Wednesday, January 31, 2007

Trojan code more common than Windows flaws

Report indicates that four out of five threats are Web-based

Michael January 29, 2007 (Computerworld Australia) -- The 2007 Sophos Internet Threat Report, released last week, indicates a seismic online shift towards using Web-based threats as a way to spread malicious code and dupe users into downloading it.

The United States, China, Russia, the Ukraine and the Netherlands rounded out the top five malware hosting countries for 2006.

Trojan-like malicious code, which outnumbered Windows-specific Internet-based worms in 2005, rose to 80% of all threats in 2006. In 2005 that figure was 62%.

Paul Ducklin, head of technology for Sophos Asia Pacific, noted that there is no direct link between malware hosting and botnets: a computer can often be tweaked to send spam but, for some reason, cannot be used to serve malware.

"Infected e-mail through attachments has gone down to one in 44 and the fact it has fallen is not because there is less malware, but that the bad guys are more determined to create distinct bits of malware, and these bad guys are no longer enamoured with mass mailing malware because it draws attention," Ducklin said.

"2006 saw an explosive growth of Web based downloaders and 41,536 new pieces of malware but overall the amount of e-mail containing infected attachments was down to one in 337. November saw 7612 new threats. The average has been roughly 8,000 a month, which is around 113 per day with five released every hour."

The report also found that 75% of all phishing e-mail sent during 2006 targeted either PayPal or eBay users, and the first incidents of voice phishing were discovered, where scammers redirected e-mail recipients to a telephone number as opposed to a fraudulent Web site.

Ducklin said even company switchboards are being replicated to give this scam more success.

"We're not talking about completely replicating the switchboard but it is a call to action, getting a switchboard in the same way of ripping off other stuff," Ducklin said.

"Obviously you cannot just speak English, but the big deal with VoIP is that it makes the cost of calls to the recipient very low."

The top malware family for 2006, as recorded by Sophos, was Mytob, which accounted for 30% of the problem. Netsky, Sober, Zafi, Nyxem, Bagle, MyDoom, Stratio, Clagger, and Dref rounded out the top 10.



Port of Seattle moves to Web-based message alert system

Port managers cite lower costs for the move away from paging system

Matt Hamblen January 29, 2007 (Computerworld) -- The Port of Seattle has expanded an emergency alert and response service that allows for quick communication with as many as 750 people -- a rollout that followed a successful trial of the Send Word Now system to 50 emergency officials last year.

In all, the people who are notified of emergencies at the facility work for about 35 different agencies and groups, including police and fire department employees at the airport and seaport, said Ernie Hayden, chief information security officer for the Port of Seattle. The service is designed to notify key personnel in the event of emergency breaches at runways and other areas, fuel spills or updates on snowstorms, he said. It replaces a paging system that had been in use for many years and failed one time last summer.

"With recent bad weather in early January, we used the service for snow [notifications] very actively," Hayden said. Several messages went out during snowstorms, starting with notices saying "Snow is expected" to "Snow is starting" to "Two feet of snow, everybody report to the airport." Users can receive notices on a multitude of devices, including cell phones and laptops, and in various modes.

Hayden said the service was the least expensive option the port considered. The service costs about $5,000 a year for the first 50 users, with the port paying about $30,000 a year for all 750 people on its notification list, he said. Since Send Word Now is a service, no new equipment was required, and Hayden or his colleagues can distribute emergency messages by calling or e-mailing the service provider.

New York-based SWN Communications Inc.'s Smart Alert Service starts at $10 per user per month, with additional costs based on usage, a spokeswoman said.

"This approach makes it much easier for a dispatcher to manage a response," Hayden said. In the past, a dispatcher would try to contact key personnel by various modes, but couldn't always be sure the message was received. Send Word Now includes a response feature that quickly gives the dispatcher a list of who has not responded.

Nick Milos, manager of corporate facilities at the Port of Seattle, said he has tested the system and found 19 of 20 policy makers responded in 15 minutes, up from the two hours it sometimes took to get a response using the old system.

The service does not communicate with the 800-MHz public safety band of devices, including two-way radios carried by police and firefighters, Hayden noted. "But if you have an emergency and want to tell everybody very quickly, this does that and very reliably," he said.

Although Hayden said he could try to notify a group via an e-mail blast, "I wouldn't know if they got the e-mail."

The hardest part of using the service was adding the names of those receiving messages into the system, Hayden said. But it's very easy to keep contact information up to date, he said, since users are responsible for contacting the service and saying which group of devices should receive the messages.

The port's alert service fills a gap apparent in some emergency response systems, said Tole Hart, an analyst at Gartner Inc. Though it would not be as useful for responders at the scene of a crisis, it could help with interoperability at a central command center, he said.

"But with public safety channels getting congested, this is a pretty interesting approach," Hart said.  


Best practices for use of RF technology in ID management

Jan 30, 2007 10:46 AM

Using radio frequency (RF) technology for identity management has become a balancing act between security and privacy. The Smart Card Alliance Identity Council has released guidance regarding best practices for organizations implementing the technology in identity management systems.

In "Best Practices for the Use of RF-Enabled Technology in Identity Management," the Alliance provides recommended guidelines for issuers of ID credentials using RF technology to ensure the confidentiality, integrity and validity of identity information and to protect the credential holder's privacy. The publication and accompanying frequently asked questions document also address common misunderstandings about the use of RF technology to transmit identity information, which have led to questions about the security and privacy of RF-enabled ID credentials.

"There is a public misperception that all RF-enabled technology is synonymous with RFID," says Randy Vanderhoof, executive director of the Alliance. "These new documents achieve a twofold purpose: They provide rules for good behavior when using RF-enabled technology in identity management, and they clearly delineate the differences between RFID and contactless smart cards that use RF and provide security and privacy protection in identity applications."

Radio frequency identification (RFID) is commonly used in product tags for tracking and supply chain management. Contactless smart cards are RF-enabled devices with onboard computers designed to protect identity information and its communication. Widespread corporate and government use, including the worldwide e-passport program, has validated contactless smart card technology as a secure, reliable way to transmit ID information.

Key elements of the Alliance's best practices for using RF technology in ID management call on credential issuers to:

* Implement security techniques, such as mutual authentication, cryptography and verification of message integrity, to protect identity information throughout the application.

* Ensure protection of all user and credential information stored in central identity system databases, allowing access to specific information only according to designated access rights.

* Notify the user as to the nature and purpose of the personally identifiable information (PII) collected -- its usage and length of retention.

* Notify the user about what information is used; how and when it is accessed and by whom; and provide a redress mechanism to correct information and to resolve disputes.

Vanderhoof emphasizes that RF-enabled smart cards are able to meet all the guidelines in the Alliance's best practices document. The use of RFID tags in identity credentials, however -- due to their long read range of up to 25 feet and lack of appropriate security features -- could leave users open to the types of fraud and identity theft most feared by privacy advocates and government officials, he says.


10 Security Gotchas that you forgot...

Gotcha, Gotcha, Gotcha. Always forgetting something! Dynamic Security can handle all these problems. It is like having central locking in your automobile.

The 10 Most Overlooked Aspects of Security

NOVEMBER 29, 2006 | Feel like you're forgetting something?

Most likely, you are.

Did you post a surveillance camera in your server room? Check the trash can for discarded disk drives that weren't wiped clean of sensitive data? Do a deep background check on that new database administrator you hired? Look into that new third-party security services offering?

Encrypt the backup of the year-end financial data?

Gulp. Maybe you're not quite ready for the

You'd better watch out. But don't cry, and don't pout, because you're not alone. Most organizations have at least a few security issues that have been lost in the shuffle, and it's not too late to give them some

So, with the help of Dark Reading's editorial advisory board, we've compiled this list of The 10 Most Overlooked Aspects of IT Security, along with the risks of skipping out on them, and some advice on how to attend to them. Our research turned up a wide variety of opinions on these topics, many of which are environment-dependent, so we're giving you this list in no particular order. You decide which bases you've got covered -- and which ones need your

Consider this our contribution to your holiday shopping list. Post 'em on your blog and the company intranet, pass them on to your colleagues and business partners, all in good cheer. There is still plenty of time to make your own list -- and check it twice.

(Editor's note: If there are other commonly forgotten security measures you've just remembered, we'd love to hear about them. Please send comments via the message board associated with this story, not by email. All postings are completely anonymous.)

— The Staff, Dark


1. Physical

When you review your IT security architecture, you probably don't consider your organization's physical security. But that can be a lethal oversight.

"In order to truly achieve 'defense in depth,' we have to think physical security as well as information security. The best [logical] security can't prohibit a physical theft of a server if the computer room is not adequately protected," says Steve Delahunty, senior associate with Booz Allen Hamilton.

More often than not, the people who do IT security and the people who do physical security in large organizations don't work with one another. Many small- to mid-sized enterprise IT security groups may overlook physical issues altogether. It's not until a building break-in occurs that the two may even meet at all.

"It's always somebody else's fault when there's a break-in in the building," says Steve Stasiukonis, vice president and founder of Secure Network Technologies, regarding IT security blaming facilities management and vice versa. But IT security should be on the same team as the facilities management group, he says.

In many organizations, physical security is often focused more on protecting copiers, printers, and fax machines from theft -- not servers or computer equipment, Stasiukonis says.

"A lot of companies are allocating surveillance technology in the wrong places," he says, and not where intruders are more likely to gain access, such as the cargo landing where smokers take their breaks, or on the cafeteria

Leaving physical access to chance in these areas makes it that much easier for an attacker to simply walk in and make a network attack or other breach.

"A lot of attacks become much easier because of physical security weaknesses," says Sean Kelly, technology consultant for Consilium1, who does penetration testing for clients. "It makes things a lot easier if you can walk in the door. And you don't have to be a technical person to perform these breaches -- it opens the door to a wider pool of data

Social engineering is way too easy a ploy to get a foot in the door, experts say. Stasiukonis, who stages social engineering exploits for his clients to audit their security, recently duped employees at a credit union client's facility, posing as a copier repairman stopping by to "clean" the copier machine.

"I busted into a credit union last week, wearing one of those copier company t-shirts," Stasiukonis says. "So I jacked in and grabbed the password and log-ins in clear text and then [used them] to break in from the outside,

Getting the IT and physical security teams together is crucial to thwarting social engineering attacks like these. But it's not easy to teach employees who to trust and who not to trust.

"Social engineering is a huge issue no matter what level of organization you're in," Consilium1's Kelly says. "Security awareness training needs to stress more on auditing and procedures to identify people you're giving information to, and for questioning people without badges."


2. Proper disposal of devices, storage media, and sensitive

IT people hate dealing with trash. Attackers, on the other hand, love it. That should tell you something right

Each day, corporations dump tons of material on the curb, most of it useless landfill. But companies that don’t have strong policies on garbage disposal may be leaving bits of gold for hackers seeking passwords, customer information, or other sensitive data. And if they’re not careful, those organizations may just be throwing out the keys to their most valuable information.

One of the most frequently-overlooked treasures for attackers is the discarded hard drive. As companies upgrade their old machines, they often donate them to recycling centers, charities, or simply mark them as trash. But some IT departments are lax in their efforts to wipe those old hard drives clean, creating potentially damaging data

In a study published in August, researchers at the U.K.’s University of Glamorgan and Edith Cowan University bought more than 300 hard drives in auctions and computer fairs all over the world. What they found was a surprising array of data that should have been erased long before the drives were sold or tossed. Some of the data included payroll information, employee names and photos, IP addresses, network information, mobile phone numbers, copies of invoices, and financial information such as bank and credit card accounts. (See Second-Hand Drives Yield First-Class

And the problem isn’t limited to hard drives. In a separate study also published in August, security firm Trust Digital made similar purchases of used cell phones and PDAs on eBay, and researchers were able to recover sensitive data on nine of ten devices in the study.

“The file system on your cell phone or PDA is just like the one on your PC’s hard drive,” said Norm Laudermilch, CTO at Trust Digital. “If you delete a file, you’re not really overwriting the data. All it’s doing is changing the index of the file system, or the file’s pointers.” (See Study: Used Cell Phones, PDAs Contain Confidential Data

And companies shouldn’t overlook one of the oldest forms of stolen data: paper trash, experts say. Jim Stickley, CTO at penetration testing company TraceSecurity, says he has found a wealth of sensitive information -- including user identities and passwords -- simply by dumpster-diving on unshredded company trash. “Shred, shred, shred,” he says. (See 'Analog Hackers' Overlooked,
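Laudermilch's point above, that deleting a file only changes the file system's index and leaves the bytes in place until something overwrites them, can be shown with a toy block-device model. This is an added example written for this page, not code from Dark Reading, Trust Digital or any real file system; `ToyFS`, its 16-byte blocks and the sample payroll record are all constructed for the demonstration. A raw scan that ignores the index (what a recovery tool, or the buyer of a second-hand drive, would run) still finds the record after an ordinary delete, partly finds it after the freed blocks are reused by a smaller file, and finds nothing only after a wipe that overwrites the blocks before releasing them.

```python
"""Toy file system showing why "delete" is not "erase".

Added example for this page (not from the article or any real product):
a directory index maps names to fixed-size data blocks. An ordinary delete
only removes the index entry and marks the blocks free; the bytes survive
until the blocks are reused. A wipe overwrites the blocks first.
"""
import os

BLOCK_SIZE = 16  # constructed: tiny so the effect is easy to see


class ToyFS:
    def __init__(self, num_blocks: int = 8) -> None:
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(num_blocks)]
        self.free = list(range(num_blocks))      # free-block list
        self.index: dict[str, list[int]] = {}    # name -> block numbers

    def write(self, name: str, data: bytes) -> None:
        """Store data in as many blocks as needed and record them in the index."""
        needed = max(1, (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE)
        if needed > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, blk in enumerate(used):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[blk] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.index[name] = used

    def read(self, name: str) -> bytes:
        """The normal path: go through the index."""
        return b"".join(self.blocks[b] for b in self.index[name]).rstrip(b"\0")

    def delete(self, name: str) -> None:
        """Ordinary delete: drop the pointers, leave the bytes untouched.
        Freed blocks go to the front of the free list, as many allocators do."""
        self.free = self.index.pop(name) + self.free

    def wipe(self, name: str, passes: int = 1) -> None:
        """Secure delete: overwrite every block of the file, then release it."""
        blocks = self.index.pop(name)
        for blk in blocks:
            for _ in range(passes):
                self.blocks[blk] = os.urandom(BLOCK_SIZE)
            self.blocks[blk] = bytes(BLOCK_SIZE)   # leave it zeroed
        self.free = blocks + self.free

    def raw_scan(self, needle: bytes) -> bool:
        """What a recovery tool does: ignore the index and read every block."""
        return needle in b"".join(self.blocks)


SAMPLE_RECORD = b"acct=12345678;name=J.Doe"   # constructed sample payroll line


def demonstrate() -> tuple:
    """Return (found_after_delete, found_after_wipe, found_after_reuse)."""
    fs = ToyFS()
    fs.write("payroll.csv", SAMPLE_RECORD)
    fs.delete("payroll.csv")
    after_delete = fs.raw_scan(b"12345678")      # True: bytes still on "disk"

    fs = ToyFS()
    fs.write("payroll.csv", SAMPLE_RECORD)
    fs.wipe("payroll.csv", passes=3)
    after_wipe = fs.raw_scan(b"12345678")        # False: blocks overwritten

    # Reuse is not a wipe: a shorter file only covers the first old block,
    # so the tail of the record ("J.Doe") is still readable from block 1.
    fs = ToyFS()
    fs.write("payroll.csv", SAMPLE_RECORD)
    fs.delete("payroll.csv")
    fs.write("notes.txt", b"hi")
    after_reuse = fs.raw_scan(b"J.Doe")          # True: second block untouched
    return after_delete, after_wipe, after_reuse


if __name__ == "__main__":
    print(demonstrate())
```

The `wipe` routine is the disposal control the section is arguing for: overwrite, then release. On real hardware the same caveat as the cell-phone study applies, since flash wear-levelling and remapped sectors can keep copies a simple overwrite never reaches, which is why full-disk encryption from day one or physical destruction is the usual advice for drives leaving the organization.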


3. Background

A background check? When did it become necessary to do more than call references and verify past employment?

It's easy and tempting to overlook the character issue when hiring employees, or even managing them over the long term. But as the strategic value and importance of IT has risen, so has the need to make sure those with the keys to the kingdom aren’t eavesdropping, stealing, or worse.

"It's become more the norm that companies screen all their employees," said Jason Morris, president of Background Information Services, Cleveland. "People quickly realized that IT is one of their biggest liabilities -- when employees take home data tapes, for example. So they may not screen low-level carpet sweepers, but if they have access to sensitive areas, employers screen."

In addition to verifying education and previous employment, Morris encourages making sure there are no unexplained gaps in a candidate's job history. Are they claiming MCSE or Cisco router certifications? Get it confirmed, he suggests. "Driver's records could also be a good measure of responsibility, as are credit reports."

A basic check might include SSN verification, address history, and a search of county records for felonies and misdemeanors. Background research can get even more detailed (and expensive) with searches of sex offender databases, state and national archives, even international

So how much should a company expect to spend on a background check? "It varies, but a good rule of thumb is one day's salary" for the position for which you're hiring, Morris says. "It can be a lot less too."

Doug Shields, president of Secure Networks, finds less value in sifting through official records and prefers to drill down more on what he calls "character

Shields, who worked at the CIA for nine years, is more interested in why a prospect left his last job, or if he was an Eagle scout, for example. "That may sound hokey, but it tells you something."

You can also learn about character issues by asking a candidate how they safeguard their own data. Do they use encryption on their personal laptop? Have they even set up a wireless LAN at home, and if so what security protocol did they use? The answers will tell you something about consistency and follow-through, Shields suggests.

And while screening before employment begins is great, it doesn't help much if you don't continue to keep tabs of some sort on employees. "If they go bad over time, you're not going to know about it" unless there's continued monitoring, Shields explains. "It doesn't matter what industry you're in. You have to make sure your stuff is secure and that people only have access to things they should have access


4. Getting control of the at-home user

Out of sight, out of mind. Many IT departments carefully watch their employees in the office, but they fail to monitor just what software their users are installing or what hardware (think thumb drives and iPods) they're plugging into their desktop or laptop machines at home -- or who else may have access to those machines.

The rash of laptop losses and thefts at major corporations and government agencies over the past year has red-flagged the problem of securing data when it leaves company premises. But what about the machines that sit in home offices where telecommuters work daily, or company executives work after-hours? And what happens when a user's home is broken into and his laptop or PC stolen?

"The problem companies face with home workers is that the security boundary with the Internet has been extended to hundreds, even thousands of remote locations," says Geoff Bennett, director of product marketing at StreamShield. "The odds of a weak point are multiplied

Ironically, top execs can be the weakest links in the home-user chain. "The CEO and CFO want to store sensitive information locally on their laptops because they don't want to worry about VPNing in," says Consilium1's

Few IT organizations have the means to restrict user access when it's not on-site: Home users may leave their machines connected to the company network, or give passwords out to family or friends. And watch out for those technologically precocious kids in the house.

"In one instance, a CEO’s kid got on his machine and renamed critical financial files. The firm was unable to do a planned stockholders' meeting as a result," says Rob Enderle, principal analyst with the Enderle Group. "End point security remains important especially if the equipment isn’t on premise."

Security assessments are rarely, if ever, done of the homes of these users, Enderle says.

And now, as home users increasingly become the targets of phishing attacks and botnet attacks, the company-issued laptop and the user's home PC with VPN access can leave the corporate network at risk. "If their machine has turned into a zombie and has access through a VPN to the corporation, the corporation is clearly exposed," Enderle

Most zombie infections use keylogging, which captures password information. And a zombie PC also becomes a spam pipeline, says StreamShield's Bennett, which can wreak havoc since most corporate email systems are configured to filter inbound, not outbound, spam.

"The assumption is that one's own employees are not likely to send spam. But a compromised PC will act as a spam relay," he says, which could result in the company's legitimate email being blacklisted by other organizations.

One way to lock down home users is to eliminate VPN access and instead use biometric, multi-factor authentication to email and "the most limited set of resources needed to do the job," Enderle says.

A home security audit is also helpful, as well as training home users how to best protect their computer and the company network. "And the computer accessing the corporate resources should remain administered and patched, and protected to a degree sufficient for the level of access the remote employee has."


5. Taking advantage of built-in security functions

Security is big business these days, and hardware vendors know it. As a result, many hardware vendors have begun to build security features directly into their devices, giving them out-of-the-box capabilities that are often unexplored or

One of the best examples of this phenomenon is the Trusted Computing Group’s Trusted Platform Module (TPM) 1.2, a set of specifications that enables vendors to add a "security chip" microprocessor to any PC. TPM 1.1 chips made by vendors such as Atmel, Broadcom, and Infineon, have become standard issue on most PC hardware, but PCs that use TPM 1.2 only began shipping in the first half of this

Companies that have begun using TPM packages, such as Wave Systems’ Embassy Trust Suite 5.1, are giving it a thumbs up. "Using TPM and Embassy Trust Suite has made a huge difference in the way we administer security," says Chris Cahalin, network manager at Papa Gino's, which operates some 400 restaurants throughout New . "It's not only made our client machines and files more secure, but it's given us a lot more control in

ETS 5.1 is a set of security tools and applications that leverage TPM chips to encrypt files, folders, and passwords on a laptop or PC, leaving the key only in the hands of the end user and the IT department. The keys can be given out in the form of smart cards, or the user can be authenticated via biometrics or digital

The net result is that users of TPM 1.2 and ETS 1.1 can lock their hard drives, folders, and files via an encryption key that can only be decrypted by the authorized user. A thief can't read any of the files on a stolen TPM laptop, and even users inside the company can be locked out of sensitive files on any end station.

Although most new PCs have TPM, many enterprises have yet to turn on their functionality, concedes Steven Sprague, president and CEO of Wave Systems. "I would encourage every enterprise to take a few of their new PCs into the lab, turn on this technology, and see what it can do," he says. "It'll change the way they look at end-user

Most experts see TPM as a boon for enterprises because it is a standard that works uniformly across vendors and PC models. But they are more wary of proprietary built-in security capabilities that are now being added to consumer-oriented machines.

Over the last few weeks, PC hardware vendors have been rolling out security technology at a rapid rate. On Nov. 1, Hitachi Global Storage Technologies announced that it will offer optional hardware encryption on all of its new 2.5-inch disk drives, which are expected to ship at a rate of a million units per quarter in early 2007. That announcement came on the heels of new drives from Seagate Technology, which will not only offer hard drive encryption but also multi-factor authentication options that would make it impossible for unauthorized users to access any data on the hard drive. (See


The Six Dirtiest Tricks of 2006


DECEMBER 27, 2006 | Since the dawn of humanity, man has taken pride in his achievements of days past. The courageous defense of his cave from long-toothed predators. A fruitful hunt of the elusive wildebeest. The successful programming of his complicated BlackBerry.

In ancient times, these great achievements were told and re-told in tales, in song, in poetry. Today, journalists have evolved this retelling to a higher art form: the annual "year in review" story. This story is done and re-done each year by virtually every publication in existence, from Sports Illustrated to Hog Monthly.

As a new, innovative Web destination, we thought about not doing one of those stories. Break the mold and all that. But it's the end of the year. The drums are beating. The fire is burning high. The smell of roasted wildebeest hangs pungent in the air. The ceremonial conch shell is passed to us -- it's our turn to, uhh, blow.

So, what the hell. Who are we to argue with evolution?

The following is Dark Reading's look back at six of the most clever and devious IT security exploits of 2006, which we call "The Six Dirtiest Tricks of 2006." (Catchy, ain't it?) These are the exploits that attracted the most attention from our readers during our first seven months of publication. (Okay, so it's not the whole year. Sue us.)

Interestingly, none of the "hot security topics" of 2006 appear on this list. In general, our readers didn't find our stories about Windows vulnerabilities, lost laptops, NAC, or HP pretexting to be as interesting as these six. Could it be that you actually want to read about something different for a change? Well, watch out for Dark Reading in 2007: We're making it our quest to give it to you.

In the meantime, pull up a rock and grab a slice of wildebeest. Our look back is about to start.

  • No. 1: The Thumb Drive Caper

In June, a penetration testing firm planted 20 infected USB drives in the bathrooms and parking lots of a busy credit union. It was a simple, non-technical exploit -- and also one of the most effective of the year. Out of the 20 drives, 15 were inserted into PCs by curious credit union employees. If the infection hadn't been benign, the entire business might have gone up in smoke.

The account of this exploit -- perpetrated by one of our own columnists, Steve Stasiukonis, vice president and founder of Secure Network Technologies Inc. -- was by far our best-read story of the year. It exposed a frequently-overlooked vulnerability in most organizations, and it brought forth a whole range of vendors and products that are now attempting to close the hole.

See Social Engineering, the USB Way and Thumbs Down on Thumb Drives.

  • No. 2: Everything in XSS

In September, hackers on a popular hacking message board began posting cross-site scripting (XSS) vulnerabilities they found on popular Websites, including those of Dell, HP, MySpace, and Photobucket, as well as security companies F5 and Acunetix. Heck, after we published the story, the blighters even posted a couple of XSS vulnerabilities found on Dark Reading.

The vulnerability postings were a tangible illustration of another trend that emerged in 2006: XSS has become hackers' favorite vector of attack. While many vendors struggled to keep up with viruses and worms during the year, XSS gave attackers a newer, more targeted weapon, and they continue to use it.

See Hackers Reveal Vulnerable Websites and Cross-Site Scripting: Attackers' New Favorite Flaw.

  • No. 3: The Month of Browser Bugs

After a year of watching flaw after flaw appear in popular browsers -- and writing a few of them himself -- famed security researcher HD Moore decided to make a statement. He would publish a new browser bug every day in July -- the supreme illustration of the insecurity of the modern browser.

Moore's "Month of Browser Bugs" was met with consternation, as vendors and IT managers worried that attackers would pick up the vulnerabilities and run amok through their applications and systems. But although there were a number of exploits launched, the exercise proved to be more of a lesson for the industry. Vendors launched a variety of patches, and IT people gained a better understanding of the flaws in their browsers -- and the inevitability that hackers will find more.

The Month of Browser Bugs also helped to inspire other themed vulnerability exposures, including the Month of Kernel Bugs, which took place last month.

See Getting Buggy with the MOBB and MOBB Bug Among Mozilla Patches.

  • No. 4: The Copier Repairman Cometh

Just a few weeks ago, our resident pen tester and social engineer, Steve Stasiukonis, was at it again. This time, at the request of management, Stasiukonis and one of his colleagues walked into a regional bank dressed as copier repairmen. They proceeded to pull the wool over the eyes of all of the bank's employees, using a copier room connection to tap into the network.

Once again, if Stasiukonis hadn't been a white hat, he might have walked away with the account information for thousands of the bank's customers. As with the thumb drive caper, his exploit proved that companies must train their employees to beware of seemingly-innocent people and devices, and to ask the right questions before letting them in.

See Banking on Security.

  • No. 5: What Hard Drive?

Once in a while, we post a story from another site that attracts droves of readers. Such was the case in June, when we ran a piece from our sister pub, VARbusiness, that recounted a new technology for quickly erasing hard drives. The story recapped a new development at the Georgia Institute of Technology, where researchers had discovered a magnetic means of wiping hard drives clean for the U.S. military.

Okay, technically, it's not an exploit or a dirty trick (unless you're trying to steal the data from that hard drive). But the hard drive erasure issue clearly struck a nerve. As we discussed in subsequent stories, there remains a crying need for a fast, sure-fire way of cleaning off the data from hard drives before they are sold or recycled. The folks at Georgia Tech and L-3 Communications are still working on a "garbage can" for hard drives that would do just that.

See Researchers Find Technique to Quickly Erase Hard Drives and A Garbage Can for Hard Drives.

  • No. 6: They're in MySpace

Throughout the year, the social networking site has become astoundingly popular, not just for teenagers, but for grown-ups who access it from their work computers. Unfortunately, the popularity of the site has made it an excellent target for attackers -- and a major risk for enterprises.

In October, a researcher published proof-of-concept code for a zero-day vulnerability he found on the site -- another variation on the cross-site scripting (XSS) theme. Since that time, researchers have found more vulnerabilities in the social networking site, and the hacks keep coming. Attackers like MySpace because it gives them the freedom to use a combination of social engineering and technical hacking to get the data they need, experts say.


Banking on Security


NOVEMBER 29, 2006 | We were recently hired by a regional bank to assess its security. When negotiating the services agreement with the bank president we agreed to perform the standard network security penetration testing, but he insisted we also test the security awareness of the bank staff.

What he really wanted to discover was whether employees have become complacent in verifying credentials of the customers, but more importantly checking out the people who service the bank's needs. The bank had recently outsourced its IT functions, and although they were promised a dedicated technician by the outsourcing firm, the revolving door of technicians coming and going had become the standard.

After signing some legal boilerplate and "get out of jail free" paperwork, here's what we agreed to: Pose as a vendor, enter the facility, plug into the network, sniff traffic, look for login and passwords, then try to become domain administrator of the network.

Our first step was to select a vendor to impersonate. To keep the suspicion level down, it needed to be someone who'd use a computer or laptop once inside. To find out more, I sent a colleague into the bank to inquire about a checking account. While in the bank she took notice of the various pieces of office equipment, specifically the printers, faxes, and copiers. While discussing the possibilities of becoming a customer, our spy also inquired about the manager of the bank and the availability of that person in the event a question or problem arose. Days, times, and even a cellphone number were provided to our insider.

After reviewing the list of office equipment she retrieved, we decided the best person to enter the facility was a copier technician. The bank used digital multifunction devices so each copier worked as a local printer on the network. From there we looked into our cache of vendor clothing. We were fortunate to have a brand new denim shirt embroidered with the copier company logo. Being close to Halloween we thought it would be entertaining to throw on a fake beard or mustache but scrapped the idea when we saw how bad it really looked. We then put together an assortment of tools and credentials.

Our office at Secure Network Technologies utilizes a proximity card access system, which also serves as an employee identification badge. Conveniently, we have the machine that prints these things. After a few minutes in the device's editing program, we used a digital photo to create an identification card that looked official enough to be from the copier company.

Using our past experience with copier folks, we put together a giant silver briefcase on wheels, a mini-vacuum cleaner, and a few reams of paper. Inside the briefcase was our laptop, loaded with all the software tools needed to poke and probe their network.

On the day we planned to go in, I called the bank and indicated I was new to the copier company and wanted to get familiar with the machine to properly service the equipment. I indicated we could perform a preventive maintenance call at no charge to ensure the quality of the prints and copies. The person at the bank agreed and thought it was a good idea. I requested her name in the event we needed to validate who we spoke to when we attempted to go in. Later that afternoon I stopped in at the bank with my new denim work shirt and a rolling briefcase full of gear in tow.

I entered the bank lobby and was immediately greeted by a woman in a small glass-paneled workspace. I mentioned we called earlier, dropped the contact's name, and indicated I was here to service the copier/printer. Without hesitation I was escorted to the machine and left unattended. To make it appear as if I were working on the device, I opened every panel on the machine, pulled all the trays out, and placed my laptop on the glass surface of the copier/printer.

I was approached by a few people who needed to make copies; I apologized for the inconvenience and said the machine might be down for 30-40 minutes. I then disconnected the network cable from the copier/printer and attached my laptop. As soon as my laptop booted up, DHCP provided a network address and I was on the internal network. I started a few of our utilities and started sniffing the traffic on the network.

Within seconds I had a variety of logins and passwords, access to numerous shared folders, data, and administrative accounts. We usually single out a few of the key employees that might be considered important, i.e. bank president, vice president, and operations manager, and make a note of their logins and passwords. When I determined I had enough data I decided to snap a few digital images to throw into the report. I took six or seven pictures, even utilized the flash, with nobody questioning or asking why I was doing this.
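A defender's counterpart to the copier-room plug-in described above, added here as an example; it is not part of Stasiukonis's column or his firm's tooling. The script parses ISC dhcpd-style DHCPACK syslog lines (a constructed sample) against a constructed inventory of sanctioned copier MAC addresses on an assumed printer VLAN (10.0.5.0/24) and flags any lease on that segment the inventory cannot explain: an unknown MAC, or a known MAC announcing a hostname other than the one on record. The subnet, MAC addresses, hostnames and log lines are all assumptions.

```python
"""Flag DHCP leases on a copier/printer VLAN that the device inventory does not explain.

Added example, not from the original article. Assumes ISC dhcpd-style syslog
lines and a hand-maintained inventory of copier MAC addresses; both the log
and the inventory below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: the bank's multifunction copiers sit on their own VLAN/subnet.
PRINTER_SUBNET = ipaddress.ip_network("10.0.5.0/24")

# Constructed inventory: MAC -> expected hostname for every sanctioned copier.
KNOWN_PRINTERS: Dict[str, str] = {
    "00:1a:2b:3c:4d:5e": "COPIER-LOBBY",
    "00:1a:2b:3c:4d:60": "COPIER-OPS",
}

# Matches ISC dhcpd DHCPACK lines. The "(hostname)" part is optional because
# clients that send no client-hostname option produce lines without it.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)

# Constructed sample log: two real copiers, one workstation on another subnet,
# and one unknown laptop that took a lease on the copier VLAN.
SAMPLE_LOG = """\
Nov 29 14:02:11 dhcp01 dhcpd: DHCPACK on 10.0.5.20 to 00:1a:2b:3c:4d:5e (COPIER-LOBBY) via eth0
Nov 29 14:02:40 dhcp01 dhcpd: DHCPACK on 10.0.7.15 to 00:21:70:aa:bb:cc (WS-TELLER3) via eth0
Nov 29 14:31:05 dhcp01 dhcpd: DHCPACK on 10.0.5.21 to 00:21:70:de:ad:01 (visitor-laptop) via eth0
Nov 29 14:31:06 dhcp01 dhcpd: DHCPACK on 10.0.5.22 to 00:1a:2b:3c:4d:60 via eth0
"""


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: Optional[str]
    iface: str


@dataclass(frozen=True)
class Alert:
    lease: Lease
    reason: str


def parse_leases(log_text: str) -> List[Lease]:
    """Extract every DHCPACK from the log; lines that are not ACKs are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"], m["iface"]))
    return leases


def find_rogue_leases(log_text: str,
                      known: Dict[str, str] = KNOWN_PRINTERS,
                      subnet: ipaddress.IPv4Network = PRINTER_SUBNET) -> List[Alert]:
    """Return one Alert per lease on the printer subnet that the inventory does not explain.

    Two conditions are flagged: a MAC that is not an inventoried copier at all
    (a laptop on the copier's cable), and an inventoried MAC announcing a
    hostname other than the one on record (a possible spoof of a known MAC).
    """
    alerts = []
    for lease in parse_leases(log_text):
        if ipaddress.ip_address(lease.ip) not in subnet:
            continue  # leases on other VLANs are out of scope for this check
        expected = known.get(lease.mac)
        if expected is None:
            alerts.append(Alert(lease, "unknown MAC on printer subnet"))
        elif lease.hostname is not None and lease.hostname != expected:
            alerts.append(Alert(lease, f"hostname {lease.hostname!r} != inventory {expected!r}"))
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_leases(SAMPLE_LOG):
        print(f"{alert.lease.ip} {alert.lease.mac} ({alert.lease.hostname}): {alert.reason}")
```

A lease handed to an unknown MAC on the copier segment is exactly the trace a laptop on the copier's cable leaves behind, and a syslog collector can run this check continuously. Port-based 802.1X or switch port security on the copier drops closes the gap earlier, by refusing the link before a lease is ever granted.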

In the event they asked, I figured I'd tell them we do this to document the cleanliness of the machine after we service it, primarily because of complaints about the machine being covered and smudged in black toner.

Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine.

When I returned to my office I immediately called my contact and explained what we did and that we were successful. After retrieving the ream of paper with his password, I could hear the concern in his voice since our job confirmed his worst fears. I explained to him this type of problem can be fixed by sharing the results with his employees, and that no one person should be targeted as a single point of failure.

Our effort required us to talk and interact with several people. At no time did anybody question who we were or call the vendor to confirm our identity.

Over the years and after doing several security assessments using social engineering techniques, nine times out of 10 we usually get caught when that one person says "I need to call someone about what you're doing." That call to confirm usually raises enough suspicion to stop us from proceeding. And after that person realizes what they did, word travels real fast throughout the organization that they caught the "bad guy."

Combine catching the bad guy and letting an organization know this type of theft and criminal behavior really exists, and you get one of the best tools in educating employees about vigilance and how to be proactive in security.


Should IT Block iPhone?


JANUARY 26, 2007 | Second of a two-part column

In the first part of our discussion of security's role in company policy, we focused on why the security group should play a stronger role in employee selection. This time, let's look at security's role in restricting the hardware that is brought into corporate networks. We could start with USB flash drives, but Apple's new iPhone is potentially more dangerous.

While IT people often worry about rank and file employees, executives pose a special problem. Much of my mail includes questions on how to deal with that troublesome top executive -- without sacrificing one's career in the process.

Executives often misuse their authority and intentionally create security problems just to showcase their own power or avoid personal inconveniences. This is particularly true with unapproved devices, because these executives feel that general rules shouldn't apply to those in their exalted positions. The execs sometimes end up paying for such mistakes, but in the end, the security group most often will share the blame.

Which brings us to the iPhone. Is it just me, or did anyone else see the launch of Apple’s new iPhone as a security nightmare in the making? I’m talking about the increasing number of employees who will be buying these things, putting company information on them, and then losing them.

We already have a nightmare with stolen and lost laptop computers. But these damn phones -- which apparently are years behind the existing RIM, Palm, and Microsoft CE platforms with regard to security -- are both more portable and vastly more likely to be stolen.

Apple appears to have launched the iPhone without even a nod to security, which suggests that we, as an industry, are simply not being vocal enough with regard to our requirements. And before a bunch of executives buy these damn things, we’d better make sure that our IT organizations have developed a published policy (with teeth) preventing them from entering our networks and collecting embarrassing data.

If we do this broadly enough, there is a good chance the next yo-yo vendor that rolls out a device like this will think through the security problem first. This is about getting ahead of problems -- and it is amazing that some very successful companies, which should know better, don’t. And with its high internal security requirements, Apple should be first in line to prevent this phone from being brought in by employees.

So what do hardware policies have to do with employee hiring practices, which we discussed in Part 1 of this column? Both are issues where security needs to get involved early, in a proactive way.

Too often, security is used as a reactive function -- after the horse has left the barn. It often is not used strategically and that, I think, is a huge mistake. Making sure employees are safe, company secrets are secure, and a company’s assets are protected -- those things are at the heart of ensuring a company is both profitable and viable. A security failure can do more than just damage a firm. It can, and it has, caused several companies to cease to exist.

This is why I think security should play a more active role in ensuring people are properly selected -- and keeping inappropriate hardware out of the network. When executives make stupid mistakes, it often is because they were unaware of the real risks they were taking. Security, used strategically, can make those executives more aware -- and less likely to make these critical mistakes.


Mobile Malware: The Enterprise at Risk

Today's business-class smartphones have the same memory, processing power, and application capabilities that PCs had in the early part of this decade. They also run full-blown operating systems (OSs) such as Symbian or Windows Mobile. Besides the cellular connection, many of them have multiple options for moving data in and out, including Bluetooth and universal serial bus (USB) interfaces. These characteristics are a major reason why handsets have become an attractive target for writers of viruses and other forms of malicious software, or "malware."

There are at least three reasons why malware should be viewed as a potentially critical security threat by CIOs and IT managers:

Vulnerability: Nearly all mobile malware has thus far targeted handsets that run a full-blown OS: Palm, Symbian, Windows Mobile, and, to a lesser extent, BlackBerry. These smartphones typically cost $300 to $700, which means they're usually provided only to executives and management. As a result, the people with the most to lose – e.g. address books with key company and customer contacts – are also in the best position to lose it. Meanwhile, smartphone prices are falling, which improves the business case for offering them to a wider range of employees, and thus increases the enterprise's vulnerability.

Cost: Although most mobile viruses (so far) cause little damage to handset functionality and stored data, their financial impact shouldn't be underestimated. Their damaging effects include lost employee productivity and increased IT support costs; users can also be socked by larger wireless bills from malware that causes the phone to send text messages – without the user's knowledge – to premium services that are charged to the phone account. Unless employees and managers scrutinize wireless bills, such charges can slip through. If the charges are so large that they're impossible to overlook, the enterprise can incur additional costs in terms of personnel hours spent disputing them with the wireless carrier, which might not be willing to issue a refund.

Risk: If a smartphone is used to store or access client information, malware can put that information at risk. As a result, the enterprise may run afoul of regulations and laws such as the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. Even if the handset is used to access that information rather than store it – for example, using cellular to connect to the company's server – malware can place it in jeopardy. For example, FlexiSpy is a keystroke logger that could be hacked into a Trojan for collecting information such as text messages and IP addresses visited by the phone's browser.

This report evaluates the potential impact of mobile malware on enterprise telecom and IT resources. The report identifies the potential entry points of malware programs and assesses the threat level that each potential trouble spot poses to the enterprise. It also surveys anti-malware products and solutions available from wireless service providers, handset makers, and third-party security software companies. Finally, it includes a full set of “Insider Tips” – guidelines and procedures that enterprise telecom and IT departments should consider to minimize exposure to malware risk.

This report provides critical data and analysis for a range of industry participants, including:

  • Enterprise/IT managers and decision-makers involved in planning and administering enterprise mobility operations and applications
  • Manufacturers of smartphones and other enhanced mobility devices
  • Suppliers of mobility-enabling software and operating systems
  • Wireless service providers
  • Investors evaluating the competitive positioning and long-term prospects of startup and established suppliers in the anti-malware product sector


US Military Roadmap: 'Fight the Net'

IT Security Problems Recognized by the Military

JANUARY 30, 2007 | Ground operations, air operations, maritime operations -- and now, information operations? That's right -- the U.S. military wants to add information operations as a new military core competency, according to a newly declassified Defense Department document called the "Information Operations Roadmap." The 78-page document, written in October 2003 and signed by former Defense Secretary Donald Rumsfeld (complete with blacked-out blocks of classified text), was obtained via the Freedom of Information Act by the National Security Archive at George Washington University and reported by BBC News. It provides a sneak peek into the military's ambitious goals for information operations: using/fighting the Internet, improving psychological operations (psyops), and dominating the electromagnetic spectrum. Bottom line: Information is crucial to the military's success.

"Fight the Net" is a major recurring theme of the document. Given the rise in hacker and cybercrime risks to U.S. businesses, the military should fight the Internet as if it were an "enemy weapons system," the document says. It also points out that networks are becoming more vulnerable and calls for a defense-in-depth strategy for "providing Combatant Commanders with the tools necessary to preserve warfighting capability." The document hints at the use of "offensive cyber tools" and computer network attacks as well as integrated weapons systems, but much of that section is classified, and therefore sketchy.

Sean Kelly, business technology consultant with Consilium1, says the "fight the net" campaign is the wrong approach. "I agree that our Defense Department needs to have strong security strategies for defending our information systems -- especially intelligence databases, as well as key communications channels," Kelly says. "I would hope that our Defense Department would employ some of the best and brightest network security professionals to develop a strategy that identifies and protects -- through monitoring and taking action where necessary, [a] good old fashioned incident response program -- high-risk areas of its own networks as well as on the Internet."

The military's IO Roadmap also calls for improving psyops, which today are "reactive" and "not well organized," according to the document, including better use of technology -- radio, television, print, and Web -- to spread the word.

But one of the most compelling issues in the roadmap was the military's interest in getting control of the electromagnetic spectrum. "To prevail in an information-centric fight, it is increasingly important that our forces dominate the electromagnetic spectrum with attack capabilities," according to the document. Kelly says controlling the electromagnetic spectrum is extreme. "Instead of taking an 'us against the world' approach, we should be collaborating with other nations to identify threats and develop a plan to address known vulnerabilities," he says. "We can decide how we want to defend our internal interests and network infrastructure, but we should not be seeking the ability to have full control over the electromagnetic spectrum." Defense Department officials were not available for comment in time for this posting.


Security Breach Damage Spreads

Oops.. Cybercrime is costly...

More Thefts From TJX Breach


JANUARY 30, 2007 | More than 60 banks have reported compromises of customer accounts as a result of the recent security breach at retail giant TJX Companies, and that figure is expected to grow, according to the Massachusetts Bankers Association.

And in a separate report, Visa alerted financial institutions that TJX had violated the Payment Card Industry's Data Security Standard guidelines, which prohibit long-term storage of credit card data by retailers.

Less than half of the 205 banks in Mass. have reported their findings on the TJX breach, disclosed two weeks ago. (See TJX Breach Skewers Customers, Banks.) Most of the banks reporting in have seen unauthorized account activity on at least some of the credit cards exposed in the breach, according to the MBA.

The banks are still contacting TJX customers, and in some cases, are canceling customer accounts and re-issuing cards, according to Daniel Forte, CEO and president of the MBA. The number of banks affected is "likely to grow higher," the MBA says, as many of them haven't been able to report "because the situation is such a moving target."

Officials at TJX still aren't saying how the breach occurred, but according to an alert sent Jan. 15 via the Visa Compromised Account Management System, the retailer had stored credit card data dating back to 2003. PCI rules, which are set and enforced by the credit card companies, state that merchants cannot store data for long periods.
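The PCI retention point above can be turned into a check a merchant runs against its own transaction store. This is an added example, not code from TJX, Visa or the PCI Security Standards Council: it scans constructed transaction records for Luhn-valid card numbers, reports any still held in full past an assumed 90-day retention window (measured from an assumed report date of January 30, 2007), and masks each number in the finding itself so the report does not become another copy of the data. The record layout, the standard test card numbers and the retention window are all assumptions.

```python
"""Report full card numbers (PANs) retained past a data-retention cutoff.

Added example; not from the article or from any PCI tooling. The record
layout, the sample card numbers (well-known test PANs) and the retention
window are assumptions.
"""
import re
from datetime import date, timedelta
from typing import Dict, List

# Assumed policy: a report date and how long a full PAN may be kept at all.
REPORT_DATE = date(2007, 1, 30)
RETENTION_DAYS = 90

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (so a 20-digit order number is not carved up).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Digit-only form of every Luhn-valid, card-number-shaped run in the text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep first six and last four, the masking form PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample store: free-text notes are where full PANs tend to linger.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"txn_id": "T-0001", "txn_date": "2003-04-17", "note": "card 4111111111111111 exp 05/06"},
    {"txn_id": "T-0002", "txn_date": "2006-12-15", "note": "card 5555-5555-5555-4444 auth ok"},
    {"txn_id": "T-0003", "txn_date": "2006-12-20", "note": "order ref 1234567890123456"},
    {"txn_id": "T-0004", "txn_date": "2002-09-01", "note": "card ************1111 last4 only"},
]


def full_pan_records(records: List[Dict[str, str]]) -> List[str]:
    """IDs of records holding at least one full PAN, regardless of age."""
    return [r["txn_id"] for r in records if find_pans(r["note"])]


def retained_pans(records: List[Dict[str, str]],
                  as_of: date = REPORT_DATE,
                  retention_days: int = RETENTION_DAYS) -> List[Dict[str, object]]:
    """Findings for records older than the retention window that still hold a full PAN."""
    cutoff = as_of - timedelta(days=retention_days)
    findings = []
    for rec in records:
        pans = find_pans(rec["note"])
        if pans and date.fromisoformat(rec["txn_date"]) < cutoff:
            findings.append({"txn_id": rec["txn_id"],
                             "txn_date": rec["txn_date"],
                             "pans": [mask_pan(p) for p in pans]})
    return findings


if __name__ == "__main__":
    for f in retained_pans(SAMPLE_RECORDS):
        print(f"{f['txn_id']} ({f['txn_date']}): {', '.join(f['pans'])}")
```

The Luhn filter keeps order numbers and other 16-digit references out of the findings, and the masked output is all an auditor needs to locate the record; the remediation is to purge or truncate the stored PAN, not to re-store it elsewhere.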

The banks are absorbing most of the punishment resulting from the breach. It is the banks, not TJX, which are reimbursing customers for the account thefts, and it is the banks, not TJX, which could be subject to fines for doing business with a merchant that does not comply with PCI.

The banks are responding by asking for swifter action by legislators and credit card companies to require swift disclosure of breaches among retail merchants. "By not disclosing which firm caused the breach, or quickly disclosing it, consumers are needlessly troubled," Forte says.



FBI Faces Fresh Cyber Threats


JANUARY 29, 2007 | NEW YORK -- From dirty bombs and high-tech spies to teenagers planning DOS attacks with Sony PlayStations, the F.B.I. has its hands full with a growing number of cyber-threats, according to David Thomas, deputy assistant director of the agency's science and technology branch.

The official, a keynoter at a conference here today, warned that the Internet is more important to U.S. national security than ever before. "We know that terrorists would like to create a dirty bomb," he said, explaining that his agency has to keep this know-how within the U.S. "Spying is changing -- whereas before people had to travel to the U.S., now they don't have to."

Senior officials, such as 9/11 Commissioner Jamie Gorelick and former presidential security adviser Richard Clarke, have already highlighted the cyber-threat posed by groups such as Al-Qaida, although this is just one of many issues on Thomas's desk. (See U.S.: Al Qaeda Eyeing Cyber Threats.)

A new breed of hackers, for example, is emerging in eastern Europe, posing a fresh challenge to corporate America. "They are using brokerage accounts to manipulate stocks now," warned Thomas. "If you have a brokerage account, you have to watch it like a hawk."

For some time now, eastern Europe has been the cyber-equivalent of the Wild West, with governments struggling to clamp down on hackers and organized crime. Even Thomas has been a victim. "I gave an interview for the Wall Street Journal last January on eastern European hacking groups and within four hours my accounts had been cleared out," he said.

The official explained that the next frontier in the battle against cyber-crime is further east. "Strategically, all my people are looking at China -- you have got a lot of people [there] that are tech-savvy," he said, explaining that, in a population of around 1.5 billion, even a tiny percentage of cyber-criminals could cause major problems for American firms.

Against this backdrop, businesses should start rethinking their storage and VOIP security strategies, according to Thomas. "Companies need to look at the way they store their data," the official told Byte and Switch, adding that CIOs can make a hacker's life more difficult by storing customer names, dates of birth, and social security numbers on separate servers.

U.S. firms also need to reappraise their perimeter security. "There's an over-reliance on firewalls -- [CIOs] think that they can do everything, but they can't," he said adding that firewalls and intrusion prevention systems (IPSs) often possess too many vulnerabilities of their own.

VOIP also presents big challenges, according to the official. "There was a case out of Newark [where] a guy had set up his own private network where he was stealing bandwidth from the private telephone companies," he explains.

The fraudster, apparently, was making $1.5 million a year simply by hacking into telecom firms' VOIP switches. This trend, warned Thomas, is on the rise. "We have seen a tremendous increase in hacking into public bridges," he explains, adding that hackers targeting VOIP switches can cost a telecom around $70,000 a month in lost revenues.

Then there is the ongoing threat posed by geeky, yet technically gifted, adolescents. To illustrate his point, Thomas related the story of an FBI raid on the home of 15-year-old American hacker, who was suspected of causing a major Denial of Service (DOS) attack in Cyprus.

Despite the feds confiscating all the kid's computers, he somehow used the Linux operating system on his Sony PlayStation to get back online and buy replacement gear. "That night, he wrote a DOS attack that knocked the Website off for three days," added Thomas, prompting laughter from the audience.

A number of vendors used today's LegalTech event to unveil new products and talk about their roadmaps. SAN specialist Xiotech, for example, announced plans to integrate its products with a new set of compliance-related services. (See Xiotech Intros Products, Services.)

These solutions, according to Mike Stoltz, the vendor's vice president of marketing, will be geared around initiatives such as the Federal Rules for Civil Procedure (FRCP), and will be available later this quarter. (See FRCP Tip Sheet.) The vendor, he added, has also got its eye on possible M&A in areas such as e-discovery and consulting. "You will see some announcements from us very shortly," he explained.

Elsewhere, Iron Mountain announced a partnership with e-discovery specialist Stratify, and classification vendor Kazeon changed the user interface on its IS1200-ECS device, which it claims will make it easier for lawyers to use. (See Iron Mountain Forges Alliance and Kazeon Reduces Cost of E-Discovery.)

