Tuesday, August 28, 2007

New Bot Herder Evasion Tactics

Ever wonder what keeps those bots going? It's called fast flux DNS, according to an article on Security Focus.

Rather than rely on a single IRC channel, bot herders are using the DNS tactic to evade detection and stay out at night past curfew. IRC channels, the bot medium of choice until recently, were a single point of failure. Once a bot fighter took down the IRC, the bot came down with it.

Not so with DNS fast flux, which uses a network of servers, playing musical chairs with IP addresses and their DNS entries. Not only do they move around fast enough to stay ahead of their pursuers, they're a network that can't be easily taken down by removing one foul DNS server from the network.
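The behavior described above is also what makes fast flux visible to a defender: repeated lookups of the same hostname return short TTLs and a constantly churning set of addresses spread across unrelated networks. The heuristic below is an added example, not code from the Security Focus article or this blog; its thresholds and the lookup samples are constructed assumptions.

```python
"""Heuristic fast-flux detector over repeated DNS lookups of one hostname.

A fast-flux hostname rotates its A records through many compromised hosts,
so repeated lookups show short TTLs, a large and changing address set, and
addresses scattered across unrelated networks. Thresholds are illustrative
assumptions, not values from any published detector.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Lookup:
    """One observed DNS answer: seconds since start, TTL, answered A records."""
    t: int
    ttl: int
    ips: list[str]


def flux_features(lookups: list[Lookup]) -> dict:
    """Summarise how much the A records move between successive lookups."""
    seen: set[str] = set()
    new_per_lookup = []
    for lk in lookups:
        fresh = set(lk.ips) - seen          # addresses never answered before
        new_per_lookup.append(len(fresh))
        seen |= set(lk.ips)
    # Distinct /16 prefixes approximate "how many unrelated networks":
    # bot hosts sit on many ISPs, a normal service usually does not.
    prefixes = {ip_network(f"{ip}/16", strict=False) for ip in seen}
    churn_base = max(1, len(lookups) - 1)
    return {
        "distinct_ips": len(seen),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min(lk.ttl for lk in lookups),
        # Share of follow-up lookups that introduced never-before-seen IPs
        "churn": sum(1 for n in new_per_lookup[1:] if n > 0) / churn_base,
    }


def is_fast_flux(lookups, max_ttl=300, min_ips=10, min_prefixes=5, min_churn=0.5):
    """Flag a hostname whose answers are short-lived, numerous, spread and churning."""
    f = flux_features(lookups)
    return (f["min_ttl"] <= max_ttl and f["distinct_ips"] >= min_ips
            and f["distinct_prefixes"] >= min_prefixes and f["churn"] >= min_churn)


# Constructed samples (not real observations): a fluxing name answers three
# new addresses in new /16s every 180 s; a stable name always returns two.
FLUX = [Lookup(t=i * 180, ttl=180,
               ips=[f"{10 + i}.{20 + j}.{i}.{j + 1}" for j in range(3)])
        for i in range(6)]
STABLE = [Lookup(t=i * 3600, ttl=86400, ips=["198.51.100.10", "198.51.100.11"])
          for i in range(6)]
```

In practice the lookups would come from passive DNS or resolver logs rather than being constructed inline.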

Russ Cooper also had a blurb in MCP's Security Watch column this month.

How to Hack Your Office Systems

The Wall Street Journal ran an interesting, if not provocative, article on how to evade security controls in your office. Ten Things Your IT Department Won't Tell You is a cookbook (yes, a la O'Reilly) on office hacking.

Prof. Mich Kabay was less than enthusiastic about the article and had some equally thought-provoking comments in his Security Strategies newsletter today on Network World's web site.

I had to admit the article raised my eyebrows, as well, when I first read it.

Monday, August 27, 2007

Java Security Video from Chris Pirillo

Here's an interesting video from Chris Pirillo on Java security. It's pretty basic, but I like it because it hits the high points.


More details are on Pirillo's web site.

The Monster Mess: Hack or Not?

The Monster incident last week is the story that keeps on giving. I love it. It's my second-favorite breach, after TJX.

Of course, purists are claiming it wasn't a hack. But the theft of personal data, even by sneaky social engineering, still makes this a breach, in my opinion.

Again, it's all there, the ingredients of a great breach. There was phishing, a compromised Ukrainian server and targeted attacks all over the place.

Lousy IT Security Advice

Here's a compendium of some of the worst IT security advice ever given from Computer World.

I think those of us in the industry have heard all of these at least once. But it's nice to see them all in place for a few laughs.

Laptop High Security Paranoia

Computer World's undercover security manager had some thoughtful -- maybe a bit excessive -- ways to protect her organization from laptops. I can't say I totally disagree with her, though I might not do the same thing in her situation.

Her suggestions about keeping the laptop with her at all times, whether through airport security or in a hotel room, are exactly what I do when traveling. A lot of it is common sense and simple, low-tech procedures.

I wrote an article in June for SearchSMB with some simple tips for securing laptops.

Companies Blocking Facebook

According to a report last week by anti-virus vendor Sophos, close to half of the companies they polled block access to Facebook. Only 8% allowed access because of fears of a backlash.

Companies were concerned about cyberloafing on the job more than anything else. Yes, there was also the concern about identity theft or loss of company secrets. Interestingly, there was no mention of the possibility of XSS, a threat on social networking sites like Facebook, MySpace and others.

Sophos has tips for Facebook safety with a list of recommended privacy settings.

Tuesday, August 21, 2007

Identities of Job Seekers Stolen

In another textbook web attack, up to 1.6 million users of Monster, and other job hunting web sites, may have been infected by an identity-stealing Trojan on the sites, according to Information Week and Computer World this week.

The Trojan was embedded in ads on the sites, according to Symantec and its blog.

Saturday, August 18, 2007

Web Hacking Roundup

It was another fun week in the world of web hacking. First, there was another URI exploit uncovered by security researchers Billy Rios and Nathan McFeters. It turned out to be more serious than originally thought, according to Computer World.

URI issues have been front and center since a bug discovered last month by Thor Larholm, another security researcher.

And then, there were malware-infected greetings sent by e-mail and, to top it off, the Clpwn web-defacing gang surfaced. Boy, web defacements sure bring back memories. I didn't think anybody did that for fun any more. Now, it's all for money and XSS has replaced defacement.

Here's a link to the outstanding blog by Billy Rios on web application security.

Worst Data Breaches Ever

Here's a great slideshow from eWeek with a chronology of the worst data breaches ever.

Of course, let's not forget the granddaddy of all data breach chronologies is from the Privacy Rights Clearinghouse.

Friday, August 17, 2007

Online Shopping Best Practices

Here are some great tips for online shopping in a two-part series in Prof. Mich Kabay's Security Strategies newsletter in Network World.

The first part is about the usual tech stuff: using tools to block malware, checking for SSL and looking for other web site security indicators.

The second part deals with privacy issues.

Facebook Source Code Leak: Breach or Not?

The discovery of the leak of source code from Facebook sparked some interesting debate on the definition of vulnerabilities and the impact. Though it wasn't exactly a true vulnerability, confidence in the social networking site dipped.

Vulnerability or not, this is a textbook case of the types of weaknesses in web applications. And, it doesn't help that 40 percent of Facebook users are just too eager to give up their personal information.

A Useful Physical Security Tip Against Gunmen

Even though I'm all about IT security, I find myself following physical security tips with a morbid curiosity.

I found this tip in CSO magazine about protecting yourself against gunfire in the office quite interesting.

Monday, August 13, 2007

Handling of Undercover Reporter at Defcon

This is an interesting piece from Bill Brenner of TechTarget on their SearchSecurity site about the handling of an undercover reporter at Defcon.

Brenner did a good job of reporting both sides of the story from the blogosphere.

For those of you who may remember, the reporter, Michelle Madigan of NBC's Dateline, was asked to leave the conference for not getting press credentials. Instead, she went undercover.

I personally only caught the tail end of the tumult as she was leaving H.D. Moore's presentation on Tactical Exploitation. I saw a bunch of people, including some orange-shirted "goons" -- as the conference staff were called -- running out the door of the hall.

Phishing Kits Easily Available Online

In the most recent RSA Monthly Online Fraud Report for July, there was some interesting information about phishing kits now available online. This isn't news -- these have been around for a few months already -- but the report goes into some detail.

The story was also reported in Finextra.

Hacking Gmail at Black Hat

Here's an interesting post on TG Daily about hacking Gmail at Black Hat.

There's also a link to a slide show.

Sunday, August 12, 2007

ChicagoCon -- New Security Event in the Windy City

ChicagoCon, an exciting new security event, is coming to Chicago from September 17 to 23 and promises to be a unique combination of a conference, training and hacker fest, all in one.

There's a banner with a link on the right-hand side of this blog.

I met the organizer, Don Donzal, at Black Hat last week in Vegas. Here's a blurb from his press release:

ChicagoCon 2007: White Hats Come Together in Defense of the Digital Frontier
September 17 – 23, 2007
http://www.chicagocon.com/

ChicagoCon combines a professional security conference, certification training and a hacker con into a single, unique event. Not just another bootcamp, ChicagoCon adds value to your training dollars by providing top instructors, recognized certifications, keynotes, evening presentations, hacking demos, gift bags & more. 11 courses including CISSP, CEH, CHFI, Advanced Hacking, Cisco, SOX/COBIT, Security+, Linux+, PMP... From the novice, to the ultimate techie, to the CISO chair... everyone interested in a career in security will find something at ChicagoCon, your one-stop shop for security training and certification. Keynotes: John C. Dvorak, Steve Hunt, Lance Spitzner, Symantec, DoD. Presented by http://www.ethicalhacker.net/.

Fresh Batch of Ask The Expert Questions Posted

TechTarget's SearchSecurity web site has posted my latest batch of Ask The Expert answers:

Are one-time password tokens susceptible to man-in-the-middle attacks?
This question posed on 29 June 2007

What risks are associated with biometric data, and how can they be avoided?
This question posed on 18 June 2007

What are the PCI DSS compliance benefits of tokenization?
This question posed on 13 June 2007

Is it safe to use remote access tools to grant system access?
This question posed on 05 June 2007

What are the risks of turning off pre-boot authentication?
This question posed on 02 June 2007

More on Cyberwar

Prof. Mich Kabay of Norwich University in Vermont had a two-part series about cyberwar in his regular Security Strategies newsletter on Network World's web site.

The first part outlines three possible levels of cyberwar, while the second part offers some defenses.

Part two had a link to a detailed paper by the Business Roundtable. The paper said our government lacks consistent policies and strategies for dealing with cyberwar, while the defense against such attacks wouldn't be costly.

VPN Security Still Lacking

Computer World reported last week on pen tests of VPNs in the UK that had less than stellar results.

Since so many companies rely on VPNs for secure remote connections for their road warriors, this is thought-provoking.

I wrote an article last year about pen testing VPNs with a simple approach to looking at both IPSec and SSL VPNs.

Some Thoughts on Vista Security

I thought this article in this month's Redmond magazine on Vista security was well done. It distilled Vista security into a series of ten "security truths."

Whether you love Vista or not, whether you think its new security features can wow Windows or are just more of the same, Roger Grimes puts the issue in perspective.

There have been many complaints, for example, about the usability of Vista's new User Access Control (UAC) feature. Grimes explains what it is and what it really does, and puts it in context.

Web Browser Attacks and Defenses

A big vector for attacks these days seems to be through web browsers. Unprotected, unpatched and widely used, the lowly browser takes a beating from hackers looking for the path of least resistance to someone's desktop. And why not? Nothing could be easier. Traffic bounces in unimpeded on port 80, unnoticed because it's just ordinary web traffic.

At Black Hat last week in Las Vegas, Dan Kaminsky and Robert Hansen showed how easy it is to penetrate internal networks through browsers. Kaminsky used an old exploit with a Java applet and Hansen used JavaScript to attack DNS in what's called "anti-DNS pinning."

I saw Hansen's presentation at Black Hat and the exploit was so easy, it was scary. Just a few lines of harmless -- yeah, right -- JavaScript code. I love JavaScript. I used to code in it about five years ago when it couldn't do much on a network. Now, with new features for AJAX and Web 2.0, it can be a lethal weapon. My how times have changed.

Here's more from Information Week about Hansen's presentation, done jointly with Jeremiah Grossman, author of the recently released XSS Attacks. I call their technique scanning without scanning.

Here's an interesting article from Redmond magazine about protection against web attacks.

On a side note, I picked up a copy of Grossman and Hansen's XSS book at Black Hat. It's the only book completely dedicated to the subject.

Thursday, August 09, 2007

Two New TechTarget Articles

I had two articles appear on TechTarget today. One was in the SearchSMB Weekly Tech Advice newsletter on intrusion detection and prevention.

The other was in SearchSecurity's Web Security newsletter about fault-injection attacks.

Wednesday, August 08, 2007

PCI For Dummies

I'm starting to come back to life after almost drowning last week in the carnival called Las Vegas at Black Hat and Defcon. It was my first trip ever to Las Vegas, and it was pretty much what I expected -- a lot of glitz with little substance.

That should also explain the week-long hiatus I took from blogging.

Here's an article in CIO magazine about PCI. It says what I've been saying all along: it's just a basic IT security standard with the bare bones any company should have.

The article boils down PCI into the simple steps it really is.