Archive for January, 2006

An Intrusion Defense Solution

Tuesday, January 31st, 2006

Rather than write another piece on security in general for today’s post, I’m going to share my team’s experience in selecting an intrusion defense solution that expands on our existing firewall perimeter defense.  During the past several weeks, my team and I struggled with the new infrastructure and management design to support our enterprise security strategy.  We looked at IDS and IPS.  We looked at SIM products.  And we assessed each solution based on the following criteria:


Peer-to-Peer IP Telephony Security Challenges

Monday, January 30th, 2006

Peer-to-peer VoIP phone services provide an inexpensive alternative to traditional switched services, so many businesses are looking at ways to implement this Internet-based functionality.  Before you make a decision to toss out the old and bring in the new, it’s important to understand the risks associated with Internet phone service.

Since Skype is the unquestioned leader in this space, I’ll use it as an example provider to examine how these services work, the potential risks they pose for your business, and possible ways to reduce that risk. 


The Fundamentals of Keystroke Logging

Saturday, January 28th, 2006

This month, hackers in China attempted to place keystroke loggers onto UK Parliament systems via email messages.  Phishing attacks in which keystroke loggers are installed on PCs are becoming more frequent.  Keystroke loggers are also popular among hackers whose attack vector of choice is instant messaging.  Because of the growth in the rate of keystroke logger attacks, I thought it might be a good idea to take a look at what a keystroke logger is, why this technology is a serious threat to your organization, and what you can do to protect your information assets.


Deleted Data Files Aren’t…

Friday, January 27th, 2006

Deleted files on retired hard drives might be a lawsuit waiting to happen.  Deleting a file from a disk isn’t enough to wipe the actual information.  In Windows, deleting a file simply tells the operating system it can reallocate the space the file currently occupies.  The file no longer shows up in a folder listing, but the data is still there.  The only way to be sure the information is actually gone is to overwrite all writable areas of the disk.

Organizations that dispose of old PCs or servers without taking special precautions to ensure sensitive information is actually removed from storage are failing to safeguard data that might be covered by regulations like HIPAA, or might reveal enough information about employees and customers to enable identity theft.  There are many utilities available to help with this challenge.  SDelete from Sysinternals, available at the link in Resources below, is a free program you can use to remove the data from one or all files on a disk.
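To make the point concrete, here is an added example (my own illustration, not SDelete’s code) of the file-level overwrite that tools like SDelete perform: the file is opened in place without truncation, every byte is replaced with random data, the write is forced to the device, the name is randomized, and only then is the directory entry removed.  The sample file and its contents are constructed inside the block.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # overwrite in 64 KiB blocks


def overwrite_and_delete(path: str, passes: int = 1) -> int:
    """Overwrite every byte of `path`, rename it, then unlink it.

    Returns the file's size in bytes.  Caveat (not a property of the
    code): on journaling or copy-on-write file systems and on SSDs
    with wear levelling, old copies of blocks can survive a file-level
    overwrite; overwriting the whole disk is still the only sure way.
    """
    size = os.path.getsize(path)
    # "r+b" writes in place.  Opening with "wb" would truncate first and
    # hand the old blocks back to the file system before we overwrite them.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the overwrite out to the device
    # Randomize the name so the original file name does not linger in
    # the freed directory entry, then remove it.
    scrambled = os.path.join(os.path.dirname(path), secrets.token_hex(8))
    os.replace(path, scrambled)
    os.remove(scrambled)
    return size


def demo() -> tuple:
    """Constructed scenario: a 100 000-byte 'sensitive' file is wiped.

    Returns (bytes_overwritten, file_still_exists, leftover_entries).
    """
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "payroll.txt")
    with open(target, "wb") as fh:
        fh.write(b"SSN 000-00-0000\n" * 6250)  # constructed sample data
    written = overwrite_and_delete(target)
    return written, os.path.exists(target), len(os.listdir(workdir))


if __name__ == "__main__":
    print(demo())
```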

But improper disposition of PCs and servers isn’t the only problem facing many companies.  PDAs and smartphones also present a risk.  Although these devices might store sensitive company information, they are often reassigned or turned in to the wireless vendor without first wiping their storage.

Every organization must have policies and processes in place to ensure the proper handling and disposal of data in its care.  A company that collects consumer and employee information has an obligation to protect it until the data is properly destroyed. 

Author:  Tom Olzak 


Don’t leave information on old hard drives

The hidden threat: Residual data security risks of PDAs and smartphones


Sysinternals SDelete Data Erase Program – Free Tool


Securing VoIP

Friday, January 27th, 2006


Voice over IP, also known as VoIP, is quickly growing in popularity. Organizations are initially attracted to this relatively new technology because of its lower per call costs when compared to traditional voice services.  But they soon realize that VoIP provides additional value.

  1. Unified messaging, though still in its infancy, is introduced into the enterprise.  Users can listen to their email and access their voice mail through their email.
  2. Applications can deliver company data directly to the phone display.
  3. VoIP runs on an organization’s data network, eliminating the need for a separate infrastructure just for voice.
  4. Moving end-user phone service to a different desk or office is as simple as plugging the existing IP phone into a network jack at the new location.

Like most emerging technologies, there’s a catch.  As an IT department integrates VoIP into a company network, it encounters new security challenges.

  1. Traditional network hackers have a new set of applications and protocols to scan for vulnerabilities – vulnerabilities that provide easy access into converged data and voice networks.
  2. Since VoIP relies on the TCP/IP suite of protocols, voice now becomes vulnerable to tried and true TCP/IP exploits.


Cyber-espionage: How vulnerable are we?

Thursday, January 26th, 2006

Hacking activities thought to be related to the theft of government secrets are a real threat to national security.  In a January 25, 2006 article in ComputerWorld, John E. Dunn reported that email containing an exploit for the Microsoft Windows WMF vulnerability was sent to recipients in the UK House of Parliament.  

According to Dunn, over 70 PCs were targeted on January 2, 2006 with messages intended to install keyloggers.  This was confirmed by MessageLabs Ltd – the government’s message filtering company.  Luckily, the messages were identified and stopped before they could reach their targets.  The most disturbing piece of information coming out of this incident is the source of the attack – Guangdong Province in China.

An isolated, one-time attack might be passed off as just another malicious individual flexing his muscles.  But this is at least the second incident in which Chinese attackers have targeted foreign governments.  

On November 1, 2004, attackers located in Guangdong Province launched an attack against the U.S. Army facility at Redstone Arsenal.  Unlike the Parliament incident, this attack is thought to have been successful.  It is believed that U.S. military secrets, including aviation specifications and flight planning software, were stolen.  It is also believed that the intended recipient for this information was the Chinese government.  This successful breach of U.S. Government security is part of an ongoing attempt by the Chinese to hack into government computers.  U.S. officials have named the hackers Titan Rain.

So just how vulnerable is the U.S. infrastructure to cyber attacks by other nations or terrorist groups? 

  1. During a 2004 FISMA required audit of security implemented by entities within the Federal government, seven departments failed to achieve a passing grade. Included in the list of failed departments was the Department of Homeland Security (DHS).
  2. Congress and the Bush administration cut by 7% the 2005 DHS budget for cyber security programs.
  3. In February 2005, the President’s IT Advisory Committee (PITAC) completed a report entitled “Cyber Security: A Crisis of Prioritization.”  The following findings and recommendations were presented to the Bush Administration:
    1. Finding: “The Federal R&D budget provides inadequate funding for fundamental research in civilian cyber security.”  Recommendation: The NSF, DHS, and DARPA budgets should be increased significantly.
    2. Finding: “The Nation’s cyber security research community is too small to adequately support the cyber security research and education programs necessary to protect the United States.”  Recommendation: Double the size of the civilian cyber security fundamental research community by the end of the decade.
    3. Finding: “Current cyber security technology transfer efforts are not adequate to successfully transition Federal research investments into civilian sector best practices and products.”  Recommendation: The relationship between the Federal government and the private sector must be strengthened.  Lines of communication and cooperation must be developed and maintained.
    4. Finding: “The overall Federal cyber security R&D effort is currently unfocused and inefficient because of inadequate coordination and oversight.”  Recommendation: The Interagency Working Group on Critical Information Infrastructure Protection should become the focal point of R&D efforts, coordinating and prioritizing all activities.
  4. In December 2005, the Cyber Security Alliance expressed to the Bush Administration its frustration with the lack of progress made in addressing online crime.  The group, which includes organizations like Computer Associates, McAfee, Symantec, and RSA, believes that the lack of support and leadership shown by the Federal Government threatens the economy and national security.

We should not expect the Federal government to solve all our problems.  But we should expect leadership when national security and the overall public welfare are threatened.  Congress and the President must change their priorities when addressing cyber security within the context of overall defense and social spending.  If this does not happen, hackers will continue to outstrip our ability to protect our national infrastructure; terrorists and foreign governments will find us a soft target.


Author:  Tom Olzak 


Security experts lift lid on Chinese hack attacks

Tech Group Blasts Federal Leadership on Cyber-Security

PITAC Report on Cyber Security, February 2005


New Worm in the Wild

Wednesday, January 25th, 2006


Nyxem Mass-mailing Worm
added January 24, 2006

US-CERT is aware of a new mass-mailing worm known as Nyxem (CME-24). This worm relies on social engineering to propagate. Specifically, the user must click on a link or open an attached file.

The Nyxem worm targets Windows systems that hide file extensions for known file types (this is the default setting for Windows XP and possibly other versions). The worm’s icon makes it appear to be a WinZip file. As a result, the user may unknowingly start the worm.

Once a Windows system is infected, the malicious code may:

  • Attempt to harvest email addresses stored on the infected system
  • Utilize its own SMTP engine to send itself to the harvested email addresses
  • Disable anti-virus and file sharing programs
  • Spread itself using all available Windows network shares on the infected system
  • Modify the active Desktop

In addition, on February 3, 2006, the worm will destroy files with the following extensions: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DM.

Although there is limited information concerning this potential threat, US-CERT strongly encourages users and system administrators to implement the following workarounds:

  • Install anti-virus software, and keep its virus signature files up-to-date
  • Block executable and unknown file types at the email gateway

Additionally, US-CERT strongly encourages users not to follow unknown links, even if sent by a known and trusted source. Users may also wish to visit the US-CERT Computer Virus Resources for general virus protection information.
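The hidden-extension trick described above, and the gateway workaround US-CERT recommends, can be illustrated with the following added example (my own code, not US-CERT’s or any vendor’s).  It shows how a name like `photos.zip.exe` is displayed when Windows hides known extensions, and a simple gateway rule that blocks executable, unknown, and disguised attachments; the extension lists, the `MZ` content check, and the sample names are constructed for the example.

```python
import os

# Extensions Windows will run directly (constructed list for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".hta"}
# Types the gateway policy permits (constructed policy for this example).
ALLOWED_EXTS = {".pdf", ".doc", ".xls", ".ppt", ".zip", ".txt", ".jpg"}


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'hide extensions for known file types' on.

    Only the final extension is hidden, so 'photos.zip.exe' is shown as
    'photos.zip' and, with a WinZip-style icon, passes for an archive.
    """
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in EXECUTABLE_EXTS | ALLOWED_EXTS else filename


def classify_name(filename: str) -> str:
    """Gateway decision from the file name alone.

    Returns 'allow', 'block-executable', 'block-unknown', or
    'block-disguised' (an executable carrying a benign-looking inner
    extension, padded or not, as in the Nyxem lure).
    """
    stem, ext = os.path.splitext(filename.strip().lower())
    if ext in EXECUTABLE_EXTS:
        # Strip padding such as 'photos.zip      .exe' before reading
        # the inner extension.
        inner = os.path.splitext(stem.rstrip(" ."))[1]
        return "block-disguised" if inner in ALLOWED_EXTS else "block-executable"
    if ext not in ALLOWED_EXTS:
        return "block-unknown"
    return "allow"


def check_attachment(filename: str, data: bytes) -> str:
    """Combine the name rule with a content check, since names can lie.

    A Windows executable starts with the bytes 'MZ'; an attachment with
    that header is blocked regardless of what it is called.
    """
    if data[:2] == b"MZ":
        return "block-executable-content"
    return classify_name(filename)


if __name__ == "__main__":
    print(displayed_name("photos.zip.exe"), classify_name("photos.zip.exe"))
```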


Planning for the Ultimate Hack

Tuesday, January 24th, 2006

The attack surface for hacking opportunities is getting larger every day.  Even anti-virus applications are vulnerable.  F-Secure just announced a patch for a vulnerability in their product.  On this side of the ocean, Symantec announced several weeks ago that its AntiVirus Library might allow the execution of malicious code because of a high-risk buffer overflow vulnerability.  The important point to take from these announcements is that AV applications are still just that – client-side applications.  ALL client side applications are written by humans.  Humans make mistakes.  Mistakes equal security vulnerabilities.

As organizations shore up their Windows operating systems, non-Microsoft applications are becoming a more attractive target for hackers.  The SANS institute warns that the number of flaws in client-side applications continues to grow; this includes applications ostensibly intended to protect our end user devices and our networks.  This is providing easier access to sensitive information, which can result in HIPAA violations, identity theft, etc.  The bottom line?  Plan for a hacking, because it’s coming to a network near you.

But what is the best planning approach?  Some organizations plan for small events.  They base their planning decisions on the premise that the probability is quite low that a worst case scenario will become reality.  Other organizations plan for worst case scenarios, with the understanding that if their response team is trained in the worst that can happen, they can take care of lesser incidents.  I subscribe to the latter approach.

Incident response includes planning, team development, and testing.  If your team trains for small hacks, it may not be able to react to the big one when it occurs.  The proverbial handwriting is on the wall; the probability that your business will be the victim of a major compromise is growing every day.  Plan accordingly.


Author:  Tom Olzak 


Anti-virus Software: The Next Big Worm Target? 

The Worst-Case Hack Scenario

NIST Guide to Malware Incident Prevention and Handling



Sample Chapter from “Just Enough Security”

Monday, January 23rd, 2006

The attached PDF is a draft copy of Chapter 4 from my upcoming book, “Just Enough Security.”  The book will be published in late April. 

This chapter describes the Just Enough Security (JES) model.  It’s fundamentally a layered approach to applying security safeguards.


Mobile Mayhem

Monday, January 23rd, 2006

Cell phones have been relatively safe from the dangers faced by PCs, servers, and other network-connected devices.  But this is changing.  As cell phone use grows, so do the opportunities for attackers.

According to an eWeek article by Ryan Naraine, a new batch of Trojans targeting Symbian OS based cell phones has been released into the wild (see link below).  Two of the three are spread by Bluetooth connections.  

As attacks against cell phones increase, anti-malware vendors are rushing to fill a growing demand for mobile device protection software.  But so far, the malware infecting cell phones might not be causing the level of financial impact that justifies the added expense.



eWeek Article – Triple Trojan Threat Calls on Symbian Cell Phones

Wireless Handheld Device Security 

New Trojan Horses Threaten Cell Phones