Tuesday, September 30, 2008

New Trojan Using HTML Injection on Bank Sites

A new Trojan, called Limbo, is making the rounds that inserts data fields into the legitimate web sites of banks, according to Computer World. This is different from a phish, which is a totally bogus duplicate of a legitimate site.

The Trojan was reported by RSA and uses several routes to get onto a user's machine. These include pop-up messages that download programs.

Unlike other injection attacks, this one actually inserts HTML code, with additional fields, right onto a bank's web site, even while the user might be logged in.
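One defensive response to this kind of in-page field injection is a client-side form-integrity check. The code below is an added example, not part of the original post or of any RSA or Computer World material: it compares the input fields actually present in a bank's login form against a manifest of the fields the page is supposed to have and reports anything extra, altered, duplicated or missing. The form id, the field names and the manifest are assumptions constructed for the example.

```javascript
// Added example (not from the original post): form-integrity check against
// injected HTML fields. The manifest and the form id below are constructed.
const EXPECTED_FIELDS = { username: 'text', password: 'password', csrf_token: 'hidden' };

// fields: array of {name, type} describing the inputs actually in the form.
// Returns a list of findings; an empty list means the form matches the manifest.
function auditFormFields(fields, manifest = EXPECTED_FIELDS) {
  const findings = [];
  const seen = new Map();
  for (const f of fields) {
    const name = (f.name || '').trim();
    const type = (f.type || 'text').toLowerCase();
    if (!name) { findings.push({ kind: 'unnamed-field', type }); continue; }
    if (seen.has(name)) { findings.push({ kind: 'duplicate-field', name }); continue; }
    seen.set(name, type);
    if (!(name in manifest)) {
      findings.push({ kind: 'unexpected-field', name, type });
    } else if (manifest[name] !== type) {
      // e.g. a hidden token field turned into a visible text box
      findings.push({ kind: 'type-changed', name, expected: manifest[name], actual: type });
    }
  }
  for (const name of Object.keys(manifest)) {
    if (!seen.has(name)) findings.push({ kind: 'missing-field', name });
  }
  return findings;
}

// Browser glue: read the live form and re-check whenever its DOM changes,
// since a trojan in the browser can add fields after the page has loaded.
function collectFields(form) {
  return Array.from(form.querySelectorAll('input, select, textarea'))
    .map((el) => ({ name: el.name, type: el.type }));
}

function watchForm(form, report) {
  const check = () => {
    const findings = auditFormFields(collectFields(form));
    if (findings.length) report(findings);
  };
  check();
  new MutationObserver(check).observe(form, { childList: true, subtree: true, attributes: true });
}

if (typeof document !== 'undefined') {
  const form = document.getElementById('login-form'); // assumed form id
  if (form) watchForm(form, (findings) => console.warn('form integrity findings', findings));
}
```

Because the Trojan runs inside the same browser, a check like this can itself be tampered with; treat its findings as a detection signal to report back to the server, not as a preventive control.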

Monday, September 22, 2008

Two More IAM Ask The Experts

Here are two more of my Ask The Expert answers on identity and access management for SearchSecurity's TechTarget web site:

Should a new user have to confirm his or her email address before gaining access?
This question was posed on 08 September 2008

What should an enterprise look for in a password token, and in a vendor?
This question was posed on 05 September 2008

Saturday, September 20, 2008

Not Just Palin's E-Mail Vulnerable

Supposedly, according to some security researchers, the Yahoo e-mail account of Alaska Gov. Sarah Palin, also the Republican Vice Presidential nominee, was cracked using a simple password reset feature. All that was needed, apparently, was the account's user name and the answer to one security question.

That would put not only Yahoo but also Gmail and Hotmail at risk of the so-called password-reset attack. Family members, close friends and even possible close enemies, like ex-spouses, might know enough to figure out how to break into the accounts of those close to them.

Sending the password to an alternative e-mail address, a possible mitigating control, is offered on these free e-mail services but is frequently not used.

Other security researchers doubt this is how Palin's account was hacked. But, either way, the security of online e-mail accounts is something to think about.

Here are some more tips from PC World.

Saturday, September 13, 2008

My Latest IAM Ask The Expert Answers

Here's a fresh batch of my identity and access management Ask The Expert answers from TechTarget's SearchSecurity web site:

Is it possible to write a batch file that allows user access to the local admin group for a short time?
This question was posed on 27 August 2008

IAM best practices for employees with varying degrees of access to the same computer
This question was posed on 22 August 2008

What are some good pre-boot biometric user authentication tools or strategies?
This question was posed on 11 August 2008

If the encryption on the Mifare Classic RFID has been cracked, are smart cards insecure?
This question was posed on 11 August 2008

How does the Group Policy Object interact with the 'Password Never Expires' flag?
This question was posed on 07 August 2008

What are best practices for remote management of medical imaging devices?
This question was posed on 23 July 2008

Monday, September 08, 2008

Unified Communications Security for Mid-Size Companies

My article on unified communications for the middle market came out today on SearchCIO-Midmarket.

The article just scratches the surface of the issue but covers a bit of VoIP and some products within reach of smaller companies.

Monday, September 01, 2008

TechTarget on The Little Black Book's Second Edition

TechTarget ran a nice article this week about the second edition of my book, The Little Black Book of Computer Security, which came out in May.

The article also has a link to a podcast with an interview of me, followed by my reading of an excerpt from Chapter 20 on security awareness training.

You can also download the chapter in its entirety as a PDF, as a sample.