Nokia Phones and the "Curse of Silence"

Security researchers from F-Secure have found an exploit which allows a specially crafted SMS or MMS to essentially cripple a Nokia phone's ability to send any more text messages.

Src: 'Curse Of Silence' Exploit Found For Nokia Handsets

Storm Worm Reincarnates As Waledac

As 2008 draws to a close, it seems that the Storm Worm has once again resurfaced, morphed into yet a new form: Waledac.

The Storm Worm, which first surfaced in early 2007, has been one of the most formidable forms of malware ever seen. It is believed to have had control over as many as 50 million computers worldwide.

Src: Storm Worm Reincarnates As Waledac | SecurityProNews
Additional details about Waledac
Additional details about Storm Worm & its Botnet

Myths about Digital Privacy

ABC News has a good article on the Myths about Digital Privacy that applies to technology novices and veterans alike. Spoilers:
  • Myth: Opt-out means they no longer keep data about you
  • Myth: A privacy policy means your data is protected
  • Myth: If you remove it from the Internet, it's gone
Src: ABC News: Myth and Merriment

CyberCrime & Doing Time: More than 1 Million Ways to Infect Your Computer

When I teach my information security courses, I often find myself narrating instances of weak security leading to amazing compromises. This is one such story that I'll be too happy to relay to my students and see their eyes light up.

A relative of mine had this happen to them and spent tens of hours dealing with this malware infection. The average PC user is prone to infection, and worse, to paying for "removal" of this malware threat.

Src: More than 1 Million Ways to Infect Your Computer | CyberCrime & Doing Time Blog

Vulnerabilities in several virus scanners

When you can't trust your security software to keep you safe and infection-free, what is one to do? Depending on the case, it might be to remove some pieces of it.

Src: Vulnerabilities in several virus scanners - Heise Security UK

Dan Geer on Complexity

Dan Geer, the CISO for In-Q-Tel (and former VP of Verdasys) on complexity:
There’s zero doubt that we humans can build a system more complex than we can understand, much less control, to the point of no surprises.
Every time we add another security product to our enterprise mix, we increase the complexity of that mix.
Src: Dan Geer, IEEE Security & Privacy Nov/Dec 2008 ($)

Pescatore on Compromised Web Sites

I'd like to see web sites that are found to have easy to avoid vulnerabilities treated like restaurants that have cockroach infestations: not allow them to do business for a day or two and have them post a big notice while closed: 'Closed due to unsanitary business practices. Your business is important to us, though - have a nice day.' -- John Pescatore, Gartner Inc
Src: SANS NewsBites Vol. 10 Num. 99

PaulDotCom Wisdom

As overheard on episode 134...
The only difference between regular users and security professionals is that security professionals KNOW when they've been owned.
Src: Paul Dot Com Security Weekly Episode134

Dr. InfoSec on ID Theft

When it comes to a data breach, breach of credit card data has a sunset date whereas a breach of social security numbers doesn't.

In other words, when it comes to a breach, a credit card expires; SSNs are for life!

NH agency sends 9,300 SSNs as email attachment

If I were a New Hampshire resident I would be doubly furious that:

1. The Department of Health and Human Services sent an email with SSNs as an attachment to at least 61 recipients; and
2. That they (NH HHS) would have the audacity to say that there is "no evidence anyone has misused it." A credit card expires; SSNs are for life!

The icing on the cake comes from asking all of the email recipients to confirm that they have deleted that email. I guess someone will be implementing DLP (Data Loss Prevention) very quickly.

Src: NH agency sends 9,300 SSNs as email attachment | WCAX.COM

DefCon 15 - T505 - Dirty Secrets of the Security Industry

As seen on this Bruce Potter video:
Security is about not trusting what you are hearing, seeing, or [what is] being sent to you. -- Bruce Potter
Src: DefCon 15 - T505 - Dirty Secrets of the Security Industry

Does it seem like people with more education are harder to educate?

My colleague and fellow blogger over at Black Fist Security recently commented on his frustration dealing with my kind: faculty. He ended his blog entry with a question, "So is it just that people who have more education are too thick-headed to learn this?" My comment was as follows:
Being a university faculty myself, let me provide my perspective on the subject of faculty being harder to educate and on the need for improved security education/awareness.

First of all, faculty members who have tenure (myself included) can be quite stubborn and may, as you put it, be "thick-headed." Some of that may come from an attitude of "if it ain't broke, don't fix it" stemming from years of administration-backed changes that seem to have little positive impact on the primary mission of the university, i.e. teaching.

However, I suspect that there's a deeper mechanism at work here, namely that the very "thought leaders" and "lifelong learners" that you have identified focus the subject of their lifelong learning so narrowly as to become unable to absorb new concepts or ideas, or, worse, to change their way of thinking.

On a concept like information security in which technology and practices need to adapt to the changes in the threat environment, I find that many of my faculty colleagues are thinking more like dinosaurs rather than "thought leaders." Most security professionals would agree that what worked yesterday (or last month, or last year, or 10 years ago) may not work tomorrow. Yet, many faculty continue to act and think as if what they've come to know and experience in the near or distant past will continue to hold true.

On the subject of the phishing emails, the simple act of questioning the validity of an email message, or a message received via more traditional means, goes contrary to the environment of trust and sharing that adorns academia. Faculty may, by the very nature of their training and conditioning, be more susceptible to phishing than the average user.

Finally, you are absolutely correct in wanting to ensure better security for ALL the machines within your domain, faculty and lab machines included. I am a firm believer in the validity of the configuration standards that you mention for all publicly visible servers. If a faculty member (or staff member) doesn't know what TCP, SMTP, or DNS are, then they should not be administering the server, at least not on their own. I see a need for cooperation here, where IT services and others can agree to share the administration of these servers in order to provide a valuable service (the reason that the server is up in the first place) with reasonable security and patching processes (to make security managers happy and keep hackers at bay).
Src: Does it seem like people with more education are harder to educate? | Black Fist Security

Virtual Routing - The Anti-Matter of Network SECURITY...

Chris Hoff of the Rational Security Blog (renamed as the Rational Survivability Blog) says it best when it comes to the possibilities of virtualization but the realities of security:
When you look at the utility brought forward by the dynamic, agile and flexible capabilities of virtualized infrastructure, it's hard not to extrapolate all the fantastic things we could do.

Unfortunately, the crushing weight of what happens when we introduce security, compliance and risk management to the dance means we have a more sobering discussion about those realities.
Src: Virtual Routing - The Anti-Matter of Network SECURITY | Rational Survivability

NAI's New Privacy Principles Still Fall Short

The Network Advertising Initiative (NAI) has released updated privacy principles for their members. While the move is a step in the right direction, it falls short of ensuring best-practices in security and privacy.

The Security Principle requires members to "provide reasonable security for that data." The accompanying footnote reads:
Reasonable security is determined in light of several factors including, but not limited to, the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company.
I read this as allowing NAI member businesses to take minimal steps towards security. There are no requirements of best-practices, audits, compliance checks, a named responsible party, staff training and awareness.

Another problem with self-regulatory privacy practices is that they often work in unexpected ways. Case in point is the NAI Opt-out tool, which allows you to opt-out from many NAI advertisers. However, since the choice is cookie-based, your settings will be lost if you choose to delete your cookies (which you might do to enhance your privacy).
The NAI Opt-out Tool is cookie-based. In order for the Tool to work on your computer, your browser must be set to accept third party cookies. If you buy a new computer, change web browsers or delete this cookie, you will need to perform the opt-out task again.

Social Engineering Outsourced - New service offers to localize cybercrime

Yes, as reported many times this year, the bad guys are getting more organized. The latest evidence is a service available in five languages that can provide social engineering services such as calling a bank and providing verbal authorization for a transaction.

Src: Social Engineering Outsourced - New service offers to localize cybercrime | Softpedia

The 7 Reasons why Businesses are Insecure!

Several times a year students and area businesses ask me how did we end up in such a precarious information security situation. The answer - doing nothing and pretending it's all going to go away. The cure - have a plan, involving management, education, policies, and practice incident response.

The article below goes into more details on each of these points and more.

Src: The 7 Reasons why Businesses are Insecure! | Beast or Buddha Blog

One more resource on this subject, educating upper-management as to the cyber risks, comes from the American National Standards Institute (ANSI) and the Internet Security Alliance (ISA). Earlier this year, they released a new guide to assist business executives in the analysis, management and transfer of financial risk related to a cyber attack.


ISACA - Do as I say, not as I do

Updated on 12/17/2008:

ISACA's reply (paraphrased, emphasis is mine) is that the password management system will change with the next update to their web site and that users can choose to have a password hint displayed or whether they want to have their old password sent back to their email address on record.

My reply to ISACA's response:
The problem with being able to send one's old password back to them is that it implies the password is stored in a form that can be retrieved. This can be achieved by storing the password in plaintext in the database, or via some (often home-grown) reversible encryption (such as ROT-13, XOR, etc.).

This also implies that people who maintain the DB (and possibly the site) can have access to that data. Of course, I expect ISACA to have procedures in place to review access privileges and log all access attempts. Still, I would rather know that my password is stored in a one-way hash that cannot be reversed.
Original post:

In the current threat environment, best practices for web sites mandate that when a user has forgotten his/her password, a new one be created for them and sent to the address on record. It is disappointing to see a giant of security like ISACA not follow that advice with their own web site.
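To make the storage argument above concrete, here is an added example (my own illustration, not ISACA's code or anything from their site) that puts the reversible ROT-13 "encryption" side by side with a salted one-way hash, and shows a forgot-password flow that issues a fresh reset token instead of recovering the old password. The sample password and the PBKDF2 parameters are constructed for the demonstration.

```python
import codecs
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed sample credential for the demonstration (not a real account).
SAMPLE_PASSWORD = "CorrectHorse42"


def store_reversible(password: str) -> str:
    """The weak pattern: ROT-13 'encryption' of the password.

    Anyone who can read the database column (a DBA, a backup tape, a SQL
    injection) recovers the original, which is precisely what makes
    'email me my old password' possible.
    """
    return codecs.encode(password, "rot_13")


def recover_reversible(stored: str) -> str:
    # ROT-13 is its own inverse; no key or secret is needed to undo it.
    return codecs.decode(stored, "rot_13")


# Iteration count chosen for the example; production values should be tuned
# to the server's hardware and revisited over time.
PBKDF2_ITERATIONS = 200_000


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """The recommended pattern: a salted, iterated one-way hash
    (PBKDF2-HMAC-SHA256). The record is self-describing so the parameters
    can be raised later, and the password cannot be recovered from it."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Verification re-derives the hash from the candidate password and
    compares in constant time; nothing is ever 'decrypted'."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def issue_reset_token() -> Tuple[str, str]:
    """Forgot-password flow that needs no access to the old password.

    Returns (token_for_email, token_hash_for_database). Only the hash is
    stored, so a leaked database does not yield usable reset links; the
    caller should also attach an expiry and mark the token single-use.
    """
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return token, token_hash


def reset_token_matches(presented: str, stored_hash: str) -> bool:
    """Check a token from a reset link against the stored hash."""
    presented_hash = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    return hmac.compare_digest(presented_hash, stored_hash)
```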

Open Sesame - How a CD-ROM can bypass keycard security

So you think you can solve security issues with technology, right? If humans are involved in any way, or even nearby, you might be surprised to see the results.

Src: Open Sesame - The Daily WTF

Stiennon’s laws | ThreatChaos

Fellow blogger Richard Stiennon is known for his wit and in-depth coverage of the security landscape. Now, I might have to think of him as a philosopher as well.
1. Good end point security assumes the network is hostile.
2. Good network security assumes the end point is hostile.
3. Good data security assumes the user is hostile.
Src: Stiennon’s laws | ThreatChaos

Cisco Report: Hackers Will Be Bolder, Smarter, Craftier in 2009

Not quite the rosy picture for 2009, the Cisco Annual Security Report should be a wake up call to all in the security sphere. Ready your defenses...

Who can you trust? [insert name of trusted site here] - Are you sure?
Targeted attacks and blended, cross-vector assaults, along with a 90 percent growth in threats originating from legitimate domains
A cloudy forecast for Web 2.0:
Internet criminals have staked out new attack vectors this year based on the use of Web-based services reached through standard browsers.
Raising an army of machines:
Attacks using botnets, social engineering and reputation hijacking became noticeably more prevalent.
But the network is secure, right?
The edge of the network is expanding rapidly, and the increasing number of devices and applications in use can make the expanding network more susceptible to new threats.
And for the finale, some philosophy about security:
Human nature rules, and security decisions by corporations are sometimes only made after a problem develops.
Src: Hackers Will Be Bolder, Smarter, Craftier in 2009
More including videos at CNN Money

Open Letter From SESTA Calls For Tighter USB Security - DarkReading

In an open letter to IT professionals, the SanDisk Enterprise Solutions Technology Alliance calls for improved security for USB devices. The statistics below should be enough to shake any IT person into action:

Forrester Research data shows that 52 percent of companies surveyed have suffered data loss via USB drives and other removable media.[2] The Ponemon Institute reports that 53 percent of companies acknowledge confidential data resides on flash drives.[3] At the same time, 53 percent of these companies would have no way of knowing what data was on the flash drive if it was lost. Since 2005, more than 245 million records containing sensitive personal information have been involved in security breaches in the U.S. alone, according to Privacy Rights Clearinghouse.[4] Ponemon further reports that the average security breach costs corporations $6.3 million.[5]
Src: Open Letter From SESTA Calls For Tighter USB Security - DarkReading

Hackers using antivirus to sneak into computers

The Times of India reports that many free and commercial antivirus software are vulnerable to attacks that would allow hackers to gain access into a system running such software.

While this is nothing new, it does raise awareness of the issue that programs are just programs, and the logic that can detect a virus can itself be the target of a virus.
If the antivirus crashes, it can even cause remote system compromise. Attackers can steal information or cause a 'denial of service' condition.
Using a variety of file fuzzing techniques, the team discovered abnormal behaviour in several security tools when handling complex or unusual executable header data. In such events, multiple bugs were found in antivirus software while processing malformed packed executables. Some of these bugs proved to be security vulnerabilities which could turn the antivirus itself into a back door for hackers.
Src: Hackers using antivirus to sneak into computers | The Times of India

Printing error leaves La. taxpayers' data at risk

The culprit appears to be two-sided printing... I wonder how many more millions of printers are vulnerable to this flaw [tongue in cheek].

Src: Printing error leaves La. taxpayers' data at risk | WXVT-TV

German Government Lost Files So Secret Their Contents Are Unknown

For very sensitive documents, even meta-data (the data about the data) could provide adversaries with information about your activities or the state of your surveillance. But the other edge of the sword is that you might not know what you had if you were ever to lose it; in the case of the German government, they have acknowledged losing over 300 such documents.

Src: Government has lost files so secret their contents are unknown | The Local

Honan on insider threats

Brian Honan comments on the Irish CyberCrime Survey:
Companies need to wake up that one of the biggest threats to their security is their own staff, remember those that you trust the most are the ones that can hurt you the most. -- Brian Honan, SANS NewsBites Vol 10, Num 97

If you don't need it, don't ask for it

I find it really strange to see so many data-hungry applications and web sites that ask for stuff seemingly just for the heck of it. The latest instance I have come across is from the Acronis message boards in which they actually ask for people's date of birth (see screenshot). What's next, a social security number?

Of course I understand that they need to abide with laws like COPPA, the Children's Online Privacy Protection Act, but isn't there a better way rather than asking for a date of birth?

How to Prevent Digital Snooping

Bruce Schneier writing for the WSJ on how to prevent digital snooping:
The only way to ensure those people don't abuse the power they're entrusted with is through audit. Without it, we will simply never know who's peeking at what. -- Bruce Schneier
Src: How to Prevent Digital Snooping (WSJ)

Gmail, Yahoo and Hotmail systematically abused by spammers

To anyone who still thinks that security can be solved with technology: they ought to read articles such as these dealing with how spammers and hackers are defeating Captcha technology. Captchas are those annoying distorted letters or sounds that humans have to figure out in order to proceed with some online activity (often when registering a new email account).

Earlier this year, I saw a presentation from Jeremiah Grossman (of WhiteHat Security) at the Twin Cities OWASP chapter which mesmerized the audience and destroyed our dreams of easy security in a Web 2.0 world.

Src: Gmail, Yahoo and Hotmail systematically abused by spammers

Gartner Identifies Top 30 Countries for Offshore Services in 2008

It's about time that security and privacy be factored into offshoring decisions. My own experience has been that one person's culture impacts his/her grasp of security and privacy. Some cultures have bartering concepts built into every aspect of life and therefore may not offer the level of robustness-against-bribery that might be expected. Anyone heard of "baksheesh?"

The Gartner report ranks countries based on 10 criteria, which include: language, government support, labor pool, infrastructure, educational system, cost, political and economic environment, cultural compatibility, global and legal maturity, and data and intellectual property security and privacy.

Src: Gartner Identifies Top 30 Countries for Offshore Services in 2008

IBM warns ‘zero-day’ hacker exploits growing

Simply because this is old news (from August 26, 2008) does not make it any less relevant or chilling. According to IBM's X-Force 2008 Mid-Year Trend Analysis,
Cyber-criminals are adopting new automation techniques and strategies that allow them to exploit vulnerabilities much faster than ever before. The new tools are being implemented on the Internet by organized criminal elements, and at the same time public exploit code published by researchers are putting more systems, databases and ultimately, people at risk of compromise.

94 percent of all browser-related online exploits occurred within 24 hours of official vulnerability disclosure. These attacks, known as "zero-day" exploits, are on the Internet before people even know they have a vulnerability that needs to be patched in their systems.

Hackers exploiting (unpatched) IE 7 flaw to launch drive-by attacks

Ryan Naraine (of ZDNet) appears to have a knack for staying on top of Zero-day attacks. This time, the target is IE 7 running on XP SP2.

It seems to me that the number of Zero-day attacks is steadily increasing. 2009 will most likely prove to be an eventful year.

Src: Hackers exploiting (unpatched) IE 7 flaw to launch drive-by attacks

European Commissioner on Privacy vs Security

Europeans have always been stronger proponents of privacy than their American counterparts. The following illustrates just to what extent the perspective from the other side of the ocean is different from our own. Thomas Hammarberg, Council of Europe's commissioner for human rights:
Counter-terrorism efforts rob citizens of basic privacy rights, which undermines rather than improves security.
General surveillance raises serious democratic problems which are not answered by the repeated assertion that those who have nothing to hide have nothing to fear. This puts the onus in the wrong place: It should be for states to justify the interferences they seek to make on privacy rights.

21 million German bank accounts for sale

Germans have reason to be cautious of what 2009 will mean for them after a German magazine, WirtschaftsWoche (meaning Economic Week), was able to buy details for 1.2 million bank accounts from underground criminals who claim to have data for up to 21 million bank accounts.

Src: 21 million German bank accounts for sale | ITworld

What I Want For Wednesday: More Error 408

In his blog, Gartner's John Pescatore muses about new HTTP error codes that would be targeted at users. In a comment on the blog post, I've suggested a few of my own:
How about 5xx additions as well:
506 - Server under Denial of Service Attack - We had no sys admin
507 - Server under Denial of Service Attack - Failed to pay extortion request
510 - Server Was Hacked - Start ID Theft Recovery Service Now
511 - Server Now Serving Malware - Please come again
Src: What I Want For Wednesday: More Error 408 (Gartner Blog)

John Pescatore (Gartner) on Antivirus products

The threats have moved way beyond what antivirus software can provide. -- John Pescatore, Gartner
Src: Microsoft Joins Free Security Software Push (BusinessWeek)

Thieves Winning Online War, Maybe Even in Your Computer

This is by no means news to the Security Professionals. However, it is time that stories like this one hit the mass media in order to raise attention and awareness of the issues. Next time someone's machine is acting quirky, take it seriously and have someone knowledgeable take a look at it.

John Markoff, the author of the NYT article has several good quotes, including:
For example, malware programs now infect computers and then routinely use their own antivirus capabilities to not only disable antivirus software but also remove competing malware programs.

The cyber-criminals appear to be at least as technically advanced as the most sophisticated software companies. And they are faster and more flexible.
Src: Thieves Winning Online War, Maybe Even in Your Computer (NYT)

Malware writers spoof Firefox plug-in

It was to be expected: as more people embrace alternative browsers, attackers are shifting their sights to new targets, in this case Firefox plug-ins. While you need to be careful not to install unknown or untrusted plug-ins, I still recommend using Firefox + NoScript for those who can live with the extra power and responsibility of having to decide when a site should be allowed to run Javascript/Flash/PDFs, etc.

Src: Malware writers spoof Firefox plug-in

Is there a safe place left on the Net?

Of course the title is shocking, but the truth of the matter is, no web site is safe from being hijacked by attackers and used to distribute malware to visitors. The latest victim? A subdomain of the CBS TV network.

Read more at: CBS Web site bitten by iFrame hack (InfoWorld)

Malware Constructor - New Version

If it seems like the bad guys are winning the malware arms race, it's because they are. If you don't know, or don't believe, take a look at this year's malware reports from major AntiVirus vendors as they acknowledge that they simply can't keep up.

That's due in part to hackers' ability to use "malware constructor" tools to generate new malware variants with a few clicks of the mouse.

Prepare your Incident Response plan TODAY.

Src: "Constructing" bad things...again (PandaLabs)

Document Metadata, the Silent Killer... - SANS InfoSec Reading Room

Larry Pesce of the PaulDotCom Security Weekly podcast has just completed his SANS paper entitled "Document Metadata, the Silent Killer..." now available from the SANS Institute - SANS InfoSec Reading Room - Digital Privacy Area or via direct link (PDF).

Congratulations and job well done.

Pescatore on the Srizbi Botnet

The bot client strategies for finding command and control centers have gotten increasingly devious. New techniques used mechanisms that are very similar to old style spycraft, the cyber equivalent of spy numbers stations and chalk Xs on mailboxes. -- John Pescatore, Gartner Inc, in SANS NewsBites Vol. 10 Num. 94

Thieves Stole Identities to Tap Home Equity

Police have made arrests in connection with more than $12 million stolen from home equity lines of credit. The thieves used online search databases to find information about their victims, and then contacted the banks to draw from the home equity credit.

This case also sheds light on a new type of attack that combines stolen information with social engineering for a greater gain; in this case, the thieves changed or forwarded the victim's phone calls to phone lines under their control in order to intercept any bank's attempt at verifying the transactions. With VoIP, they could potentially do this from anywhere in the world.

Src: Thieves Stole Identities to Tap Home Equity (Washington Post)

Breaking the Zero-Day Habit

Kudos to Mike Rothman (guest editing Ryan Naraine's column) for saying things the way they are:

"The sad truth is that a true zero day attack will own us all. The best we can do is to pay attention enough to clean up the mess, and you don’t need the press – or even a savvy security researcher – to tell you when you’ve been owned."

Src: Breaking the zero-day habit

Massachusetts' Data Security Standards Affects More Than Just MA Companies

The new Massachusetts Data Security Standard (M.G.L. c. 93H) will impact more than just the businesses and government entities in that state; any company that keeps records on Massachusetts customers or employs Massachusetts residents must be in compliance (by May 1, 2009) or face a civil penalty of $5,000 for each violation of 93H. In the case of improper disposal, businesses can be subject to a fine of up to $50,000 for each instance.

Src: Privacy Compliance 101: Why Massachusetts Data Security Standards DO Affect You (CIO)

Dangers of 3rd Party Apps: Firefox3+Twitter+Cookies

The original posting illustrates why so much of the software that powers our everyday lives is still flawed. Worse, updates or improvements often oversell the security aspect of things, which ends up making us believe that we are safe when we're really not.

So, whose fault is it that Firefox saves a cookie of your Twitter session even when you tell it not to save your password? Well, for one, cookies are not considered passwords. So Firefox is not technically saving your password; it's simply saving your current "session" so you can continue to check your Twitter feed. The real security problem stems from the overuse of cookies to store valid sessions and allow multiple valid sessions. In the case of Twitter, this user ended up with 6 valid sessions, across multiple browsers and machines.

Earlier in 2008, GMail (Google Mail) started allowing users to track the number of open sessions (meaning cookies) that they had on their account and giving users the ability to expire those sessions from a central point. A session cookie can be stolen and provide access to your account, often for days (or years) following a password change!
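The two properties described above, listing open sessions centrally and making sure a password change actually ends them, are easy to get wrong when a session cookie is the only thing checked. The following is an added example of my own (not Twitter's or Google's code, and the class and method names are hypothetical): a server-side session store that binds every session to the password version it was issued under, so old cookies stop working the moment the password changes.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    token: str
    pw_version: int          # password version the session was issued under
    user_agent: str
    created: float = field(default_factory=time.time)


class SessionStore:
    """Hypothetical server-side session store (illustration only).

    Sessions live on the server, keyed by the cookie value, so they can be
    enumerated and revoked from one place. A per-user password version is
    recorded on each session; bumping the version on a password change
    invalidates every cookie issued before it without a mass delete.
    """

    def __init__(self, max_age: float = 7 * 24 * 3600):
        self._sessions: Dict[str, Session] = {}
        self._pw_version: Dict[str, int] = {}
        self.max_age = max_age

    def login(self, user: str, user_agent: str = "unknown") -> str:
        """Issue a fresh, unguessable session token for a successful login."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(
            user, token, self._pw_version.get(user, 0), user_agent
        )
        return token

    def is_valid(self, token: str, now: Optional[float] = None) -> bool:
        """Check a presented cookie: it must exist, be younger than max_age,
        and match the user's current password version."""
        s = self._sessions.get(token)
        if s is None:
            return False
        now = time.time() if now is None else now
        if now - s.created > self.max_age:
            del self._sessions[token]
            return False
        if s.pw_version != self._pw_version.get(s.user, 0):
            del self._sessions[token]          # issued before a password change
            return False
        return True

    def active_sessions(self, user: str) -> List[Session]:
        """What a 'your open sessions' page would show the user."""
        tokens = [t for t, s in self._sessions.items() if s.user == user]
        return [self._sessions[t] for t in tokens if self.is_valid(t)]

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)

    def revoke_all(self, user: str) -> int:
        """Central 'sign out everywhere'; returns how many sessions were dropped."""
        tokens = [t for t, s in self._sessions.items() if s.user == user]
        for t in tokens:
            del self._sessions[t]
        return len(tokens)

    def change_password(self, user: str, user_agent: str = "unknown") -> str:
        """Bump the password version (killing every existing session) and hand
        the browser that made the change a brand-new session."""
        self._pw_version[user] = self._pw_version.get(user, 0) + 1
        return self.login(user, user_agent)
```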

Src: Domdingelom on security, fun and life: Is firefox+twitter+https messing with me?