Thursday, February 8, 2007

Cybercrime calculator targets hackers, terrorists

They really are out to get you. Dynamic security technology could integrate threat information into its policy enforcement algorithms.

China and Russia are the two biggest threats to cybersecurity in the U.S.

Network World Staff February 07, 2007 (Network World) -- The University of New Hampshire has unveiled a tool for gauging the level of threat any would-be attacker poses to the energy, emergency response or other sectors of the U.S. economy and infrastructure that rely heavily on IT and networks.

The UNH Cyber Threat Calculator was shown at the Department of Defense Cyber Crime Conference in St. Louis in January. The calculator spits out results after weighing a threat's intent, technological capabilities and economic resources.

"There are increased risks as computer networks become more integrated with all aspects of our lives and infrastructure," said Andrew Macpherson, director of the technical analysis group at UNH Justiceworks and research assistant professor of justice studies at UNH, in a statement. "Using cyberattacks to take some type of infrastructure, military or civilian out of commission is, over the long run, problematic."

China and Russia are seen as being the two biggest threats to cybersecurity in the U.S., he said, but it's not clear whether it is in their "best interest to use cyberattacks for strategic attacks."

Macpherson said it's possible an attacker might try to quietly do damage over time rather than making a digital Pearl Harbor attack.

"With approximately 85% of the cyberinfrastructure owned by the private sector, it's not just a government problem," Macpherson said in a statement. UNH expects to make the calculator available to private industry security experts later this year.

Labels: ,

RSA: Microsoft pledges support for OpenID

Dynamic Security could help integrate this authentication system into your present security programs and policies.

RSA: Microsoft pledges support for OpenID

Robert McMillan

February 06, 2007 (Computerworld Hong Kong) Microsoft Corp. has thrown its weight behind OpenID, an emerging Web authentication standard.

The announcement was made today at the RSA Conference in San Francisco during a joint keynote by Microsoft Chairman Bill Gates and Chief Research and Strategy Officer Craig Mundie that was long on vision and short on specifics.

Microsoft pledged to work to integrate OpenID with its CardSpace identity management software, which is now available in conjunction with Windows Vista. "The marriage of CardSpace and OpenID 2.0 is actually a giant step forward," Mundie said.

By integrating these two technologies, Microsoft expects to "eliminate the issue of the man-in-the-middle-attack," Mundie said. In these attacks, which are increasingly being used by phishers, a thief steals sensitive information by setting up a fake Web site that passes information back and forth between the victim and the legitimate Web site.

OpenID is an emerging open-source standard that simplifies the task of logging on to many different Web sites.

Gates and Mundie spent much of their keynote discussing how their company plans to simplify security and make the process of managing digital identities easier.

IT professionals could achieve both ends by getting rid of log-in passwords and replacing them with strong, certificate-based authentication techniques like smart cards, Gates said. "Passwords are not only weak. Passwords have a huge problem. If you get more and more of them, the worse it is," he said.

"We see smart cards ... [and] certificates in general as the way these things should go. You'll be presenting certificates as opposed to weak passwords," he said.

Microsoft hopes to drive the adoption of smart cards, with the launch of its Identity Lifecycle Manager 2007, introduced at RSA. Expected to ship on May 1, this software integrates technology from Microsoft's 2005 acquisition of Alacris with the company's Identity Integration Server. The software will make it easier for users to integrate strong authentication technologies like smart cards into Microsoft networks.

Mundie suggested that in order for security to work, technology companies will need to turn their thinking upside down, to a certain extent. "Security was really a blocking thing," Mundie said. "How do you invert this ... so these security mechanisms become a thing that makes it simpler for anyone to be granted permission to get [network] access."

Microsoft plans to achieve this by switching the focus using technologies like IPsec (Internet Protocol security) and IPv6 (IP version 6), Mundie said. The company has already been using these technologies for the past two and a half years in an internal access control system that is better about granting employees and contractors access to the data and applications that they need, but keeping them away from the rest of the network, he said.

With breaches being reported every week -- often after the loss of a laptop computer -- companies need to think beyond locking down the perimeter of their networks, Mundie added. "The threat model is changing in fundamental ways. We could continue to invest in this fortress mentality of protecting everything, but I don't think that would be sufficient," he said. "Our castle is fairly porous because a lot of our assets leave the castle."

Microsoft's broad vision did not impress one attendee.

"This was the most content-free presentation I've seen at RSA in years," said Bruce Schneier, chief technology officer with BT Group PLC's Counterpane unit. "My guess is that most people in the room could have given that talk because it's where we all want to go."

The keynote, in which Gates and his successor sat side-by-side and, at times, finished each others thoughts, appeared to be a symbolic handing over of power, Schneier said.

Gates will be stepping down from his day-to-day duties in July 2008, at which point Mundie will take over Microsoft's research efforts.

But Schneier doesn't expect Gates to appear at next year's conference. "The take-away is Craig's coming back next year, but Bill isn't," he said.

Labels: , , ,

Weak passwords help hackers - How to enforce Password Policy?

Dynamic security can enforce password policies.
Study: Weak passwords really do help hackers

Four computers left online for 24 days were hit by 270,000 hacking attempts

Todd R. February 06, 2007 (Computerworld) -- Left online for 24 days to see how hackers would attack them, four Linux computers with weak passwords were hit by some 270,000 intrusion attempts -- about one attempt every 39 seconds, according to a study conducted by a researcher at the University of Maryland.

Among the key findings: Weak passwords really do make hackers' jobs much easier. The study also found that improved selection of usernames and associated passwords can make a big difference in whether attackers get into someone's computer.

The study was led by Michel Cukier, an assistant professor of mechanical engineering and an affiliate of the university's Clark School Center for Risk and Reliability and Institute for Systems Research. His goal was to look at how hackers behave when they attack computer systems -- and what they do once they gain access.

Using software tools that help hackers guess usernames and passwords, the study logged the most common words hackers tried to use to log into the systems. Cukier and two graduate students found that most attacks were conducted by hackers using dictionary scripts, which run through lists of common usernames and passwords in attempts to break into a computer.

Some 825 of the attacks were ultimately successful and the hackers were able to log into the systems. The study was conducted between Nov. 14 and Dec. 8 at the school.

Cukier was not surprised by what he found. "Root" was the top guess by dictionary scripts in about 12.34% of the attempts, while "admin" was tried 1.63% of the time. The word "test" was tried as a username 1.12% of the time, while "guest" was tried 0.84% of the time, according to the experiment's logs.

The dictionary script software tried 43% of the time to use the same username word as a password to try to gain entrance into the affected systems, Cukier said. The reason, he said, is that hackers try for the simplest combinations because they just might work.

Once inside the systems, hackers conducted several typical inquiries, he said, including checking software configurations, changing passwords, checking the hardware and/or software configuration again, downloading a file, installing the downloaded program and then running it.

For IT security workers, the study reinforced the obvious. "Weak passwords are a real issue," Cukier said.

At the University of Maryland, users are told that passwords should include at least eight characters, with at least one uppercase letter and one lowercase. The school also recommends that at least one character be a number or punctuation symbol, Cukier said. All passwords should be changed every 180 days, according to the university's recommendations.

"That's really reasonable," Cukier said of the guidelines. "It's not helpful if the password is so complicated that people don't remember it and [therefore] write it down on a sticky note next to their computer."

Users can use the title of a favorite book for a password or even the first letters from a memorable sentence, he said. "They'll be easy for you to remember because you'll be able to remember the sentence ... without having to write it down," Cukier said.

Labels: ,

Made4biz Security Translating real-world security knowhow into state of the art security systems.
Made4biz Security

Turn on Sound for Demos:
Bill Gates Demo (Location-based)
Elvis Demo (Location/Context-based)
Clint Eastwood Demo (Temporal-based)

Powered by Blogger

Subscribe to
Posts [Atom]

Technorati Profile

RSS Syndication

Made4Biz Security Inc