Tuesday, January 29, 2008

Anonymous May Not Be Anonymous

Russ Cooper of Microsoft Certified Professional Magazine Online had an interesting item yesterday about a paper on covert channels.

The paper by Steven Murdoch of the University of Cambridge explains how anonymizing software, like Tor, isn't always secure. In fact, the covert channels are often not encrypted and can be watched by cybervoyeurs.

The full text of the paper is 140 pages.

Monday, January 28, 2008

Societe Generale: Biggest Fraud Or Biggest Hack?

Somehow I knew this story would end this way. It started out as a meagre $7.1 billion dollar loss at Societe Generale. It was only the biggest fraud ever against a bank.

The losses were run up allegedly by Jerome Kerviel, a 30-year-old trader, said to be "not one of its stars."

Then it turned out he may have done some of the bad trading by hacking into SocGen's computers. Apparently this guy wasn't a computer brain surgeon either. But there's more to this story than pure technical hacking skills. He also figured out how to skirt the multiple layers of security and audit controls by taking advantage of his position inside the bank and talking his way out of investigations.

This is a textbook case of how security depends not just on technology but on people, policies and procedures. Kerviel allegedly breached all of these. Everybody knows security is partly about people. Just ask Bruce Schneier or Kevin Mitnick.

No Web Site Is Immune Anymore

It used to be that if you avoided shady sites, like porn and gambling sites, you weren't likely to catch any malware. But today, 51% of hacked sites are legitimate ordinary web sites that have been compromised by malware-bearing hackers, according to Websense.

The best advice? Just keep your patches up-to-date, use anti-virus software and a personal firewall. They won't provide total protection -- nothing does -- but they do reduce the risk.

In other web security news, a researcher has cracked the CAPTCHA used by Yahoo, long considered one of the toughest to break. This little breakthrough could spell real trouble for sites using CAPTCHA to block spam.

There was also a directory traversal attack uncovered against Firefox and a breach of a site using the Hacker Safe seal, showing how weak these seals really are.

Macs Are Becoming A Juicy Target

This is something we've been seeing for a while over the past year -- an increase in hacker threats against Macs.

Hackers these days follow the money, and the smart money is betting on a growing market share for Apple.

Keep those Macs patched. There's more fun to come this year, according to a report by Sophos.

10 Steps To Virtualization Security

Here's a great article from CIO magazine about 10 steps to securing your virtual infrastructure.

The article is a bit dated -- it's from last November -- but must have just surfaced on top of my pile, since I only read it recently.

Tuesday, January 22, 2008

McAfee Expands DLP Protection

McAfee unveiled its Total Protection for Data suite yesterday. The new suite integrates SafeBoot encryption with McAfee's existing DLP products, according to this story today on SearchSecurity by Neil Roiter.

Skype XSS Vulnerability Only Partially Fixed

A cross-site scripting (XSS) vulnerability uncovered last week by researchers Aviv Raff and Petko Petkov has been partially fixed, according to Computer World.

Basically, Skype disabled video downloads from Dailymotion, a video partnter which was the source of the problem. The root cause remains at large.

Skype acknowledged the issue on its web site but said Dailymotion was fixing the vulnerability on their site.

New Windows Tool Fights Keystroke Loggers

A company called SoftForum came out with a new tool, XecureCK, which protects Windows users from keystroke loggers, according to this Windows Security Tip on TechTarget.

The tool augments traditional SSL and TLS, which encrypt data in transit but not on the desktop, where Trojans operate.

The tool encrypts authentication credentials as they're entered on the desktop, defeating snooping Trojans sending their payload back to the evil mothership.

Spammers Aren't The Culprit In Spamming

This is a great post from Chad Perrin, who blogs on IT security for TechRepublic. Perrin goes through a long expose on the weaknesses of SMTP and its lack of authentication.

But, in the end, he said, spam is generated by botnets, which are rooted in Trojans dropped on home computers, for the most part.

The solution isn't to replace SMTP but to deal with the weak security of most home computers.

Saturday, January 19, 2008

Anit-Botnet Software Is Just Anti-Malware

This is a really thought provoking piece by Larry Seltzer of eWeek about how the anti-malware industry is trying to foist anti-botnet software on its existing customers. He said they're just repackaging what they're already selling and saying it protects against botnets.

Basically, botnets are just PCs injected with the same Trojans the existing software supposedly protects against, anyways.

He also said that someday the party would be over when a systemic solution to the malware problem will cut down a good share of botnets.

Friday, January 18, 2008

My Article On New SearchFinancialSecurity Site

I had an article come out yesterday on the new SearchFinancialSecurity web site about global authentication policies.

I discussed how to harmonize policies for credentials, like user IDs and passwords, across the globe despite multiple languages.

In my byline, it says I speak six languages, two of which use non-Western characters (Hebrew and Arabic), so I have some experience with this issue. The other four languages are English (which I still struggle with as evidenced by this blog), Spanish, Italian and Portuguese. I also speak some French and German, but only well enough to get around and not to have an in-depth conversation.

Wednesday, January 16, 2008

Hacking Exposed Web 2.0

The Hacking Exposed series recently came out with a new book, Hacking Exposed Web 2.0, which covers the new web technologies under the 2.0 rubric. Though this is a thinner volume, only 258 pages, than the other books in the series, it goes beyond the Hacking Exposed Web Applications, which is already in its second edition.

Hacking Exposed Web 2.0 focus on common injection attacks, like SQL injection, cross-site scripting (XSS), HTML injection and cookie manipulation, as well as, the next generation of attacks. These include cross domain, JavaScript, AJAX and .NET attacks. There's also a section on ActiveX and Flash attacks, which have also been the rage recently.

Web Hacking Roundup

There's been some scary attacks reported lately in the trade press. But when you take a closer look, they're all pretty much variations on the same old themes. They're not new attacks, just bolder versions of existing attacks.

A Trojan targeting 400 banks does a classic Man-In-The Middle (MITM) attack. Symantec had details about the Silentbanker Trojan on its web site with instructions on its removal, according to Computer World.

A mass attack of legitimate web sites that drops malware on users' PCs was uncovered by ScanSafe, but remained unexplained, like a SQL injection attack against Geeks.com, which was missed by ScanSafe, at the same time. Another SQL injection attack was launched against other sites last week.

Kits for hacking neophytes that launch sophisticated attacks are getting more common, SearchSecurity reported this week. No experience necessary. Take a hack kit and just add water -- or a server.

Then there was the hacked MySpace page and the Firefox authentication box exploit.

Tuesday, January 15, 2008

Winter 2600 Hits Newsstands

The Winter issue of 2600 magazine just hit the newsstands after coming out last week.


This edition was full of interesting stuff, but there were four articles that caught my attention:

  • Scanning the Skies -- about TV satellites
  • Essential Security Tools -- a review of some of the most commonly used, and basic, hacking tools
  • An Introduction to Beige Boxing -- Ah, this is about a homemade phone phreaking tool, but it sure is nostalgic. Remember, blue boxes, black boxes and red boxes. Probably not. You're too young.
  • Exploring AT&T's Wireless Account Security -- explains security weaknesses in AT&T wireless.

Monday, January 07, 2008

First SearchCIO-Midmarket Article

I've been writing for almost two years for the old SearchSMB site on TechTarget. The site was recently rebranded as SearchCIO-Midmarket.

My first article, Security on a midmarket budget, came out today. It's about commercially available security tools for middle market companies on a budget.

Sunday, January 06, 2008

Too Many Leave Their Windows Open

Despite the ready availability of security patches for Windows, a fifth of all PCs running Windows aren't up-to-date on their security fixes, according to a recent study by Secunia.

Secunia gathered the results from scans using it's PSI tool, which checks PCs to make sure they have the latest patches.

The Personal Software Inspector is available free from Secunia, a leading IT security company based in Denmark.

Who Needs Social Security Numbers?

This is an interesting column from Tom LaSusa at Information Week about why companies and organizations should stop using Social Security Numbers (SSN) for identifying their customers and clients.

LaSusa was commenting on the latest in a string of laptop thefts with customer data, this time from the Memorial Blood Centers in Minnesota. Besides information about their blood types, the laptops had SSNs for the blood donors.

SSNs here in the US are a vital piece of information that can be used to commit identity theft.

In response, Memorial Blood Centers doesn't ask for SSNs any more. Unfortunately, many government web sites still prominently display SSNs to the dismay of security professionals.

New NIST Document Available for Comment

The National Institute of Standards and Technology (NIST) recently released the final draft of its publication, SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems.

The 396-page document is an exhaustive checklist of the types of IT security controls required for federal systems.

The public is invited to comment until January 31.

Tuesday, January 01, 2008

Microsoft MVP Award For 2008

I'm pleased to announce this morning I was awarded the Microsoft MVP Award for 2008 for the third straight year in a row.

This prestigious award was given for my contributions to the industry. I first achieved Most Valuable Professional status the year after publication of my book, The Little Black Book of Computer Security.