Src: 'Curse Of Silence' Exploit Found For Nokia Handsets | InformationWeek.com
The Storm Worm, which first surfaced in early 2007, has been one of the most formidable forms of malware ever seen. It is believed to have had control over as many as 50 million computers worldwide.
Src: Storm Worm Reincarnates As Waledac | SecurityProNews
Additional details about Waledac
Additional details about Storm Worm & its Botnet
- Myth: Opt-out means they no longer keep data about you
- Myth: If you remove it from the Internet, it's gone
A relative of mine had this happen to them and spent tens of hours dealing with this malware infection. The average PC user is prone to infection, and worse, to paying for "removal" of this malware threat.
Src: More than 1 Million Ways to Infect Your Computer | CyberCrime & Doing Time Blog
Src: Vulnerabilities in several virus scanners - Heise Security UK
There’s zero doubt that we humans can build a system more complex than we can understand, much less control, to the point of no surprises.
Every time we add another security product to our enterprise mix, we increase the complexity of that mix.
Src: Dan Geer, IEEE Security & Privacy Nov/Dec 2008 ($)
I'd like to see web sites that are found to have easy to avoid vulnerabilities treated like restaurants that have cockroach infestations: not allow them to do business for a day or two and have them post a big notice while closed: 'Closed due to unsanitary business practices. Your business is important to us, though - have a nice day.' -- John Pescatore, Gartner Inc
Src: SANS NewsBites Vol. 10 Num. 99
1. The Department of Health and Human Services sent an email with SSNs as an attachment to at least 61 recipients; and
2. That they (NH HHS) would have the audacity to say that there is "no evidence anyone has misused it." A credit card expires; SSNs are for life!
The icing on the cake comes from asking all of the email recipients to confirm that they have deleted that email. I guess someone will be implementing DLP (Data Loss Prevention) very quickly.
Src: NH agency sends 9,300 SSNs as email attachment | WCAX.COM
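The DLP control mentioned above, in the form a practitioner would actually deploy, is an outbound-mail check that looks for SSN-shaped values in the body and attachments and blocks the message when they would leave the organization. The following is an added example written for this page, not code from the NH agency or from any DLP product; the message format, the internal domain `hhs.example.gov`, and the sample SSN values are all constructed for illustration. The area/group/serial exclusions in the pattern follow the published SSA rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued).

```python
import re

# SSN pattern with the never-issued ranges excluded to reduce false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_ssns(text):
    """Return every SSN-shaped token in text (possibly with duplicates)."""
    return SSN_RE.findall(text)


def redact(text):
    """Mask all but the last four digits so the hit can be logged safely."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], text)


def scan_message(msg):
    """msg: {'to': [addresses], 'body': str, 'attachments': {name: text}}.
    Returns {location: [ssns]} for every location that contained a hit."""
    hits = {}
    body_hits = find_ssns(msg.get("body", ""))
    if body_hits:
        hits["body"] = body_hits
    for name, content in msg.get("attachments", {}).items():
        att_hits = find_ssns(content)
        if att_hits:
            hits[name] = att_hits
    return hits


def dlp_verdict(msg, internal_domain="hhs.example.gov", max_recipients=5):
    """Policy: SSNs may never go to external recipients; internal mail
    carrying SSNs to many recipients is blocked too, the rest is flagged."""
    hits = scan_message(msg)
    if not hits:
        return "allow"
    external = [r for r in msg["to"]
                if not r.lower().endswith("@" + internal_domain)]
    if external or len(msg["to"]) > max_recipients:
        return "block"
    return "warn"


# Constructed sample messages (no real people or numbers).
BULK_MAIL = {
    "to": ["case%d@hhs.example.gov" % i for i in range(1, 60)]
          + ["vendor@partner.example.com", "list@outside.example.net"],
    "body": "Please find the client roster attached.",
    "attachments": {
        "roster.csv": "name,ssn\nJane Doe,123-45-6789\nJohn Roe,219-09-9999\n"
                      "Bogus Row,000-12-3456\n",   # 000 area: not a real SSN
    },
}
CLEAN_MAIL = {"to": ["it@hhs.example.gov"], "body": "Ticket 4412 closed.",
              "attachments": {}}

if __name__ == "__main__":
    for name, m in (("bulk", BULK_MAIL), ("clean", CLEAN_MAIL)):
        print(name, dlp_verdict(m), {k: redact(" ".join(v))
                                     for k, v in scan_message(m).items()})
```

The verdict is deliberately conservative: a single external recipient or a recipient count above the policy threshold is enough to block, since the cost of a false positive (one delayed email) is tiny next to the cost of the breach described above.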
Security is about not trusting what you are hearing, seeing, or [what is] being sent to you. -- Bruce Potter
Src: DefCon 15 - T505 - Dirty Secrets of the Security Industry
Being a university faculty myself, let me provide my perspective on the subject of faculty being harder to educate and on the need for improved security education/awareness.
Src: Does it seem like people with more education are harder to educate? | Black Fist Security
First of all, faculty members who have tenure (myself included) can be quite stubborn and may as you put it "thick-headed." Some of that may come from an attitude of "if it ain't broke, don't fix it" stemming from years of administration-backed changes that seem to have little positive impact on the primary mission of the university, i.e. teaching.
However, I suspect that there's a deeper mechanism at work here, namely that the very "thought leaders" and "lifelong learners" that you have identified focus the subject of their lifelong learning so narrowly as to become unable to absorb new concepts, ideas, or worse change their way of thinking.
On a concept like information security in which technology and practices need to adapt to the changes in the threat environment, I find that many of my faculty colleagues are thinking more like dinosaurs rather than "thought leaders." Most security professionals would agree that what worked yesterday (or last month, or last year, or 10 years ago) may not work tomorrow. Yet, many faculty continue to act and think as if what they've come to know and experience in the near or distant past will continue to hold true.
On the subject of the phishing emails, the simple act of questioning the validity of an email message, or a message received via more traditional means, goes contrary to the environment of trust and sharing that adorns academia. Faculty may, by the very nature of their training and conditioning, be more susceptible to phishing than the average user.
Finally, you are absolutely correct in wanting to ensure better security for ALL the machines within your domain, faculty and lab machines included. I am a firm believer in the validity of the configuration standards that you mention for all publicly visible servers. If a faculty member (or staff member) doesn't know what TCP, SMTP, or DNS are, then they should not be administering the server, at least not on their own. I see a need for cooperation here, where IT services and others can agree to share the administration of these servers in order to provide a valuable service (the reason that the server is up in the first place) with reasonable security and patching processes (to make security managers happy and keep hackers at bay).
When you look at the utility brought forward by the dynamic, agile and flexible capabilities of virtualized infrastructure, it's hard not to extrapolate all the fantastic things we could do.
Src: Virtual Routing - The Anti-Matter of Network SECURITY | Rational Survivability
Unfortunately, the crushing weight of what happens when we introduce security, compliance and risk management to the dance means we have a more sobering discussion about those realities.
The Security Principle requires members to "provide reasonable security for that data." The accompanying footnote reads:
Reasonable security is determined in light of several factors including, but not limited to, the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company.
I read this as allowing NAI member businesses to take minimal steps towards security. There are no requirements for best practices, audits, compliance checks, a named responsible party, or staff training and awareness.
Another problem with self-regulatory privacy practices is that they often work in unexpected ways. Case in point is the NAI Opt-out tool, which allows you to opt-out from many NAI advertisers. However, since the choice is cookie-based, your settings will be lost if you choose to delete your cookies (which you might do to enhance your privacy).
The NAI Opt-out Tool is cookie-based. In order for the Tool to work on your computer, your browser must be set to accept third party cookies. If you buy a new computer, change web browsers or delete this cookie, you will need to perform the opt-out task again.
Src: Social Engineering Outsourced - New service offers to localize cybercrime | Softpedia
The article below goes into more details on each of these points and more.
Src: The 7 Reasons why Businesses are Insecure! | Beast or Buddha Blog
One more resource on this subject, educating upper management as to the cyber risks, comes from the American National Standards Institute (ANSI) and the Internet Security Alliance (ISA). Earlier this year, they released a new guide to assist business executives in the analysis, management and transfer of financial risk related to a cyber attack.
ISACA's reply (paraphrased, emphasis is mine) is that the password management system will change with the next update to their web site and that users can choose to have a password hint displayed or whether they want to have their old password sent back to their email address on record.
My reply to ISACA's
The problem with being able to send one's old password back to them is that it implies the password is stored in a form that can be retrieved. This can be achieved by storing the password in plaintext in the database, or via some (often home-grown) reversible encryption (such as ROT-13, XOR, etc).
Original post:
This also implies that people who maintain the DB (and possibly the site) can have access to that data. Of course, I expect ISACA to have procedures in place to review access privileges and log all access attempts. Still, I would rather know that my password is stored in a one-way hash that cannot be reversed.
In the current threat environment, best practices for web sites mandate that when a user has forgotten his/her password, a new one be created for them and sent to the address on record. It is disappointing to see a giant of security like ISACA.org not follow that advice with their own web site.
Src: Open Sesame - The Daily WTF
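To make the two storage models above concrete, here is an added example (my own illustration, not ISACA's code or anything from The Daily WTF) that puts a reversible XOR "encryption" of the kind the text criticizes beside a salted one-way PBKDF2 hash, and implements the forgot-password practice the text recommends: generate a new temporary password, store only its hash, send it to the address on record, and force a change at next login. The `XOR_KEY`, the `AccountStore` class, the iteration count and the sample accounts are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets

# --- The weak model: reversible storage. Anyone who can read the DB and
# --- the (necessarily stored) key gets every password back.
XOR_KEY = b"fixed-app-key"        # constructed; a fixed key is the whole flaw


def _xor(data):
    return bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(data))


def weak_store(password):
    return _xor(password.encode())


def weak_recover(stored):
    # XOR is its own inverse, which is exactly why "we can mail you your
    # old password" is a red flag.
    return _xor(stored).decode()


# --- The sound model: salted, iterated one-way hash. There is no
# --- recover function because there is nothing to recover.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)      # constant-time compare


class AccountStore:
    """Minimal account table: email -> {'hash': ..., 'must_change': bool}."""

    def __init__(self):
        self.users = {}

    def register(self, email, password):
        self.users[email] = {"hash": hash_password(password),
                             "must_change": False}

    def login(self, email, password):
        rec = self.users.get(email)
        return rec is not None and verify_password(password, rec["hash"])

    def must_change(self, email):
        return self.users[email]["must_change"]

    def reset_password(self, email):
        """Forgot-password flow: mint a random temporary password, keep only
        its hash, return the cleartext once so it can be emailed to the
        address on record. The old password is gone, not 'sent back'."""
        temp = secrets.token_urlsafe(12)
        self.users[email] = {"hash": hash_password(temp), "must_change": True}
        return temp

    def change_password(self, email, old, new):
        if not self.login(email, old):
            return False
        self.users[email] = {"hash": hash_password(new), "must_change": False}
        return True


if __name__ == "__main__":
    print("weak store leaks:", weak_recover(weak_store("correct horse")))
    store = AccountStore()
    store.register("member@example.org", "correct horse")
    temp = store.reset_password("member@example.org")
    print("temporary password to email:", temp)
    print("old password still works?", store.login("member@example.org", "correct horse"))
```

The `must_change` flag is what turns a mailed temporary password into a short-lived credential: it is accepted exactly once, to reach the change-password screen.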
1. Good end point security assumes the network is hostile.
2. Good network security assumes the end point is hostile.
3. Good data security assumes the user is hostile.
Src: Stiennon’s laws | ThreatChaos
Who can you trust?
Targeted attacks and blended, cross-vector assaults, along with a 90 percent growth in threats originating from legitimate domains
A cloudy forecast for Web 2.0:
Internet criminals have staked out new attack vectors this year based on the use of Web-based services reached through standard browsers.
Raising an army of machines:
Attacks using botnets, social engineering and reputation hijacking became noticeably more prevalent.
But the network is secure, right?
The edge of the network is expanding rapidly, and the increasing number of devices and applications in use can make the expanding network more susceptible to new threats.
And for the finale, some philosophy about security:
Human nature rules, and security decisions by corporations are sometimes only made after a problem develops.
Src: Hackers Will Be Bolder, Smarter, Craftier in 2009 | Technewsworld.com
More including videos at CNN Money
Forrester Research data shows that 52 percent of companies surveyed have suffered data loss via USB drives and other removable media. The Ponemon Institute reports that 53 percent of companies acknowledge confidential data resides on flash drives. At the same time, 53 percent of these companies would have no way of knowing what data was on the flash drive if it was lost. Since 2005, more than 245 million records containing sensitive personal information have been involved in security breaches in the U.S. alone, according to Privacy Rights Clearinghouse. Ponemon further reports that the average security breach costs corporations $6.3 million.
Src: Open Letter From SESTA Calls For Tighter USB Security - DarkReading
While this is nothing new, it does raise awareness of the issue that programs are just programs, and the logic that detects a virus can itself be the target of a virus.
If the antivirus crashes, it can even cause remote system compromise. Attackers can steal information or cause a 'denial of service' condition.
Src: Hackers using antivirus to sneak into computers | The Times of India
Using a variety of file fuzzing techniques, the team discovered abnormal behaviour in several security tools when handling complex or unusual executable header data. In such events, multiple bugs were found in antivirus software while processing malformed packed executables. Some of these bugs proved to be security vulnerabilities which could turn the antivirus itself into a back door for hackers.
Src: Printing error leaves La. taxpayers' data at risk | WXVT-TV
Government has lost files so secret their contents are unknown | The Local
Companies need to wake up that one of the biggest threats to their security is their own staff, remember those that you trust the most are the ones that can hurt you the most. -- Brian Honan, SANS NewsBites Vol 10, Num 97
Of course I understand that they need to abide with laws like COPPA, the Children's Online Privacy Protection Act, but isn't there a better way rather than asking for a date of birth?
The only way to ensure those people don't abuse the power they're entrusted with is through audit. Without it, we will simply never know who's peeking at what. -- Bruce Schneier
Src: How to Prevent Digital Snooping - WSJ.com
Earlier this year, I saw a presentation from Jeremiah Grossman (of WhiteHat Security) at the Twin Cities OWASP chapter which mesmerized the audience and destroyed our dreams of easy security in a Web 2.0 world.
Src: Gmail, Yahoo and Hotmail systematically abused by spammers | ZDNet.com
The Gartner report ranks countries based on 10 criteria, which include: language, government support, labor pool, infrastructure, educational system, cost, political and economic environment, cultural compatibility, global and legal maturity, and data and intellectual property security and privacy.
Src: Gartner Identifies Top 30 Countries for Offshore Services in 2008
Cyber-criminals are adopting new automation techniques and strategies that allow them to exploit vulnerabilities much faster than ever before. The new tools are being implemented on the Internet by organized criminal elements, and at the same time public exploit code published by researchers is putting more systems, databases and ultimately, people at risk of compromise.
94 percent of all browser-related online exploits occurred within 24 hours of official vulnerability disclosure. These attacks, known as "zero-day" exploits, are on the Internet before people even know they have a vulnerability that needs to be patched in their systems.
It seems to me that the number of Zero-day attacks is steadily increasing. 2009 will most likely prove to be an eventful year.
Src: Hackers exploiting (unpatched) IE 7 flaw to launch drive-by attacks | ZDNet.com
Counter-terrorism efforts rob citizens of basic privacy rights, which undermines rather than improves security.
and
General surveillance raises serious democratic problems which are not answered by the repeated assertion that those who have nothing to hide have nothing to fear. This puts the onus in the wrong place: It should be for states to justify the interferences they seek to make on privacy rights.
Src: 21 million German bank accounts for sale | ITworld
How about 5xx additions as well:
Src: What I Want For Wednesday: More Error 408 (Gartner Blog)
506 - Server under Denial of Service Attack - We had no sys admin
507 - Server under Denial of Service Attack - Failed to pay extortion request
510 - Server Was Hacked - Start ID Theft Recovery Service Now
511 - Server Now Serving Malware - Please come again
The threats have moved way beyond what antivirus software can provide. -- John Pescatore, Gartner
Src: Microsoft Joins Free Security Software Push (BusinessWeek)
John Markoff, the author of the NYT article has several good quotes, including:
For example, malware programs now infect computers and then routinely use their own antivirus capabilities to not only disable antivirus software but also remove competing malware programs.
and
The cyber-criminals appear to be at least as technically advanced as the most sophisticated software companies. And they are faster and more flexible.
Src: Thieves Winning Online War, Maybe Even in Your Computer (NYTimes.com)
Malware writers spoof Firefox plug-in (vnunet.com)
Read more at: CBS Web site bitten by iFrame hack (InfoWorld)
That's due in part to the hacker's ability to use "malware constructor" tools to generate new malware variants with a few clicks of the mouse.
Prepare your Incident Response plan TODAY.
Src: "Constructing" bad things...again (PandaLabs)
Congratulations and job well done.
The bot client strategies for finding command and control centers have gotten increasingly devious. New techniques used mechanisms that are very similar to old style spycraft, the cyber equivalent of spy numbers stations and chalk Xs on mailboxes. -- John Pescatore, Gartner Inc, in SANS NewsBites Vol. 10 Num. 94
This case also sheds light on a new type of attack that combines stolen information with social engineering for a greater gain; in this case, the thieves changed or forwarded the victim's phone calls to phone lines under their control in order to intercept any bank's attempt at verifying the transactions. With VoIP, they could potentially do this from anywhere in the world.
Src: Thieves Stole Identities to Tap Home Equity (Washington Post)
"The sad truth is that a true zero day attack will own us all. The best we can do is to pay attention enough to clean up the mess, and you don’t need the press – or even a savvy security researcher – to tell you when you’ve been owned."
Src: Breaking the zero-day habit (ZDNet.com)
Src: Privacy Compliance 101: Why Massachusetts Data Security Standards DO Affect You (CIO)
Earlier in 2008, GMail (Google Mail) started allowing users to track the number of open sessions (meaning cookies) that they had on their account and giving users the ability to expire those sessions from a central point. A session cookie can be stolen and provide access to your account, often for days (or years) following a password change!
Src: Domdingelom on security, fun and life: Is firefox+twitter+https messing with me?
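The session-tracking feature described above comes down to three server-side abilities: enumerate a user's live sessions, revoke them from one place, and, crucially, make a password change invalidate every session that was issued under the old password (otherwise a stolen session cookie survives the change, as the text warns). The following is an added example for this page, not Google's implementation or any code from the linked post; the `SessionManager` class, the per-user "password generation" counter and the sample IPs and user agents are assumptions constructed for illustration.

```python
import hashlib
import secrets
import time


class SessionManager:
    """In-memory session store. Only the SHA-256 of each session token is
    kept, so a copy of this table cannot be replayed as cookies."""

    def __init__(self, idle_ttl=7 * 24 * 3600):
        self.idle_ttl = idle_ttl
        self._sessions = {}      # token hash -> session record
        self._pw_generation = {} # user -> counter bumped on password change

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user, ip, user_agent, now=None):
        """Issue a new session token (this is the value set in the cookie)."""
        now = now if now is not None else time.time()
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user, "ip": ip, "ua": user_agent,
            "created": now, "last_seen": now,
            "gen": self._pw_generation.get(user, 0),
        }
        return token

    def validate(self, token, now=None):
        """Return the user for a live session, or None. Sessions die when
        idle too long or when issued under an older password generation."""
        now = now if now is not None else time.time()
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        stale = now - rec["last_seen"] > self.idle_ttl
        superseded = rec["gen"] != self._pw_generation.get(rec["user"], 0)
        if stale or superseded:
            del self._sessions[key]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def list_sessions(self, user):
        """What the 'open sessions' page shows: where and when, never the token."""
        return sorted(
            ({"ip": r["ip"], "ua": r["ua"], "last_seen": r["last_seen"]}
             for r in self._sessions.values() if r["user"] == user),
            key=lambda r: r["last_seen"], reverse=True)

    def revoke_all_except(self, user, keep_token):
        """The 'sign out all other sessions' button."""
        keep = self._key(keep_token)
        doomed = [k for k, r in self._sessions.items()
                  if r["user"] == user and k != keep]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def on_password_change(self, user):
        """Bump the generation so every existing session for user is rejected
        on its next request, including any a thief copied earlier."""
        self._pw_generation[user] = self._pw_generation.get(user, 0) + 1


if __name__ == "__main__":
    sm = SessionManager()
    home = sm.create("alice", "198.51.100.7", "Firefox/3.0")   # constructed
    stolen = sm.create("alice", "203.0.113.9", "Unknown")      # constructed
    print(sm.list_sessions("alice"))
    sm.on_password_change("alice")
    print("stolen cookie still valid?", sm.validate(stolen) is not None)
    print("home cookie still valid?", sm.validate(home) is not None)
```

Rejecting by generation counter rather than by walking the table means the check is O(1) per request and also covers sessions that were created on another server node, as long as the counter is shared.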