out of Stanford about protecting browser state from web privacy attacks. The article introduces two tools: SafeCache and SafeHistory. Both tools are for Firefox only. Sorry, IE users.

Offline Credit Card Theft

This story just broke about two hours ago on the AP wire about a ring of credit card thieves indicted yesterday in New York.

Now, there's nothing unusual about credit card thieves, and there's nothing special or innovative about this particular card ring. But that's just my point. The bulk of credit card theft, or any type of identity theft, for that matter, continues to be offline -- not online. Thieves are using the same old tactics they've always used: dumpster diving, going through medical records or just plain stealing card numbers directly from shoppers and diners, as in this case.

While I'm on my soapbox about the subject, I want to make clear that credit card theft is fraud, plain and simple. It's not identity theft. The media seems to confuse the two. Full-blown identity theft is stealing someone's entire financial identity and opening up lines of credit in their name. The identity thief not only can go on a shopping spree but can buy a car or a house under the victim's name.

This doesn't minimize the growth of online fraud and theft. But that's still mainly through social engineering tactics like phishing and keystroke logging Trojans. These crimes are increasing, but the bulk still comes from breaches of physical security like the one the AP reported today.

How to Handle a Data Breach

Here's a real nice checklist from the Federal Trade Commission (FTC) about how to handle a data breach.

The checklist was referenced in an article yesterday in Computer World.

Friday, April 20, 2007

Windows DNS Flaw and Other Code Exploits

It was another fun-filled action-packed week for code flaws. The Windows DNS exploit grabbed the headlines mid-week with this story from Computer World. The next day, they published an FAQ on the exploit followed by an eWeek story about the status of a patch from Microsoft.

Yesterday, a security researcher at Juniper demonstrated a way to attack routers and cell phones with a null pointer error. His presentation was at the CanSecWest security conference in Vancouver.

Null pointers are pesky problems that arise in code when a variable holds no reference to anything -- the null value -- and the program then tries to use it, hence the name null pointer. This usually happens when a developer doesn't initialize a variable or tries to use a variable that hasn't been created yet. I ran into these many times when I was a Java developer in a past life. That might explain why I'm in security now and no longer a coder. I had created just one too many null pointers.

The Juniper researcher was creative in turning null pointers into an attack vector.
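As an added illustration of the null pointer problem described above (this is not code from the original post, and it has nothing to do with the Juniper presentation), here is a small C example in the defensive direction: a lookup that returns NULL when a key is missing, shown beside the unchecked caller that would crash and the checked caller that reports the failure through its return value. The configuration table, the key names and the function names are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: a tiny key/value table standing in for a
 * device configuration. The keys, values and names are hypothetical. */
struct setting {
    const char *key;
    const char *value;
};

static const struct setting config[] = {
    { "hostname", "router-01" },
    { "ssid",     "office-wifi" },
    { NULL, NULL }             /* sentinel marks the end of the table */
};

/* Returns a pointer to the value for key, or NULL if key is absent.
 * A NULL return is a normal outcome here, so every caller must check it. */
const char *config_lookup(const char *key)
{
    if (key == NULL)
        return NULL;           /* refuse to dereference a NULL key */
    for (const struct setting *s = config; s->key != NULL; s++) {
        if (strcmp(s->key, key) == 0)
            return s->value;
    }
    return NULL;
}

/* Unchecked pattern: assumes the key always exists. For a missing key
 * strlen() is handed a NULL pointer and the process crashes. */
size_t value_length_unchecked(const char *key)
{
    const char *v = config_lookup(key);
    return strlen(v);          /* dereferences NULL when v is NULL */
}

/* Checked pattern: test the pointer before use and report a missing
 * key through the return value instead of dereferencing NULL. */
int value_length_checked(const char *key, size_t *out_len)
{
    const char *v = config_lookup(key);
    if (v == NULL)
        return -1;             /* caller sees the missing key explicitly */
    *out_len = strlen(v);
    return 0;
}

int main(void)
{
    size_t len = 0;
    if (value_length_checked("hostname", &len) == 0)
        printf("hostname length: %zu\n", len);
    if (value_length_checked("missing", &len) != 0)
        printf("missing key handled without a crash\n");
    /* value_length_unchecked("missing") would crash here, so it is not called. */
    return 0;
}
```

The point of the two callers is that the null value itself is harmless; the crash comes from using it without a check, which is exactly the case a reviewer should look for wherever a function documents NULL as a possible return.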

It was just another episode in the continuing saga of malware development. What a great week it was for malware developers.

Schneier on His Love for Security Vendors

This article on the Wired web site yesterday is no surprise for followers of Bruce Schneier. He talked about why security vendors sell lousy products. Vintage Schneier. I liked his analysis of the economics of how bad products drive out good ones. This is something else he's good at -- economic explanations of security.

There was a reference to how the 4 GB USB stick he uses was cracked. Nice job there too, with screen shots of how they did it.

The web site appears to be a great collection of tech news -- in Dutch -- for those fortunate enough to speak that language. Unfortunately, it's not one of the six languages I speak (English, Spanish, Hebrew, Arabic, Italian and Portuguese). Maybe I should work on adding it to my list . . .

Thursday, April 19, 2007

My WIIT Radio Show Tonight on Wireless Security

Tonight I'll be back on WIIT to discuss wireless security. The program will be at 7:45 PM and can be heard live by streaming media from their web site.

I'm going to be talking about both traditional methods of securing wireless networks and some contrarian views, if time permits.

Here's your homework in preparation for tonight's class. There's been a lot of articles lately about wireless security in the trade press. This is a sampling:

The infamous article on cracking WEP keys by a pair of German researchers.

An interesting post today on Martin MC Brown's blog on Computer World about wi-fi piggybacking. He references two items from the BBC -- one on wireless hijacking and the other on wi-fi theft.

Here are some interesting guides from George Ou on ZDNet and his LAN Architect site.

Sunday, April 15, 2007

More Weaknesses in SiteKey

The fake boarding pass guy is at it again, according to Slashdot this week. He posted videos on his blog about how he bypassed SiteKey, an authentication scheme for logging onto Bank of America's web sites.

Two weeks ago, another commentary on SiteKey weaknesses came out, and there was some press in February. More information is in my original post.

New Apache Module for Enigform

The ever-enterprising Arturo "Buanzo" Busleiman has released a new module for Apache to support Enigform on the server side as an authorization module. The module is called mod_auth_openpgp and is in alpha.

I've been following Enigform since February, when it first came out. My last post was in March, when version 0.7.0 was released. Enigform is for digitally signing HTTP POST requests with OpenPGP.

Check out Buanzo's blog. It's packed with all kinds of neat security stuff.

Tuesday, April 10, 2007

Spring 2007 Edition of 2600 on Newsstands

It's almost three weeks early -- again -- but 2600 is out on the newsstands.

The whole issue, as always, was good, but there were two decent articles that stood out:

Understanding Web Application Security was a nice succinct four-page summary of the key threats. The article was by Acidus of Most Significant Bit Labs.

The other article was about one of my favorite subjects -- proxies. Lists of proxies are like ships in the night. They come in and then go out and disappear. But there was an updated -- for now -- list of sites with more proxies and tools listed.

Sunday, April 08, 2007

New Identity Management Link

I added so many new sites recently to my own web site about identity management that I decided to add a new link on the subject.

The link, Identity, is on the left hand navigation panel of my web site.

Saturday, April 07, 2007

WEP Broken Again

The news doesn't get any better for WEP. Now, a group of German researchers have cracked it in less than a minute.

Someone could basically walk through an office and crack the WEP key of a wireless access point, according to an article this week in Computer World.

Details about the crack are on the researchers' web site.

More on the Weaknesses of SiteKey

In one of his newsletters this week in Network World, Prof. Michel Kabay gave a real nice analysis of why SiteKey is a weak method of authentication.

He first discussed this issue in a previous newsletter.

This was also mentioned in a New York Times article in February about the weakness, in general, of online bank security.

In all these cases, SiteKey keeps getting mentioned.

Tuesday, April 03, 2007

SearchSMB Article on Security Awareness Training

My article on security awareness training came out yesterday on SearchSMB's Weekly Tech Advice newsletter.

Chinese Internet Security Blog

The Chinese Internet Security Response Team, or CISRT, has an interesting blog on security activity in China.

The blog has been active in the past few days reporting on the recent Microsoft cursor bug.

The latest news about the bug and about Microsoft's fix due out today is on their MSRC blog.