Tuesday, October 30, 2007

Securing Company Laptops And Remote Devices

Here are some tips from CIO magazine on encrypting laptops and PDAs. The article says companies shouldn't see encryption as costly and difficult. Options and tools are available to put laptop security within reach of any company.

Sprint and Alcatel-Lucent recently released a network card that doubles as a security device on laptops. The card works in conjunction with a management server that can lock and wipe clean the hard drive of a laptop reported stolen.

Ransomware Is Back In Style

Ransomware is nothing more than a cyber holdup. It's the virtual equivalent of extortion. Someone, usually a criminal, has either hijacked some files or planted malware on your system, and threatens to act unless you pay up.

Here are four tips from CSO's Threat Watch by Scott Berinato:
  1. Don’t panic. It’s natural to freak out when important files go missing, especially when someone is claiming to have the power to publish them on the Internet. Don’t panic. Lead.
  2. Don’t pay. Paying extortion fees only invites more extortion. Payment should be a final, desperate option and only when negotiation experts say it’s your best option.
  3. Assemble a team. Include encryption experts who might be able to unlock the files, security researchers who can look for the source of the attack and troll for intelligence, and someone skilled in negotiation if the situation becomes more serious or the attackers try to establish contact.
  4. Create awareness. One of your biggest threats in this situation is an emotional user who thinks his career and/or life can be ruined by this development. Make sure users don’t act on their own behalf, and create an environment to help them contain what is sure to be an emotional response to the ransomware attack.

Five Ajax Security Tips

This is a nice piece from TechTarget's Visual Basic News about five security tips for coding Ajax.

I have to say that the more things change, the more they stay the same. Is it deja vu, or what? These tips all preach about the evils of client-side code. Haven't we been through this before with Javascript? Oh, I forgot, Ajax is partly about Javascript.

Here's an excerpt from the article:

  • Use CustomErrors pages in the WebConfig file to prevent attackers from identifying an application's particular vulnerability.
  • Use Stored procedures or parameterized SQL queries instead of dynamically created SQL queries.
  • Perform input validation on the server side, not through JavaScript.
  • Use the Least Privileges account for your database and do not allow access to system data. This builds on the notion that security should be implemented in single layers, Lombardo stated: "You don't want them to be able to thwart one and then get to the data."
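The second and third tips above, parameterized queries and server-side validation, are easy to state and easy to get wrong, so here is an added example that is not from the article or the blog. It uses Python's built-in sqlite3 module as a stand-in for the ASP.NET data layer the article has in mind; the table, the rows and the lookup functions are all constructed for illustration.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for an application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_dynamic(conn, username):
    """The pattern the article warns against: the client string is spliced into the SQL text,
    so a crafted value can change the WHERE clause instead of being compared by it."""
    sql = "SELECT email FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """The recommended pattern: the driver binds the value to the placeholder, so whatever the
    client sends is only ever compared as data and can never alter the statement."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Allow-list for usernames; a hypothetical policy chosen for this example.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username):
    """Server-side validation. A JavaScript check in the browser is a convenience for honest users;
    anyone who skips the browser never runs it, so the server must repeat the check."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(conn, username):
    """Both controls together: reject malformed input, then query with a bound parameter."""
    if not validate_username(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input that turns the dynamic query into "match every row"
    print("dynamic query returns:", lookup_dynamic(db, probe))
    print("parameterized query returns:", lookup_parameterized(db, probe))
    try:
        lookup_hardened(db, probe)
    except ValueError as exc:
        print("hardened lookup rejected the input:", exc)
```

Running it shows the dynamic query returning every e-mail in the table for the probe string, the parameterized query returning nothing (there is no user literally named that), and the hardened lookup refusing the input before the database is touched. The validation layer is a defence in depth, not a substitute for binding: the parameterized query is what makes the statement safe, and the allow-list simply keeps junk out of the logs and the error pages.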

Monday, October 29, 2007

Businesses Are Biggest Source For ID Thieves

According to a study cited last week in Baseline magazine, businesses are the biggest source of identities for ID thieves.

The conventional wisdom is that most identity theft comes from stolen wallets and credit cards. But not entirely, the study says. Identity thieves prefer to filch data with names, addresses, birthdays and Social Security numbers from businesses.

So much for dumpster diving in the parking lot. They're now doing it in the front office.

Popular Applications With Security Flaws

Here's a list of the top 12 applications users love that have critical security vulnerabilities:

1. Yahoo Messenger, and earlier
2. Apple QuickTime 7.2
3. Mozilla Firefox
4. Microsoft Windows Live (MSN) Messenger 7.0, 8.0
5. EMC VMware Player (and other products) 2.0, 1.0.4
6. Apple iTunes 7.3.2
7. Intuit QuickBooks Online Edition, 9 and earlier
8. Sun Java Runtime Environment (JRE) 1.6.0_X
9. Yahoo Widgets 4.0.5 and previous
10. Ask.com Toolbar and previous
11. Broadcom wireless device driver as used in Cisco Linksys WPC300N Wireless-N Notebook Adapter
12. Macrovision (formerly InstallShield) InstallFromTheWeb, unversioned

They look familiar, don't they? Not an oddball in the bunch. They're all commonly used, mainstream everyday applications, used by everybody.

This list was compiled today by eWeek.

TJX Violated Most PCI Requirements

As if we haven't heard enough about TJX -- the breach that doubled in size from 46.5 to over 90 million stolen credit cards -- now court documents show the company violated nine of the PCI Standard's 12 requirements.

Back in May, the company's 10-K filing wasn't much prettier, but the real cause of the breach was still unknown.

Now it appears that the hackers wormed their way in first through the company's unsecured wireless network and then went to town from there.

Here are three tips for PCI compliance for SMBs.

Tuesday, October 23, 2007

Industry Heavyweights Form Code Consortium

Microsoft, Symantec, EMC, Juniper Networks and SAP have met in London to form a consortium for best practices for secure software development.

The group, Software Association Forum for Excellence in Code, or SAFEcode, will be a non-profit group working mostly to educate developers in secure application best practices.

Monday, October 22, 2007

Hijacked Adware Server and RealPlayer Attacks

Here's something that packs a punch. It has all the ingredients of a great web hack: a hijacked ad server, a compromised RealPlayer, and users who visit innocent sites and get all of the above.

On Friday, Symantec reported a zero-day exploit against RealPlayer in progress. It was also reported on Roger's Information Security Blog and on Security Focus.

More details were on SearchSecurity today.

Macworld Article on Mac Security

This was a great article on Mac security in the November Macworld magazine.

Just like most desktop security stuff, it's a lot of common sense about turning on authentication at logon, creating good passwords and safeguarding personal information.

A lot of Mac users fool themselves into thinking that Apple products are safer than Windows and Linux. To a degree, this is true. They have a better security architecture and, unlike Windows, for example, aren't the target of malware writers.

But Macs are just as susceptible to malicious access as any other platform if not locked down, patched and properly secured with adequate access management.

Low Tech Ways To Defeat Hackers

I love the simplicity of this approach. Information Week and Computer World both ran stories with easy-to-use low-tech methods for defeating hackers.

The techniques revolve around slandering hackers on web sites used for publicly trading malware. The idea is that the sale and marketing of malware is like any other business. It's based on a handshake and a gentleman's agreement. A sort of honor among thieves, if you will, in this case.

The articles say that traditional law enforcement methods, which until now have been about taking down hacking infrastructure and crooked ISPs and breaking up illicit computer networks, don't always work. Just as soon as they're taken down, someone else crops up to build new hardware for criminals.

An interesting idea, but I'm not sure how it'll work out. Time will tell.

UK Phishing In US Waters

This is an interesting tidbit from a UK anti-spam company, saying that over half of the phishing e-mails in the UK come from the US.

Considering that, in general, most phishing sites are hosted in hard-to-enforce locations like Eastern Europe, this is a surprising statistic. You'd think with all the law enforcement and technical muscle in the States, it would be hard to pull off a phish here. But such isn't the case, according to ClearMyMail, quoted in Finextra.

Thursday, October 18, 2007

How About A Cracked Network With That Coffee?

This is a disturbing attack demonstrated this week at Toorcon in San Diego. Called the Cafe Latte attack by its inventor, Vivek Ramachandran, a security researcher at AirTight Networks, it steals WEP keys not by compromising routers but by fooling clients.

Here's how it works. In the old days, before this week, the hacker would park outside a hotspot location with their Pringles can and steal and crack a WEP key from the router in a matter of seconds. In Cafe Latte, the target is the laptops of users who think they're connecting to the router.

Here are a few more details.


As if victimizing poor web sites wasn't enough, a security researcher discovered a way to pass XSS exploits via VoIP using the SIP protocol.

VoIP devices have embedded web servers that aren't as well protected as those on standalone servers and, as a result, are susceptible to the exploit, according to Information Week.

Paul Henry, Vice President of technology evangelism at Secure Computing, uncovered the flaw.

Web Security Round Up

Core Impact, known for application security testing tools, is adding web application penetration testing to its suite.

In other web security news, CIO magazine gave some neat tips for securing Ajax applications. Ajax, a central feature of Web 2.0 applications, has taken it on the chin for security vulnerabilities. Since Ajax is client side with lots of JavaScript and XML, what else would you expect? Who said XML is pristine either? Without adequate input validation and checking it can also be chock full of injected malware.

Then there's the old URI handling bug that just doesn't want to go away. The bug is in how browsers -- not just IE -- parse URLs with links to executable code. It can allow the malicious passing of code to an unsuspecting web surfer. Oh, boy. What else is new?

The URI bug reached the level of a CERT notification and was also a Microsoft security advisory.

A Corporate Application Security Program

This is a really nice article in CSO magazine about setting up a corporate application security program.

Rather than regurgitating the usual party line -- code reviews, scans and application layer firewalls -- Mark Carney of Fishnet Security gives a high-level overview with a comprehensive program.

Yes, others have said that application security has to be integrated into the development lifecycle, like Microsoft's Security Development Lifecycle. But this article goes beyond that and is more comprehensive.

Worm Vulnerability Still Plaguing AIM

The new AIM 6.5 release may still be vulnerable to a worm attack, according to security researcher Aviv Raff.

The release was to have fixed the problem uncovered in September but apparently still hasn't resolved the issue.

My SearchSMB Article on Failover Sites

My article on failover sites came out today on TechTarget's SearchSMB web site.

It's part of SearchSMB's disaster recovery theme this month. Though not very sexy, disaster recovery and business continuity planning are part of IT security. It's the Availability part of the Confidentiality, Integrity and Availability triad at the heart of data security.

Fake Microsoft Anti-Spyware Site

This is pretty insidious but not ingenious. It's been done before. An anti-spyware center masquerading as a Microsoft site.

This is sort of a new twist on the old social engineering tactic of e-mailing patches laden with malware to unsuspecting people. The sender was always a spoofed Microsoft e-mail address.

Details of the exploit, with a video demonstration, are on McAfee's Avert Labs blog:

Sunday, October 14, 2007

Finding The Phish

PhishTank, a service of OpenDNS that monitors phishing sites, recently released its annual report on who is hosting the most phishing sites, according to eWeek's Larry Seltzer.

It makes for interesting reading, saying the US telecom companies are some of the biggest culprits.

More on Kabay and Password Management

In his ongoing series on passwords, Prof. Mich Kabay mentions a novel authentication product in his latest Security Strategies newsletter.

The product, Passfaces, lets a user pick out a familiar face for authentication. Passfaces reminds me of something a few years back called PassMark. Users could pick out a photo -- it didn't have to be a face -- when they registered to a web site. This photo would be their "PassMark" and if it appeared on subsequent logins, the site was certified as not being a phish.

PassMark eventually was bought by RSA in 2006 and merged into their authentication product line.

There were clever ways PassMark could be phished. I'm wondering if the same is true of Passfaces.

It's still an interesting concept, nonetheless.

O'Reilly's Security Power Tools

This new book from O'Reilly, Security Power Tools, is an encyclopedia of the common security tools. This 822-page reference is packed with every imaginable tool -- and it's not the usual book just about how to set up sniffers like nmap and netcat -- from network monitoring and defense to code disassemblers. It also has code samples for customizing some of the security tools.

Some Random Web Application Security Stuff

This was a really nice piece in Network World this week about the top 10 web application vulnerabilities. I liked it because it was a summary of the OWASP top 10 hit parade with real-world examples, including a recent security news headline for each item.

Jeremiah Grossman, of White Hat Security, spoke this week at a local OWASP meeting in Houston and said some scary things about the state of web application security. In short, we're not in good shape right now.

A frightening example came last week in reports by Information Week, SC Magazine and Secure Works of an increase in hacking attempts against utilities. As utilities, no different than other companies, webify their applications, there's a greater risk of web application vulnerabilities.

Sure, the convenience of a web-based application that lets utility workers remotely manage facilities while on the road is fantastic. But those applications can be secured. If they're on the web, anybody -- not just utility workers -- can get to them.

Wednesday, October 10, 2007

Web Scanner Bake Off

Information Week conducted a review of popular web scanning tools. Unfortunately, most of the scanners had trouble with Ajax applications. This is a shame, since that's the direction of most web applications and the new pressure point that should be scanned for web vulnerabilities.

They gave high marks to WatchFire in a separate article.

Full-Disk Encryption Isn't Always The Answer

If you think Full-Disk Encryption (FDE) is the be-all-and-end-all to protect your data, you might want to think twice. The idea behind FDE, for example, is to prevent exposure of data from stolen laptops.

Ideally, FDE not only encrypts the whole hard drive, as its name implies, it also prevents thieves from using boot disks, like Knoppix, to bypass authentication.

Two ways to defeat FDE surfaced this week: one, using a thumb drive, was in eWeek, and the other, a bypass feature in PGP, was on Chris Pirillo's blog:


Cybercrime Getting Out The Vote

Symantec's blog had an interesting post this week about cybercrime and politics. The post was about an upcoming book published by Symantec on the subject.

Cybercrime, the authors allege, will be a factor in upcoming elections. It wasn't as well-developed during the last presidential race, even though it was as recent as 2004.

The post had a sample chapter from the book.

XSS Demo Video

This is a nice introductory video from Fortify Software, showing how XSS attacks are done.

It's pretty basic, but it gives a good idea of how these common attacks work for the newbie. It also goes step by step from the simple -- putting a Javascript alert box in a field to test if the site is vulnerable -- to the complex -- stealing an admin password for complete access to the site.
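The alert-box test the video starts with works only because the site writes what the user typed straight back into the page. As an added example, not from the video or from Fortify, here is the defender's side of that same step in Python: a constructed page template that places user text in both an element body and an attribute, rendered once verbatim and once through the standard library's html.escape. The template, the probe string and the helper names are all constructed for this illustration.

```python
import html

# Constructed page fragment: a comment lands both inside an element and inside a title attribute.
TEMPLATE = '<div class="comment" title="{title}"><p>{body}</p></div>'

# The basic probe the video begins with, constructed here as sample input.
PROBE = '<script>alert("xss")</script>'


def render_unsafe(comment):
    """Reflects the submission verbatim, so the browser parses the user's markup as markup."""
    return TEMPLATE.format(title=comment, body=comment)


def render_safe(comment):
    """Output encoding: &, <, >, " and ' are replaced by entities before interpolation.
    quote=True matters for the attribute context, where a bare quote would end the attribute."""
    encoded = html.escape(comment, quote=True)
    return TEMPLATE.format(title=encoded, body=encoded)


def has_script_start_tag(rendered):
    """True if a <script start tag survives in the rendered HTML."""
    return "<script" in rendered.lower()


def extra_quotes(rendered):
    """Number of double quotes beyond those the template itself contributes; a positive value
    means user input was able to close or open an attribute."""
    return rendered.count('"') - TEMPLATE.count('"')


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = renderer(PROBE)
        print(label, "->", out)
        print("  script tag present:", has_script_start_tag(out),
              "| extra quotes:", extra_quotes(out))
```

The escaped rendering turns the probe into the literal text `&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;`, which the browser displays but never executes, and the attribute stays closed where the template closed it. Encoding at output time, in the context where the text is emitted, is the control that stops the progression the video shows from the alert box to anything more serious; input filtering alone is not enough, because the same comment may be rendered into HTML, an attribute and a script block, each of which needs its own encoding.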

Tuesday, October 09, 2007

Autumn 2600 Hits Newsstands

The Autumn issue of 2600 came out over the weekend. I picked it up at a Barnes and Noble in the area. There were, as usual, a lot of interesting articles, but two that caught my eye were about credit card fraud at Target. Talk about PCI, these guys are in the Stone Age. Shocking.

There was also a tip on setting up an SSH tunnel for securing traffic.

Sunday, October 07, 2007

ChicagoCon Presentation on PCI Compliance

I spoke in September at ChicagoCon, the first conference of its kind in Chicago, on PCI compliance.

A PowerPoint and MP3 with my presentation are on the ChicagoCon web site.

DHS E-Mail Security Mess

Due to a mistaken Reply All snafu in a DHS e-mail alert, the e-mail addresses of thousands of security professionals were exposed. The addresses apparently included some that are classified. The recipients were on the DHS Daily Open Source Infrastructure Report mailing list.

There are details in the New York Times, Computer World, ISC and on the blog of Flip, a fraud researcher.

Keep Your Mouth Shut

This was amazing. During a visit to a sports bar, someone in security told Jeff Hayes all about physical security at his company. The guy gave him details about all kinds of things, especially things someone shouldn't say to a stranger.

Details are in Jeff's blog and in Computer World.

The people problem in security never ends, even among security people themselves.

Some Thoughts on Passwords

There was a nice piece in Prof. Mich Kabay's column about how passwords have seen their day.

Interestingly, my story on improving passwords for compliance also came out this week in SearchSecurity.

The Newest Hacking Tool: the iPhone

This was big news this week. H.D. Moore, security researcher and founder of Metasploit, wrote shell code for turning the iPhone into a hacking device. This is great news. Once the iPhone is hooked into a network, presto, it becomes a gateway -- with root access, no less -- into a corporate network.

Does it get any better than this?

Check out the details on his Metasploit blog. This was also reported by eWeek, twice on Tuesday and once on Wednesday last week in Larry Seltzer's column.

Linux: The Phisher's Best Friend

Here's an interesting thought. Linux is the platform of choice for hosting phishing sites and botnet command centers, according to Dave Cullinane, eBay CISO, speaking at a Microsoft-sponsored conference.

Now, I know what you're thinking. What else is he going to say at a Microsoft-backed event? But this isn't the first time this point has come up. Apache has some vulnerabilities, making it the platform exploited in half of all web attacks, and Linux has a share of that.

But, on the other hand, Linux is only used for hosting bot controllers, not the zombies themselves, which remain strictly Windows-based.

I guess it's six of one, half a dozen of the other.

Hackers Breaking Up Own Botnets

Here's an interesting story in Information Week about how hackers are breaking up their own botnets into small botnets to evade detection. These guys are not only clever, they're nimble too.

Many large botnets are controlled from a single server acting as a command center. If that goes down, so does the botnet, making it a single point of failure. By breaking up the botnet into bite-sized chunks, if one command center goes down, the rest of the botnet can keep on chugging.

Retailer Security: PCI, Gap and TJX Revisited

The big new breach of the week, as if a week passes now without one, was the Gap. Personal data on 800,000 job applicants, well secured, I'm sure, on a contractor's laptop, went missing. This was reported in Computer World, SearchSecurity and SC Magazine.

In more retail breach news, TJX offered a settlement to those who had to replace their driver's licenses due to their breach discovered earlier this year. The announcement came shortly before a Canadian government report explained how the intrusion took place.

And then, as if retailers didn't have enough headaches, the deadline for compliance with the Payment Card Industry (PCI) standard passed October 1 with many retailers still not compliant.

There were four reasons cited for non-compliance: the cost and energy required to put controls on legacy systems, differing opinions from auditors on what constitutes compliance, the difficulty of staying compliant, particularly as the threat environment changes, and a lack of enforcement.

Newest ATE Answers Posted on SearchSecurity

My newest bunch of Ask The Expert questions were posted this week on TechTarget's SearchSecurity web site:

Can tokenization of credit card numbers satisfy PCI requirements?
This question posed on 31 August 2007

How can the combination of biometrics and electrophysiological signals be used for authentication?
This question posed on 23 August 2007

Is third-party software the only way to prevent access within a domain group?
This question posed on 15 August 2007

Choosing from the top PKI products and vendors
This question posed on 08 August 2007

How should sensitive customer data, such as driver's license information, be handled?
This question posed on 03 August 2007

Is there a way to bridge physical and logical security without using smart cards or biometrics?
This question posed on 30 July 2007

How do anonymous credentials and selective disclosure certificates affect enterprise IAM?
This question posed on 27 July 2007

Does single sign-on (SSO) improve security?
This question posed on 17 July 2007

What are the pros and cons of using keystroke dynamic-based authentication systems?
This question posed on 09 July 2007

What mistakes are made when implementing enterprise IAM systems?
This question posed on 01 July 2007

Data-Centric vs Network-Centric Security

This is something that I, and other computer security experts, have been saying a lot recently. The approach to IT security has to move from being focused on protecting hardware and networks, as in traditional firewalls and server hardening, to being more focused on protecting data.

Now, that doesn't mean abandoning firewalls and traditional network hardening. The idea is to combine that with other controls -- content monitoring, application firewalls and endpoint security -- to protect data both in motion and at rest.

It's the data, not the network, since that is what's at risk. The traditional approach of just protecting the perimeter, just doesn't work any more.

Handling Rogue Sys Admins

The rogue system administrator turned bad is a classic in the annals of insider threats. In an article this week in Computer World, Jon Espenschied provides a five-step process for finding and weeding out malicious insiders. The story is interesting also because he compares it to a recent consulting engagement in Iraq.

Ryan Groom provides a three-step approach in his About.com Business Security site, and I had a chapter in my book, The Little Black Book of Computer Security.

No matter how you look at it, this isn't an easy problem to deal with. Neither is profiling potential malicious insiders, as I noted in another SearchSecurity piece in May. In that article, I discuss profiling work done by CERT, which is the benchmark for studies on insider threats.

Wednesday, October 03, 2007

Passwords And Compliance: Keep It Simple

My article on password complexity and compliance came out today in TechTarget's Compliance Counselor newsletter.

Some of the points are repetitive -- password length, using a mix of upper and lower case characters and numbers -- but I distilled it all into some best practices.