Wednesday, October 28, 2009

Around The Horn vol.1,157

Ars Technica - Security

Cyberattacks: Espionage now, sabotage soon

By jtimmer@arstechnica.com (John Timmer) on cyberattacks


In April 2009, the US National Academies of Science suggested that it was time for the US to get serious about cyberwarfare, setting official policy for its offensive use and spearheading the development of international norms governing its deployment. Less than three months later, the US and Korea were each hit by a series of network-based attacks that are thought to have originated in North Korea.

An analysis of these attacks has now concluded that their relative lack of sophistication reinforces the conclusion that only major nations have advanced cyberwarfare capabilities, but warns that this situation will only last for a few more years.

Sabotage or espionage?

The report was prepared for the Center for International and Strategic Studies, a non-partisan think tank, by James A. Lewis, who has written books on cyberwarfare. It spends very little time on the actual Korean attacks—they were recognized as unsophisticated at the time, and further analysis hasn't changed that diagnosis—dismissing them as a "noisy demonstration." Instead, Lewis uses them as a launching point for discussing the general state of cyberwarfare.

Read the rest of this article...

Microsoft Security Essentials ongoing beta begins

By emil.protalinski@arstechnica.com (Emil Protalinski) on Microsoft Security Essentials


As expected, Microsoft has started sending out e-mails to testers accepted into the Microsoft Security Essentials (MSE) Ongoing Beta Program. This beta is supposed to have a much bigger number of participants and new private beta builds. "Microsoft does not make available the number of beta testers involved in beta programs," a Microsoft spokesperson told Ars. Microsoft has already given testers build 1.0.1676.0, which is available for Windows XP 32-bit (8.62MB), Windows Vista/7 32-bit (4.29MB), and Windows Vista/7 64-bit (4.72MB); every installer grew by 0.01MB.

Read the rest of this article...

Nigeria actually arrests, shuts down online scammers

By jacqui@arstechnica.com (Jacqui Cheng) on Nigerian scam


It turns out Nigeria is taking measures to fight Internet scams—law enforcement there has shut down close to a thousand websites and made 18 arrests as part of a new initiative to save the nation's reputation and crack down on Internet scammers. The program, called "Project Eagle Claw," has only just begun, but Nigerian officials expect it to be fully operational in 2010.

Nigeria's Economic and Financial Crimes Commission (EFCC) described the initiative as "a renewed bid to clap down" (*clap clap*?) on Internet fraudsters. So far, the agency claims to have shut down 800 scam sites in addition to making the arrests, with many more apparently to come.

EFCC Chairman Farida Waziri said Wednesday during a US address to the National Conference of Black Mayors that Nigeria was working with Microsoft to fully deploy Project Eagle Claw, and that it will soon be able to take down up to 5,000 fraudulent e-mails per month. She also expects the system to send up to 230,000 advisory e-mails to victims every month.

Read the rest of this article...

CGISecurity - Website and Application Security News

All things related to website, database, SDL, and application security since 2000.

Microsoft's Enhanced Mitigation Evaluation Toolkit adds protection to processes

By Robert A. on Security Tools

Microsoft has published the Enhanced Mitigation Evaluation Toolkit. This toolkit allows you to specify a process to add the following forms of protection (without recompiling). SEHOP: this mitigation performs Structured Exception Handling (SEH) chain validation and breaks SEH overwrite exploitation techniques. Take a look at the following SRD blog post for more...

Attacking Magstripe Gift Cards

By Robert A. on Research

Corsaire has published a rather lengthy paper on attacking gift card systems. While this is a little off topic it's a good read. "This paper is based on research conducted on a large number of UK gift cards. It has been created to complement the presentation “Stored Value Gift Cards: Magstripes Revisited”,...

CNET News - Security

Twitter users warned about new phishing attack

By Elinor Mills

This is Twitter's spam warning.

(Credit: Twitter)

Twitter warned on Wednesday about a new phishing attack in which direct messages to users link to a fake log-in page that steals passwords.

"We've seen a few phishing attempts today; if you've received a strange (direct message), and ...

Originally posted at InSecurity Complex

Bank Trojan botnet targets Facebook users

By Elinor Mills

On the heels of one fake Facebook e-mail scam, a researcher warned on Wednesday of another such campaign in which users of the popular social network are being tricked into revealing their passwords and downloading a Trojan that steals financial data.

In the latest scam being blasted to e-mail in-boxes, ...

Originally posted at InSecurity Complex

Survey: Few companies addressing cyberterrorism

By Lance Whitney

Cyberterrorism is on the rise around the world. But only one-third of companies are tackling it in their disaster recovery plans, says a survey released Tuesday by data center association AFCOM.

Although the majority (60.9 percent) of companies questioned see cyberterrorism as a threat to be addressed, "AFCOM's ...

More security breaches hit midsize companies

By Lance Whitney

More midsize companies are being attacked by cybercriminals at the same time they're spending less on security, says a McAfee report released Wednesday.

Across the world, more than half of the 900 midsize businesses (51 to 1,000 employees) surveyed by McAfee for its report, The Security Paradox, said ...

US-CERT warns about free BlackBerry spyware app

By Elinor Mills

The creator of PhoneSnoop shows how the free spyware app works in a video on his blog.

(Credit: Chirashi Security)

The U.S. Computer Emergency Readiness Team warned BlackBerry users on Tuesday about a new program called PhoneSnoop that allows someone to remotely eavesdrop on phone conversations.

The PhoneSnoop application ...

Originally posted at InSecurity Complex

Fake Facebook e-mail contains Trojan

By Don Reisinger

A new variant of the Bredolab Trojan horse is attached to a fake "Facebook Password Reset Confirmation" e-mail, security firm MX Labs is reporting.

Some users are receiving the e-mail from "The Facebook Team," according to the security firm. The sender's e-mail address ...

Originally posted at Webware

Nokia, SAP team up to fight counterfeiting

By Lance Whitney

Nokia and SAP are forming a new company that will use their technologies to help manufacturers battle counterfeit products.

Announced Tuesday at SAP TechEd in Vienna, Original1 will offer services to better authenticate branded products and protect them from counterfeiting, the companies said in a statement.

Offering software as a ...

Cisco to buy cloud security firm for $183 million

By Marguerite Reardon

Cisco Systems said Tuesday it plans to buy privately held Web-based security software company ScanSafe for about $183 million.

The all-cash deal, which also includes retention-based incentives, is expected to close in Cisco's fiscal second quarter, which ends in January 2010.

ScanSafe is a cloud-based software service that allows ...

Originally posted at Signal Strength

Web-based malware infections rise rapidly, stats show

By Elinor Mills

The number of Web sites hosting malicious software, either intentionally or unwittingly, is rising rapidly, according to statistics to be released on Tuesday from Dasient.

More than 640,000 Web sites and about 5.8 million pages are infected with malware, according to Dasient, which was founded by former Googlers ...

Originally posted at InSecurity Complex

Time Warner home routers still open to attack, blogger says

By Elinor Mills

If you have an SMC8014 cable modem/Wi-Fi router from Time Warner your network might still be vulnerable to attack.

Blogger David Chen reported last week on a security hole affecting about 67,000 combo modem/router devices that could allow anyone to access Time Warner customers' private networks, snoop ...

Originally posted at InSecurity Complex

Defense Department to partially lift flash drive ban

By Elinor Mills


The U.S. Department of Defense ban on USB thumb drives instated nearly a year ago will eventually be partially lifted to allow authorized people to use official flash drives for mission-critical functions, according to a top military official.

"In the future, we expect that a ...

Originally posted at InSecurity Complex

TrendMicro to 'protect the cloud'

By Larry Magid

TrendMicro last year introduced its cloud computing strategy to deliver security to desktop PCs. Now the security software vendor, according to CEO Eva Chen, is taking cloud security a step further by protecting the cloud itself.

An update to its Deep Security product, introduced Monday, offers protection for the "entire ...

Originally posted at Safe and Secure

Spying on a stolen laptop

By Elinor Mills

Imagine your laptop gets stolen. Wouldn't it be great to remotely spy on the machine and get it back?

Clair Fleener, chief executive of IT outsourcer InertLogic, got that chance after a laptop belonging to a customer was stolen.

Fleener was instrumental in the investigation that led to the ...

Originally posted at InSecurity Complex

Demos to show spying on mobile IP calls

By Elinor Mills

Using VoIP-based mobile devices over Wi-Fi or IP video phones? Be careful.

Researchers plan to demonstrate this weekend how they can eavesdrop on voice over IP conversations made using an iPhone over a Wi-Fi network and snoop on video and audio communications between IP video phones.

These types of man-in-the-middle ...

Originally posted at InSecurity Complex

Q&A: Schneier warns of marketers and dancing pigs

By Elinor Mills

Bruce Schneier

(Credit: Ann De Wulf)

In a security industry full of FUD and hype, cryptographer and consultant Bruce Schneier offers a no-nonsense reality check verging on social commentary.

He has worked on numerous ciphers, hash functions, and other cryptographic algorithms that are arcane to the average computer user but which have been instrumental in protecting the privacy of data. But his influence extends beyond the world of encryption.

Schneier wrote several bestselling books--including "Secrets and Lies: Digital Security in a Networked World," "Beyond Fear: Thinking Sensibly about Security in an Uncertain World," and his latest, "Schneier on Security"--that provide perspective on risks and threats in everything from e-mail to airport security. And his Crypto-Gram newsletter and blog are considered must-reads inside and outside the industry.

Opinionated and cynical, he doesn't hesitate to point out that one of the biggest limitations of technology is people. ("The user's going to pick dancing pigs over security every time," he has been quoted as saying.)

In an e-mail interview with CNET News, Schneier pokes fun at National Cyber Security Month, talks about his background in crypto and working for the U.S. Defense Department, and says he fears privacy invasion more from marketers than governments or criminals.

Q: You started out as a cryptographer but are considered an expert on all types of security threats, hypes, and realities. Do you still do much cryptography?
Schneier: Some. I'm a member of the cryptographic team that developed the Skein hash function, currently a second-round candidate in NIST's competition to choose an SHA-3. These competitions are kind of like cryptographic demolitions derbies: all the teams put their algorithms in the ring and try to beat up everyone else's. NIST received 64 submissions, of which 51 met the submission criteria. Of those 51, 14 proceeded to the second round. It's great fun to be working on this.

Overall, though, I am not doing a lot of cryptography. Over the past several years I have been studying security economics, and more recently, the psychology of security. These are important new fields that will have many lessons for security technology.

What are your thoughts on the state of cryptography today? There doesn't seem to be anything going on as exciting as the crypto battles of the 1990s.
Schneier: We really have all the cryptography we need for the foreseeable future; the problem is using it securely. Computer and network security are by far the weaker links. Even worse are things like user interface, installation, implementation, configuration, use, and update. There's so much good cryptography that doesn't get used properly because of one of these issues. These are hardly new areas, but they're the areas that need the most work.

Do you encrypt your e-mail?
...

Originally posted at InSecurity Complex

Congressional commission focuses on China's cyberwar capability

By Mark Rutherford

In war and possibly in peace, China will wage cyberwar to control the information flow and dominate the battle space, according to a new report compiled for a congressional commission.

Chinese military strategists see information dominance as the key to overall success in future conflicts and will continue to expand ...

Originally posted at Military Tech

Windows 7 default user account control worries experts

By Elinor Mills

Corporate IT departments should be pleased with new security measures in Windows 7, but consumers are still at risk of getting hit by malware despite changes in the User Account Control (UAC) feature designed to help people be smarter when using applications, security experts say.

Probably the most talked about ...

Originally posted at InSecurity Complex

Darknet - Hacking, Cracking & Computer Security

Darknet - The Darkside

Ethical Hacking, Penetration Testing & Computer Security

Facebook E-mail Spam Conceals Malware Attack

By Darknet on zombie

Facebook has had a fair share of problems, being a large community of course it’s going to be a ripe target for spammers, scammers and malware distributors. The latest to hit is a spam e-mail claiming to be from the Facebook team that actually spreads a nasty piece of malware called Bredolab. It’s also been observed [...]
Read the full post at darknet.org.uk

Yokoso! – Web Infrastructure Fingerprinting & Delivery Tool

By Darknet on yokoso

Yokoso! is a project focused on creating fingerprinting code that is deliverable through some form of client attack. This can be used during penetration tests that combine network and web applications. One of the most common questions we hear is “so what can you do with XSS?” and we hope that Yokoso! answers that question. We [...]
Read the full post at darknet.org.uk

Web Application Security Consortium (WASC) 2008 Statistics Published

By Darknet on web-security

The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2008. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. We ascertain which...
Read the full post at darknet.org.uk

Nikto 2.1.0 Released – Web Server Security Scanning Tool

By Darknet on web-server-security

It’s been almost 2 years since the last update on Nikto, which was version 2. For those that don’t know, Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific...
Read the full post at darknet.org.uk

DarkReading - All Stories

DarkReading

MAAWG's Mission Evolving As Botnets, Web Threats Intensify

ISP group is starting to look at more than just email abuse as attacks span Websites, social networks

ISPs: Email Abuse Down But Not Out

Messaging Anti-Abuse Working Group (MAAWG) says ISPs, bad guys at a draw when it comes to spam, malicious email

Tech Insight: Managing Vulnerability In The Cloud

You can't control everything in the cloud, but you can control your data's exposure in the cloud

From Security Perspective, Windows 7 Off To A Rocky Start

Newly-launched Windows 7 could suffer security problems, experts say

Major Secure Email Products And Services Miss Spear-Phishing Attack

Experiment successfully slips fake LinkedIn invite from "Bill Gates" into inboxes

Metasploit Project Sold To Rapid7

Open-source Metasploit penetration testing tool creator HD Moore joins Rapid7, commercial Metasploit products to come

DarkReading - Security News

DarkReading

Activu Teams with Mitsubishi to Exhibit State-of-the-Art Control Room Solutions at EMEX 2009, Booth 211

SonicWALL Medallion Partner Shows Spending More Doesn't Guarantee Better Protection

Commerce Online Announces Roll Out Of Pre-Paid Debit And ID Card Program With State Licensed Medical Marijuana Dispensaries and Collectives

SEMCO ENERGY Selects ZixCorp for Email Encryption

eWeek Security Watch

Cyber-Protesters Hoist New Signs of Innovation

In Twitter

Hacktivism is showing signs of advancement as protesters employ opt-in botnets and other new means to bring their collective influence to bear in the electronic domain.

Inside the Clampi Trojan: Using Shellcode to Game Firewalls

In Virus and Spyware

The Clampi Trojan attack employs some creative means to run its course and stay undetected, according to experts with Symantec.

Websites Often Reinfected After Malware Attacks

In Web 2.0

New research from Dasient suggests website owners need to do a better job of ensuring their sites are truly protected after remediating malware infections. According to the firm, compromised websites were re-infected at a rate of nearly 40 percent during the third quarter of 2009.

Botnet Click Fraud Problem Growing

In click fraud

Use of botnets to commit click fraud continues to proliferate, gaining noticeably during Q3 2009, according to researchers.

Do You Remember When... We Used to Pwn

In Virus and Spyware

The official Web site of singer Van Morrison is being used by attackers to deliver a variant on a long-running iframe infection attack.

Federal Computer Week: Security News

Government to build $1.5B cybersecurity data center

Officials plan to build a $1.5 billion data center to bolster the cybersecurity capabilities of intelligence agencies, the Defense Department, and the Homeland Security Department.

Cloud computing: Winners and losers

Technology companies that expect to benefit from cloud computing must creatively adapt licensing, pricing and revenue models.

Obama nominates Wagner as DHS intell chief

President Barack Obama today nominated Caryn Wagner to lead the Homeland Security Department's office that uses information technology to share information with non-federal officials.

Secret Service doesn't keep IT needs secret

The Secret Service wants industry to help it shape procurement plans for the first phase of a wide-ranging information technology overhaul.

Pointers

Federal URL shortener makes sense; Browser wars heat up; Is there any pie Google doesn't have its fingers in?; Stupid spammer tricks.

E-Verify would get three-year extension in spending bill

The House and Senate have both approved a three-year extension for the E-Verify employment verification system in the Homeland Security Department's spending legislation.

Exit system for foreign travelers stands at a crossroads

The Obama administration is poised to decide whether to proceed with a program to use biometrics to keep track of foreign visitors' departures.

Lawmakers press for automated exit system

Some lawmakers are looking for the Obama administration to deploy an automated system that would use biometrics to verify the departure of noncitizens from the United States.

Info Security News

Carries news items (generally from mainstream sources) that relate to security.

Government to build $1.5B cybersecurity data center

Posted by InfoSec News on Oct 27

http://fcw.com/articles/2009/10/27/web-nsa-data-center-cybersecurity.aspx
By Ben Bain
FCW.com
Oct 27, 2009
The federal government will spend an estimated $1.5 billion to build a
new data center in Utah to support intelligence and defense agencies’
cybersecurity programs, according to state and federal officials.
The National Security Agency will run the center that Utah Gov. Gary
Herbert said would cost $1.5 billion to build and employ...

Judge says TD Ameritrade's proposed security fixes aren't enough

Posted by InfoSec News on Oct 27

http://www.computerworld.com/s/article/9139988/Judge_says_TD_Ameritrade_s_proposed_security_fixes_aren_t_enough?taxonomyId=17
By Jaikumar Vijayan
October 27, 2009
Computerworld
A federal judge's rejection of a proposed settlement by TD Ameritrade
Inc. in a data breach lawsuit marks the second time in recent months
that a court has weighed in on what it considers to be basic security
standards for protecting data.
U.S. District Court Judge...

Espionage suspect has friends puzzled

Posted by InfoSec News on Oct 27

http://www.washingtonpost.com/wp-dyn/content/article/2009/10/27/AR2009102704121.html
By Del Quentin Wilber and Maria Glod
The Washington Post
October 28, 2009
By all accounts, Stewart D. Nozette is a brilliant and creative
scientist, an astronomer who once sketched a key part of a lunar mission
on the back of a cocktail napkin and daydreamed of colonizing the moon.
In a recent photograph, he appears the caricature of a NASA geek: a
pudgy...

Defense Department to partially lift flash drive ban

Posted by InfoSec News on Oct 27

http://news.cnet.com/8301-27080_3-10383372-245.html
By Elinor Mills
InSecurity Complex
CNet News
October 26, 2009
The U.S. Department of Defense ban on USB thumb drives instated nearly a
year ago will eventually be partially lifted to allow authorized people
to use official flash drives for mission-critical functions, according
to a top military official.
"In the future, we expect that a government-owned and procured USB flash
media,...

Report: Nearly 6 Million Infected Web Pages Across 640K Compromised Sites

Posted by InfoSec News on Oct 27

http://www.darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=220900638
By Kelly Jackson Higgins
DarkReading
Oct 27, 2009
More Websites are compromised today than ever, and about one-fifth of
the pages on each newly compromised Website were infected as of this
year's third quarter, according to new data gathered from real-time Web
malware monitoring service provider Dasient.
Dasient, a startup whose...

Rogue trader calls for smarter regulation to avert disaster

Posted by InfoSec News on Oct 26

http://www.theregister.co.uk/2009/10/26/leeson_rsa/
By John Leyden
The Register
26th October 2009
RSA Europe 2009 - Nick Leeson, the rogue trader who bankrupted a bank
before it became fashionable, said that unless the quality of regulation
improves, further financial disasters such as the Barings Bank collapse
he precipitated are inevitable.
Leeson told journalists at the RSA Europe conference on Thursday that
little has changed in the...

Guardian job website hit by hackers

Posted by InfoSec News on Oct 26

http://www.computerweekly.com/Articles/2009/10/26/238289/guardian-job-website-hit-by-hackers.htm
By Warwick Ashford
ComputerWeekly.com
26 Oct 2009
The Guardian has notified around 500,000 users of its UK jobs website
that their personal details may have been compromised in a hacker
attack.
Users have been advised to take precautionary measures including
contacting a credit reference agency and the UK fraud prevention service
Cifas to...

Socialite Charged with Hacking Voice Mail

Posted by InfoSec News on Oct 26

http://www.cbsnews.com/stories/2009/10/21/earlyshow/main5405296.shtml
The Early Show
Oct. 21, 2009
(CBS) - Most of us carry a cell phone to stay in touch. But, as CBS News
Science and Technology correspondent Daniel Sieberg reports, you might
be surprised to learn just how easy it is to violate your privacy or
even trick you.
A high-profile publicist is accused of hacking into the voice mail of
some other women, including one who dated her...

Military`s Intranet Vulnerable to NK Hacking

Posted by InfoSec News on Oct 26

http://english.donga.com/srv/service.php3?bicode=040000&biid=2009102467968
The Dong-A Ilbo
OCTOBER 24, 2009
The military's intranet is vulnerable to attacks by North Korean
hackers, a lawmaker from a minor party said yesterday.
Rep. Lee Jin-sam of the minor conservative Liberty Forward Party said,
"North Korean hackers attacked our military's intranet in the Ulchi
Freedom Guardian in August after the Defense Security Command warned...

Computer failure paralyses Swiss ministries

Posted by InfoSec News on Oct 26

http://timesofindia.indiatimes.com/world/europe/Computer-failure-paralyses-Swiss-ministries/articleshow/5162275.cms
The Times of India
26 October 2009
GENEVA: Complicated computer problems at key Swiss government ministries
have paralysed work at several offices since Friday, a government
spokesperson said.
The foreign ministry was hardest hit by the information systems failure
and likely will face severe computer restrictions Monday.
The...

China Expands Cyberspying in U.S., Report Says

Posted by InfoSec News on Oct 23

http://online.wsj.com/article/SB125616872684400273.html
By SIOBHAN GORMAN
The Wall Street Journal
OCTOBER 23, 2009
WASHINGTON -- The Chinese government is ratcheting up its cyberspying
operations against the U.S., a congressional advisory panel found,
citing an example of a carefully orchestrated campaign against one U.S.
company that appears to have been sponsored by Beijing.
The unnamed company was just one of several successfully...

Cyberwarfare Needs Damage Assessment Tools

Posted by InfoSec News on Oct 23

http://www.aviationweek.com/aw/generic/story_channel.jsp?channel=defense&id=news/CYBER102109.xml
By David A. Fulghum
Aviation Week
Oct 21, 2009
Although today's rudimentary non-kinetic weaponry can incapacitate a
surface-to-air missile, radar, or even a tank, cyberwarriors still lack
the tools necessary to determine right away if an attack has been
effective.
"There's no smoking hole," says a National Security Agency veteran....

Re: Time Warner Cable Exposes 65,000 Customer Routers to Remote Hacks

Posted by InfoSec News on Oct 23

Forwarded from: *Hobbit* <hobbit (at) avian.org>
And why was a similar hue and cry not raised two+ years ago over
Actiontec's similar backdoor they deliberately built into DSL
modems branded for Verizon?
http://techno-fandom.org/~hobbit/pix/vzdsl/
_H*

Zurich security breach affects 51,000 customers

Posted by InfoSec News on Oct 23

http://www.insurancedaily.co.uk/2009/10/22/zurich-security-breach-affects-51000-customers/
By Gill Montia
Insurance Daily
October 22, 2009
Zurich Insurance plc has announced that it has written to around 51,000
general insurance customers and other parties in the UK regarding the
loss of a back-up data tape in South Africa.
The tape, which also holds details of customers and other parties in
South Africa and Botswana, was lost in August...

Botnet click fraud at record high

Posted by InfoSec News on Oct 23

http://www.theregister.co.uk/2009/10/23/botnet_generated_click_fraud/
By Dan Goodin in San Francisco
The Register
23rd October 2009
Malware-infected computers are increasingly being used to perpetrate
click fraud, according to a study released Thursday that found their
contribution was the highest since researchers began compiling
statistics on the crime.
In the third quarter of this year, 42.6 percent of fraudulent clicks
were generated...

Secunia Weekly Summary - Issue: 2009-43

Posted by InfoSec News on Oct 23

========================================================================
The Secunia Weekly Advisory Summary
2009-10-15 - 2009-10-22
This week: 48 advisories
========================================================================
Table of Contents:
1.....................................................Word From...

Feds' Security Spending On a Roll: Over 8 Percent Growth Over Next Five Years

Posted by InfoSec News on Oct 23

http://www.darkreading.com/securityservices/security/government/showArticle.jhtml?articleID=220900236
By Kelly Jackson Higgins
DarkReading
Oct 22, 2009
The U.S. federal government's IT security spending will jump from $7.9
million to $11.7 billion in 2014 thanks to tightening federal security
regulations, a 300 percent jump in attacks on feds' networks and systems
during the past five years, and the Obama administration's emphasis on...

Almost half ISO 27001 'compliant' firms break basic security requirements

Posted by InfoSec News on Oct 23

http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=17211
By Leo King
Computerworld UK
October 22, 2009
Almost half of businesses that claim compliance with ISO 27001 are
sharing privileged user accounts and breaking other standard guidance,
according to a survey of IT managers.
Some 47 percent of firms in the UK said they were compliant with the
standard. But forty-one percent of these said that they were...

EXCLUSIVE: Chinese spymaster complains about news leak

Posted by InfoSec News on Oct 22

http://www.washingtontimes.com/news/2009/oct/08/inside-the-ring-68161223/
By Bill Gertz
INSIDE THE RING
October 8, 2009
China's most senior military intelligence official, a veteran of spy
operations in Europe and cyberspace, recently made a secret visit to the
United States and complained to the Pentagon about the press leak on the
Chinese submarine that secretly shadowed the USS Kitty Hawk aircraft
carrier in 2006.
Maj. Gen. Yang Hui...

Metasploit Project Sold To Rapid7

Posted by InfoSec News on Oct 22

http://www.darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=220800067
By Kelly Jackson Higgins
DarkReading
Oct 21, 2009
Vulnerability management vendor Rapid7 has purchased the popular
open-source Metasploit penetration testing tool project and named
Metasploit founder HD Moore chief security officer of the company.
Moore, who is synonymous with the Metasploit Project, will continue as
chief...

Area women unhappy over cancer data theft

Posted by InfoSec News on Oct 22

http://www.springhopeenterprise.com/default.asp?sourceid=&smenu=100&twindow=Default&mad=No&sdetail=3938&wpage=&skeyword=&sidate=&ccat=&ccatm=&restate=&restatus=&reoption=&retype=&repmin=&repmax=&rebed=&rebath=&subname=&pform=&sc=1379
By KEN MURCHISON
Spring Hope Enterprise
OCT 22, 2009
Many women in this area who have had mammograms are being warned by the
UNC...

Air Force focusing on cyber warfare challenges

Posted by InfoSec News on Oct 22

http://www.daytondailynews.com/business/air-force-focusing-on-cyber-warfare-challenges-358573.html
By John Nolan
Staff Writer
Dayton Daily News
October 21, 2009
DAYTON - Add this to the complexities of cyber warfare: It may someday
be difficult for the United States to attack an enemy in cyberspace
without damaging a network that the U.S. military itself needs for its
own electronic communications.
That is one of many issues that the...

Microsoft chief admits Sidekick outage hurt cloud

Posted by InfoSec News on Oct 22

http://news.techworld.com/storage/3204465/microsoft-chief-admits-sidekick-outage-hurt-cloud/
By John Fontana
Network World US
20 October 09
Microsoft CEO Steve Ballmer characterised the recent Sidekick data loss
episode as "not good", and said he believes all the data will be
recovered, but added that Microsoft will have to be more forthcoming in
explaining to enterprise customers why a similar situation won't occur
with...

San Jose jury hears conflicting stories in opening of espionage trial

Posted by InfoSec News on Oct 22

http://www.mercurynews.com/news/ci_13614574
By Howard Mintz
mercurynews.com
10/21/2009
Spies in the heart of Silicon Valley. Or two gifted engineers looking to
jump start a new company that could do business in booming China with
their own superfast computer chip.
Those were the two competing stories presented Wednesday to a federal
jury in San Jose, where valley engineers Lan Lee and Yuefei Ge find
themselves facing one of the nation's...

InformationWeek Security News

InformationWeek

Google's 'Gov Cloud' Wins $7.2 Million Los Angeles Contract

By Thomas Claburn

The City of Los Angeles plans to replace its Novell GroupWise e-mail system with Google Apps, partly using anti-trust settlement money paid by Microsoft.

Google CEO Imagines Era Of Mobile Supercomputers

By Thomas Claburn

The future, as Eric Schmidt describes it, belongs to smart phones and data centers.

SAP, Nokia Partner On Mobile Security

By Mary Hayes Weier

With the joint venture's technology, prescription drugs, software, and other goods could be tagged with smart barcodes to protect them from counterfeiting.

E-Health Records Option Extended To Families

By Marianne Kolbasuk McGee

Dossia, whose consortium members include Wal-Mart and Intel, is making it easier for employees' dependents to sign up for electronic health records.

Cisco To Acquire ScanSafe

By Thomas Claburn

The market for tech companies is heating up again, as Cisco strengthens its position in Web and mobile security.

Top 10 E-mail Blunders Of 2009, So Far

By Thomas Claburn

Proofpoint's list of the ten biggest e-mail gaffes this year shows that organizations have yet to deal with the risks of e-mail.

Trend Micro Secures Virtual, Cloud Servers

By Thomas Claburn

To address unique server security challenges, Trend Micro is connecting its Deep Security software to virtual machines and the cloud.

Guarding the Guards

By Adam Ely

Firewall management software makes sure your policies actually match your security goals.

Evidence Points To China In Cyber Attacks

By J. Nicholas Hoover

A Northrop Grumman report suggests that the Chinese government is behind a coordinated series of attacks on U.S. government and private sector computer systems.

Web 2.0 Summit: The Browser Is What Matters

By Thomas Claburn

Google's Sundar Pichai provides some hints about his company's upcoming browser-based Chrome operating system.

Secret Service To Revamp Ailing IT Systems

By J. Nicholas Hoover

In an effort to avoid 'mission failure,' the agency plans to deploy new storage systems, virtualize servers, modernize databases, and expand mobile and wireless capabilities.

InSecurity Complex

Keeping tabs on flaws, fixes, and the people behind them.

Bank Trojan botnet targets Facebook users

By Elinor Mills

On the heels of one fake Facebook e-mail scam, a researcher warned on Wednesday of another such campaign in which users of the popular social network are being tricked into revealing their passwords and downloading a Trojan that steals financial data.

In the latest scam being blasted to e-mail in-boxes, ...

LA approves $7.2 million Google Apps deal

By Elinor Mills

The city council in Los Angeles on Tuesday unanimously approved a $7.2 million deal to use Google Apps.

(Credit: City of Los Angeles)

The contract is tentative, contingent on integration provider Computer Sciences Corp.'s agreement to pay a penalty in the event of a security breach, according to ...

US-CERT warns about free BlackBerry spyware app

By Elinor Mills

The creator of PhoneSnoop shows how the free spyware app works in a video on his blog.

(Credit: Chirashi Security)

The U.S. Computer Emergency Readiness Team warned BlackBerry users on Tuesday about a new program called PhoneSnoop that allows someone to remotely eavesdrop on phone conversations.

The PhoneSnoop application ...

Web-based malware infections rise rapidly, stats show

By Elinor Mills

The number of Web sites hosting malicious software, either intentionally or unwittingly, is rising rapidly, according to statistics to be released on Tuesday from Dasient.

More than 640,000 Web sites and about 5.8 million pages are infected with malware, according to Dasient, which was founded by former Googlers ...

Time Warner home routers still open to attack, blogger says

By Elinor Mills

If you have an SMC8014 cable modem/Wi-Fi router from Time Warner your network might still be vulnerable to attack.

Blogger David Chen reported last week on a security hole affecting about 67,000 combo modem/router devices that could allow anyone to access Time Warner customers' private networks, snoop ...

Defense Department to partially lift flash drive ban

By Elinor Mills

(Credit: U.S. Navy)

The U.S. Department of Defense ban on USB thumb drives instituted nearly a year ago will eventually be partially lifted to allow authorized people to use official flash drives for mission-critical functions, according to a top military official.

"In the future, we expect that a ...

Spying on a stolen laptop

By Elinor Mills

Imagine your laptop gets stolen. Wouldn't it be great to remotely spy on the machine and get it back?

Clair Fleener, chief executive of IT outsourcer InertLogic, got that chance after a laptop belonging to a customer was stolen.

Fleener was instrumental in the investigation that led to the ...

Demos to show spying on mobile IP calls

By Elinor Mills

Using VoIP-based mobile devices over Wi-Fi or IP video phones? Be careful.

Researchers plan to demonstrate this weekend how they can eavesdrop on voice over IP conversations made using an iPhone over a Wi-Fi network and snoop on video and audio communications between IP video phones.

These types of man-in-the-middle ...

Q&A: Schneier warns of marketers and dancing pigs

By Elinor Mills

Bruce Schneier

(Credit: Ann De Wulf)

In a security industry full of FUD and hype, cryptographer and consultant Bruce Schneier offers a no-nonsense reality check verging on social commentary.

He has worked on numerous ciphers, hash functions, and other cryptographic algorithms that are arcane to the average computer user but which have been instrumental in protecting the privacy of data. But his influence extends beyond the world of encryption.

Schneier wrote several bestselling books--including "Secrets and Lies: Digital Security in a Networked World," "Beyond Fear: Thinking Sensibly about Security in an Uncertain World," and his latest, "Schneier on Security"--that provide perspective on risks and threats in everything from e-mail to airport security. And his Crypto-Gram newsletter and blog are considered must-reads inside and outside the industry.

Opinionated and cynical, he doesn't hesitate to point out that one of the biggest limitations of technology is people. ("The user's going to pick dancing pigs over security every time," he has been quoted as saying.)

In an e-mail interview with CNET News, Schneier pokes fun at National Cyber Security Month, talks about his background in crypto and working for the U.S. Defense Department, and says he fears privacy invasion more from marketers than governments or criminals.

Q: You started out as a cryptographer but are considered an expert on all types of security threats, hypes, and realities. Do you still do much cryptography?
Schneier: Some. I'm a member of the cryptographic team that developed the Skein hash function, currently a second-round candidate in NIST's competition to choose an SHA-3. These competitions are kind of like cryptographic demolitions derbies: all the teams put their algorithms in the ring and try to beat up everyone else's. NIST received 64 submissions, of which 51 met the submission criteria. Of those 51, 14 proceeded to the second round. It's great fun to be working on this.

Overall, though, I am not doing a lot of cryptography. Over the past several years I have been studying security economics, and more recently, the psychology of security. These are important new fields that will have many lessons for security technology.

What are your thoughts on the state of cryptography today? There doesn't seem to be anything going on as exciting as the crypto battles of the 1990s.
Schneier: We really have all the cryptography we need for the foreseeable future; the problem is using it securely. Computer and network security are by far the weaker links. Even worse are things like user interface, installation, implementation, configuration, use, and update. There's so much good cryptography that doesn't get used properly because of one of these issues. These are hardly new areas, but they're the areas that need the most work.

Do you encrypt your e-mail?
...

Windows 7 default user account control worries experts

By Elinor Mills

Corporate IT departments should be pleased with new security measures in Windows 7, but consumers are still at risk of getting hit by malware despite changes in the User Account Control (UAC) feature designed to help people be smarter when using applications, security experts say.

Probably the most talked about ...

McAfee Avert Labs

Cutting edge security research as it happens.......

Let’s Play ‘Find the Errors’

By Pedro Bueno on Web and Internet Safety

I’m writing this blog to demonstrate how the bad guys are getting better each day–or not, depending on your point of view. Once again our topic is Brazilian malware authors. Yes, the dumb ones I keep running up against. One of the recent versions of the PWS-Banker Trojan being distributed via spam has an interesting feature. First, [...]

McAfee Labs Goes After Evil Maid

By Aditya Kapoor, Rachit Mathur on Rootkits and Stealth Malware

In her recent blog Joanna Rutkowska describes proof-of-concept code to attack TrueCrypt system disk encryption. The blog also mentions “the concept behind the Evil Maid Attack is neither new, nor l33t in any way.” However, because the POC is now published, we expect script kiddies to jump on this opportunity and tweak this code [...]

Balloon Boy Spam Drifts Through Town

By David Marcus on Web and Internet Safety

It’s bad enough that we are subjected to apparently fake child-peril balloon shenanigans in the news–and I guess this was only to be expected–but it seems that spammers and scammers have latched onto Balloon Boy as a lure to sell pharmaceuticals. Given the amount of news the original story of Falcon Heene and the runaway [...]

Network World on Security

The latest security news, analysis, reviews and feature articles from NetworkWorld.com.

Google accused of 'malicious revenge' in China

The official newspaper of China's ruling communist party has accused Google of seeking "malicious revenge" after a malware warning appeared next to one of its Web sites in Google's search results.

Norton 360 beta 4 made available

Symantec has made a new beta version of its Norton 360 all-in-one security software publicly available.

IT Security Outsourcing in Decline

Seventh Annual Global Information Security Survey: Companies that once outsourced many IT security controls have opted to do more in-house. A look at what caused the shift. (Third in a four-part series)

Targeted attacks possible in the cloud, researchers warn

The use of virtualization by cloud service providers to host virtual machines belonging to multiple customers on a shared physical infrastructure is opening up fresh data leak risks, a research report warns.

Mozilla fixes 16 flaws with Firefox 3.5.4

Mozilla today patched 16 vulnerabilities in Firefox, 11 of them critical, as it updated the open-source browser to version 3.5.4.

Internet phone systems become the fraudster's tool

Cybercriminals have found a new launching pad for their scams: the phone systems of small and medium-sized businesses across the U.S.

Google Apps scores in L.A., with assist from Microsoft

Los Angeles City Council approved a $7.25 million five-year deal Tuesday in which the city will adopt Gmail and other Google Apps.

Privacy: Why Google Social Search Gives Me The Creeps

Has Google started following us around? Its new Google Social Search feature, going live today, sure feels like it. And it hints at what Google can do both for and to you with all the information it has collected.

Brocade partners with Thales for network-based encryption appliance

Brocade and Thales have combined switching and encryption technologies to create a SAN-based appliance that encrypts data on the fly at high speed and performs centralized key management.

Practical identity protection you can use

Is it Christmas already? I'm beginning to receive informative e-mails about evil hackers who want to steal my identity during the dangerous (and ever lengthening) holiday season. As usual the advice ranges from lame to impossible.

Judge says TD Ameritrade's proposed security fixes not enough

A federal judge's rejection of a proposed settlement by TD Ameritrade Inc. in a data breach lawsuit marks the second time in recent months that a court has weighed in on what it considers to be basic security standards for protecting data.

New spam: Your bank has failed, download this Trojan

Spam that tells victims their bank has failed urges them to click on a link that supposedly tells them whether their accounts are insured, but which really tries to trick them into downloading a Trojan that will turn their machine into a bot.

China security market tough to crack for foreign vendors

Major security vendors looking to crack China's market have met obstacles localizing their products and securing distribution channels, analysts said Tuesday.

India's new IT law increases surveillance powers

A new IT law has come into force in India that frees Internet portals from liability for third-party content and activity, but also gives the government powers to monitor communications on the Internet, and block web sites that are found to be offensive.

The Curse of Cloud Security

Seventh Annual Global Information Security Survey: Companies are clamoring for services in the cloud. But the biggest problem from a security perspective is that few understand what they're dealing with. (Second of a four-part series)

Cisco buying Web security firm ScanSafe for $183 million

Cisco has announced plans to buy privately held ScanSafe, a maker of software-as-a-service (SaaS) Web security services for enterprises and small-to-midsize businesses, for $183 million.

CalOptima says data on 68,000 members may be compromised

Personal data on about 68,000 members of CalOptima, a Medicaid managed care plan serving Orange County, Calif., may have been compromised earlier this month.

NSA to build $1.5B cybersecurity center near Salt Lake City

The National Security Agency is setting up a new $1.5 billion cybersecurity data center at the Utah National Guard's Camp Williams near Salt Lake City.

Windows 7: Choosing the Right Version

In case you missed it, Windows 7 is available now. October 22nd was marked with a moderate amount of hoopla to introduce the new flagship operating system. Now, users are faced with the task of not only deciding whether or not to upgrade, but of choosing which of the many variations of Windows 7 to install.

Government: Come hack our data

This week the Federal Government will open its data to web developers during its first hack day.

Guardian jobs site falls victim to 'sophisticated' hack

A major U.K. newspaper has notified 500,000 people that details they posted to the newspaper's employment site may be in the hands of hackers.

500,000 job hunters details exposed in Guardian hack

Sensitive personal data belonging to 500,000 job hunters have been exposed after hackers attacked The Guardian's Jobs website.

Pirate Bay ordered to remove links to copyright material

A Dutch court has ordered controversial BitTorrents search engine The Pirate Bay to remove links to copyrighted material.

Companies Seek Social Networking's Promise, But Peril

Social networking sites such as Twitter, Facebook and LinkedIn enhance collaboration but also make it easier than ever for your employees to share customer data and company secrets with outsiders (First of a four-part series).

NIST SP800-53 Rev. 3: Key to Unified Security Across Federal Government and Private Sectors

Standards play a critical role in information assurance. Given the impossibility of defining a deterministic model that includes billions of users, millions of computers, and thousands of programs and protocols potentially interacting with each other unpredictably, we have to rely on human consensus about best practices if we are to progress in our field. Standards also provide a basis for demonstrating due care and diligence in fulfilling our fiduciary responsibilities to stakeholders.

Trend Micro bolsters virtualization security options

Trend Micro's Deep Security firewall/intrusion-protection system software for VMware's ESX server can protect multiple virtual machines on one physical server.

Are Flash Cookies Devouring Your Privacy?

Even if you delete normal tracking cookies regularly to evade tracking by snooping sites and eager advertisers, little-known Flash cookies may be making an end run around your attempts to preserve your privacy.

Trend Micro CEO: hackers hitting AV infrastructure

It's become an all-too-common scam: A legitimate Web site pops up a window that looks just like a real security warning. It says there's something wrong with the computer, and click here to fix it. A few clicks later, the victim is paying out US$40 for some bogus software, called rogue antivirus.

Study: US gov't cybersecurity spending to grow significantly

U.S. government spending on cybersecurity will grow at a compound rate of 8.1 percent a year between 2009 and 2014, outpacing general IT spending, according to the government analyst firm Input.

Former federal worker sentenced for passport snooping

A former employee at the U.S. Department of State was sentenced to 12 months of probation Friday for illegally accessing more than 75 confidential passport application files, the U.S. Department of Justice said.

Ruminations on the Intersection of Inner Space & Cyber Space

For decades, cyber technologies brought forth from human genius have been radically transforming our society. Business, government, science and culture have changed swiftly and dramatically. Consequently, for decades, our collective psyche has been trying to work out its intense and complex relationship with these powerful cyber technologies. Just as Godzilla (1954), and its spin-offs, reflected the collective psyche's attempts to come to grips with grief over Hiroshima and Nagasaki, and anxieties over the threat of global nuclear war; the human race's unconscious fears and doubts about cyberspace have been projected on to the big screen in numerous sci-fi epics, notably:

Win 7 Launch: Early Adopters Eager to Bid Farewell to XP

At the Windows 7 launch in New York, businesses planning to migrate to Windows 7 discussed cost savings, testing strategies, and security hopes and fears with CIO.com. One consensus: Windows XP is on life support.

Zurich loses data of 641,000 customers on tape

Insurance giant Zurich has lost the sensitive personal account details of 641,000 customers held on backup tape.

Phishers Dangle Some Brand-New Bait

In September 2009, some unlucky visitors at the New York Times Web site clicked on an ad that attempted to install malware. The advertisement displayed a popup window informing readers that their computer might be infected with a virus; only by purchasing a new antivirus product could they be sure of having a clean system.

Analysis: Real ID program on life support

A decision by lawmakers in Congress to slash funding for the unpopular Real ID national driver's license program has put an already struggling program on life support.

Bugs and Fixes: Stymie Malicious Media, Attacks

Essential OS fixes are big this month. And fans of free software need to update their Firefox and OpenOffice copies.

Report says China ready for cyber-war, espionage

Looking to gain the upper hand in any future cyber conflicts, China is probably spying on U.S. companies and government, according to a report commissioned by a Congressional advisory panel monitoring the security implications of trade with China.

Microsoft wants ISO security certification for its Cloud services

Microsoft Corp. wants to get its suite of hosted messaging and collaboration products certified to the ISO 27001 international information security standard, part of an effort to assure customers about the security of its cloud computing services.

Taking the 'Closed' Out of CCTV

CCTV surveillance systems are notoriously proprietary. (Hey, those circuits are "closed", after all.) The IP networking protocol is generally thought of as an 'open' system - but that doesn't mean all IP-based surveillance devices work together.

Almost half ISO 27001 'compliant' firms break with security

Almost half of businesses that claim compliance with ISO 27001 are sharing privileged user accounts and breaking other standard guidance, according to a survey of IT managers.

DHS to get big boost in cybersecurity spending in 2010

The U.S. Department of Homeland Security will likely have a substantially bigger cybersecurity budget for fiscal 2010 compared to this year.

Anonymity of users is key issue in cyber crime: Kaspersky

The relative anonymity of Internet users is the key issue in managing cyber crime, according to Eugene Kaspersky, founder of Russian security firm Kaspersky.

Botnets contributing more than ever to click fraud

Networks of hacked computers are being used more than ever to click on advertisements, a scam known as click fraud that cheats search engines, publishers and ad networks out of revenue.

Fraudsters trying to capture bank cards at machines

If your cash card gets eaten by the automated-teller machine, it may not end up in the hands of a bank employee.

Privacy advocate has ally in Social Security numbers fight

A fight to stop a Virginia privacy advocate from republishing on her Web site Social Security numbers obtained legally from public records on government sites is attracting the attention of some privacy heavyweights.

Gaping security hole turned 64,000 Time Warner cable modems into hacker prey

A blogger helping to tune a friend's wi-fi network uncovered a gaping security hole in Wi-Fi cable modem routers installed in 64,000 Time Warner subscribers' homes, leaving them open to attack.

Phoenix claims DeviceVM stole its instant-on technology

Ratcheting up the already hard-fought competition in the instant-on market, Phoenix Technologies Ltd. is suing next-door rival DeviceVM Inc. for trade secret theft.

Report: Employee Holiday Shopping Will Strain Security

Despite a lagging economy, many workers will shop online while at work this coming holiday season, according to a survey conducted on behalf of ISACA, a nonprofit association of information technology (IT) professionals. The second annual "Shopping on the Job: Online Holiday Shopping and Workplace Internet Safety" survey found that fully half of those surveyed plan to use their company's computer to shop, putting a strain on employers' systems and potentially compromising an organization's sensitive information and security.

Disk Encryption: How to Buy FDE

Characteristics of an Effective FDE (Full Disk Encryption) Solution

Making Sense of Rapid7's Metasploit Acquisition

News of Rapid7's Metasploit acquisition hit some in the information security community like a clap of thunder. The Metasploit Project has a deep, loyal user base, and it's always unsettling to those who rely on open-source tools when those tools are snatched up by a commercial vendor.

4 Tips for Writing a Great Social Media Security Policy

Facebook now claims 300 million active users. And Twitter, the micro-blogging site that was almost unheard of at the beginning of 2008, is now one of the internet's 50 most popular sites, according to Alexa Internet Inc.'s web traffic statistics.

The Register

The Register - Security

Biting the hand that feeds IT

Free Microsoft security tool locks down buggy apps
No assembly required

Microsoft has released a free tool designed to harden software applications against attacks that exploit common security vulnerabilities.…

Mass web infections spike to 6 million pages
640k sites out to get you

An estimated 5.8 million pages belonging to 640,000 websites were infected with code designed to launch malware attacks on visitors, according to a report released Tuesday.…

Gizmodo says sorry for malware suckerpunch
Staff on Macs late to spot hack

Tech blog Gizmodo has been suckerpunched by cyber scoundrels, who placed malware-loaded web ads on the site.…

Raytheon buys BBN for 'about $350m'
Arms biz buys up the "@" in email

Renowned techsploration company BBN - famed far and wide for inventing forerunner internet kit, and for giving the world the "@" symbol in email addresses - has been bought by US armsbiz colossus Raytheon. The move illustrates growing aspirations on the part of arms firms to do business in the information systems sector.…

Guardian loses half a million CVs
Police probe massive hack

The Guardian newspaper's jobs website has warned 500,000 users that hackers may have got hold of private information held on the site after a "sophisticated and deliberate" attack.…

Rogue trader calls for smarter regulation to avert disaster
Never mind the bonuses - listen to the Leeson lesson

RSA Europe 2009 Nick Leeson, the rogue trader who bankrupted a bank before it became fashionable, said that unless the quality of regulation improves, further financial disasters such as the Barings Bank collapse he precipitated are inevitable.…

California pair charged with multistate credit card fraud
'Adam Constant' and the case of the missing suitcase

Federal authorities have accused a California pair of racking up more than $50,000 in fraudulent charges using more than 100 cloned credit cards.…

Hotspot sniffer eavesdrops on iPhone in real-time
Audio and video VoIP sniffed

People who use public WiFi to make iPhone calls or conduct video conferences take heed: It just got a lot easier to monitor your conversations in real time.…

Computing website apologises for data gaffe
Egg/face interface

Venerable tech mag Computing has apologised to readers who clicked on a link in a marketing email only to find a completed form filled with someone else's account details.…

Operation Eagle Claw nets 18 Nigerian spammers
More to come say Nigerian scam police

Nigeria's Economic and Financial Crimes Commission is promising to push the country out of the top ten for fraudulent emails thanks to arrests and proactive action to scan all emails.…

Pizza-making ATM hacker avoids jail
Scam and pineapple

An Australian pizza store worker turned hacker has avoided prison after he was convicted of stealing A$30,000 ($28,000) from ATMs using computer hacking.…

Rapid7 penetrates Metasploit
Pen testing tool gets commercial backing

Vulnerability management firm Rapid7 has acquired Metasploit, the popular open source dual-use penetration testing and hacking tool. Commercial terms of the deal were not disclosed.…

Botnet click fraud at record high
Move over, mules

Malware-infected computers are increasingly being used to perpetrate click fraud, according to a study released Thursday that found their contribution was the highest since researchers began compiling statistics on the crime.…

China fingered in cyberattack on mystery high tech co.
'Extremely large volumes' siphoned

The Chinese government is stepping up efforts to steal valuable information from high-technology companies in other countries, according to a congressional advisory panel, which detailed one operation that siphoned "extremely large volumes" of sensitive data.…

Free download turns BlackBerry into remote bugging device
Coming to a handset near you

A free software program released Thursday turns everyday BlackBerry smartphones into remote bugging devices.…

Aussie atheists knocked offline
Hand of hackers rather than the Lord

Two major Australian atheist websites were taken offline by distributed denial of service attacks earlier this week.…

FBI and SOCA plot cybercrime smackdown
White hats get proactive on e-crime

RSA Europe 2009 The FBI and the UK’s Serious and Organised Crime Agency have drawn up a program for dismantling and disrupting cybercrime operations. The effort relies on a better understanding of the business models of carders, malware authors and hacker groups which have increasingly come to resemble those of legitimate businesses.…

SANS RSS Feed

SANS Information Security Reading Room

Last 25 Computer Security Papers added to the Reading Room

Women in IT Security Project Management

Category: Management & Leadership

Paper Added: October 27, 2009

SANS Internet Storm Center, InfoCON: green

Cyber Security Awareness Month - Day 28 - ntp (123/udp), (Wed, Oct 28th)

With projects like DShield, I have spent a lot of time around logs. One of the challenges in collec ...(more)...

Firefox 3.5.4 released. Lots of security bug fixes. (thanks Gilbert!), (Wed, Oct 28th)

------ Johannes B. Ullrich, Ph ...(more)...

Sniffing SSL: RFC 4366 and TLS Extensions, (Wed, Oct 28th)

About once a week, we have a reader complain about a bad certificate for incidents.org ...(more)...

VMware Security Advisory: VMSA-2009-0015, (Tue, Oct 27th)

VMware released security advisory VMSA-2009-0015 today, announcing patches that resolve two sec ...(more)...

Cyber Security Awareness Month - Day 27 - Active Directory Ports, (Tue, Oct 27th)

In the series of posts this month we've been looking at network ports relevant to security administr ...(more)...

New VMware Desktop Products Released (Workstation, Fusion, ACE), (Tue, Oct 27th)

VMware Fusion 3.0 went from Release Candidate to General Availability last night, as did VMwar ...(more)...

Social Engineering in Real-World Computer Attacks, (Tue, Oct 27th)

Why bother breaking down the door if you can simply ask to be let in? Social engineering works, both ...(more)...

Today: ISC Login bugfix day. If you have issues logging in using OpenID, please email a copy of your OpenID URL to jullrich\at\sans.edu, (Mon, Oct 26th)

------ Johannes B. Ullrich, Ph ...(more)...

Cyber Security Awareness Month - Day 26 port1433/1434 MSSQL, (Mon, Oct 26th)

Port 1433 together with port 1434 are the ports most associated with MSSQL or to security people as ...(more)...

Web honeypot Update, (Mon, Oct 26th)

We just released a significant update to our web honeypot. If you are running it, please update (and ...(more)...

FYI - Microsoft Baseline Security Analyser has a new version 2.1.1. Now with support for Windows 7 and Server 2008 R2 (thanks Jon), (Mon, Oct 26th)

...(more)...

Cyber Security Awareness Month - Day 25 - Port 80 and 443, (Sun, Oct 25th)

Port 80 and 443 are ports generally associated with the Internet. Port 443/HTTPS i ...(more)...

Cyber Security Awareness Month - Day 24 - The Small Services, (Sat, Oct 24th)

The ports below 20 and also 37 are frequently called the small services and can be safel ...(more)...

What's with tcp/0?, (Sat, Oct 24th)

In case you did not notice, the DShield system is going nuts with reports on tcp/0. Stephen Ha ...(more)...

Windows 7 - How is it doing?, (Sat, Oct 24th)

Microsoft's Windows 7 operating system was officially released on Thursday October 22nd. I'm s ...(more)...

Little new tool: reversing md5/sha1 hashes http://isc.sans.org/tools/reversehash.html, (Fri, Oct 23rd)

------ Johannes B. Ullrich, Ph ...(more)...

Cyber Security Awareness Month - Day 23 port 179 TCP - Border Gateway Protocol, (Fri, Oct 23rd)

What is BGP? It is the default Exterior Gateway Protocol for the INTERNET. It is also often the In ...(more)...

Snort Updated to Version 2.8.5.1, (Thu, Oct 22nd)

...(more)...

Sysinternals updates: Disk2vhd v1.1, ZoomIt v4.1, Coreinfo v2.0, VMMap v2.4, (Thu, Oct 22nd)

...(more)...

SANS RSS Feed

SANS NewsBites

All Stories From Vol: 11 - Issue: 85

NIST Postpones Proposed IT Lab Reorganization (October 22 & 23, 2009)

The National Institute of Standards and Technology (NIST) announced last week that "based on the feedback (they) continue to receive," a planned reorganization of its Information Technology Laboratory has been postponed.......

New Gmail Feature Helps Avoid Some Misdirected Messages (October 21 & 24, 2009)

Gmail has introduced a new optional feature designed to help prevent sending email to unintended recipients.......

Cyber Thieves Stole US $40 Million from Small and Mid-Sized Businesses (October 26, 2009)

The FBI says that since 2004, cyber thieves believed to be based in Eastern Europe have stolen US $40 million from small and mid-sized US businesses.......

Chamber of Commerce Press Release Hoax Prompts DMCA Takedown Notice (October 23, 2009)

California Internet service provider (ISP) Hurricane Electric has complied with a Digital Millennium Copyright Act (DMCA) takedown notice to remove a phony press release that was designed to appear as if it came from the US Chamber of Commerce.......

Operation Eagle Claw Aims to Thwart Nigerian eMail Scammers (October 23, 2009)

An initiative dubbed "Operation Eagle Claw" aims to move "Nigeria out of the top ten list of countries with the highest incidence of fraudulent emails," according to Farida Waziri, chairwoman of the country's Economic and Financial Crimes Commission.......

DHS Info-Sharing Program Needs to Meet Privacy Standards (October 23, 2009)

The Department of Homeland Security Appropriations Act 2010 (H.......

Swiss Foreign Ministry Computer Network Breached (October 26, 2009)

The Swiss Foreign Ministry says that attackers penetrated its computer system with the intent of stealing data from the network.......

Missing CDs Hold Medical Patient Data (October 26, 2009)

Personally identifiable information of 68,000 members of a CalOptima, California Medicaid managed health care plan, has been compromised after several unencrypted CDs sent through certified mail did not arrive at their destination.......

Guardian Breach Exposes Job Hunters' Personal Information (October 25 & 26, 2009)

The Guardian newspaper has notified 500,000 people that their personal information was compromised during a "deliberate and sophisticated" attack on the paper's jobs website.......

US $14.6 Million Fine in Australian Text Message Scam Case (October 23, 2009)

Australia's Federal Court has fined two organizations and three individuals a total of AU $15.......

ATM Hacker Gets Probation (October 23, 2009)

Australian pizza parlor worker and erstwhile hacker Brian Sommer will not be sent to jail for his role in stealing AU $30,000 (US $27,430) from ATM machines.......

Social Networking Sites Provide Data Thieves With Plenty of Raw Material (October 21 & 23, 2009)

The growing use of social networking sites is proving to be ripe pickings for identity thieves.......

Man Sentenced to Nearly Four-and-a-Half Years in Prison for Selling Pirated Software (October 22 & 23, 2009)

Gregory William Fair has been sentenced to 41 months in prison for selling pirated software over the Internet.......

Report Warns of Chinese Cyber Threat (October 22, 2009)

The US-China Economic and Security Review Commission this week released a report titled "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation.......

European Parliament Shifts Stance on Disconnecting Illegal Filesharers (October 23, 2009)

The European Parliament has removed an amendment to its telecommunications legislation that would have made it difficult for member countries to cut off Internet service to file sharing copyright violators without a court order.......

FCC Moves Forward on Net Neutrality (October 22, 2009)

On Thursday, the US Federal Communications Commission (FCC) voted unanimously to begin the rulemaking proceeding to codify existing Net neutrality principles.......

Legislators Take Aim at Certain Patriot Act Provisions (October 21, 2009)

US legislators have introduced proposals that would reform certain provisions of 2001's USA Patriot Act, some of which are set to expire at the end of this calendar year.......

Microsoft Releases Windows 7 (October 18, 21 & 22, 2009)

Microsoft Windows 7 is now available to the general public.......

Bill Increases DHS Budget for Internal Cyber Security Improvements (October 22, 2009)

The US Senate approved a bill designating a budget of nearly US $43 billion to the Department of Homeland Security (DHS).......

"Cautious Optimism" About Rapid7's Acquisition of Metasploit (October 21, 2009)

Concerns about Rapid7's acquisition of Metasploit appear to be fading after it was announced that the terms of the deal call for Metasploit to continue operating as an open source enterprise.......

Bing Bug Fix Expected by End of Week (October 21, 2009)

Microsoft is fixing a bug in its Bing search engine that was being exploited by spammers to get around filters.......

Scareware Goes Hybrid (October 20, 2009)

According to information from both Symantec and Panda Security, scareware purveyors have begun releasing hybrid malware.......

Air Force Association Announces Cyber Challenge for High School Students (October 19, 2009)

Starting on November 7, 200 teams of high school students from the US, Japan and South Korea will compete in the US Air Force Association's CyberPatriot II, a series of live cyber war games aimed at promoting careers in related fields.......

SearchSecurity.com

SearchSecurity: Security Wire Daily News

The latest information security news on IT threats, vulnerabilities and market trends from the award-winning SearchSecurity.com.

Silon malware intercepts Internet Explorer sessions, steals credentials

By Robert Westervelt

A new malware variant called Silon has been associated with attacks against large banks, according to an advisory issued by Trusteer researchers.

Researchers find thousands of flawed embedded devices

By Robert Westervelt

Columbia University researchers found thousands of devices, from home routers to video conferencing units at risk. They say their research has implications for enterprises.

Pushdo botnet uses Facebook to spread malicious email attachment

By Robert Westervelt

A phony message warns users that their Facebook password has been reset.

Cisco acquires SaaS security vendor ScanSafe

By Neil Roiter

Cisco said the move would complement its line of IronPort appliances by offering customers Web security gateway services in the cloud.

Group to shed light on secure identity management threats

By Robert Westervelt

Identity management technologies are struggling to keep pace with the constantly evolving nature of attacks, according to the Center for Applied Identity Management Research (CAIMR).

Heartland CIO on end-to-end encryption, credit card tokenization

By Robert Westervelt

In this interview, Heartland CIO Steven Elefant explains Heartland's E3 end-to-end encryption plan and explains how some tokenization plans could create security weaknesses.

Heartland CIO is critical of First Data's credit card tokenization plan

By Robert Westervelt

First Data Corp. uses RSA software for tokenization, providing a possible threat vector for attackers, says Heartland CIO Steven Elefant.

Trend Micro to address DLP after analyst report criticizes strategy

By Robert Westervelt

Trend Micro CEO Eva Chen said the company plans further development to its data leakage protection product, integrating it with its threat management appliance.

SecuriTeam.com

SecuriTeam

Welcome to the SecuriTeam RSS Feed - sponsored by Beyond Security. Know Your Vulnerabilities! Visit BeyondSecurity.com for your web site, network and code security audit and scanning needs.

vBulletin Cross Site Scripting Vulnerability

An XSS flaw within the user profile page has recently been discovered. This could allow an attacker to carry out an action as a user or obtain access to a user's account. To resolve this issue, it has been necessary to release a patch level version of the active versions of vBulletin.

OSSIM Multiple Vulnerabilities

OSSIM - Open Source Security Information Management is vulnerable to multiple security vulnerabilities.

Poppler and Xpdf Integer Overflow Vulnerability

Poppler and Xpdf are two popular open source projects for processing PDF files. Both projects are vulnerable to an integer overflow during heap memory allocation when processing a PDF file. In general, this results in unexpected process termination.

Avast! Local Privilege Escalation and DoS Vulnerabilities

Avast! installs some program files with insecure permissions. The "Everyone" group has "Full Control" rights to the files and folders under "%Program Files%\Alwil Software\Avast4\Data", which means that any unprivileged user can modify, delete or change the permissions of any file in the Data folder. The folder contains data, executable and configuration files, so multiple attack vectors are possible.

Microsoft Windows Local Security Authority Integer Overflow Vulnerability

The vulnerability could allow denial of service if an attacker sent a maliciously crafted packet during the NTLM authentication process.

Windows Kernel Multiple Vulnerabilities

The most severe of the vulnerabilities could allow elevation of privilege if an attacker logged on to the system and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit any of these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.

Microsoft Windows ActiveX Indexing Service Memory Corruption Vulnerability

The vulnerability could allow remote code execution if an attacker set up a malicious Web page that invokes the Indexing Service through a call to its ActiveX component. This call could include a malicious URL and exploit the vulnerability, granting the attacker access to the client system with the privileges of the user browsing the Web page. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Windows CryptoAPI Null Truncation and Integer Overflow Vulnerabilities

These vulnerabilities could allow spoofing if an attacker gains access to the certificate used by the end user for authentication.

Security - RSS Feeds

McAfee: Midsized Businesses Face Security Budget Cuts, Challenges

McAfee released a report today that highlights the IT security struggles of midsized businesses. Though more than half said they have seen more security incidents this year than last, 75 percent reported having to cut or freeze their IT security budgets.
- Midsized businesses are slashing their security budgets even as cyber-threats continue to grow, according to a report from McAfee. In a survey of 900 employees of midsized businesses around the globe conducted by MSI International, researchers found that 75 percent of the respondents reported cu...

10 Reasons Why Conficker Can Happen Again

News Analysis: The Conficker worm affected users nearly one year ago. But now that it has left the headlines, there might be a false sense of security in the Windows ecosystem. There shouldn't be. Even the most up-to-date security programs are hard-pressed to keep up with the latest threats. There are countless millions of PCs and thousands of applications that aren't protected by the latest security software or have never been patched to close known security flaws. There is no telling when some new virus or Trojan as cunningly malicious as Conficker will appear.
- It was just under a year ago that the Conficker worm was first detected. It was ravaging Windows PCs all over the world. The worm exploits Windows flaws to link the host computer to virtual command that can be controlled by the worm's remote authors. Conficker still controls millions of computers...

Facebook Password Spam Conceals Malware Attack

Researchers at several security firms have uncovered a spam campaign targeting Facebook users. The e-mails, which pose as communications from Facebook about password resets, contain a nasty downloader that ultimately makes users part of a notorious botnet.
- Researchers at several security firms have tied the Bredolab Trojan to a spam campaign targeting Facebook users. The malware is being blasted out by spammers in e-mails claiming to come from "The Facebook Team." Inside the e-mails is a message that the recipient's Facebook password has been c...

Cisco to Acquire ScanSafe for Web Security

Cisco is set to acquire SAAS security vendor ScanSafe for roughly $183 million. The move, Cisco says, will help add to the Web security capabilities the company acquired when it bought IronPort two years ago.
- Cisco Systems announced plans to acquire software-as-a-service vendor ScanSafe to broaden its presence in the cloud and expand its Web security offerings. The deal, made for approximately $183 million, is expected to close in the second quarter of Cisco's fiscal year 2010, and comes only two w...

How Notorious Trojans Hit Banks and Steal Your Money

Most of today's cyber-crime is all about one thing: money. Nowhere is that more evident than in the case of online banking Trojans. Malware targeting banking information is not new, but as recent research into the URLZone Trojan has shown, attackers are not slowing down when it comes to innovation. Security pros at Finjan tied URLZone to the theft of 300,000 euros (about $439,000 at the time) from German bank accounts during a 22-day period. Other Trojans have been equally damaging. SecureWorks uncovered Clampi earlier this year and found that it had been swiping log-in credentials from Windows users who are customers of 4,600 banking and other sites. More well-known Trojans include Zeus (Zbot) and Prg. With the help of security researchers from Symantec, Finjan and SecureWorks, eWEEK is taking a look at some of the more notorious banking Trojans plaguing users, and how cyber-thieves are getting their hands on the cash.

10 Ways to Secure Your Upgrade to Windows 7

Now that Windows 7 is finally available, there undoubtedly are many users who are preparing for an upgrade from Windows XP or Windows Vista. There's just one problem: An upgrade from Windows XP is not easily done. Microsoft didn't build in a direct migration path to Windows 7, which will force users to find clever ways to back up their data and move it to the new operating system. Windows Vista is a different story, as there is a direct migration path to Windows 7, making it easy for users to get the new operating system up and running quickly with all their settings. That said, there can be pitfalls for users of both operating systems when they prepare to migrate to Windows 7. They need to ensure that their data is secure during the entire process. And they can never be too careful. Anything can happen. So let's take a look at ways to secure an upgrade to Windows 7.

Google Offers Six Tips to Stop Malicious Online Ads

Malicious online ads have plagued the Web for some time, but a series of recent events from an attack targeting NYTimes.com in September to a number of civil lawsuits filed by Microsoft have turned the spotlight on the problem once again. Among the groups fighting all this is Google. Earlier this year, the company redesigned the site Anti-malvertising.com to add more educational content to supplement a custom search engine designed to help ad network customers conduct quick background checks. As part of Cyber Security Awareness Month, Google has issued a number of tips to help users and Web publishers alike.

Federal IT Security Spending to Increase Nearly $4B by 2014

A report by analyst company Input predicts federal IT security spending will jump to $11.7 billion by 2014. The predicted increase follows from increases in the focus on federal cyber-security and in the number of attacks.
- Federal IT security spending is expected to jump by nearly 50 percent between 2009 and 2014, according to research from analyst company Input. In a report titled "Defining the Federal Information Security Mission: 2009-2014 Forecast," the company predicts federal spending will jump ...

Windows 7 UAC Security Feature Raises Concerns

The User Account Control feature in Microsoft Windows 7 is irking some in the security community who say Microsoft may have traded security for usability.
- Concerns about the User Account Control feature in Microsoft Windows 7 have resurfaced. UAC first appeared in Windows Vista as a way to bolster Windows security by limiting standard user privileges until an administrator authorizes a privilege level increase. In Windows 7, Microsoft adjusted t...

Botnets Tied to Increase in Click Fraud

A report by Click Forensics links a growing amount of click fraud to botnets. The increase in botnet-related activity follows an overall upsurge in click fraud in the third quarter of 2009.
- New research from Click Forensics shows botnets are playing a growing role in the spread of click fraud. Click fraud is a scheme in which a person, automated script or computer program mimics a legitimate user clicking on an online ad in order to profit from a pay-per-click arrangement. ...

SecurityFocus

SecurityFocus News

SecurityFocus is the most comprehensive and trusted source of security information on the Internet. We are a vendor-neutral site that provides objective, timely and comprehensive security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.

Brief: Cyber conflict still in infancy, states analysis

Gunter Ollmann: Time to Squish SQL Injection

News: FBI and SOCA plot cybercrime smackdown

Brief: Hopes high for Windows 7 security

Brief: Rapid7 snaps up the Metasploit Project

TaoSecurity

Richard Bejtlich's blog on digital security and the practices of network security monitoring, incident response, and forensics.

Initial Thoughts on Cloud A6

By Richard Bejtlich

I'm a little late to this issue, but let me start by saying I read Craig Balding's RSA Europe 2009 Presentation this evening. In it he mentioned something called the A6 Working Group. I learned this is related to several blog posts and a Twitter discussion. In brief:

  • In May, Chris Hoff posted Incomplete Thought: The Crushing Costs of Complying With Cloud Customer “Right To Audit” Clauses, where Chris wrote Cloud providers I have spoken to are being absolutely hammered by customers acting on their “right to audit” clauses in contracts.
  • In June, Craig posted Stop the Madness! Cloud Onboarding Audits - An Open Question... where he wondered Is there an existing system/application/protocol whereby I can transmit my policy requirements to a provider, they can respond in real-time with compliance level and any additional costs, with less structured/known requirements responded to by a human (but transmitted the same way)?
  • Later in June, Craig posted in Vulnerability Scanning and Clouds: An Attempt to Move the Dialog On... where he spoke of the need for customers to conduct vulnerability assessments of cloud providers: A “ScanAuth” API call empowers the customer (or their nominated 3rd party) to scan their hosted Cloud infrastructure confident in the knowledge they won’t fall foul of the providers Terms of Service.
  • In July, Chris extended Craig's idea with Extending the Concept: A Security API for Cloud Stacks, building on the aforementioned Twitter discussions. Chris mentioned The Audit, Assertion, Assessment, and Assurance API (A6) (Title credited to @CSOAndy)... Specifically, let’s take the capabilities of something like SCAP and embed a standardized and open API layer into each IaaS, PaaS and SaaS offering (see the API blocks in the diagram below) to provide not only a standardized way of scanning for network vulnerabilities, but also configuration management, asset management, patch remediation, compliance, etc.

Still with me? In August Network World posted A6 promises a way to check up on public cloud security, which said:
What cloud services users need is a way to verify that the security they expect is being delivered, and there is an effort underway for an interface that would do just that.
Called A6 (Audit, Assertion, Assessment and Assurance API) the proposal is still in the works, driven by two people: Chris Hoff - who came up with the idea and works for Cisco - and the author of the Iron Fog blog who identifies himself as Ben, an information security consultant in Toronto.
The usefulness of the API would be that cloud providers could offer customers a look into certain aspects of the service without compromising the security of other customers’ assets or the security of the cloud provider’s network itself.
Work on a draft of A6 is posted here http://www.scribd.com/doc/18515297/A6-API-Documentation-Draft-011. It’s incomplete, but offers a sound framework for what is ultimately needed.

So let's see what that says:

The A6 API was designed with the following concepts in mind:
  1. The security stack MUST provide external systems with the ability to query a utility computing provider for their security state.
Ok, that's pretty generic. We don't know what is meant by "security state," but we're just starting.
  2. The stack MUST provide sufficient information for an evaluation of security state asserted by the provider.
Same issue as #1.
  3. The information exposed via public interfaces MUST NOT provide specific information about vulnerabilities or result in detailed security configurations being exposed to third parties or trusted customers.
Hmm, I'm lost. I'm supposed to determine "security state" but without "specific information about vulnerabilities"?
  4. The information exposed via public interfaces SHOULD NOT provide third parties or trusted customers with sufficient data as to infer the security state of a specific element within the providers environment.
Same issue as #4.
  5. The stack SHOULD reuse existing standards, tools and technologies wherever possible.
Neutral, throwaway concern.

That's about it, with the following appearing below:
In classic outsourcing deals these security policies and controls would be incorporated into the procurement contract; with cloud computing providers, the ability to enter in specific contractual obligations for security or allow for third party audits is either limited or non-existent. However, this limitation does not reduce the need for consuming organizations to protect their data.
The A6 API is intended to close this gap by providing consuming organizations with near real-time views into the security of their cloud computing provider. While this does not allow for consuming organizations to enforce their security policies and controls upon the provider, they will have information to allow them to assess their risk exposure.

Before I drop the question you're all waiting for, let me say that I think it is great people are thinking about these problems. Much better to have a discussion than to assume cloud = secure.
However, my question is this: how does this provide "consuming organizations with near real-time views into the security of their cloud computing provider"?
Here is what I think is happening. Craig started this thread because he wanted a way to conduct audit and compliance (remember I highlighted those terms) activities against cloud providers without violating their terms of service. I am sure Craig would agree that compliance != security.
The danger is that someone will believe that compliance = security, thinking one could conceivably determine security state by scanning for network vulnerabilities, but also configuration management, asset management, patch remediation, compliance, etc.
This is like network access control all over again. A good "security state" means you're allowed on the network because your system is configured "properly," the system is "patched," and so on. Never mind that the system is 0wned. Never mind that there is no API for querying 0wnage.
Don't get me wrong, this is a really difficult problem. It is exceptionally difficult to assess true system state by asking the system, since you are at the mercy of the intruder. It could be worse with cloud and virtual infrastructure if the intruder owns the system and the virtual infrastructure. Customer queries the A6 API and the cloud returns a healthy response, despite the reality. Shoot, the cloud could say it IS healthy by the definition of patches or configuration and still be 0wned.
I think there's more thought required here, but that doesn't mean A6 is a waste of time -- if we are clear that it's more about compliance and really nothing about security, or especially trustworthiness of the assets.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Wednesday is Last Day for Discounted SANS Registration

By Richard Bejtlich

In my off time I'm still busy organizing the SANS WhatWorks in Incident Detection Summit 2009, taking place in Washington, DC on 9-10 Dec 09. The agenda page should be updated soon to feature all of the speakers and panel participants. Wednesday is the last day to register at the discounted rate.
I wrote the following to provide more information on the Summit and explain its purpose.
All of us want to spend our limited information technology and security funds on the people, products, and processes that make a difference. Does it make sense to commit money to projects when we don’t know their impact? I’m not talking about fuzzy “return on investment” (ROI) calculations or fabricated “risk” ratings. Don’t we all want to know how to find intruders, right now, and then concentrate on improvements that will make it more difficult for bad guys to disclose, degrade, or deny our data?
To answer this question, I’ve teamed with SANS to organize a unique event -- the SANS WhatWorks in Incident Detection Summit 2009, on 9-10 December 2009 in Washington, DC. My goal for this two-day, vendor-neutral, practitioner-focused Summit is to provide security operators with real-life guidance on how to discover intruders in the enterprise. This isn’t a conference on a specific commercial tool, or a series of death-by-slide presentations, or lectures by people disconnected from reality. I’ve reached out to the people I know on the front lines, who find intruders on a regular, daily basis. If you don’t think good guys know how to find bad guys, spend two days with people who go toe-to-toe with the worst intruders on the planet.
We’ll discuss topics like the following:

• How do Computer Incident Response Teams and Managed Security Service Providers detect intrusions?
• What network-centric and host-centric indicators yield the best results, and how do you collect and analyze them?
• What open source tools are the best-kept secrets in the security community, and how can you put them to work immediately in your organization?
• What sources of security intelligence data produce actionable indicators?
• How can emerging disciplines such as proactive live response and volatile analysis find advanced persistent threats?

Here is a sample of the dozens of subject matter experts who will pack the schedule:
• Michael Cloppert, senior technical member of Lockheed Martin's enterprise Computer Incident Response Team and frequent SANS Forensics blogger.
• Michael Rash, Senior Security Architect for G2, Inc., author of Linux Firewalls and the psad, fwsnort, and fwknop security projects.
• Matt Richard, Malicious Code Operations Lead for the Raytheon corporate Computer Emergency Response (RayCERT) Special Technologies and Analysis Team (STAT) program.
• Martin Roesch, founder of Sourcefire and developer of Snort.
• Bamm Visscher, Lead Information Security Incident Handler for the General Electric CIRT, and author of the open source Sguil suite.

Ron Gula is scheduled to do one keynote and I'm working on the second. We'll have guest moderators for some panels too, such as Mike Cloppert and Rocky DeStefano.
I look forward to seeing you at the conference!

Review of Hacking Exposed: Web 2.0 Posted

By Richard Bejtlich

Amazon.com just posted my three star review of Hacking Exposed: Web 2.0 by Rich Cannings, Himanshu Dwivedi, Zane Lackey, et al. From the review:
I have to agree with the other 3-star reviews of Hacking Exposed: Web 2.0 (HEW2). This book just does not stand up to the competition, such as The Web Application Hacker's Handbook (TWAHH) or Web Security Testing Cookbook (WSTC). I knew this book was in trouble when I was already reading snippets mentioning JavaScript arrays in the introduction. That set the tone for the book: compressed, probably rushed, mixing material of differing levels of difficulty. For example, p 8 mentions using prepared statements as a defense against SQL injection. However, only a paragraph on the topic appears, with no code samples (unlike TWAHH).
Note: McGraw-Hill Osborne provided me a free review copy.

Review of Web Security Testing Cookbook Posted

By Richard Bejtlich

Amazon.com just posted my five star review of Web Security Testing Cookbook by Paco Hope and Ben Walther. From the review:
I just wrote five star reviews of The Web Application Hacker's Handbook (TWAHH) and SQL Injection Attacks and Defense (SIAAD). Is there really a need for another Web security book like Web Security Testing Cookbook (WSTC)? The answer is an emphatic yes. While TWAHH and SIAAD include offensive and defensive material helpful for developers, those books are more or less aimed at assessment professionals. WSTC, on the other hand, is directed squarely at Web developers. In fact, WSTC is specifically written for those who incorporate unit testing into their software development lifecycle. I believe anyone developing Web applications would benefit from reading WSTC.
Note: O'Reilly provided me a free review copy.

    Review of SQL Injection Attacks and Defense Posted

    By Richard Bejtlich

    Amazon.com just posted my five star review of SQL Injection Attacks and Defense by Justin Clarke, et al. From the review:
    I just finished reviewing The Web Application Hacker's Handbook, calling it a "Serious candidate for Best Book Bejtlich Read 2009." SQL Injection Attacks and Defense (SIAAD) is another serious contender for BBBR09. In fact, I recommend reading TWAHH first because it is a more comprehensive overview of Web application security. Next, read SIAAD as the definitive treatise on SQL injection. Syngress does not have a good track record when it comes to books with multiple authors -- SIAAD has ten! -- but SIAAD is clearly a winner.

    SIAAD is another serious contender for Best Book Bejtlich Read 2009.
    Note: Syngress provided me a free review copy.


    Review of The Web Application Hacker's Handbook Posted

    By Richard Bejtlich

    Amazon.com just posted my five star review of The Web Application Hacker's Handbook by Dafydd Stuttard and Marcus Pinto. From the review:
    The Web Application Hacker's Handbook (TWAHH) is an excellent book. I read several books on Web application security recently, and this is my favorite. The text is very well-written, clear, and thorough. While the book is not suitable for beginners, it is accessible and easy to read for those even without Web development or assessment experience.
    TWAHH is a serious candidate for Best Book Bejtlich Read 2009.
    Note: Wiley provided me a free review copy.


    "Protect the Data" from the Evil Maid

    By Richard Bejtlich


    I recently posted "Protect the Data" from Whom?. I wrote:
    [P]rivate citizens (and most organizations who are not nation-state actors) do not have a chance to win against a sufficiently motivated and resourced high-end threat.
    Joanna Rutkowska provides a great example of the importance of knowing the adversary in her post Evil Maid goes after TrueCrypt!, a follow-up to her January post Why do I miss Microsoft BitLocker?
    Her post describes how she and Alex Tereshkin implemented a physical attack against laptops with TrueCrypt full disk encryption. They implemented the attack (called "Evil Maid") as a bootable USB image that an intruder would use to boot a target laptop. Evil Maid hooks the TrueCrypt function that asks the user for a passphrase on boot, then stores the passphrase for later physical retrieval.
    The scenario is this:

    1. User leaves laptop alone in hotel room.
    2. Attacker enters room, boots laptop with Evil Maid, and compromises TrueCrypt loader. Attacker leaves.
    3. User returns to hotel room, boots laptop, enters TrueCrypt passphrase. Game over.
    4. User leaves laptop alone in hotel room again.
    5. Attacker enters room again, boots laptop with Evil Maid again, and retrieves passphrase.

    Joanna recommends implementing a product that supports Trusted Platform Module (TPM), like Microsoft BitLocker. A detection-oriented workaround is to calculate hashes of selected disk sectors and partitions and decide that mismatches indicate an intrusion has occurred. That approach still misses BIOS-based attacks but it's the best one can do without TPM support.
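    The detection-oriented workaround above can be tried out with a small baseline-and-compare script. The following is an added example, not code from Bejtlich's post or from the Evil Maid research: it hashes a chosen set of disk sectors (an MBR and a boot-loader area) with SHA-256, records the hashes as a baseline, and later reports any region whose hash has changed. The disk image, the region layout and the "tampering" are all constructed in memory so the script runs offline; they are not the real TrueCrypt loader layout. On a real machine the same functions would read from the block device instead (which needs administrator rights), and the baseline should be kept off the laptop, for instance on a USB key the user carries, since an intruder who can rewrite the loader can rewrite a baseline stored next to it.

```python
"""Baseline-and-compare check for boot-region tampering.

Added example illustrating the hash-the-sectors workaround described in the
post. The disk image, region table and tamper step are constructed for the
demo; nothing here reflects the actual TrueCrypt on-disk layout.
"""
import hashlib

SECTOR = 512

# Regions to monitor: (name, first_sector, sector_count).
# Constructed for this example, not real loader offsets.
REGIONS = [
    ("mbr", 0, 1),      # master boot record
    ("loader", 1, 62),  # where a pre-boot loader typically lives
]


def build_sample_image(total_sectors=128):
    """Constructed sample disk: MBR with boot signature plus a filled loader area."""
    img = bytearray(total_sectors * SECTOR)
    img[0:8] = b"BOOTCODE"
    img[510:512] = b"\x55\xaa"
    for s in range(1, 63):
        img[s * SECTOR:(s + 1) * SECTOR] = bytes([s % 256]) * SECTOR
    return img


def read_sectors(image, first, count):
    """Return the raw bytes of `count` sectors starting at sector `first`."""
    return bytes(image[first * SECTOR:(first + count) * SECTOR])


def hash_regions(image, regions=REGIONS):
    """Map each monitored region name to the SHA-256 of its sectors."""
    return {
        name: hashlib.sha256(read_sectors(image, first, count)).hexdigest()
        for name, first, count in regions
    }


def compare_baseline(baseline, current):
    """Return the sorted names of regions whose hash differs from the baseline."""
    return sorted(name for name, digest in current.items()
                  if baseline.get(name) != digest)


def simulate_loader_tamper(image):
    """Constructed: overwrite a few bytes inside the loader area, as a
    patched loader would. Used only to show that the comparison fires."""
    tampered = bytearray(image)
    offset = 5 * SECTOR + 16  # inside the "loader" region
    tampered[offset:offset + 4] = b"\x00\x00\x00\x00"
    return tampered


def demo():
    """Take a baseline from a clean image, then check a modified copy."""
    clean = build_sample_image()
    baseline = hash_regions(clean)
    # An unchanged image produces no mismatches.
    assert compare_baseline(baseline, hash_regions(clean)) == []
    # A modified loader region is reported by name.
    return compare_baseline(baseline, hash_regions(simulate_loader_tamper(clean)))


if __name__ == "__main__":
    print(demo())  # ['loader']
```

As the post notes, this only covers the regions you choose to hash; a BIOS-resident modification, or one in a sector outside the monitored list, goes unnoticed, which is why TPM-backed measured boot is the stronger answer.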


    Report on Chinese Government Sponsored Cyber Activities

    By Richard Bejtlich

    Today's Wall Street Journal features the following story:
    China Expands Cyberspying in U.S., Report Says by Siobhan Gorman.
    I've reprinted an excerpt below and highlighted interesting aspects. I can vouch for the quality of the Northrop Grumman team that wrote this report and for their experience in this arena.
    Congressional Advisory Panel in Washington Cites Apparent Campaign by Beijing to Steal Information From American Firms
    WASHINGTON -- The Chinese government is ratcheting up its cyberspying operations against the U.S., a congressional advisory panel found, citing an example of a carefully orchestrated campaign against one U.S. company that appears to have been sponsored by Beijing.
    The unnamed company was just one of several successfully penetrated by a campaign of cyberespionage, according to the U.S.-China Economic and Security Review Commission report to be released Thursday. Chinese espionage operations are "straining the U.S. capacity to respond," the report concludes.
    The bipartisan commission, formed by Congress in 2000 to investigate the security implications of growing trade with China, is made up largely of former U.S. government officials in the national security field.
    The commission contracted analysts at defense giant Northrop Grumman Corp. to write the report. The analysts wouldn't name the company described in the case study, describing it only as "a firm involved in high-technology development."
    The report didn't provide a damage assessment and didn't say specifically who was behind the attack against the U.S. company. But it said the company's internal analysis indicated the attack originated in or came through China.
    The report concluded the attack was likely supported, if not orchestrated, by the Chinese government, because of the "professional quality" of the operation and the technical nature of the stolen information, which is not easily sold by rival companies or criminal groups. The operation also targeted specific data and processed "extremely large volumes" of stolen information, the report said.
    "The case study is absolutely clearly controlled and directed with a specific purpose to get at defense technology in a related group of companies," said Larry Wortzel, vice chairman of the commission and a former U.S. Army attaché in China. "There's no doubt that that's state-controlled."
    Attacks like that cited in the report hew closely to a blueprint frequently used by Chinese cyberspies, who in total steal $40 billion to $50 billion in intellectual property from U.S. organizations each year, according to U.S. intelligence agency estimates provided by a person familiar with them.


    WindowSecurity.com

    WindowSecurity.com provides Windows security news, articles, tutorials, software listings and reviews for information security professionals.

    Buffer Overflows, Data Execution Prevention, and You

    By Chris Sanders

    What a buffer overflow is, how it can allow an attacker to execute code on your system, and how Data Execution Prevention can be employed to safeguard against this threat.

    Yahoo! News: Security News

    FBI: National Data-breach Law Would Help Fight Cybercrime (PC World)

    PC World - A U.S. law that would require businesses to report data breaches to potential victims could help law enforcement agencies fight the growth of cybercrime, a U.S. Federal Bureau of Investigation official said Wednesday.

    Google Accused of 'malicious Revenge' in China (PC World)

    PC World - The official newspaper of China's ruling communist party has accused Google of seeking "malicious revenge" after a malware warning appeared by one of its Web sites in Google's search results.

    Gizmodo duped by virus ad, apologizes (AFP)

    AFP - Popular US gadget blog Gizmodo apologized to its readers on Tuesday after being duped by malware masquerading as an advertisement.

    Symantec Opens Public Beta of Norton 360 Version 4 (PC Magazine)

    PC Magazine - On Tuesday, Symantec opened public access to beta testing of Norton 360 v4. This new version includes most of the same technology that made Norton Internet Security 2010 PCMag.com's Editors Choice in security suites.

    Stand Up To Cybercrime (Investor's Business Daily)

    Investor's Business Daily - Complacency is a luxury no company can afford when it comes to computer security. The commitment a company makes to thwart cybercrime can be high- or low-tech.

    Swiss foreign ministry hit by computer attack (AFP)

    AFP - Unidentified hackers have penetrated the Swiss foreign ministry's computer system to seize data, forcing parts of it to be shut down for several days, the ministry revealed Monday.

    Trend Micro CEO: Hackers Hitting AV Infrastructure (PC World)

    PC World - It's become an all-too-common scam: A legitimate Web site pops up a window that looks just like a real security warning. It says there's something wrong with the computer, and click here to fix it. A few clicks later, the victim is paying out US$40 for some bogus software, called rogue antivirus.

    Phishers Dangle Some Brand-New Bait (PC World)

    PC World - In September 2009, some unlucky visitors at the New York Times Web site clicked on an ad that attempted to install malware. The advertisement displayed a popup window informing readers that their computer might be infected with a virus; only by purchasing a new antivirus product could they be sure of having a clean system.

    Nigeria's anti graft police shuts 800 scam websites (AFP)

    AFP - Nigeria's anti-corruption police said Friday they had shut down some 800 scam websites and busted 18 syndicates of email fraudsters in a drive to curb cyber-crime the country is notorious for.

    Check Point 3Q profit rises 14 percent (AP)

    AP - Check Point Software Technologies Ltd., which makes Internet security products, said Thursday its third-quarter profit rose 14 percent on strong sales across all of its regions, especially Asia Pacific.

    Zero Day

    Tracking the hackers

    US-CERT warns about BlackBerry spyware app

    By Ryan Naraine on Uncategorized

    A free BlackBerry spyware application has been released to allow an attacker to call a user's BlackBerry and listen to personal conversations.

    Firefox hit by multiple drive-by download flaws

    By Ryan Naraine on Uncategorized

    Mozilla's flagship Firefox browser is vulnerable to at least 11 "critical" vulnerabilities that expose users to drive-by download attacks that require no user interaction beyond normal browsing.

    New LoroBot ransomware encrypts files, demands $100 for decryption

    By Dancho Danchev on Viruses and Worms

    Researchers from CA have intercepted a new ransomware variant encrypting popular file extensions (.zip; .rar; .pdf; .rtf; .txt; .jpg; .jpeg; .waw; .mp3; .db; .xls; .docx; .xlsx; .doc) and demanding $100 for the decryption software. According to the message which replaces the desktop's background upon execution, the files are encrypted with 256-bit AES encryption, and that [...]

    Gawker Media tricked into featuring malicious Suzuki ads

    By Dancho Danchev on Malware

    A group of cybercriminals have successfully managed to trick Gawker’s ad sales team into featuring malicious ads serving Adobe exploits (CVE-2008-2992; CVE-2009-0927) and scareware, by impersonating a legitimate ad agency inquiring about an upcoming Suzuki ad campaign. According to Gawker Media, the malware distributors were one of the most convincing ones they’ve seen, with clear experience [...]

    Malware ads served from Gizmodo

    By Ryan Naraine on Spyware and Adware

    Popular gadget blog Gizmodo has acknowledged falling victim to an "elaborate scam" that served malicious ads for scareware (fake anti-virus) to its readers.

    Facebook password-reset spam is Bredolab botnet attack

    By Ryan Naraine on Viruses and Worms

    Virus hunters are raising the alarm for a large-scale spam attack that uses fake Facebook password-reset messages to trick PC users into downloading a dangerous piece of malware.

    UK newspaper Web site hacked; 500,000 job-seekers affected

    By Ryan Naraine on Zero-day attacks

    In what is being described as a "deliberate and sophisticated crime," the Guardian newspaper in the U.K. says the careers section of its Web site was hacked.

    Metasploit + Rapid7 shakes up pen-test landscape

    By Ryan Naraine on Pen testing

    With the acquisition of Metasploit by Rapid7, the dynamics within the small penetration testing market have changed. We believe that more competition will challenge each of the three main penetration testing software vendors in different ways.

    Gaping security hole in Time Warner cable routers

    By Ryan Naraine on Responsible disclosure

    A gaping security hole in cable modems distributed to Time Warner/Road Runner customers could potentially be exploited remotely to access private networks and possibly capture and manipulate private data.
