Monday, December 31, 2007

2007 Worst Year Ever For Breaches

According to this story today in the Associated Press, 2007 has been the worst year yet for data breaches. Interestingly, the breaches have increased despite more sophisticated firewall and encryption technology being used by companies and organizations.

That's interesting. Or is it?

The article cites the two main organizations that monitor data breaches, the Identity Theft Resource Center and Attrition, who say a good part of the problem isn't technology, it's people. People at organizations mishandling sensitive customer data, like Social Security Numbers, on computer systems -- rather than hackers breaking in. That includes lost laptops.

No real news here. This is what I've been saying all along. IT security is only partly about technology. It's also about people.

Though not mentioned in the AP article, there's also an excellent parade of data shame at the Privacy Rights Clearinghouse.

Friday, December 28, 2007

New Trojan 2.0 Uses Old Web 2.0

The future looks bright for malware, not so for its victims, as new distribution methods using RSS, Google text ads and Web 2.0 technologies proliferate. They're more nimble, harder to detect and embedded in web applications.

All of these things add up to another fun year in 2008 for web application security.

And Cisco, in its first ever annual security report, expects the Storm botnet to continue to be active next year, as well.

My Newest SearchSecurity's Ask The Expert Stuff

Here's the newest batch of my Ask The Expert answers from SearchSecurity:

What precautions should be taken if biometric data is compromised?
This question posed on 29 November 2007

How to prevent hackers from accessing your router security password
This question posed on 20 November 2007

How to choose the right biometric security product
This question posed on 15 November 2007

Is it secure to use .NET membership class for user authentication?
This question posed on 08 November 2007

How does identity propagation work?
This question posed on 01 November 2

Microsoft Launches New Security Blog

The Microsoft Security Response Center, a clearinghouse for Microsoft vulnerabilities, announced in a post yesterday that the company has launched a new Security Vulnerability Research and Defense blog.

Details were also in Redmond Channel Partner Online today.

Saturday, December 22, 2007

Data Breach In Iowa But Impact In UK

This is a perfect example of how a data breach in one location can have consequences somewhere else far away. In this case, the breach was in Iowa and the data was of three million British driver's licenses applicants.

The facility in Iowa shipped the names, addresses and phone numbers of the applicants on a hard drive that got lost.

This is the second major data breach for the UK in a month.

One lesson here is that data on computers is mobile and global. It's not like old-fashioned paper documents that stay in one physical location. Sure, they can be stolen, but the impact isn't as immediate or widespread as electronic data.

Pearson Driving Assessments in Iowa City, who allegedly had the drive when it was lost, will now be transferring data electronically, as a result of the incident.

Proud New Member of Security Bloggers Network

I recently joined the Security Bloggers Network. There are some fantastic security blogs over there worth visiting.

You can also check it out by clicking on the logo on the right hand side of this blog.

OSVDB Gets Major Facelift

The Open Source Vulnerability Database (OSVDB) web site got a face lift recently. The OSVDB is the major repository for vulnerabilities in open source software.

The site was beefed up with new features, including:

  • Greater detail about the overall nature of a specific vulnerability

  • A "Watch List" service that provides alerts for new vulnerabilities

  • Consolidating external blogs by vulnerability

  • New reporting metrics

The story was reported on eWeek's Security Watch.

Monday, December 17, 2007

SearchSecurity Article on Remote Partner Access

My article on securing remote access for outside partners and vendors came out Friday in the Risk Management Strategies newsletter of SearchSecurity.

I outline five scenarios to demonstrate a number of best practices.

Friday, December 14, 2007

Clever Trojan Attacks Banks

Here's a new Trojan that doesn't even need to steal a user ID and password to break into a banking account. The Trojan is the engine behind a bot used only for bank fraud. The bot, sitting on servers in Russia and India, is targeting banks in the US, the UK, Italy and Spain.

It works by alerting hackers when a user has logged onto their online banking account. It then hijacks the session in real time, allowing access to the account without having to steal or use any of the user's ID or password. Next, it communicates with the bot's command and control center which bank they're logged into and downloads custom code for that bank on the user's desktop to mimic transactions.

Users are initially hooked through e-mails with malicious links to sites downloading the Trojan.

The only protection advised by SecureWorks, who discovered the Trojan, is the same old fashioned -- and common sense -- advice about any unsolicited e-mail: If you don't trust it, don't open it or click on links in it.

Thursday, December 13, 2007

Online Privacy Tips For Christmas

This is a nice brief video from Chris Pirillo about privacy online. He makes some simple and common sense suggestions sent to him from one of his readers.

This is especially relevant right now in the midst of the Christmas season, as people flock to shop online.

My Article On PCI And Application Security

My article came out today on SearchSecurity about application security and the Payment Card Industry (PCI) standard.

Specifically, I wrote about Section 6, which is different than the other PCI requirements. First, it's the only one dealing with application security. Second, it's only a recommendation today but will be a full requirement in June 2008.

But mostly, I emphasized that traditional PCI solutions and regular vulnerability scans aren't enough for the infamous Section 6, and I give some creative ways to be compliant.

Wednesday, December 12, 2007

XSS Alerting Service

This is an article from Dark Reading about an XSS alerting service. Now, this is a novel idea. It's a service that will send you an e-mail when it finds an XSS vulnerability in your site.

What'll they think of next.

The service, by the way, is called XSSed.

Google Hacking 101 Video

This is a video demonstrating basic Google hacking techniques:

Christmas Gifts For The Security Geek

Here are two books I recently picked up that would make great stocking stuffers -- for big stockings, I guess:

The first is Writing Secure Code for Windows Vista by Michael Howard and David LeBlanc. Both of these fine authors from Microsoft have written a lot about secure coding and their company's Security Development Lifecycle (SDL).

And, the other is the recently released second edition of the O'Reilly classic, Network Security Assessment by Chris McNab.

DNS Attack: The New Phishing

This is an interesting article in Computer World about a DNS attack that redirects users to phishing sites. Dubbed phishing 2.0 by the article, this could be a disturbing new trend that can fake out even the shrewdest of phishing spotters.

Christmas Cookie Recipe

Here's a cookie recipe for the holidays that might not be so sweet -- if in the wrong hands. Michele Dallachiesa, an Italian security researcher, posted information and links to his two new cookie forging tools on Bugtraq.

The two tools, cookiesniffer and cookieserver, can be used to capture, manipulate or impersonate cookies. The tools can be downloaded from his Xenion web site.

These tools can be used for attacks known as session hijacking, replay attacks and cross-site request forgery (CSRF). They level the playing field for exploiting cookies, the equivalent of passwords in the Web 2.0 world.

There was also an article in Computer World.

Greetings to Michele for his great work in the field of information security.
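Since cookies are the passwords of the Web 2.0 world, the defensive counterpart to a cookie sniffer is to check how your own site hands them out. What follows is an added example of mine, not code from the post or from Michele's cookiesniffer/cookieserver tools: it parses Set-Cookie headers and flags cookies that are sent without the Secure or HttpOnly attributes, and session cookies that are made persistent, which widens the window for capture and replay. The header values are constructed samples and the list of session cookie names is an assumption.

```python
"""Audit Set-Cookie headers for attributes that limit cookie theft and replay.

Added example, not from the original post or from the cookiesniffer/cookieserver
tools. The sample headers and the session cookie name list are constructed.
"""

# Assumed names of cookies that carry a login session (constructed list).
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "asp.net_sessionid", "sid"}


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; attributes without a value (Secure,
    HttpOnly) map to True so callers can test for presence.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return (cookie_name, findings) for a single Set-Cookie header.

    Findings:
      missing_secure     - cookie also travels over plain HTTP, so it can be sniffed
      missing_httponly   - cookie is readable by script, so XSS can steal it
      persistent_session - a session cookie with Expires/Max-Age survives the
                           browser session, extending the replay window
    """
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing_secure")
    if "httponly" not in attrs:
        findings.append("missing_httponly")
    is_session = name.lower() in SESSION_NAMES
    if is_session and ("expires" in attrs or "max-age" in attrs):
        findings.append("persistent_session")
    return name, findings


def audit_headers(headers):
    """Audit a list of Set-Cookie header values; returns {cookie_name: findings}."""
    return dict(audit_cookie(h) for h in headers)


# Constructed Set-Cookie values as a server might emit them.
SAMPLE_HEADERS = [
    "JSESSIONID=A1B2C3; Path=/",
    "sid=xyz789; Path=/; Secure; HttpOnly",
    "remember=abc; Expires=Wed, 09 Jan 2008 10:00:00 GMT; Path=/; Secure",
    "PHPSESSID=deadbeef; Path=/; Max-Age=2592000; HttpOnly",
]

if __name__ == "__main__":
    for cookie, findings in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: {', '.join(findings) or 'ok'}")
```

Run it against the Set-Cookie lines captured from your own application (a browser's header view or a proxy log is enough) and fix the session cookie first; the "remember me" cookie is a lower-value target but still deserves HttpOnly.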

My Article on Smart Card Deployment

I had an article come out this week in SearchSecurity's Network Security Tactics newsletter about deploying smart cards.

The article is a high-level -- rather than technical -- overview of smart cards: what they are, the different flavors and considerations for deployment.

Tuesday, December 11, 2007

Newest Batch of Target ATEs

These are my latest Ask The Expert answers as the resident Identity and Access Management expert for TechTarget's SearchSecurity web site:

How can root and administrator privileges of different systems be delegated on one account?
This question posed on 30 October 2007

Should PKI systems be used for laptop encryption?
This question posed on 26 October 2007

What is the best way to securely change the local administrator password in a domain?
This question posed on 16 October 2007

What type of protections should security question and answer authentication credentials have?
This question posed on 09 October 2007

Will enabling Group Policy password settings affect existing user accounts?
This question posed on 03 October 2007

Monday, December 10, 2007

Passport Canada Exposed

This one is too easy. In fact, it's so easy it's scary. It's just URL manipulation. Yep, URL manipulation. And, I'll bet you thought that went out with floppy disk viruses.

But someone applying for a passport in Canada discovered the flaw by just manipulating numbers in the URL of his online application. The applicant was able to pull up other applications online.

Here are some details with screen shots.
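To make the flaw concrete, here is an added example of mine (not code from Passport Canada or from the linked write-up) that puts a handler trusting the number in the URL next to one that checks the record actually belongs to the logged-in user, and keeps the audit trail you would watch for someone walking through the numbers. The application numbers, user names and records are constructed; the denied-lookup threshold is an assumption.

```python
"""URL-manipulation flaw: vulnerable vs. hardened lookup of a record by its id.

Added example, not code from Passport Canada or from the linked write-up.
Application numbers, users and records below are constructed.
"""

# Constructed records: application number -> (owner user id, applicant name)
APPLICATIONS = {
    1001: ("alice", "Alice Example"),
    1002: ("bob", "Bob Example"),
    1003: ("carol", "Carol Example"),
}


class Forbidden(Exception):
    """Raised when the authenticated user does not own the requested record."""


def view_application_vulnerable(app_id, current_user):
    """Trusts the identifier taken from the URL.

    Any logged-in user gets any record just by changing the number; this is
    the flaw the post describes. current_user is accepted but never consulted.
    """
    return APPLICATIONS[app_id]


def view_application_hardened(app_id, current_user, audit):
    """Look the record up, then check ownership before returning it.

    Missing and not-yours both raise Forbidden with the same message so the
    response does not reveal which numbers exist. Every lookup is appended to
    `audit` as (user, app_id, outcome) for later detection.
    """
    record = APPLICATIONS.get(app_id)
    if record is None or record[0] != current_user:
        audit.append((current_user, app_id, "denied"))
        raise Forbidden(f"user {current_user!r} may not view application {app_id}")
    audit.append((current_user, app_id, "ok"))
    return record


def exercise_hardened_handler(user, id_range, audit):
    """Request a run of consecutive ids as `user` through the hardened handler.

    Returns only the records the handler released; used here to show that the
    ownership check leaves the user with nothing but their own application.
    """
    released = []
    for app_id in id_range:
        try:
            released.append(view_application_hardened(app_id, user, audit))
        except Forbidden:
            pass
    return released


def detect_enumeration(audit, threshold=3):
    """Return users with at least `threshold` denied lookups (assumed threshold).

    A burst of denials for sequential ids from one session is the signal that
    someone is manipulating the number in the URL.
    """
    denied = {}
    for user, _app_id, outcome in audit:
        if outcome == "denied":
            denied[user] = denied.get(user, 0) + 1
    return sorted(user for user, count in denied.items() if count >= threshold)


if __name__ == "__main__":
    print("vulnerable, alice asks for 1002:", view_application_vulnerable(1002, "alice"))
    audit_log = []
    print("hardened, alice walks 1000-1004:",
          exercise_hardened_handler("alice", range(1000, 1005), audit_log))
    print("users to investigate:", detect_enumeration(audit_log))
```

The ownership check is the fix; the audit trail is what lets you notice the next applicant who tries the same thing before a journalist does.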


Merry Malware Christmas: 2007 Tops Them All

This year was the worst ever for malware, according to a report by F-Secure, a leading anti-malware company. There was as much malware floating around in 2007 alone as there has been in the past 20 years.

Now, that's a lot of bad code.

Here's an interesting story about a hijacked Yahoo e-mail account and another warning about malicious holiday e-cards.

Security As A Business Problem

This is something I've harped on time and again. And I'm not alone on this one. Security is not just a technical problem, it's also a people and a business problem. Technical controls are great, but they can be circumvented by compromising not security tools but people.

Here are details from Computer World about a study by the Ponemon Institute, claiming most employees ignore their company's own security policies. Could that be? Hard to believe but true.

Apple QuickTime Flaw -- Again

This made a lot of news last week, so I won't belabor it. But Computer World and InfoWorld both reported a flaw in Apple's QuickTime.

Though this flaw could allow an attacker to run code on a victim's computer, it's not just confined to Mac OS X. It could also affect Windows XP and Vista.

Saturday, December 01, 2007

Report On Cyberbullying

This is an interesting news item about cyberbullying. It shouldn't come as a surprise that bullying, just like every other physical activity, has moved online, as well.

I have links to two resources -- and STOP cyberbullying -- on the subject on my personal web site under Privacy.

Government CIO Talks About HSPD-12 Delays

In an interview with Computer World, Karen Evans from the White House's Office of Management and Budget (OMB), discussed delays in the recent government smart card initiative, HSPD-12.

She said her office had told agencies in an October conference call to hold back because of issues with credentials.

I last posted on this issue recently. It's a hot one to watch for all you physical and IT security convergence buffs out there.

Google Used To Launch Malware

Google became the victim of a concerted campaign to redirect users to malware sites. The attack started earlier this week with redirects to malware-infected sites from innocuous search queries for things like "cisco router information".

Details emerged the next day on SearchSecurity and the Sunbelt blog.

Google eventually removed the bad sites from searches later in the week and solicited assistance from the public in pruning out other malware sites.

SANS Top 20: Client Side Attacks Rising

The SANS Top 20 list came out this week and cited client side attacks as on the rise, according to SC Magazine and Network World.

But is this really news? Not so, thinks Bill Brenner of SearchSecurity, who said the report was "pretty much the same as last year" and didn't generate nearly as much media attention either.

The full report is on the SANS web site, of course.

A Possible Cyber Cold War?

As if the old Cold War wasn't over, it's now moved to cyberspace, according to a recent report by McAfee.

Here's a report in the mainstream media and the original report from McAfee on virtual crime.

China, which was cited as a major offender, had a few choice comments in response, My Way and Dark Reading reported.

New Java Secure Coding Standard

A new group, the Secure Programming Council, is hard at work on its first standards document. Essential Skills for Secure Programming Using Java/J2EE will be made available to the public in 60 days, according to SearchSecurity.

The group plans to set up exams for testing secure coding skills for developers. This follows a similar initiative earlier this year by SANS to set up a secure coding certification program.