Thursday, February 28, 2008

Second Edition of Hacking Art of Exploitation

This fantastic little book -- actually not so little anymore at 488 pages -- is a real gem for the serious code geek, or those in search of their inner code geek.

Hacking: The Art of Exploitation by Jon Erickson came out recently in its second edition. There's now a companion CD and the book has been expanded.

This is real serious stuff for the security professional that wants to dig deep into the guts of application security. There's no other book like it. Kudos again to No Starch press for another outstanding publication.

MySpace Link Hack

Websense has uncovered a new phishing attack against MySpace in which users are directed to a bogus web site from malicious links in MySpace profiles.

This attack is interesting because it bypasses the malicious link filter in MySpace, according to SC Magazine.

This is another example of the difficulty in Web 2.0 of controlling content users can now upload to web sites. Not everybody uploading posts to a site with Web 2.0 technologies is a saint. Imagine that.

Finjan Finds Hidden Treasure

Internet security firm Finjan found a database this week holding the logon credentials for 8,700 FTP servers. Quite an evil stash to just stumble upon.

Details are in Computer World, eWeek and Finjan's Malicious Page of the Month for February 2008. Interested FTP server owners can contact Finjan if they suspect they've been compromised.

Media Hype Dept: Macs and Child Predators

Here are two thought-provoking items about how the media has overhyped some computer security threats.

In a post on his Computer World blog, Mark Hall cites some interesting numbers to put the threat of viruses against Macs into perspective. After boiling it down, he points out that the rate of infection remains small despite the growing popularity of Macs, and that even so, Mac market share is still under 10%.

Then there's this really in-depth post on David Pogue's blog in The New York Times about child predators on the Web. Like Hall's post on Mac viruses, he really puts the issue into focus.

Now, this doesn't all mean that there aren't Mac viruses or child predators on the Web. Nor does it discount these problems. It just goes to show that these security threats have to be put into perspective.

Tuesday, February 26, 2008

New Google Hacking Tool

A new hacking tool using Google was released last week by the Cult of the Dead Cow, a high-profile hacking group. The tool, Goolag, uses Google to scan for web sites with vulnerabilities.

The story was widely reported in Network World, Information Week and Computer World.

There was also some nice technical detail, as always, on the GNUCITIZEN site.

The Seven Layers of Security

This is an interesting article from Information Week about the seven layers of security used to protect Pacific Northwest National Laboratory, a government research laboratory.

Frankly, there's nothing new or brilliant here. It's basic IT security common sense -- encryption, awareness training, strong authentication and network segregation (he calls them enclaves).

But I like the presentation and think it makes a good quick handy guide for any information security professional.

Saturday, February 23, 2008

10 IT Security Tips for the New Prez

A group of cybersecurity experts convening at Black Hat this week in Washington presented a plan for the new administration about protecting the country's cyberinfrastructure.

The group said this issue is no longer a luxury the government can ignore.

Here are another 10 tips for the new president, whoever that will be, from eWeek in one of their famous slideshows.

D&T Study Says Security is Worse Than You Think

A new study released by Deloitte and Touche, their second annual study of IT security at 100 major companies worldwide, says that a majority believe their security is better than it actually is.

Many believe they're better prepared than ever to deal with breaches while, according to the study, security budgets haven't increased. And, on top of that, most companies still don't have a coherent security strategy.

More details were in CSO this week.

Data Breach Notification Laws

Here's a nifty interactive map from CSO magazine about data breach notification laws state-by-state.

Just click on the state and a pop-up window gives you a brief snapshot of the laws for that state.

A more detailed list, in table form, comes from the law firm of Scott & Scott.

December Ask The Expert Answers Posted

My answers to the December Ask The Expert questions on SearchSecurity were posted this week:

What are the risks of connecting a Web service to an external system via SSL?
This question posed on 30 December 2007

What are the dangers of using radio frequency identification (RFID) tags?
This question posed on 24 December 2007

What should an internal support model for identity management look like?
This question posed on 11 December 2007

Biometrics vs. biostatistics
This question posed on 05 December 2007

CardSpace vs. user IDs and passwords
This question posed on 02 December 2007

I'm the resident ATE on identity and access management for SearchSecurity.

Tuesday, February 19, 2008

Google Report on Web Attacks

According to a recent report by Google, as many as one in 1,000 web pages carries malicious code or links to malicious code. The report, which called the majority of attacks "drive-by downloads," isn't really news. Web attacks are the hacker tool of choice these days as firewalls and networks have gotten tougher.

The report was compiled by Niels Provos, a senior researcher at Google, and some of his colleagues.

What's new is the scale of affected sites. What's not new, again, is that even good, clean, well-meaning sites -- not just porn -- can be seeded with malware. You're not safe even if you're cyberchaste and avoid porn, gambling or other vice and sleaze sites.

A post on Google's security blog noted that part of the problem is that 38% of the Apache and PHP versions seen are outdated. As a result, these web servers are susceptible to the types of injection attacks that dump malware onto their web sites.

Now, that said, there's always the possibility Google could tag a legitimate site as malicious. But, not to worry, Google has that covered too. They have instructions on what to do if they've fingered your site.

They also have an explanation of how they find sites with malware and some general tips on securing your web site.

Monday, February 18, 2008

New Security Features in Firefox 3.0

The new release of Firefox 3.0, currently available in beta, will have new anti-malware blocking features. Basically, the browser upgrade will be able to detect and stop malicious pages from loading, according to Computer World last week.

For Mozilla security aficionados, there's also a security blog and Bugzilla, which tracks reported security bugs.

15 Top IT Security Pros

This is a short and sweet slide show from eWeek (they do a lot of these, by the way, on various security topics) about the top 15 movers and shakers in the information security world.

Among them, the only two I have ever come into contact with personally, in one form or another, are HD Moore and Mike Howard. I heard HD Moore speak at Black Hat last year in Las Vegas, and I actually met and spoke with Mike Howard at a book signing at RSA in 2006.

He was signing copies of his book, 19 Deadly Sins of Software Security, an outstanding little book about how developers can fix the most common security errors. He already had a copy of my book, The Little Black Book of Computer Security, and was polite enough to say that he had enjoyed reading it. My book had been passed to him at Microsoft by one of his colleagues just prior to my becoming an MVP.

Saturday, February 16, 2008

Video Tutorials -- Nmap and Netcat

I ran across this site the other day that has some neat videos with basic tutorials for Nmap and Netcat.

The site is run by, which offers training in penetration testing.

Wednesday, February 13, 2008

Hackers Hiding Browser Attacks

Hackers are hiding all of their web browser attacks, either through obfuscation techniques or encryption, according to a report by IBM's X-Force team.

Attacks are increasingly being aimed at browsers through JavaScript and PDF files, according to another post on the McAfee Avert Labs blog.

The full report from X-Force is here.
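Obfuscation of the kind the X-Force report describes tends to leave a few telltale marks in a script: calls such as eval, unescape and String.fromCharCode, long runs of escape sequences, lists of character codes, and higher-than-normal character entropy. The heuristic scorer below is an added example written for this post; it is not code from IBM, McAfee or any product, the three sample scripts are constructed (and harmless), and the indicator list, entropy threshold and flagging cut-off are assumptions chosen for illustration rather than tuned values.

```python
import math
import re
from collections import Counter

# Constructed sample scripts (not taken from the X-Force or McAfee posts).
# "plain" is ordinary code; the other two use the obfuscation styles the post
# mentions (escape sequences fed to eval, and a string built from char codes).
# Both decode to harmless strings.
SAMPLES = {
    "plain": "var total = 0; for (var i = 0; i < items.length; i++) { total += items[i].price; }",
    "escaped_eval": "eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%74%69%74%6c%65'))",
    "charcode_build": "var s=String.fromCharCode(104,101,108,108,111);document.write(s);",
}

# Assumed indicator set; a real detector would carry a much longer list.
SUSPICIOUS_CALLS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(")
# Four or more consecutive %XX, \xXX or \uXXXX escapes.
ESCAPE_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){4,}")
# Five or more comma-separated 2-3 digit numbers, typical of char-code lists.
NUMBER_RUN = re.compile(r"(?:\d{2,3}\s*,\s*){4,}\d{2,3}")
ENTROPY_THRESHOLD = 4.5  # assumed; bits per character
FLAG_AT = 2              # assumed; number of points needed to flag a script


def shannon_entropy(text):
    """Bits per character; packed or encoded payloads usually score higher."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def obfuscation_indicators(script):
    """Return the names of the obfuscation indicators present in the script."""
    found = []
    for call in SUSPICIOUS_CALLS:
        if call in script:
            found.append(call.rstrip("("))
    if ESCAPE_RUN.search(script):
        found.append("escape-sequence run")
    if NUMBER_RUN.search(script):
        found.append("charcode list")
    return found


def score(script):
    """Combine indicator count and entropy into a simple flag decision."""
    indicators = obfuscation_indicators(script)
    entropy = shannon_entropy(script)
    points = len(indicators)
    if entropy > ENTROPY_THRESHOLD:
        points += 1
    return {
        "indicators": indicators,
        "entropy": round(entropy, 2),
        "score": points,
        "flag": points >= FLAG_AT,
    }


if __name__ == "__main__":
    for name, script in SAMPLES.items():
        print(name, score(script))
```

A scorer like this is a triage aid, not a verdict: legitimate minified libraries also use escape sequences and fromCharCode, so hits should feed a review queue or a sandbox rather than block a page outright.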

ID Theft Declining In US

The annual costs of ID theft in the US dropped 12% in 2007 over the previous year, according to a report by Javelin Strategy & Research, as reported yesterday by Finextra, a financial technology web site.

The report attributed the decline to businesses raising consumer awareness of ID theft threats through education and spending more on online fraud detection systems. To avoid having their dirty work foiled, fraudsters are now turning to more traditional offline methods of committing fraud, such as bogus phone solicitations.

Russia Moving Up In Spam World

There was a dramatic rise in spam emanating from Russia in the fourth quarter of 2007, according to a study released this week by Sophos.

The US still holds the lead as the source of at least 21.3%, or one in five, of all the world's spam messages. But Russia jumped up into second place at 8.3%. That puts Asia and Europe combined as larger spam generators than the US alone.

Other key players were China, including Hong Kong, Brazil, South Korea, Turkey and Italy.

Tuesday, February 12, 2008

Two New TechTarget Articles

I had two new articles come out recently on TechTarget.

One was my projection for 2008 about access management, and the other was about how a small company can set up an information security department on a shoestring.

Sunday, February 03, 2008

Controversy About Windows Attack Code

An exploit uncovered on Jan. 8 involving a flaw in Windows TCP/IP has stirred a bit of a controversy among security researchers, some of whom have said it shouldn't have been posted publicly.

A Flash demo of the exploit was posted last week on Immunity Inc.'s web site. Details of the underlying flaw, covered by Microsoft bulletin MS08-001, are on Microsoft's site and in Computer World.

More on Societe Generale: Weak Oversight Common

Societe Generale isn't the only bank with controls but weak oversight, according to Wall Street & Technology. Many banks dole out access like candy and then don't patrol it later on.

It wasn't so much a knowledge of computers that allowed the rogue trader to beat the system, but his knowledge of operational controls and how to circumvent and abuse them.

Besides weak oversight, only eight percent of US and European banks even have automated systems to detect the type of identity-shielding techniques used by the trader.

Saturday, February 02, 2008

Brits Taking Cybersecurity More Seriously

Online shoppers in the UK are taking security more seriously, according to a study released this week by CyberSource, an e-payments processor.

The results published in Finextra, a British banking news site, said users were paying closer attention to web sites to see if they're legitimate.

The Super Bowl and Wireless Security

For all you Super Bowl fans tomorrow -- and that means just about everybody in the US -- this is a great story from CIO magazine about wireless security at the big game.

Funny thing: until I read this article, I didn't realize how many wireless devices there are at the game. In fact, I didn't realize, either, how many things can go around and how many opportunities there were for virtual mayhem and mischief.

Besides football web sites, like the one compromised last year, wireless devices are used by coaches to communicate. Besides a possible Denial of Service (DoS) attack, there's also the possibility of manipulating game results, affecting millions of dollars in wagers and bets.