Monday, May 14, 2007

Cybercrime In Italy

I'm here in Italy for two weeks on vacation. According to a news report, the Guardia di Finanza is in charge of investigating cybercrime in Italy.

Here are two links in Italian about IT security in Italy: an announcement of a cybercrime conference by the Guardia di Finanza and Raffaele Rialdi's blog.

I'm here in Italy on vacation for two weeks. According to the TV news, the Guardia di Finanza is responsible for cybercrime investigations in Italy.

Here are two links on IT security in Italy: an announcement by the Guardia di Finanza of a conference on cybercrime, and Raffaele Rialdi's blog.

Friday, May 11, 2007

Ira Winkler on Google Hacking

The noted security expert and author, Ira Winkler, was interviewed this week by SearchSecurity's Bill Brenner about Google hacking.

Winkler didn't say it wasn't a problem. But he was amazed at some of the recent hoopla over Google hacking, as if it were a newly found exploit. He compared it to other recent press about Microsoft Office macro exploits. These, too, he said, have been known for a decade.

Winkler said it reflected the state of the information security today. He also said part of the problem was the influx of new people into the industry without any history of prior exploits.

I have a signed copy of Winkler's book, Spies Among Us, from a signing he did at RSA last year.

And, by the way, the king of Google hacking, Johnny Long, has a great web site with a database of Google exploits. Long also has a book on the subject, Google Hacking for Penetration Testers. His book remains the Bible and ultimate reference on Google hacking.

Thursday, May 10, 2007

Java Security Holes Getting Worse

There was a nice article yesterday in eWeek about how Java security is actually getting worse. The story is based on presentations at Java One both this year and last, comparing security changes over the year.

An interesting point is that Java is susceptible to XSS.

One thing the article didn't go over was buffer overflows: possible, but not likely, in Java, yet interesting to note in any case.

As for buffer overflows, Java by default checks the size of inputs, making it better at preventing buffer overflows than other languages. C and assembly, for example, don't check buffer sizes. A developer has to specifically add code in these languages to check buffers and block overflows.

But, at the same time, Java is used for connecting web systems to back-end systems, which often run C and assembly. So, it can potentially pass overflows through to susceptible systems. That is, if the size of the overflow is small enough to get past the Java checks but big enough to do damage on the back-end system. And, that's possible, but still a big if.
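The check the two paragraphs above call for, as an added example that is not from the eWeek article or from any Java One presentation: the front-end tier (Python here stands in for the Java tier; the logic is identical in Java) has to enforce the back end's buffer limits itself, because the C side will not. The record layout, field limits and sample records are constructed for illustration. The example also shows the edge case that lets an overflow slip past a front-end check: counting characters instead of encoded bytes.

```python
# Added example (not from the eWeek article): the explicit length check a
# front-end tier must make before forwarding data to a back end whose
# fixed-size C buffers are not bounds-checked. Python stands in for the
# Java tier; the record layout and limits below are constructed.

# Hypothetical back-end layout: field name -> size of the C char[] buffer
# reserved for it, in BYTES, including the terminating NUL.
BACKEND_LIMITS = {"account": 16, "memo": 64}


class OversizedField(ValueError):
    """Raised when a field would not fit its back-end buffer."""


def naive_char_check(record, limits=BACKEND_LIMITS):
    """The check that is easy to write and wrong: it counts characters,
    so a string of non-ASCII characters can pass while being far longer
    in bytes than the C buffer that will receive it."""
    return all(len(record.get(name, "")) < limit
               for name, limit in limits.items())


def encode_for_backend(record, limits=BACKEND_LIMITS, encoding="utf-8"):
    """Encode each field and enforce the back end's limit on the ENCODED
    byte length, leaving one byte for the NUL terminator the C side stores.
    Returns the encoded record, or raises OversizedField."""
    encoded = {}
    for name, limit in limits.items():
        data = record.get(name, "").encode(encoding)
        if len(data) + 1 > limit:
            raise OversizedField(
                f"{name}: {len(data)} bytes, buffer holds {limit - 1}")
        encoded[name] = data
    return encoded


def is_safe_for_backend(record):
    """Convenience wrapper: True if every field fits, False otherwise."""
    try:
        encode_for_backend(record)
    except OversizedField:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample records.
    ok = {"account": "ACC-0001", "memo": "monthly"}
    sneaky = {"account": "ACC-0001", "memo": "\u00e9" * 40}  # 40 chars, 80 bytes
    print(naive_char_check(sneaky), is_safe_for_backend(sneaky))  # True False
    print(encode_for_backend(ok))
```

The `sneaky` record is the case the post describes: small enough to pass a check that counts characters, yet long enough to overrun a 64-byte buffer on the C side. Whatever language the front end is written in, the limit has to be checked on the bytes the back end will actually receive.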

There are some good links in the article to other Java security resources and a Java One presentation.

Tuesday, May 08, 2007

Bank Login Debate Still Simmering

Slashdot had a post today about banks not using SSL for their login pages. This debate is still simmering with more details in a post in the IEBlog.

I've been following this since February. My last post was in April on SiteKey weaknesses.

SQL Injection Cheat Sheet

This is a nice cheat sheet about SQL injection from Ferruh Mavituna.

There are links to other SQL injection resources. This, of course, is only for informational purposes and shouldn't be tried by our studio audience.

SPI Dynamics, developer of WebInspect, also has a great blog and site with SQL injection information.

Guide to NIST Guides

Prof. Mich Kabay in his Network World column today had a great review of the Guide to NIST Information Security Documents.

The National Institute of Standards has tons of great references and templates for information security policies, procedures and standards.

Sometimes, it's just too difficult to find the right one. The guide in Kabay's article makes it that much easier.

Sunday, May 06, 2007

Hacking Exposed Wireless and Links

The newest book in the Hacking Exposed series, Hacking Exposed Wireless, recently came out. While not as dazzling as some of the other books in the HE series, it still has the usual parade of hacks and tricks used for breaking into wireless networks.

Johnny Cache, one of the authors, is a wireless guru who has spoken at major security events like Black Hat. He has a web site with his wireless tools, including airbase.

Trojan Impersonating Microsoft Activation

Symantec reported this week on a Trojan that imitates the activation process for Windows XP. This sneaky little social-engineering exploit was also reported on Yahoo and Computer World.

The post was on Symantec's blog and in their Security Response center.

New Identity Theft Resources

PC World had an article this week about some online resources for protection from identity theft.

Two of the services they mentioned, myTruston and StolenIDSearch, are free. They also had a link to a list of state privacy laws and the Identity Theft Resource Center, a popular clearinghouse for ID theft information.

I had a post about StolenIDSearch in February, when it was first launched, and then again last month, when I talked about doing background checks on yourself.

Thursday, May 03, 2007

Recent Stuff on Endpoint Security

Prof. Mich Kabay in his regular column in Network Security had some interesting statistics about enforcing security policies for workstations.

Last month, Network World had a review of Network Access Control (NAC) tools, a related area. And, then, recently a new book, Endpoint Security by Mark Kadrich, came out on the subject.

Endpoint security and NAC have been a hot topic since workstations are now seen as the weakest link in many companies' IT security. Even with firewalls, the right application attack can sail right through, land on a desktop and wreak havoc.

My Take on VPNs and SMBs on SearchSMB

I had an article on the VPN choices for SMBs that came out today on TechTarget's SearchSMB web site.

New Month of Bugs Project for ActiveX

A new blog in the Month of Bugs series came out recently. This one is the Month of ActiveX Bugs. These Month of . . . blogs have been of mixed success but are interesting reading, in any case.

There was also an article yesterday in Computer World about the MoAxB project.

My TechTarget Article on Insider Profiling

My article on profiling malicious insiders came out today in the Threat Monitor newsletter of TechTarget's SearchSecurity web site.

CERT has done the benchmark work in this area and has a number of publications on their web site.

Wednesday, May 02, 2007

Great YouTube About Chase Dumpster Diving

The Service Employees International Union (SEIU) has posted a video on YouTube showing how customer data from Chase is carelessly tossed into trash cans.

This isn't chivalry on the part of the SEIU. The Washington, D.C.-based union is currently having a labor disagreement with Chase.

But, nonetheless, it's great footage and really interesting.

My TechTarget Article on TJX and Compliance

My article on the TJX breach and compliance mistakes came out today in SearchSecurity's Compliance newsletter.

CSO on the State of Hacking

CSO's Scott Berinato did an online interview with an alleged hacker about the state of hacking today. Yes, I know this is from March and a bit dated, but it just hit the top of my To-Read pile today.

It's the point of view of only one hacker and doesn't have lots of details, but I thought it was worthwhile since it made points that go against some of the things in the trade press about hackers and hacking.

Tuesday, May 01, 2007

New SDL Blog

Microsoft has a new blog devoted entirely to its Security Development Lifecycle. The inaugural post was last week.

Michael Howard, one of the blog's writers, is also the author of the Security Development Lifecycle with Steve Lipner.

Best Security Blogs from CW's Top 15

Computer World had a list today of its top 15 geek blogs. Among those, here are my top picks related to security:

Here are some of my suggestions for lists of top security blogs:

Web 2.0 Security and Financial Services

Help Net Security had an article this week detailing the security issues around Web 2.0 for financial institutions. It said that banks and other financial companies, which have been grabbing on to Ajax and other Web 2.0 technologies, need to be careful of some of the security vulnerabilities for online transactions.

Most of the issues revolve around the usual problems in application code: cross-site scripting and other types of code injection. But there are also vulnerabilities in unprotected RSS and XML, which can also hide nasty code and links to malware if not properly validated.

The article was by Shreeraj Shah of Net-Square. He has written books about web security and has a blog.

There was also an academic article from last December, Subverting Ajax, on the same subject, though it's somewhat technical.

Verisign Offering Disposable Passwords

Verisign announced today a new type of payment card with an embedded One-Time Password (OTP) generator. Until now, most OTPs have been in devices like tokens and key fobs.

The card works just like the tokens. It has a button on the back that is pushed each time the user wants to make a transaction, and pressing it displays a number. The card generates a new number for every transaction.

The user enters their user ID and password and also the OTP number plus a PIN. The OTP and PIN combination is one factor and the user ID and password are the second factor in what is considered a two-factor authentication system. The user ID and password are the "what you know" piece and the OTP value is the "what you have" piece of a two-factor system.
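The server side of the scheme described above, as an added example that is not from the Market Watch story or from Verisign: a card that produces a fresh code on every button press, and a verifier that checks the PIN ("what you know") together with the code ("what you have"). The article does not say which algorithm the card uses, so this example assumes the event-based HOTP algorithm of RFC 4226; the user, secret, PIN and look-ahead window are constructed for illustration. It also covers the two edge cases a verifier for a press-to-generate card has to handle: a code submitted twice (replay) and codes skipped because the button was pressed without a transaction.

```python
# Added example (not from the article or Verisign): verifying an event-based
# OTP card plus PIN on the server. Assumes RFC 4226 HOTP for the card's code;
# all names, secrets and PINs below are constructed.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpCard:
    """The 'what you have' factor: each button press advances the card's
    counter and shows the code for it."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def press(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class OtpVerifier:
    """Server side: per user, the shared secret, the highest counter value
    accepted so far, and the PIN ('what you know')."""

    def __init__(self, lookahead: int = 10):
        # How many unused presses the server tolerates between transactions.
        self._lookahead = lookahead
        self._users = {}

    def enroll(self, user: str, secret: bytes, pin: str) -> None:
        self._users[user] = {"secret": secret, "last": -1, "pin": pin}

    def verify(self, user: str, pin: str, code: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        pin_ok = hmac.compare_digest(pin.encode(), rec["pin"].encode())
        # Search the window of counters after the last accepted one, so a few
        # idle button presses do not lock the user out.
        matched = None
        start = rec["last"] + 1
        for c in range(start, start + self._lookahead):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                matched = c
                break
        if not pin_ok or matched is None:
            return False
        # Replay protection: the matched counter and everything below it is
        # now dead, so the same displayed number can never be accepted again.
        rec["last"] = matched
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test secret
    verifier = OtpVerifier()
    verifier.enroll("alice", secret, "1234")
    card = OtpCard(secret)
    first = card.press()
    print(verifier.verify("alice", "1234", first))   # True
    print(verifier.verify("alice", "1234", first))   # False: replay
```

Both factors are checked before the result is returned, and a correct code with a wrong PIN does not advance the stored counter, so an attacker who has only the card cannot burn through the legitimate user's codes by guessing PINs. The look-ahead window is the usual trade-off for a press-to-generate card: large enough to survive stray presses, small enough that guessing a six-digit code stays impractical.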

The story was reported today on Market Watch.

A few days later, Larry Seltzer had some interesting comments in eWeek. He made the same arguments as most businesses about OTPs -- they're a hassle to customers and could potentially drive business away. But, interestingly, he was also cautiously optimistic.

How PayPal Fights Phishing and Fraud

There was an interesting article today on TechTarget's SearchSecurity web site about how PayPal combats phishing.

Considering that PayPal is the most phished brand on the planet, these could be some good tips.