Sunday, March 30, 2008

Windows Server 2008 Security Troubles

The head of an IT security company in Argentina has already found holes in the upcoming Windows Server 2008, according to a recent report in eWeek. Cesar Cerrudo, founder and CEO of Argeniss Information Security in Parana, Argentina, says the flaws could lead to privilege escalation also in Windows XP and Windows Server 2003.

What's disturbing is that Windows Server 2008 is being hailed as the most secure version ever of Windows. Cerrudo said while Windows security has improved over the years, these latest versions still have weak security models.

Mac Hacked by Web in Two Minutes

This has been touted in the trade media as the fastest hack in the West of a Mac. Charlie Miller was able to break into a Mac in two minutes at this year's CanSecWest conference, according to Computer World.

Last year, Dai Zovi won the prize at the same conference, giving the Mac another nick on the chin.

But does cracking it two years in a row -- at the same conference -- really prove the Mac is any more vulnerable than, say, Windows or Linux?

If you read the story carefully, you'll see Miller only broke in on the second day of the contest, using a web exploit, apparently against Safari -- though few details have been disclosed for security reasons. On the first day, contestants could only try to break in via traditional network attacks. No one succeeded.

But Miller directed the contest organizers to a malicious web site with exploit code. Big deal. Web attacks aren't network attacks, and they definitely aren't news.

Tuesday, March 25, 2008

The State of Spam

This is an enlightening interview by Prof. Mich Kabay of Cloudmark CTO Jamie de Guerre about the state of the spam problem today. The interview came out today in Kabay's weekly Tuesday newsletter on Network World's web site.

Interestingly, North America leads the world in receiving spam at 96% of its e-mail traffic with Europe second at 85% and Asia trailing at 80%.

Part 2 of this fascinating interview is here.

Passports for Obama, Clinton and McCain

The recent headlines about a breach of the passport data for the three presidential candidates -- Obama, Clinton and McCain -- highlight yet again the human side of IT security. There were access controls, for sure, but why the particular employees had access to the data isn't clear.

The technical controls that caught the breach did their job and, according to one report, the breach might not have been preventable. But there was an issue of wanton disregard for privacy by the employees.

The State Department issued a statement, and here are details about the records themselves.

In an unrelated federal breach, a laptop with medical records for 2,500 patients was stolen from a division of the National Institutes of Health. The NIH said the risk of identity theft was low since the records contained no Social Security Numbers.

Thursday, March 20, 2008

Trend Micro Site Trojan Infection

The virus encyclopedia on Trend Micro's web site was recently hacked in an attack that spread Trojans to visitors.

The attack may have been part of an injection attack that affected 20,000 web sites last week. The injected code references JavaScript that redirects visitors to an infected web site in China.

Sophos, hardly an unbiased observer as a competitor to Trend Micro, had details of the attack on their web site.

Sophos also has an interesting technical paper on web security, in general, on their site.

Thursday, March 13, 2008

My TechTarget Article on Web Scanning

I had an article come out on TechTarget's web site today about web scanning. It's about best practices, tools and reporting of scanning results.

Wednesday, March 12, 2008

Bleak 2008 Security Reports and Other Attacks

Both Google and CA came out with reports this week on cybercrime and threats predicted for 2008.

Both reports cited botnets and their resulting output of spam and malware as chief worries. But the CA report also cited social networks, Web 2.0 applications and Microsoft Vista as potential cybertargets. Google said malware, in general, was getting smarter and better at hooking people.

Google had its own worries with a tool that hits its Gmail service and there was more bad news for the security of handheld mobile devices.

ID Theft Ring in NY Busted

This is a textbook case of the merging of hacking with offline fraud. The police in New York recently busted up a ring of 38 people living in New York for using stolen customer data to create fake credit cards and go on shopping sprees.

But where did they get the data? From China, interestingly, where hackers apparently sifted through the customer information.

Brits Are Juicy Prey for Online Fraud

According to a survey in the UK, published in Finextra, Internet users in the UK are putting themselves at risk by posting personal information on insecure web sites.

The survey said online banks and retailers are some of the most popular sites in the UK for identity thieves to harvest new victims.

Saturday, March 08, 2008

Some Guides to Phishing and Whaling

CSO magazine had a great piece recently about targeted phishing attacks, called whaling. The attacks are highly targeted against well-paid executives and use social networking sites to gather information.

They have also run articles about safe social networking and protecting yourself from phishing and pharming, a DNS attack that redirects to a phishing site.

Five Security Policy Mistakes -- How to Fix Them

This was in Computer World recently about the five most common mistakes in security policies.

The mistakes are:
1) Not having a security policy
2) Not updating the security policy
3) Not tracking compliance with the security policy
4) Having a "tech only" policy
5) Having a policy that is large and unwieldy

Friday, March 07, 2008

SSL Certificates Not Always Secure

This is an interesting story that came out yesterday on the Associated Press wire. It's about how SSL certificates aren't always as secure as they claim to be. It says criminals can forge the certificates, which are supposed to be a third-party verification of a site's identity.

It also says, on another level, that SSL itself is no guarantee of security. SSL can encrypt the transaction but, if the site itself has security holes, all SSL is doing is protecting an insecure transaction.

None of this is news, but it was a bit of a surprise to see it appear in the mainstream media, like AP.

Monday, March 03, 2008

PCI Compliance Audits Made Simple

I had an article come out today on the SearchCIO-Midmarket web site about how small and mid-size companies can prepare for a PCI audit.

The idea here isn't so much a PCI for dummies as a PCI without expensive outside consultants. Of course, all companies subject to compliance with PCI need their quarterly scans done by outside vendors. This article is about the army of other so-called PCI consultants that prey on poor defenseless smaller companies.