President Obama and Information Security

President Obama has released an information security plan on the White House web site. The plan is based on recommendations made in December by the Commission on Cybersecurity for the 44th Presidency.

This couldn't happen too soon, as a security breach was reported on one of the president's web sites today.

The plan calls for the following:

• Strengthen Federal Leadership on Cybersecurity
• Initiate a Safe Computing R&D Effort and Harden our Nation's Cyber Infrastructure
• Protect the IT Infrastructure That Keeps America's Economy Safe
• Prevent Corporate Cyber-Espionage
• Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit
• Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches

As part of the effort to strengthen federal leadership, Obama will be picking a new national cyber adviser, reporting directly to him. More details and commentary are on the Brian Krebs Security Fix blog and in SC Magazine.

Monster Job Board Breached Again

In an attack reminiscent of a breach 18 months, the job site Monster.com has been breached again. Exact numbers of those affected aren't clear, but apparently no financial information was taken. But it appears other personal information -- user IDs, passwords, names, e-mail addresses, phone numbers, sex and ethnicity -- were harvested by the intruders.

The incident was first posted on Monster and reported last week.

Though the information isn't financial in nature, and might appear innocuous on the surface, phishers can craft carefully targeted -- and more believable -- attacks.

Monster offers tips on its Security Center web site.

Building a Better CAPTCHA Mousetrap

CAPTCHA, a system used for blocking spam bots from posting to blogs and web sites, has come under fire in the past year. Systems used by Yahoo, Hotmail and Gmail were cracked last year, making it less attractive to use on e-mail and web sites.

But, in this interesting article in Computer World, CAPTCHA seems to be making somewhat of a come back with some innovative new approaches. Rather than just capture scrambled letters, new systems use word matching and images.

The article traces the history of capture through its cracking to present day developments, including reCAPTCHA, SQ-PIX and ALIPR, among others.

CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart.

Clever Anti-Phishing Education Tool and More

With all the news reports -- in both the mainstream and trade media -- about the dangers of phishing, it would seem people would have caught on by now. They should know better than to reply, let alone open, e-mails from unknown senders, especially with weird or dubious names.

Not so, according to a research report on the weakness of security awareness by Cisco, as reported by M.E. Kabay in his Security Strategies Alert column in Network World. But, all is not lost, according to Kabay, who mentions a training system called PhishGuru, which simulates phishing attacks but educates rather than hooks users.

Along the same somber note, Websense in its report, The State of Internet Security, for the second half of 2008 paints a bleak picture of legitimate sites being compromised, according to SC Magazine. This isn't news but the sites studied included common every day sites and not just bizarre ones hosted in China or Russia.

Microsoft and Other Advice on Fighting Downadup

Microsoft has updated its Malicious Software Removal Tool (MSRT) to remove Downadup, also called Conficker, and its variants, a particularly nasty worm that has spread recently to around nine million PCs worldwide.

I first reported on the attack yesterday, mentioning that systems a patch released by Microsoft in October (MS08-067) would have been protected. Details about the worm, and how to protect your PC, are on the Microsoft Malware Protection Center and Computer World web sites.

The worm exploits a flaw in the Windows Server service (svchost.exe), allowing remote execution of malicious code on boxes with file sharing enabled.

Interestingly, SC Magazine reported the first variants of Conficker were programmed to avoid targets in the Ukraine, where the alleged malware writers are located, to hide from local law enforcement, by detecting the keyboard layout. Later versions of the worm don't discriminate in who they attack.

IRS Flunks Second Government Security Review

In a second review of the Internal Revenue Services's Modernized e-File system, this time by the General Accountability Office, the 13 vulnerabilities cited in 2007 have yet to be fixed. The system went into production in January 2007 despite the vulnerabilities, which were to have been corrected based on the findings of an earlier government audit.

The report noted that the IRS remains a juicy target for identity thieves because of the large volume of personal data, including Social Security Numbers, which it stores on its systems, including MeF. Interestingly enough, most of the issues cited in the report revolve around inappropriate access controls and logging, which has allowed IRS employees to snoop around in the tax records of celebrities.

For those of you in the US, who may not be celebrities but are still getting ready to file their taxes and want to protect their financial privacy from nosy IRS employees, this is something to think about.

US Data Breaches Up 47% in 2008

The sad part about these statistics is that nothing much changed in 2008 over past years in terms of the type of victims and types of breaches committed. There were just more of them -- 47% more over 2007-- according to an annual study recently released by the Identity Theft Resource Center and reported by Finextra, a British financial industry newsletter.

The ITRC noted that the financial sector continued to be hit the most -- no surprises there -- but that government fell down to third place. The biggest source of breaches continued to be malware attacks, hacking and insider theft. Human error type breaches, such as loss of data on the move and accidental exposure, were down but still enough to be of concern.

Links to more reports, including the breach list and breach statistics, are on the ITRC site.

Windows Worm Hits Nine Million PCs

Here's a lesson in why it's important to keep up to date with patches, particularly on Windows machines. The Downadup worm infected 9 million PCs within four days last week. A patch released by Microsoft in October for MS08-067 hasn't been installed on a third of Windows systems, according to InfoWorld.

The patch would have supposedly protected against the attack from having been so widespread. Here are some details about the original vulnerability, when it was uncovered last October.

Ten Tips and More for Safe Social Networking

Here are ten tips for safe social networking from the ThreatChaos blog. This is a real nice comprehensive list of best practices for safely navigating LinkedIn, Facebook and Twitter. The post was inspired by the recent Twitter hack.

Here are some more tips from Bill Brenner of CSO. His tips are less technical and more common sense about safe browsing when going down the "real neighborhoods" of social networking sites.

The top ten from ThreatChaos are the following:

1) Email verifications
2) Captachas for sign up
3) Lock out the user after X failed login attempts
4) Password strength
5) Create an abuse hotline
6) Rate limits
7) Firewalls and IPS
8) DNS
9) Worm defense
10) Communicate in case of disaster

These are some more suggestions from Microsoft about protecting privacy in online communities and in online directories.

Top 25 Most Dangerous Programming Errors

SANS released a few hours ago on its web site a list of the top 25 most dangerous programming errors. Application security aficionados will recognize some of these issues from the infamous OWASP Top Ten.

The SANS list is the result of a collective effort by 30 cybersecurity organizations from around the world. The site also has links to resources for fixing the issues.

Predictions for Enterprise Attacks in 2009

Here's a few brief thoughts on the outlook for attacks against the IT systems of enterprises this year. In this article on SearchSecurity by John Strand, he points to some exploits that are just twists of what is already out there.

Strand sees the return of operating system attacks, possibly linked to web attacks, like cross-site scripting (XSS), more strains on anti-virus products with easily crafted and undetectable exploits from Metasploit 3.2 and the continuation of wireless attacks.

He also suggests limiting web access to employees, since most breaches of corporate networks are through malware from sites accessed by staff. The web vector, he says, continues to be the easiest way to skirt even the toughest of corporate IDS and firewalls.

Profits from Phishing Are Way Down

Once a popular and easy way to commit cybertheft, phishing isn't bringing home the bacon as it once did, according to a recently released study by two researchers at Microsoft.

Put in more down-to-earth terms by SearchSecurity, phishing has become a commodity with too many players in the market driving down prices. The amount of work and the cost of setting up a phishing site now outweigh the money made from selling the stolen credentials in the cyberunderworld.

Social Network Security: LinkedIn and Twitter

Social networking sites are on the radar for attackers these days. In two separate but unrelated incidents both Twitter and LinkedIn were recently hit.

But it's interesting to note the big difference between the two attacks. In the Twitter case, according to bMighty, dozens of legitimate accounts were compromised, including that of President-elect Barack Obama. The bMighty article also gives some security tips for using Twitter.

In the LinkedIn case, the site was seeded with bogus profiles laced with malware. Victims were lured to the profiles, which were alleged to be of celebrities, unlike on Twitter, where login credentials of victims were caught by phishing web sites.

Some Thoughts on Cloud Computing Security

This is an interesting article by George Hume from InformationWeek's Security Weblog about security issues around cloud computing.

Here are some of his thoughts and questions on the issue:

What about making sure the data is segregated? If you need to be compliant with any one of the myriad of government and industry regulations, encrypting files without segregating them just doesn't cut it. Besides, you just don't want your high-value data to be co-mingled with your low-value data. Do you? Properly segregating data is something you'd want to do anyway.

Then there's the issue of in what country your data will reside. That's right: There are regulations in many countries that forbid certain types of protected data to actually leave the physical boundaries of a country.

What about having the ability to validate how your cloud provider keeps data secure? Or, even for the ability to independently audit their policies and processes?

What about the background of the employees and administrators hired by the cloud provider?

Who will actually have access to your data? Even if it's encrypted, it can still be lost, destroyed, or your access to it cut. How does AES help you there?

What about your business continuity and disaster recovery plan?

What about data-loss prevention from the cloud?

How will your business manage identity and access management to cloud-based applications and data?

What about the fundamental security of the application code your cloud provider is using? I don't think buffer overflows and data injection attacks -- and all of the other application-based challenges we still haven't solved -- will just vaporize in the cloud.

Ten Steps to Vista Security

Here's an interesting article in Computer World about securing a Windows Vista PC in 10 steps:

1. Use Windows Security Center as a starting point
2. Use Windows Defender as a diagnostic tool
3. Disable the start-up menu
4. Get two-way firewall protection
5. Lock out unwanted guests
6. Now audit your attackers
7. Secure your Internet Explorer settings
8. Use OpenDNS
9. Live with User Account Control
10. Check your work

More SMB Security But Fewer Security Jobs

A report recently released by Forrester says security spending at SMBs will be up, but it won't be followed by a corresponding increase in headcount.

The report says spending for companies with fewer than 1,000 employees will go up a full percentage point in 2009 from 9.1% of their IT budgets in 2008 to 10.1%.

The bulk of spending will be on data protection tools, such as intrusion prevention systems by 20% of respondents, endpoint controls by 17% and data encryption, including both full disk and file encryption.

An excerpt of the report is available from Forrester.

Recent SSL Exploit Not Earth Shattering

The big hype over a crack in SSL is way overblown, according to Tom Olzak in this excellent blog post on TechRepublic.

He said the real issue, as has already been publicized, is the weakness in the MD5 hash algorithm used for creating some certificates. The weakness of MD5 has been known for a few years and has already been abandoned by most Certificate Authorities, in any case.

Two New Interesting Web Sites and Blogs

What a great way to start out the new year -- finding two new web sites and blogs about IT security. Both deserve to be watched and read regularly.

One, from DarkOperator, is a blog, called Techie working in a corporate world, that has been around since 2007 with a companion web site listing some of his testing scripts.

The other, just launched by Valsmith, is Attack Research, which specializes in malware research, also with an accompanying blog.