Quote on securing the Internet
Securing the Internet against denial of service attacks is a near impossibility, and punishing those who launch such attacks when the culprits are countries is infeasible. -- Eugene Schultz, member SANS NewsBites Advisory Board
Src: SANS NewsBites
Quote on business culture
Data breaches and thefts are due to a lagging business culture – absent a new eCulture, breaches will, and continue to, increase. -- Reader comments from John Franks
Src: Monster.com Breach May Preface Targeted Attacks - Security Fix | WashingtonPost
Quote on business survival
In the realm of risk, unmanaged possibilities become probabilities. Any business and its survival is dependent on one thing: a managed progression through a world of accelerative change. -- David Scott, author of I. T. Wars: Managing the Business-Technology Weave in the New Millenium
Src: I.T. Wars | The Business Forum Online
Data breach victims may not get directly notified
With 45 states having distinct data-loss disclosure laws, I believe it's time to level the playing field and establish a preemptive federal data-loss disclosure law that would apply throughout the US.
Src: Data-theft victims in Monster, Heartland cases may not be notified | USATODAY.com
UK's Personal Information Promise
In the UK, the Information Commissioner's Office (ICO) is the "independent authority set up to promote access to official information and to protect personal information." Src: ICO.gov.uk
Data protection is good for business [...] Organisations are waking up to the fact that privacy is now so significant that lapses risk reputations and bottom lines [...] Protecting people's personal details should not be left to chance. I urge all CEOs and their executive teams to take personal responsibility for treating data protection as a corporate governance issue affecting the whole organisation. They have to make sure that safeguarding the personal information of the customers and staff is embedded in their organisational culture.
Src: ICO Press Release
As of today, over twenty organizations have signed the 10-point Personal Information Promise, which states that organizations will:
Src: Personal Information Promise | ICO.gov.uk
1. value the personal information entrusted to us and make sure we respect that trust;
2. go further than just the letter of the law when it comes to handling personal information, and adopt good practice standards;
3. consider and address the privacy risks first when we are planning to use or hold personal information in new ways, such as when introducing new systems;
4. be open with individuals about how we use their information and who we give it to;
5. make it easy for individuals to access and correct their personal information;
6. keep personal information to the minimum necessary and delete it when we no longer need it;
7. have effective safeguards in place to make sure personal information is kept securely and does not fall into the wrong hands;
8. provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or don't look after personal information properly;
9. put appropriate financial and human resources into looking after personal information to make sure we can live up to our promises; and
10. regularly check that we are living up to our promises and report on how we are doing.
Src: ThisIsMoney.co.uk
SSN-based UserID and Password
EideBailly, which bills itself as a top 25 CPA firm in the US, describes its new login procedures where the password is derived from the user id, and both are based on the employee's SSN.
***Please note new login procedures*** [emphasis from source document]
Src: EideBailly Employee Benefits Login Page
Enter your social security number as the User Name and last four digits of that same number as your PIN. Click on the “Log in” button. A new screen will open to “Set Up Your New Account.” In the User Name and Password field, type in a unique User Name and password. The password is case sensitive and must contain at least six characters, one of which must be a number. Enter an e-mail address to be used if you lose your password. Enter a security question and answer. Click on “Create the User.”
Bot software peers at victims' screens
The good news: financial institutions are (slowly) changing the way they authenticate users. ING.com, for example, presents users with a graphical numeric pad (like a calculator's) for entering part of the authentication data.
The bad news: as was suspected, attackers have changed their methods too, and are now reported to be recording snapshots of the user's screen (or of the area around the mouse pointer), capturing exactly what the graphical keypad was meant to hide from a keylogger.
Src1: Bot software peers at victims' screens | SecurityFocus
Src2: Ozdok: Watching the Watchers | SecureWorks
Test your defenses against malicious USB flash drives
The article from Computerworld contains a small snippet of code that you can use to check (yes, "trust but verify" as Reagan would say) that Autorun is properly disabled on your USB devices.
Src: Test your defenses against malicious USB flash drives | Computerworld
Quote on two-factor authentication
Src: Twitter / Andrew Hay: two factor authentication ...
An Inquiry into the Nature and Cause of the Wealth of Internet Miscreants
"The total wealth generated from credit card fraud in the channel is over $37,000,000" and over $93 million when other forms of financial data are included.
Src: 'An Inquiry into the Nature and Cause of the Wealth of Internet Miscreants'
McAfee Report - Businesses risk losing over $1 trillion from loss or theft of data and other cybercrime
Here are highlights of the research, conducted by Purdue University’s Center for Education and Research in Information Assurance and Security (CERIAS):
- Recession puts intellectual property at risk
- Commitment to protecting vital information varies
- Intellectual property is now an international currency
- Employees steal intellectual property for financial gain and competitive advantage
- Geographic threats to intellectual property
"Cybercriminals are increasingly targeting executives using sophisticated phishing techniques"
Src: McAfee
The 7 dirty secrets of the security industry
Notable quotes:
Compliance in and of itself does not equal security...
Compliance is supposed to raise the minimum standard of security, but it just gets us to do what we are required to do and nothing else.
Technology without strategy is chaos.
Src: The 7 dirty secrets of the security industry - Network World [Tx to @gattaca]
What the Web knows about you
Src: What the Web knows about you | ComputerWorld [Tx @BrianHonan]
New Fake Antivirus - "Total Defender"
Src: New Rogue: Total Defender - PandaLabs [Tx @lithium]
Innovation in firewalls? You bet!
Src: Innovation in firewalls? You bet. | ThreatChaos
How to Use Twitter for Information Mining
Src: How to Use Twitter for Information Mining - SANS Internet Storm Center
Websense report - State of Internet Security Q3-Q4 2008
77 percent of Web sites with malicious code are legitimate sites that have been compromised.
Meaning that instead of primarily registering new sites, attackers are choosing to compromise existing ones.
70 percent of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.
Attackers are compromising the very sites that people visit frequently and normally trust (e.g. CNET Networks, BusinessWeek.com, BillOReilly.com, the New York Times, Facebook, Twitter).
Sites that allow user-generated content comprise the majority of the top 50 most active distributors of malicious content.
Web 2.0 allows for rich interactions with other users and content. However, it also gives attackers a powerful means to infect new machines by taking advantage of the dynamic and rich nature of the content that can be served (i.e. scripting).
57 percent of data-stealing attacks are conducted over the Web (a 24% increase).
The web has become the attackers' weapon of choice: it allows massive theft of data spread across numerous law enforcement jurisdictions, which makes it hard to investigate and prosecute quickly.
The Web Remains the Number-One Attack Vector
The top 10 web attack vectors are, not surprisingly, centered around browser vulnerabilities, flaws in media software (PDF, Flash, ActiveX, RealPlayer, QuickTime), social engineering, third-party applications, and DNS weaknesses.
Src: State of Internet Security Q3-Q4 2008 | Websense
In the long run, the cops (feds) always win
Src: Three years undercover with the identity thieves | InfoWorld.com
Personal Privacy And Frequent Flyer Elite Status
Src: Personal Privacy And Elite Status | Liquidmatrix Security Digest
The AutoRun that won't get disabled
Src: US-CERT Technical Cyber Security Alert TA09-020A -- Microsoft Windows Does Not Disable AutoRun Properly
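The Computerworld test above exercises a real USB stick; the registry side of the same question is whether the two settings that TA09-020A turns on are actually present. The check below is an added example (not the Computerworld snippet and not US-CERT's text): it evaluates the NoDriveTypeAutoRun bitmask and the IniFileMapping\Autorun.inf workaround that the US-CERT alert recommends. The bit meanings and registry paths are documented Windows behaviour; the dict key names, the sample hosts and the preference for the HKLM policy value over HKCU are choices made for this example.

```python
"""
Registry-based check that AutoRun is really off on a Windows host.

Added example: evaluate() works on a plain dict, so the logic can be exercised on
any platform with the constructed samples at the bottom; read_live_registry()
needs Windows. Conventions assumed here: the dict key "NoDriveTypeAutoRun" holds
the policy DWORD and "Autorun.inf mapping" holds the default value of the
IniFileMapping\Autorun.inf key.
"""
from __future__ import annotations

import sys

# Bit n of NoDriveTypeAutoRun disables AutoRun for the drive type GetDriveType() reports as n.
REMOVABLE = 0x04          # DRIVE_REMOVABLE: USB sticks, memory cards
NETWORK = 0x10            # DRIVE_REMOTE
CDROM = 0x20              # DRIVE_CDROM
ALL_DRIVES = 0xFF
CLIENT_DEFAULT = 0x91     # unknown(0x01) + network(0x10) + reserved(0x80): removable and CD still enabled
EXPECTED_MAPPING = "@SYS:DoesNotExist"   # TA09-020A workaround: point Autorun.inf parsing at a key that does not exist

POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
MAPPING_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"


def evaluate(values: dict) -> list[str]:
    """Return findings; an empty list means AutoRun is disabled the way TA09-020A recommends."""
    findings = []
    mask = values.get("NoDriveTypeAutoRun")
    if mask is None:
        findings.append("NoDriveTypeAutoRun not set: Windows default leaves AutoRun on for removable media")
    else:
        for bit, kind in ((REMOVABLE, "removable"), (CDROM, "CD/DVD"), (NETWORK, "network")):
            if not mask & bit:
                findings.append(f"NoDriveTypeAutoRun=0x{mask:02X} leaves AutoRun enabled for {kind} drives")
    # Even 0xFF is not honoured on unpatched systems: Explorer caches autorun.inf data
    # in MountPoints2 (the TA09-020A flaw). Mapping Autorun.inf away stops the parsing.
    if values.get("Autorun.inf mapping") != EXPECTED_MAPPING:
        findings.append(f"Autorun.inf is not mapped to {EXPECTED_MAPPING} (TA09-020A workaround absent)")
    return findings


def read_live_registry() -> dict:
    """Collect the two settings from the live registry (Windows only).
    This check prefers the machine-wide HKLM policy value and falls back to HKCU."""
    import winreg  # only importable on Windows
    values = {}
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                values["NoDriveTypeAutoRun"] = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")[0]
                break
        except OSError:
            continue
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, MAPPING_KEY) as key:
            values["Autorun.inf mapping"] = winreg.QueryValueEx(key, "")[0]  # the key's default value
    except OSError:
        pass
    return values


# Constructed samples, not taken from any real host.
STOCK_HOST = {"NoDriveTypeAutoRun": CLIENT_DEFAULT}
MASK_ONLY_HOST = {"NoDriveTypeAutoRun": ALL_DRIVES}
HARDENED_HOST = {"NoDriveTypeAutoRun": ALL_DRIVES, "Autorun.inf mapping": EXPECTED_MAPPING}


if __name__ == "__main__":
    if sys.platform == "win32":
        report = {"this host": evaluate(read_live_registry())}
    else:
        report = {name: evaluate(v) for name, v in
                  (("stock client", STOCK_HOST), ("0xFF only", MASK_ONLY_HOST), ("hardened", HARDENED_HOST))}
    for name, findings in report.items():
        print(name, "->", findings or ["OK: AutoRun disabled for all drive types and Autorun.inf mapped away"])
```

Run it as administrator on the host under test; a stock client reports three findings, a host that only set the 0xFF mask still reports the missing IniFileMapping workaround, and only the hardened configuration comes back clean.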
Risk Measure and Risk Metric
Src: Risk Measure and Risk Metric | RiskGlossary.com
McAfee 2009 Threat Predictions
In 2008, 1.5 million pieces of malware were identified; that's 171 new pieces of malware detected every hour (2.85 every minute). "Malware is a business, and that business is thriving."
Src: 2009 Threat Predictions | McAfee
Heartland Payment Systems Breached
Heartland Payment Systems publicly admitted that they were "the victim of a security breach within its processing system in 2008" and has hired forensic investigators to help. But sometimes you have to read between the lines to extract truth out of public releases.
No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach.
So, this means that the hackers have my credit card number, my name, and the encrypted PIN.
Src: Heartland Payment Systems | 2008breach.com
Why Technology Won't Prevent Identity Theft
Security is a trade-off, and any well-designed authentication system balances security with ease of use, customer acceptance, cost, and so on. More authentication isn't always better. Banks make this trade-off when they don't bother authenticating signatures on checks under amounts like $25,000; it's cheaper to deal with fraud after the fact. Web sites make this trade-off when they use simple passwords instead of something more secure, and merchants make this trade-off when they don't bother verifying your signature against your credit card.
Src: Why Technology Won't Prevent Identity Theft - WSJ.com
Choosing a good chart
Src: The Extreme Presentation(tm) Method: Choosing a good chart
[ Direct link to PDF ]
[Update1: Another resource (web site) to help you choose your chart]
Time to Take the Theoretical Seriously
The hope that no one is willing, or no one is able, to implement an attack is not a security strategy.
[...]
Yet, the necessity of demonstrating such attacks before the vulnerabilities are fixed is dangerous, both for Internet users and for researchers. By raising the amount of work required for researchers to get their voices heard it makes it all the more likely attackers will build the tools first.
Src: Time to Take the Theoretical Seriously | SecurityFocus [Tx @ioerror]
Malware - catch and do not release
Src: SANS Internet Storm Center
Social Media Defined
Social media is the convergence of technology and freedom of expression, allowing instant publishing of one's thoughts and opinions free of editorial control.
Social media tears down the last barrier to communication - distance. Its users enjoy the freedom of expression, the instant delivery of content and feedback, and the ability to connect to countless others, making us one small world in a great sea of humanity.
Dr. Christophe Veltsos, January 19th, 2009
The Social Engineering Pyramid
Src: SANS Internet Storm Center (ISC)
Windows 7 UAC & desktop dimming

Mind your hashes
Didier Stevens has many more details and a proof of concept on his blog. Didier was able to create a malicious file with the same MD5 hash as a known good file; because Authenticode signatures may be computed over an MD5 digest, a signature issued for the good file verifies on the malicious one as well.
Here is a site where you can find code to create your own MD5 hash collision.
Builders, Breakers, and Malicious Hackers
Builders build software, which gives breakers something to break. Breakers break software, a defensive sanity checking process, and provide insights into what attacks are theoretically possible... Then at some point malicious hackers hack said software, making what was previously possible probable. - Jeremiah Grossman, CTO of WhiteHat Security
Src: Builders, Breakers, and Malicious Hackers | Jeremiah Grossman Blog
It's time to start issuing PC licenses
A hybrid approach of licensing PC users and providing virtualized desktops may be the best approach.
Src: It's time to start issuing PC licenses - Computerworld Blogs
Imagine a $100 device that is instantly on, on which nothing can be saved (so malware cannot take hold either), and which brings the user straight to his or her virtual desktop, protected by all of the enterprise-class controls that are considered best practice today.
So where does licensing fit in this picture? If you need to use a *real* PC (is there such a thing anymore?), you would have to be licensed in safe computing, much like your state or country licenses safe drivers. If you are found to be in violation of safe computing practices, your license could be revoked and you would be sent back to the virtual desktop environment.
Storm Botnet Makes A Comeback
Src: Storm Botnet Makes A Comeback - DarkReading
Watch a movie of Malware in action
Src: Rash of Rogue Security Malware - PandaLabs
IT security standards planetarium
Src: IT security standards planetarium
The Bumper List of Windows 7 Secrets
Src: Tim Sneath : The Bumper List of Windows 7 Secrets
Laptop stolen from office containing finger prints, names, Social Security numbers, addresses, dates of birth and other information
Src: Laptop stolen from office containing finger prints, names, Social Security numbers, addresses, dates of birth and other information | OSF Data Loss Database
USB Encryption Fail
While the data was encrypted, the password was apparently "attached to the device" on a memo note when it went missing.
Src: Apology after prisoners' health info goes missing - Lancashire Evening Post
Police hacking laws moving from Germany to the rest of Europe
Src: Police hacking laws moving from Germany to the rest of Europe. Do as I say, not as I do. | Security4all
Woman beats immigration biometric system with sticky tape
"...the man had helped many South Koreans enter Japan using the method, in which people put special tape containing imitation fingerprints on their fingers to cheat the fingerprint scanner at immigration."
Src: Woman details immigration scam | The Daily Yomiuri
What is an “effective” Control?
If it does what it's supposed to, to the degree it's supposed to, it's effective (no matter how much risk, or what % of attacks, etc it reduces). If it does that for a cost that is low relative to its effectiveness, it's efficient. At the point where the cost of increasing effectiveness exceeds the incremental benefit of doing so, it's optimal. - Wade Baker, Verizon Business Security Solutions
Src: Verizon Business Security Blog » Blog Archive » What is an "effective" Control?
New phishing ploy exploits secure sessions to hijack data
Src: New phishing ploy exploits secure sessions to hijack data - SC Magazine US
Src: Move aside e-mail phishing, in-session phishing is in! | Oracle Blog
How to beat Downadup at its own game
[Updated on Jan 14: the number of infected machines is now 3,521,230, up 1 million from the previous day]
Downadup is one of those fascinating pieces of malware: it connects to various web addresses to download and install a predefined executable, which could allow more malware to be loaded.
Where Downadup differs from other botnets is the way in which it chooses, on a predefined basis, the names of the web addresses it will check on a particular day. Instead of a traditional list of preregistered web domains (e.g. evil1.com, evil2.com, etc.), Downadup has a complex algorithm that generates domain names which change daily, using timestamps from other public web sites to come up with things like "qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc, and hcweu .org."
Because the good guys can examine the code, they can predict which domain names the worm will use on a given day and register them before the worm's operators do. What they cannot do is take control of the compromised machines that connect to those domains, as that would be considered illegal in many countries. So instead they patiently waited and counted the number of machines connecting. The tally so far: almost 2.4 million machines infected by the Downadup worm.
Src: How Big is Downadup? Very Big. | F-Secure Weblog
Update1: More than One million new infections | F-Secure Weblog
Update2: Worm infects 1.1M Windows PCs in 24 hours | ComputerWorld
Update3: Latest F-Secure Blog entry
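To make the "predictable but not controllable" point concrete, here is an added example of a date-seeded domain-generation algorithm together with the defender-side counting described above. It is not Downadup's real algorithm: the seeding (a SHA-256 of the calendar date), the name lengths, the TLD set, the daily list size and the resolver-log format are all assumptions chosen for illustration. The worm takes its date from public web sites; here the date is simply a parameter, which is exactly why an analyst who has read the code can compute the same list.

```python
"""
Illustrative domain-generation algorithm (DGA) and the sinkhole-side count that
lets defenders measure a botnet they cannot lawfully take over.

Added example, NOT Downadup's real algorithm. Seeding, name lengths, TLDs, list
size and log format are assumptions for illustration only.
"""
from __future__ import annotations

import hashlib
import random
from datetime import date, timedelta

TLDS = (".ws", ".net", ".cc", ".org", ".biz")   # assumed TLD set
DOMAINS_PER_DAY = 250                           # assumed daily list size
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def daily_seed(day: date) -> int:
    """Turn the date into a 64-bit PRNG seed. Anyone who knows the date and the
    algorithm (the malware, or an analyst who has read its code) gets the same seed."""
    digest = hashlib.sha256(day.isoformat().encode()).digest()
    return int.from_bytes(digest[:8], "big")


def domains_for(day: date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """The day's rendezvous domains: fully determined by the date."""
    rng = random.Random(daily_seed(day))
    names = []
    for _ in range(count):
        length = rng.randint(5, 11)
        label = "".join(rng.choice(ALPHABET) for _ in range(length))
        names.append(label + rng.choice(TLDS))
    return names


def predicted_window(day: date, days_before: int = 1, days_after: int = 1) -> set[str]:
    """Defender side: precompute the lists for a window around 'day' so that
    infected hosts with skewed clocks are still recognised."""
    window: set[str] = set()
    for offset in range(-days_before, days_after + 1):
        window.update(domains_for(day + timedelta(days=offset)))
    return window


def infected_hosts(dns_log: list[str], predicted: set[str]) -> list[str]:
    """Distinct client IPs whose queries hit a predicted domain (the 'count the
    machines connecting' step). Log lines are '<timestamp> <client-ip> <qname>',
    a constructed format for this example."""
    hosts = set()
    for line in dns_log:
        _, client, qname = line.split()
        if qname.lower().rstrip(".") in predicted:
            hosts.add(client)
    return sorted(hosts)


SAMPLE_DAY = date(2009, 1, 13)


def constructed_dns_log(day: date = SAMPLE_DAY) -> list[str]:
    """Constructed resolver log: two hosts query today's list, one host queries
    yesterday's list (skewed clock), one host is clean."""
    today = domains_for(day)
    yesterday = domains_for(day - timedelta(days=1))
    ts = day.isoformat()
    return [
        f"{ts}T09:12:01 10.0.0.5 {today[0]}",
        f"{ts}T09:12:02 10.0.0.5 {today[7]}",
        f"{ts}T09:13:44 10.0.0.9 www.example.com",
        f"{ts}T09:15:10 10.0.0.17 {today[42]}",
        f"{ts}T09:16:00 10.0.0.23 {yesterday[3]}",
    ]


if __name__ == "__main__":
    predicted = predicted_window(SAMPLE_DAY)
    print(f"{len(predicted)} domains to watch for {SAMPLE_DAY} (+/- 1 day)")
    print("infected hosts:", infected_hosts(constructed_dns_log(), predicted))
```

The two halves mirror the two sides of the story: `domains_for` is what both the worm and the analyst compute once the algorithm is known, and `infected_hosts` is all a defender who has registered those names can legitimately do with the traffic, namely count distinct sources rather than issue commands.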
EFF Surveillance Self-Defense Project
The SSD seeks to answer questions about what the government can do and what you can do to protect yourself against government spying.
Src: The SSD Project | EFF Surveillance Self-Defense Project
Creating a Mac-on-Stick using Mini vMac
Src: Creating a Mac-on-Stick using Mini vMac | No Thick Manuals
(Under)mining Privacy in Social Networks
Here's an excerpt of the paper's introduction:
...we point out three distinct areas where the highly-interlinked world of social networking sites can compromise user privacy. They are
• lack of control over activity streams,
• unwelcome linkage, and
• deanonymization through merging of social graphs
Src: Could your social networks spill your secrets? | New Scientist
Direct link to paper
Contents of Your Transportation Pass Revealed
I think that 2009 will have many more such revelations about the dangers of proximity-based technology, whether used for transportation or more importantly things like identification (drivers license) and passports.
Src: The Information Security Group, Université catholique de Louvain, Belgium [Tx @DidierStevens]
2008 - The year of malware
Another dire bit of news reported by PandaLabs is the growth of "fake" antivirus which they estimate generates over $13 million a month for hackers.
Src: 22,000 new malware samples created every day in 2008 | Net-Security.org
County Posts Social Security Numbers Online
Src: County Posts Social Security Numbers Online KOCO Oklahoma City
First documented case of Spear Phishing for 2009
Src: SANS Internet Storm Center
Fake CNN malware attack spins Gaza angle
Src: Fake CNN malware attack spins Gaza angle | ComputerWorld
Looking at the Crackpal.com Phishing-For-Hire Scheme
Src: McGrew Security Blog » Blog Archive » Looking at the Crackpal.com Phishing-For-Hire Scheme
No Patch for Human Stupidity
The lesson is that our security problems don't lie in our technology, but in ourselves. The attacks this week [phishing attack on Twitter users & someone guessing the password for one of the Twitter admins] succeeded because, unfortunately, there is no patch for human stupidity. -- Charlie Martin
Src: Edgelings.com » No Patch for Human Stupidity
One Hacker's Audacious Plan to Rule the Black Market in Stolen Credit Cards
Src: One Hacker's Audacious Plan to Rule the Black Market in Stolen Credit Cards | Wired
Alex Hutton on Risk Management
Src: Domdingelom Blog