Tuesday, December 30, 2008

TechRepublic's Best of IT Security in 2008

TechRepublic recently listed its top five blog posts about IT security for 2008. Some of them are pretty basic stuff any security professional worth their credentials should know.

But here they are, in any case, as a reference:

1) How to spoof a MAC address
2) List open ports and listening services
3) Help users create complex passwords that are easy to remember
4) How do you keep your sys admins from stealing company secrets?
5) What to do about RFID chips in your wallet

Saturday, December 27, 2008

DHS Cites Cyberterrorism Threat in Report

In an intelligence assessment obtained by the Associated Press, cyberterrorism is listed as one of the security threats facing the country through 2013.

The report cites the growing availability of hacking tools, so that "youthful, Internet-savvy extremists might apply their online acumen to conduct cyber attacks rather than offer themselves up as operatives to conduct physical attacks."

Not surprisingly, it also says Al-Qaida would like to conduct cyberattacks that would cripple the US economically, but doesn't have the technical ability. On the other hand, it could hire others to conduct the cyberattacks on its behalf. But counterterrorism expert Frank Cilluffo, head of the Homeland Security Policy Institute at George Washington University, told the AP that such a cyberattack wouldn't cause the desired mass destruction or media attention.

Instead, Cilluffo said, Al-Qaida will probably continue to use the Internet as a platform for disseminating its message.

Deming's Quality Standards Applied to IT Security

Quality guru W. Edwards Deming's principles for quality are usually only thought of for industrial production. But this post by Branden Williams on his VeriSign blog cleverly applies Deming's 14 points to IT security.

He compares the Deming Cycle to the Systems Development Life Cycle, where progress is made through continuous improvement. He calls security a type of quality, which can't be measured just by the number of successes and failures -- a common security metric these days -- but as a process for improvement.

Wednesday, December 24, 2008

A Look at the Credit Card Theft Underground

This is a fascinating article in the recently-released January issue of Wired magazine about the credit card theft and fraud underground. It's the story of the rise and fall of a completely criminal -- and quite technically sophisticated -- business enterprise.

Unlike the print version, which I just picked up, the online article has a video with Detective Bob Watts of the Newport Beach PD, telling how some of it was done, complete with card pressing and embossing equipment. The machines were used to press real cards from the stolen data.

The article also has a link to another video on the Identity Theft Secrets web site about CardersMarket.com, one of the web sites used in the criminal venture.

And while we're on the subject of credit card security, here are five tips from SC Magazine for successfully complying with the Payment Card Industry Data Security Standard (PCI DSS). Besides being required for any business involved with credit cards, PCI compliance is one big step in protecting against credit card crime.

Tuesday, December 23, 2008

New SQL Server Zero-Day

Microsoft issued an advisory Monday about the public release of exploit code for a SQL Server vulnerability discovered earlier this month.

The issue could allow an attacker to remotely execute code on a compromised server through SQL injection.

Details are on the MSRC blog and were published today in an article by TechTarget. The vulnerability was discovered by security researcher Bernhard Mueller of SEC Consult.
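The advisory's point is that the server-side flaw is reachable only through SQL injection, so closing the injection vector is the first line of defence. The following is an added illustration, not code from the advisory or from SEC Consult, and it uses Python's built-in sqlite3 module as a stand-in for any database: the same string-built query versus bound parameters applies to SQL Server. The table contents and the hostile input are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demo (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_unsafe(conn, name):
    # The defect: the caller's string is pasted into the SQL text, so any
    # quote characters in it change what the statement means.
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # Hardened form: the statement text is fixed and the value travels as a
    # bound parameter, so the input is compared as data and never parsed.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups with a normal and a constructed hostile input."""
    conn = make_db()
    normal = "bob"
    hostile = "x' OR '1'='1"  # constructed tautology input, widely documented
    return {
        "unsafe_normal": find_user_unsafe(conn, normal),
        "unsafe_hostile": find_user_unsafe(conn, hostile),
        "safe_normal": find_user_safe(conn, normal),
        "safe_hostile": find_user_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The unsafe lookup returns every row for the hostile input because the quote in the input terminates the string literal and the rest becomes part of the WHERE clause; the parameterised lookup returns nothing, because no user is literally named `x' OR '1'='1`. Any stored procedure or server feature reachable through a statement built this way inherits the same exposure.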

Some Security Christmas Cheer

These two spoofs on security with Christmas themes are very clever and in the spirit of the season:

The Twelve Days of Audit

Twas the Night Before DR

Of course, you have to be a little twisted to enjoy these. But then being a little bit offbeat is what being in security is all about.

Cybersecurity During the Holidays

It's that time of year again -- for mistletoe and shopping -- not necessarily in that order. And, rather than fight the cold and snow, which has come back in force around the US, shopping online saves time and aggravation on the roads.

Here are some tips, none of which are new, from SecureWorks for shopping online safely. They're all variations on the theme of watching out for ways malware can be dumped on your system.

  1. Be wary of holiday gift cards and holiday coupon offers sent via e-mail—these often have malicious links within the offer which lead to downloads of info-stealing Trojans or the hackers try to scam you out of your bank account information.
  2. When visiting your favorite online retailer to purchase gifts, be sure to type the actual Web site address of the retailer into your browser. Do not follow links provided by e-mail offers or pop up ads. Many times these are fraudulent sites made to look like the legitimate retail sites.
  3. When making online purchases, always use a credit card that limits your fraud liability. Avoid using debit cards to do online purchases when possible so as to limit your personal exposure to any possible fraudulent transactions.
  4. When making online purchases, always look at your Web browser for the https (as opposed to http) protocol that precedes a Web address. The “s” lets you know that the Web site is providing a layer of security for transmitting your personal information over the Internet.
  5. Be wary of unsolicited e-mails, even from senders that you know, that include links or attachments. Before clicking on links or attachments, ALWAYS verify that the correspondent sent you the e-mail and enclosed link or attachment.
  6. Be wary of e-mails notifying you that your banking certificate or token is out of date and to download a new certificate or token. Before taking any action, verify with your financial institution by calling them on a number that is not provided in the email.
  7. Avoid using simple (weak) or default passwords for any online site.

Have a safe and Happy Holiday Season!

Friday, December 19, 2008

US Unprepared for Cyberwar

This is a recurring theme about the US being unprepared for a cyberattack. It's also been the subject of some debate, since there are a lot of questions about what exactly constitutes cyberwarfare. Some cite the attacks on Estonia's and Georgia's Internet infrastructure by Russian sympathizers as examples of such attacks.

What's clear after a two-day cyberwar simulation is that vital computer networks in the US are vulnerable to a major hostile attack, according to this report on Reuters. Representatives of 230 government defense and security agencies, private companies and civil groups participated in the simulation, which had breakdowns in leadership, planning, and communications.

I think the key point that gets overlooked -- but was cited in the article -- is that a cyberattack wouldn't be an end in itself. It would be part of "softening of the target," as they say in the military, as a prelude to a traditional physical attack with conventional weapons, according to Homeland Security Secretary Michael Chertoff in a post-simulation briefing.

Thursday, December 18, 2008

Web Attacks: AMEX, Facebook XSS, Clickjacking

Cross-site scripting (XSS) is nothing new and affects many web sites, but American Express and Facebook were reported hit this week in separate incidents.

The Register reported the American Express issue and detailed a lot of bureaucratic foot-dragging that prevented it from getting fixed right away. The Holistic Security blog had some more details, but neither posting explained exactly what happened other than to say the exploit could have led to the theft of login credentials by cookie hijacking.

The XSS vulnerability on Facebook was posted on xssed, a blog dedicated to uncovering XSS exploits. Details are in The Register and SC Magazine.

In another, all-too-common web exploit, called clickjacking, links to malicious code are embedded in Flash on banner ads. This article by John Strand on SearchSecurity does a nice job of explaining clickjacking, how it differs from XSS and a related exploit, cross-site request forgery (XSRF), and how it can be prevented by appropriate web usage policies rather than by implementing a technical control.

The idea is that if an employee is visiting a non-work related web site, they could be penalized for wasting time web surfing, an activity prohibited by the company's security policy.
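The American Express and Facebook items above come down to one mechanism: script injected into a page reads the session cookie and the attacker replays it. As an added example (not code from any of the articles linked above, and not tied to either site), here is the defensive side in Python using only the standard library: entity-encode untrusted text on output so the browser never interprets it, and mark the session cookie HttpOnly so page script cannot read it even if encoding is missed somewhere. The comment text and cookie value are constructed for the demo.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: text a user submitted to a profile "comment" field.
# The script tag is a benign marker used to show the rendering difference.
USER_INPUT = '<script>alert("x")</script>Hello'

PAGE_TEMPLATE = "<html><body><p>Comment: {comment}</p></body></html>"


def render_unsafe(comment):
    # Untrusted text dropped into HTML verbatim: the browser parses it as
    # markup, which is the XSS condition.
    return PAGE_TEMPLATE.format(comment=comment)


def render_safe(comment):
    # Output encoding: <, >, &, and quotes become entities, so the text is
    # displayed rather than executed.
    return PAGE_TEMPLATE.format(comment=html.escape(comment, quote=True))


def contains_live_markup(page, user_text):
    # Simple defender check for a rendered page: is the user's raw text
    # still present with its angle brackets intact, and does it carry a
    # script tag?  True means the encoding step was skipped.
    return user_text in page and "<script" in page.lower()


def session_cookie_header(session_id):
    # HttpOnly: document.cookie cannot read it, which blunts cookie theft
    # through XSS.  Secure: sent only over HTTPS.  SameSite=Strict: not
    # sent on cross-site requests, which also helps against XSRF.
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id
    cookie["sessionid"]["httponly"] = True
    cookie["sessionid"]["secure"] = True
    cookie["sessionid"]["samesite"] = "Strict"
    cookie["sessionid"]["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()


if __name__ == "__main__":
    print("unsafe:", render_unsafe(USER_INPUT))
    print("safe:  ", render_safe(USER_INPUT))
    print(session_cookie_header("constructed-session-id"))
```

Neither measure replaces the other: encoding stops the script from running at all, while HttpOnly limits what a script can take if one does run. The `contains_live_markup` check is the kind of assertion worth running in a test suite against every template that renders user-supplied text.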

Wednesday, December 17, 2008

Microsoft Emergency IE Patch Now Available

Here are the eagerly awaited details from TechNet with patches for Microsoft's critical Security Bulletin MS08-078 with links to affected versions of Internet Explorer.

Technical details are on Microsoft's Help and Support site.

Cyberattacks Looking More Like Legitimate Traffic

According to Cisco's recently released annual report, there was a 90 percent increase in cyberattacks originating from legitimate domains during 2008.

The following are some other highlights of the report:

  • Spam accounts for nearly 200 billion messages each day, which is approximately 90 percent of email sent worldwide
  • The overall number of disclosed vulnerabilities grew by 11.5 percent over 2007
  • Vulnerabilities in virtualization products tripled to 103 in 2008 from 35 in 2007, as more organizations embraced virtualization technologies to increase cost-efficiency and productivity
  • Over the course of 2008, Cisco saw a 90 percent growth rate in threats originating from legitimate domains; nearly double what the company saw in 2007
  • Spam due to email reputation hijacking from the top three webmail providers accounted for just under 1 percent of all spam worldwide, but constituted 7.6 percent of all these providers' mail

Computer World also had some other interesting comments.

More Internet Explorer Security Woes

Flaws in Internet Explorer aren't news, but this one has a lot of people in a tailspin. It's also reached mainstream media outlets, like the BBC.

Microsoft is expected to release a patch and an update to its Advisory 961051 later today. The original advisory said about 0.2% of web sites worldwide were affected, including some porn sites (what else is new?) and less nefarious sites like a Taiwanese search engine.

The exploit allows remote code execution and drops a password-stealing Trojan on a user's desktop, according to this note from the SANS Internet Storm Center.

Thursday, December 11, 2008

Details About Internet Explorer 7 Zero-Day Exploit

This is a nice rundown by HD Moore, with all the juicy technical details, of the recent zero-day exploit against Internet Explorer 7. The exploit, inadvertently released by Chinese researchers, involves how IE7 handles XML.

Other details, technical and otherwise, are on the Symantec, MSRC and SearchSecurity's Security Bytes blogs. Microsoft issued its Security Advisory 961051 yesterday.

Networking Security Seven Deadly Sins

These seven security points for networks are pretty basic. But, as fundamental as they are, they still need to be repeated. This nice little piece from CSO sums it up:

1. Not measuring risk
2. Thinking compliance equals security
3. Overlooking the people
4. Too much access for too many
5. Lax patching procedures
6. Lax logging, monitoring
7. Spurning the K.I.S.S.

Cybersafety Tips for the Holidays from the FBI

This seems to be an annual event, but scammers keep coming back for the holiday festivities. The FBI, in this recent press release, wants to make sure they don't enjoy the party.

  • Do not respond to unsolicited (spam) e-mail.
  • Do not click on links contained within an unsolicited e-mail.
  • Be cautious of e-mail claiming to contain pictures in attached files, as the files may contain viruses. Only open attachments from known senders.
  • Avoid filling out forms in e-mail messages that ask for personal information.
  • Always compare the link in the e-mail to the link that you are actually directed to.
  • Log on to the official website, instead of "linking" to it from an unsolicited e-mail.
  • Contact the actual business that supposedly sent the e-mail to verify if the e-mail is genuine.

Here are some additional comments from Paul Korzeniowski of Information Week's bMighty.

Wednesday, December 10, 2008

Obama and Cybersecurity: Not Just His Blackberry

The security issues swirling around President-elect Barack Obama's BlackBerry are only a precursor of the many cybersecurity problems he's likely to face when he takes office in January.

A study released Monday by the Commission on Cybersecurity for the 44th Presidency recommended that Obama create a National Office for Cyberspace. The 94-page report equates online espionage and incursions into the country's networks to nuclear proliferation and terrorism.

It called cybersecurity "one of the most urgent national security priorities facing the new administration."

The commission was organized by the Center for Strategic and International Studies to create a cyberspace policy because of recent breaches of government systems by state-sponsored intruders.

Monday, December 08, 2008

Security Stupidity and Cell Phones

Here's a tidbit from CSO online about how mobile phone users don't securely use their phones. The issues run the gamut from physically securing the devices themselves to unsafe browsing -- just the same types of things users are warned against on their desktops.

1) Disabling the lock feature on the phone
2) Keeping information that could compromise company security in "plain sight" on the phone
3) Opening an application from an unsecured/unknown source
4) Using the phone to access dangerous/risky Web sites and Internet locations
5) Leaving the device open to access

Cybersecurity Plan for Obama

Here's a five-step plan from Computer World on key cybersecurity issues for President-elect Obama's new administration:

1) Secure the Web apps
2) Wipe the dust off older regs
3) Demand better security training
4) Build a great cyberwall (against China and others)
5) Give someone control (and make them accountable)

And, here's Obama's own plan from his web site.

Credit Card Numbers Top for Theft

This shouldn't come as any big surprise, but credit card numbers are the number one commodity sought by online fraudsters, according to a report by Symantec, as reported by the BBC.

The article ranks the top 10 items desired by online crooks. Credit card numbers are the most popular because they're not only easy to steal but also easy to market through underground networks.