Friday, May 30, 2008

Chinese Cyberattackers

This is an extremely well-researched, in-depth and thorough article in National Journal Magazine about cyberattacks coming out of China.

There's been a lot of press about this issue, but this piece seems to sum it all up nicely in one place.

Ten Employee Security Risks

Here's another slide show from eWeek about the IT security risks of employees:

1) USB Flash Drives
2) Laptops
3) P2P
4) Web Mail
5) Wi-Fi
6) Smart Phones
7) Collaboration Tools
8) Social Networks
9) Unauthorized Software Updates
10) Virtual Worlds

This must be employee security threat week. Information Week magazine had a similar article on the same subject.

Ten Laptop Security Risks

This is a nice little slide show from eWeek about ten security risks of laptops:

1) Hard Drives Aren’t Encrypted
2) USB Drives Aren’t Glued Shut
3) Work-Home Lines Are Crossed
4) End Users Aren’t Security-Aware
5) Physical Security Isn’t Implemented
6) The ‘Duh’ Factor Is Ignored
7) Systems Aren’t Labeled
8) The Eyes Don’t Have It
9) No-jack
10) As the Worm Turns

Thursday, May 29, 2008

Webcast on Identity and Access Management Suites

Yesterday, I did a live webcast for TechTarget on identity and access management suites. It's part of a series I did for them on IAM suites in Information Security magazine and on their SearchSecurity web site.

Wednesday, May 28, 2008

Facebook XSS Hack

They're at it again. Those XSS attackers just don't stop. This one was against Facebook, which makes you think twice about the safety of some common social networking sites.

Details were in the XSSED Security Blog, as reported by Computer World.

Potentially 70 million users were affected. But don't panic yet. The XSSED post says there haven't been too many XSS breaches of Facebook. But who knows? More could be around the corner, they say.

Some Free Security Tools

Here are five free pen testing tools and ten free Windows security tools. There's nothing in this list that's new, but I like how they put these common tools in one place.

Google Safe Browsing Site

Google has recently launched its Safe Browsing Diagnostic Page to help determine if a web site has been infected with malware, according to a report in eWeek.

Details are also on Google's security blog.

Friday, May 23, 2008

Security Threat of Orphaned Accounts

This is an obvious security hole, let alone a compliance issue for every regulation under the sun -- SOX, HIPAA and PCI -- you name it.

Many companies aren't careful about pruning out old accounts of users long gone -- voluntary and otherwise -- from their systems.

This was a nice summary on Redmond Channel Partner Online.
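One way to turn the "pruning old accounts" point into a repeatable check. This is an added illustration, not code from the post or from the article it links; the directory export, HR roster, service-account ownership mapping and dates are all constructed sample data, and the 90-day idle window is an assumed policy value.

```python
"""Flag orphaned accounts: enabled directory accounts whose owner is no longer
on the HR roster, or that have not been used within an idle window.

Constructed example data throughout; nothing here comes from a real system."""
from datetime import date

# Constructed sample: accounts as exported from a directory service.
ACCOUNTS = [
    {"user": "alice",   "last_login": date(2008, 5, 20), "enabled": True},
    {"user": "bob",     "last_login": date(2007, 11, 2), "enabled": True},   # left the company, still enabled
    {"user": "carol",   "last_login": date(2008, 1, 15), "enabled": True},   # current employee, but idle
    {"user": "svc_bak", "last_login": None,              "enabled": True},   # service account, no named owner
    {"user": "dave",    "last_login": date(2007, 6, 1),  "enabled": False},  # already disabled, skip
]

# Constructed sample: employees HR currently lists as active.
HR_ROSTER = {"alice", "carol"}

# Service accounts are attributed to a human owner; assumed mapping for this
# example (empty, so svc_bak has no owner and gets flagged).
SERVICE_OWNERS = {}


def find_orphaned(accounts, roster, service_owners, today, max_idle_days=90):
    """Return (user, reason) pairs for enabled accounts that need review.

    An account is orphaned when its owner (itself, or the mapped owner of a
    service account) is not on the HR roster. Accounts with a valid owner are
    still reported when they have never logged in or have been idle longer
    than max_idle_days, since both are common signs of a forgotten account."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        owner = service_owners.get(user, user)
        if owner not in roster:
            findings.append((user, "owner not on HR roster"))
            continue
        last = acct["last_login"]
        if last is None:
            findings.append((user, "never logged in"))
        else:
            idle = (today - last).days
            if idle > max_idle_days:
                findings.append((user, f"idle for {idle} days"))
    return findings


if __name__ == "__main__":
    # Review date fixed to the post's date so the output is reproducible.
    for user, reason in find_orphaned(ACCOUNTS, HR_ROSTER, SERVICE_OWNERS, date(2008, 5, 23)):
        print(f"{user}: {reason}")
```

Running the check against the sample data reports bob and svc_bak as having no current owner and carol as idle; dave is ignored because disabling an account already removes the exposure. In practice the roster comes from the HR system of record and the export from the directory, and the review runs on a schedule rather than once.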

New PCI Standard Available in October

PCI 1.2, the updated version of the credit card industry security standard, is expected out in October, according to SC Magazine.

This is the first revision of the Payment Card Industry Data Security Standard (PCI DSS) since 2006.

Apparently some overlapping items will be fixed, reporting protocols will be clarified and the glossary will be expanded.

Now, let's try to stay calm and not all jump for joy at once. I know the enthusiasm will be contagious.

Second Edition of Little Black Book on Amazon

The second edition of my book, The Little Black Book of Computer Security, is now available on Amazon.

A photo of the cover is on the right, just below the photo of me in my fashionable sunglasses.

Tuesday, May 20, 2008

Article on Multifactor Authentication

Here's a piece that came out today on TechTarget's SearchSecurity web site about multifactor authentication in IAM suites.

It went with my article that came out in Information Security magazine this month on IAM suites.

Textbook Case on Contractor Security

This story is unbelievable: a former airplane hijacker from Afghanistan was working at Heathrow Airport. Clearly background checks of employees aren't done thoroughly. Scary for anybody flying to London.

Though this isn't strictly an IT security story, it's still sort of related. Here are some suggestions about how an organization can protect its security when working with outside contractors. The controls are both network- and software-based, and interesting nonetheless.

A Botnet Map and A Phishing Tool

This is the coolest thing. It's a botnet map, linking infected IP addresses into a nifty Flash graphic.

This isn't so cool. A botnet using a sophisticated SQL injection attack to hit legitimate web sites and enlist them in its evil army. The botnet spawns phishing spam.

Here are details about a mass SQL injection attack based in China, attacking web sites at home.

It's interesting that this is happening now. I heard Caleb Sima, one of the founders of SPI Dynamics, which was acquired last year by Hewlett-Packard, predict these types of attacks at an SPI Dynamics dinner back in 2004.

Employees Bypass Enterprise Security

In its first annual report on application risks, Palo Alto Networks said that employees are willfully bypassing security controls and traditional IT departments by downloading and installing their own applications.

Here's a summary from CSO online.

Wednesday, May 14, 2008

Massive Security Hole in Debian

News this week of a massive security hole in Debian shocked a lot of people in the open source community. It puts a chink in the armor of the open source claim that their software is more secure because it's exposed to the world for review.

Just because it's out there and exposed, doesn't mean it's been reviewed. Whether open or closed source, all code needs to go through rigorous security reviews at all stages of the development lifecycle.

What makes this particular security hole so disturbing is that Debian is one of the most widely used Linux distributions and is the backbone of Ubuntu, the most popular distro available. The exploit code targeted the openssl package, a widely used encryption package.

Five Ways Insiders Go Bad

This is a nice summary of common ways insiders abuse their own networks to gain malicious access.

The insider threat has been discussed lately. I wrote an article for SearchSecurity a year ago about the subject, citing studies done by CERT, the leader in profiling malicious insiders.

Information Security Magazine Article

I have an article about identity and access management suites coming out in the May issue of Information Security magazine. It was also just posted to the magazine's web site.

Wednesday, May 07, 2008

Dirty Secrets of the IT Security Industry

This was a great article that came out recently in Information Week about the IT security industry's dirty laundry.
  1. Vendors do not need to be ahead of the hackers; they only need to be ahead of the buyer
  2. Antivirus certifications do not require or test for Trojans
  3. There is no perimeter
  4. Risk assessment threatens vendors
  5. There's more to risk than weak software
  6. Compliance threatens security
  7. Vendor blind spots allowed for the "Storm" botnet
  8. Security has grown well past the "do it yourself" stage

Two New TechTarget Articles

I had two articles come out this week on two of TechTarget's web sites. One was about fault-injection attacks on, and the other was on single sign-on for

The Four Challenges of IT Security

I made a presentation about IT security to a group of students visiting the Illinois Institute of Technology from France last month.

The presentation was called "The Four Challenges of IT Security," which I identified as:
  1. Web application security
  2. Cyberattacks and cyberterrorism
  3. Privacy and data security
  4. IT security as a business enabler

Saturday, May 03, 2008

Credit Card Thieves Hitting Smaller Prey

This was a great piece on this week about how credit card thieves are targeting small merchants and their point-of-sale (POS) systems. The article cited a study by Trustwave, a major PCI consultant based in Chicago.

This shouldn't come as any great surprise. Unlike larger companies, small businesses often don't have the resources, let alone a dedicated IT security staff, to pay attention to every detail of the PCI requirements. Attackers know this, targeting more vulnerable small fries rather than big guys with stronger IT security defenses.

But what was interesting was that Trustwave found that many small businesses use third-party vendors to set up their POS systems. These systems aren't configured securely, often with default passwords -- commonly known by hackers -- still in place.

To add insult to injury, it isn't difficult for attackers to find exposed POS systems with simple port scans.
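The two findings above, vendor default passwords left in place and management services reachable from the network, are both things a merchant can audit from its own inventory before anyone else finds them. Below is an added example of such a check; it is not code from the post or from the Trustwave study. The list of default passwords, the device records, the port numbers and the bind addresses are constructed sample values, and the assumption is that each record comes from the merchant's own inventory of its POS terminals.

```python
"""Audit POS inventory records for vendor default passwords and for
remote-administration services bound to a network-facing address.

Constructed example data; the default-password list and device records are
illustrative, not taken from any real vendor or merchant."""

# Constructed: passwords that hypothetical POS vendors ship as defaults.
KNOWN_DEFAULT_PASSWORDS = {"pos1234", "admin", "password", ""}

# Addresses on which a management service is reachable only from the box itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed: inventory as a merchant (or its integrator) might record it.
DEVICES = [
    {"id": "reg-01", "admin_password": "pos1234",    "remote_admin_bind": "0.0.0.0",   "remote_admin_port": 3389},
    {"id": "reg-02", "admin_password": "Xy!7q#vL2p", "remote_admin_bind": "127.0.0.1", "remote_admin_port": 5900},
    {"id": "reg-03", "admin_password": "admin",      "remote_admin_bind": "127.0.0.1", "remote_admin_port": 5900},
    {"id": "reg-04", "admin_password": "Kf3$mz9Qw",  "remote_admin_bind": "0.0.0.0",   "remote_admin_port": 5900},
]


def audit_device(dev, defaults=KNOWN_DEFAULT_PASSWORDS):
    """Return the list of findings for one device (empty when it passes).

    Two checks: the administrative password must not be a known vendor
    default, and the remote-administration service must not be bound to an
    address other than loopback, which is what makes a terminal show up on a
    simple port scan of the merchant's address space."""
    findings = []
    if dev["admin_password"] in defaults:
        findings.append("vendor default password still set")
    if dev["remote_admin_bind"] not in LOOPBACK:
        findings.append(
            f"remote admin on port {dev['remote_admin_port']} bound to "
            f"{dev['remote_admin_bind']} (reachable from the network)"
        )
    return findings


def audit(devices):
    """Map device id to its findings, omitting devices with none."""
    report = {}
    for dev in devices:
        findings = audit_device(dev)
        if findings:
            report[dev["id"]] = findings
    return report


if __name__ == "__main__":
    for dev_id, findings in audit(DEVICES).items():
        for finding in findings:
            print(f"{dev_id}: {finding}")
```

On the sample inventory reg-01 fails both checks, reg-03 only the password check, and reg-04 only the exposure check; reg-02 is clean. A real run would draw the default list from the vendor documentation for the models actually deployed and re-run the audit whenever an integrator touches a terminal, since the study's point is that the insecure configuration arrives with the installation.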