Archive for the ‘Current Events’ Category

User Awareness Alert: Open source digital signatures might be vulnerable

Monday, March 13th, 2006

“A pair of security bugs in cryptography software could allow an attacker to insert content into a digitally signed message or forge signatures on files.

“The flaws lie in the open-source GNU Privacy Guard software, also known as GnuPG and GPG, the GnuPG group said in two alerts. The software, a free replacement for the Pretty Good Privacy cryptographic technology, ships with many open-source operating systems such as FreeBSD, OpenBSD and many Linux distributions” (By Joris Evers, CNET News.com Published on ZDNet News: March 10, 2006, 2:38 PM PT).

Read the rest of the article

Listen to our podcasts –> add to my PodNova

Free Security Training available at http://adventuresinsecurity.com/SCourses.html

 

Technical Security Alert: Rootkits can be hidden in virtual machines

Monday, March 13th, 2006

“Security researchers have uncovered new techniques to hide the presence of malware on infected systems. By hiding rootkit software in virtual machine environments, hackers have the potential to avoid detection by security software, boffins at Microsoft Research and the University of Michigan warn” (John Leyden, published 13 March 2006 in The Register).

View the rest of the article

Listen to our podcasts –> add to my PodNova

Free Security Training available at http://adventuresinsecurity.com/SCourses.html

 

CipherTrust Toolbar to Protect Email Users

Sunday, March 12th, 2006

Last week, I wrote a blog article about the growth of SPF and Sender ID technology in the fight against unwanted email (spam, phishing, etc.).  It appears that CipherTrust is taking advantage of its own implementation of these standards to help make the Internet a safer place – at no cost.

On Monday, March 13, CipherTrust plans to make available for download a free toolbar for Outlook and Lotus Notes email users.  The toolbar will be available from the CipherTrust Research Portal, which will also launch Monday.

This is the way it works:

  1. The user clicks on an email
  2. The CipherTrust toolbar program sends the IP address of the sender to a CipherTrust hosted server running the TrustedSource reputation engine for analysis
  3. The results of the analysis are returned to the user’s desktop causing the toolbar to flash:
    1. Green with a happy-face when the email is from a reputable sender
    2. Yellow for questionable trustworthiness
    3. Red when the user should probably just delete the message

The data used for analysis come from CipherTrust’s global network of more than 4,000 sensors installed in business and government networks.  They’re collected on TrustedSource servers where the trustworthiness of the source is assessed to a very granular level.  The assessment is based on the following criteria:

  1. Is this the first time the sender has been seen?  According to CipherTrust, about 30% of IP addresses analyzed fall into this category.  Of those, about 95% are spam, viruses, etc.
  2. How much email is the sender responsible for?
  3. Does the sender send and receive email, or just send?
  4. Does the sender’s behavior seem “bursty” or is it more continuous?

This is one more step in the right direction.  Although not perfect, it goes quite a distance down the path toward a world in which the Internet is a safe place to travel the globe. 

Author:  Tom Olzak

Listen to our Podcast –> add to my PodNova

Free Security training available at http://www.adventuresinsecurity.com/SCourses.html

 

Laptop Encryption: Reasonable and Appropriate?

Monday, February 20th, 2006

Senior U.S. District Judge for the District of Minnesota, the Honorable Richard H. Kyle, ruled last week that companies don’t have to encrypt their data as a requirement of the Gramm-Leach-Bliley Act of 1999.  The GLBA places a set of constraints on how financial insitutions should handle customer information.  There’s been plenty of coverage on this issue since the ruling.  But I’d like to look at this from a different perspective; given HIPAA, SOX, GLBA, and the standards of ethical behavior, what actions should be considered reasonable and appropriate when protecting sensitive consumer information?

(more…)

Invasion of the Botnet Armies

Sunday, February 12th, 2006

In previous articles, I wrote about  malicious hackers (crackers) moving away from attacks for bragging rights to attacks for profit.  Part of this transition is the increased use of zombie PCs, or bots, to surreptitiously acquire personal and business information with criminal intent.  In this article, I describe the nature of bots and botnets, the danger to your organization from these growing threats, and some things you can do to protect your information assets.

(more…)

University of Washington Spyware Study Results

Friday, February 10th, 2006

In a recent University of Washington paper (see Sources below), the results of a five month study (May 2005 to October 2005) of the state of spyware on the Internet were documented.  The following is a summary of the researchers’ conclusions:

(more…)

BIOS Rootkit Attacks: What’s the Real Risk?

Wednesday, February 1st, 2006

As I’ve written in previous articles, the frequency of malicious rootkit installations is increasing.  Now it seems that even the BIOS is a potential target.  John Heasman, principle security consultant for Next-Generation Security Software, announced this week that a collection of functions known as the Advanced Configuration and Power Interface (ACPI) could be used to deposit a rootkit in the BIOS in flash memory.  This is rather easy to do, said Heasman, because the ACPI has a high level programming language that’s easy to learn and easy to use.

When I read this story, which was covered on almost every security web site, I was initially concerned.  Who wouldn’t be?  The BIOS is the most fundmental layer of functionality in any PC.  But the more I thought about it, the more I wondered about how much risk a BIOS rootkit actually presents to a business network.  After some research, I concluded that the risk is very low for businesses that take normal precautions.

In this article, we’ll look at rootkit technology, how engineers or programmers flash the BIOS, the typical safeguards protecting BIOS access, and what you can do to protect your business from BIOS rootkit issues.

(more…)

Cyber-espionage: How vulnerable are we?

Thursday, January 26th, 2006

Hacking activities thought to be related to the theft of government secrets are a real threat to national security.  In a January 25, 2006 article in ComputerWorld, John E. Dunn reported that email containing an exploit for the Microsoft Windows WMF vulnerability was sent to recipients in the UK House of Parliament.  

According to Dunn, over 70 PCs were targeted on January 2, 2006 with messages intended to install keyloggers.  This was confirmed by MessageLabs Ltd – the government’s message filtering company.  Luckily, the messages were identified and stopped before they could reach their targets.  The most disturbing piece of information coming out of this incident is the source of the attack – Guangdong Province in China.

An isolated, one-time attack might be passed off as just another malicious individual flexing his muscles.  But this is at least the second incident in which Chinese attackers have targeted foreign governments.  

On November 1, 2004, attackers located in Guangdong Province launched an attack against the U.S. Army facility at Redstone Arsenal.  But this attack is thought to have been successful.  It is believed that U.S. military secrets, including aviation specifications and flight planning software, were stolen.  It is also believed that the intended recipient for this information was the Chinese government.  This successful breach of U.S. Government security is part of an on-going attempt by the Chinese to hack into government computers.  U.S. Officials have named the hackers Titan Rain.

So just how vulnerable is the U.S. infrastructure to cyber attacks by other nations or terrorist groups? 

  1. During a 2004 FISMA required audit of security implemented by entities within the Federal government, seven departments failed to achieve a passing grade. Included in the list of failed departments was the Department of Homeland Security (DHS).
  2. Congress and the Bush administration cut by 7% the 2005 DHS budget for cyber security programs.
  3. In February 2005, The Presidential IT Advisory Committee (PITAC) completed a report entitled “Cyber Security: A Crisis of Prioritzation.”  The following findings and recommendations were presented to the Bush Administration:
    1. Finding: ”The Federal R&D budget provides inadequate funding for fundamental research in civilian cyber security.”  Recommendation: The NSF, DHS, and DARPA budgets should be increased significantly.
    2. Finding: “The Nation’s cyber security research community is too small to adequately support the cyber security research and education programs necessary to protect the United States.”  Recommendation: Double the size of the civilian cyber security fundamental research community by the end of the decade. 
    3. Finding: “Current cyber security technology transfer efforts are not adequate to successfully transition Federal research investiments into civilian sector best practices and products.”  Recommendation: The relationship between the Federal government and the private sector must be strengthened.  Lines of communication and cooperation must be developed and maintained.
    4. Finding: “The overall Federal cyber security R&D effort is currently unfocused and inefficient because of inadequate coordination and oversite.”  Recommendation: The Interagency Working Group on Critical Information Infrastructure Protection should become the focal point of R&D efforts, coordinating and priortizing all activities.
  4. In December 2005, the members of the Cyber Security Alliance expressed to the Bush Administration its frustration with the lack of progress made in addressing online crime.  The Group - including organizations like Computer Associates, McAfee, Symantec, and RSA – believes that the lack of support and leadership shown by the Federal Goverment threatens the economy and national security.

We should not expect the Federal goverment to solve all our problems.  But we should expect leadership when national security and the overall public welfare are threatened.  Congress and the President must change their priorities when addressing cyber security within the context of overall defense and social spending.  If this does not happen, hackers will continue to outstrip our ability to protect our national infrastructure; terrorists and foreign governments will find us a soft target.

 

Author:  Tom Olzak 

Sources:

Security experts lift lid on Chinese hack attacks

Tech Group Blasts Federal Leadership on Cyber-Security

PITAC Report on Cyber Security, February 2005

Your email:  
subscribe unsubscribe  

Planning for the Ultimate Hack

Tuesday, January 24th, 2006

The attack surface for hacking opportunities is getting larger every day.  Even anti-virus applications are vulnerable.  F-Secure just announced a patch for a vulnerability in their product.  On this side of the ocean, Symantec announced several weeks ago that its AntiVirus Library might allow the execution of malicious code because of a high-risk buffer overflow vulnerability.  The important point to take from these announcements is that AV applications are still just that – client-side applications.  ALL client side applications are written by humans.  Humans make mistakes.  Mistakes equal security vulnerabilities.

As organizations shore up their Windows operating systems, non-Microsoft applications are becoming a more attractive target for hackers.  The SANS institute warns that the number of flaws in client-side applications continues to grow; this includes applications ostensibly intended to protect our end user devices and our networks.  This is providing easier access to sensitive information, which can result in HIPAA violations, identity theft, etc.  The bottom line?  Plan for a hacking, because it’s coming to a network near you.

But what is the best planning approach?  Some organizations plan for small events.  They base their planning decisions on the premise that the probability is quite low that a worst case scenario will become reality.  Other organizations plan for worst case scenarios, with the understanding that if their response team is trained in the worst that can happen, they can take care of lesser incidents.  I subscribe to the latter approach.

Incident response includes planning, team development, and testing.  If your team trains for small hacks, it may not be able to react to the big one when it occurs.  The proverbial handwriting is on the wall; the probability that your business will be the victim of a major compromise is growing every day.  Plan accordingly.

 

Author:  Tom Olzak 

Resources:

Anti-virus Software: The Next Big Worm Target? 

The Worst-Case Hack Scenario

NIST Guide to Malware Incident Prevention and Handling

 

Your email:  
subscribe unsubscribe  

Mobile Mayhem

Monday, January 23rd, 2006

Cell phones have been relatively safe from the dangers faced by PCs, Servers, and other network connected devices.  But this is changing.  As cell phone use grows, so do the opportunities for attackers.

According to an eWeek article by Ryan Naraine, a new batch of Trojans targeting Symbian OS based cell phones has been released into the wild (see link below).  Two of the three are spread by Bluetooth connections.  

As attacks against cell phones increase, anti-malware vendors are rushing to fill a growing demand for mobile device protection software.  But so far, the malware infecting cell phones might not be causing the level of financial impact that justifies the added expense.

 

Resources: 

eWeek Article – Triple Trojan Threat Calls on Symbian Cell Phones

Wireless Handheld Device Security 

New Trojan Horses Threaten Cell Phones