Saturday, September 29, 2007

Another Demo Of The Google Gmail Hack

Here's another demo of the Google Gmail hack that I mentioned this week.

This is from the Poor man's view of the world blog and has screen shots going through the hack step-by-step.

The post cited another in-depth discussion of the hack -- with how to prevent it -- from the Hackademix blog.

The lesson here is simple: check your Gmail filters.

Thursday, September 27, 2007

Scary Gmail Zero-Day Exploit

This should rattle your cage: a frighteningly easy zero-day exploit using Google Gmail. It works like this. Someone logs into their Gmail account, then visits a malicious site during the session. The bad site creates a rogue filter in their e-mail account and redirects all their e-mail to the attacker.

The exploit was uncovered by Petko Petkov, a web pen tester in the UK. The technique is called cross-site request forgery (CSRF); Petkov posted details on the Gnucitizen web site.

Ryan Naraine had more details on his Zero Day blog.
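The forged filter request works because the browser attaches the victim's session cookie to whatever the malicious page submits. As an added example (not from the original post, Gnucitizen, or any Google code), here is how a web application can refuse that request server-side; `Session`, `Request`, `create_filter` and the origin `mail.example.test` are assumed names for illustration.

```python
# Added example: rejecting a cross-site "create filter" request.
# Two checks the attacker's page cannot satisfy: the Origin header (the
# browser sets it to the attacker's site) and a per-session token that the
# same-origin policy keeps the attacker's page from reading.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

SITE_ORIGIN = "https://mail.example.test"  # hypothetical origin of the mail app


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    filters: list = field(default_factory=list)


@dataclass
class Request:
    method: str
    headers: dict
    form: dict


def create_filter(session: Session, request: Request) -> tuple:
    """Return (status, message); the filter is only stored when both checks pass."""
    if request.method != "POST":
        return 405, "state changes must use POST"
    # Check 1: the request must originate from our own pages.
    origin = request.headers.get("Origin") or request.headers.get("Referer")
    if origin is None:
        return 403, "missing Origin"
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
        return 403, "cross-site request refused"
    # Check 2: the form must carry the token we embedded in our own page.
    # compare_digest avoids leaking the token through timing differences.
    sent = request.form.get("csrf_token", "")
    if not hmac.compare_digest(sent, session.csrf_token):
        return 403, "bad CSRF token"
    session.filters.append(
        {"match": request.form["match"], "forward_to": request.form["forward_to"]}
    )
    return 200, "filter created"
```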

Wired Story On FBI-Hired Cybercrook

You can't make up stuff like this. Wired ran a series about an identity thief arrested by the FBI who agreed to be their mole.

It's a few months old, but I just happened to run across it when going through one of my piles (that still keep growing) of stuff.

Shell Code For iPhone Attack Tool

Security for the iPhone has been bounced around and discussed ever since the product hit the market over the summer.

But HD Moore, inventor of the famous Metasploit framework, has posted shell code on his blog that can be used to turn the iPhone into a tool for attack.

This shouldn't come as any great surprise. The issue isn't necessarily the security of the iPhone itself. It's the fact that the iPhone has a browser and can access the web. If an iPhone catches malware through that browser, it can just pass it along to a network like an infected laptop, desktop or other mobile device.

More details are in this story on SearchSecurity.

Wednesday, September 26, 2007

Wireless Security Tips: Old But Reliable

There's no real news in this article on wireless security, just some plain common sense.

Sometimes They Just Never Learn

It's been about a year and a half since the VA breach and, though laptops have been encrypted, they're still far away from setting a standard for IT security, according to a GAO report. It was an unencrypted laptop that was at fault in last year's breach.

In the same vein, my other favorite security breach, TJX (how did you guess?) has finally been unraveled by a Canadian security probe mandated by their breach notification laws. The culprit -- weak wireless security that allowed hackers in a parking lot of a TJX facility in Miami to start burrowing their way into the network. This is the full text of the report.

Here's some related point-counterpoint on wireless security that followed the report.

An Example Of IT Used For Physical Security

This article in Computer World is about video security cameras using IT for surveillance. Unlike traditional surveillance cameras, these cameras actually sit on the network, and -- yes -- they use IP to communicate across that network.

I'm glad they mentioned the IT security implications of cameras on the network. The IP traffic needs to be segregated from the rest of corporate traffic. Otherwise, who knows, snooping eyes on the web could try to see right down your company's hallways.

No way, who would ever do that?

Some Interesting Items On Web Security

Here's a paper from researchers at the University of Washington about SpyProxy, which analyzes web sites looking for malicious content based on behavioral characteristics. The paper is a bit heavy and academic, but it has some colorful diagrams for illiterate people like me that make the point.

Here's another exposition about DNS pinning, which takes advantage of the Same Origin policy used by browsers. Same Origin has been exploited to fool browsers into gathering information about an internal network and sending it to a server on the Internet.

The Week In Malware

There were a few interesting tidbits over the past week on the malware front. IBM reported that malware was becoming more sophisticated, a researcher uncovered that PDFs could be a risk to Windows XP, the no-date-finalized upcoming release of Firefox 3.0 will have some new security plug-ins and hacking tools went on sale on eBay.

Just another fun week at the IT security zoo.

Bringing Down Firewalls -- The Jericho Forum

This isn't exactly a new idea, but it's gotten some press lately. There's been talk here and there about firewalls being obsolete. With wireless and portable devices smashing the perimeter, the idea, on the surface, has some credence. And, one organization, the Jericho Forum, just like its Biblical namesake, is trying to do just that.

Network World covered some of the debate at a recent forum meeting in New York.

In my humble opinion, there might come a time when IT defenses will be so diffuse that firewalls could become irrelevant. But that isn't happening today, and probably not for the foreseeable future. Saying firewalls are irrelevant is like saying that we don't need door locks any more because locks have been compromised by lock pickers. Locks are here to stay, even if weak. They'll still be part of a multi-layered defense.

IT Security Trends From McAfee CEO

At an Information Week conference in Tucson last week, McAfee CEO David DeWalt said that cybercrime was a bigger business than drug dealing. His comments created a buzz on IT security message boards, but he did make some interesting points worth noting, nonetheless, about industry trends.
  1. The security industry is undergoing consolidation with big players taking over smaller ones.
  2. Compliance requirements have grown in response to the increase in cyberthreats.
  3. Security protection is moving from the perimeter, or the network, to the data layer itself. (See this article for some fascinating details.)
  4. Virtualization with the use of Virtual Machines (VM) is creating new security risks in the form of subverted VMs. (Here's an unrelated article on VM security.)
  5. New devices are challenging security with new platforms of attack for hackers.

The Botwall: A Firewall Against Bots

Here's an interesting new product: the botwall. It's designed to watch for malware attempting to plant itself on the network and take over machines. Bots work by enlisting "zombies" into vast armies of servers they control.

The botwall from FireEye in Menlo Park, CA, sits in your data center but has a Virtual Machine (VM) that works with ISPs and third-party providers to analyze traffic suspected of containing bot-laden malware.

Bots were identified last week, in a report from Arbor Networks, as the top security issue for ISPs, overtaking DoS attacks.

The report also said that VoIP is becoming a big target for hackers.

Tuesday, September 25, 2007

TechTarget Article on Identity-Enabled Devices

My article on identity-enabled network devices came out today on TechTarget's SearchSecurity web site.

The idea behind the article was the Trusted Computing Group initiative, in which identity information is stored right on hardware in secure and tamper-proof chips.

Sunday, September 16, 2007

Security Dangers of Consumer Technologies in the Enterprise

Here's a list from Computer World of the eight most common consumer technologies and their potential security risks in your company.

Not that every company has to be a backward Luddite, but consumer technologies are fast outpacing the ability of companies to deal with them. In addition, as the work day merges into every day, employees are starting to use their household electronic gadgets for work too.

One example is P2P technologies, which were used to steal an assessment of terrorist threats and in an ID theft scam. Skype, another popular technology, also fell victim to a worm.

This Is A Hacker Classic

This is right out of Hacking 101. Here's a litany of simple security fixes, never implemented, that allowed this guy to walk into a hospital and get into their network.

In all fairness, if you read the Computer World story closely, you'll see there were some mitigating controls that prevented him from having total run of the place. But he still got pretty far.

And the fixes were so simple. That's the scary part.

Fifth Annual Global State of Information Security

CIO magazine and PricewaterhouseCoopers came out with their fifth annual global information security survey last week.

The results showed that more companies are doing more -- hiring more staff, spending more money and getting more involved in information security -- but that the problem doesn't seem to be getting better. They're still being attacked at the same rate and still having to deal with the same security issues, mostly insider threats and malware.

The conclusion: they've hired more people, they're just not using them enough.

Wednesday, September 12, 2007

Banner Ads Now Attack You

Here's an interesting twist that shouldn't come as a surprise. A web security company, ScanSafe, noticed an increase in banner ads with malware planted on common social networking sites, like MySpace, according to a report this week in SC Magazine.

The banner code looks for a recently patched ActiveX exploit, and then drops Trojans on the user's desktop without any user interaction. So, just visiting an affected site, without even clicking on the banner, starts the attack on your machine.

Patched browsers are protected from the Trojan downloader called VBS.Agent.n.

Keeping your patches current is the best advice.

Another Way Around Tor

Tor works well as an anonymizer but shouldn't be relied upon for encryption, according to a security researcher who collected e-mails from the Russian and Indian embassies. Both used Tor for handling their diplomatic e-mail but didn't encrypt the traffic when it entered or left Tor.

The Swedish researcher, Dan Egerstad, got into Tor by setting up his node on a peer-to-peer network used by the embassies. Egerstad was able to grab user names and passwords for around 100 embassies in August.

I've reported on Tor security issues in previous posts.

Tuesday, September 11, 2007

My SearchSMB Article on Open Source Security

My article came out yesterday on tips for SMBs to securely manage open source software.

The piece was in SearchSMB's regular newsletter.

Sunday, September 09, 2007

Chinese Hack Into Pentagon

This was a hot item last week -- an alleged Chinese cyberincursion into the Pentagon and the German government, according to the Financial Times and Information Week.

The attack brought back memories of the recent cyberattack on Estonia, The Economist noted. There was a fascinating piece in Wired magazine about how Estonian authorities fought off their attack.

The Week in Web Attacks

There was the usual round-up of web attacks last week. There was a session hijack that could defeat even ten layers of authentication, according to Computer World. This sort of makes a mockery of all the fancy multi-factor doodads companies are starting to ask customers to use to authenticate. CSO had more details.

Then there were exploits and data leakage from Monster, USAJobs and Facebook.

And, to top it off, the Honeypot project noted that it's not just adult sites any more that have malware. All kinds of innocuous sites have been exploited.

Bank of India Web Site Hacked

This was big news last week about the Bank of India web site being seeded with malware.

Within a few days, the site was cleaned up, supposedly. A Russian gang was blamed for the cyberassault, using an exploit served up by an IFRAME. This isn't a new exploit but, like other recent web attacks, has become more common.

The story was reported all over the media, including Computer World and Finextra.

Isn't This Also a PCI Issue?

This is an interesting article in Computer World about the weak security in Point-Of-Sale (POS) systems at retailers.

Since these POS devices are often at the heart of credit card transactions at retailers, this is a significant PCI issue, as the piece correctly pointed out.

Most Likely To Be Hooked By A Phish

This is an interesting tidbit in CSO magazine about who is most likely to be phished in a company.

It seems like ordinary employees are being hit the most by targeted phishing attacks against their company.

Links to the phished sites are usually in e-mails and contain information of specific interest to the employee.

Phishing isn't what it used to be. It's getting harder to spot, even by the smart and initiated.