Tuesday, April 29, 2008

Have You Noticed Less Spam?

Call me crazy, but I sure have. There has been a lot less spam in my e-mail inbox over the last few months.

Could it be the crushing of the Storm botnet? It's hard to say. Microsoft took credit for deep sixing the infamous botnet, though, as usual with any Microsoft claim, there's a lot of controversy around it.

In any case, Microsoft does have an interesting botnet hunting tool worth taking a peek at.

Monday, April 28, 2008

Dangers of Web Mail

Here's a nice summary of some of the security issues surrounding web mail. It's not especially brilliant or eye-opening, but I liked the presentation. It summarized the key issues quite well.

Sometimes we tend to forget that web-based e-mail isn't really an e-mail application, per se. It's a web application with all the vulnerabilities that go with that.

And, on top of that, according to the Computer World article, it sits on somebody else's servers, making it prime bait for snooping by bored employees of the web mail company.

Digital Spy Tools Protect Data

Here's a nifty list of 24 tools used for both physical surveillance and data security. They're not exactly James Bond specials or Maxwell Smart's shoe phone, but they are an interesting assortment of products.

There are a lot of different telescopes and binoculars, a USB keystroke logger and a few bugging and counter-bugging devices.

The march of the merger of physical and information security goes on.

Saturday, April 26, 2008

E-Commerce Ripe Victims for Cyberterrorism

A group of hackers that met in London last week warned that major retail chains could be next on the cyberterror hit list, according to the venerable old BBC.

They said the same techniques would be used as those in the attacks against Estonia last year, which basically brought the government and infrastructure to its knees.

Friday, April 25, 2008

Infected Web Page Every Five Seconds

According to anti-virus and security company Sophos, it discovers an infected web page every five seconds. That's up from 14 seconds for all of last year.

The results were part of the company's security threat report for the first quarter of this year.

Some interesting reading in only four pages.

iFrame Attack Surge

Panda Security is reporting a surge in iFrame attacks against Microsoft IIS servers. Details of the injection attack were in Network World yesterday.

Panda is recommending that network managers check their web sites for the malicious code. Panda isn't sure which vulnerability is being exploited but suspects it might be related to a Microsoft advisory from April 17.

Tuesday, April 22, 2008

PayPal Bans Unsafe Browsers

Here's a novel twist in the browser and phishing wars. PayPal plans to ban unsafe browsers, according to eWeek and Finextra. What's an unsafe browser? Apparently, one like Microsoft's Internet Explorer or Apple's Safari, which doesn't have anti-phishing protection, like that provided by Firefox.

Now, newer versions of IE that support Extended Validation SSL would be allowed to access PayPal.

Then later, Computer World reported that PayPal said Safari wouldn't be barred.

Either way, turning the tables on users, forcing them to use protection, is an aggressive, if interesting, move.

Friday, April 18, 2008

Some Things Everybody Should Know

This "things you should know about your company's data security" series in Computer World this week was fantastic. It should be part of the security awareness training given to all employees at every company. It shows, yet again, that security isn't just an IT concern. It's everybody's concern.

5 things your salespeople should know about your company's data security

5 things your receptionist should know about your company's data security

5 things your HR people should know about your company's data security

4 things your remote staff should know about your company's data security

4 things your administrative staff should know about your company's data security

3 things your facilities group should know about your company's data security

Maybe this all should be put in a data security textbook?

Tuesday, April 15, 2008

News From The Cyberware Front: Botnets and More

The top botnets now control around one million computers, and cyberattacks against our infrastructure are one of our biggest security threats.

Doesn't it seem like these might go together? Sometimes yes, and sometimes no. But some of the same cybercrooks are perpetrating both.

I heard it said at Defcon last year that as botnets and cyberattacks get worse over the next few years, we might call today the good old days.

It's Not Just IT Security -- It's Also Fraud

Here are two interesting reports about fraud from the recent RSA 2008 conference that ended last week in San Francisco. Unfortunately, I couldn't make it this year, but maybe next year.

Fraudsters are exploiting multiple channels to attack online banking, according to SearchFinancialSecurity.com and SC Magazine.

What makes this interesting is that these types of attacks aren't necessarily blocked by traditional authentication and access management. They're blocked by reviewing transactions themselves behind the scenes, watching for suspicious patterns. Of course, out-of-band and two-factor authentication might slow down these types of crimes.

But essentially they can't be caught by traditional risk assessments because they're not really breaches of IT security controls.

My point? IT security and fraud have to work hand-in-hand. It's not just about IT security anymore. It's also about fraud.

Wednesday, April 09, 2008

Compliance is NOT Security

Three cheers for Art Coviello, president of EMC's RSA division. In his keynote speech on Tuesday at the RSA conference, he got it straight -- compliance isn't security. It's about checking off lists that don't always correlate to an organization's specific information security needs.

I wasn't there, but I read about it in Computer World.

Risk Analysis for Dummies

This is a real nice explanation of risk analysis from Computer World. The example of explaining to an executive the savings in dollars and cents of disk encryption is priceless.

The scenario is real and the answer obvious -- dollarize it or it won't work for the business. IT security has to morph into a business partner and enabler, or the business will block it.

Great CSIRT Handbook

Mich Kabay had an excellent column this week in his Security Strategies Newsletter about burnout on incident response teams.

He made reference to the CERT's Computer Security Incident Response Team handbook, another excellent reference for any IT security professional.

Malware Count Hits a Million

In a report released yesterday, Symantec said the amount of malware in circulation hit the one million mark. The Internet Security Threat Report Volume VIII cited increasingly sophisticated and well-financed criminal organizations with resources to marshal malware programmers.

The 105-page report makes for good reading. An archive of past reports is on Symantec's web site.

Texas Regional Infrastructure Security Conference

The Alamo ISSA (Information Systems Security Association) will be hosting the 2008 Texas Regional Infrastructure Security Conference (TRISC) in lovely San Antonio from April 21 to 23.

The event will be held at the Omni San Antonio Hotel at the Colonnade and will feature the ISSA 2007 International Awards Ceremony.

For more information, contact Chip Meadows or Elliott Franklin at president@alamo.issa.org.

Monday, April 07, 2008

My Article on Laptop Theft

I had an article on preventing laptop theft come out today on SearchCIO-Midmarket.

As usual, I discuss both low-tech and technical controls. My philosophy has always been that security is a combination of educating people supplemented with technical controls. The two need to work not separately but together.

Sunday, April 06, 2008

Spring 2600 Hits Newsstands

The Spring issue of 2600 hit the newsstands this week. There was a real interesting article about bypassing the toughest of Internet-blocking proxies at companies. I don't want to give away the whole story, just a sneak peek -- they use SSH running as a service on a remote machine.

Apparently, according to the article, the proxies used at some companies are as tough as those used by countries like Iran to block their citizens from unfettered Web access.

Thursday, April 03, 2008

Browser Vulnerabilities Abound Everywhere

Two vulnerabilities in the recent release of Safari 3.1 for Windows were uncovered last week and reported by Secunia.

Also, there was an interesting article in today's SANS Ouch newsletter, entitled From the Trenches, about how the web sites of smaller companies are at greater risk for exploitation. The article said small companies don't have the expertise to harden web servers and web applications to meet today's tough threats.

Interestingly, the article mentioned how even if your operating system has all its patches up-to-date, it can still be vulnerable due to exploits in Microsoft and Adobe products residing on the system. Keeping your application patches up to date is key, as well.

Worst IAM Practices and How to Fix Them

My story on worst practices in identity and access management came out yesterday on TechTarget.

Of course, it also gives suggestions for how to fix them.