Mumbai Terrorists used Technology as Weapon of War

This article presents an update on the methods used by the Mumbai terrorists: technology in the form of BlackBerry phones and Internet access. This shows a level of planning and organization that is unusual for most terrorist groups. However, it probably won't be the last time we see the bad guys using technology for sinister purposes.

Src: Terrorists turn technology into weapon of war in Mumbai (The Courier-Mail)

Malware Database - A must read!

By chance, one of the security luminaries that I follow sent a link to the Malware Database site. If you want to stay current on the latest and greatest reports of malware in the wild, this is a must. There's also a Twitter account so you can get the latest malware news as tweets.

Malware Database (web)
Malware Database (twitter)

Patching offline virtual machines

Excellent post from Security4all about the need for and the way to ensure that offline virtual machines are patched in a timely (and automated) manner. Patching solutions such as the ones discussed for Microsoft and VMware will likely be the main differentiator between the virtualization leaders and their open-source competitors.

Src: Patching offline virtual machines (Security4all)

How video and pictures can be a threat to security

This posting provides an update to the concept of "No Tech Hacking" which has made Johnny Long a commodity name in the InfoSec arena (Google video and book). Richard Stiennon is right on about the dangers that this Web 2.0 world poses to our daily lives. We are leaking information left and right, and there doesn't seem to be an end to it.

Larry Pesce of PaulDotCom.com has been working on his SANS paper, and has numerous postings (latest one here) about tools like MetaGooFil and others to extract information from local and web documents.

Src: How video and pictures can be a threat to security (ThreatChaos)

Lenovo Service Disables Laptops With a Text Message

There are days when I just ponder if we're doomed to continue to create "security solutions" that are double-edged swords. Today's solution is one unveiled by Lenovo, which would let users register up to 10 cell phones allowed to disable a laptop remotely.

How long before spammers start sending text messages to all cell phone numbers with the command: remote-erase-all-data-now?

Slashdot commentary on Lenovo Service Disables Laptops With a Text Message
Original story on eWeek

Windows Drivers & Licenses

This news post from Christopher Dawson exemplifies the problems that plague most of today's Windows-based distributions: licenses and drivers.

On the licensing side, the user is faced with a barrage of cryptic codes to enter, if they remember where they put the license key in the first place. How about coming up with word-based licenses instead of G6QRH five times?

On the driver side, my own experience echoes that of Mr. Dawson in that both Dell and HP's service tags manage to recognize the machine but present an array of choices regarding hardware drivers. How is a user to know which particular version of a network card or sound card one has? Why can't manufacturers code that level of detail into their license tags? Please don't mention HPA (Host Protected Area), a special area of the disk where manufacturers "store" (hide?) drivers and restoration software.

Ubuntu, a free Linux distribution with the look and feel of Windows, will install and recognize most hardware without ever asking for a license or a driver. We need technology that simply works instead of getting in the way.

Src: Are you sure you don’t just want to use Ubuntu? (ZDNet.com)

Dr.InfoSec featured on BusinessWeek Front Page

Update on 11/25/2008: still showing up on BusinessWeek's Technology page.

Earlier this month, Douglas MacMillan wrote a story for BusinessWeek about scammers and the dangers to your online identity. The article featured Shawn Moyer and Nathan Hamiel and their successful scam: convincing fellow LinkedIn users (many of whom are security professionals themselves) that they were the real Marcus Ranum (CSO of Tenable Network Security).

By chance, I happened to see the article on Twitter and left a comment. The comment got picked up and I was asked by BW to provide a photo and give my blessings to be featured on the front page.

Many thanks to Stiennon's tweets, the Security Bloggers Network and the Security Twits group for all of the positive attention.

Direct link to the BusinessWeek story (photo of front page area below)
BusinessWeek front page

Who Hijacked Your Domain?

In the past weeks, the security blogosphere has been abuzz with stories of folks who got their web sites hijacked (and held for ransom) after their web-based email accounts were altered with filters that redirect specific emails to an attacker's email account.

Personally, I would like to see more being done by the web-based email providers to validate users' identities and protect the ever-increasing value of information being stored in email accounts.

Gmail Security Flaw Proof of Concept

Microsoft Ranked 5th Most Spam-Friendly ISP

The cost of ignoring spammers is simply too high; now Microsoft needs to repair its PR image from the latest snafu: being listed as the 5th (now 6th) most spam-friendly ISP. The rating, from Spamhaus.org’s list, points to several current issues that Microsoft has simply not resolved yet, including allowing Hotmail scams, file repositories used by hackers, and web spaces used by hackers.

Who will make the list next?

Src: Microsoft is 5th most spam-friendly ISP (ZDNet.com)

A Wealth of Data, and Nobody in Charge

Privacy advocates argue that academic institutions should hire full-time privacy officers to focus solely on privacy as "the job of security officers is to protect data that are already collected — not to ask whether the data should be captured and stored in the first place."

This article exposes a salient truth about the academic sector. In the past two weeks, I have come across two instances where academia has appeared clueless when it comes to data security and privacy. One is contained in the article below ("what's a CPO?"); the second was posted on the social networking site Twitter by a frustrated security professional who was dumbfounded to have to explain the term "penetration test" to a group of Computer Science PhDs.

Src: A Wealth of Data, and Nobody in Charge (Chronicle.com)

SUMO Linux - New Multi-OS Distro

SunTzuData.com has re-mastered some solid Distros into one DVD format. The DVD available from SUMO Linux contains:

  • Backtrack 3
  • Helix 2.0
  • Samurai Linux
  • DBAN
  • DVL

SunTzuData, the company behind the SUMO Linux distro, was founded by Marcus Carey. Marcus used to work for Computer Sciences Corp. (CSC) and was assigned to the DC3's Defense Cyber Crime Investigations Training Academy (DCITA) as a Researcher and Instructor.

Cyberscams Befriend Social Networks - BusinessWeek

I think it's time for these social networking sites to spend some of their money to validate new users' identity (would be nice to double-check existing users as well). They could learn something from the Google Knol's Name Verification program that can validate an identity based on a Credit Card or via phone directory (weaker IMHO).
Cyberscams Befriend Social Networks (BusinessWeek)

Use NoScript to force websites to SSL

NoScript (a browser plugin for Firefox) has a very useful feature that allows you to force web sites to stay on the HTTPS side of things after authentication, instead of reverting back to plaintext HTTP.
Use NoScript to force websites to SSL (Security4all)

The Manchurian Chip - The news that shook the world!

If this story is to be believed then we're in for a whole lot of trouble, assuming we can do something about it of course. Suddenly your ten-year-old computer does not look so useless anymore. When ET calls home to China, everyone needs to pay attention.

And Now the Manchurian Microchip (Daily Artisan)

Businesses could be fined 10% of revenues for data protection breaches

This development is a step in the right direction in my opinion. Sure, it comes with a heavy price, but in this day and age, the penalties for not taking the appropriate steps to protect data should be commensurate with the size and extent of the breach.

This is good news for security professionals in the consulting realm. However, for those already employed by UK companies suddenly facing this law, their headaches just got a lot stronger.

Businesses could be fined 10% of revenues for data protection breaches (Information Age)

Biggest Security Threat becomes Human Factor

Two stories published within days of each other report on the current biggest challenge: the human factor. At least one of my fellow bloggers, Jeff Evenson over at CulturedSecurity.com, has made the human factor in security the focus of his writings.

The security threats have "more to do with human error and the usability of advanced authentication systems than any technical security problem." -- AlZomai (Web banking risk down to human error)

and

"Human error has become the biggest security concern for IT directors." -- Research report from Secure Computing (VUNet)

Only on eWeek

As I was reading a back issue of eWeek, I noticed some confusion as to who the laptop manufacturer really is...

Internet thieves make big money stealing corporate info

A big thanks to Stephen Northcutt of the SANS Technology Institute for pointing this resource out. The USA Today has a great (simple yet effective) graphical illustration (Flash-based) of the way attackers gain entry, compromise additional hosts, and leave with lots of data. Src: Internet thieves make big money stealing corporate info - USATODAY.com

Sim Card Chip Unlocks iPhone 3G

Well, someone was going to invent it and market it: a SIM card to unlock the iPhone 3G. We're sure to see more of these special-purpose chips to modify otherwise locked, or worse - secured, mobile devices.

Unlock iPhone 3G, Sim Card Chip, Gevey Sim For Unlock iPhone 3G

Four Twitter scenarios of doom

A fellow Twitter user from the SecurityTwits group wrote an interesting article about the threats that something like Twitter poses to your personal and professional online identity. Four Twitter scenarios of doom (ThreatChaos)

Data on Japanese students revealed by Google Maps

Here lies a big problem with the usability of today's software regarding the privacy and security of data. The article points out that when using Google Maps, "Users of the service tend to assume that information entered is available only to themselves as the site promotes itself as an exclusive map for individual users."

We need a shift in the way we think about data, starting from the decision of what to collect, how things are presented (Human-Computer Interface), and how things are stored/communicated/processed. Until we do, these kinds of accidental data leaks will continue to occur due to human error or, in this case, erroneous assumptions.

Src: Student data slip out via Google Maps (The Daily Yomiuri)

GPG encrypted-email for the rest of us

The folks at The Register are known for their consistent coverage of InfoSec topics (among others). This time around, the story is more of a how-to for the average (really?) computer user to install and use GPG to encrypt email. Still sending naked email? Get your protection here (The Register)

Go Phish with Consumer Reports - Test your ability to detect phishing scams

Consumer Reports (CR) has put together a great resource called the Guide to Online Security. One of the features of that site is what CR calls Go Phish, in which you have to determine whether each of 12 different emails is real or fake. Can you achieve a perfect score?

Eide Bailly web site failure

It's disappointing to see this kind of error in 2008 from a company like Eide Bailly. Since it's Saturday, it will most likely be a while before the site is back up and running.

Alan Paller on Vulnerabilities

On having to report on over 150 vulnerabilities in a single week:
It is crystal clear that web application programmers are writing a LOT of bad code and their bosses are either ignorant of the problem or negligent in exercising their management authority. -- Alan Paller, Director of Research, SANS Institute - @RISK: The Consensus Security Vulnerability Alert

GoogleDocs Broken - Phantom Shared Docs

It appears that GoogleDocs is once again broken. This time, it shows phantom shared documents with folks that I've never met (and don't know). Disappointing.

New Paper at SANS Institute - .NET Framework Rootkits: Backdoors inside your Framework

Abstract

This paper introduces a new method that enables an attacker to change the .NET language. The paper covers various ways to develop rootkits for the .NET framework, so that every EXE/DLL that runs on a modified Framework will behave differently than what it's supposed to do. Code reviews will not detect backdoors installed inside the Framework since the payload is not in the code itself, but rather it is inside the Framework implementation. Writing Framework rootkits will enable the attacker to install a reverse shell inside the framework, to steal valuable information, to fixate encryption keys, disable security checks and to perform other nasty things as described in this paper.

Src: SANS Institute Reading Room - .NET Framework Rootkits: Backdoors inside your Framework

Bruce Schneier: Securing Your PC and Your Privacy

Responding to a question about the single biggest threat to IT security, Bruce Schneier said:
Technological systems, especially newer ones, are exceedingly complex—and complexity is the worst enemy of security. -- Bruce Schneier in Securing Your PC and Your Privacy (EarthWeb.com)

AVG and Rising signatures update detects Windows files as malware

It was bound to happen... the False Positive (aka "type I error"). It gets nastier when the files that are wrongly detected as infected are your Windows files and, in the process, cause the machine to continuously reboot. The answer? QA - test, test, test. AVG should have tested this signature update and (longshot coming here) users should have tested the update and have a way to revert back. Src: AVG and Rising signatures update detects Windows files as malware (ZDNet)

Security awareness extended to Belgian bathrooms

"The person you are looking at is responsible for your security." -- bathroom mirror wisdom

As reported on a Belgian Security Blogger's site, a mirror in a bathroom sported the message (modified to reflect that security and safety translate to the same word in Dutch, one of the official languages in Belgium). Src: http://www.remes-it.be/node/36

Northcutt on Security

Success in security depends on either automating the fix or making it really easy for the user. -- Stephen Northcutt, President of SANS Technology Institute, SANS NewsBites Vol 10 No 89.

TKIP is broken. Long live WPA

As pointed out by one of the maintainers of the SANS ISC (Internet Storm Center), WPA/TKIP has been broken (in one direction, from WAP to Client). An excellent explanation of how this is done can be found here.
Also: RaDaJo (RAul, DAvid and JOrge) Security Blog: WPA/TKIP ChopChop Attack

European Data Protection Supervisor declares IP addresses must be treated as personal data

Talking about the confusion of many European Data Protection Authorities (DPAs) as to whether the IP data Google is collecting is private or not, Peter Hustinx, European Union's Data Protection Supervisor, affirmed that IP addresses and server logs should be treated as personal data.

As Google itself acknowledged, IP address data is sometimes private and sometimes not. Hustinx basically seeks to remove any confusion on the part of the EU DPAs so that if the DPAs can't clearly determine if sometimes the data is private and sometimes not, it should be considered to be private and protected as such.

Hustinx: nameless data can still be personal (OUT-LAW.COM)

Bruce Schneier on Privacy (and the Lack Thereof)

That's the best way to secure customer data, not to have it. The way to make it work is to make companies liable to exposed customer data, to give them the economic problem of owning my data. They are the only entity that can protect it, yet when the data is lost, they don't feel the pain - I do. -- Bruce Schneier
Src: CIO Insight - Know It All - Bruce Schneier - Schneier on Privacy (and the Lack Thereof)

On the state of malware vs patches

...the signature and patch-centric approach to protecting desktops isn't dealing with the new, targeted threats that aim at the user, not unpatched PCs. -- John Pescatore, NewsBites co-editor, in SANS NewsBites Vol 10 Issue 87

People & mistakes

Writing about a memory stick containing pass codes for a UK government system that was found outside a pub:
People make mistakes that cause harm to others. The challenge is how we educate and reinforce in people to do what is correct. I have said for years there needs to be a law entitled U.S. Code Title 18 "Stupid". In my former life, I would have had a lot more convictions. However, I am not sure what the consequences should be for stupid. -- Ron Dick, NewsBites co-editor, in SANS NewsBites Vol 10 Issue 87

A people-based virus for the US elections?

Apparently the need for SETA (Security Education Training and Awareness) goes beyond just the information security sphere. Several states report that cell phone users received text messages informing them that election day had been moved to Wednesday, November 5th, and that the recipient of the message should forward the information on to others.
Election Hoax Sent Via D.C. Based E-Campaign Group - Security Fix

RSA finds Huge Cache of Stolen Financial Data

The RBN (Russian Business Network) is reportedly behind one of the greatest repositories of stolen financial information. According to the RSA FraudAction Research Lab, it uncovered more than a half million credit card numbers and online bank account logins and passwords, apparently acquired by the RBN over the past 2.5 years.

Malware has increased in complexity and capability; the Sinowal trojan used in this attack can show the user a fake login page, luring the user to provide valid credentials which are then transmitted by the malware to a server in a remote location/country.
A Huge Cache of Stolen Financial Data - Bits Blog - NYTimes.com

Phishers start validating credit card numbers

Times must be getting tough for phishers if they resort to validating credit card numbers before uploading them to the servers they control. Article from ZDNet.com

$10 Zero-day Vulnerabilities

The security community has been raising the alarm for some time; now we have proof: new, never-seen (hence the "zero-day") exploits for as low as $10. What's next?
Black market for zero day vulnerabilities still thriving (Zero Day, ZDNet.com)

The future of the Internet according to Marcus Ranum

Marcus Ranum said it best about the Internet's future (in the Face-Off article of the September 2007 Information Security Magazine):
Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is today.

Former sysadmin sentenced for wrecking corporate servers

This story illustrates how many companies are still not ready to handle computer-related emergencies. A former system administrator removed critical operating system boot files. He reportedly wanted to cause "a small hickup", however "the company inadvertently caused more damage while trying to repair the situation."

There is no reason why missing boot files would have taken days to repair if the company had implemented appropriate incident response and business continuity plans. In my own home environment, I can be back up and running in less than 10 minutes should my entire operating system get trashed. Why can't a company do the same?

Former sysadmin sentenced for wrecking corporate servers