The IT Security Guy

Digital Pickpockets on TV

2011-11-04T10:21:00.003-05:00

I appeared on a TV program last night about so-called "digital pickpockets," who skim and clone credit cards. The program also had a demonstration of how card numbers can be sniffed from RFID cards right from people as they walk down the street.

Besides punching a hole in your credit card to remove the RFID chip, as the reporter dramatically showed at the end of the program, the best ways to protect your credit card are still the old-fashioned way -- frequently checking your credit card statements, keeping your card within eye sight and being careful where you use your card.

TV Appearance -- Again

2011-03-02T19:03:00.002-06:00

I was interviewed briefly on local television about ATM security. Thieves were allegedly using a master code to steal from ATM machines. The victim, in this case, was the machine, not individual accounts, since the alleged crooks used the code to pilfer the contents of the ATMs and not the accounts of individual credit or debit card holders.

My last television appearance was in 2009, also on a local station, about my book, The Little Black Book of Computer Security, Second Edition.

Remember Infected Floppies? Now They're USB Devices

2010-08-27T14:04:00.002-05:00

Remember the good old days when you could get virus infections through infected floppy disks? That was long before there was a Web, or an Internet, available to the average person. Well, now, those infected floppies, tossed away long ago in the trash, have been replaced by USB devices, according to Computer World.

Quoting the 2nd International Security Barometer report from Panda Security, a quarter of worm infections are spread through portable storage devices. The study of 10,000 small- and medium-sized businesses said 27% of attacks by malware were found to have originated from USB devices.

Among those victimized by USB-laden malware have been the U.S. military, which was hit when an infected USB drive was plugged into the U.S. Central Command's (CENTCOM) network, which is the regional command for the Middle East, including Iraq and Afghanistan.

Another USB thumb drive loaded with W32.SillyFDC, a low-risk worm, burrowed into both classified and non-classified military networks in 2008, in what is being described as the most significant breach of U.S. military computers.

In the private sector, the Stuxnet worm, which was aimed at PCs used in large-scale industrial control networks, was discovered in July to have also been spread by USB drives, according to a report from Computer World.

Protection can be found using Panda USB Vaccine, a free download for preventing infections on USB devices.

Cyberduped by Fake Sexy Cybergeek

2010-07-22T18:35:00.003-05:00

This is another one about the perils of not being careful when using social networks. A security researcher set up a series of fake Facebook, LinkedIn and Twitter accounts, bearing information and a seductive mug shot of a young lady, posing as a Navy cyberthreat analyst.

The fictitous flirty little Sage, as the dupe was called, established links with around 300 - mostly men, not surprisingly, but also some women - in the U.S. military, intelligence and information security communities. Some of her new found "friends" even considered offering her a job, according to this story in Computerworld.

Interestingly, the flesh honeypot wasn't able to attract any attention from either of the two top notch schools - MIT and St. Paul's, a New Hampshire prep school - listed on LinkedIn to demonstrate her high educational pedigree.

It seems the prep schools were a bit more choosy in who they friend. "One of the things I found was that MIT and St. Paul's [prep school] were very cliquey. If they don't remember seeing you, they are not going to click. You had less of a chance of penetrating those groups than the actual intel and security communities," Thomas Ryan, the real person behind the phony social networker, was quoted as saying.

The lesson is simple and obvious: If you don't know them personally, don't friend them. No matter how cute, knowledgeable or well-educated they appear. Matahari has now moved to cyberspace.

Hackers Hit YouTube XSS Flaw

2010-07-05T09:08:00.002-05:00

YouTube was attacked yesterday by hackers using a Cross-Site Scripting (XSS) vulnerability on its web site. Press reports indicate the flaw was fixed by Google, YouTube's owner, within a few hours.

The flaw apparently allowed the attackers to post JavaScript code in the comments section of videos. The attack redirected users looking for videos of Canadian singer Justin Bieber, alleging falsely that he was killed in a car accident. Twitter tweeted away that YouTube was hit by a virus.

Some more technical details were reported on Techie Buzz, and the Internet Storm Center at SANS mentioned the exploit could steal the cookies of YouTube users, which they said wouldn't be of much value.

iPad Security Breach Exposes 114,000 E-mail Addresses

2010-06-10T06:30:00.002-05:00

A security breach on AT&T's web site allowed a group of hackers to snarf up 114,000 e-mail addresses from unsuspecting iPad users, according to The New York Times. AT&T said that it has already closed the whole, but the question remains of why they stored such information on a publicly accessible web site in the first place.

While stolen e-mail addresses by themselves aren't of much use, other than to add to spam mailing lists, the hacking group, Goatse, was also able to get the ICC-ID of iPads. The ICC-ID is a unique identification number for the iPad. AT&T denied the ICC-ID could be used for anything other than getting an e-mail address, but some security experts cautioned it could still possibly lead to find the device's location.

Technical details of the breach were reported by Gawker, which said it involved spoofing the User-agent in the header to make AT&T's servers respond to a request from a PHP script for harvesting the data.

Never Met a Facebook Page I Liked

2010-06-01T14:54:00.002-05:00

If you like this Facebook page, as described in recent post on Graham Cluley's Sophos blog, you're going to get hit by a clickjacking Trojan. The Likejacking exploit, as Network World and Richard Cohen at Sophos calls it, attracts users by a suggestive message -- very similar to other social-engineering tricks -- and then redirects users to a page that downloads the Trojan, which replicates the suggestive messages to all the victim's friends.

According to Sophos, the Troj/IFrame Trojan just replicates virally through Facebook pages and doesn't appear to steal user credentials. It just forces users to "like" a Facebook page, as the social-networking site calls it, without the user's knowledge.

Interestingly, the blog post, which has technical details about the exploit, advises users to join the Sophos page on Facebook to get alerts about other security threats.

A Guide to Google Privacy

2010-05-27T14:55:00.002-05:00

This is an interesting guide to securely using Google from Computerworld. The so-called "smart paranoid's" guide can be basically boiled down to two general protections.

The first protection is a series of tips for cleaning up your Google history and other trails left while logged into your Google account, for example, to read your Gmail or use any of the growing range of Google applications.

I know what you're thinking. So, why not just log out of your Google account when browsing? That sounds pretty obvious. Won't that protect you from Big Brother Google? Not exactly. Even if you're searching without a saddle, Google can track your whereabouts with the usual suspects: IP address, browser settings and User-Agent settings, all sent by default over the Web.

The suggestions, in this case, are to use any of the commonly known proxies, such as Tor, or similar tools referenced in the article. Another suggestion is to use the private browsing features on Internet Explorer or Chrome, for example, and remove all cookies and caches after browsing.

Along the same lines, a sneaky phishing attack using the multiple tabs on browsers -- which the major browsers now, such as IF, Firefox and Chrome. This attack works behind the curtains while a user is browsing. The phisher changes the web site under an open tab, without changing the tab title, which redirects the user after the come back to the tab from another tab. Network World revealed a fix for what they called the "tabnapping" attack.

And, then Google just unveiled its brand new encrypted search feature.

CAPTCHA Cracking: Nice Work, If You Can Get It

2010-04-27T20:49:00.004-05:00

This story in The New York Times about people being paid to fill in CAPTCHAs is as much about IT security, as it is about working conditions in the developing world. According to the article, people in India, China and Bangladesh, among other developing countries, are being paid between the equivalent of 80 cents and US$1.20 for each 1,000 deciphered boxes.

CAPTCHAs are those funny sets of numbers and letters set every which way and embedded in an image in a box at the base of some e-mail, and login pages, to prevent automated bots and scripts from signing into accounts. The idea is that only humans should be able to recognize and enter the text from the embedded images.

That is, unless, the humans themselves are deliberately entering the text, opening the e-mail accounts, for example, and passing them along to spammers. Apparently, thousands of people in Asia, most part of sophisticated operations, are in on the act. And projects are even bid out online, and most employees have no idea who is hiring them.

The reaction of Google, one of the targets of these CAPTCHA crackers, glosses over the issue. Macduff Hughes, an engineering director at Google, said “Our goal is to make mass account creation less attractive to spammers, and the fact that spammers have to pay people to solve captchas proves that the tool is working.”

Industrial Control Attacks: Mundane or Prophetic?

2010-04-20T20:44:00.003-05:00

This isn't exactly the sexiest part of IT security, but attacks on industrial control systems, such as utility, water and sewage treatment plants, are on the rise, according to data gathered by the Repository of Industrial Security Incidents (RISI). And with recent media attention on cyberwarfare, utilities would be a prime target to bring down for any potential cyberwarrior.

But besides cyberadversaries wanting to hit the US, a major source of infections is more mundane: employees bringing malware on infected laptops and USB keys, for example, according to the study.

Though only a fraction of these control systems connect directly to the Internet, they do connect to business networks, which in turn are connected to the Internet. It's the business networks, to which employees have access, that are the source of the malware.

Industry insiders are skeptical of the threat from employees, let alone foreign hackers engaging in potential cyberwarfare, which might seem even more far-fetched on the surface.

Although utilities and control systems are in private hands, their protection is crucial to any defense of critical infrastructure in times of war, cyber or not. And that defense will rely just as much on government and military, as it will on IT security professionals in the private sector, with they'll need to partner.

Another Adobe Attack Vector Expected

2010-04-09T17:14:00.002-05:00

The ubiquitous Adobe Acrobat is back in the security spotlight again with another attack vector discovered by a security researcher this week. The flaw was first discovered by Belgian security researcher Didier Stevens and can be exploited with the "/Launch" function built into the Adobe Reader.

Unlike the recent JavaScript flaw, this one requires a bit of social engineering. A user must be tricked into opening a malicious PDF file. Details with a proof-of-concept are on Stevens' blog.

Adobe is aware of the issue but it was discovered too late to be included in next week's patch cycle for security fixes. In the meantime, security experts are recommending turning off the Launch feature in Reader. This was the same approach given for the JavaScript security bug.

To turn off the potentially threatening feature in Adobe Reader 9.3, the most current version, Go to Edit > Preferences > Trust Manager and uncheck the box labeled "Allow opening of non-PDF file attachments with external applications".

Tips for Debit Card Security

2010-03-20T22:42:00.002-05:00

Debit cards look, act, feel and work like those other plastic payment cards called credit cards. But think twice before using them in some places, according to this little blurb from CreditCards.com.

Unlike credit cards, debit cards directly access your bank or checking account. That means, if maliciously used, they could be a siphon right into your bank account.

The top ten list are the following:

1) Online
2) Big-ticket items
3) Deposit required
4) Restaurants
5) You're a new customer
6) Buy now, take delivery later
7) Recurring payments
8) Future travel
9) Gas stations and hotels
10) Checkouts or ATMs that look "off"

The last two are particularly interesting. Gas stations are particularly vulnerable to skimming operations at pumps, and ATMs that don't look right can end up unexpectedly in some popular locations.

Remember the bogus ATM planted last year at Defcon right as you went down the hall before the entrance?

Should Users Reject IT Security Advice?

2010-03-17T15:58:00.004-05:00

Writing on the TechRepublic's IT Security blog, Michael Kassner has an interesting point here. There seems to be an endless drumbeat of security advice dumped on users, ranging from more frequent password resets to watching for phishing e-mails and invalid certificates.

But does the information sink in? And, if not, why? It doesn't catch not only because there are too many rules, and among those too many to follow to the letter, but because users don't see a cost benefit, or sometimes any tangible benefit, at all.

Kassner was quoting a paper by Microsoft researcher Cormac Herley, "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users".

Here some highlights of the recommendations from Herley's work:

We need an estimate of the victimization rate for any exploit when designing appropriate security advice. Without this we end up doing worst-case risk analysis.

User education is a cost borne by the whole population, while offering benefit only to the fraction that fall victim. Thus the cost of any security advice should be in proportion to the victimization rate.

Retiring advice that is no longer compelling is necessary. Many of the instructions with which we burden users do little to address the current harms that they face.

We must prioritize advice. In trying to defend everything we end up defending nothing. When we provide long lists of unordered advice we abdicate all opportunity to have influence and abandon users to fend for themselves.

We must respect users’ time and effort. Viewing the user’s time as worth $2.6 billion an hour is a better starting point than valuing it at zero.

Identity Theft: Census Scams and Young People

2010-03-17T15:34:00.003-05:00

Here's something to think about for those of you in the United States. As those Census forms start arriving in the mail, just make sure they're legitimate and not phishing scams -- either by e-mail or paper mail -- looking to steal personal information.

According to the Better Business Bureau, fraudsters are taking advantage of the Census to steal financial information, like bank and credit card account numbers. Legitimate Census forms have 10 questions about your household and its inhabitants, not about your financial information.

The fraudsters are mailing out fake forms, sending phishing e-mails, pretending over the phone to be Census takers and even visiting homes. The BBB recommends you compare any Census form you get in the mail to the official version online. As for phishing e-mails, phone calls and visits to your door, the same rule applies: the questions should match the official form and not ask anything about personal finances or accounts.

Along the same lines, The Washington Post reported today that 18- to 24-year-olds are the most at risk for identity theft. The Millennial Generation is just too comfortable giving out personal information, whether online or in person, making them easier targets for identity theft than older, more discrete, generations more accustomed to a bit more privacy.

Seemingly anonymous information, such as movie preferences in Netflix, for example, can be misused to identify people. And, that's beside the information gathered from a photo of last night's party at a bar posted on a social networking site.

The Security Dangers of Social Networking

2010-03-10T14:47:00.003-06:00

You can try and lock them down, but no matter how you look at it, social networking sites remain security risks. But it's not just about application security, meaning the sites themselves as vectors for malware, but the information on them. They can be used for reconnaissance and intelligence about people for setting them up for spear phishing attacks.

Bruce Schneier had some interesting commentary on the subject recently, referencing research about using group membership on sites such as Facebook and LinkedIn to "de-anonymize" users. Even after locking down every possible piece of information on these sites, group memberships are often still visible.

As if that's not enough, posts by users after hours with information from their employers can lead to the leakage of inside information. The line between personal and professional lives, at least on social networking sites, is getting more blurred.

Defeating Online Bank Fraud Once and For All

2010-02-26T16:13:00.003-06:00

Is it possible to really defeat online banking fraud once and for all? Roel Schouwenberg thinks so in an interesting guest editorial on Kaspersky's Threat Post. Schouwenberg says the solution is already out there, and it's pretty simple: multi-factor authentication.

In an outstanding and detailed analysis he did back in 2008 of bank attacks, he noted that what he calls Man-in-the-Endpoint Banker Trojans, or Browser Trojans, have not improved much since 2007. The reason: they haven't had to.

Basically, what many banks are using for two-factor authentication -- secret questions next to passwords -- is neither true two-factor authentication nor secure. The Trojans of the past three years are just as adept at breaking such systems yesterday as they are today.

Many banks, particularly in the US, believe asking customers to use tokens, for example, would be a nuisance that would drive away business.

While I think multi-factor authentication would go a long way in preventing attacks against banks, it's still just another technology, and the issue isn't its use, but its implementation. Even the strongest authentication system is still vulnerable to human abuse, misuse, and social engineering.

Such authentication systems should also be combined with other systems, in a multi-layered defense, like fraud monitoring programs. Such programs, like FraudAction from RSA, allow or block transactions based on patterns of usage and behavior. Multi-factor authentication might not stop a suspicious transaction, such a lone transaction in Eastern Europe against a bank account in the US owned by someone who has never left the country.

But fraud monitoring operating behind the scenes and transparent to the user would be a good tool to augment multi-factor authentication. It might not stop bank attacks once and for all, but it would definitely help.

Dueling Botnets Fight Turf War in Cyberspace

2010-02-10T21:31:00.002-06:00

A new Russian botnet is on the loose, spreading a Trojan horse that not only steals data -- like any good Trojan -- but then deletes a rival Trojan from infected machines.

That's really sweet, but I wouldn't exactly call it the Good Samaritan Trojan either. The new Spy Eye toolkit, discovered by Ben Greenbaum, a senior security researcher at Symantec, began showing up on cybercrime sites in December.

Spy Eye is battling Zeus, a similar crimeware Trojan that steals online banking credentials, according to Symantec. Spy Eye has a feature, "kill Zeus," which is meant to disarm its close rival.

This sort of cyberspace equivalent of gangs slugging it out for territory isn't new, according to The Register, which has reported Trojan battles among Srizbi, Beagle, Netsky and Mydoom dating back to 2007.

Scary Facebook Security Glitch or Bad Software?

2010-01-15T18:01:00.005-06:00

As if there hasn't been enough publicity about the security evils of Facebook, this one is really off the wall. In this case, a woman from Georgia and her two daughters wound up in the account of some strangers when logging onto Facebook from their mobile phones.

All kinds of private information was exposed about the strangers. And, AT&T, the wireless provider for the family's mobile phones, said the glitch was due to a "routing problem," according to this news item two hours ago from the Associated Press.

The issue has far reaching implications beyond Facebook, since other sites, not just the famous social networking site, could be affected by such routing errors.

Basically, the issue wasn't due to problems with the Facebook web site, but possibly poorly configured network equipment and poorly coded network software. The issue might be hard for a hacker to exploit, since the routing error was random and one-off, something hard for a malicious user to engineer.

Interestingly enough, Facebook announced a partnership this week with McAfee to offer security software.

Summary of 2010 Security Predictions

2010-01-05T15:16:00.002-06:00

It's that time of year again, when everybody is out there with their annual predictions for IT security this year.

This little summary from Michael Kassner's post on Chad Perrin's IT Security blog at TechRepublic covers not only Kassner's own thoughts but also covers predictions from eWeek, Verizon, Help Net and IT PRO.

Then there was this from Andreas M. Antonopoulos posted at both Network World and Computer World, and from Larry Seltzer at PC Mag, who also cited reports from Symantec, F-Secure, Websense and Trend Micro.

Common themes? Well, it seems to run the gamut, but cloud computing, mobile security and malware were all common topics.

Adobe on Hacker Radar in 2010

2010-01-04T20:25:00.002-06:00

This should come as no surprise, but a recent report by McAfee, predicting threats for this year, says Adobe will be popular with hackers. In fact, according to the report, Adobe and Flash will beat out Microsoft software, finally, for the hacker attack vector of choice.

That's good news for Microsoft, which has been, until now, the favorite whipping boy for hackers.

Interestingly enough, the report also cites the tried-and-true oldest trick in the book, malicious e-mail attachments, as still another favorite attack vector. E-mail is also popular because it's a great way to burrow into corporate networks, past their finely tuned firewalls and DMZs. All an employee has to do at some company is click on the attachment and, well, the game is over.

And could one of those attachments be a malicious Adobe document? No way.

FBI Investigating Citibank Hack

2009-12-22T20:37:00.002-06:00

The FBI is looking into a breach at Citibank by a Russian cybergang, the Wall Street Journal reported today. The gang apparently began breaching Citibank over the summer and was uncovered by investigators in the US who noticed suspicious traffic from IP addresses used by the Russian Business Network.

Citibank denies any breach took place. The Russian Business Network is a well-known hacking group that has developed tools for breaching US government systems.

What concerns security experts is the potential for widespread damage to the banking system. They say that if hackers could get into one bank and manipulate data, they could easily get into others, creating chaos in banks and financial markets.

And, this is where hackers seeking financial gain -- the root of most hacking today -- might be crossing the line into cyber threats against national security. Supposedly, according to the Wall Street Journal article, this is what got the NSA and DHS in on the party, exchanging informaton with the FBI.

From the other side, as well, the attack may point to a revival of former members of the Russian Business Network, which has been quiet for the past two years. Investigators say a tool developed by a Russian hacker called Black Energy may have been used in the Citibank cyberheist.

White House Taps Schmidt for Cyber Security

2009-12-21T22:58:00.002-06:00

President Barack Obama has picked Howard Schmidt to be the national cybersecurity coordinator, according to the Associated Press. Schmidt has a 40-year career in cybersecurity, spanning law enforcement, private industry and even briefly in the Bush administration.

The announcement hasn't yet been public, according to the AP, quoting a senior White House official on condition of anonymity. Obama was personally involved in the search and picked Schmidt after an extensive search. Though he won't report directly to the president, he'll have regular and direct access.

Cybersecurity is a key issue facing Obama but has taken a back seat to his health care program and the war Afghanistan.

Schmidt wrote an interesting book, covering his long career, Patrolling Cyberspace, which I enjoyed immensely. It was a nice short book packed with a lot of history about the beginnings of hacking, much of which has been forgotten. He was definitely a visionary, seeing the problem long before law enforcement took it seriously.

The book also got a favorable review from M. E. Kabay in his regular Network World column.

Hollywood Burglars Used Internet Without Hacking

2009-11-15T21:45:00.003-06:00

These people aren't hackers by any stretch of the imagination. And their exploits weren't hi-tech. They were allegedly ordinary off-line thieves preying on Hollywood celebrities like Paris Hilton and Lindsay Lohan.

But what makes them different is their creative, yet simple, use of the Web to get information to commit their alleged crimes, according to The New York Times. They just took information off of ordinary web sites. No slick exploits. No cool hacks.

What's even more interesting is that they didn't snarf private information the stars might have unwisely posted on social networking sites. Instead they got information from common well-known sites about celebrities, such as TMZ to learn about their victim's comings and goings. When someone like Hilton might be at some gala, they knew that was their time to rob her house.

Granted, ordinary people who aren't celebrities don't have their every move publicized for the world to see on web sites. And, maybe well-known personalities can't do much to hide their movements or protect their addresses from online snoops. But this is still an interesting case of low-tech thievery using a hi-tech tool.

New SSL Vulnerability: Serious or Not?

2009-11-10T20:19:00.003-06:00

Every now and then a new SSL vulnerability hits the headlines in the trade press. Even the slightest possiblity of weaknesses in SSL send shock waves through the security community. An exploit against SSL, so goes the convential wisdom, stabs right at the heart of e-commerce, because SSL is the basis for securing transactions over the web.

And, it happened again this week, when a pair of researchers at PhoneFactor, a two-factor authentication company, said they found a fundamental flaw in the SSL protocol, which would allow an attacker to use a Man-In-The-Middle (MITM) attack to hijack an SSL session and secretly execute commands.

The commands could be used to reset passwords, for example, in one of the multiple sessions comprising a single encrypted SSL transaction. Attacks have already been tested against both Apache and Microsoft IIS web servers communicating with different client applications.

Researchers from a consortium of tech heavyweights have been meeting behind closed doors since September to patch the flaw, which will require a fix for all SSL libraries and patches for any software, not just browsers, that use the encryption protocol.

But another security researcher, Moxie Marlinspike, an expert on SSL flaws, said the vulnerability would have no impact on e-commerce. Marlinspike said, first, the exploit involves injecting code and not intercepting traffic, making it of limited value to an attacker targeting online transaction. And, second, the attack requires client-certificate authentication, which is rarely used in SSL authentication.

Twitter Haven for Malware and Protection

2009-11-08T11:41:00.002-06:00

Up to 500 web addresses posted on Twitter lead to sites with malware, according to the results from a tool created by Kaspersky Labs, a leading anti-virus vendor. This should come as no surprise, since it's common knowledge that social networking sites, Twitter aside, can be havens for malware, malicious links and other sorts of hacker mischief.

The tool, called Krawler, picks out about 500,000 URLs from Tweets daily and has examined about 30 million since its initial deployment in August.

Users need to be careful and wary with all social networking sites, but here are eight great tips from ReadWriteWeb on protecting yourself from malware on Twitter specifically:

Don't assume a link is "safe" because it's from a friend.
Don't assume Twitter links are safe because Twitter is now scanning for malware.
Don't Assume Bit.ly Links are Safe.
Use an up-to-date web browserKeep Windows up-to-date.
Keep Adobe Reader and Adobe Flash up-to-date.
Don't assume you're safe because you use a Mac.
Be wary of email messages from social networks

FBI Issues Warning on ACH Fraud

2009-11-04T20:49:00.002-06:00

The FBI is warning small businesses, municipal governments and school districts of an increase in fraud involving legitimate online banking credentials, according to British banking newsletter Finextra.

The scam works through spear phishing attacks, where victims are redirected to a malware-laden site that drops a key logger Trojan on their desktop. Once the attackers get access to an account, they transfer funds through either traditional ACH or wire transfers.

The FBI is warning business users with online banking accounts to contact their financial institutions to make sure they have adequate security controls and fraud prevention tools in place.

The Financial Services Information Sharing and Analysis Centre, a banking group, is recommending its commercial banking customers should "carry out all online activity from a standalone, hardened and locked-down computer from which e-mail and Web browsing is not possible".

The Legendary Evil Maid Laptop Thief

2009-10-27T19:45:00.004-05:00

This is a not-so-far-fetched scenario. In this post on TechRepublic's IT Security blog, the mythical evil hotel maid uses her equally mythical handy-dandy Evil Maid USB Stick to boot up your laptop from your hotel room, circumventing your TrueCrypt disk encryption, and steals data from your laptop.

And, she gets away with it without you ever knowing it. You don't suspect anything when you get back to the room. The laptop is off and closed, just as you left it, before you headed out a few hours before.

Substitute the mythical maid for an industrial spy who social engineers his or her way into your hotel room, and you have a real-live data theft scenario, coming to a theater near you.

While the example in the blog post is about a workaround to defeat TrueCrypt, the basic idea is that someone with physical access to a box basically owns it. Today it might be bootable USB key, but yesterday it was a bootable something else, like a live Linux CD, such as Knoppix.

So, what's the best defense?

As an occasional road warrior myself, I never let my laptop out of my sight. Yes, that's right. The best lock is an eye. Wherever I go, the laptop goes. And, it never stays in the room during the day, when the mythical Evil Maid might come by.

Avalanche More Than Name for Phishing Gang

2009-10-26T15:17:00.002-05:00

A phishing gang that goes, not surprisingly, by the name of Avalanche has spawned a quarter of all phishing attacks in the first half of this year, according to a study by the Anti-Phishing Working Group, as reported in Network World.

The gang has been successful by registering domains at multiple registrars, some in small countries, and with stolen credit card numbers from those same countries, and then hop scotches around if one of the domains gets shuts down, the report says.

But, on the other hand, an indicator of phishing success, which the report calls "uptime," shows that registrars are getting savvy about Avalanche's tricks, especially because of its use of stolen card numbers. Apparently, as a result, Avalanche's uptimes, around 14 hours, are significantly lower than the phishing "industry" average, if you will.

Though not considered a phishing attack, rogue anti-virus programs are, like phishing, a form of social engineering, according to legitimate anti-virus vendor, Trend Micro. In this scam, which again resembles a phishing attack, a pop up window appears on a legitimate web site with a security warning. The unsuspected user then forks over cash to pay for protection, which never appears.

Five New Sins in Howard Book and Some Myths

2009-10-24T17:50:00.005-05:00

Michael Howard, application security guru at Microsoft and author of some landmark books on software security, has recently added five new sins with this two co-authors, David LeBlanc and John Viega, in the new edition, 24 Deadly Sins of Software Security, of his outstanding handbook.

There really are six new sins, but since one old sin was dropped from the 19 in the old volume, the new total is back up to 24.

What I like about this book is that rather than being a textbook, it's more like a catalog for developers of the most common and nasty security weaknesses in application sofware. Unlike Howard and LeBlanc's other reference on the subject, Writing Secure Code, another famous reference on the subject, a developer can pinpoint the exact issue of interest, zoom down to specific code examples and find remedies in the most common programming languages.

The new sins of the 24 are the following:
Sin # 2: Web-Server Related Vulnerabilities
Sin # 8: C++ Catastrophes
Sin # 9: Catching Exceptions
Sin #15: Not Updating Easily
Sin #16: Executing Code with Too Much Privilege
Sin #18: The Sins of Mobile Code

Co-author John Viega, another noted author in the software security field, also recently wrote, The Myths of Security, a fascinating non-technical book on the fallacies peddled by the software security vendors. He zeroes in on anti-virus software, a subject he has an intimate knowledge of as CTO of the SaaS Business Unit at McAfee.

This book is a real wake up call not only to the general public about the pitfalls of anti-virus and other security products for home users, but to the arrogance of some geeks who think they're invincible because they'd never click on a bad link.

Between my new found awareness of my software sins and my arrogance as a geek, I was both humbled and enlightened by these two fantastic books.

Health Care Privacy Still Needs Intensive Care

2009-10-24T13:14:00.002-05:00

Health care privacy, to say the least, is still critically ill, according to a recent study last week of health care IT security professionals by the Ponemon Institute. The survey found that 80 percent of health care organizations had experienced at least one breach of health records in the past year.

Added to that, 70 percent of respondents said their management didn't think privacy and data security were a priority.

The professionals surveyed expressed concern that with the push for electronic health records, security had to get more attention. Few dispute the value of centralized and easily available medical records -- something that could save lives -- but those records should only be available to those who need them, not crooks and identity thieves.

Hospitals and medical institutions continue to lag behind other industries in protecting data, privacy and IT security. And, despite the complaints about the effectiveness of PCI, the corresponding regulation for health care, HIPAA, has little teeth.

A breach at Express Scripts in St. Louis last year may have impacted as many as 700,000 people.

SearchSecurity.com ran an article last week explaining new HIPAA provisions and tips for implementing an effective HIPAA program.

Social Networking: ID Theft Goldmine

2009-10-13T14:57:00.002-05:00

Ever watch what your friends put on Facebook or other social networking sites and just shake your head in amazement? Hackers sure don't. They don't even need any fancy tools or tricks to steal someone's identity from off a social networking site.

Besides the obvious like telling the whole world when you'll be away on vacation -- an open invitation not to hackers but land-based thieves looking for an easy break-in -- consider other information people put on sites: job information, birthdates, schools attended and graduation dates and family photos. How about other family information, like your mother's maiden name?

All of this can be used to knit together enough of a profile for an identity thief to bypass security questions on banking sites, create false ID cards and even open loan applications in the victim's name.

Although 57% of respondents to a survey in the UK on identity theft said they were concerned that social networking sites make ID theft easier, two thirds of those surveyed said they didn't take adequate protection.

Maybe a little common sense is in order, rather than some new tool or service, when it comes to posting on social networking sites.

No Free Checking with This Banking Trojan

2009-10-06T13:15:00.002-05:00

A new Trojan hitting banking sites, as if this were really something new, has been making the rounds. So, what's new about the new URLzone Trojan?

Unlike other common banking Trojans, like Zeus and Clampi, which just transfer funds from a victim's account to those of criminals, URLzone can block anti-fraud detection systems. It can even be set to not drain an account to a zero balance, flying under the radar of other detection systems triggered by empty bank accounts.

The Trojan is allegedly being operated by a Ukraine-based gang, according to security company Finjan.

Other sophisticated ways the Trojan evades detection is to only hit accounts at random and then only a limited number of times, again throwing off fraud detection systems, which generally look for suspicious patterns of withdrawals.

Phone Phreaking No Different Today Than Yesterday

2009-10-06T10:42:00.003-05:00

Remember when they were called phone phreaks? Maybe I'm dating myself, but that was back in the 70s (maybe earlier?), when they used different colored home-made toys called blue, black and red boxes.

Those were the tools of yesteryear pre-dating electronic switching, when data and computer commands ran on the same voice lines.

Well, they're back and actually doing better. In fact, I think, they never really went away. But now with the growth of phone service over the Internet, like VoIP, they can use a lot of the same tools and techniques for hacking phone services, as they can for cracking the Internet.

Also, unlike the phreaks of the past, who did it for fun, now they're organized into multinational syndicates stealing phone services on one country and diverting it -- for a fee of course -- to homesick immigrants in other countries wanting discounts on their international calls, according to this Network World article.

There are four weaknesses in phone configurations that trip up IT managers:

Weak user authentication and access control -- Companies often don't extend the same protections, like two-factor authentication, to their VoIP phone networks.
Relying only on session border controllers and media gateways for security -- During the handoff between networks and SIP trunks running phone services, application level security is needed to protect from phone attacks.
Inadequate virtual LAN separation and control -- The use of Virtual LANs (VLANs) to logically separate voice and data traffic isn't adequate to prevent an attacker from breaching the VLAN.
Inadequate use of encryption -- What else is new? This is simply not encrypting traffic over internal networks. Even if encrypted over public networks, when it enters the company networks, it still needs to be protected.

Read All About It: Fake Anti-Virus Hits The Times

2009-09-14T20:49:00.005-05:00

And, if you thought no web site was sacred, here's something that will make you a believer. Ads for bogus anti-virus software -- you know the kind that actually infects instead of protects -- ran over the weekend on the web sites of one of those most staid of institutions: The New York Times.

But The Times caught on to the scam and alerted readers on Sunday. There's nothing particularly brilliant about the exploit. Ordinary sites, not just porn and gambling sites, have all fallen to malware attacks. In fact, a recent Network World article listed "polluted ads" as one of seven leading security threats against web sites.

Technical details were blogged by Troy Davis and in Computer World. The Times itself provided advice on protection from the scam, as did Keith Farrell of bMighty. The rogue anti-virus, at this point, according to The Times, basically doesn't steal data -- yet -- but instead continues to popup a fake scanner with links to purchase bogus anti-virus protection.

This trend of bogus anti-virus hitting everyday web sites is something to watch since it can only be on the rise.

Hackers Need a Summer Vacation Too

2009-08-25T20:25:00.002-05:00

Though this little tidbit from Finextra, a British online banking newsletter, sounds funny, it really isn't. In fact, quite the opposite. It's very serious about a lull in hacker activity in the summer months.

But it does make a few good points taken from a poll by Tufin Technologies of 79 hackers at this year's Defcon security conference in Las Vegas. According to the poll, most hackers will take a rest over the summer, getting ready for the juicy and lucrative Christmas season, when they can pounce on unsuspecting online shoppers.

The Tufin study also noted that hackers prefer the holiday season, since the IT staff at most companies are often off, as well. I guess the old saying about the mice coming out to play, when the cat is away, is as true for hackers.

IBM Acquires Ounce Labs

2009-07-29T13:49:00.002-05:00

Big Blue has added another notch to its growing belt of security products and services with the acquisition yesterday of Ounce Labs, an application testing provider, according to an IBM press release.

Ounce Labs is a well-known player in the application security testing market, offering tools for ferreting out security glitches in application code during development. Ounce has taken advantage of the growing market for application security products, as attackers have set their sites on application layer rather network layer attacks, a trend long in the making over the past several years.

Ounce is known for being flexible and able to integrate with other development tools, which IBM hopes to add to its Rational software development products. IBM also hopes to outflank Hewlitt -Packard, another growing player in the application security space with its acquisition in 2007 of SPI Dynamics, a leading web application security scanner.

Terms of the deal for Ounce, a privately-held company, weren't disclosed.

Poor Access Control Policies Expose Michael Jackson File

2009-07-23T11:10:00.003-05:00

It seems nosy employees at the Los Angeles County coroner's office, who shouldn't have had access, were able to view Michael Jackson's death certificate. Though this story reported by the Associated Press is just another in the millions of articles about the celebrity, if you take a closer look, it's really about IT security and access controls.

The story reported that the certificate is stored in a state-supervised computer system, access to which is open to anyone with a state-issued password, which includes not only employees at the coroner's office, but also those at funeral homes, hospitals and county and state registrar's offices.

What the story didn't report was whether strong passwords were enforced, among other access control policies. What other holes exist in the system that could lead to information about the dearly departed?

Though Jackson's celebrity status makes him an easy target for the curious, what about identity thieves poking around for an identity to grab? Even the dead can have their identity stolen, which can be grave (pardon the pun) consequences for their living relatives.

Sometimes it seems only identity thieves can bring the dead back to life.

New EV SSL Certificates Already Vulnerable

2009-07-23T10:36:00.002-05:00

Two security researchers are scheduled to unveil at the upcoming Black Hat conference next week in Las Vegas a way to breach Extended Validation SSL certificates.

Conceptually, the attack is pretty simple but, in practice, is difficult to execute, according to Mike Zusman, principal consultant at Intrepidus Group, and one of the two researchers. The other is Alex Sotirov, an independent security researcher.

The attack works because it takes advantage of a web browser flaw that can't tell the difference between EV and regular Domain Validated (DV) SSL certificates.

Beyond that, basically, the attack consists of two steps. The first requires the attacker to get a traditional DV cert from a Certificate Authority (CA) and then use a rogue man-in-the-middle server that uses certificate combinations to conduct the attack. Since web browsers don't distinguish between EV and DV certs, the address bar would still show the green light, indicating a valid site.

The researchers will provide details at Black Hat and are expected to release a sample proxy tool shortly afterward.

How The Twitter Hack Did It

2009-07-21T06:53:00.003-05:00

The French hacker, who goes by the nom de guerre of Hacker Croll, gave extensive details of his exploit to TechCrunch in a fascinating article last week.

Did he use fancy hacking tools? Was he a hi-tech evil genius? No, on both accounts and far from it. He used the same type of password reset features that another hacker in Tennessee used to crack Alaska Gov. Sarah Palin's e-mail account last year, when she was running for vice president.

Basically, what Croll did was gain access to the Gmail account of a Twitter employee. He used information publicly available on the web about Twitter and from social networking sites to gather enough possible responses to password reset questions.

This led to a dormant Hotmail account the Twitter employee had once used but now was long forgotten. By cracking that account, as well -- also using password hints from the same public sources -- Croll was able to control the back up account to the employee's Gmail e-mail. This way the employee wouldn't be tipped off to the changes by any notifications to the secondary Hotmail account.

Some lessons learned from the attack are to be extra careful what you put on social networking sites, including clues about jobs, addresses and names of children and pets, for example. Also, make sure to have complex passwords, and don't use the same passwords for every account.

In the case of the Twitter hack, Croll found that the employee had used the same password not only for e-mail but for personal and financial accounts, as well.

E-mail, Twitter, it doesn't matter. They don't have to be scary. Just follow some safe account maintenance and password practices.

Milw0rm Exploit Site Back in Business

2009-07-19T21:23:00.002-05:00

The well-known exploit site, Milw0rm, is now back online after a week hiatus. The site's operator, str0ke, had announced in early July that he was taking down the site because he didn't have the time to maintain it.

Of course, word spread quickly through the security community about the loss of such a valuable source of exploit information.

But str0ke was able to work out an agreement with some of his colleagues to share the work of maintaining the site and was able to bring the site back to life last week.

Cyberattack Hits South Korean Government Web Sites

2009-07-07T21:38:00.003-05:00

This is a developing story with few details but it was just reported about an hour ago on Agence France Presse that South Korean police are investigating a series of cyberattacks against their government web sites.

About 25 sites were down for four hours on Tuesday in a Denial of Service attack that hit the presidential office, the defense ministry and other government web sites.

This follows a report last week, also from AFP, that the South Korean military was setting up a cyberdefense command to fight possible cyberattacks from North Korea and other countries.

Malware Robs Kentucky Bank Online

2009-07-07T20:21:00.005-05:00

This is an absolutely fascinating blow-by-blow account of a malware attack from Brian Krebs of the Security Fix blog. The attack allowed the hackers to steal $415,000 from an online bank account. The attackers, cybercriminals in the Ukraine, stole the money from the bank account of a county government in Kentucky.

The story has all the elements of a great cybermystery, along with a cast of two dozen co-conspirators in the U.S. The hackers used the county government's own Internet connection, and then set up fake accounts for the co-conspirators to handle the ill-gotten funds wired to their accounts.

They also took over the account of a local judge with access to the bank account, even going so far as to change his e-mail address, so alerts about fraudulent activity would never get to the judge. Instead, they would go to the attackers, who would, of course, ignore them.

What's really interesting here is that these tricks allowed the attackers to bypass classic fraud detection schemes, such as PC fingerprinting. After all, they were using the county's own Internet connection. That shouldn't raise any red flags, right? And, even so, the attackers would get any e-mail alerts.

The investigation is still continuing, so there's still a few missing details and pieces of information.
Also, as footnote, Krebs is in my personal Hall of Fame of security blogs for his outstanding coverage of security issues. Security Fix is one of those must-reads that should be bookmarked by every security professional.

Defending American Cyberspace Isn't Just About Cyberwar

2009-07-06T21:03:00.004-05:00

In this thought provoking piece in The New York Times, Jack Goldsmith makes an interesting and succinct case for defending American cyberspace. What I like in his guest Op-Ed is that he cuts through so much of the noise surrounding this issue and the criticism of Obama's recently unveiled cyberdefense plans.

Goldsmith argues that much of the cyberinfrastructure, like its physical counterpart, is in private hands. Hands that may run that infrastructure well as a business but still need to rely in the government to defend it from attacks.

Goldsmith goes through all the usual arguments in a paragraph each about civil liberties, surveillance and other fears about government control of the defense of cyberspace. He says we may be squeamish about the extent of government activity required but the balance can still be struck in defending both cyberspace and our civil freedoms.

What I also found interesting was that Goldsmith is not a techie, nor a veteran in the cybertrenches. He's an attorney and his arguments are well thought it. He's also written a book, Who Controls the Internet?: Illusions of a Borderless World, recently released on Amazon.

Insider Threats from Main Street to Wall Street

2009-07-06T20:43:00.003-05:00

Here are two totally unrelated inside jobs that, though very different, show how the insider threat is as dangerous and devastating as attacks from outside hackers. In fact, unlike a distant hacker, an insider already has access, often privileged.

In this story last week from Network World, a security guard at a Dallas hospital used his access to install malware on the hospital's network. The malware could not only steal confidential patient information, but also control the hospital's climate-control systems. The guard then had the nerve to post videos on YouTube of his exploits.

Hospitals, and health care institutions, in general, are still a long way from securing patient data, much of which contains the Identity Theft Quartet -- name, address, birthday and Social Security Number -- which together can be used for full-blown identity theft.

In another story broke by Reuters, also last week, the FBI arrested a Russian immigrant who had worked as a developer at Goldman Sachs for stealing application code used for high-volume trading. The former Goldman Sachs employee was going to bring the code over to a his new employee in exchange for a salary hike.

U.S. and Russia Cyberspace Treaty? Nyet!

2009-06-28T13:12:00.004-05:00

In this interesting article from The New York Times today, Russia is looking to negotiate an international treaty for limiting weapons in cyberspace. Such a treaty would be along the lines of similar bilateral agreements limiting chemical and nuclear weapons.

But, according to the article, the U.S. says a cyberwar treaty is unnecessary and sees the issue instead of improving international law enforcement. The U.S. argument is that international police protections against cybercrime, which are weak at best right now, would prevent cyberwar.

The difference in viewpoints is interesting, since the Russians see the lack of a treaty as a dangerous prelude to a virtual arms race in cyberspace, similar to what happened during the Cold War with nuclear weapons. And, the U.S. sees the issue as one of law enforcement. Besides, according to the U.S., the 50,000 attacks a day hitting U.S. targets -- mostly from China and Russia -- need to be criminalized to be legally combatted.

In addition, a treaty would be hard to enforce since there are no jurisdictions online. Attacks emanating from a hostile country could anonymously bounce around servers all over the world, making the true origin hard to pin point.

The issue is also interesting since it comes within a week of U.S. Defense Secretary Robert Gates announcing the formation of a new cybercommand at the Pentagon.

Twitter Victim of Possible Phishing Attack

2009-06-24T15:49:00.003-05:00

In a high profile recent hack of Twitter, the account of well-known Mac evangelist Guy Kawasaki was breached. Kawasaki's tweets were sending out a link to a porn video, something the tech guru isn't known for.

It's not clear exactly how the account was breached but there are suspicions of a phishing site that tricks users to log into a fake Twitter account that steal their authentication credentials. The porn site linked to Kawasaki downloaded Trojans onto the desktops of unsuspecting users and targets both Windows and Mac systems.

Twitter seems to be in the sights of hackers recently, since a good well-placed hack of a user with a large number of followers -- like Kawasaki's 140,000 -- can spread web nasties very, very quickly.

Other recent attacks have been against the Twitter account of the Mormon Church of Latter Day Saints and Cligs, a URL-shortening service competing with the famous TinyURL.

An Eye Chart to Test for Conficker?

2009-06-15T20:18:00.003-05:00

This is a new one. At first, I thought it was a bit bizarre. But when I took a second look, I actually thought it was sort of clever. The Conficker Eye Chart is a test to see if your workstation is infected with Conficker.

It works by checking if your browser can access common anti-viral software, which is often turned off for those plagued by Conficker.

If you climb up the URL of the Eye Chart, you get to the Conficker Work Group blog, run by a group of IT security professionals tracking the activities of this most mysterious of attacks against computer systems and networks.

Defending Cybersecurity and Protecting Privacy

2009-06-14T13:21:00.002-05:00

New initiatives by the Obama administration to protect cyberspace may run up against protecting online privacy, according to this article last week in The New York Times.

The creation of a new cybersecurity command by the Pentagon to do the job may also give the government extra powers to snoop on individual communications over the Internet. The idea is for the Pentagon to beef up its capabilities to fight cybercombat, just as it does with its physical forces on air, sea and land.

Since some of this will also involve taking over cybermonitoring functions of the NSA, which the government initiative hopes will reduce the ongoing turf wars over cyberdefenses, the privacy issue has come to the fore.

Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, commented in the article that sovereignty in cyberspace, which is truly global, is difficult to define. Maren Leed, a former Pentagon specialist in cyberoperations and now a defense expert at the Center for Strategic and International Studies, was also quoted as saying what would be an acceptable intrusion in time of war had to be defined.

But President Obama in his White House speech on the subject last month said, “will not — I repeat, will not — include monitoring private sector networks or Internet traffic.”

NIST Security Control Document Available for Review

2009-06-14T13:12:00.002-05:00

The National Institute of Standards and Technology (NIST) has released the latest draft of its 800-53 publication on security controls. The updated document, Revision 3, part of the well-known 800 series of NIST guidelines for IT security, is available on their web site for public comment until July 1.

The document has input, as well, from both the military and intelligence communities on improving security controls for IT systems.

Here are highlights from the document of some of the updates:

A simplified, six-step Risk Management Framework
Additional security controls and control enhancements for advanced cyber threats
Recommendations for prioritizing or sequencing security controls during implementation or deployment
Revised security control structure with a new references section to list applicable federal laws, Executive Orders, directives, policies, standards, and guidelines related to a control
Elimination of security requirements from Supplemental Guidance sections
Guidance on using the Risk Management Framework for legacy information systems and for external providers of information system services
Updates to security control baselines consistent with current threat information and known cyber attacks
Removal of the FIPS 199 security control baseline allocation bar resident with each control
Organization-level security controls for managing information security programs
Guidance on the management of common controls within organizations
Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001

Mass Injection Attack Hits 20,000 Web Sites

2009-06-05T15:17:00.003-05:00

Websense Security Labs has detected a mass injection attack affecting 20,000 web sites with malicious JavaScript that hides code redirecting users to a site with active exploits. The attack, uncovered last week, used a domain similar to the legitimate domain for Google Analytics.

In another post this week, Websense Security Labs provided more technical details about what it called the Beladen attack, German for "loaded," because the hacked web site is loaded with exploits.

Basically, the hacked legitimate site contains obfuscated code, does some checks to make sure to verify the referrer to prevent exposure of the code, and then redirects the user's browser to the Beladen web site, chock full of malicious goodies.

Operational Security for the Web

2009-06-05T15:03:00.002-05:00

The term operational security usually refers to physical security -- things like keeping your basic movements a secret, protecting your identity and other ways to keep one's "cover." In this brief article by Ira Winkler on the Internet Evolution newsletter, Winkler gives an example of an undercover security guard at a store who practiced poor operational security and, as a result, was easy to spot.

What's interesting in this little piece is that Winkler then explains how many companies practice similar poor operational security on the web, by disclosing too much information -- information that could be used by clever social engineers to gain malicious access.

He talks about how companies often fail to classify their data, so they even know what they need to protect. Winkler, a former NSA employee, who knows a thing or two about operational security, is also the author of a fascinating book, Spies Among Us, about insider threats and corporate espionage.

Hacking for the U.S. Government: Plum Job?

2009-05-30T19:46:00.003-05:00

Here's an interesting article from The New York Times about the growth of contract work for the U.S. government in cybersecurity, something the Pentagon wants to enter with "religious intensity."

Government work, which conjures up bureaucracy and red tape in the minds of most freewheeling geeks, is something most self-respecting nerds would avoid at all costs. But the combination of the recession, a weak labor market in Silicon Valley, increased government interest in cybersecurity and the growth of defense contracts in cybersecurity has swelled the ranks of bright young computer engineers looking for a classified thrill.

The players include household names in the military and defense business such Lockheed Martin, Northrop Grumman, General Dynamics and Raytheon. Some companies, like the 100-person unit at Raytheon, have built their cyberdefense businesses through acquisition.

The geeks with clearances, as they like to call themselves, use honey pots and other tools to track the hacking activity of their counterparts in places like China and Russia, and develop both defensive and offensive tools against cyberattacks.

Besides the contractors, there are an estimated 3,000 to 5,000 information operations specialists in the military itself. These initiatives are expected to help the U.S. catch up to its Chinese and Russian rivals, who have literally had free rein of American computer networks, both government and private.

U.S. Military Developing Cyberattack Technologies

2009-05-28T17:35:00.003-05:00

There's been a lot of talk both here and in the trade press about cyberdefenses, but now the military is also looking at cyberattack technologies, according to a fascinating article last week in Aviation Week.

The idea is to have cyberattack tools that are sophisticated enough to do the trick, yet easy enough to use in the field even by non-technical military people on the ground, SC Magazine reported.

The Aviation Week report said the military was impressed with how the Russians coordinated their traditional on-the-ground combat with a cyberattack during their war in Georgia last year. The U.S. military is looking to duplicate that effort with this project.

One of the tools is a device for tapping into satellite communications, VoIP, proprietary SCADA networks and any wireless network. Another tool, unclassified partly because it's built from open-source software, is Air Crack, which is used to crack wireless encryption keys.

The three elements of the cyberattack system are a toolbox, and planning and execution capabilities. The toolbox has hardware and software for specific missions, while the planning piece consists of a database of available capabilites. And the execution side, of course, is the course of operation of the attack.

National Cybersecurity Coordination Center

2009-05-27T09:15:00.002-05:00

The National Security Telecommunications Advisory Committee (NSTAC) has approved a proposal after meeting with President Barack Obama last week to set up a 24-hour facility for monitoring cybersecurity.

The center would build on initiatives already in place by the NSTAC and the Department of Homeland Security's US Computer Emergency Readiness Team.

The project is part of the ongoing 60-day review of federal cybersecurity commissioned by the president, whose conclusions -- or at least some of them -- are due to be publicly announced soon.

ITU Releases Global Cyberlaw Kit

2009-05-27T08:59:00.002-05:00

The International Telecommunications Union (ITU) recently released what it calls a "Cybersecurity Toolkit" with a list of best practices for drafting cybersecurity legislation.

The idea behind the toolkit, as reported in The H, is two-fold: first to help globally harmonize cybersecurity legislation and, second, to assist countries new to the cyberlegislation game in putting their own laws in place.

What's really interesting in the toolkit is a matrix of existing cybersecurity legislation by country, so that initiatives can be cross-referenced. All of the countries listed are key players in cybersecurity -- the US, the EU, Germany, Japan, Singapore, India and China, among others -- and have established laws on the books.

While attempting harmonization of anything globally, especially security, is dicey, at best, this is still a handy reference for different approaches and philosophies on cybersecurity by country and region of the world.

Obama Likely to Appoint Powerful Cyberczar

2009-05-26T14:38:00.003-05:00

The president is expected to be days away from announcing the creation of a powerful cyberczar for overseeing the security of both government and private computer networks. The move by President Barack Obama comes as part of the release of a 40-page report on the status of federal cybersecurity he commissioned 60 days ago.

The new cyber chief is expected to be part of the National Security Council but will also report to the national security adviser and the White House senior economic adviser. Officials are mum as negotitations and political jockeying are still in process as we speak.

The focus on cybersecurity by Obama should definitely be applauded. But the report's conclusions, much of which won't be available to the public, and the turf battles between government agencies overseeing cybersecurity, have yet to be resolved.

The federal cybersecurity saga continues.

Self-Destructing Botnets: But Why?

2009-05-26T14:09:00.002-05:00

Here's an interesting brief analysis about self-destructing botnets from Michael Kassner on TechRepublic's IT Security blog. While kill switches are nothing new in botnets, Kassner argues, it's not exactly clear what they do, or why they're there, in the first place.

Botmasters have total -- as in life-and-death -- control over their bots, and built-in self-destructing code is just one of those control mechanisms. Why not just control a machine, when you can blue-screen it's operating system altogether, if necessary? The concept was mentioned in a 2007 report by the ITU that nicely summarizes the whole subject of botnets.

Kassner cited three well-known botnets, in particular -- InfoStealer, ZeuS and Nethell -- all of which have built-in self-destruct mechanisms. But he focused on ZeuS in his article.

Basically, botnet kill switches can hide the botmaster's tracks when the heat is on, buy time for a phisher while transferring -- or stealing -- from a bank account, or even be a way for a criminal gang from allowing its botnet to fall into the hands of a rival cybergang. These are only a few possibilities.

Apologies for Lack of Posts

2009-05-24T11:55:00.006-05:00

I was rushed to the hospital last week with acute appendicitis. Apparently, it was worse than I had expected, since I woke up 24 hours later in intensive care, where I ended up for a total of two days. They discovered during surgery that my appendix had already perforated and my abdomen needed to be drained of all kinds of puss and other nasty stuff. But I'll be back posting news and tidbits from the exciting world of IT security within two to three weeks.

Massive Data Breach at UC Berkeley

2009-05-08T22:09:00.004-05:00

Hackers have allegedly broken into a health care database at the University of California at Berkeley. Supposedly sensitive personal information, including Social Security Numbers, for 160,000 students and alumni was stolen.

The intruders started probing around the system last September, finally broke in October 9 and were discovered in April 9, exactly a month before the university disclosed the breach to those potentially affected.

Authorities are tight-lipped about possible causes of the breach, but CBS News reported that the attackers might be from China.

What is known are two things: the data base was accessed via a public web portal used by the university, and that the database and web servers were on the same server.

Hmm. That's interesting. Maybe a little SQL injection going on here? Database and web servers together. That's just a lack of plain IT security common sense.

A Penny for Your Corporate Secrets?

2009-05-04T20:27:00.000-05:00

These are two unrelated stories about easily giving up secrets. The first is about how 37% of Londoners would reveal their company's secret information at the right price. Of that number, 63% would give up information if paid at least a million British pounds, and 10% would do it if their mortgage was paid off.

“It’s quite staggering that a third of people are open to bribery," Tamar Beck of Infosecurity Europe told the CBR Security web site.

In Nigeria, a television report noted that the market for used BlackBerries is based not on the model but on the value of data it might hold, as reported in The Register.

None of this should be shocking. Other reports had people exchanging secrets for chocolate and candy, and still others picking up loose USB sticks in parking lots. The USB sticks contained malware that stole data.

ChicagoCon Conference Starts Today in Chicago

2009-05-04T07:29:00.001-05:00

ChicagoCon, the Ethical Hacking and Security Conference in Chicago, kicked off today and runs until Saturday, May 9. Program organizer, Don Donzal, also runs the Ethical Hacker Network.

The program promises to be both useful for those working toward security certifications and those looking to sharpen their skills through educational seminars with noted speakers.

Proposed Cyber Law Requires Security Licensing

2009-05-03T08:54:00.004-05:00

The Cybersecurity Act of 2009, known formally as Senate Bill 773, is best known for its radical recommendation to give the president authority to shut down parts of the Internet under cyberattack.

While well meaning, and a positive sign that the Obama administration is taking cybersecurity more seriously than his predecessor, some critics say it would activate not just an Internet kill-switch, but also a business kill-switch with burdensome licensing requirements for IT security professionals.

The issue is that businesses already struggling with resources to meet the current tangle of regulations -- SOX, HIPAA and PCI -- would have to add another to their project plans.

Section 7.a of the bill is short on details about the licensing requirement for the public sector, other than to say it would be administered by the Secretary of Commerce. It also isn't clear on whether it would be mandatory for cybersecurity professionals other than those working for the federal government.

Would a CISSP be enough for an IT security professional at private company? That remains to be seen.

Locking Out Users? Good Security or DoS Enabler?

2009-05-03T08:36:00.004-05:00

The idea of locking out users after a specified number of failed login attempts isn't new. It's been touted for a long time as a way to prevent unauthorized access to computer systems, such as by brute-force guessing of weak passwords.

And, in its recently released Special Publication 800-118, the National Institute of Standards and Technology (NIST) calls for just that approach, among others. It's also something I advocated on page 54 of my book, The Little Black Book of Computer Security, Second Edition.

But, in his recent weekly column in Network World, Mich Kabay, commenting on the new NIST password standard, says a better approach is outlined on page 3-5 of the standard. He also questioned my recommendaiton of lock outs in a column last year.

"Have a fixed or exponentially increasing delay after each failed authentication attempt. After the first failure, for example, there could be a five-second delay; after the second failure, a 10-second delay; after the third failure, a 20-second delay, and so on."

Kabay also commented on other password wisdom from the NIST draft document in another recent column.

Online Banking and Mutual Authentication

2009-04-30T21:13:00.002-05:00

This little piece from Finextra, a British online banking newsletter, presents three scenarios for authentication: the classic user ID and password, one-way authentication and two-way mutual authentication.

It basically chops down the first two and, by following the evolution of hacking technology for cracking authentication, leads to the third alternative, which is two-way mutual authentication.

The article sees this as a two-way street, if you will, that can block fraud and increase business by promoting legitimate transactions.

Cyberwar, Cyberdefense: Many Issues, Little Time

2009-04-30T20:26:00.002-05:00

In this detailed article in The New York Times, the difficulties and complexities of defending against a cyberattack are well presented. Cyberwar can't be easily compared to its offline counterpart, as this article skillfully points out. Cyberdefenses are just as slippery to assemble.

To make matters worse, this study by the National Academy of Sciences says secrecy on the subject is preventing the open debate necessary to combat cyberwar. The report says U.S. government policy is "ill-formed, undeveloped and highly uncertain."

Watch Out for Swine Flu Online Scams

2009-04-30T19:00:00.002-05:00

As is always the case, there are plenty of low lifes out there looking to cash in on the current swine flu crisis. Con artists are churning out spam, offering pharmaceutical remedies for the disease. What ever happened to just peddling Viagra? Those were the good old days.

A list of suspicious recently-registered URLs was uncovered by Sophos and listed on the bMighty ANTenna blog by Keith Ferrell. More details were reported this week in Computer World.

WGN Interview About The Little Black Book

2009-04-20T20:13:00.002-05:00

I was interviewed today on WGN TV news in Chicago about my book, The Little Black Book of Computer Security, Second Edition:

Finally a Mac Botnet? Could That Be Possible?

2009-04-19T10:55:00.003-05:00

Yes, a Mac botnet could be very possible, according to researchers at Symantec, who say the malware spread inadvertently over peer-to-peer networks in January.

The researchers say the malware was embedded in pirated copies of Apple's iWorks '09 software and can cause Denial of Service (DoS) attacks. This is apparently the first ever Mac botnet.

Or should we say iBotnet?

Federal Cybersecurity Report Almost Due

2009-04-19T09:58:00.003-05:00

The 60-day cybersecurity review commissioned by President Barack Obama is due to be completed this week. But expectations are low about what the report will recommend, and when it'll be released to the public.

Some observers say the report might just be a lame checklist of cybersecurity initiatives already completed by the government. Obama had appointed Melissa Hathaway, a cybersecurity big shot from the Bush administration, back in February to conduct the study.

Report or not, the controversy surrounding federal oversight of cybersecurity has been swirling around for months, even before Obama set foot in the White House. Various government agencies -- DHS, NSA, and the DOD -- have been in a turf battle over the issue.

Security luminary Bruce Schneier recently noted that the NSA, a front runner over the DHS, shouldn't be in charge of cybersecurity because of its narrow scope. An advisory role, yes, but not the leader.

Meanwhile, the government has been looking for hackers to secure its networks. For those interested, the job is number 155433 at General Dynamics Information Technology.

Writing Scary Cyberwarfare Articles

2009-04-14T20:59:00.002-05:00

Here's a humorous article from Foreign Policy magazine, where you wouldn't normally find articles about IT security, about how to write an article to create a panic about cyberwarfare. The article doesn't deny the existence of cyberwarfare. It just pokes fun at the media for their handling of the subject.

The article references GhostNet, a cyberspying operation originating in China and discovered last month, that infiltrated media locations in 103 countries.

This is a more down-to-earth article in TechRepublic about GhostNet and how it was uncovered by Information Warfare Monitor, a cyberwar research team.

No Recession for the Underground Economy

2009-04-14T20:48:00.002-05:00

The so-called underground economy hasn't been touched by the recession. In fact, according to reports published today by Symantec and Gartner, organized crime groups are getting more sophisticated and phishing more than ever.

But, at the same time, the proliferation of criminals has created competition in the marketplace, making stolen card and identity data cheaper. Crime may be increasing, but it's paying less.

The report attributed part of the increase to a 47 percent increase in bots over last year. In fact, a new variant of Conficker may be linked to the notorious Storm bot.

Cyberspies in the American Power Grid

2009-04-09T15:25:00.002-05:00

Cyberspies from China, Russia and other countries have penetrated the American electrical grid, leaving behind tools that could potentially disrupt the electrical system, according to The Wall Street Journal.

While foreign hackers lurking around in US cybersystems isn't news, the extent of the supposed intrusions into our vital infrastructure hasn't been reported before. Intelligence officials quoted in the story expressed concern about the possibility of these dormant tools being turned on in the event of a war or other hostile situation.

The White House, in response, said it took cybersecurity seriously, citing its ongoing security review of the federal cyberinfrastructure, but it wasn't aware of any disruptions. The Pentagon is also in the act, having spent US$100 million over the last six months for cyberdefenses.

An interesting suggestion came from Alan Paller, research director at SANS. Paller called for beefing up the North American Electric Reliability Corporation (NERC), which currently sets standards for grid operators, into a cybersecurity regulatory body.

In unrelated cybersecurity news, Paul McCartney's web site was hacked with links to spew malware at visitors.

Step Aside Conficker, Neeris on the Loose

2009-04-07T20:45:00.002-05:00

Now that we've all survived Conficker without a major incident -- yet -- there's now Neeris, which, apparently mimics Conficker. Neeris isn't exactly new. It's been around for four years, but a new variant has hit the cyberstreets in the past week.

Like Conficker, it exploits the MS08-067 flaw and can also be activated by AutoRun. And, like Conficker, patching the Microsoft flaw and disabling AutoRun can contain the bug. But, unlike Conficker, it has attacked far fewer victims, researchers say.

The original version of Neeris used a buffer overflow to take advantage of a now-patched Microsoft flaw in the Server Service.

Pending US Legislation to Beef Up Cybersecurity

2009-04-04T12:20:00.002-05:00

The US government is proposing strong action to beef up cybersecurity defenses. Legislation proposed by the Senate would give the president unprecedented authority, for example, to unilaterally shut down networks under attack.

The proposal is based on the results of a study last year by the Center for Strategic and International Studies and would impose mandatory government standards on both the public and private sector for certifying network security.

Crafters of the legislation were Sen. John Rockfeller and Sen. Olympia Snowe with input from the White House, which hasn't officially endorsed the legislation yet. The legislation would create a National Cybersecurity Advisor (NCA), reporting directly to the president.

Rockfeller was quoted in the Washington Post, saying it was more than just a military or intelligence issue. "It suddenly gets into the realm of traffic lights and rail networks and water and electricity."

Supporters of the measure said it was long overdue, but critics say it gives the government too much power over private telecommunications and could threaten privacy, according to this post on The Last Watchdog, an Internet security blog.

Obama's security advisors are still in the middle of their 60-day review of American cybersecurity, another part of the White House's actions to improve cybersecurity.

What's on the Minds of Security Professionals?

2009-03-30T20:02:00.002-05:00

There are no surprises in this Information Week survey of 400 security professionals. The biggest driver of security is regulatory compliance, followed by prevention of unauthorized access as a close second.

But security professionals don't live by regulatory compliance and access management alone. Other top issues in the survey were cutting security costs and managing risk.

Along the same theme, here are four security holes in telecommuting from CSO Online, which I'm sure also keep IT security people in enterprises on their toes:

1) Careless use of Wifi and accessing unsecured networks
2) Letting family and friends use work-issued devices
3) Altering security settings to view Web sites that have been blocked by the company
4) Leaving a work-issued device in an unsecured place

Mainstream Media on Cybersecurity: 60 Minutes and Conficker

2009-03-30T19:50:00.003-05:00

The popular news show 60 Minutes ran a story by Lesley Stahl about the recent Conficker infection, which also struck CBS News coincidentally, and the impact of cybersecurity on consumers, in general.

Though it's textbook media hype, it does cover the basic issues: Russian cybergangs openly distributing and selling malware, the growth of hacking as a business and the spread of malware infections to well-trafficked sites like social networking sites.

But Michael Horowitz on the Defensive Computing blog puts the issue into perspective and the essence of the story evaporates. Horowitz notes the Windows-centric nature of the story, such as the lack of balanced coverage emphasizing that Conficker attacks only Windows system and not Mac or Linux systems.

Another weakness in the story, which, to be fair, is unavoidable for a program aimed at a mass -- and non-technical -- audience, is that we really don't know the security settings on the computer of the woman whose bank account was filched twice. She claims to have had all her anti-viral, anti-spyware and firewall settings all up to snuff. But how many times have those of us heard this same claim in the field from customers only to find otherwise when testing systems?

The story was called "The Internet is Infected." A bit of old-fashioned FUD, isn't it?

White House Cybersecurity Drama Continues

2009-03-30T19:22:00.003-05:00

A report currently being prepared on the state of federal cybersecurity may, or may not, call for the creation of a White House level cybersecurity director, Computer World recently reported. The report is being prepared for President Obama by Melissa Hathaway, acting senior cybersecurity director as part of a 60-day review of cybersecurity.

The issue has been a bone of contention among advocates of a cabinet-level cybersecurity czar and those who see the issue as part of the responsbilities of the NSA.

Phishers and Web Attacks: It's Not Getting Better

2009-03-24T20:53:00.004-05:00

In two separate reports, one on web attacks and another on phishing, it looks like the attackers aren't letting up. A report recently published by Cenzic, an application security outfit, said 80 percent of all web attacks were due to known vulnerabilities in web applications in the second half of 2008.

The other report, covering the same period in 2008, by the Anti-Phishing Working Group, a phishing watchdog group, cited increases of 225% in the number of phishing sites peddling fake anti-malware and an astounding 827% jump in password stealing sites. Phishers are automating code attacks, increasing their number and magnitude.

The targets? The same as always: financial institutions with well-known and well-established brands.

Tips for Safe Browsing With Internet Explorer

2009-03-24T20:39:00.002-05:00

Here are ten tips from CSO Online for safer surfing with Internet Explorer. IE takes it on the chin a lot, often deservedly so, for not being as secure as Firefox. But, either browser can be a magnet for attackers if not configured correctly.

1) Disable XPS documents
2) Disable font download
3) Disable inclusion of local file directory path when uploading files to a server
4) Disable prompting if you are prone to just clicking "yes"
5) Always prompt for username and password
6) Disable SSL 2.0 support
7) Enable TLS support
8) Disable searching from the URL bar
9) Disable unnecessary add-ons
10) Uninstall old Java installations

These tips will help block -- but not entirely prevent -- malware and accidently exposing your authentication credentials to unwanted outsiders. You'll also not there are "no obvious downsides" to most of these suggestions.

Blocking Anonymous Web Proxies in Your Office

2009-03-14T09:04:00.002-05:00

This is a big one for enterprises trying to control malware spread by reckless web surfing in the office. Many companies set up proxies with filters to control traffic, but there are still tools out there for circumventing proxies and bypassing web firewalls.

In this tip on TechTarget's SearchSecurity web site, John Strand provides some ways to prevent these practices. I had also written a tip for SearchSecurity on blocking web anonymizers in 2006.

Amazingly, little has changed since then. The basic defenses remain the same: a combination of web use policies (admittedly easily ignored but useful for HR), filtering traffic on known ports and IP addresses of proxy services and blocking downloads from the web.

Little Black Book Now Available at Left-Brain

2009-03-14T08:29:00.002-05:00

My book, The Little Black Book of Computer Security, Second Edition, is now available at the Left-Brain Store, the new online bookstore for my publisher, Penton Media.

Of course, it's still available, as it's always been on Amazon.

New Charges Against Palin E-mail Attacker

2009-03-09T18:53:00.003-05:00

A University of Tennesee student charged last year with breaking into then-vice presidential candidate Sarah Palin's e-mail account has been hit with additional felony charges by federal prosecutors.

Originally charged with unauthorized access to a protected computer, the new charges include fraud, unlawful electronic transmission of data outside Tennessee and attempting to conceal records to impede an FBI investigation.

The story received notoriety not just because the victim was a well-known personality, but because it also focused on the weakness of password reset systems for some e-mail accounts and the ease with which the alleged attacker was able to guess the answers to personal security questions based on publicly available information.

Federal Cybersecurity Shake Up

2009-03-09T18:28:00.002-05:00

The director of the National Cyber Security Center (NCSC), Rod Beckstrom resigned suddenly last week in a turf battle over federal control of cybersecurity initiatives. Beckstrom had been appointed in March 2008 to the newly created NCSC post as part of the Department of Homeland Security (DHS), according to Computer World.

Beckstrom said in a letter to DHS head Janet Napolitano that he was concerned about the encroachment of the National Security Agency (NSA) into leading government cybersecurity efforts. He decried what he called the "intelligence culture" of the NSA as a poor strategy for cyberdefense, saying it was different than "a network operations or security culture."

Beckstrom had been a controversial appointment himself due to his lack of a background in security. With his departure, attention will now be focused on the 60-day review of federal cybersecurity by Melissa Hathaway, who was appointed by President Obama in February.

Protecting Your Network During Layoffs

2009-03-05T20:55:00.002-06:00

In tough economic times, like these, it's important for companies to get a handle on restricting system access to departing employees. Laid off employees are more likely to attempt to steal privileged company data or try to hack into IT systems later, according to Computer World.

In a 2008 study conducted by Cyber-Ark, 88 percent of IT administrators would consider taking valuable company with them, if they were to be laid off tomorrow.

Here are some security tips for protecting your network during layoffs:

* Clearly and completely document each worker's access to the network, applications, servers and the physical building.
* Shut down remote connections, including pcAnywhere systems and VPNs.
* Invalidate usernames and passwords.
* If the employee worked in IT, change root access and network access.
* Shut down external access to the telephone system.
* Make sure handhelds, smartphones and cell phones are turned in along with PCs and laptops.
* Collect ID cards.
* Use monitoring software to keep an eye on network traffic.

I also have more details in a chapter devoted to this topic in my book, The Little Black Book of Computer Security, Second Edition. Here's an excerpt from my first edition on termination procedures posted by TechTarget.

Implementing Single Sign-On on a Small Scale

2009-03-03T11:08:00.003-06:00

This is an interesting case study from TechTarget's SearchCIO-Midmarket site of how a small community hospital in southern Indiana implemented single sign-on (SSO) on its network. The 247-bed Good Samaritan Hospital turned to a hardware solution from Imprivata, which specializes in SSO for SMBs.

While many SSO solutions require an enterprise to set up its own dedicated hardware and servers, and then configure them, Imprivata works almost right out of the box. This is fine for larger companies and organizations which can spare the equipment and staff. But for SMBs, this may not be realistics.

Imprivata is basically a standalone SSO server, or two for redundancy, which can hold authentication credentials for registered applications and can be remotely managed with a web-based interface.

The Dangerous Back Alleys of Outsourcing

2009-03-02T07:29:00.002-06:00

In an interesting study done recently by The Brown-Wilson Group, popular and emerging outsourcing destinations are ranked based on their security. The study, 2009: The Year of Outsourcing Dangerously, ranks cites not just on their physical security, but on other tangible issues like political instability and levels of corruption.

The study ranks Singapore, Dublin, Santiago, Krakow/Warsaw, and Toronto/Montreal as the safest among its top 25, and Kolkata, Hyderabad, Bangalore, Hanoit and Chennai as the riskiest of the bottom 25. It's interesting to note that four of the five worst are in one country, India, which has been the darling of outsourcing for the better part of the decade.

The study, which was also reported in Computer World, says businesses are now looking not just at cost, but also at security, before running offshore for development projects.

Some ways to mitigate the risks, according to the study, include doing a thorough analysis of the proposed offshore location and putting together crisis and disaster recovery contingency plans -- just in case the worse happens.

Tips for Cloud and Virtualization Security

2009-02-24T15:19:00.005-06:00

As cloud computing grows in popularity, it's important for companies considering this option to take heed of the security issues. Here are some guidelines from Computer World:

1) Understand the cloud and how its diffuse structure affects data security
2) Demand transparency from any proposed vendor about their security architecture
3) Reinforce your internal security such as access controls and firewalls and make sure the cloud meshes with these existing security procedures
4) Consider the legal implications of data put into the cloud
5) Pay attention to changes in cloud technology affecting security

Some other security-specific issues to clarify with a potential cloud provider are user access, regulatory compliance, data location, data segregation, disaster recovery, investigative support and long-term viability.

A related concept, virtualization, also takes data directly off hardware and requires care to protect. Unlike cloud computing, virtual systems remain in-house. In this piece from Neil Roiter of TechTarget's SearchSecurity site, this will be a big year for virtualization vendors to beef up security.

The idea is that security requirements for virtual environments are the same as those for any other environment, including configuration management and change control.

More SSL Mischief and Sleight of Hand

2009-02-24T15:07:00.002-06:00

TechRepublic ran an interesting post today by Michael Kassner on its IT Security blog about some tricks for bypassing SSL, the darling of security for e-commerce web sites.

The post has details and slides from presentations at the recent Black Hat DC 09 conference on the subject. Interestingly, the exploits are mostly Man-In-The-Middle (MITM) attacks, or those that fool users into non-HTTPS sites, rather than cracking the algorithms behind SSL.

How to Securely Destroy Information

2009-02-24T14:55:00.003-06:00

This is an informative and thorough piece on the CSO web site from Ben Rothke about how to securely destroy data.

Traditionally, IT security tends to look at data in motion or at rest, not on the way to the trash can. But, as this article accurately points out, the fine art of dumpster diving is far from passe. The riches found in a sample garbage expedition are enlightening, if not frightening.

The article further provides a long list of documents that should be considered in any destruction program, and whether to outsource data destruction and how to select a vendor, if that's the route a company chooses.

Two Social Engineers Are Leaving a Bar . . .

2009-02-22T11:37:00.003-06:00

. . . and one says to the other. These are eight of the most classic pick up lines ever spoken by a social engineer to get in the door. They're brought to you courtesy of CSO:

"I'm traveling in London and I've lost my wallet. Can you wire some money?"
"Someone has a secret crush on you! Download this application to find who it is!"
"Did you see this video of you? Check out this link!"
"This is Chris from tech services. I've been notified of an infection on your computer."
"Hi, I'm from the rep from Cisco and I'm here to see Nancy."
"Can you hold the door for me? I don't have my key/access card on me."
"You have not paid for the item you recently won on eBay. Please click here to pay."
"You've been let go. Click here to register for severance pay. "

They're not clever, and they're not brilliant. But they are typical.

Keeping Porn and Malicious Insiders at Bay

2009-02-22T11:19:00.002-06:00

What do pornography and the insider threat have in common? On the surface, not much. But, if you take a closer look, they're two sides of the same coin. Most, if not all, enterprises, I'd say, want to keep their employees from surfing porn.

Not just for legal reasons, but also for security reasons. Despite the spread of mainstream sites hosting malware, porn sites continue to be mainstream hosters of malware, as well. So, in a sense, although porn-surfing isn't an insider threat by itself, it's just one of those bad things malicious insiders might attempt.

In this SearchSecurity article on TechTarget's web site, David Mortman describes the two mainstays for fighting porn in the enterprise: web content filtering and content logging for forensics and policy enforcement.

In an unrelated article in eWeek, Jeff Nielsen provides some nice tips for combatting malicious insiders. The article talks about process-based systems for managing privileged accounts, the key to the entire store, which, if abused or stolen, make a company wide open and vulnerable to attack. The next step is audit trails for tracking malicious behavior and, finally, integrating policy controls with an identity and access management tool such as Active Directory.

Will A New Internet Be Any Safer?

2009-02-15T16:03:00.002-06:00

Somewhere deep in the campus of Stanford, engineers are designing a parallel Internet, one that will be, supposedly, insulated from some of the security issues plaguing the current public one.

But the question is: will it actually end up being safer or just another clone of its security-hole ridden ancestor?

In this thought-provoking article in The New York Times, John Markoff probes just that question. The idea is that this new Internet will have safeguards, not available currently, and will gradually take over, relegating the existing Internet to a bad neighborhood, where only the brave tread.

Citing the Conficker worm, which evaded existing Internet defenses, Markoff quotes Rick Wesson, the CEO of Support Intelligence, who says we're heading toward a "digital Pearl Harbor" where we have "Japanese ships streaming toward us on the horizon."

The Stanford Clean Slate project is designed to add better security features to the network and provide law enforcement better tracking capabilities. Their idea is to have something like a drivers license for anyone wanting to connect to the Internet. Of course, as with the existing Internet, the issue of identity is difficult, if not almost impossible.

What will probably happen, the article says, is that this supposedly new Internet will have features built into the routers and software, the backbone of the existing Internet.

Social Engineering with a Cisco Shirt

2009-02-06T16:02:00.003-06:00

There's nothing particularly new or brilliant in this story from CSO Online. It's just a text book social engineering exercise about a security consultant who basically talked his way into a client's facility and hacked their network. The exercise was part of a vulnerability test for a "retail company with a large call center."

All the tester used was a Cisco shirt bought at a thrift shop, some USB keys left in the cafeteria, a Linksys wireless router and a plate of cookies. The USB keys had password-stealing rootkits. These are some of the oldest tricks in the book. The sad part is that they still work.

The Firefox Versus IE Security Debate

2009-02-03T20:34:00.002-06:00

This one seems to another one of those legendary long-standing discussions: the security of Firefox versus Microsoft's still ubiquitous Internet Explorer. Though IE has lost some ground in recent years to Firefox, the "other" browser is often perceived as more secure.

But is it really? In this piece from CSO Online, the issue is debated by security experts. Most slightly favor Firefox for security but IE for compatibility with other Microsoft products -- like Exchange, SQL Server and SharePoint -- which still dominate many enterprises.

But IE has improved its security and, in reality, neither browser is 100% foolproof. In many cases, it's also the user, not just their browser, and how they configure it and whether they keep it patched and up-to-date, that really determines whether or not the browser is secure.

Hacking Exposed Sixth Edition

2009-02-03T20:25:00.003-06:00

The sixth edition of the landmark Hacking Exposed book is now available and, like the rest of the outstanding Hacking Exposed series, carries on the tradition of being an encyclopedic reference for IT security.

This book is a must have for any security professional. The newly released sixth edition has a new chapter on application security with details about the Security Development Lifecycle plus all the usual goodies from previous editions.

Office Security is On The Desk

2009-02-02T15:50:00.003-06:00

This is a little physical security tidbit from CSO Online about office security. It's about how employees leave things like sticky notes with passwords and confidential documents with company information right on their desktops for all to see.

In a video, someone from CSO takes a random walk through their office after hours and finds all kinds of hidden gems for prospective social engineers and data thieves. And it's not protected by locked offices. There's plenty of confidential stuff in open cubicles, including an access card under a computer keyboard.

Ever heard the one about the data thief who gets a job as a cleaning person?

President Obama and Information Security

2009-01-26T20:11:00.004-06:00

President Obama has released an information security plan on the White House web site. The plan is based on recommendations made in December by the Commission on Cybersecurity for the 44th Presidency.

This couldn't happen too soon, as a security breach was reported on one of the president's web sites today.

The plan calls for the following:

Strengthen Federal Leadership on Cybersecurity
Initiate a Safe Computing R&D Effort and Harden our Nation's Cyber Infrastructure
Protect the IT Infrastructure That Keeps America's Economy Safe
Prevent Corporate Cyber-Espionage
Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit
Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches

As part of the effort to strengthen federal leadership, Obama will be picking a new national cyber adviser, reporting directly to him. More details and commentary are on the Brian Krebs Security Fix blog and in SC Magazine.

Monster Job Board Breached Again

2009-01-26T13:51:00.002-06:00

In an attack reminiscent of a breach 18 months, the job site Monster.com has been breached again. Exact numbers of those affected aren't clear, but apparently no financial information was taken. But it appears other personal information -- user IDs, passwords, names, e-mail addresses, phone numbers, sex and ethnicity -- were harvested by the intruders.

The incident was first posted on Monster and reported last week.

Though the information isn't financial in nature, and might appear innocuous on the surface, phishers can craft carefully targeted -- and more believable -- attacks.

Monster offers tips on its Security Center web site.

Building a Better CAPTCHA Mousetrap

2009-01-25T22:23:00.003-06:00

CAPTCHA, a system used for blocking spam bots from posting to blogs and web sites, has come under fire in the past year. Systems used by Yahoo, Hotmail and Gmail were cracked last year, making it less attractive to use on e-mail and web sites.

But, in this interesting article in Computer World, CAPTCHA seems to be making somewhat of a come back with some innovative new approaches. Rather than just capture scrambled letters, new systems use word matching and images.

The article traces the history of capture through its cracking to present day developments, including reCAPTCHA, SQ-PIX and ALIPR, among others.

CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart.

Clever Anti-Phishing Education Tool and More

2009-01-22T21:38:00.003-06:00

With all the news reports -- in both the mainstream and trade media -- about the dangers of phishing, it would seem people would have caught on by now. They should know better than to reply, let alone open, e-mails from unknown senders, especially with weird or dubious names.

Not so, according to a research report on the weakness of security awareness by Cisco, as reported by M.E. Kabay in his Security Strategies Alert column in Network World. But, all is not lost, according to Kabay, who mentions a training system called PhishGuru, which simulates phishing attacks but educates rather than hooks users.

Along the same somber note, Websense in its report, The State of Internet Security, for the second half of 2008 paints a bleak picture of legitimate sites being compromised, according to SC Magazine. This isn't news but the sites studied included common every day sites and not just bizarre ones hosted in China or Russia.