Friday, October 31, 2008

Tips for Adults to Protect Kids Online

This is an interesting article from CSO Online about how parents can protect their kids online. Granting this is a slippery slope, since many kids have more tech smarts than their parents, but there's some food for thought in this article.

Again, a theme I've harped on in the past: a lot of the tricks used by the teenagers mentioned in the article are just good old-fashioned social engineering rather than sophisticated hacker techniques.

Wednesday, October 29, 2008

XSS Vulnerability in Yahoo HotJobs

A cross-site scripting (XSS) issue reportedly found in Yahoo HotJobs has been fixed, according to SC Magazine. Details of the vulnerability, which could allow an attacker to steal authentication cookies for Yahoo accounts, are on the Netcraft blog.

Netcraft said the attack would allow a browser session to be hijacked and, with it, the cookies that grant access to Yahoo accounts, such as e-mail.

Yahoo recommended that concerned users change their passwords and verify they are signing into Yahoo with their Sign-in Seal.

Tuesday, October 28, 2008

Radio Program on Managed Security Services

I was interviewed last week on WIIT by Alon Friedman about managed security services providers (MSSPs). As usual, we had a lively debate about the pros and cons of MSSPs, and how they're actually implemented.

The interview was one of my regular computer security segments on Friedman's Here, There and Everywhere program, which airs on WIIT on Thursday nights.

Monday, October 27, 2008

The Difficulty in Fighting Bank Fraud

Here's a brief interview with Elliot Castro, a former credit card fraudster and now a consultant in the UK, discussing some of his tricks of the trade for Finextra, a British banking e-mail newsletter.

You'll notice that all of his techniques were simple social engineering traps. There wasn't a hacking tool in sight for miles, or kilometers, if you're outside the US.

Friday, October 24, 2008

Microsoft Emergency Security Fix

This is something we haven't heard about for a while and that came out of the blue. It's a vulnerability in a bunch of Windows systems that can be remotely exploited with a specially crafted RPC call.

What scared security researchers is that this could be exploited in a type of attack like the old Blaster worm of a few years back. These types of worms have been out of fashion lately as hackers have been targeting banking and e-commerce sites with phishing and other more targeted attacks.

This one even hit CERT. The original Microsoft bulletin for MS08-067 was followed with more details by posts on its MSRC and SVRD blogs.

The Windows versions affected are Windows 2000, Windows XP, Windows 2003 and, to a lesser extent, Windows Server 2008 and Windows Vista, according to Security Focus.

This one also made the rounds on the web sites of Symantec and Websense.

Thursday, October 23, 2008

Global Information Security Study

An annual information security report by PricewaterhouseCoopers says progress has been made in implementing security technologies, but companies still lack leadership and focus, in general, in their IT security programs.

The study, which is global in scope and the sixth conducted annually by PWC, said 10 percent of respondents had trouble answering basic questions about where they stored information assets, while 71 percent admitted they don't have an inventory of such assets, according to SC Magazine.

Compliance continues to be a key driver for security budgets and implementation, but a checklist mentality continues to be confused with real security.

"If there's a security tool out there," respondents tended to have it, CSO reported online.

While technology is important, it shouldn't be relied upon solely, and isn't a replacement for genuine leadership of security programs, the study concluded.

Monday, October 20, 2008

Tips on Preventing SQL Injection

This is an interesting paper that came out in September from Oracle about SQL injection. The problem is one of the OWASP Top Ten vulnerabilities as part of the family of attacks known as injection attacks.

Cross-site scripting (XSS) is also a type of injection attack but has its own category in the OWASP hit parade.

Bruce Schneier also mentioned the Oracle paper last week in his blog.

Friday, October 17, 2008

IRS Computers Full of Security Holes

The IRS has sensitive data about 130 million people filing tax returns. But their computer systems storing that data have inadequate security controls, according to a study by the Treasury Inspector General for Tax Administration in a report released in September.

The security issues run the gamut from inadequate access controls to a lack of auditing of privileged users to weak application security.

The study focused on the Customer Account Data Engine (CADE, for you acronym junkies who aren't US government employees), which is meant to streamline access to taxpayer data. I guess now that would also streamline access for hackers, as well.

The IRS was aware of the issues but didn't think they were important. Now, they do, and have agreed to work with the Inspector General's office to fix the vulnerabilities, the report says.

Thursday, October 16, 2008

Autumn 2008 Edition of 2600 on Newsstands

It seemed a bit early, but I happened to see the latest issue of 2600 on the newsstand this week, and snapped it up, as I do every three months.

As always, there's some good stuff in here. There are articles about Tor, cyberwar, Google Analytics, Blackhat SEO, pen testing and USB forensics.

Tuesday, October 14, 2008

Top Security Suites Don't Block Exploits

This shouldn't come exactly as a surprise, but according to a study by Secunia, a Danish IT security outfit, most security suites don't block exploits.

The reason, the study says, is that most security suites are still stuck in the old mode of using signatures to detect malware. Signatures take time -- even if only a few hours -- to develop and deploy, and they rely on having the malware handy for analysis.

The study recommends focusing on vulnerabilities rather than on malware payloads, which always follow along behind the hackers. Detecting the exploits of a vulnerability could catch multiple pieces of malware at once and is more efficient.

Sunday, October 12, 2008

New Features in User Provisioning Products

My article on TechTarget's SearchSecurity web site about new features in user provisioning products came out this week.

User provisioning is a pretty basic technology, but expect advances in the future with the growth of technologies like virtualization and Software as a Service (SaaS). Both of these present challenges to traditional identity and access management systems overall, and to user provisioning in particular.

Saturday, October 04, 2008

Massive Site Compromise

A security researcher has uncovered administrative login credentials for over 200,000 web sites, according to a report Friday in Computer World.

Ian Amit, security research director at Aladdin, said the sites included the US Postal Service and Fortune 500 companies. He wouldn't disclose any site names other than that of the USPS.

Amit found the logins on a server compromised by Neosploit, a hacker tool kit used by cybercriminal gangs.

Thursday, October 02, 2008

Malicious Pop Ups Still Fake Out Users

According to a recent study, even well-informed users, who should know better, can be caught by malicious pop-up windows.

The screen shots in the study, conducted by a group of psychologists at North Carolina State University in Raleigh, show some pretty impressive fake pop-ups.

Now, remember, these aren't phishing sites. They're web sites designed to look like error messages packed in error-sized windows. Clicking on the "x" in the upper right hand corner of the window prevents redirection to a malicious site.

Clicking on "OK," as many study participants did, well . . . who knows what evil lurks.